diff -Nru exim4-4.91/ACKNOWLEDGMENTS exim4-4.92~RC4/ACKNOWLEDGMENTS
--- exim4-4.91/ACKNOWLEDGMENTS	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/ACKNOWLEDGMENTS	2018-12-27 13:36:19.000000000 +0000
@@ -67,8 +67,8 @@
 Ian Kirk                  Radius support
 Stuart Levy               Replacement for broken inet_ntoa() on IRIX
 Stuart Lynne              First code for LDAP
-Nigel Metheringham        Setting up the web site and mailing list
-                            Managing the web site and mailing list
+Nigel Metheringham        Setting up the website and mailing list
+                            Managing the website and mailing list
                             Interface to Berkeley DB
                             Support for cdb
                             Support for maildir
diff -Nru exim4-4.91/debian/changelog exim4-4.92~RC4/debian/changelog
--- exim4-4.91/debian/changelog	2018-11-03 00:08:13.000000000 +0000
+++ exim4-4.92~RC4/debian/changelog	2019-01-10 15:41:45.000000000 +0000
@@ -1,3 +1,105 @@
+exim4 (4.92~RC4-2ubuntu1) disco; urgency=medium
+
+  * Merge with Debian unstable (LP: #1811095). Remaining changes:
+    - Show Ubuntu distribution in SMTP banner
+      + Build-Depends on lsb-release to detect Distribution.
+      + d/p/fix_smtp_banner.patch: Show Ubuntu distribution in SMTP banner.
+
+ -- Karl Stenerud <kstenerud@gmail.com>  Thu, 10 Jan 2019 16:41:45 +0100
+
+exim4 (4.92~RC4-2) unstable; urgency=medium
+
+  * Upload to unstable.
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 05 Jan 2019 15:35:38 +0100
+
+exim4 (4.92~RC4-1) experimental; urgency=low
+
+  * New upstream version.
+    + Drop 75_GnuTLS-repeat-lowlevel-read-and-write-operations-whi.patch.
+    + Unfuzz patches.
+
+ -- Andreas Metzler <ametzler@debian.org>  Mon, 31 Dec 2018 13:13:45 +0100
+
+exim4 (4.92~RC3-1) unstable; urgency=low
+
+  * Add 75_GnuTLS-repeat-lowlevel-read-and-write-operations-whi.patch from
+    upstream GIT master, fixing outgoing TLS 1.3.
+    https://bugs.exim.org/show_bug.cgi?id=2359
+  * New upstream version.
+  * Upload to unstable.
+
+ -- Andreas Metzler <ametzler@debian.org>  Wed, 26 Dec 2018 16:07:52 +0100
+
+exim4 (4.92~RC2-1) experimental; urgency=low
+
+  * New upstream version.
+    + Drop 75_01-Fix-parsing-of-option-type-Kint-integer-stored-in-K-.patch
+
+ -- Andreas Metzler <ametzler@debian.org>  Tue, 18 Dec 2018 19:20:24 +0100
+
+exim4 (4.92~RC1-1) experimental; urgency=low
+
+  * Update upstream/signing-key.asc from
+    https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc, adding
+    96E4754B8F93C1B239F1A95785BCF7AC6735A680 while removing
+    1F9C181B1E83D2099F02C95AC4F4F94804D29EBA and
+    FAA1C7F9CD077DC4304BC0C885AB833FDDC03262.
+  * New upstream release candidate:
+    + Point watchfile to test subdir.
+    + Update watchfile to handle -RC1 in addition to _RC1.
+    + Drop 75_fixes*.patch.
+    + Unfuzz 32_exim4.dpatch and 90_localscan_dlopen.dpatch
+    + Update configuration from upstream example, except for
+      tls_sni/tls_require_ciphers settings on remote_smtp_smarthost transport:
+      * Enable dns_dnssec_ok.
+      * Set dnssec_request_domains = * on dnslookup and
+        dnslookup_relay_to_domains routers.
+      * Set hosts_try_dane = */dnssec_request_domains = * on remote_smtp
+        transport unless REMOTE_SMTP_DISABLE_DANE is set.
+      * Set multi_domain on remote_smtp_smarthost transport.
+  * Post release updates:
+    + 75_01-Fix-parsing-of-option-type-Kint-integer-stored-in-K-.patch
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 15 Dec 2018 16:24:54 +0100
+
+exim4 (4.91-9) unstable; urgency=low
+
+  * Run "wrap-and-sort --max-line-length=72 --short-indent" and add back
+    autodeleted comments.
+  * Update from exim-4_91+fixes branch:
+    + 75_fixes_26-Fix-bad-use-of-library-copying-string-over-itself.patch
+    + 75_fixes_27-Fix-cyrus-sasl-authenticator-for-authenticated_fail_.patch
+    + 75_fixes_28-Avoid-leaving-domain-live-with-bogus-info-during-ser.patch
+    + 75_fixes_29-Fix-AUTH_GSASL-build.patch
+    + 75_fixes_30-Harden-string-list-handling.patch
+
+ -- Andreas Metzler <ametzler@debian.org>  Thu, 06 Dec 2018 19:19:38 +0100
+
+exim4 (4.91-8) unstable; urgency=low
+
+  [ Andreas Metzler ]
+  * Update from exim-4_91+fixes branch:
+    + 75_fixes_18-Restore-Darwin-OS-configuration.patch
+    + 75_fixes_20-Fix-filter-noerror-command.-Bug-2318.patch
+    + 75_fixes_21-DANE-fix-TA-mode-verify-under-GnuTLS.-Bug-2311.patch
+    + 75_fixes_22-Testsuite-track-newer-GnuTLS-behaviour.patch
+    + 75_fixes_24-DANE-ignore-undersized-TLSA-records.patch
+    + 75_fixes_25-Logging-do-not-log-a-missing-proxy-address-on-delive.patch
+
+  [ Marc Haber ]
+  * Move definition of CHECK_RCPT_*_LOCALPARTS macro to acl file proper.
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 29 Sep 2018 19:08:52 +0200
+
+exim4 (4.91-7) unstable; urgency=low
+
+  * Update from exim-4_91+fixes branch:
+    + 75_fixes_16-Fix-non-EVENTS-build.patch
+    + 75_fixes_17-Fix-cutthrough-delivery-for-more-than-one-iteration-.patch
+
+ -- Andreas Metzler <ametzler@debian.org>  Sun, 26 Aug 2018 11:33:15 +0200
+
 exim4 (4.91-6ubuntu2) disco; urgency=medium
 
   * No-change rebuild for the perl 5.28 transition.
diff -Nru exim4-4.91/debian/control exim4-4.92~RC4/debian/control
--- exim4-4.91/debian/control	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/control	2019-01-10 15:41:45.000000000 +0000
@@ -3,33 +3,70 @@
 Priority: standard
 Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
 XSBC-Original-Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
-Uploaders: Andreas Metzler <ametzler@debian.org>,Marc Haber <mh+debian-packages@zugschlus.de>
+Uploaders:
+ Andreas Metzler <ametzler@debian.org>,
+ Marc Haber <mh+debian-packages@zugschlus.de>
 Homepage: https://www.exim.org/
-Standards-Version: 4.1.5
+Standards-Version: 4.3.0
 Vcs-Git: https://salsa.debian.org/exim-team/exim4.git
 Vcs-Browser: https://salsa.debian.org/exim-team/exim4
-Build-Depends: debhelper (>= 10), po-debconf, docbook-xsl, xsltproc,
-  lynx, docbook-xml, libpcre3-dev, libldap2-dev, libpam0g-dev,
-  libident-dev, libdb5.3-dev, libxmu-dev, libxt-dev, libxext-dev, libx11-dev,
-  libxaw7-dev, libpq-dev, default-libmysqlclient-dev,
-  libsqlite3-dev, libperl-dev, libgnutls28-dev (>= 3.5.7), libsasl2-dev,
-  lsb-release
+Build-Depends:
+ debhelper (>= 10),
+ default-libmysqlclient-dev,
+ docbook-xml,
+ docbook-xsl,
+ libdb5.3-dev,
+ libgnutls28-dev (>= 3.5.7),
+ libident-dev,
+ libldap2-dev,
+ libpam0g-dev,
+ libpcre3-dev,
+ libperl-dev,
+ libpq-dev,
+ libsasl2-dev,
+ libsqlite3-dev,
+ libx11-dev,
+ libxaw7-dev,
+ libxext-dev,
+ libxmu-dev,
+ libxt-dev,
+ lynx,
+ po-debconf,
+ xsltproc,
+ lsb-release
 
 Package: exim4-base
 Architecture: any
 Priority: optional
-Breaks: exim4-daemon-light (<<${Upstream-Version}),
+Breaks:
+ exim4-daemon-custom (<<${Upstream-Version}),
  exim4-daemon-heavy (<<${Upstream-Version}),
- exim4-daemon-custom (<<${Upstream-Version})
+ exim4-daemon-light (<<${Upstream-Version})
 Conflicts: exim, exim-tls
-Replaces: exim, exim-tls, exim4-daemon-light, exim4-daemon-heavy, exim4-daemon-custom
-Depends: ${shlibs:Depends}, ${misc:Depends},
+Replaces:
+ exim,
+ exim-tls,
+ exim4-daemon-custom,
+ exim4-daemon-heavy,
+ exim4-daemon-light
+Depends:
+ adduser,
  cron | cron-daemon | anacron,
- exim4-config (>=4.82) | exim4-config-2, adduser, netbase, lsb-base (>= 3.0-6)
+ exim4-config (>=4.82) | exim4-config-2,
+ lsb-base (>= 3.0-6),
+ netbase,
+ ${misc:Depends},
+ ${shlibs:Depends}
 # psmisc just for exiwhat.
-Recommends: psmisc, mailx
-Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info,
- gnutls-bin | openssl, file, spf-tools-perl, swaks
+Recommends: mailx, psmisc
+Suggests:
+ exim4-doc-html | exim4-doc-info,
+ eximon4,
+ file,
+ gnutls-bin | openssl,
+ mail-reader,
+ spf-tools-perl,
+ swaks
 Description: support files for all Exim MTA (v4) packages
  Exim (v4) is a mail transport agent. exim4-base provides the support
  files needed by all exim4 daemon packages. You need an additional package
@@ -60,10 +97,17 @@
 Package: exim4-config
 Architecture: all
 Priority: optional
-Breaks: exim4-daemon-light (<< 4.87~RC5), exim4-daemon-heavy (<< 4.87~RC5)
+Breaks:
+ exim4-daemon-heavy (<< 4.87~RC5),
+ exim4-daemon-light (<< 4.87~RC5)
 Provides: exim4-config-2
-Conflicts: exim, exim-tls, exim4-config, exim4-config-2, ${MTA-Conflicts}
-Depends: ${shlibs:Depends}, ${misc:Depends}, adduser
+Conflicts:
+ exim,
+ exim-tls,
+ exim4-config,
+ exim4-config-2,
+ ${MTA-Conflicts}
+Depends: adduser, ${misc:Depends}, ${shlibs:Depends}
 Description: configuration for the Exim MTA (v4)
  Exim (v4) is a mail transport agent. exim4-config provides the configuration
  for the exim4 daemon packages. The configuration framework has been split
@@ -95,11 +139,16 @@
 Package: exim4-daemon-light
 Architecture: any
 Priority: optional
-Provides: mail-transport-agent, exim4-localscanapi-2.0,
+Provides:
+ exim4-localscanapi-2.0,
+ mail-transport-agent,
  ${dist:Provides:exim4-daemon-light}
 Conflicts: mail-transport-agent
-Replaces: mail-transport-agent, exim4-base (<= 4.61-1)
-Depends: exim4-base (>= ${Upstream-Version}), ${shlibs:Depends}, ${misc:Depends}
+Replaces: exim4-base (<= 4.61-1), mail-transport-agent
+Depends:
+ exim4-base (>= ${Upstream-Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
 Description: lightweight Exim MTA (v4) daemon
  Exim (v4) is a mail transport agent. This package contains the exim4
  daemon with only basic features enabled. It works well with the
@@ -126,10 +175,12 @@
 Package: exim4
 Architecture: all
 Priority: optional
-Depends: ${misc:Depends}, debconf (>= 1.4.69) | cdebconf (>= 0.39),
- exim4-base (>= ${source:Version}),
+Depends:
+ debconf (>= 1.4.69) | cdebconf (>= 0.39),
  exim4-base (<< ${source:Version}.1),
- exim4-daemon-light | exim4-daemon-heavy | exim4-daemon-custom
+ exim4-base (>= ${source:Version}),
+ exim4-daemon-light | exim4-daemon-heavy | exim4-daemon-custom,
+ ${misc:Depends}
 Description: metapackage to ease Exim MTA (v4) installation
  Exim (v4) is a mail transport agent. exim4 is the metapackage depending
  on the essential components for a basic exim4 installation.
@@ -153,11 +204,13 @@
 Package: exim4-daemon-heavy
 Architecture: any
 Priority: optional
-Provides: mail-transport-agent, exim4-localscanapi-2.0
+Provides: exim4-localscanapi-2.0, mail-transport-agent
 Conflicts: mail-transport-agent
-Replaces: mail-transport-agent, exim4-base (<= 4.61-1)
-Depends: exim4-base (>= ${Upstream-Version}), ${shlibs:Depends},
- ${misc:Depends}
+Replaces: exim4-base (<= 4.61-1), mail-transport-agent
+Depends:
+ exim4-base (>= ${Upstream-Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
 Breaks: clamav-daemon (<< 0.95)
 Description: Exim MTA (v4) daemon with extended features, including exiscan-acl
  Exim (v4) is a mail transport agent. This package contains the exim4
@@ -187,10 +240,13 @@
 #Package: exim4-daemon-custom
 #Architecture: any
 #Priority: optional
-#Provides: mail-transport-agent, exim4-localscanapi-2.0
+#Provides: exim4-localscanapi-2.0, mail-transport-agent
 #Conflicts: mail-transport-agent
-#Replaces: mail-transport-agent, exim4-base (<= 4.61-1)
-#Depends: exim4-base (>= ${Upstream-Version}), ${shlibs:Depends}, ${misc:Depends}
+#Replaces: exim4-base (<= 4.61-1), mail-transport-agent
+#Depends:
+# exim4-base (>= ${Upstream-Version}),
+# ${misc:Depends},
+# ${shlibs:Depends}
 #Description: custom Exim MTA (v4) daemon with locally set features
 # Exim (v4) is a mail transport agent. This package contains a
 # custom-configured exim4 daemon compiled to local needs. This package
@@ -219,7 +275,7 @@
 Priority: optional
 Conflicts: eximon
 Replaces: eximon
-Depends: ${shlibs:Depends}, ${misc:Depends}, exim4-base (>= 4.10)
+Depends: exim4-base (>= 4.10), ${misc:Depends}, ${shlibs:Depends}
 Description: monitor application for the Exim MTA (v4) (X11 interface)
  Eximon is a helper program for the Exim MTA (v4). It allows
  administrators to view the mail queue and logs, and perform a variety
diff -Nru exim4-4.91/debian/copyright exim4-4.92~RC4/debian/copyright
--- exim4-4.91/debian/copyright	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/copyright	2019-01-10 15:41:45.000000000 +0000
@@ -58,7 +58,7 @@
 exim is copyright (c) 1995 - 2018 University of Cambridge.
 
 The original licence is as follows (from the file NOTICE in the upstream
-distribution); a copy of the GNU GPL version 2 is available in 
+distribution); a copy of the GNU GPL version 2 is available in
 /usr/share/common-licenses/GPL-2 on Debian systems.
 
 _________________________________________________________________________
diff -Nru exim4-4.91/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt exim4-4.92~RC4/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
--- exim4-4.91/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt	2019-01-10 15:41:45.000000000 +0000
@@ -2,6 +2,19 @@
 ### acl/30_exim4-config_check_rcpt
 #################################
 
+# define macros to be used below in this file to check recipient
+# local parts for strange characters. Documentation below.
+# This blocks local parts that begin with a dot or contain a quite
+# broad range of non-alphanumeric characters.
+
+.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
+CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
+.endif
+
+.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
+CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
+.endif
+
 # This access control list is used for every RCPT command in an incoming
 # SMTP message. The tests are run in order until the address is either
 # accepted or denied.
@@ -46,7 +59,7 @@
   # incorporated unthinkingly into a shell command line.
   #
   # These ACL components will block recipient addresses that are valid
-  # from an RFC2822 point of view. We chose to have them blocked by
+  # from an RFC5322 point of view. We chose to have them blocked by
   # default for security reasons.
   #
   # If you feel that your site should have less strict recipient
@@ -58,11 +71,8 @@
   # default, and is applied to messages that are addressed to one of the
   # local domains handled by this host.
 
-  # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
-  # main/01_exim4-config_listmacrosdefs:
-  # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
-  # This blocks local parts that begin with a dot or contain a quite
-  # broad range of non-alphanumeric characters.
+  # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined
+  # at the top of this file.
   .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
   deny
     domains = +local_domains
diff -Nru exim4-4.91/debian/debconf/conf.d/main/01_exim4-config_listmacrosdefs exim4-4.92~RC4/debian/debconf/conf.d/main/01_exim4-config_listmacrosdefs
--- exim4-4.91/debian/debconf/conf.d/main/01_exim4-config_listmacrosdefs	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/debconf/conf.d/main/01_exim4-config_listmacrosdefs	2019-01-10 15:41:45.000000000 +0000
@@ -75,26 +75,6 @@
 gecos_pattern = ^([^,:]*)
 gecos_name = $1
 
-# define macros to be used in acl/30_exim4-config_check_rcpt to check
-# recipient local parts for strange characters.
-
-# This macro definition really should be in
-# acl/30_exim4-config_check_rcpt but cannot be there due to
-# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.
-
-# These macros are documented in acl/30_exim4-config_check_rcpt,
-# can be changed here or overridden by a locally added configuration
-# file as described in README.Debian section "Using Exim Macros to control
-# the configuration".
-
-.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
-CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
-.endif
-
-.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
-CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
-.endif
-
 # always log tls_peerdn as we use TLS for outgoing connects by default
 .ifndef MAIN_LOG_SELECTOR
 MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
diff -Nru exim4-4.91/debian/debconf/conf.d/main/02_exim4-config_options exim4-4.92~RC4/debian/debconf/conf.d/main/02_exim4-config_options
--- exim4-4.91/debian/debconf/conf.d/main/02_exim4-config_options	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/debconf/conf.d/main/02_exim4-config_options	2019-01-10 15:41:45.000000000 +0000
@@ -84,6 +84,10 @@
 host_lookup = MAIN_HOST_LOOKUP
 .endif
 
+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support.  It has no effect if your library lacks
+# DNSSEC support.
+dns_dnssec_ok = 1
 
 # In a minimaldns setup, update-exim4.conf guesses the hostname and
 # dumps it here to avoid DNS lookups being done at Exim run time.
diff -Nru exim4-4.91/debian/debconf/conf.d/router/200_exim4-config_primary exim4-4.92~RC4/debian/debconf/conf.d/router/200_exim4-config_primary
--- exim4-4.91/debian/debconf/conf.d/router/200_exim4-config_primary	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/debconf/conf.d/router/200_exim4-config_primary	2019-01-10 15:41:45.000000000 +0000
@@ -19,6 +19,7 @@
   domains = ! +local_domains : +relay_to_domains
   transport = remote_smtp
   same_domain_copy_routing = yes
+  dnssec_request_domains = *
   no_more
 
 # deliver mail directly to the recipient. This router is only reached
@@ -36,6 +37,7 @@
   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                         172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
 			255.255.255.255
+  dnssec_request_domains = *
   no_more
 
 .endif
diff -Nru exim4-4.91/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp exim4-4.92~RC4/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp
--- exim4-4.91/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp	2019-01-10 15:41:45.000000000 +0000
@@ -51,3 +51,7 @@
 .ifdef REMOTE_SMTP_PRIVATEKEY
 tls_privatekey = REMOTE_SMTP_PRIVATEKEY
 .endif
+.ifndef REMOTE_SMTP_DISABLE_DANE
+dnssec_request_domains = *
+hosts_try_dane = *
+.endif
diff -Nru exim4-4.91/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost exim4-4.92~RC4/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost
--- exim4-4.91/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost	2019-01-10 15:41:45.000000000 +0000
@@ -12,6 +12,7 @@
 remote_smtp_smarthost:
   debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
   driver = smtp
+  multi_domain
 .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
 .endif
diff -Nru exim4-4.91/debian/example.conf.md5 exim4-4.92~RC4/debian/example.conf.md5
--- exim4-4.91/debian/example.conf.md5	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/example.conf.md5	2019-01-10 15:41:45.000000000 +0000
@@ -1 +1 @@
-cee7f82425cc6c414c96eb65f659c4e2  -
+c63273e99348ba157c3c000a67c48299  -
diff -Nru exim4-4.91/debian/exim4-base.dirs exim4-4.92~RC4/debian/exim4-base.dirs
--- exim4-4.91/debian/exim4-base.dirs	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-base.dirs	2019-01-10 15:41:45.000000000 +0000
@@ -1,5 +1,5 @@
-/usr/sbin
-/usr/share/man/man8
 /etc/cron.daily
 /etc/logrotate.d
+/usr/sbin
 /usr/share/doc/exim4-base/examples
+/usr/share/man/man8
diff -Nru exim4-4.91/debian/exim4-base.docs exim4-4.92~RC4/debian/exim4-base.docs
--- exim4-4.91/debian/exim4-base.docs	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-base.docs	2019-01-10 15:41:45.000000000 +0000
@@ -1,15 +1,15 @@
-b-exim4-daemon-light/NOTICE
 b-exim4-daemon-light/ACKNOWLEDGMENTS
-b-exim4-daemon-light/doc/README
-b-exim4-daemon-light/doc/README.SIEVE
+b-exim4-daemon-light/NOTICE
 b-exim4-daemon-light/README.UPDATING
-b-exim4-daemon-light/doc/dbm.discuss.txt
 b-exim4-daemon-light/doc/Exim3.upgrade
 b-exim4-daemon-light/doc/Exim4.upgrade
-b-exim4-daemon-light/doc/filter.txt
+b-exim4-daemon-light/doc/GnuTLS-FAQ.txt
 b-exim4-daemon-light/doc/NewStuff
 b-exim4-daemon-light/doc/OptionLists.txt
+b-exim4-daemon-light/doc/README
+b-exim4-daemon-light/doc/README.SIEVE
+b-exim4-daemon-light/doc/dbm.discuss.txt
+b-exim4-daemon-light/doc/filter.txt
 b-exim4-daemon-light/doc/spec.txt
-b-exim4-daemon-light/doc/GnuTLS-FAQ.txt
-debian/changelog.Debian.old
 debian/README.Debian.html
+debian/changelog.Debian.old
diff -Nru exim4-4.91/debian/exim4-base.examples exim4-4.92~RC4/debian/exim4-base.examples
--- exim4-4.91/debian/exim4-base.examples	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-base.examples	2019-01-10 15:41:45.000000000 +0000
@@ -1,5 +1,5 @@
 b-exim4-daemon-light/util/cramtest.pl
 b-exim4-daemon-light/util/logargs.sh
 b-exim4-daemon-light/util/unknownuser.sh
-debian/exim-gencert
 debian/exim-adduser
+debian/exim-gencert
diff -Nru exim4-4.91/debian/exim4-base.install exim4-4.92~RC4/debian/exim4-base.install
--- exim4-4.91/debian/exim4-base.install	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-base.install	2019-01-10 15:41:45.000000000 +0000
@@ -1,3 +1,3 @@
-debian/script usr/share/bug/exim4-base
-debian/gnutls-params-2048 usr/share/exim4
 debian/exim4_refresh_gnutls-params usr/share/exim4
+debian/gnutls-params-2048 usr/share/exim4
+debian/script usr/share/bug/exim4-base
diff -Nru exim4-4.91/debian/exim4-base.manpages exim4-4.92~RC4/debian/exim4-base.manpages
--- exim4-4.91/debian/exim4-base.manpages	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-base.manpages	2019-01-10 15:41:45.000000000 +0000
@@ -2,6 +2,7 @@
 debian/manpages/exicyclog.8
 debian/manpages/exigrep.8
 debian/manpages/exim_checkaccess.8
+debian/manpages/exim_convert4r4.8
 debian/manpages/exim_db.8
 debian/manpages/exim_dbmbuild.8
 debian/manpages/exim_lock.8
@@ -9,4 +10,3 @@
 debian/manpages/exiqgrep.8
 debian/manpages/exiqsumm.8
 debian/manpages/exiwhat.8
-debian/manpages/exim_convert4r4.8
diff -Nru exim4-4.91/debian/exim4-config.dirs exim4-4.92~RC4/debian/exim4-config.dirs
--- exim4-4.91/debian/exim4-config.dirs	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-config.dirs	2019-01-10 15:41:45.000000000 +0000
@@ -1,6 +1,6 @@
-/usr/sbin
 /etc/exim4/conf.d
 /etc/ppp/ip-up.d
+/usr/sbin
 /usr/share/doc/exim4-config
 /usr/share/man/man8
 /var/lib/exim4
diff -Nru exim4-4.91/debian/exim4-config.install exim4-4.92~RC4/debian/exim4-config.install
--- exim4-4.91/debian/exim4-config.install	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-config.install	2019-01-10 15:41:45.000000000 +0000
@@ -1,3 +1,3 @@
-debian/debconf/update-exim4.conf.template usr/sbin
 debian/debconf/exim4.conf.template etc/exim4
+debian/debconf/update-exim4.conf.template usr/sbin
 debian/script usr/share/bug/exim4-config
diff -Nru exim4-4.91/debian/exim4-config.links exim4-4.92~RC4/debian/exim4-config.links
--- exim4-4.91/debian/exim4-config.links	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-config.links	2019-01-10 15:41:45.000000000 +0000
@@ -1,15 +1,15 @@
 usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/etc-aliases.5.gz
 usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/etc-email-addresses.5.gz
+usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_exim_crt.5.gz
+usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_exim_key.5.gz
+usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_host_local_deny_exceptions.5.gz
+usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_hubbed_hosts.5.gz
+usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_domain_dnsbl_whitelist.5.gz
 usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_host_blacklist.5.gz
+usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_rcpt_callout.5.gz
 usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_sender_blacklist.5.gz
-usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_host_local_deny_exceptions.5.gz
-usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_sender_local_deny_exceptions.5.gz
 usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_sender_callout.5.gz
-usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_rcpt_callout.5.gz
-usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_domain_dnsbl_whitelist.5.gz
-usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_hubbed_hosts.5.gz
 usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_passwd.5.gz
 usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_passwd_client.5.gz
-usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_exim_crt.5.gz
-usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_exim_key.5.gz
+usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_sender_local_deny_exceptions.5.gz
 usr/share/man/man8/update-exim4.conf.8.gz usr/share/man/man5/update-exim4.conf.conf.5.gz
diff -Nru exim4-4.91/debian/exim4-config.manpages exim4-4.92~RC4/debian/exim4-config.manpages
--- exim4-4.91/debian/exim4-config.manpages	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-config.manpages	2019-01-10 15:41:45.000000000 +0000
@@ -1,4 +1,4 @@
+debian/manpages/exim4-config_files.5
 debian/manpages/update-exim4.conf.8
 debian/manpages/update-exim4.conf.template.8
 debian/manpages/update-exim4defaults.8
-debian/manpages/exim4-config_files.5
diff -Nru exim4-4.91/debian/exim4-daemon-custom.links exim4-4.92~RC4/debian/exim4-daemon-custom.links
--- exim4-4.91/debian/exim4-daemon-custom.links	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-daemon-custom.links	2019-01-10 15:41:45.000000000 +0000
@@ -1,18 +1,18 @@
-usr/share/man/man8/exim.8.gz usr/share/man/man8/exim4.8.gz
+usr/sbin/exim4 usr/bin/mailq
+usr/sbin/exim4 usr/bin/newaliases
 usr/sbin/exim4 usr/lib/exim4/exim4
 usr/sbin/exim4 usr/lib/sendmail
 usr/sbin/exim4 usr/sbin/exim
-usr/sbin/exim4 usr/sbin/sendmail
-usr/sbin/exim4 usr/sbin/runq
 usr/sbin/exim4 usr/sbin/rmail
 usr/sbin/exim4 usr/sbin/rsmtp
-usr/sbin/exim4 usr/bin/mailq
-usr/sbin/exim4 usr/bin/newaliases
-usr/share/doc/exim4-base/changelog.gz usr/share/doc/exim4-daemon-custom/changelog.gz
+usr/sbin/exim4 usr/sbin/runq
+usr/sbin/exim4 usr/sbin/sendmail
 usr/share/doc/exim4-base/README.Debian.gz usr/share/doc/exim4-daemon-custom/README.Debian.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/sendmail.8.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/runq.8.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/rmail.8.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/rsmtp.8.gz
+usr/share/doc/exim4-base/changelog.gz usr/share/doc/exim4-daemon-custom/changelog.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/exim4.8.gz
 usr/share/man/man8/exim.8.gz usr/share/man/man8/mailq.8.gz
 usr/share/man/man8/exim.8.gz usr/share/man/man8/newaliases.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/rmail.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/rsmtp.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/runq.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/sendmail.8.gz
diff -Nru exim4-4.91/debian/exim4-daemon-heavy.dirs exim4-4.92~RC4/debian/exim4-daemon-heavy.dirs
--- exim4-4.91/debian/exim4-daemon-heavy.dirs	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-daemon-heavy.dirs	2019-01-10 15:41:45.000000000 +0000
@@ -1,4 +1,4 @@
 /usr/lib/exim4
+/usr/lib/exim4/local_scan
 /usr/sbin
 /usr/share/man/man8
-/usr/lib/exim4/local_scan
diff -Nru exim4-4.91/debian/exim4-daemon-heavy.links exim4-4.92~RC4/debian/exim4-daemon-heavy.links
--- exim4-4.91/debian/exim4-daemon-heavy.links	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-daemon-heavy.links	2019-01-10 15:41:45.000000000 +0000
@@ -1,18 +1,18 @@
-usr/share/man/man8/exim.8.gz usr/share/man/man8/exim4.8.gz
+usr/sbin/exim4 usr/bin/mailq
+usr/sbin/exim4 usr/bin/newaliases
 usr/sbin/exim4 usr/lib/exim4/exim4
 usr/sbin/exim4 usr/lib/sendmail
 usr/sbin/exim4 usr/sbin/exim
-usr/sbin/exim4 usr/sbin/sendmail
-usr/sbin/exim4 usr/sbin/runq
 usr/sbin/exim4 usr/sbin/rmail
 usr/sbin/exim4 usr/sbin/rsmtp
-usr/sbin/exim4 usr/bin/mailq
-usr/sbin/exim4 usr/bin/newaliases
-usr/share/doc/exim4-base/changelog.gz usr/share/doc/exim4-daemon-heavy/changelog.gz
+usr/sbin/exim4 usr/sbin/runq
+usr/sbin/exim4 usr/sbin/sendmail
 usr/share/doc/exim4-base/README.Debian.gz usr/share/doc/exim4-daemon-heavy/README.Debian.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/sendmail.8.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/runq.8.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/rmail.8.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/rsmtp.8.gz
+usr/share/doc/exim4-base/changelog.gz usr/share/doc/exim4-daemon-heavy/changelog.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/exim4.8.gz
 usr/share/man/man8/exim.8.gz usr/share/man/man8/mailq.8.gz
 usr/share/man/man8/exim.8.gz usr/share/man/man8/newaliases.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/rmail.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/rsmtp.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/runq.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/sendmail.8.gz
diff -Nru exim4-4.91/debian/exim4-daemon-light.links exim4-4.92~RC4/debian/exim4-daemon-light.links
--- exim4-4.91/debian/exim4-daemon-light.links	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-daemon-light.links	2019-01-10 15:41:45.000000000 +0000
@@ -1,18 +1,18 @@
-usr/share/man/man8/exim.8.gz usr/share/man/man8/exim4.8.gz
+usr/sbin/exim4 usr/bin/mailq
+usr/sbin/exim4 usr/bin/newaliases
 usr/sbin/exim4 usr/lib/exim4/exim4
 usr/sbin/exim4 usr/lib/sendmail
 usr/sbin/exim4 usr/sbin/exim
-usr/sbin/exim4 usr/sbin/sendmail
-usr/sbin/exim4 usr/sbin/runq
 usr/sbin/exim4 usr/sbin/rmail
 usr/sbin/exim4 usr/sbin/rsmtp
-usr/sbin/exim4 usr/bin/mailq
-usr/sbin/exim4 usr/bin/newaliases
-usr/share/doc/exim4-base/changelog.gz usr/share/doc/exim4-daemon-light/changelog.gz
+usr/sbin/exim4 usr/sbin/runq
+usr/sbin/exim4 usr/sbin/sendmail
 usr/share/doc/exim4-base/README.Debian.gz usr/share/doc/exim4-daemon-light/README.Debian.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/sendmail.8.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/runq.8.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/rmail.8.gz
-usr/share/man/man8/exim.8.gz usr/share/man/man8/rsmtp.8.gz
+usr/share/doc/exim4-base/changelog.gz usr/share/doc/exim4-daemon-light/changelog.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/exim4.8.gz
 usr/share/man/man8/exim.8.gz usr/share/man/man8/mailq.8.gz
 usr/share/man/man8/exim.8.gz usr/share/man/man8/newaliases.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/rmail.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/rsmtp.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/runq.8.gz
+usr/share/man/man8/exim.8.gz usr/share/man/man8/sendmail.8.gz
diff -Nru exim4-4.91/debian/exim4-dev.install exim4-4.92~RC4/debian/exim4-dev.install
--- exim4-4.91/debian/exim4-dev.install	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-dev.install	2019-01-10 15:41:45.000000000 +0000
@@ -1,4 +1,4 @@
 b-exim4-daemon-light/src/local_scan.h usr/include/exim4
-b-exim4-daemon-light/src/store.h usr/include/exim4
 b-exim4-daemon-light/src/mytypes.h usr/include/exim4
+b-exim4-daemon-light/src/store.h usr/include/exim4
 debian/exim4-localscan-plugin-config usr/bin
diff -Nru exim4-4.91/debian/exim4-dev.links exim4-4.92~RC4/debian/exim4-dev.links
--- exim4-4.91/debian/exim4-dev.links	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/exim4-dev.links	2019-01-10 15:41:45.000000000 +0000
@@ -1,2 +1,2 @@
-usr/share/doc/exim4-base/changelog.gz usr/share/doc/exim4-dev/changelog.gz
 usr/share/doc/exim4-base/README.Debian.gz usr/share/doc/exim4-dev/README.Debian.gz
+usr/share/doc/exim4-base/changelog.gz usr/share/doc/exim4-dev/changelog.gz
diff -Nru exim4-4.91/debian/eximon4.dirs exim4-4.92~RC4/debian/eximon4.dirs
--- exim4-4.91/debian/eximon4.dirs	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/eximon4.dirs	2019-01-10 15:41:45.000000000 +0000
@@ -1,2 +1,2 @@
-usr/sbin
 usr/lib/exim4
+usr/sbin
diff -Nru exim4-4.91/debian/patches/31_eximmanpage.dpatch exim4-4.92~RC4/debian/patches/31_eximmanpage.dpatch
--- exim4-4.91/debian/patches/31_eximmanpage.dpatch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/31_eximmanpage.dpatch	2019-01-10 15:41:45.000000000 +0000
@@ -2,7 +2,7 @@
  accordingly.
 Author: Marc Haber <mh+debian-packages@zugschlus.de>, 
  Andreas Metzler <ametzler@bebt.de>
-Last-Update: 2017-01-31
+Last-Update: 2018-12-31
 Forwarded: not-needed (upstream uses the "exim" name)
 
 --- a/doc/exim.8
@@ -40,7 +40,7 @@
  PID_FILE_PATH in Local/Makefile. The file is written while Exim is still
  running as root.
  .sp
-@@ -179,7 +179,7 @@ available to admin users.
+@@ -180,7 +180,7 @@ available to admin users.
  This option operates like \fB\-be\fP except that it must be followed by the name
  of a file. For example:
  .sp
@@ -49,7 +49,7 @@
  .sp
  The file is read as a message (as if receiving a locally\-submitted non\-SMTP
  message) before any of the test expansions are done. Thus, message\-specific
-@@ -205,7 +205,7 @@ If you want to test a system filter file
+@@ -206,7 +206,7 @@ If you want to test a system filter file
  can use both \fB\-bF\fP and \fB\-bf\fP on the same command, in order to test a system
  filter and a user filter in the same run. For example:
  .sp
@@ -58,7 +58,7 @@
  .sp
  This is helpful when the system filter adds header lines or sets filter
  variables that are used by the user filter.
-@@ -257,8 +257,8 @@ This option runs a fake SMTP session as
+@@ -258,8 +258,8 @@ This option runs a fake SMTP session as
  standard input and output. The IP address may include a port number at the end,
  after a full stop. For example:
  .sp
@@ -69,7 +69,7 @@
  .sp
  When an IPv6 address is given, it is converted into canonical form. In the case
  of the second example above, the value of \fI$sender_host_address\fP after
-@@ -416,7 +416,7 @@ main configuration options to be written
+@@ -417,7 +417,7 @@ main configuration options to be written
  of one or more specific options can be requested by giving their names as
  arguments, for example:
  .sp
@@ -78,7 +78,7 @@
  .sp
  However, any option setting that is preceded by the word "hide" in the
  configuration file is not shown in full, except to an admin user. For other
-@@ -444,7 +444,7 @@ written directly into the spool director
+@@ -445,7 +445,7 @@ written directly into the spool director
  .sp
  If \fB\-bP\fP is followed by a name preceded by +, for example,
  .sp
@@ -87,7 +87,7 @@
  .sp
  it searches for a matching named list of any type (domain, host, address, or
  local part) and outputs what it finds.
-@@ -453,7 +453,7 @@ If one of the words \fBrouter\fP, \fBtra
+@@ -454,7 +454,7 @@ If one of the words \fBrouter\fP, \fBtra
  followed by the name of an appropriate driver instance, the option settings for
  that driver are output. For example:
  .sp
@@ -96,7 +96,7 @@
  .sp
  The generic driver options are output first, followed by the driver's private
  options. A list of the names of drivers of a particular type can be obtained by
-@@ -536,7 +536,7 @@ This option is for testing retry rules,
+@@ -539,7 +539,7 @@ This option is for testing retry rules,
  arguments. It causes Exim to look for a retry rule that matches the values
  and to write it to the standard output. For example:
  .sp
@@ -105,7 +105,7 @@
    Retry rule: *.comp.mus.example  F,2h,15m; F,4d,30m;
  .sp
   The first
-@@ -549,7 +549,7 @@ rule is found that matches the host, one
+@@ -552,7 +552,7 @@ rule is found that matches the host, one
  sought. Finally, an argument that is the name of a specific delivery error, as
  used in setting up retry rules, can be given. For example:
  .sp
@@ -114,7 +114,7 @@
    Retry rule: *@haydn.comp.mus.example quota_3d  F,1h,15m
  .TP 10
  \fB\-brw\fP
-@@ -652,7 +652,7 @@ doing such tests.
+@@ -655,7 +655,7 @@ doing such tests.
  .TP 10
  \fB\-bV\fP
  This option causes Exim to write the current version number, compilation
@@ -122,8 +122,8 @@
 +number, and compilation date of the \fIexim4\fP binary to the standard output.
  It also lists the DBM library that is being used, the optional modules (such as
  specific lookup types), the drivers that are included in the binary, and the
- name of the run time configuration file that is in use.
-@@ -680,7 +680,7 @@ If no arguments are given, Exim runs in
+ name of the runtime configuration file that is in use.
+@@ -683,7 +683,7 @@ If no arguments are given, Exim runs in
  right angle bracket for addresses to be verified.
  .sp
  Unlike the \fB\-be\fP test option, you cannot arrange for Exim to use the
@@ -132,7 +132,7 @@
  security issues.
  .sp
  Verification differs from address testing (the \fB\-bt\fP option) in that routers
-@@ -793,14 +793,14 @@ command line item. \fB\-D\fP can be used
+@@ -796,14 +796,14 @@ command line item. \fB\-D\fP can be used
  string, in which case the equals sign is optional. These two commands are
  synonymous:
  .sp
@@ -150,7 +150,7 @@
  .sp
  \fB\-D\fP may be repeated up to 10 times on a command line.
  Only macro names up to 22 letters long can be set.
-@@ -930,8 +930,8 @@ never provoke a bounce. An empty sender
+@@ -938,8 +938,8 @@ never provoke a bounce. An empty sender
  string, or as a pair of angle brackets with nothing between them, as in these
  examples of shell commands:
  .sp
@@ -161,7 +161,7 @@
  .sp
  In addition, the use of \fB\-f\fP is not restricted when testing a filter file
  with \fB\-bf\fP or when testing or verifying addresses using the \fB\-bt\fP or
-@@ -1307,12 +1307,12 @@ other circumstances, they are ignored un
+@@ -1315,12 +1315,12 @@ other circumstances, they are ignored un
  The \fB\-oMa\fP option sets the sender host address. This may include a port
  number at the end, after a full stop (period). For example:
  .sp
@@ -176,7 +176,7 @@
  .sp
  The IP address is placed in the \fI$sender_host_address\fP variable, and the
  port, if present, in \fI$sender_host_port\fP. If both \fB\-oMa\fP and \fB\-bh\fP
-@@ -1518,22 +1518,22 @@ If other commandline options specify an
+@@ -1526,22 +1526,22 @@ If other commandline options specify an
  will specify a queue to operate on.
  For example:
  .sp
@@ -203,7 +203,7 @@
  .sp
  just one delivery process is started, for that message. This differs from
  \fB\-M\fP in that retry data is respected, and it also differs from \fB\-Mc\fP in
-@@ -1549,7 +1549,7 @@ starting a queue runner process at inter
+@@ -1557,7 +1557,7 @@ starting a queue runner process at inter
  single daemon process handles both functions. A common way of starting up a
  combined daemon at system boot time is to use a command such as
  .sp
@@ -212,7 +212,7 @@
  .sp
  Such a daemon listens for incoming SMTP calls, and also starts a queue runner
  process every 30 minutes.
-@@ -1580,7 +1580,7 @@ regular expression; otherwise it is a li
+@@ -1588,7 +1588,7 @@ regular expression; otherwise it is a li
  If you want to do periodic queue runs for messages with specific recipients,
  you can combine \fB\-R\fP with \fB\-q\fP and a time value. For example:
  .sp
@@ -221,7 +221,7 @@
  .sp
  This example does a queue run for messages with recipients in the given domain
  every 25 minutes. Any additional flags that are specified with \fB\-q\fP are
-@@ -1696,6 +1696,26 @@ under most shells.
+@@ -1704,6 +1704,26 @@ under most shells.
  .sp
  .
  .SH "SEE ALSO"
diff -Nru exim4-4.91/debian/patches/32_exim4.dpatch exim4-4.92~RC4/debian/patches/32_exim4.dpatch
--- exim4-4.91/debian/patches/32_exim4.dpatch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/32_exim4.dpatch	2019-01-10 15:41:45.000000000 +0000
@@ -2,7 +2,7 @@
 Author: Andreas Metzler <ametzler@debian.org>
 Origin: vendor
 Forwarded: not-needed
-Last-Update: 2013-09-28
+Last-Update: 2018-12-12
 
 --- a/OS/Makefile-Linux
 +++ b/OS/Makefile-Linux
@@ -84,7 +84,7 @@
  my %opt;
 --- a/src/exiwhat.src
 +++ b/src/exiwhat.src
-@@ -95,7 +95,7 @@ fi
+@@ -98,7 +98,7 @@ fi
  
  st='	 '
  exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
@@ -95,12 +95,12 @@
  
 --- a/src/globals.c
 +++ b/src/globals.c
-@@ -725,7 +725,7 @@ const uschar *event_name         = NULL;
+@@ -906,7 +906,7 @@ const uschar *event_name         = NULL;
+ 
  
  gid_t   exim_gid               = EXIM_GID;
- BOOL    exim_gid_set           = TRUE;          /* This gid is always set */
 -uschar *exim_path              = US BIN_DIRECTORY "/exim"
 +uschar *exim_path              = US BIN_DIRECTORY "/exim4"
                          "\0<---------------Space to patch exim_path->";
  uid_t   exim_uid               = EXIM_UID;
- BOOL    exim_uid_set           = TRUE;          /* This uid is always set */
+ int     expand_level	       = 0;		/* Nesting depth, indent for debug */
diff -Nru exim4-4.91/debian/patches/67_unnecessaryCopt.diff exim4-4.92~RC4/debian/patches/67_unnecessaryCopt.diff
--- exim4-4.91/debian/patches/67_unnecessaryCopt.diff	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/67_unnecessaryCopt.diff	2019-01-10 15:41:45.000000000 +0000
@@ -1,8 +1,8 @@
 Description: Stop using exim's -C option in utility scripts (exiwhat
   et al.) since this breaks with ALT_CONFIG_PREFIX.
-Author: Andreas Metzler <ametzler@downhill.at.eu.org>
+Author: Andreas Metzler <ametzler@bebt.de>
 Forwarded: http://bugs.exim.org/show_bug.cgi?id=1045
-Last-Update: 2014-12-01
+Last-Update: 2018-12-31
 
 --- a/src/exicyclog.src
 +++ b/src/exicyclog.src
@@ -56,7 +56,7 @@
    while (<LIST>)
 --- a/src/exiwhat.src
 +++ b/src/exiwhat.src
-@@ -96,8 +96,8 @@ fi
+@@ -99,8 +99,8 @@ fi
  st='	 '
  exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
  if test "$exim_path" = ""; then exim_path=BIN_DIRECTORY/exim4; fi
diff -Nru exim4-4.91/debian/patches/70_remove_exim-users_references.dpatch exim4-4.92~RC4/debian/patches/70_remove_exim-users_references.dpatch
--- exim4-4.91/debian/patches/70_remove_exim-users_references.dpatch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/70_remove_exim-users_references.dpatch	2019-01-10 15:41:45.000000000 +0000
@@ -1,9 +1,6 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 70_remove_exim-users_references.dpatch by Marc Haber <mh+debian-packages@zugschlus.de>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-Last-Update: 2014-12-01
+Description: Point Debian users to Debian specific ML.
+Author: Marc Haber <mh+debian-packages@zugschlus.de>
+Last-Update: 2018-12-31
 
 --- a/README
 +++ b/README
@@ -11,7 +8,7 @@
  older book may be helpful for the background, but a lot of the detail has
  changed, so it is likely to be confusing to newcomers.
  
--There is a web site at http://www.exim.org; this contains details of the
+-There is a website at https://www.exim.org; this contains details of the
 -mailing list exim-users@exim.org.
 +Information about the way Debian has built the binary packages is
 +obtainable in /usr/share/doc/exim4-base/README.Debian.gz, and there
@@ -22,7 +19,7 @@
 +can find the subscription web page on
 +http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users
 +
-+There is a web site at http://www.exim.org.
++There is a website at https://www.exim.org/.
  
  A copy of the Exim FAQ should be available from the same source that you used
  to obtain the Exim distribution. Additional formats for the documentation
@@ -32,9 +29,9 @@
  
  =head1 AUTHOR
  
--There is a web site at http://www.exim.org - this contains details of the
+-There is a website at https://www.exim.org - this contains details of the
 -mailing list exim-users@exim.org.
-+There is a web site at http://www.exim.org
++There is a website at https://www.exim.org/.
  
  =head1 TO DO
  
diff -Nru exim4-4.91/debian/patches/75_fixes_01-Belated-README.UPDATING-notes-for-Exim-4.91.patch exim4-4.92~RC4/debian/patches/75_fixes_01-Belated-README.UPDATING-notes-for-Exim-4.91.patch
--- exim4-4.91/debian/patches/75_fixes_01-Belated-README.UPDATING-notes-for-Exim-4.91.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_01-Belated-README.UPDATING-notes-for-Exim-4.91.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,52 +0,0 @@
-From 0111e9faaba8126eac5f50992968cce768050399 Mon Sep 17 00:00:00 2001
-From: Phil Pennock <pdp@exim.org>
-Date: Mon, 16 Apr 2018 15:24:34 -0400
-Subject: [PATCH 1/6] Belated README.UPDATING notes for Exim 4.91
-
-People skip versions and move past them later, so while it's too late
-for 4.91, this will still help people moving to 4.92 from pre-4.91 in
-future.
-
-Note that none of these strictly needed to be documented here:
-experimental features, features marked as deprecated for many many
-years, etc.  But let's err on the side of caution and include "things
-which will break if you try to upgrade without changing Local/Makefile".
----
- src/README.UPDATING | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/README.UPDATING b/README.UPDATING
-index 05b3d9d9..73b52e4a 100644
---- a/README.UPDATING
-+++ b/README.UPDATING
-@@ -26,6 +26,27 @@ The rest of this document contains information about changes in 4.xx releases
- that might affect a running system.
- 
- 
-+Exim version 4.91
-+-----------------
-+
-+ * DANE and SPF have been promoted from Experimental to Supported status, thus
-+   the options to enable them in Local/Makefile have been renamed.
-+   See current src/EDITME for full details, including changes in dependencies,
-+   but loosely: replace EXPERIMENTAL_SPF with SUPPORT_SPF and replace
-+   EXPERIMENTAL_DANE with SUPPORT_DANE.
-+
-+ * Ancient ClamAV stream support, long deprecated by ClamAV, has been removed;
-+   if you were building with WITH_OLD_CLAMAV_STREAM enabled then your problems
-+   have marginally increased.
-+
-+ * A number of logging changes; if relying upon the previous DKIM additional
-+   log-line, explicit log_selector configuration is needed to keep it.
-+
-+ * Other incompatible changes in EXPERIMENTAL_* features, read NewStuff and
-+   ChangeLog carefully if relying upon an experimental feature such as DMARC.
-+   Note that this includes changes to SPF as it was promoted into Supported.
-+
-+
- Exim version 4.89
- -----------------
- 
--- 
-2.17.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_02-Avoid-doing-logging-in-signal-handlers.-Bug-1007.patch exim4-4.92~RC4/debian/patches/75_fixes_02-Avoid-doing-logging-in-signal-handlers.-Bug-1007.patch
--- exim4-4.91/debian/patches/75_fixes_02-Avoid-doing-logging-in-signal-handlers.-Bug-1007.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_02-Avoid-doing-logging-in-signal-handlers.-Bug-1007.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,628 +0,0 @@
-From 101702337f7eb652fc99f440b64904b1e1629c2f Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Mon, 23 Apr 2018 12:41:31 +0100
-Subject: [PATCH 2/6]         Avoid doing logging in signal-handlers.  Bug 1007
-
-        Cherry-picked from 9723f96673, with the LOCAL_SCAN changes removed
----
- doc/ChangeLog |   7 ++
- src/functions.h   |   4 +
- src/globals.c     |   4 +
- src/globals.h     |   4 +
- src/local_scan.c  |   1 +
- src/receive.c     | 193 +++++++++++++++++++++++-------------------
- src/smtp_in.c     |  82 +++++++++++++-----
- src/spool_out.c   |   4 +-
- src/tls-gnu.c     |  20 +++--
- src/tls-openssl.c |  11 ++-
- 10 files changed, 216 insertions(+), 114 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index b4c98572..58673c23 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -5,6 +5,13 @@ affect Exim's operation, with an unchanged configuration file.  For new
- options, and new features, see the NewStuff file next to this ChangeLog.
- 
- 
-+Since version 4.91
-+------------------
-+
-+JH/02 Bug 1007: Avoid doing logging from signal-handlers, as that can result in
-+      non-signal-safe functions being used.
-+
-+
- Exim version 4.91
- -----------------
- 
-diff --git a/src/functions.h b/src/functions.h
-index 9be5c32a..5f9deab6 100644
---- a/src/functions.h
-+++ b/src/functions.h
-@@ -427,6 +427,10 @@ extern int     sieve_interpret(uschar *, int, uschar *, uschar *, uschar *,
- extern void    sigalrm_handler(int);
- extern BOOL    smtp_buffered(void);
- extern void    smtp_closedown(uschar *);
-+extern void    smtp_command_timeout_exit(void);
-+extern void    smtp_command_sigterm_exit(void);
-+extern void    smtp_data_timeout_exit(void);
-+extern void    smtp_data_sigint_exit(void);
- extern uschar *smtp_cmd_hist(void);
- extern int     smtp_connect(host_item *, int, uschar *, int,
- 	       	 transport_instance *);
-diff --git a/src/globals.c b/src/globals.c
-index 7d18b38b..5b480572 100644
---- a/src/globals.c
-+++ b/src/globals.c
-@@ -770,6 +770,10 @@ uschar *gecos_name             = NULL;
- uschar *gecos_pattern          = NULL;
- rewrite_rule  *global_rewrite_rules = NULL;
- 
-+volatile sig_atomic_t had_command_timeout = 0;
-+volatile sig_atomic_t had_command_sigterm = 0;
-+volatile sig_atomic_t had_data_timeout    = 0;
-+volatile sig_atomic_t had_data_sigint     = 0;
- uschar *headers_charset        = US HEADERS_CHARSET;
- int     header_insert_maxlen   = 64 * 1024;
- header_line  *header_last      = NULL;
-diff --git a/src/globals.h b/src/globals.h
-index da1230b7..2915513f 100644
---- a/src/globals.h
-+++ b/src/globals.h
-@@ -492,6 +492,10 @@ extern uschar *gecos_name;             /* To be expanded when pattern matches */
- extern uschar *gecos_pattern;          /* Pattern to match */
- extern rewrite_rule *global_rewrite_rules;  /* Chain of rewriting rules */
- 
-+extern volatile sig_atomic_t had_command_timeout;   /* Alarm sighandler called */
-+extern volatile sig_atomic_t had_command_sigterm;   /* TERM  sighandler called */
-+extern volatile sig_atomic_t had_data_timeout;      /* Alarm sighandler called */
-+extern volatile sig_atomic_t had_data_sigint;       /* TERM/INT  sighandler called */
- extern int     header_insert_maxlen;   /* Max for inserting headers */
- extern int     header_maxsize;         /* Max total length for header */
- extern int     header_line_maxsize;    /* Max for an individual line */
-diff --git a/src/local_scan.c b/src/local_scan.c
-index 3500047c..4dd0b2ba 100644
---- a/src/local_scan.c
-+++ b/src/local_scan.c
-@@ -12,6 +12,7 @@ If you want to implement your own version, you should copy this file to, say
- Local/local_scan.c, and edit the copy. To use your version instead of the
- default, you must set
- 
-+HAVE_LOCAL_SCAN=yes
- LOCAL_SCAN_SOURCE=Local/local_scan.c
- 
- in your Local/Makefile. This makes it easy to copy your version for use with
-diff --git a/src/receive.c b/src/receive.c
-index cba53c20..3b215f23 100644
---- a/src/receive.c
-+++ b/src/receive.c
-@@ -8,6 +8,7 @@
- /* Code for receiving a message and setting up spool files. */
- 
- #include "exim.h"
-+#include <setjmp.h>
- 
- #ifdef EXPERIMENTAL_DCC
- extern int dcc_ok;
-@@ -27,6 +28,10 @@ static uschar *spool_name = US"";
- 
- enum CH_STATE {LF_SEEN, MID_LINE, CR_SEEN};
- 
-+jmp_buf local_scan_env;		/* error-handling context for local_scan */
-+unsigned had_local_scan_crash;
-+unsigned had_local_scan_timeout;
-+
- 
- /*************************************************
- *      Non-SMTP character reading functions      *
-@@ -40,7 +45,27 @@ changing the pointer variables.) */
- int
- stdin_getc(unsigned lim)
- {
--return getc(stdin);
-+int c = getc(stdin);
-+
-+if (had_data_timeout)
-+  {
-+  fprintf(stderr, "exim: timed out while reading - message abandoned\n");
-+  log_write(L_lost_incoming_connection,
-+            LOG_MAIN, "timed out while reading local message");
-+  receive_bomb_out(US"data-timeout", NULL);   /* Does not return */
-+  }
-+if (had_data_sigint)
-+  {
-+  if (filter_test == FTEST_NONE)
-+    {
-+    fprintf(stderr, "\nexim: %s received - message abandoned\n",
-+      had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
-+    log_write(0, LOG_MAIN, "%s received while reading local message",
-+      had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
-+    }
-+  receive_bomb_out(US"signal-exit", NULL);    /* Does not return */
-+  }
-+return c;
- }
- 
- int
-@@ -316,11 +341,13 @@ if (spool_name[0] != '\0')
- 
- /* Now close the file if it is open, either as a fd or a stream. */
- 
--if (data_file != NULL)
-+if (data_file)
-   {
-   (void)fclose(data_file);
-   data_file = NULL;
--} else if (data_fd >= 0) {
-+  }
-+else if (data_fd >= 0)
-+  {
-   (void)close(data_fd);
-   data_fd = -1;
-   }
-@@ -361,27 +388,7 @@ Returns:   nothing
- static void
- data_timeout_handler(int sig)
- {
--uschar *msg = NULL;
--
--sig = sig;    /* Keep picky compilers happy */
--
--if (smtp_input)
--  {
--  msg = US"SMTP incoming data timeout";
--  log_write(L_lost_incoming_connection,
--            LOG_MAIN, "SMTP data timeout (message abandoned) on connection "
--            "from %s F=<%s>",
--            (sender_fullhost != NULL)? sender_fullhost : US"local process",
--            sender_address);
--  }
--else
--  {
--  fprintf(stderr, "exim: timed out while reading - message abandoned\n");
--  log_write(L_lost_incoming_connection,
--            LOG_MAIN, "timed out while reading local message");
--  }
--
--receive_bomb_out(US"data-timeout", msg);   /* Does not return */
-+had_data_timeout = sig;
- }
- 
- 
-@@ -391,7 +398,18 @@ receive_bomb_out(US"data-timeout", msg);   /* Does not return */
- *************************************************/
- 
- /* Handler function for timeouts that occur while running a local_scan()
--function.
-+function.  Posix recommends against calling longjmp() from a signal-handler,
-+but the GCC manual says you can so we will, and trust that it's better than
-+calling probably non-signal-safe functions during logging from within the
-+handler, even with other compilers.
-+
-+See also https://cwe.mitre.org/data/definitions/745.html which also lists
-+it as unsafe.
-+
-+This is all because we have no control over what might be written for a
-+local-scan function, so cannot sprinkle had-signal checks after each
-+call-site.  At least with the default "do-nothing" function we won't
-+ever get here.
- 
- Argument:  the signal number
- Returns:   nothing
-@@ -400,11 +418,8 @@ Returns:   nothing
- static void
- local_scan_timeout_handler(int sig)
- {
--sig = sig;    /* Keep picky compilers happy */
--log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - "
--  "message temporarily rejected (size %d)", message_size);
--/* Does not return */
--receive_bomb_out(US"local-scan-timeout", US"local verification problem");
-+had_local_scan_timeout = sig;
-+siglongjmp(local_scan_env, 1);
- }
- 
- 
-@@ -423,13 +438,12 @@ Returns:   nothing
- static void
- local_scan_crash_handler(int sig)
- {
--log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with "
--  "signal %d - message temporarily rejected (size %d)", sig, message_size);
--/* Does not return */
--receive_bomb_out(US"local-scan-error", US"local verification problem");
-+had_local_scan_crash = sig;
-+siglongjmp(local_scan_env, 1);
- }
- 
- 
-+
- /*************************************************
- *           SIGTERM or SIGINT received           *
- *************************************************/
-@@ -444,26 +458,7 @@ Returns:   nothing
- static void
- data_sigterm_sigint_handler(int sig)
- {
--uschar *msg = NULL;
--
--if (smtp_input)
--  {
--  msg = US"Service not available - SIGTERM or SIGINT received";
--  log_write(0, LOG_MAIN, "%s closed after %s", smtp_get_connection_info(),
--    (sig == SIGTERM)? "SIGTERM" : "SIGINT");
--  }
--else
--  {
--  if (filter_test == FTEST_NONE)
--    {
--    fprintf(stderr, "\nexim: %s received - message abandoned\n",
--      (sig == SIGTERM)? "SIGTERM" : "SIGINT");
--    log_write(0, LOG_MAIN, "%s received while reading local message",
--      (sig == SIGTERM)? "SIGTERM" : "SIGINT");
--    }
--  }
--
--receive_bomb_out(US"signal-exit", msg);    /* Does not return */
-+had_data_sigint = sig;
- }
- 
- 
-@@ -1678,6 +1673,7 @@ int dmarc_up = 0;
- uschar *timestamp;
- int tslen;
- 
-+
- /* Release any open files that might have been cached while preparing to
- accept the message - e.g. by verifying addresses - because reading a message
- might take a fair bit of real time. */
-@@ -1751,7 +1747,9 @@ received_time = message_id_tv;
- /* If SMTP input, set the special handler for timeouts. The alarm() calls
- happen in the smtp_getc() function when it refills its buffer. */
- 
--if (smtp_input) os_non_restarting_signal(SIGALRM, data_timeout_handler);
-+had_data_timeout = 0;
-+if (smtp_input)
-+  os_non_restarting_signal(SIGALRM, data_timeout_handler);
- 
- /* If not SMTP input, timeout happens only if configured, and we just set a
- single timeout for the whole message. */
-@@ -1764,6 +1762,7 @@ else if (receive_timeout > 0)
- 
- /* SIGTERM and SIGINT are caught always. */
- 
-+had_data_sigint = 0;
- signal(SIGTERM, data_sigterm_sigint_handler);
- signal(SIGINT, data_sigterm_sigint_handler);
- 
-@@ -3638,43 +3637,65 @@ dcc_ok = 0;
- version supplied with Exim always accepts, but this is a hook for sysadmins to
- supply their own checking code. The local_scan() function is run even when all
- the recipients have been discarded. */
--/*XXS could we avoid this for the standard case, given that few people will use it? */
- 
- lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
- 
- /* Arrange to catch crashes in local_scan(), so that the -D file gets
- deleted, and the incident gets logged. */
- 
--os_non_restarting_signal(SIGSEGV, local_scan_crash_handler);
--os_non_restarting_signal(SIGFPE, local_scan_crash_handler);
--os_non_restarting_signal(SIGILL, local_scan_crash_handler);
--os_non_restarting_signal(SIGBUS, local_scan_crash_handler);
--
--DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n",
--  local_scan_timeout);
--local_scan_data = NULL;
--
--os_non_restarting_signal(SIGALRM, local_scan_timeout_handler);
--if (local_scan_timeout > 0) alarm(local_scan_timeout);
--rc = local_scan(data_fd, &local_scan_data);
--alarm(0);
--os_non_restarting_signal(SIGALRM, sigalrm_handler);
--
--enable_dollar_recipients = FALSE;
--
--store_pool = POOL_MAIN;   /* In case changed */
--DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc,
--  local_scan_data);
--
--os_non_restarting_signal(SIGSEGV, SIG_DFL);
--os_non_restarting_signal(SIGFPE, SIG_DFL);
--os_non_restarting_signal(SIGILL, SIG_DFL);
--os_non_restarting_signal(SIGBUS, SIG_DFL);
-+if (sigsetjmp(local_scan_env, 1) == 0)
-+  {
-+  had_local_scan_crash = 0;
-+  os_non_restarting_signal(SIGSEGV, local_scan_crash_handler);
-+  os_non_restarting_signal(SIGFPE, local_scan_crash_handler);
-+  os_non_restarting_signal(SIGILL, local_scan_crash_handler);
-+  os_non_restarting_signal(SIGBUS, local_scan_crash_handler);
-+
-+  DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n",
-+    local_scan_timeout);
-+  local_scan_data = NULL;
-+
-+  had_local_scan_timeout = 0;
-+  os_non_restarting_signal(SIGALRM, local_scan_timeout_handler);
-+  if (local_scan_timeout > 0) alarm(local_scan_timeout);
-+  rc = local_scan(data_fd, &local_scan_data);
-+  alarm(0);
-+  os_non_restarting_signal(SIGALRM, sigalrm_handler);
-+
-+  enable_dollar_recipients = FALSE;
-+
-+  store_pool = POOL_MAIN;   /* In case changed */
-+  DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc,
-+    local_scan_data);
-+
-+  os_non_restarting_signal(SIGSEGV, SIG_DFL);
-+  os_non_restarting_signal(SIGFPE, SIG_DFL);
-+  os_non_restarting_signal(SIGILL, SIG_DFL);
-+  os_non_restarting_signal(SIGBUS, SIG_DFL);
-+  }
-+else
-+  {
-+  if (had_local_scan_crash)
-+    {
-+    log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with "
-+      "signal %d - message temporarily rejected (size %d)",
-+      had_local_scan_crash, message_size);
-+    /* Does not return */
-+    receive_bomb_out(US"local-scan-error", US"local verification problem");
-+    }
-+  if (had_local_scan_timeout)
-+    {
-+    log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - "
-+      "message temporarily rejected (size %d)", message_size);
-+    /* Does not return */
-+    receive_bomb_out(US"local-scan-timeout", US"local verification problem");
-+    }
-+  }
- 
- /* The length check is paranoia against some runaway code, and also because
- (for a success return) lines in the spool file are read into big_buffer. */
- 
--if (local_scan_data != NULL)
-+if (local_scan_data)
-   {
-   int len = Ustrlen(local_scan_data);
-   if (len > LOCAL_SCAN_MAX_RETURN) len = LOCAL_SCAN_MAX_RETURN;
-@@ -3706,7 +3727,7 @@ the spool file gets corrupted. Ensure that all recipients are qualified. */
- 
- if (rc == LOCAL_SCAN_ACCEPT)
-   {
--  if (local_scan_data != NULL)
-+  if (local_scan_data)
-     {
-     uschar *s;
-     for (s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' ';
-@@ -4331,9 +4352,9 @@ starting. */
- 
- if (blackholed_by)
-   {
--  const uschar *detail = local_scan_data
--    ? string_printing(local_scan_data)
--    : string_sprintf("(%s discarded recipients)", blackholed_by);
-+  const uschar *detail =
-+    local_scan_data ? string_printing(local_scan_data) :
-+    string_sprintf("(%s discarded recipients)", blackholed_by);
-   log_write(0, LOG_MAIN, "=> blackhole %s%s", detail, blackhole_log_msg);
-   log_write(0, LOG_MAIN, "Completed");
-   message_id[0] = 0;
-diff --git a/src/smtp_in.c b/src/smtp_in.c
-index 33d6d3cc..433c677e 100644
---- a/src/smtp_in.c
-+++ b/src/smtp_in.c
-@@ -424,6 +424,53 @@ log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS,
- 
- 
- 
-+void
-+smtp_command_timeout_exit(void)
-+{
-+log_write(L_lost_incoming_connection,
-+	  LOG_MAIN, "SMTP command timeout on%s connection from %s",
-+	  tls_in.active >= 0 ? " TLS" : "", host_and_ident(FALSE));
-+if (smtp_batched_input)
-+  moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
-+smtp_notquit_exit(US"command-timeout", US"421",
-+  US"%s: SMTP command timeout - closing connection",
-+  smtp_active_hostname);
-+exim_exit(EXIT_FAILURE, US"receiving");
-+}
-+
-+void
-+smtp_command_sigterm_exit(void)
-+{
-+log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
-+if (smtp_batched_input)
-+  moan_smtp_batch(NULL, "421 SIGTERM received");  /* Does not return */
-+smtp_notquit_exit(US"signal-exit", US"421",
-+  US"%s: Service not available - closing connection", smtp_active_hostname);
-+exim_exit(EXIT_FAILURE, US"receiving");
-+}
-+
-+void
-+smtp_data_timeout_exit(void)
-+{
-+log_write(L_lost_incoming_connection,
-+  LOG_MAIN, "SMTP data timeout (message abandoned) on connection from %s F=<%s>",
-+  sender_fullhost ? sender_fullhost : US"local process", sender_address);
-+receive_bomb_out(US"data-timeout", US"SMTP incoming data timeout");
-+/* Does not return */
-+}
-+
-+void
-+smtp_data_sigint_exit(void)
-+{
-+log_write(0, LOG_MAIN, "%s closed after %s",
-+  smtp_get_connection_info(), had_data_sigint == SIGTERM ? "SIGTERM":"SIGINT");
-+receive_bomb_out(US"signal-exit",
-+  US"Service not available - SIGTERM or SIGINT received");
-+/* Does not return */
-+}
-+
-+
-+
- /* Refill the buffer, and notify DKIM verification code.
- Return false for error or EOF.
- */
-@@ -441,18 +488,28 @@ Take care to not touch the safety NUL at the end of the buffer. */
- 
- rc = read(fileno(smtp_in), smtp_inbuffer, MIN(IN_BUFFER_SIZE-1, lim));
- save_errno = errno;
--alarm(0);
-+if (smtp_receive_timeout > 0) alarm(0);
- if (rc <= 0)
-   {
-   /* Must put the error text in fixed store, because this might be during
-   header reading, where it releases unused store above the header. */
-   if (rc < 0)
-     {
-+    if (had_command_timeout)		/* set by signal handler */
-+      smtp_command_timeout_exit();	/* does not return */
-+    if (had_command_sigterm)
-+      smtp_command_sigterm_exit();
-+    if (had_data_timeout)
-+      smtp_data_timeout_exit();
-+    if (had_data_sigint)
-+      smtp_data_sigint_exit();
-+
-     smtp_had_error = save_errno;
-     smtp_read_error = string_copy_malloc(
-       string_sprintf(" (error: %s)", strerror(save_errno)));
-     }
--  else smtp_had_eof = 1;
-+  else
-+    smtp_had_eof = 1;
-   return FALSE;
-   }
- #ifndef DISABLE_DKIM
-@@ -914,16 +971,7 @@ Returns:  nothing
- static void
- command_timeout_handler(int sig)
- {
--sig = sig;    /* Keep picky compilers happy */
--log_write(L_lost_incoming_connection,
--          LOG_MAIN, "SMTP command timeout on%s connection from %s",
--          (tls_in.active >= 0)? " TLS" : "",
--          host_and_ident(FALSE));
--if (smtp_batched_input)
--  moan_smtp_batch(NULL, "421 SMTP command timeout");  /* Does not return */
--smtp_notquit_exit(US"command-timeout", US"421",
--  US"%s: SMTP command timeout - closing connection", smtp_active_hostname);
--exim_exit(EXIT_FAILURE, US"receiving");
-+had_command_timeout = sig;
- }
- 
- 
-@@ -941,13 +989,7 @@ Returns:  nothing
- static void
- command_sigterm_handler(int sig)
- {
--sig = sig;    /* Keep picky compilers happy */
--log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
--if (smtp_batched_input)
--  moan_smtp_batch(NULL, "421 SIGTERM received");  /* Does not return */
--smtp_notquit_exit(US"signal-exit", US"421",
--  US"%s: Service not available - closing connection", smtp_active_hostname);
--exim_exit(EXIT_FAILURE, US"receiving");
-+had_command_sigterm = sig;
- }
- 
- 
-@@ -1507,6 +1549,7 @@ int ptr = 0;
- smtp_cmd_list *p;
- BOOL hadnull = FALSE;
- 
-+had_command_timeout = 0;
- os_non_restarting_signal(SIGALRM, command_timeout_handler);
- 
- while ((c = (receive_getc)(buffer_lim)) != '\n' && c != EOF)
-@@ -3811,6 +3854,7 @@ cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
- 
- /* Set the local signal handler for SIGTERM - it tries to end off tidily */
- 
-+had_command_sigterm = 0;
- os_non_restarting_signal(SIGTERM, command_sigterm_handler);
- 
- /* Batched SMTP is handled in a different function. */
-diff --git a/src/spool_out.c b/src/spool_out.c
-index 8bebf107..2aa60322 100644
---- a/src/spool_out.c
-+++ b/src/spool_out.c
-@@ -221,7 +221,7 @@ if (host_lookup_deferred) fprintf(f, "-host_lookup_deferred\n");
- if (host_lookup_failed) fprintf(f, "-host_lookup_failed\n");
- if (sender_local) fprintf(f, "-local\n");
- if (local_error_message) fprintf(f, "-localerror\n");
--if (local_scan_data != NULL) fprintf(f, "-local_scan %s\n", local_scan_data);
-+if (local_scan_data) fprintf(f, "-local_scan %s\n", local_scan_data);
- #ifdef WITH_CONTENT_SCAN
- if (spam_bar)       fprintf(f,"-spam_bar %s\n",       spam_bar);
- if (spam_score)     fprintf(f,"-spam_score %s\n",     spam_score);
-@@ -231,7 +231,7 @@ if (deliver_manual_thaw) fprintf(f, "-manual_thaw\n");
- if (sender_set_untrusted) fprintf(f, "-sender_set_untrusted\n");
- 
- #ifdef EXPERIMENTAL_BRIGHTMAIL
--if (bmi_verdicts != NULL) fprintf(f, "-bmi_verdicts %s\n", bmi_verdicts);
-+if (bmi_verdicts) fprintf(f, "-bmi_verdicts %s\n", bmi_verdicts);
- #endif
- 
- #ifdef SUPPORT_TLS
-diff --git a/src/tls-gnu.c b/src/tls-gnu.c
-index d7318827..35816cd6 100644
---- a/src/tls-gnu.c
-+++ b/src/tls-gnu.c
-@@ -2511,12 +2511,20 @@ sigalrm_seen = FALSE;
- if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
- inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
-   MIN(ssl_xfer_buffer_size, lim));
--alarm(0);
--
--/* Timeouts do not get this far; see command_timeout_handler().
--   A zero-byte return appears to mean that the TLS session has been
--   closed down, not that the socket itself has been closed down. Revert to
--   non-TLS handling. */
-+if (smtp_receive_timeout > 0) alarm(0);
-+
-+if (had_command_timeout)		/* set by signal handler */
-+  smtp_command_timeout_exit();		/* does not return */
-+if (had_command_sigterm)
-+  smtp_command_sigterm_exit();
-+if (had_data_timeout)
-+  smtp_data_timeout_exit();
-+if (had_data_sigint)
-+  smtp_data_sigint_exit();
-+
-+/* Timeouts do not get this far.  A zero-byte return appears to mean that the
-+TLS session has been closed down, not that the socket itself has been closed
-+down. Revert to non-TLS handling. */
- 
- if (sigalrm_seen)
-   {
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index bfdfe211..fb59217d 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -2475,7 +2475,16 @@ if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
- inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
- 		  MIN(ssl_xfer_buffer_size, lim));
- error = SSL_get_error(server_ssl, inbytes);
--alarm(0);
-+if (smtp_receive_timeout > 0) alarm(0);
-+
-+if (had_command_timeout)		/* set by signal handler */
-+  smtp_command_timeout_exit();		/* does not return */
-+if (had_command_sigterm)
-+  smtp_command_sigterm_exit();
-+if (had_data_timeout)
-+  smtp_data_timeout_exit();
-+if (had_data_sigint)
-+  smtp_data_sigint_exit();
- 
- /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
- closed down, not that the socket itself has been closed down. Revert to
--- 
-2.17.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_03-Fix-typo-in-arc.-Bug-2262.patch exim4-4.92~RC4/debian/patches/75_fixes_03-Fix-typo-in-arc.-Bug-2262.patch
--- exim4-4.91/debian/patches/75_fixes_03-Fix-typo-in-arc.-Bug-2262.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_03-Fix-typo-in-arc.-Bug-2262.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,26 +0,0 @@
-From d862036b77ae978f3d105adb7c11f0795bbb2732 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Mon, 16 Apr 2018 09:15:17 +0100
-Subject: [PATCH 3/6] Fix typo in arc.  Bug 2262
-
-(cherry picked from commit 69a82da3e9018b082cee870030ecc557497301df)
----
- src/arc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/arc.c b/src/arc.c
-index 6f567dc5..557ea851 100644
---- a/src/arc.c
-+++ b/src/arc.c
-@@ -1546,7 +1546,7 @@ pdkim_bodyhash * b;
- 
- identity = string_nextinlist(&signspec, &sep, NULL, 0);
- selector = string_nextinlist(&signspec, &sep, NULL, 0);
--if (  !*identity | !*selector
-+if (  !*identity || !*selector
-    || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
-   {
-   log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
--- 
-2.17.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_04-Fix-OpenSSL-non-OCSP-build.patch exim4-4.92~RC4/debian/patches/75_fixes_04-Fix-OpenSSL-non-OCSP-build.patch
--- exim4-4.91/debian/patches/75_fixes_04-Fix-OpenSSL-non-OCSP-build.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_04-Fix-OpenSSL-non-OCSP-build.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,45 +0,0 @@
-From 2349d6c47c1922b661dcd2e3ce57fc34ade42230 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Mon, 16 Apr 2018 18:45:04 +0100
-Subject: [PATCH 4/6] Fix OpenSSL non-OCSP build
-
-(cherry picked from commit 37f0ce65959019e417ff79b9d0959e13470c5290)
----
- src/tls-openssl.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index fb59217d..cefa94fe 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -2505,10 +2505,12 @@ if (error == SSL_ERROR_ZERO_RETURN)
-   if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
-  	SSL_shutdown(server_ssl);
- 
-+#ifndef DISABLE_OCSP
-   sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
-+  server_static_cbinfo->verify_stack = NULL;
-+#endif
-   SSL_free(server_ssl);
-   SSL_CTX_free(server_ctx);
--  server_static_cbinfo->verify_stack = NULL;
-   server_ctx = NULL;
-   server_ssl = NULL;
-   tls_in.active = -1;
-@@ -2782,11 +2784,13 @@ if (shutdown)
-     }
-   }
- 
-+#ifndef DISABLE_OCSP
- if (is_server)
-   {
-   sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
-   server_static_cbinfo->verify_stack = NULL;
-   }
-+#endif
- 
- SSL_CTX_free(*ctxp);
- SSL_free(*sslp);
--- 
-2.17.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_05-DKIM-enforce-limit-of-20-on-received-DKIM-Signature-.patch exim4-4.92~RC4/debian/patches/75_fixes_05-DKIM-enforce-limit-of-20-on-received-DKIM-Signature-.patch
--- exim4-4.91/debian/patches/75_fixes_05-DKIM-enforce-limit-of-20-on-received-DKIM-Signature-.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_05-DKIM-enforce-limit-of-20-on-received-DKIM-Signature-.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,211 +0,0 @@
-From e20e2d6d5e2dd50b29b785b3831be655138d046e Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Mon, 23 Apr 2018 11:26:52 +0100
-Subject: [PATCH 6/6] DKIM: enforce limit of 20 on received DKIM-Signature:
- headers.  Bug 2269
-
-(cherry picked from commit 64b67b658a37dd780cc1b2fd0ef87febe461a0ba)
----
- doc/ChangeLog         |    4 +
- exim_monitor/em_globals.c |    2 +-
- src/dkim.c                |    8 +-
- src/globals.c             |    2 +-
- src/globals.h             |    2 +-
- src/pdkim/pdkim.c         |   10 +-
- src/pdkim/pdkim.h         |    5 +-
- src/smtp_in.c             |    7 +-
- src/spool_in.c            |    2 +-
- test/log/4506                 |   14 +-
- test/scripts/4500-DKIM/4506   | 6068 +++++++++++++++++++++++++++++++++
- 11 files changed, 6106 insertions(+), 18 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index 58673c23..5e1ff056 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -11,6 +11,10 @@ Since version 4.91
- JH/02 Bug 1007: Avoid doing logging from signal-handlers, as that can result in
-       non-signal-safe functions being used.
- 
-+JH/03 Bug 2269: When presented with a received message having a stupidly large
-+      number of DKIM-Signature headers, disable DKIM verification to avoid
-+      a resource-consumption attack.  The limit is set at twenty.
-+
- 
- Exim version 4.91
- -----------------
-diff --git a/exim_monitor/em_globals.c b/exim_monitor/em_globals.c
-index 50da58c8..e0ed0244 100644
---- a/exim_monitor/em_globals.c
-+++ b/exim_monitor/em_globals.c
-@@ -139,7 +139,7 @@ uschar *dkim_signers             = NULL;
- uschar *dkim_signing_domain      = NULL;
- uschar *dkim_signing_selector    = NULL;
- uschar *dkim_verify_signers      = US"$dkim_signers";
--BOOL    dkim_collect_input       = FALSE;
-+unsigned dkim_collect_input      = 0;
- BOOL    dkim_disable_verify      = FALSE;
- #endif
- 
-diff --git a/src/dkim.c b/src/dkim.c
-index 59445a85..c86dd5f0 100644
---- a/src/dkim.c
-+++ b/src/dkim.c
-@@ -34,6 +34,8 @@ pdkim_signature *dkim_signatures = NULL;
- pdkim_signature *dkim_cur_sig = NULL;
- static const uschar * dkim_collect_error = NULL;
- 
-+#define DKIM_MAX_SIGNATURES 20
-+
- 
- 
- /*XXX the caller only uses the first record if we return multiple.
-@@ -115,7 +117,7 @@ if (dkim_verify_ctx)
- /* Create new context */
- 
- dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
--dkim_collect_input = !!dkim_verify_ctx;
-+dkim_collect_input = dkim_verify_ctx ? DKIM_MAX_SIGNATURES : 0;
- dkim_collect_error = NULL;
- 
- /* Start feed up with any cached data */
-@@ -137,7 +139,7 @@ if (  dkim_collect_input
-   dkim_collect_error = pdkim_errstr(rc);
-   log_write(0, LOG_MAIN,
- 	     "DKIM: validation error: %.100s", dkim_collect_error);
--  dkim_collect_input = FALSE;
-+  dkim_collect_input = 0;
-   }
- store_pool = dkim_verify_oldpool;
- }
-@@ -309,7 +311,7 @@ if (dkim_collect_error)
-   goto out;
-   }
- 
--dkim_collect_input = FALSE;
-+dkim_collect_input = 0;
- 
- /* Finish DKIM operation and fetch link to signatures chain */
- 
-diff --git a/src/globals.c b/src/globals.c
-index 5b480572..9b34da87 100644
---- a/src/globals.c
-+++ b/src/globals.c
-@@ -669,7 +669,7 @@ BOOL    disable_ipv6           = FALSE;
- BOOL    disable_logging        = FALSE;
- 
- #ifndef DISABLE_DKIM
--BOOL    dkim_collect_input       = FALSE;
-+unsigned dkim_collect_input      = 0;
- uschar *dkim_cur_signer          = NULL;
- BOOL    dkim_disable_verify      = FALSE;
- int     dkim_key_length          = 0;
-diff --git a/src/globals.h b/src/globals.h
-index 2915513f..a8835ed3 100644
---- a/src/globals.h
-+++ b/src/globals.h
-@@ -392,7 +392,7 @@ extern BOOL    disable_ipv6;           /* Don't do any IPv6 things */
- extern BOOL    disable_logging;        /* Disables log writing when TRUE */
- 
- #ifndef DISABLE_DKIM
--extern BOOL    dkim_collect_input;     /* Runtime flag that tracks wether SMTP input is fed to DKIM validation */
-+extern unsigned dkim_collect_input;    /* Runtime count of dkim signtures; tracks wether SMTP input is fed to DKIM validation */
- extern uschar *dkim_cur_signer;        /* Expansion variable, holds the current "signer" domain or identity during a acl_smtp_dkim run */
- extern BOOL    dkim_disable_verify;    /* Set via ACL control statement. When set, DKIM verification is disabled for the current message */
- extern int     dkim_key_length;        /* Expansion variable, length of signing key in bits */
-diff --git a/src/pdkim/pdkim.c b/src/pdkim/pdkim.c
-index 5688c78a..594af03c 100644
---- a/src/pdkim/pdkim.c
-+++ b/src/pdkim/pdkim.c
-@@ -192,6 +192,7 @@ switch(status)
-   case PDKIM_ERR_RSA_SIGNING:	return US"SIGNING";
-   case PDKIM_ERR_LONG_LINE:	return US"LONG_LINE";
-   case PDKIM_ERR_BUFFER_TOO_SMALL:	return US"BUFFER_TOO_SMALL";
-+  case PDKIM_ERR_EXCESS_SIGS:	return US"EXCESS_SIGS";
-   case PDKIM_SIGN_PRIVKEY_WRAP:	return US"PRIVKEY_WRAP";
-   case PDKIM_SIGN_PRIVKEY_B64D:	return US"PRIVKEY_B64D";
-   default: return US"(unknown)";
-@@ -1008,6 +1009,13 @@ else
-       while (last_sig->next) last_sig = last_sig->next;
-       last_sig->next = sig;
-       }
-+
-+    if (--dkim_collect_input == 0)
-+      {
-+      ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
-+      ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0';
-+      return PDKIM_ERR_EXCESS_SIGS;
-+      }
-     }
- 
-   /* all headers are stored for signature verification */
-@@ -1033,7 +1041,7 @@ int p, rc;
- if (!data)
-   pdkim_body_complete(ctx);
- 
--else for (p = 0; p<len; p++)
-+else for (p = 0; p < len; p++)
-   {
-   uschar c = data[p];
- 
-diff --git a/src/pdkim/pdkim.h b/src/pdkim/pdkim.h
-index 59ac0388..02938754 100644
---- a/src/pdkim/pdkim.h
-+++ b/src/pdkim/pdkim.h
-@@ -48,8 +48,9 @@
- #define PDKIM_ERR_RSA_SIGNING      -102
- #define PDKIM_ERR_LONG_LINE        -103
- #define PDKIM_ERR_BUFFER_TOO_SMALL -104
--#define PDKIM_SIGN_PRIVKEY_WRAP    -105
--#define PDKIM_SIGN_PRIVKEY_B64D    -106
-+#define PDKIM_ERR_EXCESS_SIGS	   -105
-+#define PDKIM_SIGN_PRIVKEY_WRAP    -106
-+#define PDKIM_SIGN_PRIVKEY_B64D    -107
- 
- /* -------------------------------------------------------------------------- */
- /* Main/Extended verification status */
-diff --git a/src/smtp_in.c b/src/smtp_in.c
-index 433c677e..e4d02cea 100644
---- a/src/smtp_in.c
-+++ b/src/smtp_in.c
-@@ -595,7 +595,7 @@ uschar * log_msg;
- for(;;)
-   {
- #ifndef DISABLE_DKIM
--  BOOL dkim_save;
-+  unsigned dkim_save;
- #endif
- 
-   if (chunking_data_left > 0)
-@@ -606,7 +606,7 @@ for(;;)
-   receive_ungetc = lwr_receive_ungetc;
- #ifndef DISABLE_DKIM
-   dkim_save = dkim_collect_input;
--  dkim_collect_input = FALSE;
-+  dkim_collect_input = 0;
- #endif
- 
-   /* Unless PIPELINING was offered, there should be no next command
-@@ -2041,7 +2041,8 @@ dnslist_domain = dnslist_matched = NULL;
- dkim_cur_signer = dkim_signers =
- dkim_signing_domain = dkim_signing_selector = NULL;
- dkim_cur_signer = dkim_signers = dkim_signing_domain = dkim_signing_selector = NULL;
--dkim_disable_verify = dkim_collect_input = FALSE;
-+dkim_disable_verify = FALSE;
-+dkim_collect_input = 0;
- dkim_verify_overall = dkim_verify_status = dkim_verify_reason = NULL;
- dkim_key_length = 0;
- dkim_verify_signers = US"$dkim_signers";
-diff --git a/src/spool_in.c b/src/spool_in.c
-index e34b5417..f0275bb7 100644
---- a/src/spool_in.c
-+++ b/src/spool_in.c
-@@ -261,7 +261,7 @@ bmi_verdicts = NULL;
- #ifndef DISABLE_DKIM
- dkim_signers = NULL;
- dkim_disable_verify = FALSE;
--dkim_collect_input = FALSE;
-+dkim_collect_input = 0;
- #endif
- 
- #ifdef SUPPORT_TLS
diff -Nru exim4-4.91/debian/patches/75_fixes_06-Cutthrough-fix-race-resulting-in-duplicate-delivery..patch exim4-4.92~RC4/debian/patches/75_fixes_06-Cutthrough-fix-race-resulting-in-duplicate-delivery..patch
--- exim4-4.91/debian/patches/75_fixes_06-Cutthrough-fix-race-resulting-in-duplicate-delivery..patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_06-Cutthrough-fix-race-resulting-in-duplicate-delivery..patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,84 +0,0 @@
-From 56b566daa255a8c3ebf59e6b71ba9576f21a9b2c Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Sat, 5 May 2018 22:47:58 +0100
-Subject: [PATCH 1/4] Cutthrough: fix race resulting in duplicate-delivery. 
- Bug 2273
-
-Cherry-picked from: cfbb0d24e8
----
- doc/ChangeLog |  5 +++++
- src/receive.c     | 28 +++++++++++++++++++---------
- 2 files changed, 24 insertions(+), 9 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index 5e1ff056..d48ea832 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -15,6 +15,11 @@ JH/03 Bug 2269: When presented with a received message having a stupidly large
-       number of DKIM-Signature headers, disable DKIM verification to avoid
-       a resource-consumption attack.  The limit is set at twenty.
- 
-+JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage
-+      files in the spool were present and unlocked.  A queue-runner could spot
-+      them, resulting in a duplicate delivery.  Fix that by doing the unlock
-+      after the unlink.  Investigation by Time Stewart.
-+
- 
- Exim version 4.91
- -----------------
-diff --git a/src/receive.c b/src/receive.c
-index 3b215f23..e7dc910b 100644
---- a/src/receive.c
-+++ b/src/receive.c
-@@ -4228,22 +4228,30 @@ if (deliver_freeze && freeze_tell != NULL && freeze_tell[0] != 0)
- 
- /* Either a message has been successfully received and written to the two spool
- files, or an error in writing the spool has occurred for an SMTP message, or
--an SMTP message has been rejected for policy reasons. (For a non-SMTP message
--we will have already given up because there's no point in carrying on!) In
--either event, we must now close (and thereby unlock) the data file. In the
--successful case, this leaves the message on the spool, ready for delivery. In
--the error case, the spool file will be deleted. Then tidy up store, interact
--with an SMTP call if necessary, and return.
-+an SMTP message has been rejected for policy reasons, or a message was passed on
-+by cutthrough delivery. (For a non-SMTP message we will have already given up
-+because there's no point in carrying on!) For non-cutthrough we must now close
-+(and thereby unlock) the data file. In the successful case, this leaves the
-+message on the spool, ready for delivery. In the error case, the spool file will
-+be deleted. Then tidy up store, interact with an SMTP call if necessary, and
-+return.
-+
-+For cutthrough we hold the data file locked until we have deleted it, otherwise
-+a queue-runner could grab it in the window.
- 
- A fflush() was done earlier in the expectation that any write errors on the
- data file will be flushed(!) out thereby. Nevertheless, it is theoretically
- possible for fclose() to fail - but what to do? What has happened to the lock
--if this happens? */
-+if this happens?  We can at least log it; if it is observed on some platform
-+then we can think about properly declaring the message not-received. */
- 
- 
- TIDYUP:
--process_info[process_info_len] = 0;                /* Remove message id */
--if (data_file != NULL) (void)fclose(data_file);    /* Frees the lock */
-+process_info[process_info_len] = 0;			/* Remove message id */
-+if (data_file && cutthrough_done == NOT_TRIED)
-+  if (fclose(data_file))				/* Frees the lock */
-+    log_write(0, LOG_MAIN|LOG_PANIC,
-+      "spoolfile error on close: %s", strerror(errno));
- 
- /* Now reset signal handlers to their defaults */
- 
-@@ -4330,6 +4338,8 @@ if (smtp_input)
-       }
-     if (cutthrough_done != NOT_TRIED)
-       {
-+      if (data_file)
-+	(void) fclose(data_file);  /* Frees the lock; do not care if error */
-       message_id[0] = 0;	  /* Prevent a delivery from starting */
-       cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
-       cutthrough.defer_pass = FALSE;
--- 
-2.17.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_07-tidying.patch exim4-4.92~RC4/debian/patches/75_fixes_07-tidying.patch
--- exim4-4.91/debian/patches/75_fixes_07-tidying.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_07-tidying.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-From 8c28d16989c25923568f4e95cf526c8f3db38713 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Mon, 7 May 2018 14:44:31 +0100
-Subject: [PATCH 2/4] tidying
-
----
- doc/ChangeLog | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index d48ea832..3ae2c4fd 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -18,7 +18,7 @@ JH/03 Bug 2269: When presented with a received message having a stupidly large
- JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage
-       files in the spool were present and unlocked.  A queue-runner could spot
-       them, resulting in a duplicate delivery.  Fix that by doing the unlock
--      after the unlink.  Investigation by Time Stewart.
-+      after the unlink.  Investigation by Tim Stewart.
- 
- 
- Exim version 4.91
--- 
-2.17.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_08-ARC-fix-crash-on-signing-with-missing-key-file.patch exim4-4.92~RC4/debian/patches/75_fixes_08-ARC-fix-crash-on-signing-with-missing-key-file.patch
--- exim4-4.91/debian/patches/75_fixes_08-ARC-fix-crash-on-signing-with-missing-key-file.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_08-ARC-fix-crash-on-signing-with-missing-key-file.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,47 +0,0 @@
-From d4de30edf98c3ea326f6f949a9bf934d17d8412e Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Fri, 11 May 2018 16:26:17 +0100
-Subject: [PATCH 3/4] ARC: fix crash on signing with missing key file
-
-Cherry-picked from: 97e939dfe2
----
- src/arc.c              |  4 ++-
- test/confs/4560            |  4 +++
- test/log/4560              | 20 +++++++++++--
- test/log/4561              | 10 +++++++
- test/mail/4560.a           | 20 +++++++++++++
- test/mail/4561.a           | 35 ++++++++++++++++++++++
- test/mail/4562.a           | 60 ++++++++++++++++++++++++++++++++++++++
- test/scripts/4560-ARC/4560 | 34 +++++++++++++++++++++
- 8 files changed, 183 insertions(+), 4 deletions(-)
- create mode 100644 test/log/4561
- create mode 100644 test/mail/4561.a
- create mode 100644 test/mail/4562.a
-
-diff --git a/src/arc.c b/src/arc.c
-index 557ea851..a8562a72 100644
---- a/src/arc.c
-+++ b/src/arc.c
-@@ -1632,7 +1632,9 @@ g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
-         including self (but with an empty b= in self)
- */
- 
--g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar, privkey);
-+if (g)
-+  g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
-+      privkey);
- 
- /* Finally, append the dkim headers and return the lot. */
- 
-diff --git a/test/log/4561 b/test/log/4561
-new file mode 100644
-index 00000000..d5e6af73
-diff --git a/test/mail/4561.a b/test/mail/4561.a
-new file mode 100644
-index 00000000..55f56734
-diff --git a/test/mail/4562.a b/test/mail/4562.a
-new file mode 100644
-index 00000000..df2a234c
--- 
-2.17.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_09-Content-scanning-Fix-locking-on-message-spool-files..patch exim4-4.92~RC4/debian/patches/75_fixes_09-Content-scanning-Fix-locking-on-message-spool-files..patch
--- exim4-4.91/debian/patches/75_fixes_09-Content-scanning-Fix-locking-on-message-spool-files..patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_09-Content-scanning-Fix-locking-on-message-spool-files..patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,388 +0,0 @@
-From 9bd1e34631cc3d6f2b79b546a50c64ed6c5a48b6 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Fri, 11 May 2018 18:02:29 +0100
-Subject: [PATCH 4/4] Content scanning: Fix locking on message spool files. 
- Bug 2275
-
-(cherry picked from commit 1bd642c265dae5643f16d023879043b7576f66a9)
----
- doc/ChangeLog |  8 +++++
- src/globals.c     |  1 +
- src/globals.h     |  1 +
- src/receive.c     | 76 ++++++++++++++++++++++++-------------------
- src/spool_mbox.c  | 32 +++++++++---------
- 5 files changed, 69 insertions(+), 49 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index 3ae2c4fd..c6f34173 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -20,6 +20,14 @@ JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage
-       them, resulting in a duplicate delivery.  Fix that by doing the unlock
-       after the unlink.  Investigation by Tim Stewart.
- 
-+JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
-+      a queue-runner could start a delivery while other operations were ongoing.
-+      Cutthrough delivery was a common victim, resulting in duplicate delivery.
-+      Found and investigated by Tim Stewart.  Fix by using the open message data
-+      file handle rather than opening another, and not locally closing it (which
-+      releases a lock) for that case, while creating the temporary .eml format
-+      file for the MIME ACL.  Also applies to "regex" and "spam" ACL conditions.
-+
- 
- Exim version 4.91
- -----------------
-diff --git a/src/globals.c b/src/globals.c
-index 9b34da87..45f49c85 100644
---- a/src/globals.c
-+++ b/src/globals.c
-@@ -1392,6 +1392,7 @@ uschar *spf_smtp_comment       = NULL;
- #endif
- 
- BOOL    split_spool_directory  = FALSE;
-+FILE   *spool_data_file	       = NULL;
- uschar *spool_directory        = US SPOOL_DIRECTORY
-                            "\0<--------------Space to patch spool_directory->";
- BOOL    spool_file_wireformat  = FALSE;
-diff --git a/src/globals.h b/src/globals.h
-index a8835ed3..77b742d8 100644
---- a/src/globals.h
-+++ b/src/globals.h
-@@ -890,6 +890,7 @@ extern BOOL    spf_result_guessed;     /* spf result is of best-guess operation
- extern uschar *spf_smtp_comment;       /* spf comment to include in SMTP reply */
- #endif
- extern BOOL    split_spool_directory;  /* TRUE to use multiple subdirs */
-+extern FILE   *spool_data_file;	       /* handle for -D file */
- extern uschar *spool_directory;        /* Name of spool directory */
- extern BOOL    spool_file_wireformat;  /* current -D file has CRLF rather than NL */
- extern BOOL    spool_wireformat;       /* can write wireformat -D files */
-diff --git a/src/receive.c b/src/receive.c
-index e7dc910b..f6db46c4 100644
---- a/src/receive.c
-+++ b/src/receive.c
-@@ -22,7 +22,6 @@ extern int dcc_ok;
- *                Local static variables          *
- *************************************************/
- 
--static FILE   *data_file = NULL;
- static int     data_fd = -1;
- static uschar *spool_name = US"";
- 
-@@ -341,10 +340,10 @@ if (spool_name[0] != '\0')
- 
- /* Now close the file if it is open, either as a fd or a stream. */
- 
--if (data_file)
-+if (spool_data_file)
-   {
--  (void)fclose(data_file);
--  data_file = NULL;
-+  (void)fclose(spool_data_file);
-+  spool_data_file = NULL;
-   }
- else if (data_fd >= 0)
-   {
-@@ -1445,10 +1444,12 @@ if (rc == DISCARD)
-   {
-   recipients_count = 0;
-   *blackholed_by_ptr = US"MIME ACL";
-+  cancel_cutthrough_connection(TRUE, US"mime acl discard");
-   }
- else if (rc != OK)
-   {
-   Uunlink(spool_name);
-+  cancel_cutthrough_connection(TRUE, US"mime acl not ok");
-   unspool_mbox();
- #ifdef EXPERIMENTAL_DCC
-   dcc_ok = 0;
-@@ -1706,7 +1707,7 @@ header names list to be the normal list. Indicate there is no data file open
- yet, initialize the size and warning count, and deal with no size limit. */
- 
- message_id[0] = 0;
--data_file = NULL;
-+spool_data_file = NULL;
- data_fd = -1;
- spool_name = US"";
- message_size = 0;
-@@ -3048,7 +3049,7 @@ the first line of the file (containing the message ID) because otherwise there
- are problems when Exim is run under Cygwin (I'm told). See comments in
- spool_in.c, where the same locking is done. */
- 
--data_file = fdopen(data_fd, "w+");
-+spool_data_file = fdopen(data_fd, "w+");
- lock_data.l_type = F_WRLCK;
- lock_data.l_whence = SEEK_SET;
- lock_data.l_start = 0;
-@@ -3065,31 +3066,32 @@ data line (which was read as a header but then turned out not to have the right
- format); write it (remembering that it might contain binary zeros). The result
- of fwrite() isn't inspected; instead we call ferror() below. */
- 
--fprintf(data_file, "%s-D\n", message_id);
-+fprintf(spool_data_file, "%s-D\n", message_id);
- if (next)
-   {
-   uschar *s = next->text;
-   int len = next->slen;
--  len = fwrite(s, 1, len, data_file);  len = len; /* compiler quietening */
--  body_linecount++;                 /* Assumes only 1 line */
-+  if (fwrite(s, 1, len, spool_data_file) == len) /* "if" for compiler quietening */
-+    body_linecount++;                 /* Assumes only 1 line */
-   }
- 
- /* Note that we might already be at end of file, or the logical end of file
- (indicated by '.'), or might have encountered an error while writing the
- message id or "next" line. */
- 
--if (!ferror(data_file) && !(receive_feof)() && message_ended != END_DOT)
-+if (!ferror(spool_data_file) && !(receive_feof)() && message_ended != END_DOT)
-   {
-   if (smtp_input)
-     {
-     message_ended = chunking_state <= CHUNKING_OFFERED
--      ? read_message_data_smtp(data_file)
-+      ? read_message_data_smtp(spool_data_file)
-       : spool_wireformat
--      ? read_message_bdat_smtp_wire(data_file)
--      : read_message_bdat_smtp(data_file);
-+      ? read_message_bdat_smtp_wire(spool_data_file)
-+      : read_message_bdat_smtp(spool_data_file);
-     receive_linecount++;                /* The terminating "." line */
-     }
--  else message_ended = read_message_data(data_file);
-+  else
-+    message_ended = read_message_data(spool_data_file);
- 
-   receive_linecount += body_linecount;  /* For BSMTP errors mainly */
-   message_linecount += body_linecount;
-@@ -3136,10 +3138,10 @@ if (!ferror(data_file) && !(receive_feof)() && message_ended != END_DOT)
- 	}
-       else
- 	{
--	fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-+	fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
- 	give_local_error(ERRMESS_TOOBIG,
- 	  string_sprintf("message too big (max=%d)", thismessage_size_limit),
--	  US"message rejected: ", error_rc, data_file, header_list);
-+	  US"message rejected: ", error_rc, spool_data_file, header_list);
- 	/* Does not return */
- 	}
-       break;
-@@ -3169,8 +3171,8 @@ we can then give up. Note that for SMTP input we must swallow the remainder of
- the input in cases of output errors, since the far end doesn't expect to see
- anything until the terminating dot line is sent. */
- 
--if (fflush(data_file) == EOF || ferror(data_file) ||
--    EXIMfsync(fileno(data_file)) < 0 || (receive_ferror)())
-+if (fflush(spool_data_file) == EOF || ferror(spool_data_file) ||
-+    EXIMfsync(fileno(spool_data_file)) < 0 || (receive_ferror)())
-   {
-   uschar *msg_errno = US strerror(errno);
-   BOOL input_error = (receive_ferror)() != 0;
-@@ -3198,8 +3200,8 @@ if (fflush(data_file) == EOF || ferror(data_file) ||
- 
-   else
-     {
--    fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
--    give_local_error(ERRMESS_IOERR, msg, US"", error_rc, data_file,
-+    fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-+    give_local_error(ERRMESS_IOERR, msg, US"", error_rc, spool_data_file,
-       header_list);
-     /* Does not return */
-     }
-@@ -3240,7 +3242,7 @@ if (extract_recip && (bad_addresses || recipients_count == 0))
-       }
-     }
- 
--  fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-+  fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
- 
-   /* If configured to send errors to the sender, but this fails, force
-   a failure error code. We use a special one for no recipients so that it
-@@ -3254,7 +3256,7 @@ if (extract_recip && (bad_addresses || recipients_count == 0))
-           (bad_addresses == NULL)?
-             (extracted_ignored? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS) :
-           (recipients_list == NULL)? ERRMESS_BADNOADDRESS : ERRMESS_BADADDRESS,
--          bad_addresses, header_list, data_file, FALSE))
-+          bad_addresses, header_list, spool_data_file, FALSE))
-       error_rc = (bad_addresses == NULL)? EXIT_NORECIPIENTS : EXIT_FAILURE;
-     }
-   else
-@@ -3282,7 +3284,7 @@ if (extract_recip && (bad_addresses || recipients_count == 0))
-   if (recipients_count == 0 || error_handling == ERRORS_STDERR)
-     {
-     Uunlink(spool_name);
--    (void)fclose(data_file);
-+    (void)fclose(spool_data_file);
-     exim_exit(error_rc, US"receiving");
-     }
-   }
-@@ -3607,9 +3609,9 @@ else
-           }
-         else
-           {
--          fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-+          fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-           give_local_error(ERRMESS_LOCAL_ACL, user_msg,
--            US"message rejected by non-SMTP ACL: ", error_rc, data_file,
-+            US"message rejected by non-SMTP ACL: ", error_rc, spool_data_file,
-               header_list);
-           /* Does not return */
-           }
-@@ -3807,9 +3809,9 @@ else
-     }
-   else
-     {
--    fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-+    fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-     give_local_error(ERRMESS_LOCAL_SCAN, errmsg,
--      US"message rejected by local scan code: ", error_rc, data_file,
-+      US"message rejected by local scan code: ", error_rc, spool_data_file,
-         header_list);
-     /* Does not return */
-     }
-@@ -3882,8 +3884,8 @@ else
-       }
-     else
-       {
--      fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
--      give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, data_file,
-+      fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-+      give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, spool_data_file,
-         header_list);
-       /* Does not return */
-       }
-@@ -3909,7 +3911,7 @@ that is in the file, but we do add one extra for the notional blank line that
- precedes the data. This total differs from message_size in that it include the
- added Received: header and any other headers that got created locally. */
- 
--fflush(data_file);
-+fflush(spool_data_file);
- fstat(data_fd, &statbuf);
- 
- msg_size += statbuf.st_size - SPOOL_DATA_START_OFFSET + 1;
-@@ -4248,10 +4250,13 @@ then we can think about properly declaring the message not-received. */
- 
- TIDYUP:
- process_info[process_info_len] = 0;			/* Remove message id */
--if (data_file && cutthrough_done == NOT_TRIED)
--  if (fclose(data_file))				/* Frees the lock */
-+if (spool_data_file && cutthrough_done == NOT_TRIED)
-+  {
-+  if (fclose(spool_data_file))				/* Frees the lock */
-     log_write(0, LOG_MAIN|LOG_PANIC,
-       "spoolfile error on close: %s", strerror(errno));
-+  spool_data_file = NULL;
-+  }
- 
- /* Now reset signal handlers to their defaults */
- 
-@@ -4338,8 +4343,11 @@ if (smtp_input)
-       }
-     if (cutthrough_done != NOT_TRIED)
-       {
--      if (data_file)
--	(void) fclose(data_file);  /* Frees the lock; do not care if error */
-+      if (spool_data_file)
-+	{
-+	(void) fclose(spool_data_file);  /* Frees the lock; do not care if error */
-+	spool_data_file = NULL;
-+	}
-       message_id[0] = 0;	  /* Prevent a delivery from starting */
-       cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
-       cutthrough.defer_pass = FALSE;
-diff --git a/src/spool_mbox.c b/src/spool_mbox.c
-index 749484f2..05f90a81 100644
---- a/src/spool_mbox.c
-+++ b/src/spool_mbox.c
-@@ -35,9 +35,7 @@ uschar message_subdir[2];
- uschar buffer[16384];
- uschar *temp_string;
- uschar *mbox_path;
--FILE *mbox_file = NULL;
--FILE *data_file = NULL;
--FILE *yield = NULL;
-+FILE *mbox_file = NULL, *l_data_file = NULL, *yield = NULL;
- header_line *my_headerlist;
- struct stat statbuf;
- int i, j;
-@@ -108,21 +106,25 @@ if (!spool_mbox_ok)
-     goto OUT;
-     }
- 
--  /* copy body file */
--  if (!source_file_override)
-+  /* Copy body file.  If the main receive still has it open then it is holding
-+  a lock, and we must not close it (which releases the lock), so just use the
-+  global file handle. */
-+  if (source_file_override)
-+    l_data_file = Ufopen(source_file_override, "rb");
-+  else if (spool_data_file)
-+    l_data_file = spool_data_file;
-+  else
-     {
-     message_subdir[1] = '\0';
-     for (i = 0; i < 2; i++)
-       {
-       message_subdir[0] = split_spool_directory == (i == 0) ? message_id[5] : 0;
-       temp_string = spool_fname(US"input", message_subdir, message_id, US"-D");
--      if ((data_file = Ufopen(temp_string, "rb"))) break;
-+      if ((l_data_file = Ufopen(temp_string, "rb"))) break;
-       }
-     }
--  else
--    data_file = Ufopen(source_file_override, "rb");
- 
--  if (!data_file)
-+  if (!l_data_file)
-     {
-     log_write(0, LOG_MAIN|LOG_PANIC, "Could not open datafile for message %s",
-       message_id);
-@@ -131,7 +133,7 @@ if (!spool_mbox_ok)
- 
-   /* The code used to use this line, but it doesn't work in Cygwin.
- 
--      (void)fread(data_buffer, 1, 18, data_file);
-+      (void)fread(data_buffer, 1, 18, l_data_file);
- 
-      What's happening is that spool_mbox used to use an fread to jump over the
-      file header. That fails under Cygwin because the header is locked, but
-@@ -139,23 +141,23 @@ if (!spool_mbox_ok)
-      explicitly, because the one in the file is parted of the locked area.  */
- 
-   if (!source_file_override)
--    (void)fseek(data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);
-+    (void)fseek(l_data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);
- 
-   do
-     {
-     uschar * s;
- 
-     if (!spool_file_wireformat || source_file_override)
--      j = fread(buffer, 1, sizeof(buffer), data_file);
-+      j = fread(buffer, 1, sizeof(buffer), l_data_file);
-     else						/* needs CRLF -> NL */
--      if ((s = US fgets(CS buffer, sizeof(buffer), data_file)))
-+      if ((s = US fgets(CS buffer, sizeof(buffer), l_data_file)))
- 	{
- 	uschar * p = s + Ustrlen(s) - 1;
- 
- 	if (*p == '\n' && p[-1] == '\r')
- 	  *--p = '\n';
- 	else if (*p == '\r')
--	  ungetc(*p--, data_file);
-+	  ungetc(*p--, l_data_file);
- 
- 	j = p - buffer;
- 	}
-@@ -190,7 +192,7 @@ else
-   *mbox_file_size = statbuf.st_size;
- 
- OUT:
--if (data_file) (void)fclose(data_file);
-+if (l_data_file && !spool_data_file) (void)fclose(l_data_file);
- if (mbox_file) (void)fclose(mbox_file);
- store_reset(reset_point);
- return yield;
--- 
-2.17.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_10-Use-serial-number-1-for-self-generated-selfsigned-ce.patch exim4-4.92~RC4/debian/patches/75_fixes_10-Use-serial-number-1-for-self-generated-selfsigned-ce.patch
--- exim4-4.91/debian/patches/75_fixes_10-Use-serial-number-1-for-self-generated-selfsigned-ce.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_10-Use-serial-number-1-for-self-generated-selfsigned-ce.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-From 3b9730e3deaf4eb03a99977d830da446dcc85cfb Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Thu, 24 May 2018 16:31:27 +0100
-Subject: [PATCH 1/3] Use serial number 1 for self-generated selfsigned
- certificate
-
-Broken-by: 23bb69826c
-(cherry picked from commit 1613fd68b5931757016c3c25fdc3b0f37827e7f1)
----
- doc/ChangeLog | 3 +++
- src/tls-gnu.c     | 2 +-
- src/tls-openssl.c | 2 +-
- 3 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index c6f34173..3edcb12f 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -28,6 +28,9 @@ JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
-       releases a lock) for that case, while creating the temporary .eml format
-       file for the MIME ACL.  Also applies to "regex" and "spam" ACL conditions.
- 
-+JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
-+      legitimate.
-+
- 
- Exim version 4.91
- -----------------
-diff --git a/src/tls-gnu.c b/src/tls-gnu.c
-index 35816cd6..08c1d939 100644
---- a/src/tls-gnu.c
-+++ b/src/tls-gnu.c
-@@ -790,7 +790,7 @@ if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
-   goto err;
- 
- where = US"configuring cert";
--now = 0;
-+now = 1;
- if (  (rc = gnutls_x509_crt_set_version(cert, 3))
-    || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
-    || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index cefa94fe..068a0d87 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -1000,7 +1000,7 @@ if (!EVP_PKEY_assign_RSA(pkey, rsa))
-   goto err;
- 
- X509_set_version(x509, 2);				/* N+1 - version 3 */
--ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
-+ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
- X509_gmtime_adj(X509_get_notBefore(x509), 0);
- X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60);	/* 1 hour */
- X509_set_pubkey(x509, pkey);
--- 
-2.17.1
-
diff -Nru exim4-4.91/debian/patches/75_fixes_11-Fix-logging-of-cmdline-args-when-starting-in-an-unli.patch exim4-4.92~RC4/debian/patches/75_fixes_11-Fix-logging-of-cmdline-args-when-starting-in-an-unli.patch
--- exim4-4.91/debian/patches/75_fixes_11-Fix-logging-of-cmdline-args-when-starting-in-an-unli.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_11-Fix-logging-of-cmdline-args-when-starting-in-an-unli.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,59 +0,0 @@
-From d5bd2a53d8a226793321b0c3011092ab97e63902 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Wed, 6 Jun 2018 11:19:23 +0100
-Subject: [PATCH 2/3] Fix logging of cmdline args when starting in an unlinked
- cwd.  Bug 2274
-
----
- doc/ChangeLog |  3 +++
- src/exim.c        | 15 ++++++++++++---
- 2 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index 3edcb12f..5fb0149d 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -31,6 +31,9 @@ JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
- JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
-       legitimate.
- 
-+JH/09 Bug 2274: Fix logging of cmdline args when starting in an unlinked cwd.
-+      Previously this would segfault.
-+
- 
- Exim version 4.91
- -----------------
-diff --git a/src/exim.c b/src/exim.c
-index d740814f..93a65dbc 100644
---- a/src/exim.c
-+++ b/src/exim.c
-@@ -4083,14 +4083,23 @@ a debugging feature for finding out what arguments certain MUAs actually use.
- Don't attempt it if logging is disabled, or if listing variables or if
- verifying/testing addresses or expansions. */
- 
--if (((debug_selector & D_any) != 0 || LOGGING(arguments))
--      && really_exim && !list_options && !checking)
-+if (  (debug_selector & D_any  ||  LOGGING(arguments))
-+   && really_exim && !list_options && !checking)
-   {
-   int i;
-   uschar *p = big_buffer;
-   Ustrcpy(p, "cwd= (failed)");
- 
--  Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
-+  if (!initial_cwd)
-+    p += 13;
-+  else
-+    {
-+    Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
-+    p += 4 + Ustrlen(initial_cwd);
-+    /* in case p is near the end and we don't provide enough space for
-+     * string_format to be willing to write. */
-+    *p = '\0';
-+    }
- 
-   while (*p) p++;
-   (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
--- 
-2.17.1
-
diff -Nru exim4-4.91/debian/patches/75_fixes_12-ARC-Fix-signing-for-case-when-DKIM-signing-failed.patch exim4-4.92~RC4/debian/patches/75_fixes_12-ARC-Fix-signing-for-case-when-DKIM-signing-failed.patch
--- exim4-4.91/debian/patches/75_fixes_12-ARC-Fix-signing-for-case-when-DKIM-signing-failed.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_12-ARC-Fix-signing-for-case-when-DKIM-signing-failed.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,40 +0,0 @@
-From ebf2c3666fd2e9bbb208dbeb297a901ba287c72c Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Thu, 7 Jun 2018 16:24:31 +0100
-Subject: [PATCH 3/3] ARC: Fix signing for case when DKIM signing failed
-
----
- doc/ChangeLog | 3 +++
- src/arc.c         | 2 +-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index 5fb0149d..63bcf0c2 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -34,6 +34,9 @@ JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
- JH/09 Bug 2274: Fix logging of cmdline args when starting in an unlinked cwd.
-       Previously this would segfault.
- 
-+JH/10 Fix ARC signing for case when DKIM signing failed.  Previously this would
-+      segfault.
-+
- 
- Exim version 4.91
- -----------------
-diff --git a/src/arc.c b/src/arc.c
-index a8562a72..c2e7e508 100644
---- a/src/arc.c
-+++ b/src/arc.c
-@@ -1638,7 +1638,7 @@ if (g)
- 
- /* Finally, append the dkim headers and return the lot. */
- 
--g = string_catn(g, sigheaders->s, sigheaders->ptr);
-+if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
- (void) string_from_gstring(g);
- gstring_reset_unused(g);
- return g;
--- 
-2.17.1
-
diff -Nru exim4-4.91/debian/patches/75_fixes_13-DKIM-Fix-signing-for-body-lines-starting-with-a-pair.patch exim4-4.92~RC4/debian/patches/75_fixes_13-DKIM-Fix-signing-for-body-lines-starting-with-a-pair.patch
--- exim4-4.91/debian/patches/75_fixes_13-DKIM-Fix-signing-for-body-lines-starting-with-a-pair.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_13-DKIM-Fix-signing-for-body-lines-starting-with-a-pair.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-From e9f733e658a1605edca1bd6b689232e18c8f53c6 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Thu, 21 Jun 2018 17:03:38 +0100
-Subject: [PATCH 1/4] DKIM: Fix signing for body lines starting with a pair of
- dots.  Bug 2284
-
-Broken-by: 42055a3385
----
- doc/ChangeLog       |  2 ++
- src/dkim_transport.c    |  9 +++++++--
- test/log/4520               | 14 ++++++++++++--
- test/mail/4520.a            | 17 -----------------
- test/scripts/4500-DKIM/4520 |  9 ++++++++-
- 5 files changed, 29 insertions(+), 22 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index 63bcf0c2..da162a04 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -37,6 +37,8 @@ JH/09 Bug 2274: Fix logging of cmdline args when starting in an unlinked cwd.
- JH/10 Fix ARC signing for case when DKIM signing failed.  Previously this would
-       segfault.
- 
-+JH/14 Bug 2284: Fix DKIM signing for body lines starting with a pair of dots.
-+
- 
- Exim version 4.91
- -----------------
-diff --git a/src/dkim_transport.c b/src/dkim_transport.c
-index 11458680..13db0f2f 100644
---- a/src/dkim_transport.c
-+++ b/src/dkim_transport.c
-@@ -155,7 +155,10 @@ if (!rc) return FALSE;
- arc_sign_init();
- #endif
- 
--dkim->dot_stuffed = !!(save_options & topt_end_dot);
-+/* The dotstuffed status of the datafile depends on whether it was stored
-+in wireformat. */
-+
-+dkim->dot_stuffed = spool_file_wireformat;
- if (!(dkim_signature = dkim_exim_sign(deliver_datafile, SPOOL_DATA_START_OFFSET,
- 				    hdrs, dkim, &errstr)))
-   if (!(rc = dkt_sign_fail(dkim, &errno)))
-@@ -271,7 +274,9 @@ if (!rc)
- arc_sign_init();
- #endif
- 
--/* Feed the file to the goats^W DKIM lib */
-+/* Feed the file to the goats^W DKIM lib.  At this point the dotstuffed
-+status of the file depends on the output of transport_write_message() just
-+above, which should be the result of the end_dot flag in tctx->options. */
- 
- dkim->dot_stuffed = !!(options & topt_end_dot);
- if (!(dkim_signature = dkim_exim_sign(dkim_fd, 0, NULL, dkim, &errstr)))
--- 
-2.18.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_14-ARC-Fix-verification-to-do-AS-checks-in-reverse-orde.patch exim4-4.92~RC4/debian/patches/75_fixes_14-ARC-Fix-verification-to-do-AS-checks-in-reverse-orde.patch
--- exim4-4.91/debian/patches/75_fixes_14-ARC-Fix-verification-to-do-AS-checks-in-reverse-orde.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_14-ARC-Fix-verification-to-do-AS-checks-in-reverse-orde.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,82 +0,0 @@
-From 64469eb46f042bea1c12996d69c5fedd0bf44510 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Mon, 25 Jun 2018 12:08:37 +0100
-Subject: [PATCH 3/4] ARC: Fix verification to do AS checks in reverse order
-
-Broken from the original introduction (617d39327e)
----
- doc/ChangeLog             | 2 ++
- doc/experimental-spec.txt | 8 +++++++-
- src/arc.c                     | 9 +++------
- 3 files changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index da162a04..fff417f0 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -39,6 +39,8 @@ JH/10 Fix ARC signing for case when DKIM signing failed.  Previously this would
- 
- JH/14 Bug 2284: Fix DKIM signing for body lines starting with a pair of dots.
- 
-+JH/16 Fix ARC verification to do AS checks in reverse order.
-+
- 
- Exim version 4.91
- -----------------
-diff --git a/doc/experimental-spec.txt b/doc/experimental-spec.txt
-index 0eeb2275..95272f43 100644
---- a/doc/experimental-spec.txt
-+++ b/doc/experimental-spec.txt
-@@ -805,18 +805,24 @@ An option on the smtp transport, which constructs and prepends to the message
- an ARC set of headers.  The textually-first Authentication-Results: header
- is used as a basis (you must have added one on entry to the ADMD).
- Expanded as a whole; if unset, empty or forced-failure then no signing is done.
--If it is set, all three elements must be non-empty.
-+If it is set, all of the first three elements must be non-empty.
- 
- Caveats:
-  * There must be an Authentication-Results header, presumably added by an ACL
-    while receiving the message, for the same ADMD, for arc_sign to succeed.
-    This requires careful coordination between inbound and outbound logic.
-+
-+   Only one A-R header is taken account of.  This is a limitation versus
-+   the ARC spec (which says that all A-R headers from within the ADMD must
-+   be used).
-+
-  * If passing a message to another system, such as a mailing-list manager
-    (MLM), between receipt and sending, be wary of manipulations to headers made
-    by the MLM.
-    + For instance, Mailman with REMOVE_DKIM_HEADERS==3 might improve
-      deliverability in a pre-ARC world, but that option also renames the
-      Authentication-Results header, which breaks signing.
-+
-  * Even if you use multiple DKIM keys for different domains, the ARC concept
-    should try to stick to one ADMD, so pick a primary domain and use that for
-    AR headers and outbound signing.
-diff --git a/src/arc.c b/src/arc.c
-index c2e7e508..3bde81e2 100644
---- a/src/arc.c
-+++ b/src/arc.c
-@@ -966,16 +966,13 @@ return NULL;
- static const uschar *
- arc_verify_seals(arc_ctx * ctx)
- {
--arc_set * as = ctx->arcset_chain;
-+arc_set * as = ctx->arcset_chain_last;
- 
- if (!as)
-   return US"none";
- 
--while (as)
--  {
--  if (arc_seal_verify(ctx, as)) return US"fail";
--  as = as->next;
--  }
-+for ( ; as; as = as->prev) if (arc_seal_verify(ctx, as)) return US"fail";
-+
- DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
- return NULL;
- }
--- 
-2.18.0
-
diff -Nru exim4-4.91/debian/patches/75_fixes_15-I18N-Fix-protocol-recorded-for-a-multi-SMTPUTF8-mess.patch exim4-4.92~RC4/debian/patches/75_fixes_15-I18N-Fix-protocol-recorded-for-a-multi-SMTPUTF8-mess.patch
--- exim4-4.91/debian/patches/75_fixes_15-I18N-Fix-protocol-recorded-for-a-multi-SMTPUTF8-mess.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/75_fixes_15-I18N-Fix-protocol-recorded-for-a-multi-SMTPUTF8-mess.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-From 9dbbd9a5b838b85c2db09eaee9f26ef25b7c4ae4 Mon Sep 17 00:00:00 2001
-From: Jeremy Harris <jgh146exb@wizmail.org>
-Date: Wed, 18 Jul 2018 22:16:38 +0100
-Subject: [PATCH 4/4] I18N: Fix protocol recorded for a multi-SMTPUTF8-message
- connection.  Bug 2287
-
-(cherry picked from commit 946515bfe62796f6c0d6554e9e1e227f33253e7c)
----
- doc/ChangeLog                |  4 ++++
- src/smtp_in.c                    | 12 +++++++-----
- test/log/4201                        |  3 +++
- test/scripts/4200-International/4201 | 13 ++++++++++++-
- test/stdout/4201                     | 15 +++++++++++++++
- 5 files changed, 41 insertions(+), 6 deletions(-)
-
-diff --git a/doc/ChangeLog b/doc/ChangeLog
-index fff417f0..018473e4 100644
---- a/doc/ChangeLog
-+++ b/doc/ChangeLog
-@@ -41,6 +41,10 @@ JH/14 Bug 2284: Fix DKIM signing for body lines starting with a pair of dots.
- 
- JH/16 Fix ARC verification to do AS checks in reverse order.
- 
-+JH/18 Bug 2287: Fix the protocol name (eg utf8esmtp) for multiple messages
-+      using the SMTPUTF8 option on their MAIL FROM commands, in one connection.
-+      Previously the "utf8" would be re-prepended for every additional message.
-+
- 
- Exim version 4.91
- -----------------
-diff --git a/src/smtp_in.c b/src/smtp_in.c
-index e4d02cea..b1f442c8 100644
---- a/src/smtp_in.c
-+++ b/src/smtp_in.c
-@@ -4670,13 +4670,15 @@ while (done <= 0)
-         case ENV_MAIL_OPT_UTF8:
- 	  if (smtputf8_advertised)
- 	    {
--	    int old_pool = store_pool;
--
- 	    DEBUG(D_receive) debug_printf("smtputf8 requested\n");
- 	    message_smtputf8 = allow_utf8_domains = TRUE;
--	    store_pool = POOL_PERM;
--	    received_protocol = string_sprintf("utf8%s", received_protocol);
--	    store_pool = old_pool;
-+	    if (Ustrncmp(received_protocol, US"utf8", 4) != 0)
-+	      {
-+	      int old_pool = store_pool;
-+	      store_pool = POOL_PERM;
-+	      received_protocol = string_sprintf("utf8%s", received_protocol);
-+	      store_pool = old_pool;
-+	      }
- 	    }
- 	  break;
- #endif
--- 
-2.18.0
-
diff -Nru exim4-4.91/debian/patches/90_localscan_dlopen.dpatch exim4-4.92~RC4/debian/patches/90_localscan_dlopen.dpatch
--- exim4-4.91/debian/patches/90_localscan_dlopen.dpatch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/90_localscan_dlopen.dpatch	2019-01-10 15:41:45.000000000 +0000
@@ -6,11 +6,11 @@
 Author: David Woodhouse, Derrick 'dman' Hudson, Marc MERLIN
 Origin: other, http://marc.merlins.org/linux/exim/files/sa-exim-current/
 Forwarded: no
-Last-Update: 2014-12-01
+Last-Update: 2018-12-12
 
 --- a/src/EDITME
 +++ b/src/EDITME
-@@ -819,6 +819,21 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -824,6 +824,21 @@ HEADERS_CHARSET="ISO-8859-1"
  
  
  #------------------------------------------------------------------------------
@@ -45,7 +45,7 @@
  #define CONFIGURE_FILE
 --- a/src/globals.c
 +++ b/src/globals.c
-@@ -140,6 +140,10 @@ int     dsn_ret                = 0;
+@@ -141,6 +141,10 @@ int     dsn_ret                = 0;
  const pcre  *regex_DSN         = NULL;
  uschar *dsn_advertise_hosts    = NULL;
  
@@ -58,7 +58,7 @@
  BOOL    gnutls_allow_auto_pkcs11 = FALSE;
 --- a/src/globals.h
 +++ b/src/globals.h
-@@ -133,6 +133,9 @@ extern int      dsn_ret;               /
+@@ -138,6 +138,9 @@ extern int      dsn_ret;               /
  extern const pcre  *regex_DSN;         /* For recognizing DSN settings */
  extern uschar  *dsn_advertise_hosts;   /* host for which TLS is advertised */
  
@@ -269,13 +269,13 @@
  /* End of local_scan.h */
 --- a/src/readconf.c
 +++ b/src/readconf.c
-@@ -195,6 +195,9 @@ static optionlist optionlist_config[] =
+@@ -199,6 +199,9 @@ static optionlist optionlist_config[] =
    { "local_from_prefix",        opt_stringptr,   &local_from_prefix },
    { "local_from_suffix",        opt_stringptr,   &local_from_suffix },
    { "local_interfaces",         opt_stringptr,   &local_interfaces },
 +#ifdef DLOPEN_LOCAL_SCAN
 +  { "local_scan_path",          opt_stringptr,   &local_scan_path },
 +#endif
+ #ifdef HAVE_LOCAL_SCAN
    { "local_scan_timeout",       opt_time,        &local_scan_timeout },
-   { "local_sender_retain",      opt_bool,        &local_sender_retain },
-   { "localhost_number",         opt_stringptr,   &host_number_string },
+ #endif
diff -Nru exim4-4.91/debian/patches/fix_smtp_banner.patch exim4-4.92~RC4/debian/patches/fix_smtp_banner.patch
--- exim4-4.91/debian/patches/fix_smtp_banner.patch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/fix_smtp_banner.patch	2019-01-10 15:41:45.000000000 +0000
@@ -6,18 +6,18 @@
 
 --- a/src/globals.c
 +++ b/src/globals.c
-@@ -1311,7 +1311,7 @@ int     smtp_accept_reserve    = 0;
+@@ -1443,7 +1443,7 @@ int     smtp_accept_queue_per_connection = 10;
+ int     smtp_accept_reserve    = 0;
  uschar *smtp_active_hostname   = NULL;
- BOOL    smtp_authenticated     = FALSE;
  uschar *smtp_banner            = US"$smtp_active_hostname ESMTP "
 -                             "Exim $version_number $tod_full"
 +                             "Exim $version_number " EXIM_DISTRIBUTION " $tod_full"
                               "\0<---------------Space to patch smtp_banner->";
- BOOL    smtp_batched_input     = FALSE;
- BOOL    smtp_check_spool_space = TRUE;
+ int     smtp_ch_index          = 0;
+ uschar *smtp_cmd_argument      = NULL;
 --- a/src/config.h.defaults
 +++ b/src/config.h.defaults
-@@ -210,4 +210,6 @@ for EXIM_ARITH_MAX and _MIN in OS/oh.h-F
+@@ -224,4 +224,6 @@ for EXIM_ARITH_MAX and _MIN in OS/oh.h-FOO */
  #define SC_EXIM_ARITH "%" SCNi64		/* scanf incl. 0x prefix */
  #define SC_EXIM_DEC   "%" SCNd64		/* scanf decimal */
  
@@ -41,8 +41,8 @@
  # BEWARE: tab characters needed in the following sed command. They have had
 --- a/src/exim.h
 +++ b/src/exim.h
-@@ -603,5 +603,9 @@ default to EDQUOT if it exists, otherwis
- # define POLLRDHUP (POLLIN | POLLHUP)
+@@ -597,5 +597,9 @@ default to EDQUOT if it exists, otherwise ENOSPC. */
+ # define EXIM_GROUPLIST_SIZE NGROUPS_MAX
  #endif
  
 +#ifndef EXIM_DISTRIBUTION
diff -Nru exim4-4.91/debian/patches/series exim4-4.92~RC4/debian/patches/series
--- exim4-4.91/debian/patches/series	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/patches/series	2019-01-10 15:41:45.000000000 +0000
@@ -6,20 +6,5 @@
 60_convert4r4.dpatch
 67_unnecessaryCopt.diff
 70_remove_exim-users_references.dpatch
-75_fixes_01-Belated-README.UPDATING-notes-for-Exim-4.91.patch
-75_fixes_02-Avoid-doing-logging-in-signal-handlers.-Bug-1007.patch
-75_fixes_03-Fix-typo-in-arc.-Bug-2262.patch
-75_fixes_04-Fix-OpenSSL-non-OCSP-build.patch
-75_fixes_05-DKIM-enforce-limit-of-20-on-received-DKIM-Signature-.patch
-75_fixes_06-Cutthrough-fix-race-resulting-in-duplicate-delivery..patch
-75_fixes_07-tidying.patch
-75_fixes_08-ARC-fix-crash-on-signing-with-missing-key-file.patch
-75_fixes_09-Content-scanning-Fix-locking-on-message-spool-files..patch
-75_fixes_10-Use-serial-number-1-for-self-generated-selfsigned-ce.patch
-75_fixes_11-Fix-logging-of-cmdline-args-when-starting-in-an-unli.patch
-75_fixes_12-ARC-Fix-signing-for-case-when-DKIM-signing-failed.patch
-75_fixes_13-DKIM-Fix-signing-for-body-lines-starting-with-a-pair.patch
-75_fixes_14-ARC-Fix-verification-to-do-AS-checks-in-reverse-orde.patch
-75_fixes_15-I18N-Fix-protocol-recorded-for-a-multi-SMTPUTF8-mess.patch
 90_localscan_dlopen.dpatch
 fix_smtp_banner.patch
diff -Nru exim4-4.91/debian/upstream/signing-key.asc exim4-4.92~RC4/debian/upstream/signing-key.asc
--- exim4-4.91/debian/upstream/signing-key.asc	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/upstream/signing-key.asc	2019-01-10 15:41:45.000000000 +0000
@@ -1,777 +1,802 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mQGiBEIV3d4RBADiY+ImtiuxCxe4ImIWZd6IetWIZaAjxLQliWrRHK7CdA6ANYAA
-OWwk6uMucPSjP2RUYXehDdVAb2i5AG3kGb/SNZ08x2eaeAtALAvRw3SxPW5/Ch4g
-bNB8VBCyyZlPsmS1epbaOags+1oD41FopdvfIQrtoD4I0d/ndG64wkDh2wCgiXdE
-QZzYknZgf4HA9DZHhizNnx0EAMBDVTpIq7xaYlK4dot4xNcWNJg4UX27a62lEKvV
-sDf1tH1qB4ujZy1ht83oXURpNk7uDf718kwaLGoSwW6qOx9iI46XoOtoxSH+6J8A
-oKtBNhCl03x10E8MK1fANe9WLdxARxgZxnPo9QOSTNO4PYR1yvrq0ThTKXvMweYT
-OJlIBADdTquCiM9fgoU3sBsnlmSMpFn27By0Yz4QjR8cLD0F1bZKmWPRAHDdwArS
-pOmKNv4tOaNp8WuuLEEJbPEcc6QdPEOH3lVQ/QZHdemYerwMN25i3MYeWAPRg4Sl
-dZ648IPWdHA/QYfp5JhlT/9UwwKPvIDTPg10FI5ecPYxcXUT2LQuTmlnZWwgTWV0
-aGVyaW5naGFtIChFeGltIGtleSkgPG5pZ2VsQGV4aW0ub3JnPohkBBMRCgAkAhsD
-BgsJCAcDAgMVAgMDFgIBAh4BAheABQJWzue5BQkVsOPbAAoJEIWrgz/dwDJiGmoA
-oIfRyEwpzL4v6JB4BzK3TqfH6mVRAJ90M8AfnhzW3KG7l3KYxscnVZdOlbkCDQRC
-Fd3nEAgAgeLGF7rot+0cc0hwGFK7h1aGP6r2p+o1arsR/zJystk99UBWqjmKzu+3
-6ve+H4J28Al4B7Sm75bvnKignppp0ZGP/WXlkGsk6Tt30c7tkK+1izrCFGlxf5j0
-LKrH/cCyZp7tgqRN0ewDoqK6OmEBmSqMgarSTatyYuZy5OKof8EcJEt6nTydPdts
-VgRziX71B1pd0t/bdWwLnuQ9gkSJNiwPGBrV53x9uh43ZcpqLl17yfXh/FaUcdlZ
-N1GPtXYMr208Hv8fGpPEQVr92OJAblrlGck+aWIoYgX3tqCZDqCYtxcBaXCyRZzu
-7usKJukY1Z6t0qF1U7aWTjeVVeWXhwADBQf/RYK2jTNLnhtCVWqWhFVd0/NTbXIs
-QDeZuZXp8xHB+YjxmcbrSTvKrkRqfCvPR5r5SBOwBtq+LHElwp1OcIt2xYIEmuS1
-Jod8+h+ohl9p11XtTp3Rd8selh7AHccFz6BYK1SsHO5ZdrFwlZf+oVxLrQzibFqZ
-Ob69T4HUp5Vh5Z9XO+YsVa5a3K1/pfpOJYMP3VgdsBlX/gUxkz9stfNUOIR5caQK
-UHfOaCQaQ02fAsmnThQkAmqACTapvqZV9wSHxgvUUbPcw2h3rty14u13J+cJDrE0
-+x1tCDSsPLbq62A1d9GJor8s6GpyYXq1ArZJgBpdq74qOKU5jc1gvMmE8YhOBBgR
-AgAPBQJCFd3nAhsMBQkJZgGAAAoJEIWrgz/dwDJiqxIAnAm3NzfRaBtl5XpnCA6n
-W2MNAwIgAJds5g802u5CKZDLGE90hHNXgF2kuQENBE1Aj9kBCADfrgx9xrDHoYSU
-3aU8zST2GEoMZypO1fBi3AiInsKakMsVibZpEI8MVM24lZw9jxGfsX70Xr+mYiTI
-ZY9GJROG6fHFLKgUYFxYeUA1GtNNilFvBGlXJAYduyKYZMdEVVtUX4b6QpQqmTeY
-sgNCznb1HuVpj4Vl6CiirjWhnZ/WhR3L20AMK6422lCw9jZuAK5RbSRJwkgI55rl
-zZGpGbBmBIHSCccMB/jg2LRYsVs//D9Qrxtkt8W8fIHCj66L6eNw1gcndpEkyytZ
-bifE3khwlRWn/Llpw8NiQiJKUE01TWQusEvd5EHFThE/9bYpUGdMiR0UmpSLkEq3
-zurCcUK1ABEBAAGJAW4EGBECAA8FAk1Aj9kCGwIFCRKtsIABKQkQhauDP93AMmLA
-XSAEGQECAAYFAk1Aj9kACgkQA8m6p6iaqTb0Dwf/QiTT/Aj4XdoSVGR4yeXFpQNR
-l99dOtUwsP7wtSSeV5jQgEMpRwh8ib702retoWbHQva0FsDxotEatHKvdtkkCUqF
-D33jZ+aKkadcXjqnSepXY0m7sG605QN5hE1dXBhPPy5hUfXuAphSq+ma4Q4Vz+Zm
-al3etKXL2xIgAIkSX+srng3j09JfOaYdEDXOU5sNEMuDqcqPC/yt0giGFPDBd7xZ
-JQER08MyfDoFmwiVGi1Trbzjdnp1Y0q9UF2NpWUMB0q9/CaodwjU7SB4OU9FYst9
-uImVDwI3XqL45ULUCZGhUnuHz15ePb1W5cUUu55M0iuCrjhHqt0e8/c7BrdFuwee
-AJ41rUXzNNSj3w/o9T0O7mWd0rh+HQCfSNjhzVUditAzFdNneXLgs9KddFq5AQ0E
-TUCP7gEIALzLEYpmJLCDALPKv07Yd4bhyX/st+7Hz3Uj1BjIW/+pCEFf8e+ihZg/
-caWuSL695DddreiIhJlQiso8HsjehDccU51kep4vvTKu2p3zTSSZvIgsTTPAeyqa
-L12UCAm4SlkjhEH86Yf7Qyic5cZhkGBCtN/1RVxoEoonRGOJg2jkrvok3Dz1DQ5W
-UyS5gRASDnF58EW4HSMiRek2XgN/MEY9GLkXsoaSFWU9X3rW3Mgd4EMpTf+id2eS
-Ffp820Ati+1VB6Hte8JOWRhTopSB6FZfpZ322N2iCAX0TkZesfSwfZSTZ/Xc+29B
-3JHDrVbFmCLhJfzv6MqQ04VQZ1VWzUEAEQEAAYhPBBgRAgAPBQJNQI/uAhsMBQkS
-rbCAAAoJEIWrgz/dwDJiNIgAoIdWmf17rL5Zmf/EoPtmYngbadnaAJ45YtXrEDCV
-4fuUhLK6EdvHsGGtl5kBogRRHjTKEQQA7Nj/xLjtdH+34XBWzVRupKAEA27d5Ikn
-AVtyPK/4aiGZ2mQHPX7qaVOOHHFHVfj+38ENwZG2do87x5oJgaAf/WAqQRp0m81r
-7YZ3DGWZxeDuCYESwZxEkJ9SfOwmQ66NrHuXjjabOoQEoxtQdxcyaGDBWbvpDaXS
-4fG1oKyx1T8AoOGl+25xKVwA5GKU/DLqbBOoyOi7A/914vhUW1bd8TcKk5owI7/q
-FoSIjk1/lxxDFX600giri1FrENN+ERg0jaIBFFnkJF4dx6G5xIuEAHLJ0Y2BdXCF
-mJPJw7ZzgtTmWSKW0kDhbRx+Ozvpwa1spxyjgQAg3B1fVUBkGlV6+bDZOHmMDK8b
-7RoRdW44+ygbE+WHS5/oiQQAiZtFY14WcSi4bqhpTDK5YFZh2lyhQ2snYfOiQWB/
-gLLfKDTDJ6pVygtayPKlx4jXuapyNE62QhU5zgCKr9DpsM7v7UnPfTgPYse5HqUW
-IPOiOE+ga0TpZT4egqzW6mPGRYQ/ZjViL+JGMa2ATvrSoR1BJCd8BFmmplDs2it2
-Nme0LlRvZGQgTHlvbnMgKEV4aW0gTWFpbnRhaW5lcikgPHRseW9uc0BleGltLm9y
-Zz6IZgQTEQIAJgUCUR40ygIbAwUJCWYBgAYLCQgHAwIEFQIIAwQWAgMBAh4BAheA
-AAoJEMT0+UgE0p66MDwAnRW1VWjfUD5yGhedcxiHsEg1A8vnAJ9NxfoOwPP50sWT
-f2vycK0mGECYcrkCDQRRHjTREAgAlhjQZt1+uSQ3puq7p9o/AqRrVsZxxbi/C0cS
-eAvr/iN4tkKk/4esSMevwLIMPw0ByuwCDdZusdLAI6TdDe3nwDBQVRbMlmmQM1fx
-1wsJHbiEO+WDENULU0SxqU7lwq3YCqL7oKVtZsJ0MkmEAbZlWuzBE1RzNTgdoMSB
-GmSeDu5f5q1a+BMH1gcZWQkW7Y1e1kgHDgnz6vh+cBulWCwEzrwGaEvmJJ+w2HPE
-cD9q4IvTjXxZbli7WHrSctqCdgF433iWOa+NjUCfl98z4D7KjKMqvXKqD88NYbqG
-wrvupQZMOeNjybWMnkouAXHJdA8fiTy5hV9P7nat1OMq6h+YRwAEDQf9Gl43A+H4
-xJJ34RrCp9il8/Ef7VHEn9ZnaoMNuwCjYU9OaTHAjd7V5N23ZF15+XMvO0Szx/to
-qQ14ev385VgBD/FWGy1r+UBK1/gA3pArQhpd4mtzRsjg8e2yl0D5v3v4K1EjEtDn
-37IBwAmWjwbMU12SP0NM+KQXtO0WCQF+ggRhD8hhUPV20ejYqnismX5b7LYX+8NB
-OCleryW4pz4ZQT6MTolyjeojyCyaHE9G554ECKX+fKG/WMQmjjwjngkrPk0s3HN/
-uU8UvQv+uucP62iHcPRKwIk6jrlR7KODR00IzSXaRNYtJoDC8oFS0xyhrG1vMiGv
-OQTBfKpgyxoIBIhPBBgRAgAPBQJRHjTRAhsMBQkJZgGAAAoJEMT0+UgE0p66lx4A
-n2JHiU9h4ElPNbDSfqjQoshYKIb3AJ9RjvMg0AdlIPi6k2PWTTBAKsoB+JkCDQRU
-rvZBARAA4jmen1cqxMnj2SIOPBV5igqnsSljlCADmC8MlW1OzozaxFJo/GMMfZjE
-AAiST3IFIzk8YBotDfUwSaVpRQ8QFz0XT6+BrDwKvMId7lZ3AuaqWkXT4+uv52Yr
-PVN87kbn52MLoUEtxgWxa1dvNmg8+wzsBVI63Oep3yo9eot95SIHeqDQj+4Rzd2Z
-Ejh/m3AHcoZl+Y71b9zsaherqvBgB6QpBNaYhEXXAFZGXzynX+6WxNKQ9gRxnsKD
-ZkbnJvBOyOLz+fsVI/lbGnSXycQ/hVw3xg30bXHuOkYhIe1SRz78YAaAlBp76o3P
-+M9oJA9SxP8j6XWj3vlBtbLRNl1eUXl1ED8S95jGVzmou0I08HGJRmOGAmEYQjDJ
-JB8UR6RHn4m0yCQZZgocXCGERgSRNmPMUOaIskMnBqoCfqEifGS1ATqZgYuEik9M
-o8wfHCAeMOGsjr6ew1NGPfjvzUQGRUPRgvuE5c3m6WcsDJkgTH7YW9P8T4QeboeV
-Y7xpwkAp9Sd/eoQvpXGXjEAkC5dJhaHXKbtxrxlLHaV7cTp17+Vajuf4s3zzXhjQ
-rh9ojiNyEVBDetsowzN+UxgWybGeFtXeeqUmUgLpoV8iOjaqKI/n24+dl+JY51tH
-8cR8DG93N9xYL/CDersmvxgIZEVDrpvc3/YMhCWVHDZ0ZqmnQrsAEQEAAbQzSGVp
-a28gU2NobGl0dGVybWFubiAoRHJlc2RlbikgPGhzQHNjaGxpdHRlcm1hbm4uZGU+
-iQJABBMBCgAqAhsBAh4BAheAAhkBBQsJCAcDBRUKCQgLBRYCAwEABQJYVnXoBQkF
-vsCnAAoJECYQG2L2k3bOhKkP/2zWhq0BlT7AAAuefaZPl9b52uT7PbY4owcMWXJz
-i7FTLWFo6KJOCBH9UTX0TXmf9S3AMMfoewblU6zOy+H1Q/ZVdzth5iJaXSbTgLlZ
-7yc7k3P+qUdBGdCHwpUJmBScdGaKCkbdcOPIxTi02sPFTBJx45ogr3/n0S8PFNOY
-Vv0fl4Nnr2bOpoSKSka08lk4HJKsMMA/BRfaSffez1QYdRJKhKTkljlJjA682Fuf
-NBaZIQ8GHUjyyOIUwQUit2yAGChbBCh9wq5Z//xzBwdqGx64QLHHF+wCg2r9Ba3D
-QMNllPidfPBPUPQ+xGXmHz0R0FzlaTYnFYKqpJSX8j/5IhaijZRxvtJljXa0fOg3
-D1A7ZuagCpNcXWVM66FeOx2hYMlBNn/eLejBc244ydlI5lqyocGRL3qjHufp6JVi
-uwJpNMnWyLvxqrwgC6mcCDx7jJL7eI7rdAFLwfoTYnBb0zNPStf9pWngLmxsD9G0
-U3nJnVzhsZfa9s7F13wxkfZYio/HkKW1IGZHTkJzWswXx0Ba2UK9oLDCy8dByesA
-5KmtA09dk0M/GuMFcb+ZZ3x3USa36Cw7vbJYcmDw6O4XgNf1aja5cdltENLsVKIW
-I1VguZGfIwkLC3iXN2PzO3yOW5GXQ1wPHTc/SPMuBeT6UAqPBjO6vRQRFf4ghslG
-//T2tDVIZWlrbyBTY2hsaXR0ZXJtYW5uIChIUzEyLVJJUEUpIDxoc0BzY2hsaXR0
-ZXJtYW5uLmRlPokCPwQTAQoAKQIbAQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheA
-BQJYVnXuBQkFvsCnAAoJECYQG2L2k3bO3YYP/0vbSNKAD68r2EN8//yRGgH1xyUe
-uRARgxJnhw7tBsO3k1YIkIEG7vKzLcRhi3vcM12ttY9R425Kl1c5ug6f4jt22bnO
-ONrJ++0Or6hRucJ3L5IHRK0b2niPqvXBbg9PMp/9p0jKCHqme7mdD6jBOHBAQIZe
-MuGLyzNKx6Dk52DZeLYRznoloYtUEurckrysL1/C9Qsah3JKlURSihVFibnIF1Wa
-GfphxKsgLDDi8FUyNWrt99MhxYwwlAbBNQ99ifX3ZLFR9Q2B2ntL4Vfvom9QBYWG
-5e3rzlfQtw4pGWpFZFDSi0LdP8FfM9wKhtnbHVEav9Te7syYgMBDx5q6irqwTh58
-gKLicWkD22rtVGYPv+En54thAq6MXMQuzJ3s4MW/5GTZcbtsBBAj4OtHvtyKzI08
-/TlS09bk9mlaI8PYGUU8JKZj39alL7bI7hZVn5HkGMn1Z/lojdW8Is35uKmMZnF+
-im0vonw1n52OTv+4nOpBcidckeDr0PsiAScJBnaJNVF6v+jL5hrUxs4hD4UgTgSL
-obUzHi1g4/UP/eC1cEZH7aC2FiG2jTUqo84qTZ9Cik07fmUf95jCfsWFvijzVCPB
-oIg4W5SDfkccvoermqS2KE9b9DXdZDiaWTLO3U98nwkO6ps24lbX6mjJ+QjsSokA
-msGdN5BhOaltRYBZ0dHq0egBEAABAQAAAAAAAAAAAAAAAP/Y/+AAEEpGSUYAAQEB
-AEgASAAA/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsLDQ4S
-EA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU/9sAQwEDBAQFBAUJBQUJFA0LDRQU
-FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
-/8IAEQgAYQBQAwERAAIRAQMRAf/EABwAAAIDAQEBAQAAAAAAAAAAAAQFAwYHCAIB
-AP/EABsBAAIDAQEBAAAAAAAAAAAAAAIDAQQFAAYH/9oADAMBAAIQAxAAAAG9fPO/
-GubSEtBlGa96w7AivEFcmWBP87YnPpNAfdeJLIrVB5bw3TDYD3w4bu2LTZXYacWO
-gVnc64Pf8Ec9x669KlsTzp6t1iYG/tSFU0r7naLuwuQl12uih5tA9jqX6uq2jvAz
-pGF6McSNYyGJiilQ83NYWhp/p61ZWTds7d5z0VM584dN0L7eKFnVdTHT5L9NlFkL
-Jva35/0DrrVIVyK3lLNTL2PPsXHG0OOvT44MFAwd0xttYpwTK1Q38ZNWPTkM3fF0
-OIvQZknQrAnUwPMrh54UPTFkg+osm3wFrVWJQNEvXACUD12FzzDoYjPXeS7gnWSR
-0nGJtlalBxLL5HGT12juo6HcKX+skxbGBn/EvUTEoWDLWe08e6Foxw5fK4kD5o5m
-sxQloUADLA+1dXbvUH//xAAmEAACAgICAgICAgMAAAAAAAACAwEEAAUREgYTFCEi
-MyM1FTEy/9oACAEBAAEFAh54gp4AvUZvJ8dYrKN0sFQz7ztyx4H0EEdgn+AVsX2K
-5xi+MsfZSAxnq9LIzmSBbDrKZvr20zWWNhGTtuhVrgymkEXBTUUEP16HjdozXaov
-Sqyv7Wdy7mp019t/4ZaUE1EkNSPWK3fUv4zdhDteu4LYesShtWHx48tCNjsdwe12
-IVFoxOzQbWEa8m1j7PtqjS7NtA34pW18MuyE6hX+QsDaHjY0G2XFto1jW2l2AM5s
-hS9iWprwqCszeskE962zirt1Vu5q2ddQPrfOlzY1Qa7cTYzSMVegV+qKZBraztqE
-4yxFsNXuRva2xHOTswprhrbFx4EkvFtlM7guCwbISTYggUz0un4y2PsEWBYbJV7n
-5fuqeLdGb0W85DjwH/U/nIjETZniFxAQMxirnTNeInc7CEBH0AdmNqlVeEfTmd2/
-Z53xGePqk7HP8g5o6/v2vkyYXduNJeTONiKtYOWEOePK4R2EWDni/wDeeTf2lz98
-f9bP9dfA/wBaX9LM/8QAJBEAAgIBBAEFAQEAAAAAAAAAAAECESEDEBIxBBMgIkFR
-YZH/2gAIAQMBAT8BSxkqhfFnPNGIrByOxd2cnJUL9stfZJR7TLbwjH2Pb+oqTF/d
-mv0wjPaOV9kYOZSXRQ/hh7TXHZtbR8SXpx1ZfZGCiqJad9Honkaa4EbWSXyjndIe
-Uor62STOBrriNcskouqW1EVy1IxIZPTjfIbjWTng8jWt0iMs0KHE620MT5M0v0q+
-xxU0eRqLRVEu7NFf6Kx5KONM0pYJan6S8hRXZqOWq7EQbjIvOCtmKbHJsorbojK1
-XsYt62hWPavatn0IXuW0tl7frb//xAAoEQACAQQCAQMEAwEAAAAAAAAAAQIDERIx
-ECEEEyJBMlFhgQUUIDP/2gAIAQIBAT8BpSxlhq5DFv03olRg+oK37MZItdWaMLqy
-KVTF+74HVb7HJkYRlG6J+NWqRTUbiozo1FCcdkqcaZOLqO8dHtTJSVzrQrJWIuKj
-7iNWUFaJSpQpRxpxsjBS+on4cZEv4+pD/mz+nSppZO7I04LSJUKc9oq+P6c7LR38
-opoSb0KDH+CfkpSdNbRlkyLMir7omSnsjSim5JlhuxFfY+XL7iaL20ZmSkmiFKVN
-JD/BcZf06U6n6LnbVhNofZHxHVpvuwlOldNGbkrF78eXb08I6MS6RdrR41F15dkX
-ZWPM3f4HjcXSMhTyjYls2QoTqOyKWFBYkvuVkpwdy3Xei/C2OCexRSLsTPgqfSyV
-7/ji/CXZLm5LRPLvlbESf+HolzFEnx8cyHwti0S3w9LmQz//xAA0EAABAwMBBgMH
-AgcAAAAAAAABAAIRAxIhMRMiQVFhcQQQMjNCUnKRobEjgRRDc4PC0fH/2gAIAQEA
-Bj8C1VvWUZG8RhmpQZZ6viUTp7sLdAlundSLbQbiOql2GgnXK9mY9Wn3QqNvtHqJ
-z9EHkWNd7xVxfAHpRxCE7x+KFy6KMCcYVwJiMoAjXM81YSZ4f9Vt4z6uqB2NXkKj
-dP3TA6kwt4mlWbP0KqsqU3B7W3Y94KnX2l1MiRjVNe+6HZDV7Nv0UFlvVuFsHP3T
-o5fq6nqsZ5ZwrfD0Kj/lHBUm1m7Jky5u0Ex2TfFube2qbalB+lv+097GWUb5ZQ4A
-LOvm951p7yve1k94V7XXcZHBbO51Dw4/l0d2e5VgY2nSbmOyaGez9DJ/KnLg3QLZ
-k2nqVLTLVJT2YBdjKaTdS4YCDKTczo1EXFsc0/ZH1cUQ/dB3TH3+35UGAOSa9jJc
-NHoUaxEwtrScOyLA8Nd1WyfLGTndmED6qg4kJjKb3Y1eOATWTLCcTwXhWM3aIJbn
-jPFbd+eYTphpbp1VV7ocXHIKLGkbaoIps5K5zpfqZWTFenHHgjNS+dJQm7avy6Gz
-+yItdBzK2o3Xg7w6qnvfrgb0c1Lt1HfuJ91uq/iK+vM8Ft2Cze+kqjve0ZaUZkSt
-LD1XMoEenQjmENk2uK54Mfa09UTUe6uebiY/ZQHW/LhC+Z+JVGE3GJXhqjn2U272
-vRNHCOC1u7rGDy4KVf75bHZAKSroXrjpqgwzZxtQtGQPJoGpMKx2qzlFABQcqeCc
-/sPutbR5eFZzeqQbrZJ+qY1pha5KpPHrqE/QeXRMd8dQKXCR5UOzvwv7bfId14T+
-n/kfPwnzD8o91//EACUQAQACAgEEAgIDAQAAAAAAAAEAESExQVFhcYGhsZHBENHw
-4f/aAAgBAQABPyE9Z0rcCdB2bi2gtW4HmMjIVWHuYcUCU5eYwoKFP2hBbZQu19sF
-WDFwPZOZgcDQquaH+Yxs5203VdHuFqNXouUu6EZ+Z1hTDzTyxnM2aDHT1EbUVngs
-BSjk5PuFkJ5DWp0M5q09Mths3DHf6UTfwkPHrMbbXRvQOEmjDiBef7oFSfCo7F8n
-SLaqvShWNQC6XDUeXtNSX2i4ae6lqNVvt8EfJrA7V0fcxG1jFyP/ACV9cKBqOiUZ
-C2wXUN1ApsETZqunJIbCqcbC1m/dd4h6PcoosA95waBemcygowzxV8n1CAldAx+G
-OkInmlb5kcXOqMULtdvdZzsfDvL+5eXLDgwcETK42ClB5gsmWhGyDjvAo+hw1rIV
-9xwyiycHKe4fkg6SxlMs8Vz6mlZG7809IE71q2QhtMSziU80qOcS/wCBscTUFAae
-5nJNf12vZAGlQczs+e8aURa6ew/GYQRAvyXqXlqPNGre4DAcqcwxTNC4oUqEbJcl
-biDq9rKPMLLuULL4ivJldr7qiB6YFVL8gr8TptMS6eyMT0lxwSMNwp9qE2vLaYjv
-XMHtP6jsaTjgGggcJu1d8kFcDC9Vv9TEDAt1EJs+D+J9kefEfIF+uQ4kBP2GO5Ag
-Tyx8JjS81gCjw0bY3cFQ+JV5iroWcvcomXk7O8cl2dMyCY6tvK8RFTCsu+0teB/b
-O9OZeCphaTSkz8OWFmWqmDiurNXKDVUxz5gmEbUh+U18t/mMXgnTEypbiqsw6syz
-AGjrHFnPuRKNbJhRgUl/lgr4M/qH0ZfZhCE1tqWF5RdHUDxi+X6m59xaDSY6z8JC
-aFK2E1n+p1z/AGeZ9H8d8/DV/m13h//aAAwDAQACAAMAAAAQHHAkhuHnIM0XSVXk
-2hYx4dFqqkUj87TBa9n+afigH7l5i9yqnkoqIre5SNPbUU7e8//EACARAQACAgMA
-AwEBAAAAAAAAAAEAESExEEFRYXGB8PH/2gAIAQMBAT8QJY8fHUttqO9u11G1pn57
-i0lUztYjpmDC1RtJ/vvzGVqhZWAwTm+S5AAjvGuag4qpoYZK6xBsVVKvHc9FxssZ
-sNUdOxiNrVDNURCUkbmtMAKzN6jP9+Ro3K2JlQluitTtDF/XnsqCG7gTuE0ySzYz
-EEDMv2NsuS+6IktRiSqxBqcMtqULuW7FV5GEJTD3KR9t+iFGI4DdTIKIxu558TCD
-Q/sMDuUCEb2bj6lkow7UclYgA7llruXDRg3PeBUHccjqV17gVDq4UPuZFMIV7U6H
-mWIXeZpANE2LcB5GDCQbXBEcJEoiomU1KiGY3H93LkuOYY8umbnDpRNQezUMqcum
-IHPGsORthO4bQ1P/xAAnEQEAAwACAQMDBAMAAAAAAAABABEhMUFhUYGxEHGRocHh
-8CDR8f/aAAgBAgEBPxAGWhXj2uOieu61TMeZb0hy/Dc4lXFTKOT+PxEWfb489ylj
-hXxEJxbivXj++s0HnzzAbWfEqE5y9e3x94q5OgUteh4ilDGel+rLo7eeePHvAuvb
-fz79TB7ZCbx8fDXEVlJXiLjXOZV9/wB6ll8lS3giEAPzH0tr+9wAQTrd8k1EHO5s
-BzPacX+2fEwD1X5/3KVlH7SzUr9fecGj0uD16QLMNehi7WZ7GkFi9bELz+1n/ZyJ
-OuiIqp0Yi15foXLB+sOdyK0snlFN7GGXfVXn7QKdQlYrbIFfmqfdgTmLY8RtouM0
-Tm4eP5ii1nv/ABFhc/M1yV5yWddv3fWJvSX6qDVUUuD94YDgjwlsbXiWYuu1ikmq
-qXS5Iwp+Jq2ARzt6lANr8zKjIZdC/wATNpBjVTGJoAgthUUy5XyRbRFIC/NINcQg
-1lyZkqEuuoMiVVLHE2XOJmTJeoQ2XCGNXKgbKFY5QR3mJQfX6Gv0X2o/4lfpP3nc
-OPo7T//EACUQAQACAgMAAgICAwEAAAAAAAERIQAxQVFhcZGBoRCx0fDxwf/aAAgB
-AQABPxCUBCWAk8m945oGlsQalN+ZGw2ECd9zQQNzsxJ8GXOmKEjFkyxgQcQ+ZQEQ
-mLyRUgMBGQ/Dn2MR5mTXYGgZibmeIMVlINayjJgqHH6y6LMN0kG5tGGYwsioXfaV
-yxhhBW4OFS/b8YuvJGyFPBN4CBa0SKESkjAu8aYmuwMtOwz/AJwXCcxJ7Adx9Y7K
-AGg3C8G2zcc4rIY2hYH5fqNzlwVTAoA2l+O0MkAZCKJIUiSYoVvBBCEBrgiwsKSR
-zlDgqv2M9tJw5VZocibdDM6JVvKs9CCIpCXTNZ2Y04tyRLZunfVYPlAK2zwXHfxg
-9FANFHUsucm6Lgjin4cTkQ+W1rpAJJ3gaMdwQ1KFcoyNlZ7cMTOjbVXxjZuKMbQn
-R2rK5BiSzwTKntV65yVaC1QEKRAQCNFRluTDWhmuSWkQ0hkgJEp2v+MCcPT3ixFe
-hj5gnJwAPiGY8weAkvaIdiRp5EZrxTqkYigJE6U+cCnlwd5kDwjARSogJarKFCsf
-jCWJRVIKg0LfgA4x+WIHpD9ivK41E0QCzpOMC2OmSs1iJxz/AMwoOFCWttD81ktc
-ZIkOARg5XPZjp5lYkI2JgV6kGItFG19eXHN3YbWUh2nZ7hD5WqQU1sSOeMM0RBHg
-E86x8bDCjOWpv2cnq4dB8v8AOCFKDbbqsZ4yFlzz4dTxvWb7UBTTcLl8ljgTKiRi
-2RwmHdMVgr3HejpRnhMPWE8lASSO5wG1MRdMelBXBBh8yYFRGx5iNe+YgikAEiRZ
-0jWDKpGjgBPMWQ3pGTXGhzKusGAB5oeNER5lONEQOShhBE/IY96ZaMNTFp/WUBix
-85oB5tcYKAEYSW4eZDKB2cgJV0xJ0icGD2ROsJD8WJ/OPY7JpXsnXxORpkBfIJo+
-0e5CKdoDhLtCNEr+cC0aAzIAQVNY4lH63ojxD+cnNBQlGe+OoxrKsBE+J0n0MFwD
-cGD5D+sv6PTba95HhBwyPgtCSKOtgYkbDJMkS0upbPX6ylD0FfZf7wO7B0mrmZwT
-YyVY2COq/vGeuYqZxJqGFc4ERwS5iE+LwNUiIiD4xTQrSDlTZg2kqyz78aNUdB9L
-3iQgNwcBo+8OaC3vJwOaFA+ZwGgwILT1VE+uVpWRTr0SFXihhAmpW2N/qM72dvOR
-3ok+Qf8AuHSQRRJzA8cRsxtVv85SwUvgcYiANqODFJ5dSVhk3wA/AwDaSYf+MON/
-JWK0kneU2jzC8arwrxZtC5JIfQ/eSsO8/onzHUJkK79xsC+Coko5lcNjYWVitI6O
-XFemlMcCcPuGgEBLvizNH8FNf+152Z/Sf2fxc/f/AIf990z99/bn/9mJAj8EEwEK
-ACkCGwEHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAUCWFZ19gUJBb7ApwAKCRAm
-EBti9pN2znUgD/0X0ppBbZ8LZBYkyCtCtIqK+CzQTI6sWU6NDAjHrHoDsmy2RcQS
-K0Ihb4g3w0VWhU/xbwDsOyHCEj5KnhfLQTUAD/8LIKUha0lJFnpT0/WDUV9EBRMT
-xJYENuE+Cn6VhjJLrsXNTawcifU3RFUOnxYDHI/0UwEJ52b+9l1D4c+HxkJZGjqQ
-DSQh8skqos2Lrhm4m41B7/dY2BfpzA/ZVUpMtWOwLHumBjtu2n97h6Jhx6duTSif
-+qghW9ViLAK0u86ZXyQKnhZSbTpeHdfU5tJUpCVb3hFNqzaS0HSfRTxeanQ09zyV
-92eoRuOVqfcj2/uYq6PerLgoPPhmP90PpSg8WVHSo/nsqV7+oteFkEvPxU2Pq21k
-B4iqD0TNann6h9qu40ZkrwX/oe1y7DVRBmBhcRHYiClmQQHO19OvD/gGt5KHKXZR
-jEvMD1EhW2d8sDlr3tvOiplim+k2EdjMBa/edhmtoRVV0NAuStlgiWNuzehFay9g
-7AjA2qurNoGvLlr/016hDy8KcP+0Uhg7bdhuELzU4RDqGRPGD49cH5QFYn4FaGre
-LrYksk/zNt8Hj1nko9seOMX36gSXqA+dyl/095Mtl+8E3rwhWtQbx4AzWlhFmQ1m
-f1sKZxdPbIa2MuSmzWBnctUCIus/4i8AOi4w4J/gAQ6txiAVaytzMUxf8bQ6SGVp
-a28gU2NobGl0dGVybWFubiAoRXhpbSBNVEEgTWFpbnRhaW5lcikgPGhlaWtvQGV4
-aW0ub3JnPokCPQQTAQoAJwIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUCWFZ1
-/AUJBb7ApwAKCRAmEBti9pN2zo33D/4xSI5qfxOJMVdwmcK03uWQoaAkda4n5/AV
-yZb2lEfwR+CfuwmXFKwTc4ogZhE06lkDoW6bfQbsbA81Vnmjzn6YUIR0/7Te5YDQ
-l30MeBR7dD5yXArOw1yNT+/jDU9BM2wisJyAzdGuYUm9AEH2EDn8iRehSKYIhDwK
-eqhSWGr0Epl6qQLB2nTQb3yCB6dXxYKVOr1OFcZI7sOn2yc9LxbHdajWXcf+xvWP
-khvnGdsx2ZDjCKUvEa9JmKkF9WszqIdHl0oNceJSa5qf1PXKL2EcNGd6KMx5Pjwu
-LKBxQtWx3SD6tGs33jHBh99keQ06zZwpS4DsrQWR3g/ks8YvjIY2DJJEtMbka0dk
-cnZGbUl114/UYFEsmLK6r5/TB5WTAL4ucl/chrr5+CZ3yZChhv6+1HUyEtIDQ5CL
-zjtheVb6PTzWbSYZTaqXv9Rkq9611LpUeb+61PaHDKw00hFur+e4ITKM0ouaMQBo
-XKLhTYt4HsiRKuoTjiaTlMm2yLPQDpc+Fcmnrq1YaNIAq1qVzapRb7pL06ZwJm28
-6sixlfrC4K/p4TZ5H91uorI+8zaIiKH1knbg1y1iW1J1JgJ+4qkG23TFYPeFevsU
-dY5KitWUEIGZUYbvi7IfP4FKUfobT2Ed/4nWvm67lDUXT1dU+KkII2Zp3fnYTBKa
-dWmOwHP62LkBDQRUrwUqAQgAoloa9GF0nWdO/3DrH4XvOdcupSk6oFoZMQdoQfx8
-7NoxjR4epy1iZtYrZNgexs6S7a3lOyaAmH0zSBw8iJ5CydKpY7pVFd2lFbUvS2qe
-Hz/XVVOnCXcDShHfYULBpt9geuJc9NGmoSlF8Jjp0h3HxrSTDneatYlrwJaxMCmz
-4AfC2QIwmt8FfX7WvNm5qqEc/7qDLgAVhbFBNPLRUpyhLn2JfMaXM0aPFaPvqwSw
-0reLIpe+L4TXdv68jRq8FPjBzcXBgsW9uV3qJnncE3yHVVv5pIF3ls8V24jl7k+W
-wf0vdbHFomPbFRWosabwlG00O23X1TCdqytDNal7iHCzPQARAQABiQIfBBgBAgAJ
-BQJUrwUqAhsMAAoJECYQG2L2k3bOL/4QAJHiGmiO+h7e7G9AUMmZUmiLdcZ0QJhz
-webKbsebI5qGF6x4sqsT5FuVEFs4HYEaXCP/Mk92xBpt/5/9h1uKqrxToiIsL7EY
-dDtTQM9dlLACPTinbz/JRXG13aH19IAQcpc2mVwKNSR4qPnPLUJmBIrGdUGNh7dm
-zmnTrziM8U35DcnEf6Dj1GzIK3wfj+p4DFp0YWXr5dNGmxU63e/RJXOA6fZet4ZU
-ON6BhooEEGiZHxQ3sL43VLEKUaGbOkFBHq4+I1zec7VM++SkW+7zjNWvspvk3Tab
-tPDAf4OEtl84jHQpC863AzehOcXT+60THTC+K/1/u7C2B3yPUO1gIArHFkBrWIu6
-ePUj5YsqxXDhM3u3EYG4vqUB3b3zbg+1vLx8w+j0/Y0b6UX5GkbfYAVi27SGxg7o
-FaLR+ceFuzybw1xhUVWp795gHf6pX0XZOFRoBUlsSGczCJK+BhJzDm6swEtbSBcT
-eZsfnH1GmBM4X0+730tGs0Z6Va/+rn7KgST+JzztiO6/D3uBeUVC/wOHuMNcI3AP
-e0lSZp3iX57nxedd24TioFyOhXGjExl5Rb7PtntGT2cFrn4hZcxUMaobKZDsGVi9
-pGaT/LvWPauIzY06f+kS/iCdDUHQhrtzEj+vuZF4xY2YYKxbTpicC76LrdW0iVBF
-CS4Bdra3PzODuQENBFSvBtkBCACz7w7u9QK+K1Sbtr5wree+76DNF79X8a3+I9hL
-w+mRJXV3CIn666fzaqI666nQFeUXK5C6x/utoGfqPn9Ki3nXOg5NibHRcwC6yRi1
-vxoFLhsPYZGtHUuReToGpBqRxa6VtwKbiojRIr7EXS+JAwhrEsEpYIO0CymXHFmb
-2p4EPWQB16ukWOO3MRn/Z1ucuF+9LJCwWVEGI0oKyEFQ9QNFRCnqP9gSjU8q0HVZ
-XQWUr7+hNmfkK8ODVnnNW1EHpEZAO2AfBObngSjfT9ETzNzLTsWsgvhDx33o79SZ
-Iim47U6JYjTsfavRjEkXhaJNkTKGC/1RXAjBI3NaISmQFjeBABEBAAGJAkcEKAEK
-ADEFAlTSdNYqHQFrZXkgZGVzdHJveWVkLCByZXBsYWNlZCB3aXRoIG5ldyB2ZXJz
-aW9uAAoJECYQG2L2k3bO58wQAKYDrOJAhpamwad8AcgA98Ary2AWPMLeSKqiV7uv
-3c0JN19owZcsSR5lmknaXH5fCAVaJg4x2RlO1iFGwRBekS2gX781er/evNktWBvA
-EHX9dZjbuc/78k6Pl9XpbBCljbGtClLi/gM7k/tgGEwyqr+Pg+dXBFhGbgknumjh
-0XJ+cc+1Hiq/pgzx+/m1blQPACxruh2Dmt9QE/SfkvxseGNcCVVppWM2JvZAQI6B
-YVGUiKDOcO1bgdaISzp47/2ShJJ2RNQzKMQ2pAPjtTUbTfq3VxkJCi3pzkkoKVkZ
-hgduh/tKA6RMqPYCXuRimB1QEixfRWwBGlAPbgCmXtaFR8FcFWtSMFs2w2zibxe0
-cWRLAAUfqkMEUPJA8aUZzsBaM0o4Qlz7+ZX6Vp8/av4nfjfgZVQyrwmedGcgCj3X
-uYTdiGLLhjYA7XyH8uiKyVjCXRc2j8GcTtKfa0DTFMvdMwPtt39IEv9Fs4m2xlIq
-hg9rIUydgIv1+iiJOUF5iqoF8tMUko2moqEoCe3cc8+w8BsTncjKiN6nbng77vIk
-zRO101YJN6Kw1bPvGeFu8MapXNq3/fKM1CGJBx7G/dI545CHsc7Cd4YWX5LF7+6Q
-Fc2jTAceFG81OEoYD6O1YHXDcwEcTQYrLO3iPSHBLW7qAeCkhVH7BmHjXyQYuyZH
-sH0fiQM+BBgBAgAJBQJUrwbZAhsCASkJECYQG2L2k3bOwF0gBBkBAgAGBQJUrwbZ
-AAoJEJG05d4bZCmnqnoH/24cH0moIvRY+KPhEkSEn/9BTTd0ugm6wxNi2MyS9bWS
-wGaUkk31OG6I4unGauca7qMbbhHqn0G+ibWT4IHyU7En8ROyXbLXs4ySzk9Tja48
-g3qaFWeqTZVpMzhqewM8R3cZxvucYPxriDFdZjWHmdi/qCTd+s8RPCOQ8fW04VH/
-U/Eeoon9soQE+8s/MeA9fyyrBMI/AXIiiEHP3dpAiWLJsMKZoHSmAvIonolan8BW
-4NRH4SqO7jvoj05Ac8snkHVTO/BxHanZ0kEUsytABs0L4XEI30w5ctC+XAVyTFoR
-UjPp9UY8lGRIN2E8cn51klNAaQIrNje71Db6PqLos4ExURAAqtjFVU+Cr2vUwVfk
-Fp58c136MDmxv1sjNczDQ6ujyOV9cwMI5t0ibAw7T/JxkqfLltX8uZc6hPaBFQNW
-aJNgHNjKooTYSkrrBJS/nkv9zt9ORhjzEOETa0pMCEaKW+WtNCWcomOxJkhq1PTn
-V+17ZLLZ4iF4w4ApWW9lzEtVjr3bUibHGuSjB4gchHj0maMIbmVuOtNWqgWi3lVS
-wgD6Wh9ZEPvgdl+H3Ue1TmuI+ZIoy+2PMHntrJAy7Q6OOu9KbsLl3aDslxKNxNGO
-yv550QclwIhabZhMnXMzwvMC5RBNF5Yb05+RK6ZI1aATdTISCHfs1MKuS1gNSBGP
-Sr9TnT3TxmLkLb9g5+ytu58BmzQ5M2lalc75ii4WE5vDD241cGCflPFsFY+ODZBR
-9u0fqaqyUSopELgNFYXn/5dqWtpC/lANuLgLai93ATPcY5K8mB8pe9yXut9lO59W
-EPLwHnPt7BEpzTlm6vTfWzICn3sLDX814DRGqlxi02LSTq4TuLSRfDeGQWPJ8xEu
-gSTjinhyilCcTSBjkZVPzHpfNgrRbMZ6XRKItHk5+2m1XQuqFRChw9k/zuksrw2E
-BeD+8hExpr2k4H8kzD9iIDX7+JgafRi2zYwWHtGpkelerPQv/K3aEYxopWPzj9zJ
-wcu1OS+DX6R3v4p6iiF3vtKudJe5AQ0EVK8HqAEIAJTaC3AINpl8qDPK9qSq5zV+
-lfeVA9D0O3BqCA+iqZneW3c7mi7T7A2da+KpRGanywOJtibB2TF/jWrNrbltpbhO
-JAvsou0/edeZQ0xpTAYRt/gURgRLGvRveaY/EE/zyWAmLqz1FYJUoYcyAvGRl3Yi
-AgbeDBMsrCUpJF5S77sxg03/QEjpO6jicfFdSC7HvYwfC/KLOU3nckWKkElFJG1G
-/X0+cww3H2yl7smZ/a/rs4nolcPOl9pvtZPqSuyzW3Z3JBktaeVZPGMrxqtCOgQ4
-HCXhWSNdtuilO3r5Ojwt1mJLf1VAFm8oOB8/AZUeKDGNFJJl9VjIX6UAOhdYkEUA
-EQEAAYkCHwQYAQIACQUCVK8HqAIbIAAKCRAmEBti9pN2znd7EACmlHur1eB5p7Tm
-sOn8cHN7/3vbXqaGJab4q3i0Yg+0ZTmq3AmvjFnT9tsE1FxkSHM7cvtg9jSIZ4J2
-aqQu50x+heypV12VSMpSVMoI58YoX6IIj2vAxBjbNsUvpXemOzisYPdpCd4z9h+0
-C6b6vd3r1cWnE4SQoD0+QDJh0eXPSmESdF7DJPmKz/BvRJzJQW+XdV0+w+6+Dxex
-W3gFkqM5mix6BTDs4NoVqWgXHNDuoM/26RODm9FaI3tueFfszRxGq8X6DHFTWr0Z
-dHvZoDudz/LNNOXU/jsajcB0dBmbB3f2P3EjOlxsoau8bq145iltr97RmnHDqdPK
-du7uNcelXn6Qct63dyizFzvZh7LejXHslikupKe4pXccCCpc8HtQ6OoUNGXdVyWO
-0WgMKJ53NGLKxtiRpQrr+7D9YAXEi7KsfwDxcH1AIupVKgHAfs9NF06KOr5tYYi7
-JhaCAxlGZ5uz0AX/h0caLdrCoLQZ9deV8dRhXe1d1pVzuMc9e40RI0y+z/B/q+DJ
-23I23Q5kE6zuBfhJrgCUUj76cEU3PugDBlDkjAyjfgEkKGsyz0QohGYCwQq/aKEX
-eAJ+NrfkD9Jv1jWOafk0UEX7KyWLsCbnlfSkVY7QIYDPNgwwKC5dQD9EIYWyQb6u
-QnWuUai52+ANTEFuDj8tmeiwvTienIkCRwQoAQoAMQUCVNJ07iodAWtleSBkZXN0
-cm95ZWQsIHJlcGxhY2VkIHdpdGggbmV3IHZlcnNpb24ACgkQJhAbYvaTds66/w/7
-BcpolgxUGKvdObzd1bfM7uCXgahvwIOY6PAi3b2yFElRlkWNnUUSRq4ZcZnqcMF+
-eOWkKkomsTHD5z64vH0jBZxTVis6vMSAuWgmjOcWZzfDU9lecPtj/72cXOf912vZ
-0Jarlwfb+e48wCFtSyZWKr1OyC2yWZctu7K9r9SToKIKs4BM+DQMQksFKDTOjmT1
-5yORHoCDboliqSI7hrSEKCnlJmtWATitVmm8X3th87tf0vpZgMGbaoOxwl9/DcD7
-gBcRJQAur8d0AFfOfitU1oz56AR7O8G8b/B2RFHsKs0oo7S2Gv8i4sjFVK9AJt9c
-obIBYCi0F8IcZyv4N8U8lOf5/Y4GTBMIOJtxSHqFxerQ8mL14+0SubgRki77eUeN
-JFjYlJPKZdS/iLZq01Mp4/+oNcLi62FpBD0z0pcioGaI08erLAIgzDlR48aVsVZ4
-ZwJFzpSzLnHEz8aFxEIvbFzvAcq20e6ZlUtPrFzQerV27ZZQbDwaGD0/snTihi6k
-of9URScnbN0D7PLM8KLK9sKOUzKwjHCIl6WJ/+J+ITOtToTy1dDo2JkKMRxNHLYv
-KZ7RaQ3liTLw2HjdXwLtmWYomBP/uAghnvnJmLztlylmTEB8C72nbPKAhqk6XonZ
-+sCKbDbFTYOpYnyhXEarlYfest+hj1vibh3nkxrjeO+5AQ0EVNJ1IgEIAJwynfBE
-7wL03nQdEmO/D3ZaPnOT8jFORIXrjXsxuCxScYoIsSLqPWVuU5ddXTtBKZ8g95Cr
-CciHP/haERbkp52XhfKycB3AfNfm0CJH3pOa3PmWv6OsCfOMjM3asFOTqHNTK1XZ
-P9031Ostbhmj0np71FJKNO0rlVDizgbrHif6Hc/BNpUbdoidRy3G0V4vqUf/AyyJ
-uFPjy2CCmCq8QzQZZ9ppQe8FiCzes+3InGhNx82afdtLKnkhn5dLXV+c+8CONhGX
-H6hEVpqzXctP5s15kV/6qIU7suyNOm8K7+2rBojS7wH7z+sJ7EZy24aNNxZauBHn
-db3nXK9GT7cmgcUAEQEAAYkDPgQYAQoACQUCVNJ1IgIbAgEpCRAmEBti9pN2zsBd
-IAQZAQoABgUCVNJ1IgAKCRBqF2OKoEUM9e+4CACKtQ+EJkf2auqHlbGMx/+fq9EN
-CTOX/iSg9WvTrTzZFeGdweslgQOr1SBgVtRgekK1ffXX8VwM6mL7A7g2j7TXLFzW
-yu4kCrd+ZZVqvhvT5H4/cK0axKPq738FgyTJ6eQtjPYbnDwnN2iwlBOVF9rizi7T
-zqA/RrfZr+/pzoHRWXgDZ43x9bFM7IGDnJilV+yjnFeO/Z5DU9TV3qiJnpF5pExR
-ZliBNP80PTISkmnvhdH1eQIL+lIr0XOdTH7P6PWs1mpexwf+bttBQT1fonmV87Ep
-xtOZL15JnXBjmkqzD+fmdFOx36NWLZDYTHltm+HSJmS3wmVG+tkOyuCwqFvntQIP
-/2AG8xgVX5ZE77BAIsC9LW42qqRjHAFjFoOopTZ6htkb3eBkxsuujzGNJ2Dlcu9+
-KO58skhcuCF21B/elXqWtBuicw5IokUVYXd1T3xBSvKjWUWF3NlvKIUFfLEFP8EV
-qThD+5Mw+a5usIXNId6jXi2143Ig30u/OZgIx8FVjzs2Lj5cWixNBmkHTDGD55+t
-op3AIHnYyfcF3p2LoKLX22KH1+uSJdNcAlIb/m9Qrknd1pcBEJ4mu8ZP6PxVXUaA
-vsehhR3haY8s7EfUCVXZlA3Q3S8r7VTg/pDB67FhaJcc6rVXlKHdPtW8rzKI010J
-625omSYA7N+HlTGDL+E0DzYapkLleDHcwkvppl52yY8S/GNpwEVIeInw3iR+jPKh
-EKlhhx05HIDwBRBDOZDURZMmBRZZTXx0Ykp0QerjDAi17YJk8mpm6KNkZt0dWODg
-qNsK8haBoiKK3pEMeGub8QsONSwxx65vlxlCBWYtZ+gJh3aBnB6tDovZ6ytfZ1Mi
-bvZqOcOBFNzrPBNldVfdsiMfZzTtGbqUQV4qiqdYmg95xkFq0upinBvr5sBI8qln
-q+4vdZosivEt8hp6uMzaFKBbX2ktrIk1jUIMwhI6ZjBHBIlaz8HxSOTgNta3r0QO
-7UelMLWZ9w1LJWsaLWNhPXQxIA70WbLb8geMVq7VyuE+uQENBFTSdbQBCACE132Q
-pR7pocJTL+LrdLkXj9Em0fs2yXv1tRS5eW7tVIzc1XITsqjXThn5hzfJ5f33ONqv
-esqeaBakMMaW39I3SZKGHFoLwqaczGfBk4ihnsSmiGoyeMD2F9gTUCGxdT23tlmZ
-SlwDH6rAnXV1JFk3QEh/QmFwjAdDfkzpt8roWOiZRWYHKwC7I1eVC5OEadK+287/
-/RWS1mfieMaOiGIZTZqTDtGaokN3rLB62LygOUQjW20J9j4ZGIaHBvmf6dQ3LwBB
-xumeSsLxGq17VCZID9EPCAoTVPkuKs8ZfrKiLjAbuyZqgTm3oxHqStmJhGlKVn0Q
-a9IRfztb+NF0yqdNABEBAAGJAh8EGAEKAAkFAlTSdbQCGyAACgkQJhAbYvaTds4e
-fw/9Hdd/bHOfZACu0BrGS7dX+/2QmVZ6SP+yxegCQTeu4w0iZ+ohXVx4NUNzoBsg
-JqmnlY9+ulWUKMKQjTHJuC1W/4Md2rYLVMDvDl5xXY1fwkiGwAdjAVVQyJmQCjXL
-tKD50Bm1txiHARKScIuNoFj96c19pA+MUvZoLWXL52PNEKCHdi7mq6Vtu3ae3W4S
-QhFpXAlcm3CrKK52OxMFKTqMkk0r4/P+U5U9tdooElDJVoUIYoLfSr/rqPf7UrUA
-JNyk9AhajaYYgJ+Spw7FrnLoUJXgrQzRCSyDiWK6StHiCrzBej+4Co+m/N3ajqWY
-kZeFtvARPSNDxjFELxT3Jaj855WoR7DV/biAgvu3TwYcav4GYykYuq/hdFFy0Z0P
-QxSAL2Hu2s8f8T8rGjqED4++BeqTabDynKCT5dmRQ/fDw0LTTHeoxfveFKfegc8O
-R/nzYteGj71DBPpdaGTCZGDIYdSy3wb9a+9ezg2vEmP3JKMn1Z7DxP4LNOoL/ySu
-mIQIcrZWxWZSuPsiOm8FUWuvQ4iwzu+ZUC8kzNwQp7MFWPwh+DYHkp8K7m2AdjeJ
-EGPaIlhqTKIUrUEVUxkuTHGMExd/+gp3CIT5v3X08msnKrN4/HRU4x4wyUJqWVIB
-43Pv6Xfqz/1LayeY/PvMbHSSXOeXjl20iDCVxKt5qii8sfCZAg0EUmYFigEQAOeF
-OFMWA6lDAGSAlUU6g/pRDegFlNxFJhPHcDilxCLjLOIhJU6D0T1+HZh4bB4BkA9E
-qt6/FDzaW/mQO/xS+UI6cSH28fiWl8NqCKuIQCRxNzvJSYIkDJHzKDkqbtXTV+9s
-tNYhmKx/kSrADBV2Qhp6fkINjHF9rLu/iMEZfE3B1C7ieww4a5g3dOXQUGVaJ/Qz
-KEZPKGXqsxPaWXIqeUlodsKgCyle83VFda2qj9satyibcV82Z/dsP/wrELnwOYEu
-eGcN5q7q2iFI/yHfGvzoLF1hvVfPwTkhFWZmij80szRsbWEeSJREeImqjfpGgxqs
-USEJ/KgfC/3wfO55ZXVXDxlZxkcy4ciyRP/94jadxSfcHNPei7d5LHotmhLg10q1
-QqpTJPzYcNdj1xSAu50MD93ZhSLkHLZi+AZcVE6YqO2o5ONSq7mTQFMA6N9fn8hU
-ED7PbpdgmAjTVtaK8Pk8ji2G0l3zydfbx6+7pLA3R6/93VNPv6sazRYyKh9Yuel7
-4rXbzsm5D5alWF/39R9xxFsvmthflNCnFh0zMm/LVPEeKfMT6MRwSRjQdUGE62v9
-xrnolWI6UBCL0CDjtJuwMrUKDwHaE7gygRW6mQEX3ZEdERDX5GGcLxwdfki8T0Jv
-i1g/cNvJ39lRZC61tusKhos/DO7qfrzIjgm9AKOdABEBAAG0G1BoaWwgUGVubm9j
-ayA8cGRwQGV4aW0ub3JnPokCWAQTAQIAQgUCUmYKXAIbAwQLCQgHBRUKCQgLBBYD
-AgECHgECF4AiGGhrcDovL2hhLnBvb2wuc2tzLWtleXNlcnZlcnMubmV0LwAKCRBN
-HpAOFMHMBL2BD/4kqg1vkxbZmlIVCjPS/YYhsAzd445elkpvx56S66HOJwEK3h5g
-tJvuSBuIXQgfvfeqwWf4w1tFja5GiBTpRd0SSq3ZT2OOXOYpNrAnFDyRy13B7Pmd
-Cz1ibZtM/7W75SXWVL0bkuSzxTYO7v2VJ4XjEsZmBhj6i3JKidmR31a5gf1WBtky
-Eun9WV+KaQSKjaxbPlK+wTvWdXpClVNOR6izFGbxATowWQmZR1do8yLh64WPf0Ia
-/yg88cM7ZnnGKa6X9Tgr8vgJ4LyUgNmCPIX4eQKQ4PVTGB9M7hEobutQicvBceHB
-AMJI79GXzker9n17E7Fyo2uJzjIdWoKyCYqp1ASu4oBuk+LxnEW6nv2A48YnZSr5
-kF/6SRM9PVykWoEKIrj/GEHzo9dpgeg8EBrjQpJ76GyTqy/KJwRUxRw1M8wrSeGX
-X1tEJbRgbXih2k1zLjQVCq9rrNTf2nX30PEcMEoLiO9mbLYkDqIvhGAfcwjoB302
-oPuPlLfCnI//3HnhbBs1lZryLjjoWzMBbHK8E3HLruN6uvYxtnKY7rF7hsFJLB6j
-6kgeC8Li9ZjmID40/0vvyamUs6jsvIiS+1mDvCCYhOX/7G/19bl8gcOCCbDh9tC5
-bGSf0KpHu1EqaV7I+ny25g7TFX8AaPtuu2AmUi4P4JC1crBDESuigUBv07QcUGhp
-bCBQZW5ub2NrIDxwZHBAZ251cGcubmV0PokCWAQTAQIAQgUCUv0tJQIbAwQLCQgH
-BRUKCQgLBBYDAgECHgECF4AiGGhrcDovL2hhLnBvb2wuc2tzLWtleXNlcnZlcnMu
-bmV0LwAKCRBNHpAOFMHMBLNyEAConhqhQTA1q0tQ0b5NEAellt7aae2m1rtLC74T
-PArVMU5SZqcFdbhiRKo0s1QlI4V+SNZShkNH79pk7ltjx4B7Qy2H0WTjygNNULM3
-X2AalDxs0j3vPdi3TCm0ebLO04WNUbyPr1972mHjqaCE2JgTrEr5ZUebg7/7CsYV
-dtO3T1i3KAy5J0ODg65wqcf++TJs5YGJhQD6Xu5T6glndBxK+5ChHJ39Mz4GlCLr
-Wa87YKgQfyupZRNx3H7TMp9jbjFcpIXar8wFPvX+3K8eLmr03tMbCA62biuULrl0
-k54ZE9R/E0faqMAXydPSPc95B6BxxSeONoicFuwocESyJUKLo60FR42F671OBud2
-WqEGhjxO2/tIymPLUJEdESq1pKCqaq+dIZwVf/H99wPKFEvBhzzFvtdgkGIKsvAE
-LFK8dmRSaLzU51CLmjwzVodiKNLxAV4ma6Kp6V0lCGcqKXGZwkqO0+DUJ0//ZTRN
-ARcS5MQqV7rPVkS5ejqZTBU0xPOiWCkpvfzgmVZaw/9B+eb7uR9OBLxUiHo/rtDY
-uwhRkX+JtwvWBkZur0zpHwIeJn/nkvV47PdUgPuwIn1ZhlQWwAj5ryhNUaAsQYlV
-POUELHjsJSy/MpHUKbs3Zz/MoYHEQgB2TEf97/lS6H4LDGFOi11t49d7Xi7F5DMc
-L+fqd7QfUGhpbCBQZW5ub2NrIDxwZHBAc3BvZGh1aXMub3JnPokCWAQTAQIAQgUC
-UmYJ5AIbAwQLCQgHBRUKCQgLBBYDAgECHgECF4AiGGhrcDovL2hhLnBvb2wuc2tz
-LWtleXNlcnZlcnMubmV0LwAKCRBNHpAOFMHMBIaED/4v+2yqYRS87QasQ945CE5H
-eeTU2oKbqnZBgeK5FlPmHC0fWFBA8/iJsLB+TwfZ5pNlnYbowX01ixa9usW9qGDh
-nHAxnHeI8lRheZ36rNnbXMiHXE9fEzrWcTkgIy4iB5vlV1KBQ5UrQFcxGlexdLqq
-CENaSPxHYohusrBPBbk6V0KxNVonCACOdXL2ECPZcjA2TIFDjn9bAFO/DFh0pJuZ
-TVqzBlazqDxzL/YTwMGimKiy1SeQFoIZGbQNdYoXyG2TRCuQYX/qGCXAbbvym0eU
-TqQfzHQ4f0zXxeu5ZVZaspRUTSZiydXG+/4HEDeSICMtRXWl4aPXRG19u4A4lLob
-g6Ty2+Hez2RsvAtCwmgt0DQfqKDKnLdubFtM0LtmfPPQ/4vx9dfcO8jzcG1ZGWHL
-DjJoOscUBY/kheaA6Vi+68GZVfQPh8/qLDPU0PZ6/6PLtvm/XFsJjuBIwG2fy8QD
-UaE0O5zKGbcEnKQPTEF4cjLuusz5Kp3iu25VwmUEQNcFLKhUEI2bQ3r43wADJNHw
-GPY5olkHSflyhv5fWsZCL24H2WuQMmlEq/a+53hYD+WFu0w9sVE01wSZInNdCen0
-K5dhP9StLShPHFDlFxazGssV1LDRX0FGlyfw7LcW8vPSBFmq2/csH455QXqzFgJ3
-waeojCbZQn5zX9AI+XRsMrQnUGhpbCBQZW5ub2NrIDxwaGlsLnBlbm5vY2tAZ2xv
-Ym5peC5vcmc+iQJYBBMBAgBCBQJSZgnCAhsDBAsJCAcFFQoJCAsEFgMCAQIeAQIX
-gCIYaGtwOi8vaGEucG9vbC5za3Mta2V5c2VydmVycy5uZXQvAAoJEE0ekA4UwcwE
-nQ4P/jB+mcHiWC4qEhIfXln15ydho9j1BNAGCx3u/axC8Lu1Ykzq5MfMyTYbpiiL
-I4Wq2w1eXp6N2e9cif25nVo9yVISTxdd1wzZzehedbjz85rjtCUMRgYsQh4N52PH
-nYYlkk5ctjdvrENUJ17J7v92hogDY0qXhGply0pI9LeH6g//OyrcysHAVqbIgr/B
-yjYKgaOHRvzxdYB34Djw253NQkyqA7kio6SPegHhSVlfJceNFDuf+lJ4wXyB0wlU
-TIGFnJfE4Gl5bqOhKMLOqGr9BhUoGMj/wEKjh2Mcb9aHQy1p97IiODgj+J/mloqg
-9VDfC3+I/dh3E842rApu5aLrFn8nPjyz9LRcpBwPHPIjOibGeNMlLDW3VeEPNo4+
-/e/TU9O1fJJxioqKyytSnOs2ACwzVMH2EobfkhaSBe9VhmX2SB8TFErGc2JhQteC
-G6ueXCVqGPIcFsD1IQvUVFgxkS2IMld8vEXGZTK2jLWjJ+WH81Thij6MEoqGmtjz
-Siddr1uKNsxKp7XOioIG8r4ZEVDPvTiUiSp7dbQqVEXtI4NOIKheIqtURJ21t4Ww
-vMrIpJT1aZBrMhCIdn2xTl5NZyD7mfKnZfbdCsQxo501D6R4Flq3il0fPxsCPy6G
-T04rpaMFlE0VY4B35bGwikKy+tHIqouYFtyp+kHbDDW8nDE3tChQaGlsIFBlbm5v
-Y2sgPHBoaWwucGVubm9ja0BzcG9kaHVpcy5vcmc+iQJbBBMBAgBFAhsDBAsJCAcF
-FQoJCAsEFgMCAQIeAQIXgCIYaGtwOi8vaGEucG9vbC5za3Mta2V5c2VydmVycy5u
-ZXQvBQJSZgrxAhkBAAoJEE0ekA4UwcwEWhgP/1JmfyfHoIsCJEBXhSKb2YxcEuzu
-z6R/KhBvqyCFByjjmqh5P7SWsoTRUN1ntetQVRUGe8fK1vPcmnTjI5UVwYchNwVR
-Pr7WS66zD0Vie2UQROQB+XE3V0jgewojoSkw+fEXkLJi3q1AbHnFg0AtlxhfMl8P
-KXYzjgJJ/ZwHh+cAiRMNjy9MOK/bQlyDY6iTG9DUP0/Zny7FAq6+oyiuP1TT163L
-knFbVaEH/UdhbewQLs5GXufJ0R8TGP3VaSCiSk33kqOe4qvwFxkDN+7ioXR2A60y
-RAZNOsDd4KOxdwhUm8mNIWHne6WjFxGznrPv/VKRxUwwDV0clf7DZYvPJ0xCFLTx
-xC/9x1oKwpDB6fmqkA7DJ1GHJuKXM4O7EjVQ3SJPacU01tr2qC2BodYJG6PvzE2+
-FzGndtwQfb+eBYrEQ12Apd6rADrFnbAyd+FH6uwRxWCPweMCyUZpCF9ZQhjd20O1
-fDOSUhaHQUDa7NLcZA3Pzka0S4Rjkj4NPJd7r3ckXIwSgp3vwPBe9yUt/PZ09WbI
-YGYFy1z9kml2uycdsaY4WMQiA0unkpbkQN/WaraZltNTrfs5a47b/LWYeBe97n8P
-dczXAC3jSrj/wOJNb4as+bUVJ8U34BeUlJo0UCJPBINdRcKSiakjfGa8WAYEgbZl
-P9rRR5hZQvUaS4zytCxQaGlsIFBlbm5vY2sgPHBoaWwucGVubm9ja0BncnVtcHkt
-dHJvbGwub3JnPokCWAQTAQIAQgUCUmYKUAIbAwQLCQgHBRUKCQgLBBYDAgECHgEC
-F4AiGGhrcDovL2hhLnBvb2wuc2tzLWtleXNlcnZlcnMubmV0LwAKCRBNHpAOFMHM
-BFksD/4k7P55N/ZHdHuMU59DfQSvk4r6DNrGzZNvjiwpDa9GUdvFw2vXhFsxASFI
-A4i7fmkxVUzfy508+hkP3rZivqltnaie0HRSDhilruiJF8mwSWvJ1yGvmouJvT82
-lUyUqtw79lnEADw3NypRXIRP+oz3N3jZ0s3Wmil+Lj5A2tn7QLIqTcLLtX2YmmSt
-fjc8Kk+tt6gaT+r8pov2JDjU/gG5xtKG0LfPbO12y7+qY7dJFd4gNaXAub1O0qrt
-IWsUyNqxvG98DHD0ub/+NqQdzrzhBfW7QG8hzrSafkc5qvxBR2PwJW2F5RPRwURj
-+JkT1GPHZWFlUK8t6EG9w6kzL7i1xOYkxTjYK+1VFXXMQQRIy6d5a3+7ac2OtS3X
-qvhEBH8XBLdHi/0i3GQ8EAkNC3nB+p8RUrbJQbq7mzeZ5FuHOUbf2Uo9I8FCm0aK
-trVYFiLYh5joYYlXoE2Yo8rB9uMtttyvCcdIm+ewZCIQCF8MuA8PshXaOVwq/k60
-JIIJlo+r9vX0Zgq4hEQUHA3hYkxoXWGAn0TMVZ9TekZSIdhxAIo4VsJzll2Bc51L
-IgH3zJ0FxFBTcGdKU6mDUVhrIiDe29PPQkla3wCbuH9l7W0dgebTqVZX92hbQYgm
-E3h0UcX+vnCFFPm5qpdYs4puNrSgJF8Cn9LDUGFPvUN696wmE7QkUGhpbCBQZW5u
-b2NrIDxwaGlsQHBlbm5vY2stdGVjaC5jb20+iQJYBBMBCABCBQJXqC8TAhsDBAsJ
-CAcFFQoJCAsEFgMCAQIeAQIXgCIYaGtwOi8vaGEucG9vbC5za3Mta2V5c2VydmVy
-cy5uZXQvAAoJEE0ekA4UwcwE6b4P/jUOwdtIiNmAwYNWRJvlGoq7/l+gu8CIo18e
-i35j/r6LFFuwC0+vgEowZHCqLGIBpK6yliIX1S2voguGCpoxkalPdNEb2mcBODNz
-FUVscRqzjPMOD5VY7pipP9JFJJR1FNLKCdy2OCD+lTpQkmaBmKXaGanhJ/wkDZep
-TURn75WhgpDzzdISR9tPygZvKWeE8/Ov+RzL0caOcoR4yuI+dbld1bwz0hem4rBe
-XiT8+ZSW5F8OE6MirBMyHU3fHQjHvQ3Iy/UUsMyPxE0iIMmirkKwB//U6vCJTRf/
-2M2/k9h2DZYhsMpDkiFSI1q7jo9/zrEQEeQCX20atAPZJeaO+OLQPdBy8sghA2HD
-8UY+wZ+bfWTfQpUHvWVuPmfLUtFzulcBvE3rwJpNsgu499XZg9GJ2O8ulhOgJRHH
-z/ddaNYvSQXQvJt3woF6ElkJI9kF9MKdvlt3Rm4Lp9dfb7wmpnv5isYBte4MlVJp
-nHCg+ABZJdzm86HP6/LdfWNpZnCX5IHFgtZwdT30aUM55fVMpqCDyfM3zcnBPE5L
-pLabNyWoSYXllDy9J4FkuRkGr55bTijNK6WU47EF5U2+5BeLVbizuJ20DHcwEl5f
-p5IyZBdBmSrlltwtX6Qp1qRfaIeyiTHzx2Bz8LzONEL29swcsQxuRyf4Xovt6EIz
-4VNGqRc3uQINBFJmBYoBEAC6C/l0gjpwGcO+6BV0YP/eYSF8XxQ7BcEj+ooSs18j
-Zeg+9ih1yJyMWqrzXrREpPoIvxSTXgYN9cvc1hXSu0OxqCLjJ9R+wfIpUJyFoaQw
-AvuFfrnbwqUDoa/bSFXoUFxv/M9d9o8brO3ilgBouys3QTDTZuVttK6GQUZDYcgt
-gQsaKGQKvylwqmoldProvcetvNG2nTAnXYtNetF2r58jn/cVXS8t2Wn0wTs+b3WV
-kgnChnODJT9qaaoCFHhygNH6ERp+XlaqW81sNTkjyd+Wq+vXMvFzyk7i6ezplnYG
-vhEE1hPxYRDZEc9dEROgI95k0RzYXQvSahqoCyMS3DybqEPJJh2mxJim6UYHD5gc
-cVhTb7j3WfWoyMRZeEzb5bSesnkzrb4kRz6ZYvYF0EyvcWC7mSOtnIkQDjO/FfMo
-fRgtolBchHc1AOjBGVjRn39YhCDijo5cB5z+nhyK5BNSOQAtyrGOU+8mNSVDw4TW
-WjH2ZDJRnbE4NwSpDzVRbBEEPGILjIoPaPQ11IObjYHY8WQ+dxb+9e45WGjv2KlD
-S3UF3ABeLkjSYyPTTuH83gykU12gr60MrUQExdbG46mGjfTs/GOgzlItkEuQc4xZ
-kjk53jl1s1RjjFo+LxLpAYu1D0KpiclhNqWPbp6I9amEF5AeIWgDDOI46yC2Rtkb
-0wARAQABiQIfBBgBAgAJBQJSZgWKAhsMAAoJEE0ekA4UwcwEfrgP/1E7HYaMcyDT
-RbEy8GJt+grN+m07wLO4bnES2VzVN9X1ymWP407upZt7vy8LUN7d7AEXCMJ8KffH
-IhTN+tMbx/+xMqNhSVG5AYTlPfdaumL8jR7WvZXh6nRXZNbeGqofH36zlAbV1NiT
-SWBMxQZ6MbkW3z6QXvad/MTQFlcFouGlFHmvGdtSIBdg0e25Y+mrwXnyN1OgLJLg
-L1CzmSae944LSA8fi1EA/R+vwgJNkQPTWbuiFNKvH/UwOUXJ+JxKG/CamPT3Lgzw
-VoW6bKqDPsgWz2gSGBmN1Umb86n+xV7fu39BfWaEfpoY5g2dq+CLFYgxzymKOxj8
-oIBfy/2VZuX2Aj8Gzh8q/Q2b0iqlrLzfXViHLD7LTzHn0G/xOks2qkwvm90wM32m
-2qkniAGimeYD0MFpbL9cD0fRAhLkMsF4t1EUTIzSdZKouKF7DMI9eJe9RbqCcOiw
-6V9h456hwqFd7Z5fi3/SbHNS8weP004DUcVhSwNsAbMDCxSDlv/QNOmGc2QDRGiP
-QrWIhq1fVj1YfWq6dfkOvwI1qvgg8b9GybIasL5YuC0xW/GHPwo54xiFcGBoWkjh
-QwxzJFDCAlO80ugGRpgEqPis6Q7gAWYjQxHuvEtgCtUcWOmlIZDyxDbcvlP2VPt6
-mUjOkYtwOLN6xiYi7OGBxwcJU02OmG+NiQIlBBgBAgAPAhsMBQJXwTGaBQkF0dMQ
-AAoJEE0ekA4UwcwEg9AP/2QqpW7xqcuU4RQzCEJQhg+iiSx1AhFZyP/+rMMuPDvk
-CGXtEepUz67AcdWEHLKXOnQJjiFJ70jgBNtD1A+EU+kUMuWZt8QjFXyx5g0ua+nz
-oTXGjCx95uDeVz8UmmjtEf3WqwgdOeB5ezcLCbNpcotYHj7lx3eHnIbC+Tv/GQf6
-YFS+OWS1SmNkJ8XlYoDSQwx3rjcyx5Oa07fS3a7+nsYCyHjepVRt7BPI+567+bEp
-FIcmx+BEYp3XSHUsXzp31o2aVgndLaJdbi79TN8cL+v7QwKTGdrE0PQx4moT3ww8
-jR4gAPB+xKYHg3ArE5LeRTxvq+UAj8CrC35gtaiLSnAoYtfqS3hsqtGfRm8SigPy
-5qObH+9VrHW7f3EZFgPXHGJHig1xl2egq6AbJquG1Hg6+5AmaPIBlea7nDspfPoX
-+c83Vagc/70WN0EKn6dKx+EJ43XQsEqJhUzNE1mgOEwPWz39/I/Emu2ROVD5W0nb
-ZJq/TiIQI/cmKGmxkyjk5iF0y2se58tqMclXLyUfdmZyfLeDT7tcl3FoGghosiby
-Nze5rGPjl7qpEOAqK14HxpTCTtenrmPhebYTAL4qOByQB6DdbZOST8MRPBq84Vo8
-c1O8Rq74o2KIbAaotUHe0XlxFY7d4zwiWiWxIoOfbeD0JaQcYK/TBwBx8btmDFhm
-uDMEV8EwcRYJKwYBBAHaRw8BAQdAJf5CtBXUXVqiGpt1xQ4NlzBtqamtSgshdXad
-LIuJLHaJAn8EGAEIAAkFAlfBMHECGwIAagkQTR6QDhTBzARfIAQZFggABgUCV8Ew
-cQAKCRBREE5mjdBEgfmhAQCkv6N3THjDjvp6VDcXQzTTY1d3sUqi7L1qB4Ez6gdL
-iQD/bygVdVyoOtrP1/lsWfBfbjTsIMsprPUyneOKO9Gnogep/RAAkZflNkOvoJ0R
-Fjlw5MKzvTLTaraxU43p3GJwT5QDE4vWeql5/YWI6hu7h744AZhmeCbyg1AE01cD
-oRNz5SD7NRU/mnczCSkUALnYZYX3Ko6M5pm5DHVBmhbD9aFtraLH6tlJKLXM9rGs
-vyJCl7Tgy3cgXCYuXFiFPZn24MX+Wi1E5Nbk8hxaa3bIdht0vRdisan3n0OYo0aW
-muBMFtZN67BpBTD9I6Tw6Lzeq/7xh1k3K5rEvPeqHRVLHH29CcYxuyUOmLb6Fc65
-Mm4xWztS0+2wWBk85AhZ00Lf2i2WkdATrPx7NGWw5fssV/7UIU+Q+NuquzQPh84S
-v7KKWjQOP3mLGcJ7WU4PKR4STBAThd2WsgaMs52LTtD+IwtMZAMvTc9Ws1e3VqTy
-lMkjtJlGxC6Uvf5OpvnYfKcENu6LBLKOp0IYBn+hEKFatbq12Dduiz1iKK8+AizA
-J+vLS1zdYanbKAJtYW+AdmbFTyfC6ytONyIiHpvXHAb/B5vH+UE8yIrJEL4XXAup
-0kEOjts26jcbPxbvfe8FHD4NZIM8F5tbuST+TckfSNfUwJ2/7M7nC66vwN2oMsuV
-faZk5NFlUlwaDiNDgQnb1qQm/ltLBrVsVFc3Qra41IZu18etxsOaDRpTmyW/i+2z
-F5QWE4RzEccLAJ+BPLdIQX5xKVZYhsy4OARXwTClEgorBgEEAZdVAQUBAQdAt3Vx
-YCdOrV+5P3o39foPJbUE97JkCZsH/SLX7d4WK3UDAQgHiQIlBBgBCAAPBQJXwTCl
-AhsMBQkFo5qAAAoJEE0ekA4UwcwE5q4QAN/5x/N/8gldfGwarLCLrtHywZy0JMwJ
-ZcZjT0z5mBBTwNsP1Ib2k9tGqAeqR92IYuAEJI7UYNJ8aEMbDDbfOtuhecQupfXH
-yAahLrKSaCXj49m/nwBQGDESDSbaOU/j9YSwwrG2vFZESwhTUdhJha+Uple3vtj3
-H7JH+CvdCucjOTWSpdl0nf/64wPHbos+SfeS862UjLJnS6kq4GA+T8Wyh5ttYzho
-bdNZSRh1aU5clQNFLhe+O8GWTY81AI/t3wT0WLsavhUa3CqVPJM6vzHBT46weyim
-P0qoHRpo1sfJ2A4/YGc/+r8cwDimHpG9mIr2G3nx1Z8FhXxjQN4k1QFpMJ8LyHrO
-LS1oIpmNmwWzVDXuRQoerXXqOO61qEaorQi0buR6Y3uT0+DhnGmbXYvy07IaLlyk
-fAE6/CCUkIo5BNBBm0spChAud3Hhr95uLmey0JvEGXd4kjU+6QCnY0pI//2Px3Bm
-2V9d1o1+31dr8cbh5RkhbT9qrg+5QIOeWG3SsOQqKhOaK1l5VpdlpSMoE1OJxUOT
-TsA5RcDWlbSC6hQR+8AnUpGnB9eZDtTsAVzzcJfiphoQhCb0tyjgyeioSSPyA2SW
-/Xe8lk9swoG5eK2PI5rKQ+Av/f7vZgG3qMX9F7Ywl/Cewje6cXFaeMbOWzkrNGRN
-6Y7KlqQSpY4luQINBFfBMcwBEAC6AUNasY9Ibw9B064L2U4uflZq3N41ZUKEcrhA
-JZbDhPlKYqLPN0xwJrbUGFCkkTZF/5jsy/2YKir1ywjNPuvrIgqRwuyouTeJOLQX
-dAlbZHajVR8ljbQehdVxMJ2nPYHyuwRAQTjtYceMC2DFe/YrdWKa9p2x7z9hD7sx
-g3HrzXXtAj0Cp/F5fokQg5xnqGqUyEjV7AHajljsap0bOZpJLkXDhDYsgMtObWgt
-yZHKfmpKv3XdFgHUpxu+XX8hw6Q9FIS28DEOVRFCzGsY6tqRUMfBSnUvj+x3pF/g
-XNMH1HJF7u4nQ5nulhlyyDupXQ5BNIF0o1bEKMOLHc0TZ7wgJnPvZXFB27dE/U5j
-W839cu0e5eVGrJz21AwnwIUSDkVG+qIGjRIVys4ce65kgjCOJkL7yRJD5YCWW7hj
-T3/JU3l3lAQVwS6bR4Qi6Qsl0eKmhsjqkT7N3KDXbCSqmAp9b994bxYOeNyotFtQ
-APCmUVFykQYDMJTUdm0iZX40q8p7T+OhkWtmuL5xGpP9KU6IOWHRxgcRN7cVNOoo
-igE9mqwiTl236kxY7NQLilF5dzNbExtFSKf2h2aXyU+CpYE2aa6FTetMUxZnI2+o
-B1hGmVGoGBzdlhdXjrn9uZdiLOumSaWZ1mt/EMNJVT6aPIPSASkXx1Se7g8pCCW1
-K2OtgQARAQABiQIlBBgBCAAPBQJXwTHMAhsMBQkFo5qAAAoJEE0ekA4UwcwEBqUP
-/jLOHwYJeaJsgsi5I2v4HPUR0kZZNrAeraW66O+zkHyPehiU2dc4KeuWAP1YZ04c
-jUyusCN9QLSx4zbaZHPJjqStLQqsanYZ9qdeAVLgxp3A3ZFAt/19DlSMIf0cWmg2
-VY9md4Ex0rTfv50cGnaB8CLpEaKwwJJVkSG3YfqgBb/1rjWj7KubM4k3QNQ2UwG4
-ABs+mZ0f7VYpd9hQkRza8IcOQ/xpGIoNlweWqOrMm9Xk1XN3LQ2SUG5pPs56FHGW
-/Q4jN0zqCGVPv68T+ij50w//JOfrL98x+QOkTYHhFBUDsqmysBO7deBeQ772Rr3w
-qLVqmVyVovhSWn+r6QLX+OD80o2I7bJKAgxK4A2blBcjIA6zK7rKlh5zitACRs3B
-vmGYenCxF55n5BTY4osVE/8iG6c3i7NLZFRtsYwaA9TCYZxOUIW8cfZi2PyfMw0A
-mndldZ5SauaACfEdcIe7LE4Qu6vUz1qEr0DCG1+VetK0NKePSXMg/VV3RTi4mUOX
-mv/pSrJxDSQMPA3y6QdXqUtQl25nM6KzgcOpGah8UOdyDZccK6B3zlq1ngKE9U19
-e/FgZamUn49hqKNu6QhQ+2pgiehgRJ1Nmo6iyf+0O12kwTHWhXsb7ZbfA86OHlPu
-EjFDDW4kXkOSE3SRTP9GY5w7HVY1qUWy+2/FeYyW4syGuQINBFfD2hsBEACqLMDp
-uA+/9VWscimKTs7+k0BiuxfPwNJAYYznAVNFt+GE464v6YJNXpKt07BRzDpuivaD
-PobqtFXc2nvBHcCUOP6QTUP89rOC/bw039B+KRaPlQJTGbPKL/kqIXiK5ihjgSXd
-HDCmzNFHuec07pWgBMI+LYfZpKIHGsFVynIL53mmhxavGTCSzJrBd6pyhoeCzMsI
-ZAq6pZ0HKjfVWP7B3yBJfazCr2V/HkOmKV/vPJT+oflE4f+PP5tTuvEWE5UXM8VX
-nROMcxaNHLB43Pbh3A5neGgFm74Ha0tfWZHrZYnNCFRGbxp7PnfbKL+tZ8xtyQr1
-pQ+x1y8Bkxj1MgiOj55MmRmjxlVJ+L6zyB5Tw7kqsaBHiSDBWUz6SJz3pFD3X3GP
-D/nkNqhBhSzFM2qxHME3CkK+hU4jOEkcZpHhsjL+pXVudGNHIByDNj9lqP7vswg7
-cnGN7QIPdpBdvgcFg4qZS93LsLJlqhNDtCwd/Ut+QNT6xE51HflZ+3/su9FEjUFK
-ZMEtAu0TDoaf7iV9VyD84wjLWAm1GVXpDh1/WuSUBifMfTyHXyLN2y2Ja5D1mws1
-g2ywzHBW/2e3gUzYSd4JQEWLYld0kZhQ5V/Y9Y19jDpDUUgxkZmb5dnHRaGwmyx2
-7zReKqN5NF2tdeWsUMibZkEQdib0n+WnzuJMYwARAQABiQQ+BBgBCAAJBQJXw9ob
-AhsCAikJEE0ekA4UwcwEwV0gBBkBCAAGBQJXw9obAAoJEBPa2Zx+QVGcxvwP/2aI
-UD60sKExN2fLXj7mMZ/wWlDnCdqvTGD7lrk6r/fAQcaOAgajCMEXOPZXlPBhdQ4j
-xD3FLs52CNZkcwzXMbspz1lfIOk2U1UGhmnAyriY4Uf5cRu2RPR0HYwOBB0xr69S
-IrsmlX4pf1AnulE7CIY/oPBjB2XQRQ7ls8sMqmm+0TxRysaosHGu7Vbez5iKBm3p
-0rEh8TcVkgMivdUPue/ip+mCaDCfGeAiXLXWtiEiwaS3Pq+QzHhZtBvShWlc3k2m
-CFlrGQwovPxY5SqGs6QwifrmnGSSlyaAorDZcQEkZe/HP2/qXKb7uBD3/r8t2OE+
-BZKwJxW2fIpaO+u8k5EXSDzuxRqSNj3wYUI2+WNQzBmAyOZ6XBX4Pz0xZyahtXCz
-J+5deqCnEtJI1HdPSvM7STE6s6BmkhUl8weSAD+7v/HNPWvQXYFoeGFeqvoVOCqB
-7jJZUj+n/eUh9PxsOtwdJlvdoODuQIYyzuSapm6OPnBKg+v7Bp39Ym8j5Nfe3xqg
-+O6CQVH/qx3NoFrKfAaLKGsV++jnf894b23Y/fgu84Myt+Kn8uOrO6jbBwiWLkgn
-0uzmO57bi/6F7aMQwSxcMcAY3DhCoeXkeYq0QRZZd2raPbA5r278wPXWg/U5bHen
-GYX1COWlRehWqXkqR9ZJYY1hTT0/WSAK2ZLCGTK5tDYP/iiHbpeWlZhwgx9Jkfmg
-L+N5XoAW6oJna3tozS+xVM5pxTaTNO24vnQw+XQxkiCFwtf81chd/oXhjWpLg/K1
-vF0AWGomN9yS5dtKtlWZ0H/3KeEGkKf9iRp8j1bVNF6mBhb8Xl+nKLWiqE/uezx6
-OYBFJuj6WpCgbmaRUbmKpX7P++JuOosg0n+BzzJYAIKP4+/FLL35qSpLW+DuWZaX
-bvgS/OgjJUL8AQj8Nwk7ViRyhBRwSAvwpdcwvlAH1VfTHfpQ8a0jjN1Nzf8Tr9Ij
-o8NQnsa+5y6Pmf6l40j4C8HPsMB7SX8ptFig8lnBRPtzEWj54/WtXJwGRG10XW4r
-dQU5hR9Tufc+WFuRfwdLgrhPTnKGyVG9zOkTd9Cl4j58tEsju+m4HNkUN5goouvd
-xHSe/dmA6cQAWf6/nhJ/uSM3aJPSUOtZwPZO7/NzsMgkwZTLXbehm+9xWMkPRt1Q
-T7V5MgfxnxhVoIeoPAEYBo8t0P2GXVMNZdZkJPoViWGOei4iPE3rj6NBynIIoEZN
-DEJ0OQOUe6Naq5AaG/a6wPa9+ITzKY8VR5KMf3XgcKLBlntyyxTgnHY7j5VrhxU3
-+mUrnwg8LIN9Sx4oWDks/SEB7KN3KGjSgczn1k3GIJRF8BhYin5Cuw/+aD16w5gS
-HxUhIgwH2BbM5X8eopbp/csAmQENBFWABsQBCADTFfb9EHGGiDel/iFzU0ag1Ruo
-HfL/09z1y7iQlLynOAQTRRNwCWezmqpDp6zDFOf1Ldp0EdEQtUXva5g2lm3o56o+
-mnXrEQr11uZIcsfGIck7yV/y/17I7ApgXMPg/mcjifOTM9C7+Ptghf3jUhj4ErYM
-FQLelBGEZZifnnAoHLOEAH70DENCI08PfYRRG6lZDB09nPW7vVG8RbRUWjQyxQUW
-wXuq4gQohSFDqF4NE8zDHE/DgPJ/yFy+wFr2ab90DsE7vOYb42y95keKtTBp98/Y
-7/2xbzi8EYrXC+291dwZELMHnYLF5sO/fDcrDdwrde2cbZ+wtpJwtSYPNvVxABEB
-AAG0HkplcmVteSBIYXJyaXMgPGpnaEByZWRoYXQuY29tPokBOAQTAQIAIgUCVYAW
-BgIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQvOWMjOQfMt/0Bwf6Ah3U
-WuUL1L2wChjHXktv0j8oQmL8CD1AUYkg+4NRTkZTm5ngZlNk4ZSJB7sonaEmzs30
-fw9zex8LMtCMnEHQYtFNb6r1M2QfMS8ZUdeaUNmlGHu8UnHqr+aTkQbQsvhs/UaL
-knWlOWqdsM29Z311yGA3BdlGxw/2wej+AtRSazT4dEISP8K8xfnoQmhIVUZ33aMV
-DF70iinmAfWfqUKhgRctrVMLgXxKtYiOeTGXDtm2dnvXTHOO3u0N2skwc6YwOxLj
-1XXwWL6KQJx77/2SqVHDJVeEkMEb9Wr/e/l1PggU+fYxLZ5/HWbGatNmoRFoYNuC
-GlpBL9XOuQK98PcIyrQmSmVyZW15IEhhcnJpcyAobm9uZSkgPGpnaEB3aXptYWls
-Lm9yZz6JATsEEwECACUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJVgBgE
-AhkBAAoJELzljIzkHzLfiIUH/3CjMhhGiA11jVp6MUWLFvr77LhvWuLKMy9YRQt4
-TMOVDSUxPpnc/FeFkgsPjLho/srPHSjNdrmporLjUQA8pCg+KmdEAfThDK0lsgRG
-/PxOi38t4JUpRzQb0NXE48EPTdzNOCqDPgSNXaq+csX6tNTRgF6+s0KW4qiwZJ37
-dG8tZW7SEGGf2kQsp9ck1JBdlv5OkcOFINn+AKuCUEQ6EDphZsNv/iDP7lMUp2T4
-H76IBBlIe/vMhJpuM34E9iAjjsD4xTgnJyhdoBScxzSXltrp8Y1oivOu4ThoBmuU
-/mj7uaVT0ybRAmp2pjFg8CKmUkatm/5hcfV+nm54QreX40a5AQ0EVYAGxAEIAOmE
-sdopOhG5H8TtMd6sGIKMNq3AJoRM4o5NjbNEFClpDfan8XZcgYtLwJzbv6CtlIpD
-plfRk3js74AXIUcXwMf3QhdkWklHdFvzOBdPyOctfTwMzfV4QJkedHMWEaU6arpY
-BSWoHcYoI9QJjZzh5NFfKhcu15PGtcJiiPjnL9ia+VmuWicE2M8EDIeI78s3P5Xt
-9m02w3s39caucttx018135IPUQ2ZssnxG/LKbGC5PIH+Rr0l2MccihAQnovXroHe
-GF8Iem3yILQY9mS2L0gyXQ2gnTb2MmbcmrWoRx4QGfkflAwafoWrriJfBOw7VMw1
-TClbHymO9XvBUjGMjxkAEQEAAYkBHwQYAQIACQUCVYAGxAIbDAAKCRC85YyM5B8y
-303oB/wJLYJOsxAV2GQYS0FeYviJ8PxQcWQFEEaYzxkvZ9ZQFNldPyat1Ew4rq1w
-+cpZoK9a8qvSSe33vSP8PICAWYfyGA6LfJy2KAV5xUOOOKUB4IkyrfyzW1gpiIsN
-sF0da12QD24dnCreV93dDFwQQ7dBqZAX507uHyAA5eUb6mjzseb4TTDPizAgHz5L
-fsnOvH267QtIUN8kJMr5MgoZrlSfwvE/HKr1aec0OHvbMrsGJGJ2T+zjQpw2h3zc
-0zgef+xsZ/ItryxLQXcwTRL6hxIw6K79kcc6LCktg1vBMnuy1nEayuC5Z5P0/5qb
-FsD9iUr3kt52y3C835Zwdnt374CumQGiBDzS0/URBACREmlUnPeSzfnC0m2oQV4e
-SzgYjskiLfwZ++Ql3zErPw0AphH7m95dZwAscTm3CQRHDDd/RYxkJMAYA+jmw8cV
-X1rXtQ2URRmzy2/I+qBU1NCPrqBjKRqrav9uhLCLGvEwdqWg2dqn8TMwNdlETbH+
-R0QQ/1lK8XtW0NiHC8I+NwCgj/8Av8ifdpVSnFp1QesTAVwdTbMD/icRYOZ5I94D
-SRk5GGnmD+lyhfj+ejYbuVEgg2igV9HuXJMnBKTnuwriuskTreeNQBvBCTltHrRe
-1LujAtlsbixooTgUU5jkzY+J/PeNfLd1J9uoqTGQ7GjT4SMfKuetSRBhcRZYvm9F
-M+54vsumKcXGK+qBfPVBHo1bk8goJxgBA/9tnrAoLIUPvs4d4ce9h5BGA2yG9Syn
-z3w1l8Zr+4coomUjbJFV86ZWKPM6nyb2RhDb20ESkZnCoDxZY+p5t9c3aiQJKQQV
-8Gj0tj3c7/OKoyMePgabH9752Q6upiZ5Ml3mfse/Kja4THRoPEjkQzAn77jxfves
-KiEh+fu6gsJ3cLQZVG9ueSBGaW5jaCA8ZG90QGRvdGF0LmF0PohiBBMRAgAaBQsH
-CgMEAxUDAgMWAgECF4ACGQEFAjzS3ywAEgkQ/8DxTITHG24HZUdQRwABASeAAJ99
-oc3W8UA0Peqdc5cX4Lbis7hI5QCgg7U7yZqSbW1bRDP8kufk/86S5g+0GlRvbnkg
-RmluY2ggPGZhbmZAZXhpbS5vcmc+iGAEExECACAFAkRka8wCGwMGCwkIBwMCBBUC
-CAMEFgIDAQIeAQIXgAAKCRD/wPFMhMcbblBiAJ9ggPC4h2/eyMlfUlypfFzLqQki
-LwCfd83Ub3FN2C01OLRovTWsmXWBaWC0HFRvbnkgRmluY2ggPGZhbmYyQGNhbS5h
-Yy51az6IZAQTEQIAHAUCPRc64wIbAwQLBwMCAxUCAwMWAgECHgECF4AAEgkQ/8Dx
-TITHG24HZUdQRwABAbmqAJ48Zhf7b9JQWWEiVO0m35yrUG4/7gCfc5OE/gBTg9P/
-1C/5UFC6wzPXtdy0HFRvbnkgRmluY2ggPGZhbmZAYXBhY2hlLm9yZz6IXwQTEQIA
-FwUCPNLYtgULBwoDBAMVAwIDFgIBAheAABIJEP/A8UyExxtuB2VHUEcAAQHATwCf
-QaJHzDZcMzhOrYjhobphXayiTboAnifEwKJ1DDVZxPxxWvxNoTvaPwm2tB1Ub255
-IEZpbmNoIDxmYW5mQEZyZWVCU0Qub3JnPohfBBMRAgAXBQI80tiTBQsHCgMEAxUD
-AgMWAgECF4AAEgkQ/8DxTITHG24HZUdQRwABAfCfAJ4santm5g2yaXD29CKE/OJ5
-4Sd5LwCfbDiwEI1mLyu0nScjBddGF9AiHx65Ag0EPNLUFRAIAJtkhGBrUaEVP2fO
-4wQpmujYfPc7+GT+Q0naKCXrMQ1vDK5ppsghiSr9TdVB3kdkev2oGxgsCfy2uPC/
-JuewQByYBmtKJuU6GDaRVXgMhpVwhcRraaDeYZm0GIDQEX3fWSlL07xxbzSZnewl
-SqUEAznHjLGN1pq9mvPBczq2hrAsd9TPHo/IB9JsVmHV9GYasHUSbVWx1S6ntU2k
-V2TyKpBS4luF1Z7y6yIWS9pwiZjTlWdUGSfUkkTu6sM59dBAxv9S5Q8TY44TUQfh
-HQhcLTz84UurU96i6cb99ZmN5uq6IP6NPIumhOJAqPvHSqly+Ez/oSzSyUoyZ0Sa
-j35E1C8AAwUH/0tkQh1bn/BhIyBO4S9z5wQfI+ZpR7npeKZ1aYQUjFzbULb27Y20
-HRujvXljFPoWB1oJO+oXULkCaNWI+72TYXzKRDqYWMaubwrYe5dHJ4hEDpmpqeG7
-W425rItDfhz2wKORc9vk+eHMHGZZhKamurmeH7hrVpe33BRfts5yvYWofYonWGF+
-KydBcrMp3AMbKGQMSOwcBiSpIJVn0HYJFIOWmthtKIMqfVmLWS2sqFKITbBKHBem
-P+97FVAc82dXxj6irB7/jBjdPX5/5B8HHOXWeEvuHSjZ+6efXFrTVbeh2u1alB0a
-X5kz4cb8Fl9Oziqc2Lx5HLgfkKiWgDAu4YOITgQYEQIABgUCPNLUFQASCRD/wPFM
-hMcbbgdlR1BHAAEBh+4AniTeOAdNc4fOd+lc1EMiNmo8+MkQAJ9cCqXvdHcqeQ6p
-c1DsXNhc4g8rvpkCDQROjXEBARAAzeS7Rq/35b643de5gjparUQdurY+huIwHOVV
-EWG3o0Bm22Mz+S/nwi3w6NNTGCyOo335JX6XA0R4dq/wArwPjQU01az/l1/PrPPm
-OPSnv9/a7eDVFgv7fVGiJFftID9wz2EANhrHjhsGhfFe79wV6ula8KMldipQ+LwG
-FGoSedlcbGRvvyIa72Z9jI5gMm9X482WK/+xl+evAinUWOVWlRaiyl3Qu2c0WTm4
-M0fN82mt3KAu5d3BUbZhkZrbQ4FCfEdzqqdl/aHvnspc6Zp3RGZMxj2YiPdFZmXI
-b7dV1Cf1UaUcD8Zib68/jSVlZLcw1NZKGrsjposgdnDuvkXEjGqECF/k6cqiWfeq
-3eirBwsk6HRd/d8bO99FduKUSV0m6iacgTUzo3dk/OejCPQiENEkb01CRrKeMfNo
-/t6yb0ihkwpT8BTiZCdCmkMjzCGrnT9D3bKlC0qB14gZN5Pso+rYPQmvOE67Eqy8
-dX7zOLAGaaqOaS64g25e44urVGaL6ltOjEU+6xQjIyVtAZPIz6dq/+QEnY799y48
-b6/vcHmByef6zSfTFFcN615sg21Ie/rgJv9ntuM9usROi7MSQfCc3UakUjKl3X/C
-bIrkC1qSmQcGKISw/hCivm36ar0wBx9/Vyz8/h8dT8oN/p5HECSB7GToh+bp3kMn
-+aCHdDEAEQEAAbQgRGF2aWQgV29vZGhvdXNlIDxkd213MkBleGltLm9yZz6JAjgE
-EwECACICGwMCHgECF4AFAk7PxLgGCwkIBwMCBhUIAgkKCwQWAgMBAAoJEGN2LNpn
-4vNZhm4QALEBYT7YFCeywswA3PH88h951uia3Cc5Gn4XBKbQxQQ4QRWHkrRhmINR
-qc7SMBUfxUtYnT+T2/Ei07OtRzKX1AjKN74mF+p7s8i7JCM2t7Kc+/xSIZIhpwgb
-f4OOjtUQ3RJoYjlL+ke8YomX6geMZV/IXN2nqj4a8CYkmzXCi2dg7uWf8v/p/hyk
-/DLYlD+HwxpRG6ANUkQ6zxTxgnzwihrnhaNsu2PAnWJo9G/Tfk8o5JuTRBn5qGr7
-SyQ0PUG5s8D2IPgMaABHhpoT9mYvVOundroC2RyusS9xzrTJC+BEvLZ+J3idAvT7
-/TfjJuOrPpkr2BUIZYr4MF+acG0QQUstsJdp7V27iINNN0jmlybbCl7RiIO8nCSf
-VRssgKbfJMnThvMGjYSSFPUz25gIgH95t8a/2rGR5nnBJQYbd+1Toj0vqc4PIuSA
-Lk8bF/fr0s1DwKUJGgbiUYA4moIY165he7/RVGVwm5qM49YgSaJWwintDCGox7kD
-JMBfOz1n0FVi5LLGCHmWosLt/CRpb+F+r0ix2g4d5kIU/JedT1kU8dOugLVb5bLu
-isK28h5J06k48VfTkzkSjOb8Nn4w7q78RUZ2zx8Ny5Y5+BFEKtmu7Bs9Pzs6698D
-HSaeZzqIuSTgn8ddu8iBjHZF/sw7wrZO1z2cKj6FW6bMen/bX+HbtCJEYXZpZCBX
-b29kaG91c2UgPGRhdmlkQHdvb2Rob3Uuc2U+iQI4BBMBAgAiAhsDAh4BAheABQJO
-z8S4BgsJCAcDAgYVCAIJCgsEFgIDAQAKCRBjdizaZ+LzWbR7D/4hKUfh04TLD2ZF
-sIWxrgEE/661lHaYZNi/rJAkhX73+bpPP5aVuWiqvFkYbcIvA4+PzSi8KXuKiLSb
-xtUDgqBKPWI9Zh2cOj2Ykl/+Qqp+TAPnjTde5+lc++MUm7K0QU2CJQZwvRwnLtwM
-vqsj7dlF37N46oSOqcPb6JRsDmJmoJUn1ylZhjys0qAw9A+3VVxXIIacsf7Oxr+5
-VDMTJmyclfGwbsAAEyYYEgopQ2R8Z+bEOVTdDYSC051oO0KUHidbRGU8/un7yM8R
-FtZSoPp88O4wdWyr9xbahSr4LYImoNUGpJLQQKf+EtMI4pKITDs5Nkl8S6q/Gkh8
-nhqleuVQ/jT35Uk0T1qzhX+8EaUAs4Bp/kUJ50K+V6C4wBMECoMDHXyvmgkKCkb1
-8g7tMgv1ea3gZXcOU7MUvhgSzcndLKZi+taGTgmO+bNNdOnA1MAxMJpoU45cWpVy
-Pp5nUg1E5/joQGW9VDJFLkoIArO50e2Ccx+beDPtD20zBO4Yga+hfrztlAP9aGUA
-r5Zxu49MpeClqTyTnCoFyAMbAJXSjaBEcnpIWghaUZinyvnneB8JpK4I4zjwBgwa
-N2+D6K0MTDJjyYw/bkRa4U6vv8L91NTH6avCpMJMdo9SeokLVuPGXxAH85JfzeK/
-q1bnjrGBca/HJSksT+3wtj7XCAKIKLQiRGF2aWQgV29vZGhvdXNlIDxkd213MkBr
-ZXJuZWwub3JnPokCOAQTAQIAIgIbAwIeAQIXgAUCTs/EuAYLCQgHAwIGFQgCCQoL
-BBYCAwEACgkQY3Ys2mfi81lOqg/9Ev3xFwdEWPZdknj63f4DruELPC7GYb5aY4mA
-NzmsLkl5qlbr6+JtTZOyvM5wmR/0zD6me3e7YvMWC3bQJplMExcRJVlTBrk9hdie
-P/0CGaY5iXFLLqSVbKyNNQ3BoES6vJBX4OAgnD5J5NmCy7pnplHF7hRiasK0YyCG
-2QcDtMdgq2AKkqRjaQ3r0kBblbNQbU1KMhVfww890wYIJ/1H51ep3IkCw9L1i/0C
-8Z9mBQbUBGW8k6Vd4wtvnPYs6LNBXHuDX9qZumClEALfdIx/WIQZZ5OIhB94FSC2
-06gP4pgMFJb+dgOrQU6Q46y8rRsArEJRkQBS0m1Nd5hTxYi+O5V2igbi2vvMw3ij
-emA+nEURCJku7/qb7vXhtfUYCK+9XUUIHkW6IadW5hRqt0+O24tnOsoj5yZWdbbS
-2tpH44F/lFO5VRhKkKVy+j9D5+WXsR2NLnujMpqLVezIZY+5H8QsNp9+nPXKaLy6
-kfg86Ou4C0gdOXY3M9h+j6METzPOehhPcU4Oep6uwdogFEP85cQH/YubpX/xrTmV
-VcXJPfYsDoR/SEvCN0ZW6HBRbXs5fJrCZeFwvAG+ytXJ6CY56vp9n9fHp1n1+WuE
-f8eMBJvWn9IaZYa4fUKNPp2FGj5eCRS95onmKngom8YL4nzEN2qRQ8edF1Sz9H78
-Osshh5+0JURhdmlkIFdvb2Rob3VzZSA8ZHdtdzJAaW5mcmFkZWFkLm9yZz6JAjsE
-EwECACUCGwMCHgECF4ACGQEFAk7PxK8GCwkIBwMCBhUIAgkKCwQWAgMBAAoJEGN2
-LNpn4vNZjlAP/0QmueyzFVNlUC3855fh5yDLpnucSwCrrxBZzudRu6bMbd3eTNaf
-2WLnIstHqQS+PWDnDq3tf2k4btROqkJizSPDvajME+slM0mTyuTTT9HbhE5VfgGN
-vW0FR0sS4id72VLsycjaho1NP2/JNXTs4tz9qisq/eHIjp2vJbjcgNUBdAGoUvsf
-6I/O3SZJM6j64LBjUbmm6yZZSUtQCTzcB96cEkKCPoXRatzFj0xHEGmCCEFWrTuH
-KczbC6VTgQfGOK3N9UeaSplrR1mEBij+M51T4rXqQvb52ko/L/UoAPNuk0TiRQs6
-YvQTy16cQEszkJvxBZUTS3ifSmEVfaWt8f9sbVfeWPm5USIG/HwsiNNy977wbbao
-BO25C+3rC4W7rFKqzYsRXnKKBWiTVtDs7gvQBdGqWRwJMj1crTDFgI09Gn+N/Xth
-IcC/STvJdDgaomxuv9oUqM9QMm1x8jVD+4nnEYPWpV4mtxjoA+gIW+Vv1PGJS+39
-+dlA2TEtDzJfGPE3YF0jjy8ycqw+y9ar6+nnspyrLafCUybXCafQ121+F+zIVfR6
-KKr+Xy5bdHUVuRWeP+EfWnaYuevRoMsY+29eURO6hh1S1ZYukpANJP7Nu2onAPOO
-P2e8X8TF23ZcYcON0/sneMnnCuWLQ/Z91ZjTDu8BjbCYPWqgUuD6f8Q2uQINBE6N
-cQEBEADahf5YXCjYAsBznLgpRFL47H0ThjvxJ7LX/bCPTo81X8T3u+kd82AFr6qN
-yc/da3mVBJ0HUMqOSGXTnT6ncvlxe56HaHX09ZWc9yONa+LLhWMvHh8cfS9Z6fH5
-I1WP0DrtLRofO99K+gGE8GflaETIoqGVCcKbHwcmBmyfJM7OcYbBNq1vMj7vsF6I
-VyYGsGCmLoAwjuZX3gO/mZSwiJGY4XHQQx4wiRLmhxl/HvcCiqNOZy3FaD8s+KBZ
-hXoOeAtj5g0vQleRcoLp6fWEXBz/eSaAC3y2P9egj7CWjsQ/8ky4dEq+96VD+Xr9
-GE0cKVFfAPDSCbC2cHBfFbLBDXlnizLgqBWEjJJ1jPAcG5pcdk4YlL0Nh73Zkp9E
-uB9nLs5bLsWsmcNBCsHXkgq/GuDKzkWzmVhgQ6YpdIM0PJ+ycmys5mErZjkU942R
-JID9xpO2tIsBoWQT5w0nvAOejjjoSFMVGIWKRwMpNyXo/MQ8IovahZwn1B/1CQgb
-aTP5unmAgyYgQ5bKvf7QVoFB30tu2SX9c8Inx2ma0tpI82GZXmEA4Crgok1q3LQR
-NO7TVEmE4I5c37HkWW7z9oyO59KZLI6jCQKcIZnTuNu3viKf1GC2fy26QgdnTZFI
-5VOlfRYbVzu/V7MrAG56i3lZjEJ7uXhBPNugxMXtxoegvbXj8wARAQABiQIfBBgB
-AgAJBQJOjXEBAhsMAAoJEGN2LNpn4vNZDq0QAMeOdXlaM4pLO6spFxElkUK7YwSD
-j2oaI3DKDfsMt5Y1cM1pn6DPJWFE0+I3HG7KuNj1ldcxDQJ75LQclgS0SJUkn3kM
-AFkZRcpB2rbXYpUoN/9dZyiPFj689EgqooiQVVv0mbyrnDMJIlQ3oj0DUGUfAY3K
-XBVSameDnIadMKsPauwWIuqaT6BookoVYajEG7meUs4fCIG8Kwi+Yz98dFScQbkv
-YSUGC34i9g+35KnQ6ZyY2n7hYQHRizfkuYOPk9iF8YLMaefw+SDGu62EH+eS5Ip5
-crNwNAzjdETHRs3fNVzWxHt4+8KYI+nRBBwSeQes+gx5IYPaBJ9u16Bb6ygK84GA
-pgxdYBT6d9O8GST5VSFFVa6bZDW2Gr7MUAW6O4jFLrflZx6qqef86AG/2y36pZgr
-pfTg4CJszLSncTxuLQS6fKxSuaoB+H4Xn3U0nWDkpmG8tHCEWZkPktBcDebp3K+i
-BGH/00oy24sTQPzj/m3z4STzBmMFyIo7/9Md1H0PahgTYbVDquDP2+uEIh0Bh4sx
-bw5VudBxre4VpVxMLfun2alD019JN1nTsCLsvknb6A2zyEb/bK/YArPkgC0eK/uG
-x+tSCVNJzJwdmtyx6lISsuRWgamakejZAQJ1RsYey4uxchVoIBosEr96HGAXC6QG
-qUGpmp4gd45ZOhyRmQINBEvFfPcBEADU5bFOcbVCBDsTGq3D+8AnA933S4iYvxPw
-Z2eRaT415jXQs91wNTpVwgY3xRzkjThXyt6FV7Cd+BdS4YvGHMvqKZCOgVnrzpxe
-Oqy7GsC10yfU+dA7GvZiY8hm4tw/bdkjTsQQeWePgWoCgmqpadKAn4iGh0u3fBZC
-7p4Z8Jsf02yqUFIy48OxKf/aeV8W5sTRr1m3HDmbjtUw/UbUW761GIgR11BxcPIa
-MaN7WAwKHNpIUqjIZyZ6z6tGGQ3fRwTAJwi1SROEU74DgRtRHn+pu2kp0pOsD3wz
-8yT95gL92CC2hkitTZB4+3uglmMvuQ9nwQjadPt8as3fB2mfGK7c9tLXMIq8bmDZ
-w+mWU/XRbU4vrCdQVyWH6LUI28/Wnj6LUEC6hZOnmiLSll3bapo0eca3LV9NVp0G
-aNy8QX7Op2KwE3mWkN4F7c2ZyGQ8MaL6qLlmE63Qe4QFy5wJ4H16NCvXHqGxm60b
-nJy51NmQJGd7YQeDa5AFbgFJ8V4Bg+f1LfIeh9rpHKiuZRPZDs8yxs0kFOQOjZ4u
-5HNn2AyuYvibT1CXj0X8OHzXpQ3SylBy+LE4xEnt6JPkQjXahwEwTotUxTJbu0fK
-9UvBB4mqzITs270HSowzEofhc/5YJSxlxQ8a3dPBBRjzUeTfNN6gBrEV/7YalfDm
-xHKEyFHepwARAQABtDtHcmFlbWUgRm93bGVyIChLZXkgY3JlYXRlZCAyMDEwLTA0
-LTE0KSA8Z3JhZW1lQGdyYWVtZWYubmV0PokCPAQTAQIAJgIbAwYLCQgHAwIEFQII
-AwQWAgMBAh4BAheABQJWrk32BQkSbZ7/AAoJEK1e27eT7FfklXUP/2XzrCgNOhRr
-DkonKQddWqzgz9DXPttmA9mNeXAM0gBDcnNUhFXiL5yjRyCmtmrjdiv2GE3yE5Xg
-arCoyb8tTve1Ps9ouzkbHQomDOdoTv8maL+p7MovSXr0jcJow9rVIdSP03BdFExZ
-u+H7nXrKoSKcBFIMdDVznMOGBO49Z4dXFeDQgZ8xafDpB0KqCHKMf5PNQ7iQ77uv
-3lIVFvX4svnPP5t0FEmFmwZ0YaKbRoa/I4fy0jHCpfCtEEtmrUuKIuQt8uzpYpo/
-BnH/yqXp/ajJ7x/P4n4IbLV+HSkX8Pxfh6ABeilHKvwmmNKYrNl2vCnYzUyWOyDF
-SEySxHAEN6hLdrExZNXDaLh73QKN/y8bl4sh3Ehml/DBhbktGteUBHt5M09OHvu+
-AYLpYx0iZUGzUd6hxkWlkJ2kPeToMcKfRLNGT+237VAvbGaNrXwFZXELwaptL22X
-uu2Tfn403/aD9ssk4L2v7GwJPeTQ1U9xH0742eWJf7OX7UMUoCG2HJf7Sg2nRtIg
-hK531cE1cv3i35EOHeVWClTeX2kc/9hwgzXAMWKrEe/3OMGPHQNNRsnPCsJHjhUY
-PRvS1pa6k1nuid8IZEeWskDT2PmSNWJQay9oA2ojcFua+UC/29upvBqO0O+/CtLH
-YvinLANDShtEZJ42rwbYEorT6OO8YIwbuQINBEvFfPcBEACtCHNuOn+pZjBOWmW0
-rqCnN9Oywq0h0Twk/UsqkhAijImgXrZLMoeylGA+UIsnuNl6e+x76Ke2z6H0Jytw
-IZEi9EqqZa3UhpN7JQ0ddNzkzE8tvYdicPdcXkZ99KBcHoPd25/N3fNJWJmbBv/b
-CQMW2J/zRo5QPokOjEl770xNS9wcXmA3ptTKbyzfQ4Wh8LALrJ3F9vZw8GsZFAmF
-NeMLCJ4Qhxk3MjCoQdzzRSTYEu4c7eYbE+biU/ZUgBMJH4Ed4urhOO81d9dDvf2C
-CdcJdftAYy/ACtTeq8tc3YzG+E4J+uplxxyD+IFP8U8Q5TyWdb5AU/rAWa1UdpwZ
-IQiaJfy4E1x+ac9BHAD1BZaCMv0fTcPxYm8m67GYUfFqRaI5Yd9sPvuzF8IDs2bo
-Nl5L60ce8ROOBtwRGp9daOHmhIlRKGoG7FPc1dTGjrVd5lWgzet+CHnWZ+HKYsNg
-W7cDo52Dwa8BjenK9OUxvzTNzwmz97cCioufv+ysUS9DY9tl7P0eHR1tehTM7HSA
-n/lCEU90j5/f/ozwBR8cDF8lLSMXlKybudjHteLFA/2/HbzWIEWVLpckmu3Xxpw9
-EF9xoiQmbJTmkWEIBBSLAALYtuygBbiGUdwPBeJQQUYliNpdgrwKXp9OIB8NFK99
-DvG7xB61569hUaekwnmB5uEU0wARAQABiQIlBBgBAgAPBQJLxXz3AhsMBQkSzAMA
-AAoJEK1e27eT7Ffkop4P/R97j+X8zfPt9gsABnU5zHtGS6jQ9Ahax+q0Dx0Vm7Wv
-qH8DC7RsSGp51YflfS4S3xNVGtQTUSV+z7H4cFUSD8f22RnubLUKOplVup6m3Dqz
-/Nosht8sU5Yo2mFmRNMFGo/gJF6vtqX15rPpPh0gHsEi3Toa7qzegnIVfuU14ZND
-tRnn5OmuJfFP9xO1PxIwqi+GaY06zkKbcmSw12xOwOCEt8kv4FGCx1FiSrFdHK4G
-fszvtzOG6VPbAROnERG2AbGQPXO0+m3bfYxSv8rxepSjo4f/1sXbVAX5AgH8wtcs
-iZLq7D+UrTdRe27dB/PmN+L4xz9UEmU//1rLzxOBfyWLfITF+65e4QZkrxIwVI2M
-4AVB9pAb+fSMmWMb4IU1tuSkeJT3k/bKeWdGVbXrDiSgd6XChBeui+Td/KR0Hbl+
-i3jeDm/6tYeCob4XQ4nhJ3dI9gI1S4YXJgGizhZmiWqipA41b12rQAB6ieU6aE/N
-OX7rwcNGaCwbyCgDOQfR7fiqxVF2xA8som/asBwAUWFZIMEhfijsn7fpK/7uGoN9
-2Eqfxvcwr7Rkp+bhCS6Wg0q+bgBn/02MB+9Uk9Yi9O7/DI8CqpwsiMzZ72ZMm4pT
-Lp8WFmqbxePWSxr4JA6XmApmC7sSlH75melFC6MCwaxpoRMbeH2mDhAfwbjXSPMO
-=XUWN
+mQINBFSu9kEBEADiOZ6fVyrEyePZIg48FXmKCqexKWOUIAOYLwyVbU7OjNrEUmj8
+Ywx9mMQACJJPcgUjOTxgGi0N9TBJpWlFDxAXPRdPr4GsPAq8wh3uVncC5qpaRdPj
+66/nZis9U3zuRufnYwuhQS3GBbFrV282aDz7DOwFUjrc56nfKj16i33lIgd6oNCP
+7hHN3ZkSOH+bcAdyhmX5jvVv3OxqF6uq8GAHpCkE1piERdcAVkZfPKdf7pbE0pD2
+BHGewoNmRucm8E7I4vP5+xUj+VsadJfJxD+FXDfGDfRtce46RiEh7VJHPvxgBoCU
+Gnvqjc/4z2gkD1LE/yPpdaPe+UG1stE2XV5ReXUQPxL3mMZXOai7QjTwcYlGY4YC
+YRhCMMkkHxRHpEefibTIJBlmChxcIYRGBJE2Y8xQ5oiyQycGqgJ+oSJ8ZLUBOpmB
+i4SKT0yjzB8cIB4w4ayOvp7DU0Y9+O/NRAZFQ9GC+4TlzebpZywMmSBMfthb0/xP
+hB5uh5VjvGnCQCn1J396hC+lcZeMQCQLl0mFodcpu3GvGUsdpXtxOnXv5VqO5/iz
+fPNeGNCuH2iOI3IRUEN62yjDM35TGBbJsZ4W1d56pSZSAumhXyI6Nqooj+fbj52X
+4ljnW0fxxHwMb3c33Fgv8IN6uya/GAhkRUOum9zf9gyEJZUcNnRmqadCuwARAQAB
+tDNIZWlrbyBTY2hsaXR0ZXJtYW5uIChEcmVzZGVuKSA8aHNAc2NobGl0dGVybWFu
+bi5kZT6JAlcEEwEKAEECGwECHgECF4ACGQEFCwkIBwMFFQoJCAsFFgIDAQAWIQTl
+yjMdRKuOTIBv2+4mEBti9pN2zgUCWmhlwgUJB6KMAQAKCRAmEBti9pN2znltEACa
+MD2eE28dV/wMu/G/3u4uJ6mLvb6gH51KC8KKUG2GXsnp3Bcx6RxEnsktOTRG8Zdm
+Q8Xk1QdTh6sREug62MgEKXPsNudRxzcMteISyvYAR4RkrZuHAHRxboRxB317AfFV
+iKon62bFvygOgO4MnTgfwXr7Zvm/gPONzFZgH7sdTICQXOylgce6NKojdM96FJ9F
+39A2hMcFGkzrGKWvnEIRKPngV1oIH+qfrRjNXiaSvHxpePkp/QFGXzjCQASEw76h
+2x9YytkhOkrOkFVFeuwPXCyenA3w8XOfzkRku5nuFmyeOhE1wUdP1zXDSI+5+rc/
+RV/FnQ9z1XvTBL2CypLJWANH4qWYF8cqvTP4RZBB5nTof/l9gF0+7qASYwEqplk7
+0MZHCjgadi4SB9I7w9j5bJBndSeNZPYc2w1eIPc6v+FM4BLtUU7VnTVfdhX0TY50
+iV7Y1rF3glJbWTG7btmEGRTX1GZWJcfsS46jDKqBW5LEC0WxtNFfPn4La5dY/VzC
+cVxyZdsz+HxKdq23rNZRLdKdSrTAsGgjRJIBevVa2fw2q8YXRVwtWY1dccr+Fxmp
+kSamoAlLH98HNUxDpkr5aaI0h8dxhMqX15esqW4UtdbGKxec1bC4AbJHzyCTNckd
+naDR+/umd0Jh0UmgccQzQuAy5X0t76Co6RSOMigqsrQ1SGVpa28gU2NobGl0dGVy
+bWFubiAoSFMxMi1SSVBFKSA8aHNAc2NobGl0dGVybWFubi5kZT6JAlYEEwEKAEAC
+GwEHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgBYhBOXKMx1Eq45MgG/b7iYQG2L2
+k3bOBQJaaGXJBQkHoowBAAoJECYQG2L2k3bOrfcP/Awnvbjd0ZRBsYeGjehzDSBk
+SeTMalsX1OGVeY2Muq/bGwc2MUQNOuHLXhpO0h0R0uaZOj8AqI2omP+kfvIIAp1l
+hH1cS+wAuJRMGimOJgaqcXBo6EZlCsA64dK+vcAoZiKlmQaYxKvXU1gv1fDcUczP
+b6g8GAPPL/3XJZ7TbrAgjWX8hWmveJAS1T82EZ5B6T7mQcSQfcPwyMLikdgxT0Wf
+G9peOCFXf3FbiIoElK8tN3xgvFwMc8znv4A5eV2Xq43ZpDV2WY6KphUxSL8Jozrr
+IdsQSp00jLkh31b9KGHN3Hwi4ig6A5zihxFJFWpqBpWbaRR7J8/YCP3uo3/NF7MT
+uOP0OuJ/7OFnpT2laDtNtg+apxnJ26zSCvcgUbhxmWPNiRVK36v799jjVpJSsv49
+or0Llnk7iZF72S3IEIx59EhpQOha5KbhKjjUBlEHbrCLFaRPgsU8SVeu0HAevBY+
+O23oXjW0OswgSAUDADICGj6CJEvz3CwVuSxhDjHUurIB3oSw2KQFba6pVbPyq2n5
+JJ387ZD6mmYrXJeTSMptPoWXxqCB2EK3eryp/ns947yIpyUQ/U0/chXpcV0hCafw
+32QkrM41aej5/r42TwOyFVUnPZzm25BzLEkx1m8FcQJDkrJf6XUwiqzcd5KpB3hl
+T5/rF40Udw3RSryKNB3v0dHq0egBEAABAQAAAAAAAAAAAAAAAP/Y/+AAEEpGSUYA
+AQEBAEgASAAA/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsL
+DQ4SEA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU/9sAQwEDBAQFBAUJBQUJFA0L
+DRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
+FBQU/8IAEQgAYQBQAwERAAIRAQMRAf/EABwAAAIDAQEBAQAAAAAAAAAAAAQFAwYH
+CAIBAP/EABsBAAIDAQEBAAAAAAAAAAAAAAIDAQQFAAYH/9oADAMBAAIQAxAAAAG9
+fPO/GubSEtBlGa96w7AivEFcmWBP87YnPpNAfdeJLIrVB5bw3TDYD3w4bu2LTZXY
+acWOgVnc64Pf8Ec9x669KlsTzp6t1iYG/tSFU0r7naLuwuQl12uih5tA9jqX6uq2
+jvAzpGF6McSNYyGJiilQ83NYWhp/p61ZWTds7d5z0VM584dN0L7eKFnVdTHT5L9N
+lFkLJva35/0DrrVIVyK3lLNTL2PPsXHG0OOvT44MFAwd0xttYpwTK1Q38ZNWPTkM
+3fF0OIvQZknQrAnUwPMrh54UPTFkg+osm3wFrVWJQNEvXACUD12FzzDoYjPXeS7g
+nWSR0nGJtlalBxLL5HGT12juo6HcKX+skxbGBn/EvUTEoWDLWe08e6Foxw5fK4kD
+5o5msxQloUADLA+1dXbvUH//xAAmEAACAgICAgICAgMAAAAAAAACAwEEAAUREgYT
+FCEiMyM1FTEy/9oACAEBAAEFAh54gp4AvUZvJ8dYrKN0sFQz7ztyx4H0EEdgn+AV
+sX2K5xi+MsfZSAxnq9LIzmSBbDrKZvr20zWWNhGTtuhVrgymkEXBTUUEP16Hjdoz
+XaovSqyv7Wdy7mp019t/4ZaUE1EkNSPWK3fUv4zdhDteu4LYesShtWHx48tCNjsd
+we12IVFoxOzQbWEa8m1j7PtqjS7NtA34pW18MuyE6hX+QsDaHjY0G2XFto1jW2l2
+AM5shS9iWprwqCszeskE962zirt1Vu5q2ddQPrfOlzY1Qa7cTYzSMVegV+qKZBra
+ztqE4yxFsNXuRva2xHOTswprhrbFx4EkvFtlM7guCwbISTYggUz0un4y2PsEWBYb
+JV7n5fuqeLdGb0W85DjwH/U/nIjETZniFxAQMxirnTNeInc7CEBH0AdmNqlVeEfT
+md2/Z53xGePqk7HP8g5o6/v2vkyYXduNJeTONiKtYOWEOePK4R2EWDni/wDeeTf2
+lz98f9bP9dfA/wBaX9LM/8QAJBEAAgIBBAEFAQEAAAAAAAAAAAECESEDEBIxBBMg
+IkFRYZH/2gAIAQMBAT8BSxkqhfFnPNGIrByOxd2cnJUL9stfZJR7TLbwjH2Pb+oq
+TF/dmv0wjPaOV9kYOZSXRQ/hh7TXHZtbR8SXpx1ZfZGCiqJad9Honkaa4EbWSXyj
+ndIeUor62STOBrriNcskouqW1EVy1IxIZPTjfIbjWTng8jWt0iMs0KHE620MT5M0
+v0q+xxU0eRqLRVEu7NFf6Kx5KONM0pYJan6S8hRXZqOWq7EQbjIvOCtmKbHJsorb
+ojK1XsYt62hWPavatn0IXuW0tl7frb//xAAoEQACAQQCAQMEAwEAAAAAAAAAAQID
+ERIxECEEEyJBMlFhgQUUIDP/2gAIAQIBAT8BpSxlhq5DFv03olRg+oK37MZItdWa
+MLqyKVTF+74HVb7HJkYRlG6J+NWqRTUbiozo1FCcdkqcaZOLqO8dHtTJSVzrQrJW
+IuKj7iNWUFaJSpQpRxpxsjBS+on4cZEv4+pD/mz+nSppZO7I04LSJUKc9oq+P6c7
+LR38opoSb0KDH+CfkpSdNbRlkyLMir7omSnsjSim5JlhuxFfY+XL7iaL20ZmSkmi
+FKVNJD/BcZf06U6n6LnbVhNofZHxHVpvuwlOldNGbkrF78eXb08I6MS6RdrR41F1
+5dkXZWPM3f4HjcXSMhTyjYls2QoTqOyKWFBYkvuVkpwdy3Xei/C2OCexRSLsTPgq
+fSyV7/ji/CXZLm5LRPLvlbESf+HolzFEnx8cyHwti0S3w9LmQz//xAA0EAABAwMB
+BgMHAgcAAAAAAAABAAIRAxIhMRMiQVFhcQQQMjNCUnKRobEjgRRDc4PC0fH/2gAI
+AQEABj8C1VvWUZG8RhmpQZZ6viUTp7sLdAlundSLbQbiOql2GgnXK9mY9Wn3QqNv
+tHqJz9EHkWNd7xVxfAHpRxCE7x+KFy6KMCcYVwJiMoAjXM81YSZ4f9Vt4z6uqB2N
+XkKjdP3TA6kwt4mlWbP0KqsqU3B7W3Y94KnX2l1MiRjVNe+6HZDV7Nv0UFlvVuFs
+HP3To5fq6nqsZ5ZwrfD0Kj/lHBUm1m7Jky5u0Ex2TfFube2qbalB+lv+097GWUb5
+ZQ4ALOvm951p7yve1k94V7XXcZHBbO51Dw4/l0d2e5VgY2nSbmOyaGez9DJ/KnLg
+3QLZk2nqVLTLVJT2YBdjKaTdS4YCDKTczo1EXFsc0/ZH1cUQ/dB3TH3+35UGAOSa
+9jJcNHoUaxEwtrScOyLA8Nd1WyfLGTndmED6qg4kJjKb3Y1eOATWTLCcTwXhWM3a
+IJbnjPFbd+eYTphpbp1VV7ocXHIKLGkbaoIps5K5zpfqZWTFenHHgjNS+dJQm7av
+y6Gz+yItdBzK2o3Xg7w6qnvfrgb0c1Lt1HfuJ91uq/iK+vM8Ft2Cze+kqjve0ZaU
+ZkStLD1XMoEenQjmENk2uK54Mfa09UTUe6uebiY/ZQHW/LhC+Z+JVGE3GJXhqjn2
+U272vRNHCOC1u7rGDy4KVf75bHZAKSroXrjpqgwzZxtQtGQPJoGpMKx2qzlFABQc
+qeCc/sPutbR5eFZzeqQbrZJ+qY1pha5KpPHrqE/QeXRMd8dQKXCR5UOzvwv7bfId
+14T+n/kfPwnzD8o91//EACUQAQACAgEEAgIDAQAAAAAAAAEAESExQVFhcYGhsZHB
+ENHw4f/aAAgBAQABPyE9Z0rcCdB2bi2gtW4HmMjIVWHuYcUCU5eYwoKFP2hBbZQu
+19sFWDFwPZOZgcDQquaH+Yxs5203VdHuFqNXouUu6EZ+Z1hTDzTyxnM2aDHT1EbU
+VngsBSjk5PuFkJ5DWp0M5q09Mths3DHf6UTfwkPHrMbbXRvQOEmjDiBef7oFSfCo
+7F8nSLaqvShWNQC6XDUeXtNSX2i4ae6lqNVvt8EfJrA7V0fcxG1jFyP/ACV9cKBq
+OiUZC2wXUN1ApsETZqunJIbCqcbC1m/dd4h6PcoosA95waBemcygowzxV8n1CAld
+Ax+GOkInmlb5kcXOqMULtdvdZzsfDvL+5eXLDgwcETK42ClB5gsmWhGyDjvAo+hw
+1rIV9xwyiycHKe4fkg6SxlMs8Vz6mlZG7809IE71q2QhtMSziU80qOcS/wCBscTU
+FAae5nJNf12vZAGlQczs+e8aURa6ew/GYQRAvyXqXlqPNGre4DAcqcwxTNC4oUqE
+bJclbiDq9rKPMLLuULL4ivJldr7qiB6YFVL8gr8TptMS6eyMT0lxwSMNwp9qE2vL
+aYjvXMHtP6jsaTjgGggcJu1d8kFcDC9Vv9TEDAt1EJs+D+J9kefEfIF+uQ4kBP2G
+O5AgTyx8JjS81gCjw0bY3cFQ+JV5iroWcvcomXk7O8cl2dMyCY6tvK8RFTCsu+0t
+eB/bO9OZeCphaTSkz8OWFmWqmDiurNXKDVUxz5gmEbUh+U18t/mMXgnTEypbiqsw
+6syzAGjrHFnPuRKNbJhRgUl/lgr4M/qH0ZfZhCE1tqWF5RdHUDxi+X6m59xaDSY6
+z8JCaFK2E1n+p1z/AGeZ9H8d8/DV/m13h//aAAwDAQACAAMAAAAQHHAkhuHnIM0X
+SVXk2hYx4dFqqkUj87TBa9n+afigH7l5i9yqnkoqIre5SNPbUU7e8//EACARAQAC
+AgMAAwEBAAAAAAAAAAEAESExEEFRYXGB8PH/2gAIAQMBAT8QJY8fHUttqO9u11G1
+pn57i0lUztYjpmDC1RtJ/vvzGVqhZWAwTm+S5AAjvGuag4qpoYZK6xBsVVKvHc9F
+xssZsNUdOxiNrVDNURCUkbmtMAKzN6jP9+Ro3K2JlQluitTtDF/XnsqCG7gTuE0y
+SzYzEEDMv2NsuS+6IktRiSqxBqcMtqULuW7FV5GEJTD3KR9t+iFGI4DdTIKIxu55
+8TCDQ/sMDuUCEb2bj6lkow7UclYgA7llruXDRg3PeBUHccjqV17gVDq4UPuZFMIV
+7U6HmWIXeZpANE2LcB5GDCQbXBEcJEoiomU1KiGY3H93LkuOYY8umbnDpRNQezUM
+qcumIHPGsORthO4bQ1P/xAAnEQEAAwACAQMDBAMAAAAAAAABABEhMUFhUYGxEHGR
+ocHh8CDR8f/aAAgBAgEBPxAGWhXj2uOieu61TMeZb0hy/Dc4lXFTKOT+PxEWfb48
+9yljhXxEJxbivXj++s0HnzzAbWfEqE5y9e3x94q5OgUteh4ilDGel+rLo7eeePHv
+Auvbfz79TB7ZCbx8fDXEVlJXiLjXOZV9/wB6ll8lS3giEAPzH0tr+9wAQTrd8k1E
+HO5sBzPacX+2fEwD1X5/3KVlH7SzUr9fecGj0uD16QLMNehi7WZ7GkFi9bELz+1n
+/ZyJOuiIqp0Yi15foXLB+sOdyK0snlFN7GGXfVXn7QKdQlYrbIFfmqfdgTmLY8Rt
+ouM0Tm4eP5ii1nv/ABFhc/M1yV5yWddv3fWJvSX6qDVUUuD94YDgjwlsbXiWYuu1
+ikmqqXS5Iwp+Jq2ARzt6lANr8zKjIZdC/wATNpBjVTGJoAgthUUy5XyRbRFIC/NI
+NcQg1lyZkqEuuoMiVVLHE2XOJmTJeoQ2XCGNXKgbKFY5QR3mJQfX6Gv0X2o/4lfp
+P3ncOPo7T//EACUQAQACAgMAAgICAwEAAAAAAAERIQAxQVFhcZGBoRCx0fDxwf/a
+AAgBAQABPxCUBCWAk8m945oGlsQalN+ZGw2ECd9zQQNzsxJ8GXOmKEjFkyxgQcQ+
+ZQEQmLyRUgMBGQ/Dn2MR5mTXYGgZibmeIMVlINayjJgqHH6y6LMN0kG5tGGYwsio
+XfaVyxhhBW4OFS/b8YuvJGyFPBN4CBa0SKESkjAu8aYmuwMtOwz/AJwXCcxJ7Adx
+9Y7KAGg3C8G2zcc4rIY2hYH5fqNzlwVTAoA2l+O0MkAZCKJIUiSYoVvBBCEBrgiw
+sKSRzlDgqv2M9tJw5VZocibdDM6JVvKs9CCIpCXTNZ2Y04tyRLZunfVYPlAK2zwX
+Hfxg9FANFHUsucm6Lgjin4cTkQ+W1rpAJJ3gaMdwQ1KFcoyNlZ7cMTOjbVXxjZuK
+MbQnR2rK5BiSzwTKntV65yVaC1QEKRAQCNFRluTDWhmuSWkQ0hkgJEp2v+MCcPT3
+ixFehj5gnJwAPiGY8weAkvaIdiRp5EZrxTqkYigJE6U+cCnlwd5kDwjARSogJarK
+FCsfjCWJRVIKg0LfgA4x+WIHpD9ivK41E0QCzpOMC2OmSs1iJxz/AMwoOFCWttD8
+1ktcZIkOARg5XPZjp5lYkI2JgV6kGItFG19eXHN3YbWUh2nZ7hD5WqQU1sSOeMM0
+RBHgE86x8bDCjOWpv2cnq4dB8v8AOCFKDbbqsZ4yFlzz4dTxvWb7UBTTcLl8ljgT
+KiRi2RwmHdMVgr3HejpRnhMPWE8lASSO5wG1MRdMelBXBBh8yYFRGx5iNe+YgikA
+EiRZ0jWDKpGjgBPMWQ3pGTXGhzKusGAB5oeNER5lONEQOShhBE/IY96ZaMNTFp/W
+UBix85oB5tcYKAEYSW4eZDKB2cgJV0xJ0icGD2ROsJD8WJ/OPY7JpXsnXxORpkBf
+IJo+0e5CKdoDhLtCNEr+cC0aAzIAQVNY4lH63ojxD+cnNBQlGe+OoxrKsBE+J0n0
+MFwDcGD5D+sv6PTba95HhBwyPgtCSKOtgYkbDJMkS0upbPX6ylD0FfZf7wO7B0mr
+mZwTYyVY2COq/vGeuYqZxJqGFc4ERwS5iE+LwNUiIiD4xTQrSDlTZg2kqyz78aNU
+dB9L3iQgNwcBo+8OaC3vJwOaFA+ZwGgwILT1VE+uVpWRTr0SFXihhAmpW2N/qM72
+dvOR3ok+Qf8AuHSQRRJzA8cRsxtVv85SwUvgcYiANqODFJ5dSVhk3wA/AwDaSYf+
+MON/JWK0kneU2jzC8arwrxZtC5JIfQ/eSsO8/onzHUJkK79xsC+Coko5lcNjYWVi
+tI6OXFemlMcCcPuGgEBLvizNH8FNf+152Z/Sf2fxc/f/AIf990z99/bn/9mJAlYE
+EwEKAEACGwEHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgBYhBOXKMx1Eq45MgG/b
+7iYQG2L2k3bOBQJaaGXQBQkHoowBAAoJECYQG2L2k3bO1k0QAIIrNpPvClBQaHao
+IhXRp4xAUG2pGNFlBbroQfRZYHqXXCEO2TQYZBgiGiCyzgTKBYJKiZVdTjcF7Mf6
+/mYe54YWxNddVpjMv6g1wAEvdMh1o4V33Di0/Xp/VWjzUIsrg9dpVutYmg8SKRZO
+b4QGRuLi7gZZSzlniu2YvTnLUZ64/nT6gAKNUP/tTvbSgO7FcunwwhPuUoiwVP5E
+7stvVfA7e4zucJdvmpTHeUP+LV+AyVWAmTua5ytEtAUOLrJHsPixGVKXNfij2cYE
+1EIZ3xyVF65uxC+41Y8wmjfbZ+30rTZ7pA2/dlhEg7LO3zGZ6xH9Ud0HIe3zY3ce
+uLdsGOlxBZrTePi+Y6ltLrLwzlkaR3+BvqP9g3Cb5m4G6y/KAPH4QeL2Ych5yITU
+qu7eMIjsoJHxy74fSxWr20vLW9rjBEFhZUxZykHEtbilFZdo++VuQqNKJLHlZ1F2
+P6peoWZ2wZ4+vW4rr63STYyQC8Tyc8Ng0+ftvG9pEyfxOjM6wwYVw1jGed2enSDp
+QRd79nkBgm2CtUPXjUwhTxXO/0ZnpIX2+0wBQuTvS4+2QnG6yKqdo34UfBUpifLo
+FUGd8ks1fc9bL+CrnUgFaN6nEJxHjlsihtPQG479R1gNEYLaOrbATHn2BgC8SN3o
+ChYdiVbWni4pUuEIItiFEIujlQN7tDpIZWlrbyBTY2hsaXR0ZXJtYW5uIChFeGlt
+IE1UQSBNYWludGFpbmVyKSA8aGVpa29AZXhpbS5vcmc+iQJTBBMBCgA+AhsBBQsJ
+CAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE5cozHUSrjkyAb9vuJhAbYvaTds4FAlpo
+ZdYFCQeijAEACgkQJhAbYvaTds6yqg/4mANG2PHYlugP5NNdtfFHxM5VwPUSCumW
+BB8cUEW7VQYhOVUukzAFywzxY9rczSWbpDZwOlTZkB1EKi3cA3XoUR7p4+B02V2x
+TMm0YF3FMmKKXzKl37iGRhhPWrrrVLixnZ4Vi3YRB7M34Clr2+7//sLlEh1rZ4QU
+sRoxgSj5NGJGhYBU5DXjoJqPFWmRxC5hhelxSq0Dlbu9I0aAWIp/IbCkfIyTT0og
+IIVOF5OwvBOcey6ZGuSYPWu4v2F4QtWlUZD1J4Ez48hoOnJ2Dx0BU3stg2pkVIq+
+eCkMyAkCU+OKpvI90B3rFNPv+aFwXlYFJKh4A9wpGr8r57It8vx5IdY/hjLI/YeS
+D1de0vQ0xgK4OqJ382J479AKuGEIsHQ4040PD/xYGECvmmruQwQeiq2uVGMvN/oD
+R5gM7HBc/qqgDRl+GIwwhqjJaNnmDCizdoevXj2pCZ7mD+SKxyExRwxD/Hz/ekyt
+I99MVs6LqAbLQZGxBmxRACDZA/enAIf0vyjfVf43Ye2ZcTRqkvLcr54acLVJy4FI
+HU8BMwzDaAY49wgfIVtoMW1swFnz5t4XYN97H6PtH4sogNvEd1E2Nmnm/yTubocV
+ruLABq2Bium1A1cREMaURACrq8QH9EBsO8vjn28xhXxNVGC4NFmI33RlBvSGkA7l
+OHqaKk8gpLQ9SGVpa28gU2NobGl0dGVybWFubiAoSFMxMi1SSVBFKSA8aHNAbm9k
+bWFyYy5zY2hsaXR0ZXJtYW5uLmRlPokCVAQTAQoAPhYhBOXKMx1Eq45MgG/b7iYQ
+G2L2k3bOBQJafrGjAhsBBQkHoowBBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ
+ECYQG2L2k3bO1AIP/jaUoeWDHD75+6mg3fsqepXkf5NyZ6zrpeCwYfJBInknbA9Q
+OJH+uHWs6U8NIVTKpvF1bNWK/swa/9oG3igr7iys1WirrJCsxwc9px9BIzvhqkG9
+EicZbBCRWQLFYAXgi/2iNXl/SJ9YKO4ofn4P4CLNLDDr2oNZW2M3QHwOl27Y6pZn
+aGQvIzExLwC13D6wKxMTEbMiT9+cGw7pUyZy6jSsSdworsZmx4jQFmIFm7WTAx3C
+X9Usy9fVPH+qYQAoYVpeEs+/I1MhOpMp50/AkOqfu5/qVI/s2PUxIvctTJSk799H
+nDxKaECslTLGbUKjy8iGrMexNvSLaVJyhV+Dsd6tSmknLRIcIvRV6sRaOTCmuhaD
+10jsXTVlZ3ww9IFtymmB+dNuNbQjDHLyIQX0n2yz4MYrmtkYsl6DNM/ugYBXzXFd
+s3TcdRgbJh4gsi2GCHbQEzhGzrLjoacSYHFWqIL4qdJYEGfFwh7itXHQJNyJ4yEm
+bDXVLTiMdnYIzQiRIIFJdPgHgTOHcWeR5ymI7W9vhnXhRaCaw2aKGo7s1MH/4XQ7
+j/Mb0kHvbLVtyWIyZS7j3uPdKA1pTemmq0jF00dK6QA7OgDmkKwfCe+Deptm5UH1
+wvc3Op56vNL1Dza7EzP42rrVSBRtCUuZFsDsH1UbQYoFb/54SblKeWMK4Dk9uQEN
+BFSvBSoBCACiWhr0YXSdZ07/cOsfhe851y6lKTqgWhkxB2hB/Hzs2jGNHh6nLWJm
+1itk2B7GzpLtreU7JoCYfTNIHDyInkLJ0qljulUV3aUVtS9Lap4fP9dVU6cJdwNK
+Ed9hQsGm32B64lz00aahKUXwmOnSHcfGtJMOd5q1iWvAlrEwKbPgB8LZAjCa3wV9
+fta82bmqoRz/uoMuABWFsUE08tFSnKEufYl8xpczRo8Vo++rBLDSt4sil74vhNd2
+/ryNGrwU+MHNxcGCxb25XeomedwTfIdVW/mkgXeWzxXbiOXuT5bB/S91scWiY9sV
+FaixpvCUbTQ7bdfVMJ2rK0M1qXuIcLM9ABEBAAGJAh8EGAECAAkFAlSvBSoCGwwA
+CgkQJhAbYvaTds4v/hAAkeIaaI76Ht7sb0BQyZlSaIt1xnRAmHPB5spux5sjmoYX
+rHiyqxPkW5UQWzgdgRpcI/8yT3bEGm3/n/2HW4qqvFOiIiwvsRh0O1NAz12UsAI9
+OKdvP8lFcbXdofX0gBBylzaZXAo1JHio+c8tQmYEisZ1QY2Ht2bOadOvOIzxTfkN
+ycR/oOPUbMgrfB+P6ngMWnRhZevl00abFTrd79Elc4Dp9l63hlQ43oGGigQQaJkf
+FDewvjdUsQpRoZs6QUEerj4jXN5ztUz75KRb7vOM1a+ym+TdNpu08MB/g4S2XziM
+dCkLzrcDN6E5xdP7rRMdML4r/X+7sLYHfI9Q7WAgCscWQGtYi7p49SPliyrFcOEz
+e7cRgbi+pQHdvfNuD7W8vHzD6PT9jRvpRfkaRt9gBWLbtIbGDugVotH5x4W7PJvD
+XGFRVanv3mAd/qlfRdk4VGgFSWxIZzMIkr4GEnMObqzAS1tIFxN5mx+cfUaYEzhf
+T7vfS0azRnpVr/6ufsqBJP4nPO2I7r8Pe4F5RUL/A4e4w1wjcA97SVJmneJfnufF
+513bhOKgXI6FcaMTGXlFvs+2e0ZPZwWufiFlzFQxqhspkOwZWL2kZpP8u9Y9q4jN
+jTp/6RL+IJ0NQdCGu3MSP6+5kXjFjZhgrFtOmJwLvout1bSJUEUJLgF2trc/M4O5
+AQ0EVK8G2QEIALPvDu71Ar4rVJu2vnCt577voM0Xv1fxrf4j2EvD6ZEldXcIifrr
+p/NqojrrqdAV5RcrkLrH+62gZ+o+f0qLedc6Dk2JsdFzALrJGLW/GgUuGw9hka0d
+S5F5OgakGpHFrpW3ApuKiNEivsRdL4kDCGsSwSlgg7QLKZccWZvangQ9ZAHXq6RY
+47cxGf9nW5y4X70skLBZUQYjSgrIQVD1A0VEKeo/2BKNTyrQdVldBZSvv6E2Z+Qr
+w4NWec1bUQekRkA7YB8E5ueBKN9P0RPM3MtOxayC+EPHfejv1JkiKbjtToliNOx9
+q9GMSReFok2RMoYL/VFcCMEjc1ohKZAWN4EAEQEAAYkCRwQoAQoAMQUCVNJ01iod
+AWtleSBkZXN0cm95ZWQsIHJlcGxhY2VkIHdpdGggbmV3IHZlcnNpb24ACgkQJhAb
+YvaTds7nzBAApgOs4kCGlqbBp3wByAD3wCvLYBY8wt5IqqJXu6/dzQk3X2jBlyxJ
+HmWaSdpcfl8IBVomDjHZGU7WIUbBEF6RLaBfvzV6v9682S1YG8AQdf11mNu5z/vy
+To+X1elsEKWNsa0KUuL+AzuT+2AYTDKqv4+D51cEWEZuCSe6aOHRcn5xz7UeKr+m
+DPH7+bVuVA8ALGu6HYOa31AT9J+S/Gx4Y1wJVWmlYzYm9kBAjoFhUZSIoM5w7VuB
+1ohLOnjv/ZKEknZE1DMoxDakA+O1NRtN+rdXGQkKLenOSSgpWRmGB26H+0oDpEyo
+9gJe5GKYHVASLF9FbAEaUA9uAKZe1oVHwVwVa1IwWzbDbOJvF7RxZEsABR+qQwRQ
+8kDxpRnOwFozSjhCXPv5lfpWnz9q/id+N+BlVDKvCZ50ZyAKPde5hN2IYsuGNgDt
+fIfy6IrJWMJdFzaPwZxO0p9rQNMUy90zA+23f0gS/0WzibbGUiqGD2shTJ2Ai/X6
+KIk5QXmKqgXy0xSSjaaioSgJ7dxzz7DwGxOdyMqI3qdueDvu8iTNE7XTVgk3orDV
+s+8Z4W7wxqlc2rf98ozUIYkHHsb90jnjkIexzsJ3hhZfksXv7pAVzaNMBx4UbzU4
+ShgPo7VgdcNzARxNBiss7eI9IcEtbuoB4KSFUfsGYeNfJBi7JkewfR+JAz4EGAEC
+AAkFAlSvBtkCGwIBKQkQJhAbYvaTds7AXSAEGQECAAYFAlSvBtkACgkQkbTl3htk
+Kaeqegf/bhwfSagi9Fj4o+ESRISf/0FNN3S6CbrDE2LYzJL1tZLAZpSSTfU4boji
+6cZq5xruoxtuEeqfQb6JtZPggfJTsSfxE7JdstezjJLOT1ONrjyDepoVZ6pNlWkz
+OGp7AzxHdxnG+5xg/GuIMV1mNYeZ2L+oJN36zxE8I5Dx9bThUf9T8R6iif2yhAT7
+yz8x4D1/LKsEwj8BciKIQc/d2kCJYsmwwpmgdKYC8iieiVqfwFbg1EfhKo7uO+iP
+TkBzyyeQdVM78HEdqdnSQRSzK0AGzQvhcQjfTDly0L5cBXJMWhFSM+n1RjyUZEg3
+YTxyfnWSU0BpAis2N7vUNvo+ouizgTFREACq2MVVT4Kva9TBV+QWnnxzXfowObG/
+WyM1zMNDq6PI5X1zAwjm3SJsDDtP8nGSp8uW1fy5lzqE9oEVA1Zok2Ac2MqihNhK
+SusElL+eS/3O305GGPMQ4RNrSkwIRopb5a00JZyiY7EmSGrU9OdX7XtkstniIXjD
+gClZb2XMS1WOvdtSJsca5KMHiByEePSZowhuZW4601aqBaLeVVLCAPpaH1kQ++B2
+X4fdR7VOa4j5kijL7Y8wee2skDLtDo4670puwuXdoOyXEo3E0Y7K/nnRByXAiFpt
+mEydczPC8wLlEE0XlhvTn5ErpkjVoBN1MhIId+zUwq5LWA1IEY9Kv1OdPdPGYuQt
+v2Dn7K27nwGbNDkzaVqVzvmKLhYTm8MPbjVwYJ+U8WwVj44NkFH27R+pqrJRKikQ
+uA0Vhef/l2pa2kL+UA24uAtqL3cBM9xjkryYHyl73Je632U7n1YQ8vAec+3sESnN
+OWbq9N9bMgKfewsNfzXgNEaqXGLTYtJOrhO4tJF8N4ZBY8nzES6BJOOKeHKKUJxN
+IGORlU/Mel82CtFsxnpdEoi0eTn7abVdC6oVEKHD2T/O6SyvDYQF4P7yETGmvaTg
+fyTMP2IgNfv4mBp9GLbNjBYe0amR6V6s9C/8rdoRjGilY/OP3MnBy7U5L4NfpHe/
+inqKIXe+0q50l7kBDQRUrweoAQgAlNoLcAg2mXyoM8r2pKrnNX6V95UD0PQ7cGoI
+D6Kpmd5bdzuaLtPsDZ1r4qlEZqfLA4m2JsHZMX+Nas2tuW2luE4kC+yi7T9515lD
+TGlMBhG3+BRGBEsa9G95pj8QT/PJYCYurPUVglShhzIC8ZGXdiICBt4MEyysJSkk
+XlLvuzGDTf9ASOk7qOJx8V1ILse9jB8L8os5TedyRYqQSUUkbUb9fT5zDDcfbKXu
+yZn9r+uzieiVw86X2m+1k+pK7LNbdnckGS1p5Vk8YyvGq0I6BDgcJeFZI1226KU7
+evk6PC3WYkt/VUAWbyg4Hz8BlR4oMY0UkmX1WMhfpQA6F1iQRQARAQABiQIfBBgB
+AgAJBQJUrweoAhsgAAoJECYQG2L2k3bOd3sQAKaUe6vV4HmntOaw6fxwc3v/e9te
+poYlpvireLRiD7RlOarcCa+MWdP22wTUXGRIczty+2D2NIhngnZqpC7nTH6F7KlX
+XZVIylJUygjnxihfogiPa8DEGNs2xS+ld6Y7OKxg92kJ3jP2H7QLpvq93evVxacT
+hJCgPT5AMmHR5c9KYRJ0XsMk+YrP8G9EnMlBb5d1XT7D7r4PF7FbeAWSozmaLHoF
+MOzg2hWpaBcc0O6gz/bpE4Ob0Voje254V+zNHEarxfoMcVNavRl0e9mgO53P8s00
+5dT+OxqNwHR0GZsHd/Y/cSM6XGyhq7xurXjmKW2v3tGaccOp08p27u41x6VefpBy
+3rd3KLMXO9mHst6NceyWKS6kp7ildxwIKlzwe1Do6hQ0Zd1XJY7RaAwonnc0YsrG
+2JGlCuv7sP1gBcSLsqx/APFwfUAi6lUqAcB+z00XToo6vm1hiLsmFoIDGUZnm7PQ
+Bf+HRxot2sKgtBn115Xx1GFd7V3WlXO4xz17jREjTL7P8H+r4MnbcjbdDmQTrO4F
++EmuAJRSPvpwRTc+6AMGUOSMDKN+ASQoazLPRCiEZgLBCr9ooRd4An42t+QP0m/W
+NY5p+TRQRfsrJYuwJueV9KRVjtAhgM82DDAoLl1AP0QhhbJBvq5Cda5RqLnb4A1M
+QW4OPy2Z6LC9OJ6ciQJHBCgBCgAxBQJU0nTuKh0Ba2V5IGRlc3Ryb3llZCwgcmVw
+bGFjZWQgd2l0aCBuZXcgdmVyc2lvbgAKCRAmEBti9pN2zrr/D/sFymiWDFQYq905
+vN3Vt8zu4JeBqG/Ag5jo8CLdvbIUSVGWRY2dRRJGrhlxmepwwX545aQqSiaxMcPn
+Pri8fSMFnFNWKzq8xIC5aCaM5xZnN8NT2V5w+2P/vZxc5/3Xa9nQlquXB9v57jzA
+IW1LJlYqvU7ILbJZly27sr2v1JOgogqzgEz4NAxCSwUoNM6OZPXnI5EegINuiWKp
+IjuGtIQoKeUma1YBOK1Wabxfe2Hzu1/S+lmAwZtqg7HCX38NwPuAFxElAC6vx3QA
+V85+K1TWjPnoBHs7wbxv8HZEUewqzSijtLYa/yLiyMVUr0Am31yhsgFgKLQXwhxn
+K/g3xTyU5/n9jgZMEwg4m3FIeoXF6tDyYvXj7RK5uBGSLvt5R40kWNiUk8pl1L+I
+tmrTUynj/6g1wuLrYWkEPTPSlyKgZojTx6ssAiDMOVHjxpWxVnhnAkXOlLMuccTP
+xoXEQi9sXO8ByrbR7pmVS0+sXNB6tXbtllBsPBoYPT+ydOKGLqSh/1RFJyds3QPs
+8szwosr2wo5TMrCMcIiXpYn/4n4hM61OhPLV0OjYmQoxHE0cti8pntFpDeWJMvDY
+eN1fAu2ZZiiYE/+4CCGe+cmYvO2XKWZMQHwLvads8oCGqTpeidn6wIpsNsVNg6li
+fKFcRquVh96y36GPW+JuHeeTGuN477kBDQRU0nUiAQgAnDKd8ETvAvTedB0SY78P
+dlo+c5PyMU5EheuNezG4LFJxigixIuo9ZW5Tl11dO0EpnyD3kKsJyIc/+FoRFuSn
+nZeF8rJwHcB81+bQIkfek5rc+Za/o6wJ84yMzdqwU5Ooc1MrVdk/3TfU6y1uGaPS
+envUUko07SuVUOLOBuseJ/odz8E2lRt2iJ1HLcbRXi+pR/8DLIm4U+PLYIKYKrxD
+NBln2mlB7wWILN6z7cicaE3HzZp920sqeSGfl0tdX5z7wI42EZcfqERWmrNdy0/m
+zXmRX/qohTuy7I06bwrv7asGiNLvAfvP6wnsRnLbho03Flq4Eed1vedcr0ZPtyaB
+xQARAQABiQM+BBgBCgAJBQJU0nUiAhsCASkJECYQG2L2k3bOwF0gBBkBCgAGBQJU
+0nUiAAoJEGoXY4qgRQz177gIAIq1D4QmR/Zq6oeVsYzH/5+r0Q0JM5f+JKD1a9Ot
+PNkV4Z3B6yWBA6vVIGBW1GB6QrV99dfxXAzqYvsDuDaPtNcsXNbK7iQKt35llWq+
+G9Pkfj9wrRrEo+rvfwWDJMnp5C2M9hucPCc3aLCUE5UX2uLOLtPOoD9Gt9mv7+nO
+gdFZeANnjfH1sUzsgYOcmKVX7KOcV479nkNT1NXeqImekXmkTFFmWIE0/zQ9MhKS
+ae+F0fV5Agv6UivRc51Mfs/o9azWal7HB/5u20FBPV+ieZXzsSnG05kvXkmdcGOa
+SrMP5+Z0U7Hfo1YtkNhMeW2b4dImZLfCZUb62Q7K4LCoW+e1Ag//YAbzGBVflkTv
+sEAiwL0tbjaqpGMcAWMWg6ilNnqG2Rvd4GTGy66PMY0nYOVy734o7nyySFy4IXbU
+H96Vepa0G6JzDkiiRRVhd3VPfEFK8qNZRYXc2W8ohQV8sQU/wRWpOEP7kzD5rm6w
+hc0h3qNeLbXjciDfS785mAjHwVWPOzYuPlxaLE0GaQdMMYPnn62incAgedjJ9wXe
+nYugotfbYofX65Il01wCUhv+b1CuSd3WlwEQnia7xk/o/FVdRoC+x6GFHeFpjyzs
+R9QJVdmUDdDdLyvtVOD+kMHrsWFolxzqtVeUod0+1byvMojTXQnrbmiZJgDs34eV
+MYMv4TQPNhqmQuV4MdzCS+mmXnbJjxL8Y2nARUh4ifDeJH6M8qEQqWGHHTkcgPAF
+EEM5kNRFkyYFFllNfHRiSnRB6uMMCLXtgmTyamboo2Rm3R1Y4OCo2wryFoGiIore
+kQx4a5vxCw41LDHHrm+XGUIFZi1n6AmHdoGcHq0Oi9nrK19nUyJu9mo5w4EU3Os8
+E2V1V92yIx9nNO0ZupRBXiqKp1iaD3nGQWrS6mKcG+vmwEjyqWer7i91miyK8S3y
+Gnq4zNoUoFtfaS2siTWNQgzCEjpmMEcEiVrPwfFI5OA21revRA7tR6UwtZn3DUsl
+axotY2E9dDEgDvRZstvyB4xWrtXK4T6JAkYEKAEKADAWIQTlyjMdRKuOTIBv2+4m
+EBti9pN2zgUCWT6rDhIdAWhhcmR3YXJlIGZhaWx1cmUACgkQJhAbYvaTds7A9Q//
+fwupqkn+2LCKKU2OeZxLksOvFyRXhBxndQrIVlyPo3xOt7sZkQvhsQvff1HA9n9Y
+Aj/4Drp+AyHwnWxibKXMnD3SHSrhKQ1Crp7RUWOBe06mqAQzBL3L5LyXqtcb2u8g
+06DZway5YCDiif3LlNIf2AdjxMcg3lqAXCMm1cGRSiuoMZAG/eU14lNQKMODLlge
+dBnmpzUc26QcGlcltzzY9fFL1WhHmHpLwtM0eIuT0GW/dQUDKsgKa7oWJM/4UCZ/
+ug19mHSxtLrQGMNQG5JKIebPkM5SgL42fRHDMpnFNtWf4vu9dG42i8oWHNGZDOdv
+PGnzM0I0Km62F2zFTTljGQ9SEDxV1hQe99Lt8TeKoch3Y8QLELh5M0FDRVet//z6
+UxYivwAzPpOK31vLsUMhjVt0jPDnRi4PJ1DYZgKVvsMbgJ2eD/NgURefHqfltR1k
+7UZLtYEhGRVowXWZ8JNR5xDVczsxMNRmJ6JpnFw8Rfco8MLM7sWROzmYn/NhjJ+h
+y83cy36vlmlTYwvFqCJW1J26Y5GMiJ9ilLNeObyh0YSZlTDYfK2mnQmsId/nm23k
+NpuZBZcd2tPTIGPsn4YhzntNG3gOe+4LMshszAUS4ZMKeXOviDRtES74zJ8hVhrq
+Q5rHcHop2Er1ZprNTebsJpSmkHhqTqYjCv666GXvgcG5AQ0EVNJ1tAEIAITXfZCl
+HumhwlMv4ut0uReP0SbR+zbJe/W1FLl5bu1UjNzVchOyqNdOGfmHN8nl/fc42q96
+yp5oFqQwxpbf0jdJkoYcWgvCppzMZ8GTiKGexKaIajJ4wPYX2BNQIbF1Pbe2WZlK
+XAMfqsCddXUkWTdASH9CYXCMB0N+TOm3yuhY6JlFZgcrALsjV5ULk4Rp0r7bzv/9
+FZLWZ+J4xo6IYhlNmpMO0ZqiQ3essHrYvKA5RCNbbQn2PhkYhocG+Z/p1DcvAEHG
+6Z5KwvEarXtUJkgP0Q8IChNU+S4qzxl+sqIuMBu7JmqBObejEepK2YmEaUpWfRBr
+0hF/O1v40XTKp00AEQEAAYkCHwQYAQoACQUCVNJ1tAIbIAAKCRAmEBti9pN2zh5/
+D/0d139sc59kAK7QGsZLt1f7/ZCZVnpI/7LF6AJBN67jDSJn6iFdXHg1Q3OgGyAm
+qaeVj366VZQowpCNMcm4LVb/gx3atgtUwO8OXnFdjV/CSIbAB2MBVVDImZAKNcu0
+oPnQGbW3GIcBEpJwi42gWP3pzX2kD4xS9mgtZcvnY80QoId2LuarpW27dp7dbhJC
+EWlcCVybcKsornY7EwUpOoySTSvj8/5TlT212igSUMlWhQhigt9Kv+uo9/tStQAk
+3KT0CFqNphiAn5KnDsWucuhQleCtDNEJLIOJYrpK0eIKvMF6P7gKj6b83dqOpZiR
+l4W28BE9I0PGMUQvFPclqPznlahHsNX9uICC+7dPBhxq/gZjKRi6r+F0UXLRnQ9D
+FIAvYe7azx/xPysaOoQPj74F6pNpsPKcoJPl2ZFD98PDQtNMd6jF+94Up96Bzw5H
++fNi14aPvUME+l1oZMJkYMhh1LLfBv1r717ODa8SY/ckoyfVnsPE/gs06gv/JK6Y
+hAhytlbFZlK4+yI6bwVRa69DiLDO75lQLyTM3BCnswVY/CH4NgeSnwrubYB2N4kQ
+Y9oiWGpMohStQRVTGS5McYwTF3/6CncIhPm/dfTyaycqs3j8dFTjHjDJQmpZUgHj
+c+/pd+rP/UtrJ5j8+8xsdJJc55eOXbSIMJXEq3mqKLyx8IkCRgQoAQoAMBYhBOXK
+Mx1Eq45MgG/b7iYQG2L2k3bOBQJZPqseEh0BaGFyZHdhcmUgZmFpbHVyZQAKCRAm
+EBti9pN2zvUkD/9y9aiwD5OE5QPhxbUnbF+AAJeOIrviSBLpk2zSqhmN5XLfbcS3
+CU25rQuu3dAe31HRUHJBMUSb5GhPjpgIDJPEQApIZxeYcu861oG6pa4/PpEOWWlK
+yOzE9JwRo6jreDIjOqvTVT5+QiiGT3bmeudX8anj+4Eq4UVl+MKQ4ZByqyhis0tj
+dx4lNF6NH34CZlXPfazkN7rWmGJr8tBjYbe0wkWSHaXSncx7y0A0S5ioOb4aG5CJ
+5v7EMq6lTs5JbbVKSRAMJFjvOPBAHrOWRU0hmahWXXRnjj+J8qCNTUHCBbWgkHuF
+KdsdLZBhDpVs7EIveUg1w6e5luyyD+e22nHpQK1GWywtjnaNHKIYTeDWFVTvgfk8
+oK2K6uFtKjGQHjPeJot37z/w+PsLY8YMJefyfubdoOkmuDtqtfD8hB0z8k5RNWQ/
+BsrPgtJWctaLD7OLJUCRrl/VJ/J8ytBAterbHvWO+lQFu134qV7fQb4BwTsrgC6r
+KVWD0tMrU2Ltc87Q+ULMgIn/WCuFZk0AiUg9BgNSLvgXWrqatw2YSOsZd6AgucNp
+FvvOdgVNg6LBsgj/SbNNQDnRyQuKhphktll1c24/uQixgPJNA6ojHwQiCqQRYhZJ
+iE6Y8qkkqk4De/4IdyBA1cREgLpyqc7njswyprPpVXFDBzisMHrAYGSiHrkBDQRZ
+PqfeAQgA5b+99btbBH58zRUpB39U8R8v+Qv544x2p239oEkJ6N0GNZtLMpaqPpql
+p8BUcQHdVqeq35UPSDl9fQGswIgylrppO3CEznYPYTCAuma0aSeibcPS6F9F/OlD
+PPFjYpEqkIWqhuENL6ZajaIB7H7zH/VH1VxdyXMWjblZOLnDngW6j+a7IfSFzWHN
+J8MmKeTEDEG1FBxofvnbzQu8pz1MJO5E/9DF7Gv0XRmcYEdNwrxJmleJ8x6AJKE2
+5n3x0RJO4Wf1PIqzkyohGuGOPih0ncOUzwINbpbRpwXt9+PkWzj2o4O8Y5KHLR0w
+MNm3MMzgbmk82gXxM+NDm70HXRMAkwARAQABiQNsBBgBCAAgFiEE5cozHUSrjkyA
+b9vuJhAbYvaTds4FAlk+p94CGwIBQAkQJhAbYvaTds7AdCAEGQEIAB0WIQTQv9a5
+7KVpSm8Unc6vTMZ2prbBQgUCWT6n3gAKCRCvTMZ2prbBQmcSB/9RYspARPjzMf1M
+nZwYHfsL78MynfO+8ccVYFjA73njemCGaGSaP6GHE7g4dbzoFPdnwLkF71rLF/Pe
+qs+34DA3wIR9IbwlKKhLVymCrqxAsOdSglNg8z+OXlS73omm9f3Y6Gqngge19H5i
+9mXmgJZ9LdgSUhNO2NNZh9K5A381YzzcBLIInf3HmUUHdHFoYguvG78rBrRlEqWY
+hp/yG/JYbR/UbXhrNbEggf8LOeiQtODMD7kAwDCVfQjfZsBh995K0ml6/d6DFobu
+ZkkPAjhMAiWnsLYFCEqnpYnwQ4NEyNAhiB+AM62jj0nivvpmdunk2kQNtwZvpIRD
+IU4aJxkxrG8P/RVWJZyjzlPKC8qzlhPoNXc3bAlnVkO2F32f51nPx2kE9MFMFQp2
+agFR3YhCir8Gx61JsLKqp5gG7QysKeRDGzxf08ufrhcjpKoCIECCNCBUaBQ9P/Oy
+4BzleM9N0pyw0CXV3ca20GVnH7DUnXAJtTVElOBISKjV5tLS0eczEAHt3P7A5Qa1
+YRQBzRHVXbHjhdudz0maJucAERUwntqOsojoJo/bQkhggxCzuHPsfK5KUgcaKhcu
+KUhZYchL7JAlUxKxbmvvHgy2me5LUCxmhSsMN/uiWNiftDePt+O9dXQlUu/rCCyA
+pyyKODlwK8+ga1tYjBa72iteeKdqnBV7e1Z+bn+eFpFEgg6EqJc2gTaWb9hKLz0n
+/cybabpx7SAUd/nMjyxtslxtNH3Xj6Cnq/J8KYQOcHyAy7TAXsYguPmXOOBv19sA
+nU52IyeAqaREb1UEzUGpwQIOM7J5bH51ZSy3r2SSgQj53fRTv3Su13uqIPMWWGj4
+JMOgozutbFa17SJ+INDtuQMbwP4oc1Tv5hEhLoZiM92Gpg6IEmZMvUqZ2jXReEd8
+wfnXSgHvF1JTV1NF95icrIO9D8xramrSq2UaSetp5FCWZQzTihz4PiDHLU4JNw5o
+QMtb3dHtVC8+jT+b489s8qvWrCut4DZpfR07FbP15de4X53lpy+YI3N1uQENBFk+
+qAsBCACtRr15KNnY3mR3r+H+Cy0C0Wyow7gScBTXx+euP2RoO9xHurphg7rvvGEN
+WTfOlk/qzj9V2+BbwkU7tZa7uRC0fLxodKKr+QTO2BXxRGdipkQpjdflUxeascMT
+EG6WOIsNfmn2+uaPapKNedpTE2bf22hHGlooDqqmFjdfFU17dBWSMKJ8yQCgOCFJ
+5DVM3c0/t+teShLkXmVzU0G/rKrZDXjKZUlS1B7t46NhgY99ATi/go1/hs3lNMQP
++gpc/FM9IM6Y6eWXoS3F6nTbibavVdsx/qig8sbv6FqoEi2cDx2QyPlXjLCVlt2Z
+1kv+KhXX8fltjmBifFgiq/H35cZTABEBAAGJAjYEGAEIACAWIQTlyjMdRKuOTIBv
+2+4mEBti9pN2zgUCWT6oCwIbIAAKCRAmEBti9pN2zokbEADescj66he29QklIsHg
+Wj83vl1b5byfPO4taMY6sQ0w2joGOlaS/QFZSTkSxc96xlnMJ1gDMc+HMR+REoth
+sBg+1yuz32dzvV6+eBYA2nccfAqhirKk0iijF3WRBmbe2hiTLDIr0m1h1v0LuCEw
+/kH7PseXabJ/zxt6wHBq5XbIy/H2z8PRaSEUsb9qZdtMyjvcgvU45GksjFmGoWnl
+lHFVuxQ24xcIkPe91NTa++PfuOwwRqAWThYM0lCLfJJuQbaJUlggPNrsu4FsD1GC
+9GIJT5au/v89TUIuNfEZjCnqaQuOYg4MkkHB8lyuglIv8ny3T46aEK9Mux1Ok7d8
+i77QVtezDwAch2+yPHxRT2596Dh4NVqP4+99LPqtZY3rKuzAJD25nhie0z9M71Oc
+4JC39vNi53XV3ckIy6sUg/yTi1na6/W2+JrZVLeQW7bTCTunz0FbpTt3CQRk3cMO
+aSx7PLo6x48C9Ph/It+y7d8E6qoFCpj/Lt13lnnRQdsdb8Lnl8X6QC4AK7vcZAi+
+7QwNjuSJv1aSk5cVz6IU6UD/VQrjGyfUShaPOf1nNjwFj5nQ+BxVIUlxEB55KhUb
+UuIm00VUrdB+WpLDse6X1E+OyvnxvIbXQTdkoCMtf6K59HhcavM2VJZsXYJzyZLJ
+WCVmN59H5VX6KKo9GpK9QVBS3ZkCDQRSZgWKARAA54U4UxYDqUMAZICVRTqD+lEN
+6AWU3EUmE8dwOKXEIuMs4iElToPRPX4dmHhsHgGQD0Sq3r8UPNpb+ZA7/FL5Qjpx
+Ifbx+JaXw2oIq4hAJHE3O8lJgiQMkfMoOSpu1dNX72y01iGYrH+RKsAMFXZCGnp+
+Qg2McX2su7+IwRl8TcHULuJ7DDhrmDd05dBQZVon9DMoRk8oZeqzE9pZcip5SWh2
+wqALKV7zdUV1raqP2xq3KJtxXzZn92w//CsQufA5gS54Zw3mruraIUj/Id8a/Ogs
+XWG9V8/BOSEVZmaKPzSzNGxtYR5IlER4iaqN+kaDGqxRIQn8qB8L/fB87nlldVcP
+GVnGRzLhyLJE//3iNp3FJ9wc096Lt3ksei2aEuDXSrVCqlMk/Nhw12PXFIC7nQwP
+3dmFIuQctmL4BlxUTpio7ajk41KruZNAUwDo31+fyFQQPs9ul2CYCNNW1orw+TyO
+LYbSXfPJ19vHr7uksDdHr/3dU0+/qxrNFjIqH1i56XvitdvOybkPlqVYX/f1H3HE
+Wy+a2F+U0KcWHTMyb8tU8R4p8xPoxHBJGNB1QYTra/3GueiVYjpQEIvQIOO0m7Ay
+tQoPAdoTuDKBFbqZARfdkR0RENfkYZwvHB1+SLxPQm+LWD9w28nf2VFkLrW26wqG
+iz8M7up+vMiOCb0Ao50AEQEAAbQbUGhpbCBQZW5ub2NrIDxwZHBAZXhpbS5vcmc+
+iQJJBBMBCAAzAhsDAh4BAheAAwsJBwMVCggEFgMCARYhBKy7QyQ5Ot41Fdot2k0e
+kA4UwcwEBQJbSOj4AAoJEE0ekA4UwcwElYMP/RQyT71nLmskNNj9cjWXRASrUGgH
+cpW9u1j/fJ6QuGfbWF30ibewRN0ff7OOg0V8iI3BWGOdu0+xb+y+FWC5XP9ddS41
+Yn1FSDjMRWM0t1hTzjQtZS0e/5F6VM1mE3h+EZnhSkl9r1aKm5cuv9g2OxWulzDA
+69Q2/K97QenJND8KDMXX5neHc2bGnVbMPlhv3RoyNxajSSg6alOsrjdBEHEnsHI8
+rzQ6UGT1M0unxwsYCrt/AD6V09/UStR1oyWRE2WWCcHqS+MW4JXas40GR2JtUhnT
+T8zB3OGhT947rrQ2fbVOsz4fOhonTFrR+aboTQQpj4XFH8HERk/wO0XUBDuAGavM
+mnz7T8wn4CTEmiBB/M5rBXa/TMtI7VweZbK2Hj2ye+0tOnx3aRQbTO4C+if4MepM
+RsKZUYufRwQYnaBbDOs2B8/QYZxnOFT8+Y3dkYj4Erucsc740cEQbSuchB7IZq/K
+QAzY4DaUUvsucWObXQR5+PyOYEmE3v047Rh/pSH5XudrjPtyBlsmo23cIuBJK4rj
+c8C9PTEJnJG8MqoHZV4U88TQVo4PU11BURAwD2ZV0MCL2HqWmbJOREm4cMudXMq2
+rmCxGfEgjUQOk0+VOFyI+W+M5Etg3jWIrdB6pZbKXWrVa4MwEDvsAfvPyRxXsJIG
+R1RVewxJpxlP6upstBxQaGlsIFBlbm5vY2sgPHBkcEBnbnVwZy5uZXQ+iQJJBBMB
+CAAzAhsDAh4BAheAAwsJBwMVCggEFgMCARYhBKy7QyQ5Ot41Fdot2k0ekA4UwcwE
+BQJbSOj5AAoJEE0ekA4UwcwEmtsP+gP0nC6dtrEyoLYGACFkp7FNnuCtO0IR6ppP
+XFTXaGMjR3g+N3+s17ztdH5X6CUS5rIvDJQGgtAbqDQ6EgQbr/tNBKu5mGYSAvSO
+vjR0b6tmgc3FYl29tFjgpeUJRPa/nNdhUi+TY7pbEv0O9+gGD8lKoFNiHBjEooqJ
+CU+CH96uBy9n+BI81Xqc8cuAQNKMZd5TFLmbmwAnMIt8pPOHatrorJjfJM0Odk3G
+a5CuziVfJojDTgck/tFprpr8MSnAiIW21xQVzfRazFGUA9iRF/r0gJKSyQuZj9ke
+Kn8fFVQufMAJyBrsjykloaYkx2XPccB/isjFYEYp7Aa4qQASjCGkffNuYfo0JuTp
+8k7IUHPv3sb7TodYoWFgHh8z2Za6i2I5dKb+EgWs/eGDOrRyOdgbxgqJc3KpwMLS
+JwmagViQ+PiKcRV+uGZ57BSMsTwt1vT0iKsQhM0IY0htxcYR8HPdaJnvLkD+wmNi
+DAXejp+BUZ8s+7W3VN0gyktjrN0IMsi420mVOCS64IKBeb9qCqO+IE4JDny79a1q
+Kx82jAfLOkN1KYy8xYylXJTypLtA16OiFB9Tsq6DR+BYXE2n07CEOko439HGZJIM
+thLamu0JjGAwPGKqYXyVA0pwFPBQ0OXa00H6qCZz9FpVvRe1c035x/RdsmzqgVu3
+8C8bGPZ+tB9QaGlsIFBlbm5vY2sgPHBkcEBzcG9kaHVpcy5vcmc+iQJiBBMBCABM
+AhsDAh4BAheAAwsJBwMVCggEFgMCARYhBKy7QyQ5Ot41Fdot2k0ekA4UwcwEBQJb
+SOkXGBhmaW5nZXI6cGRwQHNwb2RodWlzLm9yZwAKCRBNHpAOFMHMBIaIEADH1dXX
+LSMW2SW60L6jMQRUNMKUKsekEpTdrzmfWJng050X6/0Rc2HGqbgUUC7R2w1bsUcl
+5RQuj4kcgnXBnxB5XfN41M/xJlzZOgh1yLEowyOBrEV+F9z+y/4IhViFP26CBujY
+StS/WMNMl4SwWlPWfLWy9rCSuD4DRGjZXx5tC73os3D4Vl8KUjFOg+yPefPsawjd
+KnPyAUv9aZNJ8MTG77xOAFQcbX/bSMjlw18s0hAMAHZ/3r9OMjYSz4gy880i1maY
+6EHfx75Tjyow2IqIisIB+NMkH+Se56FlMRL4636Dq+GWl6GWXhoRYs7Nmre1FPCY
+Fcn7iIve86BnYPcN+iNFWj2tvf6yXiYtRJFl1BL4xvE/er/QXk3eCDpncEf+4Q/x
+i0HUc48hHdL8T52L1oePUbgXYtH1fZn5Hr6pva53mPkmfY7p+NoDgvktVAuuviPc
+SlZKlzut2Y2QClvlGZ8Mle18m/28w44Q0Oi/i1Wg4i9lFGuu7jFMaDARnySOaU5u
+Bt8nd53v9GudYkW0aNQghsRgKCsXsGPLirJI1rObzRraI17ETTawgGzvYhZaz/Mo
+HPlFMNtGwGr53uewLGw58b2BEQaFIVHtadz2iuoXNPCmoVYNFNAf5mmXoUpJnt7V
++ZUnP0fOcXAHuerJ1ZbDDKnYxhEQLAbHCIyxprQnUGhpbCBQZW5ub2NrIDxwaGls
+LnBlbm5vY2tAZ2xvYm5peC5vcmc+iQJJBBMBCAAzAhsDAh4BAheAAwsJBwMVCggE
+FgMCARYhBKy7QyQ5Ot41Fdot2k0ekA4UwcwEBQJbSOjqAAoJEE0ekA4UwcwEPpYQ
+AJgBYmNAuP67KdxC6HjtcPe2/hQcFXSPYi2TJGfgJrgoMHdXQW008EPz3kaXkzxD
+pda9bNpUOcRL1u9riO/4V1f+yFvkZOrnkEhw4ebrvip4sbufvb6ezD9S/OuNnTdi
+eraJlltStrq6HXaUXe8VEIfqOiZPB+3DEbcL3AHw3dfEZDYygNFLji292ZpEoYp+
+QlKamdEcebOYH/AhsQUaEmJAACY/TVMgdWio04uCDZjicvBt5+nHsN7RTfTfuVED
+Z5XeVVfOifA7D5rNBZhiI9BjsUzx74j/GNP/e8kiMEcHAPF9BgzOXfK3sTQNsZxR
+zl+rZDt3ltg49N/5BcoyTW+SA7hM3U/CWqtNH0srKPkuKFhAbLr+mVZyA8AH6vk6
+iiBmOAO6MMzcV7ru2wwu/LtgEHfdiq6XYoFVjQXkH7SanNPpmyHFocc06gLmXWNc
+qn0pvepKzjjApCs+KaHx0G6DyGeCno1qC6P9huINs7n/6bLSyh/JSHnuLddJBiRS
+w8DwYy76WzPGENjkxKv9iVO7k3S+XOGkjtqaJZFMWOZ+l6VZ29Hr9ezYJuDu+CBC
+Z/7grbjnkE+4QmvOlPNFBHsfyFb5RoX7kZ5Fmtb7flA0x0TUgaWtjocQxGbZkYrE
+7xdySqfzBycPqLCqzmDAyrREoJOLc8HD5A8dEZNVYeTbtChQaGlsIFBlbm5vY2sg
+PHBoaWwucGVubm9ja0BzcG9kaHVpcy5vcmc+iQJuBBMBCABYAhsDAh4BAheAAhkB
+AwsJBwMVCggEFgMCARYhBKy7QyQ5Ot41Fdot2k0ekA4UwcwEBQJbSOkKIRhmaW5n
+ZXI6cGhpbC5wZW5ub2NrQHNwb2RodWlzLm9yZwAKCRBNHpAOFMHMBMFPD/0cePg3
+HswrdBK7aHJXrD5j+5ExH6W8VeRRH1Rk8bEOgf9lWw36qOxZF4Iz0kJZZcbsISfj
+K1/SRM8bQxofZRXVvdxpXOl6lOR/aGAL8kd/TYh/6H+TMFz5WZmTvGP2Jvgltk2W
++9I7n1xTboZ3GRZKqBzA+aAtceLWx/ofP0YRlduTIQboG0/WQsPbKORPKoM5syyE
+uAO9m9ZbvPJRRHX/O5yLgeXaQzGvkyHA8qYvYN267KEDVBqh9OSo9B5SOibk9LBs
+Kq2Yhl/XBUM5o3m0qml+sdwciNTUtQRyI7xBIjM7z1dGiHSJOo5DypUtQ0jgTVi3
+gYftu3lYiuV+FkWrhtTVNjtrKT1Q/CE9LtPx4RLhfuPz8yYRRhLunCJSriIWAHTM
++QIdBXCH6Hu3dig+W1gPd0+3+5oqJCyZu+Hk5c7O8RyVE7zhriS+Zw2oLhhUyUSa
+E9sldEpzwK0oAFp7sOtQcWR3Qbh0lKrK+Mh6AQ3f/+uUVJruqK2CI6D4SMP+BIl5
+RUOUGUKQ0qNjeJ7vuLtCkma1bCpr54B8S2uLGDe57ox6+99XClF0cv7WANWLKTBt
+gOooYgtTwZvbZCeiMZLIBN1qjyOcE7Hkv0Fjvsgt0NIz4vcN4Yx2AJxjTMECLoFs
+k3HkMWti75tQeCGMCptMMJ02yrUsTv7zOg+sr7QsUGhpbCBQZW5ub2NrIDxwaGls
+LnBlbm5vY2tAZ3J1bXB5LXRyb2xsLm9yZz6JAkkEEwEIADMCGwMCHgECF4ADCwkH
+AxUKCAQWAwIBFiEErLtDJDk63jUV2i3aTR6QDhTBzAQFAltI6PcACgkQTR6QDhTB
+zATWUBAAmvJG5cz6hJa9RgyQGzODGWZi2dj27u1Djjz34wY9xifqFxl1/s+EEZ6M
+L/i+UmIzprY++4h/NgoAQGDBkt/EkJojmVjhwr3VHRzoi8vREMFkyELi4lPC9GmJ
+QP7wslk+L2zEVUuGLbGW8YXAUnUhwmMk6DQrabgubc6W2xL1od6TQZw7CUuLtiqz
+j8/1d8Ck8lGjWwmSF7kPhW70gP1AK+CHIRb/wOVZzhK3TG5ZYF5QUGPF2lL6yGJe
+6aYsxfn8gV5MhikG8idbRxIDiSsbvQNeHMkjVGTnAdz+I6t+x+rhGko0INehjULY
+JroxAmwWTH/t8qFD4jHRapp8d8j0sCCxziOmHAI7bi8xQt6slh8cHkmEGpiIWued
+SaKLlcYeE6ZkNvo6hKqJCh6nah54fybmlUD7Fa1hCR76l4FSPNBoGo+UIuikob1s
+6SEetzQa7ZNiIvkCVEoMxXWHuNGbZUjec+6kN1mfTjspJLtVgPo4C8jL8icZ1TNh
+0NomLpjQz/0MAxCMaIsURmv4Dn7AdCwlW/jXEiR9gt1cjGY4xFZ6Nfcx1t906S7r
+bxb4O8BtyD9Lmm0SPLSRZRqlr1eyX7sHWuCFClxO9i4CD4XKQ+obU7veo6a6xTrn
+Ylh8HpGP/spY4qjyDIArvt8W7G/XJUmAUPAiloOmrMTaraThvcK0JFBoaWwgUGVu
+bm9jayA8cGhpbEBwZW5ub2NrLXRlY2guY29tPokCSQQTAQgAMwIbAwIeAQIXgAML
+CQcDFQoIBBYDAgEWIQSsu0MkOTreNRXaLdpNHpAOFMHMBAUCW0jo+gAKCRBNHpAO
+FMHMBPQDD/9mNS3hjVL+DG1m2opXB92yyVcg4GARpVmT9lRcpYk10MasaDh/plwt
+9cEZ4OKYVOJjEO6WWqMreBb17djr3vkB9jnhkTUyw4Y4vNcmdmlt5NnL89n4Eq5x
+m0TYMUfNyNoZEdtRFcH59WD9fk7TUhhPS8JrPBV+TmKrIlpuPXx4Vpx9K97Pq4rV
+9TpQZGGRcjbwSNKecAdI0WqZ0cfEAWMHVq/CPMQzmBWSOjrqUw5JiPX1mQN7RuWr
+vpWXDiR1s2PYhVI7tgaz5nV478OW3MmmLlz5to5z4C70FFzI46ylw5XGwCZPNrIO
+rezTZC+4GGj98pz583eg7HXS+5bt2FYeckClha9fs5mse/vXvleA7AGs9HoG3G8d
+3Nt9vCaj+pI/VTbOp9+gvtxfg4DSriGeNZoTQnzbkkVFQe/n9FYNtsco/MPugGc4
+w4fBpq0AIJw66raQsFXu/30+aICb1nU/RgyksXLlL7oQ8fyZ7xprfy6fAAsuvfu7
+lI85gaWs1NboLhP8lLDAD0/rg/Bu0YGfxEfguDEIrTTmN26+4i95TiffCqch54Wf
+AQtzV9CIkxsmPxVrrAh6HEKs7gEBFIaNew8L05uUzoQnwcl6xOcbGSJLyG1a6+6H
+5IakDkcnypy/LBOPrx8HyqO4fOR/4GJ3oV7hm+e3svnC52hVdmccr7gzBFfBMHEW
+CSsGAQQB2kcPAQEHQCX+QrQV1F1aohqbdcUODZcwbamprUoLIXV2nSyLiSx2iQJ/
+BBgBCAAJBQJXwTBxAhsCAGoJEE0ekA4UwcwEXyAEGRYIAAYFAlfBMHEACgkQURBO
+Zo3QRIH5oQEApL+jd0x4w476elQ3F0M002NXd7FKouy9ageBM+oHS4kA/28oFXVc
+qDraz9f5bFnwX2407CDLKaz1Mp3jijvRp6IHqf0QAJGX5TZDr6CdERY5cOTCs70y
+02q2sVON6dxicE+UAxOL1nqpef2FiOobu4e+OAGYZngm8oNQBNNXA6ETc+Ug+zUV
+P5p3MwkpFAC52GWF9yqOjOaZuQx1QZoWw/Whba2ix+rZSSi1zPaxrL8iQpe04Mt3
+IFwmLlxYhT2Z9uDF/lotROTW5PIcWmt2yHYbdL0XYrGp959DmKNGlprgTBbWTeuw
+aQUw/SOk8Oi83qv+8YdZNyuaxLz3qh0VSxx9vQnGMbslDpi2+hXOuTJuMVs7UtPt
+sFgZPOQIWdNC39otlpHQE6z8ezRlsOX7LFf+1CFPkPjbqrs0D4fOEr+yilo0Dj95
+ixnCe1lODykeEkwQE4XdlrIGjLOdi07Q/iMLTGQDL03PVrNXt1ak8pTJI7SZRsQu
+lL3+Tqb52HynBDbuiwSyjqdCGAZ/oRChWrW6tdg3bos9YiivPgIswCfry0tc3WGp
+2ygCbWFvgHZmxU8nwusrTjciIh6b1xwG/webx/lBPMiKyRC+F1wLqdJBDo7bNuo3
+Gz8W733vBRw+DWSDPBebW7kk/k3JH0jX1MCdv+zO5wuur8DdqDLLlX2mZOTRZVJc
+Gg4jQ4EJ29akJv5bSwa1bFRXN0K2uNSGbtfHrcbDmg0aU5slv4vtsxeUFhOEcxHH
+CwCfgTy3SEF+cSlWWIbMuQINBFfD2hsBEACqLMDpuA+/9VWscimKTs7+k0BiuxfP
+wNJAYYznAVNFt+GE464v6YJNXpKt07BRzDpuivaDPobqtFXc2nvBHcCUOP6QTUP8
+9rOC/bw039B+KRaPlQJTGbPKL/kqIXiK5ihjgSXdHDCmzNFHuec07pWgBMI+LYfZ
+pKIHGsFVynIL53mmhxavGTCSzJrBd6pyhoeCzMsIZAq6pZ0HKjfVWP7B3yBJfazC
+r2V/HkOmKV/vPJT+oflE4f+PP5tTuvEWE5UXM8VXnROMcxaNHLB43Pbh3A5neGgF
+m74Ha0tfWZHrZYnNCFRGbxp7PnfbKL+tZ8xtyQr1pQ+x1y8Bkxj1MgiOj55MmRmj
+xlVJ+L6zyB5Tw7kqsaBHiSDBWUz6SJz3pFD3X3GPD/nkNqhBhSzFM2qxHME3CkK+
+hU4jOEkcZpHhsjL+pXVudGNHIByDNj9lqP7vswg7cnGN7QIPdpBdvgcFg4qZS93L
+sLJlqhNDtCwd/Ut+QNT6xE51HflZ+3/su9FEjUFKZMEtAu0TDoaf7iV9VyD84wjL
+WAm1GVXpDh1/WuSUBifMfTyHXyLN2y2Ja5D1mws1g2ywzHBW/2e3gUzYSd4JQEWL
+Yld0kZhQ5V/Y9Y19jDpDUUgxkZmb5dnHRaGwmyx27zReKqN5NF2tdeWsUMibZkEQ
+dib0n+WnzuJMYwARAQABiQQ+BBgBCAAJBQJXw9obAhsCAikJEE0ekA4UwcwEwV0g
+BBkBCAAGBQJXw9obAAoJEBPa2Zx+QVGcxvwP/2aIUD60sKExN2fLXj7mMZ/wWlDn
+CdqvTGD7lrk6r/fAQcaOAgajCMEXOPZXlPBhdQ4jxD3FLs52CNZkcwzXMbspz1lf
+IOk2U1UGhmnAyriY4Uf5cRu2RPR0HYwOBB0xr69SIrsmlX4pf1AnulE7CIY/oPBj
+B2XQRQ7ls8sMqmm+0TxRysaosHGu7Vbez5iKBm3p0rEh8TcVkgMivdUPue/ip+mC
+aDCfGeAiXLXWtiEiwaS3Pq+QzHhZtBvShWlc3k2mCFlrGQwovPxY5SqGs6Qwifrm
+nGSSlyaAorDZcQEkZe/HP2/qXKb7uBD3/r8t2OE+BZKwJxW2fIpaO+u8k5EXSDzu
+xRqSNj3wYUI2+WNQzBmAyOZ6XBX4Pz0xZyahtXCzJ+5deqCnEtJI1HdPSvM7STE6
+s6BmkhUl8weSAD+7v/HNPWvQXYFoeGFeqvoVOCqB7jJZUj+n/eUh9PxsOtwdJlvd
+oODuQIYyzuSapm6OPnBKg+v7Bp39Ym8j5Nfe3xqg+O6CQVH/qx3NoFrKfAaLKGsV
+++jnf894b23Y/fgu84Myt+Kn8uOrO6jbBwiWLkgn0uzmO57bi/6F7aMQwSxcMcAY
+3DhCoeXkeYq0QRZZd2raPbA5r278wPXWg/U5bHenGYX1COWlRehWqXkqR9ZJYY1h
+TT0/WSAK2ZLCGTK5tDYP/iiHbpeWlZhwgx9JkfmgL+N5XoAW6oJna3tozS+xVM5p
+xTaTNO24vnQw+XQxkiCFwtf81chd/oXhjWpLg/K1vF0AWGomN9yS5dtKtlWZ0H/3
+KeEGkKf9iRp8j1bVNF6mBhb8Xl+nKLWiqE/uezx6OYBFJuj6WpCgbmaRUbmKpX7P
+++JuOosg0n+BzzJYAIKP4+/FLL35qSpLW+DuWZaXbvgS/OgjJUL8AQj8Nwk7ViRy
+hBRwSAvwpdcwvlAH1VfTHfpQ8a0jjN1Nzf8Tr9Ijo8NQnsa+5y6Pmf6l40j4C8HP
+sMB7SX8ptFig8lnBRPtzEWj54/WtXJwGRG10XW4rdQU5hR9Tufc+WFuRfwdLgrhP
+TnKGyVG9zOkTd9Cl4j58tEsju+m4HNkUN5goouvdxHSe/dmA6cQAWf6/nhJ/uSM3
+aJPSUOtZwPZO7/NzsMgkwZTLXbehm+9xWMkPRt1QT7V5MgfxnxhVoIeoPAEYBo8t
+0P2GXVMNZdZkJPoViWGOei4iPE3rj6NBynIIoEZNDEJ0OQOUe6Naq5AaG/a6wPa9
++ITzKY8VR5KMf3XgcKLBlntyyxTgnHY7j5VrhxU3+mUrnwg8LIN9Sx4oWDks/SEB
+7KN3KGjSgczn1k3GIJRF8BhYin5Cuw/+aD16w5gSHxUhIgwH2BbM5X8eopbp/csA
+uDgEWlPNvRIKKwYBBAGXVQEFAQEHQK1DtStYAOrv8CKh19A+Grx4WJusGieqP6kN
+cPu/o4dlAwEIB4kCPAQYAQgAJhYhBKy7QyQ5Ot41Fdot2k0ekA4UwcwEBQJaU829
+AhsMBQkEBFIAAAoJEE0ekA4UwcwEvIoQAJFgOFOsevc8GDLKxSV7hR3tytGLlfss
+Y9I+PGOt2Yi6S6v7dP833FLRS/TnoKlDof3A7dw87hNy/FFelm+GUz2gWCIjGEk0
+yWqvHYfjwryTug5713cmtKBdLSQ9vxD932ZH3mRcWNmaN5909nh8ugf2TCchQ5JR
+KmGSthukPE8tHk3T5hldlRW87V0gIexJoo70RrvPwnK4dzYaA9F8SZ+rFGYTpTaK
+A3/L2CwdPIDvi73PXAkieHISOc/u9YqPR4VS7P8zD8ckCpTNZ4iAOh0mFJsozMnT
+MGekw3cozJwKxsfWCwUMyQasc0d8Yx1fJIdIOrJeXvIWIFZQrhrwDqUVPyY4jhnK
+EiL7TQIrWuYKopH3AUmKWxA9T89/Oyrsjqu8ySDT//svOF8b4VUc66y8vR1s6oUh
+8XA7sCj8TA04yxi6vzux63xQIA4DUljcUyifcr4N/RwKcv4Nd2Yxg4zY9Y81/raM
+lvEysnKqJRBpExzUmO4Zgap39aRRwSCieH3NqYkZDsVsUrcAFcU22ir0wwba+S2X
+LkedTrTB7xrM5Tdzg7EjaHfrwONOobWBn8mDEUyYIW+kuwZxdS6h5wJZRXJ6p0vZ
+xEpxpe7WJ5r6S0oFlyPU0EYVBMFbHuG49Ml504sGWn0uwLuJJZ0sQ1zYU1BgAOnD
+J6kx5FwtQIR1uQINBFpTzYABEADF6zFzagbZqkqKDYFES5aEBZUuy8dDZGSr8zMB
+sGZ5A1OJHosGZCnVA7w9265rUIwPimQi7pOC30chLcfK2bkMFZUt4keC8wHaY50c
+VGIc4xA4MMrdkg2qSBDMP1H8+i/jrpbYKSq2dH3VmdFFqxvJs/XYh/ZU+dRMvfny
+8SULvi4Gp01P3PLIcn60WW0Xt40TbADl0ueCM2GxgCbbWjvt09MvMwmj506JewsW
+bUhFDjJH9W0196giDNbSi03vg9nI3lfpFC9Ao0mNcIobyffL1E6ounBeUcA7yoi/
+QPQTB0dtNcIvtLDLCGWTw/Z42FGJQFLdHEf0cINPIL5qiJlCvdVsHhVeHKA5azpB
+TlhvnHH4eSkGquKI8Q4PIzGsQM9PG/Aa02XC1hve+kRvKWMqFWjoTfc6TcI87oEV
+qMa9eNOZIk7UG46Y4dRkSBSwRVLanH3xRK+zPnMJ3X8ePGL6yna8W2XcHznR9xyN
+zA8GoNpA0CX+SyM+xpVH+ZHEBupvArqusqrS4RPaOkZ2uurUxOJ2N91Rj06IydlR
+qWkhFX0E7rEURnBxIZrMhVWbYRufn1QiRLXOtfZF122QfLx8L1oPakyVG07TPVnh
+gcmcDny45ZeUnz8V9/gyKDopT3OXdaxqe9Ovh052QwWg4HtnGBdlhJyhwQAy9yH0
+gEOPtQARAQABiQI8BBgBCAAmFiEErLtDJDk63jUV2i3aTR6QDhTBzAQFAlpTzYAC
+GwwFCQQEUgAACgkQTR6QDhTBzAQK/A//eWA/Xd2SRObD6CEw7fhmR3J5afqifNiS
+vxQbbkZ4SIshrEs5wZF26IUl9u8uHeSyCrIB/vB4/NmCk306ATNQ1jlnQd+OKVfi
+C5Qy5Xi1T8o5W+chsy3PCGvdzG2vgvACa6vyKB6O3lV6F+WQ6GAd5NA9536vW7KW
+AXfwG7TsTcPzmRmXYb5ZpfI4g9gLw9ih6OzcP5+C2BDppWoQjnVj1+t2lw0SuFv1
+k3H4MnhEJCcTCURu6I7J6gOtNW1YJB9XRJX/9G1RiEV8R8mTUZ1HTj3T7nYRZgna
+enRsnIs3l4++dFQgGJgWctLcqlwdBr0Vc+Q8gmbbQo+RZImHXByIp7Isu5GjNOaa
+FpHS6pnMa4YWy2Zb1w4TFDZtKQLJFh9xlnm9raJboLkUH5IMZwM9GSqeSe1baXxm
+3Rd05NAhqaB5C/3e4K0x06p2s/FTlnKKIXDWjE3LaGR22yiWN1hJ0UjMNp30IfKW
+XjqdNHeeuhFkh+LzlUW234gAiPp6b+S+/Mad/qMjsuYVdvEP3NN3Wa9myA6dYNV2
+TiFKH968gp7dibCzhq2VlKGDS9EElDxPyQ2Ksl8TQInWB87/OQIVcoSuyyW/5SCQ
+clcWTJiMl+u7iuYSVqeRRFpW8cXNqvBQvWlVh6xS06sdbViqUUAx9UHkDHznIZB6
+gWTwHQbPYW+ZAQ0EVYAGxAEIANMV9v0QcYaIN6X+IXNTRqDVG6gd8v/T3PXLuJCU
+vKc4BBNFE3AJZ7OaqkOnrMMU5/Ut2nQR0RC1Re9rmDaWbejnqj6adesRCvXW5khy
+x8YhyTvJX/L/XsjsCmBcw+D+ZyOJ85Mz0Lv4+2CF/eNSGPgStgwVAt6UEYRlmJ+e
+cCgcs4QAfvQMQ0IjTw99hFEbqVkMHT2c9bu9UbxFtFRaNDLFBRbBe6riBCiFIUOo
+Xg0TzMMcT8OA8n/IXL7AWvZpv3QOwTu85hvjbL3mR4q1MGn3z9jv/bFvOLwRitcL
+7b3V3BkQswedgsXmw798NysN3Ct17Zxtn7C2knC1Jg829XEAEQEAAbQeSmVyZW15
+IEhhcnJpcyA8amdoQHJlZGhhdC5jb20+iQE4BBMBAgAiBQJVgBYGAhsDBgsJCAcD
+AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRC85YyM5B8y3/QHB/oCHdRa5QvUvbAKGMde
+S2/SPyhCYvwIPUBRiSD7g1FORlObmeBmU2ThlIkHuyidoSbOzfR/D3N7Hwsy0Iyc
+QdBi0U1vqvUzZB8xLxlR15pQ2aUYe7xSceqv5pORBtCy+Gz9RouSdaU5ap2wzb1n
+fXXIYDcF2UbHD/bB6P4C1FJrNPh0QhI/wrzF+ehCaEhVRnfdoxUMXvSKKeYB9Z+p
+QqGBFy2tUwuBfEq1iI55MZcO2bZ2e9dMc47e7Q3ayTBzpjA7EuPVdfBYvopAnHvv
+/ZKpUcMlV4SQwRv1av97+XU+CBT59jEtnn8dZsZq02ahEWhg24IaWkEv1c65Ar3w
+9wjKtCZKZXJlbXkgSGFycmlzIChub25lKSA8amdoQHdpem1haWwub3JnPokBOwQT
+AQIAJQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlWAGAQCGQEACgkQvOWM
+jOQfMt+IhQf/cKMyGEaIDXWNWnoxRYsW+vvsuG9a4sozL1hFC3hMw5UNJTE+mdz8
+V4WSCw+MuGj+ys8dKM12uamisuNRADykKD4qZ0QB9OEMrSWyBEb8/E6Lfy3glSlH
+NBvQ1cTjwQ9N3M04KoM+BI1dqr5yxfq01NGAXr6zQpbiqLBknft0by1lbtIQYZ/a
+RCyn1yTUkF2W/k6Rw4Ug2f4Aq4JQRDoQOmFmw2/+IM/uUxSnZPgfvogEGUh7+8yE
+mm4zfgT2ICOOwPjFOCcnKF2gFJzHNJeW2unxjWiK867hOGgGa5T+aPu5pVPTJtEC
+anamMWDwIqZSRq2b/mFx9X6ebnhCt5fjRrkBDQRVgAbEAQgA6YSx2ik6EbkfxO0x
+3qwYgow2rcAmhEzijk2Ns0QUKWkN9qfxdlyBi0vAnNu/oK2UikOmV9GTeOzvgBch
+RxfAx/dCF2RaSUd0W/M4F0/I5y19PAzN9XhAmR50cxYRpTpqulgFJagdxigj1AmN
+nOHk0V8qFy7Xk8a1wmKI+Ocv2Jr5Wa5aJwTYzwQMh4jvyzc/le32bTbDezf1xq5y
+23HTXzXfkg9RDZmyyfEb8spsYLk8gf5GvSXYxxyKEBCei9eugd4YXwh6bfIgtBj2
+ZLYvSDJdDaCdNvYyZtyatahHHhAZ+R+UDBp+hauuIl8E7DtUzDVMKVsfKY71e8FS
+MYyPGQARAQABiQEfBBgBAgAJBQJVgAbEAhsMAAoJELzljIzkHzLfTegH/Aktgk6z
+EBXYZBhLQV5i+Inw/FBxZAUQRpjPGS9n1lAU2V0/Jq3UTDiurXD5ylmgr1ryq9JJ
+7fe9I/w8gIBZh/IYDot8nLYoBXnFQ444pQHgiTKt/LNbWCmIiw2wXR1rXZAPbh2c
+Kt5X3d0MXBBDt0GpkBfnTu4fIADl5RvqaPOx5vhNMM+LMCAfPkt+yc68fbrtC0hQ
+3yQkyvkyChmuVJ/C8T8cqvVp5zQ4e9syuwYkYnZP7ONCnDaHfNzTOB5/7Gxn8i2v
+LEtBdzBNEvqHEjDorv2RxzosKS2DW8Eye7LWcRrK4Llnk/T/mpsWwP2JSveS3nbL
+cLzflnB2e3fvgK6ZAaIEPNLT9REEAJESaVSc95LN+cLSbahBXh5LOBiOySIt/Bn7
+5CXfMSs/DQCmEfub3l1nACxxObcJBEcMN39FjGQkwBgD6ObDxxVfWte1DZRFGbPL
+b8j6oFTU0I+uoGMpGqtq/26EsIsa8TB2paDZ2qfxMzA12URNsf5HRBD/WUrxe1bQ
+2IcLwj43AKCP/wC/yJ92lVKcWnVB6xMBXB1NswP+JxFg5nkj3gNJGTkYaeYP6XKF
++P56Nhu5USCDaKBX0e5ckycEpOe7CuK6yROt541AG8EJOW0etF7Uu6MC2WxuLGih
+OBRTmOTNj4n89418t3Un26ipMZDsaNPhIx8q561JEGFxFli+b0Uz7ni+y6YpxcYr
+6oF89UEejVuTyCgnGAED/22esCgshQ++zh3hx72HkEYDbIb1LKfPfDWXxmv7hyii
+ZSNskVXzplYo8zqfJvZGENvbQRKRmcKgPFlj6nm31zdqJAkpBBXwaPS2Pdzv84qj
+Ix4+Bpsf3vnZDq6mJnkyXeZ+x78qNrhMdGg8SORDMCfvuPF+96wqISH5+7qCwndw
+tBlUb255IEZpbmNoIDxkb3RAZG90YXQuYXQ+iGIEExECABoFCwcKAwQDFQMCAxYC
+AQIXgAIZAQUCPNLfLAASCRD/wPFMhMcbbgdlR1BHAAEBJ4AAn32hzdbxQDQ96p1z
+lxfgtuKzuEjlAKCDtTvJmpJtbVtEM/yS5+T/zpLmD7QaVG9ueSBGaW5jaCA8ZmFu
+ZkBleGltLm9yZz6IYAQTEQIAIAUCRGRrzAIbAwYLCQgHAwIEFQIIAwQWAgMBAh4B
+AheAAAoJEP/A8UyExxtuUGIAn2CA8LiHb97IyV9SXKl8XMupCSIvAJ93zdRvcU3Y
+LTU4tGi9NayZdYFpYLQcVG9ueSBGaW5jaCA8ZmFuZjJAY2FtLmFjLnVrPohkBBMR
+AgAcBQI9FzrjAhsDBAsHAwIDFQIDAxYCAQIeAQIXgAASCRD/wPFMhMcbbgdlR1BH
+AAEBuaoAnjxmF/tv0lBZYSJU7SbfnKtQbj/uAJ9zk4T+AFOD0//UL/lQULrDM9e1
+3LQcVG9ueSBGaW5jaCA8ZmFuZkBhcGFjaGUub3JnPohfBBMRAgAXBQI80ti2BQsH
+CgMEAxUDAgMWAgECF4AAEgkQ/8DxTITHG24HZUdQRwABAcBPAJ9BokfMNlwzOE6t
+iOGhumFdrKJNugCeJ8TAonUMNVnE/HFa/E2hO9o/Cba0HVRvbnkgRmluY2ggPGZh
+bmZARnJlZUJTRC5vcmc+iF8EExECABcFAjzS2JMFCwcKAwQDFQMCAxYCAQIXgAAS
+CRD/wPFMhMcbbgdlR1BHAAEB8J8Anixqe2bmDbJpcPb0IoT84nnhJ3kvAJ9sOLAQ
+jWYvK7SdJyMF10YX0CIfHrkCDQQ80tQVEAgAm2SEYGtRoRU/Z87jBCma6Nh89zv4
+ZP5DSdooJesxDW8MrmmmyCGJKv1N1UHeR2R6/agbGCwJ/La48L8m57BAHJgGa0om
+5ToYNpFVeAyGlXCFxGtpoN5hmbQYgNARfd9ZKUvTvHFvNJmd7CVKpQQDOceMsY3W
+mr2a88FzOraGsCx31M8ej8gH0mxWYdX0ZhqwdRJtVbHVLqe1TaRXZPIqkFLiW4XV
+nvLrIhZL2nCJmNOVZ1QZJ9SSRO7qwzn10EDG/1LlDxNjjhNRB+EdCFwtPPzhS6tT
+3qLpxv31mY3m6rog/o08i6aE4kCo+8dKqXL4TP+hLNLJSjJnRJqPfkTULwADBQf/
+S2RCHVuf8GEjIE7hL3PnBB8j5mlHuel4pnVphBSMXNtQtvbtjbQdG6O9eWMU+hYH
+Wgk76hdQuQJo1Yj7vZNhfMpEOphYxq5vCth7l0cniEQOmamp4btbjbmsi0N+HPbA
+o5Fz2+T54cwcZlmEpqa6uZ4fuGtWl7fcFF+2znK9hah9iidYYX4rJ0FysyncAxso
+ZAxI7BwGJKkglWfQdgkUg5aa2G0ogyp9WYtZLayoUohNsEocF6Y/73sVUBzzZ1fG
+PqKsHv+MGN09fn/kHwcc5dZ4S+4dKNn7p59cWtNVt6Ha7VqUHRpfmTPhxvwWX07O
+KpzYvHkcuB+QqJaAMC7hg4hOBBgRAgAGBQI80tQVABIJEP/A8UyExxtuB2VHUEcA
+AQGH7gCeJN44B01zh8536VzUQyI2ajz4yRAAn1wKpe90dyp5DqlzUOxc2FziDyu+
+mQINBE6NcQEBEADN5LtGr/flvrjd17mCOlqtRB26tj6G4jAc5VURYbejQGbbYzP5
+L+fCLfDo01MYLI6jffklfpcDRHh2r/ACvA+NBTTVrP+XX8+s8+Y49Ke/39rt4NUW
+C/t9UaIkV+0gP3DPYQA2GseOGwaF8V7v3BXq6VrwoyV2KlD4vAYUahJ52VxsZG+/
+IhrvZn2MjmAyb1fjzZYr/7GX568CKdRY5VaVFqLKXdC7ZzRZObgzR83zaa3coC7l
+3cFRtmGRmttDgUJ8R3Oqp2X9oe+eylzpmndEZkzGPZiI90VmZchvt1XUJ/VRpRwP
+xmJvrz+NJWVktzDU1koauyOmiyB2cO6+RcSMaoQIX+TpyqJZ96rd6KsHCyTodF39
+3xs730V24pRJXSbqJpyBNTOjd2T856MI9CIQ0SRvTUJGsp4x82j+3rJvSKGTClPw
+FOJkJ0KaQyPMIaudP0PdsqULSoHXiBk3k+yj6tg9Ca84TrsSrLx1fvM4sAZpqo5p
+LriDbl7ji6tUZovqW06MRT7rFCMjJW0Bk8jPp2r/5ASdjv33Ljxvr+9weYHJ5/rN
+J9MUVw3rXmyDbUh7+uAm/2e24z26xE6LsxJB8JzdRqRSMqXdf8JsiuQLWpKZBwYo
+hLD+EKK+bfpqvTAHH39XLPz+Hx1Pyg3+nkcQJIHsZOiH5uneQyf5oId0MQARAQAB
+tCBEYXZpZCBXb29kaG91c2UgPGR3bXcyQGV4aW0ub3JnPokCOAQTAQIAIgIbAwIe
+AQIXgAUCTs/EuAYLCQgHAwIGFQgCCQoLBBYCAwEACgkQY3Ys2mfi81mGbhAAsQFh
+PtgUJ7LCzADc8fzyH3nW6JrcJzkafhcEptDFBDhBFYeStGGYg1GpztIwFR/FS1id
+P5Pb8SLTs61HMpfUCMo3viYX6nuzyLskIza3spz7/FIhkiGnCBt/g46O1RDdEmhi
+OUv6R7xiiZfqB4xlX8hc3aeqPhrwJiSbNcKLZ2Du5Z/y/+n+HKT8MtiUP4fDGlEb
+oA1SRDrPFPGCfPCKGueFo2y7Y8CdYmj0b9N+Tyjkm5NEGfmoavtLJDQ9QbmzwPYg
++AxoAEeGmhP2Zi9U66d2ugLZHK6xL3HOtMkL4ES8tn4neJ0C9Pv9N+Mm46s+mSvY
+FQhlivgwX5pwbRBBSy2wl2ntXbuIg003SOaXJtsKXtGIg7ycJJ9VGyyApt8kydOG
+8waNhJIU9TPbmAiAf3m3xr/asZHmecElBht37VOiPS+pzg8i5IAuTxsX9+vSzUPA
+pQkaBuJRgDiaghjXrmF7v9FUZXCbmozj1iBJolbCKe0MIajHuQMkwF87PWfQVWLk
+ssYIeZaiwu38JGlv4X6vSLHaDh3mQhT8l51PWRTx066AtVvlsu6KwrbyHknTqTjx
+V9OTORKM5vw2fjDurvxFRnbPHw3Lljn4EUQq2a7sGz0/Ozrr3wMdJp5nOoi5JOCf
+x127yIGMdkX+zDvCtk7XPZwqPoVbpsx6f9tf4du0IkRhdmlkIFdvb2Rob3VzZSA8
+ZGF2aWRAd29vZGhvdS5zZT6JAjgEEwECACICGwMCHgECF4AFAk7PxLgGCwkIBwMC
+BhUIAgkKCwQWAgMBAAoJEGN2LNpn4vNZtHsP/iEpR+HThMsPZkWwhbGuAQT/rrWU
+dphk2L+skCSFfvf5uk8/lpW5aKq8WRhtwi8Dj4/NKLwpe4qItJvG1QOCoEo9Yj1m
+HZw6PZiSX/5Cqn5MA+eNN17n6Vz74xSbsrRBTYIlBnC9HCcu3Ay+qyPt2UXfs3jq
+hI6pw9volGwOYmaglSfXKVmGPKzSoDD0D7dVXFcghpyx/s7Gv7lUMxMmbJyV8bBu
+wAATJhgSCilDZHxn5sQ5VN0NhILTnWg7QpQeJ1tEZTz+6fvIzxEW1lKg+nzw7jB1
+bKv3FtqFKvgtgiag1QakktBAp/4S0wjikohMOzk2SXxLqr8aSHyeGqV65VD+NPfl
+STRPWrOFf7wRpQCzgGn+RQnnQr5XoLjAEwQKgwMdfK+aCQoKRvXyDu0yC/V5reBl
+dw5TsxS+GBLNyd0spmL61oZOCY75s0106cDUwDEwmmhTjlxalXI+nmdSDUTn+OhA
+Zb1UMkUuSggCs7nR7YJzH5t4M+0PbTME7hiBr6F+vO2UA/1oZQCvlnG7j0yl4KWp
+PJOcKgXIAxsAldKNoERyekhaCFpRmKfK+ed4HwmkrgjjOPAGDBo3b4PorQxMMmPJ
+jD9uRFrhTq+/wv3U1Mfpq8Kkwkx2j1J6iQtW48ZfEAfzkl/N4r+rVueOsYFxr8cl
+KSxP7fC2PtcIAogotCJEYXZpZCBXb29kaG91c2UgPGR3bXcyQGtlcm5lbC5vcmc+
+iQI4BBMBAgAiAhsDAh4BAheABQJOz8S4BgsJCAcDAgYVCAIJCgsEFgIDAQAKCRBj
+dizaZ+LzWU6qD/0S/fEXB0RY9l2SePrd/gOu4Qs8LsZhvlpjiYA3OawuSXmqVuvr
+4m1Nk7K8znCZH/TMPqZ7d7ti8xYLdtAmmUwTFxElWVMGuT2F2J4//QIZpjmJcUsu
+pJVsrI01DcGgRLq8kFfg4CCcPknk2YLLumemUcXuFGJqwrRjIIbZBwO0x2CrYAqS
+pGNpDevSQFuVs1BtTUoyFV/DDz3TBggn/UfnV6nciQLD0vWL/QLxn2YFBtQEZbyT
+pV3jC2+c9izos0Fce4Nf2pm6YKUQAt90jH9YhBlnk4iEH3gVILbTqA/imAwUlv52
+A6tBTpDjrLytGwCsQlGRAFLSbU13mFPFiL47lXaKBuLa+8zDeKN6YD6cRREImS7v
++pvu9eG19RgIr71dRQgeRbohp1bmFGq3T47bi2c6yiPnJlZ1ttLa2kfjgX+UU7lV
+GEqQpXL6P0Pn5ZexHY0ue6MymotV7Mhlj7kfxCw2n36c9cpovLqR+Dzo67gLSB05
+djcz2H6PowRPM856GE9xTg56nq7B2iAUQ/zlxAf9i5ulf/GtOZVVxck99iwOhH9I
+S8I3RlbocFFtezl8msJl4XC8Ab7K1cnoJjnq+n2f18enWfX5a4R/x4wEm9af0hpl
+hrh9Qo0+nYUaPl4JFL3mieYqeCibxgvifMQ3apFDx50XVLP0fvw6yyGHn7QlRGF2
+aWQgV29vZGhvdXNlIDxkd213MkBpbmZyYWRlYWQub3JnPokCOwQTAQIAJQIbAwIe
+AQIXgAIZAQUCTs/ErwYLCQgHAwIGFQgCCQoLBBYCAwEACgkQY3Ys2mfi81mOUA//
+RCa57LMVU2VQLfznl+HnIMume5xLAKuvEFnO51G7psxt3d5M1p/ZYuciy0epBL49
+YOcOre1/aThu1E6qQmLNI8O9qMwT6yUzSZPK5NNP0duETlV+AY29bQVHSxLiJ3vZ
+UuzJyNqGjU0/b8k1dOzi3P2qKyr94ciOna8luNyA1QF0AahS+x/oj87dJkkzqPrg
+sGNRuabrJllJS1AJPNwH3pwSQoI+hdFq3MWPTEcQaYIIQVatO4cpzNsLpVOBB8Y4
+rc31R5pKmWtHWYQGKP4znVPitepC9vnaSj8v9SgA826TROJFCzpi9BPLXpxASzOQ
+m/EFlRNLeJ9KYRV9pa3x/2xtV95Y+blRIgb8fCyI03L3vvBttqgE7bkL7esLhbus
+UqrNixFecooFaJNW0OzuC9AF0apZHAkyPVytMMWAjT0af439e2EhwL9JO8l0OBqi
+bG6/2hSoz1AybXHyNUP7iecRg9alXia3GOgD6Ahb5W/U8YlL7f352UDZMS0PMl8Y
+8TdgXSOPLzJyrD7L1qvr6eeynKstp8JTJtcJp9DXbX4X7MhV9Hooqv5fLlt0dRW5
+FZ4/4R9adpi569Ggyxj7b15RE7qGHVLVli6SkA0k/s27aicA844/Z7xfxMXbdlxh
+w43T+yd4yecK5YtD9n3VmNMO7wGNsJg9aqBS4Pp/xDa5Ag0ETo1xAQEQANqF/lhc
+KNgCwHOcuClEUvjsfROGO/Enstf9sI9OjzVfxPe76R3zYAWvqo3Jz91reZUEnQdQ
+yo5IZdOdPqdy+XF7nododfT1lZz3I41r4suFYy8eHxx9L1np8fkjVY/QOu0tGh87
+30r6AYTwZ+VoRMiioZUJwpsfByYGbJ8kzs5xhsE2rW8yPu+wXohXJgawYKYugDCO
+5lfeA7+ZlLCIkZjhcdBDHjCJEuaHGX8e9wKKo05nLcVoPyz4oFmFeg54C2PmDS9C
+V5Fygunp9YRcHP95JoALfLY/16CPsJaOxD/yTLh0Sr73pUP5ev0YTRwpUV8A8NIJ
+sLZwcF8VssENeWeLMuCoFYSMknWM8Bwbmlx2ThiUvQ2HvdmSn0S4H2cuzlsuxayZ
+w0EKwdeSCr8a4MrORbOZWGBDpil0gzQ8n7JybKzmYStmORT3jZEkgP3Gk7a0iwGh
+ZBPnDSe8A56OOOhIUxUYhYpHAyk3Jej8xDwii9qFnCfUH/UJCBtpM/m6eYCDJiBD
+lsq9/tBWgUHfS27ZJf1zwifHaZrS2kjzYZleYQDgKuCiTWrctBE07tNUSYTgjlzf
+seRZbvP2jI7n0pksjqMJApwhmdO427e+Ip/UYLZ/LbpCB2dNkUjlU6V9FhtXO79X
+sysAbnqLeVmMQnu5eEE826DExe3Gh6C9tePzABEBAAGJAh8EGAECAAkFAk6NcQEC
+GwwACgkQY3Ys2mfi81kOrRAAx451eVoziks7qykXESWRQrtjBIOPahojcMoN+wy3
+ljVwzWmfoM8lYUTT4jccbsq42PWV1zENAnvktByWBLRIlSSfeQwAWRlFykHattdi
+lSg3/11nKI8WPrz0SCqiiJBVW/SZvKucMwkiVDeiPQNQZR8BjcpcFVJqZ4Ochp0w
+qw9q7BYi6ppPoGiiShVhqMQbuZ5Szh8IgbwrCL5jP3x0VJxBuS9hJQYLfiL2D7fk
+qdDpnJjafuFhAdGLN+S5g4+T2IXxgsxp5/D5IMa7rYQf55Lkinlys3A0DON0RMdG
+zd81XNbEe3j7wpgj6dEEHBJ5B6z6DHkhg9oEn27XoFvrKArzgYCmDF1gFPp307wZ
+JPlVIUVVrptkNbYavsxQBbo7iMUut+VnHqqp5/zoAb/bLfqlmCul9ODgImzMtKdx
+PG4tBLp8rFK5qgH4fhefdTSdYOSmYby0cIRZmQ+S0FwN5uncr6IEYf/TSjLbixNA
+/OP+bfPhJPMGYwXIijv/0x3UfQ9qGBNhtUOq4M/b64QiHQGHizFvDlW50HGt7hWl
+XEwt+6fZqUPTX0k3WdOwIuy+SdvoDbPIRv9sr9gCs+SALR4r+4bH61IJU0nMnB2a
+3LHqUhKy5FaBqZqR6NkBAnVGxh7Li7FyFWggGiwSv3ocYBcLpAapQamaniB3jlk6
+HJGZAg0ES8V89wEQANTlsU5xtUIEOxMarcP7wCcD3fdLiJi/E/BnZ5FpPjXmNdCz
+3XA1OlXCBjfFHOSNOFfK3oVXsJ34F1Lhi8Ycy+opkI6BWevOnF46rLsawLXTJ9T5
+0Dsa9mJjyGbi3D9t2SNOxBB5Z4+BagKCaqlp0oCfiIaHS7d8FkLunhnwmx/TbKpQ
+UjLjw7Ep/9p5XxbmxNGvWbccOZuO1TD9RtRbvrUYiBHXUHFw8hoxo3tYDAoc2khS
+qMhnJnrPq0YZDd9HBMAnCLVJE4RTvgOBG1Eef6m7aSnSk6wPfDPzJP3mAv3YILaG
+SK1NkHj7e6CWYy+5D2fBCNp0+3xqzd8HaZ8Yrtz20tcwirxuYNnD6ZZT9dFtTi+s
+J1BXJYfotQjbz9aePotQQLqFk6eaItKWXdtqmjR5xrctX01WnQZo3LxBfs6nYrAT
+eZaQ3gXtzZnIZDwxovqouWYTrdB7hAXLnAngfXo0K9ceobGbrRucnLnU2ZAkZ3th
+B4NrkAVuAUnxXgGD5/Ut8h6H2ukcqK5lE9kOzzLGzSQU5A6Nni7kc2fYDK5i+JtP
+UJePRfw4fNelDdLKUHL4sTjESe3ok+RCNdqHATBOi1TFMlu7R8r1S8EHiarMhOzb
+vQdKjDMSh+Fz/lglLGXFDxrd08EFGPNR5N803qAGsRX/thqV8ObEcoTIUd6nABEB
+AAG0O0dyYWVtZSBGb3dsZXIgKEtleSBjcmVhdGVkIDIwMTAtMDQtMTQpIDxncmFl
+bWVAZ3JhZW1lZi5uZXQ+iQI8BBMBAgAmAhsDBgsJCAcDAgQVAggDBBYCAwECHgEC
+F4AFAlauTfYFCRJtnv8ACgkQrV7bt5PsV+SVdQ//ZfOsKA06FGsOSicpB11arODP
+0Nc+22YD2Y15cAzSAENyc1SEVeIvnKNHIKa2auN2K/YYTfITleBqsKjJvy1O97U+
+z2i7ORsdCiYM52hO/yZov6nsyi9JevSNwmjD2tUh1I/TcF0UTFm74fudesqhIpwE
+Ugx0NXOcw4YE7j1nh1cV4NCBnzFp8OkHQqoIcox/k81DuJDvu6/eUhUW9fiy+c8/
+m3QUSYWbBnRhoptGhr8jh/LSMcKl8K0QS2atS4oi5C3y7Olimj8Gcf/Kpen9qMnv
+H8/ifghstX4dKRfw/F+HoAF6KUcq/CaY0pis2Xa8KdjNTJY7IMVITJLEcAQ3qEt2
+sTFk1cNouHvdAo3/LxuXiyHcSGaX8MGFuS0a15QEe3kzT04e+74BguljHSJlQbNR
+3qHGRaWQnaQ95Ogxwp9Es0ZP7bftUC9sZo2tfAVlcQvBqm0vbZe67ZN+fjTf9oP2
+yyTgva/sbAk95NDVT3EfTvjZ5Yl/s5ftQxSgIbYcl/tKDadG0iCErnfVwTVy/eLf
+kQ4d5VYKVN5faRz/2HCDNcAxYqsR7/c4wY8dA01Gyc8KwkeOFRg9G9LWlrqTWe6J
+3whkR5ayQNPY+ZI1YlBrL2gDaiNwW5r5QL/b26m8Go7Q778K0sdi+KcsA0NKG0Rk
+njavBtgSitPo47xgjBu5Ag0ES8V89wEQAK0Ic246f6lmME5aZbSuoKc307LCrSHR
+PCT9SyqSECKMiaBetksyh7KUYD5Qiye42Xp77Hvop7bPofQnK3AhkSL0SqplrdSG
+k3slDR103OTMTy29h2Jw91xeRn30oFweg93bn83d80lYmZsG/9sJAxbYn/NGjlA+
+iQ6MSXvvTE1L3BxeYDem1MpvLN9DhaHwsAusncX29nDwaxkUCYU14wsInhCHGTcy
+MKhB3PNFJNgS7hzt5hsT5uJT9lSAEwkfgR3i6uE47zV310O9/YIJ1wl1+0BjL8AK
+1N6ry1zdjMb4Tgn66mXHHIP4gU/xTxDlPJZ1vkBT+sBZrVR2nBkhCJol/LgTXH5p
+z0EcAPUFloIy/R9Nw/FibybrsZhR8WpFojlh32w++7MXwgOzZug2XkvrRx7xE44G
+3BEan11o4eaEiVEoagbsU9zV1MaOtV3mVaDN634IedZn4cpiw2BbtwOjnYPBrwGN
+6cr05TG/NM3PCbP3twKKi5+/7KxRL0Nj22Xs/R4dHW16FMzsdICf+UIRT3SPn9/+
+jPAFHxwMXyUtIxeUrJu52Me14sUD/b8dvNYgRZUulySa7dfGnD0QX3GiJCZslOaR
+YQgEFIsAAti27KAFuIZR3A8F4lBBRiWI2l2CvApen04gHw0Ur30O8bvEHrXnr2FR
+p6TCeYHm4RTTABEBAAGJAiUEGAECAA8FAkvFfPcCGwwFCRLMAwAACgkQrV7bt5Ps
+V+Sing/9H3uP5fzN8+32CwAGdTnMe0ZLqND0CFrH6rQPHRWbta+ofwMLtGxIannV
+h+V9LhLfE1Ua1BNRJX7PsfhwVRIPx/bZGe5stQo6mVW6nqbcOrP82iyG3yxTlija
+YWZE0wUaj+AkXq+2pfXms+k+HSAewSLdOhrurN6CchV+5TXhk0O1Gefk6a4l8U/3
+E7U/EjCqL4ZpjTrOQptyZLDXbE7A4IS3yS/gUYLHUWJKsV0crgZ+zO+3M4bpU9sB
+E6cREbYBsZA9c7T6bdt9jFK/yvF6lKOjh//WxdtUBfkCAfzC1yyJkursP5StN1F7
+bt0H8+Y34vjHP1QSZT//WsvPE4F/JYt8hMX7rl7hBmSvEjBUjYzgBUH2kBv59IyZ
+YxvghTW25KR4lPeT9sp5Z0ZVtesOJKB3pcKEF66L5N38pHQduX6LeN4Ob/q1h4Kh
+vhdDieEnd0j2AjVLhhcmAaLOFmaJaqKkDjVvXatAAHqJ5TpoT805fuvBw0ZoLBvI
+KAM5B9Ht+KrFUXbEDyyib9qwHABRYVkgwSF+KOyft+kr/u4ag33YSp/G9zCvtGSn
+5uEJLpaDSr5uAGf/TYwH71ST1iL07v8MjwKqnCyIzNnvZkybilMunxYWapvF49ZL
+GvgkDpeYCmYLuxKUfvmZ6UULowLBrGmhExt4faYOEB/BuNdI8w6ZAg0EVs7rJwEQ
+AKuAZeqi/WRgVUK/paJfKVw2VHZQFumpRgPptHMbaw0XxGKP4uKHAFfS61za3/zL
+KYwsGlV8n8OCOJG5N5rdTF+bIJ7l6q2o4TFYsiz0EzBhPZNl4XjEsODn7Z6rbZ1i
+qFguKap6AnMFc8/9hZhDFwJBFC8R5cjP8rW9lq/ax78B81Rfmp9iY4vSEHPVdfcN
+HvyEuOCsxSe3YiFVuPc6fzY1yVNYQgTmkeI8Dcl5DQiLcgzABNbpMY4SLBJ8mbDz
+BLUrRaywhZCPHPtTN5xMCl5pEf2lgH/Zaj5VrDtr8+TFwfFVKFzWMp4zIzLBHvfC
+jM+vigeaPzCeg1Fj5Fe3YU3ejuibtsijHg9uL5ZGaRVPcoSmwEt7vgGKX2IncrNO
+vCxwN7gG4/NXiwtc7EWfIa1iRb7y22el8hULTgLC2HTmTqaM25VbbTWAE0x7MDbE
+E8glPrKPMe03sSUSrqrzP/pOgaKPVc89crn8Zfft6CkWeNBGRsykdnoaPlzMGDIn
+8xyTLwpGJChxSLgH8ipu745sodUxx2XCho7iuU0b3BR9PvTOaP12f27+MjJommGV
+N9ki2WiD5DWm4e4G4+e0fYcSl32lg8n8RUKh0YW3BIWxjMdeYc/VpqBPbtCb+tzk
+nJP/6fD9WcTTZlhX2/C18XASLSeZZw0LAMqD2O2oaMiVABEBAAG0Rk5pZ2VsIE1l
+dGhlcmluZ2hhbSAoMjAxNiBLZXkgUmVwbGFjaW5nIFByZXZpb3VzIEtleXMpIDxu
+aWdlbEBleGltLm9yZz6JAj0EEwEKACcFAlbO6ycCGwMFCRLP94AFCwkIBwMFFQoJ
+CAsFFgIDAQACHgECF4AACgkQhbz3rGc1poADpw//ZIccvKPtubHjCNSkbXapl67E
+c8wInOFv/eUKPjO5uYhwR5TjGlVCWuU0peRJIU6n0qsB3b2G2sEuDKVp9uMma89u
+VeLai9uWwaFdeXIQzcOKdhRHH8DhEXmr23U8oPhzmRqvYcQnmfdrihPH3IDIzER1
++BK+/Rghh3+iHUk8y/MN8cu0k25NKp54oDafLyOy+RLMYVXNL0G+I4VYYW1UEoc5
+esOnXWa/F7SMXl7/1qNQWyBTSk35o8vH6bpUzv69ClBK+izygPWt8oZk+BdAcwOS
+ujYtMiK/oNUd25eJGMa1Q8IMR2aU9fZaLfSbg0z274jQWNI6jRzk7cp2R8/3GCGC
+xUZ5g+CSbayfKDpyHidWOTf1TRkMSv+Yg0RbQiu4iHcOOCDPl9L50bmkezlrVWak
+FyNcGOFtsAlud1MgLSwJsiZUfvV2sa0zGztgp2msRE53aei7qC8D6iLylUY7d0S0
+Fh7TnD5MjvoQpKgyBX06bXx1uYTf0+w1GZ7NqYe+lVUTr+r3IpTCNwzdikrLPgOP
+IS9PDBQeNwDyeWR5GJ+xI1K+aZGEeMI2aAT1im9rxmecQokGx6Ylqpbztoqm64ef
+kVNB2VrpsOGNZSQvm2ZLwJp4+ok3jihlb6zcGKqDcy6BwDaQYcuAc8W8IMTo8Mim
+F5ViqvdytkEng1xDQZu5Ag0EVs7rJwEQAMhaTeBpgUtUKhKYAyZldOLIZo1NwEtL
+d/NmOgGYb0nWr9uptNh5GOWSdhYPb9jdFbMZVrjs9PqsgsNWp86jMfLa5b06ZKW2
+2pYMN4vOrwPZ5R1IU0VDw3Bzk6OvQiyPAdUqB4n9MGa4fPzooOGUt8pL6fhfhkk0
+4kwmnk9NpmeR02W+S/jUX1idY+4n3G4lkmEDxwfYmheCgACM3x2s14PJAXG4VEfQ
++BCSnvm4+OfyrL5H0F06xk9uD/hLdu8A9gWXoF/mW0SAQ6UHEjPwiEBFLz6HdVMT
+ZZu4mXl4EhMlmWINZ0sYgoDUEJBHki9M0YXg4Bwv9zdrLXb1oJN+C8wc7aBM8rS8
+t5Z5lhuwUmblADjYsgTBPZokbeXrXPWf3Sndj4+A5SSgrV//rxXNNtqtEFwbbWAZ
+tf/me2GiuMJViu0QFw+M2woG6WCZCBcxjIWp7lsm7n6YKs0Egac7DR4q/tNika4t
+4IYH8QV8aVQdU/3IArtSUPrHn3S8aVoQ19FqDA4AA6q9pp7CG1o5xTNmCyygVdJ2
+jQR3i6ky4ODG1OHNu7KWbsAfowZYmIleZfwWW0jkugeuqZrrulhjXIKZ3xZ0rijq
+uxhhz3Tlr9CHVpR7OagUXTH+lJc02un7ixDe2f/hLd0lV1qcHMIS30rCsFwbd2WQ
+9gthjKxhdLYpABEBAAGJAiUEGAEKAA8FAlbO6ycCGwwFCRLP94AACgkQhbz3rGc1
+poD2Gg/+ODNxjP2HAu+ex+XrtpZ8W1UnP+M+NhT37bJbPFTWozgS/klT3d6p3Icr
+uztDWVNTQPKpXf17OlH/4xIRHTG2bIny7SIFMrzcR3Z9MKaP8zQxZjMWXbTMho31
+/v1+mukUY8STiPBCdBcWqE3gIwqP+6PmE2gpifpICXHSRcVwDUSniqzrk81xeEgd
+3ohG1+r2YyUfubnHxLP2YGZsP6dEe2hzmwbb+s8Tq5ickphgyOomh7D3PqSY8UXq
+GYXP2LmWb2oB8clw4LRkorN/5L0rGekuYYxCMzjs3+RJ4sxDtdG5uay3+zVpt4pK
+tg1WpiXP9GyX7TVqgMIXM61q3NYPWWWcEWUfj7wvNs0R3D3w5lnB4DaXSXtl9UeM
+KRmPGIziRB6LhKbfPkcMDfZiuwqmSzFvKyDviSw5AAL8ofsepBvb8dnJERtWdTdm
+SNDN2aaOqj0rpKnANbmTrYcveC9++MuQKZ+ifsjWsXoHuchGSt5jEMRUS37AipR4
+muGkEzDlAg+DUaD1PzBzeTmZA2Ghq0PH0+Cv9f5TDFvcthovWJDbFwaMhjHYDIET
+UCdHElkmJWMsdthUPj1UfRdPE2qxwcEjFFD86NBrT2r3KnVwLG38tLm31Zgs7euH
+w6MKM5BAM7K2ho0qfhKDSyZXsjN9eBKqdCxMrprdLyRJzStetq0=
+=dOmA
 -----END PGP PUBLIC KEY BLOCK-----
diff -Nru exim4-4.91/debian/watch exim4-4.92~RC4/debian/watch
--- exim4-4.91/debian/watch	2018-07-30 18:35:06.000000000 +0000
+++ exim4-4.92~RC4/debian/watch	2019-01-10 15:41:45.000000000 +0000
@@ -1,3 +1,3 @@
 version=3
-opts=pgpsigurlmangle=s/$/.asc/,uversionmangle=s/_/~/ \
-https://downloads.exim.org/exim4/exim-(\d.*)\.(?:tgz|tar\.(?:gz|bz2|xz))
+opts=pgpsigurlmangle=s/$/.asc/,uversionmangle=s/[_-]/~/g \
+https://downloads.exim.org/exim4/test/exim-(\d.*)\.(?:tgz|tar\.(?:gz|bz2|xz))
diff -Nru exim4-4.91/doc/ChangeLog exim4-4.92~RC4/doc/ChangeLog
--- exim4-4.91/doc/ChangeLog	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/doc/ChangeLog	2018-12-27 13:36:19.000000000 +0000
@@ -5,6 +5,185 @@
 options, and new features, see the NewStuff file next to this ChangeLog.
 
 
+Exim version 4.92
+-----------------
+
+JH/01 Remove code calling the customisable local_scan function, unless a new
+      definition "HAVE_LOCAL_SCAN=yes" is present in the Local/Makefile.
+
+JH/02 Bug 1007: Avoid doing logging from signal-handlers, as that can result in
+      non-signal-safe functions being used.
+
+JH/03 Bug 2269: When presented with a received message having a stupidly large
+      number of DKIM-Signature headers, disable DKIM verification to avoid
+      a resource-consumption attack.  The limit is set at twenty.
+
+JH/04 Add variables $arc_domains, $arc_oldest_pass for ARC verify.  Fix the
+      report of oldest_pass in ${authres } in consequence, and separate out
+      some descriptions of reasons for verification fail.
+
+JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage
+      files in the spool were present and unlocked.  A queue-runner could spot
+      them, resulting in a duplicate delivery.  Fix that by doing the unlock
+      after the unlink.  Investigation by Tim Stewart.  Take the opportunity to
+      add more error-checking on spoolfile handling while that code is being
+      messed with.
+
+PP/01 Refuse to open a spool data file (*-D) if it's a symlink.
+      No known attacks, no CVE, this is defensive hardening.
+
+JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
+      a queue-runner could start a delivery while other operations were ongoing.
+      Cutthrough delivery was a common victim, resulting in duplicate delivery.
+      Found and investigated by Tim Stewart.  Fix by using the open message data
+      file handle rather than opening another, and not locally closing it (which
+      releases a lock) for that case, while creating the temporary .eml format
+      file for the MIME ACL.  Also applies to "regex" and "spam" ACL conditions.
+
+JH/07 Bug 177: Make a random-recipient callout success visible in ACL, by setting
+      $sender_verify_failure/$recipient_verify_failure to "random".
+
+JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
+      legitimate.
+
+JH/09 Bug 2274: Fix logging of cmdline args when starting in an unlinked cwd.
+      Previously this would segfault.
+
+JH/10 Fix ARC signing for case when DKIM signing failed.  Previously this would
+      segfault.
+
+JH/11 Bug 2264: Exim now only follows CNAME chains one step by default. We'd
+      like zero, since the resolver should be doing this for us, But we need one
+      as a CNAME but no MX presence gets the CNAME returned; we need to check
+      that doesn't point to an MX to declare it "no MX returned" rather than
+      "error, loop".  A new main option is added so the older capability of
+      following some limited number of chain links is maintained.
+
+JH/12 Add client-ip info to non-pass iprev ${authres } lines.
+
+JH/13 For receent Openssl versions (1.1 onward) use modern generic protocol
+      methods.  These should support TLS 1.3; they arrived with TLS 1.3 and the
+      now-deprecated earlier definitions used only specified the range up to TLS
+      1.2 (in the older-version library docs).
+
+JH/14 Bug 2284: Fix DKIM signing for body lines starting with a pair of dots.
+
+JH/15 Rework TLS client-side context management.  Stop using a global, and
+      explicitly pass a context around.  This enables future use of TLS for
+      connections to service-daemons (eg. malware scanning) while a client smtp
+      connection is using TLS; with cutthrough connections this is quite likely.
+
+JH/16 Fix ARC verification to do AS checks in reverse order.
+
+JH/17 Support a "tls" option on the ${readsocket } expansion item.
+
+JH/18 Bug 2287: Fix the protocol name (eg utf8esmtp) for multiple messages
+      using the SMTPUTF8 option on their MAIL FROM commands, in one connection.
+      Previously the "utf8" would be re-prepended for every additional message.
+
+JH/19 Reject MAIL FROM commands with SMTPUTF8 when the facility was not advertised.
+      Previously thery were accepted, resulting in issues when attempting to
+      forward messages to a non-supporting MTA.
+
+PP/02 Let -n work with printing macros too, not just options.
+
+JH/20 Bug 2296: Fix cutthrough for >1 address redirection.  Previously only
+      one parent address was copied, and bogus data was used at delivery-logging
+      time.  Either a crash (after delivery) or bogus log data could result.
+      Discovery and analysis by Tim Stewart.
+
+PP/03 Make ${utf8clean:} expansion operator detect incomplete final character.
+      Previously if the string ended mid-character, we did not insert the
+      promised '?' replacement.
+
+PP/04 Documentation: current string operators work on bytes, not codepoints.
+
+JH/21 Change as many as possible of the global flags into one-bit bitfields; these
+      should pack well giving a smaller memory footprint so better caching and
+      therefore performance.  Group the declarations where this can't be done so
+      that the byte-sized flag variables are not interspersed among pointer
+      variables, giving a better chance of good packing by the compiler.
+
+JH/22 Bug 1896: Fix the envelope from for DMARC forensic reports to be possibly
+      non-null, to avoid issues with sites running BATV.  Previously reports were
+      sent with an empty envelope sender so looked like bounces.
+
+JH/23 Bug 2318: Fix the noerror command within filters.  It wasn't working.
+      The ignore_error flag wasn't being returned from the filter subprocess so
+      was not set for later routers.  Investigation and fix by Matthias Kurz.
+
+JH/24 Bug 2310: Raise a msg:fail:internal event for each undelivered recipient,
+      and a msg:complete for the whole, when a message is manually removed using
+      -Mrm.  Developement by Matthias Kurz, hacked on by JH.
+
+JH/25 Avoid fixed-size buffers for pathnames in DB access.  This required using
+      a "Gnu special" function, asprintf() in the DB utility binary builds; I
+      hope that is portable enough.
+
+JH/26 Bug 2311: Fix DANE-TA verification under GnuTLS.  Previously it was also
+      requiring a known-CA anchor certificate; make it now rely entirely on the
+      TLSA as an anchor.  Checking the name on the leaf cert against the name
+      on the A-record for the host is still done for TA (but not for EE mode).
+
+JH/27 Fix logging of proxy address.  Previously, a pointless "PRX=[]:0" would be
+      included in delivery lines for non-proxied connections, when compiled with
+      SUPPORT_SOCKS and running with proxy logging enabled.
+
+JH/28 Bug 2314: Fire msg:fail:delivery event even when error is being ignored.
+      Developement by Matthias Kurz, tweaked by JH.  While in that bit of code,
+      move the existing event to fire before the normal logging of message
+      failure so that custom logging is bracketed by normal logging.
+
+JH/29 Bug 2322: A "fail" command in a non-system filter (file) now fires the
+      msg:fail:internal event.  Developement by Matthias Kurz.
+
+JH/30 Bug 2329: Increase buffer size used for dns lookup from 2k, which was
+      far too small for todays use of crypto signatures stored there.  Go all
+      the way to the max DNS message size of 64kB, even though this might be
+      overmuch for IOT constrained device use.
+
+JH/31 Fix a bad use of a copy function, which could be used to pointlessly
+      copy a string over itself.  The library routine is documented as not
+      supporting overlapping copies, and on MacOS it actually raised a SIGABRT.
+
+JH/32 For main options check_spool_space and check_inode_space, where the
+      platform supports 64b integers, support more than the previous 2^31 kB
+      (i.e. more than 2 TB).  Accept E, P and T multipliers in addition to
+      the previous G, M, k.
+
+JH/33 Bug 2338: Fix the cyrus-sasl authenticator to fill in the
+      $authenticated_fail_id variable on authentication failure.  Previously
+      it was unset.
+
+JH/34 Increase RSA keysize of autogen selfsign cert from 1024 to 2048.  RHEL 8.0
+      OpenSSL didn't want to use such a weak key.  Do for GnuTLS also, and for
+      more-modern GnuTLS move from GNUTLS_SEC_PARAM_LOW to
+      GNUTLS_SEC_PARAM_MEDIUM.
+
+JH/35 OpenSSL: fail the handshake when SNI processing hits a problem, server
+      side.  Previously we would continue as if no SNI had been received.
+
+JH/36 Harden the handling of string-lists.  When a list consisted of a sole
+      "<" character, which should be a list-separator specification, we walked
+      off past the nul-terimation.
+
+JH/37 Bug 2341: Send "message delayed" warning MDNs (restricted to external
+      causes) even when the retry time is not yet met.  Previously they were
+      not, meaning that when (say) an account was over-quota and temp-rejecting,
+      and multiple senders' messages were queued, only one sender would get
+      notified on each configured delay_warning cycle.
+
+JH/38 Bug 2351: Log failures to extract envelope addresses from message headers.
+
+JH/39 OpenSSL: clear the error stack after an SSL_accept().  With anon-auth
+      cipher-suites, an error can be left on the stack even for a succeeding
+      accept; this results in impossible error messages when a later operation
+      actually does fail.
+
+AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they return error
+      codes indicating retry.  Under TLS1.3 this becomes required.
+
+
 Exim version 4.91
 -----------------
 
@@ -371,7 +550,7 @@
       line, the header hash was calculated to an incorrect value thanks to
       the (relaxed) space the fold became.
 
-HS/02 Fix Bug 2130: large writes from the transport subprocess where chunked
+HS/02 Fix Bug 2130: large writes from the transport subprocess were chunked
       and confused the parent.
 
 JH/27 Fix SOCKS bug: an unitialized pointer was deref'd by the transport process
diff -Nru exim4-4.91/doc/dbm.discuss.txt exim4-4.92~RC4/doc/dbm.discuss.txt
--- exim4-4.91/doc/dbm.discuss.txt	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/doc/dbm.discuss.txt	2018-12-27 13:36:19.000000000 +0000
@@ -223,7 +223,7 @@
 Berkeley DB 4.x
 ---------------
 
-The 4.x series is a developement of the 2.x and 3.x series, and the above
+The 4.x series is a development of the 2.x and 3.x series, and the above
 comments apply.
 
 
diff -Nru exim4-4.91/doc/exim.8 exim4-4.92~RC4/doc/exim.8
--- exim4-4.91/doc/exim.8	2018-04-15 13:17:34.000000000 +0000
+++ exim4-4.92~RC4/doc/exim.8	2018-12-27 13:38:26.000000000 +0000
@@ -159,7 +159,7 @@
 test data. A line history is supported.
 .sp
 Long expansion expressions can be split over several lines by using backslash
-continuations. As in Exim's run time configuration, white space at the start of
+continuations. As in Exim's runtime configuration, white space at the start of
 continuation lines is ignored. Each argument or data line is passed through the
 string expansion mechanism, and the result is output. Variable values from the
 configuration file (for example, \fI$qualify_domain\fP) are available, but no
@@ -428,7 +428,7 @@
 If \fBconfig\fP is given as an argument, the config is
 output, as it was parsed, any include file resolved, any comment removed.
 .sp
-If \fBconfig_file\fP is given as an argument, the name of the run time
+If \fBconfig_file\fP is given as an argument, the name of the runtime
 configuration file is output. (\fBconfigure_file\fP works too, for
 backward compatibility.)
 If a list of configuration files was supplied, the value that is output here
@@ -481,13 +481,13 @@
 admin user. However, the \fBqueue_list_requires_admin\fP option can be set false
 to allow any user to see the queue.
 .sp
-Each message on the queue is displayed as in the following example:
+Each message in the queue is displayed as in the following example:
 .sp
   25m  2.9K 0t5C6f\-0000c8\-00 <alice@wonderland.fict.example>
             red.king@looking\-glass.fict.example
             <other addresses>
 .sp
-The first line contains the length of time the message has been on the queue
+The first line contains the length of time the message has been in the queue
 (in this case 25 minutes), the size of the message (2.9K), the unique local
 identifier for the message, and the message sender, as contained in the
 envelope. For bounce messages, the sender address is empty, and appears as
@@ -512,14 +512,14 @@
 of just "D".
 .TP 10
 \fB\-bpc\fP
-This option counts the number of messages on the queue, and writes the total
+This option counts the number of messages in the queue, and writes the total
 to the standard output. It is restricted to admin users, unless
 \fBqueue_list_requires_admin\fP is set false.
 .TP 10
 \fB\-bpr\fP
 This option operates like \fB\-bp\fP, but the output is not sorted into
 chronological order of message arrival. This can speed it up when there are
-lots of messages on the queue, and is particularly useful if the output is
+lots of messages in the queue, and is particularly useful if the output is
 going to be post\-processed in a way that doesn't need the sorting.
 .TP 10
 \fB\-bpra\fP
@@ -658,7 +658,7 @@
 number, and compilation date of the \fIexim\fP binary to the standard output.
 It also lists the DBM library that is being used, the optional modules (such as
 specific lookup types), the drivers that are included in the binary, and the
-name of the run time configuration file that is in use.
+name of the runtime configuration file that is in use.
 .sp
 As part of its operation, \fB\-bV\fP causes Exim to read and syntax check its
 configuration file. However, this is a static check only. It cannot check
@@ -733,10 +733,10 @@
 which the daemon will exit, which should cause inetd to listen once more.
 .TP 10
 \fB\-C\fP <\fIfilelist\fP>
-This option causes Exim to find the run time configuration file from the given
+This option causes Exim to find the runtime configuration file from the given
 list instead of from the list specified by the CONFIGURE_FILE
-compile\-time setting. Usually, the list will consist of just a single file
-name, but it can be a colon\-separated list of names. In this case, the first
+compile\-time setting. Usually, the list will consist of just a single filename,
+but it can be a colon\-separated list of names. In this case, the first
 file that exists is used. Failure to open an existing file stops Exim from
 proceeding any further along the list, and an error is generated.
 .sp
@@ -756,15 +756,15 @@
 running as the Exim user, so when it re\-executes to regain privilege for the
 delivery, the use of \fB\-C\fP causes privilege to be lost. However, root can
 test reception and delivery using two separate commands (one to put a message
-on the queue, using \fB\-odq\fP, and another to do the delivery, using \fB\-M\fP).
+in the queue, using \fB\-odq\fP, and another to do the delivery, using \fB\-M\fP).
 .sp
 If ALT_CONFIG_PREFIX is defined in Local/Makefile, it specifies a
 prefix string with which any file named in a \fB\-C\fP command line option
-must start. In addition, the file name must not contain the sequence /../.
+must start. In addition, the filename must not contain the sequence /../.
 However, if the value of the \fB\-C\fP option is identical to the value of
 CONFIGURE_FILE in Local/Makefile, Exim ignores \fB\-C\fP and proceeds as
 usual. There is no default setting for ALT_CONFIG_PREFIX; when it is
-unset, any file name can be used with \fB\-C\fP.
+unset, any filename can be used with \fB\-C\fP.
 .sp
 ALT_CONFIG_PREFIX can be used to confine alternative configuration files
 to a directory to which only root has access. This prevents someone who has
@@ -842,7 +842,8 @@
   local_scan      can be used by local_scan()
   lookup          general lookup code and all lookups
   memory          memory handling
-  pid             add pid to debug output lines
+  noutf8          modifier: avoid UTF\-8 line\-drawing
+  pid             modifier: add pid to debug output lines
   process_info    setting info for the process log
   queue_run       queue runs
   receive         general message reception logic
@@ -850,7 +851,7 @@
   retry           retry handling
   rewrite         address rewriting
   route           address routing
-  timestamp       add timestamp to debug output lines
+  timestamp       modifier: add timestamp to debug output lines
   tls             TLS logic
   transport       transports
   uid             changes of uid/gid and looking up uid/gid
@@ -879,6 +880,10 @@
 The timestamp selector causes the current time to be inserted at the start
 of all debug output lines. This can be useful when trying to track down delays
 in processing.
+The noutf8 selector disables the use of
+UTF\-8 line\-drawing characters to group related information.
+When disabled. ascii\-art is used instead.
+Using the +all option does not set this modifier,
 .sp
 If the \fBdebug_print\fP option is set in any driver, it produces output whenever
 any debugging is selected, or if \fB\-v\fP is used.
@@ -1066,7 +1071,7 @@
 The arguments give the local address and port being proxied, and the TLS cipher.
 .TP 10
 \fB\-Mc\fP <\fImessage id\fP> <\fImessage id\fP> ...
-This option requests Exim to run a delivery attempt on each message in turn,
+This option requests Exim to run a delivery attempt on each message, in turn,
 but unlike the \fB\-M\fP option, it does check for retry hints, and respects any
 that are found. This option is not very useful to external callers. It is
 provided mainly for internal use by Exim when it needs to re\-invoke itself in
@@ -1121,7 +1126,7 @@
 bounce messages are sent; each message is simply forgotten. However, if any of
 the messages are active, their status is not altered. This option can be used
 only by an admin user or by the user who originally caused the message to be
-placed on the queue.
+placed in the queue.
 .TP 10
 \fB\-Mset\fP <\fImessage id\fP>
 This option is useful only in conjunction with \fB\-be\fP (that is, when testing
@@ -1188,7 +1193,7 @@
 .TP 10
 \fB\-oA\fP <\fIfile name\fP>
 This option is used by Sendmail in conjunction with \fB\-bi\fP to specify an
-alternative alias file name. Exim handles \fB\-bi\fP differently; see the
+alternative alias filename. Exim handles \fB\-bi\fP differently; see the
 description above.
 .TP 10
 \fB\-oB\fP <\fIn\fP>
@@ -1227,7 +1232,7 @@
 false and one of the queueing options in the configuration file is in effect.
 .sp
 If there is a temporary delivery error during foreground delivery, the
-message is left on the queue for later delivery, and the original reception
+message is left in the queue for later delivery, and the original reception
 process exits.
 .TP 10
 \fB\-odi\fP
@@ -1238,7 +1243,7 @@
 This option applies to all modes in which Exim accepts incoming messages,
 including the listening daemon. It specifies that the accepting process should
 not automatically start a delivery process for each message received. Messages
-are placed on the queue, and remain there until a subsequent queue runner
+are placed in the queue, and remain there until a subsequent queue runner
 process encounters them. There are several configuration options (such as
 \fBqueue_only\fP) that can be used to queue incoming messages under certain
 conditions. This option overrides all of them and also \fB\-odqs\fP. It always
@@ -1254,7 +1259,7 @@
 message, in the background by default, but in the foreground if \fB\-odi\fP is
 also present. The recipient addresses are routed, and local deliveries are done
 in the normal way. However, if any SMTP deliveries are required, they are not
-done at this time, so the message remains on the queue until a subsequent queue
+done at this time, so the message remains in the queue until a subsequent queue
 runner process encounters it. Because routing was done, Exim knows which
 messages are waiting for which hosts, and so a number of messages for the same
 host can be sent in a single SMTP connection. The \fBqueue_smtp_domains\fP
@@ -1414,7 +1419,7 @@
 \fB\-oX\fP <\fInumber or string\fP>
 This option is relevant only when the \fB\-bd\fP (start listening daemon) option
 is also given. It controls which ports and interfaces the daemon uses. When \fB\-oX\fP is used to start a daemon, no pid
-file is written unless \fB\-oP\fP is also present to specify a pid file name.
+file is written unless \fB\-oP\fP is also present to specify a pid filename.
 .TP 10
 \fB\-pd\fP
 This option applies when an embedded Perl interpreter is linked with Exim. It overrides the setting of the \fBperl_at_start\fP
@@ -1493,7 +1498,7 @@
 \fB\-q[q]i...\fP
 If the \fIi\fP flag is present, the queue runner runs delivery processes only for
 those messages that haven't previously been tried. (\fIi\fP stands for "initial
-delivery".) This can be helpful if you are putting messages on the queue using
+delivery".) This can be helpful if you are putting messages in the queue using
 \fB\-odq\fP and want a queue runner just to process the new messages.
 .TP 10
 \fB\-q[q][i]f...\fP
@@ -1507,7 +1512,7 @@
 .TP 10
 \fB\-q[q][i][f[f]]l\fP
 The \fIl\fP (the letter "ell") flag specifies that only local deliveries are to
-be done. If a message requires any remote deliveries, it remains on the queue
+be done. If a message requires any remote deliveries, it remains in the queue
 for later delivery.
 .TP 10
 \fB\-q[q][i][f[f]][l][G<name>[/<time>]]]\fP
diff -Nru exim4-4.91/doc/experimental-spec.txt exim4-4.92~RC4/doc/experimental-spec.txt
--- exim4-4.91/doc/experimental-spec.txt	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/doc/experimental-spec.txt	2018-12-27 13:36:19.000000000 +0000
@@ -447,11 +447,19 @@
                     directory of this file is writable by the user
                     exim runs as.
 
-dmarc_forensic_sender The email address to use when sending a
+dmarc_forensic_sender Alternate email address to use when sending a
                     forensic report detailing alignment failures
                     if a sender domain's dmarc record specifies it
                     and you have configured Exim to send them.
-                    Default: do-not-reply@$default_hostname
+
+		    If set, this is expanded and used for the
+		    From: header line; the address is extracted
+		    from it and used for the envelope from.
+		    If not set, the From: header is expanded from
+		    the dsn_from option, and <> is used for the
+		    envelope from.
+
+                    Default: unset.
 
 
 3. By default, the DMARC processing will run for any remote,
@@ -709,6 +717,8 @@
 
 The spool files can then be processed by external processes and then
 requeued into exim spool directories for final delivery.
+However, note carefully the warnings in the main documentation on
+qpool file formats.
 
 The motivation/inspiration for the transport is to allow external
 processes to access email queued by exim and have access to all the
@@ -793,30 +803,63 @@
 	Note that it would be wise to strip incoming messages of A-R headers
 	that claim to be from our own <admd-identifier>.
 
-There are two new variables: $arc_state and $arc_state_reason.
+There are four new variables:
+
+  $arc_state		One of pass, fail, none
+  $arc_state_reason	(if fail, why)
+  $arc_domains		colon-sep list of ARC chain domains, in chain order.
+			problematic elements may have empty list elements
+  $arc_oldest_pass	lowest passing instance number of chain
+
+Example:
+  logwrite = oldest-p-ams: <${reduce {$lh_ARC-Authentication-Results:} \
+				{} \
+				{${if = {$arc_oldest_pass} \
+					{${extract {i}{${extract {1}{;}{$item}}}}} \
+					{$item} {$value}}} \
+			    }>
 
 Receive log lines for an ARC pass will be tagged "ARC".
 
 
 Signing
 --
-arc_sign = <admd-identifier> : <selector> : <privkey>
+arc_sign = <admd-identifier> : <selector> : <privkey> [ : <options> ]
 An option on the smtp transport, which constructs and prepends to the message
 an ARC set of headers.  The textually-first Authentication-Results: header
 is used as a basis (you must have added one on entry to the ADMD).
 Expanded as a whole; if unset, empty or forced-failure then no signing is done.
-If it is set, all three elements must be non-empty.
+If it is set, all of the first three elements must be non-empty.
+
+The fourth element is optional, and if present consists of a comma-separated list
+of options.  The options implemented are
+
+  timestamps    	Add a t= tag to the generated AMS and AS headers, with the
+                	current time.
+  expire[=<val>]	Add an x= tag to the generated AMS header, with an expiry time.
+			If the value <val> is an plain number it is used unchanged.
+			If it starts with a '+' then the following number is added
+                	to the current time, as an offset in seconds.
+			If a value is not given it defaults to a one month offset.
+
+[As of writing, gmail insist that a t= tag on the AS is mandatory]
 
 Caveats:
  * There must be an Authentication-Results header, presumably added by an ACL
    while receiving the message, for the same ADMD, for arc_sign to succeed.
    This requires careful coordination between inbound and outbound logic.
+
+   Only one A-R header is taken account of.  This is a limitation versus
+   the ARC spec (which says that all A-R headers from within the ADMD must
+   be used).
+
  * If passing a message to another system, such as a mailing-list manager
    (MLM), between receipt and sending, be wary of manipulations to headers made
    by the MLM.
    + For instance, Mailman with REMOVE_DKIM_HEADERS==3 might improve
      deliverability in a pre-ARC world, but that option also renames the
      Authentication-Results header, which breaks signing.
+
  * Even if you use multiple DKIM keys for different domains, the ARC concept
    should try to stick to one ADMD, so pick a primary domain and use that for
    AR headers and outbound signing.
@@ -827,6 +870,120 @@
 
 
 
+
+REQUIRETLS support
+------------------
+Ref: https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03
+
+If compiled with EXPERIMENTAL_REQUIRETLS support is included for this
+feature, where a REQUIRETLS option is added to the MAIL command.
+The client may not retry in clear if the MAIL+REQUIRETLS fails (or was never
+offered), and the server accepts an obligation that any onward transmission
+by SMTP of the messages accepted will also use REQUIRETLS - or generate a
+fail DSN.
+
+The Exim implementation includes
+- a main-part option tls_advertise_requiretls; host list, default "*"
+- an observability variable $requiretls returning yes/no
+- an ACL "control = requiretls" modifier for setting the requirement
+- Log lines and Received: headers capitalise the S in the protocol
+  element: "P=esmtpS"
+
+Differences from spec:
+- we support upgrading the requirement for REQUIRETLS, including adding
+  it from cold, within an MTA.  The spec only define the sourcing MUA
+  as being able to source the requirement, and makes no mention of upgrade.
+- No support is coded for the RequireTLS header (which can be used
+  to annul DANE and/or STS policiy). [this can _almost_ be done in
+  transport option expansions, but not quite: it requires tha DANE-present
+  but STARTTLS-failing targets fallback to cleartext, which current DANE
+  coding specifically blocks]
+
+Note that REQUIRETLS is only advertised once a TLS connection is achieved
+(in contrast to STARTTLS).  If you want to check the advertising, do something
+like "swaks -s 127.0.0.1 -tls -q HELO".
+
+
+
+
+Early pipelining support
+------------------------
+Ref: https://datatracker.ietf.org/doc/draft-harris-early-pipe/
+
+If compiled with EXPERIMENTAL_PIPE_CONNECT support is included for this feature.
+The server advertises the feature in its EHLO response, currently using the name
+"X_PIPE_CONNECT" (this will change, some time in the future).
+A client may cache this information, along with the rest of the EHLO response,
+and use it for later connections.  Those later ones can send esmtp commands before
+a banner is received.
+
+Up to 1.5 roundtrip times can be taken out of cleartext connections, 2.5 on
+STARTTLS connections.
+
+In combination with the traditional PIPELINING feature the following example
+sequences are possible (among others):
+
+(client)                (server)
+
+EHLO,MAIL,RCPT,DATA ->
+                     <- banner,EHLO-resp,MAIL-ack,RCPT-ack,DATA-goahead
+message-data        ->
+------
+
+EHLO,MAIL,RCPT,BDAT              ->
+                                  <- banner,EHLO-resp,MAIL-ack,RCPT-ack
+message-data                     ->
+------
+
+EHLO,STARTTLS                     ->
+                                   <- banner,EHLO-resp,TLS-goahead
+TLS1.2-client-hello               ->
+                                   <- TLS-server-hello,cert,hello-done
+client-Kex,change-cipher,finished ->
+                                   <- change-cipher,finshed
+EHLO,MAIL,RCPT,DATA               ->
+                                   <- EHLO-resp,MAIL-ack,RCPT-ack,DATA-goahead
+
+------
+(tls-on-connect)
+TLS1.2-client-hello               ->
+                                   <- TLS-server-hello,cert,hello-done
+client-Kex,change-cipher,finished ->
+                                   <- change-cipher,finshed
+                                   <- banner
+EHLO,MAIL,RCPT,DATA               ->
+                                   <- EHLO-resp,MAIL-ack,RCPT-ack,DATA-goahead
+
+Where the initial client packet is SMTP, it can combine with the TCP Fast Open
+feature and be sent in the TCP SYN.
+
+
+A main-section option "pipelining_connect_advertise_hosts" (default: *)
+and an smtp transport option "hosts_pipe_connect" (default: unset)
+control the feature.
+
+If the "pipelining" log_selector is enabled, the "L" field in server <=
+log lines has a period appended if the feature was advertised but not used;
+or has an asterisk appended if the feature was used.  In client => lines
+the "L" field has an asterisk appended if the feature was used.
+
+The "retry_data_expire" option controls cache invalidation.
+Entries are also rewritten (or cleared) if the adverised features
+change.
+
+
+NOTE: since the EHLO command must be constructed before the connection is
+made it cannot depend on the interface IP address that will be used.
+Transport configurations should be checked for this.  An example avoidance:
+
+ helo_data =	${if def:sending_ip_address \
+		   {${lookup dnsdb{>! ptr=$sending_ip_address} \
+			{${sg{$value} {^([^!]*).*\$} {\$1}}} fail}} \
+		   {$primary_hostname}}
+
+
+
+
 --------------------------------------------------------------
 End of file
 --------------------------------------------------------------
diff -Nru exim4-4.91/doc/filter.txt exim4-4.92~RC4/doc/filter.txt
--- exim4-4.91/doc/filter.txt	2018-04-15 13:17:34.000000000 +0000
+++ exim4-4.92~RC4/doc/filter.txt	2018-12-27 13:38:26.000000000 +0000
@@ -4,7 +4,7 @@
 
 Copyright (c) 2014 University of Cambridge
 
-Revision 4.91  15 Apr 2018 PH
+Revision 4.92-RC4 27 Dez 2018 PH
 
 -------------------------------------------------------------------------------
 
@@ -77,7 +77,7 @@
 
 This document describes the user interfaces to Exim's in-built mail filtering
 facilities, and is copyright (c) University of Cambridge 2014. It corresponds
-to Exim version 4.91.
+to Exim version 4.92-RC4.
 
 
 1.1 Introduction
diff -Nru exim4-4.91/doc/GnuTLS-FAQ.txt exim4-4.92~RC4/doc/GnuTLS-FAQ.txt
--- exim4-4.91/doc/GnuTLS-FAQ.txt	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/doc/GnuTLS-FAQ.txt	2018-12-27 13:36:19.000000000 +0000
@@ -6,7 +6,7 @@
 (3) I'm seeing:
     "(gnutls_handshake): A TLS packet with unexpected length was received"
     Why?
-(4) What's the deal with MD5?
+(4) What's the deal with MD5?  (And SHA-1?)
 (5) What happened to gnutls_require_kx / gnutls_require_mac /
     gnutls_require_protocols?
 (6) What's the deal with tls_dh_max_bits?  What's DH?
@@ -89,8 +89,8 @@
 
 
 
-(4): What's the deal with MD5?
-------------------------------
+(4): What's the deal with MD5?  (And SHA-1?)
+--------------------------------------------
 
 MD5 is a hash algorithm.  Hash algorithms are used to reduce a lot of data
 down to a fairly short value, which is supposed to be extremely hard to
@@ -119,6 +119,10 @@
 revocation protocols.  This is just another of those ongoing costs you have
 already paid for.
 
+The same has happened to SHA-1: there are real-world collision attacks against
+SHA-1, so SHA-1 is mostly defunct in certificates.  GnuTLS no longer supports
+its use in TLS certificates.
+
 
 
 (5): ... gnutls_require_kx / gnutls_require_mac / gnutls_require_protocols?
diff -Nru exim4-4.91/doc/NewStuff exim4-4.92~RC4/doc/NewStuff
--- exim4-4.91/doc/NewStuff	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/doc/NewStuff	2018-12-27 13:36:19.000000000 +0000
@@ -6,6 +6,32 @@
 test from the snapshots or the Git before the documentation is updated. Once
 the documentation is updated, this file is reduced to a short list.
 
+Version 4.92
+--------------
+
+ 1. ${l_header:<name>} and ${l_h:<name>} expansion items, giving a colon-sep
+    list when there are multiple headers having a given name.  This matters
+    when individual headers are wrapped onto multiple lines; with previous
+    facilities hard to parse.
+
+ 2. The ${readsocket } expansion item now takes a "tls" option, doing the
+    obvious thing.
+
+ 3. EXPERIMENTAL_REQUIRETLS and EXPERIMENTAL_PIPE_CONNECT optional build
+    features.  See the experimental.spec file.
+
+ 4. If built with SUPPORT_I18N a "utf8_downconvert" option on the smtp transport.
+
+ 5. A "pipelining" log_selector.
+
+ 6. Builtin macros for supported log_selector and openssl_options values.
+
+ 7. JSON variants of the ${extract } expansion item.
+
+ 8. A "noutf8" debug option, for disabling the UTF-8 characters in debug output.
+
+ 9. TCP Fast Open support on MacOS.
+
 Version 4.91
 --------------
 
@@ -924,7 +950,7 @@
     longest line that was received as part of the message, not counting the
     line termination character(s).
 
- 7. Host lists can now include +ignore_defer and +include_defer, analagous to
+ 7. Host lists can now include +ignore_defer and +include_defer, analogous to
     +ignore_unknown and +include_unknown. These options should be used with
     care, probably only in non-critical host lists such as whitelists.
 
diff -Nru exim4-4.91/doc/openssl.txt exim4-4.92~RC4/doc/openssl.txt
--- exim4-4.91/doc/openssl.txt	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/doc/openssl.txt	2018-12-27 13:36:19.000000000 +0000
@@ -28,6 +28,27 @@
 So this only applies if you build Exim yourself.
 
 
+Insecure versions and ciphers
+-----------------------------
+
+Email delivery to MX hosts is usually done with automatic fallback to
+plaintext if TLS could not be negotiated.  There are good historical reasons
+for this.  You can and should avoid it by using DNSSEC for signing your DNS
+and publishing TLSA records, to enable "DANE" security.  This signals to
+senders that they should be able to verify your certificates, and that they
+should not fallback to cleartext.
+
+In the absence of DANE, trying to increase the security of TLS by removing
+support for older generations of ciphers and protocols will actually _lower_
+the security, because the clients fallback to plaintext and retry anyway.  As
+a result, you should give serious thought to enabling older features which are
+no longer default in OpenSSL.
+
+The examples below explicitly enable ssl3 and weak ciphers.
+
+We don't like this, but reality doesn't care and is messy.
+
+
 Build
 -----
 
@@ -45,7 +66,8 @@
 
     ./config --prefix=/opt/openssl --openssldir=/etc/ssl  \
         -L/opt/openssl/lib -Wl,-R/opt/openssl/lib         \
-        enable-ssl-trace shared
+        enable-ssl-trace shared                           \
+        enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers
     make
     make install
 
diff -Nru exim4-4.91/doc/OptionLists.txt exim4-4.92~RC4/doc/OptionLists.txt
--- exim4-4.91/doc/OptionLists.txt	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/doc/OptionLists.txt	2018-12-27 13:36:19.000000000 +0000
@@ -54,7 +54,7 @@
 acl_smtp_auth                        string*         unset         main              4.00
 acl_smtp_connect                     string*         unset         main              4.11
 acl_smtp_data                        string*         unset         main              4.00
-acl_smtp_data_prdr                   string*         unset         main              4.82 with experimental_prdr
+acl_smtp_data_prdr                   string*         unset         main              4.82 with experimental_prdr, 4.83 unless disable_prdr
 acl_smtp_dkim                        string*         unset         main              4.70 unless disable_dkim
 acl_smtp_etrn                        string*         unset         main              4.00
 acl_smtp_expn                        string*         unset         main              4.00
@@ -169,6 +169,7 @@
 dkim_selector                        string*         unset         smtp              4.70
 dkim_sign_headers                    string*         (RFC4871)     smtp              4.70
 dkim_strict                          string*         unset         smtp              4.70
+dkim_timestamps                      integer*        unset         smtp              4.92
 dkim_verify_signers                  string*         $dkim_signers main              4.70
 directory                            string*         unset         appendfile
 directory_file                       string*         +             appendfile
@@ -182,6 +183,7 @@
 dmarc_tld_file                       string          unset         main              4.82 if experimental_dmarc
 dns_again_means_nonexist             domain list     unset         main              1.89
 dns_check_names_pattern              string          +             main              2.11
+dns_cname_loops                      integer         0             main              4.92 Set to 9 for older behaviour
 dns_csa_search_limit                 integer         5             main              4.60
 dns_csa_use_reverse                  boolean         true          main              4.60
 dns_dnssec_ok                        integer         -1            main              4.82
@@ -298,6 +300,7 @@
 hosts_nopass_tls                     host list       unset         smtp              4.00
 hosts_noproxy_tls                    host list       "*"           smtp              4.90
 hosts_override                       boolean         false         smtp              2.11
+hosts_pipe_connect		     host_list	     unset	   smtp		     4.93 if experimental_pipe_connect
 hosts_randomize                      boolean         false         manualroute       4.00
                                                      false         smtp              3.14
 hosts_require_auth                   host list       unset         smtp              4.00
@@ -410,6 +413,7 @@
 pipe_as_creator                      boolean         false         pipe
 pipe_transport                       string*         unset         redirect          4.00
 pipelining_advertise_hosts           host list       "*"           main              4.14
+pipelining__connect_advertise_hosts  host list       "*"           main              4.92 if experimental_pipe_connect
 port                                 integer         0             iplookup          4.00
                                      string          "smtp"        smtp
 preserve_message_logs                boolean         false         main
@@ -567,6 +571,7 @@
 timeout_frozen_after                 time            0s            main              3.20
 timezone                             string          +             main              3.15
 tls_advertise_hosts                  host list       *             main              3.20
+tls_advertise_requiretls             host list       *             main              4.92 if experimental_requiretls
 tls_certificate                      string*         unset         main              3.20
                                                      unset         smtp              3.20
 tls_dh_max_bits                      integer         2236          main              4.80
@@ -610,6 +615,7 @@
 use_shell                            boolean         false         pipe              1.70
 user                                 string          +             routers           4.00
                                                      unset         transports        4.00 replaces individual options
+utf8_downconvert                     integer         unset         smtp              4.92 if SUPPORT_I18N
 uucp_from_pattern                    string          +             main              1.75
 uucp_from_sender                     string*         "$1"          main              1.75
 verify                               boolean         true          routers           4.00
diff -Nru exim4-4.91/doc/spec.txt exim4-4.92~RC4/doc/spec.txt
--- exim4-4.91/doc/spec.txt	2018-04-15 13:17:33.000000000 +0000
+++ exim4-4.92~RC4/doc/spec.txt	2018-12-27 13:38:26.000000000 +0000
@@ -4,7 +4,7 @@
 
 Copyright (c) 2018 University of Cambridge
 
-Revision 4.91  15 Apr 2018 EM
+Revision 4.92-RC4 27 Dez 2018 EM
 
 -------------------------------------------------------------------------------
 
@@ -13,12 +13,12 @@
 1. Introduction
 
     1.1. Exim documentation
-    1.2. FTP and web sites
+    1.2. FTP site and websites
     1.3. Mailing lists
     1.4. Bug reports
     1.5. Where to find the Exim distribution
     1.6. Limitations
-    1.7. Run time configuration
+    1.7. Runtime configuration
     1.8. Calling interface
     1.9. Terminology
 
@@ -74,7 +74,7 @@
     5.2. Trusted and admin users
     5.3. Command line options
 
-6. The Exim run time configuration file
+6. The Exim runtime configuration file
 
     6.1. Using a different configuration file
     6.2. Configuration file format
@@ -102,13 +102,14 @@
 
 7. The default configuration file
 
-    7.1. Main configuration settings
-    7.2. ACL configuration
-    7.3. Router configuration
-    7.4. Transport configuration
-    7.5. Default retry rule
-    7.6. Rewriting configuration
-    7.7. Authenticators configuration
+    7.1. Macros
+    7.2. Main configuration settings
+    7.3. ACL configuration
+    7.4. Router configuration
+    7.5. Transport configuration
+    7.6. Default retry rule
+    7.7. Rewriting configuration
+    7.8. Authenticators configuration
 
 8. Regular expressions
 9. File and database lookups
@@ -640,7 +641,7 @@
 BSD/OS (aka BSDI), Darwin (Mac OS X), DGUX, Dragonfly, FreeBSD, GNU/Hurd, GNU/
 Linux, HI-OSF (Hitachi), HI-UX, HP-UX, IRIX, MIPS RISCOS, NetBSD, OpenBSD,
 OpenUNIX, QNX, SCO, SCO SVR4.2 (aka UNIX-SV), Solaris (aka SunOS5), SunOS4,
-Tru64-Unix (formerly Digital UNIX, formerly DEC-OSF1), Ultrix, and Unixware.
+Tru64-Unix (formerly Digital UNIX, formerly DEC-OSF1), Ultrix, and UnixWare.
 Some of these operating systems are no longer current and cannot easily be
 tested, so the configuration files may no longer work in practice.
 
@@ -652,11 +653,11 @@
 the file NOTICE. Exim is distributed under the terms of the GNU General Public
 Licence, a copy of which may be found in the file LICENCE.
 
-The use, supply or promotion of Exim for the purpose of sending bulk,
-unsolicited electronic mail is incompatible with the basic aims of the program,
-which revolve around the free provision of a service that enhances the quality
-of personal communications. The author of Exim regards indiscriminate
-mass-mailing as an antisocial, irresponsible abuse of the Internet.
+The use, supply, or promotion of Exim for the purpose of sending bulk,
+unsolicited electronic mail is incompatible with the basic aims of Exim, which
+revolve around the free provision of a service that enhances the quality of
+personal communications. The author of Exim regards indiscriminate mass-mailing
+as an antisocial, irresponsible abuse of the Internet.
 
 Exim owes a great deal to Smail 3 and its author, Ron Karr. Without the
 experience of running and working on the Smail 3 code, I could never have
@@ -673,8 +674,8 @@
 1.1 Exim documentation
 ----------------------
 
-This edition of the Exim specification applies to version 4.91 of Exim.
-Substantive changes from the 4.90 edition are marked in some renditions of the
+This edition of the Exim specification applies to version 4.92-RC4 of Exim.
+Substantive changes from the 4.91 edition are marked in some renditions of this
 document; this paragraph is so marked if the rendition is capable of showing a
 change indicator.
 
@@ -683,16 +684,16 @@
 with general Unix system administration. Although there are some discussions
 and examples in places, the information is mostly organized in a way that makes
 it easy to look up, rather than in a natural order for sequential reading.
-Furthermore, the manual aims to cover every aspect of Exim in detail, including
-a number of rarely-used, special-purpose features that are unlikely to be of
-very wide interest.
+Furthermore, this manual aims to cover every aspect of Exim in detail,
+including a number of rarely-used, special-purpose features that are unlikely
+to be of very wide interest.
 
 An "easier" discussion of Exim which provides more in-depth explanatory,
 introductory, and tutorial material can be found in a book entitled The Exim
-SMTP Mail Server (second edition, 2007), published by UIT Cambridge (http://
+SMTP Mail Server (second edition, 2007), published by UIT Cambridge (https://
 www.uit.co.uk/exim-book/).
 
-This book also contains a chapter that gives a general introduction to SMTP and
+The book also contains a chapter that gives a general introduction to SMTP and
 Internet mail. Inevitably, however, the book is unlikely to be fully up-to-date
 with the latest release of Exim. (Note that the earlier book about Exim,
 published by O'Reilly, covers Exim 3, and many things have changed in Exim 4.)
@@ -702,8 +703,8 @@
 The command man update-exim.conf is another source of Debian-specific
 information.
 
-As the program develops, there may be features in newer versions that have not
-yet made it into this document, which is updated only when the most significant
+As Exim develops, there may be features in newer versions that have not yet
+made it into this document, which is updated only when the most significant
 digit of the fractional part of the version number changes. Specifications of
 new features that are not yet in this manual are placed in the file doc/
 NewStuff in the Exim distribution.
@@ -713,8 +714,8 @@
 they are not documented in this manual. Information about experimental features
 can be found in the file doc/experimental.txt.
 
-All changes to the program (whether new features, bug fixes, or other kinds of
-change) are noted briefly in the file called doc/ChangeLog.
+All changes to Exim (whether new features, bug fixes, or other kinds of change)
+are noted briefly in the file called doc/ChangeLog.
 
 This specification itself is available as an ASCII file in doc/spec.txt so that
 it can easily be searched with a text editor. Other files in the doc directory
@@ -734,27 +735,25 @@
 below tells you how to get hold of these.
 
 
-1.2 FTP and web sites
----------------------
+1.2 FTP site and websites
+-------------------------
 
 The primary site for Exim source distributions is the exim.org FTP site,
 available over HTTPS, HTTP and FTP. These services, and the exim.org website,
 are hosted at the University of Cambridge.
 
-As well as Exim distribution tar files, the Exim web site contains a number of
+As well as Exim distribution tar files, the Exim website contains a number of
 differently formatted versions of the documentation. A recent addition to the
-online information is the Exim wiki (http://wiki.exim.org), which contains what
-used to be a separate FAQ, as well as various other examples, tips, and
-know-how that have been contributed by Exim users.
-
-The wiki site should always redirect to the correct place, which is currently
-provided by GitHub, and is open to editing by anyone with a GitHub account.
+online information is the Exim wiki (https://wiki.exim.org), which contains
+what used to be a separate FAQ, as well as various other examples, tips, and
+know-how that have been contributed by Exim users. The wiki site should always
+redirect to the correct place, which is currently provided by GitHub, and is
+open to editing by anyone with a GitHub account.
 
 An Exim Bugzilla exists at https://bugs.exim.org. You can use this to report
 bugs, and also to add items to the wish list. Please search first to check that
-you are not duplicating a previous entry.
-
-Please do not ask for configuration help in the bug-tracker.
+you are not duplicating a previous entry. Please do not ask for configuration
+help in the bug-tracker.
 
 
 1.3 Mailing lists
@@ -773,9 +772,9 @@
 Debian-specific mailing list pkg-exim4-users@lists.alioth.debian.org via this
 web page:
 
-http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users
+https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-exim4-users
 
-Please ask Debian-specific questions on this list and not on the general Exim
+Please ask Debian-specific questions on that list and not on the general Exim
 lists.
 
 
@@ -819,23 +818,22 @@
 exim-n.nn.tar.bz2
 
 where n.nn is the highest such version number in the directory. The three files
-contain identical data; the only difference is the type of compression.
-
-The .xz file is usually the smallest, while the .gz file is the most portable
-to old systems.
+contain identical data; the only difference is the type of compression. The .xz
+file is usually the smallest, while the .gz file is the most portable to old
+systems.
 
 The distributions will be PGP signed by an individual key of the Release
 Coordinator. This key will have a uid containing an email address in the 
 exim.org domain and will have signatures from other people, including other
 Exim maintainers. We expect that the key will be in the "strong set" of PGP
-keys. There should be a trust path to that key from Nigel Metheringham's PGP
-key, a version of which can be found in the release directory in the file
-nigel-pubkey.asc. All keys used will be available in public keyserver pools,
-such as pool.sks-keyservers.net.
-
-At time of last update, releases were being made by Jeremy Harris and signed
-with key 0xBCE58C8CE41F32DF. Other recent keys used for signing are those of
-Heiko Schlittermann, 0x26101B62F69376CE, and of Phil Pennock, 
+keys. There should be a trust path to that key from the Exim Maintainer's PGP
+keys, a version of which can be found in the release directory in the file
+Exim-Maintainers-Keyring.asc. All keys used will be available in public
+keyserver pools, such as pool.sks-keyservers.net.
+
+At the time of the last update, releases were being made by Jeremy Harris and
+signed with key 0xBCE58C8CE41F32DF. Other recent keys used for signing are
+those of Heiko Schlittermann, 0x26101B62F69376CE, and of Phil Pennock, 
 0x4D1E900E14C1CC04.
 
 The signatures for the tar bundles are in:
@@ -844,9 +842,9 @@
 exim-n.nn.tar.gz.asc
 exim-n.nn.tar.bz2.asc
 
-For each released version, the log of changes is made separately available in a
-separate file in the directory ChangeLogs so that it is possible to find out
-what has changed without having to download the entire distribution.
+For each released version, the log of changes is made available in a separate
+file in the directory ChangeLogs so that it is possible to find out what has
+changed without having to download the entire distribution.
 
 The main distribution contains ASCII versions of this specification and other
 documentation; other formats of the documents are available in separate files
@@ -897,14 +895,14 @@
     straightforward interfaces to a number of common scanners are provided.
 
 
-1.7 Run time configuration
---------------------------
+1.7 Runtime configuration
+-------------------------
 
-Exim's run time configuration is held in a single text file that is divided
-into a number of sections. The entries in this file consist of keywords and
-values, in the style of Smail 3 configuration files. A default configuration
-file which is suitable for simple online installations is provided in the
-distribution, and is described in chapter 7 below.
+Exim's runtime configuration is held in a single text file that is divided into
+a number of sections. The entries in this file consist of keywords and values,
+in the style of Smail 3 configuration files. A default configuration file which
+is suitable for simple online installations is provided in the distribution,
+and is described in chapter 7 below.
 
 
 1.8 Calling interface
@@ -915,13 +913,13 @@
 sending mail, but you do not need to know anything about Sendmail in order to
 run Exim. For actions other than sending messages, Sendmail-compatible options
 also exist, but those that produce output (for example, -bp, which lists the
-messages on the queue) do so in Exim's own format. There are also some
+messages in the queue) do so in Exim's own format. There are also some
 additional options that are compatible with Smail 3, and some further options
 that are new to Exim. Chapter 5 documents all Exim's command line options. This
 information is automatically made into the man page that forms part of the Exim
 distribution.
 
-Control of messages on the queue can be done via certain privileged command
+Control of messages in the queue can be done via certain privileged command
 line options. There is also an optional monitor program called eximon, which
 displays current information in an X window, and which contains a menu
 interface to Exim's command line administration options.
@@ -931,8 +929,8 @@
 ---------------
 
 The body of a message is the actual data that the sender wants to transmit. It
-is the last part of a message, and is separated from the header (see below) by
-a blank line.
+is the last part of a message and is separated from the header (see below) by a
+blank line.
 
 When a message cannot be delivered, it is normally returned to the sender in a
 delivery failure message or a "non-delivery report" (NDR). The term bounce is
@@ -968,9 +966,9 @@
 Long header lines can be split over several text lines by indenting the
 continuations. The header is separated from the body by a blank line.
 
-The term local part, which is taken from RFC 2822, is used to refer to that
-part of an email address that precedes the @ sign. The part that follows the @
-sign is called the domain or mail domain.
+The term local part, which is taken from RFC 2822, is used to refer to the part
+of an email address that precedes the @ sign. The part that follows the @ sign
+is called the domain or mail domain.
 
 The terms local delivery and remote delivery are used to distinguish delivery
 to a file or a pipe on the local host from delivery by SMTP over TCP/IP to
@@ -980,18 +978,18 @@
 Return path is another name that is used for the sender address in a message's
 envelope.
 
-The term queue is used to refer to the set of messages awaiting delivery,
+The term queue is used to refer to the set of messages awaiting delivery
 because this term is in widespread use in the context of MTAs. However, in
-Exim's case the reality is more like a pool than a queue, because there is
+Exim's case, the reality is more like a pool than a queue, because there is
 normally no ordering of waiting messages.
 
 The term queue runner is used to describe a process that scans the queue and
 attempts to deliver those messages whose retry times have come. This term is
-used by other MTAs, and also relates to the command runq, but in Exim the
+used by other MTAs and also relates to the command runq, but in Exim the
 waiting messages are normally processed in an unpredictable order.
 
 The term spool directory is used for a directory in which Exim keeps the
-messages on its queue - that is, those that it is in the process of delivering.
+messages in its queue - that is, those that it is in the process of delivering.
 This should not be confused with the directory in which local mailboxes are
 stored, which is called a "spool directory" by some people. In the Exim
 documentation, "spool" is always used in the first sense.
@@ -1023,9 +1021,9 @@
         Free Software Foundation; either version 2 of the License, or (at your
         option) any later version. This code implements Dan Bernstein's
         Constant DataBase (cdb) spec. Information, the spec and sample code for
-        cdb can be obtained from http://www.pobox.com/~djb/cdb.html. This
-        implementation borrows some code from Dan Bernstein's implementation
-        (which has no license restrictions applied to it).
+        cdb can be obtained from https://cr.yp.to/cdb.html. This implementation
+        borrows some code from Dan Bernstein's implementation (which has no
+        license restrictions applied to it).
 
   * Client support for Microsoft's Secure Password Authentication is provided
     by code contributed by Marc Prud'hommeaux. Server support was contributed
@@ -1067,7 +1065,7 @@
             acknowledgment:
 
             "This product includes software developed by Computing Services at
-            Carnegie Mellon University (http://www.cmu.edu/computing/."
+            Carnegie Mellon University (https://www.cmu.edu/computing/."
 
             CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
             THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
@@ -1112,7 +1110,7 @@
     the distributed source code.
 
   * Many people have contributed code fragments, some large, some small, that
-    were not covered by any specific licence requirements. It is assumed that
+    were not covered by any specific license requirements. It is assumed that
     the contributors are happy to see their code incorporated into Exim under
     the GPL.
 
@@ -1137,9 +1135,9 @@
 ------------------
 
 Policy controls are now an important feature of MTAs that are connected to the
-Internet. Perhaps their most important job is to stop MTAs being abused as
+Internet. Perhaps their most important job is to stop MTAs from being abused as
 "open relays" by misguided individuals who send out vast amounts of unsolicited
-junk, and want to disguise its source. Exim provides flexible facilities for
+junk and want to disguise its source. Exim provides flexible facilities for
 specifying policy controls on incoming mail:
 
   * Exim 4 (unlike previous versions of Exim) implements policy controls on
@@ -1202,7 +1200,7 @@
 encoding numbers in base 62. However, in the Darwin operating system (Mac OS X)
 and when Exim is compiled to run under Cygwin, base 36 (avoiding the use of
 lower case letters) is used instead, because the message id is used to
-construct file names, and the names of files in those systems are not always
+construct filenames, and the names of files in those systems are not always
 case-sensitive.
 
 The detail of the contents of the message id have changed as Exim has evolved.
@@ -1253,8 +1251,8 @@
   * If the process runs Exim with the -bS option, the message is also read
     non-interactively, but in this case the recipients are listed at the start
     of the message in a series of SMTP RCPT commands, terminated by a DATA
-    command. This is so-called "batch SMTP" format, but it isn't really SMTP.
-    The SMTP commands are just another way of passing envelope addresses in a
+    command. This is called "batch SMTP" format, but it isn't really SMTP. The
+    SMTP commands are just another way of passing envelope addresses in a
     non-interactive submission.
 
   * If the process runs Exim with the -bs option, the message is read
@@ -1273,7 +1271,7 @@
 qualification domain (which can be set by the qualify_domain configuration
 option). For local or batch SMTP, a sender address that is passed using the
 SMTP MAIL command is ignored. However, the system administrator may allow
-certain users ("trusted users") to specify a different sender address
+certain users ("trusted users") to specify a different sender addresses
 unconditionally, or all users to specify certain forms of different sender
 address. The -f option or the SMTP MAIL command is used to specify these
 different addresses. See section 5.2 for details of trusted users, and the 
@@ -1281,10 +1279,10 @@
 sender addresses.
 
 Messages received by either of the non-interactive mechanisms are subject to
-checking by the non-SMTP ACL, if one is defined. Messages received using SMTP
-(either over TCP/IP, or interacting with a local process) can be checked by a
+checking by the non-SMTP ACL if one is defined. Messages received using SMTP
+(either over TCP/IP or interacting with a local process) can be checked by a
 number of ACLs that operate at different times during the SMTP session. Either
-individual recipients, or the entire message, can be rejected if local policy
+individual recipients or the entire message can be rejected if local policy
 requirements are not met. The local_scan() function (see chapter 45) is run for
 all incoming messages.
 
@@ -1305,7 +1303,7 @@
 the two spool files consist of the message id, followed by "-H" for the file
 containing the envelope and header, and "-D" for the data file.
 
-By default all these message files are held in a single directory called input
+By default, all these message files are held in a single directory called input
 inside the general Exim spool directory. Some operating systems do not perform
 very well if the number of files in a directory gets large; to improve
 performance in such cases, the split_spool_directory option can be used. This
@@ -1339,7 +1337,7 @@
 A message remains in the spool directory until it is completely delivered to
 its recipients or to an error address, or until it is deleted by an
 administrator or by the user who originally created it. In cases when delivery
-cannot proceed - for example, when a message can neither be delivered to its
+cannot proceed - for example when a message can neither be delivered to its
 recipients nor returned to its sender, the message is marked "frozen" on the
 spool, and no more deliveries are attempted.
 
@@ -1349,13 +1347,13 @@
 
 There are options called ignore_bounce_errors_after and timeout_frozen_after,
 which discard frozen messages after a certain time. The first applies only to
-frozen bounces, the second to any frozen messages.
+frozen bounces, the second to all frozen messages.
 
 While Exim is working on a message, it writes information about each delivery
 attempt to its main log file. This includes successful, unsuccessful, and
 delayed deliveries for each recipient (see chapter 52). The log lines are also
 written to a separate message log file for each message. These logs are solely
-for the benefit of the administrator, and are normally deleted along with the
+for the benefit of the administrator and are normally deleted along with the
 spool files when processing of a message is complete. The use of individual
 message logs can be disabled by setting no_message_logs; this might give an
 improvement in performance on very busy systems.
@@ -1369,11 +1367,11 @@
 Updating the spool file is done by writing a new file and renaming it, to
 minimize the possibility of data loss.
 
-Should the system or the program crash after a successful delivery but before
-the spool file has been updated, the journal is left lying around. The next
-time Exim attempts to deliver the message, it reads the journal file and
-updates the spool file before proceeding. This minimizes the chances of double
-deliveries caused by crashes.
+Should the system or Exim crash after a successful delivery but before the
+spool file has been updated, the journal is left lying around. The next time
+Exim attempts to deliver the message, it reads the journal file and updates the
+spool file before proceeding. This minimizes the chances of double deliveries
+caused by crashes.
 
 
 3.8 Processing an address for delivery
@@ -1382,10 +1380,10 @@
 The main delivery processing elements of Exim are called routers and transports
 , and collectively these are known as drivers. Code for a number of them is
 provided in the source distribution, and compile-time options specify which
-ones are included in the binary. Run time options specify which ones are
+ones are included in the binary. Runtime options specify which ones are
 actually used for delivering messages.
 
-Each driver that is specified in the run time configuration is an instance of
+Each driver that is specified in the runtime configuration is an instance of
 that particular driver type. Multiple instances are allowed; for example, you
 can set up several different smtp transports, each with different option values
 that might specify different ports or different timeouts. Each instance has its
@@ -1418,14 +1416,14 @@
 configuration.
 
 The first router that is specified in a configuration is often one that handles
-addresses in domains that are not recognized specially by the local host. These
-are typically addresses for arbitrary domains on the Internet. A precondition
-is set up which looks for the special domains known to the host (for example,
-its own domain name), and the router is run for addresses that do not match.
-Typically, this is a router that looks up domains in the DNS in order to find
-the hosts to which this address routes. If it succeeds, the address is assigned
-to a suitable SMTP transport; if it does not succeed, the router is configured
-to fail the address.
+addresses in domains that are not recognized specifically by the local host.
+Typically these are addresses for arbitrary domains on the Internet. A
+precondition is set up which looks for the special domains known to the host
+(for example, its own domain name), and the router is run for addresses that do
+not match. Typically, this is a router that looks up domains in the DNS in
+order to find the hosts to which this address routes. If it succeeds, the
+address is assigned to a suitable SMTP transport; if it does not succeed, the
+router is configured to fail the address.
 
 The second router is reached only when the domain is recognized as one that
 "belongs" to the local host. This router does redirection - also known as
@@ -1455,7 +1453,7 @@
 does not affect the way the routers work, but it is a state that can be
 detected. By this means, a router can be skipped or made to behave differently
 when verifying. A common example is a configuration in which the first router
-sends all messages to a message-scanning program, unless they have been
+sends all messages to a message-scanning program unless they have been
 previously scanned. Thus, the first router accepts all addresses without any
 checking, making it useless for verifying. Normally, the no_verify option would
 be set for such a router, causing it to be skipped in verify mode.
@@ -1471,12 +1469,12 @@
 following:
 
   * accept: The router accepts the address, and either assigns it to a
-    transport, or generates one or more "child" addresses. Processing the
-    original address ceases, unless the unseen option is set on the router.
-    This option can be used to set up multiple deliveries with different
-    routing (for example, for keeping archive copies of messages). When unseen
-    is set, the address is passed to the next router. Normally, however, an 
-    accept return marks the end of routing.
+    transport or generates one or more "child" addresses. Processing the
+    original address ceases unless the unseen option is set on the router. This
+    option can be used to set up multiple deliveries with different routing
+    (for example, for keeping archive copies of messages). When unseen is set,
+    the address is passed to the next router. Normally, however, an accept
+    return marks the end of routing.
 
     Any child addresses generated by the router are processed independently,
     starting with the first router by default. It is possible to change this by
@@ -1485,7 +1483,7 @@
     redirect_router may be anywhere in the router configuration.
 
   * pass: The router recognizes the address, but cannot handle it itself. It
-    requests that the address be passed to another router. By default the
+    requests that the address be passed to another router. By default, the
     address is passed to the next router, but this can be changed by setting
     the pass_router option. However, (unlike redirect_router) the named router
     must be below the current router (to avoid loops).
@@ -1525,8 +1523,8 @@
 ------------------------
 
 Once routing is complete, Exim scans the addresses that are assigned to local
-and remote transports, and discards any duplicates that it finds. During this
-check, local parts are treated as case-sensitive. This happens only when
+and remote transports and discards any duplicates that it finds. During this
+check, local parts are treated case-sensitively. This happens only when
 actually delivering a message; when testing routers with -bt, all the routed
 addresses are shown.
 
@@ -1631,7 +1629,7 @@
     condition first_delivery can be used to detect the first run of the system
     filter.
 
-  * Each recipient address is offered to each configured router in turn,
+  * Each recipient address is offered to each configured router, in turn,
     subject to its preconditions, until one is able to handle it. If no router
     can handle the address, that is, if they all decline, the address is
     failed. Because routers can be targeted at particular domains, several
@@ -1702,9 +1700,9 @@
 Exim's mechanism for retrying messages that fail to get delivered at the first
 attempt is the queue runner process. You must either run an Exim daemon that
 uses the -q option with a time interval to start queue runners at regular
-intervals, or use some other means (such as cron) to start them. If you do not
+intervals or use some other means (such as cron) to start them. If you do not
 arrange for queue runners to be run, messages that fail temporarily at the
-first attempt will remain on your queue for ever. A queue runner process works
+first attempt will remain in your queue forever. A queue runner process works
 its way through the queue, one message at a time, trying each delivery that has
 passed its retry time. You can run several queue runners at once.
 
@@ -1766,7 +1764,7 @@
 ----------------------------------------
 
 If a bounce message (either locally generated or received from a remote host)
-itself suffers a permanent delivery failure, the message is left on the queue,
+itself suffers a permanent delivery failure, the message is left in the queue,
 but it is frozen, awaiting the attention of an administrator. There are options
 that can be used to make Exim discard such failed messages, or to keep them for
 only a short time (see timeout_frozen_after and ignore_bounce_errors_after).
@@ -1782,7 +1780,7 @@
 
 Exim is distributed as a gzipped or bzipped tar file which, when unpacked,
 creates a directory with the name of the current release (for example,
-exim-4.91) into which the following files are placed:
+exim-4.92-RC4) into which the following files are placed:
 
     ACKNOWLEDGMENTS contains some acknowledgments
     CHANGES         contains a reference to where changes are documented
@@ -1802,9 +1800,9 @@
     src          remaining source files
     util         independent utilities
 
-The main utility programs are contained in the src directory, and are built
-with the Exim binary. The util directory contains a few optional scripts that
-may be useful to some sites.
+The main utility programs are contained in the src directory and are built with
+the Exim binary. The util directory contains a few optional scripts that may be
+useful to some sites.
 
 
 4.2 Multiple machine architectures and operating systems
@@ -1825,14 +1823,14 @@
 
 Exim no longer has an embedded PCRE library as the vast majority of modern
 systems include PCRE as a system library, although you may need to install the
-PCRE or PCRE development package for your operating system. If your system has
-a normal PCRE installation the Exim build process will need no further
-configuration. If the library or the headers are in an unusual location you
-will need to either set the PCRE_LIBS and INCLUDE directives appropriately, or
-set PCRE_CONFIG=yes to use the installed pcre-config command. If your operating
-system has no PCRE support then you will need to obtain and build the current
-PCRE from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/. More
-information on PCRE is available at http://www.pcre.org/.
+PCRE package or the PCRE development package for your operating system. If your
+system has a normal PCRE installation the Exim build process will need no
+further configuration. If the library or the headers are in an unusual location
+you will need to either set the PCRE_LIBS and INCLUDE directives appropriately,
+or set PCRE_CONFIG=yes to use the installed pcre-config command. If your
+operating system has no PCRE support then you will need to obtain and build the
+current PCRE from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/. More
+information on PCRE is available at https://www.pcre.org/.
 
 
 4.4 DBM libraries
@@ -1865,8 +1863,8 @@
 
  2. The GNU library, gdbm, operates on a single file. If used via its ndbm
     compatibility interface it makes two different hard links to it with names
-    dbmfile.dir and dbmfile.pag, but if used via its native interface, the file
-    name is used unmodified.
+    dbmfile.dir and dbmfile.pag, but if used via its native interface, the
+    filename is used unmodified.
 
  3. The Berkeley DB package, if called via its ndbm compatibility interface,
     operates on a single file called dbmfile.db, but otherwise looks to the
@@ -1878,13 +1876,18 @@
 
  5. To complicate things further, there are several very different versions of
     the Berkeley DB package. Version 1.85 was stable for a very long time,
-    releases 2.x and 3.x were current for a while, but the latest versions are
-    now numbered 4.x. Maintenance of some of the earlier releases has ceased.
-    All versions of Berkeley DB can be obtained from http://www.sleepycat.com/.
-
- 6. Yet another DBM library, called tdb, is available from http://
-    download.sourceforge.net/tdb. It has its own interface, and also operates
-    on a single file.
+    releases 2.x and 3.x were current for a while, but the latest versions when
+    Exim last revamped support were numbered 4.x. Maintenance of some of the
+    earlier releases has ceased. All versions of Berkeley DB could be obtained
+    from http://www.sleepycat.com/, which is now a redirect to their new
+    owner's page with far newer versions listed. It is probably wise to plan to
+    move your storage configurations away from Berkeley DB format, as today
+    there are smaller and simpler alternatives more suited to Exim's usage
+    model.
+
+ 6. Yet another DBM library, called tdb, is available from https://
+    sourceforge.net/projects/tdb/files/. It has its own interface, and also
+    operates on a single file.
 
 Exim and its utilities can be compiled to use any of these interfaces. In order
 to use any version of the Berkeley DB package in native mode, you must set
@@ -1935,17 +1938,17 @@
 then read it and edit it appropriately.
 
 There are three settings that you must supply, because Exim will not build
-without them. They are the location of the run time configuration file
+without them. They are the location of the runtime configuration file
 (CONFIGURE_FILE), the directory in which Exim binaries will be installed
 (BIN_DIRECTORY), and the identity of the Exim user (EXIM_USER and maybe
 EXIM_GROUP as well). The value of CONFIGURE_FILE can in fact be a
-colon-separated list of file names; Exim uses the first of them that exists.
+colon-separated list of filenames; Exim uses the first of them that exists.
 
 There are a few other parameters that can be specified either at build time or
-at run time, to enable the same binary to be used on a number of different
+at runtime, to enable the same binary to be used on a number of different
 machines. However, if the locations of Exim's spool directory and log file
 directory (if not within the spool directory) are fixed, it is recommended that
-you specify them in Local/Makefile instead of at run time, so that errors
+you specify them in Local/Makefile instead of at runtime, so that errors
 detected early in Exim's execution (such as a malformed configuration file) can
 be logged.
 
@@ -1967,8 +1970,8 @@
 This is all the configuration that is needed in straightforward cases for known
 operating systems. However, the building process is set up so that it is easy
 to override options that are set by default or by operating-system-specific
-configuration files, for example to change the name of the C compiler, which
-defaults to gcc. See section 4.13 below for details of how to do this.
+configuration files, for example, to change the C compiler, which defaults to 
+gcc. See section 4.13 below for details of how to do this.
 
 
 4.6 Support for iconv()
@@ -1983,7 +1986,7 @@
 operating system supports the iconv() function.
 
 However, some of the operating systems that supply iconv() do not support very
-many conversions. The GNU libiconv library (available from http://www.gnu.org/
+many conversions. The GNU libiconv library (available from https://www.gnu.org/
 software/libiconv/) can be installed on such systems to remedy this deficiency,
 as well as on systems that do not supply iconv() at all. After installing 
 libiconv, you should add
@@ -2233,7 +2236,7 @@
 lookup types (such as cdb) for which the code is entirely contained within
 Exim, and no external include files or libraries are required. When a lookup
 type is not included in the binary, attempts to configure Exim to use it cause
-run time configuration errors.
+runtime configuration errors.
 
 Many systems now use a tool called pkg-config to encapsulate information about
 how to compile against a library; Exim has some initial support for being able
@@ -2323,8 +2326,8 @@
 OS/eximon.conf-<ostype> file is also optional. The default values in OS/
 eximon.conf-Default can be overridden dynamically by setting environment
 variables of the same name, preceded by EXIMON_. For example, setting
-EXIMON_LOG_DEPTH in the environment overrides the value of LOG_DEPTH at run
-time.
+EXIMON_LOG_DEPTH in the environment overrides the value of LOG_DEPTH at
+runtime.
 
 
 4.16 Installing Exim binaries and scripts
@@ -2341,12 +2344,12 @@
 possible to run Exim without making the binary setuid root (see chapter 55 for
 details).
 
-Exim's run time configuration file is named by the CONFIGURE_FILE setting in
+Exim's runtime configuration file is named by the CONFIGURE_FILE setting in
 Local/Makefile. If this names a single file, and the file does not exist, the
 default configuration file src/configure.default is copied there by the
-installation script. If a run time configuration file already exists, it is
-left alone. If CONFIGURE_FILE is a colon-separated list, naming several
-alternative files, no default is installed.
+installation script. If a runtime configuration file already exists, it is left
+alone. If CONFIGURE_FILE is a colon-separated list, naming several alternative
+files, no default is installed.
 
 One change is made to the default configuration file when it is installed: the
 default configuration contains a router that references a system aliases file.
@@ -2387,10 +2390,10 @@
 For the utility programs, old versions are renamed by adding the suffix .O to
 their names. The Exim binary itself, however, is handled differently. It is
 installed under a name that includes the version number and the compile number,
-for example exim-4.91-1. The script then arranges for a symbolic link called
-exim to point to the binary. If you are updating a previous version of Exim,
-the script takes care to ensure that the name exim is never absent from the
-directory (as seen by other processes).
+for example, exim-4.92-RC4-1. The script then arranges for a symbolic link
+called exim to point to the binary. If you are updating a previous version of
+Exim, the script takes care to ensure that the name exim is never absent from
+the directory (as seen by other processes).
 
 If you want to see what the make install will do before running it for real,
 you can pass the -n option to the installation script by this command:
@@ -2428,7 +2431,7 @@
 
 Not all systems use the GNU info system for documentation, and for this reason,
 the Texinfo source of Exim's documentation is not included in the main
-distribution. Instead it is available separately from the ftp site (see section
+distribution. Instead it is available separately from the FTP site (see section
 1.5).
 
 If you have defined INFO_DIRECTORY in Local/Makefile and the Texinfo source of
@@ -2448,7 +2451,7 @@
 4.19 Testing
 ------------
 
-Having installed Exim, you can check that the run time configuration file is
+Having installed Exim, you can check that the runtime configuration file is
 syntactically valid by running the following command, which assumes that the
 Exim binary directory is within your PATH environment variable:
 
@@ -2515,7 +2518,7 @@
 
 Testing a new version on a system that is already running Exim can most easily
 be done by building a binary with a different CONFIGURE_FILE setting. From
-within the run time configuration, all other file and directory names that Exim
+within the runtime configuration, all other file and directory names that Exim
 uses can be altered, in order to keep it entirely clear of the production
 version.
 
@@ -2775,9 +2778,9 @@
     data. A line history is supported.
 
     Long expansion expressions can be split over several lines by using
-    backslash continuations. As in Exim's run time configuration, white space
-    at the start of continuation lines is ignored. Each argument or data line
-    is passed through the string expansion mechanism, and the result is output.
+    backslash continuations. As in Exim's runtime configuration, white space at
+    the start of continuation lines is ignored. Each argument or data line is
+    passed through the string expansion mechanism, and the result is output.
     Variable values from the configuration file (for example, $qualify_domain)
     are available, but no message-specific values (such as $message_exim_id)
     are set, because no message is being processed (but see -bem and -Mset).
@@ -3057,7 +3060,7 @@
     If config is given as an argument, the config is output, as it was parsed,
     any include file resolved, any comment removed.
 
-    If config_file is given as an argument, the name of the run time
+    If config_file is given as an argument, the name of the runtime
     configuration file is output. (configure_file works too, for backward
     compatibility.) If a list of configuration files was supplied, the value
     that is output here is the name of the file that was actually used.
@@ -3097,10 +3100,8 @@
     If invoked by an admin user, then macro, macro_list and macros are
     available, similarly to the drivers. Because macros are sometimes used for
     storing passwords, this option is restricted. The output format is one item
-    per line.
-
-    For the "-bP macro <name>" form, if no such macro is found the exit status
-    will be nonzero.
+    per line. For the "-bP macro <name>" form, if no such macro is found the
+    exit status will be nonzero.
 
 -bp
 
@@ -3110,13 +3111,13 @@
     an admin user. However, the queue_list_requires_admin option can be set
     false to allow any user to see the queue.
 
-    Each message on the queue is displayed as in the following example:
+    Each message in the queue is displayed as in the following example:
 
     25m  2.9K 0t5C6f-0000c8-00 <alice@wonderland.fict.example>
               red.king@looking-glass.fict.example
               <other addresses>
 
-    The first line contains the length of time the message has been on the
+    The first line contains the length of time the message has been in the
     queue (in this case 25 minutes), the size of the message (2.9K), the unique
     local identifier for the message, and the message sender, as contained in
     the envelope. For bounce messages, the sender address is empty, and appears
@@ -3143,7 +3144,7 @@
 
 -bpc
 
-    This option counts the number of messages on the queue, and writes the
+    This option counts the number of messages in the queue, and writes the
     total to the standard output. It is restricted to admin users, unless 
     queue_list_requires_admin is set false.
 
@@ -3151,7 +3152,7 @@
 
     This option operates like -bp, but the output is not sorted into
     chronological order of message arrival. This can speed it up when there are
-    lots of messages on the queue, and is particularly useful if the output is
+    lots of messages in the queue, and is particularly useful if the output is
     going to be post-processed in a way that doesn't need the sorting.
 
 -bpra
@@ -3299,7 +3300,7 @@
     number, and compilation date of the exim binary to the standard output. It
     also lists the DBM library that is being used, the optional modules (such
     as specific lookup types), the drivers that are included in the binary, and
-    the name of the run time configuration file that is in use.
+    the name of the runtime configuration file that is in use.
 
     As part of its operation, -bV causes Exim to read and syntax check its
     configuration file. However, this is a static check only. It cannot check
@@ -3378,10 +3379,10 @@
 
 -C <filelist>
 
-    This option causes Exim to find the run time configuration file from the
+    This option causes Exim to find the runtime configuration file from the
     given list instead of from the list specified by the CONFIGURE_FILE
-    compile-time setting. Usually, the list will consist of just a single file
-    name, but it can be a colon-separated list of names. In this case, the
+    compile-time setting. Usually, the list will consist of just a single
+    filename, but it can be a colon-separated list of names. In this case, the
     first file that exists is used. Failure to open an existing file stops Exim
     from proceeding any further along the list, and an error is generated.
 
@@ -3401,15 +3402,15 @@
     running as the Exim user, so when it re-executes to regain privilege for
     the delivery, the use of -C causes privilege to be lost. However, root can
     test reception and delivery using two separate commands (one to put a
-    message on the queue, using -odq, and another to do the delivery, using -M
+    message in the queue, using -odq, and another to do the delivery, using -M
     ).
 
     If ALT_CONFIG_PREFIX is defined in Local/Makefile, it specifies a prefix
     string with which any file named in a -C command line option must start. In
-    addition, the file name must not contain the sequence "/../". However, if
+    addition, the filename must not contain the sequence "/../". However, if
     the value of the -C option is identical to the value of CONFIGURE_FILE in
     Local/Makefile, Exim ignores -C and proceeds as usual. There is no default
-    setting for ALT_CONFIG_PREFIX; when it is unset, any file name can be used
+    setting for ALT_CONFIG_PREFIX; when it is unset, any filename can be used
     with -C.
 
     ALT_CONFIG_PREFIX can be used to confine alternative configuration files to
@@ -3491,7 +3492,8 @@
     local_scan      can be used by local_scan() (see chapter 45)
     lookup          general lookup code and all lookups
     memory          memory handling
-    pid             add pid to debug output lines
+    noutf8          modifier: avoid UTF-8 line-drawing
+    pid             modifier: add pid to debug output lines
     process_info    setting info for the process log
     queue_run       queue runs
     receive         general message reception logic
@@ -3499,7 +3501,7 @@
     retry           retry handling
     rewrite         address rewriting
     route           address routing
-    timestamp       add timestamp to debug output lines
+    timestamp       modifier: add timestamp to debug output lines
     tls             TLS logic
     transport       transports
     uid             changes of uid/gid and looking up uid/gid
@@ -3528,6 +3530,10 @@
     start of all debug output lines. This can be useful when trying to track
     down delays in processing.
 
+    The "noutf8" selector disables the use of UTF-8 line-drawing characters to
+    group related information. When disabled. ascii-art is used instead. Using
+    the "+all" option does not set this modifier,
+
     If the debug_print option is set in any driver, it produces output whenever
     any debugging is selected, or if -v is used.
 
@@ -3740,7 +3746,7 @@
 
 -Mc <message id> <message id> ...
 
-    This option requests Exim to run a delivery attempt on each message in
+    This option requests Exim to run a delivery attempt on each message, in
     turn, but unlike the -M option, it does check for retry hints, and respects
     any that are found. This option is not very useful to external callers. It
     is provided mainly for internal use by Exim when it needs to re-invoke
@@ -3801,7 +3807,7 @@
     bounce messages are sent; each message is simply forgotten. However, if any
     of the messages are active, their status is not altered. This option can be
     used only by an admin user or by the user who originally caused the message
-    to be placed on the queue.
+    to be placed in the queue.
 
 -Mset <message id>
 
@@ -3881,7 +3887,7 @@
 -oA <file name>
 
     This option is used by Sendmail in conjunction with -bi to specify an
-    alternative alias file name. Exim handles -bi differently; see the
+    alternative alias filename. Exim handles -bi differently; see the
     description above.
 
 -oB <n>
@@ -3924,7 +3930,7 @@
     effect.
 
     If there is a temporary delivery error during foreground delivery, the
-    message is left on the queue for later delivery, and the original reception
+    message is left in the queue for later delivery, and the original reception
     process exits. See chapter 51 for a way of setting up a restricted
     configuration that never queues messages.
 
@@ -3938,7 +3944,7 @@
     This option applies to all modes in which Exim accepts incoming messages,
     including the listening daemon. It specifies that the accepting process
     should not automatically start a delivery process for each message
-    received. Messages are placed on the queue, and remain there until a
+    received. Messages are placed in the queue, and remain there until a
     subsequent queue runner process encounters them. There are several
     configuration options (such as queue_only) that can be used to queue
     incoming messages under certain conditions. This option overrides all of
@@ -3954,7 +3960,7 @@
     message, in the background by default, but in the foreground if -odi is
     also present. The recipient addresses are routed, and local deliveries are
     done in the normal way. However, if any SMTP deliveries are required, they
-    are not done at this time, so the message remains on the queue until a
+    are not done at this time, so the message remains in the queue until a
     subsequent queue runner process encounters it. Because routing was done,
     Exim knows which messages are waiting for which hosts, and so a number of
     messages for the same host can be sent in a single SMTP connection. The 
@@ -4143,7 +4149,7 @@
     is also given. It controls which ports and interfaces the daemon uses.
     Details of the syntax, and how it interacts with configuration file
     options, are given in chapter 13. When -oX is used to start a daemon, no
-    pid file is written unless -oP is also present to specify a pid file name.
+    pid file is written unless -oP is also present to specify a pid filename.
 
 -pd
 
@@ -4229,7 +4235,7 @@
 
     If the i flag is present, the queue runner runs delivery processes only for
     those messages that haven't previously been tried. (i stands for "initial
-    delivery".) This can be helpful if you are putting messages on the queue
+    delivery".) This can be helpful if you are putting messages in the queue
     using -odq and want a queue runner just to process the new messages.
 
 -q[q][i]f...
@@ -4246,7 +4252,7 @@
 -q[q][i][f[f]]l
 
     The l (the letter "ell") flag specifies that only local deliveries are to
-    be done. If a message requires any remote deliveries, it remains on the
+    be done. If a message requires any remote deliveries, it remains in the
     queue for later delivery.
 
 -q[q][i][f[f]][l][G<name>[/<time>]]]
@@ -4457,9 +4463,9 @@
 
 
 ===============================================================================
-6. THE EXIM RUN TIME CONFIGURATION FILE
+6. THE EXIM RUNTIME CONFIGURATION FILE
 
-Exim uses a single run time configuration file that is read whenever an Exim
+Exim uses a single runtime configuration file that is read whenever an Exim
 binary is executed. Note that in normal operation, this happens frequently,
 because Exim is designed to operate in a distributed manner, without central
 control.
@@ -4474,29 +4480,29 @@
 The name of the configuration file is compiled into the binary for security
 reasons, and is specified by the CONFIGURE_FILE compilation option. In most
 configurations, this specifies a single file. However, it is permitted to give
-a colon-separated list of file names, in which case Exim uses the first
-existing file in the list.
+a colon-separated list of filenames, in which case Exim uses the first existing
+file in the list.
 
-The run time configuration file must be owned by root or by the user that is
+The runtime configuration file must be owned by root or by the user that is
 specified at compile time by the CONFIGURE_OWNER option (if set). The
 configuration file must not be world-writeable, or group-writeable unless its
 group is the root group or the one specified at compile time by the
 CONFIGURE_GROUP option.
 
 Warning: In a conventional configuration, where the Exim binary is setuid to
-root, anybody who is able to edit the run time configuration file has an easy
+root, anybody who is able to edit the runtime configuration file has an easy
 way to run commands as root. If you specify a user or group in the
 CONFIGURE_OWNER or CONFIGURE_GROUP options, then that user and/or any users who
 are members of that group will trivially be able to obtain root privileges.
 
-Up to Exim version 4.72, the run time configuration file was also permitted to
+Up to Exim version 4.72, the runtime configuration file was also permitted to
 be writeable by the Exim user and/or group. That has been changed in Exim 4.73
 since it offered a simple privilege escalation for any attacker who managed to
 compromise the Exim user account.
 
 A default configuration file, which will work correctly in simple situations,
 is provided in the file src/configure.default. If CONFIGURE_FILE defines just
-one file name, the installation process copies the default configuration to a
+one filename, the installation process copies the default configuration to a
 new file of that name if it did not previously exist. If CONFIGURE_FILE is a
 list, no default is automatically installed. Chapter 7 is a "walk-through"
 discussion of the default configuration.
@@ -4522,13 +4528,13 @@
 the caller is root. The reception works, but by that time, Exim is running as
 the Exim user, so when it re-execs to regain privilege for the delivery, the
 use of -C causes privilege to be lost. However, root can test reception and
-delivery using two separate commands (one to put a message on the queue, using 
+delivery using two separate commands (one to put a message in the queue, using 
 -odq, and another to do the delivery, using -M).
 
 If ALT_CONFIG_PREFIX is defined in Local/Makefile, it specifies a prefix string
 with which any file named in a -C command line option must start. In addition,
-the file name must not contain the sequence "/../". There is no default setting
-for ALT_CONFIG_PREFIX; when it is unset, any file name can be used with -C.
+the filename must not contain the sequence "/../". There is no default setting
+for ALT_CONFIG_PREFIX; when it is unset, any filename can be used with -C.
 
 One-off changes to a configuration can be specified by the -D command line
 option, which defines and overrides values for macros used inside the
@@ -4549,10 +4555,10 @@
 Some sites may wish to use the same Exim binary on different machines that
 share a file system, but to use different configuration files on each machine.
 If CONFIGURE_FILE_USE_NODE is defined in Local/Makefile, Exim first looks for a
-file whose name is the configuration file name followed by a dot and the
+file whose name is the configuration filename followed by a dot and the
 machine's node name, as obtained from the uname() function. If this file does
-not exist, the standard name is tried. This processing occurs for each file
-name in the list given by CONFIGURE_FILE or -C.
+not exist, the standard name is tried. This processing occurs for each filename
+in the list given by CONFIGURE_FILE or -C.
 
 In some esoteric situations different versions of Exim may be run under
 different effective uids and the CONFIGURE_FILE_USE_EUID is defined to help
@@ -4627,17 +4633,17 @@
 6.3 File inclusions in the configuration file
 ---------------------------------------------
 
-You can include other files inside Exim's run time configuration file by using
+You can include other files inside Exim's runtime configuration file by using
 this syntax:
 
-.include <file name>
-.include_if_exists <file name>
+.include <filename>
+.include_if_exists <filename>
 
-on a line by itself. Double quotes round the file name are optional. If you use
+on a line by itself. Double quotes round the filename are optional. If you use
 the first form, a configuration error occurs if the file does not exist; the
 second form does nothing for non-existent files. The first form allows a
 relative name. It is resolved relative to the directory of the including file.
-For the second form an absolute file name is required.
+For the second form an absolute filename is required.
 
 Includes may be nested to any depth, but remember that Exim reads its
 configuration file often, so it is a good idea to keep them to a minimum. If
@@ -4681,7 +4687,7 @@
 
 Once a macro is defined, all subsequent lines in the file (and any included
 files) are scanned for the macro name; if there are several macros, the line is
-scanned for each in turn, in the order in which the macros are defined. The
+scanned for each, in turn, in the order in which the macros are defined. The
 replacement text is not re-scanned for the current macro, though it is scanned
 for subsequently defined macros. For this reason, a macro name may not contain
 the name of a previously defined macro as a substring. You could, for example,
@@ -4765,6 +4771,7 @@
  _DRIVER_ROUTER_*             router drivers
  _DRIVER_TRANSPORT_*          transport drivers
  _DRIVER_AUTHENTICATOR_*      authenticator drivers
+ _LOG_*                       log_selector values
  _OPT_MAIN_*                  main config options
  _OPT_ROUTERS_*               generic router options
  _OPT_TRANSPORTS_*            generic transport options
@@ -5152,12 +5159,31 @@
 all in the default configuration.
 
 
-7.1 Main configuration settings
+7.1 Macros
+----------
+
+All macros should be defined before any options.
+
+One macro is specified, but commented out, in the default configuration:
+
+# ROUTER_SMARTHOST=MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
+
+If all off-site mail is expected to be delivered to a "smarthost", then set the
+hostname here and uncomment the macro. This will affect which router is used
+later on. If this is left commented out, then Exim will perform direct-to-MX
+deliveries using a dnslookup router.
+
+In addition to macros defined here, Exim includes a number of built-in macros
+to enable configuration to be guarded by a binary built with support for a
+given feature. See section 6.9 for more details.
+
+
+7.2 Main configuration settings
 -------------------------------
 
-The main (global) configuration option settings must always come first in the
-file. The first thing you'll see in the file, after some initial comments, is
-the line
+The main (global) configuration option settings section must always come first
+in the file, after the macros. The first thing you'll see in the file, after
+some initial comments, is the line
 
 # primary_hostname =
 
@@ -5237,7 +5263,7 @@
 These are example settings that can be used when Exim is compiled with support
 for TLS (aka SSL) as described in section 4.7. The first one specifies the list
 of clients that are allowed to use TLS when connecting to this server; in this
-case the wildcard means all clients. The other options specify where Exim
+case, the wildcard means all clients. The other options specify where Exim
 should find its TLS certificate and private key, which together prove the
 server's identity to any clients that connect. More details are given in
 chapter 42.
@@ -5250,7 +5276,7 @@
 These options provide better support for roaming users who wish to use this
 server for message submission. They are not much use unless you have turned on
 TLS (as described in the previous paragraph) and authentication (about which
-more in section 7.7). Mail submission from mail clients (MUAs) should be
+more in section 7.8). Mail submission from mail clients (MUAs) should be
 separate from inbound mail to your domain (MX delivery) for various good
 reasons (eg, ability to impose much saner TLS protocol and ciphersuite
 requirements without unintended consequences). RFC 6409 (previously 4409)
@@ -5365,7 +5391,7 @@
 timeout_frozen_after = 7d
 
 The first of these options specifies that failing bounce messages are to be
-discarded after 2 days on the queue. The second specifies that any frozen
+discarded after 2 days in the queue. The second specifies that any frozen
 message (whether a bounce message or not) is to be timed out (and discarded)
 after a week. In this configuration, the first setting ensures that no failing
 bounce message ever lasts a week.
@@ -5404,7 +5430,7 @@
 # add_environment = PATH=/usr/bin::/bin
 
 
-7.2 ACL configuration
+7.3 ACL configuration
 ---------------------
 
 In the default configuration, the ACL section follows the main configuration.
@@ -5481,10 +5507,10 @@
 convention of local parts constructed as "
 first-initial.second-initial.family-name" when applied to someone like the
 author of Exim, who has no second initial.) However, a local part starting with
-a dot or containing "/../" can cause trouble if it is used as part of a file
-name (for example, for a mailing list). This is also true for local parts that
-contain slashes. A pipe symbol can also be troublesome if the local part is
-incorporated unthinkingly into a shell command line.
+a dot or containing "/../" can cause trouble if it is used as part of a
+filename (for example, for a mailing list). This is also true for local parts
+that contain slashes. A pipe symbol can also be troublesome if the local part
+is incorporated unthinkingly into a shell command line.
 
 The second rule above applies to all other domains, and is less strict. This
 allows your own users to send outgoing messages to sites that use slashes and
@@ -5537,7 +5563,7 @@
 Submission mode is again specified, on the grounds that such messages are most
 likely to come from MUAs. The default configuration does not define any
 authenticators, though it does include some nearly complete commented-out
-examples described in 7.7. This means that no client can in fact authenticate
+examples described in 7.8. This means that no client can in fact authenticate
 until you complete the authenticator definitions.
 
 require message = relay not permitted
@@ -5608,7 +5634,7 @@
 This final line in the DATA ACL accepts the message unconditionally.
 
 
-7.3 Router configuration
+7.4 Router configuration
 ------------------------
 
 The router configuration comes next in the default configuration, introduced by
@@ -5617,7 +5643,7 @@
 begin routers
 
 Routers are the modules in Exim that make decisions about where to send
-messages. An address is passed to each router in turn, until it is either
+messages. An address is passed to each router, in turn, until it is either
 accepted, or failed. This means that the order in which you define the routers
 matters. Each router is fully described in its own chapter later in this
 manual. Here we give only brief overviews.
@@ -5632,15 +5658,32 @@
 uncomment this router, you also need to uncomment the setting of 
 allow_domain_literals in the main part of the configuration.
 
+Which router is used next depends upon whether or not the ROUTER_SMARTHOST
+macro has been defined, per
+
+.ifdef ROUTER_SMARTHOST
+smarthost:
+#...
+.else
 dnslookup:
-  driver = dnslookup
+#...
+.endif
+
+If ROUTER_SMARTHOST has been defined, either at the top of the file or on the
+command-line, then we route all non-local mail to that smarthost; otherwise,
+we'll perform DNS lookups for direct-to-MX lookup. Any mail which is to a local
+domain will skip these routers because of the domains option.
+
+smarthost:
+  driver = manualroute
   domains = ! +local_domains
-  transport = remote_smtp
-  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+  transport = smarthost_smtp
+  route_data = ROUTER_SMARTHOST
+  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
   no_more
 
-The first uncommented router handles addresses that do not involve any local
-domains. This is specified by the line
+This router only handles mail which is not to any local domains; this is
+specified by the line
 
 domains = ! +local_domains
 
@@ -5651,6 +5694,28 @@
 it is referring to a named list. Addresses in other domains are passed on to
 the following routers.
 
+The name of the router driver is manualroute because we are manually specifying
+how mail should be routed onwards, instead of using DNS MX. While the name of
+this router instance is arbitrary, the driver option must be one of the driver
+modules that is in the Exim binary.
+
+With no pre-conditions other than domains, all mail for non-local domains will
+be handled by this router, and the no_more setting will ensure that no other
+routers will be used for messages matching the pre-conditions. See 3.12 for
+more on how the pre-conditions apply. For messages which are handled by this
+router, we provide a hostname to deliver to in route_data and the macro
+supplies the value; the address is then queued for the smarthost_smtp
+transport.
+
+dnslookup:
+  driver = dnslookup
+  domains = ! +local_domains
+  transport = remote_smtp
+  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+  no_more
+
+The domains option behaves as per smarthost, above.
+
 The name of the router driver is dnslookup, and is specified by the driver
 option. Do not be confused by the fact that the name of this router instance is
 the same as the name of the driver. The instance name is arbitrary, but the
@@ -5777,7 +5842,7 @@
 same purpose as they do for the userforward router.
 
 
-7.4 Transport configuration
+7.5 Transport configuration
 ---------------------------
 
 Transports define mechanisms for actually delivering messages. They operate
@@ -5786,17 +5851,72 @@
 
 begin transports
 
-One remote transport and four local transports are defined.
+Two remote transports and four local transports are defined.
 
 remote_smtp:
   driver = smtp
-  hosts_try_prdr = *
+  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.ifdef _HAVE_DANE
+  dnssec_request_domains = *
+  hosts_try_dane = *
+.endif
 
 This transport is used for delivering messages over SMTP connections. The list
-of remote hosts comes from the router. The hosts_try_prdr option enables an
-efficiency SMTP option. It is negotiated between client and server and not
-expected to cause problems but can be disabled if needed. All other options are
-defaulted.
+of remote hosts comes from the router. The message_size_limit usage is a hack
+to avoid sending on messages with over-long lines. The built-in macro
+_HAVE_DANE guards configuration to try to use DNSSEC for all queries and to use
+DANE for delivery; see section 42.15 for more details.
+
+The other remote transport is used when delivering to a specific smarthost with
+whom there must be some kind of existing relationship, instead of the usual
+federated system.
+
+smarthost_smtp:
+  driver = smtp
+  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+  multi_domain
+  #
+.ifdef _HAVE_TLS
+  # Comment out any of these which you have to, then file a Support
+  # request with your smarthost provider to get things fixed:
+  hosts_require_tls = *
+  tls_verify_hosts = *
+  # As long as tls_verify_hosts is enabled, this won't matter, but if you
+  # have to comment it out then this will at least log whether you succeed
+  # or not:
+  tls_try_verify_hosts = *
+  #
+  # The SNI name should match the name which we'll expect to verify;
+  # many mail systems don't use SNI and this doesn't matter, but if it does,
+  # we need to send a name which the remote site will recognize.
+  # This _should_ be the name which the smarthost operators specified as
+  # the hostname for sending your mail to.
+  tls_sni = ROUTER_SMARTHOST
+  #
+.ifdef _HAVE_OPENSSL
+  tls_require_ciphers = HIGH:!aNULL:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+  tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
+.endif
+.endif
+
+After the same message_size_limit hack, we then specify that this Transport can
+handle messages to multiple domains in one run. The assumption here is that
+you're routing all non-local mail to the same place and that place is happy to
+take all messages from you as quickly as possible. All other options depend
+upon built-in macros; if Exim was built without TLS support then no other
+options are defined. If TLS is available, then we configure "stronger than
+default" TLS ciphersuites and versions using the tls_require_ciphers option,
+where the value to be used depends upon the library providing TLS. Beyond that,
+the options adopt the stance that you should have TLS support available from
+your smarthost on today's Internet, so we turn on requiring TLS for the mail to
+be delivered, and requiring that the certificate be valid, and match the
+expected hostname. The tls_sni option can be used by service providers to
+select an appropriate certificate to present to you and here we re-use the
+ROUTER_SMARTHOST macro, because that is unaffected by CNAMEs present in DNS.
+You want to specify the hostname which you'll expect to validate for, and that
+should not be subject to insecure tampering via DNS results.
 
 local_delivery:
   driver = appendfile
@@ -5844,7 +5964,7 @@
 filter files.
 
 
-7.5 Default retry rule
+7.6 Default retry rule
 ----------------------
 
 The retry section of the configuration file contains rules which affect the way
@@ -5869,7 +5989,7 @@
 temporary errors into permanent errors.
 
 
-7.6 Rewriting configuration
+7.7 Rewriting configuration
 ---------------------------
 
 The rewriting section of the configuration, introduced by
@@ -5880,7 +6000,7 @@
 rewriting rules in the default configuration file.
 
 
-7.7 Authenticators configuration
+7.8 Authenticators configuration
 --------------------------------
 
 The authenticators section of the configuration, introduced by
@@ -5918,7 +6038,7 @@
 LOGIN. The server_advertise_condition setting controls when Exim offers
 authentication to clients; in the examples, this is only when TLS or SSL has
 been started, so to enable the authenticators you also need to add support for
-TLS as described in section 7.1.
+TLS as described in section 7.2.
 
 The server_condition setting defines how to verify that the username and
 password are correct. In the examples it just produces an error message. To
@@ -6093,11 +6213,12 @@
     indexed files that are read frequently and never updated, except by total
     re-creation. As such, it is particularly suitable for large files
     containing aliases or other indexed data referenced by an MTA. Information
-    about cdb can be found in several places:
+    about cdb and tools for building the files can be found in several places:
 
-    http://www.pobox.com/~djb/cdb.html
-    ftp://ftp.corpit.ru/pub/tinycdb/
-    http://packages.debian.org/stable/utils/freecdb.html
+    https://cr.yp.to/cdb.html
+    http://www.corpit.ru/mjt/tinycdb.html
+    https://packages.debian.org/stable/utils/freecdb
+    https://github.com/philpennock/cdbtools (in Go)
 
     A cdb distribution is not needed in order to build Exim with cdb support,
     because the code for reading cdb files is included directly in Exim itself.
@@ -6261,6 +6382,9 @@
     wildlsearch can not be turned into a DBM or cdb file, because those lookup
     types support only literal keys.
 
+  * If Exim is built with SPF support, manual lookups can be done (as opposed
+    to the standard ACL condition method. For details see section 57.4.
+
 
 9.4 Query-style lookup types
 ----------------------------
@@ -6303,7 +6427,7 @@
   * redis: The format of the query is either a simple get or simple set, passed
     to a Redis database. See section 9.21.
 
-  * sqlite: The format of the query is a file name followed by an SQL statement
+  * sqlite: The format of the query is a filename followed by an SQL statement
     that is passed to an SQLite database. See section 9.26.
 
   * testdb: This is a lookup type that is used for testing Exim. It is not
@@ -7249,7 +7373,7 @@
 9.26 More about SQLite
 ----------------------
 
-SQLite is different to the other SQL lookups because a file name is required in
+SQLite is different to the other SQL lookups because a filename is required in
 addition to the SQL query. An SQLite database is a single file, and there is no
 daemon as in the other SQL databases. The interface to Exim requires the name
 of the file, as an absolute path, to be given at the start of the query. It is
@@ -7380,10 +7504,10 @@
 10.3 File names in lists
 ------------------------
 
-If an item in a domain, host, address, or local part list is an absolute file
-name (beginning with a slash character), each line of the file is read and
+If an item in a domain, host, address, or local part list is an absolute
+filename (beginning with a slash character), each line of the file is read and
 processed as if it were an independent item in the list, except that further
-file names are not allowed, and no expansion of the data from the file takes
+filenames are not allowed, and no expansion of the data from the file takes
 place. Empty lines in the file are ignored, and the file may also contain
 comment lines:
 
@@ -7396,13 +7520,13 @@
 
     not#comment@x.y.z   # but this is a comment
 
-Putting a file name in a list has the same effect as inserting each line of the
+Putting a filename in a list has the same effect as inserting each line of the
 file as an item in the list (blank lines and comments excepted). However, there
 is one important difference: the file is read each time the list is processed,
 so if its contents vary over time, Exim's behaviour changes.
 
-If a file name is preceded by an exclamation mark, the sense of any match
-within the file is inverted. For example, if
+If a filename is preceded by an exclamation mark, the sense of any match within
+the file is inverted. For example, if
 
 hold_domains = !/etc/nohold-domains
 
@@ -7427,9 +7551,9 @@
 just as for any other single-key lookup type.
 
 If you want to use a file to contain wild-card patterns that form part of a
-list, just give the file name on its own, without a search type, as described
-in the previous section. You could also use the wildlsearch or nwildlsearch,
-but there is no advantage in doing this.
+list, just give the filename on its own, without a search type, as described in
+the previous section. You could also use the wildlsearch or nwildlsearch, but
+there is no advantage in doing this.
 
 
 10.5 Named lists
@@ -7645,7 +7769,7 @@
 
   * If a pattern starts with the name of a single-key lookup type followed by a
     semicolon (for example, "dbm;" or "lsearch;"), the remainder of the pattern
-    must be a file name in a suitable format for the lookup type. For example,
+    must be a filename in a suitable format for the lookup type. For example,
     for "cdb;" it must be an absolute path:
 
     domains = cdb;/etc/mail/local_domains.cdb
@@ -8266,7 +8390,7 @@
 The domain portion of an address is always lowercased before matching it to an
 address list. The local part is lowercased by default, and any string
 comparisons that take place are done caselessly. This means that the data in
-the address list itself, in files included as plain file names, and in any file
+the address list itself, in files included as plain filenames, and in any file
 that is looked up using the "@@" mechanism, can be in any case. However, the
 keys in files that are looked up by a search type other than lsearch (which
 works caselessly) must be in lower case, because these lookups are not
@@ -8306,7 +8430,7 @@
 ===============================================================================
 11. STRING EXPANSIONS
 
-Many strings in Exim's run time configuration are expanded before use. Some of
+Many strings in Exim's runtime configuration are expanded before use. Some of
 them are expanded every time they are used; others are expanded only once.
 
 When a string is being expanded it is copied verbatim from left to right except
@@ -8374,7 +8498,7 @@
 
 If you want to test expansions that include variables whose values are taken
 from a message, there are two other options that can be used. The -bem option
-is like -be except that it is followed by a file name. The file is read as a
+is like -be except that it is followed by a filename. The file is read as a
 message before doing the test expansions. For example:
 
 exim -bem /tmp/test.message '$h_subject:'
@@ -8625,6 +8749,21 @@
     This forces an expansion failure (see section 11.4); {<string2>} must be
     present for "fail" to be recognized.
 
+${extract json{<key>}{<string1>}{<string2>}{<string3>}}
+
+    The key and <string1> are first expanded separately. Leading and trailing
+    white space is removed from the key (but not from any of the strings). The
+    key must not be empty and must not consist entirely of digits. The expanded
+    <string1> must be of the form:
+
+    { <"key1"> : <value1> ,  <"key2"> , <value2> ... }
+
+    The braces, commas and colons, and the quoting of the member name are
+    required; the spaces are optional. Matching of the key against the member
+    names is done case-sensitively.
+
+    The results of matching are handled as above.
+
 ${extract{<number>}{<separators>}{<string1>}{<string2>}{<string3>}}
 
     The <number> argument must consist entirely of decimal digits, apart from
@@ -8652,6 +8791,14 @@
     yields "99". Two successive separators mean that the field between them is
     empty (for example, the fifth field above).
 
+${extract json{<number>}}{<string1>}{<string2>}{<string3>}}
+
+    The <number> argument must consist entirely of decimal digits, apart from
+    leading and trailing white space, which is ignored.
+
+    Field selection and result handling is as above; there is no choice of
+    field separator.
+
 ${filter{<string>}{<condition>}}
 
     After expansion, <string> is interpreted as a list, colon-separated by
@@ -8696,9 +8843,10 @@
     $hash{4}{62}{monty python}}   yields  fbWx
 
 $header_<header name>: or $h_<header name>:, $bheader_<header name>: or $bh_<
-    header name>:, $rheader_<header name>: or $rh_<header name>:
+    header name>:, $lheader_<header name>: or $lh_<header name>:
 
-    Substitute the contents of the named message header line, for example
+    "$rheader_<header name>: or $rh_<header name>:" Substitute the contents of
+    the named message header line, for example
 
     $header_reply-to:
 
@@ -8706,13 +8854,19 @@
     but internal newlines (caused by splitting the header line over several
     physical lines) may be present.
 
-    The difference between rheader, bheader, and header is in the way the data
+    The difference between the four pairs of expansions is in the way the data
     in the header line is interpreted.
 
       + rheader gives the original "raw" content of the header line, with no
         processing at all, and without the removal of leading and trailing
         white space.
 
+      + lheader gives a colon-separated list, one element per header when there
+        are multiple headers with a given name. Any embedded colon characters
+        within an element are doubled, so normal Exim list-processing
+        facilities can be used. The terminating newline of each element is
+        removed; in other respects the content is "raw".
+
       + bheader removes leading and trailing white space, and then decodes
         base64 or quoted-printable MIME "words" within the header text, but
         does no character set translation. If decoding of what looks
@@ -8812,7 +8966,7 @@
     X-Spam-Scanned: header line. If you know the secret, you can check that
     this header line is authentic by recomputing the authentication code from
     the host name, message ID and the Message-id: header line. This can be done
-    using Exim's -be option, or by other means, for example by using the 
+    using Exim's -be option, or by other means, for example, by using the 
     hmac_md5_hex() function in Perl.
 
 ${if <condition> {<string1>}{<string2>}}
@@ -8856,9 +9010,10 @@
 
     ${length_<n>:<string>}
 
-    The result of this item is either the first <n> characters or the whole of
-    <string2>, whichever is the shorter. Do not confuse length with strlen,
-    which gives the length of a string.
+    The result of this item is either the first <n> bytes or the whole of <
+    string2>, whichever is the shorter. Do not confuse length with strlen,
+    which gives the length of a string. All measurement is done in bytes and is
+    not UTF-8 aware.
 
 ${listextract{<number>}{<string1>}{<string2>}{<string3>}}
 
@@ -9040,8 +9195,8 @@
 
 ${readfile{<file name>}{<eol string>}}
 
-    The file name and end-of-line string are first expanded separately. The
-    file is then read, and its contents replace the entire item. All newline
+    The filename and end-of-line string are first expanded separately. The file
+    is then read, and its contents replace the entire item. All newline
     characters in the file are replaced by the end-of-line string if it is
     present. Otherwise, newlines are left in the string. String expansion is
     not applied to the contents of the file. If you want this, you must wrap
@@ -9081,13 +9236,20 @@
 
     The third argument is a list of options, of which the first element is the
     timeout and must be present if the argument is given. Further elements are
-    options of form name=value. One option type is currently recognised,
-    defining whether (the default) or not a shutdown is done on the connection
-    after sending the request. Example, to not do so (preferred, eg. by some
-    webservers):
+    options of form name=value. Two option types is currently recognised:
+    shutdown and tls. The first defines whether (the default) or not a shutdown
+    is done on the connection after sending the request. Example, to not do so
+    (preferred, eg. by some webservers):
 
     ${readsocket{/socket/name}{request string}{3s:shutdown=no}}
 
+    The second, tls, controls the use of TLS on the connection. Example:
+
+    ${readsocket{/socket/name}{request string}{3s:tls=yes}}
+
+    The default is to not use TLS. If it is enabled, a shutdown as descripbed
+    above is never done.
+
     A fourth argument allows you to change any newlines that are in the data
     that is read, in the same way as for readfile (see above). This example
     turns them into spaces:
@@ -9129,7 +9291,7 @@
     <string1> is interpreted as a list, colon-separated by default, but the
     separator can be changed in the usual way. Then <string2> is expanded and
     assigned to the $value variable. After this, each item in the <string1>
-    list is assigned to $item in turn, and <string3> is expanded for each of
+    list is assigned to $item, in turn, and <string3> is expanded for each of
     them. The result of that expansion is assigned to $value before the next
     iteration. When the end of the list is reached, the final value of $value
     is added to the expansion output. The reduce expansion item can be used in
@@ -9149,7 +9311,7 @@
 $rheader_<header name>: or $rh_<header name>:
 
     This item inserts "raw" header lines. It is described with the header
-    expansion item above.
+    expansion item in section 11.5 above.
 
 ${run{<command> <args>}{<string1>}{<string2>}}
 
@@ -9239,6 +9401,9 @@
     yields "K1=A K4=D K3=C". Note the use of "\N" to protect the contents of
     the regular expression from string expansion.
 
+    The regular expression is compiled in 8-bit mode, working against bytes
+    rather than any Unicode-aware character handling.
+
 ${sort{<string>}{<comparator>}{<extractor>}}
 
     After expansion, <string> is interpreted as a list, colon-separated by
@@ -9284,10 +9449,10 @@
     If the starting offset is greater than the string length the result is the
     null string; if the length plus starting offset is greater than the string
     length, the result is the right-hand part of the string, starting from the
-    given offset. The first character in the string has offset zero.
+    given offset. The first byte (character) in the string has offset zero.
 
     The substr expansion item can take negative offset values to count from the
-    right-hand end of its operand. The last character is offset -1, the
+    right-hand end of its operand. The last byte (character) is offset -1, the
     second-last is offset -2, and so on. Thus, for example,
 
     ${substr{-5}{2}{1234567}}
@@ -9305,21 +9470,24 @@
     yields "1".
 
     When the second number is omitted from substr, the remainder of the string
-    is taken if the offset is positive. If it is negative, all characters in
-    the string preceding the offset point are taken. For example, an offset of
-    -1 and no length, as in these semantically identical examples:
+    is taken if the offset is positive. If it is negative, all bytes
+    (characters) in the string preceding the offset point are taken. For
+    example, an offset of -1 and no length, as in these semantically identical
+    examples:
 
     ${substr_-1:abcde}
     ${substr{-1}{abcde}}
 
     yields all but the last character of the string, that is, "abcd".
 
+    All measurement is done in bytes and is not UTF-8 aware.
+
 ${tr{<subject>}{<characters>}{<replacements>}}
 
-    This item does single-character translation on its subject string. The
-    second argument is a list of characters to be translated in the subject
-    string. Each matching character is replaced by the corresponding character
-    from the replacement list. For example
+    This item does single-character (in bytes) translation on its subject
+    string. The second argument is a list of characters to be translated in the
+    subject string. Each matching character is replaced by the corresponding
+    character from the replacement list. For example
 
     ${tr{abcdea}{ac}{13}}
 
@@ -9328,6 +9496,8 @@
     second, its last character is replicated. However, if it is empty, no
     translation takes place.
 
+    All character handling is done in bytes and is not UTF-8 aware.
+
 
 11.6 Expansion operators
 ------------------------
@@ -9343,6 +9513,8 @@
     header line, and the effective address is extracted from it. If the string
     does not parse successfully, the result is empty.
 
+    The parsing correctly handles SMTPUTF8 Unicode in the string.
+
 ${addresses:<string>}
 
     The string (after expansion) is interpreted as a list of addresses in RFC
@@ -9382,7 +9554,7 @@
     "=2C". The second example below is passed the contents of "$header_from:",
     meaning it gets de-mimed. Exim sees the decoded "," so it treats it as two
     email addresses. The third example shows that the presence of a comma is
-    skipped when it is quoted.
+    skipped when it is quoted. The fourth example shows SMTPUTF8 handling.
 
     # exim -be '${addresses:From: \
     =?iso-8859-2?Q?Last=2C_First?= <user@example.com>}'
@@ -9391,6 +9563,8 @@
     Last:user@example.com
     # exim -be '${addresses:From: "Last, First" <user@example.com>}'
     user@example.com
+    # exim -be '${addresses:?????? <??????????@example.jp>}'
+    ??????????@example.jp
 
 ${base32:<digits>}
 
@@ -9409,7 +9583,7 @@
     to base 62 and output as a string of six characters, including leading
     zeros. In the few operating environments where Exim uses base 36 instead of
     base 62 for its message identifiers (because those systems do not have
-    case-sensitive file names), base 36 is used by this operator, despite its
+    case-sensitive filenames), base 36 is used by this operator, despite its
     name. Note: Just to be absolutely clear: this is not base64 encoding.
 
 ${base62d:<base-62 digits>}
@@ -9549,15 +9723,14 @@
 ${hex2b64:<hexstring>}
 
     This operator converts a hex string into one that is base64 encoded. This
-    can be useful for processing the output of the MD5 and SHA-1 hashing
-    functions.
+    can be useful for processing the output of the various hashing functions.
 
 ${hexquote:<string>}
 
     This operator converts non-printable characters in a string into a hex
     escape form. Byte values between 33 (!) and 126 (~) inclusive are left as
-    is, and other byte values are converted to "\xNN", for example a byte value
-    127 is converted to "\x7f".
+    is, and other byte values are converted to "\xNN", for example, a byte
+    value 127 is converted to "\x7f".
 
 ${ipv6denorm:<string>}
 
@@ -9579,6 +9752,8 @@
 
     ${lc:$local_part}
 
+    Case is defined per the system C locale.
+
 ${length_<number>:<string>}
 
     The length operator is a simpler interface to the length function that can
@@ -9589,7 +9764,8 @@
 
     See the description of the general length item above for details. Note that
     length is not the same as strlen. The abbreviation l can be used when 
-    length is used as an operator.
+    length is used as an operator. All measurement is done in bytes and is not
+    UTF-8 aware.
 
 ${listcount:<string>}
 
@@ -9608,7 +9784,7 @@
 
     The string is interpreted as an RFC 2822 address and the local part is
     extracted from it. If the string does not parse successfully, the result is
-    empty.
+    empty. The parsing correctly handles SMTPUTF8 Unicode in the string.
 
 ${mask:<IP address>/<bit count>}
 
@@ -9676,6 +9852,10 @@
     you are creating a new email address from the contents of $local_part (or
     any other unknown data), you should always use this operator.
 
+    This quoting determination is not SMTPUTF8-aware, thus quoting non-ASCII
+    data will likely use the quoting form. Thus ${quote_local_part:??????} will
+    always become "??????".
+
 ${quote_<lookup-type>:<string>}
 
     This operator applies lookup-specific quoting rules to the string. Each
@@ -9778,10 +9958,8 @@
     default.
 
     The sha3 expansion item is only supported if Exim has been compiled with
-    GnuTLS 3.5.0 or later,
-
-    or OpenSSL 1.1.1 or later. The macro "_CRYPTO_HASH_SHA3" will be defined if
-    it is supported.
+    GnuTLS 3.5.0 or later, or OpenSSL 1.1.1 or later. The macro
+    "_CRYPTO_HASH_SHA3" will be defined if it is supported.
 
 ${stat:<string>}
 
@@ -9806,7 +9984,8 @@
 ${strlen:<string>}
 
     The item is replace by the length of the expanded string, expressed as a
-    decimal number. Note: Do not confuse strlen with length.
+    decimal number. Note: Do not confuse strlen with length. All measurement is
+    done in bytes and is not UTF-8 aware.
 
 ${substr_<start>_<length>:<string>}
 
@@ -9817,7 +9996,8 @@
     ${substr{<start>}{<length>}{<string>}}
 
     See the description of the general substr item above for details. The
-    abbreviation s can be used when substr is used as an operator.
+    abbreviation s can be used when substr is used as an operator. All
+    measurement is done in bytes and is not UTF-8 aware.
 
 ${time_eval:<string>}
 
@@ -9833,13 +10013,27 @@
 
 ${uc:<string>}
 
-    This forces the letters in the string into upper-case.
+    This forces the letters in the string into upper-case. Case is defined per
+    the system C locale.
 
 ${utf8clean:<string>}
 
     This replaces any invalid utf-8 sequence in the string by the character "?
     ".
 
+    In versions of Exim before 4.92, this did not correctly do so for a
+    truncated final codepoint's encoding, and the character would be silently
+    dropped. If you must handle detection of this scenario across both sets of
+    Exim behavior, the complexity will depend upon the task. For instance, to
+    detect if the first character is multibyte and a 1-byte extraction can be
+    successfully used as a path component (as is common for dividing up
+    delivery folders), you might use:
+
+    condition = ${if inlist{${utf8clean:${length_1:$local_part}}}{:?}{yes}{no}}
+
+    (which will false-positive if the first character of the local part is a
+    literal question mark).
+
 ${utf8_domain_to_alabel:<string>}, ${utf8_domain_from_alabel:<string>}, $
     {utf8_localpart_to_alabel:<string>}, ${utf8_localpart_from_alabel:<string>}
 
@@ -10019,7 +10213,8 @@
 
     The two substrings are first expanded. The condition is true if the two
     resulting strings are identical. For eq the comparison includes the case of
-    letters, whereas for eqi the comparison is case-independent.
+    letters, whereas for eqi the comparison is case-independent, where case is
+    defined per the system C locale.
 
 exists {<file name>}
 
@@ -10068,20 +10263,23 @@
     The two substrings are first expanded. The condition is true if the first
     string is lexically greater than or equal to the second string. For ge the
     comparison includes the case of letters, whereas for gei the comparison is
-    case-independent.
+    case-independent. Case and collation order are defined per the system C
+    locale.
 
 gt {<string1>}{<string2>}, gti {<string1>}{<string2>}
 
     The two substrings are first expanded. The condition is true if the first
     string is lexically greater than the second string. For gt the comparison
     includes the case of letters, whereas for gti the comparison is
-    case-independent.
+    case-independent. Case and collation order are defined per the system C
+    locale.
 
 inlist {<string1>}{<string2>}, inlisti {<string1>}{<string2>}
 
     Both strings are expanded; the second string is treated as a list of simple
     strings; if the first string is a member of the second, then the condition
-    is true.
+    is true. For the case-independent inlisti condition, case is defined per
+    the system C locale.
 
     These are simpler to use versions of the more powerful forany condition.
     Examples, and the forany equivalents:
@@ -10132,14 +10330,16 @@
     The two substrings are first expanded. The condition is true if the first
     string is lexically less than or equal to the second string. For le the
     comparison includes the case of letters, whereas for lei the comparison is
-    case-independent.
+    case-independent. Case and collation order are defined per the system C
+    locale.
 
 lt {<string1>}{<string2>}, lti {<string1>}{<string2>}
 
     The two substrings are first expanded. The condition is true if the first
     string is lexically less than the second string. For lt the comparison
     includes the case of letters, whereas for lti the comparison is
-    case-independent.
+    case-independent. Case and collation order are defined per the system C
+    locale.
 
 match {<string1>}{<string2>}
 
@@ -10162,7 +10362,8 @@
     there is no circumflex, the expression is not anchored, and it may match
     anywhere in the subject, not just at the start. If you want the pattern to
     match at the end of the subject, you must include the "$" metacharacter at
-    an appropriate point.
+    an appropriate point. All character handling is done in bytes and is not
+    UTF-8 aware, but we might change this in a future Exim release.
 
     At the start of an if expansion the values of the numeric variable
     substitutions $1 etc. are remembered. Obeying a match condition that
@@ -10262,11 +10463,11 @@
 
 pam {<string1>:<string2>:...}
 
-    Pluggable Authentication Modules (http://www.kernel.org/pub/linux/libs/pam/
-    ) are a facility that is available in the latest releases of Solaris and in
-    some GNU/Linux distributions. The Exim support, which is intended for use
-    in conjunction with the SMTP AUTH command, is available only if Exim is
-    compiled with
+    Pluggable Authentication Modules (https://mirrors.edge.kernel.org/pub/linux
+    /libs/pam/) are a facility that is available in the latest releases of
+    Solaris and in some GNU/Linux distributions. The Exim support, which is
+    intended for use in conjunction with the SMTP AUTH command, is available
+    only if Exim is compiled with
 
     SUPPORT_PAM=yes
 
@@ -10297,11 +10498,7 @@
     In some operating systems, PAM authentication can be done only from a
     process running as root. Since Exim is running as the Exim user when
     receiving messages, this means that PAM cannot be used directly in those
-    systems. A patched version of the pam_unix module that comes with the Linux
-    PAM package is available from http://www.e-admin.de/pam_exim/. The patched
-    module allows one special uid/gid combination, in addition to root, to
-    authenticate. If you build the patched module to allow the Exim user and
-    group, PAM can then be used from an Exim authenticator.
+    systems.
 
 pwcheck {<string1>:<string2>}
 
@@ -10549,10 +10746,8 @@
     When a message is submitted locally (that is, not over a TCP connection)
     the value of $authenticated_id is normally the login name of the calling
     process. However, a trusted user can override this by means of the -oMai
-    command line option.
-
-    This second case also sets up inforamtion used by the $authresults
-    expansion item.
+    command line option. This second case also sets up information used by the
+    $authresults expansion item.
 
 $authenticated_fail_id
 
@@ -10642,7 +10837,7 @@
 
     The building process for Exim keeps a count of the number of times it has
     been compiled. This serves to distinguish different compilations of the
-    same version of the program.
+    same version of Exim.
 
 $config_dir
 
@@ -10765,7 +10960,8 @@
     This is not strictly an expansion variable. It is expansion syntax for
     inserting the message header line with the given name. Note that the name
     must be terminated by colon or white space, because it may contain a wide
-    variety of characters. Note also that braces must not be used.
+    variety of characters. Note also that braces must not be used. See the full
+    description in section 11.5 above.
 
 $headers_added
 
@@ -10916,7 +11112,7 @@
 
     When a message is being delivered to a file, pipe, or autoreply transport
     as a result of aliasing or forwarding, $local_part is set to the local part
-    of the parent address, not to the file name or command (see $address_file
+    of the parent address, not to the filename or command (see $address_file
     and $address_pipe).
 
     When an ACL is running for a RCPT command, $local_part contains the local
@@ -11310,7 +11506,7 @@
     line option.
 
     As well as being useful in ACLs (including the "connect" ACL), these
-    variable could be used, for example, to make the file name for a TLS
+    variable could be used, for example, to make the filename for a TLS
     certificate depend on which interface and/or port is being used for the
     incoming connection. The values of $received_ip_address and $received_port
     are saved with any messages that are received, thus making these variables
@@ -12422,7 +12618,7 @@
 ===============================================================================
 14. MAIN CONFIGURATION
 
-The first part of the run time configuration file contains three types of item:
+The first part of the runtime configuration file contains three types of item:
 
   * Macro definitions: These lines start with an upper case letter. See section
     6.4 for details of macro processing.
@@ -12615,6 +12811,7 @@
 acl_smtp_vrfy          ACL for VRFY
 av_scanner             specify virus scanner
 check_rfc2047_length   check length of RFC 2047 "encoded words"
+dns_cname_loops        follow CNAMEs returned by resolver
 dns_csa_search_limit   control CSA parent search depth
 dns_csa_use_reverse    en/disable CSA IP reverse search
 header_maxsize         total size of message header
@@ -12852,7 +13049,7 @@
 defaults to true. A more detailed analysis of the issues is provided by Dan
 Bernstein:
 
-http://cr.yp.to/smtp/8bitmime.html
+https://cr.yp.to/smtp/8bitmime.html
 
 To log received 8BITMIME status use
 
@@ -13397,7 +13594,7 @@
 intervals specified by this option. The data is a colon-separated list of times
 after which to send warning messages. If the value of the option is an empty
 string or a zero time, no warnings are sent. Up to 10 times may be given. If a
-message has been on the queue for longer than the last time, the last interval
+message has been in the queue for longer than the last time, the last interval
 between the times is used to compute subsequent warning times. For example,
 with
 
@@ -13563,6 +13760,17 @@
 reversed and looked up in the reverse DNS, as described in more detail in
 section 43.50.
 
++--------------------------------------------------+
+|dns_cname_loops|Use: main|Type: integer|Default: 1|
++--------------------------------------------------+
+
+This option controls the following of CNAME chains, needed if the resolver does
+not do it internally. As of 2018 most should, and the default can be left. If
+you have an ancient one, a value of 10 is likely needed.
+
+The default value of one CNAME-follow is needed thanks to the observed return
+for an MX request, given no MX presence but a CNAME to an A, of the CNAME.
+
 +-------------------------------------------------+
 |dns_dnssec_ok|Use: main|Type: integer|Default: -1|
 +-------------------------------------------------+
@@ -13873,11 +14081,14 @@
 server. This reduces security slightly, but improves interworking with older
 implementations of TLS.
 
-option gnutls_allow_auto_pkcs11 main boolean unset This option will let GnuTLS
-(2.12.0 or later) autoload PKCS11 modules with the p11-kit configuration files
-in /etc/pkcs11/modules/.
++---------------------------------------------------------------+
+|gnutls_allow_auto_pkcs11|Use: main|Type: boolean|Default: unset|
++---------------------------------------------------------------+
+
+This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with the
+p11-kit configuration files in /etc/pkcs11/modules/.
 
-See http://www.gnutls.org/manual/gnutls.html#Smart-cards-and-HSMs for
+See https://www.gnutls.org/manual/gnutls.html#Smart-cards-and-HSMs for
 documentation.
 
 +---------------------------------------------------------+
@@ -13986,7 +14197,7 @@
 |hold_domains|Use: main|Type: domain list*|Default: unset|
 +--------------------------------------------------------+
 
-This option allows mail for particular domains to be held on the queue
+This option allows mail for particular domains to be held in the queue
 manually. The option is overridden if a message delivery is forced with the -M,
 -qf, -Rf or -Sf options, and also while testing or verifying addresses using 
 -bt or -bv. Otherwise, if a domain matches an item in hold_domains, no routing
@@ -14116,7 +14327,7 @@
 
 After a permanent delivery failure, bounce messages are frozen, because there
 is no sender to whom they can be returned. When a frozen bounce message has
-been on the queue for more than the given time, it is unfrozen at the next
+been in the queue for more than the given time, it is unfrozen at the next
 queue run, and a further delivery is attempted. If delivery fails again, the
 bounce message is discarded. This makes it possible to keep failed bounce
 messages around for a shorter time than the normal maximum retry time for
@@ -14383,16 +14594,15 @@
 This option sets the path which is used to determine the names of Exim's log
 files, or indicates that logging is to be to syslog, or both. It is expanded
 when Exim is entered, so it can, for example, contain a reference to the host
-name. If no specific path is set for the log files at compile or run time, or
-if the option is unset at run time (i.e. "log_file_path = ") they are written
-in a sub-directory called log in Exim's spool directory. Chapter 52 contains
-further details about Exim's logging, and section 52.1 describes how the
-contents of log_file_path are used. If this string is fixed at your
-installation (contains no expansion variables) it is recommended that you do
-not set this option in the configuration file, but instead supply the path
-using LOG_FILE_PATH in Local/Makefile so that it is available to Exim for
-logging errors detected early on - in particular, failure to read the
-configuration file.
+name. If no specific path is set for the log files at compile or runtime, or if
+the option is unset at runtime (i.e. "log_file_path = ") they are written in a
+sub-directory called log in Exim's spool directory. Chapter 52 contains further
+details about Exim's logging, and section 52.1 describes how the contents of 
+log_file_path are used. If this string is fixed at your installation (contains
+no expansion variables) it is recommended that you do not set this option in
+the configuration file, but instead supply the path using LOG_FILE_PATH in
+Local/Makefile so that it is available to Exim for logging errors detected
+early on - in particular, failure to read the configuration file.
 
 +--------------------------------------------------+
 |log_selector|Use: main|Type: string|Default: unset|
@@ -14892,7 +15102,7 @@
 +-------------------------------------------------+
 
 If queue_only is set, a delivery process is not automatically started whenever
-a message is received. Instead, the message waits on the queue for the next
+a message is received. Instead, the message waits in the queue for the next
 queue run. Even if queue_only is false, incoming messages may not get delivered
 immediately when certain conditions (such as heavy load) occur.
 
@@ -14998,7 +15208,7 @@
 When this option is set, a delivery process is started whenever a message is
 received, routing is performed, and local deliveries take place. However, if
 any SMTP deliveries are required for domains that match queue_smtp_domains,
-they are not immediately delivered, but instead the message waits on the queue
+they are not immediately delivered, but instead the message waits in the queue
 for the next queue run. Since routing of the message has taken place, Exim
 knows to which remote hosts it must be delivered, and so when the queue run
 happens, multiple messages for the same host are delivered over a single SMTP
@@ -15012,7 +15222,7 @@
 
 This option sets the timeout for accepting a non-SMTP message, that is, the
 maximum time that Exim waits when reading a message on the standard input. If
-the value is zero, it will wait for ever. This setting is overridden by the -or
+the value is zero, it will wait forever. This setting is overridden by the -or
 command line option. The timeout for incoming SMTP messages is controlled by 
 smtp_receive_timeout.
 
@@ -15329,7 +15539,7 @@
 
 If the number of simultaneous incoming SMTP connections being handled via the
 listening daemon exceeds this value, messages received by SMTP are just placed
-on the queue; no delivery processes are started automatically. The count is
+in the queue; no delivery processes are started automatically. The count is
 fixed at the start of an SMTP connection. It cannot be updated in the
 subprocess that receives messages, and so the queueing or not queueing applies
 to all messages received in the same connection.
@@ -15347,7 +15557,7 @@
 automatically when receiving messages via SMTP, whether via the daemon or by
 the use of -bs or -bS. If the value of the option is greater than zero, and the
 number of messages received in a single SMTP session exceeds this number,
-subsequent messages are placed on the queue, but no delivery processes are
+subsequent messages are placed in the queue, but no delivery processes are
 started. This helps to limit the number of Exim processes when a server
 restarts after downtime and there is a lot of mail waiting for it on other
 systems. On large systems, the default should probably be increased, and on
@@ -15675,11 +15885,11 @@
 
 When split_spool_directory is set, the behaviour of queue runner processes
 changes. Instead of creating a list of all messages in the queue, and then
-trying to deliver each one in turn, it constructs a list of those in one
+trying to deliver each one, in turn, it constructs a list of those in one
 sub-directory and tries to deliver them, before moving on to the next
 sub-directory. The sub-directories are processed in a random order. This
 spreads out the scanning of the input directories, and uses less memory. It is
-particularly beneficial when there are lots of messages on the queue. However,
+particularly beneficial when there are lots of messages in the queue. However,
 if queue_run_in_order is set, none of this new processing happens. The entire
 queue has to be scanned and sorted before any deliveries can start.
 
@@ -15897,7 +16107,7 @@
 +-----------------------------------------------------+
 
 If timeout_frozen_after is set to a time greater than zero, a frozen message of
-any kind that has been on the queue for longer than the given time is
+any kind that has been in the queue for longer than the given time is
 automatically cancelled at the next queue run. If the frozen message is a
 bounce message, it is just discarded; otherwise, a bounce is sent to the
 sender, in a similar manner to cancellation by the -Mg command line option. If
@@ -15905,7 +16115,7 @@
 message, see ignore_bounce_errors_after.
 
 Note: the default value of zero means no timeouts; with this setting, frozen
-messages remain on the queue forever (except for any frozen bounce messages
+messages remain in the queue forever (except for any frozen bounce messages
 that are released by ignore_bounce_errors_after).
 
 +----------------------------------------------+
@@ -16115,8 +16325,8 @@
 +---------------------------------------------------------------+
 
 This option specifies a list of incoming SSMTP (aka SMTPS) ports that should
-operate the obsolete SSMTP (SMTPS) protocol, where a TLS session is immediately
-set up without waiting for the client to issue a STARTTLS command. For further
+operate the SSMTP (SMTPS) protocol, where a TLS session is immediately set up
+without waiting for the client to issue a STARTTLS command. For further
 details, see section 13.4.
 
 +----------------------------------------------------+
@@ -16336,7 +16546,7 @@
 
 This option defines a template file containing paragraphs of text to be used
 for constructing the warning message which is sent by Exim when a message has
-been on the queue for a specified amount of time, as specified by delay_warning
+been in the queue for a specified amount of time, as specified by delay_warning
 . Details of the file's contents are given in chapter 49. See also 
 bounce_message_file.
 
@@ -17057,8 +17267,8 @@
 in which preconditions are evaluated.) However, as these options are all
 expanded, you can use the exists expansion condition to make such tests. The 
 require_files option is intended for checking files that the router may be
-going to use internally, or which are needed by a transport (for example
-.procmailrc).
+going to use internally, or which are needed by a transport (e.g., .procmailrc
+).
 
 During delivery, the stat() function is run as root, but there is a facility
 for some checking of the accessibility of a file by another user. This is not a
@@ -17097,9 +17307,9 @@
 caused by a configuration error, and routing is deferred because the existence
 or non-existence of the file cannot be determined. However, in some
 circumstances it may be desirable to treat this condition as if the file did
-not exist. If the file name (or the exclamation mark that precedes the file
-name for non-existence) is preceded by a plus sign, the EACCES error is treated
-as if the file did not exist. For example:
+not exist. If the filename (or the exclamation mark that precedes the filename
+for non-existence) is preceded by a plus sign, the EACCES error is treated as
+if the file did not exist. For example:
 
 require_files = +/some/file
 
@@ -17457,11 +17667,9 @@
 MX records of equal priority are sorted by Exim into a random order. Exim then
 looks for address records for the host names obtained from MX or SRV records.
 When a host has more than one IP address, they are sorted into a random order,
-
-except that IPv6 addresses are sorted before IPv4 addresses. If all the
-
-IP addresses found are discarded by a setting of the ignore_target_hosts
-generic option, the router declines.
+except that IPv6 addresses are sorted before IPv4 addresses. If all the IP
+addresses found are discarded by a setting of the ignore_target_hosts generic
+option, the router declines.
 
 Unless they have the highest priority (lowest MX value), MX records that point
 to the local host, or to any host name that matches hosts_treat_as_local, are
@@ -18085,9 +18293,10 @@
 A list of hosts, whether obtained via route_data or route_list, is always
 separately expanded before use. If the expansion fails, the router declines.
 The result of the expansion must be a colon-separated list of names and/or IP
-addresses, optionally also including ports. The format of each item in the list
-is described in the next section. The list separator can be changed as
-described in section 6.20.
+addresses, optionally also including ports. If the list is written with spaces,
+it must be protected with quotes. The format of each item in the list is
+described in the next section. The list separator can be changed as described
+in section 6.20.
 
 If the list of hosts was obtained from a route_list item, the following
 variables are set during its expansion:
@@ -18596,8 +18805,8 @@
   * Otherwise, the data must be a comma-separated list of redirection items, as
     described in the next section.
 
-When a message is redirected to a file (a "mail folder"), the file name given
-in a non-filter redirection list must always be an absolute path. A filter may
+When a message is redirected to a file (a "mail folder"), the filename given in
+a non-filter redirection list must always be an absolute path. A filter may
 generate a relative path - how this is handled depends on the transport's
 configuration. See section 26.1 for a discussion of this issue for the 
 appendfile transport.
@@ -18608,9 +18817,9 @@
 
 When the redirection data is not an Exim or Sieve filter, for example, if it
 comes from a conventional alias or forward file, it consists of a list of
-addresses, file names, pipe commands, or certain special items (see section
-22.6 below). The special items can be individually enabled or disabled by means
-of options whose names begin with allow_ or forbid_, depending on their default
+addresses, filenames, pipe commands, or certain special items (see section 22.6
+below). The special items can be individually enabled or disabled by means of
+options whose names begin with allow_ or forbid_, depending on their default
 values. The items in the list are separated by commas or newlines. If a comma
 is required in an item, the entire item must be enclosed in double quotes.
 
@@ -18726,14 +18935,14 @@
 
     /home/world/minbari
 
-    is treated as a file name, but
+    is treated as a filename, but
 
     /s=molari/o=babylon/@x400gate.way
 
-    is treated as an address. For a file name, a transport must be specified
+    is treated as an address. For a filename, a transport must be specified
     using the file_transport option. However, if the generated path name ends
     with a forward slash character, it is interpreted as a directory name
-    rather than a file name, and directory_transport is used instead.
+    rather than a filename, and directory_transport is used instead.
 
     Normally, either the router or the transport specifies a user and a group
     under which to run the delivery. The default is to use the Exim user and
@@ -18817,7 +19026,7 @@
 
     During routing for message delivery (as opposed to verification), a
     redirection containing :fail: causes an immediate failure of the incoming
-    address, whereas :defer: causes the message to remain on the queue so that
+    address, whereas :defer: causes the message to remain in the queue so that
     a subsequent delivery attempt can happen at a later time. If an address is
     deferred for too long, it will ultimately fail, because the normal retry
     rules still apply.
@@ -19027,7 +19236,7 @@
 ending in a slash is specified as a new "address". The transport used is
 specified by this option, which, after expansion, must be the name of a
 configured transport. This should normally be an appendfile transport. When it
-is running, the file name is in $address_file.
+is running, the filename is in $address_file.
 
 +-------------------------------------------------------------+
 |filter_prepend_home|Use: redirect|Type: boolean|Default: true|
@@ -20224,7 +20433,7 @@
 fileinto "folder23";
 
 In this situation, the expansion of file or directory in the transport must
-transform the relative path into an appropriate absolute file name. In the case
+transform the relative path into an appropriate absolute filename. In the case
 of Sieve filters, the name inbox must be handled. It is the name that is used
 as a result of a "keep" action in the filter. This example shows one way of
 handling this requirement:
@@ -20353,9 +20562,9 @@
 
 The option must be set to one of the words "anywhere", "inhome", or
 "belowhome". In the second and third cases, a home directory must have been set
-for the transport. This option is not useful when an explicit file name is
-given for normal mailbox deliveries. It is intended for the case when file
-names are generated from users' .forward files. These are usually handled by an
+for the transport. This option is not useful when an explicit filename is given
+for normal mailbox deliveries. It is intended for the case when filenames are
+generated from users' .forward files. These are usually handled by an 
 appendfile transport called address_file. See also file_must_exist.
 
 +------------------------------------------------------+
@@ -20812,14 +21021,14 @@
 This option applies when one of the delivery modes that writes a separate file
 for each message is being used. When Exim wants to find the size of one of
 these files in order to test the quota, it first checks quota_size_regex. If
-this is set to a regular expression that matches the file name, and it captures
+this is set to a regular expression that matches the filename, and it captures
 one string, that string is interpreted as a representation of the file's size.
 The value of quota_size_regex is not expanded.
 
 This feature is useful only when users have no shell access to their mailboxes
 - otherwise they could defeat the quota simply by renaming the files. This
 facility can be used with maildir deliveries, by setting maildir_tag to add the
-file length to the file name. For example:
+file length to the filename. For example:
 
 maildir_tag = ,S=$message_size
 quota_size_regex = ,S=(\d+)
@@ -20828,8 +21037,8 @@
 number of lines in the message.
 
 The regular expression should not assume that the length is at the end of the
-file name (even though maildir_tag puts it there) because maildir MUAs
-sometimes add other information onto the ends of message file names.
+filename (even though maildir_tag puts it there) because maildir MUAs sometimes
+add other information onto the ends of message filenames.
 
 Section 26.7 contains further information.
 
@@ -21000,7 +21209,7 @@
         for writing as a new file. If this fails with an access error, delivery
         is deferred.
 
-     2. Close the hitching post file, and hard link it to the lock file name.
+     2. Close the hitching post file, and hard link it to the lock filename.
 
      3. If the call to link() succeeds, creation of the lock file has
         succeeded. Unlink the hitching post name.
@@ -21147,10 +21356,10 @@
 is defined by the directory option (the "delivery directory"). If the delivery
 is successful, the file is renamed into the new subdirectory.
 
-In the file name, <stime> is the current time of day in seconds, and <mtime> is
+In the filename, <stime> is the current time of day in seconds, and <mtime> is
 the microsecond fraction of the time. After a maildir delivery, Exim checks
 that the time-of-day clock has moved on by at least one microsecond before
-terminating the delivery process. This guarantees uniqueness for the file name.
+terminating the delivery process. This guarantees uniqueness for the filename.
 However, as a precaution, Exim calls stat() for the file before opening it. If
 any response other than ENOENT (does not exist) is given, Exim waits 2 seconds
 and tries again, up to maildir_retries times.
@@ -21458,7 +21667,7 @@
 does not apply to Cc: or Bcc: recipients.
 
 If once is unset, or is set to an empty string, the message is always sent. By
-default, if once is set to a non-empty file name, the message is not sent if a
+default, if once is set to a non-empty filename, the message is not sent if a
 potential recipient is already listed in the database. However, if the 
 once_repeat option specifies a time greater than zero, the message is sent if
 that much time has elapsed since a message was last sent to this recipient. A
@@ -22411,20 +22620,28 @@
 of the message. Its value must not be zero. See also final_timeout.
 
 +-------------------------------------------------+
+|dkim_canon|Use: smtp|Type: string*|Default: unset|
++-------------------------------------------------+
+
++-------------------------------------------------+
 |dkim_domain|Use: smtp|Type: string|Default: list*|
 +-------------------------------------------------+
 
++-------------------------------------------------+
+|dkim_hash|Use: smtp|Type: string*|Default: sha256|
++-------------------------------------------------+
+
 +----------------------------------------------------+
-|dkim_selector|Use: smtp|Type: string*|Default: unset|
+|dkim_identity|Use: smtp|Type: string*|Default: unset|
 +----------------------------------------------------+
 
 +-------------------------------------------------------+
 |dkim_private_key|Use: smtp|Type: string*|Default: unset|
 +-------------------------------------------------------+
 
-+-------------------------------------------------+
-|dkim_canon|Use: smtp|Type: string*|Default: unset|
-+-------------------------------------------------+
++----------------------------------------------------+
+|dkim_selector|Use: smtp|Type: string*|Default: unset|
++----------------------------------------------------+
 
 +--------------------------------------------------+
 |dkim_strict|Use: smtp|Type: string*|Default: unset|
@@ -22434,13 +22651,9 @@
 |dkim_sign_headers|Use: smtp|Type: string*|Default: per RFC|
 +----------------------------------------------------------+
 
-+-------------------------------------------------+
-|dkim_hash|Use: smtp|Type: string*|Default: sha256|
-+-------------------------------------------------+
-
-+----------------------------------------------------+
-|dkim_identity|Use: smtp|Type: string*|Default: unset|
-+----------------------------------------------------+
++------------------------------------------------------+
+|dkim_timestamps|Use: smtp|Type: string*|Default: unset|
++------------------------------------------------------+
 
 DKIM signing options. For details see section 57.2.
 
@@ -22916,8 +23129,12 @@
 
 If the value of this option begins with a digit it is taken as a port number;
 otherwise it is looked up using getservbyname(). The default value is normally
-"smtp", but if protocol is set to "lmtp", the default is "lmtp". If the
-expansion fails, or if a port number cannot be found, delivery is deferred.
+"smtp", but if protocol is set to "lmtp" the default is "lmtp" and if protocol
+is set to "smtps" the default is "smtps". If the expansion fails, or if a port
+number cannot be found, delivery is deferred.
+
+Note that at least one Linux distribution has been seen failing to put "smtps"
+in its "/etc/services" file, resulting is such deferrals.
 
 +---------------------------------------------+
 |protocol|Use: smtp|Type: string|Default: smtp|
@@ -22931,8 +23148,11 @@
 
 If this option is set to "smtps", the default value for the port option changes
 to "smtps", and the transport initiates TLS immediately after connecting, as an
-outbound SSL-on-connect, instead of using STARTTLS to upgrade. The Internet
-standards bodies strongly discourage use of this mode.
+outbound SSL-on-connect, instead of using STARTTLS to upgrade.
+
+The Internet standards bodies used to strongly discourage use of this mode, but
+as of RFC 8314 it is perferred over STARTTLS for message submission (as
+distinct from MTA-MTA communication).
 
 +---------------------------------------------------------------+
 |retry_include_ip_address|Use: smtp|Type: boolean*|Default: true|
@@ -23138,6 +23358,13 @@
 also be set. If both this option and tls_try_verify_hosts are unset operation
 is as if this option selected all hosts.
 
++---------------------------------------------------------+
+|utf8_downconvert|Use: smtp|Type: integer!!|Default: unset|
++---------------------------------------------------------+
+
+If built with internationalization support, this option controls conversion of
+UTF-8 in message addresses to a-label form. For details see section 59.1.
+
 
 30.5 How the limits for the number of hosts to try are used
 -----------------------------------------------------------
@@ -23327,7 +23554,7 @@
 31.3 Testing the rewriting rules that apply on input
 ----------------------------------------------------
 
-Exim's input rewriting configuration appears in a part of the run time
+Exim's input rewriting configuration appears in a part of the runtime
 configuration file headed by "begin rewrite". It can be tested by the -brw
 command line option. This takes an address (which can be a full RFC 2822
 address) as its argument. The output is a list of how the address would be
@@ -23645,7 +23872,7 @@
 delivered at the first attempt. If there are no retry rules (the section is
 empty or not present), there are no retries. In this situation, temporary
 errors are treated as permanent. The default configuration contains a single,
-general-purpose retry rule (see section 7.5). The -brt command line option can
+general-purpose retry rule (see section 7.6). The -brt command line option can
 be used to test which retry rule will be used for a given address, domain and
 error.
 
@@ -24117,11 +24344,12 @@
 
 If the delivery is remote, there are two possibilities, controlled by the 
 delay_after_cutoff option of the smtp transport. The option is true by default.
-Until the post-cutoff retry time for one of the IP addresses is reached, the
-failing email address is bounced immediately, without a delivery attempt taking
-place. After that time, one new delivery attempt is made to those IP addresses
-that are past their retry times, and if that still fails, the address is
-bounced and new retry times are computed.
+Until the post-cutoff retry time for one of the IP addresses, as set by the 
+retry_data_expire option, is reached, the failing email address is bounced
+immediately, without a delivery attempt taking place. After that time, one new
+delivery attempt is made to those IP addresses that are past their retry times,
+and if that still fails, the address is bounced and new retry times are
+computed.
 
 In other words, when all the hosts for a given email address have been failing
 for a long time, Exim bounces rather then defers until one of the hosts' retry
@@ -24149,7 +24377,7 @@
 its delivery when others to the same address get through. In this situation,
 because some messages are successfully delivered, the "retry clock" for the
 host or address keeps getting reset by the successful deliveries, and so
-failing messages remain on the queue for ever because the cutoff time is never
+failing messages remain in the queue for ever because the cutoff time is never
 reached.
 
 Two exceptional actions are applied to prevent this happening. The first
@@ -24172,7 +24400,7 @@
 ===============================================================================
 33. SMTP AUTHENTICATION
 
-The "authenticators" section of Exim's run time configuration is concerned with
+The "authenticators" section of Exim's runtime configuration is concerned with
 SMTP authentication. This facility is an extension to the SMTP protocol,
 described in RFC 2554, which allows a client SMTP host to authenticate itself
 to a server. This is a common way for a server to recognize clients that are
@@ -24392,8 +24620,9 @@
 messages in the variable $authenticated_id. It is also included in the log
 lines for incoming messages. For example, a user/password authenticator
 configuration might preserve the user name that was used to authenticate, and
-refer to it subsequently during delivery of the message. If expansion fails,
-the option is ignored.
+refer to it subsequently during delivery of the message. On a failing
+authentication the expansion result is instead saved in the
+$authenticated_fail_id variable. If expansion fails, the option is ignored.
 
 +---------------------------------------------------------------------------+
 |server_mail_auth_condition|Use: authenticators|Type: string*|Default: unset|
@@ -25001,8 +25230,8 @@
 ===============================================================================
 36. THE CYRUS_SASL AUTHENTICATOR
 
-The code for this authenticator was provided by Matthew Byng-Maddick of A L
-Digital Ltd (http://www.aldigital.co.uk).
+The code for this authenticator was provided by Matthew Byng-Maddick while at A
+L Digital Ltd.
 
 The cyrus_sasl authenticator provides server support for the Cyrus SASL library
 implementation of the RFC 2222 ("Simple Authentication and Security Layer").
@@ -25015,7 +25244,7 @@
 so can the cyrus_sasl authenticator. By default it uses the public name of the
 driver to determine which mechanism to support.
 
-Where access to some kind of secret file is required, for example in GSSAPI or
+Where access to some kind of secret file is required, for example, in GSSAPI or
 CRAM-MD5, it is worth noting that the authenticator runs as the Exim user, and
 that the Cyrus SASL library has no way of escalating privileges by default. You
 may also find you need to set environment variables, depending on the driver
@@ -25115,7 +25344,7 @@
 |server_socket|Use: dovecot|Type: string|Default: unset|
 +------------------------------------------------------+
 
-This option must specify the socket that is the interface to Dovecot
+This option must specify the UNIX socket that is the interface to Dovecot
 authentication. The public_name option must specify an authentication mechanism
 that Dovecot is configured to support. You can have several authenticators for
 different mechanisms. For example:
@@ -25151,27 +25380,36 @@
 particular new authentication mechanism will be supported without code changes
 in Exim.
 
+Exim's gsasl authenticator does not have client-side support at this time; only
+the server-side support is implemented. Patches welcome.
+
 +-------------------------------------------------------------+
 |server_channelbinding|Use: gsasl|Type: boolean|Default: false|
 +-------------------------------------------------------------+
 
+Do not set this true without consulting a cryptographic engineer.
+
 Some authentication mechanisms are able to use external context at both ends of
 the session to bind the authentication to that context, and fail the
 authentication process if that context differs. Specifically, some TLS
 ciphersuites can provide identifying information about the cryptographic
 context.
 
-This means that certificate identity and verification becomes a non-issue, as a
-man-in-the-middle attack will cause the correct client and server to see
-different identifiers and authentication will fail.
+This should have meant that certificate identity and verification becomes a
+non-issue, as a man-in-the-middle attack will cause the correct client and
+server to see different identifiers and authentication will fail.
 
 This is currently only supported when using the GnuTLS library. This is only
 usable by mechanisms which support "channel binding"; at time of writing,
 that's the SCRAM family.
 
 This defaults off to ensure smooth upgrade across Exim releases, in case this
-option causes some clients to start failing. Some future release of Exim may
-switch the default to be true.
+option causes some clients to start failing. Some future release of Exim might
+have switched the default to be true.
+
+However, Channel Binding in TLS has proven to be broken in current versions. Do
+not plan to rely upon this feature for security, ever, without consulting with
+a subject matter expert (a cryptographic engineer).
 
 +-----------------------------------------------------------+
 |server_hostname|Use: gsasl|Type: string*|Default: see below|
@@ -25343,8 +25581,8 @@
 The spa authenticator provides client support for Microsoft's Secure Password
 Authentication mechanism, which is also sometimes known as NTLM (NT LanMan).
 The code for client side of this authenticator was contributed by Marc
-Prud'hommeaux, and much of it is taken from the Samba project (http://
-www.samba.org). The code for the server side was subsequently contributed by
+Prud'hommeaux, and much of it is taken from the Samba project (https://
+www.samba.org/). The code for the server side was subsequently contributed by
 Tom Kistner. The mechanism works as follows:
 
   * After the AUTH command has been accepted, the client sends an SPA
@@ -25692,10 +25930,13 @@
 
 There is a function in the OpenSSL library that can be passed a list of cipher
 suites before the cipher negotiation takes place. This specifies which ciphers
-are acceptable. The list is colon separated and may contain names like
-DES-CBC3-SHA. Exim passes the expanded value of tls_require_ciphers directly to
-this function call. Many systems will install the OpenSSL manual-pages, so you
-may have ciphers(1) available to you. The following quotation from the OpenSSL
+
+are acceptable for TLS versions prior to 1.3.
+
+The list is colon separated and may contain names like DES-CBC3-SHA. Exim
+passes the expanded value of tls_require_ciphers directly to this function
+call. Many systems will install the OpenSSL manual-pages, so you may have 
+ciphers(1) available to you. The following quotation from the OpenSSL
 documentation specifies what forms of item are allowed in the cipher string:
 
   * It can consist of a single cipher suite such as RC4-SHA.
@@ -25747,6 +25988,14 @@
 
 tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
 
+For TLS version 1.3 the control available is less fine-grained and Exim does
+not provide access to it at present. The value of the tls_require_ciphers
+option is ignored when TLS version 1.3 is negotiated.
+
+As of writing the library default cipher suite list for TLSv1.3 is
+
+TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+
 
 42.5 Requiring specific ciphers or other parameters in GnuTLS
 -------------------------------------------------------------
@@ -25766,10 +26015,10 @@
 feature enhancements of GnuTLS.
 
 Documentation of the strings accepted may be found in the GnuTLS manual, under
-"Priority strings". This is online as http://www.gnutls.org/manual/html_node/
+"Priority strings". This is online as https://www.gnutls.org/manual/html_node/
 Priority-Strings.html, but beware that this relates to GnuTLS 3, which may be
 newer than the version installed on your system. If you are using GnuTLS 3,
-then the example code http://www.gnutls.org/manual/gnutls.html#
+then the example code https://www.gnutls.org/manual/gnutls.html#
 Listing-the-ciphersuites-in-a-priority-string on that site can be used to test
 a given string.
 
@@ -25912,9 +26161,9 @@
 all TLS connections. For any host that matches one of these options, Exim
 requests a certificate as part of the setup of the TLS session. The contents of
 the certificate are verified by comparing it with a list of expected
-certificates. These may be the system default set (depending on library
-version), an explicit file or, depending on library version, a directory,
-identified by tls_verify_certificates.
+trust-anchors or certificates. These may be the system default set (depending
+on library version), an explicit file or, depending on library version, a
+directory, identified by tls_verify_certificates.
 
 A file can contain multiple certificates, concatenated end to end. If a
 directory is used (OpenSSL only), each certificate must be in a separate file,
@@ -25926,6 +26175,9 @@
 
 where /cert/file contains a single certificate.
 
+There is no checking of names of the client against the certificate Subject
+Name or Subject Alternate Names.
+
 The difference between tls_verify_hosts and tls_try_verify_hosts is what
 happens if the client does not supply a certificate, or if the certificate does
 not match any of the certificates in the collection named by 
@@ -26066,6 +26318,10 @@
 verification to the listed servers. Verification either must or need not
 succeed respectively.
 
+The tls_verify_cert_hostnames option lists hosts for which additional checks
+are made: that the host name (the one in the DNS A record) is valid for the
+certificate. The option defaults to always checking.
+
 The smtp transport has two OCSP-related options: hosts_require_ocsp; a
 host-list for which a Certificate Status is requested and required for the
 connection to proceed. The default value is empty. hosts_request_ocsp; a
@@ -26210,19 +26466,25 @@
 -------------------------------
 
 In order to understand fully how TLS works, you need to know about
-certificates, certificate signing, and certificate authorities. This is not the
-place to give a tutorial, especially as I do not know very much about it
-myself. Some helpful introduction can be found in the FAQ for the SSL addition
-to Apache, currently at
-
-http://www.modssl.org/docs/2.7/ssl_faq.html#ToC24
-
-Other parts of the modssl documentation are also helpful, and have links to
-further files. Eric Rescorla's book, SSL and TLS, published by Addison-Wesley
-(ISBN 0-201-61598-3), contains both introductory and more in-depth
-descriptions. Some sample programs taken from the book are available from
+certificates, certificate signing, and certificate authorities. This is a large
+topic and an introductory guide is unsuitable for the Exim reference manual, so
+instead we provide pointers to existing documentation.
 
-http://www.rtfm.com/openssl-examples/
+The Apache web-server was for a long time the canonical guide, so their
+documentation is a good place to start; their SSL module's Introduction
+document is currently at
+
+https://httpd.apache.org/docs/current/ssl/ssl_intro.html
+
+and their FAQ is at
+
+https://httpd.apache.org/docs/current/ssl/ssl_faq.html
+
+Eric Rescorla's book, SSL and TLS, published by Addison-Wesley (ISBN
+0-201-61598-3) in 2001, contains both introductory and more in-depth
+descriptions. More recently Ivan Risti?'s book Bulletproof SSL and TLS,
+published by Feisty Duck (ISBN 978-1907117046) in 2013 is good. Ivan is the
+author of the popular TLS testing tools at https://www.ssllabs.com/.
 
 
 42.13 Certificate chains
@@ -26286,7 +26548,8 @@
 
 For information on creating self-signed CA certificates and using them to sign
 user certificates, see the General implementation overview chapter of the
-Open-source PKI book, available online at http://ospkibook.sourceforge.net/.
+Open-source PKI book, available online at https://sourceforge.net/projects/
+ospkibook/.
 
 
 42.15 DANE
@@ -26329,24 +26592,42 @@
 "_HAVE_DANE" will be defined.
 
 The TLSA record for the server may have "certificate usage" of DANE-TA(2) or
-DANE-EE(3). The latter specifies the End Entity directly, i.e. the certificate
-involved is that of the server (and should be the sole one transmitted during
-the TLS handshake); this is appropriate for a single system, using a
+DANE-EE(3). These are the "Trust Anchor" and "End Entity" variants. The latter
+specifies the End Entity directly, i.e. the certificate involved is that of the
+server (and if only DANE-EE is used then it should be the sole one transmitted
+during the TLS handshake); this is appropriate for a single system, using a
 self-signed certificate. DANE-TA usage is effectively declaring a specific CA
 to be used; this might be a private CA or a public, well-known one. A private
-CA at simplest is just a self-signed certificate which is used to sign cerver
-certificates, but running one securely does require careful arrangement. If a
-private CA is used then either all clients must be primed with it, or (probably
-simpler) the server TLS handshake must transmit the entire certificate chain
-from CA to server-certificate. If a public CA is used then all clients must be
-primed with it (losing one advantage of DANE) - but the attack surface is
-reduced from all public CAs to that single CA. DANE-TA is commonly used for
-several services and/or servers, each having a TLSA query-domain CNAME record,
-all of which point to a single TLSA record.
-
-Another approach which should be seriously considered is to use DANE with a
-certificate from a public CA, because of another technology, "MTA-STS",
-described below.
+CA at simplest is just a self-signed certificate (with certain attributes)
+which is used to sign server certificates, but running one securely does
+require careful arrangement. With DANE-TA, as implemented in Exim and commonly
+in other MTAs, the server TLS handshake must transmit the entire certificate
+chain from CA to server-certificate. DANE-TA is commonly used for several
+services and/or servers, each having a TLSA query-domain CNAME record, all of
+which point to a single TLSA record. DANE-TA and DANE-EE can both be used
+together.
+
+Our recommendation is to use DANE with a certificate from a public CA, because
+this enables a variety of strategies for remote clients to verify your
+certificate. You can then publish information both via DANE and another
+technology, "MTA-STS", described below.
+
+When you use DANE-TA to publish trust anchor information, you ask entities
+outside your administrative control to trust the Certificate Authority for
+connections to you. If using a private CA then you should expect others to
+still apply the technical criteria they'd use for a public CA to your
+certificates. In particular, you should probably try to follow current best
+practices for CA operation around hash algorithms and key sizes. Do not expect
+other organizations to lower their security expectations just because a
+particular profile might be reasonable for your own internal use.
+
+When this text was last updated, this in practice means to avoid use of SHA-1
+and MD5; if using RSA to use key sizes of at least 2048 bits (and no larger
+than 4096, for interoperability); to use keyUsage fields correctly; to use
+random serial numbers. The list of requirements is subject to change as best
+practices evolve. If you're not already using a private CA, or it doesn't meet
+these requirements, then we encourage you to avoid all these issues and use a
+public CA such as Let's Encrypt instead.
 
 The TLSA record should have a Selector field of SPKI(1) and a Matching Type
 field of SHA2-512(2).
@@ -26364,6 +26645,12 @@
 For use with the DANE-TA model, server certificates must have a correct name
 (SubjectName or SubjectAltName).
 
+The Certificate issued by the CA published in the DANE-TA model should be
+issued using a strong hash algorithm. Exim, and importantly various other MTAs
+sending to you, will not re-enable hash algorithms which have been disabled by
+default in TLS libraries. This means no MD5 and no SHA-1. SHA2-256 is the
+minimum for reliable interoperability (and probably the maximum too, in 2018).
+
 The use of OCSP-stapling should be considered, allowing for fast revocation of
 certificates (which would otherwise be limited by the DNS TTL on the TLSA
 records). However, this is likely to only be usable with DANE-TA. NOTE: the
@@ -26443,8 +26730,8 @@
 those clients who do use that protocol derive trust information.
 
 The MTA-STS design requires a certificate from a public Certificate Authority
-which is recognized by clients sending to you. That selection is outside your
-control.
+which is recognized by clients sending to you. That selection of which CAs are
+trusted by others is outside your control.
 
 The most interoperable course of action is probably to use Let's Encrypt, with
 automated certificate renewal; to publish the anchor information in
@@ -26458,7 +26745,7 @@
 ===============================================================================
 43. ACCESS CONTROL LISTS
 
-Access Control Lists (ACLs) are defined in a separate section of the run time
+Access Control Lists (ACLs) are defined in a separate section of the runtime
 configuration file, headed by "begin acl". Each ACL definition starts with a
 name, terminated by a colon. Here is a complete ACL section that contains just
 one very small ACL:
@@ -26759,7 +27046,7 @@
 file; there are other possibilities. Having expanded the string, Exim searches
 for an ACL as follows:
 
-  * If the string begins with a slash, Exim uses it as a file name, and reads
+  * If the string begins with a slash, Exim uses it as a filename, and reads
     its contents as an ACL. The lines are processed in the same way as lines in
     the Exim configuration file. In particular, continuation lines are
     supported, blank lines are ignored, as are lines whose first non-whitespace
@@ -27918,10 +28205,11 @@
 warn   message         = Remove internal headers
        remove_header   = $acl_c_ihdrs
 
-Removed header lines are accumulated during the MAIL, RCPT, and predata ACLs.
-They are removed from the message before processing the DATA and MIME ACLs.
-There is no harm in attempting to remove the same header twice nor is removing
-a non-existent header. Further header lines to be removed may be accumulated
+Header names for removal are accumulated during the MAIL, RCPT, and predata
+ACLs. Matching header lines are removed from the message before processing the
+DATA and MIME ACLs. If multiple header lines match, all are removed. There is
+no harm in attempting to remove the same header twice nor in removing a
+non-existent header. Further header lines to be removed may be accumulated
 during the DATA and MIME ACLs, after which they are removed from the message,
 if present. In the case of non-SMTP messages, headers to be removed are
 accumulated during the non-SMTP ACLs, and are removed from the message after
@@ -28364,6 +28652,10 @@
 does not share information between multiple incoming connections (but your
 local name server cache should be active).
 
+There are a number of DNS lists to choose from, some commercial, some free, or
+free for small deployments. An overview can be found at https://
+en.wikipedia.org/wiki/Comparison_of_DNS_blacklists.
+
 
 43.28 Specifying the IP address for a DNS list lookup
 -----------------------------------------------------
@@ -28384,7 +28676,7 @@
 -------------------------------------
 
 There are some lists that are keyed on domain names rather than inverted IP
-addresses (see for example the domain based zones link at http://
+addresses (see, e.g., the domain based zones link at http://
 www.rfc-ignorant.org/). No reversing of components is used with these lists.
 You can change the name that is looked up in a DNS list by listing it after the
 domain name, introduced by a slash. For example,
@@ -28707,7 +28999,7 @@
 tested is indeed on the first list. The first domain is the one that is put in
 $dnslist_domain. For example:
 
-reject message  = \
+deny message  = \
          rejected because $sender_host_address is blacklisted \
          at $dnslist_domain\n$dnslist_text
        dnslists = \
@@ -28725,7 +29017,7 @@
 several times, but because the results of the DNS lookups are cached, the DNS
 calls themselves are not repeated. For example:
 
-reject dnslists = \
+deny dnslists = \
          http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
          socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3 : \
          misc.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.4 : \
@@ -28818,7 +29110,7 @@
 "$local_part@$domain" with the per_rcpt option (see below) in a RCPT ACL.
 
 Each ratelimit condition can have up to four options. A per_* option specifies
-what Exim measures the rate of, for example messages or recipients or bytes.
+what Exim measures the rate of, for example, messages or recipients or bytes.
 You can adjust the measurement using the unique= and/or count= options. You can
 also control when Exim updates the recorded rate using a strict, leaky, or 
 readonly option. The options are separated by a slash, like the other
@@ -28928,13 +29220,12 @@
 
 The leaky (default) option means that the client's recorded rate is not updated
 if it is above the limit. The effect of this is that Exim measures the client's
-average rate of successfully sent email, which cannot be greater than the
-maximum allowed. If the client is over the limit it may suffer some
-counter-measures (as specified in the ACL), but it will still be able to send
-email at the configured maximum rate, whatever the rate of its attempts. This
-is generally the better choice if you have clients that retry automatically.
-For example, it does not prevent a sender with an over-aggressive retry rate
-from getting any email through.
+average rate of successfully sent email,
+
+up to the given limit. This is appropriate if the countermeasure when the
+condition is true consists of refusing the message, and is generally the better
+choice if you have clients that retry automatically. If the action when true is
+anything more complex then this option is likely not what is wanted.
 
 The strict option means that the client's recorded rate is always updated. The
 effect of this is that Exim measures the client's average rate of attempts to
@@ -29094,6 +29385,10 @@
 The main use of these variables is expected to be to distinguish between
 rejections of MAIL and rejections of RCPT in callouts.
 
+The above variables may also be set after a successful address verification to:
+
+  * random: A random local-part callout succeeded
+
 
 43.45 Callout verification
 --------------------------
@@ -29801,7 +30096,7 @@
 aveserver
 
     This is the scanner daemon of Kaspersky Version 5. You can get a trial
-    version at http://www.kaspersky.com. This scanner type takes one option,
+    version at https://www.kaspersky.com/. This scanner type takes one option,
     which is the path to the daemon's UNIX socket. The default is shown in this
     example:
 
@@ -29809,7 +30104,7 @@
 
 clamd
 
-    This daemon-type scanner is GPL and free. You can get it at http://
+    This daemon-type scanner is GPL and free. You can get it at https://
     www.clamav.net/. Some older versions of clamd do not seem to unpack MIME
     containers, so it used to be recommended to unpack MIME attachments in the
     MIME ACL. This is no longer believed to be necessary.
@@ -29896,7 +30191,7 @@
 
 drweb
 
-    The DrWeb daemon scanner (http://www.sald.com/) interface takes one option,
+    The DrWeb daemon scanner (https://www.sald.ru/) interface takes one option,
     either a full path to a UNIX socket, or host and port specifiers separated
     by white space. The host may be a name or an IP address; the port is either
     a single number or a pair of numbers with a dash between. For example:
@@ -29929,7 +30224,7 @@
 
 fsecure
 
-    The F-Secure daemon scanner (http://www.f-secure.com) takes one argument
+    The F-Secure daemon scanner (https://www.f-secure.com/) takes one argument
     which is the path to a UNIX socket. For example:
 
     av_scanner = fsecure:/path/to/.fsav
@@ -29950,12 +30245,14 @@
 
 mksd
 
-    This is a daemon type scanner that is aimed mainly at Polish users, though
-    some parts of documentation are now available in English. You can get it at
-    http://linux.mks.com.pl/. The only option for this scanner type is the
-    maximum number of processes used simultaneously to scan the attachments,
-    provided that mksd has been run with at least the same number of child
-    processes. For example:
+    This was a daemon type scanner that is aimed mainly at Polish users, though
+    some documentation was available in English. The history can be shown at 
+    https://en.wikipedia.org/wiki/Mks_vir and this appears to be a candidate
+    for removal from Exim, unless we are informed of other virus scanners which
+    use the same protocol to integrate. The only option for this scanner type
+    is the maximum number of processes used simultaneously to scan the
+    attachments, provided that mksd has been run with at least the same number
+    of child processes. For example:
 
     av_scanner = mksd:2
 
@@ -29981,8 +30278,8 @@
 sophie
 
     Sophie is a daemon that uses Sophos' libsavi library to scan for viruses.
-    You can get Sophie at http://www.clanfield.info/sophie/. The only option
-    for this scanner type is the path to the UNIX socket that Sophie uses for
+    You can get Sophie at http://sophie.sourceforge.net/. The only option for
+    this scanner type is the path to the UNIX socket that Sophie uses for
     client communication. For example:
 
     av_scanner = sophie:/tmp/sophie
@@ -30072,8 +30369,8 @@
 and a report for the message. Support is also provided for Rspamd.
 
 For more information about installation and configuration of SpamAssassin or
-Rspamd refer to their respective websites at http://spamassassin.apache.org and
-http://www.rspamd.com
+Rspamd refer to their respective websites at https://spamassassin.apache.org/
+and https://www.rspamd.com/
 
 SpamAssassin can be installed with CPAN by running:
 
@@ -30104,8 +30401,8 @@
 spamd_address = 127.0.0.1 11333 variant=rspamd
 
 As of version 2.60, SpamAssassin also supports communication over UNIX sockets.
-If you want to us these, supply spamd_address with an absolute file name
-instead of an address/port pair:
+If you want to us these, supply spamd_address with an absolute filename instead
+of an address/port pair:
 
 spamd_address = /var/run/spamd_socket
 
@@ -30216,7 +30513,7 @@
 
 $spam_score
 
-    The spam score of the message, for example "3.4" or "30.5". This is useful
+    The spam score of the message, for example, "3.4" or "30.5". This is useful
     for inclusion in log or reject messages.
 
 $spam_score_int
@@ -30316,13 +30613,13 @@
 
  2. The string "default". In that case, the file is put in the temporary
     "default" directory <spool_directory>/scan/<message_id>/ with a sequential
-    file name consisting of the message id and a sequence number. The full path
+    filename consisting of the message id and a sequence number. The full path
     and name is available in $mime_decoded_filename after decoding.
 
  3. A full path name starting with a slash. If the full name is an existing
     directory, it is used as a replacement for the default directory. The
     filename is then sequentially assigned. If the path does not exist, it is
-    used as the full path and file name.
+    used as the full path and filename.
 
  4. If the string does not start with a slash, it is used as the filename, and
     the default path is then used.
@@ -30418,7 +30715,7 @@
 $mime_decoded_filename
 
     This variable is set only after the decode modifier (see above) has been
-    successfully run. It contains the full path and file name of the file
+    successfully run. It contains the full path and filename of the file
     containing the decoded data.
 
 $mime_filename
@@ -30463,9 +30760,9 @@
 $mime_is_multipart
 
     This variable has the value 1 (true) when the current part has the main
-    type "multipart", for example "multipart/alternative" or "multipart/mixed".
-    Since multipart entities only serve as containers for other parts, you may
-    not want to carry out specific actions on them.
+    type "multipart", for example, "multipart/alternative" or "multipart/
+    mixed". Since multipart entities only serve as containers for other parts,
+    you may not want to carry out specific actions on them.
 
 $mime_is_rfc822
 
@@ -30557,10 +30854,14 @@
 -----------------------------------------------
 
 To make use of the local scan function feature, you must tell Exim where your
-function is before building Exim, by setting LOCAL_SCAN_SOURCE in your Local/
-Makefile. A recommended place to put it is in the Local directory, so you might
-set
+function is before building Exim, by setting
+
+both HAVE_LOCAL_SCAN and
+
+LOCAL_SCAN_SOURCE in your Local/Makefile. A recommended place to put it is in
+the Local directory, so you might set
 
+HAVE_LOCAL_SCAN=yes
 LOCAL_SCAN_SOURCE=Local/local_scan.c
 
 for example. The function must be called local_scan(). It is called by Exim
@@ -30570,8 +30871,8 @@
 commented template function (that just accepts the message) in the file _src/
 local_scan.c_.
 
-If you want to make use of Exim's run time configuration file to set options
-for your local_scan() function, you must also set
+If you want to make use of Exim's runtime configuration file to set options for
+your local_scan() function, you must also set
 
 LOCAL_SCAN_HAS_OPTIONS=yes
 
@@ -32751,7 +33052,7 @@
 ===============================================================================
 49. CUSTOMIZING BOUNCE AND WARNING MESSAGES
 
-When a message fails to be delivered, or remains on the queue for more than a
+When a message fails to be delivered, or remains in the queue for more than a
 configured amount of time, Exim sends a message to the original sender, or to
 an alternative configured address. The text of these messages is built into the
 code of Exim, but it is possible to change it, either by adding a single
@@ -32859,7 +33160,7 @@
 <$sender_address>
 
 }}has not been delivered to all of its recipients after
-more than $warn_message_delay on the queue on $primary_hostname.
+more than $warn_message_delay in the queue on $primary_hostname.
 
 The message identifier is:     $message_exim_id
 The subject of the message is: $h_subject
@@ -32934,7 +33235,7 @@
 routers are tried, and so the whole delivery fails.
 
 The forbid_pipe and forbid_file options prevent a local part from being
-expanded into a file name or a pipe delivery, which is usually inappropriate in
+expanded into a filename or a pipe delivery, which is usually inappropriate in
 a mailing list.
 
 The errors_to option specifies that any delivery errors caused by addresses
@@ -33053,11 +33354,11 @@
 50.6 Variable Envelope Return Paths (VERP)
 ------------------------------------------
 
-Variable Envelope Return Paths - see http://cr.yp.to/proto/verp.txt - are a way
-of helping mailing list administrators discover which subscription address is
-the cause of a particular delivery failure. The idea is to encode the original
-recipient address in the outgoing envelope sender address, so that if the
-message is forwarded by another host and then subsequently bounces, the
+Variable Envelope Return Paths - see https://cr.yp.to/proto/verp.txt - are a
+way of helping mailing list administrators discover which subscription address
+is the cause of a particular delivery failure. The idea is to encode the
+original recipient address in the outgoing envelope sender address, so that if
+the message is forwarded by another host and then subsequently bounces, the
 original recipient can be extracted from the recipient address of the bounce.
 
 Envelope sender addresses can be modified by Exim using two different
@@ -33172,7 +33473,7 @@
 ensures that if the lookup fails (leading to data being an empty string), Exim
 gives up on the address without trying any subsequent routers.
 
-This one router can handle all the virtual domains because the alias file names
+This one router can handle all the virtual domains because the alias filenames
 follow a fixed pattern. Permissions can be arranged so that appropriate people
 can edit the different alias files. A successful aliasing operation results in
 a new envelope recipient address, which is then routed from scratch.
@@ -33313,7 +33614,7 @@
 --------------------------------------
 
 It is tempting to arrange for incoming mail for the intermittently connected
-host to remain on Exim's queue until the client connects. However, this
+host to remain in Exim's queue until the client connects. However, this
 approach does not scale very well. Two different kinds of waiting message are
 being mixed up in the same queue - those that cannot be delivered because of
 some temporary problem, and those that are waiting for their destination host
@@ -33540,14 +33841,14 @@
 this has been seen to make syslog take 90% plus of CPU time.
 
 The destination for Exim's logs is configured by setting LOG_FILE_PATH in Local
-/Makefile or by setting log_file_path in the run time configuration. This
-latter string is expanded, so it can contain, for example, references to the
-host name:
+/Makefile or by setting log_file_path in the runtime configuration. This latter
+string is expanded, so it can contain, for example, references to the host
+name:
 
 log_file_path = /var/log/$primary_hostname/exim_%slog
 
 It is generally advisable, however, to set the string in Local/Makefile rather
-than at run time, because then the setting is available right from the start of
+than at runtime, because then the setting is available right from the start of
 Exim's execution. Otherwise, if there's something it wants to log before it has
 read the configuration file (for example, an error in the configuration file)
 it will not use the path you want, and may not be able to log at all.
@@ -33569,11 +33870,11 @@
 
 log_file_path = $spool_directory/log/%slog
 
-If you do not specify anything at build time or run time, or if you unset the
-option at run time (i.e. "log_file_path = "), that is where the logs are
+If you do not specify anything at build time or runtime, or if you unset the
+option at runtime (i.e. "log_file_path = "), that is where the logs are
 written.
 
-A log file path may also contain "%D" or "%M" if datestamped log file names are
+A log file path may also contain "%D" or "%M" if datestamped log filenames are
 in use - see section 52.3 below.
 
 Here are some examples of possible settings:
@@ -33971,8 +34272,9 @@
 F           sender address (on delivery lines)
 H           host name and IP address
 I           local interface used
-K           CHUNKING extension used
 id          message id for incoming message
+K           CHUNKING extension used
+L           on <= and => lines: PIPELINING extension used
 M8S         8BITMIME status for incoming message
 P           on <= lines: protocol used
             on => and ** lines: return path
@@ -34073,6 +34375,7 @@
  queue_time                   time on queue for one recipient
  queue_time_overall           time on queue for whole message
  pid                          Exim process id
+ pipelining                   PIPELINING use, on <= and => lines
  proxy                        proxy address on <= and => lines
  receive_time                 time taken to receive message
  received_recipients          recipients on <= lines
@@ -34180,7 +34483,7 @@
   * incoming_interface: The interface on which a message was received is added
     to the "<=" line as an IP address in square brackets, tagged by I= and
     followed by a colon and the port number. The local interface and port are
-    also added to other SMTP log lines, for example "SMTP connection from", to
+    also added to other SMTP log lines, for example, "SMTP connection from", to
     rejection lines, and (despite the name) to outgoing "=>" and "->" lines.
     The latter can be disabled by turning off the outgoing_interface option.
 
@@ -34217,6 +34520,12 @@
   * pid: The current process id is added to every log line, in square brackets,
     immediately after the time and date.
 
+  * pipelining: A field is added to delivery and accept log lines when the
+    ESMTP PIPELINING extension was used. The field is a single "L".
+
+    On accept lines, where PIPELINING was offered but not used by the client,
+    the field has a minus appended.
+
   * queue_run: The start and end of every queue run are logged.
 
   * queue_time: The amount of time the message has been in the queue on the
@@ -34360,10 +34669,7 @@
 
   * tls_certificate_verified: An extra item is added to <= and => log lines
     when TLS is in use. The item is "CV=yes" if the peer's certificate was
-    verified
-
-    using a CA trust anchor, "CA=dane" if using a DNS trust anchor,
-
+    verified using a CA trust anchor, "CA=dane" if using a DNS trust anchor,
     and "CV=no" if not.
 
   * tls_cipher: When a message is sent or received over an encrypted
@@ -34422,8 +34728,8 @@
     53.15 exim_lock        lock a mailbox file
 
 Another utility that might be of use to sites with many MTAs is Tom Kistner's 
-exilog. It provides log visualizations across multiple Exim servers. See http:/
-/duncanthrax.net/exilog/ for details.
+exilog. It provides log visualizations across multiple Exim servers. See https:
+//duncanthrax.net/exilog/ for details.
 
 
 53.1 Finding out what Exim processes are doing (exiwhat)
@@ -34550,7 +34856,7 @@
 -------------------------------------
 
 The exiqsumm utility is a Perl script which reads the output of "exim -bp" and
-produces a summary of the messages on the queue. Thus, you use it by running a
+produces a summary of the messages in the queue. Thus, you use it by running a
 command such as
 
 exim -bp | exiqsumm
@@ -34592,11 +34898,11 @@
 
 exigrep [-t<n>] [-I] [-l] [-M] [-v] <pattern> [<log file>] ...
 
-If no log file names are given on the command line, the standard input is read.
+If no log filenames are given on the command line, the standard input is read.
 
 The -t argument specifies a number of seconds. It adds an additional condition
 for message selection. Messages that are complete are shown only if they spent
-more than <n> seconds on the queue.
+more than <n> seconds in the queue.
 
 By default, exigrep does case-insensitive matching. The -I option makes it
 case-sensitive. This may give a performance improvement when searching large
@@ -34654,8 +34960,8 @@
     the script's default, which is to find the setting from Exim's
     configuration.
 
-Each time exicyclog is run the file names get "shuffled down" by one. If the
-main log file name is mainlog (the default) then when exicyclog is run mainlog
+Each time exicyclog is run the filenames get "shuffled down" by one. If the
+main log filename is mainlog (the default) then when exicyclog is run mainlog
 becomes mainlog.01, the previous mainlog.01 becomes mainlog.02 and so on, up to
 the limit that is set in the script or by the -k option. Log files whose
 numbers exceed the limit are discarded. Reject logs are handled similarly.
@@ -34681,9 +34987,7 @@
 --------------------------------
 
 A Perl script called eximstats is provided for extracting statistical
-information from log files. The output is either plain text, or HTML. Exim log
-files are also supported by the Lire system produced by the LogReport
-Foundation http://www.logreport.org.
+information from log files. The output is either plain text, or HTML.
 
 The eximstats script has been hacked about quite a bit over time. The latest
 version is the result of some extensive revision by Steve Campbell. A lot of
@@ -34723,7 +35027,7 @@
 The remainder of the output is in sections that can be independently disabled
 or modified by various options. It consists of a summary of deliveries by
 transport, histograms of messages received and delivered per time interval
-(default per hour), information about the time messages spent on the queue, a
+(default per hour), information about the time messages spent in the queue, a
 list of relayed messages, lists of the top fifty sending hosts, local senders,
 destination hosts, and destination local users by count and by volume, and a
 list of delivery errors that occurred.
@@ -34798,9 +35102,9 @@
 well.
 
 If the native DB interface is in use (USE_DB is set in a compile-time
-configuration file - this is common in free versions of Unix) the two file
-names must be different, because in this mode the Berkeley DB functions create
-a single output file using exactly the name given. For example,
+configuration file - this is common in free versions of Unix) the two filenames
+must be different, because in this mode the Berkeley DB functions create a
+single output file using exactly the name given. For example,
 
 exim_dbmbuild /etc/aliases /etc/aliases.db
 
@@ -34811,7 +35115,7 @@
 suffixes are added to the second argument of exim_dbmbuild, so it can be the
 same as the first. This is also the case when the Berkeley functions are used
 in compatibility mode (though this is not recommended), because in that case it
-adds a .db suffix to the file name.
+adds a .db suffix to the filename.
 
 If a duplicate key is encountered, the program outputs a warning, and when it
 finishes, its return code is 1 rather than zero, unless the -noduperr option is
@@ -35061,7 +35365,7 @@
 create a lock file and also to use fcntl() locking on the mailbox, which is the
 same as Exim's default. The use of -flock or -fcntl requires that the file be
 writeable; the use of -lockfile requires that the directory containing the file
-be writeable. Locking by lock file does not last for ever; Exim assumes that a
+be writeable. Locking by lock file does not last forever; Exim assumes that a
 lock file is expired if it is more than 30 minutes old.
 
 The -mbx option can be used with either or both of -fcntl or -flock. It assumes
@@ -35145,7 +35449,7 @@
 Eximon*highlight: gray
 End
 
-In order to see the contents of messages on the queue, and to operate on them, 
+In order to see the contents of messages in the queue, and to operate on them, 
 eximon must either be run as root or by an admin user.
 
 The command-line parameters of eximon are passed to eximon.bin and may contain
@@ -35164,7 +35468,7 @@
 54.2 The stripcharts
 --------------------
 
-The first stripchart is always a count of messages on the queue. Its name can
+The first stripchart is always a count of messages in the queue. Its name can
 be configured by setting QUEUE_STRIPCHART_NAME in the Local/eximon.conf file.
 The remaining stripcharts are defined in the configuration script by regular
 expression matches on log file entries, making it possible to display, for
@@ -35274,7 +35578,7 @@
 ----------------------
 
 The bottom section of the monitor window contains a list of all messages that
-are on the queue, which includes those currently being received or delivered,
+are in the queue, which includes those currently being received or delivered,
 as well as those awaiting delivery. The size of this subwindow is controlled by
 parameters in the configuration file Local/eximon.conf, and the frequency at
 which it is updated is controlled by another parameter in the same file - the
@@ -35283,7 +35587,7 @@
 an update of the queue display at any time.
 
 When a host is down for some time, a lot of pending mail can build up for it,
-and this can make it hard to deal with other messages on the queue. To help
+and this can make it hard to deal with other messages in the queue. To help
 with this situation there is a button next to "Update" called "Hide". If
 pressed, a dialogue box called "Hide addresses ending with" is put up. If you
 type anything in here and press "Return", the text is added to a chain of such
@@ -35304,7 +35608,7 @@
 pressing the "Hide" button.
 
 The queue display contains, for each unhidden queued message, the length of
-time it has been on the queue, the size of the message, the message id, the
+time it has been in the queue, the size of the message, the message id, the
 message sender, and the first undelivered recipient, all on one line. If it is
 a bounce message, the sender is shown as "<>". If there is more than one
 recipient to which the message has not yet been delivered, subsequent ones are
@@ -35350,7 +35654,7 @@
   * body: The contents of the spool file containing the body of the message are
     displayed in a new text window. There is a default limit of 20,000 bytes to
     the amount of data displayed. This can be changed by setting the BODY_MAX
-    option at compile time, or the EXIMON_BODY_MAX option at run time.
+    option at compile time, or the EXIMON_BODY_MAX option at runtime.
 
   * deliver message: A call to Exim is made using the -M option to request
     delivery of the message. This causes an automatic thaw if the message is
@@ -35446,10 +35750,10 @@
 penetrated the Exim (but not the root) account. These options are as follows:
 
   * ALT_CONFIG_PREFIX can be set to a string that is required to match the
-    start of any file names used with the -C option. When it is set, these file
-    names are also not allowed to contain the sequence "/../". (However, if the
-    value of the -C option is identical to the value of CONFIGURE_FILE in Local
-    /Makefile, Exim ignores -C and proceeds as usual.) There is no default
+    start of any filenames used with the -C option. When it is set, these
+    filenames are also not allowed to contain the sequence "/../". (However, if
+    the value of the -C option is identical to the value of CONFIGURE_FILE in
+    Local/Makefile, Exim ignores -C and proceeds as usual.) There is no default
     setting for ALT_CONFIG_PREFIX.
 
     If the permitted configuration files are confined to a directory to which
@@ -35511,7 +35815,7 @@
 obviously more secure if Exim does not run as root except when necessary. For
 this reason, a user and group for Exim to use must be defined in Local/Makefile
 . These are known as "the Exim user" and "the Exim group". Their values can be
-changed by the run time configuration, though this is not recommended. Often a
+changed by the runtime configuration, though this is not recommended. Often a
 user called exim is used, but some sites use mail or another user name
 altogether.
 
@@ -35882,6 +36186,10 @@
 is insurance against disk crashes where the directory is lost but the files
 themselves are recoverable.
 
+The file formats may be changed, or new formats added, at any release. Spool
+files are not intended as an interface to other programs and should not be used
+as such.
+
 Some people are tempted into editing -D files in order to modify messages. You
 need to be extremely careful if you do this; it is not recommended and you are
 on your own if you do it. Here are some of the pitfalls:
@@ -36406,7 +36714,8 @@
 This option sets the canonicalization method used when signing a message. The
 DKIM RFC currently supports two methods: "simple" and "relaxed". The option
 defaults to "relaxed" when unset. Note: the current implementation only
-supports using the same canonicalization method for both headers and body.
+supports signing with the same canonicalization method for both headers and
+body.
 
 +--------------------------------------------------+
 |dkim_strict|Use: smtp|Type: string*|Default: unset|
@@ -36436,23 +36745,36 @@
 prefix if used, all headers that are present with this name will be signed, and
 one signature added for a missing header with the name will be appended.
 
++-------------------------------------------------------+
+|dkim_timestamps|Use: smtp|Type: integer*|Default: unset|
++-------------------------------------------------------+
+
+This option controls the inclusion of timestamp information in the signature.
+If not set, no such information will be included. Otherwise, must be an
+unsigned number giving an offset in seconds from the current time for the
+expiry tag (eg. 1209600 for two weeks); both creation (t=) and expiry (x=) tags
+will be included.
+
+RFC 6376 lists these tags as RECOMMENDED.
+
 
 57.3 Verifying DKIM signatures in incoming mail
 -----------------------------------------------
 
-Verification of DKIM signatures in SMTP incoming email is implemented via the 
-acl_smtp_dkim ACL. By default, this ACL is called once for each syntactically
-(!) correct signature in the incoming message. A missing ACL definition
-defaults to accept. If any ACL call does not accept, the message is not
-accepted. If a cutthrough delivery was in progress for the message, that is
-summarily dropped (having wasted the transmission effort).
-
-To evaluate the signature in the ACL a large number of expansion variables
-containing the signature status and its details are set up during the runtime
-of the ACL.
-
-Performing verification sets up information used by the $authresults expansion
-item.
+Verification of DKIM signatures in SMTP incoming email is done for all messages
+for which an ACL control dkim_disable_verify has not been set. Performing
+verification sets up information used by the $authresults expansion item.
+
+The acl_smtp_dkim ACL, which can examine and modify them. By default, this ACL
+is called once for each syntactically(!) correct signature in the incoming
+message. A missing ACL definition defaults to accept. If any ACL call does not
+accept, the message is not accepted. If a cutthrough delivery was in progress
+for the message, that is summarily dropped (having wasted the transmission
+effort).
+
+To evaluate the verification result in the ACL a large number of expansion
+variables containing the signature status and its details are set up during the
+runtime of the ACL.
 
 Calling the ACL only for existing signatures is not sufficient to build more
 advanced policies. For that reason, the global option dkim_verify_signers, and
@@ -36523,8 +36845,10 @@
            set dkim_verify_status = fail
            set dkim_verify_reason = hash too weak or key too short
 
-    After all the DKIM ACL runs have completed, the value becomes a
-    colon-separated list of the values after each run.
+    So long as a DKIM ACL is defined (it need do no more than accept), after
+    all the DKIM ACL runs have completed, the value becomes a colon-separated
+    list of the values after each run. This is maintained for the mime, prdr
+    and data ACLs.
 
 $dkim_verify_reason
 
@@ -36568,11 +36892,10 @@
 
 $dkim_algo
 
-    The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'.
-
-    If running under GnuTLS 3.6.0 or OpenSSL 1.1.1 or later, may also be
-    'ed25519-sha256'. The "_CRYPTO_SIGN_ED25519" macro will be defined if
-    support is present for EC keys.
+    The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'. If running under
+    GnuTLS 3.6.0 or OpenSSL 1.1.1 or later, may also be 'ed25519-sha256'. The
+    "_CRYPTO_SIGN_ED25519" macro will be defined if support is present for EC
+    keys.
 
     Note that RFC 8301 says:
 
@@ -36606,6 +36929,11 @@
     limit was set by the signer, "9999999999999" is returned. This makes sure
     that this variable always expands to an integer value.
 
+    Note: The presence of the signature tag specifying a signing body length is
+    one possible route to spoofing of valid DKIM signatures. A paranoid
+    implementation might wish to regard signature where this variable shows
+    less than the "no limit" return as being invalid.
+
 $dkim_created
 
     UNIX timestamp reflecting the date and time when the signature was created.
@@ -36616,9 +36944,8 @@
     UNIX timestamp reflecting the date and time when the signer wants the
     signature to be treated as "expired". When this was not specified by the
     signer, "9999999999999" is returned. This makes it possible to do useful
-    integer size comparisons against this value.
-
-    Note that Exim does not check this value.
+    integer size comparisons against this value. Note that Exim does not check
+    this value.
 
 $dkim_headernames
 
@@ -36705,12 +37032,11 @@
 This includes retransmissions done by traditional forwarders.
 
 SPF verification support is built into Exim if SUPPORT_SPF=yes is set in Local/
-Makefile. The support uses the libspf2 library http://www.libspf2.org/. There
+Makefile. The support uses the libspf2 library https://www.libspf2.org/. There
 is no Exim involvement in the transmission of messages; publishing certain DNS
 records is all that is required.
 
-For verification, an ACL condition and an expansion lookup are provided.
-
+For verification, an ACL condition and an expansion lookup are provided. 
 Performing verification sets up information used by the $authresults expansion
 item.
 
@@ -36851,9 +37177,8 @@
 "Proxy Protocol" to speak to it. To include this support, include
 "SUPPORT_PROXY=yes" in Local/Makefile.
 
-It was built on specifications from: (http://haproxy.1wt.eu/download/1.5/doc/
-proxy-protocol.txt). That URL was revised in May 2014 to version 2 spec: (http:
-//git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e).
+It was built on the HAProxy specification, found at https://www.haproxy.org/
+download/1.8/doc/proxy-protocol.txt.
 
 The purpose of this facility is so that an application load balancer, such as
 HAProxy, can sit in front of several Exim servers to distribute load. Exim uses
@@ -37013,9 +37338,7 @@
 ${utf8_localpart_to_alabel:str}
 ${utf8_localpart_from_alabel:str}
 
-The RCPT ACL
-
-may use the following modifier:
+The RCPT ACL may use the following modifier:
 
 control = utf8_downconvert
 control = utf8_downconvert/<value>
@@ -37030,6 +37353,9 @@
 
 If mua_wrapper is set, the utf8_downconvert control is initially set to -1.
 
+The smtp transport has an option utf8_downconvert. If set it must expand to one
+of the three values described above, and it overrides any previously set value.
+
 There is no explicit support for VRFY and EXPN. Configurations supporting these
 should inspect $smtp_command_argument for an SMTPUTF8 argument.
 
@@ -37138,6 +37464,8 @@
 
 dane:fail             failure reason
 msg:delivery          smtp confirmation message
+msg:fail:internal     failure reason
+msg:fail:delivery     smtp error message
 msg:rcpt:host:defer   error string
 msg:rcpt:defer        error string
 msg:host:defer        error string
diff -Nru exim4-4.91/exim_monitor/em_globals.c exim4-4.92~RC4/exim_monitor/em_globals.c
--- exim4-4.91/exim_monitor/em_globals.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/exim_monitor/em_globals.c	2018-12-27 13:36:19.000000000 +0000
@@ -139,7 +139,7 @@
 uschar *dkim_signing_domain      = NULL;
 uschar *dkim_signing_selector    = NULL;
 uschar *dkim_verify_signers      = US"$dkim_signers";
-BOOL    dkim_collect_input       = FALSE;
+unsigned dkim_collect_input      = 0;
 BOOL    dkim_disable_verify      = FALSE;
 #endif
 
@@ -148,6 +148,10 @@
 int     dsn_ret                = 0;
 uschar *dsn_envid              = NULL;
 
+struct global_flags f = {
+ .sender_local		= FALSE,
+};
+
 #ifdef WITH_CONTENT_SCAN
 int     fake_response          = OK;
 #endif
@@ -205,7 +209,6 @@
 uschar *sender_host_name       = NULL;
 int     sender_host_port       = 0;
 uschar *sender_ident           = NULL;
-BOOL    sender_local           = FALSE;
 BOOL    sender_set_untrusted   = FALSE;
 uschar *smtp_active_hostname   = NULL;
 
@@ -217,7 +220,7 @@
 
 BOOL    timestamps_utc         = FALSE;
 tls_support tls_in = {
- -1,	/* tls_active */
+ {-1},	/* tls_active */
  0,	/* bits */
  FALSE,	/* tls_certificate_verified */
 #ifdef SUPPORT_DANE
diff -Nru exim4-4.91/exim_monitor/em_hdr.h exim4-4.92~RC4/exim_monitor/em_hdr.h
--- exim4-4.91/exim_monitor/em_hdr.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/exim_monitor/em_hdr.h	2018-12-27 13:36:19.000000000 +0000
@@ -87,11 +87,12 @@
 
 #include <pcre.h>
 
-/* Includes from the main source of Exim. We need to have MAXPACKET defined for
-the benefit of structs.h. One of these days I should tidy up this interface so
-that this kind of kludge isn't needed. */
+/* Includes from the main source of Exim.  One of these days I should tidy up
+this interface so that this kind of kludge isn't needed. */
 
-#define MAXPACKET 1024
+#ifndef NS_MAXMSG
+# define NS_MAXMSG 65535
+#endif
 typedef void hctx;
 
 #include "config.h"
diff -Nru exim4-4.91/exim_monitor/em_menu.c exim4-4.92~RC4/exim_monitor/em_menu.c
--- exim4-4.91/exim_monitor/em_menu.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/exim_monitor/em_menu.c	2018-12-27 13:36:19.000000000 +0000
@@ -680,7 +680,7 @@
 
 if (sender_address != NULL)
   {
-  text_showf(text, "%s sender: <%s>\n", sender_local? "Local" : "Remote",
+  text_showf(text, "%s sender: <%s>\n", f.sender_local ? "Local" : "Remote",
     sender_address);
   }
 
diff -Nru exim4-4.91/exim_monitor/em_queue.c exim4-4.92~RC4/exim_monitor/em_queue.c
--- exim4-4.91/exim_monitor/em_queue.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/exim_monitor/em_queue.c	2018-12-27 13:36:19.000000000 +0000
@@ -234,7 +234,7 @@
     }
   else
     {
-    deliver_freeze = FALSE;
+    f.deliver_freeze = FALSE;
     sender_address = msg;
     recipients_count = 0;
     }
@@ -242,9 +242,9 @@
 
 /* Now set up the remaining data. */
 
-q->frozen = deliver_freeze;
+q->frozen = f.deliver_freeze;
 
-if (sender_set_untrusted)
+if (f.sender_set_untrusted)
   {
   if (sender_address[0] == 0)
     {
diff -Nru exim4-4.91/OS/Makefile-Base exim4-4.92~RC4/OS/Makefile-Base
--- exim4-4.91/OS/Makefile-Base	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/OS/Makefile-Base	2018-12-27 13:36:19.000000000 +0000
@@ -130,6 +130,7 @@
 
 OBJ_MACRO = macro_predef.o \
 	macro-globals.o macro-readconf.o macro-route.o macro-transport.o macro-drtables.o \
+	macro-tls.o \
 	macro-appendfile.o macro-autoreply.o macro-lmtp.o macro-pipe.o macro-queuefile.o \
 	macro-smtp.o macro-accept.o macro-dnslookup.o macro-ipliteral.o macro-iplookup.o \
 	macro-manualroute.o macro-queryprogram.o macro-redirect.o \
@@ -157,6 +158,9 @@
 macro-drtables.o :	drtables.c
 	@echo "$(CC) -DMACRO_PREDEF drtables.c"
 	$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ drtables.c
+macro-tls.o:	tls.c
+	@echo "$(CC) -DMACRO_PREDEF tls.c"
+	$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ tls.c
 macro-appendfile.o :	transports/appendfile.c
 	@echo "$(CC) -DMACRO_PREDEF transports/appendfile.c"
 	$(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ transports/appendfile.c
diff -Nru exim4-4.91/OS/Makefile-Darwin exim4-4.92~RC4/OS/Makefile-Darwin
--- exim4-4.91/OS/Makefile-Darwin	1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.92~RC4/OS/Makefile-Darwin	2018-12-27 13:36:19.000000000 +0000
@@ -0,0 +1,29 @@
+# Exim: OS-specific make file for Darwin (Mac OS X).
+
+CC=cc
+
+BASENAME_COMMAND=look_for_it
+CHOWN_COMMAND=/usr/sbin/chown
+CHMOD_COMMAND=/bin/chmod
+
+HAVE_SA_LEN=YES
+
+# Removed -DBIND_8_COMPAT for 4.61
+# CFLAGS=-O -no-cpp-precomp -DBIND_8_COMPAT
+
+CFLAGS=-O -no-cpp-precomp
+LIBRESOLV=-lresolv
+
+USE_DB = yes
+DBMLIB =
+
+X11=/usr/X11R6
+XINCLUDE=-I$(X11)/include
+XLFLAGS=-L$(X11)/lib
+X11_LD_LIB=$(X11)/lib
+
+EXIWHAT_PS_ARG=ax
+EXIWHAT_EGREP_ARG='/exim( |$$)'
+EXIWHAT_KILL_SIGNAL=-USR1
+
+# End
diff -Nru exim4-4.91/OS/Makefile-OpenBSD exim4-4.92~RC4/OS/Makefile-OpenBSD
--- exim4-4.91/OS/Makefile-OpenBSD	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/OS/Makefile-OpenBSD	2018-12-27 13:36:19.000000000 +0000
@@ -4,7 +4,7 @@
 CHGRP_COMMAND=/usr/sbin/chgrp
 CHMOD_COMMAND=/bin/chmod
 
-CFLAGS=-O2 -Wall
+CFLAGS=-O2 -Wall -Wno-parentheses -Wno-self-assign -Wno-logical-op-parentheses
 
 LIBS=-lm
 
diff -Nru exim4-4.91/OS/os.h-Darwin exim4-4.92~RC4/OS/os.h-Darwin
--- exim4-4.91/OS/os.h-Darwin	1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.92~RC4/OS/os.h-Darwin	2018-12-27 13:36:19.000000000 +0000
@@ -0,0 +1,58 @@
+/* Exim: OS-specific C header file for Darwin (Mac OS X) */
+
+/* #define CRYPT_H */  /* Apparently this isn't needed */
+
+#define HAVE_MMAP
+#define HAVE_SYS_MOUNT_H
+#define PAM_H_IN_PAM
+#define SIOCGIFCONF_GIVES_ADDR
+
+
+#define F_FREESP     O_TRUNC
+typedef struct flock flock_t;
+
+#define BASE_62 36  /* HFS+ aliases lower and upper cases in filenames.
+                               Consider reducing MAX_LOCALHOST_NUMBER */
+
+#ifndef        _BSD_SOCKLEN_T_
+# define _BSD_SOCKLEN_T_ int32_t                 /* socklen_t (duh) */
+#endif
+
+/* Settings for handling IP options. There's no netinet/ip_var.h. The IP
+option handling is in the style of the later GLIBCs but the GLIBC macros
+aren't set, so we invent a new one. */
+
+#define NO_IP_VAR_H
+#define DARWIN_IP_OPTIONS
+
+/* Need this for the DNS lookup code. Remember to remove if we get round to
+updating Exim to use the newer interface. */
+
+#define BIND_8_COMPAT
+
+/* It's not .so for dynamic libraries on Darwin. */
+#define DYNLIB_FN_EXT "dylib"
+
+/* We currently need some assistance getting OFF_T_FMT correct on MacOS */
+#ifdef OFF_T_FMT
+# undef OFF_T_FMT
+#endif
+#define OFF_T_FMT "%lld"
+#define LONGLONG_T long int
+
+/* default is non-const */
+#define ICONV_ARG2_TYPE const char **
+
+/* seems arpa/nameser.h does not define this */
+#define NS_MAXMSG 65535
+
+/* There may be very many supplementary groups for the user. See notes
+in "man 2 getgroups". */
+#define _DARWIN_UNLIMITED_GETGROUPS
+#define EXIM_GROUPLIST_SIZE 64
+
+/* TCP Fast Open: Darwin uses a connectx() call
+rather than a modified sendto() */
+#define EXIM_TFO_CONNECTX
+
+/* End */
diff -Nru exim4-4.91/OS/os.h-FreeBSD exim4-4.92~RC4/OS/os.h-FreeBSD
--- exim4-4.91/OS/os.h-FreeBSD	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/OS/os.h-FreeBSD	2018-12-27 13:36:19.000000000 +0000
@@ -4,6 +4,7 @@
 
 
 #include <sys/types.h>
+#include <sys/param.h>
 
 #define HAVE_BSD_GETLOADAVG
 #define HAVE_SETCLASSRESOURCES
@@ -13,6 +14,14 @@
 #define HAVE_SRANDOMDEV
 #define HAVE_ARC4RANDOM
 
+/* Applications should not call arc4random_stir() explicitly after
+ * FreeBSD r227520 (approximately 1000002).
+ * Set NOT_HAVE_ARC4RANDOM_STIR if the version released is past
+ * that point. */
+#if __FreeBSD_version >= 1000002
+# define NOT_HAVE_ARC4RANDOM_STIR
+#endif
+
 typedef struct flock flock_t;
 
 /* iconv arg2 type: libiconv in Ports uses "const char* * inbuf" and was
@@ -36,9 +45,8 @@
 #if __FreeBSD__ >= 10
 # define LIBICONV_PLUG
 #endif
-/* for more specific version constraints, include <sys/param.h> and look at
- * __FreeBSD_version */
-
+/* for more specific version constraints, look at __FreeBSD_version
+ * from <sys/param.h> */
 
 /* When using DKIM, setting OS_SENDFILE can increase
 performance on outgoing mail a bit. */
diff -Nru exim4-4.91/OS/os.h-Linux exim4-4.92~RC4/OS/os.h-Linux
--- exim4-4.91/OS/os.h-Linux	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/OS/os.h-Linux	2018-12-27 13:36:19.000000000 +0000
@@ -83,6 +83,9 @@
 # define MSG_FASTOPEN 0x20000000
 #endif
 #define EXIM_HAVE_TCPI_UNACKED
+#ifndef TCPI_OPT_SYN_DATA
+# define TCPI_OPT_SYN_DATA 32
+#endif
 
 
 /* End */
diff -Nru exim4-4.91/OS/os.h-OpenBSD exim4-4.92~RC4/OS/os.h-OpenBSD
--- exim4-4.91/OS/os.h-OpenBSD	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/OS/os.h-OpenBSD	2018-12-27 13:36:19.000000000 +0000
@@ -53,4 +53,8 @@
 #endif
 #define TIME_T_FMT "%lld"
 
+/* seems arpa/nameser.h does not define this.
+Space-constrained devices could use much smaller; a few k. */
+#define NS_MAXMSG 65535
+
 /* End */
diff -Nru exim4-4.91/OS/unsupported/Makefile-Darwin exim4-4.92~RC4/OS/unsupported/Makefile-Darwin
--- exim4-4.91/OS/unsupported/Makefile-Darwin	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/OS/unsupported/Makefile-Darwin	1970-01-01 00:00:00.000000000 +0000
@@ -1,29 +0,0 @@
-# Exim: OS-specific make file for Darwin (Mac OS X).
-
-CC=cc
-
-BASENAME_COMMAND=look_for_it
-CHOWN_COMMAND=/usr/sbin/chown
-CHMOD_COMMAND=/bin/chmod
-
-HAVE_SA_LEN=YES
-
-# Removed -DBIND_8_COMPAT for 4.61
-# CFLAGS=-O -no-cpp-precomp -DBIND_8_COMPAT
-
-CFLAGS=-O -no-cpp-precomp
-LIBRESOLV=-lresolv
-
-USE_DB = yes
-DBMLIB =
-
-X11=/usr/X11R6
-XINCLUDE=-I$(X11)/include
-XLFLAGS=-L$(X11)/lib
-X11_LD_LIB=$(X11)/lib
-
-EXIWHAT_PS_ARG=ax
-EXIWHAT_EGREP_ARG='/exim( |$$)'
-EXIWHAT_KILL_SIGNAL=-USR1
-
-# End
diff -Nru exim4-4.91/OS/unsupported/os.h-Darwin exim4-4.92~RC4/OS/unsupported/os.h-Darwin
--- exim4-4.91/OS/unsupported/os.h-Darwin	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/OS/unsupported/os.h-Darwin	1970-01-01 00:00:00.000000000 +0000
@@ -1,48 +0,0 @@
-/* Exim: OS-specific C header file for Darwin (Mac OS X) */
-
-/* #define CRYPT_H */  /* Apparently this isn't needed */
-
-#define HAVE_MMAP
-#define HAVE_SYS_MOUNT_H
-#define PAM_H_IN_PAM
-#define SIOCGIFCONF_GIVES_ADDR
-
-/* OSX 10.2 does not have poll.h, 10.3 does emulate it badly. */
-#define NO_POLL_H
-
-#define F_FREESP     O_TRUNC
-typedef struct flock flock_t;
-
-#define BASE_62 36  /* HFS+ aliases lower and upper cases in filenames.
-                               Consider reducing MAX_LOCALHOST_NUMBER */
-
-#ifndef        _BSD_SOCKLEN_T_
-#define _BSD_SOCKLEN_T_ int32_t                 /* socklen_t (duh) */
-#endif
-
-/* Settings for handling IP options. There's no netinet/ip_var.h. The IP
-option handling is in the style of the later GLIBCs but the GLIBC macros
-aren't set, so we invent a new one. */
-
-#define NO_IP_VAR_H
-#define DARWIN_IP_OPTIONS
-
-/* Need this for the DNS lookup code. Remember to remove if we get round to
-updating Exim to use the newer interface. */
-
-#define BIND_8_COMPAT
-
-/* It's not .so for dynamic libraries on Darwin. */
-#define DYNLIB_FN_EXT "dylib"
-
-/* We currently need some assistance getting OFF_T_FMT correct on MacOS */
-#ifdef OFF_T_FMT
-# undef OFF_T_FMT
-#endif
-#define OFF_T_FMT "%lld"
-#define LONGLONG_T long int
-
-/* default is non-const */
-#define ICONV_ARG2_TYPE const char **
-
-/* End */
diff -Nru exim4-4.91/README exim4-4.92~RC4/README
--- exim4-4.91/README	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/README	2018-12-27 13:36:19.000000000 +0000
@@ -1,7 +1,7 @@
 THE EXIM MAIL TRANSFER AGENT VERSION 4
 --------------------------------------
 
-Copyright (c) 1995 - 2012 University of Cambridge.
+Copyright (c) 1995 - 2018 University of Cambridge.
 See the file NOTICE for conditions of use and distribution.
 
 There is a book about Exim by Philip Hazel called "The Exim SMTP Mail Server",
@@ -14,7 +14,7 @@
 older book may be helpful for the background, but a lot of the detail has
 changed, so it is likely to be confusing to newcomers.
 
-There is a web site at http://www.exim.org; this contains details of the
+There is a website at https://www.exim.org; this contains details of the
 mailing list exim-users@exim.org.
 
 A copy of the Exim FAQ should be available from the same source that you used
diff -Nru exim4-4.91/README.UPDATING exim4-4.92~RC4/README.UPDATING
--- exim4-4.91/README.UPDATING	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/README.UPDATING	2018-12-27 13:36:19.000000000 +0000
@@ -26,6 +26,35 @@
 that might affect a running system.
 
 
+Exim version 4.92
+-----------------
+
+ * Exim used to manually follow CNAME chains, to a limited depth.  In this
+   day-and-age we expect the resolver to be doing this for us, so the loop
+   is limited to one retry unless the (new) config option dns_cname_loops
+   is changed.
+
+Exim version 4.91
+-----------------
+
+ * DANE and SPF have been promoted from Experimental to Supported status, thus
+   the options to enable them in Local/Makefile have been renamed.
+   See current src/EDITME for full details, including changes in dependencies,
+   but loosely: replace EXPERIMENTAL_SPF with SUPPORT_SPF and replace
+   EXPERIMENTAL_DANE with SUPPORT_DANE.
+
+ * Ancient ClamAV stream support, long deprecated by ClamAV, has been removed;
+   if you were building with WITH_OLD_CLAMAV_STREAM enabled then your problems
+   have marginally increased.
+
+ * A number of logging changes; if relying upon the previous DKIM additional
+   log-line, explicit log_selector configuration is needed to keep it.
+
+ * Other incompatible changes in EXPERIMENTAL_* features, read NewStuff and
+   ChangeLog carefully if relying upon an experimental feature such as DMARC.
+   Note that this includes changes to SPF as it was promoted into Supported.
+
+
 Exim version 4.89
 -----------------
 
@@ -63,7 +92,7 @@
 -----------------
 
  * SPF condition results renamed "permerror" and "temperror".  The old
-   names are still accepted for back-compatability, for this release.
+   names are still accepted for back-compatibility, for this release.
 
  * TLS details are now logged on rejects, subject to log selectors.
 
@@ -104,7 +133,7 @@
    upgrading, then lock the message, replace the new-lines that should be part
    of the -tls_peerdn line with the two-character sequence \n and then unlock
    the message.  No tool has been provided as we believe this is a rare
-   occurence.
+   occurrence.
 
  * For OpenSSL, SSLv2 is now disabled by default.  (GnuTLS does not support
    SSLv2).  RFC 6176 prohibits SSLv2 and some informal surveys suggest no
@@ -317,7 +346,7 @@
 -----------------
 
 1. Experimental Yahoo! Domainkeys support has been dropped in this release.
-It has been superceded by a native implementation of its successor DKIM.
+It has been superseded by a native implementation of its successor DKIM.
 
 2. Up to version 4.69, Exim came with an embedded version of the PCRE library.
 As of 4.70, this is no longer the case. To compile Exim, you will need PCRE
diff -Nru exim4-4.91/scripts/Configure-os.h exim4-4.92~RC4/scripts/Configure-os.h
--- exim4-4.91/scripts/Configure-os.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/scripts/Configure-os.h	2018-12-27 13:36:19.000000000 +0000
@@ -28,7 +28,7 @@
 fi
 rm -f os.h
 
-# In order to accomodate for the fudge below, copy the file instead of
+# In order to accommodate for the fudge below, copy the file instead of
 # symlinking it. Otherwise we pollute the clean copy with the fudge.
 cp -p ../OS/os.h-$os os.h || exit 1
 
diff -Nru exim4-4.91/scripts/reversion exim4-4.92~RC4/scripts/reversion
--- exim4-4.91/scripts/reversion	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/scripts/reversion	2018-12-27 13:36:19.000000000 +0000
@@ -29,43 +29,41 @@
 # Read version information that was generated by a previous run of
 # this script, or during the release process.
 
-if   [ -f ./version.sh ]
-then .    ./version.sh
-elif [ -f ../src/version.sh ]
-then .    ../src/version.sh
-fi
-
-# If this tree is a git working directory, use that to get version information.
-
-if [ -d ../../.git ] || [ -f ../../.git ] || [ "$1" = "release" ]
-then
-	# Modify the output of git describe into separate parts for
-	# the name "exim" and the release and variant versions.
-	# Put a dot in the version number and remove a spurious g.
-	if [ "$2" ]
-	then
-	    description=$(git describe "$2")
-	else
-	    description=$(git describe --dirty=-XX --match 'exim-4*')
-	fi
-	set $(echo "$description" | sed 's|-| |;s|_|.|;s|[-_]| _|;s|-g|-|')
-	# Only update if we need to
-	if [ "$2 $3" != "$EXIM_RELEASE_VERSION $EXIM_VARIANT_VERSION" ]
-	then
-		EXIM_RELEASE_VERSION="$2"
-		EXIM_VARIANT_VERSION="$3"
-		rm -f version.h
-	fi
+if   [ -f ./version.sh ]; then
+    .    ./version.sh
+elif [ -f ../src/version.sh ]; then
+    .    ../src/version.sh
+elif [ -d ../../.git ] || [ -f ../../.git ] || [ "$1" = release ]; then
+    # Modify the output of git describe into separate parts for
+    # the name "exim" and the release and variant versions.
+    # Put a dot in the version number and remove a spurious g.
+    if [ "$2" ]
+    then
+        description=$(git describe "$2")
+    else
+        description=$(git describe --dirty=-XX --match 'exim-4*')
+    fi
+    set $(echo "$description" | sed 's/-/ /; s/-g/-/')
+    # Only update if we need to
+    if [ "$2 $3" != "$EXIM_RELEASE_VERSION $EXIM_VARIANT_VERSION" ]
+    then
+            EXIM_RELEASE_VERSION="$2"
+            EXIM_VARIANT_VERSION="$3"
+            rm -f version.h
+    fi
+else
+    echo "Cannot determine the release number" >&2
+    exit
 fi
 
 # If you are maintaining a patched version of Exim, you can either
 # create your own version.sh as part of your release process, or you
 # can modify EXIM_VARIANT_VERSION at this point in this script.
 
-case "$EXIM_RELEASE_VERSION" in
-'')	echo "*** Your copy of Exim lacks any version information."
-	exit 1
-esac
+if test -z "$EXIM_RELEASE_VERSION"; then
+    echo "$0: Your copy of Exim lacks any version information." >&2
+    exit 1
+fi
 
 EXIM_COMPILE_NUMBER=$(expr "${EXIM_COMPILE_NUMBER:-0}" + 1)
 
@@ -101,6 +99,7 @@
 
 ( echo '# automatically generated file - see ../scripts/reversion'
   echo EXIM_RELEASE_VERSION='"'"$EXIM_RELEASE_VERSION"'"'
+  test -n "$EXIM_VARIANT_VERSION" && \
   echo EXIM_VARIANT_VERSION='"'"$EXIM_VARIANT_VERSION"'"'
   echo EXIM_COMPILE_NUMBER='"'"$EXIM_COMPILE_NUMBER"'"'
   if [ ".${exim_build_date_override:-}" != "." ]; then
@@ -112,13 +111,18 @@
 then
 ( echo '/* automatically generated file - see ../scripts/reversion */'
   echo '#define EXIM_RELEASE_VERSION "'"$EXIM_RELEASE_VERSION"'"'
+  test -n "$EXIM_VARIANT_VERSION" && \
   echo '#define EXIM_VARIANT_VERSION "'"$EXIM_VARIANT_VERSION"'"'
-  echo '#define EXIM_VERSION_STR EXIM_RELEASE_VERSION EXIM_VARIANT_VERSION'
+  echo '#ifdef EXIM_VARIANT_VERSION'
+  echo '#define EXIM_VERSION_STR EXIM_RELEASE_VERSION "-" EXIM_VARIANT_VERSION'
+  echo '#else'
+  echo '#define EXIM_VERSION_STR EXIM_RELEASE_VERSION'
+  echo '#endif'
   if [ ".${exim_build_date_override:-}" != "." ]; then
     echo '#define EXIM_BUILD_DATE_OVERRIDE "'"${exim_build_date_override}"'"'
   fi
 ) >version.h
 fi
 
-echo ">>> version $EXIM_RELEASE_VERSION$EXIM_VARIANT_VERSION #$EXIM_COMPILE_NUMBER"
+echo ">>> version $EXIM_RELEASE_VERSION $EXIM_VARIANT_VERSION #$EXIM_COMPILE_NUMBER"
 echo
diff -Nru exim4-4.91/src/acl.c exim4-4.92~RC4/src/acl.c
--- exim4-4.91/src/acl.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/acl.c	2018-12-27 13:36:19.000000000 +0000
@@ -367,6 +367,9 @@
   CONTROL_NO_PIPELINING,
 
   CONTROL_QUEUE_ONLY,
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+  CONTROL_REQUIRETLS,
+#endif
   CONTROL_SUBMISSION,
   CONTROL_SUPPRESS_LOCAL_FIXUPS,
 #ifdef SUPPORT_I18N
@@ -510,6 +513,18 @@
 	    // ACL_BIT_PRDR|    /* Not allow one user to freeze for all */
 	    ACL_BIT_NOTSMTP | ACL_BIT_MIME)
   },
+
+
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+[CONTROL_REQUIRETLS] =
+  { US"requiretls",		 FALSE,
+	  (unsigned)
+	  ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
+	    ACL_BIT_DATA | ACL_BIT_MIME |
+	    ACL_BIT_NOTSMTP)
+  },
+#endif
+
 [CONTROL_SUBMISSION] =
   { US"submission",              TRUE,
 	  (unsigned)
@@ -1042,33 +1057,16 @@
 fn_hdrs_added(void)
 {
 gstring * g = NULL;
-header_line * h = acl_added_headers;
-uschar * s;
-uschar * cp;
-
-if (!h) return NULL;
+header_line * h;
 
-do
+for (h = acl_added_headers; h; h = h->next)
   {
-  s = h->text;
-  while ((cp = Ustrchr(s, '\n')) != NULL)
-    {
-    if (cp[1] == '\0') break;
-
-    /* contains embedded newline; needs doubling */
-    g = string_catn(g, s, cp-s+1);
-    g = string_catn(g, US"\n", 1);
-    s = cp+1;
-    }
-  /* last bit of header */
-
-/*XXX could we use add_listele? */
-  g = string_catn(g, s, cp-s+1);	/* newline-sep list */
+  int i = h->slen;
+  if (h->text[i-1] == '\n') i--;
+  g = string_append_listele_n(g, '\n', h->text, i);
   }
-while((h = h->next));
 
-g->s[g->ptr - 1] = '\0';	/* overwrite last newline */
-return g->s;
+return g ? g->s : NULL;
 }
 
 
@@ -1087,7 +1085,7 @@
 static void
 setup_remove_header(const uschar *hnames)
 {
-if (*hnames != 0)
+if (*hnames)
   acl_removed_headers = acl_removed_headers
     ? string_sprintf("%s : %s", acl_removed_headers, hnames)
     : string_copy(hnames);
@@ -1676,8 +1674,8 @@
     /* We can test the result of optional HELO verification that might have
     occurred earlier. If not, we can attempt the verification now. */
 
-    if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
-    return helo_verified ? OK : FAIL;
+    if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
+    return f.helo_verified ? OK : FAIL;
 
   case VERIFY_CSA:
     /* Do Client SMTP Authorization checks in a separate function, and turn the
@@ -1909,7 +1907,7 @@
       {
       if (!*user_msgptr && *log_msgptr)
         *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
-      if (rc == DEFER) acl_temp_details = TRUE;
+      if (rc == DEFER) f.acl_temp_details = TRUE;
       }
     }
   }
@@ -2062,7 +2060,7 @@
     addr2.user_message : addr2.message;
 
   /* Allow details for temporary error if the address is so flagged. */
-  if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
+  if (testflag((&addr2), af_pass_message)) f.acl_temp_details = TRUE;
 
   /* Make $address_data visible */
   deliver_address_data = addr2.prop.address_data;
@@ -2167,8 +2165,6 @@
   log_msgptr  for error messages
   format      format string
   ...         supplementary arguments
-  ss          ratelimit option name
-  where       ACL_WHERE_xxxx indicating which ACL this is
 
 Returns:      ERROR
 */
@@ -2177,14 +2173,15 @@
 ratelimit_error(uschar **log_msgptr, const char *format, ...)
 {
 va_list ap;
-uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
+gstring * g =
+  string_cat(NULL, US"error in arguments to \"ratelimit\" condition: ");
+
 va_start(ap, format);
-if (!string_vformat(buffer, sizeof(buffer), format, ap))
-  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
-    "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
+g = string_vformat(g, TRUE, format, ap);
 va_end(ap);
-*log_msgptr = string_sprintf(
-  "error in arguments to \"ratelimit\" condition: %s", buffer);
+
+gstring_reset_unused(g);
+*log_msgptr = string_from_gstring(g);
 return ERROR;
 }
 
@@ -2340,7 +2337,7 @@
   return ratelimit_error(log_msgptr, "conflicting update modes");
 if (badacl && (leaky || strict) && !noupdate)
   return ratelimit_error(log_msgptr,
-    "\"%s\" must not have /leaky or /strict option in %s ACL",
+    "\"%s\" must not have /leaky or /strict option, or cannot be used in %s ACL",
     ratelimit_option_string[mode], acl_wherenames[where]);
 
 /* Set the default values of any unset options. In readonly mode we
@@ -2865,7 +2862,7 @@
 int sep = -'/';
 #endif
 
-for (; cb != NULL; cb = cb->next)
+for (; cb; cb = cb->next)
   {
   const uschar *arg;
   int control_type;
@@ -2904,10 +2901,10 @@
     arg = cb->arg;
   else if (!(arg = expand_string(cb->arg)))
     {
-    if (expand_string_forcedfail) continue;
+    if (f.expand_string_forcedfail) continue;
     *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
       cb->arg, expand_string_message);
-    return search_find_defer ? DEFER : ERROR;
+    return f.search_find_defer ? DEFER : ERROR;
     }
 
   /* Show condition, and expanded condition if it's different */
@@ -3029,7 +3026,7 @@
       switch(control_type)
 	{
 	case CONTROL_AUTH_UNADVERTISED:
-	allow_auth_unadvertised = TRUE;
+	f.allow_auth_unadvertised = TRUE;
 	break;
 
 	#ifdef EXPERIMENTAL_BRIGHTMAIL
@@ -3040,22 +3037,22 @@
 
 	#ifndef DISABLE_DKIM
 	case CONTROL_DKIM_VERIFY:
-	dkim_disable_verify = TRUE;
+	f.dkim_disable_verify = TRUE;
 	#ifdef EXPERIMENTAL_DMARC
 	/* Since DKIM was blocked, skip DMARC too */
-	dmarc_disable_verify = TRUE;
-	dmarc_enable_forensic = FALSE;
+	f.dmarc_disable_verify = TRUE;
+	f.dmarc_enable_forensic = FALSE;
 	#endif
 	break;
 	#endif
 
 	#ifdef EXPERIMENTAL_DMARC
 	case CONTROL_DMARC_VERIFY:
-	dmarc_disable_verify = TRUE;
+	f.dmarc_disable_verify = TRUE;
 	break;
 
 	case CONTROL_DMARC_FORENSIC:
-	dmarc_enable_forensic = TRUE;
+	f.dmarc_enable_forensic = TRUE;
 	break;
 	#endif
 
@@ -3120,24 +3117,24 @@
 
 	#ifdef WITH_CONTENT_SCAN
 	case CONTROL_NO_MBOX_UNSPOOL:
-	no_mbox_unspool = TRUE;
+	f.no_mbox_unspool = TRUE;
 	break;
 	#endif
 
 	case CONTROL_NO_MULTILINE:
-	no_multiline_responses = TRUE;
+	f.no_multiline_responses = TRUE;
 	break;
 
 	case CONTROL_NO_PIPELINING:
-	pipelining_enable = FALSE;
+	f.pipelining_enable = FALSE;
 	break;
 
 	case CONTROL_NO_DELAY_FLUSH:
-	disable_delay_flush = TRUE;
+	f.disable_delay_flush = TRUE;
 	break;
 
 	case CONTROL_NO_CALLOUT_FLUSH:
-	disable_callout_flush = TRUE;
+	f.disable_callout_flush = TRUE;
 	break;
 
 	case CONTROL_FAKEREJECT:
@@ -3159,7 +3156,7 @@
 	break;
 
 	case CONTROL_FREEZE:
-	deliver_freeze = TRUE;
+	f.deliver_freeze = TRUE;
 	deliver_frozen_at = time(NULL);
 	freeze_tell = freeze_tell_config;       /* Reset to configured value */
 	if (Ustrncmp(p, "/no_tell", 8) == 0)
@@ -3176,20 +3173,25 @@
 	break;
 
 	case CONTROL_QUEUE_ONLY:
-	queue_only_policy = TRUE;
+	f.queue_only_policy = TRUE;
 	cancel_cutthrough_connection(TRUE, US"queueing forced");
 	break;
 
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+	case CONTROL_REQUIRETLS:
+	tls_requiretls |= REQUIRETLS_MSG;
+	break;
+#endif
 	case CONTROL_SUBMISSION:
 	originator_name = US"";
-	submission_mode = TRUE;
+	f.submission_mode = TRUE;
 	while (*p == '/')
 	  {
 	  if (Ustrncmp(p, "/sender_retain", 14) == 0)
 	    {
 	    p += 14;
-	    active_local_sender_retain = TRUE;
-	    active_local_from_check = FALSE;
+	    f.active_local_sender_retain = TRUE;
+	    f.active_local_from_check = FALSE;
 	    }
 	  else if (Ustrncmp(p, "/domain=", 8) == 0)
 	    {
@@ -3254,7 +3256,7 @@
 	break;
 
 	case CONTROL_SUPPRESS_LOCAL_FIXUPS:
-	suppress_local_fixups = TRUE;
+	f.suppress_local_fixups = TRUE;
 	break;
 
 	case CONTROL_CUTTHROUGH_DELIVERY:
@@ -3271,9 +3273,9 @@
 	  ignored = US"PRDR active";
 	else
 	  {
-	  if (deliver_freeze)
+	  if (f.deliver_freeze)
 	    ignored = US"frozen";
-	  else if (queue_only_policy)
+	  else if (f.queue_only_policy)
 	    ignored = US"queue-only";
 	  else if (fake_response == FAIL)
 	    ignored = US"fakereject";
@@ -3401,7 +3403,7 @@
 
         else
           {
-          if (smtp_out != NULL && !disable_delay_flush)
+          if (smtp_out && !f.disable_delay_flush)
 	    mac_smtp_fflush();
 
 #if !defined(NO_POLL_H) && defined (POLLRDHUP)
@@ -3418,16 +3420,16 @@
 	      HDEBUG(D_acl) debug_printf_indent("delay cancelled by peer close\n");
 	    }
 #else
-        /* It appears to be impossible to detect that a TCP/IP connection has
-        gone away without reading from it. This means that we cannot shorten
-        the delay below if the client goes away, because we cannot discover
-        that the client has closed its end of the connection. (The connection
-        is actually in a half-closed state, waiting for the server to close its
-        end.) It would be nice to be able to detect this state, so that the
-        Exim process is not held up unnecessarily. However, it seems that we
-        can't. The poll() function does not do the right thing, and in any case
-        it is not always available.
-        */
+	  /* Lacking POLLRDHUP it appears to be impossible to detect that a
+	  TCP/IP connection has gone away without reading from it. This means
+	  that we cannot shorten the delay below if the client goes away,
+	  because we cannot discover that the client has closed its end of the
+	  connection. (The connection is actually in a half-closed state,
+	  waiting for the server to close its end.) It would be nice to be able
+	  to detect this state, so that the Exim process is not held up
+	  unnecessarily. However, it seems that we can't. The poll() function
+	  does not do the right thing, and in any case it is not always
+	  available.  */
 
           while (delay > 0) delay = sleep(delay);
 #endif
@@ -3453,9 +3455,9 @@
 
     #ifdef EXPERIMENTAL_DMARC
     case ACLC_DMARC_STATUS:
-    if (!dmarc_has_been_checked)
+    if (!f.dmarc_has_been_checked)
       dmarc_process();
-    dmarc_has_been_checked = TRUE;
+    f.dmarc_has_been_checked = TRUE;
     /* used long way of dmarc_exim_expand_query() in case we need more
      * view into the process in the future. */
     rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
@@ -3563,7 +3565,6 @@
         }
       while (isspace(*s)) s++;
 
-
       if (logbits == 0) logbits = LOG_MAIN;
       log_write(0, logbits, "%s", string_printing(s));
       }
@@ -3769,7 +3770,7 @@
     expmessage = expand_string(user_message);
     if (!expmessage)
       {
-      if (!expand_string_forcedfail)
+      if (!f.expand_string_forcedfail)
         log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
           user_message, expand_string_message);
       }
@@ -3782,7 +3783,7 @@
     expmessage = expand_string(log_message);
     if (!expmessage)
       {
-      if (!expand_string_forcedfail)
+      if (!f.expand_string_forcedfail)
         log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
           log_message, expand_string_message);
       }
@@ -3970,7 +3971,7 @@
   {
   if (!(ss = expand_string(s)))
     {
-    if (expand_string_forcedfail) return OK;
+    if (f.expand_string_forcedfail) return OK;
     *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
       expand_string_message);
     return ERROR;
@@ -4072,7 +4073,7 @@
     && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
 
   *log_msgptr = *user_msgptr = NULL;
-  acl_temp_details = FALSE;
+  f.acl_temp_details = FALSE;
 
   HDEBUG(D_acl) debug_printf_indent("processing \"%s\"\n", verbs[acl->verb]);
 
@@ -4094,12 +4095,10 @@
       {
       if (search_error_message != NULL && *search_error_message != 0)
         *log_msgptr = search_error_message;
-      if (smtp_return_error_details) acl_temp_details = TRUE;
+      if (smtp_return_error_details) f.acl_temp_details = TRUE;
       }
     else
-      {
-      acl_temp_details = TRUE;
-      }
+      f.acl_temp_details = TRUE;
     if (acl->verb != ACL_WARN) return DEFER;
     break;
 
@@ -4155,7 +4154,7 @@
       {
       HDEBUG(D_acl) debug_printf_indent("end of %s: DEFER\n", acl_name);
       if (acl_quit_check) goto badquit;
-      acl_temp_details = TRUE;
+      f.acl_temp_details = TRUE;
       return DEFER;
       }
     break;
@@ -4288,10 +4287,10 @@
 return ret;
 
 bad:
-if (expand_string_forcedfail) return ERROR;
+if (f.expand_string_forcedfail) return ERROR;
 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
   tmp, expand_string_message);
-return search_find_defer?DEFER:ERROR;
+return f.search_find_defer ? DEFER : ERROR;
 }
 
 
@@ -4422,7 +4421,7 @@
   case ACL_WHERE_PRDR:
 #endif
 
-    if (host_checking_callout)	/* -bhc mode */
+    if (f.host_checking_callout)	/* -bhc mode */
       cancel_cutthrough_connection(TRUE, US"host-checking mode");
 
     else if (  rc == OK
@@ -4438,7 +4437,7 @@
 	  while (*s) s++;
 	  do --s; while (!isdigit(*s));
 	  if (*--s && isdigit(*s) && *--s && isdigit(*s)) *user_msgptr = s;
-	  acl_temp_details = TRUE;
+	  f.acl_temp_details = TRUE;
 	  }
 	else
 	  {
diff -Nru exim4-4.91/src/aliases.default exim4-4.92~RC4/src/aliases.default
--- exim4-4.91/src/aliases.default	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/aliases.default	2018-12-27 13:36:19.000000000 +0000
@@ -35,6 +35,6 @@
 #
 # abuse:       the person dealing with network and mail abuse
 # hostmaster:  the person dealing with DNS problems
-# webmaster:   the person dealing with your web site
+# webmaster:   the person dealing with your website
 
 ####
diff -Nru exim4-4.91/src/arc.c exim4-4.92~RC4/src/arc.c
--- exim4-4.91/src/arc.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/arc.c	2018-12-27 13:36:19.000000000 +0000
@@ -21,6 +21,11 @@
 extern pdkim_ctx * dkim_verify_ctx;
 extern pdkim_ctx dkim_sign_ctx;
 
+#define ARC_SIGN_OPT_TSTAMP	BIT(0)
+#define ARC_SIGN_OPT_EXPIRE	BIT(1)
+
+#define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30)	/* one month */
+
 /******************************************************************************/
 
 typedef struct hdr_rlist {
@@ -84,8 +89,11 @@
 #define HDR_AR		US"Authentication-Results:"
 #define HDRLEN_AR	23
 
+static time_t now;
+static time_t expire;
 static hdr_rlist * headers_rlist;
 static arc_ctx arc_sign_ctx = { NULL };
+static arc_ctx arc_verify_ctx = { NULL };
 
 
 /******************************************************************************/
@@ -375,7 +383,7 @@
 arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
   BOOL instance_only)
 {
-int i;
+unsigned i;
 arc_set * as;
 arc_line * al = store_get(sizeof(arc_line)), ** alp;
 uschar * e;
@@ -388,6 +396,7 @@
   return US"line parse";
   }
 if (!(i = arc_instance_from_hdr(al)))	return US"instance find";
+if (i > 50)				return US"overlarge instance number";
 if (!(as = arc_find_set(ctx, i)))	return US"set find";
 if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
 
@@ -761,22 +770,25 @@
 int inst;
 BOOL ams_fail_found = FALSE;
 
-if (!(as = ctx->arcset_chain))
+if (!(as = ctx->arcset_chain_last))
   return US"none";
 
-for(inst = 0; as; as = as->next)
+for(inst = as->instance; as; as = as->prev, inst--)
   {
-  if (  as->instance != ++inst
-     || !as->hdr_aar || !as->hdr_ams || !as->hdr_as
-     || arc_cv_match(as->hdr_as, US"fail")
-     )
-    {
-    arc_state_reason = string_sprintf("i=%d"
-      " (cv, sequence or missing header)", as->instance);
-    DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
-    return US"fail";
-    }
+  if (as->instance != inst)
+    arc_state_reason = string_sprintf("i=%d (sequence; expected %d)",
+      as->instance, inst);
+  else if (!as->hdr_aar || !as->hdr_ams || !as->hdr_as)
+    arc_state_reason = string_sprintf("i=%d (missing header)", as->instance);
+  else if (arc_cv_match(as->hdr_as, US"fail"))
+    arc_state_reason = string_sprintf("i=%d (cv)", as->instance);
+  else
+    goto good;
 
+  DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
+  return US"fail";
+
+  good:
   /* Evaluate the oldest-pass AMS validation while we're here.
   It does not affect the AS chain validation but is reported as
   auxilary info. */
@@ -788,9 +800,15 @@
       arc_oldest_pass = inst;
   arc_state_reason = NULL;
   }
+if (inst != 0)
+  {
+  arc_state_reason = string_sprintf("(sequence; expected i=%d)", inst);
+  DEBUG(D_acl) debug_printf("ARC chain fail %s\n", arc_state_reason);
+  return US"fail";
+  }
 
 arc_received = ctx->arcset_chain_last;
-arc_received_instance = inst;
+arc_received_instance = arc_received->instance;
 
 /* We can skip the latest-AMS validation, if we already did it. */
 
@@ -966,16 +984,13 @@
 static const uschar *
 arc_verify_seals(arc_ctx * ctx)
 {
-arc_set * as = ctx->arcset_chain;
+arc_set * as = ctx->arcset_chain_last;
 
 if (!as)
   return US"none";
 
-while (as)
-  {
-  if (arc_seal_verify(ctx, as)) return US"fail";
-  as = as->next;
-  }
+for ( ; as; as = as->prev) if (arc_seal_verify(ctx, as)) return US"fail";
+
 DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
 return NULL;
 }
@@ -990,9 +1005,10 @@
 const uschar *
 acl_verify_arc(void)
 {
-arc_ctx ctx = { NULL };
 const uschar * res;
 
+memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
+
 if (!dkim_verify_ctx)
   {
   DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
@@ -1006,7 +1022,7 @@
        none, the ARC state is "none" and the algorithm stops here.
 */
 
-if ((res = arc_vfy_collect_hdrs(&ctx)))
+if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
   goto out;
 
 /* 2.  If the form of any ARC set is invalid (e.g., does not contain
@@ -1024,7 +1040,7 @@
        then the chain state is "fail" and the algorithm stops here.
 */
 
-if ((res = arc_headers_check(&ctx)))
+if ((res = arc_headers_check(&arc_verify_ctx)))
   goto out;
 
 /* 4.  For each ARC-Seal from the "N"th instance to the first, apply the
@@ -1066,7 +1082,7 @@
        the algorithm is complete.
 */
 
-if ((res = arc_verify_seals(&ctx)))
+if ((res = arc_verify_seals(&arc_verify_ctx)))
   goto out;
 
 res = US"pass";
@@ -1178,7 +1194,7 @@
 header_line * h = (header_line *)(al+1);
 
 g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
-g = string_cat(g, string_sprintf(" i=%d; %s;\r\n\t", instance, identity));
+g = string_fmt_append(g, " i=%d; %s;\r\n\t", instance, identity);
 g = string_catn(g, US ar->data, ar->len);
 
 h->slen = g->ptr - aar_off;
@@ -1239,6 +1255,9 @@
    || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
   {
   log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
+  DEBUG(D_transport)
+    debug_printf("private key, or private-key file content, was: '%s'\n",
+      privkey);
   return FALSE;
   }
 return TRUE;
@@ -1272,7 +1291,7 @@
 static gstring *
 arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
   const uschar * identity, const uschar * selector, blob * bodyhash,
-  hdr_rlist * rheaders, const uschar * privkey)
+  hdr_rlist * rheaders, const uschar * privkey, unsigned options)
 {
 uschar * s;
 gstring * hdata = NULL;
@@ -1288,13 +1307,14 @@
 /* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
 
 ams_off = g->ptr;
-g = string_append(g, 10,
-      ARC_HDR_AMS,
-      US" i=", string_sprintf("%d", instance),
-      US"; a=rsa-sha256; c=relaxed; d=", identity,		/*XXX hardwired */
-      US"; s=", selector,
-      US";\r\n\tbh=", pdkim_encode_base64(bodyhash),
-      US";\r\n\th=");
+g = string_fmt_append(g, "%s i=%d; a=rsa-sha256; c=relaxed; d=%s; s=%s",
+      ARC_HDR_AMS, instance, identity, selector);	/*XXX hardwired a= */
+if (options & ARC_SIGN_OPT_TSTAMP)
+  g = string_fmt_append(g, "; t=%lu", (u_long)now);
+if (options & ARC_SIGN_OPT_EXPIRE)
+  g = string_fmt_append(g, "; x=%lu", (u_long)expire);
+g = string_fmt_append(g, ";\r\n\tbh=%s;\r\n\th=",
+      pdkim_encode_base64(bodyhash));
 
 for(col = 3; rheaders; rheaders = rheaders->prev)
   {
@@ -1390,7 +1410,7 @@
 static gstring *
 arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
   int instance, const uschar * identity, const uschar * selector, blob * ar,
-  const uschar * privkey)
+  const uschar * privkey, unsigned options)
 {
 gstring * arcset;
 arc_set * as;
@@ -1417,12 +1437,16 @@
 
 /* Construct the AS except for the signature */
 
-arcset = string_append(NULL, 10,
+arcset = string_append(NULL, 9,
 	  ARC_HDR_AS,
 	  US" i=", string_sprintf("%d", instance),
 	  US"; cv=", status,
 	  US"; a=rsa-sha256; d=", identity,			/*XXX hardwired */
-	  US"; s=", selector,					/*XXX same as AMS */
+	  US"; s=", selector);					/*XXX same as AMS */
+if (options & ARC_SIGN_OPT_TSTAMP)
+  arcset = string_append(arcset, 2,
+      US"; t=", string_sprintf("%lu", (u_long)now));
+arcset = string_cat(arcset,
 	  US";\r\n\t b=;");
 
 h->slen = arcset->ptr;
@@ -1520,7 +1544,8 @@
 message body for us so long as we requested a hash previously.
 
 Arguments:
-  signspec	Three-element colon-sep list: identity, selector, privkey
+  signspec	Three-element colon-sep list: identity, selector, privkey.
+		Optional fourth element: comma-sep list of options.
 		Already expanded
   sigheaders	Any signature headers already generated, eg. by DKIM, or NULL
   errstr	Error string
@@ -1533,7 +1558,8 @@
 gstring *
 arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
 {
-const uschar * identity, * selector, * privkey;
+const uschar * identity, * selector, * privkey, * opts, * s;
+unsigned options = 0;
 int sep = 0;
 header_line * headers;
 hdr_rlist * rheaders;
@@ -1542,11 +1568,13 @@
 gstring * g = NULL;
 pdkim_bodyhash * b;
 
+expire = now = 0;
+
 /* Parse the signing specification */
 
 identity = string_nextinlist(&signspec, &sep, NULL, 0);
 selector = string_nextinlist(&signspec, &sep, NULL, 0);
-if (  !*identity | !*selector
+if (  !*identity || !*selector
    || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
   {
   log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
@@ -1556,6 +1584,36 @@
 if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
   return sigheaders ? sigheaders : string_get(0);
 
+if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
+  {
+  int osep = ',';
+  while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
+    if (Ustrcmp(s, "timestamps") == 0)
+      {
+      options |= ARC_SIGN_OPT_TSTAMP;
+      if (!now) now = time(NULL);
+      }
+    else if (Ustrncmp(s, "expire", 6) == 0)
+      {
+      options |= ARC_SIGN_OPT_EXPIRE;
+      if (*(s += 6) == '=')
+	if (*++s == '+')
+	  {
+	  if (!(expire = (time_t)atoi(CS ++s)))
+	    expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
+	  if (!now) now = time(NULL);
+	  expire += now;
+	  }
+	else
+	  expire = (time_t)atol(CS s);
+      else
+	{
+	if (!now) now = time(NULL);
+	expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
+	}
+      }
+  }
+
 DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
 
 /* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
@@ -1617,7 +1675,7 @@
 
 b = arc_ams_setup_sign_bodyhash();
 g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
-      &b->bh, headers_rlist, privkey);
+      &b->bh, headers_rlist, privkey, options);
 
 /*
 - Generate AS
@@ -1632,11 +1690,13 @@
         including self (but with an empty b= in self)
 */
 
-g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar, privkey);
+if (g)
+  g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
+      privkey, options);
 
 /* Finally, append the dkim headers and return the lot. */
 
-g = string_catn(g, sigheaders->s, sigheaders->ptr);
+if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
 (void) string_from_gstring(g);
 gstring_reset_unused(g);
 return g;
@@ -1718,7 +1778,37 @@
 
 /******************************************************************************/
 
-/* Construct an Authenticate-Results header portion, for the ARC module */
+/* Construct the list of domains from the ARC chain after validation */
+
+uschar *
+fn_arc_domains(void)
+{
+arc_set * as;
+unsigned inst;
+gstring * g = NULL;
+
+for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
+  {
+  arc_line * hdr_as = as->hdr_as;
+  if (hdr_as)
+    {
+    blob * d = &hdr_as->d;
+
+    for (; inst < as->instance; inst++)
+      g = string_catn(g, US":", 1);
+
+    g = d->data && d->len
+      ? string_append_listele_n(g, ':', d->data, d->len)
+      : string_catn(g, US":", 1);
+    }
+  else
+    g = string_catn(g, US":", 1);
+  }
+return g ? g->s : US"";
+}
+
+
+/* Construct an Authentication-Results header portion, for the ARC module */
 
 gstring *
 authres_arc(gstring * g)
@@ -1732,19 +1822,17 @@
   g = string_append(g, 2, US";\n\tarc=", arc_state);
   if (arc_received_instance > 0)
     {
-    g = string_append(g, 3, US" (i=",
-      string_sprintf("%d", arc_received_instance), US")");
+    g = string_fmt_append(g, " (i=%d)", arc_received_instance);
     if (arc_state_reason)
       g = string_append(g, 3, US"(", arc_state_reason, US")");
     g = string_catn(g, US" header.s=", 10);
     highest_ams = arc_received->hdr_ams;
     g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
 
-    g = string_append(g, 2,
-      US" arc.oldest-pass=", string_sprintf("%d", arc_oldest_pass));
+    g = string_fmt_append(g, " arc.oldest-pass=%d", arc_oldest_pass);
 
     if (sender_host_address)
-      g = string_append(g, 2, US" smtp.client-ip=", sender_host_address);
+      g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
     }
   else if (arc_state_reason)
     g = string_append(g, 3, US" (", arc_state_reason, US")");
diff -Nru exim4-4.91/src/auths/auth-spa.c exim4-4.92~RC4/src/auths/auth-spa.c
--- exim4-4.91/src/auths/auth-spa.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/auth-spa.c	2018-12-27 13:36:19.000000000 +0000
@@ -1220,7 +1220,7 @@
 
 #define spa_bytes_add(ptr, header, buf, count) \
 { \
-if (buf != NULL  &&  count) \
+if (buf != NULL  &&  count != 0) /* we hate -Wint-in-bool-contex */ \
   { \
   SSVAL(&ptr->header.len,0,count); \
   SSVAL(&ptr->header.maxlen,0,count); \
diff -Nru exim4-4.91/src/auths/check_serv_cond.c exim4-4.92~RC4/src/auths/check_serv_cond.c
--- exim4-4.91/src/auths/check_serv_cond.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/check_serv_cond.c	2018-12-27 13:36:19.000000000 +0000
@@ -102,7 +102,7 @@
 
 if (cond == NULL)
   {
-  if (expand_string_forcedfail) return FAIL;
+  if (f.expand_string_forcedfail) return FAIL;
   auth_defer_msg = expand_string_message;
   return DEFER;
   }
diff -Nru exim4-4.91/src/auths/cram_md5.c exim4-4.92~RC4/src/auths/cram_md5.c
--- exim4-4.91/src/auths/cram_md5.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/cram_md5.c	2018-12-27 13:36:19.000000000 +0000
@@ -52,8 +52,8 @@
 /* Dummy values */
 void auth_cram_md5_init(auth_instance *ablock) {}
 int auth_cram_md5_server(auth_instance *ablock, uschar *data) {return 0;}
-int auth_cram_md5_client(auth_instance *ablock, smtp_inblock *inblock,
-  smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
+int auth_cram_md5_client(auth_instance *ablock, void *sx, int timeout,
+    uschar *buffer, int buffsize) {return 0;}
 
 #else	/*!MACRO_PREDEF*/
 
@@ -175,7 +175,7 @@
 /* If we are running in the test harness, always send the same challenge,
 an example string taken from the RFC. */
 
-if (running_in_test_harness)
+if (f.running_in_test_harness)
   challenge = US"<1896.697170952@postoffice.reston.mci.net>";
 
 /* No data should have been sent with the AUTH command */
@@ -212,7 +212,7 @@
 
 if (secret == NULL)
   {
-  if (expand_string_forcedfail) return FAIL;
+  if (f.expand_string_forcedfail) return FAIL;
   auth_defer_msg = expand_string_message;
   return DEFER;
   }
@@ -259,8 +259,7 @@
 int
 auth_cram_md5_client(
   auth_instance *ablock,                 /* authenticator block */
-  smtp_inblock *inblock,                 /* input connection */
-  smtp_outblock *outblock,               /* output connection */
+  void * sx,				 /* smtp connextion */
   int timeout,                           /* command timeout */
   uschar *buffer,                        /* for reading response */
   int buffsize)                          /* size of buffer */
@@ -278,7 +277,7 @@
 
 if (!secret || !name)
   {
-  if (expand_string_forcedfail)
+  if (f.expand_string_forcedfail)
     {
     *buffer = 0;           /* No message */
     return CANCELLED;
@@ -293,10 +292,9 @@
 /* Initiate the authentication exchange and read the challenge, which arrives
 in base 64. */
 
-if (smtp_write_command(outblock, SCMD_FLUSH, "AUTH %s\r\n",
-		       	ablock->public_name) < 0)
+if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
   return FAIL_SEND;
-if (!smtp_read_response(inblock, buffer, buffsize, '3', timeout))
+if (!smtp_read_response(sx, buffer, buffsize, '3', timeout))
   return FAIL;
 
 if (b64decode(buffer + 4, &challenge) < 0)
@@ -324,10 +322,10 @@
 so calling smtp_write_command(), which uses big_buffer, is OK. */
 
 buffer[0] = 0;
-if (smtp_write_command(outblock, SCMD_FLUSH, "%s\r\n", b64encode(big_buffer,
+if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", b64encode(big_buffer,
   p - big_buffer)) < 0) return FAIL_SEND;
 
-return smtp_read_response(inblock, US buffer, buffsize, '2', timeout)
+return smtp_read_response(sx, US buffer, buffsize, '2', timeout)
   ? OK : FAIL;
 }
 #endif  /* STAND_ALONE */
diff -Nru exim4-4.91/src/auths/cram_md5.h exim4-4.92~RC4/src/auths/cram_md5.h
--- exim4-4.91/src/auths/cram_md5.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/cram_md5.h	2018-12-27 13:36:19.000000000 +0000
@@ -26,7 +26,6 @@
 
 extern void auth_cram_md5_init(auth_instance *);
 extern int auth_cram_md5_server(auth_instance *, uschar *);
-extern int auth_cram_md5_client(auth_instance *, smtp_inblock *,
-                                smtp_outblock *, int, uschar *, int);
+extern int auth_cram_md5_client(auth_instance *, void *, int, uschar *, int);
 
 /* End of cram_md5.h */
diff -Nru exim4-4.91/src/auths/cyrus_sasl.c exim4-4.92~RC4/src/auths/cyrus_sasl.c
--- exim4-4.91/src/auths/cyrus_sasl.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/cyrus_sasl.c	2018-12-27 13:36:19.000000000 +0000
@@ -68,8 +68,8 @@
 /* Dummy values */
 void auth_cyrus_sasl_init(auth_instance *ablock) {}
 int auth_cyrus_sasl_server(auth_instance *ablock, uschar *data) {return 0;}
-int auth_cyrus_sasl_client(auth_instance *ablock, smtp_inblock *inblock,
-  smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
+int auth_cyrus_sasl_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
 void auth_cyrus_sasl_version_report(FILE *f) {}
 
 #else   /*!MACRO_PREDEF*/
@@ -118,13 +118,13 @@
 char *realm_expanded;
 
 sasl_conn_t *conn;
-sasl_callback_t cbs[]={
+sasl_callback_t cbs[] = {
   {SASL_CB_GETOPT, NULL, NULL },
   {SASL_CB_LIST_END, NULL, NULL}};
 
 /* default the mechanism to our "public name" */
-if(ob->server_mech == NULL)
-  ob->server_mech=string_copy(ablock->public_name);
+if (ob->server_mech == NULL)
+  ob->server_mech = string_copy(ablock->public_name);
 
 expanded_hostname = expand_string(ob->server_hostname);
 if (expanded_hostname == NULL)
@@ -132,7 +132,7 @@
       "couldn't expand server_hostname [%s]: %s",
       ablock->name, ob->server_hostname, expand_string_message);
 
-realm_expanded=NULL;
+realm_expanded = NULL;
 if (ob->server_realm != NULL) {
   realm_expanded = CS expand_string(ob->server_realm);
   if (realm_expanded == NULL)
@@ -148,45 +148,42 @@
 cbs[0].proc = (int(*)(void)) &mysasl_config;
 cbs[0].context = ob->server_mech;
 
-rc=sasl_server_init(cbs, "exim");
-
-if( rc != SASL_OK )
+if ((rc = sasl_server_init(cbs, "exim")) != SASL_OK )
   log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
       "couldn't initialise Cyrus SASL library.", ablock->name);
 
-rc=sasl_server_new(CS ob->server_service, CS expanded_hostname,
-                   realm_expanded, NULL, NULL, NULL, 0, &conn);
-if( rc != SASL_OK )
+if ((rc = sasl_server_new(CS ob->server_service, CS expanded_hostname,
+                   realm_expanded, NULL, NULL, NULL, 0, &conn)) != SASL_OK )
   log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
       "couldn't initialise Cyrus SASL server connection.", ablock->name);
 
-rc=sasl_listmech(conn, NULL, "", ":", "", (const char **)&list, &len, &i);
-if( rc != SASL_OK )
+if ((rc = sasl_listmech(conn, NULL, "", ":", "", (const char **)&list, &len, &i)) != SASL_OK )
   log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
       "couldn't get Cyrus SASL mechanism list.", ablock->name);
 
-i=':';
-listptr=list;
+i = ':';
+listptr = list;
 
-HDEBUG(D_auth) {
+HDEBUG(D_auth)
+  {
   debug_printf("Initialised Cyrus SASL service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
       ob->server_service, expanded_hostname, realm_expanded);
   debug_printf("Cyrus SASL knows mechanisms: %s\n", list);
-}
+  }
 
 /* the store_get / store_reset mechanism is hierarchical
  * the hierarchy is stored for us behind our back. This point
  * creates a hierarchy point for this function.
  */
-rs_point=store_get(0);
+rs_point = store_get(0);
 
 /* loop until either we get to the end of the list, or we match the
  * public name of this authenticator
  */
-while( ( buffer = string_nextinlist(&listptr, &i, NULL, 0) ) &&
+while ( ( buffer = string_nextinlist(&listptr, &i, NULL, 0) ) &&
        strcmpic(buffer,ob->server_mech) );
 
-if(!buffer)
+if (!buffer)
   log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
       "Cyrus SASL doesn't know about mechanism %s.", ablock->name, ob->server_mech);
 
@@ -218,54 +215,48 @@
   (auth_cyrus_sasl_options_block *)(ablock->options_block);
 uschar *output, *out2, *input, *clear, *hname;
 uschar *debug = NULL;   /* Stops compiler complaining */
-sasl_callback_t cbs[]={{SASL_CB_LIST_END, NULL, NULL}};
+sasl_callback_t cbs[] = {{SASL_CB_LIST_END, NULL, NULL}};
 sasl_conn_t *conn;
-char *realm_expanded;
-int rc, i, firsttime=1, clen, *negotiated_ssf_ptr=NULL, negotiated_ssf;
+char * realm_expanded = NULL;
+int rc, i, firsttime = 1, clen, *negotiated_ssf_ptr = NULL, negotiated_ssf;
 unsigned int inlen, outlen;
 
-input=data;
-inlen=Ustrlen(data);
+input = data;
+inlen = Ustrlen(data);
 
-HDEBUG(D_auth) debug=string_copy(data);
+HDEBUG(D_auth) debug = string_copy(data);
 
-hname=expand_string(ob->server_hostname);
-realm_expanded=NULL;
+hname = expand_string(ob->server_hostname);
 if (hname && ob->server_realm)
-  realm_expanded= CS expand_string(ob->server_realm);
-if((hname == NULL) ||
-   ((realm_expanded == NULL) && (ob->server_realm != NULL)))
+  realm_expanded = CS expand_string(ob->server_realm);
+if (!hname  ||  !realm_expanded  && ob->server_realm)
   {
   auth_defer_msg = expand_string_message;
   return DEFER;
   }
 
-if(inlen)
+if (inlen)
   {
-  clen = b64decode(input, &clear);
-  if(clen < 0)
-    {
+  if ((clen = b64decode(input, &clear)) < 0)
     return BAD64;
-    }
-  input=clear;
-  inlen=clen;
+  input = clear;
+  inlen = clen;
   }
 
-rc=sasl_server_init(cbs, "exim");
-if (rc != SASL_OK)
+if ((rc = sasl_server_init(cbs, "exim")) != SASL_OK)
   {
   auth_defer_msg = US"couldn't initialise Cyrus SASL library";
   return DEFER;
   }
 
-rc=sasl_server_new(CS ob->server_service, CS hname, realm_expanded, NULL,
+rc = sasl_server_new(CS ob->server_service, CS hname, realm_expanded, NULL,
   NULL, NULL, 0, &conn);
 
 HDEBUG(D_auth)
   debug_printf("Initialised Cyrus SASL server connection; service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
       ob->server_service, hname, realm_expanded);
 
-if( rc != SASL_OK )
+if (rc != SASL_OK )
   {
   auth_defer_msg = US"couldn't initialise Cyrus SASL connection";
   sasl_done();
@@ -274,8 +265,7 @@
 
 if (tls_in.cipher)
   {
-  rc = sasl_setprop(conn, SASL_SSF_EXTERNAL, (sasl_ssf_t *) &tls_in.bits);
-  if (rc != SASL_OK)
+  if ((rc = sasl_setprop(conn, SASL_SSF_EXTERNAL, (sasl_ssf_t *) &tls_in.bits)) != SASL_OK)
     {
     HDEBUG(D_auth) debug_printf("Cyrus SASL EXTERNAL SSF set %d failed: %s\n",
         tls_in.bits, sasl_errstring(rc, NULL, NULL));
@@ -298,7 +288,7 @@
 So the docs are too strict and we shouldn't worry about :: contractions. */
 
 /* Set properties for remote and local host-ip;port */
-for (i=0; i < 2; ++i)
+for (i = 0; i < 2; ++i)
   {
   struct sockaddr_storage ss;
   int (*query)(int, struct sockaddr *, socklen_t *);
@@ -322,8 +312,7 @@
     }
 
   sslen = sizeof(ss);
-  rc = query(fileno(smtp_in), (struct sockaddr *) &ss, &sslen);
-  if (rc < 0)
+  if ((rc = query(fileno(smtp_in), (struct sockaddr *) &ss, &sslen)) < 0)
     {
     HDEBUG(D_auth)
       debug_printf("Failed to get %s address information: %s\n",
@@ -334,8 +323,7 @@
   address = host_ntoa(-1, &ss, NULL, &port);
   address_port = string_sprintf("%s;%d", address, port);
 
-  rc = sasl_setprop(conn, propnum, address_port);
-  if (rc != SASL_OK)
+  if ((rc = sasl_setprop(conn, propnum, address_port)) != SASL_OK)
     {
     s_err = sasl_errdetail(conn);
     HDEBUG(D_auth)
@@ -347,24 +335,21 @@
       label, address_port);
   }
 
-rc=SASL_CONTINUE;
-
-while(rc==SASL_CONTINUE)
+for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; )
   {
-  if(firsttime)
+  if (firsttime)
     {
-    firsttime=0;
+    firsttime = 0;
     HDEBUG(D_auth) debug_printf("Calling sasl_server_start(%s,\"%s\")\n", ob->server_mech, debug);
-    rc=sasl_server_start(conn, CS ob->server_mech, inlen?CS input:NULL, inlen,
+    rc = sasl_server_start(conn, CS ob->server_mech, inlen?CS input:NULL, inlen,
            (const char **)(&output), &outlen);
     }
   else
     {
     /* make sure that we have a null-terminated string */
-    out2=store_get(outlen+1);
-    memcpy(out2,output,outlen);
-    out2[outlen]='\0';
-    if((rc=auth_get_data(&input, out2, outlen))!=OK)
+    out2 = string_copyn(output, outlen);
+
+    if ((rc = auth_get_data(&input, out2, outlen)) != OK)
       {
       /* we couldn't get the data, so free up the library before
        * returning whatever error we get */
@@ -372,133 +357,130 @@
       sasl_done();
       return rc;
       }
-    inlen=Ustrlen(input);
+    inlen = Ustrlen(input);
 
-    HDEBUG(D_auth) debug=string_copy(input);
-    if(inlen)
+    HDEBUG(D_auth) debug = string_copy(input);
+    if (inlen)
       {
-      clen = b64decode(input, &clear);
-      if(clen < 0)
+      if ((clen = b64decode(input, &clear)) < 0)
        {
-        sasl_dispose(&conn);
-        sasl_done();
+       sasl_dispose(&conn);
+       sasl_done();
        return BAD64;
        }
-      input=clear;
-      inlen=clen;
+      input = clear;
+      inlen = clen;
       }
 
     HDEBUG(D_auth) debug_printf("Calling sasl_server_step(\"%s\")\n", debug);
-    rc=sasl_server_step(conn, CS input, inlen, (const char **)(&output), &outlen);
+    rc = sasl_server_step(conn, CS input, inlen, (const char **)(&output), &outlen);
     }
-  if(rc==SASL_BADPROT)
+
+  if (rc == SASL_BADPROT)
     {
     sasl_dispose(&conn);
     sasl_done();
     return UNEXPECTED;
     }
-  else if( rc==SASL_FAIL     || rc==SASL_BUFOVER
-       || rc==SASL_BADMAC   || rc==SASL_BADAUTH
-       || rc==SASL_NOAUTHZ  || rc==SASL_ENCRYPT
-       || rc==SASL_EXPIRED  || rc==SASL_DISABLED
-       || rc==SASL_NOUSER   )
+  if (rc == SASL_CONTINUE)
+    continue;
+
+  /* Get the username and copy it into $auth1 and $1. The former is now the
+  preferred variable; the latter is the original variable. */
+
+  if ((sasl_getprop(conn, SASL_USERNAME, (const void **)(&out2))) != SASL_OK)
     {
-    /* these are considered permanent failure codes */
     HDEBUG(D_auth)
-      debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
+      debug_printf("Cyrus SASL library will not tell us the username: %s\n",
+	  sasl_errstring(rc, NULL, NULL));
     log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
-       "Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech,
+       "Cyrus SASL username fetch problem: %s", ablock->name, ob->server_mech,
        sasl_errstring(rc, NULL, NULL));
     sasl_dispose(&conn);
     sasl_done();
     return FAIL;
     }
-  else if(rc==SASL_NOMECH)
-    {
-    /* this is a temporary failure, because the mechanism is not
-     * available for this user. If it wasn't available at all, we
-     * shouldn't have got here in the first place...
-     */
-    HDEBUG(D_auth)
-      debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
-    auth_defer_msg =
-        string_sprintf("Cyrus SASL: mechanism %s not available", ob->server_mech);
-    sasl_dispose(&conn);
-    sasl_done();
-    return DEFER;
-    }
-  else if(!(rc==SASL_OK || rc==SASL_CONTINUE))
-    {
-    /* Anything else is a temporary failure, and we'll let SASL print out
-     * the error string for us
-     */
-    HDEBUG(D_auth)
-      debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
-    auth_defer_msg =
-        string_sprintf("Cyrus SASL: %s", sasl_errstring(rc, NULL, NULL));
-    sasl_dispose(&conn);
-    sasl_done();
-    return DEFER;
-    }
-  else if(rc==SASL_OK)
-    {
-    /* Get the username and copy it into $auth1 and $1. The former is now the
-    preferred variable; the latter is the original variable. */
-    rc = sasl_getprop(conn, SASL_USERNAME, (const void **)(&out2));
-    if (rc != SASL_OK)
-      {
+  auth_vars[0] = expand_nstring[1] = string_copy(out2);
+  expand_nlength[1] = Ustrlen(out2);
+  expand_nmax = 1;
+
+  switch (rc)
+    {
+    case SASL_FAIL: case SASL_BUFOVER: case SASL_BADMAC: case SASL_BADAUTH:
+    case SASL_NOAUTHZ: case SASL_ENCRYPT: case SASL_EXPIRED:
+    case SASL_DISABLED: case SASL_NOUSER:
+      /* these are considered permanent failure codes */
       HDEBUG(D_auth)
-        debug_printf("Cyrus SASL library will not tell us the username: %s\n",
-            sasl_errstring(rc, NULL, NULL));
+	debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
       log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
-         "Cyrus SASL username fetch problem: %s", ablock->name, ob->server_mech,
-         sasl_errstring(rc, NULL, NULL));
+	 "Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech,
+	 sasl_errstring(rc, NULL, NULL));
       sasl_dispose(&conn);
       sasl_done();
       return FAIL;
-      }
-
-    auth_vars[0] = expand_nstring[1] = string_copy(out2);
-    expand_nlength[1] = Ustrlen(expand_nstring[1]);
-    expand_nmax = 1;
-
-    HDEBUG(D_auth)
-      debug_printf("Cyrus SASL %s authentication succeeded for %s\n",
-          ob->server_mech, auth_vars[0]);
 
-    rc = sasl_getprop(conn, SASL_SSF, (const void **)(&negotiated_ssf_ptr));
-    if (rc != SASL_OK)
-      {
+    case SASL_NOMECH:
+      /* this is a temporary failure, because the mechanism is not
+       * available for this user. If it wasn't available at all, we
+       * shouldn't have got here in the first place...
+       */
       HDEBUG(D_auth)
-        debug_printf("Cyrus SASL library will not tell us the SSF: %s\n",
-            sasl_errstring(rc, NULL, NULL));
-      log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
-          "Cyrus SASL SSF value not available: %s", ablock->name, ob->server_mech,
-          sasl_errstring(rc, NULL, NULL));
+	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
+      auth_defer_msg =
+	  string_sprintf("Cyrus SASL: mechanism %s not available", ob->server_mech);
       sasl_dispose(&conn);
       sasl_done();
-      return FAIL;
-      }
-    negotiated_ssf = *negotiated_ssf_ptr;
-    HDEBUG(D_auth)
-      debug_printf("Cyrus SASL %s negotiated SSF: %d\n", ob->server_mech, negotiated_ssf);
-    if (negotiated_ssf > 0)
-      {
+      return DEFER;
+
+    case SASL_OK:
       HDEBUG(D_auth)
-        debug_printf("Exim does not implement SASL wrapping (needed for SSF %d).\n", negotiated_ssf);
-      log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
-          "Cyrus SASL SSF %d not supported by Exim", ablock->name, ob->server_mech, negotiated_ssf);
+	debug_printf("Cyrus SASL %s authentication succeeded for %s\n",
+	    ob->server_mech, auth_vars[0]);
+
+      if ((rc = sasl_getprop(conn, SASL_SSF, (const void **)(&negotiated_ssf_ptr)))!= SASL_OK)
+	{
+	HDEBUG(D_auth)
+	  debug_printf("Cyrus SASL library will not tell us the SSF: %s\n",
+	      sasl_errstring(rc, NULL, NULL));
+	log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
+	    "Cyrus SASL SSF value not available: %s", ablock->name, ob->server_mech,
+	    sasl_errstring(rc, NULL, NULL));
+	sasl_dispose(&conn);
+	sasl_done();
+	return FAIL;
+	}
+      negotiated_ssf = *negotiated_ssf_ptr;
+      HDEBUG(D_auth)
+	debug_printf("Cyrus SASL %s negotiated SSF: %d\n", ob->server_mech, negotiated_ssf);
+      if (negotiated_ssf > 0)
+	{
+	HDEBUG(D_auth)
+	  debug_printf("Exim does not implement SASL wrapping (needed for SSF %d).\n", negotiated_ssf);
+	log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
+	    "Cyrus SASL SSF %d not supported by Exim", ablock->name, ob->server_mech, negotiated_ssf);
+	sasl_dispose(&conn);
+	sasl_done();
+	return FAIL;
+	}
+
+      /* close down the connection, freeing up library's memory */
       sasl_dispose(&conn);
       sasl_done();
-      return FAIL;
-      }
 
-    /* close down the connection, freeing up library's memory */
-    sasl_dispose(&conn);
-    sasl_done();
+      /* Expand server_condition as an authorization check */
+      return auth_check_serv_cond(ablock);
 
-    /* Expand server_condition as an authorization check */
-    return auth_check_serv_cond(ablock);
+    default:
+      /* Anything else is a temporary failure, and we'll let SASL print out
+       * the error string for us
+       */
+      HDEBUG(D_auth)
+	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
+      auth_defer_msg =
+	  string_sprintf("Cyrus SASL: %s", sasl_errstring(rc, NULL, NULL));
+      sasl_dispose(&conn);
+      sasl_done();
+      return DEFER;
     }
   }
 /* NOTREACHED */
@@ -512,12 +494,12 @@
 void
 auth_cyrus_sasl_version_report(FILE *f)
 {
-  const char *implementation, *version;
-  sasl_version_info(&implementation, &version, NULL, NULL, NULL, NULL);
-  fprintf(f, "Library version: Cyrus SASL: Compile: %d.%d.%d\n"
-             "                             Runtime: %s [%s]\n",
-          SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
-          version, implementation);
+const char *implementation, *version;
+sasl_version_info(&implementation, &version, NULL, NULL, NULL, NULL);
+fprintf(f, "Library version: Cyrus SASL: Compile: %d.%d.%d\n"
+	   "                             Runtime: %s [%s]\n",
+	SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
+	version, implementation);
 }
 
 /*************************************************
@@ -529,8 +511,7 @@
 int
 auth_cyrus_sasl_client(
   auth_instance *ablock,                 /* authenticator block */
-  smtp_inblock *inblock,                 /* input connection */
-  smtp_outblock *outblock,               /* output connection */
+  void * sx,			 	 /* connexction */
   int timeout,                           /* command timeout */
   uschar *buffer,                          /* for reading response */
   int buffsize)                          /* size of buffer */
diff -Nru exim4-4.91/src/auths/cyrus_sasl.h exim4-4.92~RC4/src/auths/cyrus_sasl.h
--- exim4-4.91/src/auths/cyrus_sasl.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/cyrus_sasl.h	2018-12-27 13:36:19.000000000 +0000
@@ -29,8 +29,7 @@
 
 extern void auth_cyrus_sasl_init(auth_instance *);
 extern int auth_cyrus_sasl_server(auth_instance *, uschar *);
-extern int auth_cyrus_sasl_client(auth_instance *, smtp_inblock *,
-                                smtp_outblock *, int, uschar *, int);
+extern int auth_cyrus_sasl_client(auth_instance *, void *, int, uschar *, int);
 extern void auth_cyrus_sasl_version_report(FILE *f);
 
 /* End of cyrus_sasl.h */
diff -Nru exim4-4.91/src/auths/dovecot.c exim4-4.92~RC4/src/auths/dovecot.c
--- exim4-4.91/src/auths/dovecot.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/dovecot.c	2018-12-27 13:36:19.000000000 +0000
@@ -78,8 +78,8 @@
 /* Dummy values */
 void auth_dovecot_init(auth_instance *ablock) {}
 int auth_dovecot_server(auth_instance *ablock, uschar *data) {return 0;}
-int auth_dovecot_client(auth_instance *ablock, smtp_inblock *inblock,
-  smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
+int auth_dovecot_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
 
 #else   /*!MACRO_PREDEF*/
 
diff -Nru exim4-4.91/src/auths/gsasl_exim.c exim4-4.92~RC4/src/auths/gsasl_exim.c
--- exim4-4.91/src/auths/gsasl_exim.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/gsasl_exim.c	2018-12-27 13:36:19.000000000 +0000
@@ -84,8 +84,8 @@
 /* Dummy values */
 void auth_gsasl_init(auth_instance *ablock) {}
 int auth_gsasl_server(auth_instance *ablock, uschar *data) {return 0;}
-int auth_gsasl_client(auth_instance *ablock, smtp_inblock *inblock,
-  smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
+int auth_gsasl_client(auth_instance *ablock, smtp_inblock * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
 void auth_gsasl_version_report(FILE *f) {}
 
 #else   /*!MACRO_PREDEF*/
@@ -286,7 +286,7 @@
   gsasl_property_set(sctx, GSASL_QOPS, "qop-auth");
 #ifdef SUPPORT_TLS
   if (tls_channelbinding_b64) {
-    /* Some auth mechanisms can ensure that both sides are talking withing the
+    /* Some auth mechanisms can ensure that both sides are talking within the
     same security context; for TLS, this means that even if a bad certificate
     has been accepted, they remain MitM-proof because both sides must be within
     the same negotiated session; if someone is terminating one session and
@@ -554,7 +554,7 @@
 
       tmps = CS expand_string(ob->server_password);
       if (tmps == NULL) {
-        sasl_error_should_defer = expand_string_forcedfail ? FALSE : TRUE;
+        sasl_error_should_defer = f.expand_string_forcedfail ? FALSE : TRUE;
         HDEBUG(D_auth) debug_printf("server_password expansion failed, so "
             "can't tell GNU SASL library the password for %s\n", auth_vars[0]);
         return GSASL_AUTHENTICATION_ERROR;
@@ -587,12 +587,11 @@
 
 int
 auth_gsasl_client(
-  auth_instance *ablock,                 /* authenticator block */
-  smtp_inblock *inblock,                 /* connection inblock */
-  smtp_outblock *outblock,               /* connection outblock */
-  int timeout,                           /* command timeout */
-  uschar *buffer,                        /* buffer for reading response */
-  int buffsize)                          /* size of buffer */
+  auth_instance *ablock,		/* authenticator block */
+  smtp_inblock * sx,			/* connection */
+  int timeout,				/* command timeout */
+  uschar *buffer,			/* buffer for reading response */
+  int buffsize)				/* size of buffer */
 {
   HDEBUG(D_auth)
     debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
diff -Nru exim4-4.91/src/auths/gsasl_exim.h exim4-4.92~RC4/src/auths/gsasl_exim.h
--- exim4-4.91/src/auths/gsasl_exim.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/gsasl_exim.h	2018-12-27 13:36:19.000000000 +0000
@@ -36,7 +36,7 @@
 extern void auth_gsasl_init(auth_instance *);
 extern int auth_gsasl_server(auth_instance *, uschar *);
 extern int auth_gsasl_client(auth_instance *, smtp_inblock *,
-                                smtp_outblock *, int, uschar *, int);
+				int, uschar *, int);
 extern void auth_gsasl_version_report(FILE *f);
 
 /* End of gsasl_exim.h */
diff -Nru exim4-4.91/src/auths/heimdal_gssapi.c exim4-4.92~RC4/src/auths/heimdal_gssapi.c
--- exim4-4.91/src/auths/heimdal_gssapi.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/heimdal_gssapi.c	2018-12-27 13:36:19.000000000 +0000
@@ -82,8 +82,8 @@
 /* Dummy values */
 void auth_heimdal_gssapi_init(auth_instance *ablock) {}
 int auth_heimdal_gssapi_server(auth_instance *ablock, uschar *data) {return 0;}
-int auth_heimdal_gssapi_client(auth_instance *ablock, smtp_inblock *inblock,
-  smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
+int auth_heimdal_gssapi_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
 void auth_heimdal_gssapi_version_report(FILE *f) {}
 
 #else   /*!MACRO_PREDEF*/
@@ -534,31 +534,30 @@
     const char *format, ...)
 {
   va_list ap;
-  uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
   OM_uint32 maj_stat, min_stat;
   OM_uint32 msgcontext = 0;
   gss_buffer_desc status_string;
+  gstring * g;
 
-  va_start(ap, format);
-  if (!string_vformat(buffer, sizeof(buffer), format, ap))
-    log_write(0, LOG_MAIN|LOG_PANIC_DIE,
-        "exim_gssapi_error_defer expansion larger than %lu",
-        sizeof(buffer));
-  va_end(ap);
+  HDEBUG(D_auth)
+    {
+    va_start(ap, format);
+    g = string_vformat(NULL, TRUE, format, ap);
+    va_end(ap);
+    }
 
   auth_defer_msg = NULL;
 
   do {
     maj_stat = gss_display_status(&min_stat,
-        major, GSS_C_GSS_CODE, GSS_C_NO_OID,
-        &msgcontext, &status_string);
+        major, GSS_C_GSS_CODE, GSS_C_NO_OID, &msgcontext, &status_string);
 
-    if (auth_defer_msg == NULL) {
+    if (!auth_defer_msg)
       auth_defer_msg = string_copy(US status_string.value);
-    }
 
     HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
-        buffer, (int)status_string.length, CS status_string.value);
+        string_from_gstring(g), (int)status_string.length,
+	CS status_string.value);
     gss_release_buffer(&min_stat, &status_string);
 
   } while (msgcontext != 0);
@@ -578,8 +577,7 @@
 int
 auth_heimdal_gssapi_client(
   auth_instance *ablock,                 /* authenticator block */
-  smtp_inblock *inblock,                 /* connection inblock */
-  smtp_outblock *outblock,               /* connection outblock */
+  void * sx,				 /* connection */
   int timeout,                           /* command timeout */
   uschar *buffer,                        /* buffer for reading response */
   int buffsize)                          /* size of buffer */
diff -Nru exim4-4.91/src/auths/plaintext.c exim4-4.92~RC4/src/auths/plaintext.c
--- exim4-4.91/src/auths/plaintext.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/plaintext.c	2018-12-27 13:36:19.000000000 +0000
@@ -40,8 +40,8 @@
 /* Dummy values */
 void auth_plaintext_init(auth_instance *ablock) {}
 int auth_plaintext_server(auth_instance *ablock, uschar *data) {return 0;}
-int auth_plaintext_client(auth_instance *ablock, smtp_inblock *inblock,
-  smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
+int auth_plaintext_client(auth_instance *ablock, void * sx, int timeout,
+    uschar *buffer, int buffsize) {return 0;}
 
 #else   /*!MACRO_PREDEF*/
 
@@ -167,8 +167,7 @@
 int
 auth_plaintext_client(
   auth_instance *ablock,                 /* authenticator block */
-  smtp_inblock *inblock,                 /* connection inblock */
-  smtp_outblock *outblock,               /* connection outblock */
+  void * sx,				 /* smtp connextion */
   int timeout,                           /* command timeout */
   uschar *buffer,                        /* buffer for reading response */
   int buffsize)                          /* size of buffer */
@@ -201,10 +200,10 @@
     uschar *ssave = string_copy(s);
     if (!first)
       {
-      if (smtp_write_command(outblock, SCMD_FLUSH, "*\r\n") >= 0)
-        (void) smtp_read_response(inblock, US buffer, buffsize, '2', timeout);
+      if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
+        (void) smtp_read_response(sx, US buffer, buffsize, '2', timeout);
       }
-    if (expand_string_forcedfail)
+    if (f.expand_string_forcedfail)
       {
       *buffer = 0;       /* No message */
       return CANCELLED;
@@ -236,15 +235,13 @@
   if (first)
     {
     first = FALSE;
-    if (smtp_write_command(outblock, SCMD_FLUSH, "AUTH %s%s%s\r\n",
-         ablock->public_name, (len == 0)? "" : " ",
-         b64encode(ss, len)) < 0)
+    if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s%s%s\r\n",
+         ablock->public_name, len == 0 ? "" : " ", b64encode(ss, len)) < 0)
       return FAIL_SEND;
     }
   else
     {
-    if (smtp_write_command(outblock, SCMD_FLUSH, "%s\r\n",
-          b64encode(ss, len)) < 0)
+    if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", b64encode(ss, len)) < 0)
       return FAIL_SEND;
     }
 
@@ -252,7 +249,7 @@
   has succeeded. There may be more data to send, but is there any point
   in provoking an error here? */
 
-  if (smtp_read_response(inblock, US buffer, buffsize, '2', timeout)) return OK;
+  if (smtp_read_response(sx, US buffer, buffsize, '2', timeout)) return OK;
 
   /* Not a success response. If errno != 0 there is some kind of transmission
   error. Otherwise, check the response code in the buffer. If it starts with
@@ -263,10 +260,10 @@
   /* If there is no more data to send, we have to cancel the authentication
   exchange and return ERROR. */
 
-  if (text == NULL)
+  if (!text)
     {
-    if (smtp_write_command(outblock, SCMD_FLUSH, "*\r\n") >= 0)
-      (void)smtp_read_response(inblock, US buffer, buffsize, '2', timeout);
+    if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
+      (void)smtp_read_response(sx, US buffer, buffsize, '2', timeout);
     string_format(buffer, buffsize, "Too few items in client_send in %s "
       "authenticator", ablock->name);
     return ERROR;
@@ -287,8 +284,8 @@
     uschar *save_bad = string_copy(buffer);
     if (!ob->client_ignore_invalid_base64)
       {
-      if (smtp_write_command(outblock, SCMD_FLUSH, "*\r\n") >= 0)
-        (void)smtp_read_response(inblock, US buffer, buffsize, '2', timeout);
+      if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
+        (void)smtp_read_response(sx, US buffer, buffsize, '2', timeout);
       string_format(buffer, buffsize, "Invalid base64 string in server "
         "response \"%s\"", save_bad);
       return CANCELLED;
diff -Nru exim4-4.91/src/auths/plaintext.h exim4-4.92~RC4/src/auths/plaintext.h
--- exim4-4.91/src/auths/plaintext.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/plaintext.h	2018-12-27 13:36:19.000000000 +0000
@@ -26,7 +26,6 @@
 
 extern void auth_plaintext_init(auth_instance *);
 extern int auth_plaintext_server(auth_instance *, uschar *);
-extern int auth_plaintext_client(auth_instance *, smtp_inblock *,
-                                 smtp_outblock *, int, uschar *, int);
+extern int auth_plaintext_client(auth_instance *, void *, int, uschar *, int);
 
 /* End of plaintext.h */
diff -Nru exim4-4.91/src/auths/README exim4-4.92~RC4/src/auths/README
--- exim4-4.91/src/auths/README	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/README	2018-12-27 13:36:19.000000000 +0000
@@ -68,7 +68,7 @@
 The third function performs authentication as a client. It receives a pointer
 to the instance block, and four further arguments:
 
-  The smtp_inblock item for the connection to the remote host.
+  The smtp_context item for the connection to the remote host.
 
   The normal command-reading timeout value.
 
diff -Nru exim4-4.91/src/auths/spa.c exim4-4.92~RC4/src/auths/spa.c
--- exim4-4.91/src/auths/spa.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/spa.c	2018-12-27 13:36:19.000000000 +0000
@@ -76,8 +76,8 @@
 /* Dummy values */
 void auth_spa_init(auth_instance *ablock) {}
 int auth_spa_server(auth_instance *ablock, uschar *data) {return 0;}
-int auth_spa_client(auth_instance *ablock, smtp_inblock *inblock,
-  smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
+int auth_spa_client(auth_instance *ablock, void * sx, int timeout,
+    uschar *buffer, int buffsize) {return 0;}
 
 #else   /*!MACRO_PREDEF*/
 
@@ -224,7 +224,7 @@
 clearpass = expand_string(ob->spa_serverpassword);
 if (clearpass == NULL)
   {
-  if (expand_string_forcedfail)
+  if (f.expand_string_forcedfail)
     {
     DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
       "expanding spa_serverpassword\n");
@@ -268,8 +268,7 @@
 int
 auth_spa_client(
   auth_instance *ablock,                 /* authenticator block */
-  smtp_inblock *inblock,                 /* connection inblock */
-  smtp_outblock *outblock,               /* connection outblock */
+  void * sx,				 /* connection */
   int timeout,                           /* command timeout */
   uschar *buffer,                        /* buffer for reading response */
   int buffsize)                          /* size of buffer */
@@ -289,7 +288,7 @@
 
 if (!(username = CS expand_string(ob->spa_username)))
   {
-  if (expand_string_forcedfail) return CANCELLED;
+  if (f.expand_string_forcedfail) return CANCELLED;
   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
    "authenticator: %s", ob->spa_username, ablock->name,
    expand_string_message);
@@ -298,7 +297,7 @@
 
 if (!(password = CS expand_string(ob->spa_password)))
   {
-  if (expand_string_forcedfail) return CANCELLED;
+  if (f.expand_string_forcedfail) return CANCELLED;
   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
    "authenticator: %s", ob->spa_password, ablock->name,
    expand_string_message);
@@ -306,25 +305,22 @@
   }
 
 if (ob->spa_domain)
-  {
   if (!(domain = CS expand_string(ob->spa_domain)))
     {
-    if (expand_string_forcedfail) return CANCELLED;
+    if (f.expand_string_forcedfail) return CANCELLED;
     string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
 		  "authenticator: %s", ob->spa_domain, ablock->name,
 		  expand_string_message);
     return ERROR;
     }
-  }
 
 /* Original code */
 
-if (smtp_write_command(outblock, SCMD_FLUSH, "AUTH %s\r\n",
-    ablock->public_name) < 0)
+if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
   return FAIL_SEND;
 
 /* wait for the 3XX OK message */
-if (!smtp_read_response(inblock, US buffer, buffsize, '3', timeout))
+if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
   return FAIL;
 
 DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
@@ -336,11 +332,11 @@
 DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);
 
 /* send the encrypted password */
-if (smtp_write_command(outblock, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
+if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
   return FAIL_SEND;
 
 /* wait for the auth challenge */
-if (!smtp_read_response(inblock, US buffer, buffsize, '3', timeout))
+if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
   return FAIL;
 
 /* convert the challenge into the challenge struct */
@@ -353,14 +349,14 @@
 DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);
 
 /* send the challenge response */
-if (smtp_write_command(outblock, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
+if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
        return FAIL_SEND;
 
 /* If we receive a success response from the server, authentication
 has succeeded. There may be more data to send, but is there any point
 in provoking an error here? */
 
-if (smtp_read_response(inblock, US buffer, buffsize, '2', timeout))
+if (smtp_read_response(sx, US buffer, buffsize, '2', timeout))
   return OK;
 
 /* Not a success response. If errno != 0 there is some kind of transmission
diff -Nru exim4-4.91/src/auths/spa.h exim4-4.92~RC4/src/auths/spa.h
--- exim4-4.91/src/auths/spa.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/spa.h	2018-12-27 13:36:19.000000000 +0000
@@ -33,7 +33,6 @@
 
 extern void auth_spa_init(auth_instance *);
 extern int auth_spa_server(auth_instance *, uschar *);
-extern int auth_spa_client(auth_instance *, smtp_inblock *,
-                                 smtp_outblock *, int, uschar *, int);
+extern int auth_spa_client(auth_instance *, void *, int, uschar *, int);
 
 /* End of spa.h */
diff -Nru exim4-4.91/src/auths/tls.c exim4-4.92~RC4/src/auths/tls.c
--- exim4-4.91/src/auths/tls.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/auths/tls.c	2018-12-27 13:36:19.000000000 +0000
@@ -45,8 +45,8 @@
 /* Dummy values */
 void auth_tls_init(auth_instance *ablock) {}
 int auth_tls_server(auth_instance *ablock, uschar *data) {return 0;}
-int auth_tls_client(auth_instance *ablock, smtp_inblock *inblock,
-  smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
+int auth_tls_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
 
 #else   /*!MACRO_PREDEF*/
 
diff -Nru exim4-4.91/src/buildconfig.c exim4-4.92~RC4/src/buildconfig.c
--- exim4-4.91/src/buildconfig.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/buildconfig.c	2018-12-27 13:36:19.000000000 +0000
@@ -36,6 +36,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
+#include <sys/time.h>
+#include <poll.h>
 #include <pwd.h>
 #include <grp.h>
 
@@ -956,6 +958,25 @@
     "#define SUPPORT_CRYPTEQ\n");
   }
 
+/* Check poll() for timer functionality.
+Some OS' have released with it broken. */
+
+  {
+  struct timeval before, after;
+  int rc;
+  size_t us;
+
+  gettimeofday(&before, NULL);
+  rc = poll(NULL, 0, 500);
+  gettimeofday(&after, NULL);
+
+  us = (after.tv_sec - before.tv_sec) * 1000000 +
+    (after.tv_usec - before.tv_usec);
+
+  if (us < 400000)
+    fprintf(new, "#define NO_POLL_H\n");
+  }
+
 /* End off */
 
 fprintf(new, "\n/* End of config.h */\n");
diff -Nru exim4-4.91/src/child.c exim4-4.92~RC4/src/child.c
--- exim4-4.91/src/child.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/child.c	2018-12-27 13:36:19.000000000 +0000
@@ -10,6 +10,10 @@
 
 static void (*oldsignal)(int);
 
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+static uschar tls_requiretls_copy = 0;
+#endif
+
 
 /*************************************************
 *          Ensure an fd has a given value        *
@@ -73,8 +77,13 @@
 int first_special = -1;
 int n = 0;
 int extra = pcount ? *pcount : 0;
-uschar **argv =
-  store_get((extra + acount + MAX_CLMACROS + 18) * sizeof(char *));
+uschar **argv;
+
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+if (tls_requiretls) extra++;
+#endif
+
+argv = store_get((extra + acount + MAX_CLMACROS + 18) * sizeof(char *));
 
 /* In all case, the list starts out with the path, any macros, and a changed
 config file. */
@@ -85,7 +94,7 @@
   memcpy(argv + n, clmacros, clmacro_count * sizeof(uschar *));
   n += clmacro_count;
   }
-if (config_changed)
+if (f.config_changed)
   {
   argv[n++] = US"-C";
   argv[n++] = config_main_filename;
@@ -108,9 +117,9 @@
     if (debug_selector != 0)
       argv[n++] = string_sprintf("-d=0x%x", debug_selector);
     }
-  if (dont_deliver) argv[n++] = US"-N";
-  if (queue_smtp) argv[n++] = US"-odqs";
-  if (synchronous_delivery) argv[n++] = US"-odi";
+  if (f.dont_deliver) argv[n++] = US"-N";
+  if (f.queue_smtp) argv[n++] = US"-odqs";
+  if (f.synchronous_delivery) argv[n++] = US"-odi";
   if (connection_max_messages >= 0)
     argv[n++] = string_sprintf("-oB%d", connection_max_messages);
   if (*queue_name)
@@ -120,6 +129,11 @@
     }
   }
 
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+if (tls_requiretls_copy & REQUIRETLS_MSG)
+  argv[n++] = US"-MS";
+#endif
+
 /* Now add in any others that are in the call. Remember which they were,
 for more helpful diagnosis on failure. */
 
@@ -229,10 +243,13 @@
 
 if (pid == 0)
   {
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+  tls_requiretls_copy = tls_requiretls;
+#endif
   force_fd(pfd[pipe_read], 0);
   (void)close(pfd[pipe_write]);
   if (debug_fd > 0) force_fd(debug_fd, 2);
-  if (running_in_test_harness && !queue_only)
+  if (f.running_in_test_harness && !queue_only)
     {
     if (sender_authentication != NULL)
       child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 9,
@@ -490,7 +507,7 @@
 if (timeout > 0)
   {
   sigalrm_seen = FALSE;
-  alarm(timeout);
+  ALARM(timeout);
   }
 
 for(;;)
@@ -500,18 +517,23 @@
   if (rc == pid)
     {
     int lowbyte = status & 255;
-    if (lowbyte == 0) yield = (status >> 8) & 255;
-      else yield = -lowbyte;
+    yield = lowbyte == 0 ? (status >> 8) & 255 : -lowbyte;
     break;
     }
   if (rc < 0)
     {
-    yield = (errno == EINTR && sigalrm_seen)? -256 : -257;
+    /* This "shouldn't happen" test does happen on MacOS: for some reason
+    I do not understand we seems to get an alarm signal despite not having
+    an active alarm set. There seems to be only one, so just go round again. */
+
+    if (errno == EINTR && sigalrm_seen && timeout <= 0) continue;
+
+    yield = (errno == EINTR && sigalrm_seen) ? -256 : -257;
     break;
     }
   }
 
-if (timeout > 0) alarm(0);
+if (timeout > 0) ALARM_CLR(0);
 
 signal(SIGCHLD, oldsignal);   /* restore */
 return yield;
diff -Nru exim4-4.91/src/cnumber.h exim4-4.92~RC4/src/cnumber.h
--- exim4-4.91/src/cnumber.h	1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.92~RC4/src/cnumber.h	2018-12-27 13:38:04.000000000 +0000
@@ -0,0 +1 @@
+1
diff -Nru exim4-4.91/src/config.h.defaults exim4-4.92~RC4/src/config.h.defaults
--- exim4-4.91/src/config.h.defaults	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/config.h.defaults	2018-12-27 13:36:19.000000000 +0000
@@ -71,6 +71,7 @@
 #define FIXED_NEVER_USERS         "root"
 
 #define HAVE_CRYPT16
+#define HAVE_LOCAL_SCAN
 #define HAVE_SA_LEN
 #define HEADERS_CHARSET           "ISO-8859-1"
 #define HEADER_ADD_BUFFER_SIZE    (8192 * 4)
@@ -197,6 +198,8 @@
 #define EXPERIMENTAL_DMARC
     #define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds"
 #define EXPERIMENTAL_LMDB
+#define EXPERIMENTAL_PIPE_CONNECT
+#define EXPERIMENTAL_REQUIRETLS
 #define EXPERIMENTAL_QUEUEFILE
 #define EXPERIMENTAL_SRS
 
diff -Nru exim4-4.91/src/configure.default exim4-4.92~RC4/src/configure.default
--- exim4-4.91/src/configure.default	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/configure.default	2018-12-27 13:36:19.000000000 +0000
@@ -9,7 +9,7 @@
 # configuration file. There are many more than are mentioned here. The
 # manual is in the file doc/spec.txt in the Exim distribution as a plain
 # ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available
-# from the Exim ftp sites. The manual is also online at the Exim web sites.
+# from the Exim ftp sites. The manual is also online at the Exim website.
 
 
 # This file is divided into several parts, all but the first of which are
@@ -38,6 +38,18 @@
 
 
 ######################################################################
+#                               MACROS                               #
+######################################################################
+#
+
+# If you want to use a smarthost instead of sending directly to recipient
+# domains, uncomment this macro definition and set a real hostname.
+# An appropriately privileged user can then redirect email on the command-line
+# in emergencies, via -D.
+#
+# ROUTER_SMARTHOST=MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
+
+######################################################################
 #                    MAIN CONFIGURATION SETTINGS                     #
 ######################################################################
 #
@@ -225,6 +237,13 @@
 host_lookup = *
 
 
+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support.  It has no effect if your library lacks
+# DNSSEC support.
+
+dns_dnssec_ok = 1
+
+
 # The settings below cause Exim to make RFC 1413 (ident) callbacks
 # for all incoming SMTP calls. You can limit the hosts to which these
 # calls are made, and/or change the timeout that is used. If you set
@@ -573,6 +592,25 @@
 #   transport = remote_smtp
 
 
+# This router can be used when you want to send all mail to a
+# server which handles DNS lookups for you; an ISP will typically run such
+# a server for their customers.  The hostname in route_data comes from the
+# macro defined at the top of the file.  If not defined, then we'll use the
+# dnslookup router below instead.
+# Beware that the hostname is specified again in the Transport.
+
+.ifdef ROUTER_SMARTHOST
+
+smarthost:
+  driver = manualroute
+  domains = ! +local_domains
+  transport = smarthost_smtp
+  route_data = ROUTER_SMARTHOST
+  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+  no_more
+
+.else
+
 # This router routes addresses that are not in local domains by doing a DNS
 # lookup on the domain name. The exclamation mark that appears in "domains = !
 # +local_domains" is a negating operator, that is, it can be read as "not". The
@@ -593,22 +631,12 @@
   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
 # if ipv6-enabled then instead use:
 # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+  dnssec_request_domains = *
   no_more
 
-
-# This alternative router can be used when you want to send all mail to a
-# server which handles DNS lookups for you; an ISP will typically run such
-# a server for their customers.  If you uncomment "smarthost" then you
-# should comment out "dnslookup" above.  Setting a real hostname in route_data
-# wouldn't hurt either.
-
-# smarthost:
-#   driver = manualroute
-#   domains = ! +local_domains
-#   transport = remote_smtp
-#   route_data = MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
-#   ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-#   no_more
+# This closes the ROUTER_SMARTHOST ifdef around the choice of routing for
+# off-site mail.
+.endif
 
 
 # The remaining routers handle addresses in the local domain(s), that is those
@@ -725,6 +753,48 @@
 remote_smtp:
   driver = smtp
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.ifdef _HAVE_DANE
+  dnssec_request_domains = *
+  hosts_try_dane = *
+.endif
+
+
+# This transport is used for delivering messages to a smarthost, if the
+# smarthost router is enabled.  This starts from the same basis as
+# "remote_smtp" but then turns on various security options, because
+# we assume that if you're told "use smarthost.example.org as the smarthost"
+# then there will be TLS available, with a verifiable certificate for that
+# hostname, using decent TLS.
+
+smarthost_smtp:
+  driver = smtp
+  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+  multi_domain
+  #
+.ifdef _HAVE_TLS
+  # Comment out any of these which you have to, then file a Support
+  # request with your smarthost provider to get things fixed:
+  hosts_require_tls = *
+  tls_verify_hosts = *
+  # As long as tls_verify_hosts is enabled, this won't matter, but if you
+  # have to comment it out then this will at least log whether you succeed
+  # or not:
+  tls_try_verify_hosts = *
+  #
+  # The SNI name should match the name which we'll expect to verify;
+  # many mail systems don't use SNI and this doesn't matter, but if it does,
+  # we need to send a name which the remote site will recognize.
+  # This _should_ be the name which the smarthost operators specified as
+  # the hostname for sending your mail to.
+  tls_sni = ROUTER_SMARTHOST
+  #
+.ifdef _HAVE_OPENSSL
+  tls_require_ciphers = HIGH:!aNULL:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+  tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
+.endif
+.endif
 
 
 # This transport is used for local delivery to user mailboxes in traditional
diff -Nru exim4-4.91/src/daemon.c exim4-4.92~RC4/src/daemon.c
--- exim4-4.91/src/daemon.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/daemon.c	2018-12-27 13:36:19.000000000 +0000
@@ -106,10 +106,10 @@
 static void
 never_error(uschar *log_msg, uschar *smtp_msg, int was_errno)
 {
-uschar *emsg = (was_errno <= 0)? US"" :
-  string_sprintf(": %s", strerror(was_errno));
+uschar *emsg = was_errno <= 0
+  ? US"" : string_sprintf(": %s", strerror(was_errno));
 log_write(0, LOG_MAIN|LOG_PANIC, "%s%s", log_msg, emsg);
-if (smtp_out != NULL) smtp_printf("421 %s\r\n", FALSE, smtp_msg);
+if (smtp_out) smtp_printf("421 %s\r\n", FALSE, smtp_msg);
 }
 
 
@@ -202,11 +202,11 @@
 whofrom = string_append(NULL, 3, "[", sender_host_address, "]");
 
 if (LOGGING(incoming_port))
-  whofrom = string_append(whofrom, 2, ":", string_sprintf("%d", sender_host_port));
+  whofrom = string_fmt_append(whofrom, ":%d", sender_host_port);
 
 if (LOGGING(incoming_interface))
-  whofrom = string_append(whofrom, 4, " I=[",
-    interface_address, "]:", string_sprintf("%d", interface_port));
+  whofrom = string_fmt_append(whofrom, " I=[%s]:%d",
+    interface_address, interface_port);
 
 (void) string_from_gstring(whofrom);    /* Terminate the newly-built string */
 
@@ -259,7 +259,7 @@
   uschar *expanded = expand_string(smtp_accept_max_per_host);
   if (expanded == NULL)
     {
-    if (!expand_string_forcedfail)
+    if (!f.expand_string_forcedfail)
       log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
         "failed for %s: %s", whofrom->s, expand_string_message);
     }
@@ -387,7 +387,7 @@
     uschar * nah = expand_string(raw_active_hostname);
     if (!nah)
       {
-      if (!expand_string_forcedfail)
+      if (!f.expand_string_forcedfail)
         {
         log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" "
           "(smtp_active_hostname): %s", raw_active_hostname,
@@ -441,7 +441,7 @@
   finding the id, but turn it on again afterwards so that information about the
   incoming connection is output. */
 
-  if (debug_daemon) debug_selector = 0;
+  if (f.debug_daemon) debug_selector = 0;
   verify_get_ident(IDENT_PORT);
   host_build_sender_fullhost();
   debug_selector = save_debug_selector;
@@ -453,7 +453,7 @@
   /* Now disable debugging permanently if it's required only for the daemon
   process. */
 
-  if (debug_daemon) debug_selector = 0;
+  if (f.debug_daemon) debug_selector = 0;
 
   /* If there are too many child processes for immediate delivery,
   set the session_local_queue_only flag, which is initialized from the
@@ -565,9 +565,9 @@
 
       {
       int r = receive_messagecount;
-      BOOL q = queue_only_policy;
+      BOOL q = f.queue_only_policy;
       smtp_reset(reset_point);
-      queue_only_policy = q;
+      f.queue_only_policy = q;
       receive_messagecount = r;
       }
 
@@ -629,7 +629,7 @@
     If we are not root, we have to re-exec exim unless deliveries are being
     done unprivileged. */
 
-    else if (!queue_only_policy && !deliver_freeze)
+    else if (!f.queue_only_policy && !f.deliver_freeze)
       {
       pid_t dpid;
 
@@ -648,7 +648,7 @@
         the data structures if necessary. */
 
 #ifdef SUPPORT_TLS
-        tls_close(TRUE, TLS_NO_SHUTDOWN);
+        tls_close(NULL, TLS_NO_SHUTDOWN);
 #endif
 
         /* Reset SIGHUP and SIGCHLD in the child in both cases. */
@@ -927,7 +927,7 @@
 
 DEBUG(D_any|D_v) debug_selector |= D_pid;
 
-if (inetd_wait_mode)
+if (f.inetd_wait_mode)
   {
   listen_socket_count = 1;
   listen_sockets = store_get(sizeof(int));
@@ -966,7 +966,7 @@
   }
 
 
-if (inetd_wait_mode || daemon_listen)
+if (f.inetd_wait_mode || f.daemon_listen)
   {
   /* If any option requiring a load average to be available during the
   reception of a message is set, call os_getloadavg() while we are root
@@ -1048,7 +1048,7 @@
 first, so that we can return non-zero if there are any syntax errors, and also
 write to stderr. */
 
-if (daemon_listen && !inetd_wait_mode)
+if (f.daemon_listen && !f.inetd_wait_mode)
   {
   int *default_smtp_port;
   int sep;
@@ -1270,7 +1270,7 @@
 
   } /* daemon_listen but not inetd_wait_mode */
 
-if (daemon_listen)
+if (f.daemon_listen)
   {
 
   /* Do a sanity check on the max connects value just to save us from getting
@@ -1310,7 +1310,7 @@
 setsid() for getting rid of the controlling terminal. For any OS that doesn't,
 setsid() can be #defined as a no-op, or as something else. */
 
-if (background_daemon || inetd_wait_mode)
+if (f.background_daemon || f.inetd_wait_mode)
   {
   log_close_all();    /* Just in case anything was logged earlier */
   search_tidyup();    /* Just in case any were used in reading the config. */
@@ -1321,7 +1321,7 @@
   log_stderr = NULL;  /* So no attempt to copy paniclog output */
   }
 
-if (background_daemon)
+if (f.background_daemon)
   {
   /* If the parent process of this one has pid == 1, we are re-initializing the
   daemon as the result of a SIGHUP. In this case, there is no need to do
@@ -1342,7 +1342,7 @@
 /* We are now in the disconnected, daemon process (unless debugging). Set up
 the listening sockets if required. */
 
-if (daemon_listen && !inetd_wait_mode)
+if (f.daemon_listen && !f.inetd_wait_mode)
   {
   int sk;
   ip_address_item *ipa;
@@ -1420,7 +1420,7 @@
     listen() stage instead. */
 
 #ifdef TCP_FASTOPEN
-    tcp_fastopen_ok = TRUE;
+    f.tcp_fastopen_ok = TRUE;
 #endif
     for(;;)
       {
@@ -1458,19 +1458,32 @@
       else
         debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
 
-#ifdef TCP_FASTOPEN
-    if (setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN,
+#if defined(TCP_FASTOPEN) && !defined(__APPLE__)
+    if (  f.tcp_fastopen_ok
+       && setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN,
 		    &smtp_connect_backlog, sizeof(smtp_connect_backlog)))
       {
       DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
-      tcp_fastopen_ok = FALSE;
+      f.tcp_fastopen_ok = FALSE;
       }
 #endif
 
     /* Start listening on the bound socket, establishing the maximum backlog of
     connections that is allowed. On success, continue to the next address. */
 
-    if (listen(listen_sockets[sk], smtp_connect_backlog) >= 0) continue;
+    if (listen(listen_sockets[sk], smtp_connect_backlog) >= 0)
+      {
+#if defined(TCP_FASTOPEN) && defined(__APPLE__)
+      if (  f.tcp_fastopen_ok
+	 && setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN,
+		      &on, sizeof(on)))
+	{
+	DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
+	f.tcp_fastopen_ok = FALSE;
+	}
+#endif
+      continue;
+      }
 
     /* Listening has failed. In an IPv6 environment, as for bind(), if listen()
     fails with the error EADDRINUSE and we are doing IPv4 wildcard listening
@@ -1525,7 +1538,7 @@
 
 The variable daemon_write_pid is used to control this. */
 
-if (running_in_test_harness || write_pid)
+if (f.running_in_test_harness || write_pid)
   {
   FILE *f;
 
@@ -1591,7 +1604,7 @@
 /* Log the start up of a daemon - at least one of listening or queue running
 must be set up. */
 
-if (inetd_wait_mode)
+if (f.inetd_wait_mode)
   {
   uschar *p = big_buffer;
 
@@ -1609,7 +1622,7 @@
   sigalrm_seen = 1;
   }
 
-else if (daemon_listen)
+else if (f.daemon_listen)
   {
   int i, j;
   int smtp_ports = 0;
@@ -1787,7 +1800,7 @@
         }
 
       sigalrm_seen = FALSE;
-      alarm(resignal_interval);
+      ALARM(resignal_interval);
       }
 
     else
@@ -1812,7 +1825,7 @@
           leave the above message, because it ties up with the "child ended"
           debugging messages. */
 
-          if (debug_daemon) debug_selector = 0;
+          if (f.debug_daemon) debug_selector = 0;
 
           /* Close any open listening sockets in the child */
 
@@ -1837,11 +1850,11 @@
             signal(SIGALRM, SIG_DFL);
             *p++ = '-';
             *p++ = 'q';
-            if (queue_2stage) *p++ = 'q';
-            if (queue_run_first_delivery) *p++ = 'i';
-            if (queue_run_force) *p++ = 'f';
-            if (deliver_force_thaw) *p++ = 'f';
-            if (queue_run_local) *p++ = 'l';
+            if (f.queue_2stage) *p++ = 'q';
+            if (f.queue_run_first_delivery) *p++ = 'i';
+            if (f.queue_run_force) *p++ = 'f';
+            if (f.deliver_force_thaw) *p++ = 'f';
+            if (f.queue_run_local) *p++ = 'l';
             *p = 0;
 	    extra[0] = queue_name
 	      ? string_sprintf("%sG%s", opt, queue_name) : opt;
@@ -1851,13 +1864,13 @@
 
             if (deliver_selectstring)
               {
-              extra[extracount++] = deliver_selectstring_regex ? US"-Rr" : US"-R";
+              extra[extracount++] = f.deliver_selectstring_regex ? US"-Rr" : US"-R";
               extra[extracount++] = deliver_selectstring;
               }
 
             if (deliver_selectstring_sender)
               {
-              extra[extracount++] = deliver_selectstring_sender_regex
+              extra[extracount++] = f.deliver_selectstring_sender_regex
 	        ? US"-Sr" : US"-S";
               extra[extracount++] = deliver_selectstring_sender;
               }
@@ -1900,7 +1913,7 @@
       /* Reset the alarm clock */
 
       sigalrm_seen = FALSE;
-      alarm(queue_interval);
+      ALARM(queue_interval);
       }
 
     } /* sigalrm_seen */
@@ -1915,7 +1928,7 @@
   new OS. In fact, the later addition of listening on specific interfaces only
   requires this way of working anyway. */
 
-  if (daemon_listen)
+  if (f.daemon_listen)
     {
     int sk, lcount, select_errno;
     int max_socket = 0;
@@ -2087,7 +2100,7 @@
       getpid());
     for (sk = 0; sk < listen_socket_count; sk++)
       (void)close(listen_sockets[sk]);
-    alarm(0);
+    ALARM_CLR(0);
     signal(SIGHUP, SIG_IGN);
     sighup_argv[0] = exim_path;
     exim_nullstd();
diff -Nru exim4-4.91/src/dane-openssl.c exim4-4.92~RC4/src/dane-openssl.c
--- exim4-4.91/src/dane-openssl.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/dane-openssl.c	2018-12-27 13:36:19.000000000 +0000
@@ -414,7 +414,7 @@
 X509_NAME *name = akid_issuer_name(akid);
 
 /*
- * If subject's akid specifies an authority key identifer issuer name, we
+ * If subject's akid specifies an authority key identifier issuer name, we
  * must use that.
  */
 return X509_set_issuer_name(cert,
diff -Nru exim4-4.91/src/dbfn.c exim4-4.92~RC4/src/dbfn.c
--- exim4-4.91/src/dbfn.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/dbfn.c	2018-12-27 13:36:19.000000000 +0000
@@ -93,6 +93,8 @@
 flock_t lock_data;
 uschar dirname[256], filename[256];
 
+DEBUG(D_hints_lookup) acl_level++;
+
 /* The first thing to do is to open a separate file on which to lock. This
 ensures that Exim has exclusive use of the database before it even tries to
 open it. Early versions tried to lock on the open database itself, but that
@@ -121,6 +123,7 @@
   log_write(0, LOG_MAIN, "%s",
     string_open_failed(errno, "database lock file %s", filename));
   errno = 0;      /* Indicates locking failure */
+  DEBUG(D_hints_lookup) acl_level--;
   return NULL;
   }
 
@@ -131,12 +134,12 @@
 lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
 
 DEBUG(D_hints_lookup|D_retry|D_route|D_deliver)
-  debug_printf("locking %s\n", filename);
+  debug_printf_indent("locking %s\n", filename);
 
 sigalrm_seen = FALSE;
-alarm(EXIMDB_LOCK_TIMEOUT);
+ALARM(EXIMDB_LOCK_TIMEOUT);
 rc = fcntl(dbblock->lockfd, F_SETLKW, &lock_data);
-alarm(0);
+ALARM_CLR(0);
 
 if (sigalrm_seen) errno = ETIMEDOUT;
 if (rc < 0)
@@ -146,10 +149,11 @@
     errno == ETIMEDOUT ? "timed out" : strerror(errno));
   (void)close(dbblock->lockfd);
   errno = 0;       /* Indicates locking failure */
+  DEBUG(D_hints_lookup) acl_level--;
   return NULL;
   }
 
-DEBUG(D_hints_lookup) debug_printf("locked  %s\n", filename);
+DEBUG(D_hints_lookup) debug_printf_indent("locked  %s\n", filename);
 
 /* At this point we have an opened and locked separate lock file, that is,
 exclusive access to the database, so we can go ahead and open it. If we are
@@ -166,7 +170,7 @@
 if (!dbblock->dbptr && errno == ENOENT && flags == O_RDWR)
   {
   DEBUG(D_hints_lookup)
-    debug_printf("%s appears not to exist: trying to create\n", filename);
+    debug_printf_indent("%s appears not to exist: trying to create\n", filename);
   created = TRUE;
   EXIM_DBOPEN(filename, dirname, flags|O_CREAT, EXIMDB_MODE, &(dbblock->dbptr));
   }
@@ -204,9 +208,9 @@
       Ustrcpy(lastname, ent->d_name);
       if (Ustat(filename, &statbuf) >= 0 && statbuf.st_uid != exim_uid)
         {
-        DEBUG(D_hints_lookup) debug_printf("ensuring %s is owned by exim\n", filename);
+        DEBUG(D_hints_lookup) debug_printf_indent("ensuring %s is owned by exim\n", filename);
         if (Uchown(filename, exim_uid, exim_gid))
-          DEBUG(D_hints_lookup) debug_printf("failed setting %s to owned by exim\n", filename);
+          DEBUG(D_hints_lookup) debug_printf_indent("failed setting %s to owned by exim\n", filename);
         }
       }
 
@@ -224,15 +228,16 @@
         filename));
   else
     DEBUG(D_hints_lookup)
-      debug_printf("%s\n", CS string_open_failed(save_errno, "DB file %s",
+      debug_printf_indent("%s\n", CS string_open_failed(save_errno, "DB file %s",
           filename));
   (void)close(dbblock->lockfd);
   errno = save_errno;
+  DEBUG(D_hints_lookup) acl_level--;
   return NULL;
   }
 
 DEBUG(D_hints_lookup)
-  debug_printf("opened hints database %s: flags=%s\n", filename,
+  debug_printf_indent("opened hints database %s: flags=%s\n", filename,
     flags == O_RDONLY ? "O_RDONLY"
     : flags == O_RDWR ? "O_RDWR"
     : flags == (O_RDWR|O_CREAT) ? "O_RDWR|O_CREAT"
@@ -263,7 +268,8 @@
 {
 EXIM_DBCLOSE(dbblock->dbptr);
 (void)close(dbblock->lockfd);
-DEBUG(D_hints_lookup) debug_printf("closed hints database and lockfile\n");
+DEBUG(D_hints_lookup)
+  { debug_printf_indent("closed hints database and lockfile\n"); acl_level--; }
 }
 
 
@@ -300,7 +306,7 @@
 
 memcpy(key_copy, key, klen);
 
-DEBUG(D_hints_lookup) debug_printf("dbfn_read: key=%s\n", key);
+DEBUG(D_hints_lookup) debug_printf_indent("dbfn_read: key=%s\n", key);
 
 EXIM_DATUM_INIT(key_datum);         /* Some DBM libraries require the datum */
 EXIM_DATUM_INIT(result_datum);      /* to be cleared before use. */
@@ -345,7 +351,7 @@
 memcpy(key_copy, key, klen);
 gptr->time_stamp = time(NULL);
 
-DEBUG(D_hints_lookup) debug_printf("dbfn_write: key=%s\n", key);
+DEBUG(D_hints_lookup) debug_printf_indent("dbfn_write: key=%s\n", key);
 
 EXIM_DATUM_INIT(key_datum);         /* Some DBM libraries require the datum */
 EXIM_DATUM_INIT(value_datum);       /* to be cleared before use. */
@@ -376,6 +382,8 @@
 int klen = Ustrlen(key) + 1;
 uschar * key_copy = store_get(klen);
 
+DEBUG(D_hints_lookup) debug_printf_indent("dbfn_delete: key=%s\n", key);
+
 memcpy(key_copy, key, klen);
 EXIM_DATUM key_datum;
 EXIM_DATUM_INIT(key_datum);         /* Some DBM libraries require clearing */
@@ -409,6 +417,8 @@
 uschar *yield;
 value_datum = value_datum;    /* dummy; not all db libraries use this */
 
+DEBUG(D_hints_lookup) debug_printf_indent("dbfn_scan\n");
+
 /* Some dbm require an initialization */
 
 if (start) EXIM_DBCREATE_CURSOR(dbblock->dbptr, cursor);
diff -Nru exim4-4.91/src/dbstuff.h exim4-4.92~RC4/src/dbstuff.h
--- exim4-4.91/src/dbstuff.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/dbstuff.h	2018-12-27 13:36:19.000000000 +0000
@@ -636,18 +636,18 @@
 #  define EXIM_DBOPEN(name, dirname, flags, mode, dbpp) \
   do { \
   DEBUG(D_hints_lookup) \
-    debug_printf("EXIM_DBOPEN: file <%s> dir <%s> flags=%s\n", \
+    debug_printf_indent("EXIM_DBOPEN: file <%s> dir <%s> flags=%s\n", \
       (name), (dirname),		\
       (flags) == O_RDONLY ? "O_RDONLY"	\
       : (flags) == O_RDWR ? "O_RDWR"	\
       : (flags) == (O_RDWR|O_CREAT) ? "O_RDWR|O_CREAT"	\
       : "??");	\
   EXIM_DBOPEN__(name, dirname, flags, mode, dbpp); \
-  DEBUG(D_hints_lookup) debug_printf("returned from EXIM_DBOPEN: %p\n", *dbpp); \
+  DEBUG(D_hints_lookup) debug_printf_indent("returned from EXIM_DBOPEN: %p\n", *dbpp); \
   } while(0)
 #  define EXIM_DBCLOSE(db) \
   do { \
-  DEBUG(D_hints_lookup) debug_printf("EXIM_DBCLOSE(%p)\n", db); \
+  DEBUG(D_hints_lookup) debug_printf_indent("EXIM_DBCLOSE(%p)\n", db); \
   EXIM_DBCLOSE__(db); \
   } while(0)
 
@@ -786,5 +786,23 @@
   uschar   bloom[40];     /* Bloom filter which may be larger than this */
 } dbdata_ratelimit_unique;
 
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+/* This structure records the EHLO responses, cleartext and crypted,
+for an IP, as bitmasks (cf. OPTION_TLS) */
+
+typedef struct {
+  unsigned short cleartext_features;
+  unsigned short crypted_features;
+  unsigned short cleartext_auths;
+  unsigned short crypted_auths;
+} ehlo_resp_precis;
+
+typedef struct {
+  time_t time_stamp;
+  /*************/
+  ehlo_resp_precis data;
+} dbdata_ehlo_resp;
+#endif
+
 
 /* End of dbstuff.h */
diff -Nru exim4-4.91/src/debug.c exim4-4.92~RC4/src/debug.c
--- exim4-4.91/src/debug.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/debug.c	2018-12-27 13:36:19.000000000 +0000
@@ -188,7 +188,7 @@
 
     gettimeofday(&now, NULL);
     tmp = now.tv_sec;
-    t = timestamps_utc ? gmtime(&tmp) : localtime(&tmp);
+    t = f.timestamps_utc ? gmtime(&tmp) : localtime(&tmp);
     debug_ptr += sprintf(CS debug_ptr,
       LOGGING(millisec) ? "%02d:%02d:%02d.%03d " : "%02d:%02d:%02d ",
       t->tm_hour, t->tm_min, t->tm_sec, (int)(now.tv_usec/1000));
@@ -212,11 +212,19 @@
   {
   int i;
   for (i = indent >> 2; i > 0; i--)
-    {
-    Ustrcpy(debug_ptr, "   " UTF8_VERT_2DASH);
-    debug_ptr += 6;	/* 3 spaces + 3 UTF-8 octets */
-    debug_prefix_length += 6;
-    }
+    DEBUG(D_noutf8)
+      {
+      Ustrcpy(debug_ptr, "   !");
+      debug_ptr += 4;	/* 3 spaces + shriek */
+      debug_prefix_length += 4;
+      }
+    else
+      {
+      Ustrcpy(debug_ptr, "   " UTF8_VERT_2DASH);
+      debug_ptr += 6;	/* 3 spaces + 3 UTF-8 octets */
+      debug_prefix_length += 6;
+      }
+
   Ustrncpy(debug_ptr, "   ", indent &= 3);
   debug_ptr += indent;
   debug_prefix_length += indent;
@@ -225,19 +233,27 @@
 /* Use the checked formatting routine to ensure that the buffer
 does not overflow. Ensure there's space for a newline at the end. */
 
-if (!string_vformat(debug_ptr,
-     sizeof(debug_buffer) - (debug_ptr - debug_buffer) - 1, format, ap))
   {
-  uschar *s = US"**** debug string too long - truncated ****\n";
-  uschar *p = debug_buffer + Ustrlen(debug_buffer);
-  int maxlen = sizeof(debug_buffer) - Ustrlen(s) - 3;
-  if (p > debug_buffer + maxlen) p = debug_buffer + maxlen;
-  if (p > debug_buffer && p[-1] != '\n') *p++ = '\n';
-  Ustrcpy(p, s);
+  gstring gs = { .size = (int)sizeof(debug_buffer) - 1,
+		.ptr = debug_ptr - debug_buffer,
+		.s = debug_buffer };
+  if (!string_vformat(&gs, FALSE, format, ap))
+    {
+    uschar * s = US"**** debug string too long - truncated ****\n";
+    uschar * p = gs.s + gs.ptr;
+    int maxlen = gs.size - Ustrlen(s) - 2;
+    if (p > gs.s + maxlen) p = gs.s + maxlen;
+    if (p > gs.s && p[-1] != '\n') *p++ = '\n';
+    Ustrcpy(p, s);
+    while(*debug_ptr) debug_ptr++;
+    }
+  else
+    {
+    string_from_gstring(&gs);
+    debug_ptr = gs.s + gs.ptr;
+    }
   }
 
-while(*debug_ptr != 0) debug_ptr++;
-
 /* Output the line if it is complete. If we added any prefix data and there
 are internal newlines, make sure the prefix is on the continuation lines,
 as long as there is room in the buffer. We want to do just a single fprintf()
diff -Nru exim4-4.91/src/deliver.c exim4-4.92~RC4/src/deliver.c
--- exim4-4.91/src/deliver.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/deliver.c	2018-12-27 13:36:19.000000000 +0000
@@ -761,10 +761,9 @@
 if (LOGGING(incoming_interface) && LOGGING(outgoing_interface)
     && sending_ip_address)
   {
-  g = string_append(g, 2, US" I=[", sending_ip_address);
-  g = LOGGING(outgoing_port)
-    ? string_append(g, 2, US"]:", string_sprintf("%d", sending_port))
-    : string_catn(g, US"]", 1);
+  g = string_fmt_append(g, " I=[%s]", sending_ip_address);
+  if (LOGGING(outgoing_port))
+    g = string_fmt_append(g, "%d", sending_port);
   }
 return g;
 }
@@ -784,21 +783,21 @@
 g = string_append(g, 3, US" [", h->address, US"]");
 
 if (LOGGING(outgoing_port))
-  g = string_append(g, 2, US":", string_sprintf("%d", h->port));
+  g = string_fmt_append(g, ":%d", h->port);
 
 #ifdef SUPPORT_SOCKS
 if (LOGGING(proxy) && proxy_local_address)
   {
   g = string_append(g, 3, US" PRX=[", proxy_local_address, US"]");
   if (LOGGING(outgoing_port))
-    g = string_append(g, 2, US":", string_sprintf("%d", proxy_local_port));
+    g = string_fmt_append(g, ":%d", proxy_local_port);
   }
 #endif
 
 g = d_log_interface(g);
 
 if (testflag(addr, af_tcp_fastopen))
-  g = string_catn(g, US" TFO", 4);
+  g = string_catn(g, US" TFO*", testflag(addr, af_tcp_fastopen_data) ? 5 : 4);
 
 return g;
 }
@@ -851,7 +850,7 @@
   if (!(s = expand_string(action)) && *expand_string_message)
     log_write(0, LOG_MAIN|LOG_PANIC,
       "failed to expand event_action %s in %s: %s\n",
-      event, transport_name, expand_string_message);
+      event, transport_name ? transport_name : US"main", expand_string_message);
 
   event_name = event_data = NULL;
 
@@ -877,20 +876,33 @@
 const uschar * save_address = deliver_host_address;
 const int      save_port =   deliver_host_port;
 
-if (!addr->transport)
-  return;
-
 router_name =    addr->router ? addr->router->name : NULL;
-transport_name = addr->transport->name;
 deliver_domain = addr->domain;
 deliver_localpart = addr->local_part;
 deliver_host =   addr->host_used ? addr->host_used->name : NULL;
 
-(void) event_raise(addr->transport->event_action, event,
-	  addr->host_used
-          || Ustrcmp(addr->transport->driver_name, "smtp") == 0
-	  || Ustrcmp(addr->transport->driver_name, "lmtp") == 0
-	 ? addr->message : NULL);
+if (!addr->transport)
+  {
+  if (Ustrcmp(event, "msg:fail:delivery") == 0)
+    {
+     /* An address failed with no transport involved. This happens when
+     a filter was used which triggered a fail command (in such a case
+     a transport isn't needed).  Convert it to an internal fail event. */
+
+    (void) event_raise(event_action, US"msg:fail:internal", addr->message);
+    }
+  }
+else
+  {
+  transport_name = addr->transport->name;
+
+  (void) event_raise(addr->transport->event_action, event,
+	    addr->host_used
+	    || Ustrcmp(addr->transport->driver_name, "smtp") == 0
+	    || Ustrcmp(addr->transport->driver_name, "lmtp") == 0
+	    || Ustrcmp(addr->transport->driver_name, "autoreply") == 0
+	   ? addr->message : NULL);
+  }
 
 deliver_host_port =    save_port;
 deliver_host_address = save_address;
@@ -1095,7 +1107,7 @@
 if (diff->tv_sec >= 5 || !LOGGING(millisec))
   return readconf_printtime((int)diff->tv_sec);
 
-sprintf(CS buf, "%d.%03ds", (int)diff->tv_sec, (int)diff->tv_usec/1000);
+sprintf(CS buf, "%u.%03us", (uint)diff->tv_sec, (uint)diff->tv_usec/1000);
 return buf;
 }
 
@@ -1183,8 +1195,7 @@
 g = string_append(g, 2, US" T=", addr->transport->name);
 
 if (LOGGING(delivery_size))
-  g = string_append(g, 2, US" S=",
-    string_sprintf("%d", transport_count));
+  g = string_fmt_append(g, " S=%d", transport_count);
 
 /* Local delivery */
 
@@ -1234,6 +1245,16 @@
       }
     }
 
+  if (LOGGING(pipelining))
+    {
+    if (testflag(addr, af_pipelining))
+      g = string_catn(g, US" L", 2);
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    if (testflag(addr, af_early_pipe))
+      g = string_catn(g, US"*", 1);
+#endif
+    }
+
 #ifndef DISABLE_PRDR
   if (testflag(addr, af_prdr_used))
     g = string_catn(g, US" PRDR", 5);
@@ -1322,13 +1343,12 @@
   {
   if (driver_kind[1] == 't' && addr->router)
     g = string_append(g, 2, US" R=", addr->router->name);
-  g = string_cat(g, string_sprintf(" %c=%s", toupper(driver_kind[1]), driver_name));
+  g = string_fmt_append(g, " %c=%s", toupper(driver_kind[1]), driver_name);
   }
 else if (driver_kind)
   g = string_append(g, 2, US" ", driver_kind);
 
-/*XXX need an s+s+p sprintf */
-g = string_cat(g, string_sprintf(" defer (%d)", addr->basic_errno));
+g = string_fmt_append(g, " defer (%d)", addr->basic_errno);
 
 if (addr->basic_errno > 0)
   g = string_append(g, 2, US": ",
@@ -1342,8 +1362,7 @@
   if (LOGGING(outgoing_port))
     {
     int port = addr->host_used->port;
-    g = string_append(g, 2,
-	  US":", port == PORT_NONE ? US"25" : string_sprintf("%d", port));
+    g = string_fmt_append(g, ":%d", port == PORT_NONE ? 25 : port);
     }
   }
 
@@ -1355,7 +1374,7 @@
 /* Log the deferment in the message log, but don't clutter it
 up with retry-time defers after the first delivery attempt. */
 
-if (deliver_firsttime || addr->basic_errno > ERRNO_RETRY_BASE)
+if (f.deliver_firsttime || addr->basic_errno > ERRNO_RETRY_BASE)
   deliver_msglog("%s %s\n", now, g->s);
 
 /* Write the main log and reset the store.
@@ -1380,6 +1399,16 @@
 void * reset_point;
 gstring * g = reset_point = string_get(256);
 
+#ifndef DISABLE_EVENT
+/* Message failures for which we will send a DSN get their event raised
+later so avoid doing it here. */
+
+if (  !addr->prop.ignore_error
+   && !(addr->dsn_flags & (rf_dsnflags & ~rf_notify_failure))
+   )
+  msg_event_raise(US"msg:fail:delivery", addr);
+#endif
+
 /* Build up the log line for the message and main logs */
 
 /* Create the address string for logging. Must not do this earlier, because
@@ -1428,10 +1457,6 @@
 
 log_write(0, LOG_MAIN, "** %s", g->s);
 
-#ifndef DISABLE_EVENT
-msg_event_raise(US"msg:fail:delivery", addr);
-#endif
-
 store_reset(reset_point);
 return;
 }
@@ -1475,7 +1500,7 @@
     {
     driver_name = addr->transport->name;
     driver_kind = US" transport";
-    disable_logging = addr->transport->disable_logging;
+    f.disable_logging = addr->transport->disable_logging;
     }
   else driver_kind = US"transporting";
   }
@@ -1485,7 +1510,7 @@
     {
     driver_name = addr->router->name;
     driver_kind = US" router";
-    disable_logging = addr->router->disable_logging;
+    f.disable_logging = addr->router->disable_logging;
     }
   else driver_kind = US"routing";
   }
@@ -1553,7 +1578,7 @@
           log_write(0, LOG_MAIN, "<%s>: %s transport output: %s",
             addr->address, tb->name, sp);
           }
-        (void)fclose(f);
+      (void)fclose(f);
       }
 
     /* Handle returning options, but only if there is an address to return
@@ -1659,7 +1684,7 @@
 
   if (addr->special_action == SPECIAL_FREEZE)
     {
-    deliver_freeze = TRUE;
+    f.deliver_freeze = TRUE;
     deliver_frozen_at = time(NULL);
     update_spool = TRUE;
     }
@@ -1667,7 +1692,7 @@
   /* If doing a 2-stage queue run, we skip writing to either the message
   log or the main log for SMTP defers. */
 
-  if (!queue_2stage || addr->basic_errno != 0)
+  if (!f.queue_2stage || addr->basic_errno != 0)
     deferral_log(addr, now, logflags, driver_name, driver_kind);
   }
 
@@ -1700,10 +1725,10 @@
     {
     frozen_info = addr->special_action == SPECIAL_FREEZE
       ? US""
-      : sender_local && !local_error_message
+      : f.sender_local && !f.local_error_message
       ? US" (message created with -f <>)"
       : US" (delivery error message)";
-    deliver_freeze = TRUE;
+    f.deliver_freeze = TRUE;
     deliver_frozen_at = time(NULL);
     update_spool = TRUE;
 
@@ -1728,7 +1753,7 @@
 
 /* Ensure logging is turned on again in all cases */
 
-disable_logging = FALSE;
+f.disable_logging = FALSE;
 }
 
 
@@ -1763,13 +1788,12 @@
 if (format)
   {
   va_list ap;
-  uschar buffer[512];
+  gstring * g;
+
   va_start(ap, format);
-  if (!string_vformat(buffer, sizeof(buffer), CS format, ap))
-    log_write(0, LOG_MAIN|LOG_PANIC_DIE,
-      "common_error expansion was longer than " SIZE_T_FMT, sizeof(buffer));
+  g = string_vformat(NULL, TRUE, CS format, ap);
   va_end(ap);
-  addr->message = string_copy(buffer);
+  addr->message = string_from_gstring(g);
   }
 
 for (addr2 = addr->next; addr2; addr2 = addr2->next)
@@ -2154,7 +2178,7 @@
   uschar *new_return_path = expand_string(tp->return_path);
   if (!new_return_path)
     {
-    if (!expand_string_forcedfail)
+    if (!f.expand_string_forcedfail)
       {
       common_error(TRUE, addr, ERRNO_EXPANDFAIL,
         US"Failed to expand return path \"%s\" in %s transport: %s",
@@ -2553,7 +2577,7 @@
       /* In the test harness, wait just a bit to let the subprocess finish off
       any debug output etc first. */
 
-      if (running_in_test_harness) millisleep(300);
+      if (f.running_in_test_harness) millisleep(300);
 
       DEBUG(D_deliver) debug_printf("journalling %s", big_buffer);
       len = Ustrlen(big_buffer);
@@ -2713,7 +2737,7 @@
   struct timeval deliver_time;
   address_item *addr2, *addr3, *nextaddr;
   int logflags = LOG_MAIN;
-  int logchar = dont_deliver? '*' : '=';
+  int logchar = f.dont_deliver? '*' : '=';
   transport_instance *tp;
   uschar * serialize_key = NULL;
 
@@ -2731,7 +2755,7 @@
   if (!(tp = addr->transport))
     {
     logflags |= LOG_PANIC;
-    disable_logging = FALSE;  /* Jic */
+    f.disable_logging = FALSE;  /* Jic */
     addr->message = addr->router
       ? string_sprintf("No transport set by %s router", addr->router->name)
       : string_sprintf("No transport set by system filter");
@@ -2749,7 +2773,7 @@
 
   /* There are weird cases where logging is disabled */
 
-  disable_logging = tp->disable_logging;
+  f.disable_logging = tp->disable_logging;
 
   /* Check for batched addresses and possible amalgamation. Skip all the work
   if either batch_max <= 1 or there aren't any other addresses for local
@@ -2936,7 +2960,7 @@
             retry_record->expired);
           }
 
-        if (queue_running && !deliver_force)
+        if (f.queue_running && !f.deliver_force)
           {
           ok = (now - retry_record->time_stamp > retry_data_expire)
 	    || (now >= retry_record->next_try)
@@ -3293,8 +3317,8 @@
 often bigger) so even if we are reading while the subprocess is still going, we
 should never have only a partial item in the buffer.
 
-hs12: This assumption is not true anymore, since we got quit large items (certificate
-information and such)
+hs12: This assumption is not true anymore, since we get quite large items (certificate
+information and such).
 
 Argument:
   poffset     the offset of the parlist item
@@ -3551,6 +3575,16 @@
       break;
 #endif
 
+    case 'L':
+      switch (*subid)
+	{
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	case 2: setflag(addr, af_early_pipe);	/*FALLTHROUGH*/
+#endif
+	case 1: setflag(addr, af_pipelining); break;
+	}
+      break;
+
     case 'K':
       setflag(addr, af_chunking_used);
       break;
@@ -3558,6 +3592,7 @@
     case 'T':
       setflag(addr, af_tcp_fastopen_conn);
       if (*subid > '0') setflag(addr, af_tcp_fastopen);
+      if (*subid > '1') setflag(addr, af_tcp_fastopen_data);
       break;
 
     case 'D':
@@ -4251,7 +4286,7 @@
 
   if (!(tp = addr->transport))
     {
-    disable_logging = FALSE;  /* Jic */
+    f.disable_logging = FALSE;  /* Jic */
     panicmsg = US"No transport set by router";
     goto panic_continue;
     }
@@ -4446,7 +4481,7 @@
     uschar *new_return_path = expand_string(tp->return_path);
     if (new_return_path)
       return_path = new_return_path;
-    else if (!expand_string_forcedfail)
+    else if (!f.expand_string_forcedfail)
       {
       panicmsg = string_sprintf("Failed to expand return path \"%s\": %s",
 	tp->return_path, expand_string_message);
@@ -4478,7 +4513,7 @@
   treat it as if it is a continued connection (apart from the counter used
   for the log line mark). */
 
-  if (cutthrough.fd >= 0 && cutthrough.callout_hold_only)
+  if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
     {
     DEBUG(D_deliver)
       debug_printf("lazy-callout-close: have conn still open from verification\n");
@@ -4497,7 +4532,7 @@
   we must check that the continue host is on the list. Otherwise, the
   host is set in the transport. */
 
-  continue_more = FALSE;           /* In case got set for the last lot */
+  f.continue_more = FALSE;           /* In case got set for the last lot */
   if (continue_transport)
     {
     BOOL ok = Ustrcmp(continue_transport, tp->name) == 0;
@@ -4572,12 +4607,12 @@
     connected to is too hard to manage.  Perhaps we need a finer-grain
     interface to the transport. */
 
-    for (next = addr_remote; next && !continue_more; next = next->next)
+    for (next = addr_remote; next && !f.continue_more; next = next->next)
       {
       host_item *h;
       for (h = next->host_list; h; h = h->next)
         if (Ustrcmp(h->name, continue_hostname) == 0)
-          { continue_more = TRUE; break; }
+          { f.continue_more = TRUE; break; }
       }
     }
 
@@ -4656,18 +4691,16 @@
 
   search_tidyup();
 
-
   if ((pid = fork()) == 0)
     {
     int fd = pfd[pipe_write];
     host_item *h;
-    DEBUG(D_deliver) debug_selector |= D_pid;  // hs12
 
     /* Setting this global in the subprocess means we need never clear it */
     transport_name = tp->name;
 
     /* There are weird circumstances in which logging is disabled */
-    disable_logging = tp->disable_logging;
+    f.disable_logging = tp->disable_logging;
 
     /* Show pids on debug output if parallelism possible */
 
@@ -4682,7 +4715,7 @@
     predictable settings for each delivery process, so do something explicit
     here rather they rely on the fixed reset in the random number function. */
 
-    random_seed = running_in_test_harness ? 42 + 2*delivery_count : 0;
+    random_seed = f.running_in_test_harness ? 42 + 2*delivery_count : 0;
 
     /* Set close-on-exec on the pipe so that it doesn't get passed on to
     a new process that may be forked to do another delivery down the same
@@ -4856,12 +4889,22 @@
 	rmt_dlv_checked_write(fd, 'P', '0', NULL, 0);
 #endif
 
+      if (testflag(addr, af_pipelining))
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	if (testflag(addr, af_early_pipe))
+	  rmt_dlv_checked_write(fd, 'L', '2', NULL, 0);
+	else
+#endif
+	  rmt_dlv_checked_write(fd, 'L', '1', NULL, 0);
+
       if (testflag(addr, af_chunking_used))
 	rmt_dlv_checked_write(fd, 'K', '0', NULL, 0);
 
       if (testflag(addr, af_tcp_fastopen_conn))
 	rmt_dlv_checked_write(fd, 'T',
-	  testflag(addr, af_tcp_fastopen) ? '1' : '0', NULL, 0);
+	  testflag(addr, af_tcp_fastopen) ? testflag(addr, af_tcp_fastopen_data)
+	  ? '2' : '1' : '0',
+	  NULL, 0);
 
       memcpy(big_buffer, &addr->dsn_aware, sizeof(addr->dsn_aware));
       rmt_dlv_checked_write(fd, 'D', '0', big_buffer, sizeof(addr->dsn_aware));
@@ -4985,12 +5028,13 @@
   release its TLS library context (if any) as responsibility was passed to
   the delivery child process. */
 
-  if (cutthrough.fd >= 0 && cutthrough.callout_hold_only)
+  if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
     {
 #ifdef SUPPORT_TLS
-    tls_close(FALSE, TLS_NO_SHUTDOWN);
+    if (cutthrough.is_tls)
+      tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN);
 #endif
-    (void) close(cutthrough.fd);
+    (void) close(cutthrough.cctx.sock);
     release_cutthrough_connection(US"passed to transport proc");
     }
 
@@ -5032,7 +5076,7 @@
   newly created process get going before we create another process. This should
   ensure repeatability in the tests. We only need to wait a tad. */
 
-  else if (running_in_test_harness) millisleep(500);
+  else if (f.running_in_test_harness) millisleep(500);
 
   continue;
 
@@ -5334,7 +5378,7 @@
 print_address_error(address_item *addr, FILE *f, uschar *t)
 {
 int count = Ustrlen(t);
-uschar *s = testflag(addr, af_pass_message)? addr->message : NULL;
+uschar *s = testflag(addr, af_pass_message) ? addr->message : NULL;
 
 if (!s && !(s = addr->user_message))
   return;
@@ -5555,8 +5599,9 @@
 it is obtained from a command line (the -M or -q options), and otherwise it is
 known to be a valid message id. */
 
-Ustrcpy(message_id, id);
-deliver_force = forced;
+if (id != message_id)
+  Ustrcpy(message_id, id);
+f.deliver_force = forced;
 return_count = 0;
 message_size = 0;
 
@@ -5704,7 +5749,7 @@
 can happen, but in the default situation, unless forced, no delivery is
 attempted. */
 
-if (deliver_freeze)
+if (f.deliver_freeze)
   {
 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
   /* Moving to another directory removes the message from Exim's view. Other
@@ -5747,8 +5792,8 @@
 	  || auto_thaw <= 0
 	  || now <= deliver_frozen_at + auto_thaw
           )
-       && (  !forced || !deliver_force_thaw
-	  || !admin_user || continue_hostname
+       && (  !forced || !f.deliver_force_thaw
+	  || !f.admin_user || continue_hostname
        )  )
       {
       (void)close(deliver_datafile);
@@ -5762,7 +5807,7 @@
 
     if (forced)
       {
-      deliver_manual_thaw = TRUE;
+      f.deliver_manual_thaw = TRUE;
       log_write(0, LOG_MAIN, "Unfrozen by forced delivery");
       }
     else log_write(0, LOG_MAIN, "Unfrozen by auto-thaw");
@@ -5770,7 +5815,7 @@
 
   /* We get here if any of the rules for unfreezing have triggered. */
 
-  deliver_freeze = FALSE;
+  f.deliver_freeze = FALSE;
   update_spool = TRUE;
   }
 
@@ -5840,13 +5885,11 @@
     ugid.uid_set = ugid.gid_set = TRUE;
     }
   else
-    {
     ugid.uid_set = ugid.gid_set = FALSE;
-    }
 
   return_path = sender_address;
-  enable_dollar_recipients = TRUE;   /* Permit $recipients in system filter */
-  system_filtering = TRUE;
+  f.enable_dollar_recipients = TRUE;   /* Permit $recipients in system filter */
+  f.system_filtering = TRUE;
 
   /* Any error in the filter file causes a delivery to be abandoned. */
 
@@ -5894,8 +5937,8 @@
   /* Reset things. If the filter message is an empty string, which can happen
   for a filter "fail" or "freeze" command with no text, reset it to NULL. */
 
-  system_filtering = FALSE;
-  enable_dollar_recipients = FALSE;
+  f.system_filtering = FALSE;
+  f.enable_dollar_recipients = FALSE;
   if (filter_message && filter_message[0] == 0) filter_message = NULL;
 
   /* Save the values of the system filter variables so that user filters
@@ -5918,9 +5961,9 @@
   unset "delivered", which is forced by the "freeze" command to make -bF
   work properly. */
 
-  else if (rc == FF_FREEZE && !deliver_manual_thaw)
+  else if (rc == FF_FREEZE && !f.deliver_manual_thaw)
     {
-    deliver_freeze = TRUE;
+    f.deliver_freeze = TRUE;
     deliver_frozen_at = time(NULL);
     process_recipients = RECIP_DEFER;
     frozen_info = string_sprintf(" by the system filter%s%s",
@@ -6157,19 +6200,19 @@
         /* RECIP_DEFER is set when a system filter freezes a message. */
 
         case RECIP_DEFER:
-        new->next = addr_defer;
-        addr_defer = new;
-        break;
+	  new->next = addr_defer;
+	  addr_defer = new;
+	  break;
 
 
         /* RECIP_FAIL_FILTER is set when a system filter has obeyed a "fail"
         command. */
 
         case RECIP_FAIL_FILTER:
-        new->message =
-          filter_message ? filter_message : US"delivery cancelled";
-        setflag(new, af_pass_message);
-        goto RECIP_QUEUE_FAILED;   /* below */
+	  new->message =
+	    filter_message ? filter_message : US"delivery cancelled";
+	  setflag(new, af_pass_message);
+	  goto RECIP_QUEUE_FAILED;   /* below */
 
 
         /* RECIP_FAIL_TIMEOUT is set when a message is frozen, but is older
@@ -6179,15 +6222,15 @@
         been logged. */
 
         case RECIP_FAIL_TIMEOUT:
-        new->message  = US"delivery cancelled; message timed out";
-        goto RECIP_QUEUE_FAILED;   /* below */
+	  new->message  = US"delivery cancelled; message timed out";
+	  goto RECIP_QUEUE_FAILED;   /* below */
 
 
         /* RECIP_FAIL is set when -Mg has been used. */
 
         case RECIP_FAIL:
-        new->message  = US"delivery cancelled by administrator";
-        /* Fall through */
+	  new->message  = US"delivery cancelled by administrator";
+	  /* Fall through */
 
         /* Common code for the failure cases above. If this is not a bounce
         message, put the address on the failed list so that it is used to
@@ -6195,11 +6238,11 @@
         The incident has already been logged. */
 
         RECIP_QUEUE_FAILED:
-        if (sender_address[0] != 0)
-          {
-          new->next = addr_failed;
-          addr_failed = new;
-          }
+	  if (sender_address[0])
+	    {
+	    new->next = addr_failed;
+	    addr_failed = new;
+	    }
         break;
 
 
@@ -6208,17 +6251,17 @@
         is a bounce message, it will get frozen. */
 
         case RECIP_FAIL_LOOP:
-        new->message = US"Too many \"Received\" headers - suspected mail loop";
-        post_process_one(new, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
-        break;
+	  new->message = US"Too many \"Received\" headers - suspected mail loop";
+	  post_process_one(new, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+	  break;
 
 
         /* Value should be RECIP_ACCEPT; take this as the safe default. */
 
         default:
-        if (!addr_new) addr_new = new; else addr_last->next = new;
-        addr_last = new;
-        break;
+	  if (!addr_new) addr_new = new; else addr_last->next = new;
+	  addr_last = new;
+	  break;
         }
 
 #ifndef DISABLE_EVENT
@@ -6226,17 +6269,23 @@
 	{
 	uschar * save_local =  deliver_localpart;
 	const uschar * save_domain = deliver_domain;
+	uschar * addr = new->address, * errmsg = NULL;
+	int start, end, dom;
 
-	deliver_localpart = expand_string(
-		      string_sprintf("${local_part:%s}", new->address));
-	deliver_domain =    expand_string(
-		      string_sprintf("${domain:%s}", new->address));
+	if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
+	  log_write(0, LOG_MAIN|LOG_PANIC,
+                "failed to parse address '%.100s': %s\n", addr, errmsg);
+	else
+	  {
+	  deliver_localpart =
+	    string_copyn(addr+start, dom ? (dom-1) - start : end - start);
+	  deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
 
-	(void) event_raise(event_action,
-		      US"msg:fail:internal", new->message);
+	  event_raise(event_action, US"msg:fail:internal", new->message);
 
-	deliver_localpart = save_local;
-	deliver_domain =    save_domain;
+	  deliver_localpart = save_local;
+	  deliver_domain = save_domain;
+	  }
 	}
 #endif
       }
@@ -6295,7 +6344,7 @@
  . If new addresses have been generated by the routers, da capo.
 */
 
-header_rewritten = FALSE;          /* No headers rewritten yet */
+f.header_rewritten = FALSE;          /* No headers rewritten yet */
 while (addr_new)           /* Loop until all addresses dealt with */
   {
   address_item *addr, *parent;
@@ -6559,13 +6608,21 @@
       if (  domain_retry_record
          && now - domain_retry_record->time_stamp > retry_data_expire
 	 )
+	{
+	DEBUG(D_deliver|D_retry)
+	  debug_printf("domain retry record present but expired\n");
         domain_retry_record = NULL;    /* Ignore if too old */
+	}
 
       address_retry_record = dbfn_read(dbm_file, addr->address_retry_key);
       if (  address_retry_record
          && now - address_retry_record->time_stamp > retry_data_expire
 	 )
+	{
+	DEBUG(D_deliver|D_retry)
+	  debug_printf("address retry record present but expired\n");
         address_retry_record = NULL;   /* Ignore if too old */
+	}
 
       if (!address_retry_record)
         {
@@ -6574,7 +6631,11 @@
         address_retry_record = dbfn_read(dbm_file, altkey);
         if (  address_retry_record
 	   && now - address_retry_record->time_stamp > retry_data_expire)
+	  {
+	  DEBUG(D_deliver|D_retry)
+	    debug_printf("address<sender> retry record present but expired\n");
           address_retry_record = NULL;   /* Ignore if too old */
+	  }
         }
       }
     else
@@ -6583,9 +6644,18 @@
     DEBUG(D_deliver|D_retry)
       {
       if (!domain_retry_record)
-        debug_printf("no domain retry record\n");
+	debug_printf("no   domain  retry record\n");
+      else
+	debug_printf("have domain  retry record; next_try = now%+d\n",
+		      f.running_in_test_harness ? 0 :
+		      (int)(domain_retry_record->next_try - now));
+
       if (!address_retry_record)
-        debug_printf("no address retry record\n");
+	debug_printf("no   address retry record\n");
+      else
+	debug_printf("have address retry record; next_try = now%+d\n",
+		      f.running_in_test_harness ? 0 :
+		      (int)(address_retry_record->next_try - now));
       }
 
     /* If we are sending a message down an existing SMTP connection, we must
@@ -6607,6 +6677,9 @@
       addr->message = US"reusing SMTP connection skips previous routing defer";
       addr->basic_errno = ERRNO_RRETRY;
       (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+
+      addr->message = domain_retry_record->text;
+      setflag(addr, af_pass_message);
       }
 
     /* If we are in a queue run, defer routing unless there is no retry data or
@@ -6641,7 +6714,7 @@
     which keep the retry record fresh, which can lead to us perpetually
     deferring messages. */
 
-    else if (  (  queue_running && !deliver_force
+    else if (  (  f.queue_running && !f.deliver_force
 	       || continue_hostname
 	       )
             && (  (  domain_retry_record
@@ -6660,6 +6733,16 @@
       addr->message = US"retry time not reached";
       addr->basic_errno = ERRNO_RRETRY;
       (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+
+      /* For remote-retry errors (here and just above) that we've not yet
+      hit the rery time, use the error recorded in the retry database
+      as info in the warning message.  This lets us send a message even
+      when we're not failing on a fresh attempt.  We assume that this
+      info is not sensitive. */
+
+      addr->message = domain_retry_record
+	? domain_retry_record->text : address_retry_record->text;
+      setflag(addr, af_pass_message);
       }
 
     /* The domain is OK for routing. Remember if retry data exists so it
@@ -6685,7 +6768,7 @@
   those domains. During queue runs, queue_domains is forced to be unset.
   Optimize by skipping this pass through the addresses if nothing is set. */
 
-  if (!deliver_force && queue_domains)
+  if (!f.deliver_force && queue_domains)
     {
     address_item *okaddr = NULL;
     while (addr_route)
@@ -6979,18 +7062,18 @@
 there is only address to be delivered - if it succeeds the spool write need not
 happen. */
 
-if (  header_rewritten
+if (  f.header_rewritten
    && (  addr_local && (addr_local->next || addr_remote)
       || addr_remote && addr_remote->next
    )  )
   {
   /* Panic-dies on error */
   (void)spool_write_header(message_id, SW_DELIVERING, NULL);
-  header_rewritten = FALSE;
+  f.header_rewritten = FALSE;
   }
 
 
-/* If there are any deliveries to be and we do not already have the journal
+/* If there are any deliveries to do and we do not already have the journal
 file, create it. This is used to record successful deliveries as soon as
 possible after each delivery is known to be complete. A file opened with
 O_APPEND is used so that several processes can run simultaneously.
@@ -7066,13 +7149,13 @@
   DEBUG(D_deliver|D_transport)
     debug_printf(">>>>>>>>>>>>>>>> Local deliveries >>>>>>>>>>>>>>>>\n");
   do_local_deliveries();
-  disable_logging = FALSE;
+  f.disable_logging = FALSE;
   }
 
 /* If queue_run_local is set, we do not want to attempt any remote deliveries,
 so just queue them all. */
 
-if (queue_run_local)
+if (f.queue_run_local)
   while (addr_remote)
     {
     address_item *addr = addr_remote;
@@ -7124,7 +7207,7 @@
     if (remote_sort_domains) sort_remote_deliveries();
     do_remote_deliveries(TRUE);
     }
-  disable_logging = FALSE;
+  f.disable_logging = FALSE;
   }
 
 
@@ -7203,7 +7286,7 @@
 updating of the database if the -N flag is set, which is a debugging thing that
 prevents actual delivery. */
 
-else if (!dont_deliver)
+else if (!f.dont_deliver)
   retry_update(&addr_defer, &addr_failed, &addr_succeed);
 
 /* Send DSN for successful messages if requested */
@@ -7234,7 +7317,6 @@
   if (  (  addr_dsntmp->dsn_aware != dsn_support_yes
 	|| addr_dsntmp->dsn_flags & rf_dsnlasthop
         )
-     && addr_dsntmp->dsn_flags & rf_dsnflags
      && addr_dsntmp->dsn_flags & rf_notify_success
      )
     {
@@ -7268,7 +7350,7 @@
     }
   else  /* Creation of child succeeded */
     {
-    FILE *f = fdopen(fd, "wb");
+    FILE * f = fdopen(fd, "wb");
     /* header only as required by RFC. only failure DSN needs to honor RET=FULL */
     uschar * bound;
     transport_ctx tctx = {{0}};
@@ -7301,11 +7383,9 @@
 	 addr_dsntmp = addr_dsntmp->next)
       fprintf(f, "<%s> (relayed %s)\n\n",
 	addr_dsntmp->address,
-	(addr_dsntmp->dsn_flags & rf_dsnlasthop) == 1
-	  ? "via non DSN router"
-	  : addr_dsntmp->dsn_aware == dsn_support_no
-	  ? "to non-DSN-aware mailer"
-	  : "via non \"Remote SMTP\" router"
+	addr_dsntmp->dsn_flags & rf_dsnlasthop ? "via non DSN router"
+	: addr_dsntmp->dsn_aware == dsn_support_no ? "to non-DSN-aware mailer"
+	: "via non \"Remote SMTP\" router"
 	);
 
     fprintf(f, "--%s\n"
@@ -7340,7 +7420,7 @@
 	  addr_dsntmp->host_used->name);
       else
 	fprintf(f, "Diagnostic-Code: X-Exim; relayed via non %s router\n\n",
-	  (addr_dsntmp->dsn_flags & rf_dsnlasthop) == 1 ? "DSN" : "SMTP");
+	  addr_dsntmp->dsn_flags & rf_dsnlasthop ? "DSN" : "SMTP");
       }
 
     fprintf(f, "--%s\nContent-type: text/rfc822-headers\n\n", bound);
@@ -7351,8 +7431,10 @@
 
     /* Write the original email out */
 
-    tctx.u.fd = fileno(f);
+    tctx.u.fd = fd;
     tctx.options = topt_add_return_path | topt_no_body;
+    /*XXX hmm, retval ignored.
+    Could error for any number of reasons, and they are not handled. */
     transport_write_message(&tctx, 0);
     fflush(f);
 
@@ -7383,9 +7465,9 @@
   /* There are weird cases when logging is disabled in the transport. However,
   there may not be a transport (address failed by a router). */
 
-  disable_logging = FALSE;
+  f.disable_logging = FALSE;
   if (addr_failed->transport)
-    disable_logging = addr_failed->transport->disable_logging;
+    f.disable_logging = addr_failed->transport->disable_logging;
 
   DEBUG(D_deliver)
     debug_printf("processing failed address %s\n", addr_failed->address);
@@ -7421,14 +7503,16 @@
   mark the recipient done. */
 
   if (  addr_failed->prop.ignore_error
-     || (  addr_failed->dsn_flags & rf_dsnflags
-        && (addr_failed->dsn_flags & rf_notify_failure) != rf_notify_failure
-     )  )
+     || addr_failed->dsn_flags & (rf_dsnflags & ~rf_notify_failure)
+     )
     {
     addr = addr_failed;
     addr_failed = addr->next;
     if (addr->return_filename) Uunlink(addr->return_filename);
 
+#ifndef DISABLE_EVENT
+    msg_event_raise(US"msg:fail:delivery", addr);
+#endif
     log_write(0, LOG_MAIN, "%s%s%s%s: error ignored",
       addr->address,
       !addr->parent ? US"" : US" <",
@@ -7467,8 +7551,8 @@
       int filecount = 0;
       int rcount = 0;
       uschar *bcc, *emf_text;
-      FILE *f = fdopen(fd, "wb");
-      FILE *emf = NULL;
+      FILE * fp = fdopen(fd, "wb");
+      FILE * emf = NULL;
       BOOL to_sender = strcmpic(sender_address, bounce_recipient) == 0;
       int max = (bounce_return_size_limit/DELIVER_IN_BUFFER_SIZE + 1) *
         DELIVER_IN_BUFFER_SIZE;
@@ -7506,10 +7590,10 @@
         if (testflag(addr, af_hide_child)) continue;
         if (rcount >= 50)
           {
-          fprintf(f, "\n");
+          fprintf(fp, "\n");
           rcount = 0;
           }
-        fprintf(f, "%s%s",
+        fprintf(fp, "%s%s",
           rcount++ == 0
 	  ? "X-Failed-Recipients: "
 	  : ",\n  ",
@@ -7517,20 +7601,20 @@
 	  ? string_printing(addr->parent->address)
 	  : string_printing(addr->address));
         }
-      if (rcount > 0) fprintf(f, "\n");
+      if (rcount > 0) fprintf(fp, "\n");
 
       /* Output the standard headers */
 
       if (errors_reply_to)
-        fprintf(f, "Reply-To: %s\n", errors_reply_to);
-      fprintf(f, "Auto-Submitted: auto-replied\n");
-      moan_write_from(f);
-      fprintf(f, "To: %s\n", bounce_recipient);
+        fprintf(fp, "Reply-To: %s\n", errors_reply_to);
+      fprintf(fp, "Auto-Submitted: auto-replied\n");
+      moan_write_from(fp);
+      fprintf(fp, "To: %s\n", bounce_recipient);
 
       /* generate boundary string and output MIME-Headers */
       bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());
 
-      fprintf(f, "Content-Type: multipart/report;"
+      fprintf(fp, "Content-Type: multipart/report;"
 	    " report-type=delivery-status; boundary=%s\n"
 	  "MIME-Version: 1.0\n",
 	bound);
@@ -7546,46 +7630,46 @@
       /* Quietly copy to configured additional addresses if required. */
 
       if ((bcc = moan_check_errorcopy(bounce_recipient)))
-	fprintf(f, "Bcc: %s\n", bcc);
+	fprintf(fp, "Bcc: %s\n", bcc);
 
       /* The texts for the message can be read from a template file; if there
       isn't one, or if it is too short, built-in texts are used. The first
       emf text is a Subject: and any other headers. */
 
       if ((emf_text = next_emf(emf, US"header")))
-	fprintf(f, "%s\n", emf_text);
+	fprintf(fp, "%s\n", emf_text);
       else
-        fprintf(f, "Subject: Mail delivery failed%s\n\n",
+        fprintf(fp, "Subject: Mail delivery failed%s\n\n",
           to_sender? ": returning message to sender" : "");
 
       /* output human readable part as text/plain section */
-      fprintf(f, "--%s\n"
+      fprintf(fp, "--%s\n"
 	  "Content-type: text/plain; charset=us-ascii\n\n",
 	bound);
 
       if ((emf_text = next_emf(emf, US"intro")))
-	fprintf(f, "%s", CS emf_text);
+	fprintf(fp, "%s", CS emf_text);
       else
         {
-        fprintf(f,
+        fprintf(fp,
 /* This message has been reworded several times. It seems to be confusing to
 somebody, however it is worded. I have retreated to the original, simple
 wording. */
 "This message was created automatically by mail delivery software.\n");
 
         if (bounce_message_text)
-	  fprintf(f, "%s", CS bounce_message_text);
+	  fprintf(fp, "%s", CS bounce_message_text);
         if (to_sender)
-          fprintf(f,
+          fprintf(fp,
 "\nA message that you sent could not be delivered to one or more of its\n"
 "recipients. This is a permanent error. The following address(es) failed:\n");
         else
-          fprintf(f,
+          fprintf(fp,
 "\nA message sent by\n\n  <%s>\n\n"
 "could not be delivered to one or more of its recipients. The following\n"
 "address(es) failed:\n", sender_address);
         }
-      fputc('\n', f);
+      fputc('\n', fp);
 
       /* Process the addresses, leaving them on the msgchain if they have a
       file name for a return message. (There has already been a check in
@@ -7596,12 +7680,12 @@
       paddr = &msgchain;
       for (addr = msgchain; addr; addr = *paddr)
         {
-        if (print_address_information(addr, f, US"  ", US"\n    ", US""))
-          print_address_error(addr, f, US"");
+        if (print_address_information(addr, fp, US"  ", US"\n    ", US""))
+          print_address_error(addr, fp, US"");
 
         /* End the final line for the address */
 
-        fputc('\n', f);
+        fputc('\n', fp);
 
         /* Leave on msgchain if there's a return file. */
 
@@ -7622,7 +7706,7 @@
           }
         }
 
-      fputc('\n', f);
+      fputc('\n', fp);
 
       /* Get the next text, whether we need it or not, so as to be
       positioned for the one after. */
@@ -7641,9 +7725,9 @@
         address_item *nextaddr;
 
         if (emf_text)
-	  fprintf(f, "%s", CS emf_text);
+	  fprintf(fp, "%s", CS emf_text);
 	else
-          fprintf(f,
+          fprintf(fp,
             "The following text was generated during the delivery "
             "attempt%s:\n", (filecount > 1)? "s" : "");
 
@@ -7654,24 +7738,24 @@
 
           /* List all the addresses that relate to this file */
 
-	  fputc('\n', f);
+	  fputc('\n', fp);
           while(addr)                   /* Insurance */
             {
-            print_address_information(addr, f, US"------ ",  US"\n       ",
+            print_address_information(addr, fp, US"------ ",  US"\n       ",
               US" ------\n");
             if (addr->return_filename) break;
             addr = addr->next;
             }
-	  fputc('\n', f);
+	  fputc('\n', fp);
 
           /* Now copy the file */
 
           if (!(fm = Ufopen(addr->return_filename, "rb")))
-            fprintf(f, "    +++ Exim error... failed to open text file: %s\n",
+            fprintf(fp, "    +++ Exim error... failed to open text file: %s\n",
               strerror(errno));
           else
             {
-            while ((ch = fgetc(fm)) != EOF) fputc(ch, f);
+            while ((ch = fgetc(fm)) != EOF) fputc(ch, fp);
             (void)fclose(fm);
             }
           Uunlink(addr->return_filename);
@@ -7683,19 +7767,19 @@
           addr->next = handled_addr;
           handled_addr = topaddr;
           }
-	fputc('\n', f);
+	fputc('\n', fp);
         }
 
       /* output machine readable part */
 #ifdef SUPPORT_I18N
       if (message_smtputf8)
-	fprintf(f, "--%s\n"
+	fprintf(fp, "--%s\n"
 	    "Content-type: message/global-delivery-status\n\n"
 	    "Reporting-MTA: dns; %s\n",
 	  bound, smtp_active_hostname);
       else
 #endif
-	fprintf(f, "--%s\n"
+	fprintf(fp, "--%s\n"
 	    "Content-type: message/delivery-status\n\n"
 	    "Reporting-MTA: dns; %s\n",
 	  bound, smtp_active_hostname);
@@ -7705,40 +7789,42 @@
         /* must be decoded from xtext: see RFC 3461:6.3a */
         uschar *xdec_envid;
         if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
-          fprintf(f, "Original-Envelope-ID: %s\n", dsn_envid);
+          fprintf(fp, "Original-Envelope-ID: %s\n", dsn_envid);
         else
-          fprintf(f, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
+          fprintf(fp, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
         }
-      fputc('\n', f);
+      fputc('\n', fp);
 
       for (addr = handled_addr; addr; addr = addr->next)
         {
 	host_item * hu;
-        fprintf(f, "Action: failed\n"
+        fprintf(fp, "Action: failed\n"
 	    "Final-Recipient: rfc822;%s\n"
 	    "Status: 5.0.0\n",
 	    addr->address);
         if ((hu = addr->host_used) && hu->name)
 	  {
-	  const uschar * s;
-	  fprintf(f, "Remote-MTA: dns; %s\n", hu->name);
+	  fprintf(fp, "Remote-MTA: dns; %s\n", hu->name);
 #ifdef EXPERIMENTAL_DSN_INFO
+	  {
+	  const uschar * s;
 	  if (hu->address)
 	    {
 	    uschar * p = hu->port == 25
 	      ? US"" : string_sprintf(":%d", hu->port);
-	    fprintf(f, "Remote-MTA: X-ip; [%s]%s\n", hu->address, p);
+	    fprintf(fp, "Remote-MTA: X-ip; [%s]%s\n", hu->address, p);
 	    }
 	  if ((s = addr->smtp_greeting) && *s)
-	    fprintf(f, "X-Remote-MTA-smtp-greeting: X-str; %s\n", s);
+	    fprintf(fp, "X-Remote-MTA-smtp-greeting: X-str; %s\n", s);
 	  if ((s = addr->helo_response) && *s)
-	    fprintf(f, "X-Remote-MTA-helo-response: X-str; %s\n", s);
+	    fprintf(fp, "X-Remote-MTA-helo-response: X-str; %s\n", s);
 	  if ((s = addr->message) && *s)
-	    fprintf(f, "X-Exim-Diagnostic: X-str; %s\n", s);
+	    fprintf(fp, "X-Exim-Diagnostic: X-str; %s\n", s);
+	  }
 #endif
-	  print_dsn_diagnostic_code(addr, f);
+	  print_dsn_diagnostic_code(addr, fp);
 	  }
-	fputc('\n', f);
+	fputc('\n', fp);
         }
 
       /* Now copy the message, trying to give an intelligible comment if
@@ -7759,7 +7845,7 @@
          bounce_return_size_limit is always honored.
       */
 
-      fprintf(f, "--%s\n", bound);
+      fprintf(fp, "--%s\n", bound);
 
       dsnlimitmsg = US"X-Exim-DSN-Information: Due to administrative limits only headers are returned";
       dsnnotifyhdr = NULL;
@@ -7797,44 +7883,45 @@
       if (message_smtputf8)
 	fputs(topt & topt_no_body ? "Content-type: message/global-headers\n\n"
 				  : "Content-type: message/global\n\n",
-	      f);
+	      fp);
       else
 #endif
 	fputs(topt & topt_no_body ? "Content-type: text/rfc822-headers\n\n"
 				  : "Content-type: message/rfc822\n\n",
-	      f);
+	      fp);
 
-      fflush(f);
+      fflush(fp);
       transport_filter_argv = NULL;   /* Just in case */
       return_path = sender_address;   /* In case not previously set */
 	{			      /* Dummy transport for headers add */
 	transport_ctx tctx = {{0}};
 	transport_instance tb = {0};
 
-	tctx.u.fd = fileno(f);
+	tctx.u.fd = fileno(fp);
 	tctx.tblock = &tb;
 	tctx.options = topt;
 	tb.add_headers = dsnnotifyhdr;
 
+	/*XXX no checking for failure!  buggy! */
 	transport_write_message(&tctx, 0);
 	}
-      fflush(f);
+      fflush(fp);
 
       /* we never add the final text. close the file */
       if (emf)
         (void)fclose(emf);
 
-      fprintf(f, "\n--%s--\n", bound);
+      fprintf(fp, "\n--%s--\n", bound);
 
       /* Close the file, which should send an EOF to the child process
       that is receiving the message. Wait for it to finish. */
 
-      (void)fclose(f);
+      (void)fclose(fp);
       rc = child_close(pid, 0);     /* Waits for child to close, no timeout */
 
       /* In the test harness, let the child do it's thing first. */
 
-      if (running_in_test_harness) millisleep(500);
+      if (f.running_in_test_harness) millisleep(500);
 
       /* If the process failed, there was some disaster in setting up the
       error message. Unless the message is very old, ensure that addr_defer
@@ -7851,7 +7938,7 @@
         if (now - received_time.tv_sec < retry_maximum_timeout && !addr_defer)
           {
           addr_defer = (address_item *)(+1);
-          deliver_freeze = TRUE;
+          f.deliver_freeze = TRUE;
           deliver_frozen_at = time(NULL);
           /* Panic-dies on error */
           (void)spool_write_header(message_id, SW_DELIVERING, NULL);
@@ -7880,7 +7967,7 @@
     }
   }
 
-disable_logging = FALSE;  /* In case left set */
+f.disable_logging = FALSE;  /* In case left set */
 
 /* Come here from the mua_wrapper case if routing goes wrong */
 
@@ -7938,7 +8025,7 @@
     log_write(0, LOG_MAIN, "Completed");
 
   /* Unset deliver_freeze so that we won't try to move the spool files further down */
-  deliver_freeze = FALSE;
+  f.deliver_freeze = FALSE;
 
 #ifndef DISABLE_EVENT
   (void) event_raise(event_action, US"msg:complete", NULL);
@@ -7957,6 +8044,8 @@
 If all the deferred addresses have an error number that indicates "retry time
 not reached", skip sending the warning message, because it won't contain the
 reason for the delay. It will get sent at the next real delivery attempt.
+  Exception: for retries caused by a remote peer we use the error message
+  store in the retry DB as the reason.
 However, if at least one address has tried, we'd better include all of them in
 the message.
 
@@ -7976,7 +8065,7 @@
   {
   address_item *addr;
   uschar *recipients = US"";
-  BOOL delivery_attempted = FALSE;
+  BOOL want_warning_msg = FALSE;
 
   deliver_domain = testflag(addr_defer, af_pfr)
     ? addr_defer->parent->domain : addr_defer->domain;
@@ -7985,7 +8074,7 @@
     {
     address_item *otaddr;
 
-    if (addr->basic_errno > ERRNO_RETRY_BASE) delivery_attempted = TRUE;
+    if (addr->basic_errno > ERRNO_WARN_BASE) want_warning_msg = TRUE;
 
     if (deliver_domain)
       {
@@ -8056,10 +8145,10 @@
   is not sent. Another attempt will be made at the next delivery attempt (if
   it also defers). */
 
-  if (  !queue_2stage
-     && delivery_attempted
-     && (  ((addr_defer->dsn_flags & rf_dsnflags) == 0)
-        || (addr_defer->dsn_flags & rf_notify_delay) == rf_notify_delay
+  if (  !f.queue_2stage
+     && want_warning_msg
+     && (  !(addr_defer->dsn_flags & rf_dsnflags)
+        || addr_defer->dsn_flags & rf_notify_delay
 	)
      && delay_warning[1] > 0
      && sender_address[0] != 0
@@ -8078,7 +8167,7 @@
     time off the list. In queue runs, the list pointer gets updated in the
     calling process. */
 
-    if (running_in_test_harness && fudged_queue_times[0] != 0)
+    if (f.running_in_test_harness && fudged_queue_times[0] != 0)
       {
       int qt = readconf_readtime(fudged_queue_times, '/', FALSE);
       if (qt >= 0)
@@ -8108,7 +8197,7 @@
 
     DEBUG(D_deliver)
       {
-      debug_printf("time on queue = %s\n", readconf_printtime(queue_time));
+      debug_printf("time on queue = %s  id %s  addr %s\n", readconf_printtime(queue_time), message_id, addr_defer->address);
       debug_printf("warning counts: required %d done %d\n", count,
         warning_count);
       }
@@ -8282,6 +8371,7 @@
         return_path = sender_address;   /* In case not previously set */
 
         /* Write the original email out */
+	/*XXX no checking for failure!  buggy! */
         transport_write_message(&tctx, 0);
         fflush(f);
 
@@ -8309,9 +8399,9 @@
   /* If this was a first delivery attempt, unset the first time flag, and
   ensure that the spool gets updated. */
 
-  if (deliver_firsttime)
+  if (f.deliver_firsttime)
     {
-    deliver_firsttime = FALSE;
+    f.deliver_firsttime = FALSE;
     update_spool = TRUE;
     }
 
@@ -8322,9 +8412,9 @@
   For the "tell" message, we turn \n back into newline. Also, insert a newline
   near the start instead of the ": " string. */
 
-  if (deliver_freeze)
+  if (f.deliver_freeze)
     {
-    if (freeze_tell && freeze_tell[0] != 0 && !local_error_message)
+    if (freeze_tell && freeze_tell[0] != 0 && !f.local_error_message)
       {
       uschar *s = string_copy(frozen_info);
       uschar *ss = Ustrstr(s, " by the system filter: ");
@@ -8365,9 +8455,9 @@
 
   DEBUG(D_deliver)
     debug_printf("delivery deferred: update_spool=%d header_rewritten=%d\n",
-      update_spool, header_rewritten);
+      update_spool, f.header_rewritten);
 
-  if (update_spool || header_rewritten)
+  if (update_spool || f.header_rewritten)
     /* Panic-dies on error */
     (void)spool_write_header(message_id, SW_DELIVERING, NULL);
   }
@@ -8402,7 +8492,7 @@
   /* Move the message off the spool if requested */
 
 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
-  if (deliver_freeze && move_frozen_messages)
+  if (f.deliver_freeze && move_frozen_messages)
     (void)spool_move_message(id, message_subdir, US"", US"F");
 #endif
   }
@@ -8434,7 +8524,7 @@
 #ifdef EXIM_TFO_PROBE
 tfo_probe();
 #else
-tcp_fastopen_ok = TRUE;
+f.tcp_fastopen_ok = TRUE;
 #endif
 
 
@@ -8445,12 +8535,16 @@
   regex_must_compile(US"\\n250[\\s\\-]SIZE(\\s|\\n|$)", FALSE, TRUE);
 
 if (!regex_AUTH) regex_AUTH =
-  regex_must_compile(US"\\n250[\\s\\-]AUTH\\s+([\\-\\w\\s]+)(?:\\n|$)",
-    FALSE, TRUE);
+  regex_must_compile(AUTHS_REGEX, FALSE, TRUE);
 
 #ifdef SUPPORT_TLS
 if (!regex_STARTTLS) regex_STARTTLS =
   regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
+
+# ifdef EXPERIMENTAL_REQUIRETLS
+if (!regex_REQUIRETLS) regex_REQUIRETLS =
+  regex_must_compile(US"\\n250[\\s\\-]REQUIRETLS(\\s|\\n|$)", FALSE, TRUE);
+# endif
 #endif
 
 if (!regex_CHUNKING) regex_CHUNKING =
@@ -8471,6 +8565,11 @@
 
 if (!regex_IGNOREQUOTA) regex_IGNOREQUOTA =
   regex_must_compile(US"\\n250[\\s\\-]IGNOREQUOTA(\\s|\\n|$)", FALSE, TRUE);
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+if (!regex_EARLY_PIPE) regex_EARLY_PIPE =
+  regex_must_compile(US"\\n250[\\s\\-]" EARLY_PIPE_FEATURE_NAME "(\\s|\\n|$)", FALSE, TRUE);
+#endif
 }
 
 
@@ -8480,17 +8579,17 @@
 int rc;
 uschar * new_sender_address,
        * save_sender_address;
-BOOL save_qr = queue_running;
+BOOL save_qr = f.queue_running;
 uschar * spoolname;
 
 /* make spool_open_datafile non-noisy on fail */
 
-queue_running = TRUE;
+f.queue_running = TRUE;
 
 /* Side effect: message_subdir is set for the (possibly split) spool directory */
 
 deliver_datafile = spool_open_datafile(id);
-queue_running = save_qr;
+f.queue_running = save_qr;
 if (deliver_datafile < 0)
   return NULL;
 
@@ -8526,9 +8625,9 @@
 {
 uschar * where;
 
-if (cutthrough.fd >= 0 && cutthrough.callout_hold_only)
+if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
   {
-  int pfd[2], channel_fd = cutthrough.fd, pid;
+  int channel_fd = cutthrough.cctx.sock;
 
   smtp_peer_options = cutthrough.peer_options;
   continue_sequence = 0;
@@ -8536,6 +8635,8 @@
 #ifdef SUPPORT_TLS
   if (cutthrough.is_tls)
     {
+    int pfd[2], pid;
+
     smtp_peer_options |= OPTION_TLS;
     sending_ip_address = cutthrough.snd_ip;
     sending_port = cutthrough.snd_port;
@@ -8550,9 +8651,10 @@
 
     else if (pid == 0)		/* child: fork again to totally disconnect */
       {
-      if (running_in_test_harness) millisleep(100); /* let parent debug out */
+      if (f.running_in_test_harness) millisleep(100); /* let parent debug out */
       /* does not return */
-      smtp_proxy_tls(big_buffer, big_buffer_size, pfd, 5*60);
+      smtp_proxy_tls(cutthrough.cctx.tls_ctx, big_buffer, big_buffer_size,
+		      pfd, 5*60);
       }
 
     DEBUG(D_transport) debug_printf("proxy-proc inter-pid %d\n", pid);
@@ -8573,6 +8675,7 @@
   }
 return;		/* compiler quietening; control does not reach here. */
 
+#ifdef SUPPORT_TLS
 fail:
   log_write(0,
     LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
@@ -8582,6 +8685,7 @@
   Note: this must be _exit(), not exit(). */
 
   _exit(EX_EXECFAILED);
+#endif
 }
 
 /* vi: aw ai sw=2
diff -Nru exim4-4.91/src/dkim.c exim4-4.92~RC4/src/dkim.c
--- exim4-4.91/src/dkim.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/dkim.c	2018-12-27 13:36:19.000000000 +0000
@@ -30,10 +30,11 @@
 
 int dkim_verify_oldpool;
 pdkim_ctx *dkim_verify_ctx = NULL;
-pdkim_signature *dkim_signatures = NULL;
 pdkim_signature *dkim_cur_sig = NULL;
 static const uschar * dkim_collect_error = NULL;
 
+#define DKIM_MAX_SIGNATURES 20
+
 
 
 /*XXX the caller only uses the first record if we return multiple.
@@ -115,7 +116,7 @@
 /* Create new context */
 
 dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
-dkim_collect_input = !!dkim_verify_ctx;
+dkim_collect_input = dkim_verify_ctx ? DKIM_MAX_SIGNATURES : 0;
 dkim_collect_error = NULL;
 
 /* Start feed up with any cached data */
@@ -137,7 +138,7 @@
   dkim_collect_error = pdkim_errstr(rc);
   log_write(0, LOG_MAIN,
 	     "DKIM: validation error: %.100s", dkim_collect_error);
-  dkim_collect_input = FALSE;
+  dkim_collect_input = 0;
   }
 store_pool = dkim_verify_oldpool;
 }
@@ -191,19 +192,18 @@
 logmsg = string_append(logmsg, 2, "d=", s);
 if (!(s = sig->selector)) s = US"<UNSET>";
 logmsg = string_append(logmsg, 2, " s=", s);
-logmsg = string_append(logmsg, 7,
-  " c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
-  "/",   sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
-  " a=", dkim_sig_to_a_tag(sig),
-string_sprintf(" b=" SIZE_T_FMT,
-		(int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
+logmsg = string_fmt_append(logmsg, " c=%s/%s a=%s b=" SIZE_T_FMT,
+	  sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+	  sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+	  dkim_sig_to_a_tag(sig),
+	  (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : (size_t)0);
 if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
-if (sig->created > 0) logmsg = string_cat(logmsg,
-			      string_sprintf(" t=%lu", sig->created));
-if (sig->expires > 0) logmsg = string_cat(logmsg,
-			      string_sprintf(" x=%lu", sig->expires));
-if (sig->bodylength > -1) logmsg = string_cat(logmsg,
-			      string_sprintf(" l=%lu", sig->bodylength));
+if (sig->created > 0) logmsg = string_fmt_append(logmsg, " t=%lu",
+				    sig->created);
+if (sig->expires > 0) logmsg = string_fmt_append(logmsg, " x=%lu",
+				    sig->expires);
+if (sig->bodylength > -1) logmsg = string_fmt_append(logmsg, " l=%lu",
+				    sig->bodylength);
 
 if (sig->verify_status & PDKIM_VERIFY_POLICY)
   logmsg = string_append(logmsg, 5,
@@ -305,15 +305,16 @@
   log_write(0, LOG_MAIN,
       "DKIM: Error during validation, disabling signature verification: %.100s",
       dkim_collect_error);
-  dkim_disable_verify = TRUE;
+  f.dkim_disable_verify = TRUE;
   goto out;
   }
 
-dkim_collect_input = FALSE;
+dkim_collect_input = 0;
 
 /* Finish DKIM operation and fetch link to signatures chain */
 
-rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr);
+rc = pdkim_feed_finish(dkim_verify_ctx, (pdkim_signature **)&dkim_signatures,
+			&errstr);
 if (rc != PDKIM_OK && errstr)
   log_write(0, LOG_MAIN, "DKIM: validation error: %s", errstr);
 
@@ -379,7 +380,7 @@
 dkim_verify_reason = US"";
 dkim_cur_signer = id;
 
-if (dkim_disable_verify || !id || !dkim_verify_ctx)
+if (f.dkim_disable_verify || !id || !dkim_verify_ctx)
   return OK;
 
 /* Find signatures to run ACL on */
@@ -395,7 +396,7 @@
     them here. This is easy since a domain and selector is guaranteed
     to be in a signature. The other dkim_* expansion items are
     dynamically fetched from dkim_cur_sig at expansion time (see
-    function below). */
+    dkim_exim_expand_query() below). */
 
     dkim_cur_sig = sig;
     dkim_signing_domain = US sig->domain;
@@ -451,7 +452,7 @@
 uschar *
 dkim_exim_expand_query(int what)
 {
-if (!dkim_verify_ctx || dkim_disable_verify || !dkim_cur_sig)
+if (!dkim_verify_ctx || f.dkim_disable_verify || !dkim_cur_sig)
   return dkim_exim_expand_defaults(what);
 
 switch (what)
@@ -643,6 +644,8 @@
     uschar * dkim_private_key_expanded;
     uschar * dkim_hash_expanded;
     uschar * dkim_identity_expanded = NULL;
+    uschar * dkim_timestamps_expanded = NULL;
+    unsigned long tval = 0, xval = 0;
 
     /* Get canonicalization to use */
 
@@ -693,6 +696,13 @@
       else if (!*dkim_identity_expanded)
 	dkim_identity_expanded = NULL;
 
+    if (dkim->dkim_timestamps)
+      if (!(dkim_timestamps_expanded = expand_string(dkim->dkim_timestamps)))
+	{ errwhen = US"dkim_timestamps"; goto expand_bad; }
+      else
+	xval = (tval = (unsigned long) time(NULL))
+	      + strtoul(CCS dkim_timestamps_expanded, NULL, 10);
+
     if (!(sig = pdkim_init_sign(&dkim_sign_ctx, dkim_signing_domain,
 			  dkim_signing_selector,
 			  dkim_private_key_expanded,
@@ -706,7 +716,7 @@
 			CS dkim_sign_headers_expanded,
 			CS dkim_identity_expanded,
 			pdkim_canon,
-			pdkim_canon, -1, 0, 0);
+			pdkim_canon, -1, tval, xval);
 
     if (!pdkim_set_sig_bodyhash(&dkim_sign_ctx, sig))
       goto bad;
@@ -813,7 +823,7 @@
           g = string_cat(g, US"permerror (overlong public key record)\n\t\t"); break;
         case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
         case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
-          g = string_cat(g, US"neutral (syntax error in public key record)\n\t\t");
+          g = string_cat(g, US"neutral (public key record import problem)\n\t\t");
           break;
         case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
           g = string_cat(g, US"neutral (signature tag missing or invalid)\n\t\t");
diff -Nru exim4-4.91/src/dkim_transport.c exim4-4.92~RC4/src/dkim_transport.c
--- exim4-4.91/src/dkim_transport.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/dkim_transport.c	2018-12-27 13:36:19.000000000 +0000
@@ -56,7 +56,7 @@
    to the socket. However only if we don't use TLS,
    as then there's another layer of indirection
    before the data finally hits the socket. */
-if (tls_out.active != out_fd)
+if (tls_out.active.sock != out_fd)
   {
   ssize_t copied = 0;
 
@@ -84,8 +84,8 @@
     while (sread)
       {
 #ifdef SUPPORT_TLS
-      wwritten = tls_out.active == out_fd
-	? tls_write(FALSE, p, sread, FALSE)
+      wwritten = tls_out.active.sock == out_fd
+	? tls_write(tls_out.active.tls_ctx, p, sread, FALSE)
 	: write(out_fd, CS p, sread);
 #else
       wwritten = write(out_fd, CS p, sread);
@@ -124,12 +124,11 @@
 {
 int save_fd = tctx->u.fd;
 int save_options = tctx->options;
-BOOL save_wireformat = spool_file_wireformat;
+BOOL save_wireformat = f.spool_file_wireformat;
 uschar * hdrs;
 gstring * dkim_signature;
 int hsize;
 const uschar * errstr;
-uschar * verrstr;
 BOOL rc;
 
 DEBUG(D_transport) debug_printf("dkim signing direct-mode\n");
@@ -155,7 +154,10 @@
 arc_sign_init();
 #endif
 
-dkim->dot_stuffed = !!(save_options & topt_end_dot);
+/* The dotstuffed status of the datafile depends on whether it was stored
+in wireformat. */
+
+dkim->dot_stuffed = f.spool_file_wireformat;
 if (!(dkim_signature = dkim_exim_sign(deliver_datafile, SPOOL_DATA_START_OFFSET,
 				    hdrs, dkim, &errstr)))
   if (!(rc = dkt_sign_fail(dkim, &errno)))
@@ -166,12 +168,14 @@
 
 #ifdef EXPERIMENTAL_ARC
 if (dkim->arc_signspec)			/* Prepend ARC headers */
-  if (!(dkim_signature =
-	arc_sign(dkim->arc_signspec, dkim_signature, &verrstr)))
+  {
+  uschar * e;
+  if (!(dkim_signature = arc_sign(dkim->arc_signspec, dkim_signature, &e)))
     {
-    *err = verrstr;
+    *err = e;
     return FALSE;
     }
+  }
 #endif
 
 /* Write the signature and headers into the deliver-out-buffer.  This should
@@ -182,7 +186,7 @@
 temporarily set the marker for possible already-CRLF input. */
 
 tctx->options &= ~topt_escape_headers;
-spool_file_wireformat = TRUE;
+f.spool_file_wireformat = TRUE;
 transport_write_reset(0);
 if (  (  dkim_signature
       && dkim_signature->ptr > 0
@@ -192,7 +196,7 @@
    )
   return FALSE;
 
-spool_file_wireformat = save_wireformat;
+f.spool_file_wireformat = save_wireformat;
 tctx->options = save_options | topt_no_headers | topt_continuation;
 
 if (!(transport_write_message(tctx, 0)))
@@ -271,7 +275,9 @@
 arc_sign_init();
 #endif
 
-/* Feed the file to the goats^W DKIM lib */
+/* Feed the file to the goats^W DKIM lib.  At this point the dotstuffed
+status of the file depends on the output of transport_write_message() just
+above, which should be the result of the end_dot flag in tctx->options. */
 
 dkim->dot_stuffed = !!(options & topt_end_dot);
 if (!(dkim_signature = dkim_exim_sign(dkim_fd, 0, NULL, dkim, &errstr)))
diff -Nru exim4-4.91/src/dmarc.c exim4-4.92~RC4/src/dmarc.c
--- exim4-4.91/src/dmarc.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/dmarc.c	2018-12-27 13:36:19.000000000 +0000
@@ -28,7 +28,6 @@
 OPENDMARC_STATUS_T  da, sa, action;
 BOOL dmarc_abort  = FALSE;
 uschar *dmarc_pass_fail = US"skipped";
-extern pdkim_signature  *dkim_signatures;
 header_line *from_header   = NULL;
 extern SPF_response_t   *spf_response;
 int dmarc_spf_ares_result  = 0;
@@ -92,13 +91,13 @@
 dmarc_abort        = FALSE;
 dmarc_pass_fail    = US"skipped";
 dmarc_used_domain  = US"";
-dmarc_has_been_checked = FALSE;
+f.dmarc_has_been_checked = FALSE;
 header_from_sender = NULL;
 spf_sender_domain  = NULL;
 spf_human_readable = NULL;
 
 /* ACLs have "control=dmarc_disable_verify" */
-if (dmarc_disable_verify == TRUE)
+if (f.dmarc_disable_verify == TRUE)
   return OK;
 
 (void) memset(&dmarc_ctx, '\0', sizeof dmarc_ctx);
@@ -115,7 +114,7 @@
   DEBUG(D_receive) debug_printf("DMARC: no dmarc_tld_file\n");
   dmarc_abort = TRUE;
   }
-else if (opendmarc_tld_read_file(dmarc_tld_file, NULL, NULL, NULL))
+else if (opendmarc_tld_read_file(CS dmarc_tld_file, NULL, NULL, NULL))
   {
   log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list %s: %d",
 		       dmarc_tld_file, errno);
@@ -149,7 +148,7 @@
 dmarc_store_data(header_line *hdr)
 {
 /* No debug output because would change every test debug output */
-if (!dmarc_disable_verify)
+if (!f.dmarc_disable_verify)
   from_header = hdr;
 return OK;
 }
@@ -165,7 +164,7 @@
 FILE *message_file = NULL;
 
 /* Earlier ACL does not have *required* control=dmarc_enable_forensic */
-if (!dmarc_enable_forensic)
+if (!f.dmarc_enable_forensic)
   return;
 
 if (  dmarc_policy == DMARC_POLICY_REJECT     && action == DMARC_RESULT_REJECT
@@ -179,14 +178,11 @@
     eblock = add_to_eblock(eblock, US"Sender IP Address", sender_host_address);
     eblock = add_to_eblock(eblock, US"Received Date", tod_stamp(tod_full));
     eblock = add_to_eblock(eblock, US"SPF Alignment",
-			   (sa==DMARC_POLICY_SPF_ALIGNMENT_PASS) ?US"yes":US"no");
+		     sa == DMARC_POLICY_SPF_ALIGNMENT_PASS ? US"yes" : US"no");
     eblock = add_to_eblock(eblock, US"DKIM Alignment",
-			   (da==DMARC_POLICY_DKIM_ALIGNMENT_PASS)?US"yes":US"no");
+		     da == DMARC_POLICY_DKIM_ALIGNMENT_PASS ? US"yes" : US"no");
     eblock = add_to_eblock(eblock, US"DMARC Results", dmarc_status_text);
-    /* Set a sane default envelope sender */
-    dsn_from = dmarc_forensic_sender ? dmarc_forensic_sender :
-	       dsn_from ? dsn_from :
-	       string_sprintf("do-not-reply@%s",primary_hostname);
+
     for (c = 0; ruf[c]; c++)
       {
       recipient = string_copylc(ruf[c]);
@@ -196,16 +192,12 @@
       recipient += 7;
       DEBUG(D_receive)
 	debug_printf("DMARC forensic report to %s%s\n", recipient,
-	     (host_checking || running_in_test_harness) ? " (not really)" : "");
-      if (host_checking || running_in_test_harness)
+	     (host_checking || f.running_in_test_harness) ? " (not really)" : "");
+      if (host_checking || f.running_in_test_harness)
 	continue;
 
-      save_sender = sender_address;
-      sender_address = recipient;
-      send_status = moan_to_sender(ERRMESS_DMARC_FORENSIC, eblock,
-				   header_list, message_file, FALSE);
-      sender_address = save_sender;
-      if (!send_status)
+      if (!moan_send_message(recipient, ERRMESS_DMARC_FORENSIC, eblock,
+			    header_list, message_file, NULL))
 	log_write(0, LOG_MAIN|LOG_PANIC,
 	  "failure to send DMARC forensic report to %s", recipient);
       }
@@ -222,12 +214,12 @@
 int sr, origin;             /* used in SPF section */
 int dmarc_spf_result  = 0;  /* stores spf into dmarc conn ctx */
 int tmp_ans, c;
-pdkim_signature *sig  = NULL;
+pdkim_signature * sig = dkim_signatures;
 BOOL has_dmarc_record = TRUE;
 u_char **ruf; /* forensic report addressees, if called for */
 
 /* ACLs have "control=dmarc_disable_verify" */
-if (dmarc_disable_verify)
+if (f.dmarc_disable_verify)
   return OK;
 
 /* Store the header From: sender domain for this part of DMARC.
@@ -243,27 +235,27 @@
   }
 else if (!dmarc_abort)
   {
-    uschar * errormsg;
-    int dummy, domain;
-    uschar * p;
-    uschar saveend;
-
-    parse_allow_group = TRUE;
-    p = parse_find_address_end(from_header->text, FALSE);
-    saveend = *p; *p = '\0';
-    if ((header_from_sender = parse_extract_address(from_header->text, &errormsg,
-                                &dummy, &dummy, &domain, FALSE)))
-      header_from_sender += domain;
-    *p = saveend;
-
-    /* The opendmarc library extracts the domain from the email address, but
-     * only try to store it if it's not empty.  Otherwise, skip out of DMARC. */
-    if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0))
-      dmarc_abort = TRUE;
-    libdm_status = dmarc_abort ?
-      DMARC_PARSE_OKAY :
-      opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender);
-    if (libdm_status != DMARC_PARSE_OKAY)
+  uschar * errormsg;
+  int dummy, domain;
+  uschar * p;
+  uschar saveend;
+
+  f.parse_allow_group = TRUE;
+  p = parse_find_address_end(from_header->text, FALSE);
+  saveend = *p; *p = '\0';
+  if ((header_from_sender = parse_extract_address(from_header->text, &errormsg,
+			      &dummy, &dummy, &domain, FALSE)))
+    header_from_sender += domain;
+  *p = saveend;
+
+  /* The opendmarc library extracts the domain from the email address, but
+   * only try to store it if it's not empty.  Otherwise, skip out of DMARC. */
+  if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0))
+    dmarc_abort = TRUE;
+  libdm_status = dmarc_abort
+    ? DMARC_PARSE_OKAY
+    : opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender);
+  if (libdm_status != DMARC_PARSE_OKAY)
     {
     log_write(0, LOG_MAIN|LOG_PANIC,
 	      "failure to store header From: in DMARC: %s, header was '%s'",
@@ -276,6 +268,8 @@
  * instead do this in the ACLs.  */
 if (!dmarc_abort && !sender_host_authenticated)
   {
+  uschar * dmarc_domain;
+
   /* Use the envelope sender domain for this part of DMARC */
   spf_sender_domain = expand_string(US"$sender_address_domain");
   if (!spf_response)
@@ -330,11 +324,11 @@
 
   /* Now we cycle through the dkim signature results and put into
    * the opendmarc context, further building the DMARC reply.  */
-  sig = dkim_signatures;
   dkim_history_buffer = US"";
   while (sig)
     {
     int dkim_result, dkim_ares_result, vs, ves;
+
     vs  = sig->verify_status & ~PDKIM_VERIFY_POLICY;
     ves = sig->verify_ext_status;
     dkim_result = vs == PDKIM_VERIFY_PASS ? DMARC_POLICY_DKIM_OUTCOME_PASS :
@@ -403,9 +397,9 @@
       }
 
   /* Can't use exim's string manipulation functions so allocate memory
-   * for libopendmarc using its max hostname length definition. */
+  for libopendmarc using its max hostname length definition. */
 
-  uschar *dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar));
+  dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar));
   libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx,
     dmarc_domain, DMARC_MAXHOSTNAMELEN-1);
   dmarc_used_domain = string_copy(dmarc_domain);
@@ -416,8 +410,7 @@
       "failure to read domainname used for DMARC lookup: %s",
       opendmarc_policy_status_to_str(libdm_status));
 
-  libdm_status = opendmarc_get_policy_to_enforce(dmarc_pctx);
-  dmarc_policy = libdm_status;
+  dmarc_policy = libdm_status = opendmarc_get_policy_to_enforce(dmarc_pctx);
   switch(libdm_status)
     {
     case DMARC_POLICY_ABSENT:     /* No DMARC record found */
@@ -487,7 +480,7 @@
 /* shut down libopendmarc */
 if (dmarc_pctx)
   (void) opendmarc_policy_connect_shutdown(dmarc_pctx);
-if (!dmarc_disable_verify)
+if (!f.dmarc_disable_verify)
   (void) opendmarc_policy_library_shutdown(&dmarc_ctx);
 
 return OK;
@@ -558,8 +551,8 @@
 /* Write the contents to the history file */
 DEBUG(D_receive)
   debug_printf("DMARC logging history data for opendmarc reporting%s\n",
-	     (host_checking || running_in_test_harness) ? " (not really)" : "");
-if (host_checking || running_in_test_harness)
+	     (host_checking || f.running_in_test_harness) ? " (not really)" : "");
+if (host_checking || f.running_in_test_harness)
   {
   DEBUG(D_receive)
     debug_printf("DMARC history data for debugging:\n%s", history_buffer);
@@ -584,7 +577,7 @@
 uschar *
 dmarc_exim_expand_query(int what)
 {
-if (dmarc_disable_verify || !dmarc_pctx)
+if (f.dmarc_disable_verify || !dmarc_pctx)
   return dmarc_exim_expand_defaults(what);
 
 if (what == DMARC_VERIFY_STATUS)
@@ -596,7 +589,7 @@
 dmarc_exim_expand_defaults(int what)
 {
 if (what == DMARC_VERIFY_STATUS)
-  return dmarc_disable_verify ?  US"off" : US"none";
+  return f.dmarc_disable_verify ?  US"off" : US"none";
 return US"";
 }
 
@@ -604,7 +597,7 @@
 gstring *
 authres_dmarc(gstring * g)
 {
-if (dmarc_has_been_checked)
+if (f.dmarc_has_been_checked)
   {
   g = string_append(g, 2, US";\n\tdmarc=", dmarc_pass_fail);
   if (header_from_sender)
diff -Nru exim4-4.91/src/dns.c exim4-4.92~RC4/src/dns.c
--- exim4-4.91/src/dns.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/dns.c	2018-12-27 13:36:19.000000000 +0000
@@ -639,6 +639,10 @@
 providing a list of domains for which this is treated as a non-existent
 host.
 
+The dns_answer structure is pretty big; enough to hold a max-sized DNS message
+- so best allocated from fast-release memory.  As of writing, all our callers
+use a stack-auto variable.
+
 Arguments:
   dnsa      pointer to dns_answer structure
   name      name to look up
@@ -674,10 +678,10 @@
   {
   DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: using cached value %s\n",
     name, dns_text_type(type),
-      (previous->data.val == DNS_NOMATCH)? "DNS_NOMATCH" :
-      (previous->data.val == DNS_NODATA)? "DNS_NODATA" :
-      (previous->data.val == DNS_AGAIN)? "DNS_AGAIN" :
-      (previous->data.val == DNS_FAIL)? "DNS_FAIL" : "??");
+      previous->data.val == DNS_NOMATCH ? "DNS_NOMATCH" :
+      previous->data.val == DNS_NODATA ? "DNS_NODATA" :
+      previous->data.val == DNS_AGAIN ? "DNS_AGAIN" :
+      previous->data.val == DNS_FAIL ? "DNS_FAIL" : "??");
   return previous->data.val;
   }
 
@@ -693,7 +697,7 @@
     DEBUG(D_dns)
       debug_printf("DNS name '%s' utf8 conversion to alabel failed: %s\n", name,
         errstr);
-    host_find_failed_syntax = TRUE;
+    f.host_find_failed_syntax = TRUE;
     return DNS_NOMATCH;
     }
   name = alabel;
@@ -738,7 +742,7 @@
     DEBUG(D_dns)
       debug_printf("DNS name syntax check failed: %s (%s)\n", name,
         dns_text_type(type));
-    host_find_failed_syntax = TRUE;
+    f.host_find_failed_syntax = TRUE;
     return DNS_NOMATCH;
     }
   }
@@ -761,7 +765,7 @@
 (res_search), we call fakens_search(), which recognizes certain special
 domains, and interfaces to a fake nameserver for certain special zones. */
 
-dnsa->answerlen = running_in_test_harness
+dnsa->answerlen = f.running_in_test_harness
   ? fakens_search(name, type, dnsa->answer, sizeof(dnsa->answer))
   : res_search(CCS name, C_IN, type, dnsa->answer, sizeof(dnsa->answer));
 
@@ -836,6 +840,8 @@
 /* Look up the given domain name, using the given type. Follow CNAMEs if
 necessary, but only so many times. There aren't supposed to be CNAME chains in
 the DNS, but you are supposed to cope with them if you find them.
+By default, follow one CNAME since a resolver has been seen, faced with
+an MX request and a CNAME (to an A) but no MX present, returning the CNAME.
 
 The assumption is made that if the resolver gives back records of the
 requested type *and* a CNAME, we don't need to make another call to look up
@@ -871,14 +877,19 @@
 const uschar *orig_name = name;
 BOOL secure_so_far = TRUE;
 
-/* Loop to follow CNAME chains so far, but no further... */
+/* By default, assume the resolver follows CNAME chains (and returns NODATA for
+an unterminated one). If it also does that for a CNAME loop, fine; if it returns
+a CNAME (maybe the last?) whine about it.  However, retain the coding for dumb
+resolvers hiding behind a config variable. Loop to follow CNAME chains so far,
+but no further...  The testsuite tests the latter case, mostly assuming that the
+former will work. */
 
-for (i = 0; i < 10; i++)
+for (i = 0; i <= dns_cname_loops; i++)
   {
   uschar * data;
   dns_record *rr, cname_rr, type_rr;
   dns_scan dnss;
-  int datalen, rc;
+  int rc;
 
   /* DNS lookup failures get passed straight back. */
 
@@ -940,8 +951,8 @@
     return DNS_FAIL;
 
   data = store_get(256);
-  if ((datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
-    cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256)) < 0)
+  if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+      cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256) < 0)
     return DNS_FAIL;
   name = data;
 
@@ -1094,7 +1105,7 @@
 	  && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
 	  && ntohs(h->qdcount) == 1 && ntohs(h->ancount) == 0
 	  && ntohs(h->nscount) >= 1)
-	    dnsa->answerlen = MAXPACKET;
+	    dnsa->answerlen = sizeof(dnsa->answer);
 
       for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
 	   rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
diff -Nru exim4-4.91/src/dummies.c exim4-4.92~RC4/src/dummies.c
--- exim4-4.91/src/dummies.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/dummies.c	2018-12-27 13:36:19.000000000 +0000
@@ -20,7 +20,7 @@
 /* We don't have the full Exim headers dragged in, but this function
 is used for debugging output. */
 
-extern int  string_vformat(char *, int, char *, va_list);
+extern gstring * string_vformat(gstring *, BOOL, const char *, va_list);
 
 
 /*************************************************
@@ -69,22 +69,24 @@
 debug_printf(char *format, ...)
 {
 va_list ap;
-char buffer[1024];
+gstring * g = string_get(1024);
+void * reset_point = g;
 
 va_start(ap, format);
 
-if (!string_vformat(buffer, sizeof(buffer), format, ap))
+if (!string_vformat(g, FALSE, format, ap))
   {
-  char *s = "**** debug string overflowed buffer ****\n";
-  char *p = buffer + (int)strlen(buffer);
-  int maxlen = sizeof(buffer) - (int)strlen(s) - 3;
-  if (p > buffer + maxlen) p = buffer + maxlen;
-  if (p > buffer && p[-1] != '\n') *p++ = '\n';
+  char * s = "**** debug string overflowed buffer ****\n";
+  char * p = CS g->s + g->ptr;
+  int maxlen = g->size - (int)strlen(s) - 3;
+  if (p > g->s + maxlen) p = g->s + maxlen;
+  if (p > g->s && p[-1] != '\n') *p++ = '\n';
   strcpy(p, s);
   }
 
-fprintf(stderr, "%s", buffer);
+fprintf(stderr, "%s", string_from_gstring(g));
 fflush(stderr);
+store_reset(reset_point);
 va_end(ap);
 }
 
@@ -100,7 +102,7 @@
 sigalrm_handler(int sig)
 {
 sig = sig;            /* Keep picky compilers happy */
-sigalrm_seen = 1;
+sigalrm_seen = TRUE;
 }
 
 
diff -Nru exim4-4.91/src/EDITME exim4-4.92~RC4/src/EDITME
--- exim4-4.91/src/EDITME	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/EDITME	2018-12-27 13:36:19.000000000 +0000
@@ -511,6 +511,11 @@
 # Uncomment the following line to add queuefile transport support
 # EXPERIMENTAL_QUEUEFILE=yes
 
+# Uncomment the following to add REQUIRETLS support.
+# You must also have SUPPORT_TLS enabled.
+# Ref: https://datatracker.ietf.org/doc/draft-fenton-smtp-require-tls
+# EXPERIMENTAL_REQUIRETLS=yes
+
 ###############################################################################
 #                 THESE ARE THINGS YOU MIGHT WANT TO SPECIFY                  #
 ###############################################################################
diff -Nru exim4-4.91/src/exim.c exim4-4.92~RC4/src/exim.c
--- exim4-4.91/src/exim.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/exim.c	2018-12-27 13:36:19.000000000 +0000
@@ -140,14 +140,14 @@
 int ovector[3*(EXPAND_MAXN+1)];
 uschar * s = string_copy(subject);	/* de-constifying */
 int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
-  PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
+  PCRE_EOPT | options, ovector, nelem(ovector));
 BOOL yield = n >= 0;
 if (n == 0) n = EXPAND_MAXN + 1;
 if (yield)
   {
   int nn;
-  expand_nmax = (setup < 0)? 0 : setup + 1;
-  for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
+  expand_nmax = setup < 0 ? 0 : setup + 1;
+  for (nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
     {
     expand_nstring[expand_nmax] = s + ovector[nn];
     expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
@@ -174,15 +174,22 @@
 void
 set_process_info(const char *format, ...)
 {
-int len = sprintf(CS process_info, "%5d ", (int)getpid());
+gstring gs = { .size = PROCESS_INFO_SIZE - 2, .ptr = 0, .s = process_info };
+gstring * g;
+int len;
 va_list ap;
+
+g = string_fmt_append(&gs, "%5d ", (int)getpid());
+len = g->ptr;
 va_start(ap, format);
-if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len - 2, format, ap))
-  Ustrcpy(process_info + len, "**** string overflowed buffer ****");
-len = Ustrlen(process_info);
-process_info[len+0] = '\n';
-process_info[len+1] = '\0';
-process_info_len = len + 1;
+if (!string_vformat(g, FALSE, format, ap))
+  {
+  gs.ptr = len;
+  g = string_cat(&gs, US"**** string overflowed buffer ****");
+  }
+g = string_catn(g, US"\n", 1);
+string_from_gstring(g);
+process_info_len = g->ptr;
 DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
 va_end(ap);
 }
@@ -420,7 +427,7 @@
 
   DEBUG(D_transport|D_receive)
     {
-    if (!running_in_test_harness)
+    if (!f.running_in_test_harness)
       {
       debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
         then_tv->tv_sec, (long) then_tv->tv_usec,
@@ -550,9 +557,9 @@
 {
 if (smtp_input)
   {
-  #ifdef SUPPORT_TLS
-  tls_close(TRUE, TLS_NO_SHUTDOWN);      /* Shut down the TLS library */
-  #endif
+#ifdef SUPPORT_TLS
+  tls_close(NULL, TLS_NO_SHUTDOWN);      /* Shut down the TLS library */
+#endif
   (void)close(fileno(smtp_in));
   (void)close(fileno(smtp_out));
   smtp_in = NULL;
@@ -563,7 +570,7 @@
   if ((debug_selector & D_resolver) == 0) (void)close(1);  /* stdout */
   if (debug_selector == 0)                                 /* stderr */
     {
-    if (!synchronous_delivery)
+    if (!f.synchronous_delivery)
       {
       (void)close(2);
       log_stderr = NULL;
@@ -609,21 +616,18 @@
   if (igflag)
     {
     struct passwd *pw = getpwuid(uid);
-    if (pw != NULL)
-      {
-      if (initgroups(pw->pw_name, gid) != 0)
-        log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
-          (long int)uid, strerror(errno));
-      }
-    else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
-      "no passwd entry for uid=%ld", (long int)uid);
+    if (!pw)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
+	"no passwd entry for uid=%ld", (long int)uid);
+
+    if (initgroups(pw->pw_name, gid) != 0)
+      log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
+	(long int)uid, strerror(errno));
     }
 
   if (setgid(gid) < 0 || setuid(uid) < 0)
-    {
     log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
       "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
-    }
   }
 
 /* Debugging output included uid/gid and all groups */
@@ -631,10 +635,10 @@
 DEBUG(D_uid)
   {
   int group_count, save_errno;
-  gid_t group_list[NGROUPS_MAX];
+  gid_t group_list[EXIM_GROUPLIST_SIZE];
   debug_printf("changed uid/gid: %s\n  uid=%ld gid=%ld pid=%ld\n", msg,
     (long int)geteuid(), (long int)getegid(), (long int)getpid());
-  group_count = getgroups(NGROUPS_MAX, group_list);
+  group_count = getgroups(nelem(group_list), group_list);
   save_errno = errno;
   debug_printf("  auxiliary group list:");
   if (group_count > 0)
@@ -678,6 +682,17 @@
 
 
 
+/* Print error string, then die */
+static void
+exim_fail(const char * fmt, ...)
+{
+va_list ap;
+va_start(ap, fmt);
+vfprintf(stderr, fmt, ap);
+exit(EXIT_FAILURE);
+}
+
+
 
 /*************************************************
 *         Extract port from host address         *
@@ -699,10 +714,7 @@
 {
 int port = host_address_extract_port(address);
 if (string_is_ip_address(address, NULL) == 0)
-  {
-  fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
-  exit(EXIT_FAILURE);
-  }
+  exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
 return port;
 }
 
@@ -793,190 +805,196 @@
 */
 
 static void
-show_whats_supported(FILE * f)
+show_whats_supported(FILE * fp)
 {
 auth_info * authi;
 
-DEBUG(D_any) {} else show_db_version(f);
+DEBUG(D_any) {} else show_db_version(fp);
 
-fprintf(f, "Support for:");
+fprintf(fp, "Support for:");
 #ifdef SUPPORT_CRYPTEQ
-  fprintf(f, " crypteq");
+  fprintf(fp, " crypteq");
 #endif
 #if HAVE_ICONV
-  fprintf(f, " iconv()");
+  fprintf(fp, " iconv()");
 #endif
 #if HAVE_IPV6
-  fprintf(f, " IPv6");
+  fprintf(fp, " IPv6");
 #endif
 #ifdef HAVE_SETCLASSRESOURCES
-  fprintf(f, " use_setclassresources");
+  fprintf(fp, " use_setclassresources");
 #endif
 #ifdef SUPPORT_PAM
-  fprintf(f, " PAM");
+  fprintf(fp, " PAM");
 #endif
 #ifdef EXIM_PERL
-  fprintf(f, " Perl");
+  fprintf(fp, " Perl");
 #endif
 #ifdef EXPAND_DLFUNC
-  fprintf(f, " Expand_dlfunc");
+  fprintf(fp, " Expand_dlfunc");
 #endif
 #ifdef USE_TCP_WRAPPERS
-  fprintf(f, " TCPwrappers");
+  fprintf(fp, " TCPwrappers");
 #endif
 #ifdef SUPPORT_TLS
 # ifdef USE_GNUTLS
-  fprintf(f, " GnuTLS");
+  fprintf(fp, " GnuTLS");
 # else
-  fprintf(f, " OpenSSL");
+  fprintf(fp, " OpenSSL");
 # endif
 #endif
 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
-  fprintf(f, " translate_ip_address");
+  fprintf(fp, " translate_ip_address");
 #endif
 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
-  fprintf(f, " move_frozen_messages");
+  fprintf(fp, " move_frozen_messages");
 #endif
 #ifdef WITH_CONTENT_SCAN
-  fprintf(f, " Content_Scanning");
+  fprintf(fp, " Content_Scanning");
 #endif
 #ifdef SUPPORT_DANE
-  fprintf(f, " DANE");
+  fprintf(fp, " DANE");
 #endif
 #ifndef DISABLE_DKIM
-  fprintf(f, " DKIM");
+  fprintf(fp, " DKIM");
 #endif
 #ifndef DISABLE_DNSSEC
-  fprintf(f, " DNSSEC");
+  fprintf(fp, " DNSSEC");
 #endif
 #ifndef DISABLE_EVENT
-  fprintf(f, " Event");
+  fprintf(fp, " Event");
 #endif
 #ifdef SUPPORT_I18N
-  fprintf(f, " I18N");
+  fprintf(fp, " I18N");
 #endif
 #ifndef DISABLE_OCSP
-  fprintf(f, " OCSP");
+  fprintf(fp, " OCSP");
 #endif
 #ifndef DISABLE_PRDR
-  fprintf(f, " PRDR");
+  fprintf(fp, " PRDR");
 #endif
 #ifdef SUPPORT_PROXY
-  fprintf(f, " PROXY");
+  fprintf(fp, " PROXY");
 #endif
 #ifdef SUPPORT_SOCKS
-  fprintf(f, " SOCKS");
+  fprintf(fp, " SOCKS");
 #endif
 #ifdef SUPPORT_SPF
-  fprintf(f, " SPF");
+  fprintf(fp, " SPF");
 #endif
 #ifdef TCP_FASTOPEN
   deliver_init();
-  if (tcp_fastopen_ok) fprintf(f, " TCP_Fast_Open");
+  if (f.tcp_fastopen_ok) fprintf(fp, " TCP_Fast_Open");
 #endif
 #ifdef EXPERIMENTAL_LMDB
-  fprintf(f, " Experimental_LMDB");
+  fprintf(fp, " Experimental_LMDB");
 #endif
 #ifdef EXPERIMENTAL_QUEUEFILE
-  fprintf(f, " Experimental_QUEUEFILE");
+  fprintf(fp, " Experimental_QUEUEFILE");
 #endif
 #ifdef EXPERIMENTAL_SRS
-  fprintf(f, " Experimental_SRS");
+  fprintf(fp, " Experimental_SRS");
 #endif
 #ifdef EXPERIMENTAL_ARC
-  fprintf(f, " Experimental_ARC");
+  fprintf(fp, " Experimental_ARC");
 #endif
 #ifdef EXPERIMENTAL_BRIGHTMAIL
-  fprintf(f, " Experimental_Brightmail");
+  fprintf(fp, " Experimental_Brightmail");
 #endif
 #ifdef EXPERIMENTAL_DCC
-  fprintf(f, " Experimental_DCC");
+  fprintf(fp, " Experimental_DCC");
 #endif
 #ifdef EXPERIMENTAL_DMARC
-  fprintf(f, " Experimental_DMARC");
+  fprintf(fp, " Experimental_DMARC");
 #endif
 #ifdef EXPERIMENTAL_DSN_INFO
-  fprintf(f, " Experimental_DSN_info");
+  fprintf(fp, " Experimental_DSN_info");
+#endif
+#ifdef EXPERIMENTAL_REQUIRETLS
+  fprintf(fp, " Experimental_REQUIRETLS");
 #endif
-fprintf(f, "\n");
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  fprintf(fp, " Experimental_PIPE_CONNECT");
+#endif
+fprintf(fp, "\n");
 
-fprintf(f, "Lookups (built-in):");
+fprintf(fp, "Lookups (built-in):");
 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
-  fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
+  fprintf(fp, " lsearch wildlsearch nwildlsearch iplsearch");
 #endif
 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
-  fprintf(f, " cdb");
+  fprintf(fp, " cdb");
 #endif
 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
-  fprintf(f, " dbm dbmjz dbmnz");
+  fprintf(fp, " dbm dbmjz dbmnz");
 #endif
 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
-  fprintf(f, " dnsdb");
+  fprintf(fp, " dnsdb");
 #endif
 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
-  fprintf(f, " dsearch");
+  fprintf(fp, " dsearch");
 #endif
 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
-  fprintf(f, " ibase");
+  fprintf(fp, " ibase");
 #endif
 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
-  fprintf(f, " ldap ldapdn ldapm");
+  fprintf(fp, " ldap ldapdn ldapm");
 #endif
 #ifdef EXPERIMENTAL_LMDB
-  fprintf(f, " lmdb");
+  fprintf(fp, " lmdb");
 #endif
 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
-  fprintf(f, " mysql");
+  fprintf(fp, " mysql");
 #endif
 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
-  fprintf(f, " nis nis0");
+  fprintf(fp, " nis nis0");
 #endif
 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
-  fprintf(f, " nisplus");
+  fprintf(fp, " nisplus");
 #endif
 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
-  fprintf(f, " oracle");
+  fprintf(fp, " oracle");
 #endif
 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
-  fprintf(f, " passwd");
+  fprintf(fp, " passwd");
 #endif
 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
-  fprintf(f, " pgsql");
+  fprintf(fp, " pgsql");
 #endif
 #if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
-  fprintf(f, " redis");
+  fprintf(fp, " redis");
 #endif
 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
-  fprintf(f, " sqlite");
+  fprintf(fp, " sqlite");
 #endif
 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
-  fprintf(f, " testdb");
+  fprintf(fp, " testdb");
 #endif
 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
-  fprintf(f, " whoson");
+  fprintf(fp, " whoson");
 #endif
-fprintf(f, "\n");
+fprintf(fp, "\n");
 
-auth_show_supported(f);
-route_show_supported(f);
-transport_show_supported(f);
+auth_show_supported(fp);
+route_show_supported(fp);
+transport_show_supported(fp);
 
 #ifdef WITH_CONTENT_SCAN
-malware_show_supported(f);
+malware_show_supported(fp);
 #endif
 
 if (fixed_never_users[0] > 0)
   {
   int i;
-  fprintf(f, "Fixed never_users: ");
+  fprintf(fp, "Fixed never_users: ");
   for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
-    fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
-  fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
+    fprintf(fp, "%d:", (unsigned int)fixed_never_users[i]);
+  fprintf(fp, "%d\n", (unsigned int)fixed_never_users[i]);
   }
 
-fprintf(f, "Configure owner: %d:%d\n", config_uid, config_gid);
+fprintf(fp, "Configure owner: %d:%d\n", config_uid, config_gid);
 
-fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
+fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
 
 /* Everything else is details which are only worth reporting when debugging.
 Perhaps the tls_version_report should move into this too. */
@@ -986,9 +1004,9 @@
 
 /* clang defines __GNUC__ (at least, for me) so test for it first */
 #if defined(__clang__)
-  fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
+  fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
 #elif defined(__GNUC__)
-  fprintf(f, "Compiler: GCC [%s]\n",
+  fprintf(fp, "Compiler: GCC [%s]\n",
 # ifdef __VERSION__
       __VERSION__
 # else
@@ -996,29 +1014,29 @@
 # endif
       );
 #else
-  fprintf(f, "Compiler: <unknown>\n");
+  fprintf(fp, "Compiler: <unknown>\n");
 #endif
 
 #if defined(__GLIBC__) && !defined(__UCLIBC__)
-  fprintf(f, "Library version: Glibc: Compile: %d.%d\n",
+  fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
 	       	__GLIBC__, __GLIBC_MINOR__);
   if (__GLIBC_PREREQ(2, 1))
-    fprintf(f, "                        Runtime: %s\n",
+    fprintf(fp, "                        Runtime: %s\n",
 	       	gnu_get_libc_version());
 #endif
 
-show_db_version(f);
+show_db_version(fp);
 
 #ifdef SUPPORT_TLS
-  tls_version_report(f);
+  tls_version_report(fp);
 #endif
 #ifdef SUPPORT_I18N
-  utf8_version_report(f);
+  utf8_version_report(fp);
 #endif
 
   for (authi = auths_available; *authi->driver_name != '\0'; ++authi)
     if (authi->version_report)
-      (*authi->version_report)(f);
+      (*authi->version_report)(fp);
 
   /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
   characters; unless it's an ancient version of PCRE in which case it
@@ -1028,7 +1046,7 @@
 #endif
 #define QUOTE(X) #X
 #define EXPAND_AND_QUOTE(X) QUOTE(X)
-  fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
+  fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
              "                       Runtime: %s\n",
           PCRE_MAJOR, PCRE_MINOR,
           EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
@@ -1039,17 +1057,17 @@
   init_lookup_list();
   for (i = 0; i < lookup_list_count; i++)
     if (lookup_list[i]->version_report)
-      lookup_list[i]->version_report(f);
+      lookup_list[i]->version_report(fp);
 
 #ifdef WHITELIST_D_MACROS
-  fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
+  fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
 #else
-  fprintf(f, "WHITELIST_D_MACROS unset\n");
+  fprintf(fp, "WHITELIST_D_MACROS unset\n");
 #endif
 #ifdef TRUSTED_CONFIG_LIST
-  fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
+  fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
 #else
-  fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
+  fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
 #endif
 
 } while (0);
@@ -1284,20 +1302,15 @@
 
 /* Handle specific program invocation variants */
 if (Ustrcmp(progname, US"-mailq") == 0)
-  {
-  fprintf(stderr,
+  exim_fail(
     "mailq - list the contents of the mail queue\n\n"
     "For a list of options, see the Exim documentation.\n");
-  exit(EXIT_FAILURE);
-  }
 
 /* Generic usage - we output this whatever happens */
-fprintf(stderr,
+exim_fail(
   "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
   "not directly from a shell command line. Options and/or arguments control\n"
   "what it does when called. For a list of options, see the Exim documentation.\n");
-
-exit(EXIT_FAILURE);
 }
 
 
@@ -1446,6 +1459,7 @@
 }
 
 
+
 /*************************************************
 *          Entry point and high-level code       *
 *************************************************/
@@ -1488,6 +1502,7 @@
 int  sender_address_domain = 0;
 int  test_retry_arg = -1;
 int  test_rewrite_arg = -1;
+gid_t original_egid;
 BOOL arg_queue_only = FALSE;
 BOOL bi_option = FALSE;
 BOOL checking = FALSE;
@@ -1537,7 +1552,7 @@
 struct stat statbuf;
 pid_t passed_qr_pid = (pid_t)0;
 int passed_qr_pipe = -1;
-gid_t group_list[NGROUPS_MAX];
+gid_t group_list[EXIM_GROUPLIST_SIZE];
 
 /* For the -bI: flag */
 enum commandline_info info_flag = CMDINFO_NONE;
@@ -1561,49 +1576,32 @@
 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
   {
   if (exim_uid == 0)
-    {
-    fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
-      EXIM_USERNAME);
-    exit(EXIT_FAILURE);
-    }
+    exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
+
   /* If ref:name uses a number as the name, route_finduser() returns
   TRUE with exim_uid set and pw coerced to NULL. */
   if (pw)
     exim_gid = pw->pw_gid;
 #ifndef EXIM_GROUPNAME
   else
-    {
-    fprintf(stderr,
+    exim_fail(
         "exim: ref:name should specify a usercode, not a group.\n"
         "exim: can't let you get away with it unless you also specify a group.\n");
-    exit(EXIT_FAILURE);
-    }
 #endif
   }
 else
-  {
-  fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
-    EXIM_USERNAME);
-  exit(EXIT_FAILURE);
-  }
+  exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
 #endif
 
 #ifdef EXIM_GROUPNAME
 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
-  {
-  fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
-    EXIM_GROUPNAME);
-  exit(EXIT_FAILURE);
-  }
+  exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
 #endif
 
 #ifdef CONFIGURE_OWNERNAME
 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
-  {
-  fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
+  exim_fail("exim: failed to find uid for user name \"%s\"\n",
     CONFIGURE_OWNERNAME);
-  exit(EXIT_FAILURE);
-  }
 #endif
 
 /* We default the system_filter_user to be the Exim run-time user, as a
@@ -1612,11 +1610,8 @@
 
 #ifdef CONFIGURE_GROUPNAME
 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
-  {
-  fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
+  exim_fail("exim: failed to find gid for group name \"%s\"\n",
     CONFIGURE_GROUPNAME);
-  exit(EXIT_FAILURE);
-  }
 #endif
 
 /* In the Cygwin environment, some initialization used to need doing.
@@ -1630,9 +1625,9 @@
 /* Check a field which is patched when we are running Exim within its
 testing harness; do a fast initial check, and then the whole thing. */
 
-running_in_test_harness =
+f.running_in_test_harness =
   *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
-if (running_in_test_harness)
+if (f.running_in_test_harness)
   debug_store = TRUE;
 
 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
@@ -1650,10 +1645,7 @@
 because store_malloc writes a log entry on failure. */
 
 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
-  {
-  fprintf(stderr, "exim: failed to get store for log buffer\n");
-  exit(EXIT_FAILURE);
-  }
+  exim_fail("exim: failed to get store for log buffer\n");
 
 /* Initialize the default log options. */
 
@@ -1796,7 +1788,7 @@
 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
     (namelen  > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
   {
-  dot_ends = FALSE;
+  f.dot_ends = FALSE;
   called_as = US"-rmail";
   errors_sender_rc = EXIT_SUCCESS;
   }
@@ -1837,6 +1829,7 @@
 normally be root, but in some esoteric environments it may not be. */
 
 original_euid = geteuid();
+original_egid = getegid();
 
 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
 to be the same as the real ones. This makes a difference only if Exim is setuid
@@ -1848,20 +1841,12 @@
 
 if (real_uid == root_uid)
   {
-  rv = setgid(real_gid);
-  if (rv)
-    {
-    fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
+  if ((rv = setgid(real_gid)))
+    exim_fail("exim: setgid(%ld) failed: %s\n",
         (long int)real_gid, strerror(errno));
-    exit(EXIT_FAILURE);
-    }
-  rv = setuid(real_uid);
-  if (rv)
-    {
-    fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
+  if ((rv = setuid(real_uid)))
+    exim_fail("exim: setuid(%ld) failed: %s\n",
         (long int)real_uid, strerror(errno));
-    exit(EXIT_FAILURE);
-    }
   }
 
 /* If neither the original real uid nor the original euid was root, Exim is
@@ -1918,7 +1903,7 @@
     {
     switchchar = arg[3];
     argrest += 2;
-    queue_2stage = TRUE;
+    f.queue_2stage = TRUE;
     }
 
   /* Make -r synonymous with -f, since it is a documented alias */
@@ -1989,8 +1974,8 @@
 
     if (*argrest == 'd')
       {
-      daemon_listen = TRUE;
-      if (*(++argrest) == 'f') background_daemon = FALSE;
+      f.daemon_listen = TRUE;
+      if (*(++argrest) == 'f') f.background_daemon = FALSE;
         else if (*argrest != 0) { badarg = TRUE; break; }
       }
 
@@ -2017,10 +2002,7 @@
       filter_test |= checking = FTEST_SYSTEM;
       if (*(++argrest) != 0) { badarg = TRUE; break; }
       if (++i < argc) filter_test_sfile = argv[i]; else
-        {
-        fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
-        exit(EXIT_FAILURE);
-        }
+        exim_fail("exim: file name expected after %s\n", argv[i-1]);
       }
 
     /* -bf:  Run user filter test
@@ -2036,18 +2018,12 @@
         {
         filter_test |= checking = FTEST_USER;
         if (++i < argc) filter_test_ufile = argv[i]; else
-          {
-          fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
-          exit(EXIT_FAILURE);
-          }
+          exim_fail("exim: file name expected after %s\n", argv[i-1]);
         }
       else
         {
         if (++i >= argc)
-          {
-          fprintf(stderr, "exim: string expected after %s\n", arg);
-          exit(EXIT_FAILURE);
-          }
+          exim_fail("exim: string expected after %s\n", arg);
         if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
         else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
         else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
@@ -2062,8 +2038,8 @@
       {
       if (++i >= argc) { badarg = TRUE; break; }
       sender_host_address = argv[i];
-      host_checking = checking = log_testing_mode = TRUE;
-      host_checking_callout = argrest[1] == 'c';
+      host_checking = checking = f.log_testing_mode = TRUE;
+      f.host_checking_callout = argrest[1] == 'c';
       message_logs = FALSE;
       }
 
@@ -2120,8 +2096,8 @@
 
     else if (Ustrcmp(argrest, "nq") == 0)
       {
-      allow_unqualified_sender = FALSE;
-      allow_unqualified_recipient = FALSE;
+      f.allow_unqualified_sender = FALSE;
+      f.allow_unqualified_recipient = FALSE;
       }
 
     /* -bpxx: List the contents of the mail queue, in various forms. If
@@ -2220,18 +2196,18 @@
     /* -bt: address testing mode */
 
     else if (Ustrcmp(argrest, "t") == 0)
-      address_test_mode = checking = log_testing_mode = TRUE;
+      f.address_test_mode = checking = f.log_testing_mode = TRUE;
 
     /* -bv: verify addresses */
 
     else if (Ustrcmp(argrest, "v") == 0)
-      verify_address_mode = checking = log_testing_mode = TRUE;
+      verify_address_mode = checking = f.log_testing_mode = TRUE;
 
     /* -bvs: verify sender addresses */
 
     else if (Ustrcmp(argrest, "vs") == 0)
       {
-      verify_address_mode = checking = log_testing_mode = TRUE;
+      verify_address_mode = checking = f.log_testing_mode = TRUE;
       verify_as_sender = TRUE;
       }
 
@@ -2244,25 +2220,19 @@
       printf("%s\n", CS version_copyright);
       version_printed = TRUE;
       show_whats_supported(stdout);
-      log_testing_mode = TRUE;
+      f.log_testing_mode = TRUE;
       }
 
     /* -bw: inetd wait mode, accept a listening socket as stdin */
 
     else if (*argrest == 'w')
       {
-      inetd_wait_mode = TRUE;
-      background_daemon = FALSE;
-      daemon_listen = TRUE;
+      f.inetd_wait_mode = TRUE;
+      f.background_daemon = FALSE;
+      f.daemon_listen = TRUE;
       if (*(++argrest) != '\0')
-        {
-        inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE);
-        if (inetd_wait_timeout <= 0)
-          {
-          fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
-          exit(EXIT_FAILURE);
-          }
-        }
+        if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
+          exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
       }
 
     else badarg = TRUE;
@@ -2292,10 +2262,7 @@
              Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
              Ustrstr(filename, "/../") != NULL) &&
              (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
-          {
-          fprintf(stderr, "-C Permission denied\n");
-          exit(EXIT_FAILURE);
-          }
+          exim_fail("-C Permission denied\n");
         }
       #endif
       if (real_uid != root_uid)
@@ -2307,7 +2274,7 @@
             && real_uid != config_uid
             #endif
             )
-          trusted_config = FALSE;
+          f.trusted_config = FALSE;
         else
           {
           FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
@@ -2329,7 +2296,7 @@
                    ) ||                            /* or */
                 (statbuf.st_mode & 2) != 0)        /* world writeable */
               {
-              trusted_config = FALSE;
+              f.trusted_config = FALSE;
               fclose(trust_list);
               }
 	    else
@@ -2361,7 +2328,7 @@
                 int sep = 0;
                 const uschar *list = argrest;
                 uschar *filename;
-                while (trusted_config && (filename = string_nextinlist(&list,
+                while (f.trusted_config && (filename = string_nextinlist(&list,
                         &sep, big_buffer, big_buffer_size)) != NULL)
                   {
                   for (i=0; i < nr_configs; i++)
@@ -2371,7 +2338,7 @@
                     }
                   if (i == nr_configs)
                     {
-                    trusted_config = FALSE;
+                    f.trusted_config = FALSE;
                     break;
                     }
                   }
@@ -2380,24 +2347,24 @@
               else
                 {
                 /* No valid prefixes found in trust_list file. */
-                trusted_config = FALSE;
+                f.trusted_config = FALSE;
                 }
               }
 	    }
           else
             {
             /* Could not open trust_list file. */
-            trusted_config = FALSE;
+            f.trusted_config = FALSE;
             }
           }
       #else
         /* Not root; don't trust config */
-        trusted_config = FALSE;
+        f.trusted_config = FALSE;
       #endif
         }
 
       config_main_filelist = argrest;
-      config_changed = TRUE;
+      f.config_changed = TRUE;
       }
     break;
 
@@ -2405,10 +2372,9 @@
     /* -D: set up a macro definition */
 
     case 'D':
-    #ifdef DISABLE_D_OPTION
-    fprintf(stderr, "exim: -D is not available in this Exim binary\n");
-    exit(EXIT_FAILURE);
-    #else
+#ifdef DISABLE_D_OPTION
+      exim_fail("exim: -D is not available in this Exim binary\n");
+#else
       {
       int ptr = 0;
       macro_item *m;
@@ -2419,11 +2385,8 @@
       while (isspace(*s)) s++;
 
       if (*s < 'A' || *s > 'Z')
-        {
-        fprintf(stderr, "exim: macro name set by -D must start with "
+        exim_fail("exim: macro name set by -D must start with "
           "an upper case letter\n");
-        exit(EXIT_FAILURE);
-        }
 
       while (isalnum(*s) || *s == '_')
         {
@@ -2441,18 +2404,12 @@
 
       for (m = macros_user; m; m = m->next)
         if (Ustrcmp(m->name, name) == 0)
-          {
-          fprintf(stderr, "exim: duplicated -D in command line\n");
-          exit(EXIT_FAILURE);
-          }
+          exim_fail("exim: duplicated -D in command line\n");
 
       m = macro_create(name, s, TRUE);
 
       if (clmacro_count >= MAX_CLMACROS)
-        {
-        fprintf(stderr, "exim: too many -D options on command line\n");
-        exit(EXIT_FAILURE);
-        }
+        exim_fail("exim: too many -D options on command line\n");
       clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
         m->replacement);
       }
@@ -2479,7 +2436,7 @@
       debug_file = NULL;
       if (*argrest == 'd')
         {
-        debug_daemon = TRUE;
+        f.debug_daemon = TRUE;
         argrest++;
         }
       if (*argrest != 0)
@@ -2498,7 +2455,7 @@
     message_reference at it, for logging. */
 
     case 'E':
-    local_error_message = TRUE;
+    f.local_error_message = TRUE;
     if (mac_ismsgid(argrest)) message_reference = argrest;
     break;
 
@@ -2535,7 +2492,7 @@
         { badarg = TRUE; break; }
       }
     originator_name = argrest;
-    sender_name_forced = TRUE;
+    f.sender_name_forced = TRUE;
     break;
 
 
@@ -2583,13 +2540,10 @@
 #endif
         allow_domain_literals = FALSE;
         strip_trailing_dot = FALSE;
-        if (sender_address == NULL)
-          {
-          fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
-          return EXIT_FAILURE;
-          }
+        if (!sender_address)
+          exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
         }
-      sender_address_forced = TRUE;
+      f.sender_address_forced = TRUE;
       }
     break;
 
@@ -2620,7 +2574,7 @@
     not to be documented for sendmail but mailx (at least) uses it) */
 
     case 'i':
-    if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
+    if (*argrest == 0) f.dot_ends = FALSE; else badarg = TRUE;
     break;
 
 
@@ -2633,17 +2587,10 @@
       if(++i < argc) argrest = argv[i]; else
         { badarg = TRUE; break; }
       }
-    sz = Ustrlen(argrest);
-    if (sz > 32)
-      {
-      fprintf(stderr, "exim: the -L syslog name is too long: \"%s\"\n", argrest);
-      return EXIT_FAILURE;
-      }
+    if ((sz = Ustrlen(argrest)) > 32)
+      exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
     if (sz < 1)
-      {
-      fprintf(stderr, "exim: the -L syslog name is too short\n");
-      return EXIT_FAILURE;
-      }
+      exim_fail("exim: the -L syslog name is too short\n");
     cmdline_syslog_name = argrest;
     break;
 
@@ -2669,16 +2616,10 @@
       EXIM_SOCKLEN_T size = sizeof(interface_sock);
 
       if (argc != i + 6)
-        {
-        fprintf(stderr, "exim: too many or too few arguments after -MC\n");
-        return EXIT_FAILURE;
-        }
+        exim_fail("exim: too many or too few arguments after -MC\n");
 
       if (msg_action_arg >= 0)
-        {
-        fprintf(stderr, "exim: incompatible arguments\n");
-        return EXIT_FAILURE;
-        }
+        exim_fail("exim: incompatible arguments\n");
 
       continue_transport = argv[++i];
       continue_hostname = argv[++i];
@@ -2691,11 +2632,8 @@
       queue_run_pipe = passed_qr_pipe;
 
       if (!mac_ismsgid(argv[i]))
-        {
-        fprintf(stderr, "exim: malformed message id %s after -MC option\n",
+        exim_fail("exim: malformed message id %s after -MC option\n",
           argv[i]);
-        return EXIT_FAILURE;
-        }
 
       /* Set up $sending_ip_address and $sending_port, unless proxied */
 
@@ -2705,13 +2643,10 @@
 	  sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
 	    &sending_port);
 	else
-	  {
-	  fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
+	  exim_fail("exim: getsockname() failed after -MC option: %s\n",
 	    strerror(errno));
-	  return EXIT_FAILURE;
-	  }
 
-      if (running_in_test_harness) millisleep(500);
+      if (f.running_in_test_harness) millisleep(500);
       break;
       }
 
@@ -2723,7 +2658,7 @@
     precedes -MC (see above). The flag indicates that the host to which
     Exim is connected has accepted an AUTH sequence. */
 
-	case 'A': smtp_authenticated = TRUE; break;
+	case 'A': f.smtp_authenticated = TRUE; break;
 
     /* -MCD: set the smtp_use_dsn flag; this indicates that the host
        that exim is connected to supports the esmtp extension DSN */
@@ -2762,7 +2697,7 @@
 
 #ifdef SUPPORT_TLS
     /* -MCt: similar to -MCT below but the connection is still open
-    via a proxy proces which handles the TLS context and coding.
+    via a proxy process which handles the TLS context and coding.
     Require three arguments for the proxied local address and port,
     and the TLS cipher.  */
 
@@ -2783,9 +2718,19 @@
 
 	default:  badarg = TRUE; break;
 	}
-	break;
+      break;
       }
 
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+    /* -MS   set REQUIRETLS on (new) message */
+
+    else if (*argrest == 'S')
+      {
+      tls_requiretls |= REQUIRETLS_MSG;
+      break;
+      }
+#endif
+
     /* -M[x]: various operations on the following list of message ids:
        -M    deliver the messages, ignoring next retry times and thawing
        -Mc   deliver the messages, checking next retry times, no thawing
@@ -2810,7 +2755,7 @@
     else if (*argrest == 0)
       {
       msg_action = MSG_DELIVER;
-      forced_delivery = deliver_force_thaw = TRUE;
+      forced_delivery = f.deliver_force_thaw = TRUE;
       }
     else if (Ustrcmp(argrest, "ar") == 0)
       {
@@ -2871,10 +2816,7 @@
 
     msg_action_arg = i + 1;
     if (msg_action_arg >= argc)
-      {
-      fprintf(stderr, "exim: no message ids given after %s option\n", arg);
-      return EXIT_FAILURE;
-      }
+      exim_fail("exim: no message ids given after %s option\n", arg);
 
     /* Some require only message ids to follow */
 
@@ -2882,11 +2824,8 @@
       {
       int j;
       for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
-        {
-        fprintf(stderr, "exim: malformed message id %s after %s option\n",
+        exim_fail("exim: malformed message id %s after %s option\n",
           argv[j], arg);
-        return EXIT_FAILURE;
-        }
       goto END_ARG;   /* Remaining args are ids */
       }
 
@@ -2896,11 +2835,8 @@
     else
       {
       if (!mac_ismsgid(argv[msg_action_arg]))
-        {
-        fprintf(stderr, "exim: malformed message id %s after %s option\n",
+        exim_fail("exim: malformed message id %s after %s option\n",
           argv[msg_action_arg], arg);
-        return EXIT_FAILURE;
-        }
       i++;
       }
     break;
@@ -2920,7 +2856,7 @@
     case 'N':
     if (*argrest == 0)
       {
-      dont_deliver = TRUE;
+      f.dont_deliver = TRUE;
       debug_selector |= D_v;
       debug_file = stderr;
       }
@@ -2944,10 +2880,7 @@
     if (*argrest == 0)
       {
       if (++i >= argc)
-        {
-        fprintf(stderr, "exim: string expected after -O\n");
-        exit(EXIT_FAILURE);
-        }
+        exim_fail("exim: string expected after -O\n");
       }
     break;
 
@@ -2962,10 +2895,7 @@
       if (alias_arg[0] == 0)
         {
         if (i+1 < argc) alias_arg = argv[++i]; else
-          {
-          fprintf(stderr, "exim: string expected after -oA\n");
-          exit(EXIT_FAILURE);
-          }
+          exim_fail("exim: string expected after -oA\n");
         }
       }
 
@@ -2986,10 +2916,7 @@
       if (p != NULL)
         {
         if (!isdigit(*p))
-          {
-          fprintf(stderr, "exim: number expected after -oB\n");
-          exit(EXIT_FAILURE);
-          }
+          exim_fail("exim: number expected after -oB\n");
         connection_max_messages = Uatoi(p);
         }
       }
@@ -2998,7 +2925,7 @@
 
     else if (Ustrcmp(argrest, "db") == 0)
       {
-      synchronous_delivery = FALSE;
+      f.synchronous_delivery = FALSE;
       arg_queue_only = FALSE;
       queue_only_set = TRUE;
       }
@@ -3009,7 +2936,7 @@
 
     else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
       {
-      synchronous_delivery = TRUE;
+      f.synchronous_delivery = TRUE;
       arg_queue_only = FALSE;
       queue_only_set = TRUE;
       }
@@ -3018,7 +2945,7 @@
 
     else if (Ustrcmp(argrest, "dq") == 0)
       {
-      synchronous_delivery = FALSE;
+      f.synchronous_delivery = FALSE;
       arg_queue_only = TRUE;
       queue_only_set = TRUE;
       }
@@ -3028,7 +2955,7 @@
 
     else if (Ustrcmp(argrest, "dqs") == 0)
       {
-      queue_smtp = TRUE;
+      f.queue_smtp = TRUE;
       arg_queue_only = FALSE;
       queue_only_set = TRUE;
       }
@@ -3042,7 +2969,7 @@
 
     else if (Ustrcmp(argrest, "i") == 0 ||
              Ustrcmp(argrest, "itrue") == 0)
-      dot_ends = FALSE;
+      f.dot_ends = FALSE;
 
     /* -oM*: Set various characteristics for an incoming message; actually
     acted on for trusted callers only. */
@@ -3050,10 +2977,7 @@
     else if (*argrest == 'M')
       {
       if (i+1 >= argc)
-        {
-        fprintf(stderr, "exim: data expected after -o%s\n", argrest);
-        exit(EXIT_FAILURE);
-        }
+        exim_fail("exim: data expected after -o%s\n", argrest);
 
       /* -oMa: Set sender host address */
 
@@ -3081,15 +3005,9 @@
       else if (Ustrcmp(argrest, "Mm") == 0)
         {
         if (!mac_ismsgid(argv[i+1]))
-          {
-            fprintf(stderr,"-oMm must be a valid message ID\n");
-            exit(EXIT_FAILURE);
-          }
-        if (!trusted_config)
-          {
-            fprintf(stderr,"-oMm must be called by a trusted user/config\n");
-            exit(EXIT_FAILURE);
-          }
+            exim_fail("-oMm must be a valid message ID\n");
+        if (!f.trusted_config)
+            exim_fail("-oMm must be called by a trusted user/config\n");
           message_reference = argv[++i];
         }
 
@@ -3098,11 +3016,9 @@
       else if (Ustrcmp(argrest, "Mr") == 0)
 
         if (received_protocol)
-          {
-          fprintf(stderr, "received_protocol is set already\n");
-          exit(EXIT_FAILURE);
-          }
-        else received_protocol = argv[++i];
+          exim_fail("received_protocol is set already\n");
+        else
+	  received_protocol = argv[++i];
 
       /* -oMs: Set sender host name */
 
@@ -3154,10 +3070,7 @@
         }
       else *tp = readconf_readtime(argrest + 1, 0, FALSE);
       if (*tp < 0)
-        {
-        fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
-        exit(EXIT_FAILURE);
-        }
+        exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
       }
 
     /* -oX <list>: Override local_interfaces and/or default daemon ports */
@@ -3201,10 +3114,7 @@
       uschar *hn;
 
       if (received_protocol)
-        {
-        fprintf(stderr, "received_protocol is set already\n");
-        exit(EXIT_FAILURE);
-        }
+        exim_fail("received_protocol is set already\n");
 
       hn = Ustrchr(argrest, ':');
       if (hn == NULL)
@@ -3224,16 +3134,13 @@
     case 'q':
     receiving_message = FALSE;
     if (queue_interval >= 0)
-      {
-      fprintf(stderr, "exim: -q specified more than once\n");
-      exit(EXIT_FAILURE);
-      }
+      exim_fail("exim: -q specified more than once\n");
 
     /* -qq...: Do queue runs in a 2-stage manner */
 
     if (*argrest == 'q')
       {
-      queue_2stage = TRUE;
+      f.queue_2stage = TRUE;
       argrest++;
       }
 
@@ -3241,7 +3148,7 @@
 
     if (*argrest == 'i')
       {
-      queue_run_first_delivery = TRUE;
+      f.queue_run_first_delivery = TRUE;
       argrest++;
       }
 
@@ -3250,10 +3157,10 @@
 
     if (*argrest == 'f')
       {
-      queue_run_force = TRUE;
+      f.queue_run_force = TRUE;
       if (*++argrest == 'f')
         {
-        deliver_force_thaw = TRUE;
+        f.deliver_force_thaw = TRUE;
         argrest++;
         }
       }
@@ -3262,7 +3169,7 @@
 
     if (*argrest == 'l')
       {
-      queue_run_local = TRUE;
+      f.queue_run_local = TRUE;
       argrest++;
       }
 
@@ -3295,10 +3202,7 @@
 
     else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
 						0, FALSE)) <= 0)
-      {
-      fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
-      exit(EXIT_FAILURE);
-      }
+      exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
     break;
 
 
@@ -3320,9 +3224,9 @@
       for (i = 0; i < nelem(rsopts); i++)
         if (Ustrcmp(argrest, rsopts[i]) == 0)
           {
-          if (i != 2) queue_run_force = TRUE;
-          if (i >= 2) deliver_selectstring_regex = TRUE;
-          if (i == 1 || i == 4) deliver_force_thaw = TRUE;
+          if (i != 2) f.queue_run_force = TRUE;
+          if (i >= 2) f.deliver_selectstring_regex = TRUE;
+          if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
           argrest += Ustrlen(rsopts[i]);
           }
       }
@@ -3335,10 +3239,7 @@
     else if (i+1 < argc)
       deliver_selectstring = argv[++i];
     else
-      {
-      fprintf(stderr, "exim: string expected after -R\n");
-      exit(EXIT_FAILURE);
-      }
+      exim_fail("exim: string expected after -R\n");
     break;
 
 
@@ -3365,9 +3266,9 @@
       for (i = 0; i < nelem(rsopts); i++)
         if (Ustrcmp(argrest, rsopts[i]) == 0)
           {
-          if (i != 2) queue_run_force = TRUE;
-          if (i >= 2) deliver_selectstring_sender_regex = TRUE;
-          if (i == 1 || i == 4) deliver_force_thaw = TRUE;
+          if (i != 2) f.queue_run_force = TRUE;
+          if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
+          if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
           argrest += Ustrlen(rsopts[i]);
           }
       }
@@ -3380,10 +3281,7 @@
     else if (i+1 < argc)
       deliver_selectstring_sender = argv[++i];
     else
-      {
-      fprintf(stderr, "exim: string expected after -S\n");
-      exit(EXIT_FAILURE);
-      }
+      exim_fail("exim: string expected after -S\n");
     break;
 
     /* -Tqt is an option that is exclusively for use by the testing suite.
@@ -3392,7 +3290,7 @@
     tested. Otherwise variability of clock ticks etc. cause problems. */
 
     case 'T':
-    if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
+    if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
       fudged_queue_times = argv[++i];
     else badarg = TRUE;
     break;
@@ -3409,7 +3307,7 @@
     else if (Ustrcmp(argrest, "i") == 0)
       {
       extract_recipients = TRUE;
-      dot_ends = FALSE;
+      f.dot_ends = FALSE;
       }
 
     /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
@@ -3462,19 +3360,15 @@
     case 'X':
     if (*argrest == '\0')
       if (++i >= argc)
-        {
-        fprintf(stderr, "exim: string expected after -X\n");
-        exit(EXIT_FAILURE);
-        }
+        exim_fail("exim: string expected after -X\n");
     break;
 
     case 'z':
     if (*argrest == '\0')
-      if (++i < argc) log_oneline = argv[i]; else
-        {
-        fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
-        exit(EXIT_FAILURE);
-        }
+      if (++i < argc)
+	log_oneline = argv[i];
+      else
+        exim_fail("exim: file name expected after %s\n", argv[i-1]);
     break;
 
     /* All other initial characters are errors */
@@ -3487,11 +3381,8 @@
   /* Failed to recognize the option, or syntax error */
 
   if (badarg)
-    {
-    fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
+    exim_fail("exim abandoned: unknown, malformed, or incomplete "
       "option %s\n", arg);
-    exit(EXIT_FAILURE);
-    }
   }
 
 
@@ -3509,26 +3400,26 @@
 /* Arguments have been processed. Check for incompatibilities. */
 if ((
     (smtp_input || extract_recipients || recipients_arg < argc) &&
-    (daemon_listen || queue_interval >= 0 || bi_option ||
+    (f.daemon_listen || queue_interval >= 0 || bi_option ||
       test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
       filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
     ) ||
     (
     msg_action_arg > 0 &&
-    (daemon_listen || queue_interval > 0 || list_options ||
+    (f.daemon_listen || queue_interval > 0 || list_options ||
       (checking && msg_action != MSG_LOAD) ||
       bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
     ) ||
     (
-    (daemon_listen || queue_interval > 0) &&
+    (f.daemon_listen || queue_interval > 0) &&
     (sender_address != NULL || list_options || list_queue || checking ||
       bi_option)
     ) ||
     (
-    daemon_listen && queue_interval == 0
+    f.daemon_listen && queue_interval == 0
     ) ||
     (
-    inetd_wait_mode && queue_interval >= 0
+    f.inetd_wait_mode && queue_interval >= 0
     ) ||
     (
     list_options &&
@@ -3537,11 +3428,11 @@
     ) ||
     (
     verify_address_mode &&
-    (address_test_mode || smtp_input || extract_recipients ||
+    (f.address_test_mode || smtp_input || extract_recipients ||
       filter_test != FTEST_NONE || bi_option)
     ) ||
     (
-    address_test_mode && (smtp_input || extract_recipients ||
+    f.address_test_mode && (smtp_input || extract_recipients ||
       filter_test != FTEST_NONE || bi_option)
     ) ||
     (
@@ -3556,10 +3447,7 @@
       (!expansion_test || expansion_test_message != NULL)
     )
    )
-  {
-  fprintf(stderr, "exim: incompatible command-line options or arguments\n");
-  exit(EXIT_FAILURE);
-  }
+  exim_fail("exim: incompatible command-line options or arguments\n");
 
 /* If debugging is set up, set the file and the file descriptor to pass on to
 child processes. It should, of course, be 2 for stderr. Also, force the daemon
@@ -3569,8 +3457,8 @@
   {
   debug_file = stderr;
   debug_fd = fileno(debug_file);
-  background_daemon = FALSE;
-  if (running_in_test_harness) millisleep(100);   /* lets caller finish */
+  f.background_daemon = FALSE;
+  if (f.running_in_test_harness) millisleep(100);   /* lets caller finish */
   if (debug_selector != D_v)    /* -v only doesn't show this */
     {
     debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
@@ -3656,12 +3544,8 @@
 till after reading the config, which might specify the exim gid. Therefore,
 save the group list here first. */
 
-group_count = getgroups(NGROUPS_MAX, group_list);
-if (group_count < 0)
-  {
-  fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
-  exit(EXIT_FAILURE);
-  }
+if ((group_count = getgroups(nelem(group_list), group_list)) < 0)
+  exim_fail("exim: getgroups() failed: %s\n", strerror(errno));
 
 /* There is a fundamental difference in some BSD systems in the matter of
 groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
@@ -3674,19 +3558,18 @@
 list. Calling setgroups() with zero groups on a "different" system results in
 an error return. The following code should cope with both types of system.
 
+ Unfortunately, recent MacOS, which should be a FreeBSD, "helpfully" succeeds
+ the "setgroups() with zero groups" - and changes the egid.
+ Thanks to that we had to stash the original_egid above, for use below
+ in the call to exim_setugid().
+
 However, if this process isn't running as root, setgroups() can't be used
 since you have to be root to run it, even if throwing away groups. Not being
 root here happens only in some unusual configurations. We just ignore the
 error. */
 
-if (setgroups(0, NULL) != 0)
-  {
-  if (setgroups(1, group_list) != 0 && !unprivileged)
-    {
-    fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
-    exit(EXIT_FAILURE);
-    }
-  }
+if (setgroups(0, NULL) != 0 && setgroups(1, group_list) != 0 && !unprivileged)
+  exim_fail("exim: setgroups() failed: %s\n", strerror(errno));
 
 /* If the configuration file name has been altered by an argument on the
 command line (either a new file name or a macro definition) and the caller is
@@ -3706,10 +3589,10 @@
 configuration file changes and macro definitions haven't happened. */
 
 if ((                                            /* EITHER */
-    (!trusted_config ||                          /* Config changed, or */
+    (!f.trusted_config ||                          /* Config changed, or */
      !macros_trusted(opt_D_used)) &&		 /*  impermissible macros and */
     real_uid != root_uid &&                      /* Not root, and */
-    !running_in_test_harness                     /* Not fudged */
+    !f.running_in_test_harness                     /* Not fudged */
     ) ||                                         /*   OR   */
     expansion_test                               /* expansion testing */
     ||                                           /*   OR   */
@@ -3729,8 +3612,8 @@
   Note that if the invoker is Exim, the logs remain available. Messing with
   this causes unlogged successful deliveries.  */
 
-  if ((log_stderr != NULL) && (real_uid != exim_uid))
-    really_exim = FALSE;
+  if (log_stderr && real_uid != exim_uid)
+    f.really_exim = FALSE;
   }
 
 /* Privilege is to be retained for the moment. It may be dropped later,
@@ -3738,32 +3621,21 @@
 the real uid to the effective so that subsequent re-execs of Exim are done by a
 privileged user. */
 
-else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
+else
+  exim_setugid(geteuid(), original_egid, FALSE, US"forcing real = effective");
 
 /* If testing a filter, open the file(s) now, before wasting time doing other
 setups and reading the message. */
 
-if ((filter_test & FTEST_SYSTEM) != 0)
-  {
-  filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
-  if (filter_sfd < 0)
-    {
-    fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
+if (filter_test & FTEST_SYSTEM)
+  if ((filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0)) < 0)
+    exim_fail("exim: failed to open %s: %s\n", filter_test_sfile,
       strerror(errno));
-    return EXIT_FAILURE;
-    }
-  }
 
-if ((filter_test & FTEST_USER) != 0)
-  {
-  filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
-  if (filter_ufd < 0)
-    {
-    fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
+if (filter_test & FTEST_USER)
+  if ((filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0)) < 0)
+    exim_fail("exim: failed to open %s: %s\n", filter_test_ufile,
       strerror(errno));
-    return EXIT_FAILURE;
-    }
-  }
 
 /* Initialise lookup_list
 If debugging, already called above via version reporting.
@@ -3777,14 +3649,14 @@
 init_lookup_list();
 
 #ifdef SUPPORT_I18N
-if (running_in_test_harness) smtputf8_advertise_hosts = NULL;
+if (f.running_in_test_harness) smtputf8_advertise_hosts = NULL;
 #endif
 
 /* Read the main runtime configuration data; this gives up if there
 is a failure. It leaves the configuration file open so that the subsequent
 configuration data for delivery can be read if needed.
 
-NOTE: immediatly after opening the configuration file we change the working
+NOTE: immediately after opening the configuration file we change the working
 directory to "/"! Later we change to $spool_directory. We do it there, because
 during readconf_main() some expansion takes place already. */
 
@@ -3826,17 +3698,17 @@
 for later interrogation. */
 
 if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
-  admin_user = TRUE;
+  f.admin_user = TRUE;
 else
   {
   int i, j;
-  for (i = 0; i < group_count && !admin_user; i++)
+  for (i = 0; i < group_count && !f.admin_user; i++)
     if (group_list[i] == exim_gid)
-      admin_user = TRUE;
+      f.admin_user = TRUE;
     else if (admin_groups)
-      for (j = 1; j <= (int)admin_groups[0] && !admin_user; j++)
+      for (j = 1; j <= (int)admin_groups[0] && !f.admin_user; j++)
         if (admin_groups[j] == group_list[i])
-          admin_user = TRUE;
+          f.admin_user = TRUE;
   }
 
 /* Another group of privileged users are the trusted users. These are root,
@@ -3845,32 +3717,30 @@
 other message parameters as well. */
 
 if (real_uid == root_uid || real_uid == exim_uid)
-  trusted_caller = TRUE;
+  f.trusted_caller = TRUE;
 else
   {
   int i, j;
 
   if (trusted_users)
-    for (i = 1; i <= (int)trusted_users[0] && !trusted_caller; i++)
+    for (i = 1; i <= (int)trusted_users[0] && !f.trusted_caller; i++)
       if (trusted_users[i] == real_uid)
-        trusted_caller = TRUE;
+        f.trusted_caller = TRUE;
 
   if (trusted_groups)
-    for (i = 1; i <= (int)trusted_groups[0] && !trusted_caller; i++)
+    for (i = 1; i <= (int)trusted_groups[0] && !f.trusted_caller; i++)
       if (trusted_groups[i] == real_gid)
-        trusted_caller = TRUE;
-      else for (j = 0; j < group_count && !trusted_caller; j++)
+        f.trusted_caller = TRUE;
+      else for (j = 0; j < group_count && !f.trusted_caller; j++)
         if (trusted_groups[i] == group_list[j])
-          trusted_caller = TRUE;
+          f.trusted_caller = TRUE;
   }
 
 /* At this point, we know if the user is privileged and some command-line
 options become possibly impermissible, depending upon the configuration file. */
 
-if (checking && commandline_checks_require_admin && !admin_user) {
-  fprintf(stderr, "exim: those command-line flags are set to require admin\n");
-  exit(EXIT_FAILURE);
-}
+if (checking && commandline_checks_require_admin && !f.admin_user)
+  exim_fail("exim: those command-line flags are set to require admin\n");
 
 /* Handle the decoding of logging options. */
 
@@ -3890,39 +3760,28 @@
 /* If domain literals are not allowed, check the sender address that was
 supplied with -f. Ditto for a stripped trailing dot. */
 
-if (sender_address != NULL)
+if (sender_address)
   {
   if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
-    {
-    fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
+    exim_fail("exim: bad -f address \"%s\": domain literals not "
       "allowed\n", sender_address);
-    return EXIT_FAILURE;
-    }
   if (f_end_dot && !strip_trailing_dot)
-    {
-    fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed "
+    exim_fail("exim: bad -f address \"%s.\": domain is malformed "
       "(trailing dot not allowed)\n", sender_address);
-    return EXIT_FAILURE;
-    }
   }
 
 /* See if an admin user overrode our logging. */
 
-if (cmdline_syslog_name != NULL)
-  {
-  if (admin_user)
+if (cmdline_syslog_name)
+  if (f.admin_user)
     {
     syslog_processname = cmdline_syslog_name;
     log_file_path = string_copy(CUS"syslog");
     }
   else
-    {
     /* not a panic, non-privileged users should not be able to spam paniclog */
-    fprintf(stderr,
+    exim_fail(
         "exim: you lack sufficient privilege to specify syslog process name\n");
-    return EXIT_FAILURE;
-    }
-  }
 
 /* Paranoia check of maximum lengths of certain strings. There is a check
 on the length of the log file path in log.c, which will come into effect
@@ -3952,7 +3811,7 @@
     "syslog_processname is longer than 32 chars: aborting");
 
 if (log_oneline)
-  if (admin_user)
+  if (f.admin_user)
     {
     log_write(0, LOG_MAIN, "%s", log_oneline);
     return EXIT_SUCCESS;
@@ -3994,7 +3853,7 @@
 timestamps_utc is set, because then all times are in UTC anyway. */
 
 if (timezone_string && strcmpic(timezone_string, US"UTC") == 0)
-  timestamps_utc = TRUE;
+  f.timestamps_utc = TRUE;
 else
   {
   uschar *envtz = US getenv("TZ");
@@ -4047,14 +3906,14 @@
       trusted configuration file (when deliver_drop_privilege is false). */
 
 if (  removed_privilege
-   && (!trusted_config || opt_D_used)
+   && (!f.trusted_config || opt_D_used)
    && real_uid == exim_uid)
   if (deliver_drop_privilege)
-    really_exim = TRUE; /* let logging work normally */
+    f.really_exim = TRUE; /* let logging work normally */
   else
     log_write(0, LOG_MAIN|LOG_PANIC,
       "exim user lost privilege for using %s option",
-      trusted_config? "-D" : "-C");
+      f.trusted_config? "-D" : "-C");
 
 /* Start up Perl interpreter if Perl support is configured and there is a
 perl_startup option, and the configuration or the command line specifies
@@ -4068,12 +3927,8 @@
   {
   uschar *errstr;
   DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
-  errstr = init_perl(opt_perl_startup);
-  if (errstr != NULL)
-    {
-    fprintf(stderr, "exim: error in perl_startup code: %s\n", errstr);
-    return EXIT_FAILURE;
-    }
+  if ((errstr = init_perl(opt_perl_startup)))
+    exim_fail("exim: error in perl_startup code: %s\n", errstr);
   opt_perl_started = TRUE;
   }
 #endif /* EXIM_PERL */
@@ -4083,16 +3938,24 @@
 Don't attempt it if logging is disabled, or if listing variables or if
 verifying/testing addresses or expansions. */
 
-if (((debug_selector & D_any) != 0 || LOGGING(arguments))
-      && really_exim && !list_options && !checking)
+if (  (debug_selector & D_any  ||  LOGGING(arguments))
+   && f.really_exim && !list_options && !checking)
   {
   int i;
   uschar *p = big_buffer;
   Ustrcpy(p, "cwd= (failed)");
 
-  Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
+  if (!initial_cwd)
+    p += 13;
+  else
+    {
+    Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
+    p += 4 + Ustrlen(initial_cwd);
+    /* in case p is near the end and we don't provide enough space for
+     * string_format to be willing to write. */
+    *p = '\0';
+    }
 
-  while (*p) p++;
   (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
   while (*p) p++;
   for (i = 0; i < argc; i++)
@@ -4163,8 +4026,7 @@
       (argv[1] == NULL)? US"" : argv[1]);
 
     execv(CS argv[0], (char *const *)argv);
-    fprintf(stderr, "exim: exec failed: %s\n", strerror(errno));
-    exit(EXIT_FAILURE);
+    exim_fail("exim: exec failed: %s\n", strerror(errno));
     }
   else
     {
@@ -4177,8 +4039,8 @@
 configuration file.  We leave these prints here to ensure that syslog setup,
 logfile setup, and so on has already happened. */
 
-if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
-if (admin_user) DEBUG(D_any) debug_printf("admin user\n");
+if (f.trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
+if (f.admin_user) DEBUG(D_any) debug_printf("admin user\n");
 
 /* Only an admin user may start the daemon or force a queue run in the default
 configuration, but the queue run restriction can be relaxed. Only an admin
@@ -4188,18 +4050,15 @@
 count. Only an admin user can use the test interface to scan for email
 (because Exim will be in the spool dir and able to look at mails). */
 
-if (!admin_user)
+if (!f.admin_user)
   {
   BOOL debugset = (debug_selector & ~D_v) != 0;
-  if (deliver_give_up || daemon_listen || malware_test_file ||
+  if (deliver_give_up || f.daemon_listen || malware_test_file ||
      (count_queue && queue_list_requires_admin) ||
      (list_queue && queue_list_requires_admin) ||
      (queue_interval >= 0 && prod_requires_admin) ||
-     (debugset && !running_in_test_harness))
-    {
-    fprintf(stderr, "exim:%s permission denied\n", debugset? " debugging" : "");
-    exit(EXIT_FAILURE);
-    }
+     (debugset && !f.running_in_test_harness))
+    exim_fail("exim:%s permission denied\n", debugset? " debugging" : "");
   }
 
 /* If the real user is not root or the exim uid, the argument for passing
@@ -4210,20 +4069,17 @@
 
 if (real_uid != root_uid && real_uid != exim_uid &&
      (continue_hostname != NULL ||
-       (dont_deliver &&
-         (queue_interval >= 0 || daemon_listen || msg_action_arg > 0)
-       )) && !running_in_test_harness)
-  {
-  fprintf(stderr, "exim: Permission denied\n");
-  return EXIT_FAILURE;
-  }
+       (f.dont_deliver &&
+         (queue_interval >= 0 || f.daemon_listen || msg_action_arg > 0)
+       )) && !f.running_in_test_harness)
+  exim_fail("exim: Permission denied\n");
 
 /* If the caller is not trusted, certain arguments are ignored when running for
 real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
 Note that authority for performing certain actions on messages is tested in the
 queue_action() function. */
 
-if (!trusted_caller && !checking)
+if (!f.trusted_caller && !checking)
   {
   sender_host_name = sender_host_address = interface_address =
     sender_ident = received_protocol = NULL;
@@ -4246,16 +4102,13 @@
 /* If the caller is trusted, then they can use -G to suppress_local_fixups. */
 if (flag_G)
   {
-  if (trusted_caller)
+  if (f.trusted_caller)
     {
-    suppress_local_fixups = suppress_local_fixups_default = TRUE;
+    f.suppress_local_fixups = f.suppress_local_fixups_default = TRUE;
     DEBUG(D_acl) debug_printf("suppress_local_fixups forced on by -G\n");
     }
   else
-    {
-    fprintf(stderr, "exim: permission denied (-G requires a trusted user)\n");
-    return EXIT_FAILURE;
-    }
+    exim_fail("exim: permission denied (-G requires a trusted user)\n");
   }
 
 /* If an SMTP message is being received check to see if the standard input is a
@@ -4283,18 +4136,15 @@
 
       if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
         {
-        is_inetd = TRUE;
+        f.is_inetd = TRUE;
         sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock),
           NULL, &sender_host_port);
         if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from "
           "inetd is not supported when mua_wrapper is set");
         }
       else
-        {
-        fprintf(stderr,
+        exim_fail(
           "exim: Permission denied (unprivileged user, unprivileged port)\n");
-        return EXIT_FAILURE;
-        }
       }
     }
   }
@@ -4306,7 +4156,7 @@
 #ifdef LOAD_AVG_NEEDS_ROOT
 if (receiving_message &&
       (queue_only_load >= 0 ||
-        (is_inetd && smtp_load_reserve >= 0)
+        (f.is_inetd && smtp_load_reserve >= 0)
       ))
   {
   load_average = OS_GETLOADAVG();
@@ -4338,7 +4188,7 @@
 
 if (!unprivileged &&                      /* originally had root AND */
     !removed_privilege &&                 /* still got root AND      */
-    !daemon_listen &&                     /* not starting the daemon */
+    !f.daemon_listen &&                     /* not starting the daemon */
     queue_interval <= 0 &&                /* (either kind of daemon) */
       (                                   /*    AND EITHER           */
       deliver_drop_privilege ||           /* requested unprivileged  */
@@ -4346,7 +4196,7 @@
         queue_interval < 0 &&             /* not running the queue   */
         (msg_action_arg < 0 ||            /*       and               */
           msg_action != MSG_DELIVER) &&   /* not delivering and      */
-        (!checking || !address_test_mode) /* not address checking    */
+        (!checking || !f.address_test_mode) /* not address checking    */
    )  ) )
   exim_setugid(exim_uid, exim_gid, TRUE, US"privilege not needed");
 
@@ -4363,11 +4213,7 @@
   no need to complain then. */
   if (rv == -1)
     if (!(unprivileged || removed_privilege))
-      {
-      fprintf(stderr,
-          "exim: changing group failed: %s\n", strerror(errno));
-      exit(EXIT_FAILURE);
-      }
+      exim_fail("exim: changing group failed: %s\n", strerror(errno));
     else
       DEBUG(D_any) debug_printf("changing group to %ld failed: %s\n",
           (long int)exim_gid, strerror(errno));
@@ -4428,6 +4274,12 @@
   int yield = EXIT_SUCCESS;
   set_process_info("acting on specified messages");
 
+  /* ACL definitions may be needed when removing a message (-Mrm) because
+  event_action gets expanded */
+
+  if (msg_action == MSG_REMOVE)
+    readconf_rest();
+
   if (!one_msg_action)
     {
     for (i = msg_action_arg; i < argc; i++)
@@ -4441,7 +4293,7 @@
   }
 
 /* We used to set up here to skip reading the ACL section, on
- (msg_action_arg > 0 || (queue_interval == 0 && !daemon_listen)
+ (msg_action_arg > 0 || (queue_interval == 0 && !f.daemon_listen)
 Now, since the intro of the ${acl } expansion, ACL definitions may be
 needed in transports so we lost the optimisation. */
 
@@ -4637,13 +4489,13 @@
 
 if (msg_action_arg > 0 && msg_action != MSG_LOAD)
   {
-  if (prod_requires_admin && !admin_user)
+  if (prod_requires_admin && !f.admin_user)
     {
     fprintf(stderr, "exim: Permission denied\n");
     exim_exit(EXIT_FAILURE, US"main");
     }
   set_process_info("delivering specified messages");
-  if (deliver_give_up) forced_delivery = deliver_force_thaw = TRUE;
+  if (deliver_give_up) forced_delivery = f.deliver_force_thaw = TRUE;
   for (i = msg_action_arg; i < argc; i++)
     {
     int status;
@@ -4670,7 +4522,7 @@
 /* If only a single queue run is requested, without SMTP listening, we can just
 turn into a queue runner, with an optional starting message id. */
 
-if (queue_interval == 0 && !daemon_listen)
+if (queue_interval == 0 && !f.daemon_listen)
   {
   DEBUG(D_queue_run) debug_printf("Single queue run%s%s%s%s\n",
     (start_queue_run_id == NULL)? US"" : US" starting at ",
@@ -4707,7 +4559,7 @@
 
     if (!originator_name)
       {
-      if (!sender_address || (!trusted_caller && filter_test == FTEST_NONE))
+      if (!sender_address || (!f.trusted_caller && filter_test == FTEST_NONE))
         {
         uschar *name = US pw->pw_gecos;
         uschar *amp = Ustrchr(name, '&');
@@ -4772,7 +4624,7 @@
 configuration specifies something to use. When running in the test harness,
 any setting of unknown_login overrides the actual name. */
 
-if (originator_login == NULL || running_in_test_harness)
+if (originator_login == NULL || f.running_in_test_harness)
   {
   if (unknown_login != NULL)
     {
@@ -4807,7 +4659,7 @@
 for incoming messages via the daemon. The daemon cannot be run in mua_wrapper
 mode. */
 
-if (daemon_listen || inetd_wait_mode || queue_interval > 0)
+if (f.daemon_listen || f.inetd_wait_mode || queue_interval > 0)
   {
   if (mua_wrapper)
     {
@@ -4831,7 +4683,7 @@
 
 if (test_rewrite_arg >= 0)
   {
-  really_exim = FALSE;
+  f.really_exim = FALSE;
   if (test_rewrite_arg >= argc)
     {
     printf("-brw needs an address argument\n");
@@ -4846,9 +4698,9 @@
 message via SMTP (inetd invocation or otherwise). */
 
 if ((sender_address == NULL && !smtp_input) ||
-    (!trusted_caller && filter_test == FTEST_NONE))
+    (!f.trusted_caller && filter_test == FTEST_NONE))
   {
-  sender_local = TRUE;
+  f.sender_local = TRUE;
 
   /* A trusted caller can supply authenticated_sender and authenticated_id
   via -oMas and -oMai and if so, they will already be set. Otherwise, force
@@ -4881,14 +4733,14 @@
        !checking))                       /* Not running tests, including filter tests */
     {
     sender_address = originator_login;
-    sender_address_forced = FALSE;
+    f.sender_address_forced = FALSE;
     sender_address_domain = 0;
     }
   }
 
 /* Remember whether an untrusted caller set the sender address */
 
-sender_set_untrusted = sender_address != originator_login && !trusted_caller;
+f.sender_set_untrusted = sender_address != originator_login && !f.trusted_caller;
 
 /* Ensure that the sender address is fully qualified unless it is the empty
 address, which indicates an error message, or doesn't exist (root caller, smtp
@@ -4907,7 +4759,7 @@
 stdin. Set debug_level to at least D_v to get full output for address testing.
 */
 
-if (verify_address_mode || address_test_mode)
+if (verify_address_mode || f.address_test_mode)
   {
   int exit_value = 0;
   int flags = vopt_qualify;
@@ -4967,11 +4819,8 @@
   if (msg_action_arg > 0 && msg_action == MSG_LOAD)
     {
     uschar spoolname[256];  /* Not big_buffer; used in spool_read_header() */
-    if (!admin_user)
-      {
-      fprintf(stderr, "exim: permission denied\n");
-      exit(EXIT_FAILURE);
-      }
+    if (!f.admin_user)
+      exim_fail("exim: permission denied\n");
     message_id = argv[msg_action_arg];
     (void)string_format(spoolname, sizeof(spoolname), "%s-H", message_id);
     if ((deliver_datafile = spool_open_datafile(message_id)) < 0)
@@ -4988,11 +4837,8 @@
     int save_stdin = dup(0);
     int fd = Uopen(expansion_test_message, O_RDONLY, 0);
     if (fd < 0)
-      {
-      fprintf(stderr, "exim: failed to open %s: %s\n", expansion_test_message,
+      exim_fail("exim: failed to open %s: %s\n", expansion_test_message,
         strerror(errno));
-      return EXIT_FAILURE;
-      }
     (void) dup2(fd, 0);
     filter_test = FTEST_USER;      /* Fudge to make it look like filter test */
     message_ended = END_NOTENDED;
@@ -5005,11 +4851,11 @@
 
   /* Only admin users may see config-file macros this way */
 
-  if (!admin_user) macros_user = macros = mlast = NULL;
+  if (!f.admin_user) macros_user = macros = mlast = NULL;
 
   /* Allow $recipients for this testing */
 
-  enable_dollar_recipients = TRUE;
+  f.enable_dollar_recipients = TRUE;
 
   /* Expand command line items */
 
@@ -5059,7 +4905,7 @@
   uschar *nah = expand_string(raw_active_hostname);
   if (nah == NULL)
     {
-    if (!expand_string_forcedfail)
+    if (!f.expand_string_forcedfail)
       log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand \"%s\" "
         "(smtp_active_hostname): %s", raw_active_hostname,
         expand_string_message);
@@ -5082,7 +4928,7 @@
   if (!sender_ident_set)
     {
     sender_ident = NULL;
-    if (running_in_test_harness && sender_host_port != 0 &&
+    if (f.running_in_test_harness && sender_host_port != 0 &&
         interface_address != NULL && interface_port != 0)
       verify_get_ident(1413);
     }
@@ -5100,8 +4946,8 @@
   smtp_input = TRUE;
   smtp_in = stdin;
   smtp_out = stdout;
-  sender_local = FALSE;
-  sender_host_notsocket = TRUE;
+  f.sender_local = FALSE;
+  f.sender_host_notsocket = TRUE;
   debug_file = stderr;
   debug_fd = fileno(debug_file);
   fprintf(stdout, "\n**** SMTP testing session as if from host %s\n"
@@ -5152,6 +4998,8 @@
   {
   if (version_printed)
     {
+    if (Ustrchr(config_main_filelist, ':'))
+      printf("Configuration file search path is %s\n", config_main_filelist);
     printf("Configuration file is %s\n", config_main_filename);
     return EXIT_SUCCESS;
     }
@@ -5183,11 +5031,11 @@
 
 if (mua_wrapper)
   {
-  synchronous_delivery = TRUE;
+  f.synchronous_delivery = TRUE;
   arg_error_handling = ERRORS_STDERR;
   remote_max_parallel = 1;
   deliver_drop_privilege = TRUE;
-  queue_smtp = FALSE;
+  f.queue_smtp = FALSE;
   queue_smtp_domains = NULL;
 #ifdef SUPPORT_I18N
   message_utf8_downconvert = -1;	/* convert-if-needed */
@@ -5210,7 +5058,7 @@
 logging being sent down the socket and make an identd call to get the
 sender_ident. */
 
-else if (is_inetd)
+else if (f.is_inetd)
   {
   (void)fclose(stderr);
   exim_nullstd();                       /* Re-open to /dev/null */
@@ -5230,13 +5078,13 @@
   host_build_sender_fullhost();
   set_process_info("handling incoming connection from %s via -oMa",
     sender_fullhost);
-  sender_host_notsocket = TRUE;
+  f.sender_host_notsocket = TRUE;
   }
 
 /* Otherwise, set the sender host as unknown except for inetd calls. This
 prevents host checking in the case of -bs not from inetd and also for -bS. */
 
-else if (!is_inetd) sender_host_unknown = TRUE;
+else if (!f.is_inetd) f.sender_host_unknown = TRUE;
 
 /* If stdout does not exist, then dup stdin to stdout. This can happen
 if exim is started from inetd. In this case fd 0 will be set to the socket,
@@ -5252,7 +5100,7 @@
 
 if (smtp_input)
   {
-  if (!is_inetd) set_process_info("accepting a local %sSMTP message from <%s>",
+  if (!f.is_inetd) set_process_info("accepting a local %sSMTP message from <%s>",
     smtp_batched_input? "batched " : "",
     (sender_address!= NULL)? sender_address : originator_login);
   }
@@ -5279,10 +5127,7 @@
 error code is given.) */
 
 if ((!smtp_input || smtp_batched_input) && !receive_check_fs(0))
-  {
-  fprintf(stderr, "exim: insufficient disk space\n");
-  return EXIT_FAILURE;
-  }
+  exim_fail("exim: insufficient disk space\n");
 
 /* If this is smtp input of any kind, real or batched, handle the start of the
 SMTP session.
@@ -5349,7 +5194,7 @@
 As a consequence of this, the waitpid() below is now excluded if we are sure
 that SIG_IGN works. */
 
-if (!synchronous_delivery)
+if (!f.synchronous_delivery)
   {
   #ifdef SA_NOCLDWAIT
   struct sigaction act;
@@ -5404,10 +5249,10 @@
       if (smtp_batched_input && acl_not_smtp_start != NULL)
         {
         uschar *user_msg, *log_msg;
-        enable_dollar_recipients = TRUE;
+        f.enable_dollar_recipients = TRUE;
         (void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
           &user_msg, &log_msg);
-        enable_dollar_recipients = FALSE;
+        f.enable_dollar_recipients = FALSE;
         }
 
       /* Now get the data for the message */
@@ -5444,8 +5289,8 @@
 
     /* These options cannot be changed dynamically for non-SMTP messages */
 
-    active_local_sender_retain = local_sender_retain;
-    active_local_from_check = local_from_check;
+    f.active_local_sender_retain = local_sender_retain;
+    f.active_local_from_check = local_from_check;
 
     /* Save before any rewriting */
 
@@ -5498,7 +5343,7 @@
 	  allow_utf8_domains = b;
 	}
 #endif
-        if (domain == 0 && !allow_unqualified_recipient)
+        if (domain == 0 && !f.allow_unqualified_recipient)
           {
           recipient = NULL;
           errmess = US"unqualified recipient address not allowed";
@@ -5552,10 +5397,10 @@
     if (acl_not_smtp_start)
       {
       uschar *user_msg, *log_msg;
-      enable_dollar_recipients = TRUE;
+      f.enable_dollar_recipients = TRUE;
       (void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
         &user_msg, &log_msg);
-      enable_dollar_recipients = FALSE;
+      f.enable_dollar_recipients = FALSE;
       }
 
     /* Pause for a while waiting for input.  If none received in that time,
@@ -5687,7 +5532,7 @@
   are ignored. */
 
   if (mua_wrapper)
-    local_queue_only = queue_only_policy = deliver_freeze = FALSE;
+    local_queue_only = f.queue_only_policy = f.deliver_freeze = FALSE;
 
   /* Log the queueing here, when it will get a message id attached, but
   not if queue_only is set (case 0). Case 1 doesn't happen here (too many
@@ -5712,7 +5557,7 @@
       }
     }
 
-  else if (queue_only_policy || deliver_freeze)
+  else if (f.queue_only_policy || f.deliver_freeze)
     cancel_cutthrough_connection(TRUE, US"no delivery; queueing");
 
   /* Else do the delivery unless the ACL or local_scan() called for queue only
@@ -5764,7 +5609,7 @@
       /* In the parent, wait if synchronous delivery is required. This will
       always be the case in MUA wrapper mode. */
 
-      if (synchronous_delivery)
+      if (f.synchronous_delivery)
 	{
 	int status;
 	while (wait(&status) != pid);
diff -Nru exim4-4.91/src/exim_dbutil.c exim4-4.92~RC4/src/exim_dbutil.c
--- exim4-4.91/src/exim_dbutil.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/exim_dbutil.c	2018-12-27 13:36:19.000000000 +0000
@@ -253,14 +253,20 @@
 int rc;
 struct flock lock_data;
 BOOL read_only = flags == O_RDONLY;
-uschar dirname[256], filename[256];
+uschar * dirname, * filename;
 
 /* The first thing to do is to open a separate file on which to lock. This
 ensures that Exim has exclusive use of the database before it even tries to
 open it. If there is a database, there should be a lock file in existence. */
 
-snprintf(CS dirname, sizeof(dirname), "%s/db", spool_directory);
-snprintf(CS filename, sizeof(filename), "%s/%.200s.lockfile", dirname, name);
+#ifdef COMPILE_UTILITY
+if (  asprintf(CSS &dirname, "%s/db", spool_directory) < 0
+   || asprintf(CSS &filename, "%s/%s.lockfile", dirname, name) < 0)
+  return NULL;
+#else
+dirname = string_sprintf("%s/db", spool_directory);
+filename = string_sprintf("%s/%s.lockfile", dirname, name);
+#endif
 
 dbblock->lockfd = Uopen(filename, flags, 0);
 if (dbblock->lockfd < 0)
@@ -273,14 +279,14 @@
 /* Now we must get a lock on the opened lock file; do this with a blocking
 lock that times out. */
 
-lock_data.l_type = read_only? F_RDLCK : F_WRLCK;
+lock_data.l_type = read_only ? F_RDLCK : F_WRLCK;
 lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
 
 sigalrm_seen = FALSE;
 os_non_restarting_signal(SIGALRM, sigalrm_handler);
-alarm(EXIMDB_LOCK_TIMEOUT);
+ALARM(EXIMDB_LOCK_TIMEOUT);
 rc = fcntl(dbblock->lockfd, F_SETLKW, &lock_data);
-alarm(0);
+ALARM_CLR(0);
 
 if (sigalrm_seen) errno = ETIMEDOUT;
 if (rc < 0)
@@ -296,10 +302,14 @@
 /* At this point we have an opened and locked separate lock file, that is,
 exclusive access to the database, so we can go ahead and open it. */
 
-sprintf(CS filename, "%s/%s", dirname, name);
+#ifdef COMPILE_UTILITY
+if (asprintf(CSS &filename, "%s/%s", dirname, name) < 0) return NULL;
+#else
+filename = string_sprintf("%s/%s", dirname, name);
+#endif
 EXIM_DBOPEN(filename, dirname, flags, 0, &(dbblock->dbptr));
 
-if (dbblock->dbptr == NULL)
+if (!dbblock->dbptr)
   {
   printf("** Failed to open DBM file %s for %s:\n   %s%s\n", filename,
     read_only? "reading" : "writing", strerror(errno),
diff -Nru exim4-4.91/src/exim.h exim4-4.92~RC4/src/exim.h
--- exim4-4.91/src/exim.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/exim.h	2018-12-27 13:36:19.000000000 +0000
@@ -284,18 +284,6 @@
 #include <arpa/nameser.h>
 
 
-/* If arpa/nameser.h defines a maximum name server packet size, use it,
-provided it is greater than 2048. Otherwise go for a default. PACKETSZ was used
-for this, but it seems that NS_PACKETSZ is coming into use. */
-
-#if defined(NS_PACKETSZ) && NS_PACKETSZ >= 2048
-  #define MAXPACKET NS_PACKETSZ
-#elif defined(PACKETSZ) && PACKETSZ >= 2048
-  #define MAXPACKET PACKETSZ
-#else
-  #define MAXPACKET 2048
-#endif
-
 /* While IPv6 is still young the definitions of T_AAAA and T_A6 may not be
 included in arpa/nameser.h. Fudge them here. */
 
@@ -603,5 +591,11 @@
 # define POLLRDHUP (POLLIN | POLLHUP)
 #endif
 
+/* Some platforms (Darwin) have to define a larger limit on groups membership */
+
+#ifndef EXIM_GROUPLIST_SIZE
+# define EXIM_GROUPLIST_SIZE NGROUPS_MAX
+#endif
+
 #endif
 /* End of exim.h */
diff -Nru exim4-4.91/src/eximstats.src exim4-4.92~RC4/src/eximstats.src
--- exim4-4.91/src/eximstats.src	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/eximstats.src	2018-12-27 13:36:19.000000000 +0000
@@ -533,7 +533,7 @@
 
 =head1 AUTHOR
 
-There is a web site at http://www.exim.org - this contains details of the
+There is a website at https://www.exim.org - this contains details of the
 mailing list exim-users@exim.org.
 
 =head1 TO DO
diff -Nru exim4-4.91/src/expand.c exim4-4.92~RC4/src/expand.c
--- exim4-4.91/src/expand.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/expand.c	2018-12-27 13:36:19.000000000 +0000
@@ -462,6 +462,8 @@
   { "address_file",        vtype_stringptr,   &address_file },
   { "address_pipe",        vtype_stringptr,   &address_pipe },
 #ifdef EXPERIMENTAL_ARC
+  { "arc_domains",         vtype_string_func, &fn_arc_domains },
+  { "arc_oldest_pass",     vtype_int,         &arc_oldest_pass },
   { "arc_state",           vtype_stringptr,   &arc_state },
   { "arc_state_reason",    vtype_stringptr,   &arc_state_reason },
 #endif
@@ -562,7 +564,9 @@
   { "local_part_data",     vtype_stringptr,   &deliver_localpart_data },
   { "local_part_prefix",   vtype_stringptr,   &deliver_localpart_prefix },
   { "local_part_suffix",   vtype_stringptr,   &deliver_localpart_suffix },
+#ifdef HAVE_LOCAL_SCAN
   { "local_scan_data",     vtype_stringptr,   &local_scan_data },
+#endif
   { "local_user_gid",      vtype_gid,         &local_user_gid },
   { "local_user_uid",      vtype_uid,         &local_user_uid },
   { "localhost_number",    vtype_int,         &host_number },
@@ -656,6 +660,9 @@
   { "regex_match_string",  vtype_stringptr,   &regex_match_string },
 #endif
   { "reply_address",       vtype_reply,       NULL },
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+  { "requiretls",          vtype_bool,        &tls_requiretls },
+#endif
   { "return_path",         vtype_stringptr,   &return_path },
   { "return_size_limit",   vtype_int,         &bounce_return_size_limit },
   { "router_name",         vtype_stringptr,   &router_name },
@@ -813,6 +820,10 @@
 static uschar *mtable_sticky[] =
   { US"--T", US"--t", US"-wT", US"-wt", US"r-T", US"r-t", US"rwT", US"rwt" };
 
+/* flags for find_header() */
+#define FH_EXISTS_ONLY	BIT(0)
+#define FH_WANT_RAW	BIT(1)
+#define FH_WANT_LIST	BIT(2)
 
 
 /*************************************************
@@ -916,7 +927,7 @@
 uschar *ss = expand_string(condition);
 if (ss == NULL)
   {
-  if (!expand_string_forcedfail && !search_find_defer)
+  if (!f.expand_string_forcedfail && !f.search_find_defer)
     log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand condition \"%s\" "
       "for %s %s: %s", condition, m1, m2, expand_string_message);
   return FALSE;
@@ -1122,20 +1133,20 @@
 */
 
 static uschar *
-expand_getkeyed(uschar *key, const uschar *s)
+expand_getkeyed(uschar * key, const uschar * s)
 {
 int length = Ustrlen(key);
 while (isspace(*s)) s++;
 
 /* Loop to search for the key */
 
-while (*s != 0)
+while (*s)
   {
   int dkeylength;
-  uschar *data;
-  const uschar *dkey = s;
+  uschar * data;
+  const uschar * dkey = s;
 
-  while (*s != 0 && *s != '=' && !isspace(*s)) s++;
+  while (*s && *s != '=' && !isspace(*s)) s++;
   dkeylength = s - dkey;
   while (isspace(*s)) s++;
   if (*s == '=') while (isspace((*(++s))));
@@ -1246,17 +1257,17 @@
 static uschar *
 expand_getlistele(int field, const uschar * list)
 {
-const uschar * tlist= list;
-int sep= 0;
+const uschar * tlist = list;
+int sep = 0;
 uschar dummy;
 
-if(field<0)
+if (field < 0)
   {
-  for(field++; string_nextinlist(&tlist, &sep, &dummy, 1); ) field++;
-  sep= 0;
+  for (field++; string_nextinlist(&tlist, &sep, &dummy, 1); ) field++;
+  sep = 0;
   }
-if(field==0) return NULL;
-while(--field>0 && (string_nextinlist(&list, &sep, &dummy, 1))) ;
+if (field == 0) return NULL;
+while (--field > 0 && (string_nextinlist(&list, &sep, &dummy, 1))) ;
 return string_nextinlist(&list, &sep, NULL, 0);
 }
 
@@ -1517,22 +1528,25 @@
 specific headers that contain lists of addresses, a comma is inserted between
 them. Otherwise we use a straight concatenation. Because some messages can have
 pathologically large number of lines, there is a limit on the length that is
-returned. Also, to avoid massive store use which would result from using
-string_cat() as it copies and extends strings, we do a preliminary pass to find
-out exactly how much store will be needed. On "normal" messages this will be
-pretty trivial.
+returned.
 
 Arguments:
   name          the name of the header, without the leading $header_ or $h_,
                 or NULL if a concatenation of all headers is required
-  exists_only   TRUE if called from a def: test; don't need to build a string;
-                just return a string that is not "" and not "0" if the header
-                exists
   newsize       return the size of memory block that was obtained; may be NULL
                 if exists_only is TRUE
-  want_raw      TRUE if called for $rh_ or $rheader_ variables; no processing,
-                other than concatenating, will be done on the header. Also used
-                for $message_headers_raw.
+  flags		FH_EXISTS_ONLY
+		  set if called from a def: test; don't need to build a string;
+		  just return a string that is not "" and not "0" if the header
+		  exists
+		FH_WANT_RAW
+		  set if called for $rh_ or $rheader_ items; no processing,
+		  other than concatenating, will be done on the header. Also used
+		  for $message_headers_raw.
+		FH_WANT_LIST
+		  Double colon chars in the content, and replace newline with
+		  colon between each element when concatenating; returning a
+		  colon-sep list (elements might contain newlines)
   charset       name of charset to translate MIME words to; used only if
                 want_raw is false; if NULL, no translation is done (this is
                 used for $bh_ and $bheader_)
@@ -1542,134 +1556,113 @@
 */
 
 static uschar *
-find_header(uschar *name, BOOL exists_only, int *newsize, BOOL want_raw,
-  uschar *charset)
+find_header(uschar *name, int *newsize, unsigned flags, uschar *charset)
 {
-BOOL found = name == NULL;
-int comma = 0;
-int len = found? 0 : Ustrlen(name);
-int i;
-uschar *yield = NULL;
-uschar *ptr = NULL;
-
-/* Loop for two passes - saves code repetition */
-
-for (i = 0; i < 2; i++)
-  {
-  int size = 0;
-  header_line *h;
-
-  for (h = header_list; size < header_insert_maxlen && h; h = h->next)
-    if (h->type != htype_old && h->text)  /* NULL => Received: placeholder */
-      if (!name || (len <= h->slen && strncmpic(name, h->text, len) == 0))
-        {
-        int ilen;
-        uschar *t;
-
-        if (exists_only) return US"1";      /* don't need actual string */
-        found = TRUE;
-        t = h->text + len;                  /* text to insert */
-        if (!want_raw)                      /* unless wanted raw, */
-          while (isspace(*t)) t++;          /* remove leading white space */
-        ilen = h->slen - (t - h->text);     /* length to insert */
-
-        /* Unless wanted raw, remove trailing whitespace, including the
-        newline. */
-
-        if (!want_raw)
-          while (ilen > 0 && isspace(t[ilen-1])) ilen--;
-
-        /* Set comma = 1 if handling a single header and it's one of those
-        that contains an address list, except when asked for raw headers. Only
-        need to do this once. */
-
-        if (!want_raw && name && comma == 0 &&
-            Ustrchr("BCFRST", h->type) != NULL)
-          comma = 1;
-
-        /* First pass - compute total store needed; second pass - compute
-        total store used, including this header. */
-
-        size += ilen + comma + 1;  /* +1 for the newline */
-
-        /* Second pass - concatenate the data, up to a maximum. Note that
-        the loop stops when size hits the limit. */
-
-        if (i != 0)
-          {
-          if (size > header_insert_maxlen)
-            {
-            ilen -= size - header_insert_maxlen - 1;
-            comma = 0;
-            }
-          Ustrncpy(ptr, t, ilen);
-          ptr += ilen;
+BOOL found = !name;
+int len = name ? Ustrlen(name) : 0;
+BOOL comma = FALSE;
+header_line * h;
+gstring * g = NULL;
 
-          /* For a non-raw header, put in the comma if needed, then add
-          back the newline we removed above, provided there was some text in
-          the header. */
+for (h = header_list; h; h = h->next)
+  if (h->type != htype_old && h->text)  /* NULL => Received: placeholder */
+    if (!name || (len <= h->slen && strncmpic(name, h->text, len) == 0))
+      {
+      uschar * s, * t;
+      size_t inc;
+
+      if (flags & FH_EXISTS_ONLY)
+	return US"1";  /* don't need actual string */
+
+      found = TRUE;
+      s = h->text + len;		/* text to insert */
+      if (!(flags & FH_WANT_RAW))	/* unless wanted raw, */
+	while (isspace(*s)) s++;	/* remove leading white space */
+      t = h->text + h->slen;		/* end-point */
+
+      /* Unless wanted raw, remove trailing whitespace, including the
+      newline. */
+
+      if (flags & FH_WANT_LIST)
+	while (t > s && t[-1] == '\n') t--;
+      else if (!(flags & FH_WANT_RAW))
+	{
+	while (t > s && isspace(t[-1])) t--;
 
-          if (!want_raw && ilen > 0)
-            {
-            if (comma != 0) *ptr++ = ',';
-            *ptr++ = '\n';
-            }
-          }
-        }
+	/* Set comma if handling a single header and it's one of those
+	that contains an address list, except when asked for raw headers. Only
+	need to do this once. */
+
+	if (name && !comma && Ustrchr("BCFRST", h->type)) comma = TRUE;
+	}
+
+      /* Trim the header roughly if we're approaching limits */
+      inc = t - s;
+      if ((g ? g->ptr : 0) + inc > header_insert_maxlen)
+	inc = header_insert_maxlen - (g ? g->ptr : 0);
+
+      /* For raw just copy the data; for a list, add the data as a colon-sep
+      list-element; for comma-list add as an unchecked comma,newline sep
+      list-elemment; for other nonraw add as an unchecked newline-sep list (we
+      stripped trailing WS above including the newline). We ignore the potential
+      expansion due to colon-doubling, just leaving the loop if the limit is met
+      or exceeded. */
+
+      if (flags & FH_WANT_LIST)
+        g = string_append_listele_n(g, ':', s, (unsigned)inc);
+      else if (flags & FH_WANT_RAW)
+	{
+	g = string_catn(g, s, (unsigned)inc);
+	(void) string_from_gstring(g);
+	}
+      else if (inc > 0)
+	if (comma)
+	  g = string_append2_listele_n(g, US",\n", s, (unsigned)inc);
+	else
+	  g = string_append2_listele_n(g, US"\n", s, (unsigned)inc);
 
-  /* At end of first pass, return NULL if no header found. Then truncate size
-  if necessary, and get the buffer to hold the data, returning the buffer size.
-  */
+      if (g && g->ptr >= header_insert_maxlen) break;
+      }
 
-  if (i == 0)
-    {
-    if (!found) return NULL;
-    if (size > header_insert_maxlen) size = header_insert_maxlen;
-    *newsize = size + 1;
-    ptr = yield = store_get(*newsize);
-    }
-  }
+if (!found) return NULL;	/* No header found */
+if (!g) return US"";
 
 /* That's all we do for raw header expansion. */
 
-if (want_raw)
-  *ptr = 0;
-
-/* Otherwise, remove a final newline and a redundant added comma. Then we do
-RFC 2047 decoding, translating the charset if requested. The rfc2047_decode2()
-function can return an error with decoded data if the charset translation
-fails. If decoding fails, it returns NULL. */
+*newsize = g->size;
+if (flags & FH_WANT_RAW)
+  return g->s;
+
+/* Otherwise do RFC 2047 decoding, translating the charset if requested.
+The rfc2047_decode2() function can return an error with decoded data if the
+charset translation fails. If decoding fails, it returns NULL. */
 
 else
   {
   uschar *decoded, *error;
-  if (ptr > yield && ptr[-1] == '\n') ptr--;
-  if (ptr > yield && comma != 0 && ptr[-1] == ',') ptr--;
-  *ptr = 0;
-  decoded = rfc2047_decode2(yield, check_rfc2047_length, charset, '?', NULL,
+
+  decoded = rfc2047_decode2(g->s, check_rfc2047_length, charset, '?', NULL,
     newsize, &error);
-  if (error != NULL)
+  if (error)
     {
     DEBUG(D_any) debug_printf("*** error in RFC 2047 decoding: %s\n"
-      "    input was: %s\n", error, yield);
+      "    input was: %s\n", error, g->s);
     }
-  if (decoded != NULL) yield = decoded;
+  return decoded ? decoded : g->s;
   }
-
-return yield;
 }
 
 
 
 
-/* Append a "local" element to an Autherntication-Results: header
+/* Append a "local" element to an Authentication-Results: header
 if this was a non-smtp message.
 */
 
 static gstring *
 authres_local(gstring * g, const uschar * sysname)
 {
-if (!authentication_local)
+if (!f.authentication_local)
   return g;
 g = string_append(g, 3, US";\n\tlocal=pass (non-smtp, ", sysname, US")");
 if (authenticated_id) g = string_append(g, 2, " u=", authenticated_id);
@@ -1677,7 +1670,7 @@
 }
 
 
-/* Append an "iprev" element to an Autherntication-Results: header
+/* Append an "iprev" element to an Authentication-Results: header
 if we have attempted to get the calling host's name.
 */
 
@@ -1685,11 +1678,16 @@
 authres_iprev(gstring * g)
 {
 if (sender_host_name)
-  return string_append(g, 3, US";\n\tiprev=pass (", sender_host_name, US")");
-if (host_lookup_deferred)
-  return string_catn(g, US";\n\tiprev=temperror", 19);
-if (host_lookup_failed)
-  return string_catn(g, US";\n\tiprev=fail", 13);
+  g = string_append(g, 3, US";\n\tiprev=pass (", sender_host_name, US")");
+else if (host_lookup_deferred)
+  g = string_catn(g, US";\n\tiprev=temperror", 19);
+else if (host_lookup_failed)
+  g = string_catn(g, US";\n\tiprev=fail", 13);
+else
+  return g;
+
+if (sender_host_address)
+  g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
 return g;
 }
 
@@ -1705,18 +1703,18 @@
 static uschar *
 fn_recipients(void)
 {
+uschar * s;
 gstring * g = NULL;
 int i;
 
-if (!enable_dollar_recipients) return NULL;
+if (!f.enable_dollar_recipients) return NULL;
 
 for (i = 0; i < recipients_count; i++)
   {
-  /*XXX variant of list_appendele? */
-  if (i != 0) g = string_catn(g, US", ", 2);
-  g = string_cat(g, recipients_list[i].address);
+  s = recipients_list[i].address;
+  g = string_append2_listele_n(g, US", ", s, Ustrlen(s));
   }
-return string_from_gstring(g);
+return g ? g->s : NULL;
 }
 
 
@@ -1801,7 +1799,7 @@
 switch (vp->type)
   {
   case vtype_filter_int:
-    if (!filter_running) return NULL;
+    if (!f.filter_running) return NULL;
     /* Fall through */
     /* VVVVVVVVVVVV */
   case vtype_int:
@@ -1860,10 +1858,11 @@
     return (domain == NULL)? US"" : domain + 1;
 
   case vtype_msgheaders:
-    return find_header(NULL, exists_only, newsize, FALSE, NULL);
+    return find_header(NULL, newsize, exists_only ? FH_EXISTS_ONLY : 0, NULL);
 
   case vtype_msgheaders_raw:
-    return find_header(NULL, exists_only, newsize, TRUE, NULL);
+    return find_header(NULL, newsize,
+		exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW, NULL);
 
   case vtype_msgbody:                        /* Pointer to msgbody string */
   case vtype_msgbody_end:                    /* Ditto, the end of the msg */
@@ -1928,15 +1927,18 @@
     return tod_stamp(tod_log_datestamp_daily);
 
   case vtype_reply:                          /* Get reply address */
-    s = find_header(US"reply-to:", exists_only, newsize, TRUE,
-      headers_charset);
-    if (s != NULL) while (isspace(*s)) s++;
-    if (s == NULL || *s == 0)
+    s = find_header(US"reply-to:", newsize,
+		exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
+		headers_charset);
+    if (s) while (isspace(*s)) s++;
+    if (!s || !*s)
       {
       *newsize = 0;                            /* For the *s==0 case */
-      s = find_header(US"from:", exists_only, newsize, TRUE, headers_charset);
+      s = find_header(US"from:", newsize,
+		exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
+		headers_charset);
       }
-    if (s != NULL)
+    if (s)
       {
       uschar *t;
       while (isspace(*s)) s++;
@@ -1944,7 +1946,7 @@
       while (t > s && isspace(t[-1])) t--;
       *t = 0;
       }
-    return (s == NULL)? US"" : s;
+    return s ? s : US"";
 
   case vtype_string_func:
     {
@@ -1955,7 +1957,7 @@
   case vtype_pspace:
     {
     int inodes;
-    sprintf(CS var_buffer, "%d",
+    sprintf(CS var_buffer, PR_EXIM_ARITH,
       receive_statvfs(val == (void *)TRUE, &inodes));
     }
   return var_buffer;
@@ -2223,56 +2225,58 @@
   yield == NULL we are in a skipping state, and don't care about the answer. */
 
   case ECOND_DEF:
-  if (*s != ':')
     {
-    expand_string_message = US"\":\" expected after \"def\"";
-    return NULL;
-    }
+    uschar * t;
 
-  s = read_name(name, 256, s+1, US"_");
+    if (*s != ':')
+      {
+      expand_string_message = US"\":\" expected after \"def\"";
+      return NULL;
+      }
 
-  /* Test for a header's existence. If the name contains a closing brace
-  character, this may be a user error where the terminating colon has been
-  omitted. Set a flag to adjust a subsequent error message in this case. */
-
-  if (Ustrncmp(name, "h_", 2) == 0 ||
-      Ustrncmp(name, "rh_", 3) == 0 ||
-      Ustrncmp(name, "bh_", 3) == 0 ||
-      Ustrncmp(name, "header_", 7) == 0 ||
-      Ustrncmp(name, "rheader_", 8) == 0 ||
-      Ustrncmp(name, "bheader_", 8) == 0)
-    {
-    s = read_header_name(name, 256, s);
-    /* {-for-text-editors */
-    if (Ustrchr(name, '}') != NULL) malformed_header = TRUE;
-    if (yield != NULL) *yield =
-      (find_header(name, TRUE, NULL, FALSE, NULL) != NULL) == testfor;
-    }
+    s = read_name(name, 256, s+1, US"_");
 
-  /* Test for a variable's having a non-empty value. A non-existent variable
-  causes an expansion failure. */
+    /* Test for a header's existence. If the name contains a closing brace
+    character, this may be a user error where the terminating colon has been
+    omitted. Set a flag to adjust a subsequent error message in this case. */
+
+    if (  ( *(t = name) == 'h'
+	  || (*t == 'r' || *t == 'l' || *t == 'b') && *++t == 'h'
+	  )
+       && (*++t == '_' || Ustrncmp(t, "eader_", 6) == 0)
+       )
+      {
+      s = read_header_name(name, 256, s);
+      /* {-for-text-editors */
+      if (Ustrchr(name, '}') != NULL) malformed_header = TRUE;
+      if (yield) *yield =
+	(find_header(name, NULL, FH_EXISTS_ONLY, NULL) != NULL) == testfor;
+      }
 
-  else
-    {
-    uschar *value = find_variable(name, TRUE, yield == NULL, NULL);
-    if (value == NULL)
+    /* Test for a variable's having a non-empty value. A non-existent variable
+    causes an expansion failure. */
+
+    else
       {
-      expand_string_message = (name[0] == 0)?
-        string_sprintf("variable name omitted after \"def:\"") :
-        string_sprintf("unknown variable \"%s\" after \"def:\"", name);
-      check_variable_error_message(name);
-      return NULL;
+      if (!(t = find_variable(name, TRUE, yield == NULL, NULL)))
+	{
+	expand_string_message = (name[0] == 0)?
+	  string_sprintf("variable name omitted after \"def:\"") :
+	  string_sprintf("unknown variable \"%s\" after \"def:\"", name);
+	check_variable_error_message(name);
+	return NULL;
+	}
+      if (yield) *yield = (t[0] != 0) == testfor;
       }
-    if (yield != NULL) *yield = (value[0] != 0) == testfor;
-    }
 
-  return s;
+    return s;
+    }
 
 
   /* first_delivery tests for first delivery attempt */
 
   case ECOND_FIRST_DELIVERY:
-  if (yield != NULL) *yield = deliver_firsttime == testfor;
+  if (yield != NULL) *yield = f.deliver_firsttime == testfor;
   return s;
 
 
@@ -2427,7 +2431,7 @@
 	  break;
 
 	case DEFER:
-          expand_string_forcedfail = TRUE;
+          f.expand_string_forcedfail = TRUE;
 	  /*FALLTHROUGH*/
 	default:
           expand_string_message = string_sprintf("error from acl \"%s\"", sub[0]);
@@ -3254,8 +3258,8 @@
 be the case if we were already skipping). */
 
 sub1 = expand_string_internal(s, TRUE, &s, !yes, TRUE, resetok);
-if (sub1 == NULL && (yes || !expand_string_forcedfail)) goto FAILED;
-expand_string_forcedfail = FALSE;
+if (sub1 == NULL && (yes || !f.expand_string_forcedfail)) goto FAILED;
+f.expand_string_forcedfail = FALSE;
 if (*s++ != '}')
   {
   errwhere = US"'yes' part did not end with '}'";
@@ -3284,8 +3288,8 @@
 if (*s == '{')
   {
   sub2 = expand_string_internal(s+1, TRUE, &s, yes || skipping, TRUE, resetok);
-  if (sub2 == NULL && (!yes || !expand_string_forcedfail)) goto FAILED;
-  expand_string_forcedfail = FALSE;
+  if (sub2 == NULL && (!yes || !f.expand_string_forcedfail)) goto FAILED;
+  f.expand_string_forcedfail = FALSE;
   if (*s++ != '}')
     {
     errwhere = US"'no' part did not start with '{'";
@@ -3320,7 +3324,7 @@
 	}
       expand_string_message =
         string_sprintf("\"%s\" failed and \"fail\" requested", type);
-      expand_string_forcedfail = TRUE;
+      f.expand_string_forcedfail = TRUE;
       goto FAILED;
       }
     }
@@ -3549,6 +3553,26 @@
 }
 
 
+#ifdef SUPPORT_TLS
+static gstring *
+cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
+{
+int rc;
+uschar * s;
+uschar buffer[1024];
+
+while ((rc = tls_read(tls_ctx, buffer, sizeof(buffer))) > 0)
+  for (s = buffer; rc--; s++)
+    yield = eol && *s == '\n'
+      ? string_cat(yield, eol) : string_catn(yield, s, 1);
+
+/* We assume that all errors, and any returns of zero bytes,
+are actually EOF. */
+
+(void) string_from_gstring(yield);
+return yield;
+}
+#endif
 
 
 /*************************************************
@@ -3825,6 +3849,87 @@
 
 
 
+/* Return pointer to dewrapped string, with enclosing specified chars removed.
+The given string is modified on return.  Leading whitespace is skipped while
+looking for the opening wrap character, then the rest is scanned for the trailing
+(non-escaped) wrap character.  A backslash in the string will act as an escape.
+
+A nul is written over the trailing wrap, and a pointer to the char after the
+leading wrap is returned.
+
+Arguments:
+  s	String for de-wrapping
+  wrap  Two-char string, the first being the opener, second the closer wrapping
+        character
+Return:
+  Pointer to de-wrapped string, or NULL on error (with expand_string_message set).
+*/
+
+static uschar *
+dewrap(uschar * s, const uschar * wrap)
+{
+uschar * p = s;
+unsigned depth = 0;
+BOOL quotesmode = wrap[0] == wrap[1];
+
+while (isspace(*p)) p++;
+
+if (*p == *wrap)
+  {
+  s = ++p;
+  wrap++;
+  while (*p)
+    {
+    if (*p == '\\') p++;
+    else if (!quotesmode && *p == wrap[-1]) depth++;
+    else if (*p == *wrap)
+      if (depth == 0)
+	{
+	*p = '\0';
+	return s;
+	}
+      else
+	depth--;
+    p++;
+    }
+  }
+expand_string_message = string_sprintf("missing '%c'", *wrap);
+return NULL;
+}
+
+
+/* Pull off the leading array or object element, returning
+a copy in an allocated string.  Update the list pointer.
+
+The element may itself be an abject or array.
+*/
+
+uschar *
+json_nextinlist(const uschar ** list)
+{
+unsigned array_depth = 0, object_depth = 0;
+const uschar * s = *list, * item;
+
+while (isspace(*s)) s++;
+
+for (item = s;
+     *s && (*s != ',' || array_depth != 0 || object_depth != 0);
+     s++)
+  switch (*s)
+    {
+    case '[': array_depth++; break;
+    case ']': array_depth--; break;
+    case '{': object_depth++; break;
+    case '}': object_depth--; break;
+    }
+*list = *s ? s+1 : s;
+item = string_copyn(item, s - item);
+DEBUG(D_expand) debug_printf_indent("  json ele: '%s'\n", item);
+return US item;
+}
+
+
+
 /*************************************************
 *                 Expand string                  *
 *************************************************/
@@ -3901,13 +4006,17 @@
 
 expand_level++;
 DEBUG(D_expand)
-  debug_printf_indent(UTF8_DOWN_RIGHT "%s: %s\n",
-    skipping
-    ? UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ "scanning"
-    : "considering",
-    string);
+  DEBUG(D_noutf8)
+    debug_printf_indent("/%s: %s\n",
+      skipping ? "---scanning" : "considering", string);
+  else
+    debug_printf_indent(UTF8_DOWN_RIGHT "%s: %s\n",
+      skipping
+      ? UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ "scanning"
+      : "considering",
+      string);
 
-expand_string_forcedfail = FALSE;
+f.expand_string_forcedfail = FALSE;
 expand_string_message = US"";
 
 while (*s != 0)
@@ -3973,6 +4082,7 @@
     int len;
     int newsize = 0;
     gstring * g = NULL;
+    uschar * t;
 
     s = read_name(name, sizeof(name), s, US"_");
 
@@ -3990,17 +4100,19 @@
 
     /* Header */
 
-    if (Ustrncmp(name, "h_", 2) == 0 ||
-        Ustrncmp(name, "rh_", 3) == 0 ||
-        Ustrncmp(name, "bh_", 3) == 0 ||
-        Ustrncmp(name, "header_", 7) == 0 ||
-        Ustrncmp(name, "rheader_", 8) == 0 ||
-        Ustrncmp(name, "bheader_", 8) == 0)
-      {
-      BOOL want_raw = (name[0] == 'r')? TRUE : FALSE;
-      uschar *charset = (name[0] == 'b')? NULL : headers_charset;
+    if (  ( *(t = name) == 'h'
+          || (*t == 'r' || *t == 'l' || *t == 'b') && *++t == 'h'
+	  )
+       && (*++t == '_' || Ustrncmp(t, "eader_", 6) == 0)
+       )
+      {
+      unsigned flags = *name == 'r' ? FH_WANT_RAW
+		      : *name == 'l' ? FH_WANT_RAW|FH_WANT_LIST
+		      : 0;
+      uschar * charset = *name == 'b' ? NULL : headers_charset;
+
       s = read_header_name(name, sizeof(name), s);
-      value = find_header(name, FALSE, &newsize, want_raw, charset);
+      value = find_header(name, &newsize, flags, charset);
 
       /* If we didn't find the header, and the header contains a closing brace
       character, this may be a user error where the terminating colon
@@ -4131,7 +4243,7 @@
 	  continue;
 
 	case DEFER:
-          expand_string_forcedfail = TRUE;
+          f.expand_string_forcedfail = TRUE;
 	  /*FALLTHROUGH*/
 	default:
           expand_string_message = string_sprintf("error from acl \"%s\"", sub[0]);
@@ -4191,15 +4303,21 @@
       if (next_s == NULL) goto EXPAND_FAILED;  /* message already set */
 
       DEBUG(D_expand)
-	{
-        debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
-	  "condition: %.*s\n",
-	  (int)(next_s - s), s);
-        debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
-	  UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
-	  "result: %s\n",
-	  cond ? "true" : "false");
-	}
+	DEBUG(D_noutf8)
+	  {
+	  debug_printf_indent("|--condition: %.*s\n", (int)(next_s - s), s);
+	  debug_printf_indent("|-----result: %s\n", cond ? "true" : "false");
+	  }
+	else
+	  {
+	  debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
+	    "condition: %.*s\n",
+	    (int)(next_s - s), s);
+	  debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
+	    UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
+	    "result: %s\n",
+	    cond ? "true" : "false");
+	  }
 
       s = next_s;
 
@@ -4429,7 +4547,7 @@
           }
         lookup_value = search_find(handle, filename, key, partial, affix,
           affixlen, starflags, &expand_setup);
-        if (search_find_defer)
+        if (f.search_find_defer)
           {
           expand_string_message =
             string_sprintf("lookup of \"%s\" gave DEFER: %s",
@@ -4538,7 +4656,7 @@
           expand_string_message =
             string_sprintf("Perl subroutine \"%s\" returned undef to force "
               "failure", sub_arg[0]);
-          expand_string_forcedfail = TRUE;
+          f.expand_string_forcedfail = TRUE;
           }
         goto EXPAND_FAILED;
         }
@@ -4546,7 +4664,7 @@
       /* Yield succeeded. Ensure forcedfail is unset, just in case it got
       set during a callback from Perl. */
 
-      expand_string_forcedfail = FALSE;
+      f.expand_string_forcedfail = FALSE;
       yield = new_yield;
       continue;
       }
@@ -4696,7 +4814,7 @@
           (void)sscanf(CS now,"%u",&inow);
           (void)sscanf(CS daystamp,"%u",&iexpire);
 
-          /* When "iexpire" is < 7, a "flip" has occured.
+          /* When "iexpire" is < 7, a "flip" has occurred.
              Adjust "inow" accordingly. */
           if ( (iexpire < 7) && (inow >= 993) ) inow = 0;
 
@@ -4796,10 +4914,14 @@
       int fd;
       int timeout = 5;
       int save_ptr = yield->ptr;
-      FILE *f;
-      uschar *arg;
-      uschar *sub_arg[4];
+      FILE * fp;
+      uschar * arg;
+      uschar * sub_arg[4];
+      uschar * server_name = NULL;
+      host_item host;
       BOOL do_shutdown = TRUE;
+      BOOL do_tls = FALSE;	/* Only set under SUPPORT_TLS */
+      void * tls_ctx = NULL;	/* ditto		      */
       blob reqstr;
 
       if (expand_forbid & RDO_READSOCK)
@@ -4842,10 +4964,14 @@
 
 	while ((item = string_nextinlist(&list, &sep, NULL, 0)))
 	  if (Ustrncmp(item, US"shutdown=", 9) == 0)
-	    if (Ustrcmp(item + 9, US"no") == 0)
-	      do_shutdown = FALSE;
+	    { if (Ustrcmp(item + 9, US"no") == 0) do_shutdown = FALSE; }
+#ifdef SUPPORT_TLS
+	  else if (Ustrncmp(item, US"tls=", 4) == 0)
+	    { if (Ustrcmp(item + 9, US"no") != 0) do_tls = TRUE; }
+#endif
         }
-      else sub_arg[3] = NULL;                     /* No eol if no timeout */
+      else
+	sub_arg[3] = NULL;                     /* No eol if no timeout */
 
       /* If skipping, we don't actually do anything. Otherwise, arrange to
       connect to either an IP or a Unix socket. */
@@ -4857,8 +4983,10 @@
         if (Ustrncmp(sub_arg[0], "inet:", 5) == 0)
           {
           int port;
-          uschar * server_name = sub_arg[0] + 5;
-          uschar * port_name = Ustrrchr(server_name, ':');
+          uschar * port_name;
+
+          server_name = sub_arg[0] + 5;
+          port_name = Ustrrchr(server_name, ':');
 
           /* Sort out the port */
 
@@ -4893,12 +5021,15 @@
             port = ntohs(service_info->s_port);
             }
 
+	  /*XXX we trust that the request is idempotent.  Hmm. */
 	  fd = ip_connectedsocket(SOCK_STREAM, server_name, port, port,
-		  timeout, NULL, &expand_string_message, &reqstr);
+		  timeout, &host, &expand_string_message,
+		  do_tls ? NULL : &reqstr);
 	  callout_address = NULL;
 	  if (fd < 0)
-              goto SOCK_FAIL;
-	  reqstr.len = 0;
+	    goto SOCK_FAIL;
+	  if (!do_tls)
+	    reqstr.len = 0;
           }
 
         /* Handle a Unix domain socket */
@@ -4918,11 +5049,12 @@
           sockun.sun_family = AF_UNIX;
           sprintf(sockun.sun_path, "%.*s", (int)(sizeof(sockun.sun_path)-1),
             sub_arg[0]);
+	  server_name = US sockun.sun_path;
 
           sigalrm_seen = FALSE;
-          alarm(timeout);
+          ALARM(timeout);
           rc = connect(fd, (struct sockaddr *)(&sockun), sizeof(sockun));
-          alarm(0);
+          ALARM_CLR(0);
           if (sigalrm_seen)
             {
             expand_string_message = US "socket connect timed out";
@@ -4934,12 +5066,32 @@
               "%s: %s", sub_arg[0], strerror(errno));
             goto SOCK_FAIL;
             }
+	  host.name = server_name;
+	  host.address = US"";
           }
 
         DEBUG(D_expand) debug_printf_indent("connected to socket %s\n", sub_arg[0]);
 
+#ifdef SUPPORT_TLS
+	if (do_tls)
+	  {
+	  tls_support tls_dummy = {.sni=NULL};
+	  uschar * errstr;
+
+	  if (!(tls_ctx = tls_client_start(fd, &host, NULL, NULL,
+# ifdef SUPPORT_DANE
+				NULL,
+# endif
+	  			&tls_dummy, &errstr)))
+	    {
+	    expand_string_message = string_sprintf("TLS connect failed: %s", errstr);
+	    goto SOCK_FAIL;
+	    }
+	  }
+#endif
+
 	/* Allow sequencing of test actions */
-	if (running_in_test_harness) millisleep(100);
+	if (f.running_in_test_harness) millisleep(100);
 
         /* Write the request string, if not empty or already done */
 
@@ -4947,7 +5099,11 @@
           {
           DEBUG(D_expand) debug_printf_indent("writing \"%s\" to socket\n",
             reqstr.data);
-          if (write(fd, reqstr.data, reqstr.len) != reqstr.len)
+          if ( (
+#ifdef SUPPORT_TLS
+	      tls_ctx ? tls_write(tls_ctx, reqstr.data, reqstr.len, FALSE) :
+#endif
+			write(fd, reqstr.data, reqstr.len)) != reqstr.len)
             {
             expand_string_message = string_sprintf("request write to socket "
               "failed: %s", strerror(errno));
@@ -4960,20 +5116,34 @@
         system doesn't have this function, make it conditional. */
 
 #ifdef SHUT_WR
-	if (do_shutdown) shutdown(fd, SHUT_WR);
+	if (!tls_ctx && do_shutdown) shutdown(fd, SHUT_WR);
 #endif
 
-	if (running_in_test_harness) millisleep(100);
+	if (f.running_in_test_harness) millisleep(100);
 
         /* Now we need to read from the socket, under a timeout. The function
         that reads a file can be used. */
 
-        f = fdopen(fd, "rb");
+	if (!tls_ctx)
+	  fp = fdopen(fd, "rb");
         sigalrm_seen = FALSE;
-        alarm(timeout);
-        yield = cat_file(f, yield, sub_arg[3]);
-        alarm(0);
-        (void)fclose(f);
+        ALARM(timeout);
+        yield =
+#ifdef SUPPORT_TLS
+	  tls_ctx ? cat_file_tls(tls_ctx, yield, sub_arg[3]) :
+#endif
+		    cat_file(fp, yield, sub_arg[3]);
+        ALARM_CLR(0);
+
+#ifdef SUPPORT_TLS
+	if (tls_ctx)
+	  {
+	  tls_close(tls_ctx, TRUE);
+	  close(fd);
+	  }
+	else
+#endif
+	  (void)fclose(fp);
 
         /* After a timeout, we restore the pointer in the result, that is,
         make sure we add nothing from the socket. */
@@ -5096,9 +5266,9 @@
 	resetok = FALSE;
         f = fdopen(fd_out, "rb");
         sigalrm_seen = FALSE;
-        alarm(60);
+        ALARM(60);
 	lookup_value = string_from_gstring(cat_file(f, NULL, NULL));
-        alarm(0);
+        ALARM_CLR(0);
         (void)fclose(f);
 
         /* Wait for the process to finish, applying the timeout, and inspect its
@@ -5476,6 +5646,16 @@
       uschar *sub[3];
       int save_expand_nmax =
         save_expand_strings(save_expand_nstring, save_expand_nlength);
+      enum {extract_basic, extract_json} fmt = extract_basic;
+
+      while (isspace(*s)) s++;
+
+      /* Check for a format-variant specifier */
+
+      if (*s != '{')					/*}*/
+	{
+	if (Ustrncmp(s, "json", 4) == 0) {fmt = extract_json; s += 4;}
+	}
 
       /* While skipping we cannot rely on the data for expansions being
       available (eg. $item) hence cannot decide on numeric vs. keyed.
@@ -5483,11 +5663,10 @@
 
       if (skipping)
 	{
-        while (isspace(*s)) s++;
-        for (j = 5; j > 0 && *s == '{'; j--)
+        for (j = 5; j > 0 && *s == '{'; j--)			/*'}'*/
 	  {
           if (!expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok))
-	    goto EXPAND_FAILED;					/*{*/
+	    goto EXPAND_FAILED;					/*'{'*/
           if (*s++ != '}')
 	    {
 	    expand_string_message = US"missing '{' for arg of extract";
@@ -5495,13 +5674,13 @@
 	    }
 	  while (isspace(*s)) s++;
 	  }
-	if (  Ustrncmp(s, "fail", 4) == 0
+	if (  Ustrncmp(s, "fail", 4) == 0			/*'{'*/
 	   && (s[4] == '}' || s[4] == ' ' || s[4] == '\t' || !s[4])
 	   )
 	  {
 	  s += 4;
 	  while (isspace(*s)) s++;
-	  }
+	  }							/*'{'*/
 	if (*s != '}')
 	  {
 	  expand_string_message = US"missing '}' closing extract";
@@ -5511,11 +5690,11 @@
 
       else for (i = 0, j = 2; i < j; i++) /* Read the proper number of arguments */
         {
-        while (isspace(*s)) s++;
-        if (*s == '{') 						/*}*/
+	while (isspace(*s)) s++;
+        if (*s == '{') 						/*'}'*/
           {
           sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
-          if (sub[i] == NULL) goto EXPAND_FAILED;		/*{*/
+          if (sub[i] == NULL) goto EXPAND_FAILED;		/*'{'*/
           if (*s++ != '}')
 	    {
 	    expand_string_message = string_sprintf(
@@ -5526,7 +5705,7 @@
           /* After removal of leading and trailing white space, the first
           argument must not be empty; if it consists entirely of digits
           (optionally preceded by a minus sign), this is a numerical
-          extraction, and we expect 3 arguments. */
+          extraction, and we expect 3 arguments (normal) or 2 (json). */
 
           if (i == 0)
             {
@@ -5557,7 +5736,7 @@
 	    if (*p == 0)
 	      {
 	      field_number *= x;
-	      j = 3;               /* Need 3 args */
+	      if (fmt != extract_json) j = 3;               /* Need 3 args */
 	      field_number_set = TRUE;
 	      }
             }
@@ -5573,9 +5752,83 @@
       /* Extract either the numbered or the keyed substring into $value. If
       skipping, just pretend the extraction failed. */
 
-      lookup_value = skipping? NULL : field_number_set?
-        expand_gettokened(field_number, sub[1], sub[2]) :
-        expand_getkeyed(sub[0], sub[1]);
+      if (skipping)
+	lookup_value = NULL;
+      else switch (fmt)
+	{
+	case extract_basic:
+	  lookup_value = field_number_set
+	    ? expand_gettokened(field_number, sub[1], sub[2])
+	    : expand_getkeyed(sub[0], sub[1]);
+	  break;
+
+	case extract_json:
+	  {
+	  uschar * s, * item;
+	  const uschar * list;
+
+	  /* Array: Bracket-enclosed and comma-separated.
+	  Object: Brace-enclosed, comma-sep list of name:value pairs */
+
+	  if (!(s = dewrap(sub[1], field_number_set ? US"[]" : US"{}")))
+	    {
+	    expand_string_message =
+	      string_sprintf("%s wrapping %s for extract json",
+		expand_string_message,
+		field_number_set ? "array" : "object");
+	    goto EXPAND_FAILED_CURLY;
+	    }
+
+	  list = s;
+	  if (field_number_set)
+	    {
+	    if (field_number <= 0)
+	      {
+	      expand_string_message = US"first argument of \"extract\" must "
+		"be greater than zero";
+	      goto EXPAND_FAILED;
+	      }
+	    while (field_number > 0 && (item = json_nextinlist(&list)))
+	      field_number--;
+	    s = item;
+	    lookup_value = s;
+	    while (*s) s++;
+	    while (--s >= lookup_value && isspace(*s)) *s = '\0';
+	    }
+	  else
+	    {
+	    lookup_value = NULL;
+	    while ((item = json_nextinlist(&list)))
+	      {
+	      /* Item is:  string name-sep value.  string is quoted.
+	      Dequote the string and compare with the search key. */
+
+	      if (!(item = dewrap(item, US"\"\"")))
+		{
+		expand_string_message =
+		  string_sprintf("%s wrapping string key for extract json",
+		    expand_string_message);
+		goto EXPAND_FAILED_CURLY;
+		}
+	      if (Ustrcmp(item, sub[0]) == 0)	/*XXX should be a UTF8-compare */
+		{
+		s = item + Ustrlen(item) + 1;
+		while (isspace(*s)) s++;
+		if (*s != ':')
+		  {
+		  expand_string_message = string_sprintf(
+		    "missing object value-separator for extract json");
+		  goto EXPAND_FAILED_CURLY;
+		  }
+		s++;
+		while (isspace(*s)) s++;
+		lookup_value = s;
+		break;
+		}
+	      }
+	    }
+	  }
+	}
 
       /* If no string follows, $value gets substituted; otherwise there can
       be yes/no strings, as for lookup or if. */
@@ -5675,7 +5928,7 @@
       /* Extract the numbered element into $value. If
       skipping, just pretend the extraction failed. */
 
-      lookup_value = skipping? NULL : expand_getlistele(field_number, sub[1]);
+      lookup_value = skipping ? NULL : expand_getlistele(field_number, sub[1]);
 
       /* If no string follows, $value gets substituted; otherwise there can
       be yes/no strings, as for lookup or if. */
@@ -6240,7 +6493,7 @@
       else
         {
         expand_string_message = result == NULL ? US"(no message)" : result;
-        if(status == FAIL_FORCED) expand_string_forcedfail = TRUE;
+        if(status == FAIL_FORCED) f.expand_string_forcedfail = TRUE;
           else if(status != FAIL)
             log_write(0, LOG_MAIN|LOG_PANIC, "dlfunc{%s}{%s} failed (%d): %s",
               argv[0], argv[1], status, expand_string_message);
@@ -6294,7 +6547,9 @@
     int c;
     uschar *arg = NULL;
     uschar *sub;
+#ifdef SUPPORT_TLS
     var_entry *vp = NULL;
+#endif
 
     /* Owing to an historical mis-design, an underscore may be part of the
     operator name, or it may introduce arguments.  We therefore first scan the
@@ -6419,7 +6674,6 @@
 
       case EOP_BASE62D:
         {
-        uschar buf[16];
         uschar *tt = sub;
         unsigned long int n = 0;
         while (*tt != 0)
@@ -6434,8 +6688,7 @@
             }
           n = n * BASE_62 + (t - base62_chars);
           }
-        (void)sprintf(CS buf, "%ld", n);
-        yield = string_cat(yield, buf);
+        yield = string_fmt_append(yield, "%ld", n);
         continue;
         }
 
@@ -6484,11 +6737,10 @@
 	  md5 base;
 	  uschar digest[16];
 	  int j;
-	  char st[33];
 	  md5_start(&base);
 	  md5_end(&base, sub, Ustrlen(sub), digest);
-	  for(j = 0; j < 16; j++) sprintf(st+2*j, "%02x", digest[j]);
-	  yield = string_cat(yield, US st);
+	  for (j = 0; j < 16; j++)
+	    yield = string_fmt_append(yield, "%02x", digest[j]);
 	  }
         continue;
 
@@ -6505,11 +6757,10 @@
 	  hctx h;
 	  uschar digest[20];
 	  int j;
-	  char st[41];
 	  sha1_start(&h);
 	  sha1_end(&h, sub, Ustrlen(sub), digest);
-	  for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]);
-	  yield = string_catn(yield, US st, 40);
+	  for (j = 0; j < 20; j++)
+	    yield = string_fmt_append(yield, "%02X", digest[j]);
 	  }
         continue;
 
@@ -6524,7 +6775,6 @@
 	  {
 	  hctx h;
 	  blob b;
-	  char st[3];
 
 	  if (!exim_sha_init(&h, HASH_SHA2_256))
 	    {
@@ -6534,10 +6784,7 @@
 	  exim_sha_update(&h, sub, Ustrlen(sub));
 	  exim_sha_finish(&h, &b);
 	  while (b.len-- > 0)
-	    {
-	    sprintf(st, "%02X", *b.data++);
-	    yield = string_catn(yield, US st, 2);
-	    }
+	    yield = string_fmt_append(yield, "%02X", *b.data++);
 	  }
 #else
 	  expand_string_message = US"sha256 only supported with TLS";
@@ -6549,7 +6796,6 @@
 	{
 	hctx h;
 	blob b;
-	char st[3];
 	hashmethod m = !arg ? HASH_SHA3_256
 	  : Ustrcmp(arg, "224") == 0 ? HASH_SHA3_224
 	  : Ustrcmp(arg, "256") == 0 ? HASH_SHA3_256
@@ -6566,10 +6812,7 @@
 	exim_sha_update(&h, sub, Ustrlen(sub));
 	exim_sha_finish(&h, &b);
 	while (b.len-- > 0)
-	  {
-	  sprintf(st, "%02X", *b.data++);
-	  yield = string_catn(yield, US st, 2);
-	  }
+	  yield = string_fmt_append(yield, "%02X", *b.data++);
 	}
         continue;
 #else
@@ -6633,7 +6876,7 @@
         while (*(++t) != 0)
           {
           if (*t < 0x21 || 0x7E < *t)
-            yield = string_catn(yield, string_sprintf("\\x%02x", *t), 4);
+            yield = string_fmt_append(yield, "\\x%02x", *t);
 	  else
 	    yield = string_catn(yield, t, 1);
           }
@@ -6646,12 +6889,10 @@
         {
 	int cnt = 0;
 	int sep = 0;
-	uschar * cp;
 	uschar buffer[256];
 
 	while (string_nextinlist(CUSS &sub, &sep, buffer, sizeof(buffer)) != NULL) cnt++;
-	cp = string_sprintf("%d", cnt);
-        yield = string_cat(yield, cp);
+	yield = string_fmt_append(yield, "%d", cnt);
         continue;
         }
 
@@ -6858,7 +7099,7 @@
               "missing in expanding ${addresses:%s}", --sub);
             goto EXPAND_FAILED;
             }
-        parse_allow_group = TRUE;
+        f.parse_allow_group = TRUE;
 
         for (;;)
           {
@@ -6907,7 +7148,7 @@
         separator. */
 
         if (yield->ptr != save_ptr) yield->ptr--;
-        parse_allow_group = FALSE;
+        f.parse_allow_group = FALSE;
         continue;
         }
 
@@ -7017,9 +7258,9 @@
       case EOP_RFC2047:
         {
         uschar buffer[2048];
-	const uschar *string = parse_quote_2047(sub, Ustrlen(sub), headers_charset,
-          buffer, sizeof(buffer), FALSE);
-        yield = string_cat(yield, string);
+        yield = string_cat(yield,
+			    parse_quote_2047(sub, Ustrlen(sub), headers_charset,
+			      buffer, sizeof(buffer), FALSE));
         continue;
         }
 
@@ -7065,12 +7306,13 @@
         {
         int seq_len = 0, index = 0;
         int bytes_left = 0;
-	long codepoint = -1;
+        long codepoint = -1;
+        int complete;
         uschar seq_buff[4];			/* accumulate utf-8 here */
 
         while (*sub != 0)
 	  {
-	  int complete = 0;
+	  complete = 0;
 	  uschar c = *sub++;
 
 	  if (bytes_left)
@@ -7135,6 +7377,13 @@
 			/* ASCII character follows incomplete sequence */
 	      yield = string_catn(yield, &c, 1);
 	  }
+        /* If given a sequence truncated mid-character, we also want to report ?
+        * Eg, ${length_1:フィル} is one byte, not one character, so we expect
+        * ${utf8clean:${length_1:フィル}} to yield '?' */
+        if (bytes_left != 0)
+          {
+          yield = string_catn(yield, UTF8_REPLACEMENT_CHAR, 1);
+          }
         continue;
         }
 
@@ -7218,7 +7467,7 @@
 	for (s = sub; (c = *s); s++)
 	  yield = c < 127 && c != '\\'
 	    ? string_catn(yield, s, 1)
-	    : string_catn(yield, string_sprintf("\\%03o", c), 4);
+	    : string_fmt_append(yield, "\\%03o", c);
 	continue;
 	}
 
@@ -7230,19 +7479,18 @@
         uschar *save_sub = sub;
         uschar *error = NULL;
         int_eximarith_t n = eval_expr(&sub, (c == EOP_EVAL10), &error, FALSE);
-        if (error != NULL)
+        if (error)
           {
           expand_string_message = string_sprintf("error in expression "
             "evaluation: %s (after processing \"%.*s\")", error,
 	    (int)(sub-save_sub), save_sub);
           goto EXPAND_FAILED;
           }
-        sprintf(CS var_buffer, PR_EXIM_ARITH, n);
-        yield = string_cat(yield, var_buffer);
+        yield = string_fmt_append(yield, PR_EXIM_ARITH, n);
         continue;
         }
 
-      /* Handle time period formating */
+      /* Handle time period formatting */
 
       case EOP_TIME_EVAL:
         {
@@ -7253,8 +7501,7 @@
             "Exim time interval in \"%s\" operator", sub, name);
           goto EXPAND_FAILED;
           }
-        sprintf(CS var_buffer, "%d", n);
-        yield = string_cat(yield, var_buffer);
+        yield = string_fmt_append(yield, "%d", n);
         continue;
         }
 
@@ -7306,12 +7553,8 @@
       /* strlen returns the length of the string */
 
       case EOP_STRLEN:
-        {
-        uschar buff[24];
-        (void)sprintf(CS buff, "%d", Ustrlen(sub));
-        yield = string_cat(yield, buff);
+        yield = string_fmt_append(yield, "%d", Ustrlen(sub));
         continue;
-        }
 
       /* length_n or l_n takes just the first n characters or the whole string,
       whichever is the shorter;
@@ -7344,7 +7587,7 @@
         int len;
         uschar *ret;
 
-        if (arg == NULL)
+        if (!arg)
           {
           expand_string_message = string_sprintf("missing values after %s",
             name);
@@ -7408,14 +7651,13 @@
 
       case EOP_STAT:
         {
-        uschar *s;
         uschar smode[12];
         uschar **modetable[3];
         int i;
         mode_t mode;
         struct stat st;
 
-        if ((expand_forbid & RDO_EXISTS) != 0)
+        if (expand_forbid & RDO_EXISTS)
           {
           expand_string_message = US"Use of the stat() expansion is not permitted";
           goto EXPAND_FAILED;
@@ -7449,13 +7691,13 @@
           }
 
         smode[10] = 0;
-        s = string_sprintf("mode=%04lo smode=%s inode=%ld device=%ld links=%ld "
+        yield = string_fmt_append(yield,
+	  "mode=%04lo smode=%s inode=%ld device=%ld links=%ld "
           "uid=%ld gid=%ld size=" OFF_T_FMT " atime=%ld mtime=%ld ctime=%ld",
           (long)(st.st_mode & 077777), smode, (long)st.st_ino,
           (long)st.st_dev, (long)st.st_nlink, (long)st.st_uid,
           (long)st.st_gid, st.st_size, (long)st.st_atime,
           (long)st.st_mtime, (long)st.st_ctime);
-        yield = string_cat(yield, s);
         continue;
         }
 
@@ -7463,14 +7705,11 @@
 
       case EOP_RANDINT:
         {
-        int_eximarith_t max;
-        uschar *s;
+        int_eximarith_t max = expanded_string_integer(sub, TRUE);
 
-        max = expanded_string_integer(sub, TRUE);
-        if (expand_string_message != NULL)
+        if (expand_string_message)
           goto EXPAND_FAILED;
-        s = string_sprintf("%d", vaguely_random_number((int)max));
-        yield = string_cat(yield, s);
+        yield = string_fmt_append(yield, "%d", vaguely_random_number((int)max));
         continue;
         }
 
@@ -7496,9 +7735,9 @@
       /* Unknown operator */
 
       default:
-      expand_string_message =
-        string_sprintf("unknown expansion operator \"%s\"", name);
-      goto EXPAND_FAILED;
+	expand_string_message =
+	  string_sprintf("unknown expansion operator \"%s\"", name);
+	goto EXPAND_FAILED;
       }
     }
 
@@ -7579,19 +7818,28 @@
 else if (resetok_p) *resetok_p = FALSE;
 
 DEBUG(D_expand)
-  {
-  debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
-    "expanding: %.*s\n",
-    (int)(s - string), string);
-  debug_printf_indent("%s"
-    UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
-    "result: %s\n",
-    skipping ? UTF8_VERT_RIGHT : UTF8_UP_RIGHT,
-    yield->s);
-  if (skipping)
-    debug_printf_indent(UTF8_UP_RIGHT UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
-      "skipping: result is not used\n");
-  }
+  DEBUG(D_noutf8)
+    {
+    debug_printf_indent("|--expanding: %.*s\n", (int)(s - string), string);
+    debug_printf_indent("%sresult: %s\n",
+      skipping ? "|-----" : "\\_____", yield->s);
+    if (skipping)
+      debug_printf_indent("\\___skipping: result is not used\n");
+    }
+  else
+    {
+    debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
+      "expanding: %.*s\n",
+      (int)(s - string), string);
+    debug_printf_indent("%s"
+      UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
+      "result: %s\n",
+      skipping ? UTF8_VERT_RIGHT : UTF8_UP_RIGHT,
+      yield->s);
+    if (skipping)
+      debug_printf_indent(UTF8_UP_RIGHT UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
+	"skipping: result is not used\n");
+    }
 expand_level--;
 return yield->s;
 
@@ -7613,16 +7861,25 @@
 EXPAND_FAILED:
 if (left) *left = s;
 DEBUG(D_expand)
-  {
-  debug_printf_indent(UTF8_VERT_RIGHT "failed to expand: %s\n",
-    string);
-  debug_printf_indent("%s" UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
-    "error message: %s\n",
-    expand_string_forcedfail ? UTF8_VERT_RIGHT : UTF8_UP_RIGHT,
-    expand_string_message);
-  if (expand_string_forcedfail)
-    debug_printf_indent(UTF8_UP_RIGHT "failure was forced\n");
-  }
+  DEBUG(D_noutf8)
+    {
+    debug_printf_indent("|failed to expand: %s\n", string);
+    debug_printf_indent("%serror message: %s\n",
+      f.expand_string_forcedfail ? "|---" : "\\___", expand_string_message);
+    if (f.expand_string_forcedfail)
+      debug_printf_indent("\\failure was forced\n");
+    }
+  else
+    {
+    debug_printf_indent(UTF8_VERT_RIGHT "failed to expand: %s\n",
+      string);
+    debug_printf_indent("%s" UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
+      "error message: %s\n",
+      f.expand_string_forcedfail ? UTF8_VERT_RIGHT : UTF8_UP_RIGHT,
+      expand_string_message);
+    if (f.expand_string_forcedfail)
+      debug_printf_indent(UTF8_UP_RIGHT "failure was forced\n");
+    }
 if (resetok_p && !resetok) *resetok_p = FALSE;
 expand_level--;
 return NULL;
@@ -7645,7 +7902,7 @@
   int old_pool = store_pool;
   uschar * s;
 
-  search_find_defer = FALSE;
+  f.search_find_defer = FALSE;
   malformed_header = FALSE;
   store_pool = POOL_MAIN;
     s = expand_string_internal(string, FALSE, NULL, FALSE, TRUE, NULL);
@@ -7838,7 +8095,7 @@
 expanded = expand_string(svalue);
 if (expanded == NULL)
   {
-  if (expand_string_forcedfail)
+  if (f.expand_string_forcedfail)
     {
     DEBUG(dbg_opt) debug_printf("expansion of \"%s\" forced failure\n", oname);
     *rvalue = bvalue;
@@ -7876,7 +8133,7 @@
 {
 return (  (  Ustrstr(s, "failed to expand") != NULL
 	  || Ustrstr(s, "expansion of ")    != NULL
-	  ) 
+	  )
        && (  Ustrstr(s, "mysql")   != NULL
 	  || Ustrstr(s, "pgsql")   != NULL
 	  || Ustrstr(s, "redis")   != NULL
@@ -7886,7 +8143,7 @@
 	  || Ustrstr(s, "ldapi:")  != NULL
 	  || Ustrstr(s, "ldapdn:") != NULL
 	  || Ustrstr(s, "ldapm:")  != NULL
-       )  ) 
+       )  )
   ? US"Temporary internal error" : s;
 }
 
@@ -8095,9 +8352,9 @@
     }
   else
     {
-    if (search_find_defer) printf("search_find deferred\n");
+    if (f.search_find_defer) printf("search_find deferred\n");
     printf("Failed: %s\n", expand_string_message);
-    if (expand_string_forcedfail) printf("Forced failure\n");
+    if (f.expand_string_forcedfail) printf("Forced failure\n");
     printf("\n");
     }
   }
diff -Nru exim4-4.91/src/filter.c exim4-4.92~RC4/src/filter.c
--- exim4-4.91/src/filter.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/filter.c	2018-12-27 13:36:19.000000000 +0000
@@ -950,7 +950,7 @@
         yield = FALSE;
         }
 
-      if (!system_filtering && second_argument.b != TRUE_UNSET)
+      if (!f.system_filtering && second_argument.b != TRUE_UNSET)
         {
         *error_pointer = string_sprintf("header addition and removal is "
           "available only in system filters: near line %d of filter file",
@@ -1452,7 +1452,7 @@
   scan Cc: (hence the FALSE argument). */
 
   case cond_personal:
-  yield = system_filtering? FALSE : filter_personal(c->left.a, FALSE);
+  yield = f.system_filtering? FALSE : filter_personal(c->left.a, FALSE);
   break;
 
   case cond_delivered:
@@ -1471,14 +1471,14 @@
   and filter testing and verification. */
 
   case cond_firsttime:
-  yield = filter_test != FTEST_NONE || message_id[0] == 0 || deliver_firsttime;
+  yield = filter_test != FTEST_NONE || message_id[0] == 0 || f.deliver_firsttime;
   break;
 
   /* Only TRUE if a message is actually being processed; FALSE for address
   testing and verification. */
 
   case cond_manualthaw:
-  yield = message_id[0] != 0 && deliver_manual_thaw;
+  yield = message_id[0] != 0 && f.deliver_manual_thaw;
   break;
 
   /* The foranyaddress condition loops through a list of addresses */
@@ -1494,7 +1494,7 @@
     }
 
   yield = FALSE;
-  parse_allow_group = TRUE;     /* Allow group syntax */
+  f.parse_allow_group = TRUE;     /* Allow group syntax */
 
   while (*pp != 0)
     {
@@ -1526,8 +1526,8 @@
     pp = p + 1;
     }
 
-  parse_allow_group = FALSE;      /* Reset group syntax flags */
-  parse_found_group = FALSE;
+  f.parse_allow_group = FALSE;      /* Reset group syntax flags */
+  f.parse_found_group = FALSE;
   break;
 
   /* All other conditions have left and right values that need expanding;
@@ -1774,7 +1774,7 @@
 
     s = expargs[1];
 
-    if (s != NULL && !system_filtering)
+    if (s != NULL && !f.system_filtering)
       {
       uschar *ownaddress = expand_string(US"$local_part@$domain");
       if (strcmpic(ownaddress, s) != 0)
@@ -2521,7 +2521,7 @@
 
 expect_endif = 0;
 output_indent = 0;
-filter_running = TRUE;
+f.filter_running = TRUE;
 for (i = 0; i < FILTER_VARIABLE_COUNT; i++) filter_n[i] = 0;
 
 /* To save having to pass certain values about all the time, make them static.
@@ -2590,7 +2590,7 @@
 
 if (log_fd >= 0) (void)close(log_fd);
 expand_nmax = -1;
-filter_running = FALSE;
+f.filter_running = FALSE;
 headers_charset = save_headers_charset;
 
 DEBUG(D_route) debug_printf("Filter: end of processing\n");
diff -Nru exim4-4.91/src/filtertest.c exim4-4.92~RC4/src/filtertest.c
--- exim4-4.91/src/filtertest.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/filtertest.c	2018-12-27 13:36:19.000000000 +0000
@@ -47,7 +47,7 @@
 
 if (!dot_ended && !feof(stdin))
   {
-  if (!dot_ends)
+  if (!f.dot_ends)
     {
     while ((ch = getc(stdin)) != EOF)
       {
@@ -259,13 +259,13 @@
 
 if (is_system)
   {
-  system_filtering = TRUE;
-  enable_dollar_recipients = TRUE; /* Permit $recipients in system filter */
+  f.system_filtering = TRUE;
+  f.enable_dollar_recipients = TRUE; /* Permit $recipients in system filter */
   yield = filter_interpret
     (filebuf,
     RDO_DEFER|RDO_FAIL|RDO_FILTER|RDO_FREEZE|RDO_REWRITE, &generated, &error);
-  enable_dollar_recipients = FALSE;
-  system_filtering = FALSE;
+  f.enable_dollar_recipients = FALSE;
+  f.system_filtering = FALSE;
   }
 else
   {
diff -Nru exim4-4.91/src/functions.h exim4-4.92~RC4/src/functions.h
--- exim4-4.91/src/functions.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/functions.h	2018-12-27 13:36:19.000000000 +0000
@@ -44,13 +44,13 @@
 extern uschar * tls_cert_fprt_sha1(void *);
 extern uschar * tls_cert_fprt_sha256(void *);
 
-extern int     tls_client_start(int, host_item *, address_item *,
+extern void *  tls_client_start(int, host_item *, address_item *,
 		 transport_instance *,
 # ifdef SUPPORT_DANE
 		dns_answer *,
 # endif
-		uschar **);
-extern void    tls_close(BOOL, int);
+		tls_support *, uschar **);
+extern void    tls_close(void *, int);
 extern BOOL    tls_could_read(void);
 extern int     tls_export_cert(uschar *, size_t, void *);
 extern int     tls_feof(void);
@@ -60,11 +60,11 @@
 extern uschar *tls_getbuf(unsigned *);
 extern void    tls_get_cache(void);
 extern int     tls_import_cert(const uschar *, void **);
-extern int     tls_read(BOOL, uschar *, size_t);
+extern int     tls_read(void *, uschar *, size_t);
 extern int     tls_server_start(const uschar *, uschar **);
 extern BOOL    tls_smtp_buffered(void);
 extern int     tls_ungetc(int);
-extern int     tls_write(BOOL, const uschar *, size_t, BOOL);
+extern int     tls_write(void *, const uschar *, size_t, BOOL);
 extern uschar *tls_validate_require_cipher(void);
 extern void    tls_version_report(FILE *);
 # ifndef USE_GNUTLS
@@ -95,6 +95,7 @@
 extern gstring *arc_sign(const uschar *, gstring *, uschar **);
 extern void     arc_sign_init(void);
 extern const uschar *acl_verify_arc(void);
+extern uschar * fn_arc_domains(void);
 #endif
 
 extern void    assert_no_variables(void *, int, const char *, int);
@@ -270,7 +271,7 @@
                  int, host_item *, uschar **, const blob *);
 extern int     ip_get_address_family(int);
 extern void    ip_keepalive(int, const uschar *, BOOL);
-extern int     ip_recv(int, uschar *, int, int);
+extern int     ip_recv(client_conn_ctx *, uschar *, int, int);
 extern int     ip_socket(int, int);
 
 extern int     ip_tcpsocket(const uschar *, uschar **, int);
@@ -321,6 +322,8 @@
 extern BOOL    moan_skipped_syntax_errors(uschar *, error_block *, uschar *,
                  BOOL, uschar *);
 extern void    moan_smtp_batch(uschar *, const char *, ...) PRINTF_FUNCTION(2,3);
+extern BOOL    moan_send_message(uschar *, int, error_block *eblock,
+		 header_line *, FILE *, uschar *);
 extern void    moan_tell_someone(uschar *, address_item *,
                  const uschar *, const char *, ...) PRINTF_FUNCTION(4,5);
 extern BOOL    moan_to_sender(int, error_block *, header_line *, FILE *, BOOL);
@@ -373,7 +376,7 @@
 extern BOOL    receive_check_fs(int);
 extern BOOL    receive_check_set_sender(uschar *);
 extern BOOL    receive_msg(BOOL);
-extern int     receive_statvfs(BOOL, int *);
+extern int_eximarith_t receive_statvfs(BOOL, int *);
 extern void    receive_swallow_smtp(void);
 #ifdef WITH_CONTENT_SCAN
 extern int     regex(const uschar **);
@@ -427,9 +430,12 @@
 extern void    sigalrm_handler(int);
 extern BOOL    smtp_buffered(void);
 extern void    smtp_closedown(uschar *);
+extern void    smtp_command_timeout_exit(void);
+extern void    smtp_command_sigterm_exit(void);
+extern void    smtp_data_timeout_exit(void);
+extern void    smtp_data_sigint_exit(void);
 extern uschar *smtp_cmd_hist(void);
-extern int     smtp_connect(host_item *, int, uschar *, int,
-	       	 transport_instance *);
+extern int     smtp_connect(smtp_connect_args *, const blob *);
 extern int     smtp_sock_connect(host_item *, int, int, uschar *,
 		 transport_instance * tb, int, const blob *);
 extern int     smtp_feof(void);
@@ -444,8 +450,8 @@
 extern int     smtp_handle_acl_fail(int, int, uschar *, uschar *);
 extern void    smtp_log_no_mail(void);
 extern void    smtp_message_code(uschar **, int *, uschar **, uschar **, BOOL);
-extern void    smtp_proxy_tls(uschar *, size_t, int *, int);
-extern BOOL    smtp_read_response(smtp_inblock *, uschar *, int, int, int);
+extern void    smtp_proxy_tls(void *, uschar *, size_t, int *, int);
+extern BOOL    smtp_read_response(void *, uschar *, int, int, int);
 extern void    smtp_reset(void *);
 extern void    smtp_respond(uschar *, int, BOOL, uschar *);
 extern void    smtp_notquit_exit(uschar *, uschar *, uschar *, ...);
@@ -455,7 +461,7 @@
 extern BOOL    smtp_start_session(void);
 extern int     smtp_ungetc(int);
 extern BOOL    smtp_verify_helo(void);
-extern int     smtp_write_command(smtp_outblock *, int, const char *, ...) PRINTF_FUNCTION(3,4);
+extern int     smtp_write_command(void *, int, const char *, ...) PRINTF_FUNCTION(3,4);
 #ifdef WITH_CONTENT_SCAN
 extern int     spam(const uschar **);
 extern FILE   *spool_mbox(unsigned long *, const uschar *, uschar **);
@@ -476,6 +482,7 @@
 extern gstring *string_append(gstring *, int, ...) WARN_UNUSED_RESULT;
 extern gstring *string_append_listele(gstring *, uschar, const uschar *) WARN_UNUSED_RESULT;
 extern gstring *string_append_listele_n(gstring *, uschar, const uschar *, unsigned) WARN_UNUSED_RESULT;
+extern gstring *string_append2_listele_n(gstring *, const uschar *, const uschar *, unsigned) WARN_UNUSED_RESULT;
 extern uschar *string_base62(unsigned long int);
 extern gstring *string_cat (gstring *, const uschar *     ) WARN_UNUSED_RESULT;
 extern gstring *string_catn(gstring *, const uschar *, int) WARN_UNUSED_RESULT;
@@ -485,6 +492,7 @@
 extern uschar *string_copylc(const uschar *);
 extern uschar *string_copynlc(uschar *, int);
 extern uschar *string_dequote(const uschar **);
+extern gstring *string_fmt_append(gstring *, const char *, ...) ALMOST_PRINTF(2,3);
 extern BOOL    string_format(uschar *, int, const char *, ...) ALMOST_PRINTF(3,4);
 extern uschar *string_format_size(int, uschar *);
 extern uschar *string_from_gstring(gstring *);
@@ -508,7 +516,7 @@
 extern uschar *string_localpart_alabel_to_utf8(const uschar *, uschar **);
 extern uschar *string_localpart_utf8_to_alabel(const uschar *, uschar **);
 #endif
-extern BOOL    string_vformat(uschar *, int, const char *, va_list);
+extern gstring *string_vformat(gstring *, BOOL, const char *, va_list);
 extern int     strcmpic(const uschar *, const uschar *);
 extern int     strncmpic(const uschar *, const uschar *, int);
 extern uschar *strstric(uschar *, uschar *, BOOL);
@@ -562,7 +570,7 @@
 extern int     verify_check_header_names_ascii(uschar **);
 extern int     verify_check_host(uschar **);
 extern int     verify_check_notblind(void);
-extern int     verify_check_given_host(uschar **, host_item *);
+extern int     verify_check_given_host(const uschar **, const host_item *);
 extern int     verify_check_this_host(const uschar **, unsigned int *,
 	         const uschar*, const uschar *, const uschar **);
 extern address_item *verify_checked_sender(uschar *);
diff -Nru exim4-4.91/src/globals.c exim4-4.92~RC4/src/globals.c
--- exim4-4.91/src/globals.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/globals.c	2018-12-27 13:36:19.000000000 +0000
@@ -98,10 +98,11 @@
 
 /* These variables are outside the #ifdef because it keeps the code less
 cluttered in several places (e.g. during logging) if we can always refer to
-them. Also, the tls_ variables are now always visible. */
+them. Also, the tls_ variables are now always visible.  Note that these are
+only used for smtp connections, not for service-daemon access. */
 
 tls_support tls_in = {
- .active =		-1,
+ .active =		{.sock = -1},
  .bits =		0,
  .certificate_verified = FALSE,
 #ifdef SUPPORT_DANE
@@ -118,7 +119,7 @@
  .ocsp =		OCSP_NOT_REQ
 };
 tls_support tls_out = {
- .active =		-1,
+ .active =		{.sock = -1},
  .bits =		0,
  .certificate_verified = FALSE,
 #ifdef SUPPORT_DANE
@@ -160,6 +161,11 @@
 uschar *tls_privatekey         = NULL;
 BOOL    tls_remember_esmtp     = FALSE;
 uschar *tls_require_ciphers    = NULL;
+# ifdef EXPERIMENTAL_REQUIRETLS
+uschar  tls_requiretls         = 0;	/* REQUIRETLS_MSG etc. bit #defines */
+uschar *tls_advertise_requiretls = US"*";
+const pcre *regex_REQUIRETLS   = NULL;
+# endif
 uschar *tls_try_verify_hosts   = NULL;
 uschar *tls_verify_certificates= US"system";
 uschar *tls_verify_hosts       = NULL;
@@ -222,7 +228,222 @@
 
 int address_expansions_count = sizeof(address_expansions)/sizeof(uschar **);
 
-/* General global variables */
+/******************************************************************************/
+/* General global variables.  Boolean flags are done as a group
+so that only one bit each is needed, packed, for all those we never
+need to take a pointer - and only a char for the rest.
+This means a struct, unfortunately since it clutters the sourcecode. */
+
+struct global_flags f =
+{
+	.acl_temp_details       = FALSE,
+	.active_local_from_check = FALSE,
+	.active_local_sender_retain = FALSE,
+	.address_test_mode      = FALSE,
+	.admin_user             = FALSE,
+	.allow_auth_unadvertised= FALSE,
+	.allow_unqualified_recipient = TRUE,    /* For local messages */
+	.allow_unqualified_sender = TRUE,       /* Reset for SMTP */
+	.authentication_local   = FALSE,
+
+	.background_daemon      = TRUE,
+
+	.chunking_offered       = FALSE,
+	.config_changed         = FALSE,
+	.continue_more          = FALSE,
+
+	.daemon_listen          = FALSE,
+	.debug_daemon           = FALSE,
+	.deliver_firsttime      = FALSE,
+	.deliver_force          = FALSE,
+	.deliver_freeze         = FALSE,
+	.deliver_force_thaw     = FALSE,
+	.deliver_manual_thaw    = FALSE,
+	.deliver_selectstring_regex = FALSE,
+	.deliver_selectstring_sender_regex = FALSE,
+	.disable_callout_flush  = FALSE,
+	.disable_delay_flush    = FALSE,
+	.disable_logging        = FALSE,
+#ifndef DISABLE_DKIM
+	.dkim_disable_verify      = FALSE,
+#endif
+#ifdef EXPERIMENTAL_DMARC
+	.dmarc_has_been_checked  = FALSE,
+	.dmarc_disable_verify    = FALSE,
+	.dmarc_enable_forensic   = FALSE,
+#endif
+	.dont_deliver           = FALSE,
+	.dot_ends               = TRUE,
+
+	.enable_dollar_recipients = FALSE,
+	.expand_string_forcedfail = FALSE,
+
+	.filter_running         = FALSE,
+
+	.header_rewritten       = FALSE,
+	.helo_verified          = FALSE,
+	.helo_verify_failed     = FALSE,
+	.host_checking_callout  = FALSE,
+	.host_find_failed_syntax= FALSE,
+
+	.inetd_wait_mode        = FALSE,
+	.is_inetd               = FALSE,
+
+	.local_error_message    = FALSE,
+	.log_testing_mode       = FALSE,
+
+#ifdef WITH_CONTENT_SCAN
+	.no_mbox_unspool        = FALSE,
+#endif
+	.no_multiline_responses = FALSE,
+
+	.parse_allow_group      = FALSE,
+	.parse_found_group      = FALSE,
+	.pipelining_enable      = TRUE,
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+	.proxy_session_failed   = FALSE,
+#endif
+
+	.queue_2stage           = FALSE,
+	.queue_only_policy      = FALSE,
+	.queue_run_first_delivery = FALSE,
+	.queue_run_force        = FALSE,
+	.queue_run_local        = FALSE,
+	.queue_running          = FALSE,
+	.queue_smtp             = FALSE,
+
+	.really_exim            = TRUE,
+	.receive_call_bombout   = FALSE,
+	.recipients_discarded   = FALSE,
+	.running_in_test_harness = FALSE,
+
+	.search_find_defer      = FALSE,
+	.sender_address_forced  = FALSE,
+	.sender_host_notsocket  = FALSE,
+	.sender_host_unknown    = FALSE,
+	.sender_local           = FALSE,
+	.sender_name_forced     = FALSE,
+	.sender_set_untrusted   = FALSE,
+	.smtp_authenticated     = FALSE,
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	.smtp_in_early_pipe_advertised = FALSE,
+	.smtp_in_early_pipe_no_auth = FALSE,
+	.smtp_in_early_pipe_used = FALSE,
+#endif
+	.smtp_in_pipelining_advertised = FALSE,
+	.smtp_in_pipelining_used = FALSE,
+	.spool_file_wireformat  = FALSE,
+	.submission_mode        = FALSE,
+	.suppress_local_fixups  = FALSE,
+	.suppress_local_fixups_default = FALSE,
+	.synchronous_delivery   = FALSE,
+	.system_filtering       = FALSE,
+
+	.tcp_fastopen_ok        = FALSE,
+	.tcp_in_fastopen        = FALSE,
+	.tcp_in_fastopen_data   = FALSE,
+	.tcp_in_fastopen_logged = FALSE,
+	.tcp_out_fastopen_logged= FALSE,
+	.timestamps_utc         = FALSE,
+	.transport_filter_timed_out = FALSE,
+	.trusted_caller         = FALSE,
+	.trusted_config         = TRUE,
+};
+
+/******************************************************************************/
+/* These are the flags which are either variables or mainsection options,
+so an address is needed for access, or are exported to local_scan. */
+
+BOOL    accept_8bitmime        = TRUE; /* deliberately not RFC compliant */
+BOOL    allow_domain_literals  = FALSE;
+BOOL    allow_mx_to_ip         = FALSE;
+BOOL    allow_utf8_domains     = FALSE;
+BOOL    authentication_failed  = FALSE;
+
+BOOL    bounce_return_body     = TRUE;
+BOOL    bounce_return_message  = TRUE;
+BOOL    check_rfc2047_length   = TRUE;
+BOOL    commandline_checks_require_admin = FALSE;
+
+#ifdef EXPERIMENTAL_DCC
+BOOL    dcc_direct_add_header  = FALSE;
+#endif
+BOOL    debug_store            = FALSE;
+BOOL    delivery_date_remove   = TRUE;
+BOOL    deliver_drop_privilege = FALSE;
+#ifdef ENABLE_DISABLE_FSYNC
+BOOL    disable_fsync          = FALSE;
+#endif
+BOOL    disable_ipv6           = FALSE;
+BOOL    dns_csa_use_reverse    = TRUE;
+BOOL    drop_cr                = FALSE;         /* No longer used */
+
+BOOL    envelope_to_remove     = TRUE;
+BOOL    exim_gid_set           = TRUE;          /* This gid is always set */
+BOOL    exim_uid_set           = TRUE;          /* This uid is always set */
+BOOL    extract_addresses_remove_arguments = TRUE;
+
+BOOL    host_checking          = FALSE;
+BOOL    host_lookup_deferred   = FALSE;
+BOOL    host_lookup_failed     = FALSE;
+BOOL    ignore_fromline_local  = FALSE;
+
+BOOL    local_from_check       = TRUE;
+BOOL    local_sender_retain    = FALSE;
+BOOL    log_timezone           = FALSE;
+BOOL    message_body_newlines  = FALSE;
+BOOL    message_logs           = TRUE;
+#ifdef SUPPORT_I18N
+BOOL    message_smtputf8       = FALSE;
+#endif
+BOOL    mua_wrapper            = FALSE;
+
+BOOL    preserve_message_logs  = FALSE;
+BOOL    print_topbitchars      = FALSE;
+BOOL    prod_requires_admin    = TRUE;
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+BOOL    proxy_session          = FALSE;
+#endif
+
+BOOL    queue_list_requires_admin = TRUE;
+BOOL    queue_only             = FALSE;
+BOOL    queue_only_load_latch  = TRUE;
+BOOL    queue_only_override    = TRUE;
+BOOL    queue_run_in_order     = FALSE;
+BOOL    recipients_max_reject  = FALSE;
+BOOL    return_path_remove     = TRUE;
+
+BOOL    smtp_batched_input     = FALSE;
+BOOL    sender_helo_dnssec     = FALSE;
+BOOL    sender_host_dnssec     = FALSE;
+BOOL    smtp_accept_keepalive  = TRUE;
+BOOL    smtp_check_spool_space = TRUE;
+BOOL    smtp_enforce_sync      = TRUE;
+BOOL    smtp_etrn_serialize    = TRUE;
+BOOL    smtp_input             = FALSE;
+BOOL    smtp_return_error_details = FALSE;
+#ifdef SUPPORT_SPF
+BOOL    spf_result_guessed     = FALSE;
+#endif
+BOOL    split_spool_directory  = FALSE;
+BOOL    spool_wireformat       = FALSE;
+#ifdef EXPERIMENTAL_SRS
+BOOL    srs_usehash            = TRUE;
+BOOL    srs_usetimestamp       = TRUE;
+#endif
+BOOL    strict_acl_vars        = FALSE;
+BOOL    strip_excess_angle_brackets = FALSE;
+BOOL    strip_trailing_dot     = FALSE;
+BOOL    syslog_duplication     = TRUE;
+BOOL    syslog_pid             = TRUE;
+BOOL    syslog_timestamp       = TRUE;
+BOOL    system_filter_gid_set  = FALSE;
+BOOL    system_filter_uid_set  = FALSE;
+
+BOOL    tcp_nodelay            = TRUE;
+BOOL    write_rejectlog        = TRUE;
+
+/******************************************************************************/
 
 header_line *acl_added_headers = NULL;
 tree_node *acl_anchor          = NULL;
@@ -262,7 +483,6 @@
 uschar *acl_smtp_starttls      = NULL;
 uschar *acl_smtp_vrfy          = NULL;
 
-BOOL    acl_temp_details       = FALSE;
 tree_node *acl_var_c           = NULL;
 tree_node *acl_var_m           = NULL;
 uschar *acl_verify_message     = NULL;
@@ -321,9 +541,6 @@
 				   US"0"        /* unknown; not relevant */
                                  };
 
-BOOL    active_local_from_check = FALSE;
-BOOL    active_local_sender_retain = FALSE;
-BOOL    accept_8bitmime        = TRUE; /* deliberately not RFC compliant */
 uschar *add_environment        = NULL;
 address_item  *addr_duplicate  = NULL;
 
@@ -410,17 +627,9 @@
 
 uschar *address_file           = NULL;
 uschar *address_pipe           = NULL;
-BOOL    address_test_mode      = FALSE;
 tree_node *addresslist_anchor  = NULL;
 int     addresslist_count      = 0;
 gid_t  *admin_groups           = NULL;
-BOOL    admin_user             = FALSE;
-BOOL    allow_auth_unadvertised= FALSE;
-BOOL    allow_domain_literals  = FALSE;
-BOOL    allow_mx_to_ip         = FALSE;
-BOOL    allow_unqualified_recipient = TRUE;    /* For local messages */
-BOOL    allow_unqualified_sender = TRUE;       /* Reset for SMTP */
-BOOL    allow_utf8_domains	= FALSE;
 
 #ifdef EXPERIMENTAL_ARC
 struct arc_set *arc_received	= NULL;
@@ -433,8 +642,6 @@
 uschar *authenticated_fail_id  = NULL;
 uschar *authenticated_id       = NULL;
 uschar *authenticated_sender   = NULL;
-BOOL    authentication_failed  = FALSE;
-BOOL    authentication_local   = FALSE;
 auth_instance  *auths          = NULL;
 uschar *auth_advertise_hosts   = US"*";
 auth_instance auth_defaults    = {
@@ -461,12 +668,10 @@
 uschar *auth_vars[AUTH_VARS];
 int     auto_thaw              = 0;
 #ifdef WITH_CONTENT_SCAN
-BOOL    av_failed              = FALSE;
+int     av_failed              = FALSE;	/* boolean but accessed as vtype_int*/
 uschar *av_scanner             = US"sophie:/var/run/sophie";  /* AV scanner */
 #endif
 
-BOOL    background_daemon      = TRUE;
-
 #if BASE_62 == 62
 uschar *base62_chars=
     US"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
@@ -493,9 +698,7 @@
 uschar *bounce_message_file    = NULL;
 uschar *bounce_message_text    = NULL;
 uschar *bounce_recipient       = NULL;
-BOOL    bounce_return_body     = TRUE;
 int     bounce_return_linesize_limit = 998;
-BOOL    bounce_return_message  = TRUE;
 int     bounce_return_size_limit = 100*1024;
 uschar *bounce_sender_authentication = NULL;
 
@@ -507,15 +710,13 @@
 uschar *callout_random_local_part = US"$primary_hostname-$tod_epoch-testing";
 uschar *check_dns_names_pattern= US"(?i)^(?>(?(1)\\.|())[^\\W](?>[a-z0-9/_-]*[^\\W])?)+(\\.?)$";
 int     check_log_inodes       = 100;
-int     check_log_space        = 10*1024;	/* 10K Kbyte == 10MB */
-BOOL    check_rfc2047_length   = TRUE;
+int_eximarith_t check_log_space = 10*1024;	/* 10K Kbyte == 10MB */
 int     check_spool_inodes     = 100;
-int     check_spool_space      = 10*1024;	/* 10K Kbyte == 10MB */
+int_eximarith_t check_spool_space = 10*1024;	/* 10K Kbyte == 10MB */
 
 uschar *chunking_advertise_hosts = US"*";
 unsigned chunking_datasize     = 0;
 unsigned chunking_data_left    = 0;
-BOOL    chunking_offered       = FALSE;
 chunking_state_t chunking_state= CHUNKING_NOT_OFFERED;
 const pcre *regex_CHUNKING     = NULL;
 
@@ -524,8 +725,6 @@
 uschar *client_authenticated_sender = NULL;
 int     clmacro_count          = 0;
 uschar *clmacros[MAX_CLMACROS];
-BOOL    commandline_checks_require_admin = FALSE;
-BOOL    config_changed         = FALSE;
 FILE   *config_file            = NULL;
 const uschar *config_filename  = NULL;
 int     config_lineno          = 0;
@@ -549,7 +748,6 @@
 uschar *continue_proxy_cipher  = NULL;
 uschar *continue_hostname      = NULL;
 uschar *continue_host_address  = NULL;
-BOOL    continue_more          = FALSE;
 int     continue_sequence      = 1;
 uschar *continue_transport     = NULL;
 
@@ -559,31 +757,30 @@
   .delivery =		FALSE,				/* when to attempt */
   .defer_pass =		FALSE,				/* on defer: spool locally */
   .is_tls =		FALSE,				/* not a TLS conn yet */
-  .fd =			-1,				/* open connection */
+  .cctx =		{.sock = -1},			/* open connection */
   .nrcpt =		0,				/* number of addresses */
 };
 
-BOOL    daemon_listen          = FALSE;
 uschar *daemon_smtp_port       = US"smtp";
 int     daemon_startup_retries = 9;
 int     daemon_startup_sleep   = 30;
 
 #ifdef EXPERIMENTAL_DCC
-BOOL    dcc_direct_add_header  = FALSE;
 uschar *dcc_header             = NULL;
 uschar *dcc_result             = NULL;
 uschar *dccifd_address         = US"/usr/local/dcc/var/dccifd";
 uschar *dccifd_options         = US"header";
 #endif
 
-BOOL    debug_daemon           = FALSE;
 int     debug_fd               = -1;
 FILE   *debug_file             = NULL;
 int     debug_notall[]         = {
   Di_memory,
+  Di_noutf8,
   -1
 };
-bit_table debug_options[]      = { /* must be in alphabetical order */
+bit_table debug_options[]      = { /* must be in alphabetical order and use
+				 only the enum values from macro.h */
   BIT_TABLE(D, acl),
   BIT_TABLE(D, all),
   BIT_TABLE(D, auth),
@@ -602,6 +799,7 @@
   BIT_TABLE(D, local_scan),
   BIT_TABLE(D, lookup),
   BIT_TABLE(D, memory),
+  BIT_TABLE(D, noutf8),
   BIT_TABLE(D, pid),
   BIT_TABLE(D, process_info),
   BIT_TABLE(D, queue_run),
@@ -619,7 +817,6 @@
 int     debug_options_count    = nelem(debug_options);
 
 unsigned int debug_selector    = 0;
-BOOL    debug_store            = FALSE;
 int     delay_warning[DELAY_WARNING_SIZE] = { DELAY_WARNING_SIZE, 1, 24*60*60 };
 uschar *delay_warning_condition=
   US"${if or {"
@@ -627,17 +824,12 @@
             "{ match{$h_precedence:}{(?i)bulk|list|junk} }"
             "{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }"
             "} {no}{yes}}";
-BOOL    delivery_date_remove   = TRUE;
 uschar *deliver_address_data   = NULL;
 int     deliver_datafile       = -1;
 const uschar *deliver_domain   = NULL;
 uschar *deliver_domain_data    = NULL;
 const uschar *deliver_domain_orig = NULL;
 const uschar *deliver_domain_parent = NULL;
-BOOL    deliver_drop_privilege = FALSE;
-BOOL    deliver_firsttime      = FALSE;
-BOOL    deliver_force          = FALSE;
-BOOL    deliver_freeze         = FALSE;
 time_t  deliver_frozen_at      = 0;
 uschar *deliver_home           = NULL;
 const uschar *deliver_host     = NULL;
@@ -651,28 +843,17 @@
 uschar *deliver_localpart_parent = NULL;
 uschar *deliver_localpart_prefix = NULL;
 uschar *deliver_localpart_suffix = NULL;
-BOOL    deliver_force_thaw     = FALSE;
-BOOL    deliver_manual_thaw    = FALSE;
 uschar *deliver_out_buffer     = NULL;
 int     deliver_queue_load_max = -1;
 address_item  *deliver_recipients = NULL;
 uschar *deliver_selectstring   = NULL;
-BOOL    deliver_selectstring_regex = FALSE;
 uschar *deliver_selectstring_sender = NULL;
-BOOL    deliver_selectstring_sender_regex = FALSE;
-BOOL    disable_callout_flush  = FALSE;
-BOOL    disable_delay_flush    = FALSE;
-#ifdef ENABLE_DISABLE_FSYNC
-BOOL    disable_fsync          = FALSE;
-#endif
-BOOL    disable_ipv6           = FALSE;
-BOOL    disable_logging        = FALSE;
 
 #ifndef DISABLE_DKIM
-BOOL    dkim_collect_input       = FALSE;
+unsigned dkim_collect_input      = 0;
 uschar *dkim_cur_signer          = NULL;
-BOOL    dkim_disable_verify      = FALSE;
 int     dkim_key_length          = 0;
+void   *dkim_signatures		 = NULL;
 uschar *dkim_signers             = NULL;
 uschar *dkim_signing_domain      = NULL;
 uschar *dkim_signing_selector    = NULL;
@@ -682,7 +863,6 @@
 uschar *dkim_verify_reason	 = NULL;
 #endif
 #ifdef EXPERIMENTAL_DMARC
-BOOL    dmarc_has_been_checked  = FALSE;
 uschar *dmarc_domain_policy     = NULL;
 uschar *dmarc_forensic_sender   = NULL;
 uschar *dmarc_history_file      = NULL;
@@ -690,13 +870,11 @@
 uschar *dmarc_status_text       = NULL;
 uschar *dmarc_tld_file          = NULL;
 uschar *dmarc_used_domain       = NULL;
-BOOL    dmarc_disable_verify    = FALSE;
-BOOL    dmarc_enable_forensic   = FALSE;
 #endif
 
 uschar *dns_again_means_nonexist = NULL;
 int     dns_csa_search_limit   = 5;
-BOOL    dns_csa_use_reverse    = TRUE;
+int	dns_cname_loops	       = 1;
 #ifdef SUPPORT_DANE
 int     dns_dane_ok            = -1;
 #endif
@@ -712,13 +890,8 @@
 uschar *dnslist_value          = NULL;
 tree_node *domainlist_anchor   = NULL;
 int     domainlist_count       = 0;
-BOOL    dont_deliver           = FALSE;
-BOOL    dot_ends               = TRUE;
-BOOL    drop_cr                = FALSE;         /* No longer used */
 uschar *dsn_from               = US DEFAULT_DSN_FROM;
 
-BOOL    enable_dollar_recipients = FALSE;
-BOOL    envelope_to_remove     = TRUE;
 int     errno_quota            = ERRNO_QUOTA;
 uschar *errors_copy            = NULL;
 int     error_handling         = ERRORS_SENDER;
@@ -733,19 +906,15 @@
 
 
 gid_t   exim_gid               = EXIM_GID;
-BOOL    exim_gid_set           = TRUE;          /* This gid is always set */
 uschar *exim_path              = US BIN_DIRECTORY "/exim"
                         "\0<---------------Space to patch exim_path->";
 uid_t   exim_uid               = EXIM_UID;
-BOOL    exim_uid_set           = TRUE;          /* This uid is always set */
 int     expand_level	       = 0;		/* Nesting depth, indent for debug */
 int     expand_forbid          = 0;
 int     expand_nlength[EXPAND_MAXN+1];
 int     expand_nmax            = -1;
 uschar *expand_nstring[EXPAND_MAXN+1];
-BOOL    expand_string_forcedfail = FALSE;
 uschar *expand_string_message;
-BOOL    extract_addresses_remove_arguments = TRUE;
 uschar *extra_local_interfaces = NULL;
 
 int     fake_response          = OK;
@@ -754,7 +923,6 @@
                                    "legitimate message, it may still be "
                                    "delivered to the target recipient(s).";
 int     filter_n[FILTER_VARIABLE_COUNT];
-BOOL    filter_running         = FALSE;
 int     filter_sn[FILTER_VARIABLE_COUNT];
 int     filter_test            = FTEST_NONE;
 uschar *filter_test_sfile      = NULL;
@@ -770,6 +938,10 @@
 uschar *gecos_pattern          = NULL;
 rewrite_rule  *global_rewrite_rules = NULL;
 
+volatile sig_atomic_t had_command_timeout = 0;
+volatile sig_atomic_t had_command_sigterm = 0;
+volatile sig_atomic_t had_data_timeout    = 0;
+volatile sig_atomic_t had_data_sigint     = 0;
 uschar *headers_charset        = US HEADERS_CHARSET;
 int     header_insert_maxlen   = 64 * 1024;
 header_line  *header_last      = NULL;
@@ -796,23 +968,15 @@
 
 int header_names_size          = nelem(header_names);
 
-BOOL    header_rewritten       = FALSE;
 uschar *helo_accept_junk_hosts = NULL;
 uschar *helo_allow_chars       = US"";
 uschar *helo_lookup_domains    = US"@ : @[]";
 uschar *helo_try_verify_hosts  = NULL;
-BOOL    helo_verified          = FALSE;
-BOOL    helo_verify_failed     = FALSE;
 uschar *helo_verify_hosts      = NULL;
 const uschar *hex_digits       = CUS"0123456789abcdef";
 uschar *hold_domains           = NULL;
-BOOL    host_checking          = FALSE;
-BOOL    host_checking_callout  = FALSE;
 uschar *host_data              = NULL;
-BOOL    host_find_failed_syntax= FALSE;
 uschar *host_lookup            = NULL;
-BOOL    host_lookup_deferred   = FALSE;
-BOOL    host_lookup_failed     = FALSE;
 uschar *host_lookup_order      = US"bydns:byaddr";
 uschar *host_lookup_msg        = US"";
 int     host_number            = 0;
@@ -824,14 +988,11 @@
 uschar *hosts_connection_nolog = NULL;
 
 int     ignore_bounce_errors_after = 10*7*24*60*60;  /* 10 weeks */
-BOOL    ignore_fromline_local  = FALSE;
 uschar *ignore_fromline_hosts  = NULL;
-BOOL    inetd_wait_mode        = FALSE;
 int     inetd_wait_timeout     = -1;
 uschar *initial_cwd            = NULL;
 uschar *interface_address      = NULL;
 int     interface_port         = -1;
-BOOL    is_inetd               = FALSE;
 uschar *iterate_item           = NULL;
 
 int     journal_fd             = -1;
@@ -842,8 +1003,6 @@
 
 uschar *eldap_dn               = NULL;
 int     load_average           = -2;
-BOOL    local_error_message    = FALSE;
-BOOL    local_from_check       = TRUE;
 uschar *local_from_prefix      = NULL;
 uschar *local_from_suffix      = NULL;
 
@@ -853,9 +1012,10 @@
 uschar *local_interfaces       = US"0.0.0.0";
 #endif
 
+#ifdef HAVE_LOCAL_SCAN
 uschar *local_scan_data        = NULL;
 int     local_scan_timeout     = 5*60;
-BOOL    local_sender_retain    = FALSE;
+#endif
 gid_t   local_user_gid         = (gid_t)(-1);
 uid_t   local_user_uid         = (uid_t)(-1);
 
@@ -918,6 +1078,7 @@
   BIT_TABLE(L, outgoing_interface),
   BIT_TABLE(L, outgoing_port),
   BIT_TABLE(L, pid),
+  BIT_TABLE(L, pipelining),
 #if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
   BIT_TABLE(L, proxy),
 #endif
@@ -955,8 +1116,6 @@
 unsigned int log_selector[log_selector_size]; /* initialized in main() */
 uschar *log_selector_string    = NULL;
 FILE   *log_stderr             = NULL;
-BOOL    log_testing_mode       = FALSE;
-BOOL    log_timezone           = FALSE;
 uschar *login_sender_address   = NULL;
 uschar *lookup_dnssec_authenticated = NULL;
 int     lookup_open_max        = 25;
@@ -972,7 +1131,6 @@
 int     message_age            = 0;
 uschar *message_body           = NULL;
 uschar *message_body_end       = NULL;
-BOOL    message_body_newlines  = FALSE;
 int     message_body_size      = 0;
 int     message_body_visible   = 500;
 int     message_ended          = END_NOTSTARTED;
@@ -984,11 +1142,9 @@
 uschar  message_id_option[MESSAGE_ID_LENGTH + 3];
 uschar *message_id_external;
 int     message_linecount      = 0;
-BOOL    message_logs           = TRUE;
 int     message_size           = 0;
 uschar *message_size_limit     = US"50M";
 #ifdef SUPPORT_I18N
-BOOL    message_smtputf8       = FALSE;
 int     message_utf8_downconvert = 0;	/* -1 ifneeded; 0 never; 1 always */
 #endif
 uschar  message_subdir[2]      = { 0, 0 };
@@ -1014,13 +1170,7 @@
 int     mime_part_count        = -1;
 #endif
 
-BOOL    mua_wrapper            = FALSE;
-
 uid_t  *never_users            = NULL;
-#ifdef WITH_CONTENT_SCAN
-BOOL    no_mbox_unspool        = FALSE;
-#endif
-BOOL    no_multiline_responses = FALSE;
 
 const int on                   = 1;	/* for setsockopt */
 const int off                  = 0;
@@ -1033,29 +1183,24 @@
 uschar *override_local_interfaces = NULL;
 uschar *override_pid_file_path = NULL;
 
-BOOL    parse_allow_group      = FALSE;
-BOOL    parse_found_group      = FALSE;
 uschar *percent_hack_domains   = NULL;
 uschar *pid_file_path          = US PID_FILE_PATH
                            "\0<--------------Space to patch pid_file_path->";
-BOOL    pipelining_enable      = TRUE;
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+uschar *pipe_connect_advertise_hosts = US"*";
+#endif
 uschar *pipelining_advertise_hosts = US"*";
-BOOL    preserve_message_logs  = FALSE;
 uschar *primary_hostname       = NULL;
-BOOL    print_topbitchars      = FALSE;
 uschar  process_info[PROCESS_INFO_SIZE];
 int     process_info_len       = 0;
 uschar *process_log_path       = NULL;
-BOOL    prod_requires_admin    = TRUE;
 
 #if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
-uschar *hosts_proxy            = US"";
-uschar *proxy_external_address = US"";
+uschar *hosts_proxy            = NULL;
+uschar *proxy_external_address = NULL;
 int     proxy_external_port    = 0;
-uschar *proxy_local_address    = US"";
+uschar *proxy_local_address    = NULL;
 int     proxy_local_port       = 0;
-BOOL    proxy_session          = FALSE;
-BOOL    proxy_session_failed   = FALSE;
 #endif
 
 uschar *prvscheck_address      = NULL;
@@ -1065,29 +1210,17 @@
 
 const uschar *qualify_domain_recipient = NULL;
 uschar *qualify_domain_sender  = NULL;
-BOOL    queue_2stage           = FALSE;
 uschar *queue_domains          = NULL;
 int     queue_interval         = -1;
-BOOL    queue_list_requires_admin = TRUE;
 uschar *queue_name             = US"";
-BOOL    queue_only             = FALSE;
 uschar *queue_only_file        = NULL;
 int     queue_only_load        = -1;
-BOOL    queue_only_load_latch  = TRUE;
-BOOL    queue_only_override    = TRUE;
-BOOL    queue_only_policy      = FALSE;
-BOOL    queue_run_first_delivery = FALSE;
-BOOL    queue_run_force        = FALSE;
-BOOL    queue_run_in_order     = FALSE;
-BOOL    queue_run_local        = FALSE;
 uschar *queue_run_max          = US"5";
 pid_t   queue_run_pid          = (pid_t)0;
 int     queue_run_pipe         = -1;
-BOOL    queue_running          = FALSE;
-BOOL    queue_smtp             = FALSE;
 uschar *queue_smtp_domains     = NULL;
 
-unsigned int random_seed       = 0;
+uint32_t random_seed	       = 0;
 tree_node *ratelimiters_cmd    = NULL;
 tree_node *ratelimiters_conn   = NULL;
 tree_node *ratelimiters_mail   = NULL;
@@ -1101,8 +1234,6 @@
 int     rcpt_defer_count       = 0;
 gid_t   real_gid;
 uid_t   real_uid;
-BOOL    really_exim            = TRUE;
-BOOL    receive_call_bombout   = FALSE;
 int     receive_linecount      = 0;
 int     receive_messagecount   = 0;
 int     receive_timeout        = 0;
@@ -1136,17 +1267,18 @@
 uschar *recipient_unqualified_hosts = NULL;
 uschar *recipient_verify_failure = NULL;
 int     recipients_count       = 0;
-BOOL    recipients_discarded   = FALSE;
 recipient_item  *recipients_list = NULL;
 int     recipients_list_max    = 0;
 int     recipients_max         = 0;
-BOOL    recipients_max_reject  = FALSE;
 const pcre *regex_AUTH         = NULL;
 const pcre *regex_check_dns_names = NULL;
 const pcre *regex_From         = NULL;
 const pcre *regex_IGNOREQUOTA  = NULL;
 const pcre *regex_PIPELINING   = NULL;
 const pcre *regex_SIZE         = NULL;
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+const pcre *regex_EARLY_PIPE   = NULL;
+#endif
 const pcre *regex_ismsgid      = NULL;
 const pcre *regex_smtp_code    = NULL;
 uschar *regex_vars[REGEX_VARS];
@@ -1164,11 +1296,9 @@
 int     retry_maximum_timeout  = 0;        /* set from retry config */
 retry_config  *retries         = NULL;
 uschar *return_path            = NULL;
-BOOL    return_path_remove     = TRUE;
 int     rewrite_existflags     = 0;
 uschar *rfc1413_hosts          = US"@[]";
 int     rfc1413_query_timeout  = 0;
-/* BOOL    rfc821_domains         = FALSE;  <<< on the way out */
 uid_t   root_gid               = ROOT_GID;
 uid_t   root_uid               = ROOT_UID;
 
@@ -1256,7 +1386,6 @@
 uschar *router_name            = NULL;
 
 ip_address_item *running_interfaces = NULL;
-BOOL    running_in_test_harness = FALSE;
 
 /* This is a weird one. The following string gets patched in the binary by the
 script that sets up a copy of Exim for running in the test harness. It seems
@@ -1271,49 +1400,39 @@
 int     runrc                  = 0;
 
 uschar *search_error_message   = NULL;
-BOOL    search_find_defer      = FALSE;
 uschar *self_hostname          = NULL;
 uschar *sender_address         = NULL;
 unsigned int sender_address_cache[(MAX_NAMED_LIST * 2)/32];
 uschar *sender_address_data    = NULL;
-BOOL    sender_address_forced  = FALSE;
 uschar *sender_address_unrewritten = NULL;
 uschar *sender_data            = NULL;
 unsigned int sender_domain_cache[(MAX_NAMED_LIST * 2)/32];
 uschar *sender_fullhost        = NULL;
-BOOL    sender_helo_dnssec     = FALSE;
 uschar *sender_helo_name       = NULL;
 uschar **sender_host_aliases   = &no_aliases;
 uschar *sender_host_address    = NULL;
 uschar *sender_host_authenticated = NULL;
 uschar *sender_host_auth_pubname  = NULL;
 unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32];
-BOOL    sender_host_dnssec     = FALSE;
 uschar *sender_host_name       = NULL;
 int     sender_host_port       = 0;
-BOOL    sender_host_notsocket  = FALSE;
-BOOL    sender_host_unknown    = FALSE;
 uschar *sender_ident           = NULL;
-BOOL    sender_local           = FALSE;
-BOOL    sender_name_forced     = FALSE;
 uschar *sender_rate            = NULL;
 uschar *sender_rate_limit      = NULL;
 uschar *sender_rate_period     = NULL;
 uschar *sender_rcvhost         = NULL;
-BOOL    sender_set_untrusted   = FALSE;
 uschar *sender_unqualified_hosts = NULL;
 uschar *sender_verify_failure = NULL;
 address_item *sender_verified_list  = NULL;
 address_item *sender_verified_failed = NULL;
 int     sender_verified_rc     = -1;
-BOOL    sender_verified_responded = FALSE;
 uschar *sending_ip_address     = NULL;
 int     sending_port           = -1;
 SIGNAL_BOOL sigalrm_seen       = FALSE;
+const uschar *sigalarm_setter  = NULL;
 uschar **sighup_argv           = NULL;
 int     slow_lookup_log        = 0;	/* millisecs, zero disables */
 int     smtp_accept_count      = 0;
-BOOL    smtp_accept_keepalive  = TRUE;
 int     smtp_accept_max        = 20;
 int     smtp_accept_max_nonmail= 10;
 uschar *smtp_accept_max_nonmail_hosts = US"*";
@@ -1323,12 +1442,9 @@
 int     smtp_accept_queue_per_connection = 10;
 int     smtp_accept_reserve    = 0;
 uschar *smtp_active_hostname   = NULL;
-BOOL    smtp_authenticated     = FALSE;
 uschar *smtp_banner            = US"$smtp_active_hostname ESMTP "
                              "Exim $version_number $tod_full"
                              "\0<---------------Space to patch smtp_banner->";
-BOOL    smtp_batched_input     = FALSE;
-BOOL    smtp_check_spool_space = TRUE;
 int     smtp_ch_index          = 0;
 uschar *smtp_cmd_argument      = NULL;
 uschar *smtp_cmd_buffer        = NULL;
@@ -1337,14 +1453,11 @@
 int     smtp_connect_backlog   = 20;
 double  smtp_delay_mail        = 0.0;
 double  smtp_delay_rcpt        = 0.0;
-BOOL    smtp_enforce_sync      = TRUE;
 FILE   *smtp_in                = NULL;
-BOOL    smtp_input             = FALSE;
 int     smtp_load_reserve      = -1;
 int     smtp_mailcmd_count     = 0;
 FILE   *smtp_out               = NULL;
 uschar *smtp_etrn_command      = NULL;
-BOOL    smtp_etrn_serialize    = TRUE;
 int     smtp_max_synprot_errors= 3;
 int     smtp_max_unknown_commands = 3;
 uschar *smtp_notquit_reason    = NULL;
@@ -1355,7 +1468,6 @@
 int     smtp_receive_timeout   = 5*60;
 uschar *smtp_receive_timeout_s = NULL;
 uschar *smtp_reserve_hosts     = NULL;
-BOOL    smtp_return_error_details = FALSE;
 int     smtp_rlm_base          = 0;
 double  smtp_rlm_factor        = 0.0;
 int     smtp_rlm_limit         = 0;
@@ -1383,15 +1495,12 @@
 uschar *spf_header_comment     = NULL;
 uschar *spf_received           = NULL;
 uschar *spf_result             = NULL;
-BOOL    spf_result_guessed     = FALSE;
 uschar *spf_smtp_comment       = NULL;
 #endif
 
-BOOL    split_spool_directory  = FALSE;
+FILE   *spool_data_file	       = NULL;
 uschar *spool_directory        = US SPOOL_DIRECTORY
                            "\0<--------------Space to patch spool_directory->";
-BOOL    spool_file_wireformat  = FALSE;
-BOOL    spool_wireformat       = FALSE;
 #ifdef EXPERIMENTAL_SRS
 uschar *srs_config             = NULL;
 uschar *srs_db_address         = NULL;
@@ -1404,26 +1513,14 @@
 uschar *srs_recipient          = NULL;
 uschar *srs_secrets            = NULL;
 uschar *srs_status             = NULL;
-BOOL    srs_usehash            = TRUE;
-BOOL    srs_usetimestamp       = TRUE;
 #endif
-BOOL    strict_acl_vars        = FALSE;
 int     string_datestamp_offset= -1;
 int     string_datestamp_length= 0;
 int     string_datestamp_type  = -1;
-BOOL    strip_excess_angle_brackets = FALSE;
-BOOL    strip_trailing_dot     = FALSE;
 uschar *submission_domain      = NULL;
-BOOL    submission_mode        = FALSE;
 uschar *submission_name        = NULL;
-BOOL    suppress_local_fixups  = FALSE;
-BOOL    suppress_local_fixups_default = FALSE;
-BOOL    synchronous_delivery   = FALSE;
-BOOL    syslog_duplication     = TRUE;
 int     syslog_facility        = LOG_MAIL;
-BOOL    syslog_pid             = TRUE;
 uschar *syslog_processname     = US"exim";
-BOOL    syslog_timestamp       = TRUE;
 uschar *system_filter          = NULL;
 
 uschar *system_filter_directory_transport = NULL;
@@ -1432,25 +1529,16 @@
 uschar *system_filter_reply_transport = NULL;
 
 gid_t   system_filter_gid      = 0;
-BOOL    system_filter_gid_set  = FALSE;
 uid_t   system_filter_uid      = (uid_t)-1;
-BOOL    system_filter_uid_set  = FALSE;
-BOOL    system_filtering       = FALSE;
 
-BOOL    tcp_fastopen_ok        = FALSE;
 blob	tcp_fastopen_nodata    = { .data = NULL, .len = 0 };
-BOOL    tcp_in_fastopen        = FALSE;
-BOOL    tcp_in_fastopen_logged = FALSE;
-BOOL    tcp_nodelay            = TRUE;
-int     tcp_out_fastopen       = 0;
-BOOL    tcp_out_fastopen_logged= FALSE;
+tfo_state_t tcp_out_fastopen   = TFO_NOT_USED;
 #ifdef USE_TCP_WRAPPERS
 uschar *tcp_wrappers_daemon_name = US TCP_WRAPPERS_DAEMON_NAME;
 #endif
 int     test_harness_load_avg  = 0;
 int     thismessage_size_limit = 0;
 int     timeout_frozen_after   = 0;
-BOOL    timestamps_utc         = FALSE;
 
 transport_instance  *transports = NULL;
 
@@ -1516,7 +1604,6 @@
 int     transport_newlines;
 const uschar **transport_filter_argv  = NULL;
 int     transport_filter_timeout;
-BOOL    transport_filter_timed_out = FALSE;
 int     transport_write_timeout= 0;
 
 tree_node  *tree_dns_fails     = NULL;
@@ -1524,8 +1611,6 @@
 tree_node  *tree_nonrecipients = NULL;
 tree_node  *tree_unusable      = NULL;
 
-BOOL    trusted_caller         = FALSE;
-BOOL    trusted_config         = TRUE;
 gid_t  *trusted_groups         = NULL;
 uid_t  *trusted_users          = NULL;
 uschar *timezone_string        = US TIMEZONE_DEFAULT;
@@ -1571,7 +1656,6 @@
 int     warning_count          = 0;
 uschar *warnmsg_delay          = NULL;
 uschar *warnmsg_recipients     = NULL;
-BOOL    write_rejectlog        = TRUE;
 
 
 /*  End of globals.c */
diff -Nru exim4-4.91/src/globals.h exim4-4.92~RC4/src/globals.h
--- exim4-4.91/src/globals.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/globals.h	2018-12-27 13:36:19.000000000 +0000
@@ -80,7 +80,7 @@
 them. Also, the tls_ variables are now always visible. */
 
 typedef struct {
-  int     active;             /* fd/socket when in a TLS session */
+  client_conn_ctx active;     /* fd/socket when in a TLS session, and ptr to TLS context */
   int     bits;               /* bits used in TLS session */
   BOOL    certificate_verified; /* Client certificate verified */
 #ifdef SUPPORT_DANE
@@ -120,6 +120,11 @@
 extern uschar *tls_ocsp_file;          /* OCSP stapling proof file */
 # endif
 extern uschar *tls_privatekey;         /* Private key file */
+# ifdef EXPERIMENTAL_REQUIRETLS
+extern uschar  tls_requiretls;         /* REQUIRETLS active for this message */
+extern uschar *tls_advertise_requiretls; /* hosts for which REQUIRETLS adv */
+extern const pcre *regex_REQUIRETLS;   /* for recognising the command */
+# endif
 extern BOOL    tls_remember_esmtp;     /* For YAEB */
 extern uschar *tls_require_ciphers;    /* So some can be avoided */
 extern uschar *tls_try_verify_hosts;   /* Optional client verification */
@@ -154,6 +159,124 @@
 
 extern const uschar **address_expansions[ADDRESS_EXPANSIONS_COUNT];
 
+/* Flags for which we don't need an address ever so can use a bitfield */
+
+extern struct global_flags {
+ BOOL   acl_temp_details		:1; /* TRUE to give details for 4xx error */
+ BOOL   active_local_from_check		:1; /* For adding Sender: (switchable) */
+ BOOL   active_local_sender_retain	:1; /* For keeping Sender: (switchable) */
+ BOOL   address_test_mode		:1; /* True for -bt */
+ BOOL   admin_user			:1; /* True if caller can do admin */
+ BOOL   allow_auth_unadvertised		:1; /* As it says */
+ BOOL   allow_unqualified_recipient	:1;    /* For local messages */ /* As it says */
+ BOOL   allow_unqualified_sender	:1;       /* Reset for SMTP */ /* Ditto */
+ BOOL   authentication_local		:1; /* TRUE if non-smtp (implicit authentication) */
+
+ BOOL   background_daemon		:1; /* Set FALSE to keep in foreground */
+
+ BOOL   chunking_offered		:1;
+ BOOL   config_changed			:1; /* True if -C used */
+ BOOL   continue_more			:1; /* Flag more addresses waiting */
+
+ BOOL   daemon_listen			:1; /* True if listening required */
+ BOOL   debug_daemon			:1; /* Debug the daemon process only */
+ BOOL   deliver_firsttime		:1; /* True for first delivery attempt */
+ BOOL   deliver_force			:1; /* TRUE if delivery was forced */
+ BOOL   deliver_freeze			:1; /* TRUE if delivery is frozen */
+ BOOL   deliver_force_thaw		:1; /* TRUE to force thaw in queue run */
+ BOOL   deliver_manual_thaw		:1; /* TRUE if manually thawed */
+ BOOL   deliver_selectstring_regex	:1; /* String is regex */
+ BOOL   deliver_selectstring_sender_regex :1; /* String is regex */
+ BOOL   disable_callout_flush		:1; /* Don't flush before callouts */
+ BOOL   disable_delay_flush		:1; /* Don't flush before "delay" in ACL */
+ BOOL   disable_logging			:1; /* Disables log writing when TRUE */
+#ifndef DISABLE_DKIM
+ BOOL   dkim_disable_verify		:1; /* Set via ACL control statement. When set, DKIM verification is disabled for the current message */
+#endif
+#ifdef EXPERIMENTAL_DMARC
+ BOOL   dmarc_has_been_checked		:1; /* Global variable to check if test has been called yet */
+ BOOL   dmarc_disable_verify		:1; /* Set via ACL control statement. When set, DMARC verification is disabled for the current message */
+ BOOL   dmarc_enable_forensic		:1; /* Set via ACL control statement. When set, DMARC forensic reports are enabled for the current message */
+#endif
+ BOOL   dont_deliver			:1; /* TRUE for -N option */
+ BOOL   dot_ends			:1; /* TRUE if "." ends non-SMTP input */
+
+ BOOL   enable_dollar_recipients	:1; /* Make $recipients available */
+ BOOL   expand_string_forcedfail	:1; /* TRUE if failure was "expected" */
+
+ BOOL   filter_running			:1; /* TRUE while running a filter */
+
+ BOOL   header_rewritten		:1; /* TRUE if header changed by router */
+ BOOL   helo_verified			:1; /* True if HELO verified */
+ BOOL   helo_verify_failed		:1; /* True if attempt failed */
+ BOOL   host_checking_callout		:1; /* TRUE if real callout wanted */
+ BOOL   host_find_failed_syntax		:1; /* DNS syntax check failure */
+
+ BOOL   inetd_wait_mode			:1; /* Whether running in inetd wait mode */
+ BOOL   is_inetd			:1; /* True for inetd calls */
+
+ BOOL   local_error_message		:1; /* True if handling one of these */
+ BOOL   log_testing_mode		:1; /* TRUE in various testing modes */
+
+#ifdef WITH_CONTENT_SCAN
+ BOOL   no_mbox_unspool			:1; /* don't unlink files in /scan directory */
+#endif
+ BOOL   no_multiline_responses		:1; /* For broken clients */
+
+ BOOL   parse_allow_group		:1; /* Allow group syntax */
+ BOOL   parse_found_group		:1; /* In the middle of a group */
+ BOOL   pipelining_enable		:1; /* As it says */
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+ BOOL   proxy_session_failed		:1; /* TRUE if required proxy negotiation failed */
+#endif
+
+ BOOL   queue_2stage			:1; /* Run queue in 2-stage manner */
+ BOOL   queue_only_policy		:1; /* ACL or local_scan wants queue_only */
+ BOOL   queue_run_first_delivery	:1; /* If TRUE, first deliveries only */
+ BOOL   queue_run_force			:1; /* TRUE to force during queue run */
+ BOOL   queue_run_local			:1; /* Local deliveries only in queue run */
+ BOOL   queue_running			:1; /* TRUE for queue running process and */
+ BOOL   queue_smtp			:1; /* Disable all immediate SMTP (-odqs)*/
+
+ BOOL   really_exim			:1; /* FALSE in utilities */
+ BOOL   receive_call_bombout		:1; /* Flag for crashing log */
+ BOOL   recipients_discarded		:1; /* By an ACL */
+ BOOL   running_in_test_harness		:1; /*TRUE when running_status is patched */
+
+ BOOL   search_find_defer		:1; /* Set TRUE if lookup deferred */
+ BOOL   sender_address_forced		:1; /* Set by -f */
+ BOOL   sender_host_notsocket		:1; /* Set for -bs and -bS */
+ BOOL   sender_host_unknown		:1; /* TRUE for -bs and -bS except inetd */
+ BOOL   sender_local			:1; /* TRUE for local senders */
+ BOOL   sender_name_forced		:1; /* Set by -F */
+ BOOL   sender_set_untrusted		:1; /* Sender set by untrusted caller */
+ BOOL   smtp_authenticated		:1; /* Sending client has authenticated */
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+ BOOL   smtp_in_early_pipe_advertised	:1; /* server advertised PIPE_CONNECT */
+ BOOL	smtp_in_early_pipe_no_auth	:1; /* too many authenticator names */
+ BOOL   smtp_in_early_pipe_used		:1; /* client did send early data */
+#endif
+ BOOL   smtp_in_pipelining_advertised	:1; /* server advertised PIPELINING */
+ BOOL   smtp_in_pipelining_used		:1; /* server noted client using PIPELINING */
+ BOOL   spool_file_wireformat		:1; /* current -D file has CRLF rather than NL */
+ BOOL   submission_mode			:1; /* Can be forced from ACL */
+ BOOL   suppress_local_fixups		:1; /* Can be forced from ACL */
+ BOOL   suppress_local_fixups_default	:1; /* former is reset to this; override with -G */
+ BOOL   synchronous_delivery		:1; /* TRUE if -odi is set */
+ BOOL   system_filtering		:1; /* TRUE when running system filter */
+
+ BOOL   tcp_fastopen_ok			:1; /* appears to be supported by kernel */
+ BOOL   tcp_in_fastopen			:1; /* conn usefully used fastopen */
+ BOOL   tcp_in_fastopen_data		:1; /* fastopen carried data */
+ BOOL   tcp_in_fastopen_logged		:1; /* one-time logging */
+ BOOL   tcp_out_fastopen_logged		:1; /* one-time logging */
+ BOOL   timestamps_utc			:1; /* Use UTC for all times */
+ BOOL   transport_filter_timed_out	:1; /* True if it did */
+ BOOL   trusted_caller			:1; /* Caller is trusted */
+ BOOL   trusted_config			:1; /* Configuration file is trusted */
+} f;
+
+
 /* General global variables */
 
 extern BOOL    accept_8bitmime;        /* Allow *BITMIME incoming */
@@ -193,29 +316,21 @@
 extern uschar *acl_smtp_rcpt;          /* ACL run for RCPT */
 extern uschar *acl_smtp_starttls;      /* ACL run for STARTTLS */
 extern uschar *acl_smtp_vrfy;          /* ACL run for VRFY */
-extern BOOL    acl_temp_details;       /* TRUE to give details for 4xx error */
 extern tree_node *acl_var_c;           /* ACL connection variables */
 extern tree_node *acl_var_m;           /* ACL message variables */
 extern uschar *acl_verify_message;     /* User message for verify failure */
 extern string_item *acl_warn_logged;   /* Logged lines */
 extern uschar *acl_wherecodes[];       /* Response codes for ACL fails */
 extern uschar *acl_wherenames[];       /* Names for messages */
-extern BOOL    active_local_from_check;/* For adding Sender: (switchable) */
-extern BOOL    active_local_sender_retain; /* For keeping Sender: (switchable) */
 extern address_item *addr_duplicate;   /* Duplicate address list */
 extern address_item address_defaults;  /* Default data for address item */
 extern uschar *address_file;           /* Name of file when delivering to one */
 extern uschar *address_pipe;           /* Pipe command when delivering to one */
-extern BOOL    address_test_mode;      /* True for -bt */
 extern tree_node *addresslist_anchor;  /* Tree of defined address lists */
 extern int     addresslist_count;      /* Number defined */
 extern gid_t  *admin_groups;           /* List of admin groups */
-extern BOOL    admin_user;             /* True if caller can do admin */
-extern BOOL    allow_auth_unadvertised;/* As it says */
 extern BOOL    allow_domain_literals;  /* As it says */
 extern BOOL    allow_mx_to_ip;         /* Allow MX records to -> ip address */
-extern BOOL    allow_unqualified_recipient; /* As it says */
-extern BOOL    allow_unqualified_sender; /* Ditto */
 #ifdef EXPERIMENTAL_ARC
 struct arc_set *arc_received;	       /* highest ARC instance evaluation struct */
 extern int     arc_received_instance;  /* highest ARC instance number in headers */
@@ -228,7 +343,6 @@
 extern uschar *authenticated_id;       /* ID that was authenticated */
 extern uschar *authenticated_sender;   /* From AUTH on MAIL */
 extern BOOL    authentication_failed;  /* TRUE if AUTH was tried and failed */
-extern BOOL    authentication_local;   /* TRUE if non-smtp (implicit authentication) */
 extern uschar *auth_advertise_hosts;   /* Only advertise to these */
 extern auth_info auths_available[];    /* Vector of available auth mechanisms */
 extern auth_instance *auths;           /* Chain of instantiated auths */
@@ -238,11 +352,10 @@
 extern uschar *auth_vars[];            /* $authn variables */
 extern int     auto_thaw;              /* Auto-thaw interval */
 #ifdef WITH_CONTENT_SCAN
-extern BOOL    av_failed;              /* TRUE if the AV process failed */
+extern int     av_failed;              /* TRUE if the AV process failed */
 extern uschar *av_scanner;             /* AntiVirus scanner to use for the malware condition */
 #endif
 
-extern BOOL    background_daemon;      /* Set FALSE to keep in foreground */
 extern uschar *base62_chars;           /* Table of base-62 characters */
 extern uschar *bi_command;             /* Command for -bi option */
 extern uschar *big_buffer;             /* Used for various temp things */
@@ -275,14 +388,13 @@
 extern uschar *callout_random_local_part; /* Local part to be used to check if server called will accept any local part */
 extern uschar *check_dns_names_pattern;/* Regex for syntax check */
 extern int     check_log_inodes;       /* Minimum for message acceptance */
-extern int     check_log_space;        /* Minimum for message acceptance */
+extern int_eximarith_t check_log_space; /* Minimum for message acceptance */
 extern BOOL    check_rfc2047_length;   /* Check RFC 2047 encoded string length */
 extern int     check_spool_inodes;     /* Minimum for message acceptance */
-extern int     check_spool_space;      /* Minimum for message acceptance */
+extern int_eximarith_t check_spool_space; /* Minimum for message acceptance */
 extern uschar *chunking_advertise_hosts;    /* RFC 3030 CHUNKING */
 extern unsigned chunking_datasize;
 extern unsigned chunking_data_left;
-extern BOOL    chunking_offered;
 extern chunking_state_t chunking_state;
 extern uschar *client_authenticator;        /* Authenticator name used for smtp delivery */
 extern uschar *client_authenticated_id;     /* "login" name used for SMTP AUTH */
@@ -291,7 +403,6 @@
 extern uschar *clmacros[];             /* Copy of them, for re-exec */
 extern BOOL    commandline_checks_require_admin; /* belt and braces for insecure setups */
 extern int     connection_max_messages;/* Max down one SMTP connection */
-extern BOOL    config_changed;         /* True if -C used */
 extern FILE   *config_file;            /* Configuration file */
 extern const uschar *config_filename;  /* Configuration file name */
 extern gid_t   config_gid;             /* Additional group owner */
@@ -303,7 +414,6 @@
 extern uschar *continue_proxy_cipher;  /* TLS cipher for proxied continued delivery */
 extern uschar *continue_hostname;      /* Host for continued delivery */
 extern uschar *continue_host_address;  /* IP address for ditto */
-extern BOOL    continue_more;          /* Flag more addresses waiting */
 extern int     continue_sequence;      /* Sequence num for continued delivery */
 extern uschar *continue_transport;     /* Transport for continued delivery */
 
@@ -314,7 +424,7 @@
   unsigned     delivery:1;             /* When to attempt */
   unsigned     defer_pass:1;           /* Pass 4xx to caller rather than spooling */
   unsigned     is_tls:1;	       /* Conn has TLS active */
-  int          fd;                     /* Open connection */
+  client_conn_ctx cctx;                /* Open connection */
   int          nrcpt;                  /* Count of addresses */
   uschar *     transport;	       /* Name of transport */
   uschar *     interface;              /* (address of) */
@@ -326,7 +436,6 @@
 } cut_t;
 extern cut_t cutthrough;               /* Deliver-concurrently */
 
-extern BOOL    daemon_listen;          /* True if listening required */
 extern uschar *daemon_smtp_port;       /* Can be a list of ports */
 extern int     daemon_startup_retries; /* Number of times to retry */
 extern int     daemon_startup_sleep;   /* Sleep between retries */
@@ -339,7 +448,6 @@
 extern uschar *dccifd_options;         /* options for the dccifd daemon */
 #endif
 
-extern BOOL    debug_daemon;           /* Debug the daemon process only */
 extern int     debug_fd;               /* The fd for debug_file */
 extern FILE   *debug_file;             /* Where to write debugging info */
 extern int     debug_notall[];         /* Debug options excluded from +all */
@@ -357,9 +465,6 @@
 extern const uschar *deliver_domain_orig; /* The original local domain for delivery */
 extern const uschar *deliver_domain_parent; /* The parent domain for delivery */
 extern BOOL    deliver_drop_privilege; /* TRUE for unprivileged delivery */
-extern BOOL    deliver_firsttime;      /* True for first delivery attempt */
-extern BOOL    deliver_force;          /* TRUE if delivery was forced */
-extern BOOL    deliver_freeze;         /* TRUE if delivery is frozen */
 extern time_t  deliver_frozen_at;      /* Time of freezing */
 extern uschar *deliver_home;           /* Home directory for pipes */
 extern const uschar *deliver_host;     /* (First) host for routed local deliveries */
@@ -374,28 +479,21 @@
 extern uschar *deliver_localpart_parent; /* The parent local part for delivery */
 extern uschar *deliver_localpart_prefix; /* The stripped prefix, if any */
 extern uschar *deliver_localpart_suffix; /* The stripped suffix, if any */
-extern BOOL    deliver_force_thaw;     /* TRUE to force thaw in queue run */
-extern BOOL    deliver_manual_thaw;    /* TRUE if manually thawed */
 extern uschar *deliver_out_buffer;     /* Buffer for copying file */
 extern int     deliver_queue_load_max; /* Different value for queue running */
 extern address_item *deliver_recipients; /* Current set of addresses */
 extern uschar *deliver_selectstring;   /* For selecting by recipient */
-extern BOOL    deliver_selectstring_regex; /* String is regex */
 extern uschar *deliver_selectstring_sender; /* For selecting by sender */
-extern BOOL    deliver_selectstring_sender_regex; /* String is regex */
-extern BOOL    disable_callout_flush;  /* Don't flush before callouts */
-extern BOOL    disable_delay_flush;    /* Don't flush before "delay" in ACL */
 #ifdef ENABLE_DISABLE_FSYNC
 extern BOOL    disable_fsync;          /* Not for normal use */
 #endif
 extern BOOL    disable_ipv6;           /* Don't do any IPv6 things */
-extern BOOL    disable_logging;        /* Disables log writing when TRUE */
 
 #ifndef DISABLE_DKIM
-extern BOOL    dkim_collect_input;     /* Runtime flag that tracks wether SMTP input is fed to DKIM validation */
+extern unsigned dkim_collect_input;    /* Runtime count of dkim signtures; tracks whether SMTP input is fed to DKIM validation */
 extern uschar *dkim_cur_signer;        /* Expansion variable, holds the current "signer" domain or identity during a acl_smtp_dkim run */
-extern BOOL    dkim_disable_verify;    /* Set via ACL control statement. When set, DKIM verification is disabled for the current message */
 extern int     dkim_key_length;        /* Expansion variable, length of signing key in bits */
+extern void   *dkim_signatures;	       /* Actually a (pdkim_signature *) but most files do not need to know */
 extern uschar *dkim_signers;           /* Expansion variable, holds colon-separated list of domains and identities that have signed a message */
 extern uschar *dkim_signing_domain;    /* Expansion variable, domain used for signing a message. */
 extern uschar *dkim_signing_selector;  /* Expansion variable, selector used for signing a message. */
@@ -405,7 +503,6 @@
 extern uschar *dkim_verify_reason;     /* result for this signature */
 #endif
 #ifdef EXPERIMENTAL_DMARC
-extern BOOL    dmarc_has_been_checked; /* Global variable to check if test has been called yet */
 extern uschar *dmarc_domain_policy;    /* Expansion for declared policy of used domain */
 extern uschar *dmarc_forensic_sender;  /* Set sender address for forensic reports */
 extern uschar *dmarc_history_file;     /* Expansion variable, file to store dmarc results */
@@ -413,13 +510,12 @@
 extern uschar *dmarc_status_text;      /* Expansion variable, human readable value */
 extern uschar *dmarc_tld_file;         /* Mozilla TLDs text file */
 extern uschar *dmarc_used_domain;      /* Expansion variable, domain libopendmarc chose for DMARC policy lookup */
-extern BOOL    dmarc_disable_verify;   /* Set via ACL control statement. When set, DMARC verification is disabled for the current message */
-extern BOOL    dmarc_enable_forensic;  /* Set via ACL control statement. When set, DMARC forensic reports are enabled for the current message */
 #endif
 
 extern uschar *dns_again_means_nonexist; /* Domains that are badly set up */
 extern int     dns_csa_search_limit;   /* How deep to search for CSA SRV records */
 extern BOOL    dns_csa_use_reverse;    /* Check CSA in reverse DNS? (non-standard) */
+extern int     dns_cname_loops;	       /* Follow CNAMEs returned by resolver to this depth */
 extern uschar *dns_ipv4_lookup;        /* For these domains, don't look for AAAA (or A6) */
 #ifdef SUPPORT_DANE
 extern int     dns_dane_ok;            /* Ok to use DANE when checking TLS authenticity */
@@ -435,15 +531,12 @@
 extern uschar *dnslist_value;          /* DNS (black) list IP address */
 extern tree_node *domainlist_anchor;   /* Tree of defined domain lists */
 extern int     domainlist_count;       /* Number defined */
-extern BOOL    dont_deliver;           /* TRUE for -N option */
-extern BOOL    dot_ends;               /* TRUE if "." ends non-SMTP input */
 
 /* This option is now a no-opt, retained for compatibility */
 extern BOOL    drop_cr;                /* For broken local MUAs */
 
 extern uschar *dsn_from;               /* From: string for DSNs */
 
-extern BOOL    enable_dollar_recipients; /* Make $recipients available */
 extern BOOL    envelope_to_remove;     /* Remove envelope_to_headers */
 extern int     errno_quota;            /* Quota errno in this OS */
 extern int     error_handling;         /* Error handling style */
@@ -469,14 +562,12 @@
 extern int     expand_nlength[];       /* Lengths of numbered strings */
 extern int     expand_nmax;            /* Max numerical value */
 extern uschar *expand_nstring[];       /* Numbered strings */
-extern BOOL    expand_string_forcedfail; /* TRUE if failure was "expected" */
 extern BOOL    extract_addresses_remove_arguments; /* Controls -t behaviour */
 extern uschar *extra_local_interfaces; /* Local, non-listen interfaces */
 
 extern int     fake_response;          /* Fake FAIL or DEFER response to data */
 extern uschar *fake_response_text;     /* User defined message for the above. Default is in globals.c. */
 extern int     filter_n[FILTER_VARIABLE_COUNT]; /* filter variables */
-extern BOOL    filter_running;         /* TRUE while running a filter */
 extern int     filter_sn[FILTER_VARIABLE_COUNT]; /* variables set by system filter */
 extern int     filter_test;            /* Filter test type */
 extern uschar *filter_test_sfile;      /* System filter test file */
@@ -492,23 +583,22 @@
 extern uschar *gecos_pattern;          /* Pattern to match */
 extern rewrite_rule *global_rewrite_rules;  /* Chain of rewriting rules */
 
+extern volatile sig_atomic_t had_command_timeout;   /* Alarm sighandler called */
+extern volatile sig_atomic_t had_command_sigterm;   /* TERM  sighandler called */
+extern volatile sig_atomic_t had_data_timeout;      /* Alarm sighandler called */
+extern volatile sig_atomic_t had_data_sigint;       /* TERM/INT  sighandler called */
 extern int     header_insert_maxlen;   /* Max for inserting headers */
 extern int     header_maxsize;         /* Max total length for header */
 extern int     header_line_maxsize;    /* Max for an individual line */
 extern header_name header_names[];     /* Table of header names */
 extern int     header_names_size;      /* Number of entries */
-extern BOOL    header_rewritten;       /* TRUE if header changed by router */
 extern uschar *helo_accept_junk_hosts; /* Allowed to use junk arg */
 extern uschar *helo_allow_chars;       /* Rogue chars to allow in HELO/EHLO */
 extern uschar *helo_lookup_domains;    /* If these given, lookup host name */
 extern uschar *helo_try_verify_hosts;  /* Soft check HELO argument for these */
-extern BOOL    helo_verified;          /* True if HELO verified */
-extern BOOL    helo_verify_failed;     /* True if attempt failed */
 extern uschar *helo_verify_hosts;      /* Hard check HELO argument for these */
 extern const uschar *hex_digits;             /* Used in several places */
 extern uschar *hold_domains;           /* Hold up deliveries to these */
-extern BOOL    host_find_failed_syntax;/* DNS syntax check failure */
-extern BOOL    host_checking_callout;  /* TRUE if real callout wanted */
 extern uschar *host_data;              /* Obtained from lookup in ACL */
 extern uschar *host_lookup;            /* For which IP addresses are always looked up */
 extern BOOL    host_lookup_deferred;   /* TRUE if lookup deferred */
@@ -526,10 +616,8 @@
 extern int     ignore_bounce_errors_after; /* Keep them for this time. */
 extern BOOL    ignore_fromline_local;  /* Local SMTP ignore fromline */
 extern uschar *ignore_fromline_hosts;  /* Hosts permitted to send "From " */
-extern BOOL    inetd_wait_mode;        /* Whether running in inetd wait mode */
 extern int     inetd_wait_timeout;     /* Timeout for inetd wait mode */
 extern uschar *initial_cwd;            /* The directory we where in at startup */
-extern BOOL    is_inetd;               /* True for inetd calls */
 extern uschar *iterate_item;           /* Item from iterate list */
 
 extern int     journal_fd;             /* Fd for journal file */
@@ -539,15 +627,16 @@
 
 extern uschar *eldap_dn;               /* Where LDAP DNs are left */
 extern int     load_average;           /* Most recently read load average */
-extern BOOL    local_error_message;    /* True if handling one of these */
 extern BOOL    local_from_check;       /* For adding Sender: (global value) */
 extern uschar *local_from_prefix;      /* Permitted prefixes */
 extern uschar *local_from_suffix;      /* Permitted suffixes */
 extern uschar *local_interfaces;       /* For forcing specific interfaces */
+#ifdef HAVE_LOCAL_SCAN
 extern uschar *local_scan_data;        /* Text returned by local_scan() */
 extern optionlist local_scan_options[];/* Option list for local_scan() */
 extern int     local_scan_options_count; /* Size of the list */
 extern int     local_scan_timeout;     /* Timeout for local_scan() */
+#endif
 extern BOOL    local_sender_retain;    /* Retain Sender: (with no From: check) */
 extern gid_t   local_user_gid;         /* As it says; may be set in routers */
 extern uid_t   local_user_uid;         /* As it says; may be set in routers */
@@ -563,7 +652,6 @@
 extern unsigned int log_selector[];    /* Bit map of logging options */
 extern uschar *log_selector_string;    /* As supplied in the config */
 extern FILE   *log_stderr;             /* Copy of stderr for log use, or NULL */
-extern BOOL    log_testing_mode;       /* TRUE in various testing modes */
 extern BOOL    log_timezone;           /* TRUE to include the timezone in log lines */
 extern uschar *login_sender_address;   /* The actual sender address */
 extern lookup_info **lookup_list;      /* Array of pointers to available lookups */
@@ -630,9 +718,7 @@
 
 extern uid_t  *never_users;            /* List of uids never to be used */
 #ifdef WITH_CONTENT_SCAN
-extern BOOL    no_mbox_unspool;        /* don't unlink files in /scan directory */
 #endif
-extern BOOL    no_multiline_responses; /* For broken clients */
 
 extern const int on;                   /* For setsockopt */
 extern const int off;
@@ -652,12 +738,12 @@
 extern uschar *override_local_interfaces; /* Value of -oX argument */
 extern uschar *override_pid_file_path; /* Value of -oP argument */
 
-extern BOOL    parse_allow_group;      /* Allow group syntax */
-extern BOOL    parse_found_group;      /* In the middle of a group */
 extern uschar *percent_hack_domains;   /* Local domains for which '% operates */
 extern uschar *pid_file_path;          /* For writing daemon pids */
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+extern uschar *pipe_connect_advertise_hosts; /* for banner/EHLO pipelining */
+#endif
 extern uschar *pipelining_advertise_hosts; /* As it says */
-extern BOOL    pipelining_enable;      /* As it says */
 #ifndef DISABLE_PRDR
 extern BOOL    prdr_enable;            /* As it says */
 extern BOOL    prdr_requested;         /* Connecting mail server wants PRDR */
@@ -677,7 +763,6 @@
 extern uschar *proxy_local_address;    /* IP of local interface of proxy */
 extern int     proxy_local_port;       /* Port on local interface of proxy */
 extern BOOL    proxy_session;          /* TRUE if receiving mail from valid proxy  */
-extern BOOL    proxy_session_failed;   /* TRUE if required proxy negotiation failed */
 #endif
 
 extern uschar *prvscheck_address;      /* Set during prvscheck expansion item */
@@ -686,13 +771,8 @@
 
 extern const uschar *qualify_domain_recipient; /* Domain to qualify recipients with */
 extern uschar *qualify_domain_sender;  /* Domain to qualify senders with */
-extern BOOL    queue_2stage;           /* Run queue in 2-stage manner */
 extern uschar *queue_domains;          /* Queue these domains */
 extern BOOL    queue_list_requires_admin; /* TRUE if -bp requires admin */
-extern BOOL    queue_run_first_delivery; /* If TRUE, first deliveries only */
-extern BOOL    queue_run_force;        /* TRUE to force during queue run */
-extern BOOL    queue_run_local;        /* Local deliveries only in queue run */
-extern BOOL    queue_running;          /* TRUE for queue running process and */
                                        /*   immediate children */
 extern pid_t   queue_run_pid;          /* PID of the queue running process or 0 */
 extern int     queue_run_pipe;         /* Pipe for synchronizing */
@@ -703,10 +783,8 @@
 extern BOOL    queue_only_load_latch;  /* Latch queue_only_load TRUE */
 extern uschar *queue_only_file;        /* Queue if file exists/not-exists */
 extern BOOL    queue_only_override;    /* Allow override from command line */
-extern BOOL    queue_only_policy;      /* ACL or local_scan wants queue_only */
 extern BOOL    queue_run_in_order;     /* As opposed to random */
 extern uschar *queue_run_max;          /* Max queue runners */
-extern BOOL    queue_smtp;             /* Disable all immediate SMTP (-odqs)*/
 extern uschar *queue_smtp_domains;     /* Ditto, for these domains */
 
 extern unsigned int random_seed;       /* Seed for random numbers */
@@ -722,8 +800,6 @@
 extern int     rcpt_defer_count;       /* Those that got 4xx */
 extern gid_t   real_gid;               /* Real gid */
 extern uid_t   real_uid;               /* Real user running program */
-extern BOOL    really_exim;            /* FALSE in utilities */
-extern BOOL    receive_call_bombout;   /* Flag for crashing log */
 extern int     receive_linecount;      /* Mainly for BSMTP errors */
 extern int     receive_messagecount;   /* Mainly for BSMTP errors */
 extern int     receive_timeout;        /* For non-SMTP acceptance */
@@ -736,7 +812,6 @@
 extern uschar *recipient_data;         /* lookup data for recipients */
 extern uschar *recipient_unqualified_hosts; /* Permitted unqualified recipients */
 extern uschar *recipient_verify_failure; /* What went wrong */
-extern BOOL    recipients_discarded;   /* By an ACL */
 extern int     recipients_list_max;    /* Maximum number fitting in list */
 extern int     recipients_max;         /* Max permitted */
 extern BOOL    recipients_max_reject;  /* If TRUE, reject whole message */
@@ -747,6 +822,9 @@
 extern const pcre  *regex_IGNOREQUOTA; /* For recognizing IGNOREQUOTA (LMTP) */
 extern const pcre  *regex_PIPELINING;  /* For recognizing PIPELINING */
 extern const pcre  *regex_SIZE;        /* For recognizing SIZE settings */
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+extern const pcre  *regex_EARLY_PIPE;  /* For recognizing PIPE_CONNCT */
+#endif
 extern const pcre  *regex_ismsgid;     /* Compiled r.e. for message it */
 extern const pcre  *regex_smtp_code;   /* For recognizing SMTP codes */
 extern uschar *regex_vars[];           /* $regexN variables */
@@ -775,17 +853,14 @@
 extern router_instance *routers;       /* Chain of instantiated routers */
 extern router_instance router_defaults;/* Default values */
 extern uschar *router_name;            /* Name of router last started */
-extern BOOL    running_in_test_harness; /*TRUE when running_status is patched */
 extern ip_address_item *running_interfaces; /* Host's running interfaces */
 extern uschar *running_status;         /* Flag string for testing */
 extern int     runrc;                  /* rc from ${run} */
 
 extern uschar *search_error_message;   /* Details of lookup problem */
-extern BOOL    search_find_defer;      /* Set TRUE if lookup deferred */
 extern uschar *self_hostname;          /* Self host after routing->directors */
 extern unsigned int sender_address_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for sender */
 extern uschar *sender_address_data;    /* address_data from sender verify */
-extern BOOL    sender_address_forced;  /* Set by -f */
 extern uschar *sender_address_unrewritten; /* Set if rewritten by verify */
 extern uschar *sender_data;            /* lookup result for senders */
 extern unsigned int sender_domain_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for sender domain */
@@ -796,16 +871,11 @@
 extern uschar *sender_host_auth_pubname; /* Public-name of authentication method */
 extern unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for incoming host */
 extern BOOL    sender_host_dnssec;     /* true if sender_host_name verified in DNSSEC */
-extern BOOL    sender_host_notsocket;  /* Set for -bs and -bS */
-extern BOOL    sender_host_unknown;    /* TRUE for -bs and -bS except inetd */
 extern uschar *sender_ident;           /* Sender identity via RFC 1413 */
-extern BOOL    sender_local;           /* TRUE for local senders */
-extern BOOL    sender_name_forced;     /* Set by -F */
 extern uschar *sender_rate;            /* Sender rate computed by ACL */
 extern uschar *sender_rate_limit;      /* Configured rate limit */
 extern uschar *sender_rate_period;     /* Configured smoothing period */
 extern uschar *sender_rcvhost;         /* Host data for Received: */
-extern BOOL    sender_set_untrusted;   /* Sender set by untrusted caller */
 extern uschar *sender_unqualified_hosts; /* Permitted unqualified senders */
 extern uschar *sender_verify_failure;  /* What went wrong */
 extern address_item *sender_verified_list; /* Saved chain of sender verifies */
@@ -813,6 +883,7 @@
 extern uschar *sending_ip_address;     /* Address of outgoing (SMTP) interface */
 extern int     sending_port;           /* Port of outgoing interface */
 extern SIGNAL_BOOL sigalrm_seen;       /* Flag for sigalrm_handler */
+extern const uschar *sigalarm_setter;  /* For debug, set to callpoint of alarm() */
 extern uschar **sighup_argv;           /* Args for re-execing after SIGHUP */
 extern int     slow_lookup_log;        /* Log DNS lookups taking longer than N millisecs */
 extern int     smtp_accept_count;      /* Count of connections */
@@ -826,7 +897,6 @@
 extern int     smtp_accept_queue_per_connection; /* Queue after so many msgs */
 extern int     smtp_accept_reserve;    /* Reserve these SMTP connections */
 extern uschar *smtp_active_hostname;   /* Hostname for this message */
-extern BOOL    smtp_authenticated;     /* Sending client has authenticated */
 extern uschar *smtp_banner;            /* Banner string (to be expanded) */
 extern BOOL    smtp_check_spool_space; /* TRUE to check SMTP SIZE value */
 extern int     smtp_ch_index;          /* Index in smtp_connection_had */
@@ -886,8 +956,8 @@
 extern uschar *spf_smtp_comment;       /* spf comment to include in SMTP reply */
 #endif
 extern BOOL    split_spool_directory;  /* TRUE to use multiple subdirs */
+extern FILE   *spool_data_file;	       /* handle for -D file */
 extern uschar *spool_directory;        /* Name of spool directory */
-extern BOOL    spool_file_wireformat;  /* current -D file has CRLF rather than NL */
 extern BOOL    spool_wireformat;       /* can write wireformat -D files */
 #ifdef EXPERIMENTAL_SRS
 extern uschar *srs_config;             /* SRS config secret:max age:hash length:use timestamp:use hash */
@@ -911,11 +981,7 @@
 extern BOOL    strip_excess_angle_brackets; /* Surrounding route-addrs */
 extern BOOL    strip_trailing_dot;     /* Remove dots at ends of domains */
 extern uschar *submission_domain;      /* Domain for submission mode */
-extern BOOL    submission_mode;        /* Can be forced from ACL */
 extern uschar *submission_name;        /* User name set from ACL */
-extern BOOL    suppress_local_fixups;  /* Can be forced from ACL */
-extern BOOL    suppress_local_fixups_default; /* former is reset to this; override with -G */
-extern BOOL    synchronous_delivery;   /* TRUE if -odi is set */
 extern BOOL    syslog_duplication;     /* FALSE => no duplicate logging */
 extern int     syslog_facility;        /* As defined by Syslog.h */
 extern BOOL    syslog_pid;             /* TRUE if PID on syslogs */
@@ -932,29 +998,22 @@
 extern BOOL    system_filter_gid_set;  /* TRUE if gid set */
 extern uid_t   system_filter_uid;      /* Uid for running system filter */
 extern BOOL    system_filter_uid_set;  /* TRUE if uid set */
-extern BOOL    system_filtering;       /* TRUE when running system filter */
 
-extern BOOL    tcp_fastopen_ok;	       /* appears to be supported by kernel */
 extern blob    tcp_fastopen_nodata;    /* for zero-data TFO connect requests */
-extern BOOL    tcp_in_fastopen;	       /* conn usefully used fastopen */
-extern BOOL    tcp_in_fastopen_logged; /* one-time logging */
 extern BOOL    tcp_nodelay;            /* Controls TCP_NODELAY on daemon */
-extern int     tcp_out_fastopen;       /* 0: no  1: conn used  2: useful */
-extern BOOL    tcp_out_fastopen_logged; /* one-time logging */
+extern tfo_state_t tcp_out_fastopen;   /* TCP fast open */
 #ifdef USE_TCP_WRAPPERS
 extern uschar *tcp_wrappers_daemon_name; /* tcpwrappers daemon lookup name */
 #endif
 extern int     test_harness_load_avg;  /* For use when testing */
 extern int     thismessage_size_limit; /* Limit for this message */
 extern int     timeout_frozen_after;   /* Max time to keep frozen messages */
-extern BOOL    timestamps_utc;         /* Use UTC for all times */
 
 extern uschar *transport_name;         /* Name of transport last started */
 extern int     transport_count;        /* Count of bytes transported */
 extern int     transport_newlines;     /* Accurate count of number of newline chars transported */
 extern const uschar **transport_filter_argv; /* For on-the-fly filtering */
 extern int     transport_filter_timeout; /* Timeout for same */
-extern BOOL    transport_filter_timed_out; /* True if it did */
 
 extern transport_info transports_available[]; /* Vector of available transports */
 extern transport_instance *transports; /* Chain of instantiated transports */
@@ -967,8 +1026,6 @@
 extern tree_node *tree_nonrecipients;  /* Tree of nonrecipient addresses */
 extern tree_node *tree_unusable;       /* Tree of unusable addresses */
 
-extern BOOL    trusted_caller;         /* Caller is trusted */
-extern BOOL    trusted_config;         /* Configuration file is trusted */
 extern gid_t  *trusted_groups;         /* List of trusted groups */
 extern uid_t  *trusted_users;          /* List of trusted users */
 extern uschar *timezone_string;        /* Required timezone setting */
diff -Nru exim4-4.91/src/header.c exim4-4.92~RC4/src/header.c
--- exim4-4.91/src/header.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/header.c	2018-12-27 13:36:19.000000000 +0000
@@ -98,16 +98,18 @@
 
 uschar *p, *q;
 uschar buffer[HEADER_ADD_BUFFER_SIZE];
+gstring gs = { .size = HEADER_ADD_BUFFER_SIZE, .ptr = 0, .s = buffer };
 
-if (header_last == NULL) return;
+if (!header_last) return;
 
-if (!string_vformat(buffer, sizeof(buffer), format, ap))
+if (!string_vformat(&gs, FALSE, format, ap))
   log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string too long in header_add: "
-    "%.100s ...", buffer);
+    "%.100s ...", string_from_gstring(&gs));
+string_from_gstring(&gs);
 
 /* Find where to insert this header */
 
-if (name == NULL)
+if (!name)
   {
   if (after)
     {
@@ -122,7 +124,7 @@
     received header is allocated and when it is actually filled in. We want
     that header to be first, so skip it for now. */
 
-    if (header_list->text == NULL)
+    if (!header_list->text)
       hptr = &header_list->next;
     h = *hptr;
     }
@@ -134,15 +136,14 @@
 
   /* Find the first non-deleted header with the correct name. */
 
-  for (hptr = &header_list; (h = *hptr) != NULL; hptr = &(h->next))
-    {
-    if (header_testname(h, name, len, TRUE)) break;
-    }
+  for (hptr = &header_list; (h = *hptr); hptr = &h->next)
+    if (header_testname(h, name, len, TRUE))
+      break;
 
   /* Handle the case where no header is found. To insert at the bottom, nothing
   needs to be done. */
 
-  if (h == NULL)
+  if (!h)
     {
     if (topnot)
       {
@@ -155,14 +156,12 @@
   true. In this case, we want to include deleted headers in the block. */
 
   else if (after)
-    {
     for (;;)
       {
-      if (h->next == NULL || !header_testname(h, name, len, FALSE)) break;
+      if (!h->next || !header_testname(h, name, len, FALSE)) break;
       hptr = &(h->next);
       h = h->next;
       }
-    }
   }
 
 /* Loop for multiple header lines, taking care about continuations. At this
@@ -174,7 +173,7 @@
   for (;;)
     {
     q = Ustrchr(q, '\n');
-    if (q == NULL) q = p + Ustrlen(p);
+    if (!q) q = p + Ustrlen(p);
     if (*(++q) != ' ' && *q != '\t') break;
     }
 
@@ -187,7 +186,7 @@
   *hptr = new;
   hptr = &(new->next);
 
-  if (h == NULL) header_last = new;
+  if (!h) header_last = new;
   p = q;
   }
 }
diff -Nru exim4-4.91/src/host.c exim4-4.92~RC4/src/host.c
--- exim4-4.91/src/host.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/host.c	2018-12-27 13:36:19.000000000 +0000
@@ -84,7 +84,7 @@
   return 0;
 if (random_seed == 0)
   {
-  if (running_in_test_harness) random_seed = 42; else
+  if (f.running_in_test_harness) random_seed = 42; else
     {
     int p = (int)getpid();
     random_seed = (int)time(NULL) ^ ((p << 16) | p);
@@ -318,12 +318,12 @@
 int fake_mx = MX_NONE;          /* This value is actually -1 */
 uschar *name;
 
-if (list == NULL) return;
+if (!list) return;
 if (randomize) fake_mx--;       /* Start at -2 for randomizing */
 
 *anchor = NULL;
 
-while ((name = string_nextinlist(&list, &sep, NULL, 0)) != NULL)
+while ((name = string_nextinlist(&list, &sep, NULL, 0)))
   {
   host_item *h;
 
@@ -343,7 +343,7 @@
   h->why = hwhy_unknown;
   h->last_try = 0;
 
-  if (*anchor == NULL)
+  if (!*anchor)
     {
     h->next = NULL;
     *anchor = h;
@@ -358,7 +358,7 @@
       }
     else
       {
-      while (hh->next != NULL && h->sort_key >= (hh->next)->sort_key)
+      while (hh->next && h->sort_key >= hh->next->sort_key)
         hh = hh->next;
       h->next = hh->next;
       hh->next = h;
@@ -686,23 +686,21 @@
 uschar *
 host_and_ident(BOOL useflag)
 {
-if (sender_fullhost == NULL)
-  {
-  (void)string_format(big_buffer, big_buffer_size, "%s%s", useflag? "U=" : "",
-     (sender_ident == NULL)? US"unknown" : sender_ident);
-  }
+if (!sender_fullhost)
+  (void)string_format(big_buffer, big_buffer_size, "%s%s", useflag ? "U=" : "",
+     sender_ident ? sender_ident : US"unknown");
 else
   {
-  uschar *flag = useflag? US"H=" : US"";
-  uschar *iface = US"";
-  if (LOGGING(incoming_interface) && interface_address != NULL)
+  uschar * flag = useflag ? US"H=" : US"";
+  uschar * iface = US"";
+  if (LOGGING(incoming_interface) && interface_address)
     iface = string_sprintf(" I=[%s]:%d", interface_address, interface_port);
-  if (sender_ident == NULL)
-    (void)string_format(big_buffer, big_buffer_size, "%s%s%s",
-      flag, sender_fullhost, iface);
-  else
+  if (sender_ident)
     (void)string_format(big_buffer, big_buffer_size, "%s%s%s U=%s",
       flag, sender_fullhost, iface, sender_ident);
+  else
+    (void)string_format(big_buffer, big_buffer_size, "%s%s%s",
+      flag, sender_fullhost, iface);
   }
 return big_buffer;
 }
@@ -1674,7 +1672,7 @@
 /* For testing the case when a lookup does not complete, we have a special
 reserved IP address. */
 
-if (running_in_test_harness &&
+if (f.running_in_test_harness &&
     Ustrcmp(sender_host_address, "99.99.99.99") == 0)
   {
   HDEBUG(D_host_lookup)
@@ -1796,9 +1794,9 @@
 /* If we have failed to find a name, return FAIL and log when required.
 NB host_lookup_msg must be in permanent store.  */
 
-if (sender_host_name == NULL)
+if (!sender_host_name)
   {
-  if (host_checking || !log_testing_mode)
+  if (host_checking || !f.log_testing_mode)
     log_write(L_host_lookup_failed, LOG_MAIN, "no host name found for IP "
       "address %s", sender_host_address);
   host_lookup_msg = US" (failed to find host name from IP address)";
@@ -1832,15 +1830,9 @@
   {
   int rc;
   BOOL ok = FALSE;
-  host_item h;
-  dnssec_domains d;
-
-  h.next = NULL;
-  h.name = hname;
-  h.mx = MX_NONE;
-  h.address = NULL;
-  d.request = sender_host_dnssec ? US"*" : NULL;;
-  d.require = NULL;
+  host_item h = { .next = NULL, .name = hname, .mx = MX_NONE, .address = NULL };
+  dnssec_domains d =
+    { .request = sender_host_dnssec ? US"*" : NULL, .require = NULL };
 
   if (  (rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A | HOST_FIND_BY_AAAA,
 	  NULL, NULL, NULL, &d, NULL, NULL)) == HOST_FOUND
@@ -2011,7 +2003,7 @@
 /* Initialize the flag that gets set for DNS syntax check errors, so that the
 interface to this function can be similar to host_find_bydns. */
 
-host_find_failed_syntax = FALSE;
+f.host_find_failed_syntax = FALSE;
 
 /* Loop to look up both kinds of address in an IPv6 world */
 
@@ -2033,7 +2025,7 @@
   if (slow_lookup_log) time_msec = get_time_in_ms();
 
   #if HAVE_IPV6
-  if (running_in_test_harness)
+  if (f.running_in_test_harness)
     hostdata = host_fake_gethostbyname(host->name, af, &error_num);
   else
     {
@@ -2046,7 +2038,7 @@
     }
 
   #else    /* not HAVE_IPV6 */
-  if (running_in_test_harness)
+  if (f.running_in_test_harness)
     hostdata = host_fake_gethostbyname(host->name, AF_INET, &error_num);
   else
     {
@@ -2171,7 +2163,7 @@
 
   HDEBUG(D_host_lookup) debug_printf("%s\n", msg);
   if (temp_error) goto RETURN_AGAIN;
-  if (host_checking || !log_testing_mode)
+  if (host_checking || !f.log_testing_mode)
     log_write(L_host_lookup_failed, LOG_MAIN, "%s", msg);
   return HOST_FIND_FAILED;
   }
@@ -2592,20 +2584,21 @@
 dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0,
          (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0,
 	 dnssec_request);
-host_find_failed_syntax = FALSE;
+f.host_find_failed_syntax = FALSE;
 
 /* First, if requested, look for SRV records. The service name is given; we
 assume TCP protocol. DNS domain names are constrained to a maximum of 256
 characters, so the code below should be safe. */
 
-if ((whichrrs & HOST_FIND_BY_SRV) != 0)
+if (whichrrs & HOST_FIND_BY_SRV)
   {
-  uschar buffer[300];
-  uschar *temp_fully_qualified_name = buffer;
+  gstring * g;
+  uschar * temp_fully_qualified_name;
   int prefix_length;
 
-  (void)sprintf(CS buffer, "_%s._tcp.%n%.256s", srv_service, &prefix_length,
-    host->name);
+  g = string_fmt_append(NULL, "_%s._tcp.%n%.256s",
+	srv_service, &prefix_length, host->name);
+  temp_fully_qualified_name = string_from_gstring(g);
   ind_type = T_SRV;
 
   /* Search for SRV records. If the fully qualified name is different to
@@ -2614,7 +2607,8 @@
 
   dnssec = DS_UNK;
   lookup_dnssec_authenticated = NULL;
-  rc = dns_lookup_timerwrap(&dnsa, buffer, ind_type, CUSS &temp_fully_qualified_name);
+  rc = dns_lookup_timerwrap(&dnsa, temp_fully_qualified_name, ind_type,
+	CUSS &temp_fully_qualified_name);
 
   DEBUG(D_dns)
     if ((dnssec_request || dnssec_require)
@@ -2630,7 +2624,7 @@
       { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; }
     }
 
-  if (temp_fully_qualified_name != buffer && fully_qualified_name != NULL)
+  if (temp_fully_qualified_name != g->s && fully_qualified_name != NULL)
     *fully_qualified_name = temp_fully_qualified_name + prefix_length;
 
   /* On DNS failures, we give the "try again" error unless the domain is
@@ -2792,8 +2786,7 @@
      rr;
      rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT)) if (rr->type == ind_type)
   {
-  int precedence;
-  int weight = 0;        /* For SRV records */
+  int precedence, weight;
   int port = PORT_NONE;
   const uschar * s = rr->data;	/* MUST be unsigned for GETSHORT */
   uschar data[256];
@@ -2805,13 +2798,11 @@
 
   if (ind_type == T_MX)
     weight = random_number(500);
-
-  /* SRV records are specified with a port and a weight. The weight is used
-  in a special algorithm. However, to start with, we just use it to order the
-  records of equal priority (precedence). */
-
   else
     {
+    /* SRV records are specified with a port and a weight. The weight is used
+    in a special algorithm. However, to start with, we just use it to order the
+    records of equal priority (precedence). */
     GETSHORT(weight, s);
     GETSHORT(port, s);
     }
@@ -2826,17 +2817,16 @@
   never know what junk might get into the DNS (and this case has been seen on
   more than one occasion). */
 
-  if (last != NULL)       /* This is not the first record */
+  if (last)       /* This is not the first record */
     {
     host_item *prev = NULL;
 
     for (h = host; h != last->next; prev = h, h = h->next)
-      {
       if (strcmpic(h->name, data) == 0)
         {
         DEBUG(D_host_lookup)
           debug_printf("discarded duplicate host %s (MX=%d)\n", data,
-            (precedence > h->mx)? precedence : h->mx);
+            precedence > h->mx ? precedence : h->mx);
         if (precedence >= h->mx) goto NEXT_MX_RR; /* Skip greater precedence */
         if (h == host)                            /* Override first item */
           {
@@ -2852,14 +2842,13 @@
         if (h == last) last = prev;
         break;
         }
-      }
     }
 
   /* If this is the first MX or SRV record, put the data into the existing host
   block. Otherwise, add a new block in the correct place; if it has to be
   before the first block, copy the first block's data to a new second block. */
 
-  if (last == NULL)
+  if (!last)
     {
     host->name = string_copy_dnsdomain(data);
     host->address = NULL;
@@ -2871,10 +2860,9 @@
     host->dnssec = dnssec;
     last = host;
     }
+  else
 
   /* Make a new host item and seek the correct insertion place */
-
-  else
     {
     int sort_key = precedence * 1000 + weight;
     host_item *next = store_get(sizeof(host_item));
@@ -2899,21 +2887,18 @@
       host->next = next;
       if (last == host) last = next;
       }
+    else
 
     /* Else scan down the items we have inserted as part of this exercise;
     don't go further. */
-
-    else
       {
       for (h = host; h != last; h = h->next)
-        {
         if (sort_key < h->next->sort_key)
           {
           next->next = h->next;
           h->next = next;
           break;
           }
-        }
 
       /* Join on after the last host item that's part of this
       processing if we haven't stopped sooner. */
@@ -2990,10 +2975,9 @@
 
       for (ppptr = pptr, hhh = h;
            hhh != hh;
-           ppptr = &(hhh->next), hhh = hhh->next)
-        {
-        if (hhh->sort_key >= randomizer) break;
-        }
+           ppptr = &hhh->next, hhh = hhh->next)
+        if (hhh->sort_key >= randomizer)
+	  break;
 
       /* hhh now points to the host that should go first; ppptr points to the
       place that points to it. Unfortunately, if the start of the minilist is
@@ -3018,7 +3002,6 @@
           hhh->next = temp.next;
           h->next = hhh;
           }
-
         else
           {
           hhh->next = h;               /* The rest of the chain follows it */
@@ -3268,7 +3251,7 @@
   else if (Ustrcmp(buffer, "require_dnssec")    == 0) require_dnssec = TRUE;
   else if (Ustrcmp(buffer, "no_require_dnssec") == 0) require_dnssec = FALSE;
   else if (Ustrcmp(buffer, "test_harness") == 0)
-    running_in_test_harness = !running_in_test_harness;
+    f.running_in_test_harness = !f.running_in_test_harness;
   else if (Ustrcmp(buffer, "ipv6") == 0) disable_ipv6 = !disable_ipv6;
   else if (Ustrcmp(buffer, "res_debug") == 0)
     {
diff -Nru exim4-4.91/src/ip.c exim4-4.92~RC4/src/ip.c
--- exim4-4.91/src/ip.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/ip.c	2018-12-27 13:36:19.000000000 +0000
@@ -173,7 +173,7 @@
 if (  (sock = socket(SOCK_STREAM, AF_INET, 0)) < 0
    && setsockopt(sock, IPPROTO_TCP, TCP_FASTOPEN, &backlog, sizeof(backlog))
    )
-  tcp_fastopen_ok = TRUE;
+  f.tcp_fastopen_ok = TRUE;
 close(sock);
 # endif
 }
@@ -196,7 +196,7 @@
   port        the remote port
   timeout     a timeout (zero for indefinite timeout)
   fastopen_blob    non-null iff TCP_FASTOPEN can be used; may indicate early-data to
-		be sent in SYN segment
+		be sent in SYN segment.  Any such data must be idempotent.
 
 Returns:      0 on success; -1 on failure, with errno set
 */
@@ -243,26 +243,31 @@
 
 callout_address = string_sprintf("[%s]:%d", address, port);
 sigalrm_seen = FALSE;
-if (timeout > 0) alarm(timeout);
+if (timeout > 0) ALARM(timeout);
 
-#if defined(TCP_FASTOPEN) && defined(MSG_FASTOPEN)
+#ifdef TCP_FASTOPEN
 /* TCP Fast Open, if the system has a cookie from a previous call to
 this peer, can send data in the SYN packet.  The peer can send data
 before it gets our ACK of its SYN,ACK - the latter is useful for
 the SMTP banner.  Other (than SMTP) cases of TCP connections can
-possibly use the data-on-syn, so support that too.  */
+possibly use the data-on-syn, so support that too. */
 
-if (fastopen_blob && tcp_fastopen_ok)
+if (fastopen_blob && f.tcp_fastopen_ok)
   {
+# ifdef MSG_FASTOPEN
+  /* This is a Linux implementation.  It might be useable on FreeBSD; I have
+  not checked. */
+
   if ((rc = sendto(sock, fastopen_blob->data, fastopen_blob->len,
 		    MSG_FASTOPEN | MSG_DONTWAIT, s_ptr, s_len)) >= 0)
 	/* seen for with-data, experimental TFO option, with-cookie case */
 	/* seen for with-data, proper TFO opt, with-cookie case */
     {
     DEBUG(D_transport|D_v)
-      debug_printf("non-TFO mode connection attempt to %s, %lu data\n",
+      debug_printf("TFO mode connection attempt to %s, %lu data\n",
 	address, (unsigned long)fastopen_blob->len);
-    tcp_out_fastopen = fastopen_blob->len > 0 ?  2 : 1;
+    /*XXX also seen on successful TFO, sigh */
+    tcp_out_fastopen = fastopen_blob->len > 0 ?  TFO_ATTEMPTED_DATA : TFO_ATTEMPTED_NODATA;
     }
   else if (errno == EINPROGRESS)	/* expected if we had no cookie for peer */
 	/* seen for no-data, proper TFO option, both cookie-request and with-cookie cases */
@@ -275,7 +280,7 @@
       fastopen_blob->len > 0 ? "with"  : "no");
     if (!fastopen_blob->data)
       {
-      tcp_out_fastopen = 1;		/* we tried; unknown if useful yet */
+      tcp_out_fastopen = TFO_ATTEMPTED_NODATA;		/* we tried; unknown if useful yet */
       rc = 0;
       }
     else
@@ -287,9 +292,44 @@
       debug_printf("Tried TCP Fast Open but apparently not enabled by sysctl\n");
     goto legacy_connect;
     }
+# endif
+# ifdef EXIM_TFO_CONNECTX
+  /* MacOS */
+  sa_endpoints_t ends = {
+    .sae_srcif = 0, .sae_srcaddr = NULL, .sae_srcaddrlen = 0,
+    .sae_dstaddr = s_ptr, .sae_dstaddrlen = s_len };
+  struct iovec iov = {
+    .iov_base = fastopen_blob->data, .iov_len = fastopen_blob->len };
+  size_t len;
+
+  if ((rc = connectx(sock, &ends, SAE_ASSOCID_ANY,
+	     CONNECT_DATA_IDEMPOTENT, &iov, 1, &len, NULL)) == 0)
+    {
+    DEBUG(D_transport|D_v)
+      debug_printf("TFO mode connection attempt to %s, %lu data\n",
+	address, (unsigned long)fastopen_blob->len);
+    tcp_out_fastopen = fastopen_blob->len > 0 ?  TFO_ATTEMPTED_DATA : TFO_ATTEMPTED_NODATA;
+
+    if (len != fastopen_blob->len)
+      DEBUG(D_transport|D_v)
+	debug_printf(" only queued %lu data!\n", (unsigned long)len);
+    }
+  else if (errno == EINPROGRESS)
+    {
+    DEBUG(D_transport|D_v) debug_printf("TFO mode sendto, %s data: EINPROGRESS\n",
+      fastopen_blob->len > 0 ? "with"  : "no");
+    if (!fastopen_blob->data)
+      {
+      tcp_out_fastopen = TFO_ATTEMPTED_NODATA;		/* we tried; unknown if useful yet */
+      rc = 0;
+      }
+    else	/* assume that no data was queued; block in send */
+      rc = send(sock, fastopen_blob->data, fastopen_blob->len, 0);
+    }
+# endif
   }
 else
-#endif
+#endif	/*TCP_FASTOPEN*/
   {
 legacy_connect:
   DEBUG(D_transport|D_v) if (fastopen_blob)
@@ -302,13 +342,13 @@
   }
 
 save_errno = errno;
-alarm(0);
+ALARM_CLR(0);
 
 /* There is a testing facility for simulating a connection timeout, as I
 can't think of any other way of doing this. It converts a connection refused
 into a timeout if the timeout is set to 999999. */
 
-if (running_in_test_harness  && save_errno == ECONNREFUSED && timeout == 999999)
+if (f.running_in_test_harness  && save_errno == ECONNREFUSED && timeout == 999999)
   {
   rc = -1;
   save_errno = EINTR;
@@ -339,13 +379,13 @@
 Arguments:
   type          SOCK_DGRAM or SOCK_STREAM
   af            AF_INET6 or AF_INET for the socket type
-  address       the remote address, in text form
+  hostname	host name, or ip address (as text)
   portlo,porthi the remote port range
   timeout       a timeout
   connhost	if not NULL, host_item to be filled in with connection details
   errstr        pointer for allocated string on error
   fastopen_blob	with SOCK_STREAM, if non-null, request TCP Fast Open.
-		Additionally, optional early-data to send
+		Additionally, optional idempotent early-data to send
 
 Return:
   socket fd, or -1 on failure (having allocated an error string)
@@ -591,7 +631,7 @@
 result but no ready descriptor. Is this in fact possible?
 
 Arguments:
-  sock        the socket
+  cctx        the connection context (socket fd, possibly TLS context)
   buffer      to read into
   bufsize     the buffer size
   timeout     the timeout
@@ -601,24 +641,24 @@
 */
 
 int
-ip_recv(int sock, uschar *buffer, int buffsize, int timeout)
+ip_recv(client_conn_ctx * cctx, uschar * buffer, int buffsize, int timeout)
 {
 int rc;
 
-if (!fd_ready(sock, timeout))
+if (!fd_ready(cctx->sock, timeout))
   return -1;
 
 /* The socket is ready, read from it (via TLS if it's active). On EOF (i.e.
 close down of the connection), set errno to zero; otherwise leave it alone. */
 
 #ifdef SUPPORT_TLS
-if (tls_out.active == sock)
-  rc = tls_read(FALSE, buffer, buffsize);
-else if (tls_in.active == sock)
-  rc = tls_read(TRUE, buffer, buffsize);
+if (cctx->tls_ctx)					/* client TLS */
+  rc = tls_read(cctx->tls_ctx, buffer, buffsize);
+else if (tls_in.active.sock == cctx->sock)		/* server TLS */
+  rc = tls_read(NULL, buffer, buffsize);
 else
 #endif
-  rc = recv(sock, buffer, buffsize, 0);
+  rc = recv(cctx->sock, buffer, buffsize, 0);
 
 if (rc > 0) return rc;
 if (rc == 0) errno = 0;
diff -Nru exim4-4.91/src/local_scan.c exim4-4.92~RC4/src/local_scan.c
--- exim4-4.91/src/local_scan.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/local_scan.c	2018-12-27 13:36:19.000000000 +0000
@@ -12,6 +12,7 @@
 Local/local_scan.c, and edit the copy. To use your version instead of the
 default, you must set
 
+HAVE_LOCAL_SCAN=yes
 LOCAL_SCAN_SOURCE=Local/local_scan.c
 
 in your Local/Makefile. This makes it easy to copy your version for use with
diff -Nru exim4-4.91/src/log.c exim4-4.92~RC4/src/log.c
--- exim4-4.91/src/log.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/log.c	2018-12-27 13:36:19.000000000 +0000
@@ -145,8 +145,6 @@
 int len, pass;
 int linecount = 0;
 
-if (running_in_test_harness) return;
-
 if (!syslog_pid && LOGGING(pid))
   s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]);
 if (!syslog_timestamp)
@@ -159,13 +157,13 @@
 len = Ustrlen(s);
 
 #ifndef NO_OPENLOG
-if (!syslog_open)
+if (!syslog_open && !f.running_in_test_harness)
   {
-  #ifdef SYSLOG_LOG_PID
+# ifdef SYSLOG_LOG_PID
   openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
-  #else
+# else
   openlog(CS syslog_processname, LOG_CONS, syslog_facility);
-  #endif
+# endif
   syslog_open = TRUE;
   }
 #endif
@@ -183,21 +181,29 @@
     int plen = tlen;
     uschar *nlptr = Ustrchr(ss, '\n');
     if (nlptr != NULL) plen = nlptr - ss;
-    #ifndef SYSLOG_LONG_LINES
+#ifndef SYSLOG_LONG_LINES
     if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
-    #endif
+#endif
     tlen -= plen;
     if (ss[plen] == '\n') tlen--;    /* chars left */
 
-    if (pass == 0) linecount++; else
-      {
+    if (pass == 0)
+      linecount++;
+    else if (f.running_in_test_harness)
+      if (linecount == 1)
+        fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss);
+      else
+        fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i,
+          ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
+          linecount, plen, ss);
+    else
       if (linecount == 1)
         syslog(priority, "%.*s", plen, ss);
       else
         syslog(priority, "[%d%c%d] %.*s", i,
-          (ss[plen] == '\n' && tlen != 0)? '\\' : '/',
+          ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
           linecount, plen, ss);
-      }
+
     ss += plen;
     if (*ss == '\n') ss++;
     }
@@ -232,10 +238,10 @@
   {
   write_syslog(LOG_CRIT, s1);
   if (debug_file) debug_printf("%s\n", s1);
-  if (log_stderr != NULL && log_stderr != debug_file)
+  if (log_stderr && log_stderr != debug_file)
     fprintf(log_stderr, "%s\n", s1);
   }
-if (receive_call_bombout) receive_bomb_out(NULL, s2);  /* does not return */
+if (f.receive_call_bombout) receive_bomb_out(NULL, s2);  /* does not return */
 if (smtp_input) smtp_closedown(s2);
 exim_exit(EXIT_FAILURE, NULL);
 }
@@ -432,20 +438,19 @@
 
 else if (string_datestamp_offset >= 0)
   {
-  uschar *from = buffer + string_datestamp_offset;
-  uschar *to = from + string_datestamp_length;
+  uschar * from = buffer + string_datestamp_offset;
+  uschar * to = from + string_datestamp_length;
+
   if (from == buffer || from[-1] == '/')
     {
     if (!isalnum(*to)) to++;
     }
   else
-    {
     if (!isalnum(from[-1])) from--;
-    }
-
-  /* This strcpy is ok, because we know that to is a substring of from. */
 
-  Ustrcpy(from, to);
+  /* This copy is ok, because we know that to is a substring of from. But
+  due to overlap we must use memmove() not Ustrcpy(). */
+  memmove(from, to, Ustrlen(to)+1);
   }
 
 /* If the file name is too long, it is an unrecoverable disaster */
@@ -549,23 +554,18 @@
 Returns:      updated pointer
 */
 
-static uschar *
-log_config_info(uschar *ptr, int flags)
+static gstring *
+log_config_info(gstring * g, int flags)
 {
-Ustrcpy(ptr, "Exim configuration error");
-ptr += 24;
+g = string_cat(g, US"Exim configuration error");
 
-if ((flags & (LOG_CONFIG_FOR & ~LOG_CONFIG)) != 0)
-  {
-  Ustrcpy(ptr, " for ");
-  return ptr + 5;
-  }
+if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG))
+  return string_cat(g, US" for ");
 
-if ((flags & (LOG_CONFIG_IN & ~LOG_CONFIG)) != 0)
-  ptr += sprintf(CS ptr, " in line %d of %s", config_lineno, config_filename);
+if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG))
+  g = string_fmt_append(g, " in line %d of %s", config_lineno, config_filename);
 
-Ustrcpy(ptr, ":\n  ");
-return ptr + 4;
+return string_catn(g, US":\n  ", 4);
 }
 
 
@@ -736,10 +736,10 @@
 void
 log_write(unsigned int selector, int flags, const char *format, ...)
 {
-uschar * ptr;
-int length;
 int paniclogfd;
 ssize_t written_len;
+gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer };
+gstring * g;
 va_list ap;
 
 /* If panic_recurseflag is set, we have failed to open the panic log. This is
@@ -749,11 +749,11 @@
 
 if (panic_recurseflag)
   {
-  uschar *extra = (panic_save_buffer == NULL)? US"" : panic_save_buffer;
-  if (debug_file != NULL) debug_printf("%s%s", extra, log_buffer);
-  if (log_stderr != NULL && log_stderr != debug_file)
+  uschar *extra = panic_save_buffer ? panic_save_buffer : US"";
+  if (debug_file) debug_printf("%s%s", extra, log_buffer);
+  if (log_stderr && log_stderr != debug_file)
     fprintf(log_stderr, "%s%s", extra, log_buffer);
-  if (*extra != 0) write_syslog(LOG_CRIT, extra);
+  if (*extra) write_syslog(LOG_CRIT, extra);
   write_syslog(LOG_CRIT, log_buffer);
   die(US"exim: could not open panic log - aborting: see message(s) above",
     US"Unexpected log failure, please try later");
@@ -790,12 +790,14 @@
     int sep = ':';              /* Fixed separator - outside use */
     uschar *s;
     const uschar *ss = log_file_path;
+
     logging_mode = 0;
     while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
       {
       if (Ustrcmp(s, "syslog") == 0)
         logging_mode |= LOG_MODE_SYSLOG;
-      else if ((logging_mode & LOG_MODE_FILE) != 0) multiple = TRUE;
+      else if (logging_mode & LOG_MODE_FILE)
+	multiple = TRUE;
       else
         {
         logging_mode |= LOG_MODE_FILE;
@@ -825,7 +827,7 @@
   /* Set up the ultimate default if necessary. Then revert to the old store
   pool, and record that we've sorted out the path. */
 
-  if ((logging_mode & LOG_MODE_FILE) != 0 && file_path[0] == 0)
+  if (logging_mode & LOG_MODE_FILE  &&  !file_path[0])
     file_path = string_sprintf("%s/log/%%slog", spool_directory);
   store_pool = old_pool;
   path_inspected = TRUE;
@@ -844,10 +846,8 @@
 DEBUG(D_any|D_v)
   {
   int i;
-  ptr = log_buffer;
 
-  Ustrcpy(ptr, "LOG:");
-  ptr += 4;
+  g = string_catn(&gs, US"LOG:", 4);
 
   /* Show the selector that was passed into the call. */
 
@@ -855,40 +855,43 @@
     {
     unsigned int bitnum = log_options[i].bit;
     if (bitnum < BITWORDSIZE && selector == BIT(bitnum))
-      {
-      *ptr++ = ' ';
-      Ustrcpy(ptr, log_options[i].name);
-      while (*ptr) ptr++;
-      }
+      g = string_fmt_append(g, " %s", log_options[i].name);
     }
 
-  ptr += sprintf(CS ptr, "%s%s%s%s\n  ",
-    ((flags & LOG_MAIN) != 0)?    " MAIN"   : "",
-    ((flags & LOG_PANIC) != 0)?   " PANIC"  : "",
-    ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE)? " DIE" : "",
-    ((flags & LOG_REJECT) != 0)?  " REJECT" : "");
+  g = string_fmt_append(g, "%s%s%s%s\n  ",
+    flags & LOG_MAIN ?    " MAIN"   : "",
+    flags & LOG_PANIC ?   " PANIC"  : "",
+    (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "",
+    flags & LOG_REJECT ?  " REJECT" : "");
 
-  if ((flags & LOG_CONFIG) != 0) ptr = log_config_info(ptr, flags);
+  if (flags & LOG_CONFIG) g = log_config_info(g, flags);
 
   va_start(ap, format);
-  if (!string_vformat(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer)-1, format, ap))
-    Ustrcpy(ptr, "**** log string overflowed log buffer ****");
+  i = g->ptr;
+  if (!string_vformat(g, FALSE, format, ap))
+    {
+    g->ptr = i;
+    g = string_cat(g, US"**** log string overflowed log buffer ****");
+    }
   va_end(ap);
 
-  while(*ptr) ptr++;
-  Ustrcat(ptr, "\n");
-  debug_printf("%s", log_buffer);
+  g->size = LOG_BUFFER_SIZE;
+  g = string_catn(g, US"\n", 1);
+  debug_printf("%s", string_from_gstring(g));
+
+  gs.size = LOG_BUFFER_SIZE-1;	/* Having used the buffer for debug output, */
+  gs.ptr = 0;			/* reset it for the real use. */
+  gs.s = log_buffer;
   }
-
 /* If no log file is specified, we are in a mess. */
 
-if ((flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)) == 0)
+if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)))
   log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
     "flags set");
 
 /* There are some weird circumstances in which logging is disabled. */
 
-if (disable_logging)
+if (f.disable_logging)
   {
   DEBUG(D_any) debug_printf("log writing disabled\n");
   return;
@@ -901,68 +904,75 @@
 /* Create the main message in the log buffer. Do not include the message id
 when called by a utility. */
 
-ptr = log_buffer;
-ptr += sprintf(CS ptr, "%s ", tod_stamp(tod_log));
+g = string_fmt_append(&gs, "%s ", tod_stamp(tod_log));
 
 if (LOGGING(pid))
   {
-  if (!syslog_pid) pid_position[0] = ptr - log_buffer;	/* remember begin … */
-  ptr += sprintf(CS ptr, "[%d] ", (int)getpid());
-  if (!syslog_pid) pid_position[1] = ptr - log_buffer;	/*  … and end+1 of the PID */
+  if (!syslog_pid) pid_position[0] = g->ptr;		/* remember begin … */
+  g = string_fmt_append(g, "[%d] ", (int)getpid());
+  if (!syslog_pid) pid_position[1] = g->ptr;		/*  … and end+1 of the PID */
   }
 
-if (really_exim && message_id[0] != 0)
-  ptr += sprintf(CS ptr, "%s ", message_id);
+if (f.really_exim && message_id[0] != 0)
+  g = string_fmt_append(g, "%s ", message_id);
 
-if ((flags & LOG_CONFIG) != 0) ptr = log_config_info(ptr, flags);
+if (flags & LOG_CONFIG)
+  g = log_config_info(g, flags);
 
 va_start(ap, format);
-if (!string_vformat(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer)-1, format, ap))
-  Ustrcpy(ptr, "**** log string overflowed log buffer ****\n");
-while(*ptr) ptr++;
+  {
+  int i = g->ptr;
+  if (!string_vformat(g, FALSE, format, ap))
+    {
+    g->ptr = i;
+    g = string_cat(g, US"**** log string overflowed log buffer ****\n");
+    }
+  }
 va_end(ap);
 
 /* Add the raw, unrewritten, sender to the message if required. This is done
 this way because it kind of fits with LOG_RECIPIENTS. */
 
-if ((flags & LOG_SENDER) != 0 &&
-    ptr < log_buffer + LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
-  ptr += sprintf(CS ptr, " from <%s>", raw_sender);
+if (   flags & LOG_SENDER
+   && g->ptr < LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
+  g = string_fmt_append(g, " from <%s>", raw_sender);
 
 /* Add list of recipients to the message if required; the raw list,
 before rewriting, was saved in raw_recipients. There may be none, if an ACL
 discarded them all. */
 
-if ((flags & LOG_RECIPIENTS) != 0 && ptr < log_buffer + LOG_BUFFER_SIZE - 6 &&
-     raw_recipients_count > 0)
+if (  flags & LOG_RECIPIENTS
+   && g->ptr < LOG_BUFFER_SIZE - 6
+   && raw_recipients_count > 0)
   {
   int i;
-  ptr += sprintf(CS ptr, " for");
+  g = string_fmt_append(g, " for");
   for (i = 0; i < raw_recipients_count; i++)
     {
     uschar * s = raw_recipients[i];
-    if (log_buffer + LOG_BUFFER_SIZE - ptr < Ustrlen(s) + 3) break;
-    ptr += sprintf(CS ptr, " %s", s);
+    if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break;
+    g = string_fmt_append(g, " %s", s);
     }
   }
 
-ptr += sprintf(CS  ptr, "\n");
-length = ptr - log_buffer;
+g = string_catn(g, US"\n", 1);
+string_from_gstring(g);
 
 /* Handle loggable errors when running a utility, or when address testing.
 Write to log_stderr unless debugging (when it will already have been written),
 or unless there is no log_stderr (expn called from daemon, for example). */
 
-if (!really_exim || log_testing_mode)
+if (!f.really_exim || f.log_testing_mode)
   {
-  if (debug_selector == 0 && log_stderr != NULL &&
-      (selector == 0 || (selector & log_selector[0]) != 0))
-    {
+  if (  !debug_selector
+     && log_stderr
+     && (selector == 0 || (selector & log_selector[0]) != 0)
+    )
     if (host_checking)
       fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20));  /* no timestamp */
     else
       fprintf(log_stderr, "%s", CS log_buffer);
-    }
+
   if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE, US"");
   return;
   }
@@ -1019,10 +1029,10 @@
 
     /* Failing to write to the log is disastrous */
 
-    written_len = write_to_fd_buf(mainlogfd, log_buffer, length);
-    if (written_len != length)
+    written_len = write_to_fd_buf(mainlogfd, g->s, g->ptr);
+    if (written_len != g->ptr)
       {
-      log_write_failed(US"main log", length, written_len);
+      log_write_failed(US"main log", g->ptr, written_len);
       /* That function does not return */
       }
     }
@@ -1033,40 +1043,45 @@
 the rejection is happening after the DATA phase), log the recipients and the
 headers. */
 
-if ((flags & LOG_REJECT) != 0)
+if (flags & LOG_REJECT)
   {
   header_line *h;
 
-  if (header_list != NULL && LOGGING(rejected_header))
+  if (header_list && LOGGING(rejected_header))
     {
+    uschar * p = g->s + g->ptr;
+    int i;
+
     if (recipients_count > 0)
       {
-      int i;
-
       /* List the sender */
 
-      string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
+      string_format(p, LOG_BUFFER_SIZE - g->ptr,
         "Envelope-from: <%s>\n", sender_address);
-      while (*ptr) ptr++;
+      while (*p) p++;
+      g->ptr = p - g->s;
 
       /* List up to 5 recipients */
 
-      string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
+      string_format(p, LOG_BUFFER_SIZE - g->ptr,
         "Envelope-to: <%s>\n", recipients_list[0].address);
-      while (*ptr) ptr++;
+      while (*p) p++;
+      g->ptr = p - g->s;
 
       for (i = 1; i < recipients_count && i < 5; i++)
         {
-        string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer), "    <%s>\n",
+        string_format(p, LOG_BUFFER_SIZE - g->ptr, "    <%s>\n",
           recipients_list[i].address);
-        while (*ptr) ptr++;
+	while (*p) p++;
+	g->ptr = p - g->s;
         }
 
       if (i < recipients_count)
         {
-        (void)string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
+        string_format(p, LOG_BUFFER_SIZE - g->ptr,
           "    ...\n");
-        while (*ptr) ptr++;
+	while (*p) p++;
+	g->ptr = p - g->s;
         }
       }
 
@@ -1074,33 +1089,31 @@
 
     for (h = header_list; h; h = h->next) if (h->text)
       {
-      BOOL fitted = string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
+      BOOL fitted = string_format(p, LOG_BUFFER_SIZE - g->ptr,
         "%c %s", h->type, h->text);
-      while(*ptr) ptr++;
+      while (*p) p++;
+      g->ptr = p - g->s;
       if (!fitted)         /* Buffer is full; truncate */
         {
-        ptr -= 100;        /* For message and separator */
-        if (ptr[-1] == '\n') ptr--;
-        Ustrcpy(ptr, "\n*** truncated ***\n");
-        while (*ptr) ptr++;
+        g->ptr -= 100;        /* For message and separator */
+        if (g->s[g->ptr-1] == '\n') g->ptr--;
+        g = string_cat(g, US"\n*** truncated ***\n");
         break;
         }
       }
-
-    length = ptr - log_buffer;
     }
 
   /* Write to syslog or to a log file */
 
-  if ((logging_mode & LOG_MODE_SYSLOG) != 0 &&
-      (syslog_duplication || (flags & LOG_PANIC) == 0))
-    write_syslog(LOG_NOTICE, log_buffer);
+  if (  logging_mode & LOG_MODE_SYSLOG
+     && (syslog_duplication || !(flags & LOG_PANIC)))
+    write_syslog(LOG_NOTICE, string_from_gstring(g));
 
   /* Check for a change to the rejectlog file name when datestamping is in
   operation. This happens at midnight, at which point we want to roll over
   the file. Closing it has the desired effect. */
 
-  if ((logging_mode & LOG_MODE_FILE) != 0)
+  if (logging_mode & LOG_MODE_FILE)
     {
     struct stat statbuf;
 
@@ -1122,7 +1135,6 @@
     happening. */
 
     if (rejectlogfd >= 0)
-      {
       if (Ustat(rejectlog_name, &statbuf) < 0 ||
            statbuf.st_ino != rejectlog_inode)
         {
@@ -1130,7 +1142,6 @@
         rejectlogfd = -1;
         rejectlog_inode = 0;
         }
-      }
 
     /* Open the file if necessary, and write the data */
 
@@ -1140,10 +1151,10 @@
       if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
       }
 
-    written_len = write_to_fd_buf(rejectlogfd, log_buffer, length);
-    if (written_len != length)
+    written_len = write_to_fd_buf(rejectlogfd, g->s, g->ptr);
+    if (written_len != g->ptr)
       {
-      log_write_failed(US"reject log", length, written_len);
+      log_write_failed(US"reject log", g->ptr, written_len);
       /* That function does not return */
       }
     }
@@ -1155,37 +1166,37 @@
 attempt to write to the system log as a last-ditch try at telling somebody. In
 all cases except mua_wrapper, try to write to log_stderr. */
 
-if ((flags & LOG_PANIC) != 0)
+if (flags & LOG_PANIC)
   {
-  if (log_stderr != NULL && log_stderr != debug_file && !mua_wrapper)
-    fprintf(log_stderr, "%s", CS log_buffer);
+  if (log_stderr && log_stderr != debug_file && !mua_wrapper)
+    fprintf(log_stderr, "%s", CS string_from_gstring(g));
 
-  if ((logging_mode & LOG_MODE_SYSLOG) != 0)
+  if (logging_mode & LOG_MODE_SYSLOG)
     write_syslog(LOG_ALERT, log_buffer);
 
   /* If this panic logging was caused by a failure to open the main log,
   the original log line is in panic_save_buffer. Make an attempt to write it. */
 
-  if ((logging_mode & LOG_MODE_FILE) != 0)
+  if (logging_mode & LOG_MODE_FILE)
     {
     panic_recurseflag = TRUE;
     open_log(&paniclogfd, lt_panic, NULL);  /* Won't return on failure */
     panic_recurseflag = FALSE;
 
-    if (panic_save_buffer != NULL)
+    if (panic_save_buffer)
       {
       int i = write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
       i = i;	/* compiler quietening */
       }
 
-    written_len = write_to_fd_buf(paniclogfd, log_buffer, length);
-    if (written_len != length)
+    written_len = write_to_fd_buf(paniclogfd, g->s, g->ptr);
+    if (written_len != g->ptr)
       {
       int save_errno = errno;
       write_syslog(LOG_CRIT, log_buffer);
       sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
-        "errno=%d (%s)", length, (int)written_len, save_errno, strerror(save_errno));
-      write_syslog(LOG_CRIT, log_buffer);
+        "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno));
+      write_syslog(LOG_CRIT, string_from_gstring(g));
       flags |= LOG_PANIC_DIE;
       }
 
diff -Nru exim4-4.91/src/lookups/dnsdb.c exim4-4.92~RC4/src/lookups/dnsdb.c
--- exim4-4.91/src/lookups/dnsdb.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/lookups/dnsdb.c	2018-12-27 13:36:19.000000000 +0000
@@ -150,7 +150,7 @@
 
 gstring * yield = string_get(256);
 
-dns_record *rr;
+dns_record * rr;
 dns_answer dnsa;
 dns_scan dnss;
 
@@ -421,7 +421,7 @@
       else if (type == T_TLSA)
         {
         uint8_t usage, selector, matching_type;
-        uint16_t i, payload_length;
+        uint16_t payload_length;
         uschar s[MAX_TLSA_EXPANDED_SIZE];
 	uschar * sp = s;
         uschar * p = US rr->data;
@@ -434,10 +434,8 @@
         sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
 		selector, *outsep2, matching_type, *outsep2);
         /* Now append the cert/identifier, one hex char at a time */
-        for (i=0;
-             i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
-             i++)
-          sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
+	while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+          sp += sprintf(CS sp, "%02x", *p++);
 
         yield = string_cat(yield, s);
         }
diff -Nru exim4-4.91/src/lookups/oracle.c exim4-4.92~RC4/src/lookups/oracle.c
--- exim4-4.91/src/lookups/oracle.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/lookups/oracle.c	2018-12-27 13:36:19.000000000 +0000
@@ -415,7 +415,7 @@
     result = string_catn(result, s, slen);
     result = string_catn(result, US"=", 1);
 
-    /* int and float type wont ever need escaping. Otherwise, quote the value
+    /* int and float type won't ever need escaping. Otherwise, quote the value
     if it contains spaces or is empty. */
 
     if (desc[i].dbtype != INT_TYPE && desc[i].dbtype != FLOAT_TYPE &&
diff -Nru exim4-4.91/src/lookups/redis.c exim4-4.92~RC4/src/lookups/redis.c
--- exim4-4.91/src/lookups/redis.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/lookups/redis.c	2018-12-27 13:36:19.000000000 +0000
@@ -291,7 +291,7 @@
       switch (entry->type)
 	{
 	case REDIS_REPLY_INTEGER:
-	  result = string_cat(result, string_sprintf("%d", entry->integer));
+	  result = string_fmt_append(result, "%d", entry->integer);
 	  break;
 	case REDIS_REPLY_STRING:
 	  result = string_catn(result, US entry->str, entry->len);
@@ -307,7 +307,7 @@
 	    switch (tentry->type)
 	      {
 	      case REDIS_REPLY_INTEGER:
-		result = string_cat(result, string_sprintf("%d", tentry->integer));
+		result = string_fmt_append(result, "%d", tentry->integer);
 		break;
 	      case REDIS_REPLY_STRING:
 		result = string_catn(result, US tentry->str, tentry->len);
diff -Nru exim4-4.91/src/macro_predef.c exim4-4.92~RC4/src/macro_predef.c
--- exim4-4.91/src/macro_predef.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/macro_predef.c	2018-12-27 13:36:19.000000000 +0000
@@ -198,6 +198,12 @@
 #ifdef EXPERIMENTAL_DSN_INFO
   builtin_macro_create(US"_HAVE_DSN_INFO");
 #endif
+#ifdef EXPERIMENTAL_REQUIRETLS
+  builtin_macro_create(US"_HAVE_REQTLS");
+#endif
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  builtin_macro_create(US"_HAVE_PIPE_CONNECT");
+#endif
 
 #ifdef LOOKUP_LSEARCH
   builtin_macro_create(US"_HAVE_LOOKUP_LSEARCH");
@@ -281,6 +287,10 @@
 options_routers();
 options_transports();
 options_auths();
+options_logging();
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+options_tls();
+#endif
 }
 
 static void
diff -Nru exim4-4.91/src/macro_predef.h exim4-4.92~RC4/src/macro_predef.h
--- exim4-4.91/src/macro_predef.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/macro_predef.h	2018-12-27 13:36:19.000000000 +0000
@@ -18,5 +18,9 @@
 extern void options_routers(void);
 extern void options_transports(void);
 extern void options_auths(void);
+extern void options_logging(void);
 extern void params_dkim(void);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+extern void options_tls(void);
+#endif
 
diff -Nru exim4-4.91/src/macros.h exim4-4.92~RC4/src/macros.h
--- exim4-4.91/src/macros.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/macros.h	2018-12-27 13:36:19.000000000 +0000
@@ -24,7 +24,7 @@
 /* When running in the test harness, the load average is fudged. */
 
 #define OS_GETLOADAVG() \
-  (running_in_test_harness? (test_harness_load_avg += 10) : os_getloadavg())
+  (f.running_in_test_harness? (test_harness_load_avg += 10) : os_getloadavg())
 
 
 /* The address_item structure has a struct full of 1-bit flags. These macros
@@ -85,7 +85,7 @@
 a no-op once an SSL session is in progress. */
 
 #ifdef SUPPORT_TLS
-#define mac_smtp_fflush() if (tls_in.active < 0) fflush(smtp_out);
+#define mac_smtp_fflush() if (tls_in.active.sock < 0) fflush(smtp_out);
 #else
 #define mac_smtp_fflush() fflush(smtp_out);
 #endif
@@ -362,6 +362,7 @@
 
 /* Options bits for debugging. DEBUG_BIT() declares both a bit index and the
 corresponding mask. Di_all is a special value recognized by decode_bits().
+These must match the debug_options table in globals.c .
 
 Exim's code assumes in a number of places that the debug_selector is one
 word, and this is exposed in the local_scan ABI. The D_v and D_local_scan bit
@@ -391,6 +392,7 @@
   DEBUG_BIT(load),
   DEBUG_BIT(lookup),
   DEBUG_BIT(memory),
+  DEBUG_BIT(noutf8),
   DEBUG_BIT(pid),
   DEBUG_BIT(process_info),
   DEBUG_BIT(queue_run),
@@ -412,6 +414,7 @@
 
 #define D_any                        (D_all & \
                                        ~(D_v           | \
+					 D_noutf8      | \
                                          D_pid         | \
                                          D_timestamp)  )
 
@@ -422,6 +425,7 @@
                                          D_load        | \
                                          D_local_scan  | \
                                          D_memory      | \
+					 D_noutf8      | \
                                          D_pid         | \
                                          D_timestamp   | \
                                          D_resolver))
@@ -469,6 +473,7 @@
   Li_outgoing_interface,
   Li_outgoing_port,
   Li_pid,
+  Li_pipelining,
   Li_proxy,
   Li_queue_time,
   Li_queue_time_overall,
@@ -550,11 +555,16 @@
 #ifdef SUPPORT_I18N
 # define ERRNO_UTF8_FWD      (-49)   /* target not supporting SMTPUTF8 */
 #endif
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+# define ERRNO_REQUIRETLS    (-50)   /* REQUIRETLS session not started */
+#endif
 
 /* These must be last, so all retry deferments can easily be identified */
 
 #define ERRNO_RETRY_BASE     (-51)   /* Base to test against */
 #define ERRNO_RRETRY         (-51)   /* Not time for routing */
+
+#define ERRNO_WARN_BASE      (-52)   /* Base to test against */
 #define ERRNO_LRETRY         (-52)   /* Not time for local delivery */
 #define ERRNO_HRETRY         (-53)   /* Not time for any remote host */
 #define ERRNO_LOCAL_ONLY     (-54)   /* Local-only delivery */
@@ -1006,14 +1016,20 @@
 
 /* Codes for ESMTP facilities offered by peer */
 
-#define OPTION_TLS	BIT(0)
-#define OPTION_IGNQ	BIT(1)
-#define OPTION_PRDR	BIT(2)
-#define OPTION_UTF8	BIT(3)
-#define OPTION_DSN	BIT(4)
-#define OPTION_PIPE	BIT(5)
-#define OPTION_SIZE	BIT(6)
-#define OPTION_CHUNKING	BIT(7)
+#define OPTION_TLS		BIT(0)
+#define OPTION_IGNQ		BIT(1)
+#define OPTION_PRDR		BIT(2)
+#define OPTION_UTF8		BIT(3)
+#define OPTION_DSN		BIT(4)
+#define OPTION_PIPE		BIT(5)
+#define OPTION_SIZE		BIT(6)
+#define OPTION_CHUNKING		BIT(7)
+#define OPTION_REQUIRETLS	BIT(8)
+#define OPTION_EARLY_PIPE	BIT(9)
+
+/* Codes for tls_requiretls requests (usually by sender) */
+
+#define REQUIRETLS_MSG		BIT(0)	/* REQUIRETLS onward use */
 
 /* Argument for *_getc */
 
@@ -1034,4 +1050,26 @@
 #define TLS_SHUTDOWN_WAIT	2
 
 
+#ifdef COMPILE_UTILITY
+# define ALARM(seconds) alarm(seconds);
+# define ALARM_CLR(seconds) alarm(seconds);
+#else
+/* For debugging of odd alarm-signal problems, stash caller info while the
+alarm is active.  Clear it down on cancelling the alarm so we can tell there
+should not be one active. */
+
+# define ALARM(seconds) \
+    debug_selector & D_any \
+    ? (sigalarm_setter = CUS __FUNCTION__, alarm(seconds)) : alarm(seconds);
+# define ALARM_CLR(seconds) \
+    debug_selector & D_any \
+    ? (sigalarm_setter = NULL, alarm(seconds)) : alarm(seconds);
+#endif
+
+#define AUTHS_REGEX US"\\n250[\\s\\-]AUTH\\s+([\\-\\w \\t]+)(?:\\n|$)"
+
+#define EARLY_PIPE_FEATURE_NAME "X_PIPE_CONNECT"
+#define EARLY_PIPE_FEATURE_LEN  14
+
+
 /* End of macros.h */
diff -Nru exim4-4.91/src/malware.c exim4-4.92~RC4/src/malware.c
--- exim4-4.91/src/malware.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/malware.c	2018-12-27 13:36:19.000000000 +0000
@@ -12,8 +12,45 @@
 #include "exim.h"
 #ifdef WITH_CONTENT_SCAN	/* entire file */
 
-typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
-		M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST, M_FPROT6D} scanner_t;
+typedef enum {
+#ifndef DISABLE_MAL_FFROTD
+	M_FPROTD,
+#endif
+#ifndef DISABLE_MAL_FFROT6D
+	M_FPROT6D,
+#endif
+#ifndef DISABLE_MAL_DRWEB
+	M_DRWEB,
+#endif
+#ifndef DISABLE_MAL_AVE
+	M_AVES,
+#endif
+#ifndef DISABLE_MAL_FSECURE
+	M_FSEC,
+#endif
+#ifndef DISABLE_MAL_KAV
+	M_KAVD,
+#endif
+#ifndef DISABLE_MAL_SOPHIE
+	M_SOPHIE,
+#endif
+#ifndef DISABLE_MAL_CLAM
+	M_CLAMD,
+#endif
+#ifndef DISABLE_MAL_MKS
+	M_MKSD,
+#endif
+#ifndef DISABLE_MAL_AVAST
+	M_AVAST,
+#endif
+#ifndef DISABLE_MAL_SOCK
+	M_SOCK,
+#endif
+#ifndef DISABLE_MAL_CMDLINE
+	M_CMDL,
+#endif
+	M_DUMMY
+	} scanner_t;
 typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
 static struct scan
 {
@@ -155,11 +192,12 @@
 
 /******************************************************************************/
 
+#ifndef DISABLE_MAL_KAV
 /* Routine to check whether a system is big- or little-endian.
    Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
    Needed for proper kavdaemon implementation. Sigh. */
-#define BIG_MY_ENDIAN      0
-#define LITTLE_MY_ENDIAN   1
+# define BIG_MY_ENDIAN      0
+# define LITTLE_MY_ENDIAN   1
 static int test_byte_order(void);
 static inline int
 test_byte_order()
@@ -168,6 +206,7 @@
   char *byte = CS  &word;
   return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
 }
+#endif
 
 BOOL malware_ok = FALSE;
 
@@ -226,13 +265,6 @@
 (void) close(fd_to_close);
 return m_panic_defer(scanent, hostport, str);
 }
-static inline int
-m_log_defer_3(struct scan * scanent, const uschar * hostport,
-  const uschar * str, int fd_to_close)
-{
-(void) close(fd_to_close);
-return m_log_defer(scanent, hostport, str);
-}
 
 /*************************************************/
 
@@ -400,12 +432,13 @@
 static inline int
 mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size, int tmo)
 {
+client_conn_ctx cctx = {.sock = sock};
 int offset = 0;
 int i;
 
 do
   {
-  i = ip_recv(sock, av_buffer+offset, av_buffer_size-offset, tmo-time(NULL));
+  i = ip_recv(&cctx, av_buffer+offset, av_buffer_size-offset, tmo-time(NULL));
   if (i <= 0)
     {
     (void) malware_panic_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
@@ -540,7 +573,7 @@
 uschar * errstr;
 struct scan * scanent;
 const uschar * scanner_options;
-int sock = -1;
+client_conn_ctx malware_daemon_ctx = {.sock = -1};
 time_t tmo;
 uschar * eml_filename, * eml_dir;
 
@@ -621,12 +654,16 @@
     DEBUG(D_acl) debug_printf_indent("%15s%10s%s\n", "", "socket: ", scanner_options);
     switch(scanent->conn)
     {
-    case MC_TCP:  sock = ip_tcpsocket(scanner_options, &errstr, 5);	break;
-    case MC_UNIX: sock = ip_unixsocket(scanner_options, &errstr);	break;
-    case MC_STRM: sock = ip_streamsocket(scanner_options, &errstr, 5);  break;
-    default: /* compiler quietening */ break;
+    case MC_TCP:
+      malware_daemon_ctx.sock = ip_tcpsocket(scanner_options, &errstr, 5);	break;
+    case MC_UNIX:
+      malware_daemon_ctx.sock = ip_unixsocket(scanner_options, &errstr);	break;
+    case MC_STRM:
+      malware_daemon_ctx.sock = ip_streamsocket(scanner_options, &errstr, 5);	break;
+    default:
+      /* compiler quietening */ break;
     }
-    if (sock < 0)
+    if (malware_daemon_ctx.sock < 0)
       return m_panic_defer(scanent, CUS callout_address, errstr);
     break;
   }
@@ -657,10 +694,10 @@
 	scanner_name, scanrequest);
 
       /* send scan request */
-      if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
+      if (m_sock_send(malware_daemon_ctx.sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
 	return m_panic_defer(scanent, CUS callout_address, errstr);
 
-      while ((len = recv_line(sock, buf, sizeof(buf), tmo)) >= 0)
+      while ((len = recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo)) >= 0)
 	if (len > 0)
 	  {
 	  if (Ustrstr(buf, US"<detected type=\"") != NULL)
@@ -682,7 +719,7 @@
 	  }
       if (len < -1)
 	{
-	(void)close(sock);
+	(void)close(malware_daemon_ctx.sock);
 	return DEFER;
 	}
       break;
@@ -706,28 +743,28 @@
       DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
         scanner_name, scanrequest);
 
-      if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest), &errstr) < 0)
+      if (m_sock_send(malware_daemon_ctx.sock, scanrequest, Ustrlen(scanrequest), &errstr) < 0)
         return m_panic_defer(scanent, CUS callout_address, errstr);
 
-      bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
+      bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL));
 
       if (bread <= 0)
         return m_panic_defer_3(scanent, CUS callout_address,
           string_sprintf("unable to read from socket (%s)", strerror(errno)),
-          sock);
+          malware_daemon_ctx.sock);
 
       if (bread == sizeof(av_buffer))
         return m_panic_defer_3(scanent, CUS callout_address,
-          US"buffer too small", sock);
+          US"buffer too small", malware_daemon_ctx.sock);
 
       av_buffer[bread] = '\0';
       linebuffer = string_copy(av_buffer);
 
-      m_sock_send(sock, US"QUIT\n", 5, 0);
+      m_sock_send(malware_daemon_ctx.sock, US"QUIT\n", 5, 0);
 
       if ((e = m_pcre_exec(fprot6d_re_error, linebuffer)))
         return m_panic_defer_3(scanent, CUS callout_address,
-          string_sprintf("scanner reported error (%s)", e), sock);
+          string_sprintf("scanner reported error (%s)", e), malware_daemon_ctx.sock);
 
       if (!(malware_name = m_pcre_exec(fprot6d_re_virus, linebuffer)))
         malware_name = NULL;
@@ -759,7 +796,7 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("can't open spool file %s: %s",
 	      eml_filename, strerror(errno)),
-	    sock);
+	    malware_daemon_ctx.sock);
 
 	if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1)
 	  {
@@ -769,7 +806,7 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("can't seek spool file %s: %s",
 	      eml_filename, strerror(err)),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 	fsize_uint = (unsigned int) fsize;
 	if ((off_t)fsize_uint != fsize)
@@ -778,7 +815,7 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("seeking spool file %s, size overflow",
 	      eml_filename),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 	drweb_slen = htonl(fsize);
 	if (lseek(drweb_fd, 0, SEEK_SET) < 0)
@@ -788,15 +825,15 @@
 	    scanner_name, scanner_options);
 
 	/* send scan request */
-	if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
-	    (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
-	    (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
-	    (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0))
+	if ((send(malware_daemon_ctx.sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_slen, sizeof(drweb_slen), 0) < 0))
 	  {
 	  (void)close(drweb_fd);
 	  return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
 	    "unable to send commands to socket (%s)", scanner_options),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 
 	if (!(drweb_fbuf = US malloc(fsize_uint)))
@@ -805,7 +842,7 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("unable to allocate memory %u for file (%s)",
 	      fsize_uint, eml_filename),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 
 	if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1)
@@ -816,17 +853,17 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("can't read spool file %s: %s",
 	      eml_filename, strerror(err)),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 	(void)close(drweb_fd);
 
 	/* send file body to socket */
-	if (send(sock, drweb_fbuf, fsize, 0) < 0)
+	if (send(malware_daemon_ctx.sock, drweb_fbuf, fsize, 0) < 0)
 	  {
 	  free(drweb_fbuf);
 	  return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
 	    "unable to send file body to socket (%s)", scanner_options),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 	}
       else
@@ -837,25 +874,25 @@
 	    scanner_name, scanner_options);
 
 	/* send scan request */
-	if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
-	    (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
-	    (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
-	    (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
-	    (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
+	if ((send(malware_daemon_ctx.sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
 	  return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
 	    "unable to send commands to socket (%s)", scanner_options),
-	    sock);
+	    malware_daemon_ctx.sock);
 	}
 
       /* wait for result */
-      if (!recv_len(sock, &drweb_rc, sizeof(drweb_rc), tmo))
+      if (!recv_len(malware_daemon_ctx.sock, &drweb_rc, sizeof(drweb_rc), tmo))
 	return m_panic_defer_3(scanent, CUS callout_address,
-		    US"unable to read return code", sock);
+		    US"unable to read return code", malware_daemon_ctx.sock);
       drweb_rc = ntohl(drweb_rc);
 
-      if (!recv_len(sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
+      if (!recv_len(malware_daemon_ctx.sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
 	return m_panic_defer_3(scanent, CUS callout_address,
-			    US"unable to read the number of viruses", sock);
+			    US"unable to read the number of viruses", malware_daemon_ctx.sock);
       drweb_vnum = ntohl(drweb_vnum);
 
       /* "virus(es) found" if virus number is > 0 */
@@ -877,16 +914,16 @@
 	  int ovector[10*3];
 
 	  /* read the size of report */
-	  if (!recv_len(sock, &drweb_slen, sizeof(drweb_slen), tmo))
+	  if (!recv_len(malware_daemon_ctx.sock, &drweb_slen, sizeof(drweb_slen), tmo))
 	    return m_panic_defer_3(scanent, CUS callout_address,
-			      US"cannot read report size", sock);
+			      US"cannot read report size", malware_daemon_ctx.sock);
 	  drweb_slen = ntohl(drweb_slen);
 	  tmpbuf = store_get(drweb_slen);
 
 	  /* read report body */
-	  if (!recv_len(sock, tmpbuf, drweb_slen, tmo))
+	  if (!recv_len(malware_daemon_ctx.sock, tmpbuf, drweb_slen, tmo))
 	    return m_panic_defer_3(scanent, CUS callout_address,
-			      US"cannot read report string", sock);
+			      US"cannot read report string", malware_daemon_ctx.sock);
 	  tmpbuf[drweb_slen] = '\0';
 
 	  /* try matcher on the line, grab substring */
@@ -925,7 +962,7 @@
 	if (drweb_s)
 	  return m_panic_defer_3(scanent, CUS callout_address,
 	    string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
-	    sock);
+	    malware_daemon_ctx.sock);
 
 	/* no virus found */
 	malware_name = NULL;
@@ -942,13 +979,13 @@
 
       /* read aveserver's greeting and see if it is ready (2xx greeting) */
       buf[0] = 0;
-      recv_line(sock, buf, sizeof(buf), tmo);
+      recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo);
 
       if (buf[0] != '2')		/* aveserver is having problems */
 	return m_panic_defer_3(scanent, CUS callout_address,
 	  string_sprintf("unavailable (Responded: %s).",
 			  ((buf[0] != 0) ? buf : US "nothing") ),
-	  sock);
+	  malware_daemon_ctx.sock);
 
       /* prepare our command */
       (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
@@ -957,13 +994,13 @@
       /* and send it */
       DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s %s\n",
 	scanner_name, buf);
-      if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < 0)
+      if (m_sock_send(malware_daemon_ctx.sock, buf, Ustrlen(buf), &errstr) < 0)
 	return m_panic_defer(scanent, CUS callout_address, errstr);
 
       malware_name = NULL;
       result = 0;
       /* read response lines, find malware name and final response */
-      while (recv_line(sock, buf, sizeof(buf), tmo) > 0)
+      while (recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo) > 0)
 	{
 	if (buf[0] == '2')
 	  break;
@@ -982,22 +1019,22 @@
 	  }
 	}
 
-      if (m_sock_send(sock, US"quit\r\n", 6, &errstr) < 0)
+      if (m_sock_send(malware_daemon_ctx.sock, US"quit\r\n", 6, &errstr) < 0)
 	return m_panic_defer(scanent, CUS callout_address, errstr);
 
       /* read aveserver's greeting and see if it is ready (2xx greeting) */
       buf[0] = 0;
-      recv_line(sock, buf, sizeof(buf), tmo);
+      recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo);
 
       if (buf[0] != '2')		/* aveserver is having problems */
 	return m_panic_defer_3(scanent, CUS callout_address,
 	  string_sprintf("unable to quit dialogue (Responded: %s).",
 			((buf[0] != 0) ? buf : US "nothing") ),
-	  sock);
+	  malware_daemon_ctx.sock);
 
       if (result == DEFER)
 	{
-	(void)close(sock);
+	(void)close(malware_daemon_ctx.sock);
 	return DEFER;
 	}
       break;
@@ -1024,15 +1061,15 @@
       for (i = 0; i != nelem(cmdopt); i++)
 	{
 
-	if (m_sock_send(sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
+	if (m_sock_send(malware_daemon_ctx.sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
 	  return m_panic_defer(scanent, CUS callout_address, errstr);
 
-	bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
+	bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL));
 	if (bread > 0) av_buffer[bread]='\0';
 	if (bread < 0)
 	  return m_panic_defer_3(scanent, CUS callout_address,
 	    string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
-	    sock);
+	    malware_daemon_ctx.sock);
 	for (j = 0; j < bread; j++)
 	  if (av_buffer[j] == '\r' || av_buffer[j] == '\n')
 	    av_buffer[j] ='@';
@@ -1041,7 +1078,7 @@
       /* pass the mailfile to fsecure */
       file_name = string_sprintf("SCAN\t%s\n", eml_filename);
 
-      if (m_sock_send(sock, file_name, Ustrlen(file_name), &errstr) < 0)
+      if (m_sock_send(malware_daemon_ctx.sock, file_name, Ustrlen(file_name), &errstr) < 0)
 	return m_panic_defer(scanent, CUS callout_address, errstr);
 
       /* set up match */
@@ -1059,10 +1096,10 @@
 	  {
 	  errno = ETIMEDOUT;
 	  i =  av_buffer+sizeof(av_buffer)-p;
-	  if ((bread= ip_recv(sock, p, i-1, tmo-time(NULL))) < 0)
+	  if ((bread= ip_recv(&malware_daemon_ctx, p, i-1, tmo-time(NULL))) < 0)
 	    return m_panic_defer_3(scanent, CUS callout_address,
 	      string_sprintf("unable to read result (%s)", strerror(errno)),
-	      sock);
+	      malware_daemon_ctx.sock);
 
 	  for (p[bread] = '\0'; (q = Ustrchr(p, '\n')); p = q+1)
 	    {
@@ -1119,13 +1156,13 @@
 	  scanner_name, scanner_options);
 
       /* send scan request */
-      if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
+      if (m_sock_send(malware_daemon_ctx.sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
 	return m_panic_defer(scanent, CUS callout_address, errstr);
 
       /* wait for result */
-      if (!recv_len(sock, tmpbuf, 2, tmo))
+      if (!recv_len(malware_daemon_ctx.sock, tmpbuf, 2, tmo))
 	return m_panic_defer_3(scanent, CUS callout_address,
-			    US"unable to read 2 bytes from socket.", sock);
+			    US"unable to read 2 bytes from socket.", malware_daemon_ctx.sock);
 
       /* get errorcode from one nibble */
       kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F;
@@ -1134,13 +1171,13 @@
       case 5: case 6: /* improper kavdaemon configuration */
 	return m_panic_defer_3(scanent, CUS callout_address,
 		US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
-		sock);
+		malware_daemon_ctx.sock);
       case 1:
 	return m_panic_defer_3(scanent, CUS callout_address,
-		US"reported 'scanning not completed' (code 1).", sock);
+		US"reported 'scanning not completed' (code 1).", malware_daemon_ctx.sock);
       case 7:
 	return m_panic_defer_3(scanent, CUS callout_address,
-		US"reported 'kavdaemon damaged' (code 7).", sock);
+		US"reported 'kavdaemon damaged' (code 7).", malware_daemon_ctx.sock);
       }
 
       /* code 8 is not handled, since it is ambiguous. It appears mostly on
@@ -1160,9 +1197,9 @@
 	if (report_flag == 1)
 	  {
 	  /* read report size */
-	  if (!recv_len(sock, &kav_reportlen, 4, tmo))
+	  if (!recv_len(malware_daemon_ctx.sock, &kav_reportlen, 4, tmo))
 	    return m_panic_defer_3(scanent, CUS callout_address,
-		  US"cannot read report size", sock);
+		  US"cannot read report size", malware_daemon_ctx.sock);
 
 	  /* it's possible that avp returns av_buffer[1] == 1 but the
 	  reportsize is 0 (!?) */
@@ -1185,7 +1222,7 @@
 	    /* coverity[tainted_data] */
 	    while (kav_reportlen > 0)
 	      {
-	      if ((bread = recv_line(sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
+	      if ((bread = recv_line(malware_daemon_ctx.sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
 		break;
 	      kav_reportlen -= bread+1;
 
@@ -1355,19 +1392,19 @@
       DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
 	  scanner_name, scanner_options);
 
-      if (  write(sock, file_name, Ustrlen(file_name)) < 0
-	 || write(sock, "\n", 1) != 1
+      if (  write(malware_daemon_ctx.sock, file_name, Ustrlen(file_name)) < 0
+	 || write(malware_daemon_ctx.sock, "\n", 1) != 1
 	 )
 	return m_panic_defer_3(scanent, CUS callout_address,
 	  string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
-	  sock);
+	  malware_daemon_ctx.sock);
 
       /* wait for result */
       memset(av_buffer, 0, sizeof(av_buffer));
-      if ((bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL))) <= 0)
+      if ((bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL))) <= 0)
 	return m_panic_defer_3(scanent, CUS callout_address,
 	  string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
-	  sock);
+	  malware_daemon_ctx.sock);
 
       /* infected ? */
       if (av_buffer[0] == '1') {
@@ -1378,7 +1415,7 @@
       }
       else if (!strncmp(CS av_buffer, "-1", 2))
 	return m_panic_defer_3(scanent, CUS callout_address,
-		US"scanner reported error", sock);
+		US"scanner reported error", malware_daemon_ctx.sock);
       else /* all ok, no virus */
 	malware_name = NULL;
 
@@ -1537,7 +1574,8 @@
 	   * on both connections (as one host could resolve to multiple ips) */
 	  for (;;)
 	    {
-	    if ((sock = m_tcpsocket(cd->hostspec, cd->tcp_port,
+	    /*XXX we trust that the cmd_str is ideempotent */
+	    if ((malware_daemon_ctx.sock = m_tcpsocket(cd->hostspec, cd->tcp_port,
 				    &connhost, &errstr, &cmd_str)) >= 0)
 	      {
 	      /* Connection successfully established with a server */
@@ -1548,7 +1586,7 @@
 	    if (cd->retry <= 0) break;
 	    while (cd->retry > 0) cd->retry = sleep(cd->retry);
 	    }
-	  if (sock >= 0)
+	  if (malware_daemon_ctx.sock >= 0)
 	    break;
 
 	  (void) m_panic_defer(scanent, CUS callout_address, errstr);
@@ -1565,7 +1603,7 @@
       else
 	for (;;)
 	  {
-	  if ((sock = ip_unixsocket(cv[0]->hostspec, &errstr)) >= 0)
+	  if ((malware_daemon_ctx.sock = ip_unixsocket(cv[0]->hostspec, &errstr)) >= 0)
 	    {
 	    hostname = cv[0]->hostspec;
 	    break;
@@ -1592,11 +1630,11 @@
 
 	/* Pass the string to ClamAV (10 = "zINSTREAM\0"), if not already sent */
 	if (cmd_str.len)
-	  if (send(sock, cmd_str.data, cmd_str.len, 0) < 0)
+	  if (send(malware_daemon_ctx.sock, cmd_str.data, cmd_str.len, 0) < 0)
 	    return m_panic_defer_3(scanent, CUS hostname,
 	      string_sprintf("unable to send zINSTREAM to socket (%s)",
 		strerror(errno)),
-	      sock);
+	      malware_daemon_ctx.sock);
 
 	/* calc file size */
 	if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0)
@@ -1605,7 +1643,7 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("can't open spool file %s: %s",
 	      eml_filename, strerror(err)),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 	if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0)
 	  {
@@ -1615,7 +1653,7 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("can't seek spool file %s: %s",
 	      eml_filename, strerror(err)),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 	fsize_uint = (unsigned int) fsize;
 	if ((off_t)fsize_uint != fsize)
@@ -1624,7 +1662,7 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("seeking spool file %s, size overflow",
 	      eml_filename),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 	if (lseek(clam_fd, 0, SEEK_SET) < 0)
 	  goto b_seek;
@@ -1635,7 +1673,7 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("unable to allocate memory %u for file (%s)",
 	      fsize_uint, eml_filename),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 
 	if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < 0)
@@ -1645,21 +1683,21 @@
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("can't read spool file %s: %s",
 	      eml_filename, strerror(err)),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 	(void)close(clam_fd);
 
 	/* send file body to socket */
 	send_size = htonl(fsize_uint);
 	send_final_zeroblock = 0;
-	if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
-	    (send(sock, clamav_fbuf, fsize_uint, 0) < 0) ||
-	    (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
+	if ((send(malware_daemon_ctx.sock, &send_size, sizeof(send_size), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, clamav_fbuf, fsize_uint, 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
 	  {
 	  free(clamav_fbuf);
 	  return m_panic_defer_3(scanent, NULL,
 	    string_sprintf("unable to send file body to socket (%s)", hostname),
-	    sock);
+	    malware_daemon_ctx.sock);
 	  }
 
 	free(clamav_fbuf);
@@ -1686,10 +1724,10 @@
 	    scanner_name, scanner_options);
 
 	if (cmd_str.len)
-	  if (send(sock, cmd_str.data, cmd_str.len, 0) < 0)
+	  if (send(malware_daemon_ctx.sock, cmd_str.data, cmd_str.len, 0) < 0)
 	    return m_panic_defer_3(scanent, CUS callout_address,
 	      string_sprintf("unable to write to socket (%s)", strerror(errno)),
-	      sock);
+	      malware_daemon_ctx.sock);
 
 	/* Do not shut down the socket for writing; a user report noted that
 	 * clamd 0.70 does not react well to this. */
@@ -1699,9 +1737,10 @@
 
       /* Read the result */
       memset(av_buffer, 0, sizeof(av_buffer));
-      bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
-      (void)close(sock);
-      sock = -1;
+      bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL));
+      (void)close(malware_daemon_ctx.sock);
+      malware_daemon_ctx.sock = -1;
+      malware_daemon_ctx.tls_ctx = NULL;
 
       if (bread <= 0)
 	return m_panic_defer(scanent, CUS callout_address,
@@ -1827,7 +1866,7 @@
 	if (s++)
 	  if ((*s != 's' && *s != '%') || Ustrchr(s+1, '%'))
 	    return m_panic_defer_3(scanent, NULL,
-				  US"unsafe sock scanner call spec", sock);
+				  US"unsafe sock scanner call spec", malware_daemon_ctx.sock);
       }
       else
 	sockline_scanner = sockline_scanner_default;
@@ -1838,13 +1877,13 @@
       sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
 				"missing trigger specification", &errstr);
       if (!sockline_trig_re)
-	return m_panic_defer_3(scanent, NULL, errstr, sock);
+	return m_panic_defer_3(scanent, NULL, errstr, malware_daemon_ctx.sock);
 
       /* find virus name regex */
       sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
 			  "missing virus name regex specification", &errstr);
       if (!sockline_name_re)
-	return m_panic_defer_3(scanent, NULL, errstr, sock);
+	return m_panic_defer_3(scanent, NULL, errstr, malware_daemon_ctx.sock);
 
       /* prepare scanner call - security depends on expansions check above */
       commandline = string_sprintf( CS sockline_scanner, CS eml_filename);
@@ -1852,20 +1891,20 @@
 	string_printing(commandline));
 
       /* Pass the command string to the socket */
-      if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < 0)
+      if (m_sock_send(malware_daemon_ctx.sock, commandline, Ustrlen(commandline), &errstr) < 0)
 	return m_panic_defer(scanent, CUS callout_address, errstr);
 
       /* Read the result */
-      bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
+      bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL));
 
       if (bread <= 0)
 	return m_panic_defer_3(scanent, CUS callout_address,
 	  string_sprintf("unable to read from socket (%s)", strerror(errno)),
-	  sock);
+	  malware_daemon_ctx.sock);
 
       if (bread == sizeof(av_buffer))
 	return m_panic_defer_3(scanent, CUS callout_address,
-		US"buffer too small", sock);
+		US"buffer too small", malware_daemon_ctx.sock);
       av_buffer[bread] = '\0';
       linebuffer = string_copy(av_buffer);
       DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "answer: ",
@@ -1904,16 +1943,16 @@
 	    string_sprintf("invalid option '%s'", scanner_options));
 	}
 
-      if((sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
+      if((malware_daemon_ctx.sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
 	return m_panic_defer(scanent, CUS callout_address, errstr);
 
       malware_name = NULL;
 
       DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan\n", scanner_name);
 
-      if ((retval = mksd_scan_packed(scanent, sock, eml_filename, tmo)) != OK)
+      if ((retval = mksd_scan_packed(scanent, malware_daemon_ctx.sock, eml_filename, tmo)) != OK)
 	{
-	close (sock);
+	close (malware_daemon_ctx.sock);
 	return retval;
 	}
       break;
@@ -1938,7 +1977,7 @@
       and the [ ] marker.
       [+] - not infected
       [L] - infected
-      [E] - some error occured
+      [E] - some error occurred
       Such marker follows the first non-escaped TAB.  For more information
       see avast-protocol(5)
 
@@ -1982,7 +2021,7 @@
 
       /* wait for result */
       for (avast_stage = AVA_HELO;
-	   (nread = recv_line(sock, buf, sizeof(buf), tmo)) > 0;
+	   (nread = recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo)) > 0;
 	  )
 	{
 	int slen = Ustrlen(buf);
@@ -2036,12 +2075,12 @@
 
 	      /* send config-cmd or scan-request to socket */
 	      len = Ustrlen(scanrequest);
-	      if (send(sock, scanrequest, len, 0) == -1)
+	      if (send(malware_daemon_ctx.sock, scanrequest, len, 0) == -1)
 		{
 		scanrequest[len-1] = '\0';
 		return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
 		      "unable to send request '%s' to socket (%s): %s",
-		      scanrequest, scanner_options, strerror(errno)), sock);
+		      scanrequest, scanner_options, strerror(errno)), malware_daemon_ctx.sock);
 		}
 	      break;
 	      }
@@ -2100,20 +2139,20 @@
       else if (buf[0] != '2') error_message = buf;
 
       DEBUG(D_acl) debug_printf_indent("sent to avast QUIT\n");
-      if (send(sock, "QUIT\n", 5, 0) == -1)
+      if (send(malware_daemon_ctx.sock, "QUIT\n", 5, 0) == -1)
         return m_panic_defer_3(scanent, CUS callout_address,
           string_sprintf("unable to send quit request to socket (%s): %s",
-            scanner_options, strerror(errno)), sock);
+            scanner_options, strerror(errno)), malware_daemon_ctx.sock);
 
       if (error_message)
-        return m_panic_defer_3(scanent, CUS callout_address, error_message, sock);
+        return m_panic_defer_3(scanent, CUS callout_address, error_message, malware_daemon_ctx.sock);
 
       }
 #endif
   }	/* scanner type switch */
 
-  if (sock >= 0)
-    (void) close (sock);
+  if (malware_daemon_ctx.sock >= 0)
+    (void) close (malware_daemon_ctx.sock);
   malware_ok = TRUE;			/* set "been here, done that" marker */
   }
 
@@ -2184,7 +2223,7 @@
 return_path = US"";
 recipients_list = NULL;
 receive_add_recipient(US"malware-victim@example.net", -1);
-enable_dollar_recipients = TRUE;
+f.enable_dollar_recipients = TRUE;
 
 ret = malware_internal(US"*", eml_filename, 0);
 
@@ -2245,7 +2284,7 @@
 {
 struct scan * sc;
 fprintf(f, "Malware:");
-for (sc = m_scans; sc->scancode != -1; sc++) fprintf(f, " %s", sc->name);
+for (sc = m_scans; sc->scancode != (scanner_t)-1; sc++) fprintf(f, " %s", sc->name);
 fprintf(f, "\n");
 }
 
diff -Nru exim4-4.91/src/match.c exim4-4.92~RC4/src/match.c
--- exim4-4.91/src/match.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/match.c	2018-12-27 13:36:19.000000000 +0000
@@ -297,14 +297,13 @@
 for; partial matching is all handled inside search_find(). Note that there is
 no search_close() because of the caching arrangements. */
 
-handle = search_open(filename, search_type, 0, NULL, NULL);
-if (handle == NULL) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
-  search_error_message);
+if (!(handle = search_open(filename, search_type, 0, NULL, NULL)))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
 result = search_find(handle, filename, keyquery, partial, affix, affixlen,
   starflags, &expand_setup);
 
-if (result == NULL) return search_find_defer? DEFER : FAIL;
-if (valueptr != NULL) *valueptr = result;
+if (!result) return f.search_find_defer? DEFER : FAIL;
+if (valueptr) *valueptr = result;
 
 expand_nmax = expand_setup;
 return OK;
@@ -494,7 +493,7 @@
 
   if (!list)
     {
-    if (expand_string_forcedfail)
+    if (f.expand_string_forcedfail)
       {
       HDEBUG(D_lists) debug_printf("expansion of \"%s\" forced failure: "
         "assume not in this list\n", *listptr);
diff -Nru exim4-4.91/src/mime.c exim4-4.92~RC4/src/mime.c
--- exim4-4.91/src/mime.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/mime.c	2018-12-27 13:36:19.000000000 +0000
@@ -338,17 +338,16 @@
     if ( ((c == '\t') || (c == ' ')) && (header_value_mode == 1) )
       continue;
 
-      /* we have hit a non-whitespace char, start copying value data */
-      header_value_mode = 2;
+    /* we have hit a non-whitespace char, start copying value data */
+    header_value_mode = 2;
 
-      if (c == '"')       /* flip "quoted" mode */
-        header_value_mode = header_value_mode==2 ? 3 : 2;
+    if (c == '"')       /* flip "quoted" mode */
+      header_value_mode = header_value_mode==2 ? 3 : 2;
 
-      /* leave value mode on unquoted ';' */
-      if (header_value_mode == 2 && c == ';') {
-        header_value_mode = 0;
-      };
-      /* -------------------------------- */
+    /* leave value mode on unquoted ';' */
+    if (header_value_mode == 2 && c == ';')
+      header_value_mode = 0;
+    /* -------------------------------- */
     }
   else
     {
diff -Nru exim4-4.91/src/moan.c exim4-4.92~RC4/src/moan.c
--- exim4-4.91/src/moan.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/moan.c	2018-12-27 13:36:19.000000000 +0000
@@ -29,7 +29,7 @@
 moan_write_from(FILE *f)
 {
 uschar *s = expand_string(dsn_from);
-if (s == NULL)
+if (!s)
   {
   log_write(0, LOG_MAIN|LOG_PANIC,
     "Failed to expand dsn_from (using default): %s", expand_string_message);
@@ -61,7 +61,7 @@
 Returns:         TRUE if message successfully sent
 */
 
-static BOOL
+BOOL
 moan_send_message(uschar *recipient, int ident, error_block *eblock,
   header_line *headers, FILE *message_file, uschar *firstline)
 {
@@ -70,10 +70,32 @@
 int status;
 int count = 0;
 int size_limit = bounce_return_size_limit;
-FILE *f;
-int pid = child_open_exim(&fd);
+FILE * fp;
+int pid;
+
+#ifdef EXPERIMENTAL_DMARC
+uschar * s, * s2;
 
-/* Creation of child failed */
+/* For DMARC if there is a specific sender set, expand the variable for the
+header From: and grab the address from that for the envelope FROM. */
+
+if (  ident == ERRMESS_DMARC_FORENSIC
+   && dmarc_forensic_sender
+   && (s = expand_string(dmarc_forensic_sender))
+   && *s
+   && (s2 = expand_string(string_sprintf("${address:%s}", s)))
+   && *s2
+   )
+  pid = child_open_exim2(&fd, s2, bounce_sender_authentication);
+else
+  {
+  s = NULL;
+  pid = child_open_exim(&fd);
+  }
+
+#else
+pid = child_open_exim(&fd);
+#endif
 
 if (pid < 0)
   {
@@ -85,48 +107,55 @@
 
 /* Creation of child succeeded */
 
-f = fdopen(fd, "wb");
-if (errors_reply_to) fprintf(f, "Reply-To: %s\n", errors_reply_to);
-fprintf(f, "Auto-Submitted: auto-replied\n");
-moan_write_from(f);
-fprintf(f, "To: %s\n", recipient);
+fp = fdopen(fd, "wb");
+if (errors_reply_to) fprintf(fp, "Reply-To: %s\n", errors_reply_to);
+fprintf(fp, "Auto-Submitted: auto-replied\n");
+
+#ifdef EXPERIMENTAL_DMARC
+if (s)
+  fprintf(fp, "From: %s\n", s);
+else
+#endif
+  moan_write_from(fp);
+
+fprintf(fp, "To: %s\n", recipient);
 
 switch(ident)
   {
   case ERRMESS_BADARGADDRESS:
-    fprintf(f,
+    fprintf(fp,
       "Subject: Mail failure - malformed recipient address\n\n");
-    fprintf(f,
+    fprintf(fp,
       "A message that you sent contained a recipient address that was incorrectly\n"
       "constructed:\n\n");
-    fprintf(f, "  %s  %s\n", eblock->text1, eblock->text2);
+    fprintf(fp, "  %s  %s\n", eblock->text1, eblock->text2);
     count = Ustrlen(eblock->text1);
     if (count > 0 && eblock->text1[count-1] == '.')
-      fprintf(f,
+      fprintf(fp,
 	"\nRecipient addresses must not end with a '.' character.\n");
-    fprintf(f,
+    fprintf(fp,
       "\nThe message has not been delivered to any recipients.\n");
     break;
 
   case ERRMESS_BADNOADDRESS:
   case ERRMESS_BADADDRESS:
-    fprintf(f,
+    fprintf(fp,
       "Subject: Mail failure - malformed recipient address\n\n");
-    fprintf(f,
+    fprintf(fp,
       "A message that you sent contained one or more recipient addresses that were\n"
       "incorrectly constructed:\n\n");
 
     while (eblock != NULL)
       {
-      fprintf(f, "  %s: %s\n", eblock->text1, eblock->text2);
+      fprintf(fp, "  %s: %s\n", eblock->text1, eblock->text2);
       count++;
       eblock = eblock->next;
       }
 
-    fprintf(f, (count == 1)? "\nThis address has been ignored. " :
+    fprintf(fp, (count == 1)? "\nThis address has been ignored. " :
       "\nThese addresses have been ignored. ");
 
-    fprintf(f, (ident == ERRMESS_BADADDRESS)?
+    fprintf(fp, (ident == ERRMESS_BADADDRESS)?
       "The other addresses in the message were\n"
       "syntactically valid and have been passed on for an attempt at delivery.\n" :
 
@@ -135,8 +164,8 @@
     break;
 
   case ERRMESS_IGADDRESS:
-    fprintf(f, "Subject: Mail failure - no recipient addresses\n\n");
-    fprintf(f,
+    fprintf(fp, "Subject: Mail failure - no recipient addresses\n\n");
+    fprintf(fp,
       "A message that you sent using the -t command line option contained no\n"
       "addresses that were not also on the command line, and were therefore\n"
       "suppressed. This left no recipient addresses, and so no delivery could\n"
@@ -144,75 +173,74 @@
     break;
 
   case ERRMESS_NOADDRESS:
-    fprintf(f, "Subject: Mail failure - no recipient addresses\n\n");
-    fprintf(f,
+    fprintf(fp, "Subject: Mail failure - no recipient addresses\n\n");
+    fprintf(fp,
       "A message that you sent contained no recipient addresses, and therefore no\n"
       "delivery could be attempted.\n");
     break;
 
   case ERRMESS_IOERR:
-    fprintf(f, "Subject: Mail failure - system failure\n\n");
-    fprintf(f,
+    fprintf(fp, "Subject: Mail failure - system failure\n\n");
+    fprintf(fp,
       "A system failure was encountered while processing a message that you sent,\n"
       "so it has not been possible to deliver it. The error was:\n\n%s\n",
       eblock->text1);
     break;
 
   case ERRMESS_VLONGHEADER:
-    fprintf(f, "Subject: Mail failure - overlong header section\n\n");
-    fprintf(f,
+    fprintf(fp, "Subject: Mail failure - overlong header section\n\n");
+    fprintf(fp,
       "A message that you sent contained a header section that was excessively\n"
       "long and could not be handled by the mail transmission software. The\n"
       "message has not been delivered to any recipients.\n");
     break;
 
   case ERRMESS_VLONGHDRLINE:
-    fprintf(f, "Subject: Mail failure - overlong header line\n\n");
-    fprintf(f,
+    fprintf(fp, "Subject: Mail failure - overlong header line\n\n");
+    fprintf(fp,
       "A message that you sent contained a header line that was excessively\n"
       "long and could not be handled by the mail transmission software. The\n"
       "message has not been delivered to any recipients.\n");
     break;
 
   case ERRMESS_TOOBIG:
-    fprintf(f, "Subject: Mail failure - message too big\n\n");
-    fprintf(f,
+    fprintf(fp, "Subject: Mail failure - message too big\n\n");
+    fprintf(fp,
       "A message that you sent was longer than the maximum size allowed on this\n"
       "system. It was not delivered to any recipients.\n");
     break;
 
   case ERRMESS_TOOMANYRECIP:
-    fprintf(f, "Subject: Mail failure - too many recipients\n\n");
-    fprintf(f,
+    fprintf(fp, "Subject: Mail failure - too many recipients\n\n");
+    fprintf(fp,
       "A message that you sent contained more recipients than allowed on this\n"
       "system. It was not delivered to any recipients.\n");
     break;
 
   case ERRMESS_LOCAL_SCAN:
   case ERRMESS_LOCAL_ACL:
-    fprintf(f, "Subject: Mail failure - rejected by local scanning code\n\n");
-    fprintf(f,
+    fprintf(fp, "Subject: Mail failure - rejected by local scanning code\n\n");
+    fprintf(fp,
       "A message that you sent was rejected by the local scanning code that\n"
       "checks incoming messages on this system.");
       if (eblock->text1)
-	fprintf(f, " The following error was given:\n\n  %s", eblock->text1);
-  fprintf(f, "\n");
+	fprintf(fp, " The following error was given:\n\n  %s", eblock->text1);
+  fprintf(fp, "\n");
   break;
 
 #ifdef EXPERIMENTAL_DMARC
   case ERRMESS_DMARC_FORENSIC:
     bounce_return_message = TRUE;
     bounce_return_body    = FALSE;
-    fprintf(f,
-          "Subject: DMARC Forensic Report for %s from IP %s\n\n",
-	  ((eblock == NULL) ? US"Unknown" : eblock->text2),
+    fprintf(fp, "Subject: DMARC Forensic Report for %s from IP %s\n\n",
+	  eblock ? eblock->text2 : US"Unknown",
           sender_host_address);
-    fprintf(f,
+    fprintf(fp,
       "A message claiming to be from you has failed the published DMARC\n"
       "policy for your domain.\n\n");
-    while (eblock != NULL)
+    while (eblock)
       {
-      fprintf(f, "  %s: %s\n", eblock->text1, eblock->text2);
+      fprintf(fp, "  %s: %s\n", eblock->text1, eblock->text2);
       count++;
       eblock = eblock->next;
       }
@@ -220,8 +248,8 @@
 #endif
 
   default:
-    fprintf(f, "Subject: Mail failure\n\n");
-    fprintf(f,
+    fprintf(fp, "Subject: Mail failure\n\n");
+    fprintf(fp,
       "A message that you sent has caused the error routine to be entered with\n"
       "an unknown error number (%d).\n", ident);
     break;
@@ -235,7 +263,7 @@
   {
   if (bounce_return_body)
     {
-    fprintf(f, "\n"
+    fprintf(fp, "\n"
       "------ This is a copy of your message, including all the headers.");
     if (size_limit == 0 || size_limit > thismessage_size_limit)
       size_limit = thismessage_size_limit;
@@ -248,15 +276,15 @@
         k = US"K";
         x >>= 10;
         }
-      fprintf(f, "\n"
+      fprintf(fp, "\n"
         "------ No more than %d%s characters of the body are included.\n\n",
           x, k);
       }
-    else fprintf(f, " ------\n\n");
+    else fprintf(fp, " ------\n\n");
     }
   else
     {
-    fprintf(f, "\n"
+    fprintf(fp, "\n"
       "------ This is a copy of the headers that were received before the "
       "error\n       was detected.\n\n");
     }
@@ -266,12 +294,12 @@
 
   while (headers)
     {
-    if (headers->text != NULL) fprintf(f, "%s", CS headers->text);
+    if (headers->text != NULL) fprintf(fp, "%s", CS headers->text);
     headers = headers->next;
     }
 
   if (ident != ERRMESS_VLONGHEADER && ident != ERRMESS_VLONGHDRLINE)
-    fputc('\n', f);
+    fputc('\n', fp);
 
   /* After early detection of an error, the message file may be STDIN,
   in which case we might have to terminate on a line containing just "."
@@ -279,10 +307,10 @@
 
   if (bounce_return_body && message_file)
     {
-    BOOL enddot = dot_ends && message_file == stdin;
+    BOOL enddot = f.dot_ends && message_file == stdin;
     uschar * buf = store_get(bounce_return_linesize_limit+2);
 
-    if (firstline) fprintf(f, "%s", CS firstline);
+    if (firstline) fprintf(fp, "%s", CS firstline);
 
     while (fgets(CS buf, bounce_return_linesize_limit+2, message_file))
       {
@@ -290,7 +318,7 @@
 
       if (enddot && *buf == '.' && buf[1] == '\n')
 	{
-	fputc('.', f);
+	fputc('.', fp);
 	break;
 	}
 
@@ -304,11 +332,11 @@
       if (size_limit > 0 && len > size_limit - written)
 	{
 	buf[size_limit - written] = '\0';
-	fputs(CS buf, f);
+	fputs(CS buf, fp);
 	break;
 	}
 
-      fputs(CS buf, f);
+      fputs(CS buf, fp);
       }
     }
 #ifdef EXPERIMENTAL_DMARC
@@ -318,14 +346,14 @@
     /*XXX limit line length here? */
     /* This doesn't print newlines, disable until can parse and fix
      * output to be legible.  */
-    fprintf(f, "%s", expand_string(US"$message_body"));
+    fprintf(fp, "%s", expand_string(US"$message_body"));
     }
 #endif
   }
 /* Close the file, which should send an EOF to the child process
 that is receiving the message. Wait for it to finish, without a timeout. */
 
-(void)fclose(f);
+(void)fclose(fp);
 status = child_close(pid, 0);  /* Waits for child to close */
 if (status != 0)
   {
@@ -382,7 +410,7 @@
 
 /* Find the sender from a From line if permitted and possible */
 
-if (check_sender && message_file && trusted_caller &&
+if (check_sender && message_file && f.trusted_caller &&
     Ufgets(big_buffer, BIG_BUFFER_SIZE, message_file) != NULL)
   {
   uschar *new_sender = NULL;
@@ -394,7 +422,7 @@
 
 /* If viable sender address, send a message */
 
-if (sender_address && sender_address[0] && !local_error_message)
+if (sender_address && sender_address[0] && !f.local_error_message)
   return moan_send_message(sender_address, ident, eblock, headers,
     message_file, firstline);
 
diff -Nru exim4-4.91/src/os.c exim4-4.92~RC4/src/os.c
--- exim4-4.91/src/os.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/os.c	2018-12-27 13:36:19.000000000 +0000
@@ -922,7 +922,7 @@
 printf("Testing restarting signal; wait for handler message, then type a line\n");
 strcpy(buffer, "*** default ***\n");
 os_restarting_signal(SIGALRM, sigalrm_handler);
-alarm(2);
+ALARM(2);
 if ((rc = read(fd, buffer, sizeof(buffer))) < 0)
   printf("No data read\n");
 else
@@ -930,12 +930,12 @@
   buffer[rc] = 0;
   printf("Read: %s", buffer);
   }
-alarm(0);
+ALARM_CLR(0);
 
 printf("Testing non-restarting signal; should read no data after handler message\n");
 strcpy(buffer, "*** default ***\n");
 os_non_restarting_signal(SIGALRM, sigalrm_handler);
-alarm(2);
+ALARM(2);
 if ((rc = read(fd, buffer, sizeof(buffer))) < 0)
   printf("No data read\n");
 else
@@ -943,7 +943,7 @@
   buffer[rc] = 0;
   printf("Read: %s", buffer);
   }
-alarm(0);
+ALARM_CLR(0);
 
 printf("Testing load averages (last test - ^C to kill)\n");
 for (;;)
diff -Nru exim4-4.91/src/parse.c exim4-4.92~RC4/src/parse.c
--- exim4-4.91/src/parse.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/parse.c	2018-12-27 13:36:19.000000000 +0000
@@ -658,7 +658,7 @@
   end of string will produce a null local_part and therefore fail. We don't
   need to keep updating t, as the phrase isn't to be kept. */
 
-  while (*s != '<' && (!parse_allow_group || *s != ':'))
+  while (*s != '<' && (!f.parse_allow_group || *s != ':'))
     {
     s = read_local_part(s, t, errorptr, FALSE);
     if (*errorptr)
@@ -670,8 +670,8 @@
 
   if (*s == ':')
     {
-    parse_found_group = TRUE;
-    parse_allow_group = FALSE;
+    f.parse_found_group = TRUE;
+    f.parse_allow_group = FALSE;
     s++;
     goto RESTART;
     }
@@ -790,10 +790,10 @@
 PARSE_SUCCEEDED:
 if (*s != 0)
   {
-  if (parse_found_group && *s == ';')
+  if (f.parse_found_group && *s == ';')
     {
-    parse_found_group = FALSE;
-    parse_allow_group = TRUE;
+    f.parse_found_group = FALSE;
+    f.parse_allow_group = TRUE;
     }
   else
     {
@@ -824,10 +824,10 @@
 this. We must, however, keep the flags correct. */
 
 PARSE_FAILED:
-if (parse_found_group && *s == ';')
+if (f.parse_found_group && *s == ';')
   {
-  parse_found_group = FALSE;
-  parse_allow_group = TRUE;
+  f.parse_found_group = FALSE;
+  f.parse_allow_group = TRUE;
   }
 return NULL;
 }
@@ -876,7 +876,7 @@
 BOOL coded = FALSE;
 BOOL first_byte = FALSE;
 
-if (charset == NULL) charset = US"iso-8859-1";
+if (!charset) charset = US"iso-8859-1";
 
 /* We don't expect this to fail! */
 
@@ -925,7 +925,7 @@
 *t++ = '=';
 *t = 0;
 
-return coded? buffer : string;
+return coded ? buffer : string;
 }
 
 
@@ -2149,7 +2149,7 @@
 
 printf("Testing parse_extract_address with group syntax\n");
 
-parse_allow_group = TRUE;
+f.parse_allow_group = TRUE;
 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
   {
   uschar *out;
diff -Nru exim4-4.91/src/pdkim/pdkim.c exim4-4.92~RC4/src/pdkim/pdkim.c
--- exim4-4.91/src/pdkim/pdkim.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/pdkim/pdkim.c	2018-12-27 13:36:19.000000000 +0000
@@ -192,6 +192,7 @@
   case PDKIM_ERR_RSA_SIGNING:	return US"SIGNING";
   case PDKIM_ERR_LONG_LINE:	return US"LONG_LINE";
   case PDKIM_ERR_BUFFER_TOO_SMALL:	return US"BUFFER_TOO_SMALL";
+  case PDKIM_ERR_EXCESS_SIGS:	return US"EXCESS_SIGS";
   case PDKIM_SIGN_PRIVKEY_WRAP:	return US"PRIVKEY_WRAP";
   case PDKIM_SIGN_PRIVKEY_B64D:	return US"PRIVKEY_B64D";
   default: return US"(unknown)";
@@ -1008,6 +1009,13 @@
       while (last_sig->next) last_sig = last_sig->next;
       last_sig->next = sig;
       }
+
+    if (--dkim_collect_input == 0)
+      {
+      ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
+      ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0';
+      return PDKIM_ERR_EXCESS_SIGS;
+      }
     }
 
   /* all headers are stored for signature verification */
@@ -1033,7 +1041,7 @@
 if (!data)
   pdkim_body_complete(ctx);
 
-else for (p = 0; p<len; p++)
+else for (p = 0; p < len; p++)
   {
   uschar c = data[p];
 
diff -Nru exim4-4.91/src/pdkim/pdkim.h exim4-4.92~RC4/src/pdkim/pdkim.h
--- exim4-4.91/src/pdkim/pdkim.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/pdkim/pdkim.h	2018-12-27 13:36:19.000000000 +0000
@@ -48,8 +48,9 @@
 #define PDKIM_ERR_RSA_SIGNING      -102
 #define PDKIM_ERR_LONG_LINE        -103
 #define PDKIM_ERR_BUFFER_TOO_SMALL -104
-#define PDKIM_SIGN_PRIVKEY_WRAP    -105
-#define PDKIM_SIGN_PRIVKEY_B64D    -106
+#define PDKIM_ERR_EXCESS_SIGS	   -105
+#define PDKIM_SIGN_PRIVKEY_WRAP    -106
+#define PDKIM_SIGN_PRIVKEY_B64D    -107
 
 /* -------------------------------------------------------------------------- */
 /* Main/Extended verification status */
diff -Nru exim4-4.91/src/pdkim/signing.c exim4-4.92~RC4/src/pdkim/signing.c
--- exim4-4.91/src/pdkim/signing.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/pdkim/signing.c	2018-12-27 13:36:19.000000000 +0000
@@ -90,14 +90,17 @@
 {
 gnutls_datum_t k = { .data = (void *)privkey_pem, .size = Ustrlen(privkey_pem) };
 gnutls_x509_privkey_t x509_key;
+const uschar * where;
 int rc;
 
-if (  (rc = gnutls_x509_privkey_init(&x509_key))
-   || (rc = gnutls_x509_privkey_import(x509_key, &k, GNUTLS_X509_FMT_PEM))
+if (  (where = US"internal init", rc = gnutls_x509_privkey_init(&x509_key))
    || (rc = gnutls_privkey_init(&sign_ctx->key))
-   || (rc = gnutls_privkey_import_x509(sign_ctx->key, x509_key, 0))
+   || (where = US"privkey PEM-block import",
+       rc = gnutls_x509_privkey_import(x509_key, &k, GNUTLS_X509_FMT_PEM))
+   || (where = US"internal privkey transfer",
+       rc = gnutls_privkey_import_x509(sign_ctx->key, x509_key, 0))
    )
-  return CUS gnutls_strerror(rc);
+  return string_sprintf("%s: %s", where, gnutls_strerror(rc));
 
 switch (rc = gnutls_privkey_get_pk_algorithm(sign_ctx->key, NULL))
   {
@@ -166,13 +169,13 @@
   {
   case KEYFMT_DER:
     if ((rc = gnutls_pubkey_import(verify_ctx->key, &k, GNUTLS_X509_FMT_DER)))
-      ret = gnutls_strerror(rc);
+      ret = US gnutls_strerror(rc);
     break;
 #ifdef SIGN_HAVE_ED25519
   case KEYFMT_ED25519_BARE:
     if ((rc = gnutls_pubkey_import_ecc_raw(verify_ctx->key,
 					  GNUTLS_ECC_CURVE_ED25519, &k, NULL)))
-      ret = gnutls_strerror(rc);
+      ret = US gnutls_strerror(rc);
     break;
 #endif
   default:
@@ -200,7 +203,7 @@
   {
   if ((rc = gnutls_pubkey_verify_data2(verify_ctx->key,
 				      GNUTLS_SIGN_EDDSA_ED25519, 0, &k, &s)) < 0)
-    ret = gnutls_strerror(rc);
+    ret = US gnutls_strerror(rc);
   }
 else
 #endif
@@ -215,7 +218,7 @@
     }
 
   if ((rc = gnutls_pubkey_verify_hash2(verify_ctx->key, algo, 0, &k, &s)) < 0)
-    ret = gnutls_strerror(rc);
+    ret = US gnutls_strerror(rc);
   }
 
 gnutls_pubkey_deinit(verify_ctx->key);
@@ -712,7 +715,8 @@
 BIO * bp = BIO_new_mem_buf(privkey_pem, -1);
 
 if (!(sign_ctx->key = PEM_read_bio_PrivateKey(bp, NULL, NULL, NULL)))
-  return US ERR_error_string(ERR_get_error(), NULL);
+  return string_sprintf("privkey PEM-block import: %s",
+		       	ERR_error_string(ERR_get_error(), NULL));
 
 sign_ctx->keytype =
 #ifdef SIGN_HAVE_ED25519
@@ -842,30 +846,38 @@
   {
   EVP_MD_CTX * ctx;
 
-  if (  (ctx = EVP_MD_CTX_new())
-     && EVP_DigestVerifyInit(ctx, NULL, md, NULL, verify_ctx->key) > 0
-     && EVP_DigestVerify(ctx, sig->data, sig->len, data->data, data->len) > 0
-     )
-    { EVP_MD_CTX_free(ctx); return NULL; }
-
-  if (ctx) EVP_MD_CTX_free(ctx);
+  if ((ctx = EVP_MD_CTX_new()))
+    {
+    if (  EVP_DigestVerifyInit(ctx, NULL, md, NULL, verify_ctx->key) > 0
+       && EVP_DigestVerify(ctx, sig->data, sig->len, data->data, data->len) > 0
+       )
+      { EVP_MD_CTX_free(ctx); return NULL; }
+    EVP_MD_CTX_free(ctx);
+    }
   }
 else
 #endif
   {
   EVP_PKEY_CTX * ctx;
 
-  if (  (ctx = EVP_PKEY_CTX_new(verify_ctx->key, NULL))
-     && EVP_PKEY_verify_init(ctx) > 0
-     && EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > 0
-     && EVP_PKEY_CTX_set_signature_md(ctx, md) > 0
-     && EVP_PKEY_verify(ctx, sig->data, sig->len,
-	  data->data, data->len) == 1
-     )
-    { EVP_PKEY_CTX_free(ctx); return NULL; }
-
-  if (ctx) EVP_PKEY_CTX_free(ctx);
+  if ((ctx = EVP_PKEY_CTX_new(verify_ctx->key, NULL)))
+    {
+    if (  EVP_PKEY_verify_init(ctx) > 0
+       && EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > 0
+       && EVP_PKEY_CTX_set_signature_md(ctx, md) > 0
+       && EVP_PKEY_verify(ctx, sig->data, sig->len,
+				      data->data, data->len) == 1
+       )
+      { EVP_PKEY_CTX_free(ctx); return NULL; }
+    EVP_PKEY_CTX_free(ctx);
+
+    DEBUG(D_tls)
+      if (Ustrcmp(ERR_reason_error_string(ERR_peek_error()), "wrong signature length") == 0)
+	debug_printf("sig len (from msg hdr): %d, expected (from dns pubkey) %d\n",
+	 (int) sig->len, EVP_PKEY_size(verify_ctx->key));
+    }
   }
+
 return US ERR_error_string(ERR_get_error(), NULL);
 }
 
diff -Nru exim4-4.91/src/perl.c exim4-4.92~RC4/src/perl.c
--- exim4-4.91/src/perl.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/perl.c	2018-12-27 13:36:19.000000000 +0000
@@ -62,7 +62,7 @@
   ST(0) = sv_newmortal();
   if (str != NULL)
     sv_setpv(ST(0), CCS  str);
-  else if (!expand_string_forcedfail)
+  else if (!f.expand_string_forcedfail)
     croak("syntax error in Exim::expand_string argument: %s",
       expand_string_message);
 }
diff -Nru exim4-4.91/src/queue.c exim4-4.92~RC4/src/queue.c
--- exim4-4.91/src/queue.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/queue.c	2018-12-27 13:36:19.000000000 +0000
@@ -373,7 +373,7 @@
 void
 queue_run(uschar *start_id, uschar *stop_id, BOOL recurse)
 {
-BOOL force_delivery = queue_run_force || deliver_selectstring != NULL ||
+BOOL force_delivery = f.queue_run_force || deliver_selectstring != NULL ||
   deliver_selectstring_sender != NULL;
 const pcre *selectstring_regex = NULL;
 const pcre *selectstring_regex_sender = NULL;
@@ -390,10 +390,10 @@
 
 queue_domains = NULL;
 queue_smtp_domains = NULL;
-queue_smtp = queue_2stage;
+f.queue_smtp = f.queue_2stage;
 
 queue_run_pid = getpid();
-queue_running = TRUE;
+f.queue_running = TRUE;
 
 /* Log the true start of a queue run, and fancy options */
 
@@ -402,11 +402,11 @@
   uschar extras[8];
   uschar *p = extras;
 
-  if (queue_2stage) *p++ = 'q';
-  if (queue_run_first_delivery) *p++ = 'i';
-  if (queue_run_force) *p++ = 'f';
-  if (deliver_force_thaw) *p++ = 'f';
-  if (queue_run_local) *p++ = 'l';
+  if (f.queue_2stage) *p++ = 'q';
+  if (f.queue_run_first_delivery) *p++ = 'i';
+  if (f.queue_run_force) *p++ = 'f';
+  if (f.deliver_force_thaw) *p++ = 'f';
+  if (f.queue_run_local) *p++ = 'l';
   *p = 0;
 
   p = big_buffer;
@@ -416,11 +416,11 @@
     p += sprintf(CS p, " -q%s", extras);
 
   if (deliver_selectstring)
-    p += sprintf(CS p, " -R%s %s", deliver_selectstring_regex? "r" : "",
+    p += sprintf(CS p, " -R%s %s", f.deliver_selectstring_regex? "r" : "",
       deliver_selectstring);
 
   if (deliver_selectstring_sender)
-    p += sprintf(CS p, " -S%s %s", deliver_selectstring_sender_regex? "r" : "",
+    p += sprintf(CS p, " -S%s %s", f.deliver_selectstring_sender_regex? "r" : "",
       deliver_selectstring_sender);
 
   log_detail = string_copy(big_buffer);
@@ -433,10 +433,10 @@
 
 /* If deliver_selectstring is a regex, compile it. */
 
-if (deliver_selectstring && deliver_selectstring_regex)
+if (deliver_selectstring && f.deliver_selectstring_regex)
   selectstring_regex = regex_must_compile(deliver_selectstring, TRUE, FALSE);
 
-if (deliver_selectstring_sender && deliver_selectstring_sender_regex)
+if (deliver_selectstring_sender && f.deliver_selectstring_sender_regex)
   selectstring_regex_sender =
     regex_must_compile(deliver_selectstring_sender, TRUE, FALSE);
 
@@ -459,7 +459,7 @@
      i <= (queue_run_in_order ? -1 : subcount);
      i++)
   {
-  queue_filename *f;
+  queue_filename * fq;
   void *reset_point1 = store_get(0);
 
   DEBUG(D_queue_run)
@@ -472,9 +472,9 @@
       debug_printf("queue running subdirectory '%c'\n", subdirs[i]);
     }
 
-  for (f = queue_get_spool_list(i, subdirs, &subcount, !queue_run_in_order);
-       f;
-       f = f->next)
+  for (fq = queue_get_spool_list(i, subdirs, &subcount, !queue_run_in_order);
+       fq;
+       fq = fq->next)
     {
     pid_t pid;
     int status;
@@ -485,7 +485,7 @@
     /* Unless deliveries are forced, if deliver_queue_load_max is non-negative,
     check that the load average is low enough to permit deliveries. */
 
-    if (!queue_run_force && deliver_queue_load_max >= 0)
+    if (!f.queue_run_force && deliver_queue_load_max >= 0)
       if ((load_average = os_getloadavg()) > deliver_queue_load_max)
         {
         log_write(L_queue_run, LOG_MAIN, "Abandon queue run: %s (load %.2f, max %.2f)",
@@ -502,15 +502,15 @@
 
     /* Skip this message unless it's within the ID limits */
 
-    if (stop_id && Ustrncmp(f->text, stop_id, MESSAGE_ID_LENGTH) > 0)
+    if (stop_id && Ustrncmp(fq->text, stop_id, MESSAGE_ID_LENGTH) > 0)
       continue;
-    if (start_id && Ustrncmp(f->text, start_id, MESSAGE_ID_LENGTH) < 0)
+    if (start_id && Ustrncmp(fq->text, start_id, MESSAGE_ID_LENGTH) < 0)
       continue;
 
     /* Check that the message still exists */
 
-    message_subdir[0] = f->dir_uschar;
-    if (Ustat(spool_fname(US"input", message_subdir, f->text, US""), &statbuf) < 0)
+    message_subdir[0] = fq->dir_uschar;
+    if (Ustat(spool_fname(US"input", message_subdir, fq->text, US""), &statbuf) < 0)
       continue;
 
     /* There are some tests that require the reading of the header file. Ensure
@@ -520,10 +520,10 @@
     message when many are not going to be delivered. */
 
     if (deliver_selectstring || deliver_selectstring_sender ||
-        queue_run_first_delivery)
+        f.queue_run_first_delivery)
       {
       BOOL wanted = TRUE;
-      BOOL orig_dont_deliver = dont_deliver;
+      BOOL orig_dont_deliver = f.dont_deliver;
       void *reset_point2 = store_get(0);
 
       /* Restore the original setting of dont_deliver after reading the header,
@@ -531,14 +531,14 @@
       follow. If the message is chosen for delivery, the header is read again
       in the deliver_message() function, in a subprocess. */
 
-      if (spool_read_header(f->text, FALSE, TRUE) != spool_read_OK) continue;
-      dont_deliver = orig_dont_deliver;
+      if (spool_read_header(fq->text, FALSE, TRUE) != spool_read_OK) continue;
+      f.dont_deliver = orig_dont_deliver;
 
       /* Now decide if we want to deliver this message. As we have read the
       header file, we might as well do the freeze test now, and save forking
       another process. */
 
-      if (deliver_freeze && !deliver_force_thaw)
+      if (f.deliver_freeze && !f.deliver_force_thaw)
         {
         log_write(L_skip_delivery, LOG_MAIN, "Message is frozen");
         wanted = FALSE;
@@ -546,9 +546,9 @@
 
       /* Check first_delivery in the case when there are no message logs. */
 
-      else if (queue_run_first_delivery && !deliver_firsttime)
+      else if (f.queue_run_first_delivery && !f.deliver_firsttime)
         {
-        DEBUG(D_queue_run) debug_printf("%s: not first delivery\n", f->text);
+        DEBUG(D_queue_run) debug_printf("%s: not first delivery\n", fq->text);
         wanted = FALSE;
         }
 
@@ -559,7 +559,7 @@
       /* Sender matching */
 
       else if (  deliver_selectstring_sender
-	      && !(deliver_selectstring_sender_regex
+	      && !(f.deliver_selectstring_sender_regex
 		  ? (pcre_exec(selectstring_regex_sender, NULL,
 		      CS sender_address, Ustrlen(sender_address), 0, PCRE_EOPT,
 		      NULL, 0) >= 0)
@@ -568,7 +568,7 @@
 	      )   )
         {
         DEBUG(D_queue_run) debug_printf("%s: sender address did not match %s\n",
-          f->text, deliver_selectstring_sender);
+          fq->text, deliver_selectstring_sender);
         wanted = FALSE;
         }
 
@@ -580,7 +580,7 @@
         for (i = 0; i < recipients_count; i++)
           {
           uschar *address = recipients_list[i].address;
-          if (  (deliver_selectstring_regex
+          if (  (f.deliver_selectstring_regex
 		? (pcre_exec(selectstring_regex, NULL, CS address,
 		     Ustrlen(address), 0, PCRE_EOPT, NULL, 0) >= 0)
                 : (strstric(address, deliver_selectstring, FALSE) != NULL)
@@ -594,7 +594,7 @@
           {
           DEBUG(D_queue_run)
             debug_printf("%s: no recipient address matched %s\n",
-              f->text, deliver_selectstring);
+              fq->text, deliver_selectstring);
           wanted = FALSE;
           }
         }
@@ -642,14 +642,14 @@
     /* Now deliver the message; get the id by cutting the -H off the file
     name. The return of the process is zero if a delivery was attempted. */
 
-    set_process_info("running queue: %s", f->text);
-    f->text[SPOOL_NAME_LENGTH-2] = 0;
+    set_process_info("running queue: %s", fq->text);
+    fq->text[SPOOL_NAME_LENGTH-2] = 0;
     if ((pid = fork()) == 0)
       {
       int rc;
-      if (running_in_test_harness) millisleep(100);
+      if (f.running_in_test_harness) millisleep(100);
       (void)close(pfd[pipe_read]);
-      rc = deliver_message(f->text, force_delivery, FALSE);
+      rc = deliver_message(fq->text, force_delivery, FALSE);
       _exit(rc == DELIVER_NOT_ATTEMPTED);
       }
     if (pid < 0)
@@ -660,20 +660,20 @@
     then wait for the first level process to terminate. */
 
     (void)close(pfd[pipe_write]);
-    set_process_info("running queue: waiting for %s (%d)", f->text, pid);
+    set_process_info("running queue: waiting for %s (%d)", fq->text, pid);
     while (wait(&status) != pid);
 
     /* A zero return means a delivery was attempted; turn off the force flag
     for any subsequent calls unless queue_force is set. */
 
-    if ((status & 0xffff) == 0) force_delivery = queue_run_force;
+    if ((status & 0xffff) == 0) force_delivery = f.queue_run_force;
 
     /* If the process crashed, tell somebody */
 
     else if ((status & 0x00ff) != 0)
       log_write(0, LOG_MAIN|LOG_PANIC,
         "queue run: process %d crashed with signal %d while delivering %s",
-        (int)pid, status & 0x00ff, f->text);
+        (int)pid, status & 0x00ff, fq->text);
 
     /* Before continuing, wait till the pipe gets closed at the far end. This
     tells us that any children created by the delivery to re-use any SMTP
@@ -690,7 +690,7 @@
     /* If we are in the test harness, and this is not the first of a 2-stage
     queue run, update fudged queue times. */
 
-    if (running_in_test_harness && !queue_2stage)
+    if (f.running_in_test_harness && !f.queue_2stage)
       {
       uschar *fqtnext = Ustrchr(fudged_queue_times, '/');
       if (fqtnext != NULL) fudged_queue_times = fqtnext + 1;
@@ -720,9 +720,9 @@
 /* If queue_2stage is true, we do it all again, with the 2stage flag
 turned off. */
 
-if (queue_2stage)
+if (f.queue_2stage)
   {
-  queue_2stage = FALSE;
+  f.queue_2stage = FALSE;
   queue_run(start_id, stop_id, TRUE);
   }
 
@@ -820,7 +820,7 @@
 int subcount;
 int now = (int)time(NULL);
 void *reset_point;
-queue_filename *f = NULL;
+queue_filename * qf = NULL;
 uschar subdirs[64];
 
 /* If given a list of messages, build a chain containing their ids. */
@@ -835,7 +835,7 @@
     sprintf(CS next->text, "%s-H", list[i]);
     next->dir_uschar = '*';
     next->next = NULL;
-    if (i == 0) f = next; else last->next = next;
+    if (i == 0) qf = next; else last->next = next;
     last = next;
     }
   }
@@ -843,7 +843,7 @@
 /* Otherwise get a list of the entire queue, in order if necessary. */
 
 else
-  f = queue_get_spool_list(
+  qf = queue_get_spool_list(
           -1,             /* entire queue */
           subdirs,        /* for holding sub list */
           &subcount,      /* for subcount */
@@ -855,8 +855,8 @@
 each time. */
 
 for (reset_point = store_get(0);
-    f;
-    spool_clear_header_globals(), store_reset(reset_point), f = f->next
+    qf;
+    spool_clear_header_globals(), store_reset(reset_point), qf = qf->next
     )
   {
   int rc, save_errno;
@@ -864,8 +864,8 @@
   BOOL env_read;
 
   message_size = 0;
-  message_subdir[0] = f->dir_uschar;
-  rc = spool_read_header(f->text, FALSE, count <= 0);
+  message_subdir[0] = qf->dir_uschar;
+  rc = spool_read_header(qf->text, FALSE, count <= 0);
   if (rc == spool_read_notopen && errno == ENOENT && count <= 0)
     continue;
   save_errno = errno;
@@ -877,7 +877,7 @@
     int ptr;
     FILE *jread;
     struct stat statbuf;
-    uschar * fname = spool_fname(US"input", message_subdir, f->text, US"");
+    uschar * fname = spool_fname(US"input", message_subdir, qf->text, US"");
 
     ptr = Ustrlen(fname)-1;
     fname[ptr] = 'D';
@@ -912,12 +912,12 @@
     }
 
   fprintf(stdout, "%s ", string_format_size(size, big_buffer));
-  for (i = 0; i < 16; i++) fputc(f->text[i], stdout);
+  for (i = 0; i < 16; i++) fputc(qf->text[i], stdout);
 
   if (env_read && sender_address)
     {
     printf(" <%s>", sender_address);
-    if (sender_set_untrusted) printf(" (%s)", originator_login);
+    if (f.sender_set_untrusted) printf(" (%s)", originator_login);
     }
 
   if (rc != spool_read_OK)
@@ -926,7 +926,7 @@
     if (save_errno == ERRNO_SPOOLFORMAT)
       {
       struct stat statbuf;
-      uschar * fname = spool_fname(US"input", message_subdir, f->text, US"");
+      uschar * fname = spool_fname(US"input", message_subdir, qf->text, US"");
 
       if (Ustat(fname, &statbuf) == 0)
         printf("*** spool format error: size=" OFF_T_FMT " ***",
@@ -941,7 +941,7 @@
       }
     }
 
-  if (deliver_freeze) printf(" *** frozen ***");
+  if (f.deliver_freeze) printf(" *** frozen ***");
 
   printf("\n");
 
@@ -1008,7 +1008,7 @@
   int fd, i, rc;
   uschar *subdirectory, *suffix;
 
-  if (!admin_user)
+  if (!f.admin_user)
     {
     printf("Permission denied\n");
     return FALSE;
@@ -1070,7 +1070,7 @@
     {
     yield = FALSE;
     printf("Spool data file for %s does not exist\n", id);
-    if (action != MSG_REMOVE || !admin_user) return FALSE;
+    if (action != MSG_REMOVE || !f.admin_user) return FALSE;
     printf("Continuing, to ensure all files removed\n");
     }
   else
@@ -1095,7 +1095,7 @@
     printf("Spool read error for %s: %s\n", spoolname, strerror(errno));
   else
     printf("Spool format error for %s\n", spoolname);
-  if (action != MSG_REMOVE || !admin_user)
+  if (action != MSG_REMOVE || !f.admin_user)
     {
     (void)close(deliver_datafile);
     deliver_datafile = -1;
@@ -1109,7 +1109,7 @@
 mess about, but the original sender is permitted to remove a message. That's
 why we leave this check until after the headers are read. */
 
-if (!admin_user && (action != MSG_REMOVE || real_uid != originator_uid))
+if (!f.admin_user && (action != MSG_REMOVE || real_uid != originator_uid))
   {
   printf("Permission denied\n");
   (void)close(deliver_datafile);
@@ -1135,21 +1135,21 @@
     deliver_in_buffer = store_malloc(DELIVER_IN_BUFFER_SIZE);
     deliver_out_buffer = store_malloc(DELIVER_OUT_BUFFER_SIZE);
     tctx.u.fd = 1;
-    transport_write_message(&tctx, 0);
+    (void) transport_write_message(&tctx, 0);
     break;
     }
 
 
   case MSG_FREEZE:
-  if (deliver_freeze)
+  if (f.deliver_freeze)
     {
     yield = FALSE;
     printf("is already frozen\n");
     }
   else
     {
-    deliver_freeze = TRUE;
-    deliver_manual_thaw = FALSE;
+    f.deliver_freeze = TRUE;
+    f.deliver_manual_thaw = FALSE;
     deliver_frozen_at = time(NULL);
     if (spool_write_header(id, SW_MODIFYING, &errmsg) >= 0)
       {
@@ -1166,15 +1166,15 @@
 
 
   case MSG_THAW:
-  if (!deliver_freeze)
+  if (!f.deliver_freeze)
     {
     yield = FALSE;
     printf("is not frozen\n");
     }
   else
     {
-    deliver_freeze = FALSE;
-    deliver_manual_thaw = TRUE;
+    f.deliver_freeze = FALSE;
+    f.deliver_manual_thaw = TRUE;
     if (spool_write_header(id, SW_MODIFYING, &errmsg) >= 0)
       {
       printf("is no longer frozen\n");
@@ -1255,6 +1255,38 @@
       else printf("has been removed or did not exist\n");
     if (removed)
       {
+#ifndef DISABLE_EVENT
+      for (i = 0; i < recipients_count; i++)
+	{
+	tree_node *delivered =
+	  tree_search(tree_nonrecipients, recipients_list[i].address);
+	if (!delivered)
+	  {
+	  uschar * save_local = deliver_localpart;
+	  const uschar * save_domain = deliver_domain;
+	  uschar * addr = recipients_list[i].address, * errmsg = NULL;
+	  int start, end, dom;
+
+	  if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
+	    log_write(0, LOG_MAIN|LOG_PANIC,
+	      "failed to parse address '%.100s'\n: %s", addr, errmsg);
+	  else
+	    {
+	    deliver_localpart =
+	      string_copyn(addr+start, dom ? (dom-1) - start : end - start);
+	    deliver_domain = dom
+	      ? CUS string_copyn(addr+dom, end - dom) : CUS"";
+
+	    event_raise(event_action, US"msg:fail:internal",
+	      string_sprintf("message removed by %s", username));
+
+	    deliver_localpart = save_local;
+	    deliver_domain = save_domain;
+	    }
+	  }
+	}
+      (void) event_raise(event_action, US"msg:complete", NULL);
+#endif
       log_write(0, LOG_MAIN, "removed by %s", username);
       log_write(0, LOG_MAIN, "Completed");
       }
@@ -1264,9 +1296,8 @@
 
   case MSG_MARK_ALL_DELIVERED:
   for (i = 0; i < recipients_count; i++)
-    {
     tree_add_nonrecipient(recipients_list[i].address);
-    }
+
   if (spool_write_header(id, SW_MODIFYING, &errmsg) >= 0)
     {
     printf("has been modified\n");
@@ -1407,11 +1438,10 @@
 void
 queue_check_only(void)
 {
-BOOL *set;
 int sep = 0;
 struct stat statbuf;
 const uschar *s;
-uschar *ss, *name;
+uschar *ss;
 uschar buffer[1024];
 
 if (queue_only_file == NULL) return;
@@ -1421,20 +1451,20 @@
   {
   if (Ustrncmp(ss, "smtp", 4) == 0)
     {
-    name = US"queue_smtp";
-    set = &queue_smtp;
     ss += 4;
+    if (Ustat(ss, &statbuf) == 0)
+      {
+      f.queue_smtp = TRUE;
+      DEBUG(D_receive) debug_printf("queue_smtp set because %s exists\n", ss);
+      }
     }
   else
     {
-    name = US"queue_only";
-    set = &queue_only;
-    }
-
-  if (Ustat(ss, &statbuf) == 0)
-    {
-    *set = TRUE;
-    DEBUG(D_receive) debug_printf("%s set because %s exists\n", name, ss);
+    if (Ustat(ss, &statbuf) == 0)
+      {
+      queue_only = TRUE;
+      DEBUG(D_receive) debug_printf("queue_only set because %s exists\n", ss);
+      }
     }
   }
 }
diff -Nru exim4-4.91/src/rda.c exim4-4.92~RC4/src/rda.c
--- exim4-4.91/src/rda.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/rda.c	2018-12-27 13:36:19.000000000 +0000
@@ -110,7 +110,7 @@
   slash = Ustrrchr(big_buffer, '/');
   Ustrcpy(slash+1, ".");
 
-  alarm(30);
+  ALARM(30);
   rc = Ustat(big_buffer, &statbuf);
   if (rc != 0 && errno == EACCES && !sigalrm_seen)
     {
@@ -118,7 +118,7 @@
     rc = Ustat(big_buffer, &statbuf);
     }
   saved_errno = errno;
-  alarm(0);
+  ALARM_CLR(0);
 
   DEBUG(D_route) debug_printf("stat(%s)=%d\n", big_buffer, rc);
   }
@@ -358,7 +358,7 @@
   }
 else data = rdata->string;
 
-*filtertype = system_filtering? FILTER_EXIM : rda_is_filter(data);
+*filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
 
 /* Filter interpretation is done by a general function that is also called from
 the filter testing option (-bf). There are two versions: one for Exim filtering
@@ -492,7 +492,7 @@
 /* This function is passed a forward list string (unexpanded) or the name of a
 file (unexpanded) whose contents are the forwarding list. The list may in fact
 be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
-types of filter, with different inital tag strings, may be introduced in due
+types of filter, with different initial tag strings, may be introduced in due
 course.
 
 The job of the function is to process the forwarding list or filter. It is
@@ -566,7 +566,7 @@
 data = expand_string(rdata->string);
 if (data == NULL)
   {
-  if (expand_string_forcedfail) return FF_NOTDELIVERED;
+  if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
   *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
     expand_string_message);
   return FF_ERROR;
@@ -672,7 +672,7 @@
   original header lines that were removed, and then any header lines that were
   added but not subsequently removed. */
 
-  if (system_filtering)
+  if (f.system_filtering)
     {
     int i = 0;
     header_line *h;
@@ -718,11 +718,13 @@
     for (addr = *generated; addr; addr = addr->next)
       {
       int reply_options = 0;
+      int ig_err = addr->prop.ignore_error ? 1 : 0;
 
       if (  rda_write_string(fd, addr->address) != 0
          || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
          || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
          || rda_write_string(fd, addr->prop.errors_address) != 0
+         || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
 	 )
 	goto bad;
 
@@ -825,7 +827,7 @@
 /* If this is a system filter, read the identify of any original header lines
 that were removed, and then read data for any new ones that were added. */
 
-if (system_filtering)
+if (f.system_filtering)
   {
   int hn = 0;
   header_line *h = header_list;
@@ -887,9 +889,13 @@
 
     /* Next comes the mode and the flags fields */
 
-    if (read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode) ||
-        read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags) ||
-        !rda_read_string(fd, &addr->prop.errors_address)) goto DISASTER;
+    if (  read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
+       || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
+       || !rda_read_string(fd, &addr->prop.errors_address)
+       || read(fd, &i, sizeof(i)) != sizeof(i)
+       )
+      goto DISASTER;
+    addr->prop.ignore_error = (i != 0);
 
     /* Next comes a possible setting for $thisaddress and any numerical
     variables for pipe expansion, terminated by a NULL string. The maximum
diff -Nru exim4-4.91/src/readconf.c exim4-4.92~RC4/src/readconf.c
--- exim4-4.91/src/readconf.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/readconf.c	2018-12-27 13:36:19.000000000 +0000
@@ -15,6 +15,9 @@
 # include "macro_predef.h"
 #endif
 
+#define READCONF_DEBUG	if (FALSE)	/* Change to TRUE to enable */
+
+
 static uschar * syslog_facility_str;
 static void fn_smtp_receive_timeout(const uschar *, const uschar *);
 
@@ -123,6 +126,7 @@
 #endif
   { "dns_again_means_nonexist", opt_stringptr,   &dns_again_means_nonexist },
   { "dns_check_names_pattern",  opt_stringptr,   &check_dns_names_pattern },
+  { "dns_cname_loops",		opt_int,	 &dns_cname_loops },
   { "dns_csa_search_limit",     opt_int,         &dns_csa_search_limit },
   { "dns_csa_use_reverse",      opt_bool,        &dns_csa_use_reverse },
   { "dns_dnssec_ok",            opt_int,         &dns_dnssec_ok },
@@ -195,7 +199,9 @@
   { "local_from_prefix",        opt_stringptr,   &local_from_prefix },
   { "local_from_suffix",        opt_stringptr,   &local_from_suffix },
   { "local_interfaces",         opt_stringptr,   &local_interfaces },
+#ifdef HAVE_LOCAL_SCAN
   { "local_scan_timeout",       opt_time,        &local_scan_timeout },
+#endif
   { "local_sender_retain",      opt_bool,        &local_sender_retain },
   { "localhost_number",         opt_stringptr,   &host_number_string },
   { "log_file_path",            opt_stringptr,   &log_file_path },
@@ -234,6 +240,10 @@
 #endif
   { "pid_file_path",            opt_stringptr,   &pid_file_path },
   { "pipelining_advertise_hosts", opt_stringptr, &pipelining_advertise_hosts },
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  { "pipelining_connect_advertise_hosts", opt_stringptr,
+						 &pipe_connect_advertise_hosts },
+#endif
 #ifndef DISABLE_PRDR
   { "prdr_enable",              opt_bool,        &prdr_enable },
 #endif
@@ -345,6 +355,9 @@
   { "timezone",                 opt_stringptr,   &timezone_string },
   { "tls_advertise_hosts",      opt_stringptr,   &tls_advertise_hosts },
 #ifdef SUPPORT_TLS
+# ifdef EXPERIMENTAL_REQUIRETLS
+  { "tls_advertise_requiretls", opt_stringptr,   &tls_advertise_requiretls },
+# endif
   { "tls_certificate",          opt_stringptr,   &tls_certificate },
   { "tls_crl",                  opt_stringptr,   &tls_crl },
   { "tls_dh_max_bits",          opt_int,         &tls_dh_max_bits },
@@ -403,6 +416,19 @@
   }
 }
 
+void
+options_logging(void)
+{
+bit_table * bp;
+uschar buf[64];
+
+for (bp = log_options; bp < log_options + log_options_count; bp++)
+  {
+  spf(buf, sizeof(buf), US"_LOG_%T", bp->name);
+  builtin_macro_create(buf);
+  }
+}
+
 
 #else	/*!MACRO_PREDEF*/
 
@@ -608,7 +634,7 @@
 {
 macro_item * m = store_get(sizeof(macro_item));
 
-/* fprintf(stderr, "%s: '%s' '%s'\n", __FUNCTION__, name, val); */
+READCONF_DEBUG fprintf(stderr, "%s: '%s' '%s'\n", __FUNCTION__, name, val);
 m->next = NULL;
 m->command_line = command_line;
 m->namelen = Ustrlen(name);
@@ -688,7 +714,7 @@
     if (!m->command_line && !redef)
       {
       log_write(0, LOG_CONFIG|LOG_PANIC, "macro \"%s\" is already "
-       "defined (use \"==\" if you want to redefine it", name);
+       "defined (use \"==\" if you want to redefine it)", name);
       return FALSE;
       }
     break;
@@ -801,7 +827,8 @@
     {
     int moveby;
 
-/* fprintf(stderr, "%s: matched '%s' in '%s'\n", __FUNCTION__, m->name, ss); */
+    READCONF_DEBUG fprintf(stderr, "%s: matched '%s' in '%.*s'\n", __FUNCTION__,
+      m->name, (int) Ustrlen(ss)-1, ss);
     /* Expand the buffer if necessary */
 
     while (*newlen - m->namelen + m->replen + 1 > big_buffer_size)
@@ -939,7 +966,7 @@
 
   /* Handle conditionals, which are also applied to physical lines. Conditions
   are of the form ".ifdef ANYTEXT" and are treated as true if any macro
-  expansion occured on the rest of the line. A preliminary test for the leading
+  expansion occurred on the rest of the line. A preliminary test for the leading
   '.' saves effort on most lines. */
 
   if (*ss == '.')
@@ -2103,7 +2130,7 @@
   inttype = US"octal ";
 
   /*  Integer: a simple(ish) case; allow octal and hex formats, and
-  suffixes K, M and G. The different types affect output, not input. */
+  suffixes K, M, G, and T.  The different types affect output, not input. */
 
   case opt_mkint:
   case opt_int:
@@ -2118,80 +2145,75 @@
       log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "%sinteger expected for %s",
         inttype, name);
 
-    if (errno != ERANGE)
-      if (tolower(*endptr) == 'k')
-        {
-        if (lvalue > INT_MAX/1024 || lvalue < INT_MIN/1024) errno = ERANGE;
-          else lvalue *= 1024;
-        endptr++;
-        }
-      else if (tolower(*endptr) == 'm')
-        {
-        if (lvalue > INT_MAX/(1024*1024) || lvalue < INT_MIN/(1024*1024))
-          errno = ERANGE;
-        else lvalue *= 1024*1024;
-        endptr++;
-        }
-      else if (tolower(*endptr) == 'g')
-        {
-        if (lvalue > INT_MAX/(1024*1024*1024) || lvalue < INT_MIN/(1024*1024*1024))
-          errno = ERANGE;
-        else lvalue *= 1024*1024*1024;
-        endptr++;
-        }
+    if (errno != ERANGE && *endptr)
+      {
+      uschar * mp = US"TtGgMmKk\0";	/* YyZzEePpTtGgMmKk */
+
+      if ((mp = Ustrchr(mp, *endptr)))
+	{
+	endptr++;
+	do
+	  {
+	  if (lvalue > INT_MAX/1024 || lvalue < INT_MIN/1024)
+	    {
+	    errno = ERANGE;
+	    break;
+	    }
+	  lvalue *= 1024;
+	  }
+	while (*(mp += 2));
+	}
+      }
 
     if (errno == ERANGE || lvalue > INT_MAX || lvalue < INT_MIN)
       log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
         "absolute value of integer \"%s\" is too large (overflow)", s);
 
     while (isspace(*endptr)) endptr++;
-    if (*endptr != 0)
+    if (*endptr)
       extra_chars_error(endptr, inttype, US"integer value for ", name);
 
     value = (int)lvalue;
     }
 
-  if (data_block == NULL)
-    *((int *)(ol->value)) = value;
+  if (data_block)
+    *(int *)(US data_block + (long int)ol->value) = value;
   else
-    *((int *)(US data_block + (long int)(ol->value))) = value;
+    *(int *)ol->value = value;
   break;
 
-  /*  Integer held in K: again, allow octal and hex formats, and suffixes K, M
-  and G. */
-  /*XXX consider moving to int_eximarith_t (but mind the overflow test 0415) */
+  /*  Integer held in K: again, allow formats and suffixes as above. */
 
   case opt_Kint:
     {
     uschar *endptr;
     errno = 0;
-    value = strtol(CS s, CSS &endptr, intbase);
+    int_eximarith_t lvalue = strtol(CS s, CSS &endptr, intbase);
 
     if (endptr == s)
       log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "%sinteger expected for %s",
         inttype, name);
 
-    if (errno != ERANGE)
-      if (tolower(*endptr) == 'g')
-        {
-        if (value > INT_MAX/(1024*1024) || value < INT_MIN/(1024*1024))
-	  errno = ERANGE;
-	else
-	  value *= 1024*1024;
-        endptr++;
-        }
-      else if (tolower(*endptr) == 'm')
-        {
-        if (value > INT_MAX/1024 || value < INT_MIN/1024)
-	  errno = ERANGE;
-	else
-	  value *= 1024;
-        endptr++;
-        }
-      else if (tolower(*endptr) == 'k')
-        endptr++;
+    if (errno != ERANGE && *endptr)
+      {
+      uschar * mp = US"ZzEePpTtGgMmKk\0";	/* YyZzEePpTtGgMmKk */
+
+      if ((mp = Ustrchr(mp, *endptr)))
+	{
+	endptr++;
+	while (*(mp += 2))
+	  {
+	  if (lvalue > EXIM_ARITH_MAX/1024 || lvalue < EXIM_ARITH_MIN/1024)
+	    {
+	    errno = ERANGE;
+	    break;
+	    }
+	  lvalue *= 1024;
+	  }
+	}
       else
-        value = (value + 512)/1024;
+	lvalue = (lvalue + 512)/1024;
+      }
 
     if (errno == ERANGE) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
       "absolute value of integer \"%s\" is too large (overflow)", s);
@@ -2199,13 +2221,13 @@
     while (isspace(*endptr)) endptr++;
     if (*endptr != 0)
       extra_chars_error(endptr, inttype, US"integer value for ", name);
-    }
 
-  if (data_block == NULL)
-    *((int *)(ol->value)) = value;
-  else
-    *((int *)(US data_block + (long int)(ol->value))) = value;
-  break;
+    if (data_block)
+      *(int_eximarith_t *)(US data_block + (long int)ol->value) = lvalue;
+    else
+      *(int_eximarith_t *)ol->value = lvalue;
+    break;
+    }
 
   /*  Fixed-point number: held to 3 decimal places. */
 
@@ -2404,7 +2426,7 @@
 /* Non-admin callers cannot see options that have been flagged secure by the
 "hide" prefix. */
 
-if (!admin_user && ol->type & opt_secure)
+if (!f.admin_user && ol->type & opt_secure)
   {
   if (no_labels)
     printf("%s\n", hidden);
@@ -2462,11 +2484,13 @@
 
   case opt_Kint:
     {
-    int x = *((int *)value);
+    int_eximarith_t x = *((int_eximarith_t *)value);
     if (!no_labels) printf("%s = ", name);
     if (x == 0) printf("0\n");
-    else if ((x & 1023) == 0) printf("%dM\n", x >> 10);
-    else printf("%dK\n", x);
+    else if ((x & ((1<<30)-1)) == 0) printf(PR_EXIM_ARITH "T\n", x >> 30);
+    else if ((x & ((1<<20)-1)) == 0) printf(PR_EXIM_ARITH "G\n", x >> 20);
+    else if ((x & ((1<<10)-1)) == 0) printf(PR_EXIM_ARITH "M\n", x >> 10);
+    else printf(PR_EXIM_ARITH "K\n", x);
     }
     break;
 
@@ -2763,7 +2787,7 @@
 
   if (Ustrcmp(name, "config") == 0)
     {
-    print_config(admin_user, no_labels);
+    print_config(f.admin_user, no_labels);
     return TRUE;
     }
 
@@ -2864,7 +2888,7 @@
   {
   /* People store passwords in macros and they were previously not available
   for printing.  So we have an admin_users restriction. */
-  if (!admin_user)
+  if (!f.admin_user)
     {
     fprintf(stderr, "exim: permission denied\n");
     return FALSE;
@@ -2874,6 +2898,8 @@
       {
       if (names_only)
         printf("%s\n", CS m->name);
+      else if (no_labels)
+        printf("%s\n", CS m->replacement);
       else
         printf("%s=%s\n", CS m->name, CS m->replacement);
       if (name)
@@ -3269,7 +3295,7 @@
 /* Check the status of the file we have opened, if we have retained root
 privileges and the file isn't /dev/null (which *should* be 0666). */
 
-if (trusted_config && Ustrcmp(filename, US"/dev/null"))
+if (f.trusted_config && Ustrcmp(filename, US"/dev/null"))
   {
   if (fstat(fileno(config_file), &statbuf) != 0)
     log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to stat configuration file %s",
@@ -4185,6 +4211,9 @@
 auths_init(void)
 {
 auth_instance *au, *bu;
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+int nauths = 0;
+#endif
 
 readconf_driver_init(US"authenticator",
   (driver_instance **)(&auths),      /* chain anchor */
@@ -4208,7 +4237,13 @@
           "(%s and %s) have the same public name (%s)",
           au->client ? US"client" : US"server", au->name, bu->name,
           au->public_name);
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  nauths++;
+#endif
   }
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+f.smtp_in_early_pipe_no_auth = nauths > 16;
+#endif
 }
 
 
@@ -4395,7 +4430,7 @@
 readconf_save_config(const uschar *s)
 {
 save_config_line(string_sprintf("# Exim Configuration (%s)",
-  running_in_test_harness ? US"X" : s));
+  f.running_in_test_harness ? US"X" : s));
 }
 
 static void
diff -Nru exim4-4.91/src/receive.c exim4-4.92~RC4/src/receive.c
--- exim4-4.91/src/receive.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/receive.c	2018-12-27 13:36:19.000000000 +0000
@@ -8,6 +8,7 @@
 /* Code for receiving a message and setting up spool files. */
 
 #include "exim.h"
+#include <setjmp.h>
 
 #ifdef EXPERIMENTAL_DCC
 extern int dcc_ok;
@@ -21,12 +22,17 @@
 *                Local static variables          *
 *************************************************/
 
-static FILE   *data_file = NULL;
 static int     data_fd = -1;
 static uschar *spool_name = US"";
 
 enum CH_STATE {LF_SEEN, MID_LINE, CR_SEEN};
 
+#ifdef HAVE_LOCAL_SCAN
+jmp_buf local_scan_env;		/* error-handling context for local_scan */
+unsigned had_local_scan_crash;
+unsigned had_local_scan_timeout;
+#endif
+
 
 /*************************************************
 *      Non-SMTP character reading functions      *
@@ -40,7 +46,27 @@
 int
 stdin_getc(unsigned lim)
 {
-return getc(stdin);
+int c = getc(stdin);
+
+if (had_data_timeout)
+  {
+  fprintf(stderr, "exim: timed out while reading - message abandoned\n");
+  log_write(L_lost_incoming_connection,
+            LOG_MAIN, "timed out while reading local message");
+  receive_bomb_out(US"data-timeout", NULL);   /* Does not return */
+  }
+if (had_data_sigint)
+  {
+  if (filter_test == FTEST_NONE)
+    {
+    fprintf(stderr, "\nexim: %s received - message abandoned\n",
+      had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
+    log_write(0, LOG_MAIN, "%s received while reading local message",
+      had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
+    }
+  receive_bomb_out(US"signal-exit", NULL);    /* Does not return */
+  }
+return c;
 }
 
 int
@@ -83,7 +109,7 @@
 receive_check_set_sender(uschar *newsender)
 {
 uschar *qnewsender;
-if (trusted_caller) return TRUE;
+if (f.trusted_caller) return TRUE;
 if (!newsender || !untrusted_set_sender) return FALSE;
 qnewsender = Ustrchr(newsender, '@')
   ? newsender : string_sprintf("%s@%s", newsender, qualify_domain_sender);
@@ -118,7 +144,7 @@
 All values are -1 if the STATFS functions are not available.
 */
 
-int
+int_eximarith_t
 receive_statvfs(BOOL isspool, int *inodeptr)
 {
 #ifdef HAVE_STATFS
@@ -197,7 +223,7 @@
 
 /* Disks are getting huge. Take care with computing the size in kilobytes. */
 
-return (int)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0);
+return (int_eximarith_t)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0);
 
 #else
 /* Unable to find partition sizes in this environment. */
@@ -232,22 +258,23 @@
 BOOL
 receive_check_fs(int msg_size)
 {
-int space, inodes;
+int_eximarith_t space;
+int inodes;
 
 if (check_spool_space > 0 || msg_size > 0 || check_spool_inodes > 0)
   {
   space = receive_statvfs(TRUE, &inodes);
 
   DEBUG(D_receive)
-    debug_printf("spool directory space = %dK inodes = %d "
-      "check_space = %dK inodes = %d msg_size = %d\n",
+    debug_printf("spool directory space = " PR_EXIM_ARITH "K inodes = %d "
+      "check_space = " PR_EXIM_ARITH "K inodes = %d msg_size = %d\n",
       space, inodes, check_spool_space, check_spool_inodes, msg_size);
 
   if ((space >= 0 && space < check_spool_space) ||
       (inodes >= 0 && inodes < check_spool_inodes))
     {
-    log_write(0, LOG_MAIN, "spool directory space check failed: space=%d "
-      "inodes=%d", space, inodes);
+    log_write(0, LOG_MAIN, "spool directory space check failed: space="
+      PR_EXIM_ARITH " inodes=%d", space, inodes);
     return FALSE;
     }
   }
@@ -257,15 +284,15 @@
   space = receive_statvfs(FALSE, &inodes);
 
   DEBUG(D_receive)
-    debug_printf("log directory space = %dK inodes = %d "
-      "check_space = %dK inodes = %d\n",
+    debug_printf("log directory space = " PR_EXIM_ARITH "K inodes = %d "
+      "check_space = " PR_EXIM_ARITH "K inodes = %d\n",
       space, inodes, check_log_space, check_log_inodes);
 
-  if ((space >= 0 && space < check_log_space) ||
-      (inodes >= 0 && inodes < check_log_inodes))
+  if (  space >= 0 && space < check_log_space
+     || inodes >= 0 && inodes < check_log_inodes)
     {
-    log_write(0, LOG_MAIN, "log directory space check failed: space=%d "
-      "inodes=%d", space, inodes);
+    log_write(0, LOG_MAIN, "log directory space check failed: space=" PR_EXIM_ARITH
+      " inodes=%d", space, inodes);
     return FALSE;
     }
   }
@@ -316,11 +343,13 @@
 
 /* Now close the file if it is open, either as a fd or a stream. */
 
-if (data_file != NULL)
+if (spool_data_file)
+  {
+  (void)fclose(spool_data_file);
+  spool_data_file = NULL;
+  }
+else if (data_fd >= 0)
   {
-  (void)fclose(data_file);
-  data_file = NULL;
-} else if (data_fd >= 0) {
   (void)close(data_fd);
   data_fd = -1;
   }
@@ -361,37 +390,29 @@
 static void
 data_timeout_handler(int sig)
 {
-uschar *msg = NULL;
-
-sig = sig;    /* Keep picky compilers happy */
-
-if (smtp_input)
-  {
-  msg = US"SMTP incoming data timeout";
-  log_write(L_lost_incoming_connection,
-            LOG_MAIN, "SMTP data timeout (message abandoned) on connection "
-            "from %s F=<%s>",
-            (sender_fullhost != NULL)? sender_fullhost : US"local process",
-            sender_address);
-  }
-else
-  {
-  fprintf(stderr, "exim: timed out while reading - message abandoned\n");
-  log_write(L_lost_incoming_connection,
-            LOG_MAIN, "timed out while reading local message");
-  }
-
-receive_bomb_out(US"data-timeout", msg);   /* Does not return */
+had_data_timeout = sig;
 }
 
 
 
+#ifdef HAVE_LOCAL_SCAN
 /*************************************************
 *              local_scan() timeout              *
 *************************************************/
 
 /* Handler function for timeouts that occur while running a local_scan()
-function.
+function.  Posix recommends against calling longjmp() from a signal-handler,
+but the GCC manual says you can so we will, and trust that it's better than
+calling probably non-signal-safe funxtions during logging from within the
+handler, even with other compilers.
+
+See also https://cwe.mitre.org/data/definitions/745.html which also lists
+it as unsafe.
+
+This is all because we have no control over what might be written for a
+local-scan function, so cannot sprinkle had-signal checks after each
+call-site.  At least with the default "do-nothing" function we won't
+ever get here.
 
 Argument:  the signal number
 Returns:   nothing
@@ -400,11 +421,8 @@
 static void
 local_scan_timeout_handler(int sig)
 {
-sig = sig;    /* Keep picky compilers happy */
-log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - "
-  "message temporarily rejected (size %d)", message_size);
-/* Does not return */
-receive_bomb_out(US"local-scan-timeout", US"local verification problem");
+had_local_scan_timeout = sig;
+siglongjmp(local_scan_env, 1);
 }
 
 
@@ -423,12 +441,12 @@
 static void
 local_scan_crash_handler(int sig)
 {
-log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with "
-  "signal %d - message temporarily rejected (size %d)", sig, message_size);
-/* Does not return */
-receive_bomb_out(US"local-scan-error", US"local verification problem");
+had_local_scan_crash = sig;
+siglongjmp(local_scan_env, 1);
 }
 
+#endif /*HAVE_LOCAL_SCAN*/
+
 
 /*************************************************
 *           SIGTERM or SIGINT received           *
@@ -444,26 +462,7 @@
 static void
 data_sigterm_sigint_handler(int sig)
 {
-uschar *msg = NULL;
-
-if (smtp_input)
-  {
-  msg = US"Service not available - SIGTERM or SIGINT received";
-  log_write(0, LOG_MAIN, "%s closed after %s", smtp_get_connection_info(),
-    (sig == SIGTERM)? "SIGTERM" : "SIGINT");
-  }
-else
-  {
-  if (filter_test == FTEST_NONE)
-    {
-    fprintf(stderr, "\nexim: %s received - message abandoned\n",
-      (sig == SIGTERM)? "SIGTERM" : "SIGINT");
-    log_write(0, LOG_MAIN, "%s received while reading local message",
-      (sig == SIGTERM)? "SIGTERM" : "SIGINT");
-    }
-  }
-
-receive_bomb_out(US"signal-exit", msg);    /* Does not return */
+had_data_sigint = sig;
 }
 
 
@@ -489,7 +488,7 @@
   {
   recipient_item *oldlist = recipients_list;
   int oldmax = recipients_list_max;
-  recipients_list_max = recipients_list_max? 2*recipients_list_max : 50;
+  recipients_list_max = recipients_list_max ? 2*recipients_list_max : 50;
   recipients_list = store_get(recipients_list_max * sizeof(recipient_item));
   if (oldlist != NULL)
     memcpy(recipients_list, oldlist, oldmax * sizeof(recipient_item));
@@ -621,7 +620,7 @@
 
 /* Handle the case when only EOF terminates the message */
 
-if (!dot_ends)
+if (!f.dot_ends)
   {
   register int last_ch = '\n';
 
@@ -1025,7 +1024,7 @@
 
 DEBUG(D_receive) debug_printf("CHUNKING: %s\n",
 	fout ? "writing spoolfile in wire format" : "flushing input");
-spool_file_wireformat = TRUE;
+f.spool_file_wireformat = TRUE;
 
 for (;;)
   {
@@ -1183,7 +1182,7 @@
   case ACL_WHERE_DKIM:
   case ACL_WHERE_MIME:
   case ACL_WHERE_DATA:
-    if (  cutthrough.fd >= 0 && cutthrough.delivery
+    if (  cutthrough.cctx.sock >= 0 && cutthrough.delivery
        && (acl_removed_headers || acl_added_headers))
     {
     log_write(0, LOG_MAIN|LOG_PANIC, "Header modification in data ACLs"
@@ -1307,21 +1306,30 @@
   if (LOGGING(dnssec) && sender_host_dnssec)	/*XXX sender_helo_dnssec? */
     g = string_catn(g, US" DS", 3);
   g = string_append(g, 2, US" H=", sender_fullhost);
-  if (LOGGING(incoming_interface) && interface_address != NULL)
-    {
-    g = string_cat(g,
-      string_sprintf(" I=[%s]:%d", interface_address, interface_port));
-    }
+  if (LOGGING(incoming_interface) && interface_address)
+    g = string_fmt_append(g, " I=[%s]:%d", interface_address, interface_port);
   }
-if (tcp_in_fastopen && !tcp_in_fastopen_logged)
+if (f.tcp_in_fastopen && !f.tcp_in_fastopen_logged)
   {
-  g = string_catn(g, US" TFO", 4);
-  tcp_in_fastopen_logged = TRUE;
+  g = string_catn(g, US" TFO*", f.tcp_in_fastopen_data ? 5 : 4);
+  f.tcp_in_fastopen_logged = TRUE;
   }
 if (sender_ident)
   g = string_append(g, 2, US" U=", sender_ident);
 if (received_protocol)
   g = string_append(g, 2, US" P=", received_protocol);
+if (LOGGING(pipelining) && f.smtp_in_pipelining_advertised)
+  {
+  g = string_catn(g, US" L", 2);
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  if (f.smtp_in_early_pipe_used)
+    g = string_catn(g, US"*", 1);
+  else if (f.smtp_in_early_pipe_advertised)
+    g = string_catn(g, US".", 1);
+#endif
+  if (!f.smtp_in_pipelining_used)
+    g = string_catn(g, US"-", 1);
+  }
 return g;
 }
 
@@ -1450,10 +1458,12 @@
   {
   recipients_count = 0;
   *blackholed_by_ptr = US"MIME ACL";
+  cancel_cutthrough_connection(TRUE, US"mime acl discard");
   }
 else if (rc != OK)
   {
   Uunlink(spool_name);
+  cancel_cutthrough_connection(TRUE, US"mime acl not ok");
   unspool_mbox();
 #ifdef EXPERIMENTAL_DCC
   dcc_ok = 0;
@@ -1621,11 +1631,11 @@
 	? errors_sender_rc : EXIT_FAILURE;
 int  header_size = 256;
 int  start, end, domain;
-int  id_resolution;
+int  id_resolution = 0;
 int  had_zero = 0;
 int  prevlines_length = 0;
 
-register int ptr = 0;
+int ptr = 0;
 
 BOOL contains_resent_headers = FALSE;
 BOOL extracted_ignored = FALSE;
@@ -1678,6 +1688,7 @@
 uschar *timestamp;
 int tslen;
 
+
 /* Release any open files that might have been cached while preparing to
 accept the message - e.g. by verifying addresses - because reading a message
 might take a fair bit of real time. */
@@ -1710,7 +1721,7 @@
 yet, initialize the size and warning count, and deal with no size limit. */
 
 message_id[0] = 0;
-data_file = NULL;
+spool_data_file = NULL;
 data_fd = -1;
 spool_name = US"";
 message_size = 0;
@@ -1727,7 +1738,7 @@
 #ifndef DISABLE_DKIM
 /* Call into DKIM to set up the context.  In CHUNKING mode
 we clear the dot-stuffing flag */
-if (smtp_input && !smtp_batched_input && !dkim_disable_verify)
+if (smtp_input && !smtp_batched_input && !f.dkim_disable_verify)
   dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED);
 #endif
 
@@ -1751,7 +1762,9 @@
 /* If SMTP input, set the special handler for timeouts. The alarm() calls
 happen in the smtp_getc() function when it refills its buffer. */
 
-if (smtp_input) os_non_restarting_signal(SIGALRM, data_timeout_handler);
+had_data_timeout = 0;
+if (smtp_input)
+  os_non_restarting_signal(SIGALRM, data_timeout_handler);
 
 /* If not SMTP input, timeout happens only if configured, and we just set a
 single timeout for the whole message. */
@@ -1759,11 +1772,12 @@
 else if (receive_timeout > 0)
   {
   os_non_restarting_signal(SIGALRM, data_timeout_handler);
-  alarm(receive_timeout);
+  ALARM(receive_timeout);
   }
 
 /* SIGTERM and SIGINT are caught always. */
 
+had_data_sigint = 0;
 signal(SIGTERM, data_sigterm_sigint_handler);
 signal(SIGINT, data_sigterm_sigint_handler);
 
@@ -1856,7 +1870,7 @@
   prevent further reading), and break out of the loop, having freed the
   empty header, and set next = NULL to indicate no data line. */
 
-  if (ptr == 0 && ch == '.' && dot_ends)
+  if (ptr == 0 && ch == '.' && f.dot_ends)
     {
     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
     if (ch == '\r')
@@ -1929,7 +1943,7 @@
 
     log_write(0, LOG_MAIN, "ridiculously long message header received from "
       "%s (more than %d characters): message abandoned",
-      sender_host_unknown? sender_ident : sender_fullhost, header_maxsize);
+      f.sender_host_unknown ? sender_ident : sender_fullhost, header_maxsize);
 
     if (smtp_input)
       {
@@ -2053,7 +2067,7 @@
      && regex_match_and_setup(regex_From, next->text, 0, -1)
      )
     {
-    if (!sender_address_forced)
+    if (!f.sender_address_forced)
       {
       uschar *uucp_sender = expand_string(uucp_from_sender);
       if (!uucp_sender)
@@ -2075,11 +2089,11 @@
             {
             sender_address = newsender;
 
-            if (trusted_caller || filter_test != FTEST_NONE)
+            if (f.trusted_caller || filter_test != FTEST_NONE)
               {
               authenticated_sender = NULL;
               originator_name = US"";
-              sender_local = FALSE;
+              f.sender_local = FALSE;
               }
 
             if (filter_test != FTEST_NONE)
@@ -2150,7 +2164,7 @@
       {
       log_write(0, LOG_MAIN, "overlong message header line received from "
         "%s (more than %d characters): message abandoned",
-        sender_host_unknown? sender_ident : sender_fullhost,
+        f.sender_host_unknown ? sender_ident : sender_fullhost,
         header_line_maxsize);
 
       if (smtp_input)
@@ -2377,9 +2391,9 @@
     set.) */
 
     case htype_sender:
-      h->type =    !active_local_sender_retain
-		&& (  sender_local && !trusted_caller && !suppress_local_fixups
-		   || submission_mode
+      h->type =    !f.active_local_sender_retain
+		&& (  f.sender_local && !f.trusted_caller && !f.suppress_local_fixups
+		   || f.submission_mode
 		   )
 		&& (!resents_exist || is_resent)
 	? htype_old : htype_sender;
@@ -2465,7 +2479,7 @@
       uschar *s = Ustrchr(h->text, ':') + 1;
       while (isspace(*s)) s++;
 
-      parse_allow_group = TRUE;          /* Allow address group syntax */
+      f.parse_allow_group = TRUE;          /* Allow address group syntax */
 
       while (*s != 0)
         {
@@ -2476,11 +2490,9 @@
         /* Check on maximum */
 
         if (recipients_max > 0 && ++rcount > recipients_max)
-          {
           give_local_error(ERRMESS_TOOMANYRECIP, US"too many recipients",
             US"message rejected: ", error_rc, stdin, NULL);
           /* Does not return */
-          }
 
         /* Make a copy of the address, and remove any internal newlines. These
         may be present as a result of continuations of the header line. The
@@ -2547,8 +2559,8 @@
         while (isspace(*s)) s++;
         }    /* Next address */
 
-      parse_allow_group = FALSE;      /* Reset group syntax flags */
-      parse_found_group = FALSE;
+      f.parse_allow_group = FALSE;      /* Reset group syntax flags */
+      f.parse_found_group = FALSE;
 
       /* If this was the bcc: header, mark it "old", which means it
       will be kept on the spool, but not transmitted as part of the
@@ -2621,7 +2633,7 @@
 
 if (host_number_string)
   {
-  id_resolution = (BASE_62 == 62)? 5000 : 10000;
+  id_resolution = BASE_62 == 62 ? 5000 : 10000;
   sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
     string_base62((long int)(
       host_number * (1000000/id_resolution) +
@@ -2633,7 +2645,7 @@
 
 else
   {
-  id_resolution = (BASE_62 == 62)? 500 : 1000;
+  id_resolution = BASE_62 == 62 ? 500 : 1000;
   sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
     string_base62((long int)(message_id_tv.tv_usec/id_resolution)) + 4);
   }
@@ -2656,7 +2668,7 @@
 any illegal characters therein. */
 
 if (  !msgid_header
-   && ((!sender_host_address && !suppress_local_fixups) || submission_mode))
+   && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
   {
   uschar *p;
   uschar *id_text = US"";
@@ -2669,7 +2681,7 @@
     uschar *new_id_domain = expand_string(message_id_domain);
     if (!new_id_domain)
       {
-      if (!expand_string_forcedfail)
+      if (!f.expand_string_forcedfail)
         log_write(0, LOG_MAIN|LOG_PANIC,
           "expansion of \"%s\" (message_id_header_domain) "
           "failed: %s", message_id_domain, expand_string_message);
@@ -2690,7 +2702,7 @@
     uschar *new_id_text = expand_string(message_id_text);
     if (!new_id_text)
       {
-      if (!expand_string_forcedfail)
+      if (!f.expand_string_forcedfail)
         log_write(0, LOG_MAIN|LOG_PANIC,
           "expansion of \"%s\" (message_id_header_text) "
           "failed: %s", message_id_text, expand_string_message);
@@ -2742,7 +2754,7 @@
 From:) but we still want to ensure a valid Sender: if it is required. */
 
 if (  !from_header
-   && ((!sender_host_address && !suppress_local_fixups) || submission_mode))
+   && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
   {
   uschar *oname = US"";
 
@@ -2753,8 +2765,8 @@
 
   if (!sender_host_address)
     {
-    if (!trusted_caller || sender_name_forced ||
-         (!smtp_input && !sender_address_forced))
+    if (!f.trusted_caller || f.sender_name_forced ||
+         (!smtp_input && !f.sender_address_forced))
       oname = originator_name;
     }
 
@@ -2773,12 +2785,12 @@
       resent_prefix, oname, *oname ? " <" : "");
     fromend = *oname ? US">" : US"";
 
-    if (sender_local || local_error_message)
+    if (f.sender_local || f.local_error_message)
       header_add(htype_from, "%s%s@%s%s\n", fromstart,
         local_part_quote(originator_login), qualify_domain_sender,
         fromend);
 
-    else if (submission_mode && authenticated_id)
+    else if (f.submission_mode && authenticated_id)
       {
       if (!submission_domain)
         header_add(htype_from, "%s%s@%s%s\n", fromstart,
@@ -2825,9 +2837,9 @@
 parse_extract_address fails, and a Sender: header is inserted, as required. */
 
 if (  from_header
-   && (  active_local_from_check
-      && (  sender_local && !trusted_caller && !suppress_local_fixups
-	 || submission_mode && authenticated_id
+   && (  f.active_local_from_check
+      && (  f.sender_local && !f.trusted_caller && !f.suppress_local_fixups
+	 || f.submission_mode && authenticated_id
    )  )  )
   {
   BOOL make_sender = TRUE;
@@ -2838,7 +2850,7 @@
       &start, &end, &domain, FALSE);
   uschar *generated_sender_address;
 
-  generated_sender_address = submission_mode
+  generated_sender_address = f.submission_mode
     ? !submission_domain
     ? string_sprintf("%s@%s",
 	local_part_quote(authenticated_id), qualify_domain_sender)
@@ -2876,19 +2888,19 @@
   appropriate rewriting rules. */
 
   if (make_sender)
-    if (submission_mode && !submission_name)
+    if (f.submission_mode && !submission_name)
       header_add(htype_sender, "%sSender: %s\n", resent_prefix,
         generated_sender_address);
     else
       header_add(htype_sender, "%sSender: %s <%s>\n",
         resent_prefix,
-        submission_mode? submission_name : originator_name,
+        f.submission_mode ? submission_name : originator_name,
         generated_sender_address);
 
   /* Ensure that a non-null envelope sender address corresponds to the
   submission mode sender address. */
 
-  if (submission_mode && *sender_address)
+  if (f.submission_mode && *sender_address)
     {
     if (!sender_address_unrewritten)
       sender_address_unrewritten = sender_address;
@@ -2953,7 +2965,7 @@
 */
 
 if (  !date_header_exists
-   && ((!sender_host_address && !suppress_local_fixups) || submission_mode))
+   && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
   header_add_at_position(!resents_exist, NULL, FALSE, htype_other,
     "%sDate: %s\n", resent_prefix, tod_stamp(tod_full));
 
@@ -2993,7 +3005,7 @@
 so the timestamp behaviour is a change to the normal case.
 Having created it, send the headers to the destination. */
 
-if (cutthrough.fd >= 0 && cutthrough.delivery)
+if (cutthrough.cctx.sock >= 0 && cutthrough.delivery)
   {
   if (received_count > received_headers_max)
     {
@@ -3049,7 +3061,7 @@
 are problems when Exim is run under Cygwin (I'm told). See comments in
 spool_in.c, where the same locking is done. */
 
-data_file = fdopen(data_fd, "w+");
+spool_data_file = fdopen(data_fd, "w+");
 lock_data.l_type = F_WRLCK;
 lock_data.l_whence = SEEK_SET;
 lock_data.l_start = 0;
@@ -3066,31 +3078,32 @@
 format); write it (remembering that it might contain binary zeros). The result
 of fwrite() isn't inspected; instead we call ferror() below. */
 
-fprintf(data_file, "%s-D\n", message_id);
+fprintf(spool_data_file, "%s-D\n", message_id);
 if (next)
   {
   uschar *s = next->text;
   int len = next->slen;
-  len = fwrite(s, 1, len, data_file);  len = len; /* compiler quietening */
-  body_linecount++;                 /* Assumes only 1 line */
+  if (fwrite(s, 1, len, spool_data_file) == len) /* "if" for compiler quietening */
+    body_linecount++;                 /* Assumes only 1 line */
   }
 
 /* Note that we might already be at end of file, or the logical end of file
 (indicated by '.'), or might have encountered an error while writing the
 message id or "next" line. */
 
-if (!ferror(data_file) && !(receive_feof)() && message_ended != END_DOT)
+if (!ferror(spool_data_file) && !(receive_feof)() && message_ended != END_DOT)
   {
   if (smtp_input)
     {
     message_ended = chunking_state <= CHUNKING_OFFERED
-      ? read_message_data_smtp(data_file)
+      ? read_message_data_smtp(spool_data_file)
       : spool_wireformat
-      ? read_message_bdat_smtp_wire(data_file)
-      : read_message_bdat_smtp(data_file);
+      ? read_message_bdat_smtp_wire(spool_data_file)
+      : read_message_bdat_smtp(spool_data_file);
     receive_linecount++;                /* The terminating "." line */
     }
-  else message_ended = read_message_data(data_file);
+  else
+    message_ended = read_message_data(spool_data_file);
 
   receive_linecount += body_linecount;  /* For BSMTP errors mainly */
   message_linecount += body_linecount;
@@ -3137,10 +3150,10 @@
 	}
       else
 	{
-	fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+	fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
 	give_local_error(ERRMESS_TOOBIG,
 	  string_sprintf("message too big (max=%d)", thismessage_size_limit),
-	  US"message rejected: ", error_rc, data_file, header_list);
+	  US"message rejected: ", error_rc, spool_data_file, header_list);
 	/* Does not return */
 	}
       break;
@@ -3170,8 +3183,8 @@
 the input in cases of output errors, since the far end doesn't expect to see
 anything until the terminating dot line is sent. */
 
-if (fflush(data_file) == EOF || ferror(data_file) ||
-    EXIMfsync(fileno(data_file)) < 0 || (receive_ferror)())
+if (fflush(spool_data_file) == EOF || ferror(spool_data_file) ||
+    EXIMfsync(fileno(spool_data_file)) < 0 || (receive_ferror)())
   {
   uschar *msg_errno = US strerror(errno);
   BOOL input_error = (receive_ferror)() != 0;
@@ -3199,8 +3212,8 @@
 
   else
     {
-    fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-    give_local_error(ERRMESS_IOERR, msg, US"", error_rc, data_file,
+    fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+    give_local_error(ERRMESS_IOERR, msg, US"", error_rc, spool_data_file,
       header_list);
     /* Does not return */
     }
@@ -3231,17 +3244,17 @@
     if (recipients_count == 0) debug_printf("*** No recipients\n");
     if (bad_addresses)
       {
-      error_block *eblock = bad_addresses;
+      error_block * eblock;
       debug_printf("*** Bad address(es)\n");
-      while (eblock != NULL)
-        {
+      for (eblock = bad_addresses; eblock; eblock = eblock->next)
         debug_printf("  %s: %s\n", eblock->text1, eblock->text2);
-        eblock = eblock->next;
-        }
       }
     }
 
-  fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s %s found in headers",
+    message_id, bad_addresses ? "bad addresses" : "no recipients");
+
+  fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
 
   /* If configured to send errors to the sender, but this fails, force
   a failure error code. We use a special one for no recipients so that it
@@ -3252,38 +3265,34 @@
   if (error_handling == ERRORS_SENDER)
     {
     if (!moan_to_sender(
-          (bad_addresses == NULL)?
-            (extracted_ignored? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS) :
-          (recipients_list == NULL)? ERRMESS_BADNOADDRESS : ERRMESS_BADADDRESS,
-          bad_addresses, header_list, data_file, FALSE))
-      error_rc = (bad_addresses == NULL)? EXIT_NORECIPIENTS : EXIT_FAILURE;
+          bad_addresses
+	  ? recipients_list ? ERRMESS_BADADDRESS : ERRMESS_BADNOADDRESS
+	  : extracted_ignored ? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS,
+          bad_addresses, header_list, spool_data_file, FALSE
+       )	       )
+      error_rc = bad_addresses ? EXIT_FAILURE : EXIT_NORECIPIENTS;
     }
   else
     {
     if (!bad_addresses)
-      {
       if (extracted_ignored)
         fprintf(stderr, "exim: all -t recipients overridden by command line\n");
       else
         fprintf(stderr, "exim: no recipients in message\n");
-      }
     else
       {
       fprintf(stderr, "exim: invalid address%s",
-        (bad_addresses->next == NULL)? ":" : "es:\n");
-      while (bad_addresses != NULL)
-        {
+        bad_addresses->next ? "es:\n" : ":");
+      for ( ; bad_addresses; bad_addresses = bad_addresses->next)
         fprintf(stderr, "  %s: %s\n", bad_addresses->text1,
           bad_addresses->text2);
-        bad_addresses = bad_addresses->next;
-        }
       }
     }
 
   if (recipients_count == 0 || error_handling == ERRORS_STDERR)
     {
     Uunlink(spool_name);
-    (void)fclose(data_file);
+    (void)fclose(spool_data_file);
     exim_exit(error_rc, US"receiving");
     }
   }
@@ -3333,10 +3342,10 @@
 deliver_datafile = data_fd;
 user_msg = NULL;
 
-enable_dollar_recipients = TRUE;
+f.enable_dollar_recipients = TRUE;
 
 if (recipients_count == 0)
-  blackholed_by = recipients_discarded ? US"MAIL ACL" : US"RCPT ACL";
+  blackholed_by = f.recipients_discarded ? US"MAIL ACL" : US"RCPT ACL";
 
 else
   {
@@ -3346,7 +3355,7 @@
     {
 
 #ifndef DISABLE_DKIM
-    if (!dkim_disable_verify)
+    if (!f.dkim_disable_verify)
       {
       /* Finish verification */
       dkim_exim_verify_finish();
@@ -3575,7 +3584,7 @@
     if (acl_not_smtp)
       {
       uschar *user_msg, *log_msg;
-      authentication_local = TRUE;
+      f.authentication_local = TRUE;
       rc = acl_check(ACL_WHERE_NOTSMTP, NULL, acl_not_smtp, &user_msg, &log_msg);
       if (rc == DISCARD)
         {
@@ -3602,15 +3611,13 @@
 
         if (!user_msg) user_msg = US"local configuration problem";
         if (smtp_batched_input)
-          {
           moan_smtp_batch(NULL, "%d %s", 550, user_msg);
           /* Does not return */
-          }
         else
           {
-          fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+          fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
           give_local_error(ERRMESS_LOCAL_ACL, user_msg,
-            US"message rejected by non-SMTP ACL: ", error_rc, data_file,
+            US"message rejected by non-SMTP ACL: ", error_rc, spool_data_file,
               header_list);
           /* Does not return */
           }
@@ -3621,8 +3628,8 @@
 
   /* The applicable ACLs have been run */
 
-  if (deliver_freeze) frozen_by = US"ACL";     /* for later logging */
-  if (queue_only_policy) queued_by = US"ACL";
+  if (f.deliver_freeze) frozen_by = US"ACL";     /* for later logging */
+  if (f.queue_only_policy) queued_by = US"ACL";
   }
 
 #ifdef WITH_CONTENT_SCAN
@@ -3634,47 +3641,70 @@
 #endif
 
 
+#ifdef HAVE_LOCAL_SCAN
 /* The final check on the message is to run the scan_local() function. The
 version supplied with Exim always accepts, but this is a hook for sysadmins to
 supply their own checking code. The local_scan() function is run even when all
 the recipients have been discarded. */
-/*XXS could we avoid this for the standard case, given that few people will use it? */
 
 lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
 
 /* Arrange to catch crashes in local_scan(), so that the -D file gets
 deleted, and the incident gets logged. */
 
-os_non_restarting_signal(SIGSEGV, local_scan_crash_handler);
-os_non_restarting_signal(SIGFPE, local_scan_crash_handler);
-os_non_restarting_signal(SIGILL, local_scan_crash_handler);
-os_non_restarting_signal(SIGBUS, local_scan_crash_handler);
-
-DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n",
-  local_scan_timeout);
-local_scan_data = NULL;
-
-os_non_restarting_signal(SIGALRM, local_scan_timeout_handler);
-if (local_scan_timeout > 0) alarm(local_scan_timeout);
-rc = local_scan(data_fd, &local_scan_data);
-alarm(0);
-os_non_restarting_signal(SIGALRM, sigalrm_handler);
-
-enable_dollar_recipients = FALSE;
-
-store_pool = POOL_MAIN;   /* In case changed */
-DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc,
-  local_scan_data);
-
-os_non_restarting_signal(SIGSEGV, SIG_DFL);
-os_non_restarting_signal(SIGFPE, SIG_DFL);
-os_non_restarting_signal(SIGILL, SIG_DFL);
-os_non_restarting_signal(SIGBUS, SIG_DFL);
+if (sigsetjmp(local_scan_env, 1) == 0)
+  {
+  had_local_scan_crash = 0;
+  os_non_restarting_signal(SIGSEGV, local_scan_crash_handler);
+  os_non_restarting_signal(SIGFPE, local_scan_crash_handler);
+  os_non_restarting_signal(SIGILL, local_scan_crash_handler);
+  os_non_restarting_signal(SIGBUS, local_scan_crash_handler);
+
+  DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n",
+    local_scan_timeout);
+  local_scan_data = NULL;
+
+  had_local_scan_timeout = 0;
+  os_non_restarting_signal(SIGALRM, local_scan_timeout_handler);
+  if (local_scan_timeout > 0) ALARM(local_scan_timeout);
+  rc = local_scan(data_fd, &local_scan_data);
+  ALARM_CLR(0);
+  os_non_restarting_signal(SIGALRM, sigalrm_handler);
+
+  f.enable_dollar_recipients = FALSE;
+
+  store_pool = POOL_MAIN;   /* In case changed */
+  DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc,
+    local_scan_data);
+
+  os_non_restarting_signal(SIGSEGV, SIG_DFL);
+  os_non_restarting_signal(SIGFPE, SIG_DFL);
+  os_non_restarting_signal(SIGILL, SIG_DFL);
+  os_non_restarting_signal(SIGBUS, SIG_DFL);
+  }
+else
+  {
+  if (had_local_scan_crash)
+    {
+    log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with "
+      "signal %d - message temporarily rejected (size %d)",
+      had_local_scan_crash, message_size);
+    receive_bomb_out(US"local-scan-error", US"local verification problem");
+    /* Does not return */
+    }
+  if (had_local_scan_timeout)
+    {
+    log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - "
+      "message temporarily rejected (size %d)", message_size);
+    receive_bomb_out(US"local-scan-timeout", US"local verification problem");
+    /* Does not return */
+    }
+  }
 
 /* The length check is paranoia against some runaway code, and also because
 (for a success return) lines in the spool file are read into big_buffer. */
 
-if (local_scan_data != NULL)
+if (local_scan_data)
   {
   int len = Ustrlen(local_scan_data);
   if (len > LOCAL_SCAN_MAX_RETURN) len = LOCAL_SCAN_MAX_RETURN;
@@ -3683,9 +3713,9 @@
 
 if (rc == LOCAL_SCAN_ACCEPT_FREEZE)
   {
-  if (!deliver_freeze)         /* ACL might have already frozen */
+  if (!f.deliver_freeze)         /* ACL might have already frozen */
     {
-    deliver_freeze = TRUE;
+    f.deliver_freeze = TRUE;
     deliver_frozen_at = time(NULL);
     frozen_by = US"local_scan()";
     }
@@ -3693,9 +3723,9 @@
   }
 else if (rc == LOCAL_SCAN_ACCEPT_QUEUE)
   {
-  if (!queue_only_policy)      /* ACL might have already queued */
+  if (!f.queue_only_policy)      /* ACL might have already queued */
     {
-    queue_only_policy = TRUE;
+    f.queue_only_policy = TRUE;
     queued_by = US"local_scan()";
     }
   rc = LOCAL_SCAN_ACCEPT;
@@ -3706,7 +3736,7 @@
 
 if (rc == LOCAL_SCAN_ACCEPT)
   {
-  if (local_scan_data != NULL)
+  if (local_scan_data)
     {
     uschar *s;
     for (s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' ';
@@ -3779,16 +3809,14 @@
       goto TIDYUP;                  /* Skip to end of function */
       }
     else
-      {
       moan_smtp_batch(NULL, "%s %s", smtp_code, errmsg);
       /* Does not return */
-      }
     }
   else
     {
-    fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+    fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
     give_local_error(ERRMESS_LOCAL_SCAN, errmsg,
-      US"message rejected by local scan code: ", error_rc, data_file,
+      US"message rejected by local scan code: ", error_rc, spool_data_file,
         header_list);
     /* Does not return */
     }
@@ -3799,11 +3827,12 @@
 
 signal(SIGTERM, SIG_IGN);
 signal(SIGINT, SIG_IGN);
+#endif	/* HAVE_LOCAL_SCAN */
 
 
 /* Ensure the first time flag is set in the newly-received message. */
 
-deliver_firsttime = TRUE;
+f.deliver_firsttime = TRUE;
 
 #ifdef EXPERIMENTAL_BRIGHTMAIL
 if (bmi_run == 1)
@@ -3827,8 +3856,8 @@
 
 if (mua_wrapper)
   {
-  deliver_freeze = FALSE;
-  queue_only_policy = FALSE;
+  f.deliver_freeze = FALSE;
+  f.queue_only_policy = FALSE;
   }
 
 /* Keep the data file open until we have written the header file, in order to
@@ -3836,12 +3865,12 @@
 don't write the header file, and we unlink the data file. If writing the header
 file fails, we have failed to accept this message. */
 
-if (host_checking || blackholed_by != NULL)
+if (host_checking || blackholed_by)
   {
   header_line *h;
   Uunlink(spool_name);
   msg_size = 0;                                  /* Compute size for log line */
-  for (h = header_list; h != NULL; h = h->next)
+  for (h = header_list; h; h = h->next)
     if (h->type != '*') msg_size += h->slen;
   }
 
@@ -3861,8 +3890,8 @@
       }
     else
       {
-      fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
-      give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, data_file,
+      fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+      give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, spool_data_file,
         header_list);
       /* Does not return */
       }
@@ -3873,29 +3902,37 @@
 
 receive_messagecount++;
 
-/* In SMTP sessions we may receive several in one connection. After each one,
-we wait for the clock to tick at the level of message-id granularity. This is
-so that the combination of time+pid is unique, even on systems where the pid
-can be re-used within our time interval. We can't shorten the interval without
-re-designing the message-id. See comments above where the message id is
-created. This is Something For The Future. */
-
-message_id_tv.tv_usec = (message_id_tv.tv_usec/id_resolution) * id_resolution;
-exim_wait_tick(&message_id_tv, id_resolution);
-
 /* Add data size to written header size. We do not count the initial file name
 that is in the file, but we do add one extra for the notional blank line that
 precedes the data. This total differs from message_size in that it include the
 added Received: header and any other headers that got created locally. */
 
-fflush(data_file);
+if (fflush(spool_data_file))
+  {
+  errmsg = string_sprintf("Spool write error: %s", strerror(errno));
+  log_write(0, LOG_MAIN, "%s\n", errmsg);
+  Uunlink(spool_name);           /* Lose the data file */
+
+  if (smtp_input)
+    {
+    smtp_reply = US"451 Error in writing spool file";
+    message_id[0] = 0;          /* Indicate no message accepted */
+    goto TIDYUP;
+    }
+  else
+    {
+    fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+    give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, spool_data_file,
+      header_list);
+    /* Does not return */
+    }
+  }
 fstat(data_fd, &statbuf);
 
 msg_size += statbuf.st_size - SPOOL_DATA_START_OFFSET + 1;
 
 /* Generate a "message received" log entry. We do this by building up a dynamic
-string as required. Since we commonly want to add two items at a time, use a
-macro to simplify the coding. We log the arrival of a new message while the
+string as required.  We log the arrival of a new message while the
 file is still locked, just in case the machine is *really* fast, and delivers
 it first! Include any message id that is in the message - since the syntax of a
 message id is actually an addr-spec, we can use the parse routine to canonicalize
@@ -4027,38 +4064,37 @@
 if (message_logs && !blackholed_by)
   {
   int fd;
-
-  spool_name = spool_fname(US"msglog", message_subdir, message_id, US"");
+  uschar * m_name = spool_fname(US"msglog", message_subdir, message_id, US"");
   
-  if (  (fd = Uopen(spool_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE)) < 0
+  if (  (fd = Uopen(m_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE)) < 0
      && errno == ENOENT
      )
     {
     (void)directory_make(spool_directory,
 			spool_sname(US"msglog", message_subdir),
 			MSGLOG_DIRECTORY_MODE, TRUE);
-    fd = Uopen(spool_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE);
+    fd = Uopen(m_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE);
     }
 
   if (fd < 0)
     log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open message log %s: %s",
-      spool_name, strerror(errno));
+      m_name, strerror(errno));
   else
     {
     FILE *message_log = fdopen(fd, "a");
-    if (message_log == NULL)
+    if (!message_log)
       {
       log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't fdopen message log %s: %s",
-        spool_name, strerror(errno));
+        m_name, strerror(errno));
       (void)close(fd);
       }
     else
       {
       uschar *now = tod_stamp(tod_log);
       fprintf(message_log, "%s Received from %s\n", now, g->s+3);
-      if (deliver_freeze) fprintf(message_log, "%s frozen by %s\n", now,
+      if (f.deliver_freeze) fprintf(message_log, "%s frozen by %s\n", now,
         frozen_by);
-      if (queue_only_policy) fprintf(message_log,
+      if (f.queue_only_policy) fprintf(message_log,
         "%s no immediate delivery: queued%s%s by %s\n", now,
         *queue_name ? " in " : "", *queue_name ? CS queue_name : "",
 	queued_by);
@@ -4071,7 +4107,7 @@
 arrival, and outputting an SMTP response. While writing to the log, set a flag
 to cause a call to receive_bomb_out() if the log cannot be opened. */
 
-receive_call_bombout = TRUE;
+f.receive_call_bombout = TRUE;
 
 /* Before sending an SMTP response in a TCP/IP session, we check to see if the
 connection has gone away. This can only be done if there is no unconsumed input
@@ -4091,7 +4127,7 @@
 connection will vanish between the time of this test and the sending of the
 response, but the chance of this happening should be small. */
 
-if (smtp_input && sender_host_address != NULL && !sender_host_notsocket &&
+if (smtp_input && sender_host_address && !f.sender_host_notsocket &&
     !receive_smtp_buffered())
   {
   struct timeval tv;
@@ -4119,7 +4155,7 @@
 
       /* Delete the files for this aborted message. */
 
-      Uunlink(spool_fname(US"input", message_subdir, message_id, US"-D"));
+      Uunlink(spool_name);
       Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H"));
       Uunlink(spool_fname(US"msglog", message_subdir, message_id, US""));
 
@@ -4144,7 +4180,7 @@
 
    XXX We do not handle queue-only, freezing, or blackholes.
 */
-if(cutthrough.fd >= 0 && cutthrough.delivery)
+if(cutthrough.cctx.sock >= 0 && cutthrough.delivery)
   {
   uschar * msg = cutthrough_finaldot();	/* Ask the target system to accept the message */
 					/* Logging was done in finaldot() */
@@ -4179,50 +4215,76 @@
 #endif
   {
   log_write(0, LOG_MAIN |
-    (LOGGING(received_recipients)? LOG_RECIPIENTS : 0) |
-    (LOGGING(received_sender)? LOG_SENDER : 0),
+    (LOGGING(received_recipients) ? LOG_RECIPIENTS : 0) |
+    (LOGGING(received_sender) ? LOG_SENDER : 0),
     "%s", g->s);
 
   /* Log any control actions taken by an ACL or local_scan(). */
 
-  if (deliver_freeze) log_write(0, LOG_MAIN, "frozen by %s", frozen_by);
-  if (queue_only_policy) log_write(L_delay_delivery, LOG_MAIN,
+  if (f.deliver_freeze) log_write(0, LOG_MAIN, "frozen by %s", frozen_by);
+  if (f.queue_only_policy) log_write(L_delay_delivery, LOG_MAIN,
     "no immediate delivery: queued%s%s by %s",
     *queue_name ? " in " : "", *queue_name ? CS queue_name : "",       
     queued_by);
   }
-receive_call_bombout = FALSE;
+f.receive_call_bombout = FALSE;
 
 store_reset(g);   /* The store for the main log message can be reused */
 
 /* If the message is frozen, and freeze_tell is set, do the telling. */
 
-if (deliver_freeze && freeze_tell != NULL && freeze_tell[0] != 0)
-  {
+if (f.deliver_freeze && freeze_tell && freeze_tell[0])
   moan_tell_someone(freeze_tell, NULL, US"Message frozen on arrival",
     "Message %s was frozen on arrival by %s.\nThe sender is <%s>.\n",
     message_id, frozen_by, sender_address);
-  }
 
 
 /* Either a message has been successfully received and written to the two spool
 files, or an error in writing the spool has occurred for an SMTP message, or
-an SMTP message has been rejected for policy reasons. (For a non-SMTP message
-we will have already given up because there's no point in carrying on!) In
-either event, we must now close (and thereby unlock) the data file. In the
-successful case, this leaves the message on the spool, ready for delivery. In
-the error case, the spool file will be deleted. Then tidy up store, interact
-with an SMTP call if necessary, and return.
+an SMTP message has been rejected for policy reasons, or a message was passed on
+by cutthrough delivery. (For a non-SMTP message we will have already given up
+because there's no point in carrying on!) For non-cutthrough we must now close
+(and thereby unlock) the data file. In the successful case, this leaves the
+message on the spool, ready for delivery. In the error case, the spool file will
+be deleted. Then tidy up store, interact with an SMTP call if necessary, and
+return.
+
+For cutthrough we hold the data file locked until we have deleted it, otherwise
+a queue-runner could grab it in the window.
 
 A fflush() was done earlier in the expectation that any write errors on the
 data file will be flushed(!) out thereby. Nevertheless, it is theoretically
 possible for fclose() to fail - but what to do? What has happened to the lock
-if this happens? */
+if this happens?  We can at least log it; if it is observed on some platform
+then we can think about properly declaring the message not-received. */
 
 
 TIDYUP:
-process_info[process_info_len] = 0;                /* Remove message id */
-if (data_file != NULL) (void)fclose(data_file);    /* Frees the lock */
+/* In SMTP sessions we may receive several messages in one connection. After
+each one, we wait for the clock to tick at the level of message-id granularity.
+This is so that the combination of time+pid is unique, even on systems where the
+pid can be re-used within our time interval. We can't shorten the interval
+without re-designing the message-id. See comments above where the message id is
+created. This is Something For The Future.
+Do this wait any time we have created a message-id, even if we rejected the
+message.  This gives unique IDs for logging done by ACLs. */
+
+if (id_resolution != 0)
+  {
+  message_id_tv.tv_usec = (message_id_tv.tv_usec/id_resolution) * id_resolution;
+  exim_wait_tick(&message_id_tv, id_resolution);
+  id_resolution = 0;
+  }
+
+
+process_info[process_info_len] = 0;			/* Remove message id */
+if (spool_data_file && cutthrough_done == NOT_TRIED)
+  {
+  if (fclose(spool_data_file))				/* Frees the lock */
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "spoolfile error on close: %s", strerror(errno));
+  spool_data_file = NULL;
+  }
 
 /* Now reset signal handlers to their defaults */
 
@@ -4280,8 +4342,8 @@
     /* smtp_reply is set non-empty */
 
     else if (smtp_reply[0] != 0)
-      if (fake_response != OK && (smtp_reply[0] == '2'))
-        smtp_respond((fake_response == DEFER)? US"450" : US"550", 3, TRUE,
+      if (fake_response != OK && smtp_reply[0] == '2')
+        smtp_respond(fake_response == DEFER ? US"450" : US"550", 3, TRUE,
           fake_response_text);
       else
         smtp_printf("%.1024s\r\n", FALSE, smtp_reply);
@@ -4292,7 +4354,7 @@
 	log_write(0, LOG_MAIN, "Completed");/* Delivery was done */
       case PERM_REJ:
 							 /* Delete spool files */
-	Uunlink(spool_fname(US"input", message_subdir, message_id, US"-D"));
+	Uunlink(spool_name);
 	Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H"));
 	Uunlink(spool_fname(US"msglog", message_subdir, message_id, US""));
 	break;
@@ -4300,7 +4362,7 @@
       case TMP_REJ:
 	if (cutthrough.defer_pass)
 	  {
-	  Uunlink(spool_fname(US"input", message_subdir, message_id, US"-D"));
+	  Uunlink(spool_name);
 	  Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H"));
 	  Uunlink(spool_fname(US"msglog", message_subdir, message_id, US""));
 	  }
@@ -4309,6 +4371,11 @@
       }
     if (cutthrough_done != NOT_TRIED)
       {
+      if (spool_data_file)
+	{
+	(void) fclose(spool_data_file);  /* Frees the lock; do not care if error */
+	spool_data_file = NULL;
+	}
       message_id[0] = 0;	  /* Prevent a delivery from starting */
       cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
       cutthrough.defer_pass = FALSE;
@@ -4331,9 +4398,11 @@
 
 if (blackholed_by)
   {
-  const uschar *detail = local_scan_data
-    ? string_printing(local_scan_data)
-    : string_sprintf("(%s discarded recipients)", blackholed_by);
+  const uschar *detail =
+#ifdef HAVE_LOCAL_SCAN
+    local_scan_data ? string_printing(local_scan_data) :
+#endif
+    string_sprintf("(%s discarded recipients)", blackholed_by);
   log_write(0, LOG_MAIN, "=> blackhole %s%s", detail, blackhole_log_msg);
   log_write(0, LOG_MAIN, "Completed");
   message_id[0] = 0;
diff -Nru exim4-4.91/src/retry.c exim4-4.92~RC4/src/retry.c
--- exim4-4.91/src/retry.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/retry.c	2018-12-27 13:36:19.000000000 +0000
@@ -33,28 +33,27 @@
   dbdata_retry *retry_record, time_t now)
 {
 BOOL address_timeout;
+retry_config * retry;
 
 DEBUG(D_retry)
   {
   debug_printf("retry time not reached: checking ultimate address timeout\n");
-  debug_printf("  now=%d first_failed=%d next_try=%d expired=%d\n",
-    (int)now, (int)retry_record->first_failed,
-    (int)retry_record->next_try, retry_record->expired);
+  debug_printf("  now=" TIME_T_FMT " first_failed=" TIME_T_FMT
+		" next_try=" TIME_T_FMT " expired=%c\n",
+		now, retry_record->first_failed,
+		retry_record->next_try, retry_record->expired ? 'T' : 'F');
   }
 
-retry_config *retry =
-  retry_find_config(retry_key+2, domain,
+retry = retry_find_config(retry_key+2, domain,
     retry_record->basic_errno, retry_record->more_errno);
 
-if (retry != NULL && retry->rules != NULL)
+if (retry && retry->rules)
   {
   retry_rule *last_rule;
-  for (last_rule = retry->rules;
-       last_rule->next != NULL;
-       last_rule = last_rule->next);
+  for (last_rule = retry->rules; last_rule->next; last_rule = last_rule->next) ;
   DEBUG(D_retry)
-    debug_printf("  received_time=%d diff=%d timeout=%d\n",
-      (int)received_time.tv_sec, (int)(now - received_time.tv_sec), last_rule->timeout);
+    debug_printf("  received_time=" TIME_T_FMT " diff=%d timeout=%d\n",
+      received_time.tv_sec, (int)(now - received_time.tv_sec), last_rule->timeout);
   address_timeout = (now - received_time.tv_sec > last_rule->timeout);
   }
 else
@@ -217,7 +216,7 @@
   /* We have not reached the next try time. Check for the ultimate address
   timeout if the host has not expired. */
 
-  if (now < host_retry_record->next_try && !deliver_force)
+  if (now < host_retry_record->next_try && !f.deliver_force)
     {
     if (!host_retry_record->expired &&
         retry_ultimate_address_timeout(host_key, domain,
@@ -245,7 +244,7 @@
 if (message_retry_record)
   {
   *retry_message_key = message_key;
-  if (now < message_retry_record->next_try && !deliver_force)
+  if (now < message_retry_record->next_try && !f.deliver_force)
     {
     if (!retry_ultimate_address_timeout(host_key, domain,
         message_retry_record, now))
@@ -888,16 +887,17 @@
         for (;; addr = addr->next)
           {
           setflag(addr, af_retry_timedout);
-          addr->message = (addr->message == NULL)? US"retry timeout exceeded" :
-            string_sprintf("%s: retry timeout exceeded", addr->message);
-          addr->user_message = (addr->user_message == NULL)?
-            US"retry timeout exceeded" :
-            string_sprintf("%s: retry timeout exceeded", addr->user_message);
+          addr->message = addr->message
+            ? string_sprintf("%s: retry timeout exceeded", addr->message)
+	    : US"retry timeout exceeded";
+          addr->user_message = addr->user_message
+	    ? string_sprintf("%s: retry timeout exceeded", addr->user_message)
+	    : US"retry timeout exceeded";
           log_write(0, LOG_MAIN, "** %s%s%s%s: retry timeout exceeded",
             addr->address,
-           (addr->parent == NULL)? US"" : US" <",
-           (addr->parent == NULL)? US"" : addr->parent->address,
-           (addr->parent == NULL)? US"" : US">");
+            addr->parent ? US" <" : US"",
+            addr->parent ? addr->parent->address : US"",
+            addr->parent ? US">" : US"");
 
           if (addr == endaddr) break;
           }
diff -Nru exim4-4.91/src/rewrite.c exim4-4.92~RC4/src/rewrite.c
--- exim4-4.91/src/rewrite.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/rewrite.c	2018-12-27 13:36:19.000000000 +0000
@@ -142,7 +142,7 @@
     uschar *key = expand_string(rule->key);
     if (key == NULL)
       {
-      if (!expand_string_forcedfail)
+      if (!f.expand_string_forcedfail)
         log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" while "
           "checking for SMTP rewriting: %s", rule->key, expand_string_message);
       continue;
@@ -203,7 +203,7 @@
 
   if (new == NULL)
     {
-    if (expand_string_forcedfail)
+    if (f.expand_string_forcedfail)
       { if ((rule->flags & rewrite_quit) != 0) break; else continue; }
 
     expand_string_message = expand_hide_passwords(expand_string_message);
@@ -465,7 +465,7 @@
 DEBUG(D_rewrite)
   debug_printf("rewrite_one_header: type=%c:\n  %s", h->type, h->text);
 
-parse_allow_group = TRUE;     /* Allow group syntax */
+f.parse_allow_group = TRUE;     /* Allow group syntax */
 
 /* Loop for multiple addresses in the header. We have to go through them all
 in case any need qualifying, even if there's no rewriting. Pathological headers
@@ -544,8 +544,8 @@
 
     /* Can only qualify if permitted; if not, no rewrite. */
 
-    if (changed && ((is_recipient && !allow_unqualified_recipient) ||
-                    (!is_recipient && !allow_unqualified_sender)))
+    if (changed && ((is_recipient && !f.allow_unqualified_recipient) ||
+                    (!is_recipient && !f.allow_unqualified_sender)))
       {
       store_reset(loop_reset_point);
       continue;
@@ -673,8 +673,8 @@
     }
   }
 
-parse_allow_group = FALSE;  /* Reset group flags */
-parse_found_group = FALSE;
+f.parse_allow_group = FALSE;  /* Reset group flags */
+f.parse_found_group = FALSE;
 
 /* If a rewrite happened and "replace" is true, put the new header into the
 chain following the old one, and mark the old one as replaced. */
diff -Nru exim4-4.91/src/route.c exim4-4.92~RC4/src/route.c
--- exim4-4.91/src/route.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/route.c	2018-12-27 13:36:19.000000000 +0000
@@ -606,7 +606,7 @@
 
   if (!ss)
     {
-    if (expand_string_forcedfail) continue;
+    if (f.expand_string_forcedfail) continue;
     *perror = string_sprintf("failed to expand \"%s\" for require_files: %s",
       check, expand_string_message);
     goto RETURN_DEFER;
@@ -854,7 +854,7 @@
 sender_data = NULL;
 local_user_gid = (gid_t)(-1);
 local_user_uid = (uid_t)(-1);
-search_find_defer = FALSE;
+f.search_find_defer = FALSE;
 
 /* Skip this router if not verifying and it has verify_only set */
 
@@ -866,7 +866,7 @@
 
 /* Skip this router if testing an address (-bt) and address_test is not set */
 
-if (address_test_mode && !r->address_test)
+if (f.address_test_mode && !r->address_test)
   {
   DEBUG(D_route) debug_printf("%s router skipped: address_test is unset\n",
     r->name);
@@ -958,7 +958,7 @@
   uschar *router_home = expand_string(r->router_home_directory);
   if (!router_home)
     {
-    if (!expand_string_forcedfail)
+    if (!f.expand_string_forcedfail)
       {
       *perror = string_sprintf("failed to expand \"%s\" for "
         "router_home_directory: %s", r->router_home_directory,
@@ -1003,7 +1003,7 @@
   DEBUG(D_route) debug_printf("checking \"condition\" \"%.80s\"...\n", r->condition);
   if (!expand_check_condition(r->condition, r->name, US"router"))
     {
-    if (search_find_defer)
+    if (f.search_find_defer)
       {
       *perror = US"condition check lookup defer";
       DEBUG(D_route) debug_printf("%s\n", *perror);
@@ -1474,7 +1474,7 @@
 
   /* There are some weird cases where logging is disabled */
 
-  disable_logging = r->disable_logging;
+  f.disable_logging = r->disable_logging;
 
   /* Record the last router to handle the address, and set the default
   next router. */
@@ -1620,7 +1620,7 @@
     deliver_address_data = expand_string(r->address_data);
     if (!deliver_address_data)
       {
-      if (expand_string_forcedfail)
+      if (f.expand_string_forcedfail)
         {
         DEBUG(D_route) debug_printf("forced failure in expansion of \"%s\" "
             "(address_data): decline action taken\n", r->address_data);
@@ -1672,10 +1672,7 @@
     pw = &pwcopy;
     }
 
-  /* Run the router, and handle the consequences. */
-
-  /* ... but let us check on DSN before. If this should be the last hop for DSN
-  set flag. */
+  /* If this should be the last hop for DSN flag the addr. */
 
   if (r->dsn_lasthop && !(addr->dsn_flags & rf_dsnlasthop))
     {
@@ -1683,6 +1680,8 @@
     HDEBUG(D_route) debug_printf("DSN: last hop for %s\n", addr->address);
     }
 
+  /* Run the router, and handle the consequences. */
+
   HDEBUG(D_route) debug_printf("calling %s router\n", r->name);
 
   yield = (r->info->code)(r, addr, pw, verify, paddr_local, paddr_remote,
@@ -1766,7 +1765,7 @@
       uschar *expmessage = expand_string(addr->router->cannot_route_message);
       if (!expmessage)
         {
-        if (!expand_string_forcedfail)
+        if (!f.expand_string_forcedfail)
           log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
             "cannot_route_message in %s router: %s", addr->router->name,
             expand_string_message);
@@ -1835,7 +1834,7 @@
 
     if (!newaddress)
       {
-      if (expand_string_forcedfail) continue;
+      if (f.expand_string_forcedfail) continue;
       addr->basic_errno = ERRNO_EXPANDFAIL;
       addr->message = string_sprintf("translate_ip_address expansion "
         "failed: %s", expand_string_message);
@@ -1923,7 +1922,7 @@
 
 deliver_set_expansions(NULL);
 router_name = NULL;
-disable_logging = FALSE;
+f.disable_logging = FALSE;
 return yield;
 }
 
diff -Nru exim4-4.91/src/routers/accept.c exim4-4.92~RC4/src/routers/accept.c
--- exim4-4.91/src/routers/accept.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/accept.c	2018-12-27 13:36:19.000000000 +0000
@@ -117,7 +117,7 @@
 rc = rf_get_errors_address(addr, rblock, verify, &errors_to);
 if (rc != OK) return rc;
 
-/* Set up the additional and removeable headers for the address. */
+/* Set up the additional and removable headers for the address. */
 
 rc = rf_get_munge_headers(addr, rblock, &extra_headers, &remove_headers);
 if (rc != OK) return rc;
diff -Nru exim4-4.91/src/routers/dnslookup.c exim4-4.92~RC4/src/routers/dnslookup.c
--- exim4-4.91/src/routers/dnslookup.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/dnslookup.c	2018-12-27 13:36:19.000000000 +0000
@@ -183,7 +183,7 @@
 if (ob->check_srv)
   {
   if (  !(srv_service = expand_string(ob->check_srv))
-     && !expand_string_forcedfail)
+     && !f.expand_string_forcedfail)
     {
     addr->message = string_sprintf("%s router: failed to expand \"%s\": %s",
       rblock->name, ob->check_srv, expand_string_message);
@@ -266,12 +266,12 @@
   if (  ob->ipv4_only
      && expand_check_condition(ob->ipv4_only, rblock->name, US"router"))
     flags = flags & ~HOST_FIND_BY_AAAA | HOST_FIND_IPV4_ONLY;
-  else if (search_find_defer)
+  else if (f.search_find_defer)
     return DEFER;
   if (  ob->ipv4_prefer
      && expand_check_condition(ob->ipv4_prefer, rblock->name, US"router"))
     flags |= HOST_FIND_IPV4_FIRST;
-  else if (search_find_defer)
+  else if (f.search_find_defer)
     return DEFER;
 
   /* Set up the rest of the initial host item. Others may get chained on if
@@ -300,7 +300,9 @@
 
   rc = host_find_bydns(&h, CUS rblock->ignore_target_hosts, flags,
     srv_service, ob->srv_fail_domains, ob->mx_fail_domains,
-    &rblock->dnssec, &fully_qualified_name, &removed);
+    &rblock->dnssec,
+    &fully_qualified_name, &removed);
+
   if (removed) setflag(addr, af_local_host_removed);
 
   /* If host found with only address records, test for the domain's being in
@@ -397,7 +399,7 @@
   /* If there's a syntax error, do not continue with any widening, and note
   the error. */
 
-  if (host_find_failed_syntax)
+  if (f.host_find_failed_syntax)
     {
     addr->message = string_sprintf("mail domain \"%s\" is syntactically "
       "invalid", h.name);
@@ -457,7 +459,7 @@
 rc = rf_get_errors_address(addr, rblock, verify, &addr->prop.errors_address);
 if (rc != OK) return rc;
 
-/* Set up the additional and removeable headers for this address. */
+/* Set up the additional and removable headers for this address. */
 
 rc = rf_get_munge_headers(addr, rblock, &addr->prop.extra_headers,
   &addr->prop.remove_headers);
diff -Nru exim4-4.91/src/routers/ipliteral.c exim4-4.92~RC4/src/routers/ipliteral.c
--- exim4-4.91/src/routers/ipliteral.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/ipliteral.c	2018-12-27 13:36:19.000000000 +0000
@@ -179,7 +179,7 @@
 rc = rf_get_errors_address(addr, rblock, verify, &addr->prop.errors_address);
 if (rc != OK) return rc;
 
-/* Set up the additional and removeable headers for this address. */
+/* Set up the additional and removable headers for this address. */
 
 rc = rf_get_munge_headers(addr, rblock, &addr->prop.extra_headers,
   &addr->prop.remove_headers);
diff -Nru exim4-4.91/src/routers/iplookup.c exim4-4.92~RC4/src/routers/iplookup.c
--- exim4-4.91/src/routers/iplookup.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/iplookup.c	2018-12-27 13:36:19.000000000 +0000
@@ -230,7 +230,8 @@
 
   for (h = host; h; h = h->next)
     {
-    int host_af, query_socket;
+    int host_af;
+    client_conn_ctx query_cctx = {0};
 
     /* Skip any hosts for which we have no address */
 
@@ -241,9 +242,9 @@
 
     host_af = (Ustrchr(h->address, ':') != NULL)? AF_INET6 : AF_INET;
 
-    query_socket = ip_socket(ob->protocol == ip_udp ? SOCK_DGRAM:SOCK_STREAM,
+    query_cctx.sock = ip_socket(ob->protocol == ip_udp ? SOCK_DGRAM:SOCK_STREAM,
       host_af);
-    if (query_socket < 0)
+    if (query_cctx.sock < 0)
       {
       if (ob->optional) return PASS;
       addr->message = string_sprintf("failed to create socket in %s router",
@@ -256,10 +257,10 @@
     router will timeout later on the read call). */
 /*XXX could take advantage of TFO */
 
-    if (ip_connect(query_socket, host_af, h->address,ob->port, ob->timeout,
+    if (ip_connect(query_cctx.sock, host_af, h->address,ob->port, ob->timeout,
 		ob->protocol == ip_udp ? NULL : &tcp_fastopen_nodata) < 0)
       {
-      close(query_socket);
+      close(query_cctx.sock);
       DEBUG(D_route)
         debug_printf("connection to %s failed: %s\n", h->address,
           strerror(errno));
@@ -268,18 +269,18 @@
 
     /* Send the query. If it fails, just continue with the next address. */
 
-    if (send(query_socket, query, query_len, 0) < 0)
+    if (send(query_cctx.sock, query, query_len, 0) < 0)
       {
       DEBUG(D_route) debug_printf("send to %s failed\n", h->address);
-      (void)close(query_socket);
+      (void)close(query_cctx.sock);
       continue;
       }
 
     /* Read the response and close the socket. If the read fails, try the
     next IP address. */
 
-    count = ip_recv(query_socket, reply, sizeof(reply) - 1, ob->timeout);
-    (void)close(query_socket);
+    count = ip_recv(&query_cctx, reply, sizeof(reply) - 1, ob->timeout);
+    (void)close(query_cctx.sock);
     if (count <= 0)
       {
       DEBUG(D_route) debug_printf("%s from %s\n", (errno == ETIMEDOUT)?
@@ -403,7 +404,7 @@
 new_addr->next = *addr_new;
 *addr_new = new_addr;
 
-/* Set up the errors address, if any, and the additional and removeable headers
+/* Set up the errors address, if any, and the additional and removable headers
 for this new address. */
 
 rc = rf_get_errors_address(addr, rblock, verify, &new_addr->prop.errors_address);
diff -Nru exim4-4.91/src/routers/manualroute.c exim4-4.92~RC4/src/routers/manualroute.c
--- exim4-4.91/src/routers/manualroute.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/manualroute.c	2018-12-27 13:36:19.000000000 +0000
@@ -159,15 +159,15 @@
 {
 while (*s != 0 && isspace(*s)) s++;
 
-if (domain != NULL)
+if (domain)
   {
-  if (*s == 0) return FALSE;            /* missing data */
+  if (!*s) return FALSE;            /* missing data */
   *domain = string_dequote(&s);
-  while (*s != 0 && isspace(*s)) s++;
+  while (*s && isspace(*s)) s++;
   }
 
 *hostlist = string_dequote(&s);
-while (*s != 0 && isspace(*s)) s++;
+while (*s && isspace(*s)) s++;
 *options = s;
 return TRUE;
 }
@@ -261,7 +261,7 @@
 /* The initialization check ensures that either route_list or route_data is
 set. */
 
-if (ob->route_list != NULL)
+if (ob->route_list)
   {
   int sep = -(';');             /* Default is semicolon */
   listptr = ob->route_list;
@@ -289,7 +289,7 @@
       }
     }
 
-  if (route_item == NULL) return DECLINE;  /* No pattern in the list matched */
+  if (!route_item) return DECLINE;  /* No pattern in the list matched */
   }
 
 /* Handle a single routing item in route_data. If it expands to an empty
@@ -297,17 +297,17 @@
 
 else
   {
-  route_item = rf_expand_data(addr, ob->route_data, &rc);
-  if (route_item == NULL) return rc;
+  if (!(route_item = rf_expand_data(addr, ob->route_data, &rc)))
+    return rc;
   (void) parse_route_item(route_item, NULL, &hostlist, &options);
-  if (hostlist[0] == 0) return DECLINE;
+  if (!hostlist[0]) return DECLINE;
   }
 
 /* Expand the hostlist item. It may then pointing to an empty string, or to a
 single host or a list of hosts; options is pointing to the rest of the
 routelist item, which is either empty or contains various option words. */
 
-DEBUG(D_route) debug_printf("original list of hosts = \"%s\" options = %s\n",
+DEBUG(D_route) debug_printf("original list of hosts = '%s' options = '%s'\n",
   hostlist, options);
 
 newhostlist = expand_string_copy(hostlist);
@@ -317,23 +317,23 @@
 /* If the expansion was forced to fail, just decline. Otherwise there is a
 configuration problem. */
 
-if (newhostlist == NULL)
+if (!newhostlist)
   {
-  if (expand_string_forcedfail) return DECLINE;
+  if (f.expand_string_forcedfail) return DECLINE;
   addr->message = string_sprintf("%s router: failed to expand \"%s\": %s",
     rblock->name, hostlist, expand_string_message);
   return DEFER;
   }
 else hostlist = newhostlist;
 
-DEBUG(D_route) debug_printf("expanded list of hosts = \"%s\" options = %s\n",
+DEBUG(D_route) debug_printf("expanded list of hosts = '%s' options = '%s'\n",
   hostlist, options);
 
 /* Set default lookup type and scan the options */
 
 lookup_type = LK_DEFAULT;
 
-while (*options != 0)
+while (*options)
   {
   unsigned n;
   const uschar *s = options;
@@ -380,7 +380,7 @@
 rc = rf_get_errors_address(addr, rblock, verify, &addr->prop.errors_address);
 if (rc != OK) return rc;
 
-/* Set up the additional and removeable headers for this address. */
+/* Set up the additional and removable headers for this address. */
 
 rc = rf_get_munge_headers(addr, rblock, &addr->prop.extra_headers,
   &addr->prop.remove_headers);
@@ -403,7 +403,7 @@
 
 if (transport && transport->info->local)
   {
-  if (hostlist[0] != 0)
+  if (hostlist[0])
     {
     host_item *h;
     addr->host_list = h = store_get(sizeof(host_item));
@@ -430,7 +430,7 @@
 list is mandatory in either case, except when verifying, in which case the
 address is just accepted. */
 
-if (hostlist[0] == 0)
+if (!hostlist[0])
   {
   if (verify != v_none) goto ROUTED;
   addr->message = string_sprintf("error in %s router: no host(s) specified "
@@ -442,7 +442,7 @@
 /* Otherwise we finish the routing here by building a chain of host items
 for the list of configured hosts, and then finding their addresses. */
 
-host_build_hostlist(&(addr->host_list), hostlist, randomize);
+host_build_hostlist(&addr->host_list, hostlist, randomize);
 rc = rf_lookup_hostlist(rblock, addr, rblock->ignore_target_hosts, lookup_type,
   ob->hff_code, addr_new);
 if (rc != OK) return rc;
diff -Nru exim4-4.91/src/routers/redirect.c exim4-4.92~RC4/src/routers/redirect.c
--- exim4-4.91/src/routers/redirect.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/redirect.c	2018-12-27 13:36:19.000000000 +0000
@@ -359,7 +359,7 @@
 
   /* Don't do the "one_time" thing for the first pass of a 2-stage queue run. */
 
-  if (ob->one_time && !queue_2stage)
+  if (ob->one_time && !f.queue_2stage)
     {
     for (parent = addr; parent->parent; parent = parent->parent) ;
     next->onetime_parent = parent->address;
@@ -577,7 +577,7 @@
 /* When verifying and testing addresses, the "logwrite" command in filters
 must be bypassed. */
 
-if (verify == v_none && !address_test_mode) options |= RDO_REALLOG;
+if (verify == v_none && !f.address_test_mode) options |= RDO_REALLOG;
 
 /* Sort out the fixed or dynamic uid/gid. This uid is used (a) for reading the
 file (and interpreting a filter) and (b) for running the transports for
@@ -786,7 +786,7 @@
   high so that their completion does not mark the original address done. */
 
   case FF_FREEZE:
-  if (!deliver_manual_thaw)
+  if (!f.deliver_manual_thaw)
     {
     if ((xrc = sort_errors_and_headers(rblock, addr, verify, &addr_prop))
       != OK) return xrc;
@@ -855,7 +855,7 @@
   if (!moan_skipped_syntax_errors(
         rblock->name,                            /* For message content */
         eblock,                                  /* Ditto */
-        (verify != v_none || address_test_mode)?
+        (verify != v_none || f.address_test_mode)?
           NULL : ob->syntax_errors_to,           /* Who to mail */
         generated != NULL,                       /* True if not all failed */
         ob->syntax_errors_text))                 /* Custom message */
@@ -887,7 +887,7 @@
 
 if (frc == FF_DELIVERED)
   {
-  if (generated == NULL && verify == v_none && !address_test_mode)
+  if (generated == NULL && verify == v_none && !f.address_test_mode)
     {
     log_write(0, LOG_MAIN, "=> %s <%s> R=%s", discarded, addr->address,
       rblock->name);
diff -Nru exim4-4.91/src/routers/rf_change_domain.c exim4-4.92~RC4/src/routers/rf_change_domain.c
--- exim4-4.91/src/routers/rf_change_domain.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/rf_change_domain.c	2018-12-27 13:36:19.000000000 +0000
@@ -76,7 +76,7 @@
     if (newh != NULL)
       {
       h = newh;
-      header_rewritten = TRUE;
+      f.header_rewritten = TRUE;
       }
     }
   }
diff -Nru exim4-4.91/src/routers/rf_expand_data.c exim4-4.92~RC4/src/routers/rf_expand_data.c
--- exim4-4.91/src/routers/rf_expand_data.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/rf_expand_data.c	2018-12-27 13:36:19.000000000 +0000
@@ -31,7 +31,7 @@
 {
 uschar *yield = expand_string(s);
 if (yield != NULL) return yield;
-if (expand_string_forcedfail)
+if (f.expand_string_forcedfail)
   {
   DEBUG(D_route) debug_printf("forced failure for expansion of \"%s\"\n", s);
   *prc = DECLINE;
diff -Nru exim4-4.91/src/routers/rf_get_errors_address.c exim4-4.92~RC4/src/routers/rf_get_errors_address.c
--- exim4-4.91/src/routers/rf_get_errors_address.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/rf_get_errors_address.c	2018-12-27 13:36:19.000000000 +0000
@@ -45,7 +45,7 @@
 
 if (s == NULL)
   {
-  if (expand_string_forcedfail)
+  if (f.expand_string_forcedfail)
     {
     DEBUG(D_route)
       debug_printf("forced expansion failure - ignoring errors_to\n");
@@ -81,7 +81,7 @@
   }
 else
   {
-  BOOL save_address_test_mode = address_test_mode;
+  BOOL save_address_test_mode = f.address_test_mode;
   int save1 = 0;
   int i;
   const uschar ***p;
@@ -96,7 +96,7 @@
 
   for (i = 0, p = address_expansions; *p != NULL;)
     address_expansions_save[i++] = **p++;
-  address_test_mode = FALSE;
+  f.address_test_mode = FALSE;
 
   /* NOTE: the address is verified as a recipient, not a sender. This is
   perhaps confusing. It isn't immediately obvious what to do: we want to have
@@ -118,7 +118,7 @@
   DEBUG(D_route|D_verify)
     debug_printf("------ End verifying errors address %s ------\n", s);
 
-  address_test_mode = save_address_test_mode;
+  f.address_test_mode = save_address_test_mode;
   for (i = 0, p = address_expansions; *p != NULL;)
     **p++ = address_expansions_save[i++];
 
diff -Nru exim4-4.91/src/routers/rf_get_munge_headers.c exim4-4.92~RC4/src/routers/rf_get_munge_headers.c
--- exim4-4.91/src/routers/rf_get_munge_headers.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/rf_get_munge_headers.c	2018-12-27 13:36:19.000000000 +0000
@@ -44,7 +44,7 @@
   while ((s = string_nextinlist(&list, &sep, NULL, 0)))
     if (!(s = expand_string(s)))
       {
-      if (!expand_string_forcedfail)
+      if (!f.expand_string_forcedfail)
 	{
 	addr->message = string_sprintf(
 	  "%s router failed to expand add_headers item \"%s\": %s",
@@ -99,7 +99,7 @@
   while ((s = string_nextinlist(&list, &sep, NULL, 0)))
     if (!(s = expand_string(s)))
       {
-      if (!expand_string_forcedfail)
+      if (!f.expand_string_forcedfail)
 	{
 	addr->message = string_sprintf(
 	  "%s router failed to expand remove_headers item \"%s\": %s",
@@ -109,8 +109,9 @@
       }
     else if (*s)
       g = string_append_listele(g, ':', s);
-    if (g)
-      *remove_headers = g->s;
+
+  if (g)
+    *remove_headers = g->s;
   }
 
 return OK;
diff -Nru exim4-4.91/src/routers/rf_lookup_hostlist.c exim4-4.92~RC4/src/routers/rf_lookup_hostlist.c
--- exim4-4.91/src/routers/rf_lookup_hostlist.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/routers/rf_lookup_hostlist.c	2018-12-27 13:36:19.000000000 +0000
@@ -197,7 +197,7 @@
     addr->message =
       string_sprintf("lookup of host \"%s\" failed in %s router%s",
         h->name, rblock->name,
-        host_find_failed_syntax? ": syntax error in name" : "");
+        f.host_find_failed_syntax? ": syntax error in name" : "");
 
     if (hff_code == hff_defer) return DEFER;
     if (hff_code == hff_fail) return FAIL;
diff -Nru exim4-4.91/src/search.c exim4-4.92~RC4/src/search.c
--- exim4-4.91/src/search.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/search.c	2018-12-27 13:36:19.000000000 +0000
@@ -464,10 +464,10 @@
 static uschar *
 internal_search_find(void *handle, uschar *filename, uschar *keystring)
 {
-tree_node *t = (tree_node *)handle;
-search_cache *c = (search_cache *)(t->data.ptr);
-expiring_data *e;
-uschar *data = NULL;
+tree_node * t = (tree_node *)handle;
+search_cache * c = (search_cache *)(t->data.ptr);
+expiring_data * e = NULL;	/* compiler quietening */
+uschar * data = NULL;
 int search_type = t->name[0] - '0';
 int old_pool = store_pool;
 
@@ -475,7 +475,7 @@
 the callers don't have to test for NULL, set an empty string. */
 
 search_error_message = US"";
-search_find_defer = FALSE;
+f.search_find_defer = FALSE;
 
 DEBUG(D_lookup) debug_printf("internal_search_find: file=\"%s\"\n  "
   "type=%s key=\"%s\"\n", filename,
@@ -521,7 +521,7 @@
 
   if (lookup_list[search_type]->find(c->handle, filename, keystring, keylength,
       &data, &search_error_message, &do_cache) == DEFER)
-    search_find_defer = TRUE;
+    f.search_find_defer = TRUE;
 
   /* A record that has been found is now in data, which is either NULL
   or points to a bit of dynamic store. Cache the result of the lookup if
@@ -564,7 +564,7 @@
   {
   if (data)
     debug_printf("lookup yielded: %s\n", data);
-  else if (search_find_defer)
+  else if (f.search_find_defer)
     debug_printf("lookup deferred: %s\n", search_error_message);
   else debug_printf("lookup failed\n");
   }
@@ -669,7 +669,7 @@
 entry but could have been partial, flag to set up variables. */
 
 yield = internal_search_find(handle, filename, keystring);
-if (search_find_defer) return NULL;
+if (f.search_find_defer) return NULL;
 if (yield != NULL) { if (partial >= 0) set_null_wild = TRUE; }
 
 /* Not matched a complete entry; handle partial lookups, but only if the full
@@ -692,7 +692,7 @@
     Ustrcpy(keystring2 + affixlen, keystring);
     DEBUG(D_lookup) debug_printf("trying partial match %s\n", keystring2);
     yield = internal_search_find(handle, filename, keystring2);
-    if (search_find_defer) return NULL;
+    if (f.search_find_defer) return NULL;
     }
 
   /* The key in its entirety did not match a wild entry; try chopping off
@@ -730,7 +730,7 @@
 
       DEBUG(D_lookup) debug_printf("trying partial match %s\n", keystring3);
       yield = internal_search_find(handle, filename, keystring3);
-      if (search_find_defer) return NULL;
+      if (f.search_find_defer) return NULL;
       if (yield != NULL)
         {
         /* First variable is the wild part; second is the fixed part. Take care
@@ -772,7 +772,7 @@
     DEBUG(D_lookup) debug_printf("trying default match %s\n", atat);
     yield = internal_search_find(handle, filename, atat);
     *atat = savechar;
-    if (search_find_defer) return NULL;
+    if (f.search_find_defer) return NULL;
 
     if (yield != NULL && expand_setup != NULL && *expand_setup >= 0)
       {
diff -Nru exim4-4.91/src/sieve.c exim4-4.92~RC4/src/sieve.c
--- exim4-4.91/src/sieve.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/sieve.c	2018-12-27 13:36:19.000000000 +0000
@@ -21,7 +21,7 @@
 #include "exim.h"
 
 #if HAVE_ICONV
-#include <iconv.h>
+# include <iconv.h>
 #endif
 
 /* Define this for RFC compliant \r\n end-of-line terminators.      */
@@ -153,8 +153,10 @@
 static const struct String str_cc={ str_cc_c, 2 };
 static uschar str_bcc_c[]="Bcc";
 static const struct String str_bcc={ str_bcc_c, 3 };
+#ifdef ENVELOPE_AUTH
 static uschar str_auth_c[]="auth";
 static const struct String str_auth={ str_auth_c, 4 };
+#endif
 static uschar str_sender_c[]="Sender";
 static const struct String str_sender={ str_sender_c, 6 };
 static uschar str_resent_from_c[]="Resent-From";
@@ -2135,7 +2137,7 @@
         filter->errmsg=CUS "header string expansion failed";
         return -1;
         }
-      parse_allow_group = TRUE;
+      f.parse_allow_group = TRUE;
       while (*header_value && !*cond)
         {
         uschar *error;
@@ -2181,8 +2183,8 @@
         if (saveend == 0) break;
         header_value = end_addr + 1;
         }
-      parse_allow_group = FALSE;
-      parse_found_group = FALSE;
+      f.parse_allow_group = FALSE;
+      f.parse_found_group = FALSE;
       }
     }
   return 1;
@@ -3379,7 +3381,6 @@
             {
             uschar *mime_body,*reason_end;
             static const uschar nlnl[]="\r\n\r\n";
-	    gstring * g;
 
             for
               (
diff -Nru exim4-4.91/src/smtp_in.c exim4-4.92~RC4/src/smtp_in.c
--- exim4-4.91/src/smtp_in.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/smtp_in.c	2018-12-27 13:36:19.000000000 +0000
@@ -131,26 +131,38 @@
 *                Local static variables          *
 *************************************************/
 
-static auth_instance *authenticated_by;
-static BOOL auth_advertised;
+static struct {
+  BOOL auth_advertised			:1;
 #ifdef SUPPORT_TLS
-static BOOL tls_advertised;
+  BOOL tls_advertised			:1;
+# ifdef EXPERIMENTAL_REQUIRETLS
+  BOOL requiretls_advertised		:1;
+# endif
 #endif
-static BOOL dsn_advertised;
-static BOOL esmtp;
-static BOOL helo_required = FALSE;
-static BOOL helo_verify = FALSE;
-static BOOL helo_seen;
-static BOOL helo_accept_junk;
-static BOOL count_nonmail;
-static BOOL pipelining_advertised;
-static BOOL rcpt_smtp_response_same;
-static BOOL rcpt_in_progress;
-static int  nonmail_command_count;
-static BOOL smtp_exit_function_called = 0;
+  BOOL dsn_advertised			:1;
+  BOOL esmtp				:1;
+  BOOL helo_required			:1;
+  BOOL helo_verify			:1;
+  BOOL helo_seen			:1;
+  BOOL helo_accept_junk			:1;
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  BOOL pipe_connect_acceptable		:1;
+#endif
+  BOOL rcpt_smtp_response_same		:1;
+  BOOL rcpt_in_progress			:1;
+  BOOL smtp_exit_function_called	:1;
 #ifdef SUPPORT_I18N
-static BOOL smtputf8_advertised;
+  BOOL smtputf8_advertised		:1;
 #endif
+} fl = {
+  .helo_required = FALSE,
+  .helo_verify = FALSE,
+  .smtp_exit_function_called = FALSE,
+};
+
+static auth_instance *authenticated_by;
+static int  count_nonmail;
+static int  nonmail_command_count;
 static int  synprot_error_count;
 static int  unknown_command_count;
 static int  sync_cmd_limit;
@@ -185,10 +197,10 @@
   { "helo",       sizeof("helo")-1,       HELO_CMD, TRUE,  FALSE },
   { "ehlo",       sizeof("ehlo")-1,       EHLO_CMD, TRUE,  FALSE },
   { "auth",       sizeof("auth")-1,       AUTH_CMD, TRUE,  TRUE  },
-  #ifdef SUPPORT_TLS
+#ifdef SUPPORT_TLS
   { "starttls",   sizeof("starttls")-1,   STARTTLS_CMD, FALSE, FALSE },
   { "tls_auth",   0,                      TLS_AUTH_CMD, FALSE, FALSE },
-  #endif
+#endif
 
 /* If you change anything above here, also fix the definitions below. */
 
@@ -256,6 +268,9 @@
 #ifdef SUPPORT_I18N
   ENV_MAIL_OPT_UTF8,
 #endif
+#ifdef EXPERIMENTAL_REQUIRETLS
+  ENV_MAIL_OPT_REQTLS,
+#endif
   };
 typedef struct {
   uschar *   name;  /* option requested during MAIL cmd */
@@ -275,6 +290,10 @@
 #ifdef SUPPORT_I18N
     { US"SMTPUTF8",ENV_MAIL_OPT_UTF8,  FALSE },		/* rfc6531 */
 #endif
+#ifdef EXPERIMENTAL_REQUIRETLS
+    /* https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03 */
+    { US"REQUIRETLS",ENV_MAIL_OPT_REQTLS,  FALSE },
+#endif
     /* keep this the last entry */
     { US"NULL",   ENV_MAIL_OPT_NULL,   FALSE },
   };
@@ -340,7 +359,7 @@
 struct timeval tzero;
 
 #ifdef SUPPORT_TLS
-if (tls_in.active >= 0)
+if (tls_in.active.sock >= 0)
  return !tls_could_read();
 #endif
 
@@ -365,7 +384,7 @@
 static BOOL
 check_sync(void)
 {
-if (!smtp_enforce_sync || !sender_host_address || sender_host_notsocket)
+if (!smtp_enforce_sync || !sender_host_address || f.sender_host_notsocket)
   return TRUE;
 
 return wouldblock_reading();
@@ -379,13 +398,27 @@
 pipeline_response(void)
 {
 if (  !smtp_enforce_sync || !sender_host_address
-   || sender_host_notsocket || !pipelining_advertised)
+   || f.sender_host_notsocket || !f.smtp_in_pipelining_advertised)
   return FALSE;
 
-return !wouldblock_reading();
+if (wouldblock_reading()) return FALSE;
+f.smtp_in_pipelining_used = TRUE;
+return TRUE;
 }
 
 
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+static BOOL
+pipeline_connect_sends(void)
+{
+if (!sender_host_address || f.sender_host_notsocket || !fl.pipe_connect_acceptable)
+  return FALSE;
+
+if (wouldblock_reading()) return FALSE;
+f.smtp_in_early_pipe_used = TRUE;
+return TRUE;
+}
+#endif
 
 /*************************************************
 *          Log incomplete transactions           *
@@ -424,6 +457,53 @@
 
 
 
+void
+smtp_command_timeout_exit(void)
+{
+log_write(L_lost_incoming_connection,
+	  LOG_MAIN, "SMTP command timeout on%s connection from %s",
+	  tls_in.active.sock >= 0 ? " TLS" : "", host_and_ident(FALSE));
+if (smtp_batched_input)
+  moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
+smtp_notquit_exit(US"command-timeout", US"421",
+  US"%s: SMTP command timeout - closing connection",
+  smtp_active_hostname);
+exim_exit(EXIT_FAILURE, US"receiving");
+}
+
+void
+smtp_command_sigterm_exit(void)
+{
+log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
+if (smtp_batched_input)
+  moan_smtp_batch(NULL, "421 SIGTERM received");  /* Does not return */
+smtp_notquit_exit(US"signal-exit", US"421",
+  US"%s: Service not available - closing connection", smtp_active_hostname);
+exim_exit(EXIT_FAILURE, US"receiving");
+}
+
+void
+smtp_data_timeout_exit(void)
+{
+log_write(L_lost_incoming_connection,
+  LOG_MAIN, "SMTP data timeout (message abandoned) on connection from %s F=<%s>",
+  sender_fullhost ? sender_fullhost : US"local process", sender_address);
+receive_bomb_out(US"data-timeout", US"SMTP incoming data timeout");
+/* Does not return */
+}
+
+void
+smtp_data_sigint_exit(void)
+{
+log_write(0, LOG_MAIN, "%s closed after %s",
+  smtp_get_connection_info(), had_data_sigint == SIGTERM ? "SIGTERM":"SIGINT");
+receive_bomb_out(US"signal-exit",
+  US"Service not available - SIGTERM or SIGINT received");
+/* Does not return */
+}
+
+
+
 /* Refill the buffer, and notify DKIM verification code.
 Return false for error or EOF.
 */
@@ -434,25 +514,35 @@
 int rc, save_errno;
 if (!smtp_out) return FALSE;
 fflush(smtp_out);
-if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
 
 /* Limit amount read, so non-message data is not fed to DKIM.
 Take care to not touch the safety NUL at the end of the buffer. */
 
 rc = read(fileno(smtp_in), smtp_inbuffer, MIN(IN_BUFFER_SIZE-1, lim));
 save_errno = errno;
-alarm(0);
+if (smtp_receive_timeout > 0) ALARM_CLR(0);
 if (rc <= 0)
   {
   /* Must put the error text in fixed store, because this might be during
   header reading, where it releases unused store above the header. */
   if (rc < 0)
     {
+    if (had_command_timeout)		/* set by signal handler */
+      smtp_command_timeout_exit();	/* does not return */
+    if (had_command_sigterm)
+      smtp_command_sigterm_exit();
+    if (had_data_timeout)
+      smtp_data_timeout_exit();
+    if (had_data_sigint)
+      smtp_data_sigint_exit();
+
     smtp_had_error = save_errno;
     smtp_read_error = string_copy_malloc(
       string_sprintf(" (error: %s)", strerror(save_errno)));
     }
-  else smtp_had_eof = 1;
+  else
+    smtp_had_eof = 1;
   return FALSE;
   }
 #ifndef DISABLE_DKIM
@@ -538,7 +628,7 @@
 for(;;)
   {
 #ifndef DISABLE_DKIM
-  BOOL dkim_save;
+  unsigned dkim_save;
 #endif
 
   if (chunking_data_left > 0)
@@ -549,13 +639,13 @@
   receive_ungetc = lwr_receive_ungetc;
 #ifndef DISABLE_DKIM
   dkim_save = dkim_collect_input;
-  dkim_collect_input = FALSE;
+  dkim_collect_input = 0;
 #endif
 
   /* Unless PIPELINING was offered, there should be no next command
   until after we ack that chunk */
 
-  if (!pipelining_advertised && !check_sync())
+  if (!f.smtp_in_pipelining_advertised && !check_sync())
     {
     unsigned n = smtp_inend - smtp_inptr;
     if (n > 32) n = 32;
@@ -823,18 +913,20 @@
 void
 smtp_vprintf(const char *format, BOOL more, va_list ap)
 {
+gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
 BOOL yield;
 
-yield = string_vformat(big_buffer, big_buffer_size, format, ap);
+yield = !! string_vformat(&gs, FALSE, format, ap);
+string_from_gstring(&gs);
 
 DEBUG(D_receive)
   {
   void *reset_point = store_get(0);
   uschar *msg_copy, *cr, *end;
-  msg_copy = string_copy(big_buffer);
-  end = msg_copy + Ustrlen(msg_copy);
+  msg_copy = string_copy(gs.s);
+  end = msg_copy + gs.ptr;
   while ((cr = Ustrchr(msg_copy, '\r')) != NULL)   /* lose CRs */
-  memmove(cr, cr + 1, (end--) - cr);
+    memmove(cr, cr + 1, (end--) - cr);
   debug_printf("SMTP>> %s", msg_copy);
   store_reset(reset_point);
   }
@@ -852,28 +944,28 @@
 do it that way, so as not to have to mess with the code for the RCPT command,
 which sometimes uses smtp_printf() and sometimes smtp_respond(). */
 
-if (rcpt_in_progress)
+if (fl.rcpt_in_progress)
   {
   if (rcpt_smtp_response == NULL)
     rcpt_smtp_response = string_copy(big_buffer);
-  else if (rcpt_smtp_response_same &&
+  else if (fl.rcpt_smtp_response_same &&
            Ustrcmp(rcpt_smtp_response, big_buffer) != 0)
-    rcpt_smtp_response_same = FALSE;
-  rcpt_in_progress = FALSE;
+    fl.rcpt_smtp_response_same = FALSE;
+  fl.rcpt_in_progress = FALSE;
   }
 
 /* Now write the string */
 
 #ifdef SUPPORT_TLS
-if (tls_in.active >= 0)
+if (tls_in.active.sock >= 0)
   {
-  if (tls_write(TRUE, big_buffer, Ustrlen(big_buffer), more) < 0)
+  if (tls_write(NULL, gs.s, gs.ptr, more) < 0)
     smtp_write_error = -1;
   }
 else
 #endif
 
-if (fprintf(smtp_out, "%s", big_buffer) < 0) smtp_write_error = -1;
+if (fprintf(smtp_out, "%s", gs.s) < 0) smtp_write_error = -1;
 }
 
 
@@ -894,7 +986,7 @@
 int
 smtp_fflush(void)
 {
-if (tls_in.active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
+if (tls_in.active.sock < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
 return smtp_write_error;
 }
 
@@ -914,16 +1006,7 @@
 static void
 command_timeout_handler(int sig)
 {
-sig = sig;    /* Keep picky compilers happy */
-log_write(L_lost_incoming_connection,
-          LOG_MAIN, "SMTP command timeout on%s connection from %s",
-          (tls_in.active >= 0)? " TLS" : "",
-          host_and_ident(FALSE));
-if (smtp_batched_input)
-  moan_smtp_batch(NULL, "421 SMTP command timeout");  /* Does not return */
-smtp_notquit_exit(US"command-timeout", US"421",
-  US"%s: SMTP command timeout - closing connection", smtp_active_hostname);
-exim_exit(EXIT_FAILURE, US"receiving");
+had_command_timeout = sig;
 }
 
 
@@ -941,13 +1024,7 @@
 static void
 command_sigterm_handler(int sig)
 {
-sig = sig;    /* Keep picky compilers happy */
-log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
-if (smtp_batched_input)
-  moan_smtp_batch(NULL, "421 SIGTERM received");  /* Does not return */
-smtp_notquit_exit(US"signal-exit", US"421",
-  US"%s: Service not available - closing connection", smtp_active_hostname);
-exim_exit(EXIT_FAILURE, US"receiving");
+had_command_sigterm = sig;
 }
 
 
@@ -1467,7 +1544,7 @@
     }
   else
     {
-    proxy_session_failed = TRUE;
+    f.proxy_session_failed = TRUE;
     DEBUG(D_receive)
       debug_printf("Failure to extract proxied host, only QUIT allowed\n");
     }
@@ -1507,6 +1584,7 @@
 smtp_cmd_list *p;
 BOOL hadnull = FALSE;
 
+had_command_timeout = 0;
 os_non_restarting_signal(SIGALRM, command_timeout_handler);
 
 while ((c = (receive_getc)(buffer_lim)) != '\n' && c != EOF)
@@ -1552,7 +1630,7 @@
   {
 #ifdef SUPPORT_PROXY
   /* Only allow QUIT command if Proxy Protocol parsing failed */
-  if (proxy_session && proxy_session_failed && p->cmd != QUIT_CMD)
+  if (proxy_session && f.proxy_session_failed && p->cmd != QUIT_CMD)
     continue;
 #endif
   if (  p->len
@@ -1567,7 +1645,7 @@
         check_sync &&                                  /* Local flag set */
         smtp_enforce_sync &&                           /* Global flag set */
         sender_host_address != NULL &&                 /* Not local input */
-        !sender_host_notsocket)                        /* Really is a socket */
+        !f.sender_host_notsocket)                        /* Really is a socket */
       return BADSYN_CMD;
 
     /* The variables $smtp_command and $smtp_command_argument point into the
@@ -1606,7 +1684,7 @@
 
 #ifdef SUPPORT_PROXY
 /* Only allow QUIT command if Proxy Protocol parsing failed */
-if (proxy_session && proxy_session_failed)
+if (proxy_session && f.proxy_session_failed)
   return PROXY_FAIL_IGNORE_CMD;
 #endif
 
@@ -1616,7 +1694,7 @@
    && check_sync			/* Local flag set */
    && smtp_enforce_sync			/* Global flag set */
    && sender_host_address		/* Not local input */
-   && !sender_host_notsocket)		/* Really is a socket */
+   && !f.sender_host_notsocket)		/* Really is a socket */
   return BADSYN_CMD;
 
 return OTHER_CMD;
@@ -1693,13 +1771,13 @@
 if (host_checking)
   return string_sprintf("SMTP connection from %s", hostname);
 
-if (sender_host_unknown || sender_host_notsocket)
+if (f.sender_host_unknown || f.sender_host_notsocket)
   return string_sprintf("SMTP connection from %s", sender_ident);
 
-if (is_inetd)
+if (f.is_inetd)
   return string_sprintf("SMTP connection from %s (via inetd)", hostname);
 
-if (LOGGING(incoming_interface) && interface_address != NULL)
+if (LOGGING(incoming_interface) && interface_address)
   return string_sprintf("SMTP connection from %s I=[%s]:%d", hostname,
     interface_address, interface_port);
 
@@ -1781,7 +1859,7 @@
 if (!(s = string_from_gstring(g))) s = US"";
 
 log_write(0, LOG_MAIN, "no MAIL in %sSMTP connection from %s D=%s%s",
-  tcp_in_fastopen ? US"TFO " : US"",
+  f.tcp_in_fastopen ? f.tcp_in_fastopen_data ? US"TFO* " : US"TFO " : US"",
   host_and_ident(FALSE), string_timesince(&smtp_connection_start), s);
 }
 
@@ -1832,7 +1910,7 @@
 {
 uschar *start = s;
 uschar *end = s + Ustrlen(s);
-BOOL yield = helo_accept_junk;
+BOOL yield = fl.helo_accept_junk;
 
 /* Discard any previous helo name */
 
@@ -1961,20 +2039,20 @@
 message_size = -1;
 acl_added_headers = NULL;
 acl_removed_headers = NULL;
-queue_only_policy = FALSE;
+f.queue_only_policy = FALSE;
 rcpt_smtp_response = NULL;
-rcpt_smtp_response_same = TRUE;
-rcpt_in_progress = FALSE;
-deliver_freeze = FALSE;                              /* Can be set by ACL */
+fl.rcpt_smtp_response_same = TRUE;
+fl.rcpt_in_progress = FALSE;
+f.deliver_freeze = FALSE;                              /* Can be set by ACL */
 freeze_tell = freeze_tell_config;                    /* Can be set by ACL */
 fake_response = OK;                                  /* Can be set by ACL */
 #ifdef WITH_CONTENT_SCAN
-no_mbox_unspool = FALSE;                             /* Can be set by ACL */
+f.no_mbox_unspool = FALSE;                             /* Can be set by ACL */
 #endif
-submission_mode = FALSE;                             /* Can be set by ACL */
-suppress_local_fixups = suppress_local_fixups_default; /* Can be set by ACL */
-active_local_from_check = local_from_check;          /* Can be set by ACL */
-active_local_sender_retain = local_sender_retain;    /* Can be set by ACL */
+f.submission_mode = FALSE;                             /* Can be set by ACL */
+f.suppress_local_fixups = f.suppress_local_fixups_default; /* Can be set by ACL */
+f.active_local_from_check = local_from_check;          /* Can be set by ACL */
+f.active_local_sender_retain = local_sender_retain;    /* Can be set by ACL */
 sending_ip_address = NULL;
 return_path = sender_address = NULL;
 sender_data = NULL;				     /* Can be set by ACL */
@@ -1994,32 +2072,34 @@
 bmi_verdicts = NULL;
 #endif
 dnslist_domain = dnslist_matched = NULL;
+#ifdef SUPPORT_SPF
+spf_header_comment = spf_received = spf_result = spf_smtp_comment = NULL;
+spf_result_guessed = FALSE;
+#endif
 #ifndef DISABLE_DKIM
 dkim_cur_signer = dkim_signers =
-dkim_signing_domain = dkim_signing_selector = NULL;
+dkim_signing_domain = dkim_signing_selector = dkim_signatures = NULL;
 dkim_cur_signer = dkim_signers = dkim_signing_domain = dkim_signing_selector = NULL;
-dkim_disable_verify = dkim_collect_input = FALSE;
+f.dkim_disable_verify = FALSE;
+dkim_collect_input = 0;
 dkim_verify_overall = dkim_verify_status = dkim_verify_reason = NULL;
 dkim_key_length = 0;
 dkim_verify_signers = US"$dkim_signers";
 #endif
+#ifdef EXPERIMENTAL_DMARC
+f.dmarc_has_been_checked = f.dmarc_disable_verify = f.dmarc_enable_forensic = FALSE;
+dmarc_domain_policy = dmarc_status = dmarc_status_text =
+dmarc_used_domain = NULL;
+#endif
+#ifdef EXPERIMENTAL_ARC
+arc_state = arc_state_reason = NULL;
+#endif
 dsn_ret = 0;
 dsn_envid = NULL;
 deliver_host = deliver_host_address = NULL;	/* Can be set by ACL */
 #ifndef DISABLE_PRDR
 prdr_requested = FALSE;
 #endif
-#ifdef SUPPORT_SPF
-spf_header_comment = spf_received = spf_result = spf_smtp_comment = NULL;
-spf_result_guessed = FALSE;
-#endif
-#ifdef EXPERIMENTAL_DMARC
-dmarc_has_been_checked = dmarc_disable_verify = dmarc_enable_forensic = FALSE;
-dmarc_domain_policy = dmarc_status = dmarc_status_text = dmarc_used_domain = NULL;
-#endif
-#ifdef EXPERIMENTAL_ARC
-arc_state = arc_state_reason = NULL;
-#endif
 #ifdef SUPPORT_I18N
 message_smtputf8 = FALSE;
 #endif
@@ -2170,7 +2250,7 @@
 
       if (  !sender_domain
          && sender_address[0] != 0 && sender_address[0] != '@')
-	if (allow_unqualified_sender)
+	if (f.allow_unqualified_sender)
 	  {
 	  sender_address = rewrite_address_qualify(sender_address, FALSE);
 	  DEBUG(D_receive) debug_printf("unqualified address %s accepted "
@@ -2226,7 +2306,7 @@
       add it to the list of recipients. */
 
       if (!recipient_domain)
-	if (allow_unqualified_recipient)
+	if (f.allow_unqualified_recipient)
 	  {
 	  DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
 	    recipient);
@@ -2304,6 +2384,7 @@
 
 
 
+#ifdef SUPPORT_TLS
 static BOOL
 smtp_log_tls_fail(uschar * errstr)
 {
@@ -2315,6 +2396,7 @@
 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
 return FALSE;
 }
+#endif
 
 
 
@@ -2327,13 +2409,20 @@
 struct tcp_info tinfo;
 socklen_t len = sizeof(tinfo);
 
-if (  getsockopt(fileno(smtp_out), IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0
-   && tinfo.tcpi_state == TCP_SYN_RECV
-   )
-  {
-  DEBUG(D_receive) debug_printf("TCP_FASTOPEN mode connection (state TCP_SYN_RECV)\n");
-  tcp_in_fastopen = TRUE;
-  }
+if (getsockopt(fileno(smtp_out), IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0)
+#ifdef TCPI_OPT_SYN_DATA	/* FreeBSD 11 does not seem to have this yet */
+  if (tinfo.tcpi_options & TCPI_OPT_SYN_DATA)
+    {
+    DEBUG(D_receive) debug_printf("TCP_FASTOPEN mode connection (ACKd data-on-SYN)\n");
+    f.tcp_in_fastopen_data = f.tcp_in_fastopen = TRUE;
+    }
+  else
+#endif
+    if (tinfo.tcpi_state == TCP_SYN_RECV)
+    {
+    DEBUG(D_receive) debug_printf("TCP_FASTOPEN mode connection (state TCP_SYN_RECV)\n");
+    f.tcp_in_fastopen = TRUE;
+    }
 # endif
 }
 #endif
@@ -2368,21 +2457,21 @@
 
 /* Default values for certain variables */
 
-helo_seen = esmtp = helo_accept_junk = FALSE;
+fl.helo_seen = fl.esmtp = fl.helo_accept_junk = FALSE;
 smtp_mailcmd_count = 0;
 count_nonmail = TRUE_UNSET;
 synprot_error_count = unknown_command_count = nonmail_command_count = 0;
 smtp_delay_mail = smtp_rlm_base;
-auth_advertised = FALSE;
-pipelining_advertised = FALSE;
-pipelining_enable = TRUE;
+fl.auth_advertised = FALSE;
+f.smtp_in_pipelining_advertised = f.smtp_in_pipelining_used = FALSE;
+f.pipelining_enable = TRUE;
 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
-smtp_exit_function_called = FALSE;    /* For avoiding loop in not-quit exit */
+fl.smtp_exit_function_called = FALSE;    /* For avoiding loop in not-quit exit */
 
 /* If receiving by -bs from a trusted user, or testing with -bh, we allow
 authentication settings from -oMaa to remain in force. */
 
-if (!host_checking && !sender_host_notsocket)
+if (!host_checking && !f.sender_host_notsocket)
   sender_host_auth_pubname = sender_host_authenticated = NULL;
 authenticated_by = NULL;
 
@@ -2391,11 +2480,14 @@
 tls_in.ourcert = tls_in.peercert = NULL;
 tls_in.sni = NULL;
 tls_in.ocsp = OCSP_NOT_REQ;
-tls_advertised = FALSE;
+fl.tls_advertised = FALSE;
+# ifdef EXPERIMENTAL_REQUIRETLS
+fl.requiretls_advertised = FALSE;
+# endif
 #endif
-dsn_advertised = FALSE;
+fl.dsn_advertised = FALSE;
 #ifdef SUPPORT_I18N
-smtputf8_advertised = FALSE;
+fl.smtputf8_advertised = FALSE;
 #endif
 
 /* Reset ACL connection variables */
@@ -2469,7 +2561,7 @@
 If smtp_accept_max and smtp_accept_reserve are set, keep some connections in
 reserve for certain hosts and/or networks. */
 
-if (!sender_host_unknown)
+if (!f.sender_host_unknown)
   {
   int rc;
   BOOL reserved_host = FALSE;
@@ -2499,7 +2591,7 @@
 
   How to do this properly in IPv6 is not yet known. */
 
-  #if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
+#if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
 
   #ifdef GLIBC_IP_OPTIONS
     #if (!defined __GLIBC__) || (__GLIBC__ < 2)
@@ -2513,7 +2605,7 @@
     #define OPTSTYLE 3
   #endif
 
-  if (!host_checking && !sender_host_notsocket)
+  if (!host_checking && !f.sender_host_notsocket)
     {
     #if OPTSTYLE == 1
     EXIM_SOCKLEN_T optlen = sizeof(struct ip_options) + MAX_IPOPTLEN;
@@ -2654,13 +2746,13 @@
 
     else DEBUG(D_receive) debug_printf("no IP options found\n");
     }
-  #endif  /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
+#endif  /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
 
   /* Set keep-alive in socket options. The option is on by default. This
   setting is an attempt to get rid of some hanging connections that stick in
   read() when the remote end (usually a dialup) goes away. */
 
-  if (smtp_accept_keepalive && !sender_host_notsocket)
+  if (smtp_accept_keepalive && !f.sender_host_notsocket)
     ip_keepalive(fileno(smtp_out), sender_host_address, FALSE);
 
   /* If the current host matches host_lookup, set the name by doing a
@@ -2791,23 +2883,23 @@
   addresses in the headers. For a site that permits no qualification, this
   won't take long, however. */
 
-  allow_unqualified_sender =
+  f.allow_unqualified_sender =
     verify_check_host(&sender_unqualified_hosts) == OK;
 
-  allow_unqualified_recipient =
+  f.allow_unqualified_recipient =
     verify_check_host(&recipient_unqualified_hosts) == OK;
 
   /* Determine whether HELO/EHLO is required for this host. The requirement
   can be hard or soft. */
 
-  helo_required = verify_check_host(&helo_verify_hosts) == OK;
-  if (!helo_required)
-    helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
+  fl.helo_required = verify_check_host(&helo_verify_hosts) == OK;
+  if (!fl.helo_required)
+    fl.helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
 
   /* Determine whether this hosts is permitted to send syntactic junk
   after a HELO or EHLO command. */
 
-  helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
+  fl.helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
   }
 
 /* For batch SMTP input we are now done. */
@@ -2819,7 +2911,7 @@
 
 #ifdef SUPPORT_PROXY
 proxy_session = FALSE;
-proxy_session_failed = FALSE;
+f.proxy_session_failed = FALSE;
 if (check_proxy_protocol_host())
   setup_proxy_protocol_host();
 #endif
@@ -2919,22 +3011,39 @@
 /* Before we write the banner, check that there is no input pending, unless
 this synchronisation check is disabled. */
 
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+fl.pipe_connect_acceptable =
+  sender_host_address && verify_check_host(&pipe_connect_advertise_hosts) == OK;
+
 if (!check_sync())
-  {
-  unsigned n = smtp_inend - smtp_inptr;
-  if (n > 32) n = 32;
+  if (fl.pipe_connect_acceptable)
+    f.smtp_in_early_pipe_used = TRUE;
+  else
+#else
+if (!check_sync())
+#endif
+    {
+    unsigned n = smtp_inend - smtp_inptr;
+    if (n > 32) n = 32;
 
-  log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol "
-    "synchronization error (input sent without waiting for greeting): "
-    "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
-    string_printing(string_copyn(smtp_inptr, n)));
-  smtp_printf("554 SMTP synchronization error\r\n", FALSE);
-  return FALSE;
-  }
+    log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol "
+      "synchronization error (input sent without waiting for greeting): "
+      "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
+      string_printing(string_copyn(smtp_inptr, n)));
+    smtp_printf("554 SMTP synchronization error\r\n", FALSE);
+    return FALSE;
+    }
 
 /* Now output the banner */
+/*XXX the ehlo-resp code does its own tls/nontls bit.  Maybe subroutine that? */
 
-smtp_printf("%s", FALSE, string_from_gstring(ss));
+smtp_printf("%s",
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  fl.pipe_connect_acceptable && pipeline_connect_sends(),
+#else
+  FALSE,
+#endif
+  string_from_gstring(ss));
 
 /* Attempt to see if we sent the banner before the last ACK of the 3-way
 handshake arrived.  If so we must have managed a TFO. */
@@ -3024,7 +3133,7 @@
 int esclen = 0;
 uschar *esc = US"";
 
-if (!final && no_multiline_responses) return;
+if (!final && f.no_multiline_responses) return;
 
 if (codelen > 4)
   {
@@ -3038,14 +3147,14 @@
 do it that way, so as not to have to mess with the code for the RCPT command,
 which sometimes uses smtp_printf() and sometimes smtp_respond(). */
 
-if (rcpt_in_progress)
+if (fl.rcpt_in_progress)
   {
   if (rcpt_smtp_response == NULL)
     rcpt_smtp_response = string_copy(msg);
-  else if (rcpt_smtp_response_same &&
+  else if (fl.rcpt_smtp_response_same &&
            Ustrcmp(rcpt_smtp_response, msg) != 0)
-    rcpt_smtp_response_same = FALSE;
-  rcpt_in_progress = FALSE;
+    fl.rcpt_smtp_response_same = FALSE;
+  fl.rcpt_in_progress = FALSE;
   }
 
 /* Now output the message, splitting it up into multiple lines if necessary.
@@ -3060,7 +3169,7 @@
     smtp_printf("%.3s%c%.*s%s\r\n", !final, code, final ? ' ':'-', esclen, esc, msg);
     return;
     }
-  else if (nl[1] == 0 || no_multiline_responses)
+  else if (nl[1] == 0 || f.no_multiline_responses)
     {
     smtp_printf("%.3s%c%.*s%.*s\r\n", !final, code, final ? ' ':'-', esclen, esc,
       (int)(nl - msg), msg);
@@ -3232,8 +3341,8 @@
 if (sender_verified_failed &&
     !testflag(sender_verified_failed, af_sverify_told))
   {
-  BOOL save_rcpt_in_progress = rcpt_in_progress;
-  rcpt_in_progress = FALSE;  /* So as not to treat these as the error */
+  BOOL save_rcpt_in_progress = fl.rcpt_in_progress;
+  fl.rcpt_in_progress = FALSE;  /* So as not to treat these as the error */
 
   setflag(sender_verified_failed, af_sverify_told);
 
@@ -3265,7 +3374,7 @@
         sender_verified_failed->address,
         sender_verified_failed->user_message));
 
-  rcpt_in_progress = save_rcpt_in_progress;
+  fl.rcpt_in_progress = save_rcpt_in_progress;
   }
 
 /* Sort out text for logging */
@@ -3290,7 +3399,7 @@
 be re-implemented in a tidier fashion. */
 
 else
-  if (acl_temp_details && user_msg)
+  if (f.acl_temp_details && user_msg)
     {
     if (  smtp_return_error_details
        && sender_verified_failed
@@ -3376,15 +3485,15 @@
 uschar *user_msg = NULL;
 uschar *log_msg = NULL;
 
-/* Check for recursive acll */
+/* Check for recursive call */
 
-if (smtp_exit_function_called)
+if (fl.smtp_exit_function_called)
   {
   log_write(0, LOG_PANIC, "smtp_notquit_exit() called more than once (%s)",
     reason);
   return;
   }
-smtp_exit_function_called = TRUE;
+fl.smtp_exit_function_called = TRUE;
 
 /* Call the not-QUIT ACL, if there is one, unless no reason is given. */
 
@@ -3397,10 +3506,11 @@
       log_msg);
   }
 
+/* If the connection was dropped, we certainly are no longer talking TLS */
+tls_in.active.sock = -1;
+
 /* Write an SMTP response if we are expected to give one. As the default
-responses are all internal, they should always fit in the buffer, but code a
-warning, just in case. Note that string_vformat() still leaves a complete
-string, even if it is incomplete. */
+responses are all internal, they should be reasonable size. */
 
 if (code && defaultrespond)
   {
@@ -3408,13 +3518,13 @@
     smtp_respond(code, 3, TRUE, user_msg);
   else
     {
-    uschar buffer[128];
+    gstring * g;
     va_list ap;
+
     va_start(ap, defaultrespond);
-    if (!string_vformat(buffer, sizeof(buffer), CS defaultrespond, ap))
-      log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_notquit_exit()");
-    smtp_printf("%s %s\r\n", FALSE, code, buffer);
+    g = string_vformat(NULL, TRUE, CS defaultrespond, ap);
     va_end(ap);
+    smtp_printf("%s %s\r\n", FALSE, code, string_from_gstring(g));
     }
   mac_smtp_fflush();
   }
@@ -3460,27 +3570,27 @@
 else if (sender_host_address == NULL)
   {
   HDEBUG(D_receive) debug_printf("no client IP address: assume success\n");
-  helo_verified = TRUE;
+  f.helo_verified = TRUE;
   }
 
 /* Deal with the more common case when there is a sending IP address */
 
 else if (sender_helo_name[0] == '[')
   {
-  helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
+  f.helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
     Ustrlen(sender_host_address)) == 0;
 
-  #if HAVE_IPV6
-  if (!helo_verified)
+#if HAVE_IPV6
+  if (!f.helo_verified)
     {
     if (strncmpic(sender_host_address, US"::ffff:", 7) == 0)
-      helo_verified = Ustrncmp(sender_helo_name + 1,
+      f.helo_verified = Ustrncmp(sender_helo_name + 1,
         sender_host_address + 7, Ustrlen(sender_host_address) - 7) == 0;
     }
-  #endif
+#endif
 
   HDEBUG(D_receive)
-    { if (helo_verified) debug_printf("matched host address\n"); }
+    { if (f.helo_verified) debug_printf("matched host address\n"); }
   }
 
 /* Do a reverse lookup if one hasn't already given a positive or negative
@@ -3495,7 +3605,7 @@
   /* If a host name is known, check it and all its aliases. */
 
   if (sender_host_name)
-    if ((helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0))
+    if ((f.helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0))
       {
       sender_helo_dnssec = sender_host_dnssec;
       HDEBUG(D_receive) debug_printf("matched host name\n");
@@ -3504,19 +3614,19 @@
       {
       uschar **aliases = sender_host_aliases;
       while (*aliases)
-        if ((helo_verified = strcmpic(*aliases++, sender_helo_name) == 0))
+        if ((f.helo_verified = strcmpic(*aliases++, sender_helo_name) == 0))
 	  {
 	  sender_helo_dnssec = sender_host_dnssec;
 	  break;
 	  }
 
-      HDEBUG(D_receive) if (helo_verified)
+      HDEBUG(D_receive) if (f.helo_verified)
           debug_printf("matched alias %s\n", *(--aliases));
       }
 
   /* Final attempt: try a forward lookup of the helo name */
 
-  if (!helo_verified)
+  if (!f.helo_verified)
     {
     int rc;
     host_item h;
@@ -3538,7 +3648,7 @@
       for (hh = &h; hh; hh = hh->next)
         if (Ustrcmp(hh->address, sender_host_address) == 0)
           {
-          helo_verified = TRUE;
+          f.helo_verified = TRUE;
 	  if (h.dnssec == DS_YES) sender_helo_dnssec = TRUE;
           HDEBUG(D_receive)
 	    {
@@ -3551,7 +3661,7 @@
     }
   }
 
-if (!helo_verified) helo_verify_failed = TRUE;  /* We've tried ... */
+if (!f.helo_verified) f.helo_verify_failed = TRUE;  /* We've tried ... */
 return yield;
 }
 
@@ -3641,7 +3751,7 @@
 
     received_protocol =
       (sender_host_address ? protocols : protocols_local)
-	[pextend + pauthed + (tls_in.active >= 0 ? pcrpted:0)];
+	[pextend + pauthed + (tls_in.active.sock >= 0 ? pcrpted:0)];
     *s = *ss = US"235 Authentication succeeded";
     authenticated_by = au;
     break;
@@ -3698,7 +3808,7 @@
 qualify_recipient(uschar ** recipient, uschar * smtp_cmd_data, uschar * tag)
 {
 int rd;
-if (allow_unqualified_recipient || strcmpic(*recipient, US"postmaster") == 0)
+if (f.allow_unqualified_recipient || strcmpic(*recipient, US"postmaster") == 0)
   {
   DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
     *recipient);
@@ -3735,7 +3845,7 @@
   smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
 
 #ifdef SUPPORT_TLS
-tls_close(TRUE, TLS_SHUTDOWN_NOWAIT);
+tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
 #endif
 
 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
@@ -3800,7 +3910,7 @@
 smtp_reset(reset_point);
 message_ended = END_NOTSTARTED;
 
-chunking_state = chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED;
+chunking_state = f.chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED;
 
 cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
 cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
@@ -3811,6 +3921,7 @@
 
 /* Set the local signal handler for SIGTERM - it tries to end off tidily */
 
+had_command_sigterm = 0;
 os_non_restarting_signal(SIGTERM, command_sigterm_handler);
 
 /* Batched SMTP is handled in a different function. */
@@ -3840,12 +3951,12 @@
   int c;
   auth_instance *au;
   uschar *orcpt = NULL;
-  int flags;
+  int dsn_flags;
   gstring * g;
 
 #ifdef AUTH_TLS
   /* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */
-  if (  tls_in.active >= 0
+  if (  tls_in.active.sock >= 0
      && tls_in.peercert
      && tls_in.certificate_verified
      && cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd
@@ -3881,7 +3992,13 @@
 	    US &off, sizeof(off));
 #endif
 
-  switch(smtp_read_command(TRUE, GETC_BUFFER_UNLIMITED))
+  switch(smtp_read_command(
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	  !fl.pipe_connect_acceptable,
+#else
+	  TRUE,
+#endif
+	  GETC_BUFFER_UNLIMITED))
     {
     /* The AUTH command is not permitted to occur inside a transaction, and may
     occur successfully only once per connection. Actually, that isn't quite
@@ -3898,86 +4015,86 @@
     AUTHS will eventually hit the nonmail threshold. */
 
     case AUTH_CMD:
-    HAD(SCH_AUTH);
-    authentication_failed = TRUE;
-    cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
-
-    if (!auth_advertised && !allow_auth_unadvertised)
-      {
-      done = synprot_error(L_smtp_protocol_error, 503, NULL,
-        US"AUTH command used when not advertised");
-      break;
-      }
-    if (sender_host_authenticated)
-      {
-      done = synprot_error(L_smtp_protocol_error, 503, NULL,
-        US"already authenticated");
-      break;
-      }
-    if (sender_address)
-      {
-      done = synprot_error(L_smtp_protocol_error, 503, NULL,
-        US"not permitted in mail transaction");
-      break;
-      }
+      HAD(SCH_AUTH);
+      authentication_failed = TRUE;
+      cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
 
-    /* Check the ACL */
+      if (!fl.auth_advertised && !f.allow_auth_unadvertised)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"AUTH command used when not advertised");
+	break;
+	}
+      if (sender_host_authenticated)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"already authenticated");
+	break;
+	}
+      if (sender_address)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"not permitted in mail transaction");
+	break;
+	}
 
-    if (  acl_smtp_auth
-       && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
-		  &user_msg, &log_msg)) != OK
-       )
-      {
-      done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
-      break;
-      }
+      /* Check the ACL */
 
-    /* Find the name of the requested authentication mechanism. */
+      if (  acl_smtp_auth
+	 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
+		    &user_msg, &log_msg)) != OK
+	 )
+	{
+	done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
+	break;
+	}
 
-    s = smtp_cmd_data;
-    while ((c = *smtp_cmd_data) != 0 && !isspace(c))
-      {
-      if (!isalnum(c) && c != '-' && c != '_')
-        {
-        done = synprot_error(L_smtp_syntax_error, 501, NULL,
-          US"invalid character in authentication mechanism name");
-        goto COMMAND_LOOP;
-        }
-      smtp_cmd_data++;
-      }
+      /* Find the name of the requested authentication mechanism. */
 
-    /* If not at the end of the line, we must be at white space. Terminate the
-    name and move the pointer on to any data that may be present. */
+      s = smtp_cmd_data;
+      while ((c = *smtp_cmd_data) != 0 && !isspace(c))
+	{
+	if (!isalnum(c) && c != '-' && c != '_')
+	  {
+	  done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	    US"invalid character in authentication mechanism name");
+	  goto COMMAND_LOOP;
+	  }
+	smtp_cmd_data++;
+	}
 
-    if (*smtp_cmd_data != 0)
-      {
-      *smtp_cmd_data++ = 0;
-      while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
-      }
+      /* If not at the end of the line, we must be at white space. Terminate the
+      name and move the pointer on to any data that may be present. */
 
-    /* Search for an authentication mechanism which is configured for use
-    as a server and which has been advertised (unless, sigh, allow_auth_
-    unadvertised is set). */
+      if (*smtp_cmd_data != 0)
+	{
+	*smtp_cmd_data++ = 0;
+	while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
+	}
 
-    for (au = auths; au; au = au->next)
-      if (strcmpic(s, au->public_name) == 0 && au->server &&
-          (au->advertised || allow_auth_unadvertised))
-	break;
+      /* Search for an authentication mechanism which is configured for use
+      as a server and which has been advertised (unless, sigh, allow_auth_
+      unadvertised is set). */
+
+      for (au = auths; au; au = au->next)
+	if (strcmpic(s, au->public_name) == 0 && au->server &&
+	    (au->advertised || f.allow_auth_unadvertised))
+	  break;
 
-    if (au)
-      {
-      c = smtp_in_auth(au, &s, &ss);
+      if (au)
+	{
+	c = smtp_in_auth(au, &s, &ss);
 
-      smtp_printf("%s\r\n", FALSE, s);
-      if (c != OK)
-	log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
-	  au->name, host_and_ident(FALSE), ss);
-      }
-    else
-      done = synprot_error(L_smtp_protocol_error, 504, NULL,
-        string_sprintf("%s authentication mechanism not supported", s));
+	smtp_printf("%s\r\n", FALSE, s);
+	if (c != OK)
+	  log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
+	    au->name, host_and_ident(FALSE), ss);
+	}
+      else
+	done = synprot_error(L_smtp_protocol_error, 504, NULL,
+	  string_sprintf("%s authentication mechanism not supported", s));
 
-    break;  /* AUTH_CMD */
+      break;  /* AUTH_CMD */
 
     /* The HELO/EHLO commands are permitted to appear in the middle of a
     session as well as at the beginning. They have the effect of a reset in
@@ -3996,395 +4113,421 @@
     it did the reset first. */
 
     case HELO_CMD:
-    HAD(SCH_HELO);
-    hello = US"HELO";
-    esmtp = FALSE;
-    goto HELO_EHLO;
+      HAD(SCH_HELO);
+      hello = US"HELO";
+      fl.esmtp = FALSE;
+      goto HELO_EHLO;
 
     case EHLO_CMD:
-    HAD(SCH_EHLO);
-    hello = US"EHLO";
-    esmtp = TRUE;
+      HAD(SCH_EHLO);
+      hello = US"EHLO";
+      fl.esmtp = TRUE;
 
     HELO_EHLO:      /* Common code for HELO and EHLO */
-    cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
-    cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
+      cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
+      cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
 
-    /* Reject the HELO if its argument was invalid or non-existent. A
-    successful check causes the argument to be saved in malloc store. */
+      /* Reject the HELO if its argument was invalid or non-existent. A
+      successful check causes the argument to be saved in malloc store. */
 
-    if (!check_helo(smtp_cmd_data))
-      {
-      smtp_printf("501 Syntactically invalid %s argument(s)\r\n", FALSE, hello);
+      if (!check_helo(smtp_cmd_data))
+	{
+	smtp_printf("501 Syntactically invalid %s argument(s)\r\n", FALSE, hello);
 
-      log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
-        "invalid argument(s): %s", hello, host_and_ident(FALSE),
-        (*smtp_cmd_argument == 0)? US"(no argument given)" :
-                           string_printing(smtp_cmd_argument));
+	log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
+	  "invalid argument(s): %s", hello, host_and_ident(FALSE),
+	  *smtp_cmd_argument == 0 ? US"(no argument given)" :
+			     string_printing(smtp_cmd_argument));
 
-      if (++synprot_error_count > smtp_max_synprot_errors)
-        {
-        log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
-          "syntax or protocol errors (last command was \"%s\")",
-          host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
-        done = 1;
-        }
+	if (++synprot_error_count > smtp_max_synprot_errors)
+	  {
+	  log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
+	    "syntax or protocol errors (last command was \"%s\")",
+	    host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
+	  done = 1;
+	  }
 
-      break;
-      }
+	break;
+	}
 
-    /* If sender_host_unknown is true, we have got here via the -bs interface,
-    not called from inetd. Otherwise, we are running an IP connection and the
-    host address will be set. If the helo name is the primary name of this
-    host and we haven't done a reverse lookup, force one now. If helo_required
-    is set, ensure that the HELO name matches the actual host. If helo_verify
-    is set, do the same check, but softly. */
+      /* If sender_host_unknown is true, we have got here via the -bs interface,
+      not called from inetd. Otherwise, we are running an IP connection and the
+      host address will be set. If the helo name is the primary name of this
+      host and we haven't done a reverse lookup, force one now. If helo_required
+      is set, ensure that the HELO name matches the actual host. If helo_verify
+      is set, do the same check, but softly. */
 
-    if (!sender_host_unknown)
-      {
-      BOOL old_helo_verified = helo_verified;
-      uschar *p = smtp_cmd_data;
+      if (!f.sender_host_unknown)
+	{
+	BOOL old_helo_verified = f.helo_verified;
+	uschar *p = smtp_cmd_data;
 
-      while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
-      *p = 0;
+	while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
+	*p = 0;
 
-      /* Force a reverse lookup if HELO quoted something in helo_lookup_domains
-      because otherwise the log can be confusing. */
+	/* Force a reverse lookup if HELO quoted something in helo_lookup_domains
+	because otherwise the log can be confusing. */
 
-      if (  !sender_host_name
-         && (deliver_domain = sender_helo_name,  /* set $domain */
-             match_isinlist(sender_helo_name, CUSS &helo_lookup_domains, 0,
-              &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) == OK)
-        (void)host_name_lookup();
-
-      /* Rebuild the fullhost info to include the HELO name (and the real name
-      if it was looked up.) */
-
-      host_build_sender_fullhost();  /* Rebuild */
-      set_process_info("handling%s incoming connection from %s",
-        (tls_in.active >= 0)? " TLS" : "", host_and_ident(FALSE));
-
-      /* Verify if configured. This doesn't give much security, but it does
-      make some people happy to be able to do it. If helo_required is set,
-      (host matches helo_verify_hosts) failure forces rejection. If helo_verify
-      is set (host matches helo_try_verify_hosts), it does not. This is perhaps
-      now obsolescent, since the verification can now be requested selectively
-      at ACL time. */
+	if (  !sender_host_name
+	   && match_isinlist(sender_helo_name, CUSS &helo_lookup_domains, 0,
+		&domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
+	  (void)host_name_lookup();
+
+	/* Rebuild the fullhost info to include the HELO name (and the real name
+	if it was looked up.) */
+
+	host_build_sender_fullhost();  /* Rebuild */
+	set_process_info("handling%s incoming connection from %s",
+	  tls_in.active.sock >= 0 ? " TLS" : "", host_and_ident(FALSE));
+
+	/* Verify if configured. This doesn't give much security, but it does
+	make some people happy to be able to do it. If helo_required is set,
+	(host matches helo_verify_hosts) failure forces rejection. If helo_verify
+	is set (host matches helo_try_verify_hosts), it does not. This is perhaps
+	now obsolescent, since the verification can now be requested selectively
+	at ACL time. */
 
-      helo_verified = helo_verify_failed = sender_helo_dnssec = FALSE;
-      if (helo_required || helo_verify)
-        {
-        BOOL tempfail = !smtp_verify_helo();
-        if (!helo_verified)
-          {
-          if (helo_required)
-            {
-            smtp_printf("%d %s argument does not match calling host\r\n", FALSE,
-              tempfail? 451 : 550, hello);
-            log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
-              tempfail? "temporarily " : "",
-              hello, sender_helo_name, host_and_ident(FALSE));
-            helo_verified = old_helo_verified;
-            break;                   /* End of HELO/EHLO processing */
-            }
-          HDEBUG(D_all) debug_printf("%s verification failed but host is in "
-            "helo_try_verify_hosts\n", hello);
-          }
-        }
-      }
+	f.helo_verified = f.helo_verify_failed = sender_helo_dnssec = FALSE;
+	if (fl.helo_required || fl.helo_verify)
+	  {
+	  BOOL tempfail = !smtp_verify_helo();
+	  if (!f.helo_verified)
+	    {
+	    if (fl.helo_required)
+	      {
+	      smtp_printf("%d %s argument does not match calling host\r\n", FALSE,
+		tempfail? 451 : 550, hello);
+	      log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
+		tempfail? "temporarily " : "",
+		hello, sender_helo_name, host_and_ident(FALSE));
+	      f.helo_verified = old_helo_verified;
+	      break;                   /* End of HELO/EHLO processing */
+	      }
+	    HDEBUG(D_all) debug_printf("%s verification failed but host is in "
+	      "helo_try_verify_hosts\n", hello);
+	    }
+	  }
+	}
 
 #ifdef SUPPORT_SPF
-    /* set up SPF context */
-    spf_init(sender_helo_name, sender_host_address);
+      /* set up SPF context */
+      spf_init(sender_helo_name, sender_host_address);
 #endif
 
-    /* Apply an ACL check if one is defined; afterwards, recheck
-    synchronization in case the client started sending in a delay. */
+      /* Apply an ACL check if one is defined; afterwards, recheck
+      synchronization in case the client started sending in a delay. */
 
-    if (acl_smtp_helo)
-      if ((rc = acl_check(ACL_WHERE_HELO, NULL, acl_smtp_helo,
-		&user_msg, &log_msg)) != OK)
-        {
-        done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
-	if (sender_helo_name)
+      if (acl_smtp_helo)
+	if ((rc = acl_check(ACL_WHERE_HELO, NULL, acl_smtp_helo,
+		  &user_msg, &log_msg)) != OK)
 	  {
-	  store_free(sender_helo_name);
-	  sender_helo_name = NULL;
+	  done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
+	  if (sender_helo_name)
+	    {
+	    store_free(sender_helo_name);
+	    sender_helo_name = NULL;
+	    }
+	  host_build_sender_fullhost();  /* Rebuild */
+	  break;
 	  }
-        host_build_sender_fullhost();  /* Rebuild */
-        break;
-        }
-      else if (!check_sync()) goto SYNC_FAILURE;
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	else if (!fl.pipe_connect_acceptable && !check_sync())
+#else
+	else if (!check_sync())
+#endif
+	  goto SYNC_FAILURE;
 
-    /* Generate an OK reply. The default string includes the ident if present,
-    and also the IP address if present. Reflecting back the ident is intended
-    as a deterrent to mail forgers. For maximum efficiency, and also because
-    some broken systems expect each response to be in a single packet, arrange
-    that the entire reply is sent in one write(). */
+      /* Generate an OK reply. The default string includes the ident if present,
+      and also the IP address if present. Reflecting back the ident is intended
+      as a deterrent to mail forgers. For maximum efficiency, and also because
+      some broken systems expect each response to be in a single packet, arrange
+      that the entire reply is sent in one write(). */
 
-    auth_advertised = FALSE;
-    pipelining_advertised = FALSE;
+      fl.auth_advertised = FALSE;
+      f.smtp_in_pipelining_advertised = FALSE;
 #ifdef SUPPORT_TLS
-    tls_advertised = FALSE;
+      fl.tls_advertised = FALSE;
+# ifdef EXPERIMENTAL_REQUIRETLS
+      fl.requiretls_advertised = FALSE;
+# endif
 #endif
-    dsn_advertised = FALSE;
+      fl.dsn_advertised = FALSE;
 #ifdef SUPPORT_I18N
-    smtputf8_advertised = FALSE;
+      fl.smtputf8_advertised = FALSE;
 #endif
 
-    smtp_code = US"250 ";        /* Default response code plus space*/
-    if (!user_msg)
-      {
-      s = string_sprintf("%.3s %s Hello %s%s%s",
-        smtp_code,
-        smtp_active_hostname,
-        sender_ident ? sender_ident : US"",
-        sender_ident ? US" at " : US"",
-        sender_host_name ? sender_host_name : sender_helo_name);
-      g = string_cat(NULL, s);
-
-      if (sender_host_address)
-        {
-        g = string_catn(g, US" [", 2);
-        g = string_cat (g, sender_host_address);
-        g = string_catn(g, US"]", 1);
-        }
-      }
-
-    /* A user-supplied EHLO greeting may not contain more than one line. Note
-    that the code returned by smtp_message_code() includes the terminating
-    whitespace character. */
-
-    else
-      {
-      char *ss;
-      int codelen = 4;
-      smtp_message_code(&smtp_code, &codelen, &user_msg, NULL, TRUE);
-      s = string_sprintf("%.*s%s", codelen, smtp_code, user_msg);
-      if ((ss = strpbrk(CS s, "\r\n")) != NULL)
-        {
-        log_write(0, LOG_MAIN|LOG_PANIC, "EHLO/HELO response must not contain "
-          "newlines: message truncated: %s", string_printing(s));
-        *ss = 0;
-        }
-      g = string_cat(NULL, s);
-      }
+      smtp_code = US"250 ";        /* Default response code plus space*/
+      if (!user_msg)
+	{
+	g = string_fmt_append(NULL, "%.3s %s Hello %s%s%s",
+	  smtp_code,
+	  smtp_active_hostname,
+	  sender_ident ? sender_ident : US"",
+	  sender_ident ? US" at " : US"",
+	  sender_host_name ? sender_host_name : sender_helo_name);
 
-    g = string_catn(g, US"\r\n", 2);
+	if (sender_host_address)
+	  g = string_fmt_append(g, " [%s]", sender_host_address);
+	}
 
-    /* If we received EHLO, we must create a multiline response which includes
-    the functions supported. */
+      /* A user-supplied EHLO greeting may not contain more than one line. Note
+      that the code returned by smtp_message_code() includes the terminating
+      whitespace character. */
 
-    if (esmtp)
-      {
-      g->s[3] = '-';
+      else
+	{
+	char *ss;
+	int codelen = 4;
+	smtp_message_code(&smtp_code, &codelen, &user_msg, NULL, TRUE);
+	s = string_sprintf("%.*s%s", codelen, smtp_code, user_msg);
+	if ((ss = strpbrk(CS s, "\r\n")) != NULL)
+	  {
+	  log_write(0, LOG_MAIN|LOG_PANIC, "EHLO/HELO response must not contain "
+	    "newlines: message truncated: %s", string_printing(s));
+	  *ss = 0;
+	  }
+	g = string_cat(NULL, s);
+	}
 
-      /* I'm not entirely happy with this, as an MTA is supposed to check
-      that it has enough room to accept a message of maximum size before
-      it sends this. However, there seems little point in not sending it.
-      The actual size check happens later at MAIL FROM time. By postponing it
-      till then, VRFY and EXPN can be used after EHLO when space is short. */
+      g = string_catn(g, US"\r\n", 2);
 
-      if (thismessage_size_limit > 0)
-        {
-        sprintf(CS big_buffer, "%.3s-SIZE %d\r\n", smtp_code,
-          thismessage_size_limit);
-        g = string_cat(g, big_buffer);
-        }
-      else
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-SIZE\r\n", 7);
-        }
+      /* If we received EHLO, we must create a multiline response which includes
+      the functions supported. */
 
-      /* Exim does not do protocol conversion or data conversion. It is 8-bit
-      clean; if it has an 8-bit character in its hand, it just sends it. It
-      cannot therefore specify 8BITMIME and remain consistent with the RFCs.
-      However, some users want this option simply in order to stop MUAs
-      mangling messages that contain top-bit-set characters. It is therefore
-      provided as an option. */
+      if (fl.esmtp)
+	{
+	g->s[3] = '-';
 
-      if (accept_8bitmime)
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-8BITMIME\r\n", 11);
-        }
+	/* I'm not entirely happy with this, as an MTA is supposed to check
+	that it has enough room to accept a message of maximum size before
+	it sends this. However, there seems little point in not sending it.
+	The actual size check happens later at MAIL FROM time. By postponing it
+	till then, VRFY and EXPN can be used after EHLO when space is short. */
+
+	if (thismessage_size_limit > 0)
+	  g = string_fmt_append(g, "%.3s-SIZE %d\r\n", smtp_code,
+	    thismessage_size_limit);
+	else
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-SIZE\r\n", 7);
+	  }
 
-      /* Advertise DSN support if configured to do so. */
-      if (verify_check_host(&dsn_advertise_hosts) != FAIL)
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-DSN\r\n", 6);
-        dsn_advertised = TRUE;
-        }
+	/* Exim does not do protocol conversion or data conversion. It is 8-bit
+	clean; if it has an 8-bit character in its hand, it just sends it. It
+	cannot therefore specify 8BITMIME and remain consistent with the RFCs.
+	However, some users want this option simply in order to stop MUAs
+	mangling messages that contain top-bit-set characters. It is therefore
+	provided as an option. */
 
-      /* Advertise ETRN/VRFY/EXPN if there's are ACL checking whether a host is
-      permitted to issue them; a check is made when any host actually tries. */
+	if (accept_8bitmime)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-8BITMIME\r\n", 11);
+	  }
 
-      if (acl_smtp_etrn)
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-ETRN\r\n", 7);
-        }
-      if (acl_smtp_vrfy)
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-VRFY\r\n", 7);
-        }
-      if (acl_smtp_expn)
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-EXPN\r\n", 7);
-        }
+	/* Advertise DSN support if configured to do so. */
+	if (verify_check_host(&dsn_advertise_hosts) != FAIL)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-DSN\r\n", 6);
+	  fl.dsn_advertised = TRUE;
+	  }
 
-      /* Exim is quite happy with pipelining, so let the other end know that
-      it is safe to use it, unless advertising is disabled. */
+	/* Advertise ETRN/VRFY/EXPN if there's are ACL checking whether a host is
+	permitted to issue them; a check is made when any host actually tries. */
 
-      if (pipelining_enable &&
-          verify_check_host(&pipelining_advertise_hosts) == OK)
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-PIPELINING\r\n", 13);
-        sync_cmd_limit = NON_SYNC_CMD_PIPELINING;
-        pipelining_advertised = TRUE;
-        }
+	if (acl_smtp_etrn)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-ETRN\r\n", 7);
+	  }
+	if (acl_smtp_vrfy)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-VRFY\r\n", 7);
+	  }
+	if (acl_smtp_expn)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-EXPN\r\n", 7);
+	  }
 
+	/* Exim is quite happy with pipelining, so let the other end know that
+	it is safe to use it, unless advertising is disabled. */
 
-      /* If any server authentication mechanisms are configured, advertise
-      them if the current host is in auth_advertise_hosts. The problem with
-      advertising always is that some clients then require users to
-      authenticate (and aren't configurable otherwise) even though it may not
-      be necessary (e.g. if the host is in host_accept_relay).
-
-      RFC 2222 states that SASL mechanism names contain only upper case
-      letters, so output the names in upper case, though we actually recognize
-      them in either case in the AUTH command. */
+	if (  f.pipelining_enable
+	   && verify_check_host(&pipelining_advertise_hosts) == OK)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-PIPELINING\r\n", 13);
+	  sync_cmd_limit = NON_SYNC_CMD_PIPELINING;
+	  f.smtp_in_pipelining_advertised = TRUE;
 
-      if (  auths
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	  if (fl.pipe_connect_acceptable)
+	    {
+	    f.smtp_in_early_pipe_advertised = TRUE;
+	    g = string_catn(g, smtp_code, 3);
+	    g = string_catn(g, US"-" EARLY_PIPE_FEATURE_NAME "\r\n", EARLY_PIPE_FEATURE_LEN+3);
+	    }
+#endif
+	  }
+
+
+	/* If any server authentication mechanisms are configured, advertise
+	them if the current host is in auth_advertise_hosts. The problem with
+	advertising always is that some clients then require users to
+	authenticate (and aren't configurable otherwise) even though it may not
+	be necessary (e.g. if the host is in host_accept_relay).
+
+	RFC 2222 states that SASL mechanism names contain only upper case
+	letters, so output the names in upper case, though we actually recognize
+	them in either case in the AUTH command. */
+
+	if (  auths
 #ifdef AUTH_TLS
-	 && !sender_host_authenticated
+	   && !sender_host_authenticated
 #endif
-         && verify_check_host(&auth_advertise_hosts) == OK
-	 )
-	{
-	auth_instance *au;
-	BOOL first = TRUE;
-	for (au = auths; au; au = au->next)
+	   && verify_check_host(&auth_advertise_hosts) == OK
+	   )
 	  {
-	  au->advertised = FALSE;
-	  if (au->server)
+	  auth_instance *au;
+	  BOOL first = TRUE;
+	  for (au = auths; au; au = au->next)
 	    {
-	    DEBUG(D_auth+D_expand) debug_printf_indent(
-	      "Evaluating advertise_condition for %s athenticator\n",
-	      au->public_name);
-	    if (  !au->advertise_condition
-	       || expand_check_condition(au->advertise_condition, au->name,
-		      US"authenticator")
-	       )
+	    au->advertised = FALSE;
+	    if (au->server)
 	      {
-	      int saveptr;
-	      if (first)
+	      DEBUG(D_auth+D_expand) debug_printf_indent(
+		"Evaluating advertise_condition for %s athenticator\n",
+		au->public_name);
+	      if (  !au->advertise_condition
+		 || expand_check_condition(au->advertise_condition, au->name,
+			US"authenticator")
+		 )
 		{
-		g = string_catn(g, smtp_code, 3);
-		g = string_catn(g, US"-AUTH", 5);
-		first = FALSE;
-		auth_advertised = TRUE;
+		int saveptr;
+		if (first)
+		  {
+		  g = string_catn(g, smtp_code, 3);
+		  g = string_catn(g, US"-AUTH", 5);
+		  first = FALSE;
+		  fl.auth_advertised = TRUE;
+		  }
+		saveptr = g->ptr;
+		g = string_catn(g, US" ", 1);
+		g = string_cat (g, au->public_name);
+		while (++saveptr < g->ptr) g->s[saveptr] = toupper(g->s[saveptr]);
+		au->advertised = TRUE;
 		}
-	      saveptr = g->ptr;
-	      g = string_catn(g, US" ", 1);
-	      g = string_cat (g, au->public_name);
-	      while (++saveptr < g->ptr) g->s[saveptr] = toupper(g->s[saveptr]);
-	      au->advertised = TRUE;
 	      }
 	    }
-	  }
 
-	if (!first) g = string_catn(g, US"\r\n", 2);
-	}
+	  if (!first) g = string_catn(g, US"\r\n", 2);
+	  }
 
-      /* RFC 3030 CHUNKING */
+	/* RFC 3030 CHUNKING */
 
-      if (verify_check_host(&chunking_advertise_hosts) != FAIL)
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-CHUNKING\r\n", 11);
-	chunking_offered = TRUE;
-	chunking_state = CHUNKING_OFFERED;
-        }
+	if (verify_check_host(&chunking_advertise_hosts) != FAIL)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-CHUNKING\r\n", 11);
+	  f.chunking_offered = TRUE;
+	  chunking_state = CHUNKING_OFFERED;
+	  }
 
-      /* Advertise TLS (Transport Level Security) aka SSL (Secure Socket Layer)
-      if it has been included in the binary, and the host matches
-      tls_advertise_hosts. We must *not* advertise if we are already in a
-      secure connection. */
+	/* Advertise TLS (Transport Level Security) aka SSL (Secure Socket Layer)
+	if it has been included in the binary, and the host matches
+	tls_advertise_hosts. We must *not* advertise if we are already in a
+	secure connection. */
 
 #ifdef SUPPORT_TLS
-      if (tls_in.active < 0 &&
-          verify_check_host(&tls_advertise_hosts) != FAIL)
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-STARTTLS\r\n", 11);
-        tls_advertised = TRUE;
-        }
+	if (tls_in.active.sock < 0 &&
+	    verify_check_host(&tls_advertise_hosts) != FAIL)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-STARTTLS\r\n", 11);
+	  fl.tls_advertised = TRUE;
+	  }
+
+# ifdef EXPERIMENTAL_REQUIRETLS
+	/* Advertise REQUIRETLS only once we are in a secure connection */
+	if (  tls_in.active.sock >= 0
+	   && verify_check_host(&tls_advertise_requiretls) != FAIL)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-REQUIRETLS\r\n", 13);
+	  fl.requiretls_advertised = TRUE;
+	  }
+# endif
 #endif
 
 #ifndef DISABLE_PRDR
-      /* Per Recipient Data Response, draft by Eric A. Hall extending RFC */
-      if (prdr_enable)
-        {
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-PRDR\r\n", 7);
-	}
+	/* Per Recipient Data Response, draft by Eric A. Hall extending RFC */
+	if (prdr_enable)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-PRDR\r\n", 7);
+	  }
 #endif
 
 #ifdef SUPPORT_I18N
-      if (  accept_8bitmime
-         && verify_check_host(&smtputf8_advertise_hosts) != FAIL)
-	{
-        g = string_catn(g, smtp_code, 3);
-        g = string_catn(g, US"-SMTPUTF8\r\n", 11);
-        smtputf8_advertised = TRUE;
-	}
+	if (  accept_8bitmime
+	   && verify_check_host(&smtputf8_advertise_hosts) != FAIL)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-SMTPUTF8\r\n", 11);
+	  fl.smtputf8_advertised = TRUE;
+	  }
 #endif
 
-      /* Finish off the multiline reply with one that is always available. */
+	/* Finish off the multiline reply with one that is always available. */
 
-      g = string_catn(g, smtp_code, 3);
-      g = string_catn(g, US" HELP\r\n", 7);
-      }
+	g = string_catn(g, smtp_code, 3);
+	g = string_catn(g, US" HELP\r\n", 7);
+	}
 
-    /* Terminate the string (for debug), write it, and note that HELO/EHLO
-    has been seen. */
+      /* Terminate the string (for debug), write it, and note that HELO/EHLO
+      has been seen. */
 
 #ifdef SUPPORT_TLS
-    if (tls_in.active >= 0) (void)tls_write(TRUE, g->s, g->ptr, FALSE); else
+      if (tls_in.active.sock >= 0)
+	(void)tls_write(NULL, g->s, g->ptr,
+# ifdef EXPERIMENTAL_PIPE_CONNECT
+			fl.pipe_connect_acceptable && pipeline_connect_sends());
+# else
+			FALSE);
+# endif
+      else
 #endif
 
-      {
-      int i = fwrite(g->s, 1, g->ptr, smtp_out); i = i; /* compiler quietening */
-      }
-    DEBUG(D_receive)
-      {
-      uschar *cr;
+	{
+	int i = fwrite(g->s, 1, g->ptr, smtp_out); i = i; /* compiler quietening */
+	}
+      DEBUG(D_receive)
+	{
+	uschar *cr;
 
-      (void) string_from_gstring(g);
-      while ((cr = Ustrchr(g->s, '\r')) != NULL)   /* lose CRs */
-        memmove(cr, cr + 1, (g->ptr--) - (cr - g->s));
-      debug_printf("SMTP>> %s", g->s);
-      }
-    helo_seen = TRUE;
+	(void) string_from_gstring(g);
+	while ((cr = Ustrchr(g->s, '\r')) != NULL)   /* lose CRs */
+	  memmove(cr, cr + 1, (g->ptr--) - (cr - g->s));
+	debug_printf("SMTP>> %s", g->s);
+	}
+      fl.helo_seen = TRUE;
 
-    /* Reset the protocol and the state, abandoning any previous message. */
-    received_protocol =
-      (sender_host_address ? protocols : protocols_local)
-	[ (esmtp
-	  ? pextend + (sender_host_authenticated ? pauthed : 0)
-	  : pnormal)
-	+ (tls_in.active >= 0 ? pcrpted : 0)
-	];
-    cancel_cutthrough_connection(TRUE, US"sent EHLO response");
-    smtp_reset(reset_point);
-    toomany = FALSE;
-    break;   /* HELO/EHLO */
+      /* Reset the protocol and the state, abandoning any previous message. */
+      received_protocol =
+	(sender_host_address ? protocols : protocols_local)
+	  [ (fl.esmtp
+	    ? pextend + (sender_host_authenticated ? pauthed : 0)
+	    : pnormal)
+	  + (tls_in.active.sock >= 0 ? pcrpted : 0)
+	  ];
+      cancel_cutthrough_connection(TRUE, US"sent EHLO response");
+      smtp_reset(reset_point);
+      toomany = FALSE;
+      break;   /* HELO/EHLO */
 
 
     /* The MAIL command requires an address as an operand. All we do
@@ -4394,407 +4537,445 @@
     it is the canonical extracted address which is all that is kept. */
 
     case MAIL_CMD:
-    HAD(SCH_MAIL);
-    smtp_mailcmd_count++;              /* Count for limit and ratelimit */
-    was_rej_mail = TRUE;               /* Reset if accepted */
-    env_mail_type_t * mail_args;       /* Sanity check & validate args */
-
-    if (helo_required && !helo_seen)
-      {
-      smtp_printf("503 HELO or EHLO required\r\n", FALSE);
-      log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL from %s: no "
-        "HELO/EHLO given", host_and_ident(FALSE));
-      break;
-      }
+      HAD(SCH_MAIL);
+      smtp_mailcmd_count++;              /* Count for limit and ratelimit */
+      was_rej_mail = TRUE;               /* Reset if accepted */
+      env_mail_type_t * mail_args;       /* Sanity check & validate args */
 
-    if (sender_address != NULL)
-      {
-      done = synprot_error(L_smtp_protocol_error, 503, NULL,
-        US"sender already given");
-      break;
-      }
+      if (fl.helo_required && !fl.helo_seen)
+	{
+	smtp_printf("503 HELO or EHLO required\r\n", FALSE);
+	log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL from %s: no "
+	  "HELO/EHLO given", host_and_ident(FALSE));
+	break;
+	}
 
-    if (smtp_cmd_data[0] == 0)
-      {
-      done = synprot_error(L_smtp_protocol_error, 501, NULL,
-        US"MAIL must have an address operand");
-      break;
-      }
+      if (sender_address)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"sender already given");
+	break;
+	}
 
-    /* Check to see if the limit for messages per connection would be
-    exceeded by accepting further messages. */
+      if (!*smtp_cmd_data)
+	{
+	done = synprot_error(L_smtp_protocol_error, 501, NULL,
+	  US"MAIL must have an address operand");
+	break;
+	}
 
-    if (smtp_accept_max_per_connection > 0 &&
-        smtp_mailcmd_count > smtp_accept_max_per_connection)
-      {
-      smtp_printf("421 too many messages in this connection\r\n", FALSE);
-      log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL command %s: too many "
-        "messages in one connection", host_and_ident(TRUE));
-      break;
-      }
+      /* Check to see if the limit for messages per connection would be
+      exceeded by accepting further messages. */
 
-    /* Reset for start of message - even if this is going to fail, we
-    obviously need to throw away any previous data. */
+      if (smtp_accept_max_per_connection > 0 &&
+	  smtp_mailcmd_count > smtp_accept_max_per_connection)
+	{
+	smtp_printf("421 too many messages in this connection\r\n", FALSE);
+	log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL command %s: too many "
+	  "messages in one connection", host_and_ident(TRUE));
+	break;
+	}
 
-    cancel_cutthrough_connection(TRUE, US"MAIL received");
-    smtp_reset(reset_point);
-    toomany = FALSE;
-    sender_data = recipient_data = NULL;
+      /* Reset for start of message - even if this is going to fail, we
+      obviously need to throw away any previous data. */
 
-    /* Loop, checking for ESMTP additions to the MAIL FROM command. */
+      cancel_cutthrough_connection(TRUE, US"MAIL received");
+      smtp_reset(reset_point);
+      toomany = FALSE;
+      sender_data = recipient_data = NULL;
 
-    if (esmtp) for(;;)
-      {
-      uschar *name, *value, *end;
-      unsigned long int size;
-      BOOL arg_error = FALSE;
-
-      if (!extract_option(&name, &value)) break;
-
-      for (mail_args = env_mail_type_list;
-           mail_args->value != ENV_MAIL_OPT_NULL;
-           mail_args++
-          )
-        if (strcmpic(name, mail_args->name) == 0)
-          break;
-      if (mail_args->need_value && strcmpic(value, US"") == 0)
-        break;
+      /* Loop, checking for ESMTP additions to the MAIL FROM command. */
 
-      switch(mail_args->value)
-        {
-        /* Handle SIZE= by reading the value. We don't do the check till later,
-        in order to be able to log the sender address on failure. */
-        case ENV_MAIL_OPT_SIZE:
-          if (((size = Ustrtoul(value, &end, 10)), *end == 0))
-            {
-            if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
-              size = INT_MAX;
-            message_size = (int)size;
-            }
-          else
-            arg_error = TRUE;
-          break;
+      if (fl.esmtp) for(;;)
+	{
+	uschar *name, *value, *end;
+	unsigned long int size;
+	BOOL arg_error = FALSE;
+
+	if (!extract_option(&name, &value)) break;
+
+	for (mail_args = env_mail_type_list;
+	     mail_args->value != ENV_MAIL_OPT_NULL;
+	     mail_args++
+	    )
+	  if (strcmpic(name, mail_args->name) == 0)
+	    break;
+	if (mail_args->need_value && strcmpic(value, US"") == 0)
+	  break;
 
-        /* If this session was initiated with EHLO and accept_8bitmime is set,
-        Exim will have indicated that it supports the BODY=8BITMIME option. In
-        fact, it does not support this according to the RFCs, in that it does not
-        take any special action for forwarding messages containing 8-bit
-        characters. That is why accept_8bitmime is not the default setting, but
-        some sites want the action that is provided. We recognize both "8BITMIME"
-        and "7BIT" as body types, but take no action. */
-        case ENV_MAIL_OPT_BODY:
-          if (accept_8bitmime) {
-            if (strcmpic(value, US"8BITMIME") == 0)
-              body_8bitmime = 8;
-            else if (strcmpic(value, US"7BIT") == 0)
-              body_8bitmime = 7;
-            else
+	switch(mail_args->value)
+	  {
+	  /* Handle SIZE= by reading the value. We don't do the check till later,
+	  in order to be able to log the sender address on failure. */
+	  case ENV_MAIL_OPT_SIZE:
+	    if (((size = Ustrtoul(value, &end, 10)), *end == 0))
 	      {
-              body_8bitmime = 0;
-              done = synprot_error(L_smtp_syntax_error, 501, NULL,
-                US"invalid data for BODY");
-              goto COMMAND_LOOP;
-              }
-            DEBUG(D_receive) debug_printf("8BITMIME: %d\n", body_8bitmime);
+	      if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
+		size = INT_MAX;
+	      message_size = (int)size;
+	      }
+	    else
+	      arg_error = TRUE;
 	    break;
-          }
-          arg_error = TRUE;
-          break;
 
-        /* Handle the two DSN options, but only if configured to do so (which
-        will have caused "DSN" to be given in the EHLO response). The code itself
-        is included only if configured in at build time. */
+	  /* If this session was initiated with EHLO and accept_8bitmime is set,
+	  Exim will have indicated that it supports the BODY=8BITMIME option. In
+	  fact, it does not support this according to the RFCs, in that it does not
+	  take any special action for forwarding messages containing 8-bit
+	  characters. That is why accept_8bitmime is not the default setting, but
+	  some sites want the action that is provided. We recognize both "8BITMIME"
+	  and "7BIT" as body types, but take no action. */
+	  case ENV_MAIL_OPT_BODY:
+	    if (accept_8bitmime) {
+	      if (strcmpic(value, US"8BITMIME") == 0)
+		body_8bitmime = 8;
+	      else if (strcmpic(value, US"7BIT") == 0)
+		body_8bitmime = 7;
+	      else
+		{
+		body_8bitmime = 0;
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"invalid data for BODY");
+		goto COMMAND_LOOP;
+		}
+	      DEBUG(D_receive) debug_printf("8BITMIME: %d\n", body_8bitmime);
+	      break;
+	    }
+	    arg_error = TRUE;
+	    break;
 
-        case ENV_MAIL_OPT_RET:
-          if (dsn_advertised)
-	    {
-            /* Check if RET has already been set */
-            if (dsn_ret > 0)
-	      {
-              synprot_error(L_smtp_syntax_error, 501, NULL,
-                US"RET can be specified once only");
-              goto COMMAND_LOOP;
-	      }
-            dsn_ret = strcmpic(value, US"HDRS") == 0
-	      ? dsn_ret_hdrs
-	      : strcmpic(value, US"FULL") == 0
-	      ? dsn_ret_full
-	      : 0;
-            DEBUG(D_receive) debug_printf("DSN_RET: %d\n", dsn_ret);
-            /* Check for invalid invalid value, and exit with error */
-            if (dsn_ret == 0)
+	  /* Handle the two DSN options, but only if configured to do so (which
+	  will have caused "DSN" to be given in the EHLO response). The code itself
+	  is included only if configured in at build time. */
+
+	  case ENV_MAIL_OPT_RET:
+	    if (fl.dsn_advertised)
 	      {
-              synprot_error(L_smtp_syntax_error, 501, NULL,
-                US"Value for RET is invalid");
-              goto COMMAND_LOOP;
+	      /* Check if RET has already been set */
+	      if (dsn_ret > 0)
+		{
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"RET can be specified once only");
+		goto COMMAND_LOOP;
+		}
+	      dsn_ret = strcmpic(value, US"HDRS") == 0
+		? dsn_ret_hdrs
+		: strcmpic(value, US"FULL") == 0
+		? dsn_ret_full
+		: 0;
+	      DEBUG(D_receive) debug_printf("DSN_RET: %d\n", dsn_ret);
+	      /* Check for invalid invalid value, and exit with error */
+	      if (dsn_ret == 0)
+		{
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"Value for RET is invalid");
+		goto COMMAND_LOOP;
+		}
 	      }
-	    }
-          break;
-        case ENV_MAIL_OPT_ENVID:
-          if (dsn_advertised)
-	    {
-            /* Check if the dsn envid has been already set */
-            if (dsn_envid != NULL)
+	    break;
+	  case ENV_MAIL_OPT_ENVID:
+	    if (fl.dsn_advertised)
 	      {
-              synprot_error(L_smtp_syntax_error, 501, NULL,
-                US"ENVID can be specified once only");
-              goto COMMAND_LOOP;
+	      /* Check if the dsn envid has been already set */
+	      if (dsn_envid)
+		{
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"ENVID can be specified once only");
+		goto COMMAND_LOOP;
+		}
+	      dsn_envid = string_copy(value);
+	      DEBUG(D_receive) debug_printf("DSN_ENVID: %s\n", dsn_envid);
 	      }
-            dsn_envid = string_copy(value);
-            DEBUG(D_receive) debug_printf("DSN_ENVID: %s\n", dsn_envid);
-	    }
-          break;
-
-        /* Handle the AUTH extension. If the value given is not "<>" and either
-        the ACL says "yes" or there is no ACL but the sending host is
-        authenticated, we set it up as the authenticated sender. However, if the
-        authenticator set a condition to be tested, we ignore AUTH on MAIL unless
-        the condition is met. The value of AUTH is an xtext, which means that +,
-        = and cntrl chars are coded in hex; however "<>" is unaffected by this
-        coding. */
-        case ENV_MAIL_OPT_AUTH:
-          if (Ustrcmp(value, "<>") != 0)
-            {
-            int rc;
-            uschar *ignore_msg;
-
-            if (auth_xtextdecode(value, &authenticated_sender) < 0)
-              {
-              /* Put back terminator overrides for error message */
-              value[-1] = '=';
-              name[-1] = ' ';
-              done = synprot_error(L_smtp_syntax_error, 501, NULL,
-                US"invalid data for AUTH");
-              goto COMMAND_LOOP;
-              }
-            if (!acl_smtp_mailauth)
-              {
-              ignore_msg = US"client not authenticated";
-              rc = sender_host_authenticated ? OK : FAIL;
-              }
-            else
-              {
-              ignore_msg = US"rejected by ACL";
-              rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
-                &user_msg, &log_msg);
-              }
-
-            switch (rc)
-              {
-              case OK:
-		if (authenticated_by == NULL ||
-		    authenticated_by->mail_auth_condition == NULL ||
-		    expand_check_condition(authenticated_by->mail_auth_condition,
-			authenticated_by->name, US"authenticator"))
-		  break;     /* Accept the AUTH */
-
-		ignore_msg = US"server_mail_auth_condition failed";
-		if (authenticated_id != NULL)
-		  ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
-		    ignore_msg, authenticated_id);
-
-              /* Fall through */
-
-              case FAIL:
-		authenticated_sender = NULL;
-		log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
-		  value, host_and_ident(TRUE), ignore_msg);
-		break;
+	    break;
 
-              /* Should only get DEFER or ERROR here. Put back terminator
-              overrides for error message */
+	  /* Handle the AUTH extension. If the value given is not "<>" and either
+	  the ACL says "yes" or there is no ACL but the sending host is
+	  authenticated, we set it up as the authenticated sender. However, if the
+	  authenticator set a condition to be tested, we ignore AUTH on MAIL unless
+	  the condition is met. The value of AUTH is an xtext, which means that +,
+	  = and cntrl chars are coded in hex; however "<>" is unaffected by this
+	  coding. */
+	  case ENV_MAIL_OPT_AUTH:
+	    if (Ustrcmp(value, "<>") != 0)
+	      {
+	      int rc;
+	      uschar *ignore_msg;
 
-              default:
+	      if (auth_xtextdecode(value, &authenticated_sender) < 0)
+		{
+		/* Put back terminator overrides for error message */
 		value[-1] = '=';
 		name[-1] = ' ';
-		(void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
-		  log_msg);
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"invalid data for AUTH");
 		goto COMMAND_LOOP;
-              }
-            }
-            break;
+		}
+	      if (!acl_smtp_mailauth)
+		{
+		ignore_msg = US"client not authenticated";
+		rc = sender_host_authenticated ? OK : FAIL;
+		}
+	      else
+		{
+		ignore_msg = US"rejected by ACL";
+		rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
+		  &user_msg, &log_msg);
+		}
+
+	      switch (rc)
+		{
+		case OK:
+		  if (authenticated_by == NULL ||
+		      authenticated_by->mail_auth_condition == NULL ||
+		      expand_check_condition(authenticated_by->mail_auth_condition,
+			  authenticated_by->name, US"authenticator"))
+		    break;     /* Accept the AUTH */
+
+		  ignore_msg = US"server_mail_auth_condition failed";
+		  if (authenticated_id != NULL)
+		    ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
+		      ignore_msg, authenticated_id);
+
+		/* Fall through */
+
+		case FAIL:
+		  authenticated_sender = NULL;
+		  log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
+		    value, host_and_ident(TRUE), ignore_msg);
+		  break;
+
+		/* Should only get DEFER or ERROR here. Put back terminator
+		overrides for error message */
+
+		default:
+		  value[-1] = '=';
+		  name[-1] = ' ';
+		  (void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
+		    log_msg);
+		  goto COMMAND_LOOP;
+		}
+	      }
+	      break;
 
 #ifndef DISABLE_PRDR
-        case ENV_MAIL_OPT_PRDR:
-          if (prdr_enable)
-            prdr_requested = TRUE;
-          break;
+	  case ENV_MAIL_OPT_PRDR:
+	    if (prdr_enable)
+	      prdr_requested = TRUE;
+	    break;
 #endif
 
 #ifdef SUPPORT_I18N
-        case ENV_MAIL_OPT_UTF8:
-	  if (smtputf8_advertised)
-	    {
-	    int old_pool = store_pool;
+	  case ENV_MAIL_OPT_UTF8:
+	    if (!fl.smtputf8_advertised)
+	      {
+	      done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		US"SMTPUTF8 used when not advertised");
+	      goto COMMAND_LOOP;
+	      }
 
 	    DEBUG(D_receive) debug_printf("smtputf8 requested\n");
 	    message_smtputf8 = allow_utf8_domains = TRUE;
-	    store_pool = POOL_PERM;
-	    received_protocol = string_sprintf("utf8%s", received_protocol);
-	    store_pool = old_pool;
+	    if (Ustrncmp(received_protocol, US"utf8", 4) != 0)
+	      {
+	      int old_pool = store_pool;
+	      store_pool = POOL_PERM;
+	      received_protocol = string_sprintf("utf8%s", received_protocol);
+	      store_pool = old_pool;
+	      }
+	    break;
+#endif
+
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+	  case ENV_MAIL_OPT_REQTLS:
+	    {
+	    uschar * r, * t;
+
+	    if (!fl.requiretls_advertised)
+	      {
+	      done = synprot_error(L_smtp_syntax_error, 555, NULL,
+		US"unadvertised MAIL option: REQUIRETLS");
+	      goto COMMAND_LOOP;
+	      }
+
+	    DEBUG(D_receive) debug_printf("requiretls requested\n");
+	    tls_requiretls = REQUIRETLS_MSG;
+
+	    r = string_copy_malloc(received_protocol);
+	    if ((t = Ustrrchr(r, 's'))) *t = 'S';
+	    received_protocol = r;
 	    }
-	  break;
+	    break;
 #endif
-        /* No valid option. Stick back the terminator characters and break
-        the loop.  Do the name-terminator second as extract_option sets
-        value==name when it found no equal-sign.
-        An error for a malformed address will occur. */
-        case ENV_MAIL_OPT_NULL:
-          value[-1] = '=';
-          name[-1] = ' ';
-          arg_error = TRUE;
-          break;
 
-        default:  assert(0);
-        }
-      /* Break out of for loop if switch() had bad argument or
-         when start of the email address is reached */
-      if (arg_error) break;
-      }
+	  /* No valid option. Stick back the terminator characters and break
+	  the loop.  Do the name-terminator second as extract_option sets
+	  value==name when it found no equal-sign.
+	  An error for a malformed address will occur. */
+	  case ENV_MAIL_OPT_NULL:
+	    value[-1] = '=';
+	    name[-1] = ' ';
+	    arg_error = TRUE;
+	    break;
 
-    /* If we have passed the threshold for rate limiting, apply the current
-    delay, and update it for next time, provided this is a limited host. */
+	  default:  assert(0);
+	  }
+	/* Break out of for loop if switch() had bad argument or
+	   when start of the email address is reached */
+	if (arg_error) break;
+	}
 
-    if (smtp_mailcmd_count > smtp_rlm_threshold &&
-        verify_check_host(&smtp_ratelimit_hosts) == OK)
-      {
-      DEBUG(D_receive) debug_printf("rate limit MAIL: delay %.3g sec\n",
-        smtp_delay_mail/1000.0);
-      millisleep((int)smtp_delay_mail);
-      smtp_delay_mail *= smtp_rlm_factor;
-      if (smtp_delay_mail > (double)smtp_rlm_limit)
-        smtp_delay_mail = (double)smtp_rlm_limit;
-      }
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+      if (tls_requiretls & REQUIRETLS_MSG)
+	{
+	/* Ensure headers-only bounces whether a RET option was given or not. */
 
-    /* Now extract the address, first applying any SMTP-time rewriting. The
-    TRUE flag allows "<>" as a sender address. */
+	DEBUG(D_receive) if (dsn_ret == dsn_ret_full)
+	  debug_printf("requiretls override: dsn_ret_full -> dsn_ret_hdrs\n");
+	dsn_ret = dsn_ret_hdrs;
+	}
+#endif
 
-    raw_sender = rewrite_existflags & rewrite_smtp
-      ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
-		    global_rewrite_rules)
-      : smtp_cmd_data;
-
-    raw_sender =
-      parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
-        TRUE);
+      /* If we have passed the threshold for rate limiting, apply the current
+      delay, and update it for next time, provided this is a limited host. */
 
-    if (!raw_sender)
-      {
-      done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
-      break;
-      }
+      if (smtp_mailcmd_count > smtp_rlm_threshold &&
+	  verify_check_host(&smtp_ratelimit_hosts) == OK)
+	{
+	DEBUG(D_receive) debug_printf("rate limit MAIL: delay %.3g sec\n",
+	  smtp_delay_mail/1000.0);
+	millisleep((int)smtp_delay_mail);
+	smtp_delay_mail *= smtp_rlm_factor;
+	if (smtp_delay_mail > (double)smtp_rlm_limit)
+	  smtp_delay_mail = (double)smtp_rlm_limit;
+	}
 
-    sender_address = raw_sender;
+      /* Now extract the address, first applying any SMTP-time rewriting. The
+      TRUE flag allows "<>" as a sender address. */
 
-    /* If there is a configured size limit for mail, check that this message
-    doesn't exceed it. The check is postponed to this point so that the sender
-    can be logged. */
+      raw_sender = rewrite_existflags & rewrite_smtp
+	? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
+		      global_rewrite_rules)
+	: smtp_cmd_data;
 
-    if (thismessage_size_limit > 0 && message_size > thismessage_size_limit)
-      {
-      smtp_printf("552 Message size exceeds maximum permitted\r\n", FALSE);
-      log_write(L_size_reject,
-          LOG_MAIN|LOG_REJECT, "rejected MAIL FROM:<%s> %s: "
-          "message too big: size%s=%d max=%d",
-          sender_address,
-          host_and_ident(TRUE),
-          (message_size == INT_MAX)? ">" : "",
-          message_size,
-          thismessage_size_limit);
-      sender_address = NULL;
-      break;
-      }
+      raw_sender =
+	parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
+	  TRUE);
 
-    /* Check there is enough space on the disk unless configured not to.
-    When smtp_check_spool_space is set, the check is for thismessage_size_limit
-    plus the current message - i.e. we accept the message only if it won't
-    reduce the space below the threshold. Add 5000 to the size to allow for
-    overheads such as the Received: line and storing of recipients, etc.
-    By putting the check here, even when SIZE is not given, it allow VRFY
-    and EXPN etc. to be used when space is short. */
-
-    if (!receive_check_fs(
-         (smtp_check_spool_space && message_size >= 0)?
-            message_size + 5000 : 0))
-      {
-      smtp_printf("452 Space shortage, please try later\r\n", FALSE);
-      sender_address = NULL;
-      break;
-      }
+      if (!raw_sender)
+	{
+	done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
+	break;
+	}
 
-    /* If sender_address is unqualified, reject it, unless this is a locally
-    generated message, or the sending host or net is permitted to send
-    unqualified addresses - typically local machines behaving as MUAs -
-    in which case just qualify the address. The flag is set above at the start
-    of the SMTP connection. */
+      sender_address = raw_sender;
 
-    if (sender_domain == 0 && sender_address[0] != 0)
-      {
-      if (allow_unqualified_sender)
-        {
-        sender_domain = Ustrlen(sender_address) + 1;
-        sender_address = rewrite_address_qualify(sender_address, FALSE);
-        DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
-          raw_sender);
-        }
-      else
-        {
-        smtp_printf("501 %s: sender address must contain a domain\r\n", FALSE,
-          smtp_cmd_data);
-        log_write(L_smtp_syntax_error,
-          LOG_MAIN|LOG_REJECT,
-          "unqualified sender rejected: <%s> %s%s",
-          raw_sender,
-          host_and_ident(TRUE),
-          host_lookup_msg);
-        sender_address = NULL;
-        break;
-        }
-      }
+      /* If there is a configured size limit for mail, check that this message
+      doesn't exceed it. The check is postponed to this point so that the sender
+      can be logged. */
 
-    /* Apply an ACL check if one is defined, before responding. Afterwards,
-    when pipelining is not advertised, do another sync check in case the ACL
-    delayed and the client started sending in the meantime. */
+      if (thismessage_size_limit > 0 && message_size > thismessage_size_limit)
+	{
+	smtp_printf("552 Message size exceeds maximum permitted\r\n", FALSE);
+	log_write(L_size_reject,
+	    LOG_MAIN|LOG_REJECT, "rejected MAIL FROM:<%s> %s: "
+	    "message too big: size%s=%d max=%d",
+	    sender_address,
+	    host_and_ident(TRUE),
+	    (message_size == INT_MAX)? ">" : "",
+	    message_size,
+	    thismessage_size_limit);
+	sender_address = NULL;
+	break;
+	}
 
-    if (acl_smtp_mail)
-      {
-      rc = acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg);
-      if (rc == OK && !pipelining_advertised && !check_sync())
-        goto SYNC_FAILURE;
-      }
-    else
-      rc = OK;
+      /* Check there is enough space on the disk unless configured not to.
+      When smtp_check_spool_space is set, the check is for thismessage_size_limit
+      plus the current message - i.e. we accept the message only if it won't
+      reduce the space below the threshold. Add 5000 to the size to allow for
+      overheads such as the Received: line and storing of recipients, etc.
+      By putting the check here, even when SIZE is not given, it allow VRFY
+      and EXPN etc. to be used when space is short. */
+
+      if (!receive_check_fs(
+	   (smtp_check_spool_space && message_size >= 0)?
+	      message_size + 5000 : 0))
+	{
+	smtp_printf("452 Space shortage, please try later\r\n", FALSE);
+	sender_address = NULL;
+	break;
+	}
 
-    if (rc == OK || rc == DISCARD)
-      {
-      BOOL more = pipeline_response();
+      /* If sender_address is unqualified, reject it, unless this is a locally
+      generated message, or the sending host or net is permitted to send
+      unqualified addresses - typically local machines behaving as MUAs -
+      in which case just qualify the address. The flag is set above at the start
+      of the SMTP connection. */
 
-      if (!user_msg)
-        smtp_printf("%s%s%s", more, US"250 OK",
-                  #ifndef DISABLE_PRDR
-                    prdr_requested ? US", PRDR Requested" : US"",
-		  #else
-                    US"",
-                  #endif
-                    US"\r\n");
+      if (!sender_domain && *sender_address)
+	if (f.allow_unqualified_sender)
+	  {
+	  sender_domain = Ustrlen(sender_address) + 1;
+	  sender_address = rewrite_address_qualify(sender_address, FALSE);
+	  DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
+	    raw_sender);
+	  }
+	else
+	  {
+	  smtp_printf("501 %s: sender address must contain a domain\r\n", FALSE,
+	    smtp_cmd_data);
+	  log_write(L_smtp_syntax_error,
+	    LOG_MAIN|LOG_REJECT,
+	    "unqualified sender rejected: <%s> %s%s",
+	    raw_sender,
+	    host_and_ident(TRUE),
+	    host_lookup_msg);
+	  sender_address = NULL;
+	  break;
+	  }
+
+      /* Apply an ACL check if one is defined, before responding. Afterwards,
+      when pipelining is not advertised, do another sync check in case the ACL
+      delayed and the client started sending in the meantime. */
+
+      if (acl_smtp_mail)
+	{
+	rc = acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg);
+	if (rc == OK && !f.smtp_in_pipelining_advertised && !check_sync())
+	  goto SYNC_FAILURE;
+	}
       else
-        {
-      #ifndef DISABLE_PRDR
-        if (prdr_requested)
-           user_msg = string_sprintf("%s%s", user_msg, US", PRDR Requested");
-      #endif
-        smtp_user_msg(US"250", user_msg);
-        }
-      smtp_delay_rcpt = smtp_rlr_base;
-      recipients_discarded = (rc == DISCARD);
-      was_rej_mail = FALSE;
-      }
-    else
-      {
-      done = smtp_handle_acl_fail(ACL_WHERE_MAIL, rc, user_msg, log_msg);
-      sender_address = NULL;
-      }
-    break;
+	rc = OK;
+
+      if (rc == OK || rc == DISCARD)
+	{
+	BOOL more = pipeline_response();
+
+	if (!user_msg)
+	  smtp_printf("%s%s%s", more, US"250 OK",
+		    #ifndef DISABLE_PRDR
+		      prdr_requested ? US", PRDR Requested" : US"",
+		    #else
+		      US"",
+		    #endif
+		      US"\r\n");
+	else
+	  {
+	#ifndef DISABLE_PRDR
+	  if (prdr_requested)
+	     user_msg = string_sprintf("%s%s", user_msg, US", PRDR Requested");
+	#endif
+	  smtp_user_msg(US"250", user_msg);
+	  }
+	smtp_delay_rcpt = smtp_rlr_base;
+	f.recipients_discarded = (rc == DISCARD);
+	was_rej_mail = FALSE;
+	}
+      else
+	{
+	done = smtp_handle_acl_fail(ACL_WHERE_MAIL, rc, user_msg, log_msg);
+	sender_address = NULL;
+	}
+      break;
 
 
     /* The RCPT command requires an address as an operand. There may be any
@@ -4803,259 +4984,259 @@
     are not used, as we keep only the extracted address. */
 
     case RCPT_CMD:
-    HAD(SCH_RCPT);
-    rcpt_count++;
-    was_rcpt = rcpt_in_progress = TRUE;
-
-    /* There must be a sender address; if the sender was rejected and
-    pipelining was advertised, we assume the client was pipelining, and do not
-    count this as a protocol error. Reset was_rej_mail so that further RCPTs
-    get the same treatment. */
+      HAD(SCH_RCPT);
+      rcpt_count++;
+      was_rcpt = fl.rcpt_in_progress = TRUE;
+
+      /* There must be a sender address; if the sender was rejected and
+      pipelining was advertised, we assume the client was pipelining, and do not
+      count this as a protocol error. Reset was_rej_mail so that further RCPTs
+      get the same treatment. */
 
-    if (sender_address == NULL)
-      {
-      if (pipelining_advertised && last_was_rej_mail)
-        {
-        smtp_printf("503 sender not yet given\r\n", FALSE);
-        was_rej_mail = TRUE;
-        }
-      else
-        {
-        done = synprot_error(L_smtp_protocol_error, 503, NULL,
-          US"sender not yet given");
-        was_rcpt = FALSE;             /* Not a valid RCPT */
-        }
-      rcpt_fail_count++;
-      break;
-      }
+      if (sender_address == NULL)
+	{
+	if (f.smtp_in_pipelining_advertised && last_was_rej_mail)
+	  {
+	  smtp_printf("503 sender not yet given\r\n", FALSE);
+	  was_rej_mail = TRUE;
+	  }
+	else
+	  {
+	  done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	    US"sender not yet given");
+	  was_rcpt = FALSE;             /* Not a valid RCPT */
+	  }
+	rcpt_fail_count++;
+	break;
+	}
 
-    /* Check for an operand */
+      /* Check for an operand */
 
-    if (smtp_cmd_data[0] == 0)
-      {
-      done = synprot_error(L_smtp_syntax_error, 501, NULL,
-        US"RCPT must have an address operand");
-      rcpt_fail_count++;
-      break;
-      }
+      if (smtp_cmd_data[0] == 0)
+	{
+	done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	  US"RCPT must have an address operand");
+	rcpt_fail_count++;
+	break;
+	}
 
-    /* Set the DSN flags orcpt and dsn_flags from the session*/
-    orcpt = NULL;
-    flags = 0;
+      /* Set the DSN flags orcpt and dsn_flags from the session*/
+      orcpt = NULL;
+      dsn_flags = 0;
 
-    if (esmtp) for(;;)
-      {
-      uschar *name, *value;
+      if (fl.esmtp) for(;;)
+	{
+	uschar *name, *value;
 
-      if (!extract_option(&name, &value))
-        break;
+	if (!extract_option(&name, &value))
+	  break;
 
-      if (dsn_advertised && strcmpic(name, US"ORCPT") == 0)
-        {
-        /* Check whether orcpt has been already set */
-        if (orcpt)
+	if (fl.dsn_advertised && strcmpic(name, US"ORCPT") == 0)
 	  {
-          synprot_error(L_smtp_syntax_error, 501, NULL,
-            US"ORCPT can be specified once only");
-          goto COMMAND_LOOP;
-          }
-        orcpt = string_copy(value);
-        DEBUG(D_receive) debug_printf("DSN orcpt: %s\n", orcpt);
-        }
+	  /* Check whether orcpt has been already set */
+	  if (orcpt)
+	    {
+	    done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	      US"ORCPT can be specified once only");
+	    goto COMMAND_LOOP;
+	    }
+	  orcpt = string_copy(value);
+	  DEBUG(D_receive) debug_printf("DSN orcpt: %s\n", orcpt);
+	  }
 
-      else if (dsn_advertised && strcmpic(name, US"NOTIFY") == 0)
-        {
-        /* Check if the notify flags have been already set */
-        if (flags > 0)
+	else if (fl.dsn_advertised && strcmpic(name, US"NOTIFY") == 0)
 	  {
-          synprot_error(L_smtp_syntax_error, 501, NULL,
-              US"NOTIFY can be specified once only");
-          goto COMMAND_LOOP;
-          }
-        if (strcmpic(value, US"NEVER") == 0)
-	  flags |= rf_notify_never;
-	else
-          {
-          uschar *p = value;
-          while (*p != 0)
-            {
-            uschar *pp = p;
-            while (*pp != 0 && *pp != ',') pp++;
-	    if (*pp == ',') *pp++ = 0;
-            if (strcmpic(p, US"SUCCESS") == 0)
-	      {
-	      DEBUG(D_receive) debug_printf("DSN: Setting notify success\n");
-	      flags |= rf_notify_success;
-              }
-            else if (strcmpic(p, US"FAILURE") == 0)
-	      {
-	      DEBUG(D_receive) debug_printf("DSN: Setting notify failure\n");
-	      flags |= rf_notify_failure;
-              }
-            else if (strcmpic(p, US"DELAY") == 0)
-	      {
-	      DEBUG(D_receive) debug_printf("DSN: Setting notify delay\n");
-	      flags |= rf_notify_delay;
-              }
-            else
+	  /* Check if the notify flags have been already set */
+	  if (dsn_flags > 0)
+	    {
+	    done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		US"NOTIFY can be specified once only");
+	    goto COMMAND_LOOP;
+	    }
+	  if (strcmpic(value, US"NEVER") == 0)
+	    dsn_flags |= rf_notify_never;
+	  else
+	    {
+	    uschar *p = value;
+	    while (*p != 0)
 	      {
-              /* Catch any strange values */
-              synprot_error(L_smtp_syntax_error, 501, NULL,
-                US"Invalid value for NOTIFY parameter");
-              goto COMMAND_LOOP;
-              }
-            p = pp;
-            }
-            DEBUG(D_receive) debug_printf("DSN Flags: %x\n", flags);
-          }
-        }
+	      uschar *pp = p;
+	      while (*pp != 0 && *pp != ',') pp++;
+	      if (*pp == ',') *pp++ = 0;
+	      if (strcmpic(p, US"SUCCESS") == 0)
+		{
+		DEBUG(D_receive) debug_printf("DSN: Setting notify success\n");
+		dsn_flags |= rf_notify_success;
+		}
+	      else if (strcmpic(p, US"FAILURE") == 0)
+		{
+		DEBUG(D_receive) debug_printf("DSN: Setting notify failure\n");
+		dsn_flags |= rf_notify_failure;
+		}
+	      else if (strcmpic(p, US"DELAY") == 0)
+		{
+		DEBUG(D_receive) debug_printf("DSN: Setting notify delay\n");
+		dsn_flags |= rf_notify_delay;
+		}
+	      else
+		{
+		/* Catch any strange values */
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"Invalid value for NOTIFY parameter");
+		goto COMMAND_LOOP;
+		}
+	      p = pp;
+	      }
+	      DEBUG(D_receive) debug_printf("DSN Flags: %x\n", dsn_flags);
+	    }
+	  }
 
-      /* Unknown option. Stick back the terminator characters and break
-      the loop. An error for a malformed address will occur. */
+	/* Unknown option. Stick back the terminator characters and break
+	the loop. An error for a malformed address will occur. */
 
-      else
-        {
-        DEBUG(D_receive) debug_printf("Invalid RCPT option: %s : %s\n", name, value);
-        name[-1] = ' ';
-        value[-1] = '=';
-        break;
-        }
-      }
+	else
+	  {
+	  DEBUG(D_receive) debug_printf("Invalid RCPT option: %s : %s\n", name, value);
+	  name[-1] = ' ';
+	  value[-1] = '=';
+	  break;
+	  }
+	}
 
-    /* Apply SMTP rewriting then extract the working address. Don't allow "<>"
-    as a recipient address */
+      /* Apply SMTP rewriting then extract the working address. Don't allow "<>"
+      as a recipient address */
 
-    recipient = rewrite_existflags & rewrite_smtp
-      ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
-	  global_rewrite_rules)
-      : smtp_cmd_data;
+      recipient = rewrite_existflags & rewrite_smtp
+	? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
+	    global_rewrite_rules)
+	: smtp_cmd_data;
 
-    if (!(recipient = parse_extract_address(recipient, &errmess, &start, &end,
-      &recipient_domain, FALSE)))
-      {
-      done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
-      rcpt_fail_count++;
-      break;
-      }
+      if (!(recipient = parse_extract_address(recipient, &errmess, &start, &end,
+	&recipient_domain, FALSE)))
+	{
+	done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
+	rcpt_fail_count++;
+	break;
+	}
 
-    /* If the recipient address is unqualified, reject it, unless this is a
-    locally generated message. However, unqualified addresses are permitted
-    from a configured list of hosts and nets - typically when behaving as
-    MUAs rather than MTAs. Sad that SMTP is used for both types of traffic,
-    really. The flag is set at the start of the SMTP connection.
-
-    RFC 1123 talks about supporting "the reserved mailbox postmaster"; I always
-    assumed this meant "reserved local part", but the revision of RFC 821 and
-    friends now makes it absolutely clear that it means *mailbox*. Consequently
-    we must always qualify this address, regardless. */
-
-    if (!recipient_domain)
-      if (!(recipient_domain = qualify_recipient(&recipient, smtp_cmd_data,
-				  US"recipient")))
-        {
-        rcpt_fail_count++;
-        break;
-        }
+      /* If the recipient address is unqualified, reject it, unless this is a
+      locally generated message. However, unqualified addresses are permitted
+      from a configured list of hosts and nets - typically when behaving as
+      MUAs rather than MTAs. Sad that SMTP is used for both types of traffic,
+      really. The flag is set at the start of the SMTP connection.
+
+      RFC 1123 talks about supporting "the reserved mailbox postmaster"; I always
+      assumed this meant "reserved local part", but the revision of RFC 821 and
+      friends now makes it absolutely clear that it means *mailbox*. Consequently
+      we must always qualify this address, regardless. */
 
-    /* Check maximum allowed */
+      if (!recipient_domain)
+	if (!(recipient_domain = qualify_recipient(&recipient, smtp_cmd_data,
+				    US"recipient")))
+	  {
+	  rcpt_fail_count++;
+	  break;
+	  }
 
-    if (rcpt_count > recipients_max && recipients_max > 0)
-      {
-      if (recipients_max_reject)
-        {
-        rcpt_fail_count++;
-        smtp_printf("552 too many recipients\r\n", FALSE);
-        if (!toomany)
-          log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: message "
-            "rejected: sender=<%s> %s", sender_address, host_and_ident(TRUE));
-        }
-      else
-        {
-        rcpt_defer_count++;
-        smtp_printf("452 too many recipients\r\n", FALSE);
-        if (!toomany)
-          log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: excess "
-            "temporarily rejected: sender=<%s> %s", sender_address,
-            host_and_ident(TRUE));
-        }
+      /* Check maximum allowed */
 
-      toomany = TRUE;
-      break;
-      }
+      if (rcpt_count > recipients_max && recipients_max > 0)
+	{
+	if (recipients_max_reject)
+	  {
+	  rcpt_fail_count++;
+	  smtp_printf("552 too many recipients\r\n", FALSE);
+	  if (!toomany)
+	    log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: message "
+	      "rejected: sender=<%s> %s", sender_address, host_and_ident(TRUE));
+	  }
+	else
+	  {
+	  rcpt_defer_count++;
+	  smtp_printf("452 too many recipients\r\n", FALSE);
+	  if (!toomany)
+	    log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: excess "
+	      "temporarily rejected: sender=<%s> %s", sender_address,
+	      host_and_ident(TRUE));
+	  }
 
-    /* If we have passed the threshold for rate limiting, apply the current
-    delay, and update it for next time, provided this is a limited host. */
+	toomany = TRUE;
+	break;
+	}
 
-    if (rcpt_count > smtp_rlr_threshold &&
-        verify_check_host(&smtp_ratelimit_hosts) == OK)
-      {
-      DEBUG(D_receive) debug_printf("rate limit RCPT: delay %.3g sec\n",
-        smtp_delay_rcpt/1000.0);
-      millisleep((int)smtp_delay_rcpt);
-      smtp_delay_rcpt *= smtp_rlr_factor;
-      if (smtp_delay_rcpt > (double)smtp_rlr_limit)
-        smtp_delay_rcpt = (double)smtp_rlr_limit;
-      }
+      /* If we have passed the threshold for rate limiting, apply the current
+      delay, and update it for next time, provided this is a limited host. */
 
-    /* If the MAIL ACL discarded all the recipients, we bypass ACL checking
-    for them. Otherwise, check the access control list for this recipient. As
-    there may be a delay in this, re-check for a synchronization error
-    afterwards, unless pipelining was advertised. */
+      if (rcpt_count > smtp_rlr_threshold &&
+	  verify_check_host(&smtp_ratelimit_hosts) == OK)
+	{
+	DEBUG(D_receive) debug_printf("rate limit RCPT: delay %.3g sec\n",
+	  smtp_delay_rcpt/1000.0);
+	millisleep((int)smtp_delay_rcpt);
+	smtp_delay_rcpt *= smtp_rlr_factor;
+	if (smtp_delay_rcpt > (double)smtp_rlr_limit)
+	  smtp_delay_rcpt = (double)smtp_rlr_limit;
+	}
 
-    if (recipients_discarded)
-      rc = DISCARD;
-    else
-      if (  (rc = acl_check(ACL_WHERE_RCPT, recipient, acl_smtp_rcpt, &user_msg,
-		    &log_msg)) == OK
-	 && !pipelining_advertised && !check_sync())
-        goto SYNC_FAILURE;
+      /* If the MAIL ACL discarded all the recipients, we bypass ACL checking
+      for them. Otherwise, check the access control list for this recipient. As
+      there may be a delay in this, re-check for a synchronization error
+      afterwards, unless pipelining was advertised. */
 
-    /* The ACL was happy */
+      if (f.recipients_discarded)
+	rc = DISCARD;
+      else
+	if (  (rc = acl_check(ACL_WHERE_RCPT, recipient, acl_smtp_rcpt, &user_msg,
+		      &log_msg)) == OK
+	   && !f.smtp_in_pipelining_advertised && !check_sync())
+	  goto SYNC_FAILURE;
 
-    if (rc == OK)
-      {
-      BOOL more = pipeline_response();
+      /* The ACL was happy */
 
-      if (user_msg)
-        smtp_user_msg(US"250", user_msg);
-      else
-        smtp_printf("250 Accepted\r\n", more);
-      receive_add_recipient(recipient, -1);
+      if (rc == OK)
+	{
+	BOOL more = pipeline_response();
 
-      /* Set the dsn flags in the recipients_list */
-      recipients_list[recipients_count-1].orcpt = orcpt;
-      recipients_list[recipients_count-1].dsn_flags = flags;
-
-      DEBUG(D_receive) debug_printf("DSN: orcpt: %s  flags: %d\n",
-	recipients_list[recipients_count-1].orcpt,
-	recipients_list[recipients_count-1].dsn_flags);
-      }
+	if (user_msg)
+	  smtp_user_msg(US"250", user_msg);
+	else
+	  smtp_printf("250 Accepted\r\n", more);
+	receive_add_recipient(recipient, -1);
+
+	/* Set the dsn flags in the recipients_list */
+	recipients_list[recipients_count-1].orcpt = orcpt;
+	recipients_list[recipients_count-1].dsn_flags = dsn_flags;
+
+	DEBUG(D_receive) debug_printf("DSN: orcpt: %s  flags: %d\n",
+	  recipients_list[recipients_count-1].orcpt,
+	  recipients_list[recipients_count-1].dsn_flags);
+	}
 
-    /* The recipient was discarded */
+      /* The recipient was discarded */
 
-    else if (rc == DISCARD)
-      {
-      if (user_msg)
-        smtp_user_msg(US"250", user_msg);
-      else
-        smtp_printf("250 Accepted\r\n", FALSE);
-      rcpt_fail_count++;
-      discarded = TRUE;
-      log_write(0, LOG_MAIN|LOG_REJECT, "%s F=<%s> RCPT %s: "
-        "discarded by %s ACL%s%s", host_and_ident(TRUE),
-        sender_address_unrewritten? sender_address_unrewritten : sender_address,
-        smtp_cmd_argument, recipients_discarded? "MAIL" : "RCPT",
-        log_msg ? US": " : US"", log_msg ? log_msg : US"");
-      }
+      else if (rc == DISCARD)
+	{
+	if (user_msg)
+	  smtp_user_msg(US"250", user_msg);
+	else
+	  smtp_printf("250 Accepted\r\n", FALSE);
+	rcpt_fail_count++;
+	discarded = TRUE;
+	log_write(0, LOG_MAIN|LOG_REJECT, "%s F=<%s> RCPT %s: "
+	  "discarded by %s ACL%s%s", host_and_ident(TRUE),
+	  sender_address_unrewritten? sender_address_unrewritten : sender_address,
+	  smtp_cmd_argument, f.recipients_discarded? "MAIL" : "RCPT",
+	  log_msg ? US": " : US"", log_msg ? log_msg : US"");
+	}
 
-    /* Either the ACL failed the address, or it was deferred. */
+      /* Either the ACL failed the address, or it was deferred. */
 
-    else
-      {
-      if (rc == FAIL) rcpt_fail_count++; else rcpt_defer_count++;
-      done = smtp_handle_acl_fail(ACL_WHERE_RCPT, rc, user_msg, log_msg);
-      }
-    break;
+      else
+	{
+	if (rc == FAIL) rcpt_fail_count++; else rcpt_defer_count++;
+	done = smtp_handle_acl_fail(ACL_WHERE_RCPT, rc, user_msg, log_msg);
+	}
+      break;
 
 
     /* The DATA command is legal only if it follows successful MAIL FROM
@@ -5079,10 +5260,10 @@
     with the DATA rejection (an idea suggested by Tony Finch). */
 
     case BDAT_CMD:
-    HAD(SCH_BDAT);
       {
       int n;
 
+      HAD(SCH_BDAT);
       if (chunking_state != CHUNKING_OFFERED)
 	{
 	done = synprot_error(L_smtp_protocol_error, 503, NULL,
@@ -5114,94 +5295,97 @@
       receive_getc = bdat_getc;
       receive_ungetc = bdat_ungetc;
 
-      dot_ends = FALSE;
+      f.dot_ends = FALSE;
 
       goto DATA_BDAT;
       }
 
     case DATA_CMD:
-    HAD(SCH_DATA);
-    dot_ends = TRUE;
+      HAD(SCH_DATA);
+      f.dot_ends = TRUE;
 
     DATA_BDAT:		/* Common code for DATA and BDAT */
-    if (!discarded && recipients_count <= 0)
-      {
-      if (rcpt_smtp_response_same && rcpt_smtp_response != NULL)
-        {
-        uschar *code = US"503";
-        int len = Ustrlen(rcpt_smtp_response);
-        smtp_respond(code, 3, FALSE, US"All RCPT commands were rejected with "
-          "this error:");
-        /* Responses from smtp_printf() will have \r\n on the end */
-        if (len > 2 && rcpt_smtp_response[len-2] == '\r')
-          rcpt_smtp_response[len-2] = 0;
-        smtp_respond(code, 3, FALSE, rcpt_smtp_response);
-        }
-      if (pipelining_advertised && last_was_rcpt)
-        smtp_printf("503 Valid RCPT command must precede %s\r\n", FALSE,
-	  smtp_names[smtp_connection_had[smtp_ch_index-1]]);
-      else
-        done = synprot_error(L_smtp_protocol_error, 503, NULL,
-	  smtp_connection_had[smtp_ch_index-1] == SCH_DATA
-	  ? US"valid RCPT command must precede DATA"
-	  : US"valid RCPT command must precede BDAT");
-
-      if (chunking_state > CHUNKING_OFFERED)
-	bdat_flush_data();
-      break;
-      }
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+      fl.pipe_connect_acceptable = FALSE;
+#endif
+      if (!discarded && recipients_count <= 0)
+	{
+	if (fl.rcpt_smtp_response_same && rcpt_smtp_response != NULL)
+	  {
+	  uschar *code = US"503";
+	  int len = Ustrlen(rcpt_smtp_response);
+	  smtp_respond(code, 3, FALSE, US"All RCPT commands were rejected with "
+	    "this error:");
+	  /* Responses from smtp_printf() will have \r\n on the end */
+	  if (len > 2 && rcpt_smtp_response[len-2] == '\r')
+	    rcpt_smtp_response[len-2] = 0;
+	  smtp_respond(code, 3, FALSE, rcpt_smtp_response);
+	  }
+	if (f.smtp_in_pipelining_advertised && last_was_rcpt)
+	  smtp_printf("503 Valid RCPT command must precede %s\r\n", FALSE,
+	    smtp_names[smtp_connection_had[smtp_ch_index-1]]);
+	else
+	  done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	    smtp_connection_had[smtp_ch_index-1] == SCH_DATA
+	    ? US"valid RCPT command must precede DATA"
+	    : US"valid RCPT command must precede BDAT");
 
-    if (toomany && recipients_max_reject)
-      {
-      sender_address = NULL;  /* This will allow a new MAIL without RSET */
-      sender_address_unrewritten = NULL;
-      smtp_printf("554 Too many recipients\r\n", FALSE);
-      break;
-      }
+	if (chunking_state > CHUNKING_OFFERED)
+	  bdat_flush_data();
+	break;
+	}
 
-    if (chunking_state > CHUNKING_OFFERED)
-      rc = OK;			/* No predata ACL or go-ahead output for BDAT */
-    else
-      {
-      /* If there is an ACL, re-check the synchronization afterwards, since the
-      ACL may have delayed.  To handle cutthrough delivery enforce a dummy call
-      to get the DATA command sent. */
+      if (toomany && recipients_max_reject)
+	{
+	sender_address = NULL;  /* This will allow a new MAIL without RSET */
+	sender_address_unrewritten = NULL;
+	smtp_printf("554 Too many recipients\r\n", FALSE);
+	break;
+	}
 
-      if (acl_smtp_predata == NULL && cutthrough.fd < 0)
-	rc = OK;
+      if (chunking_state > CHUNKING_OFFERED)
+	rc = OK;			/* No predata ACL or go-ahead output for BDAT */
       else
 	{
-	uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";
-	enable_dollar_recipients = TRUE;
-	rc = acl_check(ACL_WHERE_PREDATA, NULL, acl, &user_msg,
-	  &log_msg);
-	enable_dollar_recipients = FALSE;
-	if (rc == OK && !check_sync())
-	  goto SYNC_FAILURE;
+	/* If there is an ACL, re-check the synchronization afterwards, since the
+	ACL may have delayed.  To handle cutthrough delivery enforce a dummy call
+	to get the DATA command sent. */
 
-	if (rc != OK)
-	  {	/* Either the ACL failed the address, or it was deferred. */
-	  done = smtp_handle_acl_fail(ACL_WHERE_PREDATA, rc, user_msg, log_msg);
-	  break;
+	if (acl_smtp_predata == NULL && cutthrough.cctx.sock < 0)
+	  rc = OK;
+	else
+	  {
+	  uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";
+	  f.enable_dollar_recipients = TRUE;
+	  rc = acl_check(ACL_WHERE_PREDATA, NULL, acl, &user_msg,
+	    &log_msg);
+	  f.enable_dollar_recipients = FALSE;
+	  if (rc == OK && !check_sync())
+	    goto SYNC_FAILURE;
+
+	  if (rc != OK)
+	    {	/* Either the ACL failed the address, or it was deferred. */
+	    done = smtp_handle_acl_fail(ACL_WHERE_PREDATA, rc, user_msg, log_msg);
+	    break;
+	    }
 	  }
-	}
 
-      if (user_msg)
-	smtp_user_msg(US"354", user_msg);
-      else
-	smtp_printf(
-	  "354 Enter message, ending with \".\" on a line by itself\r\n", FALSE);
-      }
+	if (user_msg)
+	  smtp_user_msg(US"354", user_msg);
+	else
+	  smtp_printf(
+	    "354 Enter message, ending with \".\" on a line by itself\r\n", FALSE);
+	}
 
 #ifdef TCP_QUICKACK
-    if (smtp_in)	/* all ACKs needed to ramp window up for bulk data */
-      (void) setsockopt(fileno(smtp_in), IPPROTO_TCP, TCP_QUICKACK,
-	      US &on, sizeof(on));
+      if (smtp_in)	/* all ACKs needed to ramp window up for bulk data */
+	(void) setsockopt(fileno(smtp_in), IPPROTO_TCP, TCP_QUICKACK,
+		US &on, sizeof(on));
 #endif
-    done = 3;
-    message_ended = END_NOTENDED;   /* Indicate in middle of data */
+      done = 3;
+      message_ended = END_NOTENDED;   /* Indicate in middle of data */
 
-    break;
+      break;
 
 
     case VRFY_CMD:
@@ -5259,173 +5443,175 @@
 
 
     case EXPN_CMD:
-    HAD(SCH_EXPN);
-    rc = acl_check(ACL_WHERE_EXPN, NULL, acl_smtp_expn, &user_msg, &log_msg);
-    if (rc != OK)
-      done = smtp_handle_acl_fail(ACL_WHERE_EXPN, rc, user_msg, log_msg);
-    else
-      {
-      BOOL save_log_testing_mode = log_testing_mode;
-      address_test_mode = log_testing_mode = TRUE;
-      (void) verify_address(deliver_make_addr(smtp_cmd_data, FALSE),
-        smtp_out, vopt_is_recipient | vopt_qualify | vopt_expn, -1, -1, -1,
-        NULL, NULL, NULL);
-      address_test_mode = FALSE;
-      log_testing_mode = save_log_testing_mode;    /* true for -bh */
-      }
-    break;
+      HAD(SCH_EXPN);
+      rc = acl_check(ACL_WHERE_EXPN, NULL, acl_smtp_expn, &user_msg, &log_msg);
+      if (rc != OK)
+	done = smtp_handle_acl_fail(ACL_WHERE_EXPN, rc, user_msg, log_msg);
+      else
+	{
+	BOOL save_log_testing_mode = f.log_testing_mode;
+	f.address_test_mode = f.log_testing_mode = TRUE;
+	(void) verify_address(deliver_make_addr(smtp_cmd_data, FALSE),
+	  smtp_out, vopt_is_recipient | vopt_qualify | vopt_expn, -1, -1, -1,
+	  NULL, NULL, NULL);
+	f.address_test_mode = FALSE;
+	f.log_testing_mode = save_log_testing_mode;    /* true for -bh */
+	}
+      break;
 
 
     #ifdef SUPPORT_TLS
 
     case STARTTLS_CMD:
-    HAD(SCH_STARTTLS);
-    if (!tls_advertised)
-      {
-      done = synprot_error(L_smtp_protocol_error, 503, NULL,
-        US"STARTTLS command used when not advertised");
-      break;
-      }
-
-    /* Apply an ACL check if one is defined */
+      HAD(SCH_STARTTLS);
+      if (!fl.tls_advertised)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"STARTTLS command used when not advertised");
+	break;
+	}
 
-    if (  acl_smtp_starttls
-       && (rc = acl_check(ACL_WHERE_STARTTLS, NULL, acl_smtp_starttls,
-		  &user_msg, &log_msg)) != OK
-       )
-      {
-      done = smtp_handle_acl_fail(ACL_WHERE_STARTTLS, rc, user_msg, log_msg);
-      break;
-      }
+      /* Apply an ACL check if one is defined */
 
-    /* RFC 2487 is not clear on when this command may be sent, though it
-    does state that all information previously obtained from the client
-    must be discarded if a TLS session is started. It seems reasonable to
-    do an implied RSET when STARTTLS is received. */
-
-    incomplete_transaction_log(US"STARTTLS");
-    cancel_cutthrough_connection(TRUE, US"STARTTLS received");
-    smtp_reset(reset_point);
-    toomany = FALSE;
-    cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
-
-    /* There's an attack where more data is read in past the STARTTLS command
-    before TLS is negotiated, then assumed to be part of the secure session
-    when used afterwards; we use segregated input buffers, so are not
-    vulnerable, but we want to note when it happens and, for sheer paranoia,
-    ensure that the buffer is "wiped".
-    Pipelining sync checks will normally have protected us too, unless disabled
-    by configuration. */
+      if (  acl_smtp_starttls
+	 && (rc = acl_check(ACL_WHERE_STARTTLS, NULL, acl_smtp_starttls,
+		    &user_msg, &log_msg)) != OK
+	 )
+	{
+	done = smtp_handle_acl_fail(ACL_WHERE_STARTTLS, rc, user_msg, log_msg);
+	break;
+	}
 
-    if (receive_smtp_buffered())
-      {
-      DEBUG(D_any)
-        debug_printf("Non-empty input buffer after STARTTLS; naive attack?\n");
-      if (tls_in.active < 0)
-        smtp_inend = smtp_inptr = smtp_inbuffer;
-      /* and if TLS is already active, tls_server_start() should fail */
-      }
+      /* RFC 2487 is not clear on when this command may be sent, though it
+      does state that all information previously obtained from the client
+      must be discarded if a TLS session is started. It seems reasonable to
+      do an implied RSET when STARTTLS is received. */
 
-    /* There is nothing we value in the input buffer and if TLS is successfully
-    negotiated, we won't use this buffer again; if TLS fails, we'll just read
-    fresh content into it.  The buffer contains arbitrary content from an
-    untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
-    It seems safest to just wipe away the content rather than leave it as a
-    target to jump to. */
-
-    memset(smtp_inbuffer, 0, IN_BUFFER_SIZE);
-
-    /* Attempt to start up a TLS session, and if successful, discard all
-    knowledge that was obtained previously. At least, that's what the RFC says,
-    and that's what happens by default. However, in order to work round YAEB,
-    there is an option to remember the esmtp state. Sigh.
+      incomplete_transaction_log(US"STARTTLS");
+      cancel_cutthrough_connection(TRUE, US"STARTTLS received");
+      smtp_reset(reset_point);
+      toomany = FALSE;
+      cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
 
-    We must allow for an extra EHLO command and an extra AUTH command after
-    STARTTLS that don't add to the nonmail command count. */
+      /* There's an attack where more data is read in past the STARTTLS command
+      before TLS is negotiated, then assumed to be part of the secure session
+      when used afterwards; we use segregated input buffers, so are not
+      vulnerable, but we want to note when it happens and, for sheer paranoia,
+      ensure that the buffer is "wiped".
+      Pipelining sync checks will normally have protected us too, unless disabled
+      by configuration. */
 
-    s = NULL;
-    if ((rc = tls_server_start(tls_require_ciphers, &s)) == OK)
-      {
-      if (!tls_remember_esmtp)
-        helo_seen = esmtp = auth_advertised = pipelining_advertised = FALSE;
-      cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
-      cmd_list[CMD_LIST_AUTH].is_mail_cmd = TRUE;
-      cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
-      if (sender_helo_name)
-        {
-        store_free(sender_helo_name);
-        sender_helo_name = NULL;
-        host_build_sender_fullhost();  /* Rebuild */
-        set_process_info("handling incoming TLS connection from %s",
-          host_and_ident(FALSE));
-        }
-      received_protocol =
-	(sender_host_address ? protocols : protocols_local)
-	  [ (esmtp
-	    ? pextend + (sender_host_authenticated ? pauthed : 0)
-	    : pnormal)
-	  + (tls_in.active >= 0 ? pcrpted : 0)
-	  ];
+      if (receive_smtp_buffered())
+	{
+	DEBUG(D_any)
+	  debug_printf("Non-empty input buffer after STARTTLS; naive attack?\n");
+	if (tls_in.active.sock < 0)
+	  smtp_inend = smtp_inptr = smtp_inbuffer;
+	/* and if TLS is already active, tls_server_start() should fail */
+	}
 
-      sender_host_auth_pubname = sender_host_authenticated = NULL;
-      authenticated_id = NULL;
-      sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
-      DEBUG(D_tls) debug_printf("TLS active\n");
-      break;     /* Successful STARTTLS */
-      }
-    else
-      (void) smtp_log_tls_fail(s);
+      /* There is nothing we value in the input buffer and if TLS is successfully
+      negotiated, we won't use this buffer again; if TLS fails, we'll just read
+      fresh content into it.  The buffer contains arbitrary content from an
+      untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
+      It seems safest to just wipe away the content rather than leave it as a
+      target to jump to. */
+
+      memset(smtp_inbuffer, 0, IN_BUFFER_SIZE);
+
+      /* Attempt to start up a TLS session, and if successful, discard all
+      knowledge that was obtained previously. At least, that's what the RFC says,
+      and that's what happens by default. However, in order to work round YAEB,
+      there is an option to remember the esmtp state. Sigh.
 
-    /* Some local configuration problem was discovered before actually trying
-    to do a TLS handshake; give a temporary error. */
+      We must allow for an extra EHLO command and an extra AUTH command after
+      STARTTLS that don't add to the nonmail command count. */
 
-    if (rc == DEFER)
-      {
-      smtp_printf("454 TLS currently unavailable\r\n", FALSE);
-      break;
-      }
+      s = NULL;
+      if ((rc = tls_server_start(tls_require_ciphers, &s)) == OK)
+	{
+	if (!tls_remember_esmtp)
+	  fl.helo_seen = fl.esmtp = fl.auth_advertised = f.smtp_in_pipelining_advertised = FALSE;
+	cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
+	cmd_list[CMD_LIST_AUTH].is_mail_cmd = TRUE;
+	cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
+	if (sender_helo_name)
+	  {
+	  store_free(sender_helo_name);
+	  sender_helo_name = NULL;
+	  host_build_sender_fullhost();  /* Rebuild */
+	  set_process_info("handling incoming TLS connection from %s",
+	    host_and_ident(FALSE));
+	  }
+	received_protocol =
+	  (sender_host_address ? protocols : protocols_local)
+	    [ (fl.esmtp
+	      ? pextend + (sender_host_authenticated ? pauthed : 0)
+	      : pnormal)
+	    + (tls_in.active.sock >= 0 ? pcrpted : 0)
+	    ];
+
+	sender_host_auth_pubname = sender_host_authenticated = NULL;
+	authenticated_id = NULL;
+	sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
+	DEBUG(D_tls) debug_printf("TLS active\n");
+	break;     /* Successful STARTTLS */
+	}
+      else
+	(void) smtp_log_tls_fail(s);
 
-    /* Hard failure. Reject everything except QUIT or closed connection. One
-    cause for failure is a nested STARTTLS, in which case tls_in.active remains
-    set, but we must still reject all incoming commands. */
+      /* Some local configuration problem was discovered before actually trying
+      to do a TLS handshake; give a temporary error. */
 
-    DEBUG(D_tls) debug_printf("TLS failed to start\n");
-    while (done <= 0) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
-      {
-      case EOF_CMD:
-	log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
-	  smtp_get_connection_info());
-	smtp_notquit_exit(US"tls-failed", NULL, NULL);
-	done = 2;
+      if (rc == DEFER)
+	{
+	smtp_printf("454 TLS currently unavailable\r\n", FALSE);
 	break;
+	}
 
-      /* It is perhaps arguable as to which exit ACL should be called here,
-      but as it is probably a situation that almost never arises, it
-      probably doesn't matter. We choose to call the real QUIT ACL, which in
-      some sense is perhaps "right". */
-
-      case QUIT_CMD:
-	user_msg = NULL;
-	if (  acl_smtp_quit
-	   && ((rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, &user_msg,
-			      &log_msg)) == ERROR))
-	    log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
-	      log_msg);
-	if (user_msg)
-	  smtp_respond(US"221", 3, TRUE, user_msg);
-	else
-	  smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
-	log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
-	  smtp_get_connection_info());
-	done = 2;
-	break;
+      /* Hard failure. Reject everything except QUIT or closed connection. One
+      cause for failure is a nested STARTTLS, in which case tls_in.active remains
+      set, but we must still reject all incoming commands.  Another is a handshake
+      failure - and there may some encrypted data still in the pipe to us, which we
+      see as garbage commands. */
 
-      default:
-	smtp_printf("554 Security failure\r\n", FALSE);
-	break;
-      }
-    tls_close(TRUE, TLS_SHUTDOWN_NOWAIT);
-    break;
+      DEBUG(D_tls) debug_printf("TLS failed to start\n");
+      while (done <= 0) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
+	{
+	case EOF_CMD:
+	  log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
+	    smtp_get_connection_info());
+	  smtp_notquit_exit(US"tls-failed", NULL, NULL);
+	  done = 2;
+	  break;
+
+	/* It is perhaps arguable as to which exit ACL should be called here,
+	but as it is probably a situation that almost never arises, it
+	probably doesn't matter. We choose to call the real QUIT ACL, which in
+	some sense is perhaps "right". */
+
+	case QUIT_CMD:
+	  user_msg = NULL;
+	  if (  acl_smtp_quit
+	     && ((rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, &user_msg,
+				&log_msg)) == ERROR))
+	      log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
+		log_msg);
+	  if (user_msg)
+	    smtp_respond(US"221", 3, TRUE, user_msg);
+	  else
+	    smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
+	  log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
+	    smtp_get_connection_info());
+	  done = 2;
+	  break;
+
+	default:
+	  smtp_printf("554 Security failure\r\n", FALSE);
+	  break;
+	}
+      tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
+      break;
     #endif
 
 
@@ -5434,23 +5620,23 @@
     message. */
 
     case QUIT_CMD:
-    smtp_quit_handler(&user_msg, &log_msg);
-    done = 2;
-    break;
+      smtp_quit_handler(&user_msg, &log_msg);
+      done = 2;
+      break;
 
 
     case RSET_CMD:
-    smtp_rset_handler();
-    cancel_cutthrough_connection(TRUE, US"RSET received");
-    smtp_reset(reset_point);
-    toomany = FALSE;
-    break;
+      smtp_rset_handler();
+      cancel_cutthrough_connection(TRUE, US"RSET received");
+      smtp_reset(reset_point);
+      toomany = FALSE;
+      break;
 
 
     case NOOP_CMD:
-    HAD(SCH_NOOP);
-    smtp_printf("250 OK\r\n", FALSE);
-    break;
+      HAD(SCH_NOOP);
+      smtp_printf("250 OK\r\n", FALSE);
+      break;
 
 
     /* Show ETRN/EXPN/VRFY if there's an ACL for checking hosts; if actually
@@ -5459,287 +5645,292 @@
     response. */
 
     case HELP_CMD:
-    HAD(SCH_HELP);
-    smtp_printf("214-Commands supported:\r\n", TRUE);
-      {
-      uschar buffer[256];
-      buffer[0] = 0;
-      Ustrcat(buffer, " AUTH");
-      #ifdef SUPPORT_TLS
-      if (tls_in.active < 0 &&
-          verify_check_host(&tls_advertise_hosts) != FAIL)
-        Ustrcat(buffer, " STARTTLS");
-      #endif
-      Ustrcat(buffer, " HELO EHLO MAIL RCPT DATA BDAT");
-      Ustrcat(buffer, " NOOP QUIT RSET HELP");
-      if (acl_smtp_etrn != NULL) Ustrcat(buffer, " ETRN");
-      if (acl_smtp_expn != NULL) Ustrcat(buffer, " EXPN");
-      if (acl_smtp_vrfy != NULL) Ustrcat(buffer, " VRFY");
-      smtp_printf("214%s\r\n", FALSE, buffer);
-      }
-    break;
+      HAD(SCH_HELP);
+      smtp_printf("214-Commands supported:\r\n", TRUE);
+	{
+	uschar buffer[256];
+	buffer[0] = 0;
+	Ustrcat(buffer, " AUTH");
+	#ifdef SUPPORT_TLS
+	if (tls_in.active.sock < 0 &&
+	    verify_check_host(&tls_advertise_hosts) != FAIL)
+	  Ustrcat(buffer, " STARTTLS");
+	#endif
+	Ustrcat(buffer, " HELO EHLO MAIL RCPT DATA BDAT");
+	Ustrcat(buffer, " NOOP QUIT RSET HELP");
+	if (acl_smtp_etrn != NULL) Ustrcat(buffer, " ETRN");
+	if (acl_smtp_expn != NULL) Ustrcat(buffer, " EXPN");
+	if (acl_smtp_vrfy != NULL) Ustrcat(buffer, " VRFY");
+	smtp_printf("214%s\r\n", FALSE, buffer);
+	}
+      break;
 
 
     case EOF_CMD:
-    incomplete_transaction_log(US"connection lost");
-    smtp_notquit_exit(US"connection-lost", US"421",
-      US"%s lost input connection", smtp_active_hostname);
-
-    /* Don't log by default unless in the middle of a message, as some mailers
-    just drop the call rather than sending QUIT, and it clutters up the logs.
-    */
-
-    if (sender_address || recipients_count > 0)
-      log_write(L_lost_incoming_connection, LOG_MAIN,
-	"unexpected %s while reading SMTP command from %s%s%s D=%s",
-	sender_host_unknown ? "EOF" : "disconnection",
-	tcp_in_fastopen && !tcp_in_fastopen_logged ? US"TFO " : US"",
-	host_and_ident(FALSE), smtp_read_error,
-	string_timesince(&smtp_connection_start)
-	);
+      incomplete_transaction_log(US"connection lost");
+      smtp_notquit_exit(US"connection-lost", US"421",
+	US"%s lost input connection", smtp_active_hostname);
+
+      /* Don't log by default unless in the middle of a message, as some mailers
+      just drop the call rather than sending QUIT, and it clutters up the logs.
+      */
+
+      if (sender_address || recipients_count > 0)
+	log_write(L_lost_incoming_connection, LOG_MAIN,
+	  "unexpected %s while reading SMTP command from %s%s%s D=%s",
+	  f.sender_host_unknown ? "EOF" : "disconnection",
+	  f.tcp_in_fastopen_logged
+	  ? US""
+	  : f.tcp_in_fastopen
+	  ? f.tcp_in_fastopen_data ? US"TFO* " : US"TFO "
+	  : US"",
+	  host_and_ident(FALSE), smtp_read_error,
+	  string_timesince(&smtp_connection_start)
+	  );
 
-    else
-      log_write(L_smtp_connection, LOG_MAIN, "%s %slost%s D=%s",
-        smtp_get_connection_info(),
-	tcp_in_fastopen && !tcp_in_fastopen_logged ? US"TFO " : US"",
-	smtp_read_error,
-	string_timesince(&smtp_connection_start)
-	);
+      else
+	log_write(L_smtp_connection, LOG_MAIN, "%s %slost%s D=%s",
+	  smtp_get_connection_info(),
+	  f.tcp_in_fastopen && !f.tcp_in_fastopen_logged ? US"TFO " : US"",
+	  smtp_read_error,
+	  string_timesince(&smtp_connection_start)
+	  );
 
-    done = 1;
-    break;
+      done = 1;
+      break;
 
 
     case ETRN_CMD:
-    HAD(SCH_ETRN);
-    if (sender_address)
-      {
-      done = synprot_error(L_smtp_protocol_error, 503, NULL,
-        US"ETRN is not permitted inside a transaction");
-      break;
-      }
-
-    log_write(L_etrn, LOG_MAIN, "ETRN %s received from %s", smtp_cmd_argument,
-      host_and_ident(FALSE));
+      HAD(SCH_ETRN);
+      if (sender_address)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"ETRN is not permitted inside a transaction");
+	break;
+	}
 
-    if ((rc = acl_check(ACL_WHERE_ETRN, NULL, acl_smtp_etrn,
-		&user_msg, &log_msg)) != OK)
-      {
-      done = smtp_handle_acl_fail(ACL_WHERE_ETRN, rc, user_msg, log_msg);
-      break;
-      }
+      log_write(L_etrn, LOG_MAIN, "ETRN %s received from %s", smtp_cmd_argument,
+	host_and_ident(FALSE));
 
-    /* Compute the serialization key for this command. */
+      if ((rc = acl_check(ACL_WHERE_ETRN, NULL, acl_smtp_etrn,
+		  &user_msg, &log_msg)) != OK)
+	{
+	done = smtp_handle_acl_fail(ACL_WHERE_ETRN, rc, user_msg, log_msg);
+	break;
+	}
 
-    etrn_serialize_key = string_sprintf("etrn-%s\n", smtp_cmd_data);
+      /* Compute the serialization key for this command. */
 
-    /* If a command has been specified for running as a result of ETRN, we
-    permit any argument to ETRN. If not, only the # standard form is permitted,
-    since that is strictly the only kind of ETRN that can be implemented
-    according to the RFC. */
+      etrn_serialize_key = string_sprintf("etrn-%s\n", smtp_cmd_data);
 
-    if (smtp_etrn_command)
-      {
-      uschar *error;
-      BOOL rc;
-      etrn_command = smtp_etrn_command;
-      deliver_domain = smtp_cmd_data;
-      rc = transport_set_up_command(&argv, smtp_etrn_command, TRUE, 0, NULL,
-        US"ETRN processing", &error);
-      deliver_domain = NULL;
-      if (!rc)
-        {
-        log_write(0, LOG_MAIN|LOG_PANIC, "failed to set up ETRN command: %s",
-          error);
-        smtp_printf("458 Internal failure\r\n", FALSE);
-        break;
-        }
-      }
+      /* If a command has been specified for running as a result of ETRN, we
+      permit any argument to ETRN. If not, only the # standard form is permitted,
+      since that is strictly the only kind of ETRN that can be implemented
+      according to the RFC. */
 
-    /* Else set up to call Exim with the -R option. */
+      if (smtp_etrn_command)
+	{
+	uschar *error;
+	BOOL rc;
+	etrn_command = smtp_etrn_command;
+	deliver_domain = smtp_cmd_data;
+	rc = transport_set_up_command(&argv, smtp_etrn_command, TRUE, 0, NULL,
+	  US"ETRN processing", &error);
+	deliver_domain = NULL;
+	if (!rc)
+	  {
+	  log_write(0, LOG_MAIN|LOG_PANIC, "failed to set up ETRN command: %s",
+	    error);
+	  smtp_printf("458 Internal failure\r\n", FALSE);
+	  break;
+	  }
+	}
 
-    else
-      {
-      if (*smtp_cmd_data++ != '#')
-        {
-        done = synprot_error(L_smtp_syntax_error, 501, NULL,
-          US"argument must begin with #");
-        break;
-        }
-      etrn_command = US"exim -R";
-      argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, NULL, TRUE,
-        *queue_name ? 4 : 2,
-	US"-R", smtp_cmd_data,
-	US"-MCG", queue_name);
-      }
+      /* Else set up to call Exim with the -R option. */
 
-    /* If we are host-testing, don't actually do anything. */
+      else
+	{
+	if (*smtp_cmd_data++ != '#')
+	  {
+	  done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	    US"argument must begin with #");
+	  break;
+	  }
+	etrn_command = US"exim -R";
+	argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, NULL, TRUE,
+	  *queue_name ? 4 : 2,
+	  US"-R", smtp_cmd_data,
+	  US"-MCG", queue_name);
+	}
 
-    if (host_checking)
-      {
-      HDEBUG(D_any)
-        {
-        debug_printf("ETRN command is: %s\n", etrn_command);
-        debug_printf("ETRN command execution skipped\n");
-        }
-      if (user_msg == NULL) smtp_printf("250 OK\r\n", FALSE);
-        else smtp_user_msg(US"250", user_msg);
-      break;
-      }
+      /* If we are host-testing, don't actually do anything. */
 
+      if (host_checking)
+	{
+	HDEBUG(D_any)
+	  {
+	  debug_printf("ETRN command is: %s\n", etrn_command);
+	  debug_printf("ETRN command execution skipped\n");
+	  }
+	if (user_msg == NULL) smtp_printf("250 OK\r\n", FALSE);
+	  else smtp_user_msg(US"250", user_msg);
+	break;
+	}
 
-    /* If ETRN queue runs are to be serialized, check the database to
-    ensure one isn't already running. */
 
-    if (smtp_etrn_serialize && !enq_start(etrn_serialize_key, 1))
-      {
-      smtp_printf("458 Already processing %s\r\n", FALSE, smtp_cmd_data);
-      break;
-      }
+      /* If ETRN queue runs are to be serialized, check the database to
+      ensure one isn't already running. */
 
-    /* Fork a child process and run the command. We don't want to have to
-    wait for the process at any point, so set SIGCHLD to SIG_IGN before
-    forking. It should be set that way anyway for external incoming SMTP,
-    but we save and restore to be tidy. If serialization is required, we
-    actually run the command in yet another process, so we can wait for it
-    to complete and then remove the serialization lock. */
+      if (smtp_etrn_serialize && !enq_start(etrn_serialize_key, 1))
+	{
+	smtp_printf("458 Already processing %s\r\n", FALSE, smtp_cmd_data);
+	break;
+	}
 
-    oldsignal = signal(SIGCHLD, SIG_IGN);
+      /* Fork a child process and run the command. We don't want to have to
+      wait for the process at any point, so set SIGCHLD to SIG_IGN before
+      forking. It should be set that way anyway for external incoming SMTP,
+      but we save and restore to be tidy. If serialization is required, we
+      actually run the command in yet another process, so we can wait for it
+      to complete and then remove the serialization lock. */
 
-    if ((pid = fork()) == 0)
-      {
-      smtp_input = FALSE;       /* This process is not associated with the */
-      (void)fclose(smtp_in);    /* SMTP call any more. */
-      (void)fclose(smtp_out);
+      oldsignal = signal(SIGCHLD, SIG_IGN);
 
-      signal(SIGCHLD, SIG_DFL);      /* Want to catch child */
+      if ((pid = fork()) == 0)
+	{
+	smtp_input = FALSE;       /* This process is not associated with the */
+	(void)fclose(smtp_in);    /* SMTP call any more. */
+	(void)fclose(smtp_out);
 
-      /* If not serializing, do the exec right away. Otherwise, fork down
-      into another process. */
+	signal(SIGCHLD, SIG_DFL);      /* Want to catch child */
 
-      if (!smtp_etrn_serialize || (pid = fork()) == 0)
-        {
-        DEBUG(D_exec) debug_print_argv(argv);
-        exim_nullstd();                   /* Ensure std{in,out,err} exist */
-        execv(CS argv[0], (char *const *)argv);
-        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "exec of \"%s\" (ETRN) failed: %s",
-          etrn_command, strerror(errno));
-        _exit(EXIT_FAILURE);         /* paranoia */
-        }
+	/* If not serializing, do the exec right away. Otherwise, fork down
+	into another process. */
 
-      /* Obey this if smtp_serialize and the 2nd fork yielded non-zero. That
-      is, we are in the first subprocess, after forking again. All we can do
-      for a failing fork is to log it. Otherwise, wait for the 2nd process to
-      complete, before removing the serialization. */
+	if (!smtp_etrn_serialize || (pid = fork()) == 0)
+	  {
+	  DEBUG(D_exec) debug_print_argv(argv);
+	  exim_nullstd();                   /* Ensure std{in,out,err} exist */
+	  execv(CS argv[0], (char *const *)argv);
+	  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "exec of \"%s\" (ETRN) failed: %s",
+	    etrn_command, strerror(errno));
+	  _exit(EXIT_FAILURE);         /* paranoia */
+	  }
 
-      if (pid < 0)
-        log_write(0, LOG_MAIN|LOG_PANIC, "2nd fork for serialized ETRN "
-          "failed: %s", strerror(errno));
-      else
-        {
-        int status;
-        DEBUG(D_any) debug_printf("waiting for serialized ETRN process %d\n",
-          (int)pid);
-        (void)wait(&status);
-        DEBUG(D_any) debug_printf("serialized ETRN process %d ended\n",
-          (int)pid);
-        }
+	/* Obey this if smtp_serialize and the 2nd fork yielded non-zero. That
+	is, we are in the first subprocess, after forking again. All we can do
+	for a failing fork is to log it. Otherwise, wait for the 2nd process to
+	complete, before removing the serialization. */
+
+	if (pid < 0)
+	  log_write(0, LOG_MAIN|LOG_PANIC, "2nd fork for serialized ETRN "
+	    "failed: %s", strerror(errno));
+	else
+	  {
+	  int status;
+	  DEBUG(D_any) debug_printf("waiting for serialized ETRN process %d\n",
+	    (int)pid);
+	  (void)wait(&status);
+	  DEBUG(D_any) debug_printf("serialized ETRN process %d ended\n",
+	    (int)pid);
+	  }
 
-      enq_end(etrn_serialize_key);
-      _exit(EXIT_SUCCESS);
-      }
+	enq_end(etrn_serialize_key);
+	_exit(EXIT_SUCCESS);
+	}
 
-    /* Back in the top level SMTP process. Check that we started a subprocess
-    and restore the signal state. */
+      /* Back in the top level SMTP process. Check that we started a subprocess
+      and restore the signal state. */
 
-    if (pid < 0)
-      {
-      log_write(0, LOG_MAIN|LOG_PANIC, "fork of process for ETRN failed: %s",
-        strerror(errno));
-      smtp_printf("458 Unable to fork process\r\n", FALSE);
-      if (smtp_etrn_serialize) enq_end(etrn_serialize_key);
-      }
-    else
-      {
-      if (user_msg == NULL) smtp_printf("250 OK\r\n", FALSE);
-        else smtp_user_msg(US"250", user_msg);
-      }
+      if (pid < 0)
+	{
+	log_write(0, LOG_MAIN|LOG_PANIC, "fork of process for ETRN failed: %s",
+	  strerror(errno));
+	smtp_printf("458 Unable to fork process\r\n", FALSE);
+	if (smtp_etrn_serialize) enq_end(etrn_serialize_key);
+	}
+      else
+	{
+	if (user_msg == NULL) smtp_printf("250 OK\r\n", FALSE);
+	  else smtp_user_msg(US"250", user_msg);
+	}
 
-    signal(SIGCHLD, oldsignal);
-    break;
+      signal(SIGCHLD, oldsignal);
+      break;
 
 
     case BADARG_CMD:
-    done = synprot_error(L_smtp_syntax_error, 501, NULL,
-      US"unexpected argument data");
-    break;
+      done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	US"unexpected argument data");
+      break;
 
 
     /* This currently happens only for NULLs, but could be extended. */
 
     case BADCHAR_CMD:
-    done = synprot_error(L_smtp_syntax_error, 0, NULL,       /* Just logs */
-      US"NUL character(s) present (shown as '?')");
-    smtp_printf("501 NUL characters are not allowed in SMTP commands\r\n", FALSE);
-    break;
+      done = synprot_error(L_smtp_syntax_error, 0, NULL,       /* Just logs */
+	US"NUL character(s) present (shown as '?')");
+      smtp_printf("501 NUL characters are not allowed in SMTP commands\r\n",
+		  FALSE);
+      break;
 
 
     case BADSYN_CMD:
     SYNC_FAILURE:
-    if (smtp_inend >= smtp_inbuffer + IN_BUFFER_SIZE)
-      smtp_inend = smtp_inbuffer + IN_BUFFER_SIZE - 1;
-    c = smtp_inend - smtp_inptr;
-    if (c > 150) c = 150;	/* limit logged amount */
-    smtp_inptr[c] = 0;
-    incomplete_transaction_log(US"sync failure");
-    log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol synchronization error "
-      "(next input sent too soon: pipelining was%s advertised): "
-      "rejected \"%s\" %s next input=\"%s\"",
-      pipelining_advertised? "" : " not",
-      smtp_cmd_buffer, host_and_ident(TRUE),
-      string_printing(smtp_inptr));
-    smtp_notquit_exit(US"synchronization-error", US"554",
-      US"SMTP synchronization error");
-    done = 1;   /* Pretend eof - drops connection */
-    break;
+      if (smtp_inend >= smtp_inbuffer + IN_BUFFER_SIZE)
+	smtp_inend = smtp_inbuffer + IN_BUFFER_SIZE - 1;
+      c = smtp_inend - smtp_inptr;
+      if (c > 150) c = 150;	/* limit logged amount */
+      smtp_inptr[c] = 0;
+      incomplete_transaction_log(US"sync failure");
+      log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol synchronization error "
+	"(next input sent too soon: pipelining was%s advertised): "
+	"rejected \"%s\" %s next input=\"%s\"",
+	f.smtp_in_pipelining_advertised ? "" : " not",
+	smtp_cmd_buffer, host_and_ident(TRUE),
+	string_printing(smtp_inptr));
+      smtp_notquit_exit(US"synchronization-error", US"554",
+	US"SMTP synchronization error");
+      done = 1;   /* Pretend eof - drops connection */
+      break;
 
 
     case TOO_MANY_NONMAIL_CMD:
-    s = smtp_cmd_buffer;
-    while (*s != 0 && !isspace(*s)) s++;
-    incomplete_transaction_log(US"too many non-mail commands");
-    log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
-      "nonmail commands (last was \"%.*s\")",  host_and_ident(FALSE),
-      (int)(s - smtp_cmd_buffer), smtp_cmd_buffer);
-    smtp_notquit_exit(US"bad-commands", US"554", US"Too many nonmail commands");
-    done = 1;   /* Pretend eof - drops connection */
-    break;
+      s = smtp_cmd_buffer;
+      while (*s != 0 && !isspace(*s)) s++;
+      incomplete_transaction_log(US"too many non-mail commands");
+      log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
+	"nonmail commands (last was \"%.*s\")",  host_and_ident(FALSE),
+	(int)(s - smtp_cmd_buffer), smtp_cmd_buffer);
+      smtp_notquit_exit(US"bad-commands", US"554", US"Too many nonmail commands");
+      done = 1;   /* Pretend eof - drops connection */
+      break;
 
 #ifdef SUPPORT_PROXY
     case PROXY_FAIL_IGNORE_CMD:
-    smtp_printf("503 Command refused, required Proxy negotiation failed\r\n", FALSE);
-    break;
+      smtp_printf("503 Command refused, required Proxy negotiation failed\r\n", FALSE);
+      break;
 #endif
 
     default:
-    if (unknown_command_count++ >= smtp_max_unknown_commands)
-      {
-      log_write(L_smtp_syntax_error, LOG_MAIN,
-        "SMTP syntax error in \"%s\" %s %s",
-        string_printing(smtp_cmd_buffer), host_and_ident(TRUE),
-        US"unrecognized command");
-      incomplete_transaction_log(US"unrecognized command");
-      smtp_notquit_exit(US"bad-commands", US"500",
-        US"Too many unrecognized commands");
-      done = 2;
-      log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
-        "unrecognized commands (last was \"%s\")", host_and_ident(FALSE),
-        string_printing(smtp_cmd_buffer));
-      }
-    else
-      done = synprot_error(L_smtp_syntax_error, 500, NULL,
-        US"unrecognized command");
-    break;
+      if (unknown_command_count++ >= smtp_max_unknown_commands)
+	{
+	log_write(L_smtp_syntax_error, LOG_MAIN,
+	  "SMTP syntax error in \"%s\" %s %s",
+	  string_printing(smtp_cmd_buffer), host_and_ident(TRUE),
+	  US"unrecognized command");
+	incomplete_transaction_log(US"unrecognized command");
+	smtp_notquit_exit(US"bad-commands", US"500",
+	  US"Too many unrecognized commands");
+	done = 2;
+	log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
+	  "unrecognized commands (last was \"%s\")", host_and_ident(FALSE),
+	  string_printing(smtp_cmd_buffer));
+	}
+      else
+	done = synprot_error(L_smtp_syntax_error, 500, NULL,
+	  US"unrecognized command");
+      break;
     }
 
   /* This label is used by goto's inside loops that want to break out to
diff -Nru exim4-4.91/src/smtp_out.c exim4-4.92~RC4/src/smtp_out.c
--- exim4-4.91/src/smtp_out.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/smtp_out.c	2018-12-27 13:36:19.000000000 +0000
@@ -45,7 +45,7 @@
 
 if (!(expint = expand_string(istring)))
   {
-  if (expand_string_forcedfail) return TRUE;
+  if (f.expand_string_forcedfail) return TRUE;
   addr->transport_return = PANIC;
   addr->message = string_sprintf("failed to expand \"interface\" "
       "option for %s: %s", msg, expand_string_message);
@@ -148,46 +148,49 @@
 struct tcp_info tinfo;
 socklen_t len = sizeof(tinfo);
 
-if (getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0)
+switch (tcp_out_fastopen)
   {
-  switch (tcp_out_fastopen)
-    {
-      /* This is a somewhat dubious detection method; totally undocumented so likely
-      to fail in future kernels.  There seems to be no documented way.  What we really
-      want to know is if the server sent smtp-banner data before our ACK of his SYN,ACK
-      hit him.  What this (possibly?) detects is whether we sent a TFO cookie with our
-      SYN, as distinct from a TFO request.  This gets a false-positive when the server
-      key is rotated; we send the old one (which this test sees) but the server returns
-      the new one and does not send its SMTP banner before we ACK his SYN,ACK.
-       To force that rotation case:
-       '# echo -n "00000000-00000000-00000000-0000000" >/proc/sys/net/ipv4/tcp_fastopen_key'
-      The kernel seems to be counting unack'd packets. */
+    /* This is a somewhat dubious detection method; totally undocumented so likely
+    to fail in future kernels.  There seems to be no documented way.  What we really
+    want to know is if the server sent smtp-banner data before our ACK of his SYN,ACK
+    hit him.  What this (possibly?) detects is whether we sent a TFO cookie with our
+    SYN, as distinct from a TFO request.  This gets a false-positive when the server
+    key is rotated; we send the old one (which this test sees) but the server returns
+    the new one and does not send its SMTP banner before we ACK his SYN,ACK.
+     To force that rotation case:
+     '# echo -n "00000000-00000000-00000000-0000000" >/proc/sys/net/ipv4/tcp_fastopen_key'
+    The kernel seems to be counting unack'd packets. */
+
+  case TFO_ATTEMPTED_NODATA:
+    if (  getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0
+       && tinfo.tcpi_state == TCP_SYN_SENT
+       && tinfo.tcpi_unacked > 1
+       )
+      {
+      DEBUG(D_transport|D_v)
+	debug_printf("TCP_FASTOPEN tcpi_unacked %d\n", tinfo.tcpi_unacked);
+      tcp_out_fastopen = TFO_USED_NODATA;
+      }
+    break;
+
+    /* When called after waiting for received data we should be able
+    to tell if data we sent was accepted. */
 
-    case 1:
-      if (tinfo.tcpi_unacked > 1)
+  case TFO_ATTEMPTED_DATA:
+    if (  getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0
+       && tinfo.tcpi_state == TCP_ESTABLISHED
+       )
+      if (tinfo.tcpi_options & TCPI_OPT_SYN_DATA)
 	{
-	DEBUG(D_transport|D_v)
-	  debug_printf("TCP_FASTOPEN tcpi_unacked %d\n", tinfo.tcpi_unacked);
-	tcp_out_fastopen = 2;
+	DEBUG(D_transport|D_v) debug_printf("TFO: data was acked\n");
+	tcp_out_fastopen = TFO_USED_DATA;
 	}
-      break;
-
-#ifdef notdef		/* This seems to always fire, meaning that we cannot tell
-			whether the server accepted data we sent.  For now assume
-			that it did. */
-
-      /* If there was data-on-SYN but we had to retrasnmit it, declare no TFO */
-
-    case 2:
-      if (!(tinfo.tcpi_options & TCPI_OPT_SYN_DATA))
+      else
 	{
 	DEBUG(D_transport|D_v) debug_printf("TFO: had to retransmit\n");
-	tcp_out_fastopen = 0;
+	tcp_out_fastopen = TFO_NOT_USED;
 	}
-      break;
-#endif
-    }
-
+    break;
   }
 # endif
 }
@@ -195,7 +198,8 @@
 
 
 /* Arguments as for smtp_connect(), plus
-  early_data	if non-NULL, data to be sent - preferably in the TCP SYN segment
+  early_data	if non-NULL, idenmpotent data to be sent -
+		preferably in the TCP SYN segment
 
 Returns:      connected socket number, or -1 with errno set
 */
@@ -259,20 +263,29 @@
 
 /* Connect to the remote host, and add keepalive to the socket before returning
 it, if requested.  If the build supports TFO, request it - and if the caller
-requested some early-data then include that in the TFO request. */
+requested some early-data then include that in the TFO request.  If there is
+early-data but no TFO support, send it after connecting. */
 
 else
   {
 #ifdef TCP_FASTOPEN
-  if (verify_check_given_host(&ob->hosts_try_fastopen, host) == OK)
+  if (verify_check_given_host(CUSS &ob->hosts_try_fastopen, host) == OK)
     fastopen_blob = early_data ? early_data : &tcp_fastopen_nodata;
 #endif
 
   if (ip_connect(sock, host_af, host->address, port, timeout, fastopen_blob) < 0)
     save_errno = errno;
   else if (early_data && !fastopen_blob && early_data->data && early_data->len)
+    {
+    HDEBUG(D_transport|D_acl|D_v)
+      debug_printf("sending %ld nonTFO early-data\n", (long)early_data->len);
+
+#ifdef TCP_QUICKACK
+    (void) setsockopt(sock, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
+#endif
     if (send(sock, early_data->data, early_data->len, 0) < 0)
       save_errno = errno;
+    }
   }
 
 /* Either bind() or connect() failed */
@@ -291,12 +304,13 @@
   return -1;
   }
 
-/* Both bind() and connect() succeeded */
+/* Both bind() and connect() succeeded, and any early-data */
 
 else
   {
   union sockaddr_46 interface_sock;
   EXIM_SOCKLEN_T size = sizeof(interface_sock);
+
   HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("connected\n");
   if (getsockname(sock, (struct sockaddr *)(&interface_sock), &size) == 0)
     sending_ip_address = host_ntoa(-1, &interface_sock, NULL, &sending_port);
@@ -307,9 +321,10 @@
     close(sock);
     return -1;
     }
+
   if (ob->keepalive) ip_keepalive(sock, host->address, TRUE);
 #ifdef TCP_FASTOPEN
-  if (fastopen_blob) tfo_out_check(sock);
+  tfo_out_check(sock);
 #endif
   return sock;
   }
@@ -343,45 +358,62 @@
 host->address will always be an IPv4 address.
 
 Arguments:
-  host        host item containing name and address and port
-  host_af     AF_INET or AF_INET6
-  interface   outgoing interface address or NULL
-  timeout     timeout value or 0
-  tb          transport
+  sc	      details for making connection: host, af, interface, transport
+  early_data  if non-NULL, data to be sent - preferably in the TCP SYN segment
 
 Returns:      connected socket number, or -1 with errno set
 */
 
 int
-smtp_connect(host_item *host, int host_af, uschar *interface,
-  int timeout, transport_instance * tb)
+smtp_connect(smtp_connect_args * sc, const blob * early_data)
 {
-int port = host->port;
-#ifdef SUPPORT_SOCKS
-smtp_transport_options_block * ob =
-  (smtp_transport_options_block *)tb->options_block;
-#endif
+int port = sc->host->port;
+smtp_transport_options_block * ob = sc->ob;
 
-callout_address = string_sprintf("[%s]:%d", host->address, port);
+callout_address = string_sprintf("[%s]:%d", sc->host->address, port);
 
 HDEBUG(D_transport|D_acl|D_v)
   {
   uschar * s = US" ";
-  if (interface) s = string_sprintf(" from %s ", interface);
+  if (sc->interface) s = string_sprintf(" from %s ", sc->interface);
 #ifdef SUPPORT_SOCKS
   if (ob->socks_proxy) s = string_sprintf("%svia proxy ", s);
 #endif
-  debug_printf_indent("Connecting to %s %s%s... ", host->name, callout_address, s);
+  debug_printf_indent("Connecting to %s %s%s... ", sc->host->name, callout_address, s);
   }
 
 /* Create and connect the socket */
 
 #ifdef SUPPORT_SOCKS
 if (ob->socks_proxy)
-  return socks_sock_connect(host, host_af, port, interface, tb, timeout);
+  {
+  int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
+				sc->tblock, ob->connect_timeout);
+  
+  if (sock >= 0)
+    {
+    if (early_data && early_data->data && early_data->len)
+      if (send(sock, early_data->data, early_data->len, 0) < 0)
+	{
+	int save_errno = errno;
+	HDEBUG(D_transport|D_acl|D_v)
+	  {
+	  debug_printf_indent("failed: %s", CUstrerror(save_errno));
+	  if (save_errno == ETIMEDOUT)
+	    debug_printf(" (timeout=%s)", readconf_printtime(ob->connect_timeout));
+	  debug_printf("\n");
+	  }
+	(void)close(sock);
+	sock = -1;
+	errno = save_errno;
+	}
+    }
+  return sock;
+  }
 #endif
 
-return smtp_sock_connect(host, host_af, port, interface, tb, timeout, NULL);
+return smtp_sock_connect(sc->host, sc->host_af, port, sc->interface,
+			  sc->tblock, ob->connect_timeout, early_data);
 }
 
 
@@ -411,17 +443,37 @@
   more ? " (more expected)" : "");
 
 #ifdef SUPPORT_TLS
-if (tls_out.active == outblock->sock)
-  rc = tls_write(FALSE, outblock->buffer, n, more);
+if (outblock->cctx->tls_ctx)
+  rc = tls_write(outblock->cctx->tls_ctx, outblock->buffer, n, more);
 else
 #endif
-  rc = send(outblock->sock, outblock->buffer, n,
+
+  {
+  if (outblock->conn_args)
+    {
+    blob early_data = { .data = outblock->buffer, .len = n };
+
+    /* We ignore the more-flag if we're doing a connect with early-data, which
+    means we won't get BDAT+data. A pity, but wise due to the idempotency
+    requirement: TFO with data can, in rare cases, replay the data to the
+    receiver. */
+
+    if (  (outblock->cctx->sock = smtp_connect(outblock->conn_args, &early_data))
+       < 0)
+      return FALSE;
+    outblock->conn_args = NULL;
+    rc = n;
+    }
+  else
+
+    rc = send(outblock->cctx->sock, outblock->buffer, n,
 #ifdef MSG_MORE
-	    more ? MSG_MORE : 0
+	      more ? MSG_MORE : 0
 #else
-	    0
+	      0
 #endif
-	   );
+	     );
+  }
 
 if (rc <= 0)
   {
@@ -444,7 +496,7 @@
 any error message.
 
 Arguments:
-  outblock   contains buffer for pipelining, and socket
+  sx	     SMTP connection, contains buffer for pipelining, and socket
   mode       buffer, write-with-more-likely, write
   format     a format, starting with one of
              of HELO, MAIL FROM, RCPT TO, DATA, ".", or QUIT.
@@ -457,36 +509,37 @@
 */
 
 int
-smtp_write_command(smtp_outblock * outblock, int mode, const char *format, ...)
+smtp_write_command(void * sx, int mode, const char *format, ...)
 {
-int count;
+smtp_outblock * outblock = &((smtp_context *)sx)->outblock;
 int rc = 0;
-va_list ap;
 
 if (format)
   {
+  gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
+  va_list ap;
+
   va_start(ap, format);
-  if (!string_vformat(big_buffer, big_buffer_size, CS format, ap))
+  if (!string_vformat(&gs, FALSE, CS format, ap))
     log_write(0, LOG_MAIN|LOG_PANIC_DIE, "overlong write_command in outgoing "
       "SMTP");
   va_end(ap);
-  count = Ustrlen(big_buffer);
+  string_from_gstring(&gs);
 
-  if (count > outblock->buffersize)
+  if (gs.ptr > outblock->buffersize)
     log_write(0, LOG_MAIN|LOG_PANIC_DIE, "overlong write_command in outgoing "
       "SMTP");
 
-  if (count > outblock->buffersize - (outblock->ptr - outblock->buffer))
+  if (gs.ptr > outblock->buffersize - (outblock->ptr - outblock->buffer))
     {
     rc = outblock->cmd_count;                 /* flush resets */
     if (!flush_buffer(outblock, SCMD_FLUSH)) return -1;
     }
 
-  Ustrncpy(CS outblock->ptr, big_buffer, count);
-  outblock->ptr += count;
+  Ustrncpy(CS outblock->ptr, gs.s, gs.ptr);
+  outblock->ptr += gs.ptr;
   outblock->cmd_count++;
-  count -= 2;
-  big_buffer[count] = 0;     /* remove \r\n for error message */
+  gs.ptr -= 2; string_from_gstring(&gs); /* remove \r\n for error message */
 
   /* We want to hide the actual data sent in AUTH transactions from reflections
   and logs. While authenticating, a flag is set in the outblock to enable this.
@@ -546,7 +599,7 @@
 uschar *p = buffer;
 uschar *ptr = inblock->ptr;
 uschar *ptrend = inblock->ptrend;
-int sock = inblock->sock;
+client_conn_ctx * cctx = inblock->cctx;
 
 /* Loop for reading multiple packets or reading another packet after emptying
 a previously-read one. */
@@ -584,7 +637,7 @@
 
   /* Need to read a new input packet. */
 
-  if((rc = ip_recv(sock, inblock->buffer, inblock->buffersize, timeout)) <= 0)
+  if((rc = ip_recv(cctx, inblock->buffer, inblock->buffersize, timeout)) <= 0)
     {
     DEBUG(D_deliver|D_transport|D_acl)
       debug_printf_indent(errno ? "  SMTP(%s)<<\n" : "  SMTP(closed)<<\n",
@@ -623,7 +676,8 @@
 the error code will be in errno.
 
 Arguments:
-  inblock   the SMTP input block (contains holding buffer, socket, etc.)
+  sx        the SMTP connection (contains input block with holding buffer,
+		socket, etc.)
   buffer    where to put the response
   size      the size of the buffer
   okdigit   the expected first digit of the response
@@ -631,26 +685,37 @@
 
 Returns:    TRUE if a valid, non-error response was received; else FALSE
 */
+/*XXX could move to smtp transport; no other users */
 
 BOOL
-smtp_read_response(smtp_inblock *inblock, uschar *buffer, int size, int okdigit,
+smtp_read_response(void * sx0, uschar *buffer, int size, int okdigit,
    int timeout)
 {
+smtp_context * sx = sx0;
 uschar *ptr = buffer;
-int count;
+int count = 0;
 
 errno = 0;  /* Ensure errno starts out zero */
 
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+if (sx->pending_BANNER || sx->pending_EHLO)
+  if (smtp_reap_early_pipe(sx, &count) != OK)
+    {
+    DEBUG(D_transport) debug_printf("failed reaping pipelined cmd responsess\n");
+    return FALSE;
+    }
+#endif
+
 /* This is a loop to read and concatenate the lines that make up a multi-line
 response. */
 
 for (;;)
   {
-  if ((count = read_response_line(inblock, ptr, size, timeout)) < 0)
+  if ((count = read_response_line(&sx->inblock, ptr, size, timeout)) < 0)
     return FALSE;
 
   HDEBUG(D_transport|D_acl|D_v)
-    debug_printf_indent("  %s %s\n", (ptr == buffer)? "SMTP<<" : "      ", ptr);
+    debug_printf_indent("  %s %s\n", ptr == buffer ? "SMTP<<" : "      ", ptr);
 
   /* Check the format of the response: it must start with three digits; if
   these are followed by a space or end of line, the response is complete. If
@@ -684,6 +749,10 @@
   size -= count + 1;
   }
 
+#ifdef TCP_FASTOPEN
+  tfo_out_check(sx->cctx.sock);
+#endif
+
 /* Return a value that depends on the SMTP return code. On some systems a
 non-zero value of errno has been seen at this point, so ensure it is zero,
 because the caller of this function looks at errno when FALSE is returned, to
diff -Nru exim4-4.91/src/spam.c exim4-4.92~RC4/src/spam.c
--- exim4-4.91/src/spam.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/spam.c	2018-12-27 13:36:19.000000000 +0000
@@ -193,7 +193,7 @@
 uschar user_name_buffer[128];
 unsigned long mbox_size;
 FILE *mbox_file;
-int spamd_sock = -1;
+client_conn_ctx spamd_cctx = {.sock = -1};
 uschar spamd_buffer[32600];
 int i, j, offset, result;
 uschar spamd_version[8];
@@ -344,14 +344,14 @@
     for (;;)
       {
       /*XXX could potentially use TFO early-data here */
-      if (  (spamd_sock = ip_streamsocket(sd->hostspec, &errstr, 5)) >= 0
+      if (  (spamd_cctx.sock = ip_streamsocket(sd->hostspec, &errstr, 5)) >= 0
          || sd->retry <= 0
 	 )
 	break;
       DEBUG(D_acl) debug_printf_indent("spamd: server %s: retry conn\n", sd->hostspec);
       while (sd->retry > 0) sd->retry = sleep(sd->retry);
       }
-    if (spamd_sock >= 0)
+    if (spamd_cctx.sock >= 0)
       break;
 
     log_write(0, LOG_MAIN, "%s spamd: %s", loglabel, errstr);
@@ -367,8 +367,8 @@
     }
   }
 
-(void)fcntl(spamd_sock, F_SETFL, O_NONBLOCK);
-/* now we are connected to spamd on spamd_sock */
+(void)fcntl(spamd_cctx.sock, F_SETFL, O_NONBLOCK);
+/* now we are connected to spamd on spamd_cctx.sock */
 if (sd->is_rspamd)
   {
   gstring * req_str;
@@ -392,7 +392,7 @@
   if ((s = expand_string(US"$authenticated_id")) && *s)
     req_str = string_append(req_str, 3, "User: ", s, "\r\n");
   req_str = string_catn(req_str, US"\r\n", 2);
-  wrote = send(spamd_sock, req_str->s, req_str->ptr, 0);
+  wrote = send(spamd_cctx.sock, req_str->s, req_str->ptr, 0);
   }
 else
   {				/* spamassassin variant */
@@ -402,12 +402,12 @@
 	  user_name,
 	  mbox_size);
   /* send our request */
-  wrote = send(spamd_sock, spamd_buffer, Ustrlen(spamd_buffer), 0);
+  wrote = send(spamd_cctx.sock, spamd_buffer, Ustrlen(spamd_buffer), 0);
   }
 
 if (wrote == -1)
   {
-  (void)close(spamd_sock);
+  (void)close(spamd_cctx.sock);
   log_write(0, LOG_MAIN|LOG_PANIC,
        "%s spamd %s send failed: %s", loglabel, callout_address, strerror(errno));
   goto defer;
@@ -424,10 +424,10 @@
  *       broken in more recent versions (up to 10.4).
  */
 #ifndef NO_POLL_H
-pollfd.fd = spamd_sock;
+pollfd.fd = spamd_cctx.sock;
 pollfd.events = POLLOUT;
 #endif
-(void)fcntl(spamd_sock, F_SETFL, O_NONBLOCK);
+(void)fcntl(spamd_cctx.sock, F_SETFL, O_NONBLOCK);
 do
   {
   read = fread(spamd_buffer,1,sizeof(spamd_buffer),mbox_file);
@@ -443,8 +443,8 @@
     select_tv.tv_sec = 1;
     select_tv.tv_usec = 0;
     FD_ZERO(&select_fd);
-    FD_SET(spamd_sock, &select_fd);
-    result = select(spamd_sock+1, NULL, &select_fd, NULL, &select_tv);
+    FD_SET(spamd_cctx.sock, &select_fd);
+    result = select(spamd_cctx.sock+1, NULL, &select_fd, NULL, &select_tv);
 #endif
 /* End Erik's patch */
 
@@ -462,16 +462,16 @@
 	log_write(0, LOG_MAIN|LOG_PANIC,
 	  "%s timed out writing spamd %s, socket", loglabel, callout_address);
 	}
-      (void)close(spamd_sock);
+      (void)close(spamd_cctx.sock);
       goto defer;
       }
 
-    wrote = send(spamd_sock,spamd_buffer + offset,read - offset,0);
+    wrote = send(spamd_cctx.sock,spamd_buffer + offset,read - offset,0);
     if (wrote == -1)
       {
       log_write(0, LOG_MAIN|LOG_PANIC,
 	  "%s %s on spamd %s socket", loglabel, callout_address, strerror(errno));
-      (void)close(spamd_sock);
+      (void)close(spamd_cctx.sock);
       goto defer;
       }
     if (offset + wrote != read)
@@ -487,7 +487,7 @@
   {
   log_write(0, LOG_MAIN|LOG_PANIC,
     "%s error reading spool file: %s", loglabel, strerror(errno));
-  (void)close(spamd_sock);
+  (void)close(spamd_cctx.sock);
   goto defer;
   }
 
@@ -495,12 +495,12 @@
 
 /* we're done sending, close socket for writing */
 if (!sd->is_rspamd)
-  shutdown(spamd_sock,SHUT_WR);
+  shutdown(spamd_cctx.sock,SHUT_WR);
 
 /* read spamd response using what's left of the timeout.  */
 memset(spamd_buffer, 0, sizeof(spamd_buffer));
 offset = 0;
-while ((i = ip_recv(spamd_sock,
+while ((i = ip_recv(&spamd_cctx,
 		   spamd_buffer + offset,
 		   sizeof(spamd_buffer) - offset - 1,
 		   sd->timeout - time(NULL) + start)) > 0)
@@ -512,12 +512,12 @@
   {
   log_write(0, LOG_MAIN|LOG_PANIC,
        "%s error reading from spamd %s, socket: %s", loglabel, callout_address, strerror(errno));
-  (void)close(spamd_sock);
+  (void)close(spamd_cctx.sock);
   return DEFER;
   }
 
 /* reading done */
-(void)close(spamd_sock);
+(void)close(spamd_cctx.sock);
 
 if (sd->is_rspamd)
   {				/* rspamd variant of reply */
diff -Nru exim4-4.91/src/spf.c exim4-4.92~RC4/src/spf.c
--- exim4-4.91/src/spf.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/spf.c	2018-12-27 13:36:19.000000000 +0000
@@ -103,7 +103,7 @@
   rc = SPF_RESULT_PERMERROR;
 
 else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
-  /* Invalid sender address. This should be a real rare occurence */
+  /* Invalid sender address. This should be a real rare occurrence */
   rc = SPF_RESULT_PERMERROR;
 
 else
diff -Nru exim4-4.91/src/spool_in.c exim4-4.92~RC4/src/spool_in.c
--- exim4-4.91/src/spool_in.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/spool_in.c	2018-12-27 13:36:19.000000000 +0000
@@ -57,17 +57,25 @@
   fname = spool_fname(US"input", message_subdir, id, US"-D");
   DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
 
+  /* We protect against symlink attacks both in not propagating the
+   * file-descriptor to other processes as we exec, and also ensuring that we
+   * don't even open symlinks.
+   * No -D file inside the spool area should be a symlink.
+   */
   if ((fd = Uopen(fname,
 #ifdef O_CLOEXEC
 		      O_CLOEXEC |
 #endif
+#ifdef O_NOFOLLOW
+		      O_NOFOLLOW |
+#endif
 		      O_RDWR | O_APPEND, 0)) >= 0)
     break;
   save_errno = errno;
   if (errno == ENOENT)
     {
     if (i == 0) continue;
-    if (!queue_running)
+    if (!f.queue_running)
       log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
 	*queue_name ? US" Q=" : US"",
 	*queue_name ? queue_name : US"",
@@ -216,22 +224,24 @@
 acl_var_c = acl_var_m = NULL;
 authenticated_id = NULL;
 authenticated_sender = NULL;
-allow_unqualified_recipient = FALSE;
-allow_unqualified_sender = FALSE;
+f.allow_unqualified_recipient = FALSE;
+f.allow_unqualified_sender = FALSE;
 body_linecount = 0;
 body_zerocount = 0;
-deliver_firsttime = FALSE;
-deliver_freeze = FALSE;
+f.deliver_firsttime = FALSE;
+f.deliver_freeze = FALSE;
 deliver_frozen_at = 0;
-deliver_manual_thaw = FALSE;
-/* dont_deliver must NOT be reset */
+f.deliver_manual_thaw = FALSE;
+/* f.dont_deliver must NOT be reset */
 header_list = header_last = NULL;
 host_lookup_deferred = FALSE;
 host_lookup_failed = FALSE;
 interface_address = NULL;
 interface_port = 0;
-local_error_message = FALSE;
+f.local_error_message = FALSE;
+#ifdef HAVE_LOCAL_SCAN
 local_scan_data = NULL;
+#endif
 max_received_linelength = 0;
 message_linecount = 0;
 received_protocol = NULL;
@@ -245,11 +255,11 @@
 sender_host_port = 0;
 sender_host_authenticated = NULL;
 sender_ident = NULL;
-sender_local = FALSE;
-sender_set_untrusted = FALSE;
+f.sender_local = FALSE;
+f.sender_set_untrusted = FALSE;
 smtp_active_hostname = primary_hostname;
 #ifndef COMPILE_UTILITY
-spool_file_wireformat = FALSE;
+f.spool_file_wireformat = FALSE;
 #endif
 tree_nonrecipients = NULL;
 
@@ -260,8 +270,8 @@
 
 #ifndef DISABLE_DKIM
 dkim_signers = NULL;
-dkim_disable_verify = FALSE;
-dkim_collect_input = FALSE;
+f.dkim_disable_verify = FALSE;
+dkim_collect_input = 0;
 #endif
 
 #ifdef SUPPORT_TLS
@@ -277,6 +287,9 @@
 tls_in.peerdn = NULL;
 tls_in.sni = NULL;
 tls_in.ocsp = OCSP_NOT_REQ;
+# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
+tls_requiretls = 0;
+# endif
 #endif
 
 #ifdef WITH_CONTENT_SCAN
@@ -327,7 +340,7 @@
 int
 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
 {
-FILE *f = NULL;
+FILE * fp = NULL;
 int n;
 int rcount = 0;
 long int uid, gid;
@@ -349,7 +362,7 @@
   if (!subdir_set)
     message_subdir[0] = split_spool_directory == (n == 0) ? name[5] : 0;
 
-  if ((f = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
+  if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
     break;
   if (n != 0 || subdir_set || errno != ENOENT)
     return spool_read_notopen;
@@ -364,7 +377,7 @@
 /* The first line of a spool file contains the message id followed by -H (i.e.
 the file name), in order to make the file self-identifying. */
 
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
     Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
   goto SPOOL_FORMAT_ERROR;
@@ -376,7 +389,7 @@
 sender, enclosed in <>. The third contains the time the message was received,
 and the number of warning messages for delivery delays that have been sent. */
 
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
 
 p = big_buffer + Ustrlen(big_buffer);
 while (p > big_buffer && isspace(p[-1])) p--;
@@ -397,7 +410,7 @@
 originator_gid = (gid_t)gid;
 
 /* envelope from */
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
 n = Ustrlen(big_buffer);
 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
   goto SPOOL_FORMAT_ERROR;
@@ -407,7 +420,7 @@
 sender_address[n-3] = 0;
 
 /* time */
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
   goto SPOOL_FORMAT_ERROR;
 received_time.tv_usec = 0;
@@ -437,7 +450,7 @@
 for (;;)
   {
   int len;
-  if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+  if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
   if (big_buffer[0] != '-') break;
   while (  (len = Ustrlen(big_buffer)) == big_buffer_size-1
 	&& big_buffer[len-1] != '\n'
@@ -448,7 +461,7 @@
     buf = store_get_perm(big_buffer_size *= 2);
     memcpy(buf, big_buffer, --len);
     big_buffer = buf;
-    if (Ufgets(big_buffer+len, big_buffer_size-len, f) == NULL)
+    if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
       goto SPOOL_READ_ERROR;
     }
   big_buffer[len-1] = 0;
@@ -475,14 +488,14 @@
       if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
       node = acl_var_create(name);
       node->data.ptr = store_get(count + 1);
-      if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
+      if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
       ((uschar*)node->data.ptr)[count] = 0;
       }
 
     else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
-      allow_unqualified_recipient = TRUE;
+      f.allow_unqualified_recipient = TRUE;
     else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
-      allow_unqualified_sender = TRUE;
+      f.allow_unqualified_sender = TRUE;
 
     else if (Ustrncmp(p, "uth_id", 6) == 0)
       authenticated_id = string_copy(big_buffer + 9);
@@ -516,7 +529,7 @@
       node->data.ptr = store_get(count + 1);
       /* We sanity-checked the count, so disable the Coverity error */
       /* coverity[tainted_data] */
-      if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
+      if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
       (US node->data.ptr)[count] = '\0';
       }
     break;
@@ -534,7 +547,7 @@
 
     case 'd':
     if (Ustrcmp(p, "eliver_firsttime") == 0)
-      deliver_firsttime = TRUE;
+      f.deliver_firsttime = TRUE;
     /* Check if the dsn flags have been set in the header file */
     else if (Ustrncmp(p, "sn_ret", 6) == 0)
       dsn_ret= atoi(CS big_buffer + 8);
@@ -545,7 +558,7 @@
     case 'f':
     if (Ustrncmp(p, "rozen", 5) == 0)
       {
-      deliver_freeze = TRUE;
+      f.deliver_freeze = TRUE;
       if (sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at) != 1)
 	goto SPOOL_READ_ERROR;
       }
@@ -586,21 +599,23 @@
 
     case 'l':
     if (Ustrcmp(p, "ocal") == 0)
-      sender_local = TRUE;
+      f.sender_local = TRUE;
     else if (Ustrcmp(big_buffer, "-localerror") == 0)
-      local_error_message = TRUE;
+      f.local_error_message = TRUE;
+#ifdef HAVE_LOCAL_SCAN
     else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
       local_scan_data = string_copy(big_buffer + 12);
+#endif
     break;
 
     case 'm':
-    if (Ustrcmp(p, "anual_thaw") == 0) deliver_manual_thaw = TRUE;
+    if (Ustrcmp(p, "anual_thaw") == 0) f.deliver_manual_thaw = TRUE;
     else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
       max_received_linelength = Uatoi(big_buffer + 24);
     break;
 
     case 'N':
-    if (*p == 0) dont_deliver = TRUE;   /* -N */
+    if (*p == 0) f.dont_deliver = TRUE;   /* -N */
     break;
 
     case 'r':
@@ -616,7 +631,7 @@
 
     case 's':
     if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
-      sender_set_untrusted = TRUE;
+      f.sender_set_untrusted = TRUE;
 #ifdef WITH_CONTENT_SCAN
     else if (Ustrncmp(p, "pam_bar ", 8) == 0)
       spam_bar = string_copy(big_buffer + 10);
@@ -627,7 +642,7 @@
 #endif
 #ifndef COMPILE_UTILITY
     else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
-      spool_file_wireformat = TRUE;
+      f.spool_file_wireformat = TRUE;
 #endif
 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
     else if (Ustrncmp(p, "mtputf8", 7) == 0)
@@ -637,22 +652,30 @@
 
 #ifdef SUPPORT_TLS
     case 't':
-    if (Ustrncmp(p, "ls_certificate_verified", 23) == 0)
-      tls_in.certificate_verified = TRUE;
-    else if (Ustrncmp(p, "ls_cipher", 9) == 0)
-      tls_in.cipher = string_copy(big_buffer + 12);
+    if (Ustrncmp(p, "ls_", 3) == 0)
+      {
+      uschar * q = p + 3;
+      if (Ustrncmp(q, "certificate_verified", 20) == 0)
+	tls_in.certificate_verified = TRUE;
+      else if (Ustrncmp(q, "cipher", 6) == 0)
+	tls_in.cipher = string_copy(big_buffer + 12);
 # ifndef COMPILE_UTILITY	/* tls support fns not built in */
-    else if (Ustrncmp(p, "ls_ourcert", 10) == 0)
-      (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
-    else if (Ustrncmp(p, "ls_peercert", 11) == 0)
-      (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
+      else if (Ustrncmp(q, "ourcert", 7) == 0)
+	(void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
+      else if (Ustrncmp(q, "peercert", 8) == 0)
+	(void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
 # endif
-    else if (Ustrncmp(p, "ls_peerdn", 9) == 0)
-      tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
-    else if (Ustrncmp(p, "ls_sni", 6) == 0)
-      tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
-    else if (Ustrncmp(p, "ls_ocsp", 7) == 0)
-      tls_in.ocsp = big_buffer[10] - '0';
+      else if (Ustrncmp(q, "peerdn", 6) == 0)
+	tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
+      else if (Ustrncmp(q, "sni", 3) == 0)
+	tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
+      else if (Ustrncmp(q, "ocsp", 4) == 0)
+	tls_in.ocsp = big_buffer[10] - '0';
+# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
+      else if (Ustrncmp(q, "requiretls", 10) == 0)
+	tls_requiretls = strtol(CS big_buffer+16, NULL, 0);
+# endif
+      }
     break;
 #endif
 
@@ -678,7 +701,7 @@
 
 #ifndef COMPILE_UTILITY
 DEBUG(D_deliver)
-  debug_printf("sender_local=%d ident=%s\n", sender_local,
+  debug_printf("sender_local=%d ident=%s\n", f.sender_local,
     (sender_ident == NULL)? US"unset" : sender_ident);
 #endif  /* COMPILE_UTILITY */
 
@@ -686,7 +709,7 @@
 containing "XX", indicating no tree. */
 
 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
-  !read_nonrecipients_tree(&tree_nonrecipients, f, big_buffer, big_buffer_size))
+  !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
     goto SPOOL_FORMAT_ERROR;
 
 #ifndef COMPILE_UTILITY
@@ -701,7 +724,7 @@
 buffer. It contains the count of recipients which follow on separate lines.
 Apply an arbitrary sanity check.*/
 
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
   goto SPOOL_FORMAT_ERROR;
 
@@ -725,7 +748,7 @@
   uschar *errors_to = NULL;
   uschar *p;
 
-  if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+  if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
   nn = Ustrlen(big_buffer);
   if (nn < 2) goto SPOOL_FORMAT_ERROR;
 
@@ -865,17 +888,17 @@
 list if requested to do so. */
 
 inheader = TRUE;
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
 
-while ((n = fgetc(f)) != EOF)
+while ((n = fgetc(fp)) != EOF)
   {
   header_line *h;
   uschar flag[4];
   int i;
 
   if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
-  if(ungetc(n, f) == EOF  ||  fscanf(f, "%d%c ", &n, flag) == EOF)
+  if(ungetc(n, fp) == EOF  ||  fscanf(fp, "%d%c ", &n, flag) == EOF)
     goto SPOOL_READ_ERROR;
   if (flag[0] != '*') message_size += n;  /* Omit non-transmitted headers */
 
@@ -895,7 +918,7 @@
 
     for (i = 0; i < n; i++)
       {
-      int c = fgetc(f);
+      int c = fgetc(fp);
       if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
       if (c == '\n' && h->type != htype_old) message_linecount++;
       h->text[i] = c;
@@ -907,7 +930,7 @@
 
   else for (i = 0; i < n; i++)
     {
-    int c = fgetc(f);
+    int c = fgetc(fp);
     if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
     }
   }
@@ -923,7 +946,7 @@
 
 message_linecount += body_linecount;
 
-fclose(f);
+fclose(fp);
 return spool_read_OK;
 
 
@@ -940,7 +963,7 @@
   DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
 #endif  /* COMPILE_UTILITY */
 
-  fclose(f);
+  fclose(fp);
   errno = n;
   return inheader? spool_read_hdrerror : spool_read_enverror;
   }
@@ -951,7 +974,7 @@
 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
 #endif  /* COMPILE_UTILITY */
 
-fclose(f);
+fclose(fp);
 errno = ERRNO_SPOOLFORMAT;
 return inheader? spool_read_hdrerror : spool_read_enverror;
 }
diff -Nru exim4-4.91/src/spool_mbox.c exim4-4.92~RC4/src/spool_mbox.c
--- exim4-4.91/src/spool_mbox.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/spool_mbox.c	2018-12-27 13:36:19.000000000 +0000
@@ -35,9 +35,7 @@
 uschar buffer[16384];
 uschar *temp_string;
 uschar *mbox_path;
-FILE *mbox_file = NULL;
-FILE *data_file = NULL;
-FILE *yield = NULL;
+FILE *mbox_file = NULL, *l_data_file = NULL, *yield = NULL;
 header_line *my_headerlist;
 struct stat statbuf;
 int i, j;
@@ -108,21 +106,25 @@
     goto OUT;
     }
 
-  /* copy body file */
-  if (!source_file_override)
+  /* Copy body file.  If the main receive still has it open then it is holding
+  a lock, and we must not close it (which releases the lock), so just use the
+  global file handle. */
+  if (source_file_override)
+    l_data_file = Ufopen(source_file_override, "rb");
+  else if (spool_data_file)
+    l_data_file = spool_data_file;
+  else
     {
     message_subdir[1] = '\0';
     for (i = 0; i < 2; i++)
       {
       message_subdir[0] = split_spool_directory == (i == 0) ? message_id[5] : 0;
       temp_string = spool_fname(US"input", message_subdir, message_id, US"-D");
-      if ((data_file = Ufopen(temp_string, "rb"))) break;
+      if ((l_data_file = Ufopen(temp_string, "rb"))) break;
       }
     }
-  else
-    data_file = Ufopen(source_file_override, "rb");
 
-  if (!data_file)
+  if (!l_data_file)
     {
     log_write(0, LOG_MAIN|LOG_PANIC, "Could not open datafile for message %s",
       message_id);
@@ -131,7 +133,7 @@
 
   /* The code used to use this line, but it doesn't work in Cygwin.
 
-      (void)fread(data_buffer, 1, 18, data_file);
+      (void)fread(data_buffer, 1, 18, l_data_file);
 
      What's happening is that spool_mbox used to use an fread to jump over the
      file header. That fails under Cygwin because the header is locked, but
@@ -139,23 +141,23 @@
      explicitly, because the one in the file is parted of the locked area.  */
 
   if (!source_file_override)
-    (void)fseek(data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);
+    (void)fseek(l_data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);
 
   do
     {
     uschar * s;
 
-    if (!spool_file_wireformat || source_file_override)
-      j = fread(buffer, 1, sizeof(buffer), data_file);
+    if (!f.spool_file_wireformat || source_file_override)
+      j = fread(buffer, 1, sizeof(buffer), l_data_file);
     else						/* needs CRLF -> NL */
-      if ((s = US fgets(CS buffer, sizeof(buffer), data_file)))
+      if ((s = US fgets(CS buffer, sizeof(buffer), l_data_file)))
 	{
 	uschar * p = s + Ustrlen(s) - 1;
 
 	if (*p == '\n' && p[-1] == '\r')
 	  *--p = '\n';
 	else if (*p == '\r')
-	  ungetc(*p--, data_file);
+	  ungetc(*p--, l_data_file);
 
 	j = p - buffer;
 	}
@@ -190,7 +192,7 @@
   *mbox_file_size = statbuf.st_size;
 
 OUT:
-if (data_file) (void)fclose(data_file);
+if (l_data_file && !spool_data_file) (void)fclose(l_data_file);
 if (mbox_file) (void)fclose(mbox_file);
 store_reset(reset_point);
 return yield;
@@ -207,7 +209,7 @@
 spam_ok = 0;
 malware_ok = 0;
 
-if (spool_mbox_ok && !no_mbox_unspool)
+if (spool_mbox_ok && !f.no_mbox_unspool)
   {
   uschar *mbox_path;
   uschar *file_path;
diff -Nru exim4-4.91/src/spool_out.c exim4-4.92~RC4/src/spool_out.c
--- exim4-4.91/src/spool_out.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/spool_out.c	2018-12-27 13:36:19.000000000 +0000
@@ -130,7 +130,7 @@
 int fd;
 int i;
 int size_correction;
-FILE *f;
+FILE * fp;
 header_line *h;
 struct stat statbuf;
 uschar * tname;
@@ -141,7 +141,7 @@
 
 if ((fd = spool_open_temp(tname)) < 0)
   return spool_write_error(where, errmsg, US"open", NULL, NULL);
-f = fdopen(fd, "wb");
+fp = fdopen(fd, "wb");
 DEBUG(D_receive|D_deliver) debug_printf("Writing spool header file: %s\n", tname);
 
 /* We now have an open file to which the header data is to be written. Start
@@ -150,130 +150,136 @@
 address is enclosed in <> because it might be the null address. Then write the
 received time and the number of warning messages that have been sent. */
 
-fprintf(f, "%s-H\n", message_id);
-fprintf(f, "%.63s %ld %ld\n", originator_login, (long int)originator_uid,
+fprintf(fp, "%s-H\n", message_id);
+fprintf(fp, "%.63s %ld %ld\n", originator_login, (long int)originator_uid,
   (long int)originator_gid);
-fprintf(f, "<%s>\n", sender_address);
-fprintf(f, "%d %d\n", (int)received_time.tv_sec, warning_count);
+fprintf(fp, "<%s>\n", sender_address);
+fprintf(fp, "%d %d\n", (int)received_time.tv_sec, warning_count);
 
-fprintf(f, "-received_time_usec .%06d\n", (int)received_time.tv_usec);
+fprintf(fp, "-received_time_usec .%06d\n", (int)received_time.tv_usec);
 
 /* If there is information about a sending host, remember it. The HELO
 data can be set for local SMTP as well as remote. */
 
 if (sender_helo_name)
-  fprintf(f, "-helo_name %s\n", sender_helo_name);
+  fprintf(fp, "-helo_name %s\n", sender_helo_name);
 
 if (sender_host_address)
   {
-  fprintf(f, "-host_address %s.%d\n", sender_host_address, sender_host_port);
+  fprintf(fp, "-host_address %s.%d\n", sender_host_address, sender_host_port);
   if (sender_host_name)
-    fprintf(f, "-host_name %s\n", sender_host_name);
+    fprintf(fp, "-host_name %s\n", sender_host_name);
   if (sender_host_authenticated)
-    fprintf(f, "-host_auth %s\n", sender_host_authenticated);
+    fprintf(fp, "-host_auth %s\n", sender_host_authenticated);
   }
 
 /* Also about the interface a message came in on */
 
 if (interface_address)
-  fprintf(f, "-interface_address %s.%d\n", interface_address, interface_port);
+  fprintf(fp, "-interface_address %s.%d\n", interface_address, interface_port);
 
 if (smtp_active_hostname != primary_hostname)
-  fprintf(f, "-active_hostname %s\n", smtp_active_hostname);
+  fprintf(fp, "-active_hostname %s\n", smtp_active_hostname);
 
 /* Likewise for any ident information; for local messages this is
 likely to be the same as originator_login, but will be different if
 the originator was root, forcing a different ident. */
 
-if (sender_ident) fprintf(f, "-ident %s\n", sender_ident);
+if (sender_ident) fprintf(fp, "-ident %s\n", sender_ident);
 
 /* Ditto for the received protocol */
 
 if (received_protocol)
-  fprintf(f, "-received_protocol %s\n", received_protocol);
+  fprintf(fp, "-received_protocol %s\n", received_protocol);
 
 /* Preserve any ACL variables that are set. */
 
-tree_walk(acl_var_c, &acl_var_write, f);
-tree_walk(acl_var_m, &acl_var_write, f);
+tree_walk(acl_var_c, &acl_var_write, fp);
+tree_walk(acl_var_m, &acl_var_write, fp);
 
 /* Now any other data that needs to be remembered. */
 
-if (spool_file_wireformat)
-  fprintf(f, "-spool_file_wireformat\n");
+if (f.spool_file_wireformat)
+  fprintf(fp, "-spool_file_wireformat\n");
 else
-  fprintf(f, "-body_linecount %d\n", body_linecount);
-fprintf(f, "-max_received_linelength %d\n", max_received_linelength);
+  fprintf(fp, "-body_linecount %d\n", body_linecount);
+fprintf(fp, "-max_received_linelength %d\n", max_received_linelength);
 
-if (body_zerocount > 0) fprintf(f, "-body_zerocount %d\n", body_zerocount);
+if (body_zerocount > 0) fprintf(fp, "-body_zerocount %d\n", body_zerocount);
 
 if (authenticated_id)
-  fprintf(f, "-auth_id %s\n", authenticated_id);
+  fprintf(fp, "-auth_id %s\n", authenticated_id);
 if (authenticated_sender)
-  fprintf(f, "-auth_sender %s\n", authenticated_sender);
+  fprintf(fp, "-auth_sender %s\n", authenticated_sender);
 
-if (allow_unqualified_recipient) fprintf(f, "-allow_unqualified_recipient\n");
-if (allow_unqualified_sender) fprintf(f, "-allow_unqualified_sender\n");
-if (deliver_firsttime) fprintf(f, "-deliver_firsttime\n");
-if (deliver_freeze) fprintf(f, "-frozen " TIME_T_FMT "\n", deliver_frozen_at);
-if (dont_deliver) fprintf(f, "-N\n");
-if (host_lookup_deferred) fprintf(f, "-host_lookup_deferred\n");
-if (host_lookup_failed) fprintf(f, "-host_lookup_failed\n");
-if (sender_local) fprintf(f, "-local\n");
-if (local_error_message) fprintf(f, "-localerror\n");
-if (local_scan_data != NULL) fprintf(f, "-local_scan %s\n", local_scan_data);
+if (f.allow_unqualified_recipient) fprintf(fp, "-allow_unqualified_recipient\n");
+if (f.allow_unqualified_sender) fprintf(fp, "-allow_unqualified_sender\n");
+if (f.deliver_firsttime) fprintf(fp, "-deliver_firsttime\n");
+if (f.deliver_freeze) fprintf(fp, "-frozen " TIME_T_FMT "\n", deliver_frozen_at);
+if (f.dont_deliver) fprintf(fp, "-N\n");
+if (host_lookup_deferred) fprintf(fp, "-host_lookup_deferred\n");
+if (host_lookup_failed) fprintf(fp, "-host_lookup_failed\n");
+if (f.sender_local) fprintf(fp, "-local\n");
+if (f.local_error_message) fprintf(fp, "-localerror\n");
+#ifdef HAVE_LOCAL_SCAN
+if (local_scan_data) fprintf(fp, "-local_scan %s\n", local_scan_data);
+#endif
 #ifdef WITH_CONTENT_SCAN
-if (spam_bar)       fprintf(f,"-spam_bar %s\n",       spam_bar);
-if (spam_score)     fprintf(f,"-spam_score %s\n",     spam_score);
-if (spam_score_int) fprintf(f,"-spam_score_int %s\n", spam_score_int);
+if (spam_bar)       fprintf(fp,"-spam_bar %s\n",       spam_bar);
+if (spam_score)     fprintf(fp,"-spam_score %s\n",     spam_score);
+if (spam_score_int) fprintf(fp,"-spam_score_int %s\n", spam_score_int);
 #endif
-if (deliver_manual_thaw) fprintf(f, "-manual_thaw\n");
-if (sender_set_untrusted) fprintf(f, "-sender_set_untrusted\n");
+if (f.deliver_manual_thaw) fprintf(fp, "-manual_thaw\n");
+if (f.sender_set_untrusted) fprintf(fp, "-sender_set_untrusted\n");
 
 #ifdef EXPERIMENTAL_BRIGHTMAIL
-if (bmi_verdicts != NULL) fprintf(f, "-bmi_verdicts %s\n", bmi_verdicts);
+if (bmi_verdicts) fprintf(fp, "-bmi_verdicts %s\n", bmi_verdicts);
 #endif
 
 #ifdef SUPPORT_TLS
-if (tls_in.certificate_verified) fprintf(f, "-tls_certificate_verified\n");
-if (tls_in.cipher)       fprintf(f, "-tls_cipher %s\n", tls_in.cipher);
+if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n");
+if (tls_in.cipher)       fprintf(fp, "-tls_cipher %s\n", tls_in.cipher);
 if (tls_in.peercert)
   {
   (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert);
-  fprintf(f, "-tls_peercert %s\n", CS big_buffer);
+  fprintf(fp, "-tls_peercert %s\n", CS big_buffer);
   }
-if (tls_in.peerdn)       fprintf(f, "-tls_peerdn %s\n", string_printing(tls_in.peerdn));
-if (tls_in.sni)		 fprintf(f, "-tls_sni %s\n",    string_printing(tls_in.sni));
+if (tls_in.peerdn)       fprintf(fp, "-tls_peerdn %s\n", string_printing(tls_in.peerdn));
+if (tls_in.sni)		 fprintf(fp, "-tls_sni %s\n",    string_printing(tls_in.sni));
 if (tls_in.ourcert)
   {
   (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert);
-  fprintf(f, "-tls_ourcert %s\n", CS big_buffer);
+  fprintf(fp, "-tls_ourcert %s\n", CS big_buffer);
   }
-if (tls_in.ocsp)	 fprintf(f, "-tls_ocsp %d\n",   tls_in.ocsp);
+if (tls_in.ocsp)	 fprintf(fp, "-tls_ocsp %d\n",   tls_in.ocsp);
+
+# ifdef EXPERIMENTAL_REQUIRETLS
+if (tls_requiretls)	 fprintf(fp, "-tls_requiretls 0x%x\n", tls_requiretls);
+# endif
 #endif
 
 #ifdef SUPPORT_I18N
 if (message_smtputf8)
   {
-  fprintf(f, "-smtputf8\n");
+  fprintf(fp, "-smtputf8\n");
   if (message_utf8_downconvert)
-    fprintf(f, "-utf8_%sdowncvt\n", message_utf8_downconvert < 0 ? "opt" : "");
+    fprintf(fp, "-utf8_%sdowncvt\n", message_utf8_downconvert < 0 ? "opt" : "");
   }
 #endif
 
 /* Write the dsn flags to the spool header file */
 DEBUG(D_deliver) debug_printf("DSN: Write SPOOL :-dsn_envid %s\n", dsn_envid);
-if (dsn_envid) fprintf(f, "-dsn_envid %s\n", dsn_envid);
+if (dsn_envid) fprintf(fp, "-dsn_envid %s\n", dsn_envid);
 DEBUG(D_deliver) debug_printf("DSN: Write SPOOL :-dsn_ret %d\n", dsn_ret);
-if (dsn_ret != 0) fprintf(f, "-dsn_ret %d\n", dsn_ret);
+if (dsn_ret) fprintf(fp, "-dsn_ret %d\n", dsn_ret);
 
 /* To complete the envelope, write out the tree of non-recipients, followed by
 the list of recipients. These won't be disjoint the first time, when no
 checking has been done. If a recipient is a "one-time" alias, it is followed by
 a space and its parent address number (pno). */
 
-tree_write(tree_nonrecipients, f);
-fprintf(f, "%d\n", recipients_count);
+tree_write(tree_nonrecipients, fp);
+fprintf(fp, "%d\n", recipients_count);
 for (i = 0; i < recipients_count; i++)
   {
   recipient_item *r = recipients_list + i;
@@ -281,7 +287,7 @@
   DEBUG(D_deliver) debug_printf("DSN: Flags :%d\n", r->dsn_flags);
 
   if (r->pno < 0 && r->errors_to == NULL && r->dsn_flags == 0)
-    fprintf(f, "%s\n", r->address);
+    fprintf(fp, "%s\n", r->address);
   else
     {
     uschar * errors_to = r->errors_to ? r->errors_to : US"";
@@ -289,7 +295,7 @@
     adding new values upfront and add flag 0x02 */
     uschar * orcpt = r->orcpt ? r->orcpt : US"";
 
-    fprintf(f, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt),
+    fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt),
       r->dsn_flags, errors_to, Ustrlen(errors_to), r->pno);
     }
 
@@ -300,14 +306,14 @@
 
 /* Put a blank line before the headers */
 
-fprintf(f, "\n");
+fprintf(fp, "\n");
 
 /* Save the size of the file so far so we can subtract it from the final length
 to get the actual size of the headers. */
 
-fflush(f);
+fflush(fp);
 if (fstat(fd, &statbuf))
-  return spool_write_error(where, errmsg, US"fstat", tname, f);
+  return spool_write_error(where, errmsg, US"fstat", tname, fp);
 size_correction = statbuf.st_size;
 
 /* Finally, write out the message's headers. To make it easier to read them
@@ -320,28 +326,28 @@
 
 for (h = header_list; h; h = h->next)
   {
-  fprintf(f, "%03d%c %s", h->slen, h->type, h->text);
+  fprintf(fp, "%03d%c %s", h->slen, h->type, h->text);
   size_correction += 5;
   if (h->type == '*') size_correction += h->slen;
   }
 
 /* Flush and check for any errors while writing */
 
-if (fflush(f) != 0 || ferror(f))
-  return spool_write_error(where, errmsg, US"write", tname, f);
+if (fflush(fp) != 0 || ferror(fp))
+  return spool_write_error(where, errmsg, US"write", tname, fp);
 
 /* Force the file's contents to be written to disk. Note that fflush()
 just pushes it out of C, and fclose() doesn't guarantee to do the write
 either. That's just the way Unix works... */
 
-if (EXIMfsync(fileno(f)) < 0)
-  return spool_write_error(where, errmsg, US"sync", tname, f);
+if (EXIMfsync(fileno(fp)) < 0)
+  return spool_write_error(where, errmsg, US"sync", tname, fp);
 
 /* Get the size of the file, and close it. */
 
 if (fstat(fd, &statbuf) != 0)
   return spool_write_error(where, errmsg, US"fstat", tname, NULL);
-if (fclose(f) != 0)
+if (fclose(fp) != 0)
   return spool_write_error(where, errmsg, US"close", tname, NULL);
 
 /* Rename the file to its correct name, thereby replacing any previous
diff -Nru exim4-4.91/src/store.c exim4-4.92~RC4/src/store.c
--- exim4-4.91/src/store.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/store.c	2018-12-27 13:36:19.000000000 +0000
@@ -194,7 +194,7 @@
 #else
 DEBUG(D_memory)
   {
-  if (running_in_test_harness)
+  if (f.running_in_test_harness)
     debug_printf("---%d Get %5d\n", store_pool, size);
   else
     debug_printf("---%d Get %6p %5d %-14s %4d\n", store_pool,
@@ -286,7 +286,7 @@
 #else
 DEBUG(D_memory)
   {
-  if (running_in_test_harness)
+  if (f.running_in_test_harness)
     debug_printf("---%d Ext %5d\n", store_pool, newsize);
   else
     debug_printf("---%d Ext %6p %5d %-14s %4d\n", store_pool, ptr, newsize,
@@ -357,7 +357,7 @@
 if (debug_store)
   {
   assert_no_variables(ptr, newlength, filename, linenumber);
-  if (running_in_test_harness)
+  if (f.running_in_test_harness)
     {
     (void) VALGRIND_MAKE_MEM_DEFINED(ptr, newlength);
     memset(ptr, 0xF0, newlength);
@@ -411,7 +411,7 @@
 #else
 DEBUG(D_memory)
   {
-  if (running_in_test_harness)
+  if (f.running_in_test_harness)
     debug_printf("---%d Rst    ** %d\n", store_pool, pool_malloc);
   else
     debug_printf("---%d Rst %6p    ** %-14s %4d %d\n", store_pool, ptr,
@@ -462,13 +462,13 @@
     linenumber = linenumber;
 #else
     DEBUG(D_memory)
-      if (running_in_test_harness)
+      if (f.running_in_test_harness)
         debug_printf("-Release       %d\n", pool_malloc);
       else
         debug_printf("-Release %6p %-20s %4d %d\n", (void *)bb, filename,
           linenumber, pool_malloc);
 
-    if (running_in_test_harness)
+    if (f.running_in_test_harness)
       memset(bb, 0xF0, bb->length+ALIGNED_SIZEOF_STOREBLOCK);
 #endif  /* COMPILE_UTILITY */
 
@@ -558,7 +558,7 @@
 /* If running in test harness, spend time making sure all the new store
 is not filled with zeros so as to catch problems. */
 
-if (running_in_test_harness)
+if (f.running_in_test_harness)
   {
   memset(yield, 0xF0, (size_t)size);
   DEBUG(D_memory) debug_printf("--Malloc %5d %d %d\n", size, pool_malloc,
@@ -598,7 +598,7 @@
 #else
 DEBUG(D_memory)
   {
-  if (running_in_test_harness)
+  if (f.running_in_test_harness)
     debug_printf("----Free\n");
   else
     debug_printf("----Free %6p %-20s %4d\n", block, filename, linenumber);
diff -Nru exim4-4.91/src/string.c exim4-4.92~RC4/src/string.c
--- exim4-4.91/src/string.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/string.c	2018-12-27 13:36:19.000000000 +0000
@@ -10,6 +10,7 @@
 
 
 #include "exim.h"
+#include <assert.h>
 
 
 #ifndef COMPILE_UTILITY
@@ -650,18 +651,16 @@
 /* First find the end of the string */
 
 if (*s != '\"')
-  {
   while (*s != 0 && !isspace(*s)) s++;
-  }
 else
   {
   s++;
-  while (*s != 0 && *s != '\"')
+  while (*s && *s != '\"')
     {
     if (*s == '\\') (void)string_interpret_escape(&s);
     s++;
     }
-  if (*s != 0) s++;
+  if (*s) s++;
   }
 
 /* Get enough store to copy into */
@@ -701,7 +700,7 @@
 *          Format a string and save it           *
 *************************************************/
 
-/* The formatting is done by string_format, which checks the length of
+/* The formatting is done by string_vformat, which checks the length of
 everything.
 
 Arguments:
@@ -715,16 +714,33 @@
 uschar *
 string_sprintf(const char *format, ...)
 {
-va_list ap;
+#ifdef COMPILE_UTILITY
 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
+gstring g = { .size = STRING_SPRINTF_BUFFER_SIZE, .ptr = 0, .s = buffer };
+gstring * gp = &g;
+#else
+gstring * gp = string_get(STRING_SPRINTF_BUFFER_SIZE);
+#endif
+gstring * gp2;
+va_list ap;
+
 va_start(ap, format);
-if (!string_vformat(buffer, sizeof(buffer), format, ap))
-  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
-    "string_sprintf expansion was longer than " SIZE_T_FMT
-    "; format string was (%s)\nexpansion started '%.32s'",
-    sizeof(buffer), format, buffer);
+gp2 = string_vformat(gp, FALSE, format, ap);
+gp->s[gp->ptr] = '\0';
 va_end(ap);
-return string_copy(buffer);
+
+if (!gp2)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "string_sprintf expansion was longer than %d; format string was (%s)\n"
+    "expansion started '%.32s'",
+    gp->size, format, gp->s);
+
+#ifdef COMPILE_UTILITY
+return string_copy(gp->s);
+#else
+gstring_reset_unused(gp);
+return gp->s;
+#endif
 }
 
 
@@ -830,6 +846,17 @@
 
 
 
+#ifdef COMPILE_UTILITY
+/* Dummy version for this function; it should never be called */
+static void
+gstring_grow(gstring * g, int p, int count)
+{
+assert(FALSE);
+}
+#endif
+
+
+
 #ifndef COMPILE_UTILITY
 /*************************************************
 *       Get next string from separated list      *
@@ -878,7 +905,7 @@
 const uschar *s = *listptr;
 BOOL sep_is_special;
 
-if (s == NULL) return NULL;
+if (!s) return NULL;
 
 /* This allows for a fixed specified separator to be an iscntrl() character,
 but at the time of implementation, this is never the case. However, it's best
@@ -894,19 +921,17 @@
   if (*s == '<' && (ispunct(s[1]) || iscntrl(s[1])))
     {
     sep = s[1];
-    s += 2;
+    if (*++s) ++s;
     while (isspace(*s) && *s != sep) s++;
     }
   else
-    {
-    sep = (sep == 0)? ':' : -sep;
-    }
+    sep = sep ? -sep : ':';
   *separator = sep;
   }
 
 /* An empty string has no list elements */
 
-if (*s == 0) return NULL;
+if (!*s) return NULL;
 
 /* Note whether whether or not the separator is an iscntrl() character. */
 
@@ -917,13 +942,13 @@
 if (buffer)
   {
   int p = 0;
-  for (; *s != 0; s++)
+  for (; *s; s++)
     {
     if (*s == sep && (*(++s) != sep || sep_is_special)) break;
     if (p < buflen - 1) buffer[p++] = *s;
     }
   while (p > 0 && isspace(buffer[p-1])) p--;
-  buffer[p] = 0;
+  buffer[p] = '\0';
   }
 
 /* Handle the case when a buffer is not provided. */
@@ -953,10 +978,10 @@
 
   for (;;)
     {
-    for (ss = s + 1; *ss != 0 && *ss != sep; ss++) ;
+    for (ss = s + 1; *ss && *ss != sep; ss++) ;
     g = string_catn(g, s, ss-s);
     s = ss;
-    if (*s == 0 || *(++s) != sep || sep_is_special) break;
+    if (!*s || *++s != sep || sep_is_special) break;
     }
   while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--;
   buffer = string_from_gstring(g);
@@ -1051,6 +1076,24 @@
 
 
 
+/* A slightly-bogus listmaker utility; the separator is a string so
+can be multiple chars - there is no checking for the element content
+containing any of the separator. */
+
+gstring *
+string_append2_listele_n(gstring * list, const uschar * sepstr,
+ const uschar * ele, unsigned len)
+{
+if (list && list->ptr)
+  list = string_cat(list, sepstr);
+
+list = string_catn(list, ele, len);
+(void) string_from_gstring(list);
+return list;
+}
+
+
+
 /************************************************/
 /* Create a growable-string with some preassigned space */
 
@@ -1080,12 +1123,11 @@
 store_reset(g->s + (g->size = g->ptr + 1));
 }
 
-/*************************************************
-*             Add chars to string                *
-*************************************************/
 
-/* Arguments:
-  g		the grawable-string
+/* Add more space to a growable-string.
+
+Arguments:
+  g		the growable-string
   p		current end of data
   count		amount to grow by
 */
@@ -1120,6 +1162,9 @@
 
 
 
+/*************************************************
+*             Add chars to string                *
+*************************************************/
 /* This function is used when building up strings of unknown length. Room is
 always left for a terminating zero to be added to the string that is being
 built. This function does not require the string that is being added to be NUL
@@ -1239,50 +1284,82 @@
 */
 
 BOOL
-string_format(uschar *buffer, int buflen, const char *format, ...)
+string_format(uschar * buffer, int buflen, const char * format, ...)
 {
-BOOL yield;
+gstring g = { .size = buflen, .ptr = 0, .s = buffer }, *gp;
 va_list ap;
 va_start(ap, format);
-yield = string_vformat(buffer, buflen, format, ap);
+gp = string_vformat(&g, FALSE, format, ap);
 va_end(ap);
-return yield;
+g.s[g.ptr] = '\0';
+return !!gp;
 }
 
 
-BOOL
-string_vformat(uschar *buffer, int buflen, const char *format, va_list ap)
+
+
+
+/* Bulid or append to a growing-string, sprintf-style.
+
+If the "extend" argument is true, the string passed in can be NULL,
+empty, or non-empty.
+
+If the "extend" argument is false, the string passed in may not be NULL,
+will not be grown, and is usable in the original place after return.
+The return value can be NULL to signify overflow.
+
+Returns the possibly-new (if copy for growth was needed) string,
+not nul-terminated.
+*/
+
+gstring *
+string_vformat(gstring * g, BOOL extend, const char *format, va_list ap)
 {
-/* We assume numbered ascending order, C does not guarantee that */
-enum { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
+enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
+
+int width, precision, off, lim;
+const char * fp = format;	/* Deliberately not unsigned */
 
-BOOL yield = TRUE;
-int width, precision;
-const char *fp = format;       /* Deliberately not unsigned */
-uschar *p = buffer;
-uschar *last = buffer + buflen - 1;
-
-string_datestamp_offset = -1;  /* Datestamp not inserted */
-string_datestamp_length = 0;   /* Datestamp not inserted */
-string_datestamp_type = 0;     /* Datestamp not inserted */
+string_datestamp_offset = -1;	/* Datestamp not inserted */
+string_datestamp_length = 0;	/* Datestamp not inserted */
+string_datestamp_type = 0;	/* Datestamp not inserted */
+
+#ifdef COMPILE_UTILITY
+assert(!extend);
+assert(g);
+#else
+
+/* Ensure we have a string, to save on checking later */
+if (!g) g = string_get(16);
+#endif	/*!COMPILE_UTILITY*/
+
+lim = g->size - 1;	/* leave one for a nul */
+off = g->ptr;		/* remember initial offset in gstring */
 
 /* Scan the format and handle the insertions */
 
-while (*fp != 0)
+while (*fp)
   {
   int length = L_NORMAL;
   int *nptr;
   int slen;
-  const char *null = "NULL";   /* ) These variables */
-  const char *item_start, *s;  /* ) are deliberately */
-  char newformat[16];          /* ) not unsigned */
+  const char *null = "NULL";		/* ) These variables */
+  const char *item_start, *s;		/* ) are deliberately */
+  char newformat[16];			/* ) not unsigned */
+  char * gp = CS g->s + g->ptr;		/* ) */
 
   /* Non-% characters just get copied verbatim */
 
   if (*fp != '%')
     {
-    if (p >= last) { yield = FALSE; break; }
-    *p++ = (uschar)*fp++;
+    /* Avoid string_copyn() due to COMPILE_UTILITY */
+    if (g->ptr >= lim - 1)
+      {
+      if (!extend) return NULL;
+      gstring_grow(g, g->ptr, 1);
+      lim = g->size - 1;
+      }
+    g->s[g->ptr++] = (uschar) *fp++;
     continue;
     }
 
@@ -1310,19 +1387,14 @@
     }
 
   if (*fp == '.')
-    {
     if (*(++fp) == '*')
       {
       precision = va_arg(ap, int);
       fp++;
       }
     else
-      {
-      precision = 0;
-      while (isdigit((uschar)*fp))
-        precision = precision*10 + *fp++ - '0';
-      }
-    }
+      for (precision = 0; isdigit((uschar)*fp); fp++)
+        precision = precision*10 + *fp - '0';
 
   /* Skip over 'h', 'L', 'l', 'll' and 'z', remembering the item length */
 
@@ -1331,18 +1403,10 @@
   else if (*fp == 'L')
     { fp++; length = L_LONGDOUBLE; }
   else if (*fp == 'l')
-    {
     if (fp[1] == 'l')
-      {
-      fp += 2;
-      length = L_LONGLONG;
-      }
+      { fp += 2; length = L_LONGLONG; }
     else
-      {
-      fp++;
-      length = L_LONG;
-      }
-    }
+      { fp++; length = L_LONG; }
   else if (*fp == 'z')
     { fp++; length = L_SIZE; }
 
@@ -1351,47 +1415,63 @@
   switch (*fp++)
     {
     case 'n':
-    nptr = va_arg(ap, int *);
-    *nptr = p - buffer;
-    break;
+      nptr = va_arg(ap, int *);
+      *nptr = g->ptr - off;
+      break;
 
     case 'd':
     case 'o':
     case 'u':
     case 'x':
     case 'X':
-    if (p >= last - ((length > L_LONG)? 24 : 12))
-      { yield = FALSE; goto END_FORMAT; }
-    strncpy(newformat, item_start, fp - item_start);
-    newformat[fp - item_start] = 0;
+      width = length > L_LONG ? 24 : 12;
+      if (g->ptr >= lim - width)
+	{
+	if (!extend) return NULL;
+	gstring_grow(g, g->ptr, width);
+	lim = g->size - 1;
+	gp = CS g->s + g->ptr;
+	}
+      strncpy(newformat, item_start, fp - item_start);
+      newformat[fp - item_start] = 0;
 
-    /* Short int is promoted to int when passing through ..., so we must use
-    int for va_arg(). */
+      /* Short int is promoted to int when passing through ..., so we must use
+      int for va_arg(). */
 
-    switch(length)
-      {
-      case L_SHORT:
-      case L_NORMAL:   p += sprintf(CS p, newformat, va_arg(ap, int)); break;
-      case L_LONG:     p += sprintf(CS p, newformat, va_arg(ap, long int)); break;
-      case L_LONGLONG: p += sprintf(CS p, newformat, va_arg(ap, LONGLONG_T)); break;
-      case L_SIZE:     p += sprintf(CS p, newformat, va_arg(ap, size_t)); break;
-      }
-    break;
+      switch(length)
+	{
+	case L_SHORT:
+	case L_NORMAL:
+	  g->ptr += sprintf(gp, newformat, va_arg(ap, int)); break;
+	case L_LONG:
+	  g->ptr += sprintf(gp, newformat, va_arg(ap, long int)); break;
+	case L_LONGLONG:
+	  g->ptr += sprintf(gp, newformat, va_arg(ap, LONGLONG_T)); break;
+	case L_SIZE:
+	  g->ptr += sprintf(gp, newformat, va_arg(ap, size_t)); break;
+	}
+      break;
 
     case 'p':
       {
       void * ptr;
-      if (p >= last - 24) { yield = FALSE; goto END_FORMAT; }
+      if (g->ptr >= lim - 24)
+	{
+	if (!extend) return NULL;
+	gstring_grow(g, g->ptr, 24);
+	lim = g->size - 1;
+	gp = CS g->s + g->ptr;
+	}
       /* sprintf() saying "(nil)" for a null pointer seems unreliable.
       Handle it explicitly. */
       if ((ptr = va_arg(ap, void *)))
 	{
 	strncpy(newformat, item_start, fp - item_start);
 	newformat[fp - item_start] = 0;
-	p += sprintf(CS p, newformat, ptr);
+	g->ptr += sprintf(gp, newformat, ptr);
 	}
       else
-	p += sprintf(CS p, "(nil)");
+	g->ptr += sprintf(gp, "(nil)");
       }
     break;
 
@@ -1407,123 +1487,151 @@
     case 'E':
     case 'g':
     case 'G':
-    if (precision < 0) precision = 6;
-    if (p >= last - precision - 8) { yield = FALSE; goto END_FORMAT; }
-    strncpy(newformat, item_start, fp - item_start);
-    newformat[fp-item_start] = 0;
-    if (length == L_LONGDOUBLE)
-      p += sprintf(CS p, newformat, va_arg(ap, long double));
-    else
-      p += sprintf(CS p, newformat, va_arg(ap, double));
-    break;
+      if (precision < 0) precision = 6;
+      if (g->ptr >= lim - precision - 8)
+	{
+	if (!extend) return NULL;
+	gstring_grow(g, g->ptr, precision+8);
+	lim = g->size - 1;
+	gp = CS g->s + g->ptr;
+	}
+      strncpy(newformat, item_start, fp - item_start);
+      newformat[fp-item_start] = 0;
+      if (length == L_LONGDOUBLE)
+	g->ptr += sprintf(gp, newformat, va_arg(ap, long double));
+      else
+	g->ptr += sprintf(gp, newformat, va_arg(ap, double));
+      break;
 
     /* String types */
 
     case '%':
-    if (p >= last) { yield = FALSE; goto END_FORMAT; }
-    *p++ = '%';
-    break;
+      if (g->ptr >= lim - 1)
+	{
+	if (!extend) return NULL;
+	gstring_grow(g, g->ptr, 1);
+	lim = g->size - 1;
+	}
+      g->s[g->ptr++] = (uschar) '%';
+      break;
 
     case 'c':
-    if (p >= last) { yield = FALSE; goto END_FORMAT; }
-    *p++ = va_arg(ap, int);
-    break;
+      if (g->ptr >= lim - 1)
+	{
+	if (!extend) return NULL;
+	gstring_grow(g, g->ptr, 1);
+	lim = g->size - 1;
+	}
+      g->s[g->ptr++] = (uschar) va_arg(ap, int);
+      break;
 
     case 'D':                   /* Insert daily datestamp for log file names */
-    s = CS tod_stamp(tod_log_datestamp_daily);
-    string_datestamp_offset = p - buffer;   /* Passed back via global */
-    string_datestamp_length = Ustrlen(s);   /* Passed back via global */
-    string_datestamp_type = tod_log_datestamp_daily;
-    slen = string_datestamp_length;
-    goto INSERT_STRING;
+      s = CS tod_stamp(tod_log_datestamp_daily);
+      string_datestamp_offset = g->ptr;		/* Passed back via global */
+      string_datestamp_length = Ustrlen(s);	/* Passed back via global */
+      string_datestamp_type = tod_log_datestamp_daily;
+      slen = string_datestamp_length;
+      goto INSERT_STRING;
 
     case 'M':                   /* Insert monthly datestamp for log file names */
-    s = CS tod_stamp(tod_log_datestamp_monthly);
-    string_datestamp_offset = p - buffer;   /* Passed back via global */
-    string_datestamp_length = Ustrlen(s);   /* Passed back via global */
-    string_datestamp_type = tod_log_datestamp_monthly;
-    slen = string_datestamp_length;
-    goto INSERT_STRING;
+      s = CS tod_stamp(tod_log_datestamp_monthly);
+      string_datestamp_offset = g->ptr;		/* Passed back via global */
+      string_datestamp_length = Ustrlen(s);	/* Passed back via global */
+      string_datestamp_type = tod_log_datestamp_monthly;
+      slen = string_datestamp_length;
+      goto INSERT_STRING;
 
     case 's':
     case 'S':                   /* Forces *lower* case */
     case 'T':                   /* Forces *upper* case */
-    s = va_arg(ap, char *);
+      s = va_arg(ap, char *);
 
-    if (s == NULL) s = null;
-    slen = Ustrlen(s);
+      if (!s) s = null;
+      slen = Ustrlen(s);
 
     INSERT_STRING:              /* Come to from %D or %M above */
 
-    /* If the width is specified, check that there is a precision
-    set; if not, set it to the width to prevent overruns of long
-    strings. */
-
-    if (width >= 0)
       {
-      if (precision < 0) precision = width;
-      }
+      BOOL truncated = FALSE;
 
-    /* If a width is not specified and the precision is specified, set
-    the width to the precision, or the string length if shorted. */
+      /* If the width is specified, check that there is a precision
+      set; if not, set it to the width to prevent overruns of long
+      strings. */
 
-    else if (precision >= 0)
-      {
-      width = (precision < slen)? precision : slen;
-      }
+      if (width >= 0)
+	{
+	if (precision < 0) precision = width;
+	}
 
-    /* If neither are specified, set them both to the string length. */
+      /* If a width is not specified and the precision is specified, set
+      the width to the precision, or the string length if shorted. */
 
-    else width = precision = slen;
+      else if (precision >= 0)
+	width = precision < slen ? precision : slen;
 
-    /* Check string space, and add the string to the buffer if ok. If
-    not OK, add part of the string (debugging uses this to show as
-    much as possible). */
+      /* If neither are specified, set them both to the string length. */
 
-    if (p == last)
-      {
-      yield = FALSE;
-      goto END_FORMAT;
-      }
-    if (p >= last - width)
-      {
-      yield = FALSE;
-      width = precision = last - p - 1;
-      if (width < 0) width = 0;
-      if (precision < 0) precision = 0;
+      else
+	width = precision = slen;
+
+      if (!extend)
+	{
+	if (g->ptr == lim) return NULL;
+	if (g->ptr >= lim - width)
+	  {
+	  truncated = TRUE;
+	  width = precision = lim - g->ptr - 1;
+	  if (width < 0) width = 0;
+	  if (precision < 0) precision = 0;
+	  }
+	}
+      else if (g->ptr >= lim - width)
+	{
+	gstring_grow(g, g->ptr, width - (lim - g->ptr));
+	lim = g->size - 1;
+	gp = CS g->s + g->ptr;
+	}
+
+      g->ptr += sprintf(gp, "%*.*s", width, precision, s);
+      if (fp[-1] == 'S')
+	while (*gp) { *gp = tolower(*gp); gp++; }
+      else if (fp[-1] == 'T')
+	while (*gp) { *gp = toupper(*gp); gp++; }
+
+      if (truncated) return NULL;
+      break;
       }
-    sprintf(CS p, "%*.*s", width, precision, s);
-    if (fp[-1] == 'S')
-      while (*p) { *p = tolower(*p); p++; }
-    else if (fp[-1] == 'T')
-      while (*p) { *p = toupper(*p); p++; }
-    else
-      while (*p) p++;
-    if (!yield) goto END_FORMAT;
-    break;
 
     /* Some things are never used in Exim; also catches junk. */
 
     default:
-    strncpy(newformat, item_start, fp - item_start);
-    newformat[fp-item_start] = 0;
-    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
-      "in \"%s\" in \"%s\"", newformat, format);
-    break;
+      strncpy(newformat, item_start, fp - item_start);
+      newformat[fp-item_start] = 0;
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
+	"in \"%s\" in \"%s\"", newformat, format);
+      break;
     }
   }
 
-/* Ensure string is complete; return TRUE if got to the end of the format */
+return g;
+}
 
-END_FORMAT:
 
-*p = 0;
-return yield;
+
+#ifndef COMPILE_UTILITY
+
+gstring *
+string_fmt_append(gstring * g, const char *format, ...)
+{
+va_list ap;
+va_start(ap, format);
+g = string_vformat(g, TRUE, format, ap);
+va_end(ap);
+return g;
 }
 
 
 
-#ifndef COMPILE_UTILITY
 /*************************************************
 *       Generate an "open failed" message        *
 *************************************************/
@@ -1544,23 +1652,25 @@
 string_open_failed(int eno, const char *format, ...)
 {
 va_list ap;
-uschar buffer[1024];
+gstring * g = string_get(1024);
 
-Ustrcpy(buffer, "failed to open ");
-va_start(ap, format);
+g = string_catn(g, US"failed to open ", 15);
 
 /* Use the checked formatting routine to ensure that the buffer
 does not overflow. It should not, since this is called only for internally
 specified messages. If it does, the message just gets truncated, and there
 doesn't seem much we can do about that. */
 
-(void)string_vformat(buffer+15, sizeof(buffer) - 15, format, ap);
+va_start(ap, format);
+(void) string_vformat(g, FALSE, format, ap);
+string_from_gstring(g);
+gstring_reset_unused(g);
 va_end(ap);
 
-return (eno == EACCES)?
-  string_sprintf("%s: %s (euid=%ld egid=%ld)", buffer, strerror(eno),
-    (long int)geteuid(), (long int)getegid()) :
-  string_sprintf("%s: %s", buffer, strerror(eno));
+return eno == EACCES
+  ? string_sprintf("%s: %s (euid=%ld egid=%ld)", g->s, strerror(eno),
+    (long int)geteuid(), (long int)getegid())
+  : string_sprintf("%s: %s", g->s, strerror(eno));
 }
 #endif  /* COMPILE_UTILITY */
 
@@ -1582,6 +1692,7 @@
 
 
 
+
 /*************************************************
 **************************************************
 *             Stand-alone test program           *
diff -Nru exim4-4.91/src/structs.h exim4-4.92~RC4/src/structs.h
--- exim4-4.91/src/structs.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/structs.h	2018-12-27 13:36:19.000000000 +0000
@@ -65,6 +65,12 @@
 		CHUNKING_ACTIVE,
 		CHUNKING_LAST} chunking_state_t;
 
+typedef enum {	TFO_NOT_USED = 0,
+		TFO_ATTEMPTED_NODATA,
+		TFO_ATTEMPTED_DATA,
+		TFO_USED_NODATA,
+		TFO_USED_DATA } tfo_state_t;
+
 /* Structure for holding information about a host for use mainly by routers,
 but also used when checking lists of hosts and when transporting. Looking up
 host addresses is done using this structure. */
@@ -420,8 +426,7 @@
     uschar *);                    /* rest of AUTH command */
   int (*clientcode)(              /* client function */
     struct auth_instance *,
-    struct smtp_inblock *,        /* socket and input buffer */
-    struct smtp_outblock *,       /* socket and output buffer */
+    void *,			  /* smtp conn, with socket, output and input buffers */
     int,                          /* command timeout */
     uschar *,                     /* buffer for reading response */
     int);                         /* sizeof buffer */
@@ -614,7 +619,12 @@
     BOOL af_pass_message:1;		/* pass message in bounces */
     BOOL af_bad_reply:1;		/* filter could not generate autoreply */
     BOOL af_tcp_fastopen_conn:1;	/* delivery connection used TCP Fast Open */
-    BOOL af_tcp_fastopen:1;		/* delivery usefuly used TCP Fast Open */
+    BOOL af_tcp_fastopen:1;		/* delivery usefully used TCP Fast Open */
+    BOOL af_tcp_fastopen_data:1;	/* delivery sent SMTP commands on TCP Fast Open */
+    BOOL af_pipelining:1;		/* delivery used (traditional) pipelining */
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    BOOL af_early_pipe:1;		/* delivery used connect-time pipelining */
+#endif
 #ifndef DISABLE_PRDR
     BOOL af_prdr_used:1;		/* delivery used SMTP PRDR */
 #endif
@@ -739,11 +749,12 @@
   const uschar *data;                   /* pointer to data */
 } dns_record;
 
-/* Structure for holding the result of a DNS query. */
+/* Structure for holding the result of a DNS query.  A touch over
+64k big, so take care to release as soon as possible. */
 
 typedef struct {
   int     answerlen;              /* length of the answer */
-  uschar  answer[MAXPACKET];      /* the answer itself */
+  uschar  answer[NS_MAXMSG];      /* the answer itself */
 } dns_answer;
 
 /* Structure for holding the intermediate data while scanning a DNS answer
@@ -780,15 +791,30 @@
 typedef struct sha1 {
   unsigned int H[5];
   unsigned int length;
-  }
-sha1;
+} sha1;
+
+/* Information for making an smtp connection */
+typedef struct {
+  transport_instance *  tblock;
+  void *		ob;	/* smtp_transport_options_block * */
+  host_item *           host;
+  int                   host_af;
+  uschar *              interface;
+} smtp_connect_args;
+
+/* A client-initiated connection. If TLS, the second element is non-NULL */
+typedef struct {
+  int	sock;
+  void * tls_ctx;
+} client_conn_ctx;
+
 
 /* Structure used to hold incoming packets of SMTP responses for a specific
 socket. The packets which may contain multiple lines (and in some cases,
 multiple responses). */
 
 typedef struct smtp_inblock {
-  int     sock;                   /* the socket */
+  client_conn_ctx * cctx;	  /* the connection */
   int     buffersize;             /* the size of the buffer */
   uschar *ptr;                    /* current position in the buffer */
   uschar *ptrend;                 /* end of data in the buffer */
@@ -800,12 +826,14 @@
 is in use. */
 
 typedef struct smtp_outblock {
-  int     sock;                   /* the socket */
+  client_conn_ctx * cctx;	  /* the connection */
   int     cmd_count;              /* count of buffered commands */
   int     buffersize;             /* the size of the buffer */
   BOOL    authenticating;         /* TRUE when authenticating */
   uschar *ptr;                    /* current position in the buffer */
   uschar *buffer;                 /* the buffer itself */
+
+  smtp_connect_args * conn_args;  /* to make connection, if not yet made */
 } smtp_outblock;
 
 /* Structure to hold information about the source of redirection information */
@@ -878,6 +906,7 @@
   uschar *dkim_sign_headers;
   uschar *dkim_strict;
   uschar *dkim_hash;
+  uschar *dkim_timestamps;
   BOOL    dot_stuffed;
   BOOL    force_bodyhash;
 #ifdef EXPERIMENTAL_ARC
diff -Nru exim4-4.91/src/tls.c exim4-4.92~RC4/src/tls.c
--- exim4-4.91/src/tls.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/tls.c	2018-12-27 13:36:19.000000000 +0000
@@ -19,6 +19,15 @@
 #include "exim.h"
 #include "transports/smtp.h"
 
+#if defined(MACRO_PREDEF) && defined(SUPPORT_TLS)
+# ifndef USE_GNUTLS
+#  include "macro_predef.h"
+#  include "tls-openssl.c"
+# endif
+#endif
+
+#ifndef MACRO_PREDEF
+
 /* This module is compiled only when it is specifically requested in the
 build-time configuration. However, some compilers don't like compiling empty
 modules, so keep them happy with a dummy when skipping the rest. Make it
@@ -69,7 +78,7 @@
 if (!s)
   *result = NULL;
 else if (  !(*result = expand_string(US s)) /* need to clean up const more */
-	&& !expand_string_forcedfail
+	&& !f.expand_string_forcedfail
 	)
   {
   *errstr = US"Internal error";
@@ -355,6 +364,7 @@
 return FALSE;
 }
 #endif	/*SUPPORT_TLS*/
+#endif	/*!MACRO_PREDEF*/
 
 /* vi: aw ai sw=2
 */
diff -Nru exim4-4.91/src/tlscert-gnu.c exim4-4.92~RC4/src/tlscert-gnu.c
--- exim4-4.91/src/tlscert-gnu.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/tlscert-gnu.c	2018-12-27 13:36:19.000000000 +0000
@@ -113,7 +113,7 @@
   return string_sprintf("%u", (unsigned)t);
 
 cp = store_get(len);
-if (timestamps_utc)
+if (f.timestamps_utc)
   {
   uschar * tz = to_tz(US"GMT0");
   len = strftime(CS cp, len, "%b %e %T %Y %Z", gmtime(&t));
@@ -255,14 +255,14 @@
 int ret;
 
 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
-  oid, idx, CS cp1, &siz, &crit);
+  CS oid, idx, CS cp1, &siz, &crit);
 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
   return g_err("ge0", __FUNCTION__, ret);
 
 cp1 = store_get(siz*4 + 1);
 
 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
-  oid, idx, CS cp1, &siz, &crit);
+  CS oid, idx, CS cp1, &siz, &crit);
 if (ret < 0)
   return g_err("ge1", __FUNCTION__, ret);
 
diff -Nru exim4-4.91/src/tlscert-openssl.c exim4-4.92~RC4/src/tlscert-openssl.c
--- exim4-4.91/src/tlscert-openssl.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/tlscert-openssl.c	2018-12-27 13:36:19.000000000 +0000
@@ -156,7 +156,7 @@
 
     else
       {
-      if (!timestamps_utc)	/* decoded string in local TZ */
+      if (!f.timestamps_utc)	/* decoded string in local TZ */
 	{				/* shift to local TZ */
 	restore_tz(tz);
 	mod_tz = FALSE;
diff -Nru exim4-4.91/src/tls-gnu.c exim4-4.92~RC4/src/tls-gnu.c
--- exim4-4.91/src/tls-gnu.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/tls-gnu.c	2018-12-27 13:36:19.000000000 +0000
@@ -39,6 +39,7 @@
 #include <gnutls/x509.h>
 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
 #include <gnutls/crypto.h>
+
 /* needed to disable PKCS11 autoload unless requested */
 #if GNUTLS_VERSION_NUMBER >= 0x020c00
 # include <gnutls/pkcs11.h>
@@ -60,6 +61,9 @@
 #if GNUTLS_VERSION_NUMBER >= 0x030014
 # define SUPPORT_SYSDEFAULT_CABUNDLE
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030104
+# define GNUTLS_CERT_VFY_STATUS_PRINT
+#endif
 #if GNUTLS_VERSION_NUMBER >= 0x030109
 # define SUPPORT_CORK
 #endif
@@ -124,8 +128,8 @@
   BOOL			peer_dane_verified;
   BOOL			trigger_sni_changes;
   BOOL			have_set_peerdn;
-  const struct host_item *host;
-  gnutls_x509_crt_t 	peercert;
+  const struct host_item *host;		/* NULL if server */
+  gnutls_x509_crt_t	peercert;
   uschar		*peerdn;
   uschar		*ciphersuite;
   uschar		*received_sni;
@@ -213,7 +217,7 @@
 XXX But see gnutls_session_get_ptr()
 */
 
-static exim_gnutls_state_st state_server, state_client;
+static exim_gnutls_state_st state_server;
 
 /* dh_params are initialised once within the lifetime of a process using TLS;
 if we used TLS in a long-lived daemon, we'd have to reconsider this.  But we
@@ -262,7 +266,7 @@
 
 #define exim_gnutls_err_check(rc, Label) do { \
   if ((rc) != GNUTLS_E_SUCCESS) \
-    return tls_error((Label), gnutls_strerror(rc), host, errstr); \
+    return tls_error((Label), US gnutls_strerror(rc), host, errstr); \
   } while (0)
 
 #define expand_check_tlsvar(Varname, errstr) \
@@ -328,11 +332,11 @@
 */
 
 static int
-tls_error(const uschar *prefix, const char *msg, const host_item *host,
+tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
   uschar ** errstr)
 {
 if (errstr)
-  *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : "");
+  *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
 return host ? FAIL : DEFER;
 }
 
@@ -357,14 +361,14 @@
 static void
 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
 {
-const char * msg;
+const uschar * msg;
 uschar * errstr;
 
 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
-  msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
+  msg = string_sprintf("%s: %s", US gnutls_strerror(rc),
     US gnutls_alert_get_name(gnutls_alert_get(state->session)));
 else
-  msg = gnutls_strerror(rc);
+  msg = US gnutls_strerror(rc);
 
 (void) tls_error(when, msg, state->host, &errstr);
 
@@ -448,7 +452,8 @@
 #endif
 tls_support * tlsp = state->tlsp;
 
-tlsp->active = state->fd_out;
+tlsp->active.sock = state->fd_out;
+tlsp->active.tls_ctx = state;
 
 cipher = gnutls_cipher_get(state->session);
 /* returns size in "bytes" */
@@ -556,7 +561,7 @@
 else if (exp_tls_dhparam[0] != '/')
   {
   if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
-    return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr);
+    return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
   m.size = Ustrlen(m.data);
   }
 else
@@ -619,7 +624,7 @@
     {
     saved_errno = errno;
     (void)close(fd);
-    return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr);
+    return tls_error(US"TLS cache stat failed", US strerror(saved_errno), NULL, errstr);
     }
   if (!S_ISREG(statbuf.st_mode))
     {
@@ -631,21 +636,21 @@
     saved_errno = errno;
     (void)close(fd);
     return tls_error(US"fdopen(TLS cache stat fd) failed",
-        strerror(saved_errno), NULL, errstr);
+        US strerror(saved_errno), NULL, errstr);
     }
 
   m.size = statbuf.st_size;
   if (!(m.data = malloc(m.size)))
     {
     fclose(fp);
-    return tls_error(US"malloc failed", strerror(errno), NULL, errstr);
+    return tls_error(US"malloc failed", US strerror(errno), NULL, errstr);
     }
   if (!(sz = fread(m.data, m.size, 1, fp)))
     {
     saved_errno = errno;
     fclose(fp);
     free(m.data);
-    return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr);
+    return tls_error(US"fread failed", US strerror(saved_errno), NULL, errstr);
     }
   fclose(fp);
 
@@ -681,11 +686,11 @@
 
   if ((PATH_MAX - Ustrlen(filename)) < 10)
     return tls_error(US"Filename too long to generate replacement",
-        CS filename, NULL, errstr);
+        filename, NULL, errstr);
 
-  temp_fn = string_copy(US "%s.XXXXXXX");
+  temp_fn = string_copy(US"%s.XXXXXXX");
   if ((fd = mkstemp(CS temp_fn)) < 0)	/* modifies temp_fn */
-    return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr);
+    return tls_error(US"Unable to open temp file", US strerror(errno), NULL, errstr);
   (void)fchown(fd, exim_uid, exim_gid);   /* Probably not necessary */
 
   /* GnuTLS overshoots!
@@ -722,7 +727,7 @@
     exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3(NULL) sizing");
   m.size = sz;
   if (!(m.data = malloc(m.size)))
-    return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr);
+    return tls_error(US"memory allocation failed", US strerror(errno), NULL, errstr);
 
   /* this will return a size 1 less than the allocation size above */
   rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
@@ -738,19 +743,19 @@
     {
     free(m.data);
     return tls_error(US"TLS cache write D-H params failed",
-        strerror(errno), NULL, errstr);
+        US strerror(errno), NULL, errstr);
     }
   free(m.data);
   if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
     return tls_error(US"TLS cache write D-H params final newline failed",
-        strerror(errno), NULL, errstr);
+        US strerror(errno), NULL, errstr);
 
   if ((rc = close(fd)))
-    return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr);
+    return tls_error(US"TLS cache write close() failed", US strerror(errno), NULL, errstr);
 
   if (Urename(temp_fn, filename) < 0)
     return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
-          temp_fn, filename), strerror(errno), NULL, errstr);
+          temp_fn, filename), US strerror(errno), NULL, errstr);
 
   DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
   }
@@ -782,15 +787,18 @@
 where = US"generating pkey";
 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
 #ifdef SUPPORT_PARAM_TO_PK_BITS
-	    gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
+# ifndef GNUTLS_SEC_PARAM_MEDIUM
+#  define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
+# endif
+	    gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
 #else
-	    1024,
+	    2048,
 #endif
 	    0)))
   goto err;
 
 where = US"configuring cert";
-now = 0;
+now = 1;
 if (  (rc = gnutls_x509_crt_set_version(cert, 3))
    || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
    || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
@@ -823,7 +831,7 @@
   return rc;
 
 err:
-  rc = tls_error(where, gnutls_strerror(rc), NULL, errstr);
+  rc = tls_error(where, US gnutls_strerror(rc), NULL, errstr);
   goto out;
 }
 
@@ -846,7 +854,7 @@
 if (rc < 0)
   return tls_error(
     string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
-    gnutls_strerror(rc), host, errstr);
+    US gnutls_strerror(rc), host, errstr);
 return -rc;
 }
 
@@ -1262,6 +1270,7 @@
     const uschar *crl,
     const uschar *require_ciphers,
     exim_gnutls_state_st **caller_state,
+    tls_support * tlsp,
     uschar ** errstr)
 {
 exim_gnutls_state_st *state;
@@ -1295,7 +1304,7 @@
   DEBUG(D_tls)
     {
     gnutls_global_set_log_function(exim_gnutls_logger_cb);
-    /* arbitrarily chosen level; bump upto 9 for more */
+    /* arbitrarily chosen level; bump up to 9 for more */
     gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
     }
 #endif
@@ -1310,9 +1319,15 @@
 
 if (host)
   {
-  state = &state_client;
+  /* For client-side sessions we allocate a context. This lets us run
+  several in parallel. */
+  int old_pool = store_pool;
+  store_pool = POOL_PERM;
+  state = store_get(sizeof(exim_gnutls_state_st));
+  store_pool = old_pool;
+
   memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
-  state->tlsp = &tls_out;
+  state->tlsp = tlsp;
   DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
   rc = gnutls_init(&state->session, GNUTLS_CLIENT);
   }
@@ -1320,7 +1335,7 @@
   {
   state = &state_server;
   memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
-  state->tlsp = &tls_in;
+  state->tlsp = tlsp;
   DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
   rc = gnutls_init(&state->session, GNUTLS_SERVER);
   }
@@ -1510,14 +1525,14 @@
       cert_list, cert_list_size);
   if (state->verify_requirement >= VERIFY_REQUIRED)
     return tls_error(US"certificate verification failed",
-        "no certificate received from peer", state->host, errstr);
+        US"no certificate received from peer", state->host, errstr);
   return OK;
   }
 
 ct = gnutls_certificate_type_get(state->session);
 if (ct != GNUTLS_CRT_X509)
   {
-  const char *ctn = gnutls_certificate_type_get_name(ct);
+  const uschar *ctn = US gnutls_certificate_type_get_name(ct);
   DEBUG(D_tls)
     debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
   if (state->verify_requirement >= VERIFY_REQUIRED)
@@ -1533,7 +1548,7 @@
       DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
 	(Label), gnutls_strerror(rc)); \
       if (state->verify_requirement >= VERIFY_REQUIRED) \
-	return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \
+	return tls_error((Label), US gnutls_strerror(rc), state->host, errstr); \
       return OK; \
       } \
     } while (0)
@@ -1590,6 +1605,7 @@
 if (state->verify_requirement == VERIFY_NONE)
   return TRUE;
 
+DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
 *errstr = NULL;
 
 if ((rc = peer_status(state, errstr)) != OK)
@@ -1617,8 +1633,7 @@
 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
     /* Split the TLSA records into two sets, TA and EE selectors.  Run the
     dane-verification separately so that we know which selector verified;
-    then we know whether to do CA-chain-verification and name-verification
-    (needed for TA but not EE). */
+    then we know whether to do name-verification (needed for TA but not EE). */
 
     if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
       {						/* a mixed-usage bundle */
@@ -1700,20 +1715,31 @@
       *errstr = US str.data;	/* don't bother to free */
       goto badcert;
       }
-    state->peer_dane_verified = TRUE;
 
 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
     /* If a TA-mode TLSA record was used for verification we must additionally
-    verify the CA chain and the cert name.  For EE-mode, skip it. */
+    verify the cert name (but not the CA chain).  For EE-mode, skip it. */
 
     if (usage & (1 << DANESSL_USAGE_DANE_EE))
 # endif
       {
-      state->peer_cert_verified = TRUE;
+      state->peer_dane_verified = state->peer_cert_verified = TRUE;
       goto goodcert;
       }
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+    /* Assume that the name on the A-record is the one that should be matching
+    the cert.  An alternate view is that the domain part of the email address
+    is also permissible. */
+
+    if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
+	  CS state->host->name))
+      {
+      state->peer_dane_verified = state->peer_cert_verified = TRUE;
+      goto goodcert;
+      }
+# endif
     }
-#endif
+#endif	/*SUPPORT_DANE*/
 
   rc = gnutls_certificate_verify_peers2(state->session, &verify);
   }
@@ -1724,8 +1750,24 @@
   {
   state->peer_cert_verified = FALSE;
   if (!*errstr)
+    {
+#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
+    DEBUG(D_tls)
+      {
+      gnutls_datum_t txt;
+
+      if (gnutls_certificate_verification_status_print(verify,
+	    gnutls_certificate_type_get(state->session), &txt, 0)
+	  == GNUTLS_E_SUCCESS)
+	{
+	debug_printf("%s\n", txt.data);
+	gnutls_free(txt.data);
+	}
+      }
+#endif
     *errstr = verify & GNUTLS_CERT_REVOKED
       ? US"certificate revoked" : US"certificate invalid";
+    }
 
   DEBUG(D_tls)
     debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
@@ -1739,23 +1781,23 @@
 
 else
   {
-  if (state->exp_tls_verify_cert_hostnames)
+  /* Client side, check the server's certificate name versus the name on the
+  A-record for the connection we made.  What to do for server side - what name
+  to use for client?  We document that there is no such checking for server
+  side. */
+
+  if (  state->exp_tls_verify_cert_hostnames
+     && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
+		CS state->exp_tls_verify_cert_hostnames)
+     )
     {
-    int sep = 0;
-    const uschar * list = state->exp_tls_verify_cert_hostnames;
-    uschar * name;
-    while ((name = string_nextinlist(&list, &sep, NULL, 0)))
-      if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
-	break;
-    if (!name)
-      {
-      DEBUG(D_tls)
-	debug_printf("TLS certificate verification failed: cert name mismatch\n");
-      if (state->verify_requirement >= VERIFY_REQUIRED)
-	goto badcert;
-      return TRUE;
-      }
+    DEBUG(D_tls)
+      debug_printf("TLS certificate verification failed: cert name mismatch\n");
+    if (state->verify_requirement >= VERIFY_REQUIRED)
+      goto badcert;
+    return TRUE;
     }
+
   state->peer_cert_verified = TRUE;
   DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
       state->peerdn ? state->peerdn : US"<unset>");
@@ -1767,7 +1809,8 @@
 
 #ifdef SUPPORT_DANE
 tlsa_prob:
-  *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc));
+  *errstr = string_sprintf("TLSA record problem: %s",
+    rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
 #endif
 
 badcert:
@@ -1980,9 +2023,9 @@
 exim_gnutls_state_st * state = NULL;
 
 /* Check for previous activation */
-if (tls_in.active >= 0)
+if (tls_in.active.sock >= 0)
   {
-  tls_error(US"STARTTLS received after TLS started", "", NULL, errstr);
+  tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
   smtp_printf("554 Already in TLS\r\n", FALSE);
   return FAIL;
   }
@@ -1994,7 +2037,7 @@
 
 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
     NULL, tls_verify_certificates, tls_crl,
-    require_ciphers, &state, errstr)) != OK) return rc;
+    require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
 
 /* If this is a host for which certificate verification is mandatory or
 optional, set up appropriately. */
@@ -2049,7 +2092,10 @@
   }
 
 /* Now negotiate the TLS session. We put our own timer on it, since it seems
-that the GnuTLS library doesn't. */
+that the GnuTLS library doesn't.
+From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
+to set (and clear down afterwards) up a pull-timeout callback function that does
+a select, so we're no better off unless avoiding signals becomes an issue. */
 
 gnutls_transport_set_ptr2(state->session,
     (gnutls_transport_ptr_t)(long) fileno(smtp_in),
@@ -2058,11 +2104,11 @@
 state->fd_out = fileno(smtp_out);
 
 sigalrm_seen = FALSE;
-if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
 do
   rc = gnutls_handshake(state->session);
 while (rc == GNUTLS_E_AGAIN ||  rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
-alarm(0);
+ALARM_CLR(0);
 
 if (rc != GNUTLS_E_SUCCESS)
   {
@@ -2072,12 +2118,12 @@
 
   if (sigalrm_seen)
     {
-    tls_error(US"gnutls_handshake", "timed out", NULL, errstr);
+    tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
     gnutls_db_remove_session(state->session);
     }
   else
     {
-    tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr);
+    tls_error(US"gnutls_handshake", US gnutls_strerror(rc), NULL, errstr);
     (void) gnutls_alert_send_appropriate(state->session, rc);
     gnutls_deinit(state->session);
     gnutls_certificate_free_credentials(state->x509_cred);
@@ -2139,7 +2185,7 @@
 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
   smtp_transport_options_block * ob)
 {
-if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
+if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
   {
   state->exp_tls_verify_cert_hostnames =
 #ifdef SUPPORT_I18N
@@ -2184,7 +2230,7 @@
 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 0;
      rr;
      rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
-    ) if (rr->type == T_TLSA)
+    ) if (rr->type == T_TLSA && rr->size > 3)
   {
   const uschar * p = rr->data;
   uint8_t usage = p[0], sel = p[1], type = p[2];
@@ -2208,7 +2254,7 @@
     }
 
   tls_out.tlsa_usage |= 1<<usage;
-  dane_data[i] = p;
+  dane_data[i] = CS p;
   dane_data_len[i++] = rr->size;
   }
 
@@ -2233,7 +2279,7 @@
 
 Arguments:
   fd                the fd of the connection
-  host              connected host (for messages)
+  host              connected host (for messages and option-tests)
   addr              the first address (not used)
   tb                transport (always smtp)
   tlsa_dnsa	    non-NULL, either request or require dane for this host, and
@@ -2241,31 +2287,33 @@
 		    Which implies cert must be requested and supplied, dane
 		    verify must pass, and cert verify irrelevant (incl.
 		    hostnames), and (caller handled) require_tls
+  tlsp		    record details of channel configuration
   errstr	    error string pointer
 
-Returns:            OK/DEFER/FAIL (because using common functions),
-                    but for a client, DEFER and FAIL have the same meaning
+Returns:            Pointer to TLS session context, or NULL on error
 */
 
-int
+void *
 tls_client_start(int fd, host_item *host,
     address_item *addr ARG_UNUSED,
     transport_instance * tb,
 #ifdef SUPPORT_DANE
     dns_answer * tlsa_dnsa,
 #endif
-    uschar ** errstr)
+    tls_support * tlsp, uschar ** errstr)
 {
-smtp_transport_options_block *ob =
-  (smtp_transport_options_block *)tb->options_block;
+smtp_transport_options_block *ob = tb
+  ? (smtp_transport_options_block *)tb->options_block
+  : &smtp_transport_option_defaults;
 int rc;
 exim_gnutls_state_st * state = NULL;
 uschar *cipher_list = NULL;
+
 #ifndef DISABLE_OCSP
 BOOL require_ocsp =
-  verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
+  verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
 BOOL request_ocsp = require_ocsp ? TRUE
-  : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
+  : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
 #endif
 
 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
@@ -2276,7 +2324,7 @@
   /* not using expand_check_tlsvar because not yet in state */
   if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
       &cipher_list, errstr))
-    return DEFER;
+    return NULL;
   cipher_list = cipher_list && *cipher_list
     ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
   }
@@ -2285,10 +2333,10 @@
 if (!cipher_list)
   cipher_list = ob->tls_require_ciphers;
 
-if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
+if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
     ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
-    cipher_list, &state, errstr)) != OK)
-  return rc;
+    cipher_list, &state, tlsp, errstr) != OK)
+  return NULL;
 
   {
   int dh_min_bits = ob->tls_dh_min_bits;
@@ -2325,7 +2373,7 @@
 	  && !ob->tls_verify_hosts
 	  && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
 	  )
-	|| verify_check_given_host(&ob->tls_verify_hosts, host) == OK
+	|| verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
        )
   {
   tls_client_setup_hostname_checks(host, state, ob);
@@ -2334,7 +2382,7 @@
   state->verify_requirement = VERIFY_REQUIRED;
   gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
   }
-else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
+else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
   {
   tls_client_setup_hostname_checks(host, state, ob);
   DEBUG(D_tls)
@@ -2357,14 +2405,16 @@
   DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
   if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
 		    NULL, 0, NULL)) != OK)
-    return tls_error(US"cert-status-req",
-		    gnutls_strerror(rc), state->host, errstr);
-  tls_out.ocsp = OCSP_NOT_RESP;
+    {
+    tls_error(US"cert-status-req", US gnutls_strerror(rc), state->host, errstr);
+    return NULL;
+    }
+  tlsp->ocsp = OCSP_NOT_RESP;
   }
 #endif
 
 #ifndef DISABLE_EVENT
-if (tb->event_action)
+if (tb && tb->event_action)
   {
   state->event_action = tb->event_action;
   gnutls_session_set_ptr(state->session, state);
@@ -2380,27 +2430,33 @@
 /* There doesn't seem to be a built-in timeout on connection. */
 
 sigalrm_seen = FALSE;
-alarm(ob->command_timeout);
+ALARM(ob->command_timeout);
 do
   rc = gnutls_handshake(state->session);
 while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
-alarm(0);
+ALARM_CLR(0);
 
 if (rc != GNUTLS_E_SUCCESS)
+  {
   if (sigalrm_seen)
     {
     gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
-    return tls_error(US"gnutls_handshake", "timed out", state->host, errstr);
+    tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
     }
   else
-    return tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr);
+    tls_error(US"gnutls_handshake", US gnutls_strerror(rc), state->host, errstr);
+  return NULL;
+  }
 
 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
 
 /* Verify late */
 
 if (!verify_certificate(state, errstr))
-  return tls_error(US"certificate verification failed", *errstr, state->host, errstr);
+  {
+  tls_error(US"certificate verification failed", *errstr, state->host, errstr);
+  return NULL;
+  }
 
 #ifndef DISABLE_OCSP
 if (require_ocsp)
@@ -2420,29 +2476,30 @@
       gnutls_free(printed.data);
       }
     else
-      (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr);
+      (void) tls_error(US"ocsp decode", US gnutls_strerror(rc), state->host, errstr);
     }
 
   if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
     {
-    tls_out.ocsp = OCSP_FAILED;
-    return tls_error(US"certificate status check failed", NULL, state->host, errstr);
+    tlsp->ocsp = OCSP_FAILED;
+    tls_error(US"certificate status check failed", NULL, state->host, errstr);
+    return NULL;
     }
   DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
-  tls_out.ocsp = OCSP_VFIED;
+  tlsp->ocsp = OCSP_VFIED;
   }
 #endif
 
 /* Figure out peer DN, and if authenticated, etc. */
 
-if ((rc = peer_status(state, errstr)) != OK)
-  return rc;
+if (peer_status(state, errstr) != OK)
+  return NULL;
 
 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
 
 extract_exim_vars_from_tls_state(state);
 
-return OK;
+return state;
 }
 
 
@@ -2457,42 +2514,38 @@
 would tamper with the TLS session in the parent process).
 
 Arguments:
+  ct_ctx	client context pointer, or NULL for the one global server context
   shutdown	1 if TLS close-alert is to be sent,
- 		2 if also response to be waited for
+		2 if also response to be waited for
 
 Returns:     nothing
 */
 
 void
-tls_close(BOOL is_server, int shutdown)
+tls_close(void * ct_ctx, int shutdown)
 {
-exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
 
-if (!state->tlsp || state->tlsp->active < 0) return;  /* TLS was not active */
+if (!state->tlsp || state->tlsp->active.sock < 0) return;  /* TLS was not active */
 
 if (shutdown)
   {
   DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
     shutdown > 1 ? " (with response-wait)" : "");
 
-  alarm(2);
+  ALARM(2);
   gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
-  alarm(0);
+  ALARM_CLR(0);
   }
 
 gnutls_deinit(state->session);
 gnutls_certificate_free_credentials(state->x509_cred);
 
 
-state->tlsp->active = -1;
+state->tlsp->active.sock = -1;
+state->tlsp->active.tls_ctx = NULL;
 if (state->xfer_buffer) store_free(state->xfer_buffer);
 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
-
-if (!state_server.session && !state_client.session)
-  {
-  gnutls_global_deinit();
-  exim_gnutls_base_init_done = FALSE;
-  }
 }
 
 
@@ -2508,15 +2561,27 @@
   state->session, state->xfer_buffer, ssl_xfer_buffer_size);
 
 sigalrm_seen = FALSE;
-if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
-inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
-  MIN(ssl_xfer_buffer_size, lim));
-alarm(0);
-
-/* Timeouts do not get this far; see command_timeout_handler().
-   A zero-byte return appears to mean that the TLS session has been
-   closed down, not that the socket itself has been closed down. Revert to
-   non-TLS handling. */
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
+
+do
+  inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
+    MIN(ssl_xfer_buffer_size, lim));
+while (inbytes == GNUTLS_E_AGAIN);
+
+if (smtp_receive_timeout > 0) ALARM_CLR(0);
+
+if (had_command_timeout)		/* set by signal handler */
+  smtp_command_timeout_exit();		/* does not return */
+if (had_command_sigterm)
+  smtp_command_sigterm_exit();
+if (had_data_timeout)
+  smtp_data_timeout_exit();
+if (had_data_sigint)
+  smtp_data_sigint_exit();
+
+/* Timeouts do not get this far.  A zero-byte return appears to mean that the
+TLS session has been closed down, not that the socket itself has been closed
+down. Revert to non-TLS handling. */
 
 if (sigalrm_seen)
   {
@@ -2541,7 +2606,8 @@
   gnutls_certificate_free_credentials(state->x509_cred);
 
   state->session = NULL;
-  state->tlsp->active = -1;
+  state->tlsp->active.sock = -1;
+  state->tlsp->active.tls_ctx = NULL;
   state->tlsp->bits = 0;
   state->tlsp->certificate_verified = FALSE;
   tls_channelbinding_b64 = NULL;
@@ -2556,6 +2622,7 @@
 
 else if (inbytes < 0)
   {
+  DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv(\n", __FUNCTION__);
   record_io_error(state, (int) inbytes, US"recv", NULL);
   state->xfer_error = TRUE;
   return FALSE;
@@ -2578,7 +2645,7 @@
 
 This feeds DKIM and should be used for all message-body reads.
 
-Arguments:  lim		Maximum amount to read/bufffer
+Arguments:  lim		Maximum amount to read/buffer
 Returns:    the next character or EOF
 */
 
@@ -2650,17 +2717,18 @@
 then the caller must feed DKIM.
 
 Arguments:
+  ct_ctx    client context pointer, or NULL for the one global server context
   buff      buffer of data
   len       size of buffer
 
 Returns:    the number of bytes read
-            -1 after a failed read
+            -1 after a failed read, including EOF
 */
 
 int
-tls_read(BOOL is_server, uschar *buff, size_t len)
+tls_read(void * ct_ctx, uschar *buff, size_t len)
 {
-exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
 ssize_t inbytes;
 
 if (len > INT_MAX)
@@ -2676,13 +2744,20 @@
   debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
       state->session, buff, len);
 
-inbytes = gnutls_record_recv(state->session, buff, len);
+do
+  inbytes = gnutls_record_recv(state->session, buff, len);
+while (inbytes == GNUTLS_E_AGAIN);
+
 if (inbytes > 0) return inbytes;
 if (inbytes == 0)
   {
   DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
   }
-else record_io_error(state, (int)inbytes, US"recv", NULL);
+else
+  {
+  DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv(\n", __FUNCTION__);
+  record_io_error(state, (int)inbytes, US"recv", NULL);
+  }
 
 return -1;
 }
@@ -2696,7 +2771,7 @@
 
 /*
 Arguments:
-  is_server channel specifier
+  ct_ctx    client context pointer, or NULL for the one global server context
   buff      buffer of data
   len       number of bytes
   more	    more data expected soon
@@ -2706,11 +2781,11 @@
 */
 
 int
-tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
+tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
 {
 ssize_t outbytes;
 size_t left = len;
-exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
 #ifdef SUPPORT_CORK
 static BOOL corked = FALSE;
 
@@ -2724,11 +2799,15 @@
   {
   DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
       buff, left);
-  outbytes = gnutls_record_send(state->session, buff, left);
+
+  do
+    outbytes = gnutls_record_send(state->session, buff, left);
+  while (outbytes == GNUTLS_E_AGAIN);
 
   DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
   if (outbytes < 0)
     {
+    DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
     record_io_error(state, outbytes, US"send", NULL);
     return -1;
     }
diff -Nru exim4-4.91/src/tls-openssl.c exim4-4.92~RC4/src/tls-openssl.c
--- exim4-4.91/src/tls-openssl.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/tls-openssl.c	2018-12-27 13:36:19.000000000 +0000
@@ -51,7 +51,7 @@
 # define EXIM_HAVE_RAND_PSEUDO
 #endif
 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
-# define EXIM_HAVE_SHA256	/*MMMM*/
+# define EXIM_HAVE_SHA256
 #endif
 
 /*
@@ -70,6 +70,9 @@
 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
 #  define EXIM_HAVE_OPENSSL_CHECKHOST
 #  define EXIM_HAVE_OPENSSL_DH_BITS
+#  define EXIM_HAVE_OPENSSL_TLS_METHOD
+# else
+#  define EXIM_NEED_OPENSSL_INIT
 # endif
 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
     && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
@@ -81,7 +84,7 @@
     || LIBRESSL_VERSION_NUMBER >= 0x20010000L
 # if !defined(OPENSSL_NO_ECDH)
 #  if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-#   define EXIM_HAVE_ECDH	/*MMMM*/
+#   define EXIM_HAVE_ECDH
 #  endif
 #  if OPENSSL_VERSION_NUMBER >= 0x10002000L
 #   define EXIM_HAVE_OPENSSL_EC_NIST2NID
@@ -98,6 +101,142 @@
 # include <openssl/x509v3.h>
 #endif
 
+/*************************************************
+*        OpenSSL option parse                    *
+*************************************************/
+
+typedef struct exim_openssl_option {
+  uschar *name;
+  long    value;
+} exim_openssl_option;
+/* We could use a macro to expand, but we need the ifdef and not all the
+options document which version they were introduced in.  Policylet: include
+all options unless explicitly for DTLS, let the administrator choose which
+to apply.
+
+This list is current as of:
+  ==>  1.0.1b  <==
+Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
+Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
+*/
+static exim_openssl_option exim_openssl_options[] = {
+/* KEEP SORTED ALPHABETICALLY! */
+#ifdef SSL_OP_ALL
+  { US"all", SSL_OP_ALL },
+#endif
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+  { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
+#endif
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+  { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
+#endif
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+  { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
+#endif
+#ifdef SSL_OP_EPHEMERAL_RSA
+  { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
+#endif
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+  { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
+#endif
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+  { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
+#endif
+#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
+  { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
+#endif
+#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
+  { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
+#endif
+#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
+  { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
+#endif
+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+  { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
+#endif
+#ifdef SSL_OP_NO_COMPRESSION
+  { US"no_compression", SSL_OP_NO_COMPRESSION },
+#endif
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+  { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
+#endif
+#ifdef SSL_OP_NO_SSLv2
+  { US"no_sslv2", SSL_OP_NO_SSLv2 },
+#endif
+#ifdef SSL_OP_NO_SSLv3
+  { US"no_sslv3", SSL_OP_NO_SSLv3 },
+#endif
+#ifdef SSL_OP_NO_TICKET
+  { US"no_ticket", SSL_OP_NO_TICKET },
+#endif
+#ifdef SSL_OP_NO_TLSv1
+  { US"no_tlsv1", SSL_OP_NO_TLSv1 },
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+#if SSL_OP_NO_TLSv1_1 == 0x00000400L
+  /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
+#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
+#else
+  { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
+#endif
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+  { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
+#endif
+#ifdef SSL_OP_NO_TLSv1_3
+  { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
+#endif
+#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+  { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
+#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+  { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
+#endif
+#ifdef SSL_OP_SINGLE_ECDH_USE
+  { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
+#endif
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+  { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
+#endif
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+  { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
+#endif
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
+  { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
+#endif
+#ifdef SSL_OP_TLS_D5_BUG
+  { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
+#endif
+#ifdef SSL_OP_TLS_ROLLBACK_BUG
+  { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
+#endif
+};
+
+#ifndef MACRO_PREDEF
+static int exim_openssl_options_size = nelem(exim_openssl_options);
+#endif
+
+#ifdef MACRO_PREDEF
+void
+options_tls(void)
+{
+struct exim_openssl_option * o;
+uschar buf[64];
+
+for (o = exim_openssl_options;
+     o < exim_openssl_options + nelem(exim_openssl_options); o++)
+  {
+  /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
+  being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
+
+  spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
+  builtin_macro_create(buf);
+  }
+}
+#else
+
+/******************************************************************************/
+
 /* Structure for collecting random data for seeding. */
 
 typedef struct randstuff {
@@ -116,7 +255,9 @@
 Simple case: client, `client_ctx`
  As a client, we can be doing a callout or cut-through delivery while receiving
  a message.  So we have a client context, which should have options initialised
- from the SMTP Transport.
+ from the SMTP Transport.  We may also concurrently want to make TLS connections
+ to utility daemons, so client-contexts are allocated and passed around in call
+ args rather than using a gobal.
 
 Server:
  There are two cases: with and without ServerNameIndication from the client.
@@ -130,9 +271,12 @@
  configuration.
 */
 
-static SSL_CTX *client_ctx = NULL;
+typedef struct {
+  SSL_CTX *	ctx;
+  SSL *		ssl;
+} exim_openssl_client_tls_ctx;
+
 static SSL_CTX *server_ctx = NULL;
-static SSL     *client_ssl = NULL;
 static SSL     *server_ssl = NULL;
 
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
@@ -222,11 +366,13 @@
 {
 if (!msg)
   {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
   msg = US ssl_errstring;
   }
 
-if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
+msg = string_sprintf("(%s): %s", prefix, msg);
+DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
+if (errstr) *errstr = msg;
 return host ? FAIL : DEFER;
 }
 
@@ -266,7 +412,7 @@
 #endif
 
   {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
   log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
     ssl_errstring);
   return NULL;
@@ -290,10 +436,12 @@
   X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
   if(tmp_obj->type == X509_LU_X509)
     {
-    X509 * current_cert= tmp_obj->data.x509;
-    X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
-	name[sizeof(name)-1] = '\0';
-    debug_printf(" %s\n", name);
+    X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
+    if (X509_NAME_oneline(sn, CS name, sizeof(name)))
+      {
+      name[sizeof(name)-1] = '\0';
+      debug_printf(" %s\n", name);
+      }
     }
   }
 }
@@ -374,14 +522,20 @@
 */
 
 static int
-verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
-  tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
+verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
+  tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
 {
 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
 uschar dn[256];
 
-X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
+if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
+  {
+  DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
+  log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
+    tlsp == &tls_out ? deliver_host_address : sender_host_address);
+  return 0;
+  }
 dn[sizeof(dn)-1] = '\0';
 
 if (preverify_ok == 0)
@@ -430,7 +584,7 @@
 
   if (  tlsp == &tls_out
      && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
-     	/* client, wanting hostname check */
+	/* client, wanting hostname check */
     {
 
 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
@@ -527,7 +681,13 @@
 BOOL dummy_called, optional = FALSE;
 #endif
 
-X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
+if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
+  {
+  DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
+  log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
+    deliver_host_address);
+  return 0;
+  }
 dn[sizeof(dn)-1] = '\0';
 
 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
@@ -588,9 +748,33 @@
 static void
 info_callback(SSL *s, int where, int ret)
 {
-where = where;
-ret = ret;
-DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
+DEBUG(D_tls)
+  {
+  const uschar * str;
+
+  if (where & SSL_ST_CONNECT)
+     str = US"SSL_connect";
+  else if (where & SSL_ST_ACCEPT)
+     str = US"SSL_accept";
+  else
+     str = US"SSL info (undefined)";
+
+  if (where & SSL_CB_LOOP)
+     debug_printf("%s: %s\n", str, SSL_state_string_long(s));
+  else if (where & SSL_CB_ALERT)
+    debug_printf("SSL3 alert %s:%s:%s\n",
+	  str = where & SSL_CB_READ ? US"read" : US"write",
+	  SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
+  else if (where & SSL_CB_EXIT)
+     if (ret == 0)
+	debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
+     else if (ret < 0)
+	debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
+  else if (where & SSL_CB_HANDSHAKE_START)
+     debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
+  else if (where & SSL_CB_HANDSHAKE_DONE)
+     debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
+  }
 }
 
 
@@ -913,7 +1097,7 @@
   {
   DEBUG(D_tls)
     {
-    ERR_error_string(ERR_get_error(), ssl_errstring);
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
     debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
     }
   goto bad;
@@ -954,7 +1138,7 @@
 return;
 
 bad:
-  if (running_in_test_harness)
+  if (f.running_in_test_harness)
     {
     extern char ** environ;
     uschar ** p;
@@ -992,7 +1176,7 @@
   goto err;
 
 where = US"generating pkey";
-if (!(rsa = rsa_callback(NULL, 0, 1024)))
+if (!(rsa = rsa_callback(NULL, 0, 2048)))
   goto err;
 
 where = US"assigning pkey";
@@ -1000,7 +1184,7 @@
   goto err;
 
 X509_set_version(x509, 2);				/* N+1 - version 3 */
-ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
+ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
 X509_gmtime_adj(X509_get_notBefore(x509), 0);
 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60);	/* 1 hour */
 X509_set_pubkey(x509, pkey);
@@ -1088,7 +1272,7 @@
   {
   if (!cbinfo->is_server)		/* client */
     return OK;
-  					/* server */
+					/* server */
   if (tls_install_selfsign(sctx, errstr) != OK)
     return DEFER;
   }
@@ -1120,8 +1304,8 @@
       if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
 	return err;
 
-  if (cbinfo->privatekey != NULL &&
-      !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
+  if (  cbinfo->privatekey
+     && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
     return DEFER;
 
   /* If expansion was forced to fail, key_expanded will be NULL. If the result
@@ -1216,11 +1400,15 @@
 not confident that memcpy wouldn't break some internal reference counting.
 Especially since there's a references struct member, which would be off. */
 
+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(server_sni = SSL_CTX_new(TLS_server_method())))
+#else
 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
+#endif
   {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
   DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
-  return SSL_TLSEXT_ERR_NOACK;
+  goto bad;
   }
 
 /* Not sure how many of these are actually needed, since SSL object
@@ -1236,10 +1424,12 @@
 if (  !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
    || !init_ecdh(server_sni, NULL, &dummy_errstr)
    )
-  return SSL_TLSEXT_ERR_NOACK;
+  goto bad;
+
+if (  cbinfo->server_cipher_list
+   && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
+  goto bad;
 
-if (cbinfo->server_cipher_list)
-  SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
 #ifndef DISABLE_OCSP
 if (cbinfo->u_ocsp.server.file)
   {
@@ -1250,17 +1440,18 @@
 
 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
 		      verify_callback_server, &dummy_errstr)) != OK)
-  return SSL_TLSEXT_ERR_NOACK;
+  goto bad;
 
 /* do this after setup_certs, because this can require the certs for verifying
 OCSP information. */
 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
-  return SSL_TLSEXT_ERR_NOACK;
+  goto bad;
 
 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
 SSL_set_SSL_CTX(s, server_sni);
-
 return SSL_TLSEXT_ERR_OK;
+
+bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
 }
 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
 
@@ -1528,8 +1719,10 @@
 cbinfo->event_action = NULL;
 #endif
 
+#ifdef EXIM_NEED_OPENSSL_INIT
 SSL_load_error_strings();          /* basic set up */
 OpenSSL_add_ssl_algorithms();
+#endif
 
 #ifdef EXIM_HAVE_SHA256
 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
@@ -1545,7 +1738,11 @@
 By disabling with openssl_options, we can let admins re-enable with the
 existing knob. */
 
+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
+#else
 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
+#endif
   return tls_error(US"SSL_CTX_new", host, NULL, errstr);
 
 /* It turns out that we need to seed the random number generator this early in
@@ -1635,7 +1832,7 @@
     }
 # endif
 
-if (host == NULL)		/* server */
+if (!host)		/* server */
   {
 # ifndef DISABLE_OCSP
   /* We check u_ocsp.server.file, not server.response, because we care about if
@@ -1704,15 +1901,13 @@
 static void
 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
 {
-/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
+/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
 yet reflect that.  It should be a safe change anyway, even 0.9.8 versions have
 the accessor functions use const in the prototype. */
-const SSL_CIPHER *c;
-const uschar *ver;
 
-ver = (const uschar *)SSL_get_version(ssl);
+const uschar * ver = CUS SSL_get_version(ssl);
+const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
 
-c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
 SSL_CIPHER_get_bits(c, bits);
 
 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
@@ -1723,25 +1918,27 @@
 
 
 static void
-peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
+peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
 {
 /*XXX we might consider a list-of-certs variable for the cert chain.
 SSL_get_peer_cert_chain(SSL*).  We'd need a new variable type and support
 in list-handling functions, also consider the difference between the entire
 chain and the elements sent by the peer. */
 
+tlsp->peerdn = NULL;
+
 /* Will have already noted peercert on a verify fail; possibly not the leaf */
 if (!tlsp->peercert)
   tlsp->peercert = SSL_get_peer_certificate(ssl);
 /* Beware anonymous ciphers which lead to server_cert being NULL */
 if (tlsp->peercert)
-  {
-  X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
-  peerdn[bsize-1] = '\0';
-  tlsp->peerdn = peerdn;		/*XXX a static buffer... */
-  }
-else
-  tlsp->peerdn = NULL;
+  if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
+    { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
+  else
+    {
+    peerdn[siz-1] = '\0';
+    tlsp->peerdn = peerdn;		/*XXX a static buffer... */
+    }
 }
 
 
@@ -1752,6 +1949,7 @@
 *        Set up for verifying certificates       *
 *************************************************/
 
+#ifndef DISABLE_OCSP
 /* Load certs from file, return TRUE on success */
 
 static BOOL
@@ -1769,6 +1967,7 @@
 BIO_free(bp);
 return TRUE;
 }
+#endif
 
 
 
@@ -1928,7 +2127,7 @@
   /* If verification is optional, don't fail if no certificate */
 
   SSL_CTX_set_verify(sctx,
-    SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
+    SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
     cert_vfy_cb);
   }
 
@@ -1966,7 +2165,7 @@
 
 /* Check for previous activation */
 
-if (tls_in.active >= 0)
+if (tls_in.active.sock >= 0)
   {
   tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
   smtp_printf("554 Already in TLS\r\n", FALSE);
@@ -1990,6 +2189,10 @@
 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
 were historically separated by underscores. So that I can use either form in my
 tests, and also for general convenience, we turn underscores into hyphens here.
+
+XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
+for TLS 1.3 .  Since we do not call it at present we get the default list:
+TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
 */
 
 if (expciphers)
@@ -2014,14 +2217,14 @@
 if (verify_check_host(&tls_verify_hosts) == OK)
   {
   rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
-  			FALSE, verify_callback_server, errstr);
+			FALSE, verify_callback_server, errstr);
   if (rc != OK) return rc;
   server_verify_optional = FALSE;
   }
 else if (verify_check_host(&tls_try_verify_hosts) == OK)
   {
   rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
-  			TRUE, verify_callback_server, errstr);
+			TRUE, verify_callback_server, errstr);
   if (rc != OK) return rc;
   server_verify_optional = TRUE;
   }
@@ -2067,9 +2270,9 @@
 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
 
 sigalrm_seen = FALSE;
-if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
 rc = SSL_accept(server_ssl);
-alarm(0);
+ALARM_CLR(0);
 
 if (rc <= 0)
   {
@@ -2078,6 +2281,8 @@
   }
 
 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
+ERR_clear_error();	/* Even success can leave errors in the stack. Seen with
+			anon-authentication ciphersuite negociated. */
 
 /* TLS has been set up. Adjust the input functions to read via TLS,
 and initialize things. */
@@ -2117,7 +2322,8 @@
 receive_ferror = tls_ferror;
 receive_smtp_buffered = tls_smtp_buffered;
 
-tls_in.active = fileno(smtp_out);
+tls_in.active.sock = fileno(smtp_out);
+tls_in.active.tls_ctx = NULL;	/* not using explicit ctx for server-side */
 return OK;
 }
 
@@ -2137,10 +2343,10 @@
 if (  (  !ob->tls_verify_hosts
       && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
       )
-   || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
+   || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
    )
   client_verify_optional = FALSE;
-else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
+else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
   client_verify_optional = TRUE;
 else
   return OK;
@@ -2150,7 +2356,7 @@
       errstr)) != OK)
   return rc;
 
-if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
+if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
   {
   cbinfo->verify_cert_hostnames =
 #ifdef SUPPORT_I18N
@@ -2180,7 +2386,7 @@
 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
      rr;
      rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
-    ) if (rr->type == T_TLSA)
+    ) if (rr->type == T_TLSA && rr->size > 3)
   {
   const uschar * p = rr->data;
   uint8_t usage, selector, mtype;
@@ -2232,27 +2438,28 @@
 
 Argument:
   fd               the fd of the connection
-  host             connected host (for messages)
-  addr             the first address
+  host             connected host (for messages and option-tests)
+  addr             the first address (for some randomness; can be NULL)
   tb               transport (always smtp)
   tlsa_dnsa        tlsa lookup, if DANE, else null
+  tlsp		   record details of channel configuration here; must be non-NULL
   errstr	   error string pointer
 
-Returns:           OK on success
-                   FAIL otherwise - note that tls_error() will not give DEFER
-                     because this is not a server
+Returns:           Pointer to TLS session context, or NULL on error
 */
 
-int
+void *
 tls_client_start(int fd, host_item *host, address_item *addr,
   transport_instance * tb,
 #ifdef SUPPORT_DANE
   dns_answer * tlsa_dnsa,
 #endif
-  uschar ** errstr)
+  tls_support * tlsp, uschar ** errstr)
 {
-smtp_transport_options_block * ob =
-  (smtp_transport_options_block *)tb->options_block;
+smtp_transport_options_block * ob = tb
+  ? (smtp_transport_options_block *)tb->options_block
+  : &smtp_transport_option_defaults;
+exim_openssl_client_tls_ctx * exim_client_ctx;
 static uschar peerdn[256];
 uschar * expciphers;
 int rc;
@@ -2263,8 +2470,13 @@
 BOOL require_ocsp = FALSE;
 #endif
 
+rc = store_pool;
+store_pool = POOL_PERM;
+exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
+store_pool = rc;
+
 #ifdef SUPPORT_DANE
-tls_out.tlsa_usage = 0;
+tlsp->tlsa_usage = 0;
 #endif
 
 #ifndef DISABLE_OCSP
@@ -2284,26 +2496,26 @@
 # endif
 
   if ((require_ocsp =
-	verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
+	verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
     request_ocsp = TRUE;
   else
 # ifdef SUPPORT_DANE
     if (!request_ocsp)
 # endif
       request_ocsp =
-	verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
+	verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
   }
 #endif
 
-rc = tls_init(&client_ctx, host, NULL,
+rc = tls_init(&exim_client_ctx->ctx, host, NULL,
     ob->tls_certificate, ob->tls_privatekey,
 #ifndef DISABLE_OCSP
     (void *)(long)request_ocsp,
 #endif
     addr, &client_static_cbinfo, errstr);
-if (rc != OK) return rc;
+if (rc != OK) return NULL;
 
-tls_out.certificate_verified = FALSE;
+tlsp->certificate_verified = FALSE;
 client_verify_callback_called = FALSE;
 
 expciphers = NULL;
@@ -2315,7 +2527,7 @@
   if (ob->dane_require_tls_ciphers &&
       !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
         &expciphers, errstr))
-    return FAIL;
+    return NULL;
   if (expciphers && *expciphers == '\0')
     expciphers = NULL;
   }
@@ -2323,7 +2535,7 @@
 if (!expciphers &&
     !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
       &expciphers, errstr))
-  return FAIL;
+  return NULL;
 
 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
 are separated by underscores. So that I can use either form in my tests, and
@@ -2334,62 +2546,74 @@
   uschar *s = expciphers;
   while (*s) { if (*s == '_') *s = '-'; s++; }
   DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
-  if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
-    return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
+  if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
+    {
+    tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
+    return NULL;
+    }
   }
 
 #ifdef SUPPORT_DANE
 if (tlsa_dnsa)
   {
-  SSL_CTX_set_verify(client_ctx,
+  SSL_CTX_set_verify(exim_client_ctx->ctx,
     SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
     verify_callback_client_dane);
 
   if (!DANESSL_library_init())
-    return tls_error(US"library init", host, NULL, errstr);
-  if (DANESSL_CTX_init(client_ctx) <= 0)
-    return tls_error(US"context init", host, NULL, errstr);
+    {
+    tls_error(US"library init", host, NULL, errstr);
+    return NULL;
+    }
+  if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
+    {
+    tls_error(US"context init", host, NULL, errstr);
+    return NULL;
+    }
   }
 else
 
 #endif
 
-  if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
-      client_static_cbinfo, errstr)) != OK)
-    return rc;
-
-if ((client_ssl = SSL_new(client_ctx)) == NULL)
-  return tls_error(US"SSL_new", host, NULL, errstr);
-SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
-SSL_set_fd(client_ssl, fd);
-SSL_set_connect_state(client_ssl);
+  if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
+	client_static_cbinfo, errstr) != OK)
+    return NULL;
+
+if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
+  {
+  tls_error(US"SSL_new", host, NULL, errstr);
+  return NULL;
+  }
+SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
+SSL_set_fd(exim_client_ctx->ssl, fd);
+SSL_set_connect_state(exim_client_ctx->ssl);
 
 if (ob->tls_sni)
   {
-  if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
-    return FAIL;
-  if (!tls_out.sni)
+  if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
+    return NULL;
+  if (!tlsp->sni)
     {
     DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
     }
-  else if (!Ustrlen(tls_out.sni))
-    tls_out.sni = NULL;
+  else if (!Ustrlen(tlsp->sni))
+    tlsp->sni = NULL;
   else
     {
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
-    DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
-    SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
+    DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
+    SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
 #else
     log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
-          tls_out.sni);
+          tlsp->sni);
 #endif
     }
   }
 
 #ifdef SUPPORT_DANE
 if (tlsa_dnsa)
-  if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
-    return rc;
+  if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
+    return NULL;
 #endif
 
 #ifndef DISABLE_OCSP
@@ -2405,57 +2629,60 @@
     {	/* Re-eval now $tls_out_tlsa_usage is populated.  If
     	this means we avoid the OCSP request, we wasted the setup
 	cost in tls_init(). */
-    require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
+    require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
     request_ocsp = require_ocsp
-      || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
+      || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
     }
   }
 # endif
 
 if (request_ocsp)
   {
-  SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
+  SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
   client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
-  tls_out.ocsp = OCSP_NOT_RESP;
+  tlsp->ocsp = OCSP_NOT_RESP;
   }
 #endif
 
 #ifndef DISABLE_EVENT
-client_static_cbinfo->event_action = tb->event_action;
+client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
 #endif
 
 /* There doesn't seem to be a built-in timeout on connection. */
 
 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
 sigalrm_seen = FALSE;
-alarm(ob->command_timeout);
-rc = SSL_connect(client_ssl);
-alarm(0);
+ALARM(ob->command_timeout);
+rc = SSL_connect(exim_client_ctx->ssl);
+ALARM_CLR(0);
 
 #ifdef SUPPORT_DANE
 if (tlsa_dnsa)
-  DANESSL_cleanup(client_ssl);
+  DANESSL_cleanup(exim_client_ctx->ssl);
 #endif
 
 if (rc <= 0)
-  return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
-    errstr);
+  {
+  tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
+  return NULL;
+  }
 
 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
 
-peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
+peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
 
-construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
-tls_out.cipher = cipherbuf;
+construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
+tlsp->cipher = cipherbuf;
 
 /* Record the certificate we presented */
   {
-  X509 * crt = SSL_get_certificate(client_ssl);
-  tls_out.ourcert = crt ? X509_dup(crt) : NULL;
+  X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
+  tlsp->ourcert = crt ? X509_dup(crt) : NULL;
   }
 
-tls_out.active = fd;
-return OK;
+tlsp->active.sock = fd;
+tlsp->active.tls_ctx = exim_client_ctx;
+return exim_client_ctx;
 }
 
 
@@ -2471,61 +2698,74 @@
 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
   ssl_xfer_buffer, ssl_xfer_buffer_size);
 
-if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
 		  MIN(ssl_xfer_buffer_size, lim));
 error = SSL_get_error(server_ssl, inbytes);
-alarm(0);
+if (smtp_receive_timeout > 0) ALARM_CLR(0);
+
+if (had_command_timeout)		/* set by signal handler */
+  smtp_command_timeout_exit();		/* does not return */
+if (had_command_sigterm)
+  smtp_command_sigterm_exit();
+if (had_data_timeout)
+  smtp_data_timeout_exit();
+if (had_data_sigint)
+  smtp_data_sigint_exit();
 
 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
 closed down, not that the socket itself has been closed down. Revert to
 non-SSL handling. */
 
-if (error == SSL_ERROR_ZERO_RETURN)
+switch(error)
   {
-  DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
+  case SSL_ERROR_NONE:
+    break;
 
-  receive_getc = smtp_getc;
-  receive_getbuf = smtp_getbuf;
-  receive_get_cache = smtp_get_cache;
-  receive_ungetc = smtp_ungetc;
-  receive_feof = smtp_feof;
-  receive_ferror = smtp_ferror;
-  receive_smtp_buffered = smtp_buffered;
+  case SSL_ERROR_ZERO_RETURN:
+    DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
 
-  if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
- 	SSL_shutdown(server_ssl);
+    receive_getc = smtp_getc;
+    receive_getbuf = smtp_getbuf;
+    receive_get_cache = smtp_get_cache;
+    receive_ungetc = smtp_ungetc;
+    receive_feof = smtp_feof;
+    receive_ferror = smtp_ferror;
+    receive_smtp_buffered = smtp_buffered;
 
-  sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
-  SSL_free(server_ssl);
-  SSL_CTX_free(server_ctx);
-  server_static_cbinfo->verify_stack = NULL;
-  server_ctx = NULL;
-  server_ssl = NULL;
-  tls_in.active = -1;
-  tls_in.bits = 0;
-  tls_in.cipher = NULL;
-  tls_in.peerdn = NULL;
-  tls_in.sni = NULL;
+    if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
+	  SSL_shutdown(server_ssl);
 
-  return FALSE;
-  }
+#ifndef DISABLE_OCSP
+    sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
+    server_static_cbinfo->verify_stack = NULL;
+#endif
+    SSL_free(server_ssl);
+    SSL_CTX_free(server_ctx);
+    server_ctx = NULL;
+    server_ssl = NULL;
+    tls_in.active.sock = -1;
+    tls_in.active.tls_ctx = NULL;
+    tls_in.bits = 0;
+    tls_in.cipher = NULL;
+    tls_in.peerdn = NULL;
+    tls_in.sni = NULL;
 
-/* Handle genuine errors */
+    return FALSE;
 
-else if (error == SSL_ERROR_SSL)
-  {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
-  log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
-  ssl_xfer_error = TRUE;
-  return FALSE;
-  }
+  /* Handle genuine errors */
+  case SSL_ERROR_SSL:
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+    log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
+    ssl_xfer_error = TRUE;
+    return FALSE;
 
-else if (error != SSL_ERROR_NONE)
-  {
-  DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
-  ssl_xfer_error = TRUE;
-  return FALSE;
+  default:
+    DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
+    DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
+      debug_printf(" - syscall %s\n", strerror(errno));
+    ssl_xfer_error = TRUE;
+    return FALSE;
   }
 
 #ifndef DISABLE_DKIM
@@ -2609,19 +2849,20 @@
 
 /*
 Arguments:
+  ct_ctx    client context pointer, or NULL for the one global server context
   buff      buffer of data
   len       size of buffer
 
 Returns:    the number of bytes read
-            -1 after a failed read
+            -1 after a failed read, including EOF
 
 Only used by the client-side TLS.
 */
 
 int
-tls_read(BOOL is_server, uschar *buff, size_t len)
+tls_read(void * ct_ctx, uschar *buff, size_t len)
 {
-SSL *ssl = is_server ? server_ssl : client_ssl;
+SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
 int inbytes;
 int error;
 
@@ -2652,7 +2893,7 @@
 
 /*
 Arguments:
-  is_server channel specifier
+  ct_ctx    client context pointer, or NULL for the one global server context
   buff      buffer of data
   len       number of bytes
   more	    further data expected soon
@@ -2664,10 +2905,10 @@
 */
 
 int
-tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
+tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
 {
 int outbytes, error, left;
-SSL *ssl = is_server ? server_ssl : client_ssl;
+SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
 static gstring * corked = NULL;
 
 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
@@ -2677,10 +2918,22 @@
 "more" is notified.  This hack is only ok if small amounts are involved AND only
 one stream does it, in one context (i.e. no store reset).  Currently it is used
 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
+/*XXX + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
+a store reset there. */
 
-if (is_server && (more || corked))
+if (!ct_ctx && (more || corked))
   {
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  int save_pool = store_pool;
+  store_pool = POOL_PERM;
+#endif
+
   corked = string_catn(corked, buff, len);
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  store_pool = save_pool;
+#endif
+
   if (more)
     return len;
   buff = CUS corked->s;
@@ -2690,14 +2943,14 @@
 
 for (left = len; left > 0;)
   {
-  DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
+  DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
   outbytes = SSL_write(ssl, CS buff, left);
   error = SSL_get_error(ssl, outbytes);
   DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
   switch (error)
     {
     case SSL_ERROR_SSL:
-      ERR_error_string(ERR_get_error(), ssl_errstring);
+      ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
       log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
       return -1;
 
@@ -2735,6 +2988,7 @@
 would tamper with the SSL session in the parent process).
 
 Arguments:
+  ct_ctx	client TLS context pointer, or NULL for the one global server context
   shutdown	1 if TLS close-alert is to be sent,
  		2 if also response to be waited for
 
@@ -2744,11 +2998,12 @@
 */
 
 void
-tls_close(BOOL is_server, int shutdown)
+tls_close(void * ct_ctx, int shutdown)
 {
-SSL_CTX **ctxp = is_server ? &server_ctx : &client_ctx;
-SSL **sslp = is_server ? &server_ssl : &client_ssl;
-int *fdp = is_server ? &tls_in.active : &tls_out.active;
+exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
+SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
+SSL **sslp =     o_ctx ? &o_ctx->ssl : &server_ssl;
+int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
 
 if (*fdp < 0) return;  /* TLS was not active */
 
@@ -2761,23 +3016,25 @@
   if (  (rc = SSL_shutdown(*sslp)) == 0	/* send "close notify" alert */
      && shutdown > 1)
     {
-    alarm(2);
+    ALARM(2);
     rc = SSL_shutdown(*sslp);		/* wait for response */
-    alarm(0);
+    ALARM_CLR(0);
     }
 
   if (rc < 0) DEBUG(D_tls)
     {
-    ERR_error_string(ERR_get_error(), ssl_errstring);
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
     debug_printf("SSL_shutdown: %s\n", ssl_errstring);
     }
   }
 
-if (is_server)
+#ifndef DISABLE_OCSP
+if (!o_ctx)		/* server side */
   {
   sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
   server_static_cbinfo->verify_stack = NULL;
   }
+#endif
 
 SSL_CTX_free(*ctxp);
 SSL_free(*sslp);
@@ -2808,8 +3065,10 @@
 /* this duplicates from tls_init(), we need a better "init just global
 state, for no specific purpose" singleton function of our own */
 
+#ifdef EXIM_NEED_OPENSSL_INIT
 SSL_load_error_strings();
 OpenSSL_add_ssl_algorithms();
+#endif
 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
 list of available digests. */
@@ -2832,10 +3091,13 @@
 
 err = NULL;
 
-ctx = SSL_CTX_new(SSLv23_server_method());
-if (!ctx)
+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(ctx = SSL_CTX_new(TLS_server_method())))
+#else
+if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
+#endif
   {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
   return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
   }
 
@@ -2844,7 +3106,7 @@
 
 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
   {
-  ERR_error_string(ERR_get_error(), ssl_errstring);
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
   err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
 		      expciphers, ssl_errstring);
   }
@@ -2998,110 +3260,6 @@
 Returns   success or failure in parsing
 */
 
-struct exim_openssl_option {
-  uschar *name;
-  long    value;
-};
-/* We could use a macro to expand, but we need the ifdef and not all the
-options document which version they were introduced in.  Policylet: include
-all options unless explicitly for DTLS, let the administrator choose which
-to apply.
-
-This list is current as of:
-  ==>  1.0.1b  <==
-Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
-*/
-static struct exim_openssl_option exim_openssl_options[] = {
-/* KEEP SORTED ALPHABETICALLY! */
-#ifdef SSL_OP_ALL
-  { US"all", SSL_OP_ALL },
-#endif
-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-  { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
-#endif
-#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-  { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
-#endif
-#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-  { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
-#endif
-#ifdef SSL_OP_EPHEMERAL_RSA
-  { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
-#endif
-#ifdef SSL_OP_LEGACY_SERVER_CONNECT
-  { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
-#endif
-#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
-  { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
-#endif
-#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
-  { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
-#endif
-#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
-  { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
-#endif
-#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
-  { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
-#endif
-#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
-  { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
-#endif
-#ifdef SSL_OP_NO_COMPRESSION
-  { US"no_compression", SSL_OP_NO_COMPRESSION },
-#endif
-#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-  { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
-#endif
-#ifdef SSL_OP_NO_SSLv2
-  { US"no_sslv2", SSL_OP_NO_SSLv2 },
-#endif
-#ifdef SSL_OP_NO_SSLv3
-  { US"no_sslv3", SSL_OP_NO_SSLv3 },
-#endif
-#ifdef SSL_OP_NO_TICKET
-  { US"no_ticket", SSL_OP_NO_TICKET },
-#endif
-#ifdef SSL_OP_NO_TLSv1
-  { US"no_tlsv1", SSL_OP_NO_TLSv1 },
-#endif
-#ifdef SSL_OP_NO_TLSv1_1
-#if SSL_OP_NO_TLSv1_1 == 0x00000400L
-  /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
-#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
-#else
-  { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
-#endif
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
-  { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
-#endif
-#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
-  { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
-#endif
-#ifdef SSL_OP_SINGLE_DH_USE
-  { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
-#endif
-#ifdef SSL_OP_SINGLE_ECDH_USE
-  { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
-#endif
-#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
-  { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
-#endif
-#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
-  { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
-#endif
-#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
-  { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
-#endif
-#ifdef SSL_OP_TLS_D5_BUG
-  { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
-#endif
-#ifdef SSL_OP_TLS_ROLLBACK_BUG
-  { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
-#endif
-};
-static int exim_openssl_options_size =
-  sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
 
 
 static BOOL
@@ -3202,6 +3360,7 @@
 return TRUE;
 }
 
+#endif	/*!MACRO_PREDEF*/
 /* vi: aw ai sw=2
 */
 /* End of tls-openssl.c */
diff -Nru exim4-4.91/src/tod.c exim4-4.92~RC4/src/tod.c
--- exim4-4.91/src/tod.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/tod.c	2018-12-27 13:36:19.000000000 +0000
@@ -72,9 +72,9 @@
 
   case tod_zulu:
     t = gmtime(&now.tv_sec);
-    (void) sprintf(CS timebuf, "%04d%02d%02d%02d%02d%02dZ",
-      1900 + t->tm_year, 1 + t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min,
-      t->tm_sec);
+    (void) sprintf(CS timebuf, "%04u%02u%02u%02u%02u%02uZ",
+      1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday, (uint)t->tm_hour, (uint)t->tm_min,
+      (uint)t->tm_sec);
     return timebuf;
   }
 
@@ -84,21 +84,22 @@
 
 /* Convert to local time or UTC */
 
-t = timestamps_utc ? gmtime(&now.tv_sec) : localtime(&now.tv_sec);
+t = f.timestamps_utc ? gmtime(&now.tv_sec) : localtime(&now.tv_sec);
 
 switch(type)
   {
   case tod_log_bare:          /* Format used in logging without timezone */
 #ifndef COMPILE_UTILITY
     if (LOGGING(millisec))
-      sprintf(CS timebuf, "%04d-%02d-%02d %02d:%02d:%02d.%03d",
-      1900 + t->tm_year, 1 + t->tm_mon, t->tm_mday,
-      t->tm_hour, t->tm_min, t->tm_sec, (int)(now.tv_usec/1000));
+      sprintf(CS timebuf, "%04u-%02u-%02u %02u:%02u:%02u.%03u",
+	1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday,
+	(uint)t->tm_hour, (uint)t->tm_min, (uint)t->tm_sec,
+	(uint)(now.tv_usec/1000));
     else
 #endif
-      sprintf(CS timebuf, "%04d-%02d-%02d %02d:%02d:%02d",
-      1900 + t->tm_year, 1 + t->tm_mon, t->tm_mday,
-      t->tm_hour, t->tm_min, t->tm_sec);
+      sprintf(CS timebuf, "%04u-%02u-%02u %02u:%02u:%02u",
+	1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday,
+	(uint)t->tm_hour, (uint)t->tm_min, (uint)t->tm_sec);
 
     break;
 
@@ -108,20 +109,21 @@
 #ifdef TESTING_LOG_DATESTAMP
   case tod_log_datestamp_daily:
   case tod_log_datestamp_monthly:
-    sprintf(CS timebuf, "%04d%02d%02d%02d%02d",
-      1900 + t->tm_year, 1 + t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min);
+    sprintf(CS timebuf, "%04u%02u%02u%02u%02u",
+      1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday,
+      (uint)t->tm_hour, (uint)t->tm_min);
     break;
 
 #else
   case tod_log_datestamp_daily:
-    sprintf(CS timebuf, "%04d%02d%02d",
-      1900 + t->tm_year, 1 + t->tm_mon, t->tm_mday);
+    sprintf(CS timebuf, "%04u%02u%02u",
+      1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday);
     break;
 
   case tod_log_datestamp_monthly:
 #ifndef COMPILE_UTILITY
-    sprintf(CS timebuf, "%04d%02d",
-      1900 + t->tm_year, 1 + t->tm_mon);
+    sprintf(CS timebuf, "%04u%02u",
+      1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon);
 #endif
     break;
 #endif
@@ -148,7 +150,7 @@
       struct tm local;
       memcpy(&local, t, sizeof(struct tm));
 
-      if (timestamps_utc)
+      if (f.timestamps_utc)
 	diff_hour = diff_min = 0;
       else
 	{
@@ -169,16 +171,16 @@
 #ifndef COMPILE_UTILITY
 	  if (LOGGING(millisec))
 	    (void) sprintf(CS timebuf,
-	      "%04d-%02d-%02d %02d:%02d:%02d.%03d %+03d%02d",
-	      1900 + local.tm_year, 1 + local.tm_mon, local.tm_mday,
-	      local.tm_hour, local.tm_min, local.tm_sec, (int)(now.tv_usec/1000),
+	      "%04u-%02u-%02u %02u:%02u:%02u.%03u %+03d%02d",
+	      1900 + (uint)local.tm_year, 1 + (uint)local.tm_mon, (uint)local.tm_mday,
+	      (uint)local.tm_hour, (uint)local.tm_min, (uint)local.tm_sec, (uint)(now.tv_usec/1000),
 	      diff_hour, diff_min);
 	  else
 #endif
 	    (void) sprintf(CS timebuf,
-	      "%04d-%02d-%02d %02d:%02d:%02d %+03d%02d",
-	      1900 + local.tm_year, 1 + local.tm_mon, local.tm_mday,
-	      local.tm_hour, local.tm_min, local.tm_sec,
+	      "%04u-%02u-%02u %02u:%02u:%02u %+03d%02d",
+	      1900 + (uint)local.tm_year, 1 + (uint)local.tm_mon, (uint)local.tm_mday,
+	      (uint)local.tm_hour, (uint)local.tm_min, (uint)local.tm_sec,
 	      diff_hour, diff_min);
 	  break;
 
@@ -192,7 +194,7 @@
 	case tod_mbx:
 	    {
 	    int len;
-	    (void) sprintf(CS timebuf, "%02d-", local.tm_mday);
+	    (void) sprintf(CS timebuf, "%02u-", (uint)local.tm_mday);
 	    len = Ustrlen(timebuf);
 	    len += Ustrftime(timebuf + len, sizeof(timebuf) - len, "%b-%Y %H:%M:%S",
 	      &local);
@@ -207,7 +209,7 @@
 	default:
 	    {
 	    int len = Ustrftime(timebuf, sizeof(timebuf), "%a, ", &local);
-	    (void) sprintf(CS timebuf + len, "%02d ", local.tm_mday);
+	    (void) sprintf(CS timebuf + len, "%02u ", (uint)local.tm_mday);
 	    len += Ustrlen(timebuf + len);
 	    len += Ustrftime(timebuf + len, sizeof(timebuf) - len, "%b %Y %H:%M:%S",
 	      &local);
diff -Nru exim4-4.91/src/transport.c exim4-4.92~RC4/src/transport.c
--- exim4-4.91/src/transport.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/transport.c	2018-12-27 13:36:19.000000000 +0000
@@ -242,7 +242,7 @@
     {
     rc =
 #ifdef SUPPORT_TLS
-	tls_out.active == fd ? tls_write(FALSE, block, len, more) :
+	tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
 #endif
 #ifdef MSG_MORE
 	more && !(tctx->options & topt_not_socket)
@@ -256,11 +256,11 @@
 
   else
     {
-    alarm(local_timeout);
+    ALARM(local_timeout);
 
     rc =
 #ifdef SUPPORT_TLS
-	tls_out.active == fd ? tls_write(FALSE, block, len, more) :
+	tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
 #endif
 #ifdef MSG_MORE
 	more && !(tctx->options & topt_not_socket)
@@ -269,7 +269,7 @@
 	write(fd, block, len);
 
     save_errno = errno;
-    local_timeout = alarm(0);
+    local_timeout = ALARM_CLR(0);
     if (sigalrm_seen)
       {
       errno = ETIMEDOUT;
@@ -375,13 +375,15 @@
 transport_write_string(int fd, const char *format, ...)
 {
 transport_ctx tctx = {{0}};
+gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
 va_list ap;
+
 va_start(ap, format);
-if (!string_vformat(big_buffer, big_buffer_size, format, ap))
+if (!string_vformat(&gs, FALSE, format, ap))
   log_write(0, LOG_MAIN|LOG_PANIC_DIE, "overlong formatted string in transport");
 va_end(ap);
 tctx.u.fd = fd;
-return transport_write_block(&tctx, big_buffer, Ustrlen(big_buffer), FALSE);
+return transport_write_block(&tctx, gs.s, gs.ptr, FALSE);
 }
 
 
@@ -495,7 +497,7 @@
 
   if (  *ptr == '\r' && ptr[1] == '\n'
      && !(tctx->options & topt_use_crlf)
-     && spool_file_wireformat
+     && f.spool_file_wireformat
      )
     ptr++;
 
@@ -505,7 +507,7 @@
 
     /* Insert CR before NL if required */
 
-    if (tctx->options & topt_use_crlf && !spool_file_wireformat)
+    if (tctx->options & topt_use_crlf && !f.spool_file_wireformat)
       *chunk_ptr++ = '\r';
     *chunk_ptr++ = '\n';
     transport_newlines++;
@@ -723,7 +725,7 @@
 	int len;
 
 	if (i == 0)
-	  if (!(s = expand_string(s)) && !expand_string_forcedfail)
+	  if (!(s = expand_string(s)) && !f.expand_string_forcedfail)
 	    {
 	    errno = ERRNO_CHHEADER_FAIL;
 	    return FALSE;
@@ -829,7 +831,7 @@
 	  }
 	}
       }
-    else if (!expand_string_forcedfail)
+    else if (!f.expand_string_forcedfail)
       { errno = ERRNO_CHHEADER_FAIL; return FALSE; }
   }
 
@@ -934,8 +936,8 @@
 
 if (!(tctx->options & topt_no_headers))
   {
-  BOOL save_wireformat = spool_file_wireformat;
-  spool_file_wireformat = FALSE;
+  BOOL save_wireformat = f.spool_file_wireformat;
+  f.spool_file_wireformat = FALSE;
 
   /* Add return-path: if requested. */
 
@@ -992,11 +994,11 @@
   if (!transport_headers_send(tctx, &write_chunk))
     {
 bad:
-    spool_file_wireformat = save_wireformat;
+    f.spool_file_wireformat = save_wireformat;
     return FALSE;
     }
 
-  spool_file_wireformat = save_wireformat;
+  f.spool_file_wireformat = save_wireformat;
   }
 
 /* When doing RFC3030 CHUNKING output, work out how much data would be in a
@@ -1025,7 +1027,7 @@
     if (size_limit > 0  &&  fsize > size_limit)
       fsize = size_limit;
     size = hsize + fsize;
-    if (tctx->options & topt_use_crlf  &&  !spool_file_wireformat)
+    if (tctx->options & topt_use_crlf  &&  !f.spool_file_wireformat)
       size += body_linecount;	/* account for CRLF-expansion */
 
     /* With topt_use_bdat we never do dot-stuffing; no need to
@@ -1072,10 +1074,10 @@
 dkim signing,  when we had CHUNKING input.  */
 
 #ifdef OS_SENDFILE
-if (  spool_file_wireformat
+if (  f.spool_file_wireformat
    && !(tctx->options & (topt_no_body | topt_end_dot))
    && !nl_check_length
-   && tls_out.active != tctx->u.fd
+   && tls_out.active.sock != tctx->u.fd
    )
   {
   ssize_t copied = 0;
@@ -1106,7 +1108,7 @@
 DEBUG(D_transport)
   if (!(tctx->options & topt_no_body))
     debug_printf("cannot use sendfile for body: %s\n",
-      !spool_file_wireformat ? "spoolfile not wireformat"
+      !f.spool_file_wireformat ? "spoolfile not wireformat"
       : tctx->options & topt_end_dot ? "terminating dot wanted"
       : nl_check_length ? "dot- or From-stuffing wanted"
       : "TLS output wanted");
@@ -1135,7 +1137,7 @@
 /* Finished with the check string, and spool-format consideration */
 
 nl_check_length = nl_escape_length = 0;
-spool_file_wireformat = FALSE;
+f.spool_file_wireformat = FALSE;
 
 /* If requested, add a terminating "." line (SMTP output). */
 
@@ -1172,12 +1174,12 @@
 transport_write_message(transport_ctx * tctx, int size_limit)
 {
 BOOL last_filter_was_NL = TRUE;
-BOOL save_spool_file_wireformat = spool_file_wireformat;
+BOOL save_spool_file_wireformat = f.spool_file_wireformat;
 int rc, len, yield, fd_read, fd_write, save_errno;
 int pfd[2] = {-1, -1};
 pid_t filter_pid, write_pid;
 
-transport_filter_timed_out = FALSE;
+f.transport_filter_timed_out = FALSE;
 
 /* If there is no filter command set up, call the internal function that does
 the actual work, passing it the incoming fd, and return its result. */
@@ -1277,7 +1279,7 @@
 
 /* When testing, let the subprocess get going */
 
-if (running_in_test_harness) millisleep(250);
+if (f.running_in_test_harness) millisleep(250);
 
 DEBUG(D_transport)
   debug_printf("process %d writing to transport filter\n", (int)write_pid);
@@ -1294,19 +1296,19 @@
 variable is TRUE).  The output should always be unix-format as we converted
 any wireformat source on writing input to the filter. */
 
-spool_file_wireformat = FALSE;
+f.spool_file_wireformat = FALSE;
 chunk_ptr = deliver_out_buffer;
 
 for (;;)
   {
   sigalrm_seen = FALSE;
-  alarm(transport_filter_timeout);
+  ALARM(transport_filter_timeout);
   len = read(fd_read, deliver_in_buffer, DELIVER_IN_BUFFER_SIZE);
-  alarm(0);
+  ALARM_CLR(0);
   if (sigalrm_seen)
     {
     errno = ETIMEDOUT;
-    transport_filter_timed_out = TRUE;
+    f.transport_filter_timed_out = TRUE;
     goto TIDY_UP;
     }
 
@@ -1334,7 +1336,7 @@
 sure. Also apply a paranoia timeout. */
 
 TIDY_UP:
-spool_file_wireformat = save_spool_file_wireformat;
+f.spool_file_wireformat = save_spool_file_wireformat;
 save_errno = errno;
 
 (void)close(fd_read);
@@ -1402,7 +1404,7 @@
 if (yield)
   {
   nl_check_length = nl_escape_length = 0;
-  spool_file_wireformat = FALSE;
+  f.spool_file_wireformat = FALSE;
   if (  tctx->options & topt_end_dot
      && ( last_filter_was_NL
         ? !write_chunk(tctx, US".\n", 2)
@@ -1870,19 +1872,19 @@
 
 argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, &i, FALSE, 0);
 
-if (smtp_authenticated)				argv[i++] = US"-MCA";
+if (f.smtp_authenticated)			argv[i++] = US"-MCA";
 if (smtp_peer_options & OPTION_CHUNKING)	argv[i++] = US"-MCK";
 if (smtp_peer_options & OPTION_DSN)		argv[i++] = US"-MCD";
 if (smtp_peer_options & OPTION_PIPE)		argv[i++] = US"-MCP";
 if (smtp_peer_options & OPTION_SIZE)		argv[i++] = US"-MCS";
 #ifdef SUPPORT_TLS
 if (smtp_peer_options & OPTION_TLS)
-  if (tls_out.active >= 0 || continue_proxy_cipher)
+  if (tls_out.active.sock >= 0 || continue_proxy_cipher)
     {
     argv[i++] = US"-MCt";
     argv[i++] = sending_ip_address;
     argv[i++] = string_sprintf("%d", sending_port);
-    argv[i++] = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher;
+    argv[i++] = tls_out.active.sock >= 0 ? tls_out.cipher : continue_proxy_cipher;
     }
   else
     argv[i++] = US"-MCT";
@@ -1956,7 +1958,7 @@
     DEBUG(D_transport) debug_printf("transport_pass_socket succeeded (final-pid %d)\n", pid);
     _exit(EXIT_SUCCESS);
     }
-  if (running_in_test_harness) sleep(1);
+  if (f.running_in_test_harness) sleep(1);
 
   transport_do_pass_socket(transport_name, hostname, hostaddress,
     id, socket_fd);
@@ -2247,9 +2249,9 @@
     else
       {
       const uschar *expanded_arg;
-      enable_dollar_recipients = allow_dollar_recipients;
+      f.enable_dollar_recipients = allow_dollar_recipients;
       expanded_arg = expand_cstring(argv[i]);
-      enable_dollar_recipients = FALSE;
+      f.enable_dollar_recipients = FALSE;
 
       if (expanded_arg == NULL)
         {
diff -Nru exim4-4.91/src/transports/appendfile.c exim4-4.92~RC4/src/transports/appendfile.c
--- exim4-4.91/src/transports/appendfile.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/transports/appendfile.c	2018-12-27 13:36:19.000000000 +0000
@@ -310,7 +310,7 @@
       {
       *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
         "%s", q, tblock->name, expand_string_message);
-      return search_find_defer ? DEFER : FAIL;
+      return f.search_find_defer ? DEFER : FAIL;
       }
 
     d = Ustrtod(s, &rest);
@@ -884,10 +884,10 @@
   {
   if (fcntltime > 0)
     {
-    alarm(fcntltime);
+    ALARM(fcntltime);
     yield = fcntl(fd, F_SETLKW, &lock_data);
     save_errno = errno;
-    alarm(0);
+    ALARM_CLR(0);
     errno = save_errno;
     }
   else yield = fcntl(fd, F_SETLK, &lock_data);
@@ -899,10 +899,10 @@
   int flocktype = (fcntltype == F_WRLCK) ? LOCK_EX : LOCK_SH;
   if (flocktime > 0)
     {
-    alarm(flocktime);
+    ALARM(flocktime);
     yield = flock(fd, flocktype);
     save_errno = errno;
-    alarm(0);
+    ALARM_CLR(0);
     errno = save_errno;
     }
   else yield = flock(fd, flocktype | LOCK_NB);
@@ -1435,7 +1435,7 @@
 
 /* If the -N option is set, can't do any more. */
 
-if (dont_deliver)
+if (f.dont_deliver)
   {
   DEBUG(D_transport)
     debug_printf("*** delivery by %s transport bypassed by -N option\n",
@@ -2551,7 +2551,7 @@
     $message_size is accurately known. */
 
     if (nametag != NULL && expand_string(nametag) == NULL &&
-        !expand_string_forcedfail)
+        !f.expand_string_forcedfail)
       {
       addr->transport_return = PANIC;
       addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
@@ -2688,7 +2688,7 @@
       uschar *s = expand_string(ob->mailstore_prefix);
       if (s == NULL)
         {
-        if (!expand_string_forcedfail)
+        if (!f.expand_string_forcedfail)
           {
           addr->transport_return = PANIC;
           addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
@@ -2717,7 +2717,7 @@
       uschar *s = expand_string(ob->mailstore_suffix);
       if (s == NULL)
         {
-        if (!expand_string_forcedfail)
+        if (!f.expand_string_forcedfail)
           {
           addr->transport_return = PANIC;
           addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
@@ -3080,7 +3080,7 @@
         }
       else   /* Want a repeatable time when in test harness */
         {
-        addr->more_errno = running_in_test_harness ? 10 :
+        addr->more_errno = f.running_in_test_harness ? 10 :
           (int)time(NULL) - statbuf.st_mtime;
         }
       DEBUG(D_transport)
diff -Nru exim4-4.91/src/transports/autoreply.c exim4-4.92~RC4/src/transports/autoreply.c
--- exim4-4.91/src/transports/autoreply.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/transports/autoreply.c	2018-12-27 13:36:19.000000000 +0000
@@ -290,7 +290,7 @@
 header_line *h;
 time_t now = time(NULL);
 time_t once_repeat_sec = 0;
-FILE *f;
+FILE *fp;
 FILE *ff = NULL;
 
 autoreply_transport_options_block *ob =
@@ -403,7 +403,7 @@
 
 /* If the -N option is set, can't do any more. */
 
-if (dont_deliver)
+if (f.dont_deliver)
   {
   DEBUG(D_transport)
     debug_printf("*** delivery by %s transport bypassed by -N option\n",
@@ -577,14 +577,14 @@
 as the -t option is used. The "headers" stuff *must* be last in case there
 are newlines in it which might, if placed earlier, screw up other headers. */
 
-f = fdopen(fd, "wb");
+fp = fdopen(fd, "wb");
 
-if (from) fprintf(f, "From: %s\n", from);
-if (reply_to) fprintf(f, "Reply-To: %s\n", reply_to);
-if (to) fprintf(f, "To: %s\n", to);
-if (cc) fprintf(f, "Cc: %s\n", cc);
-if (bcc) fprintf(f, "Bcc: %s\n", bcc);
-if (subject) fprintf(f, "Subject: %s\n", subject);
+if (from) fprintf(fp, "From: %s\n", from);
+if (reply_to) fprintf(fp, "Reply-To: %s\n", reply_to);
+if (to) fprintf(fp, "To: %s\n", to);
+if (cc) fprintf(fp, "Cc: %s\n", cc);
+if (bcc) fprintf(fp, "Bcc: %s\n", bcc);
+if (subject) fprintf(fp, "Subject: %s\n", subject);
 
 /* Generate In-Reply-To from the message_id header; there should
 always be one, but code defensively. */
@@ -596,7 +596,7 @@
   {
   message_id = Ustrchr(h->text, ':') + 1;
   while (isspace(*message_id)) message_id++;
-  fprintf(f, "In-Reply-To: %s", message_id);
+  fprintf(fp, "In-Reply-To: %s", message_id);
   }
 
 /* Generate a References header if there is at least one of Message-ID:,
@@ -618,7 +618,7 @@
 
 if (h || message_id)
   {
-  fprintf(f, "References:");
+  fprintf(fp, "References:");
   if (h)
     {
     uschar *s, *id, *error;
@@ -627,7 +627,7 @@
     int i;
 
     s = Ustrchr(h->text, ':') + 1;
-    parse_allow_group = FALSE;
+    f.parse_allow_group = FALSE;
     while (*s != 0 && (s = parse_message_id(s, &id, &error)) != NULL)
       {
       if (reference_count == nelem(referenced_ids))
@@ -638,28 +638,28 @@
         }
       else referenced_ids[reference_count++] = id;
       }
-    for (i = 0; i < reference_count; ++i) fprintf(f, " %s", referenced_ids[i]);
+    for (i = 0; i < reference_count; ++i) fprintf(fp, " %s", referenced_ids[i]);
     }
 
   /* The message id will have a newline on the end of it. */
 
-  if (message_id) fprintf(f, " %s", message_id);
-  else fprintf(f, "\n");
+  if (message_id) fprintf(fp, " %s", message_id);
+  else fprintf(fp, "\n");
   }
 
 /* Add an Auto-Submitted: header */
 
-fprintf(f, "Auto-Submitted: auto-replied\n");
+fprintf(fp, "Auto-Submitted: auto-replied\n");
 
 /* Add any specially requested headers */
 
-if (headers) fprintf(f, "%s\n", headers);
-fprintf(f, "\n");
+if (headers) fprintf(fp, "%s\n", headers);
+fprintf(fp, "\n");
 
 if (text)
   {
-  fprintf(f, "%s", CS text);
-  if (text[Ustrlen(text)-1] != '\n') fprintf(f, "\n");
+  fprintf(fp, "%s", CS text);
+  if (text[Ustrlen(text)-1] != '\n') fprintf(fp, "\n");
   }
 
 if (ff)
@@ -675,9 +675,9 @@
           debug_printf("error while expanding line from file:\n  %s\n  %s\n",
             big_buffer, expand_string_message);
         }
-      fprintf(f, "%s", s ? CS s : CS big_buffer);
+      fprintf(fp, "%s", s ? CS s : CS big_buffer);
       }
-    else fprintf(f, "%s", CS big_buffer);
+    else fprintf(fp, "%s", CS big_buffer);
     }
   (void) fclose(ff);
   }
@@ -694,7 +694,7 @@
     :
     US"------ This is a copy of the message, including all the headers.\n";
   transport_ctx tctx = {
-    .u = {.fd = fileno(f)},
+    .u = {.fd = fileno(fp)},
     .tblock = tblock,
     .addr = addr,
     .check_string = NULL,
@@ -714,23 +714,23 @@
       DELIVER_IN_BUFFER_SIZE;
     if (fstat(deliver_datafile, &statbuf) == 0 && statbuf.st_size > max)
       {
-      fprintf(f, "\n%s"
+      fprintf(fp, "\n%s"
 "------ The body of the message is " OFF_T_FMT " characters long; only the first\n"
 "------ %d or so are included here.\n\n", rubric, statbuf.st_size,
         (max/1000)*1000);
       }
-    else fprintf(f, "\n%s\n", rubric);
+    else fprintf(fp, "\n%s\n", rubric);
     }
-  else fprintf(f, "\n%s\n", rubric);
+  else fprintf(fp, "\n%s\n", rubric);
 
-  fflush(f);
+  fflush(fp);
   transport_count = 0;
   transport_write_message(&tctx, bounce_return_size_limit);
   }
 
 /* End the message and wait for the child process to end; no timeout. */
 
-(void)fclose(f);
+(void)fclose(fp);
 rc = child_close(pid, 0);
 
 /* Update the "sent to" log whatever the yield. This errs on the side of
diff -Nru exim4-4.91/src/transports/lmtp.c exim4-4.92~RC4/src/transports/lmtp.c
--- exim4-4.91/src/transports/lmtp.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/transports/lmtp.c	2018-12-27 13:36:19.000000000 +0000
@@ -223,20 +223,21 @@
 static BOOL
 lmtp_write_command(int fd, const char *format, ...)
 {
-int count, rc;
+gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
+int rc;
 va_list ap;
+
 va_start(ap, format);
-if (!string_vformat(big_buffer, big_buffer_size, CS format, ap))
+if (!string_vformat(&gs, FALSE, CS format, ap))
   {
   va_end(ap);
   errno = ERRNO_SMTPFORMAT;
   return FALSE;
   }
 va_end(ap);
-count = Ustrlen(big_buffer);
-DEBUG(D_transport|D_v) debug_printf("  LMTP>> %s", big_buffer);
-rc = write(fd, big_buffer, count);
-big_buffer[count-2] = 0;     /* remove \r\n for debug and error message */
+DEBUG(D_transport|D_v) debug_printf("  LMTP>> %s", string_from_gstring(&gs));
+rc = write(fd, gs.s, gs.ptr);
+gs.ptr -= 2; string_from_gstring(&gs); /* remove \r\n for debug and error message */
 if (rc > 0) return TRUE;
 DEBUG(D_transport) debug_printf("write failed: %s\n", strerror(errno));
 return FALSE;
@@ -299,10 +300,10 @@
 
     *readptr = 0;           /* In case nothing gets read */
     sigalrm_seen = FALSE;
-    alarm(timeout);
+    ALARM(timeout);
     rc = Ufgets(readptr, size-1, f);
     save_errno = errno;
-    alarm(0);
+    ALARM_CLR(0);
     errno = save_errno;
 
     if (rc != NULL) break;  /* A line has been read */
@@ -490,7 +491,7 @@
     return FALSE;
 
   /* If the -N option is set, can't do any more. Presume all has gone well. */
-  if (dont_deliver)
+  if (f.dont_deliver)
     goto MINUS_N;
 
 /* As this is a local transport, we are already running with the required
@@ -528,7 +529,7 @@
     }
 
   /* If the -N option is set, can't do any more. Presume all has gone well. */
-  if (dont_deliver)
+  if (f.dont_deliver)
     goto MINUS_N;
 
   sockun.sun_family = AF_UNIX;
diff -Nru exim4-4.91/src/transports/pipe.c exim4-4.92~RC4/src/transports/pipe.c
--- exim4-4.91/src/transports/pipe.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/transports/pipe.c	2018-12-27 13:36:19.000000000 +0000
@@ -481,7 +481,7 @@
 
   /* Allow $recipients in the expansion iff it comes from a system filter */
 
-  enable_dollar_recipients = addr && addr->parent &&
+  f.enable_dollar_recipients = addr && addr->parent &&
     Ustrcmp(addr->parent->address, "system-filter") == 0;
 
   if (p != NULL && (
@@ -509,11 +509,11 @@
   else
     argv[2] = expand_string(cmd);
 
-  enable_dollar_recipients = FALSE;
+  f.enable_dollar_recipients = FALSE;
 
   if (!argv[2])
     {
-    addr->transport_return = search_find_defer ? DEFER : expand_fail;
+    addr->transport_return = f.search_find_defer ? DEFER : expand_fail;
     addr->message = string_sprintf("Expansion of command \"%s\" "
       "in %s transport failed: %s",
       cmd, tname, expand_string_message);
@@ -679,7 +679,7 @@
 if (addr->host_list != NULL)
   envp[envcount++] = string_sprintf("HOST=%s", addr->host_list->name);
 
-if (timestamps_utc) envp[envcount++] = US"TZ=UTC";
+if (f.timestamps_utc) envp[envcount++] = US"TZ=UTC";
 else if (timezone_string != NULL && timezone_string[0] != 0)
   envp[envcount++] = string_sprintf("TZ=%s", timezone_string);
 
@@ -714,7 +714,7 @@
 
 /* If the -N option is set, can't do any more. */
 
-if (dont_deliver)
+if (f.dont_deliver)
   {
   DEBUG(D_transport)
     debug_printf("*** delivery by %s transport bypassed by -N option",
@@ -814,7 +814,7 @@
 ignore all writing errors. (When in the test harness, we do do a short sleep so
 any debugging output is likely to be in the same order.) */
 
-if (running_in_test_harness) millisleep(500);
+if (f.running_in_test_harness) millisleep(500);
 
 DEBUG(D_transport) debug_printf("Writing message to pipe\n");
 
@@ -837,7 +837,7 @@
   uschar *prefix = expand_string(ob->message_prefix);
   if (prefix == NULL)
     {
-    addr->transport_return = search_find_defer? DEFER : PANIC;
+    addr->transport_return = f.search_find_defer? DEFER : PANIC;
     addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
       "transport) failed: %s", ob->message_prefix, tblock->name,
       expand_string_message);
@@ -881,7 +881,7 @@
   uschar *suffix = expand_string(ob->message_suffix);
   if (!suffix)
     {
-    addr->transport_return = search_find_defer? DEFER : PANIC;
+    addr->transport_return = f.search_find_defer? DEFER : PANIC;
     addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
       "transport) failed: %s", ob->message_suffix, tblock->name,
       expand_string_message);
@@ -920,7 +920,7 @@
   if (errno == ETIMEDOUT)
     {
     addr->message = string_sprintf("%stimeout while writing to pipe",
-      transport_filter_timed_out? "transport filter " : "");
+      f.transport_filter_timed_out ? "transport filter " : "");
     addr->transport_return = ob->timeout_defer? DEFER : FAIL;
     timeout = 1;
     }
@@ -986,7 +986,7 @@
   This prevents the transport_filter timeout message from getting overwritten
   by the exit error which is not the cause of the problem. */
 
-  else if (transport_filter_timed_out)
+  else if (f.transport_filter_timed_out)
     {
     killpg(pid, SIGKILL);
     kill(outpid, SIGKILL);
diff -Nru exim4-4.91/src/transports/queuefile.c exim4-4.92~RC4/src/transports/queuefile.c
--- exim4-4.91/src/transports/queuefile.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/transports/queuefile.c	2018-12-27 13:36:19.000000000 +0000
@@ -232,7 +232,7 @@
   }
 can_link = (dstatbuf.st_dev == sstatbuf.st_dev);
 
-if (dont_deliver)
+if (f.dont_deliver)
   {
   DEBUG(D_transport)
     debug_printf("*** delivery by %s transport bypassed by -N option\n",
diff -Nru exim4-4.91/src/transports/smtp.c exim4-4.92~RC4/src/transports/smtp.c
--- exim4-4.91/src/transports/smtp.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/transports/smtp.c	2018-12-27 13:36:19.000000000 +0000
@@ -63,6 +63,8 @@
       (void *)offsetof(smtp_transport_options_block, dkim.dkim_sign_headers) },
   { "dkim_strict", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, dkim.dkim_strict) },
+  { "dkim_timestamps", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, dkim.dkim_timestamps) },
 #endif
   { "dns_qualify_single",   opt_bool,
       (void *)offsetof(smtp_transport_options_block, dns_qualify_single) },
@@ -104,6 +106,10 @@
 #endif
   { "hosts_override",       opt_bool,
       (void *)offsetof(smtp_transport_options_block, hosts_override) },
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  { "hosts_pipe_connect",   opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, hosts_pipe_connect) },
+#endif
   { "hosts_randomize",      opt_bool,
       (void *)offsetof(smtp_transport_options_block, hosts_randomize) },
 #if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP)
@@ -161,13 +167,13 @@
   { "serialize_hosts",      opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, serialize_hosts) },
   { "size_addition",        opt_int,
-      (void *)offsetof(smtp_transport_options_block, size_addition) }
+      (void *)offsetof(smtp_transport_options_block, size_addition) },
 #ifdef SUPPORT_SOCKS
- ,{ "socks_proxy",          opt_stringptr,
-      (void *)offsetof(smtp_transport_options_block, socks_proxy) }
+  { "socks_proxy",          opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, socks_proxy) },
 #endif
 #ifdef SUPPORT_TLS
- ,{ "tls_certificate",      opt_stringptr,
+  { "tls_certificate",      opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_certificate) },
   { "tls_crl",              opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_crl) },
@@ -188,15 +194,18 @@
   { "tls_verify_certificates", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_verify_certificates) },
   { "tls_verify_hosts",     opt_stringptr,
-      (void *)offsetof(smtp_transport_options_block, tls_verify_hosts) }
+      (void *)offsetof(smtp_transport_options_block, tls_verify_hosts) },
+#endif
+#ifdef SUPPORT_I18N
+  { "utf8_downconvert",	    opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, utf8_downconvert) },
 #endif
 };
 
 /* Size of the options list. An extern variable has to be used so that its
 address can appear in the tables drtables.c. */
 
-int smtp_transport_options_count =
-  sizeof(smtp_transport_options)/sizeof(optionlist);
+int smtp_transport_options_count = nelem(smtp_transport_options);
 
 
 #ifdef MACRO_PREDEF
@@ -243,6 +252,9 @@
   .hosts_avoid_tls =		NULL,
   .hosts_verify_avoid_tls =	NULL,
   .hosts_avoid_pipelining =	NULL,
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  .hosts_pipe_connect =		NULL,
+#endif
   .hosts_avoid_esmtp =		NULL,
 #ifdef SUPPORT_TLS
   .hosts_nopass_tls =		NULL,
@@ -285,6 +297,9 @@
   .tls_try_verify_hosts =	US"*",
   .tls_verify_cert_hostnames =	US"*",
 #endif
+#ifdef SUPPORT_I18N
+  .utf8_downconvert =		NULL,
+#endif
 #ifndef DISABLE_DKIM
  .dkim =
    {.dkim_domain =		NULL,
@@ -295,6 +310,7 @@
     .dkim_sign_headers =	NULL,
     .dkim_strict =		NULL,
     .dkim_hash =		US"sha256",
+    .dkim_timestamps =		NULL,
     .dot_stuffed =		FALSE,
     .force_bodyhash =		FALSE,
 # ifdef EXPERIMENTAL_ARC
@@ -327,6 +343,9 @@
 static BOOL    pipelining_active;	/* current transaction is in pipe mode */
 
 
+static unsigned ehlo_response(uschar * buf, unsigned checks);
+
+
 /*************************************************
 *             Setup entry point                  *
 *************************************************/
@@ -353,8 +372,7 @@
 smtp_transport_setup(transport_instance *tblock, address_item *addrlist,
   transport_feedback *tf, uid_t uid, gid_t gid, uschar **errmsg)
 {
-smtp_transport_options_block *ob =
-  (smtp_transport_options_block *)(tblock->options_block);
+smtp_transport_options_block *ob = SOB tblock->options_block;
 
 errmsg = errmsg;    /* Keep picky compilers happy */
 uid = uid;
@@ -404,8 +422,7 @@
 void
 smtp_transport_init(transport_instance *tblock)
 {
-smtp_transport_options_block *ob =
-  (smtp_transport_options_block *)(tblock->options_block);
+smtp_transport_options_block *ob = SOB tblock->options_block;
 
 /* Retry_use_local_part defaults FALSE if unset */
 
@@ -414,9 +431,11 @@
 
 /* Set the default port according to the protocol */
 
-if (ob->port == NULL)
-  ob->port = (strcmpic(ob->protocol, US"lmtp") == 0)? US"lmtp" :
-    (strcmpic(ob->protocol, US"smtps") == 0)? US"smtps" : US"smtp";
+if (!ob->port)
+  ob->port = strcmpic(ob->protocol, US"lmtp") == 0
+  ? US"lmtp"
+  : strcmpic(ob->protocol, US"smtps") == 0
+  ? US"smtps" : US"smtp";
 
 /* Set up the setup entry point, to be called before subprocesses for this
 transport. */
@@ -649,24 +668,22 @@
 static void
 write_logs(const host_item *host, const uschar *suffix, int basic_errno)
 {
-
-
-uschar *message = LOGGING(outgoing_port)
-  ? string_sprintf("H=%s [%s]:%d", host->name, host->address,
+gstring * message = LOGGING(outgoing_port)
+  ? string_fmt_append(NULL, "H=%s [%s]:%d", host->name, host->address,
 		    host->port == PORT_NONE ? 25 : host->port)
-  : string_sprintf("H=%s [%s]", host->name, host->address);
+  : string_fmt_append(NULL, "H=%s [%s]", host->name, host->address);
 
 if (suffix)
   {
-  message = string_sprintf("%s: %s", message, suffix);
+  message = string_fmt_append(message, ": %s", suffix);
   if (basic_errno > 0)
-    message = string_sprintf("%s: %s", message, strerror(basic_errno));
+    message = string_fmt_append(message, ": %s", strerror(basic_errno));
   }
 else
-  message = string_sprintf("%s %s", message, exim_errstr(basic_errno));
+  message = string_fmt_append(message, " %s", exim_errstr(basic_errno));
 
-log_write(0, LOG_MAIN, "%s", message);
-deliver_msglog("%s %s\n", tod_stamp(tod_log), message);
+log_write(0, LOG_MAIN, "%s", string_from_gstring(message));
+deliver_msglog("%s %s\n", tod_stamp(tod_log), message->s);
 }
 
 static void
@@ -732,6 +749,267 @@
 #endif
 
 /*************************************************
+*           Reap SMTP specific responses         *
+*************************************************/
+static int
+smtp_discard_responses(smtp_context * sx, smtp_transport_options_block * ob,
+  int count)
+{
+uschar flushbuffer[4096];
+
+while (count-- > 0)
+  {
+  if (!smtp_read_response(sx, flushbuffer, sizeof(flushbuffer),
+	     '2', ob->command_timeout)
+      && (errno != 0 || flushbuffer[0] == 0))
+    break;
+  }
+return count;
+}
+
+
+/* Return boolean success */
+
+static BOOL
+smtp_reap_banner(smtp_context * sx)
+{
+BOOL good_response = smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
+  '2', (SOB sx->conn_args.ob)->command_timeout);
+#ifdef EXPERIMENTAL_DSN_INFO
+sx->smtp_greeting = string_copy(sx->buffer);
+#endif
+return good_response;
+}
+
+static BOOL
+smtp_reap_ehlo(smtp_context * sx)
+{
+if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2',
+       (SOB sx->conn_args.ob)->command_timeout))
+  {
+  if (errno != 0 || sx->buffer[0] == 0 || sx->lmtp)
+    {
+#ifdef EXPERIMENTAL_DSN_INFO
+    sx->helo_response = string_copy(sx->buffer);
+#endif
+    return FALSE;
+    }
+  sx->esmtp = FALSE;
+  }
+#ifdef EXPERIMENTAL_DSN_INFO
+sx->helo_response = string_copy(sx->buffer);
+#endif
+return TRUE;
+}
+
+
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+static uschar *
+ehlo_cache_key(const smtp_context * sx)
+{
+host_item * host = sx->conn_args.host;
+return Ustrchr(host->address, ':')
+  ? string_sprintf("[%s]:%d.EHLO", host->address,
+    host->port == PORT_NONE ? sx->port : host->port)
+  : string_sprintf("%s:%d.EHLO", host->address,
+    host->port == PORT_NONE ? sx->port : host->port);
+}
+
+static void
+write_ehlo_cache_entry(const smtp_context * sx)
+{
+open_db dbblock, * dbm_file;
+
+if ((dbm_file = dbfn_open(US"misc", O_RDWR, &dbblock, TRUE)))
+  {
+  uschar * ehlo_resp_key = ehlo_cache_key(sx);
+  dbdata_ehlo_resp er = { .data = sx->ehlo_resp };
+
+  dbfn_write(dbm_file, ehlo_resp_key, &er, (int)sizeof(er));
+  dbfn_close(dbm_file);
+  }
+}
+
+static void
+invalidate_ehlo_cache_entry(smtp_context * sx)
+{
+open_db dbblock, * dbm_file;
+
+if (  sx->early_pipe_active
+   && (dbm_file = dbfn_open(US"misc", O_RDWR, &dbblock, TRUE)))
+  {
+  uschar * ehlo_resp_key = ehlo_cache_key(sx);
+  dbfn_delete(dbm_file, ehlo_resp_key);
+  dbfn_close(dbm_file);
+  }
+}
+
+static BOOL
+read_ehlo_cache_entry(smtp_context * sx)
+{
+open_db dbblock;
+open_db * dbm_file;
+
+if (!(dbm_file = dbfn_open(US"misc", O_RDONLY, &dbblock, FALSE)))
+  { DEBUG(D_transport) debug_printf("ehlo-cache: no misc DB\n"); }
+else
+  {
+  uschar * ehlo_resp_key = ehlo_cache_key(sx);
+  dbdata_ehlo_resp * er;
+
+  if (!(er = dbfn_read(dbm_file, ehlo_resp_key)))
+    { DEBUG(D_transport) debug_printf("no ehlo-resp record\n"); }
+  else if (time(NULL) - er->time_stamp > retry_data_expire)
+    {
+    DEBUG(D_transport) debug_printf("ehlo-resp record too old\n");
+    dbfn_close(dbm_file);
+    if ((dbm_file = dbfn_open(US"misc", O_RDWR, &dbblock, TRUE)))
+      dbfn_delete(dbm_file, ehlo_resp_key);
+    }
+  else
+    {
+    sx->ehlo_resp = er->data;
+    dbfn_close(dbm_file);
+    DEBUG(D_transport) debug_printf(
+	"EHLO response bits from cache: cleartext 0x%04x crypted 0x%04x\n",
+	er->data.cleartext_features, er->data.crypted_features);
+    return TRUE;
+    }
+  dbfn_close(dbm_file);
+  }
+return FALSE;
+}
+
+
+
+/* Return an auths bitmap for the set of AUTH methods offered by the server
+which match our authenticators. */
+
+static unsigned short
+study_ehlo_auths(smtp_context * sx)
+{
+uschar * names;
+auth_instance * au;
+uschar authnum;
+unsigned short authbits = 0;
+
+if (!sx->esmtp) return 0;
+if (!regex_AUTH) regex_AUTH = regex_must_compile(AUTHS_REGEX, FALSE, TRUE);
+if (!regex_match_and_setup(regex_AUTH, sx->buffer, 0, -1)) return 0;
+expand_nmax = -1;						/* reset */
+names = string_copyn(expand_nstring[1], expand_nlength[1]);
+
+for (au = auths, authnum = 0; au; au = au->next, authnum++) if (au->client)
+  {
+  const uschar * list = names;
+  int sep = ' ';
+  uschar name[32];
+
+  while (string_nextinlist(&list, &sep, name, sizeof(name)))
+    if (strcmpic(au->public_name, name) == 0)
+      { authbits |= BIT(authnum); break; }
+  }
+
+DEBUG(D_transport)
+  debug_printf("server offers %s AUTH, methods '%s', bitmap 0x%04x\n",
+    tls_out.active.sock >= 0 ? "crypted" : "plaintext", names, authbits);
+
+if (tls_out.active.sock >= 0)
+  sx->ehlo_resp.crypted_auths = authbits;
+else
+  sx->ehlo_resp.cleartext_auths = authbits;
+return authbits;
+}
+
+
+
+
+/* Wait for and check responses for early-pipelining.
+
+Called from the lower-level smtp_read_response() function
+used for general code that assume synchronisation, if context
+flags indicate outstanding early-pipelining commands.  Also
+called fom sync_responses() which handles pipelined commands.
+
+Arguments:
+ sx	smtp connection context
+ countp	number of outstanding responses, adjusted on return
+
+Return:
+ OK	all well
+ FAIL	SMTP error in response
+*/
+int
+smtp_reap_early_pipe(smtp_context * sx, int * countp)
+{
+BOOL pending_BANNER = sx->pending_BANNER;
+BOOL pending_EHLO = sx->pending_EHLO;
+
+sx->pending_BANNER = FALSE;	/* clear early to avoid recursion */
+sx->pending_EHLO = FALSE;
+
+if (pending_BANNER)
+  {
+  DEBUG(D_transport) debug_printf("%s expect banner\n", __FUNCTION__);
+  (*countp)--;
+  if (!smtp_reap_banner(sx))
+    {
+    DEBUG(D_transport) debug_printf("bad banner\n");
+    goto fail;
+    }
+  }
+
+if (pending_EHLO)
+  {
+  unsigned peer_offered;
+  unsigned short authbits = 0, * ap;
+
+  DEBUG(D_transport) debug_printf("%s expect ehlo\n", __FUNCTION__);
+  (*countp)--;
+  if (!smtp_reap_ehlo(sx))
+    {
+    DEBUG(D_transport) debug_printf("bad response for EHLO\n");
+    goto fail;
+    }
+
+  /* Compare the actual EHLO response to the cached value we assumed;
+  on difference, dump or rewrite the cache and arrange for a retry. */
+
+  ap = tls_out.active.sock < 0
+      ? &sx->ehlo_resp.cleartext_auths : &sx->ehlo_resp.crypted_auths;
+
+  peer_offered = ehlo_response(sx->buffer,
+	  (tls_out.active.sock < 0 ?  OPTION_TLS : OPTION_REQUIRETLS)
+	| OPTION_CHUNKING | OPTION_PRDR | OPTION_DSN | OPTION_PIPE | OPTION_SIZE
+	| OPTION_UTF8 | OPTION_EARLY_PIPE
+	);
+  if (  peer_offered != sx->peer_offered
+     || (authbits = study_ehlo_auths(sx)) != *ap)
+    {
+    HDEBUG(D_transport)
+      debug_printf("EHLO extensions changed, 0x%04x/0x%04x -> 0x%04x/0x%04x\n",
+		    sx->peer_offered, *ap, peer_offered, authbits);
+    *ap = authbits;
+    if (peer_offered & OPTION_EARLY_PIPE)
+      write_ehlo_cache_entry(sx);
+    else
+      invalidate_ehlo_cache_entry(sx);
+
+    return OK;		/* just carry on */
+    }
+  }
+return OK;
+
+fail:
+  invalidate_ehlo_cache_entry(sx);
+  (void) smtp_discard_responses(sx, sx->conn_args.ob, *countp);
+  return FAIL;
+}
+#endif
+
+
+/*************************************************
 *           Synchronize SMTP responses           *
 *************************************************/
 
@@ -770,44 +1048,43 @@
              -1 timeout while reading RCPT response
              -2 I/O or other non-response error for RCPT
              -3 DATA or MAIL failed - errno and buffer set
+	     -4 banner or EHLO failed (early-pipelining)
 */
 
 static int
 sync_responses(smtp_context * sx, int count, int pending_DATA)
 {
-address_item *addr = sx->sync_addr;
-smtp_transport_options_block *ob =
-  (smtp_transport_options_block *)sx->tblock->options_block;
+address_item * addr = sx->sync_addr;
+smtp_transport_options_block * ob = sx->conn_args.ob;
 int yield = 0;
 
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+if (smtp_reap_early_pipe(sx, &count) != OK)
+  return -4;
+#endif
+
 /* Handle the response for a MAIL command. On error, reinstate the original
 command in big_buffer for error message use, and flush any further pending
 responses before returning, except after I/O errors and timeouts. */
 
 if (sx->pending_MAIL)
   {
+  DEBUG(D_transport) debug_printf("%s expect mail\n", __FUNCTION__);
   count--;
-  if (!smtp_read_response(&sx->inblock, sx->buffer, sizeof(sx->buffer),
+  if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
 			  '2', ob->command_timeout))
     {
     DEBUG(D_transport) debug_printf("bad response for MAIL\n");
     Ustrcpy(big_buffer, mail_command);  /* Fits, because it came from there! */
     if (errno == 0 && sx->buffer[0] != 0)
       {
-      uschar flushbuffer[4096];
       int save_errno = 0;
       if (sx->buffer[0] == '4')
         {
         save_errno = ERRNO_MAIL4XX;
         addr->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
         }
-      while (count-- > 0)
-        {
-        if (!smtp_read_response(&sx->inblock, flushbuffer, sizeof(flushbuffer),
-                   '2', ob->command_timeout)
-            && (errno != 0 || flushbuffer[0] == 0))
-          break;
-        }
+      count = smtp_discard_responses(sx, ob, count);
       errno = save_errno;
       }
 
@@ -815,7 +1092,7 @@
     while (count-- > 0)		/* Mark any pending addrs with the host used */
       {
       while (addr->transport_return != PENDING_DEFER) addr = addr->next;
-      addr->host_used = sx->host;
+      addr->host_used = sx->conn_args.host;
       addr = addr->next;
       }
     return -3;
@@ -835,9 +1112,10 @@
       return -2;
 
   /* The address was accepted */
-  addr->host_used = sx->host;
+  addr->host_used = sx->conn_args.host;
 
-  if (smtp_read_response(&sx->inblock, sx->buffer, sizeof(sx->buffer),
+  DEBUG(D_transport) debug_printf("%s expect rcpt\n", __FUNCTION__);
+  if (smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
 			  '2', ob->command_timeout))
     {
     yield |= 1;
@@ -861,7 +1139,7 @@
   else if (errno == ETIMEDOUT)
     {
     uschar *message = string_sprintf("SMTP timeout after RCPT TO:<%s>",
-		transport_rcpt_address(addr, sx->tblock->rcpt_include_affixes));
+		transport_rcpt_address(addr, sx->conn_args.tblock->rcpt_include_affixes));
     set_errno_nohost(sx->first_addr, ETIMEDOUT, message, DEFER, FALSE);
     retry_add_item(addr, addr->address_retry_key, 0);
     update_waiting = FALSE;
@@ -876,7 +1154,7 @@
   else if (errno != 0 || sx->buffer[0] == 0)
     {
     string_format(big_buffer, big_buffer_size, "RCPT TO:<%s>",
-      transport_rcpt_address(addr, sx->tblock->rcpt_include_affixes));
+      transport_rcpt_address(addr, sx->conn_args.tblock->rcpt_include_affixes));
     return -2;
     }
 
@@ -886,11 +1164,11 @@
     {
     addr->message =
       string_sprintf("SMTP error from remote mail server after RCPT TO:<%s>: "
-	"%s", transport_rcpt_address(addr, sx->tblock->rcpt_include_affixes),
+	"%s", transport_rcpt_address(addr, sx->conn_args.tblock->rcpt_include_affixes),
 	string_printing(sx->buffer));
     setflag(addr, af_pass_message);
     if (!sx->verify)
-      msglog_line(sx->host, addr->message);
+      msglog_line(sx->conn_args.host, addr->message);
 
     /* The response was 5xx */
 
@@ -918,9 +1196,14 @@
 	/* Log temporary errors if there are more hosts to be tried.
 	If not, log this last one in the == line. */
 
-	if (sx->host->next)
-	  log_write(0, LOG_MAIN, "H=%s [%s]: %s",
-	    sx->host->name, sx->host->address, addr->message);
+	if (sx->conn_args.host->next)
+	  if (LOGGING(outgoing_port))
+	    log_write(0, LOG_MAIN, "H=%s [%s]:%d %s", sx->conn_args.host->name,
+	      sx->conn_args.host->address,
+	      sx->port == PORT_NONE ? 25 : sx->port, addr->message);
+	  else
+	    log_write(0, LOG_MAIN, "H=%s [%s]: %s", sx->conn_args.host->name,
+	      sx->conn_args.host->address, addr->message);
 
 #ifndef DISABLE_EVENT
 	else
@@ -954,25 +1237,28 @@
 /* Handle a response to DATA. If we have not had any good recipients, either
 previously or in this block, the response is ignored. */
 
-if (pending_DATA != 0 &&
-    !smtp_read_response(&sx->inblock, sx->buffer, sizeof(sx->buffer),
-			'3', ob->command_timeout))
+if (pending_DATA != 0)
   {
-  int code;
-  uschar *msg;
-  BOOL pass_message;
-  if (pending_DATA > 0 || (yield & 1) != 0)
+  DEBUG(D_transport) debug_printf("%s expect data\n", __FUNCTION__);
+  if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
+			'3', ob->command_timeout))
     {
-    if (errno == 0 && sx->buffer[0] == '4')
+    int code;
+    uschar *msg;
+    BOOL pass_message;
+    if (pending_DATA > 0 || (yield & 1) != 0)
       {
-      errno = ERRNO_DATA4XX;
-      sx->first_addr->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+      if (errno == 0 && sx->buffer[0] == '4')
+	{
+	errno = ERRNO_DATA4XX;
+	sx->first_addr->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+	}
+      return -3;
       }
-    return -3;
+    (void)check_response(sx->conn_args.host, &errno, 0, sx->buffer, &code, &msg, &pass_message);
+    DEBUG(D_transport) debug_printf("%s\nerror for DATA ignored: pipelining "
+      "is in use and there were no good recipients\n", msg);
     }
-  (void)check_response(sx->host, &errno, 0, sx->buffer, &code, &msg, &pass_message);
-  DEBUG(D_transport) debug_printf("%s\nerror for DATA ignored: pipelining "
-    "is in use and there were no good recipients\n", msg);
   }
 
 /* All responses read and handled; MAIL (if present) received 2xx and DATA (if
@@ -984,14 +1270,82 @@
 
 
 
-/* Do the client side of smtp-level authentication */
-/*
+
+
+/* Try an authenticator's client entry */
+
+static int
+try_authenticator(smtp_context * sx, auth_instance * au)
+{
+smtp_transport_options_block * ob = sx->conn_args.ob;	/* transport options */
+host_item * host = sx->conn_args.host;			/* host to deliver to */
+int rc;
+
+sx->outblock.authenticating = TRUE;
+rc = (au->info->clientcode)(au, sx, ob->command_timeout,
+			    sx->buffer, sizeof(sx->buffer));
+sx->outblock.authenticating = FALSE;
+DEBUG(D_transport) debug_printf("%s authenticator yielded %d\n", au->name, rc);
+
+/* A temporary authentication failure must hold up delivery to
+this host. After a permanent authentication failure, we carry on
+to try other authentication methods. If all fail hard, try to
+deliver the message unauthenticated unless require_auth was set. */
+
+switch(rc)
+  {
+  case OK:
+    f.smtp_authenticated = TRUE;   /* stops the outer loop */
+    client_authenticator = au->name;
+    if (au->set_client_id)
+      client_authenticated_id = expand_string(au->set_client_id);
+    break;
+
+  /* Failure after writing a command */
+
+  case FAIL_SEND:
+    return FAIL_SEND;
+
+  /* Failure after reading a response */
+
+  case FAIL:
+    if (errno != 0 || sx->buffer[0] != '5') return FAIL;
+    log_write(0, LOG_MAIN, "%s authenticator failed H=%s [%s] %s",
+      au->name, host->name, host->address, sx->buffer);
+    break;
+
+  /* Failure by some other means. In effect, the authenticator
+  decided it wasn't prepared to handle this case. Typically this
+  is the result of "fail" in an expansion string. Do we need to
+  log anything here? Feb 2006: a message is now put in the buffer
+  if logging is required. */
+
+  case CANCELLED:
+    if (*sx->buffer != 0)
+      log_write(0, LOG_MAIN, "%s authenticator cancelled "
+	"authentication H=%s [%s] %s", au->name, host->name,
+	host->address, sx->buffer);
+    break;
+
+  /* Internal problem, message in buffer. */
+
+  case ERROR:
+    set_errno_nohost(sx->addrlist, ERRNO_AUTHPROB, string_copy(sx->buffer),
+	      DEFER, FALSE);
+    return ERROR;
+  }
+return OK;
+}
+
+
+
+
+/* Do the client side of smtp-level authentication.
+
 Arguments:
-  buffer	EHLO response from server (gets overwritten)
-  addrlist      chain of potential addresses to deliver
-  host          host to deliver to
-  ob		transport options
-  ibp, obp	comms channel control blocks
+  sx		smtp connection context
+
+sx->buffer should have the EHLO response from server (gets overwritten)
 
 Returns:
   OK			Success, or failed (but not required): global "smtp_authenticated" set
@@ -1002,37 +1356,91 @@
   FAIL			- response
 */
 
-int
-smtp_auth(uschar *buffer, unsigned bufsize, address_item *addrlist, host_item *host,
-    smtp_transport_options_block *ob, BOOL is_esmtp,
-    smtp_inblock *ibp, smtp_outblock *obp)
+static int
+smtp_auth(smtp_context * sx)
 {
-int require_auth;
-uschar *fail_reason = US"server did not advertise AUTH support";
+host_item * host = sx->conn_args.host;			/* host to deliver to */
+smtp_transport_options_block * ob = sx->conn_args.ob;	/* transport options */
+int require_auth = verify_check_given_host(CUSS &ob->hosts_require_auth, host);
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+unsigned short authbits = tls_out.active.sock >= 0
+      ? sx->ehlo_resp.crypted_auths : sx->ehlo_resp.cleartext_auths;
+#endif
+uschar * fail_reason = US"server did not advertise AUTH support";
 
-smtp_authenticated = FALSE;
+f.smtp_authenticated = FALSE;
 client_authenticator = client_authenticated_id = client_authenticated_sender = NULL;
-require_auth = verify_check_given_host(&ob->hosts_require_auth, host);
 
-if (is_esmtp && !regex_AUTH) regex_AUTH =
-    regex_must_compile(US"\\n250[\\s\\-]AUTH\\s+([\\-\\w\\s]+)(?:\\n|$)",
-	  FALSE, TRUE);
+if (!regex_AUTH)
+  regex_AUTH = regex_must_compile(AUTHS_REGEX, FALSE, TRUE);
+
+/* Is the server offering AUTH? */
 
-if (is_esmtp && regex_match_and_setup(regex_AUTH, buffer, 0, -1))
+if (  sx->esmtp
+   &&
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+      sx->early_pipe_active ? authbits
+      :
+#endif
+	regex_match_and_setup(regex_AUTH, sx->buffer, 0, -1)
+   )
   {
-  uschar *names = string_copyn(expand_nstring[1], expand_nlength[1]);
+  uschar * names = NULL;
   expand_nmax = -1;                          /* reset */
 
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  if (!sx->early_pipe_active)
+#endif
+    names = string_copyn(expand_nstring[1], expand_nlength[1]);
+
   /* Must not do this check until after we have saved the result of the
-  regex match above. */
+  regex match above as the check could be another RE. */
 
-  if (require_auth == OK ||
-      verify_check_given_host(&ob->hosts_try_auth, host) == OK)
+  if (  require_auth == OK
+     || verify_check_given_host(CUSS &ob->hosts_try_auth, host) == OK)
     {
-    auth_instance *au;
-    fail_reason = US"no common mechanisms were found";
+    auth_instance * au;
 
     DEBUG(D_transport) debug_printf("scanning authentication mechanisms\n");
+    fail_reason = US"no common mechanisms were found";
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    if (sx->early_pipe_active)
+      {
+      /* Scan our authenticators (which support use by a client and were offered
+      by the server (checked at cache-write time)), not suppressed by
+      client_condition.  If one is found, attempt to authenticate by calling its
+      client function.  We are limited to supporting up to 16 authenticator
+      public-names by the number of bits in a short. */
+
+      uschar bitnum;
+      int rc;
+
+      for (bitnum = 0, au = auths;
+	   !f.smtp_authenticated && au && bitnum < 16;
+	   bitnum++, au = au->next) if (authbits & BIT(bitnum))
+	{
+	if (  au->client_condition
+	   && !expand_check_condition(au->client_condition, au->name,
+                   US"client authenticator"))
+	  {
+	  DEBUG(D_transport) debug_printf("skipping %s authenticator: %s\n",
+	    au->name, "client_condition is false");
+	  continue;
+	  }
+
+	/* Found data for a listed mechanism. Call its client entry. Set
+	a flag in the outblock so that data is overwritten after sending so
+	that reflections don't show it. */
+
+	fail_reason = US"authentication attempt(s) failed";
+
+	if ((rc = try_authenticator(sx, au)) != OK)
+	  return rc;
+	}
+      }
+    else
+#endif
 
     /* Scan the configured authenticators looking for one which is configured
     for use as a client, which is not suppressed by client_condition, and
@@ -1040,13 +1448,14 @@
     If one is found, attempt to authenticate by calling its client function.
     */
 
-    for (au = auths; !smtp_authenticated && au; au = au->next)
+    for (au = auths; !f.smtp_authenticated && au; au = au->next)
       {
       uschar *p = names;
-      if (!au->client ||
-	  (au->client_condition != NULL &&
-	   !expand_check_condition(au->client_condition, au->name,
-	     US"client authenticator")))
+
+      if (  !au->client
+         || (   au->client_condition
+	    &&  !expand_check_condition(au->client_condition, au->name,
+		   US"client authenticator")))
 	{
 	DEBUG(D_transport) debug_printf("skipping %s authenticator: %s\n",
 	  au->name,
@@ -1059,8 +1468,9 @@
 
       while (*p)
 	{
-	int rc;
 	int len = Ustrlen(au->public_name);
+	int rc;
+
 	while (isspace(*p)) p++;
 
 	if (strncmpic(au->public_name, p, len) != 0 ||
@@ -1075,60 +1485,9 @@
 	that reflections don't show it. */
 
 	fail_reason = US"authentication attempt(s) failed";
-	obp->authenticating = TRUE;
-	rc = (au->info->clientcode)(au, ibp, obp,
-	  ob->command_timeout, buffer, bufsize);
-	obp->authenticating = FALSE;
-	DEBUG(D_transport) debug_printf("%s authenticator yielded %d\n",
-	  au->name, rc);
-
-	/* A temporary authentication failure must hold up delivery to
-	this host. After a permanent authentication failure, we carry on
-	to try other authentication methods. If all fail hard, try to
-	deliver the message unauthenticated unless require_auth was set. */
-
-	switch(rc)
-	  {
-	  case OK:
-	  smtp_authenticated = TRUE;   /* stops the outer loop */
-	  client_authenticator = au->name;
-	  if (au->set_client_id != NULL)
-	    client_authenticated_id = expand_string(au->set_client_id);
-	  break;
-
-	  /* Failure after writing a command */
-
-	  case FAIL_SEND:
-	  return FAIL_SEND;
 
-	  /* Failure after reading a response */
-
-	  case FAIL:
-	  if (errno != 0 || buffer[0] != '5') return FAIL;
-	  log_write(0, LOG_MAIN, "%s authenticator failed H=%s [%s] %s",
-	    au->name, host->name, host->address, buffer);
-	  break;
-
-	  /* Failure by some other means. In effect, the authenticator
-	  decided it wasn't prepared to handle this case. Typically this
-	  is the result of "fail" in an expansion string. Do we need to
-	  log anything here? Feb 2006: a message is now put in the buffer
-	  if logging is required. */
-
-	  case CANCELLED:
-	  if (*buffer != 0)
-	    log_write(0, LOG_MAIN, "%s authenticator cancelled "
-	      "authentication H=%s [%s] %s", au->name, host->name,
-	      host->address, buffer);
-	  break;
-
-	  /* Internal problem, message in buffer. */
-
-	  case ERROR:
-	  set_errno_nohost(addrlist, ERRNO_AUTHPROB, string_copy(buffer),
-		    DEFER, FALSE);
-	  return ERROR;
-	  }
+	if ((rc = try_authenticator(sx, au)) != OK)
+	  return rc;
 
 	break;  /* If not authenticated, try next authenticator */
 	}       /* Loop for scanning supported server mechanisms */
@@ -1138,9 +1497,9 @@
 
 /* If we haven't authenticated, but are required to, give up. */
 
-if (require_auth == OK && !smtp_authenticated)
+if (require_auth == OK && !f.smtp_authenticated)
   {
-  set_errno_nohost(addrlist, ERRNO_AUTHFAIL,
+  set_errno_nohost(sx->addrlist, ERRNO_AUTHFAIL,
     string_sprintf("authentication required but %s", fail_reason), DEFER,
     FALSE);
   return DEFER;
@@ -1157,7 +1516,7 @@
   addrlist      chain of potential addresses to deliver
   ob		transport options
 
-Globals		smtp_authenticated
+Globals		f.smtp_authenticated
 		client_authenticated_sender
 Return	True on error, otherwise buffer has (possibly empty) terminated string
 */
@@ -1169,7 +1528,7 @@
 uschar *local_authenticated_sender = authenticated_sender;
 
 #ifdef notdef
-  debug_printf("smtp_mail_auth_str: as<%s> os<%s> SA<%s>\n", authenticated_sender, ob->authenticated_sender, smtp_authenticated?"Y":"N");
+  debug_printf("smtp_mail_auth_str: as<%s> os<%s> SA<%s>\n", authenticated_sender, ob->authenticated_sender, f.smtp_authenticated?"Y":"N");
 #endif
 
 if (ob->authenticated_sender != NULL)
@@ -1177,7 +1536,7 @@
   uschar *new = expand_string(ob->authenticated_sender);
   if (new == NULL)
     {
-    if (!expand_string_forcedfail)
+    if (!f.expand_string_forcedfail)
       {
       uschar *message = string_sprintf("failed to expand "
         "authenticated_sender: %s", expand_string_message);
@@ -1190,7 +1549,7 @@
 
 /* Add the authenticated sender address if present */
 
-if ((smtp_authenticated || ob->authenticated_sender_force) &&
+if ((f.smtp_authenticated || ob->authenticated_sender_force) &&
     local_authenticated_sender != NULL)
   {
   string_format(buffer, bufsize, " AUTH=%s",
@@ -1237,7 +1596,30 @@
     return DEFER; /* just defer this TLS'd conn */
 
   case DNS_SUCCEED:
-    if (sec) return OK;
+    if (sec)
+      {
+      DEBUG(D_transport)
+	{
+	dns_scan dnss;
+	dns_record * rr;
+	for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+	     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+	  if (rr->type == T_TLSA && rr->size > 3)
+	    {
+	    uint16_t payload_length = rr->size - 3;
+	    uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data;
+
+	    sp += sprintf(CS sp, "%d ", *p++); /* usage */
+	    sp += sprintf(CS sp, "%d ", *p++); /* selector */
+	    sp += sprintf(CS sp, "%d ", *p++); /* matchtype */
+	    while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+	      sp += sprintf(CS sp, "%02x", *p++);
+
+	    debug_printf(" %s\n", s);
+	    }
+	}
+      return OK;
+      }
     log_write(0, LOG_MAIN,
       "DANE error: TLSA lookup for %s not DNSSEC", host->name);
     /*FALLTRHOUGH*/
@@ -1277,8 +1659,7 @@
 #endif
 uschar * save_sender_address = sender_address;
 uschar * local_identity = NULL;
-smtp_transport_options_block * ob =
-  (smtp_transport_options_block *)tblock->options_block;
+smtp_transport_options_block * ob = SOB tblock->options_block;
 
 sender_address = sender;
 
@@ -1333,16 +1714,24 @@
 
 
 
-static uschar
-ehlo_response(uschar * buf, uschar checks)
+static unsigned
+ehlo_response(uschar * buf, unsigned checks)
 {
 size_t bsize = Ustrlen(buf);
 
+/* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */
+
 #ifdef SUPPORT_TLS
+# ifdef EXPERIMENTAL_REQUIRETLS
+if (  checks & OPTION_REQUIRETLS
+   && pcre_exec(regex_REQUIRETLS, NULL, CS buf,bsize, 0, PCRE_EOPT, NULL,0) < 0)
+# endif
+  checks &= ~OPTION_REQUIRETLS;
+
 if (  checks & OPTION_TLS
    && pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
-  checks &= ~OPTION_TLS;
 #endif
+  checks &= ~OPTION_TLS;
 
 if (  checks & OPTION_IGNQ
    && pcre_exec(regex_IGNOREQUOTA, NULL, CS buf, bsize, 0,
@@ -1356,14 +1745,14 @@
 #ifndef DISABLE_PRDR
 if (  checks & OPTION_PRDR
    && pcre_exec(regex_PRDR, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
-  checks &= ~OPTION_PRDR;
 #endif
+  checks &= ~OPTION_PRDR;
 
 #ifdef SUPPORT_I18N
 if (  checks & OPTION_UTF8
    && pcre_exec(regex_UTF8, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
-  checks &= ~OPTION_UTF8;
 #endif
+  checks &= ~OPTION_UTF8;
 
 if (  checks & OPTION_DSN
    && pcre_exec(regex_DSN, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
@@ -1378,6 +1767,14 @@
    && pcre_exec(regex_SIZE, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
   checks &= ~OPTION_SIZE;
 
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+if (  checks & OPTION_EARLY_PIPE
+   && pcre_exec(regex_EARLY_PIPE, NULL, CS buf, bsize, 0,
+		PCRE_EOPT, NULL, 0) < 0)
+#endif
+  checks &= ~OPTION_EARLY_PIPE;
+
+/* debug_printf("%s: found     0x%04x\n", __FUNCTION__, checks); */
 return checks;
 }
 
@@ -1405,8 +1802,7 @@
 smtp_chunk_cmd_callback(transport_ctx * tctx, unsigned chunk_size,
   unsigned flags)
 {
-smtp_transport_options_block * ob =
-  (smtp_transport_options_block *)(tctx->tblock->options_block);
+smtp_transport_options_block * ob = SOB tctx->tblock->options_block;
 smtp_context * sx = tctx->smtp_context;
 int cmd_count = 0;
 int prev_cmd_count;
@@ -1416,12 +1812,23 @@
 
 if (chunk_size > 0)
   {
-  if((cmd_count = smtp_write_command(&sx->outblock,
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  BOOL new_conn = !!(sx->outblock.conn_args);
+#endif
+  if((cmd_count = smtp_write_command(sx,
 	      flags & tc_reap_prev ? SCMD_FLUSH : SCMD_MORE,
 	      "BDAT %u%s\r\n", chunk_size, flags & tc_chunk_last ? " LAST" : "")
      ) < 0) return ERROR;
   if (flags & tc_chunk_last)
     data_command = string_copy(big_buffer);  /* Save for later error message */
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  /* That command write could have been the one that made the connection.
+  Copy the fd from the client conn ctx (smtp transport specific) to the
+  generic transport ctx. */
+
+  if (new_conn)
+    tctx->u.fd = sx->outblock.cctx->sock;
+#endif
   }
 
 prev_cmd_count = cmd_count += sx->cmd_count;
@@ -1446,6 +1853,9 @@
     case 0: break;			/* No 2xx or 5xx, but no probs */
 
     case -1:				/* Timeout on RCPT */
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    case -4:				/* non-2xx for pipelined banner or EHLO */
+#endif
     default: return ERROR;		/* I/O error, or any MAIL/DATA error */
     }
   cmd_count = 1;
@@ -1459,7 +1869,7 @@
   {
   DEBUG(D_transport) debug_printf("look for one response for BDAT\n");
 
-  if (!smtp_read_response(&sx->inblock, sx->buffer, sizeof(sx->buffer), '2',
+  if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2',
        ob->command_timeout))
     {
     if (errno == 0 && sx->buffer[0] == '4')
@@ -1484,6 +1894,8 @@
 
 
 
+
+
 /*************************************************
 *       Make connection for given message        *
 *************************************************/
@@ -1509,15 +1921,16 @@
 #if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
 dns_answer tlsa_dnsa;
 #endif
+smtp_transport_options_block * ob = sx->conn_args.tblock->options_block;
 BOOL pass_message = FALSE;
 uschar * message = NULL;
 int yield = OK;
 int rc;
 
-sx->ob = (smtp_transport_options_block *) sx->tblock->options_block;
+sx->conn_args.ob = ob;
 
-sx->lmtp = strcmpic(sx->ob->protocol, US"lmtp") == 0;
-sx->smtps = strcmpic(sx->ob->protocol, US"smtps") == 0;
+sx->lmtp = strcmpic(ob->protocol, US"lmtp") == 0;
+sx->smtps = strcmpic(ob->protocol, US"smtps") == 0;
 sx->ok = FALSE;
 sx->send_rset = TRUE;
 sx->send_quit = TRUE;
@@ -1530,14 +1943,20 @@
 sx->dsn_all_lasthop = TRUE;
 #if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
 sx->dane = FALSE;
-sx->dane_required = verify_check_given_host(&sx->ob->hosts_require_dane, sx->host) == OK;
+sx->dane_required =
+  verify_check_given_host(CUSS &ob->hosts_require_dane, sx->conn_args.host) == OK;
+#endif
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+sx->early_pipe_active = sx->early_pipe_ok = FALSE;
+sx->ehlo_resp.cleartext_features = sx->ehlo_resp.crypted_features = 0;
+sx->pending_BANNER = sx->pending_EHLO = FALSE;
 #endif
 
-if ((sx->max_rcpt = sx->tblock->max_addresses) == 0) sx->max_rcpt = 999999;
+if ((sx->max_rcpt = sx->conn_args.tblock->max_addresses) == 0) sx->max_rcpt = 999999;
 sx->peer_offered = 0;
 sx->avoid_option = 0;
 sx->igquotstr = US"";
-if (!sx->helo_data) sx->helo_data = sx->ob->helo_data;
+if (!sx->helo_data) sx->helo_data = ob->helo_data;
 #ifdef EXPERIMENTAL_DSN_INFO
 sx->smtp_greeting = NULL;
 sx->helo_response = NULL;
@@ -1560,6 +1979,7 @@
 sx->outblock.ptr = sx->outbuffer;
 sx->outblock.cmd_count = 0;
 sx->outblock.authenticating = FALSE;
+sx->outblock.conn_args = NULL;
 
 /* Reset the parameters of a TLS session. */
 
@@ -1596,11 +2016,11 @@
 if (!continue_hostname)
   {
   if (sx->verify)
-    HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", sx->interface, sx->port);
+    HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", sx->conn_args.interface, sx->port);
 
-  /* Get the actual port the connection will use, into sx->host */
+  /* Get the actual port the connection will use, into sx->conn_args.host */
 
-  smtp_port_for_connect(sx->host, sx->port);
+  smtp_port_for_connect(sx->conn_args.host, sx->port);
 
 #if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
     /* Do TLSA lookup for DANE */
@@ -1608,34 +2028,38 @@
     tls_out.dane_verified = FALSE;
     tls_out.tlsa_usage = 0;
 
-    if (sx->host->dnssec == DS_YES)
+    if (sx->conn_args.host->dnssec == DS_YES)
       {
       if(  sx->dane_required
-	|| verify_check_given_host(&sx->ob->hosts_try_dane, sx->host) == OK
+	|| verify_check_given_host(CUSS &ob->hosts_try_dane, sx->conn_args.host) == OK
 	)
-	switch (rc = tlsa_lookup(sx->host, &tlsa_dnsa, sx->dane_required))
+	switch (rc = tlsa_lookup(sx->conn_args.host, &tlsa_dnsa, sx->dane_required))
 	  {
 	  case OK:		sx->dane = TRUE;
-				sx->ob->tls_tempfail_tryclear = FALSE;
+				ob->tls_tempfail_tryclear = FALSE;
 				break;
 	  case FAIL_FORCED:	break;
 	  default:		set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
 				  string_sprintf("DANE error: tlsa lookup %s",
 				    rc == DEFER ? "DEFER" : "FAIL"),
 				  rc, FALSE);
-				(void) event_raise(sx->tblock->event_action,
+# ifndef DISABLE_EVENT
+				(void) event_raise(sx->conn_args.tblock->event_action,
 				  US"dane:fail", sx->dane_required
 				    ?  US"dane-required" : US"dnssec-invalid");
+# endif
 				return rc;
 	  }
       }
     else if (sx->dane_required)
       {
       set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
-	string_sprintf("DANE error: %s lookup not DNSSEC", sx->host->name),
+	string_sprintf("DANE error: %s lookup not DNSSEC", sx->conn_args.host->name),
 	FAIL, FALSE);
-      (void) event_raise(sx->tblock->event_action,
+# ifndef DISABLE_EVENT
+      (void) event_raise(sx->conn_args.tblock->event_action,
 	US"dane:fail", US"dane-required");
+# endif
       return FAIL;
       }
     }
@@ -1643,30 +2067,50 @@
 
   /* Make the TCP connection */
 
-  sx->inblock.sock = sx->outblock.sock =
-    smtp_connect(sx->host, sx->host_af, sx->interface,
-		  sx->ob->connect_timeout, sx->tblock);
-
-  if (sx->inblock.sock < 0)
-    {
-    uschar * msg = NULL;
-    if (sx->verify)
-      {
-      msg = US strerror(errno);
-      HDEBUG(D_verify) debug_printf("connect: %s\n", msg);
-      }
-    set_errno_nohost(sx->addrlist,
-      errno == ETIMEDOUT ? ERRNO_CONNECTTIMEOUT : errno,
-      sx->verify ? string_sprintf("could not connect: %s", msg)
-	     : NULL,
-      DEFER, FALSE);
-    sx->send_quit = FALSE;
-    return DEFER;
+  sx->cctx.tls_ctx = NULL;
+  sx->inblock.cctx = sx->outblock.cctx = &sx->cctx;
+  sx->avoid_option = sx->peer_offered = smtp_peer_options = 0;
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  if (verify_check_given_host(CUSS &ob->hosts_pipe_connect, sx->conn_args.host) == OK)
+    {
+    sx->early_pipe_ok = TRUE;
+    if (  read_ehlo_cache_entry(sx)
+       && sx->ehlo_resp.cleartext_features & OPTION_EARLY_PIPE)
+      {
+      DEBUG(D_transport) debug_printf("Using cached cleartext PIPE_CONNECT\n");
+      sx->early_pipe_active = TRUE;
+      sx->peer_offered = sx->ehlo_resp.cleartext_features;
+      }
     }
 
+  if (sx->early_pipe_active)
+    sx->outblock.conn_args = &sx->conn_args;
+  else
+#endif
+    {
+    if ((sx->cctx.sock = smtp_connect(&sx->conn_args, NULL)) < 0)
+      {
+      uschar * msg = NULL;
+      if (sx->verify)
+	{
+	msg = US strerror(errno);
+	HDEBUG(D_verify) debug_printf("connect: %s\n", msg);
+	}
+      set_errno_nohost(sx->addrlist,
+	errno == ETIMEDOUT ? ERRNO_CONNECTTIMEOUT : errno,
+	sx->verify ? string_sprintf("could not connect: %s", msg)
+	       : NULL,
+	DEFER, FALSE);
+      sx->send_quit = FALSE;
+      return DEFER;
+      }
+    }
   /* Expand the greeting message while waiting for the initial response. (Makes
   sense if helo_data contains ${lookup dnsdb ...} stuff). The expansion is
   delayed till here so that $sending_interface and $sending_port are set. */
+/*XXX early-pipe: they still will not be. Is there any way to find out what they
+will be?  Somehow I doubt it. */
 
   if (sx->helo_data)
     if (!(sx->helo_data = expand_string(sx->helo_data)))
@@ -1697,24 +2141,29 @@
 
   if (!sx->smtps)
     {
-    BOOL good_response;
-
-#ifdef TCP_QUICKACK
-    (void) setsockopt(sx->inblock.sock, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    if (sx->early_pipe_active)
+      {
+      sx->pending_BANNER = TRUE;	/* sync_responses() must eventually handle */
+      sx->outblock.cmd_count = 1;
+      }
+    else
 #endif
-    good_response = smtp_read_response(&sx->inblock, sx->buffer, sizeof(sx->buffer),
-      '2', sx->ob->command_timeout);
-#ifdef EXPERIMENTAL_DSN_INFO
-    sx->smtp_greeting = string_copy(sx->buffer);
+      {
+#ifdef TCP_QUICKACK
+      (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, TCP_QUICKACK, US &off,
+			sizeof(off));
 #endif
-    if (!good_response) goto RESPONSE_FAILED;
+      if (!smtp_reap_banner(sx))
+	goto RESPONSE_FAILED;
+      }
 
 #ifndef DISABLE_EVENT
       {
       uschar * s;
-      lookup_dnssec_authenticated = sx->host->dnssec==DS_YES ? US"yes"
-	: sx->host->dnssec==DS_NO ? US"no" : NULL;
-      s = event_raise(sx->tblock->event_action, US"smtp:connect", sx->buffer);
+      lookup_dnssec_authenticated = sx->conn_args.host->dnssec==DS_YES ? US"yes"
+	: sx->conn_args.host->dnssec==DS_NO ? US"no" : NULL;
+      s = event_raise(sx->conn_args.tblock->event_action, US"smtp:connect", sx->buffer);
       if (s)
 	{
 	set_errno_nohost(sx->addrlist, ERRNO_EXPANDFAIL,
@@ -1774,7 +2223,7 @@
   mailers use upper case for some reason (the RFC is quite clear about case
   independence) so, for peace of mind, I gave in. */
 
-  sx->esmtp = verify_check_given_host(&sx->ob->hosts_avoid_esmtp, sx->host) != OK;
+  sx->esmtp = verify_check_given_host(CUSS &ob->hosts_avoid_esmtp, sx->conn_args.host) != OK;
 
   /* Alas; be careful, since this goto is not an error-out, so conceivably
   we might set data between here and the target which we assume to exist
@@ -1784,7 +2233,7 @@
     {
     smtp_peer_options |= OPTION_TLS;
     suppress_tls = FALSE;
-    sx->ob->tls_tempfail_tryclear = FALSE;
+    ob->tls_tempfail_tryclear = FALSE;
     smtp_command = US"SSL-on-connect";
     goto TLS_NEGOTIATE;
     }
@@ -1792,68 +2241,116 @@
 
   if (sx->esmtp)
     {
-    if (smtp_write_command(&sx->outblock, SCMD_FLUSH, "%s %s\r\n",
-         sx->lmtp ? "LHLO" : "EHLO", sx->helo_data) < 0)
+    if (smtp_write_command(sx,
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	  sx->early_pipe_active ? SCMD_BUFFER :
+#endif
+	    SCMD_FLUSH,
+	  "%s %s\r\n", sx->lmtp ? "LHLO" : "EHLO", sx->helo_data) < 0)
       goto SEND_FAILED;
     sx->esmtp_sent = TRUE;
-    if (!smtp_read_response(&sx->inblock, sx->buffer, sizeof(sx->buffer), '2',
-           sx->ob->command_timeout))
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    if (sx->early_pipe_active)
       {
-      if (errno != 0 || sx->buffer[0] == 0 || sx->lmtp)
+      sx->pending_EHLO = TRUE;
+
+      /* If we have too many authenticators to handle and might need to AUTH
+      for this transport, pipeline no further as we will need the
+      list of auth methods offered.  Reap the banner and EHLO. */
+
+      if (  (ob->hosts_require_auth || ob->hosts_try_auth)
+	 && f.smtp_in_early_pipe_no_auth)
 	{
-#ifdef EXPERIMENTAL_DSN_INFO
-	sx->helo_response = string_copy(sx->buffer);
-#endif
-	goto RESPONSE_FAILED;
+	DEBUG(D_transport) debug_printf("may need to auth, so pipeline no further\n");
+	if (smtp_write_command(sx, SCMD_FLUSH, NULL) < 0)
+	  goto SEND_FAILED;
+	if (sync_responses(sx, 2, 0) != 0)
+	  {
+	  HDEBUG(D_transport)
+	    debug_printf("failed reaping pipelined cmd responses\n");
+	  goto RESPONSE_FAILED;
+	  }
+	sx->early_pipe_active = FALSE;
 	}
-      sx->esmtp = FALSE;
       }
-#ifdef EXPERIMENTAL_DSN_INFO
-    sx->helo_response = string_copy(sx->buffer);
+    else
 #endif
+      if (!smtp_reap_ehlo(sx))
+	goto RESPONSE_FAILED;
     }
   else
     DEBUG(D_transport)
       debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
 
-  if (!sx->esmtp)
-    {
-    BOOL good_response;
-    int n = sizeof(sx->buffer);
-    uschar * rsp = sx->buffer;
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  if (!sx->early_pipe_active)
+#endif
+    if (!sx->esmtp)
+      {
+      BOOL good_response;
+      int n = sizeof(sx->buffer);
+      uschar * rsp = sx->buffer;
 
-    if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
-      { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
+      if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
+	{ rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
 
-    if (smtp_write_command(&sx->outblock, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0)
-      goto SEND_FAILED;
-    good_response = smtp_read_response(&sx->inblock, rsp, n,
-      '2', sx->ob->command_timeout);
+      if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0)
+	goto SEND_FAILED;
+      good_response = smtp_read_response(sx, rsp, n, '2', ob->command_timeout);
 #ifdef EXPERIMENTAL_DSN_INFO
-    sx->helo_response = string_copy(rsp);
+      sx->helo_response = string_copy(rsp);
 #endif
-    if (!good_response)
-      {
-      /* Handle special logging for a closed connection after HELO
-      when had previously sent EHLO */
-
-      if (rsp != sx->buffer && rsp[0] == 0 && (errno == 0 || errno == ECONNRESET))
+      if (!good_response)
 	{
-	errno = ERRNO_SMTPCLOSED;
-	goto EHLOHELO_FAILED;
+	/* Handle special logging for a closed connection after HELO
+	when had previously sent EHLO */
+
+	if (rsp != sx->buffer && rsp[0] == 0 && (errno == 0 || errno == ECONNRESET))
+	  {
+	  errno = ERRNO_SMTPCLOSED;
+	  goto EHLOHELO_FAILED;
+	  }
+	memmove(sx->buffer, rsp, Ustrlen(rsp));
+	goto RESPONSE_FAILED;
 	}
-      memmove(sx->buffer, rsp, Ustrlen(rsp));
-      goto RESPONSE_FAILED;
       }
-    }
-
-  sx->avoid_option = sx->peer_offered = smtp_peer_options = 0;
 
   if (sx->esmtp || sx->lmtp)
     {
-    sx->peer_offered = ehlo_response(sx->buffer,
-      OPTION_TLS	/* others checked later */
-      );
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    if (!sx->early_pipe_active)
+#endif
+      {
+      sx->peer_offered = ehlo_response(sx->buffer,
+	OPTION_TLS	/* others checked later */
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	| (sx->early_pipe_ok
+	  ?   OPTION_IGNQ
+	    | OPTION_CHUNKING | OPTION_PRDR | OPTION_DSN | OPTION_PIPE | OPTION_SIZE
+#ifdef SUPPORT_I18N
+	    | OPTION_UTF8
+#endif
+	    | OPTION_EARLY_PIPE
+	  : 0
+	  )
+#endif
+	);
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+      if (sx->early_pipe_ok)
+	{
+	sx->ehlo_resp.cleartext_features = sx->peer_offered;
+
+	if (  (sx->peer_offered & (OPTION_PIPE | OPTION_EARLY_PIPE))
+	   == (OPTION_PIPE | OPTION_EARLY_PIPE))
+	  {
+	  DEBUG(D_transport) debug_printf("PIPE_CONNECT usable in future for this IP\n");
+	  sx->ehlo_resp.cleartext_auths = study_ehlo_auths(sx);
+	  write_ehlo_cache_entry(sx);
+	  }
+	}
+#endif
+      }
 
   /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
 
@@ -1879,16 +2376,18 @@
 
 else
   {
-  if (cutthrough.fd >= 0 && cutthrough.callout_hold_only)
+  if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
     {
-    sx->inblock.sock = sx->outblock.sock = cutthrough.fd;
-    sx->host->port = sx->port = cutthrough.host.port;
+    sx->cctx = cutthrough.cctx;
+    sx->conn_args.host->port = sx->port = cutthrough.host.port;
     }
   else
     {
-    sx->inblock.sock = sx->outblock.sock = 0;	/* stdin */
-    smtp_port_for_connect(sx->host, sx->port);	/* Record the port that was used */
+    sx->cctx.sock = 0;				/* stdin */
+    sx->cctx.tls_ctx = NULL;
+    smtp_port_for_connect(sx->conn_args.host, sx->port);	/* Record the port that was used */
     }
+  sx->inblock.cctx = sx->outblock.cctx = &sx->cctx;
   smtp_command = big_buffer;
   sx->helo_data = NULL;		/* ensure we re-expand ob->helo_data */
 
@@ -1896,11 +2395,12 @@
   held-open verify connection with TLS, nothing more to do. */
 
   if (  continue_proxy_cipher
-     || (cutthrough.fd >= 0 && cutthrough.callout_hold_only && cutthrough.is_tls)
+     || (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only
+         && cutthrough.is_tls)
      )
     {
     sx->peer_offered = smtp_peer_options;
-    pipelining_active = !!(smtp_peer_options & OPTION_PIPE);
+    sx->pipelining_used = pipelining_active = !!(smtp_peer_options & OPTION_PIPE);
     HDEBUG(D_transport) debug_printf("continued connection, %s TLS\n",
       continue_proxy_cipher ? "proxied" : "verify conn with");
     return OK;
@@ -1919,15 +2419,28 @@
 #ifdef SUPPORT_TLS
 if (  smtp_peer_options & OPTION_TLS
    && !suppress_tls
-   && verify_check_given_host(&sx->ob->hosts_avoid_tls, sx->host) != OK
+   && verify_check_given_host(CUSS &ob->hosts_avoid_tls, sx->conn_args.host) != OK
    && (  !sx->verify
-      || verify_check_given_host(&sx->ob->hosts_verify_avoid_tls, sx->host) != OK
+      || verify_check_given_host(CUSS &ob->hosts_verify_avoid_tls, sx->conn_args.host) != OK
    )  )
   {
   uschar buffer2[4096];
-  if (smtp_write_command(&sx->outblock, SCMD_FLUSH, "STARTTLS\r\n") < 0)
+
+  if (smtp_write_command(sx, SCMD_FLUSH, "STARTTLS\r\n") < 0)
     goto SEND_FAILED;
 
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  /* If doing early-pipelining reap the banner and EHLO-response but leave
+  the response for the STARTTLS we just sent alone. */
+
+  if (sx->early_pipe_active && sync_responses(sx, 2, 0) != 0)
+    {
+    HDEBUG(D_transport)
+      debug_printf("failed reaping pipelined cmd responses\n");
+    goto RESPONSE_FAILED;
+    }
+#endif
+
   /* If there is an I/O error, transmission of this message is deferred. If
   there is a temporary rejection of STARRTLS and tls_tempfail_tryclear is
   false, we also defer. However, if there is a temporary rejection of STARTTLS
@@ -1935,12 +2448,11 @@
   STARTTLS, we carry on. This means we will try to send the message in clear,
   unless the host is in hosts_require_tls (tested below). */
 
-  if (!smtp_read_response(&sx->inblock, buffer2, sizeof(buffer2), '2',
-      sx->ob->command_timeout))
+  if (!smtp_read_response(sx, buffer2, sizeof(buffer2), '2', ob->command_timeout))
     {
     if (  errno != 0
        || buffer2[0] == 0
-       || (buffer2[0] == '4' && !sx->ob->tls_tempfail_tryclear)
+       || (buffer2[0] == '4' && !ob->tls_tempfail_tryclear)
        )
       {
       Ustrncpy(sx->buffer, buffer2, sizeof(sx->buffer));
@@ -1956,26 +2468,30 @@
     {
     address_item * addr;
     uschar * errstr;
-    int rc = tls_client_start(sx->inblock.sock, sx->host, sx->addrlist, sx->tblock,
+    sx->cctx.tls_ctx = tls_client_start(sx->cctx.sock, sx->conn_args.host,
+			    sx->addrlist, sx->conn_args.tblock,
 # ifdef SUPPORT_DANE
 			     sx->dane ? &tlsa_dnsa : NULL,
 # endif
-			     &errstr);
+			     &tls_out, &errstr);
 
-    /* TLS negotiation failed; give an error. From outside, this function may
-    be called again to try in clear on a new connection, if the options permit
-    it for this host. */
-
-    if (rc != OK)
+    if (!sx->cctx.tls_ctx)
       {
+      /* TLS negotiation failed; give an error. From outside, this function may
+      be called again to try in clear on a new connection, if the options permit
+      it for this host. */
+      DEBUG(D_tls) debug_printf("TLS session fail: %s\n", errstr);
+
 # ifdef SUPPORT_DANE
       if (sx->dane)
         {
 	log_write(0, LOG_MAIN,
 	  "DANE attempt failed; TLS connection to %s [%s]: %s",
-	  sx->host->name, sx->host->address, errstr);
-	(void) event_raise(sx->tblock->event_action,
+	  sx->conn_args.host->name, sx->conn_args.host->address, errstr);
+#  ifndef DISABLE_EVENT
+	(void) event_raise(sx->conn_args.tblock->event_action,
 	  US"dane:fail", US"validation-failure");	/* could do with better detail */
+#  endif
 	}
 # endif
 
@@ -2010,12 +2526,11 @@
 expand it here. $sending_ip_address and $sending_port are set up right at the
 start of the Exim process (in exim.c). */
 
-if (tls_out.active >= 0)
+if (tls_out.active.sock >= 0)
   {
-  char *greeting_cmd;
-  BOOL good_response;
+  uschar * greeting_cmd;
 
-  if (!sx->helo_data && !(sx->helo_data = expand_string(sx->ob->helo_data)))
+  if (!sx->helo_data && !(sx->helo_data = expand_string(ob->helo_data)))
     {
     uschar *message = string_sprintf("failed to expand helo_data: %s",
       expand_string_message);
@@ -2024,36 +2539,64 @@
     goto SEND_QUIT;
     }
 
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  /* For SMTPS there is no cleartext early-pipe; use the crypted permission bit.
+  We're unlikely to get the group sent and delivered before the server sends its
+  banner, but it's still worth sending as a group.
+  For STARTTLS allow for cleartext early-pipe but no crypted early-pipe, but not
+  the reverse.  */
+
+  if (sx->smtps ? sx->early_pipe_ok : sx->early_pipe_active)
+    {
+    sx->peer_offered = sx->ehlo_resp.crypted_features;
+    if ((sx->early_pipe_active =
+	 !!(sx->ehlo_resp.crypted_features & OPTION_EARLY_PIPE)))
+      DEBUG(D_transport) debug_printf("Using cached crypted PIPE_CONNECT\n");
+    }
+#endif
+
   /* For SMTPS we need to wait for the initial OK response. */
   if (sx->smtps)
-    {
-    good_response = smtp_read_response(&sx->inblock, sx->buffer, sizeof(sx->buffer),
-      '2', sx->ob->command_timeout);
-#ifdef EXPERIMENTAL_DSN_INFO
-    sx->smtp_greeting = string_copy(sx->buffer);
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    if (sx->early_pipe_active)
+      {
+      sx->pending_BANNER = TRUE;
+      sx->outblock.cmd_count = 1;
+      }
+    else
 #endif
-    if (!good_response) goto RESPONSE_FAILED;
-    }
+      if (!smtp_reap_banner(sx))
+	goto RESPONSE_FAILED;
 
-  if (sx->esmtp)
-    greeting_cmd = "EHLO";
+  if (sx->lmtp)
+    greeting_cmd = US"LHLO";
+  else if (sx->esmtp)
+    greeting_cmd = US"EHLO";
   else
     {
-    greeting_cmd = "HELO";
+    greeting_cmd = US"HELO";
     DEBUG(D_transport)
       debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
     }
 
-  if (smtp_write_command(&sx->outblock, SCMD_FLUSH, "%s %s\r\n",
-        sx->lmtp ? "LHLO" : greeting_cmd, sx->helo_data) < 0)
+  if (smtp_write_command(sx,
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	sx->early_pipe_active ? SCMD_BUFFER :
+#endif
+	  SCMD_FLUSH,
+	"%s %s\r\n", greeting_cmd, sx->helo_data) < 0)
     goto SEND_FAILED;
-  good_response = smtp_read_response(&sx->inblock, sx->buffer, sizeof(sx->buffer),
-    '2', sx->ob->command_timeout);
-#ifdef EXPERIMENTAL_DSN_INFO
-  sx->helo_response = string_copy(sx->buffer);
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  if (sx->early_pipe_active)
+    sx->pending_EHLO = TRUE;
+  else
 #endif
-  if (!good_response) goto RESPONSE_FAILED;
-  smtp_peer_options = 0;
+    {
+    if (!smtp_reap_ehlo(sx))
+      goto RESPONSE_FAILED;
+    smtp_peer_options = 0;
+    }
   }
 
 /* If the host is required to use a secure channel, ensure that we
@@ -2063,16 +2606,23 @@
 # ifdef SUPPORT_DANE
 	|| sx->dane
 # endif
-	|| verify_check_given_host(&sx->ob->hosts_require_tls, sx->host) == OK
+# ifdef EXPERIMENTAL_REQUIRETLS
+	|| tls_requiretls & REQUIRETLS_MSG
+# endif
+	|| verify_check_given_host(CUSS &ob->hosts_require_tls, sx->conn_args.host) == OK
 	)
   {
-  errno = ERRNO_TLSREQUIRED;
+  errno =
+# ifdef EXPERIMENTAL_REQUIRETLS
+      tls_requiretls & REQUIRETLS_MSG ? ERRNO_REQUIRETLS :
+# endif
+      ERRNO_TLSREQUIRED;
   message = string_sprintf("a TLS session is required, but %s",
     smtp_peer_options & OPTION_TLS
     ? "an attempt to start TLS failed" : "the server did not offer TLS support");
-# ifdef SUPPORT_DANE
+# if defined(SUPPORT_DANE) && !defined(DISABLE_EVENT)
   if (sx->dane)
-    (void) event_raise(sx->tblock->event_action, US"dane:fail",
+    (void) event_raise(sx->conn_args.tblock->event_action, US"dane:fail",
       smtp_peer_options & OPTION_TLS
       ? US"validation-failure"		/* could do with better detail */
       : US"starttls-not-supported");
@@ -2088,26 +2638,47 @@
 
 if (continue_hostname == NULL
 #ifdef SUPPORT_TLS
-    || tls_out.active >= 0
+    || tls_out.active.sock >= 0
 #endif
     )
   {
   if (sx->esmtp || sx->lmtp)
     {
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  if (!sx->early_pipe_active)
+#endif
+    {
     sx->peer_offered = ehlo_response(sx->buffer,
 	0 /* no TLS */
-	| (sx->lmtp && sx->ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+	| (sx->lmtp && ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
+	| OPTION_DSN | OPTION_PIPE | OPTION_SIZE
+	| OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8 | OPTION_REQUIRETLS
+	| (tls_out.active.sock >= 0 ? OPTION_EARLY_PIPE : 0) /* not for lmtp */
+
+#else
+
+	| (sx->lmtp && ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
 	| OPTION_CHUNKING
 	| OPTION_PRDR
-#ifdef SUPPORT_I18N
+# ifdef SUPPORT_I18N
 	| (sx->addrlist->prop.utf8_msg ? OPTION_UTF8 : 0)
 	  /*XXX if we hand peercaps on to continued-conn processes,
 		must not depend on this addr */
-#endif
+# endif
 	| OPTION_DSN
 	| OPTION_PIPE
-	| (sx->ob->size_addition >= 0 ? OPTION_SIZE : 0)
+	| (ob->size_addition >= 0 ? OPTION_SIZE : 0)
+# if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+	| (tls_requiretls & REQUIRETLS_MSG ? OPTION_REQUIRETLS : 0)
+# endif
+#endif
       );
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    if (tls_out.active.sock >= 0)
+      sx->ehlo_resp.crypted_features = sx->peer_offered;
+#endif
+    }
 
     /* Set for IGNOREQUOTA if the response to LHLO specifies support and the
     lmtp_ignore_quota option was set. */
@@ -2124,26 +2695,26 @@
     the current host matches hosts_avoid_pipelining, don't do it. */
 
     if (  sx->peer_offered & OPTION_PIPE
-       && verify_check_given_host(&sx->ob->hosts_avoid_pipelining, sx->host) != OK)
+       && verify_check_given_host(CUSS &ob->hosts_avoid_pipelining, sx->conn_args.host) != OK)
       smtp_peer_options |= OPTION_PIPE;
 
     DEBUG(D_transport) debug_printf("%susing PIPELINING\n",
       smtp_peer_options & OPTION_PIPE ? "" : "not ");
 
     if (  sx->peer_offered & OPTION_CHUNKING
-       && verify_check_given_host(&sx->ob->hosts_try_chunking, sx->host) != OK)
+       && verify_check_given_host(CUSS &ob->hosts_try_chunking, sx->conn_args.host) != OK)
       sx->peer_offered &= ~OPTION_CHUNKING;
 
     if (sx->peer_offered & OPTION_CHUNKING)
-      {DEBUG(D_transport) debug_printf("CHUNKING usable\n");}
+      DEBUG(D_transport) debug_printf("CHUNKING usable\n");
 
 #ifndef DISABLE_PRDR
     if (  sx->peer_offered & OPTION_PRDR
-       && verify_check_given_host(&sx->ob->hosts_try_prdr, sx->host) != OK)
+       && verify_check_given_host(CUSS &ob->hosts_try_prdr, sx->conn_args.host) != OK)
       sx->peer_offered &= ~OPTION_PRDR;
 
     if (sx->peer_offered & OPTION_PRDR)
-      {DEBUG(D_transport) debug_printf("PRDR usable\n");}
+      DEBUG(D_transport) debug_printf("PRDR usable\n");
 #endif
 
     /* Note if the server supports DSN */
@@ -2151,13 +2722,36 @@
     DEBUG(D_transport) debug_printf("%susing DSN\n",
 			sx->peer_offered & OPTION_DSN ? "" : "not ");
 
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+    if (sx->peer_offered & OPTION_REQUIRETLS)
+      {
+      smtp_peer_options |= OPTION_REQUIRETLS;
+      DEBUG(D_transport) debug_printf(
+	tls_requiretls & REQUIRETLS_MSG
+	? "using REQUIRETLS\n" : "REQUIRETLS offered\n");
+      }
+#endif
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    if (  sx->early_pipe_ok
+       && !sx->early_pipe_active
+       && tls_out.active.sock >= 0
+       && smtp_peer_options & OPTION_PIPE
+       && ( sx->ehlo_resp.cleartext_features | sx->ehlo_resp.crypted_features)
+	  & OPTION_EARLY_PIPE)
+      {
+      DEBUG(D_transport) debug_printf("PIPE_CONNECT usable in future for this IP\n");
+      sx->ehlo_resp.crypted_auths = study_ehlo_auths(sx);
+      write_ehlo_cache_entry(sx);
+      }
+#endif
+
     /* Note if the response to EHLO specifies support for the AUTH extension.
     If it has, check that this host is one we want to authenticate to, and do
     the business. The host name and address must be available when the
     authenticator's client driver is running. */
 
-    switch (yield = smtp_auth(sx->buffer, sizeof(sx->buffer), sx->addrlist, sx->host,
-			      sx->ob, sx->esmtp, &sx->inblock, &sx->outblock))
+    switch (yield = smtp_auth(sx))
       {
       default:		goto SEND_QUIT;
       case OK:		break;
@@ -2166,7 +2760,7 @@
       }
     }
   }
-pipelining_active = !!(smtp_peer_options & OPTION_PIPE);
+sx->pipelining_used = pipelining_active = !!(smtp_peer_options & OPTION_PIPE);
 
 /* The setting up of the SMTP call is now complete. Any subsequent errors are
 message-specific. */
@@ -2176,6 +2770,38 @@
 #ifdef SUPPORT_I18N
 if (sx->addrlist->prop.utf8_msg)
   {
+  uschar * s;
+
+  /* If the transport sets a downconversion mode it overrides any set by ACL
+  for the message. */
+
+  if ((s = ob->utf8_downconvert))
+    {
+    if (!(s = expand_string(s)))
+      {
+      message = string_sprintf("failed to expand utf8_downconvert: %s",
+        expand_string_message);
+      set_errno_nohost(sx->addrlist, ERRNO_EXPANDFAIL, message, DEFER, FALSE);
+      yield = DEFER;
+      goto SEND_QUIT;
+      }
+    switch (*s)
+      {
+      case '1':	sx->addrlist->prop.utf8_downcvt = TRUE;
+		sx->addrlist->prop.utf8_downcvt_maybe = FALSE;
+		break;
+      case '0':	sx->addrlist->prop.utf8_downcvt = FALSE;
+		sx->addrlist->prop.utf8_downcvt_maybe = FALSE;
+		break;
+      case '-':	if (s[1] == '1')
+		  {
+		  sx->addrlist->prop.utf8_downcvt = FALSE;
+		  sx->addrlist->prop.utf8_downcvt_maybe = TRUE;
+		  }
+		break;
+      }
+    }
+
   sx->utf8_needed = !sx->addrlist->prop.utf8_downcvt
 		    && !sx->addrlist->prop.utf8_downcvt_maybe;
   DEBUG(D_transport) if (!sx->utf8_needed)
@@ -2189,6 +2815,22 @@
   errno = ERRNO_UTF8_FWD;
   goto RESPONSE_FAILED;
   }
+#endif	/*SUPPORT_I18N*/
+
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+  /*XXX should tls_requiretls actually be per-addr? */
+
+if (  tls_requiretls & REQUIRETLS_MSG
+   && !(sx->peer_offered & OPTION_REQUIRETLS)
+   )
+  {
+  sx->setting_up = TRUE;
+  errno = ERRNO_REQUIRETLS;
+  message = US"REQUIRETLS support is required from the server"
+    " but it was not offered";
+  DEBUG(D_transport) debug_printf("%s\n", message);
+  goto TLS_FAILED;
+  }
 #endif
 
 return OK;
@@ -2199,15 +2841,17 @@
 
   RESPONSE_FAILED:
     message = NULL;
-    sx->send_quit = check_response(sx->host, &errno, sx->addrlist->more_errno,
+    sx->send_quit = check_response(sx->conn_args.host, &errno, sx->addrlist->more_errno,
       sx->buffer, &code, &message, &pass_message);
+    yield = DEFER;
     goto FAILED;
 
   SEND_FAILED:
     code = '4';
     message = US string_sprintf("send() to %s [%s] failed: %s",
-      sx->host->name, sx->host->address, strerror(errno));
+      sx->conn_args.host->name, sx->conn_args.host->address, strerror(errno));
     sx->send_quit = FALSE;
+    yield = DEFER;
     goto FAILED;
 
   EHLOHELO_FAILED:
@@ -2215,6 +2859,7 @@
     message = string_sprintf("Remote host closed connection in response to %s"
       " (EHLO response was: %s)", smtp_command, sx->buffer);
     sx->send_quit = FALSE;
+    yield = DEFER;
     goto FAILED;
 
   /* This label is jumped to directly when a TLS negotiation has failed,
@@ -2224,7 +2869,13 @@
 
 #ifdef SUPPORT_TLS
   TLS_FAILED:
-    code = '4';
+# ifdef EXPERIMENTAL_REQUIRETLS
+    if (errno == ERRNO_REQUIRETLS)
+      code = '5', yield = FAIL;
+      /*XXX DSN will be labelled 500; prefer 530 5.7.4 */
+    else
+# endif
+      code = '4', yield = DEFER;
     goto FAILED;
 #endif
 
@@ -2245,29 +2896,32 @@
 FAILED:
   sx->ok = FALSE;                /* For when reached by GOTO */
   set_errno(sx->addrlist, errno, message,
-	    sx->host->next
+	    sx->conn_args.host->next
 	    ? DEFER
 	    : code == '5'
 #ifdef SUPPORT_I18N
 			|| errno == ERRNO_UTF8_FWD
 #endif
 	    ? FAIL : DEFER,
-	    pass_message, sx->host
+	    pass_message, sx->conn_args.host
 #ifdef EXPERIMENTAL_DSN_INFO
 	    , sx->smtp_greeting, sx->helo_response
 #endif
 	    );
-  yield = DEFER;
   }
 
 
 SEND_QUIT:
 
 if (sx->send_quit)
-  (void)smtp_write_command(&sx->outblock, SCMD_FLUSH, "QUIT\r\n");
+  (void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n");
 
 #ifdef SUPPORT_TLS
-tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
+if (sx->cctx.tls_ctx)
+  {
+  tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+  sx->cctx.tls_ctx = NULL;
+  }
 #endif
 
 /* Close the socket, and return the appropriate value, first setting
@@ -2278,17 +2932,17 @@
 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
 if (sx->send_quit)
   {
-  shutdown(sx->outblock.sock, SHUT_WR);
-  if (fcntl(sx->inblock.sock, F_SETFL, O_NONBLOCK) == 0)
-    for (rc = 16; read(sx->inblock.sock, sx->inbuffer, sizeof(sx->inbuffer)) > 0 && rc > 0;)
+  shutdown(sx->cctx.sock, SHUT_WR);
+  if (fcntl(sx->cctx.sock, F_SETFL, O_NONBLOCK) == 0)
+    for (rc = 16; read(sx->cctx.sock, sx->inbuffer, sizeof(sx->inbuffer)) > 0 && rc > 0;)
       rc--;				/* drain socket */
   sx->send_quit = FALSE;
   }
-(void)close(sx->inblock.sock);
-sx->inblock.sock = sx->outblock.sock = -1;
+(void)close(sx->cctx.sock);
+sx->cctx.sock = -1;
 
 #ifndef DISABLE_EVENT
-(void) event_raise(sx->tblock->event_action, US"tcp:close", NULL);
+(void) event_raise(sx->conn_args.tblock->event_action, US"tcp:close", NULL);
 #endif
 
 continue_transport = NULL;
@@ -2324,12 +2978,12 @@
 /*XXX problem here under spool_files_wireformat?
 Or just forget about lines?  Or inflate by a fixed proportion? */
 
-  sprintf(CS p, " SIZE=%d", message_size+message_linecount+sx->ob->size_addition);
+  sprintf(CS p, " SIZE=%d", message_size+message_linecount+(SOB sx->conn_args.ob)->size_addition);
   while (*p) p++;
   }
 
 #ifndef DISABLE_PRDR
-/* If it supports Per-Recipient Data Reponses, and we have omre than one recipient,
+/* If it supports Per-Recipient Data Responses, and we have more than one recipient,
 request that */
 
 sx->prdr_active = FALSE;
@@ -2359,6 +3013,11 @@
   Ustrcpy(p, " SMTPUTF8"), p += 9;
 #endif
 
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+if (tls_requiretls & REQUIRETLS_MSG)
+  Ustrcpy(p, " REQUIRETLS") , p += 11;
+#endif
+
 /* check if all addresses have DSN-lasthop flag; do not send RET and ENVID if so */
 for (sx->dsn_all_lasthop = TRUE, addr = addrlist, address_count = 0;
      addr && address_count < sx->max_rcpt;
@@ -2395,7 +3054,7 @@
 otherwise no check - this feature is expected to be used with LMTP and other
 cases where non-standard addresses (e.g. without domains) might be required. */
 
-if (smtp_mail_auth_str(p, sizeof(sx->buffer) - (p-sx->buffer), addrlist, sx->ob))
+if (smtp_mail_auth_str(p, sizeof(sx->buffer) - (p-sx->buffer), addrlist, sx->conn_args.ob))
   return ERROR;
 
 return OK;
@@ -2493,7 +3152,7 @@
     }
 #endif
 
-  rc = smtp_write_command(&sx->outblock, pipelining_active ? SCMD_BUFFER : SCMD_FLUSH,
+  rc = smtp_write_command(sx, pipelining_active ? SCMD_BUFFER : SCMD_FLUSH,
 	  "MAIL FROM:<%s>%s\r\n", s, sx->buffer);
   }
 
@@ -2505,8 +3164,8 @@
     return -5;
 
   case +1:                /* Cmd was sent */
-    if (!smtp_read_response(&sx->inblock, sx->buffer, sizeof(sx->buffer), '2',
-       sx->ob->command_timeout))
+    if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2',
+       (SOB sx->conn_args.ob)->command_timeout))
       {
       if (errno == 0 && sx->buffer[0] == '4')
 	{
@@ -2544,12 +3203,6 @@
   BOOL no_flush;
   uschar * rcpt_addr;
 
-  if (tcp_out_fastopen && !tcp_out_fastopen_logged)
-    {
-    setflag(addr, af_tcp_fastopen_conn);
-    if (tcp_out_fastopen > 1) setflag(addr, af_tcp_fastopen);
-    }
-
   addr->dsn_aware = sx->peer_offered & OPTION_DSN
     ? dsn_support_yes : dsn_support_no;
 
@@ -2564,7 +3217,7 @@
   yield as OK, because this error can often mean that there is a problem with
   just one address, so we don't want to delay the host. */
 
-  rcpt_addr = transport_rcpt_address(addr, sx->tblock->rcpt_include_affixes);
+  rcpt_addr = transport_rcpt_address(addr, sx->conn_args.tblock->rcpt_include_affixes);
 
 #ifdef SUPPORT_I18N
   if (  testflag(sx->addrlist, af_utf8_downcvt)
@@ -2577,7 +3230,7 @@
     }
 #endif
 
-  count = smtp_write_command(&sx->outblock, no_flush ? SCMD_BUFFER : SCMD_FLUSH,
+  count = smtp_write_command(sx, no_flush ? SCMD_BUFFER : SCMD_FLUSH,
     "RCPT TO:<%s>%s%s\r\n", rcpt_addr, sx->igquotstr, sx->buffer);
 
   if (count < 0) return -5;
@@ -2598,12 +3251,15 @@
       case -1: return -3;			/* Timeout on RCPT */
       case -2: return -2;			/* non-MAIL read i/o error */
       default: return -1;			/* any MAIL error */
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+      case -4: return -1;			/* non-2xx for pipelined banner or EHLO */
+#endif
       }
     sx->pending_MAIL = FALSE;            /* Dealt with MAIL */
     }
   }      /* Loop for next address */
 
-tcp_out_fastopen_logged = TRUE;
 sx->next_addr = addr;
 return 0;
 }
@@ -2621,6 +3277,7 @@
 channels are closed, exit the process.
 
 Arguments:
+  ct_ctx	tls context
   buf		space to use for buffering
   bufsiz	size of buffer
   pfd		pipe filedescriptor array; [0] is comms to proxied process
@@ -2628,10 +3285,11 @@
 */
 
 void
-smtp_proxy_tls(uschar * buf, size_t bsize, int * pfd, int timeout)
+smtp_proxy_tls(void * ct_ctx, uschar * buf, size_t bsize, int * pfd,
+  int timeout)
 {
 fd_set rfds, efds;
-int max_fd = MAX(pfd[0], tls_out.active) + 1;
+int max_fd = MAX(pfd[0], tls_out.active.sock) + 1;
 int rc, i, fd_bits, nbytes;
 
 close(pfd[1]);
@@ -2641,10 +3299,10 @@
   _exit(rc < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
   }
 
-if (running_in_test_harness) millisleep(100); /* let parent debug out */
+if (f.running_in_test_harness) millisleep(100); /* let parent debug out */
 set_process_info("proxying TLS connection for continued transport");
 FD_ZERO(&rfds);
-FD_SET(tls_out.active, &rfds);
+FD_SET(tls_out.active.sock, &rfds);
 FD_SET(pfd[0], &rfds);
 
 for (fd_bits = 3; fd_bits; )
@@ -2670,21 +3328,21 @@
       goto done;
       }
 
-    if (FD_ISSET(tls_out.active, &efds) || FD_ISSET(pfd[0], &efds))
+    if (FD_ISSET(tls_out.active.sock, &efds) || FD_ISSET(pfd[0], &efds))
       {
       DEBUG(D_transport) debug_printf("select: exceptional cond on %s fd\n",
 	FD_ISSET(pfd[0], &efds) ? "proxy" : "tls");
       goto done;
       }
     }
-  while (rc < 0 || !(FD_ISSET(tls_out.active, &rfds) || FD_ISSET(pfd[0], &rfds)));
+  while (rc < 0 || !(FD_ISSET(tls_out.active.sock, &rfds) || FD_ISSET(pfd[0], &rfds)));
 
   /* handle inbound data */
-  if (FD_ISSET(tls_out.active, &rfds))
-    if ((rc = tls_read(FALSE, buf, bsize)) <= 0)
+  if (FD_ISSET(tls_out.active.sock, &rfds))
+    if ((rc = tls_read(ct_ctx, buf, bsize)) <= 0)
       {
       fd_bits &= ~1;
-      FD_CLR(tls_out.active, &rfds);
+      FD_CLR(tls_out.active.sock, &rfds);
       shutdown(pfd[0], SHUT_WR);
       timeout = 5;
       }
@@ -2694,19 +3352,20 @@
 	if ((i = write(pfd[0], buf + nbytes, rc - nbytes)) < 0) goto done;
       }
   else if (fd_bits & 1)
-    FD_SET(tls_out.active, &rfds);
+    FD_SET(tls_out.active.sock, &rfds);
 
   /* handle outbound data */
   if (FD_ISSET(pfd[0], &rfds))
     if ((rc = read(pfd[0], buf, bsize)) <= 0)
       {
       fd_bits = 0;
-      tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
+      tls_close(ct_ctx, TLS_SHUTDOWN_NOWAIT);
+      ct_ctx = NULL;
       }
     else
       {
       for (nbytes = 0; rc - nbytes > 0; nbytes += i)
-	if ((i = tls_write(FALSE, buf + nbytes, rc - nbytes, FALSE)) < 0)
+	if ((i = tls_write(ct_ctx, buf + nbytes, rc - nbytes, FALSE)) < 0)
 	  goto done;
       }
   else if (fd_bits & 2)
@@ -2714,7 +3373,7 @@
   }
 
 done:
-  if (running_in_test_harness) millisleep(100);	/* let logging complete */
+  if (f.running_in_test_harness) millisleep(100);	/* let logging complete */
   exim_exit(0, US"TLS proxy");
 }
 #endif
@@ -2771,6 +3430,7 @@
   BOOL *message_defer, BOOL suppress_tls)
 {
 address_item *addr;
+smtp_transport_options_block * ob = SOB tblock->options_block;
 int yield = OK;
 int save_errno;
 int rc;
@@ -2787,13 +3447,14 @@
 *message_defer = FALSE;
 
 sx.addrlist = addrlist;
-sx.host = host;
-sx.host_af = host_af,
+sx.conn_args.host = host;
+sx.conn_args.host_af = host_af,
 sx.port = defport;
-sx.interface = interface;
+sx.conn_args.interface = interface;
 sx.helo_data = NULL;
-sx.tblock = tblock;
+sx.conn_args.tblock = tblock;
 sx.verify = FALSE;
+sx.sync_addr = sx.first_addr = addrlist;
 
 /* Get the channel set up ready for a message (MAIL FROM being the next
 SMTP command to send */
@@ -2832,8 +3493,6 @@
     }
   }
 
-sx.first_addr = addrlist;
-
 /* For messages that have more than the maximum number of envelope recipients,
 we want to send several transactions down the same SMTP connection. (See
 comments in deliver.c as to how this reconciles, heuristically, with
@@ -2912,7 +3571,7 @@
 if (  !(sx.peer_offered & OPTION_CHUNKING)
    && (sx.ok || (pipelining_active && !mua_wrapper)))
   {
-  int count = smtp_write_command(&sx.outblock, SCMD_FLUSH, "DATA\r\n");
+  int count = smtp_write_command(&sx, SCMD_FLUSH, "DATA\r\n");
 
   if (count < 0) goto SEND_FAILED;
   switch(sync_responses(&sx, count, sx.ok ? +1 : -1))
@@ -2926,6 +3585,11 @@
     case 0: break;                       /* No 2xx or 5xx, but no probs */
 
     case -1: goto END_OFF;               /* Timeout on RCPT */
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+    case -4:  HDEBUG(D_transport)
+		debug_printf("failed reaping pipelined cmd responses\n");
+#endif
     default: goto RESPONSE_FAILED;       /* I/O error, or any MAIL/DATA error */
     }
   pipelining_active = FALSE;
@@ -2949,11 +3613,13 @@
 else
   {
   transport_ctx tctx = {
-    {sx.inblock.sock},
-    tblock,
-    addrlist,
-    US".", US"..",    /* Escaping strings */
-    topt_use_crlf | topt_escape_headers
+    .u = {.fd = sx.cctx.sock},	/*XXX will this need TLS info? */
+    .tblock =	tblock,
+    .addr =	addrlist,
+    .check_string = US".",
+    .escape_string = US"..",	/* Escaping strings */
+    .options =
+      topt_use_crlf | topt_escape_headers
     | (tblock->body_only	? topt_no_headers : 0)
     | (tblock->headers_only	? topt_no_body : 0)
     | (tblock->return_path_add	? topt_add_return_path : 0)
@@ -2988,7 +3654,7 @@
   sx.buffer[0] = 0;
 
   sigalrm_seen = FALSE;
-  transport_write_timeout = sx.ob->data_timeout;
+  transport_write_timeout = ob->data_timeout;
   smtp_command = US"sending data block";   /* For error messages */
   DEBUG(D_transport|D_v)
     if (sx.peer_offered & OPTION_CHUNKING)
@@ -3001,12 +3667,12 @@
   dkim_exim_sign_init();
 # ifdef EXPERIMENTAL_ARC
     {
-    uschar * s = sx.ob->arc_sign;
+    uschar * s = ob->arc_sign;
     if (s)
       {
-      if (!(sx.ob->dkim.arc_signspec = s = expand_string(s)))
+      if (!(ob->dkim.arc_signspec = s = expand_string(s)))
 	{
-	if (!expand_string_forcedfail)
+	if (!f.expand_string_forcedfail)
 	  {
 	  message = US"failed to expand arc_sign";
 	  sx.ok = FALSE;
@@ -3017,12 +3683,12 @@
 	{
 	/* Ask dkim code to hash the body for ARC */
 	(void) arc_ams_setup_sign_bodyhash();
-	sx.ob->dkim.force_bodyhash = TRUE;
+	ob->dkim.force_bodyhash = TRUE;
 	}
       }
     }
 # endif
-  sx.ok = dkim_transport_write_message(&tctx, &sx.ob->dkim, CUSS &message);
+  sx.ok = dkim_transport_write_message(&tctx, &ob->dkim, CUSS &message);
 #else
   sx.ok = transport_write_message(&tctx, 0);
 #endif
@@ -3064,19 +3730,23 @@
       case 0: break;                       /* No 2xx or 5xx, but no probs */
 
       case -1: goto END_OFF;               /* Timeout on RCPT */
+
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+      case -4:  HDEBUG(D_transport)
+		  debug_printf("failed reaping pipelined cmd responses\n");
+#endif
       default: goto RESPONSE_FAILED;       /* I/O error, or any MAIL/DATA error */
       }
     }
 
 #ifndef DISABLE_PRDR
-  /* For PRDR we optionally get a partial-responses warning
-   * followed by the individual responses, before going on with
-   * the overall response.  If we don't get the warning then deal
-   * with per non-PRDR. */
+  /* For PRDR we optionally get a partial-responses warning followed by the
+  individual responses, before going on with the overall response.  If we don't
+  get the warning then deal with per non-PRDR. */
+
   if(sx.prdr_active)
     {
-    sx.ok = smtp_read_response(&sx.inblock, sx.buffer, sizeof(sx.buffer), '3',
-      sx.ob->final_timeout);
+    sx.ok = smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '3', ob->final_timeout);
     if (!sx.ok && errno == 0) switch(sx.buffer[0])
       {
       case '2': sx.prdr_active = FALSE;
@@ -3096,8 +3766,8 @@
 
   if (!sx.lmtp)
     {
-    sx.ok = smtp_read_response(&sx.inblock, sx.buffer, sizeof(sx.buffer), '2',
-      sx.ob->final_timeout);
+    sx.ok = smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '2',
+      ob->final_timeout);
     if (!sx.ok && errno == 0 && sx.buffer[0] == '4')
       {
       errno = ERRNO_DATA4XX;
@@ -3160,8 +3830,8 @@
       if (sx.lmtp)
 #endif
         {
-        if (!smtp_read_response(&sx.inblock, sx.buffer, sizeof(sx.buffer), '2',
-            sx.ob->final_timeout))
+        if (!smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '2',
+            ob->final_timeout))
           {
           if (errno != 0 || sx.buffer[0] == 0) goto RESPONSE_FAILED;
           addr->message = string_sprintf(
@@ -3204,6 +3874,17 @@
       addr->host_used = host;
       addr->special_action = flag;
       addr->message = conf;
+
+      if (tcp_out_fastopen)
+	{
+	setflag(addr, af_tcp_fastopen_conn);
+	if (tcp_out_fastopen >= TFO_USED_NODATA) setflag(addr, af_tcp_fastopen);
+	if (tcp_out_fastopen >= TFO_USED_DATA) setflag(addr, af_tcp_fastopen_data);
+	}
+      if (sx.pipelining_used) setflag(addr, af_pipelining);
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+      if (sx.early_pipe_active) setflag(addr, af_early_pipe);
+#endif
 #ifndef DISABLE_PRDR
       if (sx.prdr_active) setflag(addr, af_prdr_used);
 #endif
@@ -3240,8 +3921,8 @@
 	/* PRDR - get the final, overall response.  For any non-success
 	upgrade all the address statuses. */
 
-        sx.ok = smtp_read_response(&sx.inblock, sx.buffer, sizeof(sx.buffer), '2',
-          sx.ob->final_timeout);
+        sx.ok = smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '2',
+          ob->final_timeout);
         if (!sx.ok)
 	  {
 	  if(errno == 0 && sx.buffer[0] == '4')
@@ -3403,9 +4084,20 @@
 
     else
       {
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+      /* If we were early-pipelinng and the actual EHLO response did not match
+      the cached value we assumed, we could have detected it and passed a
+      custom errno through to here.  It would be nice to RSET and retry right
+      away, but to reliably do that we eould need an extra synch point before
+      we committed to data and that would discard half the gained roundrips.
+      Or we could summarily drop the TCP connection. but that is also ugly.
+      Instead, we ignore the possibility (having freshened the cache) and rely
+      on the server telling us with a nonmessage error if we have tried to
+      do something it no longer supports. */
+#endif
       set_rc = DEFER;
       yield = (save_errno == ERRNO_CHHEADER_FAIL ||
-               save_errno == ERRNO_FILTER_FAIL)? ERROR : DEFER;
+               save_errno == ERRNO_FILTER_FAIL) ? ERROR : DEFER;
       }
     }
 
@@ -3425,7 +4117,7 @@
 many as to hit the configured limit. The function transport_check_waiting looks
 for a waiting message and returns its id. Then transport_pass_socket tries to
 set up a continued delivery by passing the socket on to another process. The
-variable send_rset is FALSE if a message has just been successfully transfered.
+variable send_rset is FALSE if a message has just been successfully transferred.
 
 If we are already sending down a continued channel, there may be further
 addresses not yet delivered that are aimed at the same host, but which have not
@@ -3448,7 +4140,7 @@
 DEBUG(D_transport)
   debug_printf("ok=%d send_quit=%d send_rset=%d continue_more=%d "
     "yield=%d first_address is %sNULL\n", sx.ok, sx.send_quit,
-    sx.send_rset, continue_more, yield, sx.first_addr ? "not " : "");
+    sx.send_rset, f.continue_more, yield, sx.first_addr ? "not " : "");
 
 if (sx.completed_addr && sx.ok && sx.send_quit)
   {
@@ -3459,11 +4151,11 @@
   t_compare.current_sender_address = sender_address;
 
   if (  sx.first_addr != NULL
-     || continue_more
+     || f.continue_more
      || (
 #ifdef SUPPORT_TLS
-	   (  tls_out.active < 0  &&  !continue_proxy_cipher
-           || verify_check_given_host(&sx.ob->hosts_nopass_tls, host) != OK
+	   (  tls_out.active.sock < 0  &&  !continue_proxy_cipher
+           || verify_check_given_host(CUSS &ob->hosts_nopass_tls, host) != OK
 	   )
         &&
 #endif
@@ -3476,14 +4168,14 @@
     BOOL pass_message;
 
     if (sx.send_rset)
-      if (! (sx.ok = smtp_write_command(&sx.outblock, SCMD_FLUSH, "RSET\r\n") >= 0))
+      if (! (sx.ok = smtp_write_command(&sx, SCMD_FLUSH, "RSET\r\n") >= 0))
         {
         msg = US string_sprintf("send() to %s [%s] failed: %s", host->name,
           host->address, strerror(errno));
         sx.send_quit = FALSE;
         }
-      else if (! (sx.ok = smtp_read_response(&sx.inblock, sx.buffer,
-		  sizeof(sx.buffer), '2', sx.ob->command_timeout)))
+      else if (! (sx.ok = smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer),
+		  '2', ob->command_timeout)))
         {
         int code;
         sx.send_quit = check_response(host, &errno, 0, sx.buffer, &code, &msg,
@@ -3499,8 +4191,10 @@
 
     if (sx.ok)
       {
+#ifdef SUPPORT_TLS
       int pfd[2];
-      int socket_fd = sx.inblock.sock;
+#endif
+      int socket_fd = sx.cctx.sock;
 
 
       if (sx.first_addr != NULL)         /* More addresses still to be sent */
@@ -3515,9 +4209,9 @@
       the connection still open. */
 
 #ifdef SUPPORT_TLS
-      if (tls_out.active >= 0)
-	if (  continue_more
-	   || verify_check_given_host(&sx.ob->hosts_noproxy_tls, host) == OK)
+      if (tls_out.active.sock >= 0)
+	if (  f.continue_more
+	   || verify_check_given_host(CUSS &ob->hosts_noproxy_tls, host) == OK)
 	  {
 	  /* Before passing the socket on, or returning to caller with it still
 	  open, we must shut down TLS.  Not all MTAs allow for the continuation
@@ -3525,15 +4219,16 @@
 	  a new EHLO. If we don't get a good response, we don't attempt to pass
 	  the socket on. */
 
-	  tls_close(FALSE, TLS_SHUTDOWN_WAIT);
+	  tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_WAIT);
+	  sx.cctx.tls_ctx = NULL;
 	  smtp_peer_options = smtp_peer_options_wrap;
 	  sx.ok = !sx.smtps
-	    && smtp_write_command(&sx.outblock, SCMD_FLUSH,
-				      "EHLO %s\r\n", sx.helo_data) >= 0
-	    && smtp_read_response(&sx.inblock, sx.buffer, sizeof(sx.buffer),
-				      '2', sx.ob->command_timeout);
+	    && smtp_write_command(&sx, SCMD_FLUSH, "EHLO %s\r\n", sx.helo_data)
+		>= 0
+	    && smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer),
+				      '2', ob->command_timeout);
 
-	  if (sx.ok && continue_more)
+	  if (sx.ok && f.continue_more)
 	    return yield;		/* More addresses for another run */
 	  }
 	else
@@ -3553,7 +4248,7 @@
 	  }
       else
 #endif
-	if (continue_more)
+	if (f.continue_more)
 	  return yield;			/* More addresses for another run */
 
       /* If the socket is successfully passed, we mustn't send QUIT (or
@@ -3573,15 +4268,15 @@
 	get logging done asap.  Which way to place the work makes assumptions
 	about post-fork prioritisation which may not hold on all platforms. */
 #ifdef SUPPORT_TLS
-	if (tls_out.active >= 0)
+	if (tls_out.active.sock >= 0)
 	  {
 	  int pid = fork();
 	  if (pid == 0)		/* child; fork again to disconnect totally */
 	    {
-	    if (running_in_test_harness) millisleep(100); /* let parent debug out */
+	    if (f.running_in_test_harness) millisleep(100); /* let parent debug out */
 	    /* does not return */
-	    smtp_proxy_tls(sx.buffer, sizeof(sx.buffer), pfd,
-			    sx.ob->command_timeout);
+	    smtp_proxy_tls(sx.cctx.tls_ctx, sx.buffer, sizeof(sx.buffer), pfd,
+			    ob->command_timeout);
 	    }
 
 	  if (pid > 0)		/* parent */
@@ -3590,8 +4285,10 @@
 	    close(pfd[0]);
 	    /* tidy the inter-proc to disconn the proxy proc */
 	    waitpid(pid, NULL, 0);
-	    tls_close(FALSE, TLS_NO_SHUTDOWN);
-	    (void)close(sx.inblock.sock);
+	    tls_close(sx.cctx.tls_ctx, TLS_NO_SHUTDOWN);
+	    sx.cctx.tls_ctx = NULL;
+	    (void)close(sx.cctx.sock);
+	    sx.cctx.sock = -1;
 	    continue_transport = NULL;
 	    continue_hostname = NULL;
 	    return yield;
@@ -3631,12 +4328,13 @@
 operation, the old commented-out code was removed on 17-Sep-99. */
 
 SEND_QUIT:
-if (sx.send_quit) (void)smtp_write_command(&sx.outblock, SCMD_FLUSH, "QUIT\r\n");
+if (sx.send_quit) (void)smtp_write_command(&sx, SCMD_FLUSH, "QUIT\r\n");
 
 END_OFF:
 
 #ifdef SUPPORT_TLS
-tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
+tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+sx.cctx.tls_ctx = NULL;
 #endif
 
 /* Close the socket, and return the appropriate value, first setting
@@ -3652,12 +4350,13 @@
 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
 if (sx.send_quit)
   {
-  shutdown(sx.outblock.sock, SHUT_WR);
-  if (fcntl(sx.inblock.sock, F_SETFL, O_NONBLOCK) == 0)
-    for (rc = 16; read(sx.inblock.sock, sx.inbuffer, sizeof(sx.inbuffer)) > 0 && rc > 0;)
+  shutdown(sx.cctx.sock, SHUT_WR);
+  millisleep(f.running_in_test_harness ? 200 : 20);
+  if (fcntl(sx.cctx.sock, F_SETFL, O_NONBLOCK) == 0)
+    for (rc = 16; read(sx.cctx.sock, sx.inbuffer, sizeof(sx.inbuffer)) > 0 && rc > 0;)
       rc--;				/* drain socket */
   }
-(void)close(sx.inblock.sock);
+(void)close(sx.cctx.sock);
 
 #ifndef DISABLE_EVENT
 (void) event_raise(tblock->event_action, US"tcp:close", NULL);
@@ -3691,31 +4390,33 @@
 void
 smtp_transport_closedown(transport_instance *tblock)
 {
-smtp_transport_options_block *ob =
-  (smtp_transport_options_block *)tblock->options_block;
-smtp_inblock inblock;
-smtp_outblock outblock;
+smtp_transport_options_block * ob = SOB tblock->options_block;
+client_conn_ctx cctx;
+smtp_context sx;
 uschar buffer[256];
 uschar inbuffer[4096];
 uschar outbuffer[16];
 
-inblock.sock = fileno(stdin);
-inblock.buffer = inbuffer;
-inblock.buffersize = sizeof(inbuffer);
-inblock.ptr = inbuffer;
-inblock.ptrend = inbuffer;
-
-outblock.sock = inblock.sock;
-outblock.buffersize = sizeof(outbuffer);
-outblock.buffer = outbuffer;
-outblock.ptr = outbuffer;
-outblock.cmd_count = 0;
-outblock.authenticating = FALSE;
-
-(void)smtp_write_command(&outblock, SCMD_FLUSH, "QUIT\r\n");
-(void)smtp_read_response(&inblock, buffer, sizeof(buffer), '2',
-  ob->command_timeout);
-(void)close(inblock.sock);
+/*XXX really we need an active-smtp-client ctx, rather than assuming stdout */
+cctx.sock = fileno(stdin);
+cctx.tls_ctx = cctx.sock == tls_out.active.sock ? tls_out.active.tls_ctx : NULL;
+
+sx.inblock.cctx = &cctx;
+sx.inblock.buffer = inbuffer;
+sx.inblock.buffersize = sizeof(inbuffer);
+sx.inblock.ptr = inbuffer;
+sx.inblock.ptrend = inbuffer;
+
+sx.outblock.cctx = &cctx;
+sx.outblock.buffersize = sizeof(outbuffer);
+sx.outblock.buffer = outbuffer;
+sx.outblock.ptr = outbuffer;
+sx.outblock.cmd_count = 0;
+sx.outblock.authenticating = FALSE;
+
+(void)smtp_write_command(&sx, SCMD_FLUSH, "QUIT\r\n");
+(void)smtp_read_response(&sx, buffer, sizeof(buffer), '2', ob->command_timeout);
+(void)close(cctx.sock);
 }
 
 
@@ -3797,8 +4498,7 @@
 uschar *expanded_hosts = NULL;
 uschar *pistring;
 uschar *tid = string_sprintf("%s transport", tblock->name);
-smtp_transport_options_block *ob =
-  (smtp_transport_options_block *)(tblock->options_block);
+smtp_transport_options_block *ob = SOB tblock->options_block;
 host_item *hostlist = addrlist->host_list;
 host_item *host;
 
@@ -3816,7 +4516,7 @@
   if (continue_hostname)
     debug_printf("already connected to %s [%s] (on fd %d)\n",
       continue_hostname, continue_host_address,
-      cutthrough.fd >= 0 ? cutthrough.fd : 0);
+      cutthrough.cctx.sock >= 0 ? cutthrough.cctx.sock : 0);
   }
 
 /* Set the flag requesting that these hosts be added to the waiting
@@ -3831,6 +4531,12 @@
 a host list with hosts_override set, use the host list supplied with the
 transport. It is an error for this not to exist. */
 
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+if (tls_requiretls & REQUIRETLS_MSG)
+  ob->tls_tempfail_tryclear = FALSE;	/*XXX surely we should have a local for this
+  					rather than modifying the transport? */
+#endif
+
 if (!hostlist || (ob->hosts_override && ob->hosts))
   {
   if (!ob->hosts)
@@ -3862,7 +4568,7 @@
         {
         addrlist->message = string_sprintf("failed to expand list of hosts "
           "\"%s\" in %s transport: %s", s, tblock->name, expand_string_message);
-        addrlist->transport_return = search_find_defer ? DEFER : PANIC;
+        addrlist->transport_return = f.search_find_defer ? DEFER : PANIC;
         return FALSE;     /* Only top address has status */
         }
       DEBUG(D_transport) debug_printf("expanded list of hosts \"%s\" to "
@@ -4150,7 +4856,7 @@
     were not in it. We don't want to hold up all SMTP deliveries! Except when
     doing a two-stage queue run, don't do this if forcing. */
 
-    if ((!deliver_force || queue_2stage) && (queue_smtp ||
+    if ((!f.deliver_force || f.queue_2stage) && (f.queue_smtp ||
         match_isinlist(addrlist->domain,
 	  (const uschar **)&queue_smtp_domains, 0,
           &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK))
@@ -4221,10 +4927,10 @@
         incl_ip, &retry_host_key, &retry_message_key);
 
       DEBUG(D_transport) debug_printf("%s [%s]%s retry-status = %s\n", host->name,
-        (host->address == NULL)? US"" : host->address, pistring,
-        (host->status == hstatus_usable)? "usable" :
-        (host->status == hstatus_unusable)? "unusable" :
-        (host->status == hstatus_unusable_expired)? "unusable (expired)" : "?");
+        host->address ? host->address : US"", pistring,
+        host->status == hstatus_usable ? "usable"
+        : host->status == hstatus_unusable ? "unusable"
+        : host->status == hstatus_unusable_expired ? "unusable (expired)" : "?");
 
       /* Skip this address if not usable at this time, noting if it wasn't
       actually expired, both locally and in the address. */
@@ -4281,7 +4987,7 @@
     sending the message down a pre-existing connection. */
 
     if (  !continue_hostname
-       && verify_check_given_host(&ob->serialize_hosts, host) == OK)
+       && verify_check_given_host(CUSS &ob->serialize_hosts, host) == OK)
       {
       serialize_key = string_sprintf("host-serialize-%s", host->name);
       if (!enq_start(serialize_key, 1))
@@ -4307,14 +5013,14 @@
       message_id, host->name, host->address, addrlist->address,
       addrlist->next ? ", ..." : "");
 
-    set_process_info("delivering %s to %s [%s] (%s%s)",
-      message_id, host->name, host->address, addrlist->address,
+    set_process_info("delivering %s to %s [%s]%s (%s%s)",
+      message_id, host->name, host->address, pistring, addrlist->address,
       addrlist->next ? ", ..." : "");
 
     /* This is not for real; don't do the delivery. If there are
     any remaining hosts, list them. */
 
-    if (dont_deliver)
+    if (f.dont_deliver)
       {
       host_item *host2;
       set_errno_nohost(addrlist, 0, NULL, OK, FALSE);
@@ -4422,7 +5128,7 @@
       if (  rc == DEFER
 	 && first_addr->basic_errno == ERRNO_TLSFAILURE
 	 && ob->tls_tempfail_tryclear
-	 && verify_check_given_host(&ob->hosts_require_tls, host) != OK
+	 && verify_check_given_host(CUSS &ob->hosts_require_tls, host) != OK
 	 )
         {
         log_write(0, LOG_MAIN,
@@ -4448,8 +5154,8 @@
        : rc == ERROR ? US"ERROR"
        : US"?";
 
-    set_process_info("delivering %s: just tried %s [%s] for %s%s: result %s",
-      message_id, host->name, host->address, addrlist->address,
+    set_process_info("delivering %s: just tried %s [%s]%s for %s%s: result %s",
+      message_id, host->name, host->address, pistring, addrlist->address,
       addrlist->next ? " (& others)" : "", rs);
 
     /* Release serialization if set up */
@@ -4592,6 +5298,18 @@
           "hosts_max_try (message older than host's retry time)\n");
         }
       }
+
+    DEBUG(D_transport)
+      {
+      if (unexpired_hosts_tried >= ob->hosts_max_try)
+	debug_printf("reached transport hosts_max_try limit %d\n",
+	  ob->hosts_max_try);
+      if (total_hosts_tried >= ob->hosts_max_try_hardlimit)
+	debug_printf("reached transport hosts_max_try_hardlimit limit %d\n",
+	  ob->hosts_max_try_hardlimit);
+      }
+
+    if (f.running_in_test_harness) millisleep(500); /* let server debug out */
     }   /* End of loop for trying multiple hosts. */
 
   /* If we failed to find a matching host in the list, for an already-open
@@ -4601,21 +5319,27 @@
 
   if (continue_hostname && !continue_host_tried)
     {
-    int fd = cutthrough.fd >= 0 ? cutthrough.fd : 0;
+    int fd = cutthrough.cctx.sock >= 0 ? cutthrough.cctx.sock : 0;
 
     DEBUG(D_transport) debug_printf("no hosts match already-open connection\n");
 #ifdef SUPPORT_TLS
-    if (tls_out.active == fd)
-      {
-      (void) tls_write(FALSE, US"QUIT\r\n", 6, FALSE);
-      tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
+    /* A TLS conn could be open for a cutthrough, but not for a plain continued-
+    transport */
+/*XXX doublecheck that! */
+
+    if (cutthrough.cctx.sock >= 0 && cutthrough.is_tls)
+      {
+      (void) tls_write(cutthrough.cctx.tls_ctx, US"QUIT\r\n", 6, FALSE);
+      tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+      cutthrough.cctx.tls_ctx = NULL;
+      cutthrough.is_tls = FALSE;
       }
     else
 #else
       (void) write(fd, US"QUIT\r\n", 6);
 #endif
     (void) close(fd);
-    cutthrough.fd = -1;
+    cutthrough.cctx.sock = -1;
     continue_hostname = NULL;
     goto retry_non_continued;
     }
@@ -4679,7 +5403,7 @@
       setflag(addr, af_retry_skipped);
       }
 
-  if (queue_smtp)    /* no deliveries attempted */
+  if (f.queue_smtp)    /* no deliveries attempted */
     {
     addr->transport_return = DEFER;
     addr->basic_errno = 0;
diff -Nru exim4-4.91/src/transports/smtp.h exim4-4.92~RC4/src/transports/smtp.h
--- exim4-4.91/src/transports/smtp.h	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/transports/smtp.h	2018-12-27 13:36:19.000000000 +0000
@@ -46,6 +46,9 @@
   uschar *hosts_avoid_tls;
   uschar *hosts_verify_avoid_tls;
   uschar *hosts_avoid_pipelining;
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  uschar *hosts_pipe_connect;
+#endif
   uschar *hosts_avoid_esmtp;
 #ifdef SUPPORT_TLS
   uschar *hosts_nopass_tls;
@@ -88,6 +91,9 @@
   uschar *tls_try_verify_hosts;
   uschar *tls_verify_cert_hostnames;
 #endif
+#ifdef SUPPORT_I18N
+  uschar *utf8_downconvert;
+#endif
 #ifndef DISABLE_DKIM
   struct ob_dkim dkim;
 #endif
@@ -96,22 +102,29 @@
 #endif
 } smtp_transport_options_block;
 
+#define SOB (smtp_transport_options_block *)
+
+
 /* smtp connect context */
 typedef struct {
   uschar *		from_addr;
   address_item *	addrlist;
-  host_item *		host;
-  int			host_af;
+
+  smtp_connect_args	conn_args;
   int			port;
-  uschar *		interface;
 
   BOOL verify:1;
   BOOL lmtp:1;
   BOOL smtps:1;
   BOOL ok:1;
   BOOL setting_up:1;
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  BOOL early_pipe_ok:1;
+  BOOL early_pipe_active:1;
+#endif
   BOOL esmtp:1;
   BOOL esmtp_sent:1;
+  BOOL pipelining_used:1;
 #ifndef DISABLE_PRDR
   BOOL prdr_active:1;
 #endif
@@ -123,6 +136,10 @@
   BOOL dane:1;
   BOOL dane_required:1;
 #endif
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  BOOL pending_BANNER:1;
+  BOOL pending_EHLO:1;
+#endif
   BOOL pending_MAIL:1;
   BOOL pending_BDAT:1;
   BOOL good_RCPT:1;
@@ -133,31 +150,33 @@
   int		max_rcpt;
   int		cmd_count;
 
-  uschar	peer_offered;
-  uschar	avoid_option;
+  unsigned	peer_offered;
+  unsigned	avoid_option;
   uschar *	igquotstr;
   uschar *	helo_data;
 #ifdef EXPERIMENTAL_DSN_INFO
   uschar *	smtp_greeting;
   uschar *	helo_response;
 #endif
+#ifdef EXPERIMENTAL_PIPE_CONNECT
+  ehlo_resp_precis	ehlo_resp;
+#endif
 
   address_item *	first_addr;
   address_item *	next_addr;
   address_item *	sync_addr;
 
-  smtp_inblock  inblock;
-  smtp_outblock outblock;
+  client_conn_ctx	cctx;
+  smtp_inblock		inblock;
+  smtp_outblock		outblock;
   uschar	buffer[DELIVER_BUFFER_SIZE];
   uschar	inbuffer[4096];
   uschar	outbuffer[4096];
-
-  transport_instance *			tblock;
-  smtp_transport_options_block *	ob;
 } smtp_context;
 
 extern int smtp_setup_conn(smtp_context *, BOOL);
 extern int smtp_write_mail_and_rcpt_cmds(smtp_context *, int *);
+extern int smtp_reap_early_pipe(smtp_context *, int *);
 
 
 /* Data for reading the private options. */
@@ -177,9 +196,6 @@
 
 
 
-extern int     smtp_auth(uschar *, unsigned, address_item *, host_item *,
-		 smtp_transport_options_block *, BOOL,
-		 smtp_inblock *, smtp_outblock *);
 extern BOOL    smtp_mail_auth_str(uschar *, unsigned,
 		 address_item *, smtp_transport_options_block *);
 
diff -Nru exim4-4.91/src/transports/smtp_socks.c exim4-4.92~RC4/src/transports/smtp_socks.c
--- exim4-4.91/src/transports/smtp_socks.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/transports/smtp_socks.c	2018-12-27 13:36:19.000000000 +0000
@@ -85,7 +85,7 @@
 else if (Ustrncmp(opt, "pass=", 5) == 0)
   sob->auth_pwd = opt + 5;
 else if (Ustrncmp(opt, "port=", 5) == 0)
-  sob->port = atoi(opt + 5);
+  sob->port = atoi(CCS opt + 5);
 else if (Ustrncmp(opt, "tmo=", 4) == 0)
   sob->timeout = atoi(CCS opt + 4);
 else if (Ustrncmp(opt, "pri=", 4) == 0)
@@ -297,6 +297,7 @@
   proxy.address = proxy.name = sob->proxy_host;
   proxy_af = Ustrchr(sob->proxy_host, ':') ? AF_INET6 : AF_INET;
 
+  /*XXX we trust that the method-select command is idempotent */
   if ((fd = smtp_sock_connect(&proxy, proxy_af, sob->port,
 	      interface, tb, sob->timeout, &early_data)) >= 0)
     {
diff -Nru exim4-4.91/src/verify.c exim4-4.92~RC4/src/verify.c
--- exim4-4.91/src/verify.c	2018-04-14 23:18:10.000000000 +0000
+++ exim4-4.92~RC4/src/verify.c	2018-12-27 13:36:19.000000000 +0000
@@ -14,7 +14,7 @@
 
 #define CUTTHROUGH_CMD_TIMEOUT  30	/* timeout for cutthrough-routing calls */
 #define CUTTHROUGH_DATA_TIMEOUT 60	/* timeout for cutthrough-routing calls */
-static smtp_outblock ctblock;
+static smtp_context ctctx;
 uschar ctbuffer[8192];
 
 
@@ -39,7 +39,7 @@
 #define MT_NOT 1
 #define MT_ALL 2
 
-static uschar cutthrough_response(int, char, uschar **, int);
+static uschar cutthrough_response(client_conn_ctx *, char, uschar **, int);
 
 
 
@@ -172,7 +172,6 @@
     if (  cache_record->result == ccache_reject
        || *from_address == 0 && cache_record->result == ccache_reject_mfnull)
       {
-      setflag(addr, af_verify_nsfail);
       HDEBUG(D_verify)
 	debug_printf("callout cache: domain gave initial rejection, or "
 	  "does not accept HELO or MAIL FROM:<>\n");
@@ -196,6 +195,7 @@
       case ccache_accept:
 	HDEBUG(D_verify)
 	  debug_printf("callout cache: domain accepts random addresses\n");
+	*failure_ptr = US"random";
 	dbfn_close(dbm_file);
 	return TRUE;     /* Default yield is OK */
 
@@ -409,10 +409,11 @@
 
 	/* Match!  Send the RCPT TO, set done from the response */
 	done =
-	  smtp_write_command(&ctblock, SCMD_FLUSH, "RCPT TO:<%.1000s>\r\n",
-	    transport_rcpt_address(addr,
-	       addr->transport->rcpt_include_affixes)) >= 0 &&
-	  cutthrough_response(cutthrough.fd, '2', &resp, CUTTHROUGH_DATA_TIMEOUT) == '2';
+	     smtp_write_command(&ctctx, SCMD_FLUSH, "RCPT TO:<%.1000s>\r\n",
+	      transport_rcpt_address(addr,
+		 addr->transport->rcpt_include_affixes)) >= 0
+	  && cutthrough_response(&cutthrough.cctx, '2', &resp,
+	      CUTTHROUGH_DATA_TIMEOUT) == '2';
 
 	/* This would go horribly wrong if a callout fail was ignored by ACL.
 	We punt by abandoning cutthrough on a reject, like the
@@ -600,7 +601,7 @@
   and cause the client to time out. So in this case we forgo the PIPELINING
   optimization. */
 
-  if (smtp_out && !disable_callout_flush) mac_smtp_fflush();
+  if (smtp_out && !f.disable_callout_flush) mac_smtp_fflush();
 
   clearflag(addr, af_verify_pmfail);  /* postmaster callout flag */
   clearflag(addr, af_verify_nsfail);  /* null sender callout flag */
@@ -611,7 +612,7 @@
 coding means skipping this whole loop and doing the append separately.  */
 
   /* Can we re-use an open cutthrough connection? */
-  if (  cutthrough.fd >= 0
+  if (  cutthrough.cctx.sock >= 0
      && (options & (vopt_callout_recipsender | vopt_callout_recippmaster))
 	== vopt_callout_recipsender
      && !random_local_part
@@ -668,12 +669,12 @@
         addr->message);
 
     sx.addrlist = addr;
-    sx.host = host;
-    sx.host_af = host_af,
+    sx.conn_args.host = host;
+    sx.conn_args.host_af = host_af,
     sx.port = port;
-    sx.interface = interface;
+    sx.conn_args.interface = interface;
     sx.helo_data = tf->helo_data;
-    sx.tblock = addr->transport;
+    sx.conn_args.tblock = addr->transport;
     sx.verify = TRUE;
 
 tls_retry_connection:
@@ -692,7 +693,7 @@
     if (  yield == DEFER
        && addr->basic_errno == ERRNO_TLSFAILURE
        && ob->tls_tempfail_tryclear
-       && verify_check_given_host(&ob->hosts_require_tls, host) != OK
+       && verify_check_given_host(CUSS &ob->hosts_require_tls, host) != OK
        )
       {
       log_write(0, LOG_MAIN,
@@ -787,7 +788,7 @@
       The sync_responses() would need to be taught about it and we'd
       need another return code filtering out to here.
 
-      Avoid using a SIZE option on the MAIL for all randon-rcpt checks.
+      Avoid using a SIZE option on the MAIL for all random-rcpt checks.
       */
 
       sx.avoid_option = OPTION_SIZE;
@@ -802,6 +803,7 @@
 	    new_domain_record.random_result = ccache_accept;
 	    yield = OK;		/* Only usable verify result we can return */
 	    done = TRUE;
+	    *failure_ptr = US"random";
 	    goto no_conn;
 	  case FAIL:		/* rejected: the preferred result */
 	    new_domain_record.random_result = ccache_reject;
@@ -812,20 +814,19 @@
 	    XXX We don't care about that for postmaster_full.  Should we? */
 
 	    if ((done =
-	      smtp_write_command(&sx.outblock, SCMD_FLUSH, "RSET\r\n") >= 0 &&
-	      smtp_read_response(&sx.inblock, sx.buffer, sizeof(sx.buffer),
-		'2', callout)))
+	      smtp_write_command(&sx, SCMD_FLUSH, "RSET\r\n") >= 0 &&
+	      smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '2', callout)))
 	      break;
 
 	    HDEBUG(D_acl|D_v)
 	      debug_printf_indent("problem after random/rset/mfrom; reopen conn\n");
 	    random_local_part = NULL;
 #ifdef SUPPORT_TLS
-	    tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
+	    tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
 #endif
 	    HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
-	    (void)close(sx.inblock.sock);
-	    sx.inblock.sock = sx.outblock.sock = -1;
+	    (void)close(sx.cctx.sock);
+	    sx.cctx.sock = -1;
 #ifndef DISABLE_EVENT
 	    (void) event_raise(addr->transport->event_action,
 			      US"tcp:close", NULL);
@@ -909,9 +910,8 @@
       cancel_cutthrough_connection(TRUE, US"postmaster verify");
       HDEBUG(D_acl|D_v) debug_printf_indent("Cutthrough cancelled by presence of postmaster verify\n");
 
-      done = smtp_write_command(&sx.outblock, SCMD_FLUSH, "RSET\r\n") >= 0
-          && smtp_read_response(&sx.inblock, sx.buffer,
-				sizeof(sx.buffer), '2', callout);
+      done = smtp_write_command(&sx, SCMD_FLUSH, "RSET\r\n") >= 0
+          && smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '2', callout);
 
       if (done)
 	{
@@ -934,9 +934,9 @@
 	  done = TRUE;
 	else
 	  done = (options & vopt_callout_fullpm) != 0
-	      && smtp_write_command(&sx.outblock, SCMD_FLUSH,
+	      && smtp_write_command(&sx, SCMD_FLUSH,
 			    "RCPT TO:<postmaster>\r\n") >= 0
-	      && smtp_read_response(&sx.inblock, sx.buffer,
+	      && smtp_read_response(&sx, sx.buffer,
 			    sizeof(sx.buffer), '2', callout);
 
 	/* Sort out the cache record */
@@ -988,6 +988,13 @@
 	}
 	break;
 #endif
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
+      case ERRNO_REQUIRETLS:
+        addr->user_message = US"530 5.7.4 REQUIRETLS support required";
+	yield = FAIL;
+	done = TRUE;
+	break;
+#endif
       case ECONNREFUSED:
 	sx.send_quit = FALSE;
 	break;
@@ -1057,17 +1064,20 @@
 	   == vopt_callout_recipsender
        && !random_local_part
        && !pm_mailfrom
-       && cutthrough.fd < 0
+       && cutthrough.cctx.sock < 0
        && !sx.lmtp
        )
       {
+      address_item * parent, * caddr;
+
       HDEBUG(D_acl|D_v) debug_printf_indent("holding verify callout open for %s\n",
 	cutthrough.delivery
 	? "cutthrough delivery" : "potential further verifies and delivery");
 
       cutthrough.callout_hold_only = !cutthrough.delivery;
-      cutthrough.is_tls =	tls_out.active >= 0;
-      cutthrough.fd =	sx.outblock.sock;	/* We assume no buffer in use in the outblock */
+      cutthrough.is_tls =	tls_out.active.sock >= 0;
+      /* We assume no buffer in use in the outblock */
+      cutthrough.cctx =		sx.cctx;
       cutthrough.nrcpt =	1;
       cutthrough.transport =	addr->transport->name;
       cutthrough.interface =	interface;
@@ -1082,17 +1092,21 @@
 	cutthrough.host.address = string_copy(host->address);
 	store_pool = oldpool;
 	}
-      cutthrough.addr =		*addr;		/* Save the address_item for later logging */
+
+      /* Save the address_item and parent chain for later logging */
+      cutthrough.addr =		*addr;
       cutthrough.addr.next =	NULL;
       cutthrough.addr.host_used = &cutthrough.host;
-      if (addr->parent)
-        *(cutthrough.addr.parent = store_get(sizeof(address_item))) =
-	  *addr->parent;
-      ctblock.buffer = ctbuffer;
-      ctblock.buffersize = sizeof(ctbuffer);
-      ctblock.ptr = ctbuffer;
-      /* ctblock.cmd_count = 0; ctblock.authenticating = FALSE; */
-      ctblock.sock = cutthrough.fd;
+      for (caddr = &cutthrough.addr, parent = addr->parent;
+	   parent;
+	   caddr = caddr->parent, parent = parent->parent)
+        *(caddr->parent = store_get(sizeof(address_item))) = *parent;
+
+      ctctx.outblock.buffer = ctbuffer;
+      ctctx.outblock.buffersize = sizeof(ctbuffer);
+      ctctx.outblock.ptr = ctbuffer;
+      /* ctctx.outblock.cmd_count = 0; ctctx.outblock.authenticating = FALSE; */
+      ctctx.outblock.cctx = &cutthrough.cctx;
       }
     else
       {
@@ -1101,21 +1115,24 @@
         cancel_cutthrough_connection(TRUE, US"not usable for cutthrough");
       if (sx.send_quit)
 	{
-	(void) smtp_write_command(&sx.outblock, SCMD_FLUSH, "QUIT\r\n");
+	(void) smtp_write_command(&sx, SCMD_FLUSH, "QUIT\r\n");
 
 	/* Wait a short time for response, and discard it */
-	smtp_read_response(&sx.inblock, sx.buffer, sizeof(sx.buffer),
-	  '2', 1);
+	smtp_read_response(&sx, sx.buffer, sizeof(sx.buffer), '2', 1);
 	}
 
-      if (sx.inblock.sock >= 0)
+      if (sx.cctx.sock >= 0)
 	{
 #ifdef SUPPORT_TLS
-	tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
+	if (sx.cctx.tls_ctx)
+	  {
+	  tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+	  sx.cctx.tls_ctx = NULL;
+	  }
 #endif
 	HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
-	(void)close(sx.inblock.sock);
-	sx.inblock.sock = sx.outblock.sock = -1;
+	(void)close(sx.cctx.sock);
+	sx.cctx.sock = -1;
 #ifndef DISABLE_EVENT
 	(void) event_raise(addr->transport->event_action, US"tcp:close", NULL);
 #endif
@@ -1180,7 +1197,7 @@
    one was requested and a recipient-verify wasn't subsequently done.
 */
 int
-open_cutthrough_connection( address_item * addr )
+open_cutthrough_connection(address_item * addr)
 {
 address_item addr2;
 int rc;
@@ -1208,18 +1225,20 @@
 static BOOL
 cutthrough_send(int n)
 {
-if(cutthrough.fd < 0)
+if(cutthrough.cctx.sock < 0)
   return TRUE;
 
 if(
 #ifdef SUPPORT_TLS
-   tls_out.active == cutthrough.fd ? tls_write(FALSE, ctblock.buffer, n, FALSE) :
+   cutthrough.is_tls
+   ? tls_write(cutthrough.cctx.tls_ctx, ctctx.outblock.buffer, n, FALSE)
+   :
 #endif
-   send(cutthrough.fd, ctblock.buffer, n, 0) > 0
+     send(cutthrough.cctx.sock, ctctx.outblock.buffer, n, 0) > 0
   )
 {
   transport_count += n;
-  ctblock.ptr= ctblock.buffer;
+  ctctx.outblock.ptr= ctctx.outblock.buffer;
   return TRUE;
 }
 
@@ -1234,11 +1253,11 @@
 {
 while(n--)
  {
- if(ctblock.ptr >= ctblock.buffer+ctblock.buffersize)
-   if(!cutthrough_send(ctblock.buffersize))
+ if(ctctx.outblock.ptr >= ctctx.outblock.buffer+ctctx.outblock.buffersize)
+   if(!cutthrough_send(ctctx.outblock.buffersize))
      return FALSE;
 
- *ctblock.ptr++ = *cp++;
+ *ctctx.outblock.ptr++ = *cp++;
  }
 return TRUE;
 }
@@ -1247,8 +1266,8 @@
 static BOOL
 cutthrough_puts(uschar * cp, int n)
 {
-if (cutthrough.fd < 0)       return TRUE;
-if (_cutthrough_puts(cp, n)) return TRUE;
+if (cutthrough.cctx.sock < 0) return TRUE;
+if (_cutthrough_puts(cp, n))  return TRUE;
 cancel_cutthrough_connection(TRUE, US"transmit failed");
 return FALSE;
 }
@@ -1264,7 +1283,7 @@
 static BOOL
 _cutthrough_flush_send(void)
 {
-int n = ctblock.ptr - ctblock.buffer;
+int n = ctctx.outblock.ptr - ctctx.outblock.buffer;
 
 if(n>0)
   if(!cutthrough_send(n))
@@ -1299,19 +1318,18 @@
 
 /* Get and check response from cutthrough target */
 static uschar
-cutthrough_response(int fd, char expect, uschar ** copy, int timeout)
+cutthrough_response(client_conn_ctx * cctx, char expect, uschar ** copy, int timeout)
 {
-smtp_inblock inblock;
+smtp_context sx = {0};
 uschar inbuffer[4096];
 uschar responsebuffer[4096];
 
-inblock.buffer = inbuffer;
-inblock.buffersize = sizeof(inbuffer);
-inblock.ptr = inbuffer;
-inblock.ptrend = inbuffer;
-inblock.sock = fd;
-/* this relies on (inblock.sock == tls_out.active) */
-if(!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), expect, timeout))
+sx.inblock.buffer = inbuffer;
+sx.inblock.buffersize = sizeof(inbuffer);
+sx.inblock.ptr = inbuffer;
+sx.inblock.ptrend = inbuffer;
+sx.inblock.cctx = cctx;
+if(!smtp_read_response(&sx, responsebuffer, sizeof(responsebuffer), expect, timeout))
   cancel_cutthrough_connection(TRUE, US"target timeout on read");
 
 if(copy)
@@ -1332,7 +1350,7 @@
 BOOL
 cutthrough_predata(void)
 {
-if(cutthrough.fd < 0 || cutthrough.callout_hold_only)
+if(cutthrough.cctx.sock < 0 || cutthrough.callout_hold_only)
   return FALSE;
 
 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP>> DATA\n");
@@ -1340,7 +1358,7 @@
 cutthrough_flush_send();
 
 /* Assume nothing buffered.  If it was it gets ignored. */
-return cutthrough_response(cutthrough.fd, '3', NULL, CUTTHROUGH_DATA_TIMEOUT) == '3';
+return cutthrough_response(&cutthrough.cctx, '3', NULL, CUTTHROUGH_DATA_TIMEOUT) == '3';
 }
 
 
@@ -1367,7 +1385,7 @@
 {
 transport_ctx tctx;
 
-if(cutthrough.fd < 0 || cutthrough.callout_hold_only)
+if(cutthrough.cctx.sock < 0 || cutthrough.callout_hold_only)
   return FALSE;
 
 /* We share a routine with the mainline transport to handle header add/remove/rewrites,
@@ -1375,7 +1393,7 @@
 */
 HDEBUG(D_acl) debug_printf_indent("----------- start cutthrough headers send -----------\n");
 
-tctx.u.fd = cutthrough.fd;
+tctx.u.fd = cutthrough.cctx.sock;
 tctx.tblock = cutthrough.addr.transport;
 tctx.addr = &cutthrough.addr;
 tctx.check_string = US".";
@@ -1394,31 +1412,37 @@
 static void
 close_cutthrough_connection(const uschar * why)
 {
-int fd = cutthrough.fd;
+int fd = cutthrough.cctx.sock;
 if(fd >= 0)
   {
   /* We could be sending this after a bunch of data, but that is ok as
      the only way to cancel the transfer in dataphase is to drop the tcp
      conn before the final dot.
   */
-  ctblock.ptr = ctbuffer;
+  client_conn_ctx tmp_ctx = cutthrough.cctx;
+  ctctx.outblock.ptr = ctbuffer;
   HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP>> QUIT\n");
   _cutthrough_puts(US"QUIT\r\n", 6);	/* avoid recursion */
   _cutthrough_flush_send();
-  cutthrough.fd = -1;			/* avoid recursion via read timeout */
+  cutthrough.cctx.sock = -1;		/* avoid recursion via read timeout */
   cutthrough.nrcpt = 0;			/* permit re-cutthrough on subsequent message */
 
   /* Wait a short time for response, and discard it */
-  cutthrough_response(fd, '2', NULL, 1);
+  cutthrough_response(&tmp_ctx, '2', NULL, 1);
 
 #ifdef SUPPORT_TLS
-  tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
+  if (cutthrough.is_tls)
+    {
+    tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+    cutthrough.cctx.tls_ctx = NULL;
+    cutthrough.is_tls = FALSE;
+    }
 #endif
   HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
   (void)close(fd);
   HDEBUG(D_acl) debug_printf_indent("----------- cutthrough shutdown (%s) ------------\n", why);
   }
-ctblock.ptr = ctbuffer;
+ctctx.outblock.ptr = ctbuffer;
 }
 
 void
@@ -1433,9 +1457,10 @@
 void
 release_cutthrough_connection(const uschar * why)
 {
-if (cutthrough.fd < 0) return;
+if (cutthrough.cctx.sock < 0) return;
 HDEBUG(D_acl) debug_printf_indent("release cutthrough conn: %s\n", why);
-cutthrough.fd = -1;
+cutthrough.cctx.sock = -1;
+cutthrough.cctx.tls_ctx = NULL;
 cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
 }
 
@@ -1461,7 +1486,8 @@
   )
   return cutthrough.addr.message;
 
-res = cutthrough_response(cutthrough.fd, '2', &cutthrough.addr.message, CUTTHROUGH_DATA_TIMEOUT);
+res = cutthrough_response(&cutthrough.cctx, '2', &cutthrough.addr.message,
+	CUTTHROUGH_DATA_TIMEOUT);
 for (addr = &cutthrough.addr; addr; addr = addr->next)
   {
   addr->message = cutthrough.addr.message;
@@ -1613,18 +1639,18 @@
 */
 
 int
-verify_address(address_item *vaddr, FILE *f, int options, int callout,
-  int callout_overall, int callout_connect, uschar *se_mailfrom,
+verify_address(address_item * vaddr, FILE * fp, int options, int callout,
+  int callout_overall, int callout_connect, uschar * se_mailfrom,
   uschar *pm_mailfrom, BOOL *routed)
 {
 BOOL allok = TRUE;
-BOOL full_info = (f == NULL)? FALSE : (debug_selector != 0);
+BOOL full_info = fp ? debug_selector != 0 : FALSE;
 BOOL expn         = (options & vopt_expn) != 0;
 BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
 int i;
 int yield = OK;
 int verify_type = expn? v_expn :
-     address_test_mode? v_none :
+   f.address_test_mode? v_none :
           options & vopt_is_recipient? v_recipient : v_sender;
 address_item *addr_list;
 address_item *addr_new = NULL;
@@ -1657,10 +1683,10 @@
 
 if (parse_find_at(address) == NULL)
   {
-  if ((options & vopt_qualify) == 0)
+  if (!(options & vopt_qualify))
     {
-    if (f != NULL)
-      respond_printf(f, "%sA domain is required for \"%s\"%s\n",
+    if (fp)
+      respond_printf(fp, "%sA domain is required for \"%s\"%s\n",
         ko_prefix, address, cr);
     *failure_ptr = US"qualify";
     return FAIL;
@@ -1671,13 +1697,13 @@
 DEBUG(D_verify)
   {
   debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
-  debug_printf("%s %s\n", address_test_mode? "Testing" : "Verifying", address);
+  debug_printf("%s %s\n", f.address_test_mode? "Testing" : "Verifying", address);
   }
 
 /* Rewrite and report on it. Clear the domain and local part caches - these
 may have been set by domains and local part tests during an ACL. */
 
-if (global_rewrite_rules != NULL)
+if (global_rewrite_rules)
   {
   uschar *old = address;
   address = rewrite_address(address, options & vopt_is_recipient, FALSE,
@@ -1686,21 +1712,21 @@
     {
     for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
     for (i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
-    if (f != NULL && !expn) fprintf(f, "Address rewritten as: %s\n", address);
+    if (fp && !expn) fprintf(fp, "Address rewritten as: %s\n", address);
     }
   }
 
 /* If this is the real sender address, we must update sender_address at
 this point, because it may be referred to in the routers. */
 
-if ((options & (vopt_fake_sender|vopt_is_recipient)) == 0)
+if (!(options & (vopt_fake_sender|vopt_is_recipient)))
   sender_address = address;
 
 /* If the address was rewritten to <> no verification can be done, and we have
 to return OK. This rewriting is permitted only for sender addresses; for other
 addresses, such rewriting fails. */
 
-if (address[0] == 0) return OK;
+if (!address[0]) return OK;
 
 /* Flip the legacy TLS-related variables over to the outbound set in case
 they're used in the context of a transport used by verification. Reset them
@@ -1752,29 +1778,29 @@
   if (testflag(addr, af_pfr))
     {
     allok = FALSE;
-    if (f != NULL)
+    if (fp)
       {
       BOOL allow;
 
       if (addr->address[0] == '>')
         {
         allow = testflag(addr, af_allow_reply);
-        fprintf(f, "%s -> mail %s", addr->parent->address, addr->address + 1);
+        fprintf(fp, "%s -> mail %s", addr->parent->address, addr->address + 1);
         }
       else
         {
-        allow = (addr->address[0] == '|')?
-          testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
-        fprintf(f, "%s -> %s", addr->parent->address, addr->address);
+        allow = addr->address[0] == '|'
+          ? testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
+        fprintf(fp, "%s -> %s", addr->parent->address, addr->address);
         }
 
       if (addr->basic_errno == ERRNO_BADTRANSPORT)
-        fprintf(f, "\n*** Error in setting up pipe, file, or autoreply:\n"
+        fprintf(fp, "\n*** Error in setting up pipe, file, or autoreply:\n"
           "%s\n", addr->message);
       else if (allow)
-        fprintf(f, "\n  transport = %s\n", addr->transport->name);
+        fprintf(fp, "\n  transport = %s\n", addr->transport->name);
       else
-        fprintf(f, " *** forbidden ***\n");
+        fprintf(fp, " *** forbidden ***\n");
       }
     continue;
     }
@@ -1884,16 +1910,16 @@
                 (void)host_find_byname(host, NULL, flags, NULL, TRUE);
               else
 		{
-		dnssec_domains * dnssec_domains = NULL;
+		const dnssec_domains * dsp = NULL;
 		if (Ustrcmp(tp->driver_name, "smtp") == 0)
 		  {
 		  smtp_transport_options_block * ob =
 		      (smtp_transport_options_block *) tp->options_block;
-		  dnssec_domains = &ob->dnssec;
+		  dsp = &ob->dnssec;
 		  }
 
                 (void) host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
-		  dnssec_domains, NULL, NULL);
+		  dsp, NULL, NULL);
 		}
               }
             }
@@ -1906,7 +1932,7 @@
       if (host_list)
         {
         HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
-        if (host_checking && !host_checking_callout)
+        if (host_checking && !f.host_checking_callout)
           {
           HDEBUG(D_verify)
             debug_printf("... callout omitted by default when host testing\n"
@@ -1919,12 +1945,15 @@
 #endif
           rc = do_callout(addr, host_list, &tf, callout, callout_overall,
             callout_connect, options, se_mailfrom, pm_mailfrom);
+#ifdef SUPPORT_TLS
+	  deliver_set_expansions(NULL);
+#endif
           }
         }
       else
         {
         HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
-          "transport provided a host list\n");
+          "transport provided a host list, or transport is not smtp\n");
         }
       }
     }
@@ -1944,29 +1973,29 @@
   if (rc == FAIL)
     {
     allok = FALSE;
-    if (f)
+    if (fp)
       {
       address_item *p = addr->parent;
 
-      respond_printf(f, "%s%s %s", ko_prefix,
+      respond_printf(fp, "%s%s %s", ko_prefix,
         full_info ? addr->address : address,
-        address_test_mode ? "is undeliverable" : "failed to verify");
-      if (!expn && admin_user)
+        f.address_test_mode ? "is undeliverable" : "failed to verify");
+      if (!expn && f.admin_user)
         {
         if (addr->basic_errno > 0)
-          respond_printf(f, ": %s", strerror(addr->basic_errno));
+          respond_printf(fp, ": %s", strerror(addr->basic_errno));
         if (addr->message)
-          respond_printf(f, ": %s", addr->message);
+          respond_printf(fp, ": %s", addr->message);
         }
 
       /* Show parents iff doing full info */
 
       if (full_info) while (p)
         {
-        respond_printf(f, "%s\n    <-- %s", cr, p->address);
+        respond_printf(fp, "%s\n    <-- %s", cr, p->address);
         p = p->parent;
         }
-      respond_printf(f, "%s\n", cr);
+      respond_printf(fp, "%s\n", cr);
       }
     cancel_cutthrough_connection(TRUE, US"routing hard fail");
 
@@ -1983,29 +2012,29 @@
   else if (rc == DEFER)
     {
     allok = FALSE;
-    if (f)
+    if (fp)
       {
       address_item *p = addr->parent;
-      respond_printf(f, "%s%s cannot be resolved at this time", ko_prefix,
+      respond_printf(fp, "%s%s cannot be resolved at this time", ko_prefix,
         full_info? addr->address : address);
-      if (!expn && admin_user)
+      if (!expn && f.admin_user)
         {
         if (addr->basic_errno > 0)
-          respond_printf(f, ": %s", strerror(addr->basic_errno));
+          respond_printf(fp, ": %s", strerror(addr->basic_errno));
         if (addr->message)
-          respond_printf(f, ": %s", addr->message);
+          respond_printf(fp, ": %s", addr->message);
         else if (addr->basic_errno <= 0)
-          respond_printf(f, ": unknown error");
+          respond_printf(fp, ": unknown error");
         }
 
       /* Show parents iff doing full info */
 
       if (full_info) while (p)
         {
-        respond_printf(f, "%s\n    <-- %s", cr, p->address);
+        respond_printf(fp, "%s\n    <-- %s", cr, p->address);
         p = p->parent;
         }
-      respond_printf(f, "%s\n", cr);
+      respond_printf(fp, "%s\n", cr);
       }
     cancel_cutthrough_connection(TRUE, US"routing soft fail");
 
@@ -2026,16 +2055,16 @@
 
     if (!addr_new)
       if (!addr_local && !addr_remote)
-        respond_printf(f, "250 mail to <%s> is discarded\r\n", address);
+        respond_printf(fp, "250 mail to <%s> is discarded\r\n", address);
       else
-        respond_printf(f, "250 <%s>\r\n", address);
+        respond_printf(fp, "250 <%s>\r\n", address);
 
     else do
       {
       address_item *addr2 = addr_new;
       addr_new = addr2->next;
       if (!addr_new) ok_prefix = US"250 ";
-      respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
+      respond_printf(fp, "%s<%s>\r\n", ok_prefix, addr2->address);
       } while (addr_new);
     yield = OK;
     goto out;
@@ -2069,8 +2098,8 @@
 	  )  )
        )
       {
-      if (f) fprintf(f, "%s %s\n",
-        address, address_test_mode ? "is deliverable" : "verified");
+      if (fp) fprintf(fp, "%s %s\n",
+        address, f.address_test_mode ? "is deliverable" : "verified");
 
       /* If we have carried on to verify a child address, we want the value
       of $address_data to be that of the child */
@@ -2089,7 +2118,7 @@
   }     /* Loop for generated addresses */
 
 /* Display the full results of the successful routing, including any generated
-addresses. Control gets here only when full_info is set, which requires f not
+addresses. Control gets here only when full_info is set, which requires fp not
 to be NULL, and this occurs only when a top-level verify is called with the
 debugging switch on.
 
@@ -2099,7 +2128,7 @@
 
 if (allok && !addr_local && !addr_remote)
   {
-  fprintf(f, "mail to %s is discarded\n", address);
+  fprintf(fp, "mail to %s is discarded\n", address);
   goto out;
   }
 
@@ -2112,10 +2141,10 @@
 
     addr_list = addr->next;
 
-    fprintf(f, "%s", CS addr->address);
+    fprintf(fp, "%s", CS addr->address);
 #ifdef EXPERIMENTAL_SRS
     if(addr->prop.srs_sender)
-      fprintf(f, "    [srs = %s]", addr->prop.srs_sender);
+      fprintf(fp, "    [srs = %s]", addr->prop.srs_sender);
 #endif
 
     /* If the address is a duplicate, show something about it. */
@@ -2124,19 +2153,19 @@
       {
       tree_node *tnode;
       if ((tnode = tree_search(tree_duplicates, addr->unique)))
-        fprintf(f, "   [duplicate, would not be delivered]");
+        fprintf(fp, "   [duplicate, would not be delivered]");
       else tree_add_duplicate(addr->unique, addr);
       }
 
     /* Now show its parents */
 
     for (p = addr->parent; p; p = p->parent)
-      fprintf(f, "\n    <-- %s", p->address);
-    fprintf(f, "\n  ");
+      fprintf(fp, "\n    <-- %s", p->address);
+    fprintf(fp, "\n  ");
 
     /* Show router, and transport */
 
-    fprintf(f, "router = %s, transport = %s\n",
+    fprintf(fp, "router = %s, transport = %s\n",
       addr->router->name, tp ? tp->name : US"unset");
 
     /* Show any hosts that are set up by a router unless the transport
@@ -2156,20 +2185,20 @@
         }
       for (h = addr->host_list; h; h = h->next)
 	{
-	fprintf(f, "  host %-*s ", maxlen, h->name);
+	fprintf(fp, "  host %-*s ", maxlen, h->name);
 
 	if (h->address)
-	  fprintf(f, "[%s%-*c", h->address, maxaddlen+1 - Ustrlen(h->address), ']');
+	  fprintf(fp, "[%s%-*c", h->address, maxaddlen+1 - Ustrlen(h->address), ']');
 	else if (tp->info->local)
-	  fprintf(f, " %-*s ", maxaddlen, "");  /* Omit [unknown] for local */
+	  fprintf(fp, " %-*s ", maxaddlen, "");  /* Omit [unknown] for local */
 	else
-	  fprintf(f, "[%s%-*c", "unknown", maxaddlen+1 - 7, ']');
+	  fprintf(fp, "[%s%-*c", "unknown", maxaddlen+1 - 7, ']');
 
-        if (h->mx >= 0) fprintf(f, " MX=%d", h->mx);
-        if (h->port != PORT_NONE) fprintf(f, " port=%d", h->port);
-        if (running_in_test_harness  &&  h->dnssec == DS_YES) fputs(" AD", f);
-        if (h->status == hstatus_unusable) fputs(" ** unusable **", f);
-	fputc('\n', f);
+        if (h->mx >= 0) fprintf(fp, " MX=%d", h->mx);
+        if (h->port != PORT_NONE) fprintf(fp, " port=%d", h->port);
+        if (f.running_in_test_harness  &&  h->dnssec == DS_YES) fputs(" AD", fp);
+        if (h->status == hstatus_unusable) fputs(" ** unusable **", fp);
+	fputc('\n', fp);
         }
       }
     }
@@ -2225,7 +2254,7 @@
   /* Loop for multiple addresses in the header, enabling group syntax. Note
   that we have to reset this after the header has been scanned. */
 
-  parse_allow_group = TRUE;
+  f.parse_allow_group = TRUE;
 
   while (*s)
     {
@@ -2248,11 +2277,11 @@
       {
       if (h->type == htype_from || h->type == htype_sender)
         {
-        if (!allow_unqualified_sender) recipient = NULL;
+        if (!f.allow_unqualified_sender) recipient = NULL;
         }
       else
         {
-        if (!allow_unqualified_recipient) recipient = NULL;
+        if (!f.allow_unqualified_recipient) recipient = NULL;
         }
       if (recipient == NULL) errmess = US"unqualified address not permitted";
       }
@@ -2302,8 +2331,8 @@
     while (isspace(*s)) s++;
     }   /* Next address */
 
-  parse_allow_group = FALSE;
-  parse_found_group = FALSE;
+  f.parse_allow_group = FALSE;
+  f.parse_found_group = FALSE;
   }     /* Next header unless yield has been set FALSE */
 
 return yield;
@@ -2385,7 +2414,7 @@
     /* Loop for multiple addresses in the header, enabling group syntax. Note
     that we have to reset this after the header has been scanned. */
 
-    parse_allow_group = TRUE;
+    f.parse_allow_group = TRUE;
 
     while (*s != 0)
       {
@@ -2420,8 +2449,8 @@
       while (isspace(*s)) s++;
       }   /* Next address */
 
-    parse_allow_group = FALSE;
-    parse_found_group = FALSE;
+    f.parse_allow_group = FALSE;
+    f.parse_found_group = FALSE;
     }     /* Next header (if found is false) */
 
   if (!found) return FAIL;
@@ -2522,7 +2551,7 @@
     /* Scan the addresses in the header, enabling group syntax. Note that we
     have to reset this after the header has been scanned. */
 
-    parse_allow_group = TRUE;
+    f.parse_allow_group = TRUE;
 
     while (*s != 0)
       {
@@ -2640,8 +2669,8 @@
       s = ss;
       }     /* Next address */
 
-    parse_allow_group = FALSE;
-    parse_found_group = FALSE;
+    f.parse_allow_group = FALSE;
+    f.parse_found_group = FALSE;
     }       /* Next header, unless done */
   }         /* Next header type unless done */
 
@@ -2679,7 +2708,8 @@
 void
 verify_get_ident(int port)
 {
-int sock, host_af, qlen;
+client_conn_ctx ident_conn_ctx = {0};
+int host_af, qlen;
 int received_sender_port, received_interface_port, n;
 uschar *p;
 blob early_data;
@@ -2699,9 +2729,9 @@
 address, the incoming interface address will also be IPv6. */
 
 host_af = Ustrchr(sender_host_address, ':') == NULL ? AF_INET : AF_INET6;
-if ((sock = ip_socket(SOCK_STREAM, host_af)) < 0) return;
+if ((ident_conn_ctx.sock = ip_socket(SOCK_STREAM, host_af)) < 0) return;
 
-if (ip_bind(sock, host_af, interface_address, 0) < 0)
+if (ip_bind(ident_conn_ctx.sock, host_af, interface_address, 0) < 0)
   {
   DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
     strerror(errno));
@@ -2715,7 +2745,8 @@
 early_data.data = buffer;
 early_data.len = qlen;
 
-if (ip_connect(sock, host_af, sender_host_address, port,
+/*XXX we trust that the query is idempotent */
+if (ip_connect(ident_conn_ctx.sock, host_af, sender_host_address, port,
 		rfc1413_query_timeout, &early_data) < 0)
   {
   if (errno == ETIMEDOUT && LOGGING(ident_timeout))
@@ -2739,7 +2770,7 @@
   int size = sizeof(buffer) - (p - buffer);
 
   if (size <= 0) goto END_OFF;   /* Buffer filled without seeing \n. */
-  count = ip_recv(sock, p, size, rfc1413_query_timeout);
+  count = ip_recv(&ident_conn_ctx, p, size, rfc1413_query_timeout);
   if (count <= 0) goto END_OFF;  /* Read error or EOF */
 
   /* Scan what we just read, to see if we have reached the terminating \r\n. Be
@@ -2804,7 +2835,7 @@
 DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
 
 END_OFF:
-(void)close(sock);
+(void)close(ident_conn_ctx.sock);
 return;
 }
 
@@ -2998,8 +3029,8 @@
     log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
 
   result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL);
-  if (valueptr != NULL) *valueptr = result;
-  return (result != NULL)? OK : search_find_defer? DEFER: FAIL;
+  if (valueptr) *valueptr = result;
+  return result ? OK : f.search_find_defer ? DEFER: FAIL;
   }
 
 /* The pattern is not an IP address or network reference of any kind. That is,
@@ -3214,9 +3245,9 @@
 *      Check the given host item matches a list  *
 *************************************************/
 int
-verify_check_given_host(uschar **listptr, host_item *host)
+verify_check_given_host(const uschar **listptr, const host_item *host)
 {
-return verify_check_this_host(CUSS listptr, NULL, host->name, host->address, NULL);
+return verify_check_this_host(listptr, NULL, host->name, host->address, NULL);
 }
 
 /*************************************************
@@ -3409,9 +3440,8 @@
 
   /* If the lookup succeeded, cache the RHS address. The code allows for
   more than one address - this was for complete generality and the possible
-  use of A6 records. However, A6 records have been reduced to experimental
-  status (August 2001) and may die out. So they may never get used at all,
-  let alone in dnsbl records. However, leave the code here, just in case.
+  use of A6 records. However, A6 records are no longer supported. Leave the code
+  here, just in case.
 
   Quite apart from one A6 RR generating multiple addresses, there are DNS
   lists that return more than one A record, so we must handle multiple
diff -Nru exim4-4.91/src/version.h exim4-4.92~RC4/src/version.h
--- exim4-4.91/src/version.h	1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.92~RC4/src/version.h	2018-12-27 13:38:04.000000000 +0000
@@ -0,0 +1,8 @@
+/* automatically generated file - see ../scripts/reversion */
+#define EXIM_RELEASE_VERSION "4.92"
+#define EXIM_VARIANT_VERSION "RC4"
+#ifdef EXIM_VARIANT_VERSION
+#define EXIM_VERSION_STR EXIM_RELEASE_VERSION "-" EXIM_VARIANT_VERSION
+#else
+#define EXIM_VERSION_STR EXIM_RELEASE_VERSION
+#endif
diff -Nru exim4-4.91/src/version.sh exim4-4.92~RC4/src/version.sh
--- exim4-4.91/src/version.sh	2018-04-15 13:17:09.000000000 +0000
+++ exim4-4.92~RC4/src/version.sh	2018-12-27 13:38:04.000000000 +0000
@@ -1,4 +1,4 @@
-# initial version automatically generated from release-process/scripts/mk_exim_release
-EXIM_RELEASE_VERSION=4.91
-EXIM_VARIANT_VERSION=
-EXIM_COMPILE_NUMBER=0
+# automatically generated file - see ../scripts/reversion
+EXIM_RELEASE_VERSION="4.92"
+EXIM_VARIANT_VERSION="RC4"
+EXIM_COMPILE_NUMBER="1"