diff -ur src.orig/smtpd/Makefile.in src/smtpd/Makefile.in
--- src.orig/smtpd/Makefile.in	Tue Jan 15 08:25:19 2002
+++ src/smtpd/Makefile.in	Thu Jul 11 18:03:04 2002
@@ -9,12 +9,12 @@
 WARN	= -W -Wformat -Wimplicit -Wmissing-prototypes \
 	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
 	-Wunused
-DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
+DEFS	= -I. -I$(INC_DIR) -I/usr/include/postfix -D$(SYSTYPE)
 CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
 TESTPROG= smtpd_token smtpd_check
 PROG	= smtpd
-INC_DIR	= ../../include
-LIBS	= ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a
+INC_DIR	= /usr/include/postfix
+LIBS	= -lpostfix-master -lpostfix-global -lpostfix-dns -lpostfix-util ../../lib/libtlsglobal.a
 
 .c.o:;	$(CC) $(CFLAGS) -c $*.c
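Review bot: The `-I/usr/include/postfix` added to the DEFS line duplicates `-I$(INC_DIR)` now that INC_DIR is assigned that same path a few lines below, so the header location is hard-coded twice here and a third time in the printfck recipe of the next hunk. Keeping `DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)` and writing the recipe as `cd printfck; $(MAKE) "INC_DIR=$(INC_DIR)" ...` leaves a single knob to override when the installed headers live elsewhere, which is what a Makefile.in template is for (and `$(MAKE)` propagates flags that a literal `make` drops). In LIBS the static `../../lib/libtlsglobal.a` is listed after the `-lpostfix-*` entries; if those resolve to static archives and libtlsglobal.a references their symbols, a single-pass link will report them unresolved, so the archive should precede them. Whether libpostfix-* are shared or static is not visible in this diff.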
 
@@ -48,7 +48,7 @@
 	cp *.h printfck
 	sed '1,/^# do not edit/!d' Makefile >printfck/Makefile
 	set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done
-	cd printfck; make "INC_DIR=../../../include" `cd ..; ls *.o`
+	cd printfck; make "INC_DIR=/usr/include/postfix" `cd ..; ls *.o`
 
 lint:
 	lint $(DEFS) $(SRCS) $(LINTFIX)
@@ -94,43 +94,44 @@
 
 # do not edit below this line - it is generated by 'make depend'
 smtpd.o: smtpd.c
-smtpd.o: ../../include/sys_defs.h
-smtpd.o: ../../include/msg.h
-smtpd.o: ../../include/mymalloc.h
-smtpd.o: ../../include/vstring.h
-smtpd.o: ../../include/vbuf.h
-smtpd.o: ../../include/vstream.h
-smtpd.o: ../../include/vstring_vstream.h
-smtpd.o: ../../include/stringops.h
-smtpd.o: ../../include/events.h
-smtpd.o: ../../include/smtp_stream.h
-smtpd.o: ../../include/valid_hostname.h
-smtpd.o: ../../include/dict.h
-smtpd.o: ../../include/argv.h
-smtpd.o: ../../include/watchdog.h
-smtpd.o: ../../include/mail_params.h
-smtpd.o: ../../include/record.h
-smtpd.o: ../../include/rec_type.h
-smtpd.o: ../../include/mail_proto.h
-smtpd.o: ../../include/iostuff.h
-smtpd.o: ../../include/attr.h
-smtpd.o: ../../include/cleanup_user.h
-smtpd.o: ../../include/mail_date.h
-smtpd.o: ../../include/mail_conf.h
-smtpd.o: ../../include/off_cvt.h
-smtpd.o: ../../include/debug_peer.h
-smtpd.o: ../../include/mail_error.h
-smtpd.o: ../../include/name_mask.h
-smtpd.o: ../../include/flush_clnt.h
-smtpd.o: ../../include/mail_stream.h
-smtpd.o: ../../include/mail_queue.h
-smtpd.o: ../../include/tok822.h
-smtpd.o: ../../include/resolve_clnt.h
-smtpd.o: ../../include/verp_sender.h
-smtpd.o: ../../include/string_list.h
-smtpd.o: ../../include/match_list.h
-smtpd.o: ../../include/match_ops.h
-smtpd.o: ../../include/mail_server.h
+smtpd.o: /usr/include/postfix/sys_defs.h
+smtpd.o: /usr/include/postfix/msg.h
+smtpd.o: /usr/include/postfix/mymalloc.h
+smtpd.o: /usr/include/postfix/vstring.h
+smtpd.o: /usr/include/postfix/vbuf.h
+smtpd.o: /usr/include/postfix/vstream.h
+smtpd.o: /usr/include/postfix/vstring_vstream.h
+smtpd.o: /usr/include/postfix/stringops.h
+smtpd.o: /usr/include/postfix/events.h
+smtpd.o: /usr/include/postfix/smtp_stream.h
+smtpd.o: /usr/include/postfix/valid_hostname.h
+smtpd.o: /usr/include/postfix/dict.h
+smtpd.o: /usr/include/postfix/argv.h
+smtpd.o: /usr/include/postfix/watchdog.h
+smtpd.o: /usr/include/postfix/tls_mail_params.h
+smtpd.o: /usr/include/postfix/record.h
+smtpd.o: /usr/include/postfix/rec_type.h
+smtpd.o: /usr/include/postfix/mail_proto.h
+smtpd.o: /usr/include/postfix/iostuff.h
+smtpd.o: /usr/include/postfix/attr.h
+smtpd.o: /usr/include/postfix/cleanup_user.h
+smtpd.o: /usr/include/postfix/mail_date.h
+smtpd.o: /usr/include/postfix/mail_conf.h
+smtpd.o: /usr/include/postfix/off_cvt.h
+smtpd.o: /usr/include/postfix/debug_peer.h
+smtpd.o: /usr/include/postfix/mail_error.h
+smtpd.o: /usr/include/postfix/name_mask.h
+smtpd.o: /usr/include/postfix/flush_clnt.h
+smtpd.o: /usr/include/postfix/mail_stream.h
+smtpd.o: /usr/include/postfix/mail_queue.h
+smtpd.o: /usr/include/postfix/tok822.h
+smtpd.o: /usr/include/postfix/resolve_clnt.h
+smtpd.o: /usr/include/postfix/verp_sender.h
+smtpd.o: /usr/include/postfix/string_list.h
+smtpd.o: /usr/include/postfix/match_list.h
+smtpd.o: /usr/include/postfix/match_ops.h
+smtpd.o: /usr/include/postfix/mail_server.h
+smtpd.o: /usr/include/postfix/pfixtls.h
 smtpd.o: smtpd_token.h
 smtpd.o: smtpd.h
 smtpd.o: smtpd_check.h
@@ -138,137 +139,142 @@
 smtpd.o: smtpd_sasl_proto.h
 smtpd.o: smtpd_sasl_glue.h
 smtpd_chat.o: smtpd_chat.c
-smtpd_chat.o: ../../include/sys_defs.h
-smtpd_chat.o: ../../include/msg.h
-smtpd_chat.o: ../../include/argv.h
-smtpd_chat.o: ../../include/vstring.h
-smtpd_chat.o: ../../include/vbuf.h
-smtpd_chat.o: ../../include/vstream.h
-smtpd_chat.o: ../../include/stringops.h
-smtpd_chat.o: ../../include/line_wrap.h
-smtpd_chat.o: ../../include/mymalloc.h
-smtpd_chat.o: ../../include/smtp_stream.h
-smtpd_chat.o: ../../include/record.h
-smtpd_chat.o: ../../include/rec_type.h
-smtpd_chat.o: ../../include/mail_proto.h
-smtpd_chat.o: ../../include/iostuff.h
-smtpd_chat.o: ../../include/attr.h
-smtpd_chat.o: ../../include/mail_params.h
-smtpd_chat.o: ../../include/mail_addr.h
-smtpd_chat.o: ../../include/post_mail.h
-smtpd_chat.o: ../../include/cleanup_user.h
-smtpd_chat.o: ../../include/mail_error.h
-smtpd_chat.o: ../../include/name_mask.h
+smtpd_chat.o: /usr/include/postfix/sys_defs.h
+smtpd_chat.o: /usr/include/postfix/msg.h
+smtpd_chat.o: /usr/include/postfix/argv.h
+smtpd_chat.o: /usr/include/postfix/vstring.h
+smtpd_chat.o: /usr/include/postfix/vbuf.h
+smtpd_chat.o: /usr/include/postfix/vstream.h
+smtpd_chat.o: /usr/include/postfix/stringops.h
+smtpd_chat.o: /usr/include/postfix/line_wrap.h
+smtpd_chat.o: /usr/include/postfix/mymalloc.h
+smtpd_chat.o: /usr/include/postfix/smtp_stream.h
+smtpd_chat.o: /usr/include/postfix/record.h
+smtpd_chat.o: /usr/include/postfix/rec_type.h
+smtpd_chat.o: /usr/include/postfix/mail_proto.h
+smtpd_chat.o: /usr/include/postfix/iostuff.h
+smtpd_chat.o: /usr/include/postfix/attr.h
+smtpd_chat.o: /usr/include/postfix/tls_mail_params.h
+smtpd_chat.o: /usr/include/postfix/mail_addr.h
+smtpd_chat.o: /usr/include/postfix/post_mail.h
+smtpd_chat.o: /usr/include/postfix/cleanup_user.h
+smtpd_chat.o: /usr/include/postfix/mail_error.h
+smtpd_chat.o: /usr/include/postfix/name_mask.h
+smtpd_chat.o: /usr/include/postfix/pfixtls.h
 smtpd_chat.o: smtpd.h
-smtpd_chat.o: ../../include/mail_stream.h
+smtpd_chat.o: /usr/include/postfix/mail_stream.h
 smtpd_chat.o: smtpd_chat.h
 smtpd_check.o: smtpd_check.c
-smtpd_check.o: ../../include/sys_defs.h
-smtpd_check.o: ../../include/msg.h
-smtpd_check.o: ../../include/vstring.h
-smtpd_check.o: ../../include/vbuf.h
-smtpd_check.o: ../../include/split_at.h
-smtpd_check.o: ../../include/fsspace.h
-smtpd_check.o: ../../include/stringops.h
-smtpd_check.o: ../../include/valid_hostname.h
-smtpd_check.o: ../../include/argv.h
-smtpd_check.o: ../../include/mymalloc.h
-smtpd_check.o: ../../include/dict.h
-smtpd_check.o: ../../include/vstream.h
-smtpd_check.o: ../../include/htable.h
-smtpd_check.o: ../../include/ctable.h
-smtpd_check.o: ../../include/dns.h
-smtpd_check.o: ../../include/namadr_list.h
-smtpd_check.o: ../../include/match_list.h
-smtpd_check.o: ../../include/match_ops.h
-smtpd_check.o: ../../include/domain_list.h
-smtpd_check.o: ../../include/mail_params.h
-smtpd_check.o: ../../include/canon_addr.h
-smtpd_check.o: ../../include/resolve_clnt.h
-smtpd_check.o: ../../include/mail_error.h
-smtpd_check.o: ../../include/name_mask.h
-smtpd_check.o: ../../include/resolve_local.h
-smtpd_check.o: ../../include/own_inet_addr.h
-smtpd_check.o: ../../include/mail_conf.h
-smtpd_check.o: ../../include/maps.h
-smtpd_check.o: ../../include/mail_addr_find.h
-smtpd_check.o: ../../include/match_parent_style.h
-smtpd_check.o: ../../include/split_addr.h
+smtpd_check.o: /usr/include/postfix/sys_defs.h
+smtpd_check.o: /usr/include/postfix/msg.h
+smtpd_check.o: /usr/include/postfix/vstring.h
+smtpd_check.o: /usr/include/postfix/vbuf.h
+smtpd_check.o: /usr/include/postfix/split_at.h
+smtpd_check.o: /usr/include/postfix/fsspace.h
+smtpd_check.o: /usr/include/postfix/stringops.h
+smtpd_check.o: /usr/include/postfix/valid_hostname.h
+smtpd_check.o: /usr/include/postfix/argv.h
+smtpd_check.o: /usr/include/postfix/mymalloc.h
+smtpd_check.o: /usr/include/postfix/dict.h
+smtpd_check.o: /usr/include/postfix/vstream.h
+smtpd_check.o: /usr/include/postfix/htable.h
+smtpd_check.o: /usr/include/postfix/ctable.h
+smtpd_check.o: /usr/include/postfix/dns.h
+smtpd_check.o: /usr/include/postfix/namadr_list.h
+smtpd_check.o: /usr/include/postfix/match_list.h
+smtpd_check.o: /usr/include/postfix/match_ops.h
+smtpd_check.o: /usr/include/postfix/domain_list.h
+smtpd_check.o: /usr/include/postfix/tls_mail_params.h
+smtpd_check.o: /usr/include/postfix/canon_addr.h
+smtpd_check.o: /usr/include/postfix/resolve_clnt.h
+smtpd_check.o: /usr/include/postfix/mail_error.h
+smtpd_check.o: /usr/include/postfix/name_mask.h
+smtpd_check.o: /usr/include/postfix/resolve_local.h
+smtpd_check.o: /usr/include/postfix/own_inet_addr.h
+smtpd_check.o: /usr/include/postfix/mail_conf.h
+smtpd_check.o: /usr/include/postfix/maps.h
+smtpd_check.o: /usr/include/postfix/mail_addr_find.h
+smtpd_check.o: /usr/include/postfix/match_parent_style.h
+smtpd_check.o: /usr/include/postfix/split_addr.h
+smtpd_check.o: /usr/include/postfix/pfixtls.h
 smtpd_check.o: smtpd.h
-smtpd_check.o: ../../include/mail_stream.h
+smtpd_check.o: /usr/include/postfix/mail_stream.h
 smtpd_check.o: smtpd_sasl_glue.h
 smtpd_check.o: smtpd_check.h
 smtpd_peer.o: smtpd_peer.c
-smtpd_peer.o: ../../include/sys_defs.h
-smtpd_peer.o: ../../include/msg.h
-smtpd_peer.o: ../../include/mymalloc.h
-smtpd_peer.o: ../../include/valid_hostname.h
-smtpd_peer.o: ../../include/stringops.h
-smtpd_peer.o: ../../include/vstring.h
-smtpd_peer.o: ../../include/vbuf.h
+smtpd_peer.o: /usr/include/postfix/sys_defs.h
+smtpd_peer.o: /usr/include/postfix/msg.h
+smtpd_peer.o: /usr/include/postfix/mymalloc.h
+smtpd_peer.o: /usr/include/postfix/valid_hostname.h
+smtpd_peer.o: /usr/include/postfix/stringops.h
+smtpd_peer.o: /usr/include/postfix/vstring.h
+smtpd_peer.o: /usr/include/postfix/vbuf.h
 smtpd_peer.o: smtpd.h
-smtpd_peer.o: ../../include/vstream.h
-smtpd_peer.o: ../../include/argv.h
-smtpd_peer.o: ../../include/mail_stream.h
+smtpd_peer.o: /usr/include/postfix/vstream.h
+smtpd_peer.o: /usr/include/postfix/argv.h
+smtpd_peer.o: /usr/include/postfix/mail_stream.h
+smtpd_peer.o: /usr/include/postfix/pfixtls.h
 smtpd_sasl_glue.o: smtpd_sasl_glue.c
-smtpd_sasl_glue.o: ../../include/sys_defs.h
-smtpd_sasl_glue.o: ../../include/msg.h
-smtpd_sasl_glue.o: ../../include/mymalloc.h
-smtpd_sasl_glue.o: ../../include/namadr_list.h
-smtpd_sasl_glue.o: ../../include/match_list.h
-smtpd_sasl_glue.o: ../../include/match_ops.h
-smtpd_sasl_glue.o: ../../include/name_mask.h
-smtpd_sasl_glue.o: ../../include/mail_params.h
-smtpd_sasl_glue.o: ../../include/smtp_stream.h
-smtpd_sasl_glue.o: ../../include/vstring.h
-smtpd_sasl_glue.o: ../../include/vbuf.h
-smtpd_sasl_glue.o: ../../include/vstream.h
+smtpd_sasl_glue.o: /usr/include/postfix/sys_defs.h
+smtpd_sasl_glue.o: /usr/include/postfix/msg.h
+smtpd_sasl_glue.o: /usr/include/postfix/mymalloc.h
+smtpd_sasl_glue.o: /usr/include/postfix/namadr_list.h
+smtpd_sasl_glue.o: /usr/include/postfix/match_list.h
+smtpd_sasl_glue.o: /usr/include/postfix/match_ops.h
+smtpd_sasl_glue.o: /usr/include/postfix/name_mask.h
+smtpd_sasl_glue.o: /usr/include/postfix/tls_mail_params.h
+smtpd_sasl_glue.o: /usr/include/postfix/smtp_stream.h
+smtpd_sasl_glue.o: /usr/include/postfix/vstring.h
+smtpd_sasl_glue.o: /usr/include/postfix/vbuf.h
+smtpd_sasl_glue.o: /usr/include/postfix/vstream.h
 smtpd_sasl_glue.o: smtpd.h
-smtpd_sasl_glue.o: ../../include/argv.h
-smtpd_sasl_glue.o: ../../include/mail_stream.h
+smtpd_sasl_glue.o: /usr/include/postfix/argv.h
+smtpd_sasl_glue.o: /usr/include/postfix/mail_stream.h
 smtpd_sasl_glue.o: smtpd_sasl_glue.h
 smtpd_sasl_glue.o: smtpd_chat.h
 smtpd_sasl_proto.o: smtpd_sasl_proto.c
-smtpd_sasl_proto.o: ../../include/sys_defs.h
-smtpd_sasl_proto.o: ../../include/msg.h
-smtpd_sasl_proto.o: ../../include/mymalloc.h
-smtpd_sasl_proto.o: ../../include/mail_params.h
-smtpd_sasl_proto.o: ../../include/mail_proto.h
-smtpd_sasl_proto.o: ../../include/vstream.h
-smtpd_sasl_proto.o: ../../include/vbuf.h
-smtpd_sasl_proto.o: ../../include/iostuff.h
-smtpd_sasl_proto.o: ../../include/attr.h
-smtpd_sasl_proto.o: ../../include/mail_error.h
-smtpd_sasl_proto.o: ../../include/name_mask.h
+smtpd_sasl_proto.o: /usr/include/postfix/sys_defs.h
+smtpd_sasl_proto.o: /usr/include/postfix/msg.h
+smtpd_sasl_proto.o: /usr/include/postfix/mymalloc.h
+smtpd_sasl_proto.o: /usr/include/postfix/tls_mail_params.h
+smtpd_sasl_proto.o: /usr/include/postfix/mail_proto.h
+smtpd_sasl_proto.o: /usr/include/postfix/vstream.h
+smtpd_sasl_proto.o: /usr/include/postfix/vbuf.h
+smtpd_sasl_proto.o: /usr/include/postfix/iostuff.h
+smtpd_sasl_proto.o: /usr/include/postfix/attr.h
+smtpd_sasl_proto.o: /usr/include/postfix/mail_error.h
+smtpd_sasl_proto.o: /usr/include/postfix/name_mask.h
 smtpd_sasl_proto.o: smtpd.h
-smtpd_sasl_proto.o: ../../include/vstring.h
-smtpd_sasl_proto.o: ../../include/argv.h
-smtpd_sasl_proto.o: ../../include/mail_stream.h
+smtpd_sasl_proto.o: /usr/include/postfix/vstring.h
+smtpd_sasl_proto.o: /usr/include/postfix/argv.h
+smtpd_sasl_proto.o: /usr/include/postfix/mail_stream.h
 smtpd_sasl_proto.o: smtpd_token.h
 smtpd_sasl_proto.o: smtpd_chat.h
 smtpd_sasl_proto.o: smtpd_sasl_proto.h
 smtpd_sasl_proto.o: smtpd_sasl_glue.h
 smtpd_state.o: smtpd_state.c
-smtpd_state.o: ../../include/sys_defs.h
-smtpd_state.o: ../../include/events.h
-smtpd_state.o: ../../include/mymalloc.h
-smtpd_state.o: ../../include/vstream.h
-smtpd_state.o: ../../include/vbuf.h
-smtpd_state.o: ../../include/name_mask.h
-smtpd_state.o: ../../include/msg.h
-smtpd_state.o: ../../include/cleanup_user.h
-smtpd_state.o: ../../include/mail_params.h
-smtpd_state.o: ../../include/mail_error.h
+smtpd_state.o: /usr/include/postfix/sys_defs.h
+smtpd_state.o: /usr/include/postfix/events.h
+smtpd_state.o: /usr/include/postfix/mymalloc.h
+smtpd_state.o: /usr/include/postfix/vstream.h
+smtpd_state.o: /usr/include/postfix/vbuf.h
+smtpd_state.o: /usr/include/postfix/name_mask.h
+smtpd_state.o: /usr/include/postfix/msg.h
+smtpd_state.o: /usr/include/postfix/cleanup_user.h
+smtpd_state.o: /usr/include/postfix/tls_mail_params.h
+smtpd_state.o: /usr/include/postfix/mail_error.h
 smtpd_state.o: smtpd.h
-smtpd_state.o: ../../include/vstring.h
-smtpd_state.o: ../../include/argv.h
-smtpd_state.o: ../../include/mail_stream.h
+smtpd_state.o: /usr/include/postfix/vstring.h
+smtpd_state.o: /usr/include/postfix/argv.h
+smtpd_state.o: /usr/include/postfix/mail_stream.h
+smtpd_state.o: /usr/include/postfix/pfixtls.h
 smtpd_state.o: smtpd_chat.h
 smtpd_state.o: smtpd_sasl_glue.h
 smtpd_token.o: smtpd_token.c
-smtpd_token.o: ../../include/sys_defs.h
-smtpd_token.o: ../../include/mymalloc.h
-smtpd_token.o: ../../include/mvect.h
+smtpd_token.o: /usr/include/postfix/sys_defs.h
+smtpd_token.o: /usr/include/postfix/mymalloc.h
+smtpd_token.o: /usr/include/postfix/mvect.h
 smtpd_token.o: smtpd_token.h
-smtpd_token.o: ../../include/vstring.h
-smtpd_token.o: ../../include/vbuf.h
+smtpd_token.o: /usr/include/postfix/vstring.h
+smtpd_token.o: /usr/include/postfix/vbuf.h
+smtpd_token.o: /usr/include/postfix/pfixtls.h
diff -ur src.orig/smtpd/smtpd.c src/smtpd/smtpd.c
--- src.orig/smtpd/smtpd.c	Thu Jul 11 15:09:52 2002
+++ src/smtpd/smtpd.c	Thu Jul 11 17:48:38 2002
@@ -296,7 +296,7 @@
 
 /* Global library. */
 
-#include <mail_params.h>
+#include <tls_mail_params.h>
 #include <record.h>
 #include <rec_type.h>
 #include <mail_proto.h>
@@ -312,6 +312,7 @@
 #include <tok822.h>
 #include <verp_sender.h>
 #include <string_list.h>
+#include <pfixtls.h>
 
 /* Single-threaded server skeleton. */
 
@@ -336,6 +337,7 @@
   */
 int     var_smtpd_rcpt_limit;
 int     var_smtpd_tmout;
+char   *var_relay_ccerts;
 int     var_smtpd_soft_erlim;
 int     var_smtpd_hard_erlim;
 int     var_queue_minfree;		/* XXX use off_t */
@@ -383,6 +385,15 @@
 char   *var_smtpd_noop_cmds;
 char   *var_smtpd_null_key;
 int     var_smtpd_hist_thrsh;
+int     var_smtpd_starttls_tmout;
+int     var_smtpd_tls_wrappermode;
+int     var_smtpd_use_tls;
+int     var_smtpd_enforce_tls;
+int     var_smtpd_tls_auth_only;
+int     var_smtpd_tls_ask_ccert;
+int     var_smtpd_tls_req_ccert;
+int     var_smtpd_tls_ccert_vd;
+int     var_smtpd_tls_received_header;
 
  /*
   * Silly little macros.
@@ -487,11 +498,21 @@
     if (var_disable_vrfy_cmd == 0)
 	smtpd_chat_reply(state, "250-VRFY");
     smtpd_chat_reply(state, "250-ETRN");
+#ifdef HAS_SSL
+    if ((state->tls_use_tls || state->tls_enforce_tls) && (!state->tls_active))
+	smtpd_chat_reply(state, "250-STARTTLS");
+#endif
 #ifdef USE_SASL_AUTH
     if (var_smtpd_sasl_enable) {
+#ifdef HAS_SSL
+      if (!state->tls_auth_only || state->tls_active) {
+#endif
 	smtpd_chat_reply(state, "250-AUTH %s", state->sasl_mechanism_list);
 	if (var_broken_auth_clients)
 	    smtpd_chat_reply(state, "250-AUTH=%s", state->sasl_mechanism_list);
+#ifdef HAS_SSL
+      }
+#endif
     }
 #endif
     smtpd_chat_reply(state, "250-%s", VERP_CMD);
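Review bot: Hiding AUTH from the EHLO reply when `tls_auth_only` is set and TLS is not yet active only affects advertising; unless `smtpd_sasl_auth_cmd` rejects AUTH under the same condition (that code is not in this diff, and the command loop later in the file gates only on `tls_enforce_tls`), a client can still authenticate over cleartext. The two `#ifdef HAS_SSL` fragments that open a brace in one place and close it in another, indented by six spaces, make the nesting hard to follow; declaring `int auth_ok = 1;` before the `#ifdef USE_SASL_AUTH` block, setting `auth_ok = !state->tls_auth_only || state->tls_active;` under `#ifdef HAS_SSL`, and testing `if (var_smtpd_sasl_enable && auth_ok) {` keeps one balanced `if`. The `|| state->tls_enforce_tls` in the STARTTLS condition looks redundant, since smtpd_service sets `tls_use_tls` from both flags. ehlo_cmd starts and ends outside the hunk.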
@@ -900,11 +921,76 @@
     state->rcpt_count = 0;
 }
 
+/* CN_sanitize - make sure, the CN-string is well behaved */
+
+static void CN_sanitize(char *CNstring)
+{
+    int i;
+    int len;
+    int parencount;
+
+    /*
+     * The information included in the CN (CommonName) of the peer and its
+     * issuer can be included into the Received: header line. The characters
+     * allowed as well as comment nesting are limited by RFC822.
+     */
+
+    len = strlen(CNstring);
+    /*
+     * The Received: header can only contain characters. Make sure that only
+     * acceptable characters are printed. Maybe we could allow more, but
+     * not everything makes sense inside a CommonName.
+     */
+    for (i = 0; i < len; i++) 
+	if (!((CNstring[i] >= 'A') && (CNstring[i] <='Z')) &&
+	    !((CNstring[i] >= 'a') && (CNstring[i] <='z')) &&
+	    !((CNstring[i] >= '0') && (CNstring[i] <='9')) &&
+	    (CNstring[i] != '(') && (CNstring[i] != ')') &&
+	    (CNstring[i] != '[') && (CNstring[i] != ']') &&
+	    (CNstring[i] != '{') && (CNstring[i] != '}') &&
+	    (CNstring[i] != '<') && (CNstring[i] != '>') &&
+	    (CNstring[i] != '?') && (CNstring[i] != '!') &&
+	    (CNstring[i] != ';') && (CNstring[i] != ':') &&
+	    (CNstring[i] != '"') && (CNstring[i] != '\'') &&
+	    (CNstring[i] != '/') && (CNstring[i] != '|') &&
+	    (CNstring[i] != '+') && (CNstring[i] != '&') &&
+	    (CNstring[i] != '~') && (CNstring[i] != '@') &&
+	    (CNstring[i] != '#') && (CNstring[i] != '$') &&
+	    (CNstring[i] != '%') && (CNstring[i] != '&') &&
+	    (CNstring[i] != '^') && (CNstring[i] != '*') &&
+	    (CNstring[i] != '_') && (CNstring[i] != '-') &&
+	    (CNstring[i] != '.') && (CNstring[i] != ' '))
+	    CNstring[i] = '?';
+
+    /*
+     * This information will go into the Received: header inside a comment.
+     * Since comments can be nested, parentheses '(' and ')' must match.
+     */
+    parencount = 0;
+    for (i = 0; i < len; i++) {
+	if (CNstring[i] == '(')
+	    parencount++;
+	else if (CNstring[i] == ')')
+	    parencount--;
+    }
+    /*
+     * The necessary condition is violated. Do YOU know, where to correct?
+     * I don't know, so I will practically remove all parentheses.
+     */
+    if (parencount != 0) {
+	for (i = 0; i < len; i++)
+	    if ((CNstring[i] == '(') || (CNstring[i] == ')'))
+		CNstring[i] = '/';
+    }
+}
+
 /* data_cmd - process DATA command */
 
 static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 {
     char   *start;
+    char   *peer_CN;
+    char   *issuer_CN;
     int     len;
     int     curr_rec_type;
     int     prev_rec_type;
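Review bot: The parenthesis check in CN_sanitize only tests the net count, so a CN such as `)(` passes untouched and its leading `)` closes the enclosing Received: comment early, which is exactly what the second loop is meant to prevent; a running count that goes negative (a `)` seen before its `(`) must also count as unbalanced. The 30-term comparison chain is hard to audit (it tests `&` twice) and is equivalent to a `strchr` lookup in a constant string, which makes the accepted set readable at a glance. The rewrite below keeps the accepted character set and the `?` / `/` replacements identical and only tightens the nesting test. data_cmd begins at the end of this hunk and continues outside it.
```c
static void CN_sanitize(char *CNstring)
{
    /* Exactly the characters the original comparison chain accepted. */
    static const char allowed[] =
	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
	"()[]{}<>?!;:\"'/|+&~@#$%^*_-. ";
    int     i;
    int     len;
    int     parencount;
    int     unbalanced = 0;

    len = strlen(CNstring);
    for (i = 0; i < len; i++)
	if (strchr(allowed, CNstring[i]) == 0)
	    CNstring[i] = '?';

    /*
     * Parentheses must nest properly, not merely balance in count: a ')'
     * ahead of its '(' would close the enclosing Received: comment.
     */
    parencount = 0;
    for (i = 0; i < len; i++) {
	if (CNstring[i] == '(')
	    parencount++;
	else if (CNstring[i] == ')' && --parencount < 0)
	    unbalanced = 1;
    }
    if (unbalanced || parencount != 0) {
	for (i = 0; i < len; i++)
	    if ((CNstring[i] == '(') || (CNstring[i] == ')'))
		CNstring[i] = '/';
    }
}
```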
@@ -943,6 +1029,35 @@
 		"Received: from %s (%s [%s])",
 		state->helo_name ? state->helo_name : state->name,
 		state->name, state->addr);
+    if (var_smtpd_tls_received_header && state->tls_active) {
+	rec_fprintf(state->cleanup, REC_TYPE_NORM,
+		    "\t(using %s with cipher %s (%d/%d bits))",
+		    state->tls_info.protocol, state->tls_info.cipher_name,
+		    state->tls_info.cipher_usebits,
+		    state->tls_info.cipher_algbits);
+	if (state->tls_info.peer_CN) {
+            peer_CN = mystrdup(state->tls_info.peer_CN);
+	    CN_sanitize(peer_CN);
+            issuer_CN = mystrdup(state->tls_info.issuer_CN);
+	    CN_sanitize(issuer_CN);
+	    if (state->tls_info.peer_verified)
+		rec_fprintf(state->cleanup, REC_TYPE_NORM,
+			"\t(Client CN \"%s\", Issuer \"%s\" (verified OK))",
+			peer_CN, issuer_CN);
+	    else
+		rec_fprintf(state->cleanup, REC_TYPE_NORM,
+			"\t(Client CN \"%s\", Issuer \"%s\" (not verified))",
+			peer_CN, issuer_CN);
+	    myfree(issuer_CN);
+	    myfree(peer_CN);
+	}
+	else if (var_smtpd_tls_ask_ccert)
+	    rec_fprintf(state->cleanup, REC_TYPE_NORM,
+			"\t(Client did not present a certificate)");
+	else
+	    rec_fprintf(state->cleanup, REC_TYPE_NORM,
+			"\t(No client certificate requested)");
+    }
     if (state->rcpt_count == 1 && state->recipient) {
 	rec_fprintf(state->cleanup, REC_TYPE_NORM,
 		    "\tby %s (%s) with %s id %s",
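Review bot: `mystrdup(state->tls_info.issuer_CN)` is reached whenever `peer_CN` is set, with no check that `issuer_CN` is set too; if the TLS layer can populate one without the other (not visible here), this is a null-pointer argument to mystrdup, which as far as I recall panics rather than returning NULL, so guard with `if (state->tls_info.peer_CN && state->tls_info.issuer_CN)` or sanitize a copy of `""` for the missing one. The two `mystrdup` lines are indented with spaces while their neighbours use tabs, unlike the rest of the file. data_cmd starts and ends outside the hunk.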
@@ -1292,6 +1407,77 @@
     }
 }
 
+static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
+{
+    char   *err;
+
+#ifdef HAS_SSL
+    if (argc != 1) {
+	state->error_mask |= MAIL_ERROR_PROTOCOL;
+	smtpd_chat_reply(state, "501 Syntax: STARTTLS");
+	return (-1);
+    }
+    if (state->tls_active != 0) {
+	state->error_mask |= MAIL_ERROR_PROTOCOL;
+	smtpd_chat_reply(state, "554 Error: TLS already active");
+	return (-1);
+    }
+    if (state->tls_use_tls == 0) {
+	state->error_mask |= MAIL_ERROR_PROTOCOL;
+	smtpd_chat_reply(state, "502 Error: command not implemented");
+	return (-1);
+    }
+    if (!pfixtls_serverengine) {
+	smtpd_chat_reply(state, "454 TLS not available due to temporary reason");
+	return (0);
+    }
+    smtpd_chat_reply(state, "220 Ready to start TLS");
+    vstream_fflush(state->client);
+    /*
+     * When deciding about continuing the handshake, we will stop when a
+     * client certificate was _required_ and none was presented or the
+     * verification failed. This however does only make sense when TLS is
+     * enforced. Otherwise we would happily perform perform the SMTP
+     * transaction without any STARTTLS at all! So only have the handshake
+     * fail when TLS is also enforced.
+     */
+    if (pfixtls_start_servertls(state->client, var_smtpd_starttls_tmout,
+				state->name, state->addr, &(state->tls_info),
+			(var_smtpd_tls_req_ccert && state->tls_enforce_tls))) {
+	/*
+         * Typically the connection is hanging at this point, so
+         * we should try to shut it down by force! Unfortunately this
+         * problem is not addressed in postfix!
+         */
+	return (-1);
+    }
+    state->tls_active = 1;
+    helo_reset(state);
+    mail_reset(state);
+    rcpt_reset(state);
+    return (0);
+#else
+    state->error_mask |= MAIL_ERROR_PROTOCOL;
+    smtpd_chat_reply(state, "502 Error: command not implemented");
+    return (-1);
+#endif
+}
+
+static void tls_reset(SMTPD_STATE *state)
+{
+    int failure = 0;
+
+    if (state->reason && state->where && strcmp(state->where, SMTPD_AFTER_DOT))
+	failure = 1;
+#ifdef HAS_SSL
+    vstream_fflush(state->client);
+    if (state->tls_active)
+	pfixtls_stop_servertls(state->client, var_smtpd_starttls_tmout,
+			       failure, &(state->tls_info));
+#endif
+    state->tls_active = 0;
+}
+
  /*
   * The table of all SMTP commands that we know. Set the junk limit flag on
   * any command that can be repeated an arbitrary number of times without
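Review bot: `char *err;` in starttls_cmd is never used in either preprocessor branch and will trip the `-Wunused` the Makefile enables; drop it. After a successful handshake the function resets HELO, MAIL and RCPT state but not SASL state, although RFC 3207 requires the server to discard everything learned from the client before TLS; if the SASL layer keeps per-session authentication state (the cleanup block in the later hunk appears to reset something under `var_smtpd_sasl_enable`), a client that authenticated before STARTTLS keeps that status across the negotiation, and the same reset call belongs here under `#ifdef USE_SASL_AUTH`. The handshake-failure comment is indented with spaces where the file uses tabs.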
@@ -1310,6 +1496,10 @@
     "HELO", helo_cmd, SMTPD_CMD_FLAG_LIMIT,
     "EHLO", ehlo_cmd, SMTPD_CMD_FLAG_LIMIT,
 
+#ifdef HAS_SSL
+    "STARTTLS", starttls_cmd, 0,
+#endif
+
 #ifdef USE_SASL_AUTH
     "AUTH", smtpd_sasl_auth_cmd, 0,
 #endif
@@ -1418,9 +1608,28 @@
 		state->error_count++;
 		continue;
 	    }
+	    if (state->tls_enforce_tls &&
+		!state->tls_active &&
+		cmdp->action != starttls_cmd &&
+		cmdp->action != noop_cmd &&
+		cmdp->action != ehlo_cmd &&
+		cmdp->action != quit_cmd) {
+		smtpd_chat_reply(state,
+				 "530 Must issue a STARTTLS command first");
+		state->error_count++;
+		continue;
+	    }
 	    state->where = cmdp->name;
-	    if (cmdp->action(state, argc, argv) != 0)
+	    if (cmdp->action(state, argc, argv) != 0) {
 		state->error_count++;
+		/*
+		 * Die after TLS negotiation failure, as there is no
+		 * stable way to recover from a possible mixture of
+		 * TLS and SMTP protocol from the client.
+		 */
+		if (cmdp->action == starttls_cmd)
+		    break;
+	    }
 	    if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
 		&& state->junk_cmds++ > var_smtpd_junk_cmd_limit)
 		state->error_count++;
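Review bot: The `break` after a failed `starttls_cmd` fires on every non-zero return, not only after a failed negotiation as the comment says: `STARTTLS extra` (501), a second STARTTLS (554) and STARTTLS with TLS disabled (502) each end the session, where the same class of error on any other command merely bumps `error_count`. Only the path after `pfixtls_start_servertls` fails leaves the stream in an undefined state, so signal that path distinctly (a state flag set there, or a return value the loop tests instead of `cmdp->action == starttls_cmd`) and let the protocol-level rejections continue. The enforce-TLS gate also runs before `state->where = cmdp->name`, so a 530 is attributed to the previous command if anything later reads `where`; moving the assignment above the gate is harmless. The enclosing loop starts and ends outside the hunk.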
@@ -1444,6 +1653,7 @@
      * Cleanup whatever information the client gave us during the SMTP
      * dialog.
      */
+    tls_reset(state);
     helo_reset(state);
 #ifdef USE_SASL_AUTH
     if (var_smtpd_sasl_enable)
@@ -1476,6 +1686,39 @@
      * machines.
      */
     smtpd_state_init(&state, stream);
+#ifdef HAS_SSL
+    state.tls_use_tls = var_smtpd_use_tls | var_smtpd_enforce_tls;
+    state.tls_enforce_tls = var_smtpd_enforce_tls;
+    if (var_smtpd_tls_wrappermode) {
+	/*
+	 * TLS has been set to wrapper mode, meaning that we run on a
+	 * seperate port and we must switch to TLS layer before actually
+	 * performing the SMTP protocol. This implies enforce-mode.
+	 */
+	state.tls_use_tls = state.tls_enforce_tls = 1;
+	if (pfixtls_start_servertls(state.client, var_smtpd_starttls_tmout,
+                                    state.name, state.addr, &state.tls_info,
+				    var_smtpd_tls_req_ccert)) {
+            /*
+             * Typically the connection is hanging at this point, so
+             * we should try to shut it down by force! Unfortunately this
+             * problem is not addressed in postfix!
+             */
+            return;
+	}
+	state.tls_active = 1;
+    }
+    if (var_smtpd_tls_auth_only || state.tls_enforce_tls)
+	state.tls_auth_only = 1;
+#else
+    state.tls_use_tls = 0;
+    state.tls_enforce_tls = 0;
+    state.tls_auth_only = 0;
+#endif
+
+    /*
+     * Provide the SMTP service.
+     */
 
     /*
      * See if we need to turn on verbose logging for this client.
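Review bot: The wrapper-mode `return;` after a failed `pfixtls_start_servertls` leaves smtpd_service without running whatever teardown follows `smtpd_proto(&state)` for the state that `smtpd_state_init` just set up (that tail is outside the hunk), so a failed handshake likely leaks per-connection state; falling through to the existing cleanup with `tls_active` left at 0 avoids that. This path also skips the `!pfixtls_serverengine` check that starttls_cmd performs before calling the same function, so wrapper mode attempts a handshake even when engine initialisation failed. The relocated `/* Provide the SMTP service. */` comment now sits above the verbose-logging code instead of the `smtpd_proto(&state)` call it describes (the original copy is removed in the next hunk), and `seperate` in the wrapper-mode comment should read `separate`. smtpd_service starts and ends outside the hunk.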
@@ -1493,10 +1736,6 @@
 	smtpd_chat_reply(&state, "220 %s", var_smtpd_banner);
 	msg_info("connect from %s[%s]", state.name, state.addr);
     }
-
-    /*
-     * Provide the SMTP service.
-     */
     smtpd_proto(&state);
 
     /*
@@ -1522,7 +1761,6 @@
 
 static void pre_jail_init(char *unused_name, char **unused_argv)
 {
-
     /*
      * Initialize blacklist/etc. patterns before entering the chroot jail, in
      * case they specify a filename pattern.
@@ -1538,6 +1776,12 @@
 	msg_warn("%s is true, but SASL support is not compiled in",
 		 VAR_SMTPD_SASL_ENABLE);
 #endif
+
+#ifdef HAS_SSL
+    if (var_smtpd_use_tls || var_smtpd_enforce_tls || var_smtpd_tls_wrappermode)
+	pfixtls_init_serverengine(var_smtpd_tls_ccert_vd,
+				  var_smtpd_tls_ask_ccert);
+#endif
 }
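Review bot: `pfixtls_init_serverengine` is called without any check that it succeeded; starttls_cmd later tests the global `pfixtls_serverengine`, which suggests failure is reported through that variable rather than a return value (not visible here). With `smtpd_enforce_tls` or wrapper mode set, a failed initialisation leaves every client getting 454 or 530 with nothing in the log saying why; adding `if (!pfixtls_serverengine) msg_warn("TLS engine initialization failed; STARTTLS unavailable");` after the call makes the condition visible at startup.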
 
 /* main - the main program */
@@ -1560,11 +1804,15 @@
 	VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code, 0, 0,
 	VAR_SMTPD_JUNK_CMD, DEF_SMTPD_JUNK_CMD, &var_smtpd_junk_cmd_limit, 1, 0,
 	VAR_SMTPD_HIST_THRSH, DEF_SMTPD_HIST_THRSH, &var_smtpd_hist_thrsh, 1, 0,
+	VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
+	VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
+	VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 0, 0,
 	0,
     };
     static CONFIG_TIME_TABLE time_table[] = {
 	VAR_SMTPD_TMOUT, DEF_SMTPD_TMOUT, &var_smtpd_tmout, 1, 0,
 	VAR_SMTPD_ERR_SLEEP, DEF_SMTPD_ERR_SLEEP, &var_smtpd_err_sleep, 0, 0,
+	VAR_SMTPD_TLS_SCACHTIME, DEF_SMTPD_TLS_SCACHTIME, &var_smtpd_tls_scache_timeout, 0, 0,
 	0,
     };
     static CONFIG_BOOL_TABLE bool_table[] = {
@@ -1575,6 +1823,13 @@
 	VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route,
 	VAR_SMTPD_SASL_ENABLE, DEF_SMTPD_SASL_ENABLE, &var_smtpd_sasl_enable,
 	VAR_BROKEN_AUTH_CLNTS, DEF_BROKEN_AUTH_CLNTS, &var_broken_auth_clients,
+	VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
+	VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
+	VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
+	VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
+	VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
+	VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
+	VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
 	0,
     };
     static CONFIG_STR_TABLE str_table[] = {
@@ -1603,6 +1858,19 @@
 	VAR_SMTPD_SND_AUTH_MAPS, DEF_SMTPD_SND_AUTH_MAPS, &var_smtpd_snd_auth_maps, 0, 0,
 	VAR_SMTPD_NOOP_CMDS, DEF_SMTPD_NOOP_CMDS, &var_smtpd_noop_cmds, 0, 0,
 	VAR_SMTPD_NULL_KEY, DEF_SMTPD_NULL_KEY, &var_smtpd_null_key, 0, 0,
+	VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_relay_ccerts, 0, 0,
+	VAR_TLS_RAND_EXCH_NAME, DEF_TLS_RAND_EXCH_NAME, &var_tls_rand_exch_name, 0, 0,
+	VAR_TLS_DAEMON_RAND_SOURCE, DEF_TLS_DAEMON_RAND_SOURCE, &var_tls_daemon_rand_source, 0, 0,
+	VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
+	VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
+	VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
+	VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
+	VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
+	VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
+	VAR_SMTPD_TLS_CLIST, DEF_SMTPD_TLS_CLIST, &var_smtpd_tls_cipherlist, 0, 0,
+	VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
+	VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
+	VAR_SMTPD_TLS_SCACHE_DB, DEF_SMTPD_TLS_SCACHE_DB, &var_smtpd_tls_scache_db, 0, 0,
 	0,
     };
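Review bot: Almost all variables the new str_table entries write to (`var_tls_rand_exch_name`, `var_smtpd_tls_cert_file`, `var_smtpd_tls_key_file`, `var_smtpd_tls_CAfile`, `var_smtpd_tls_scache_db` and the rest) are not declared anywhere in this file by the diff — only `var_relay_ccerts` is — so they presumably come from `tls_mail_params.h` or `pfixtls.h`; worth confirming they are declared `extern` there and defined exactly once, since each of these files would otherwise own a copy. The same applies to `var_smtpd_tls_loglevel`, `var_tls_daemon_rand_bytes` and `var_smtpd_tls_scache_timeout` in the int_table and time_table hunks above. main starts and ends outside the hunk.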
 
@@ -1618,3 +1886,4 @@
 		       MAIL_SERVER_PRE_ACCEPT, pre_accept,
 		       0);
 }
+
diff -ur src.orig/smtpd/smtpd.h src/smtpd/smtpd.h
--- src.orig/smtpd/smtpd.h	Sun Nov 25 19:30:06 2001
+++ src/smtpd/smtpd.h	Thu Jul 11 17:48:38 2002
@@ -32,6 +32,7 @@
   * Global library.
   */
 #include <mail_stream.h>
+#include <pfixtls.h>
 
  /*
   * Variables that keep track of conversation state. There is only one SMTP
@@ -77,6 +78,11 @@
     VSTRING *sasl_decoded;
 #endif
     int     warn_if_reject;
+    int     tls_active;
+    int     tls_use_tls;
+    int     tls_enforce_tls;
+    int     tls_auth_only;
+    tls_info_t tls_info;
 } SMTPD_STATE;
 
 extern void smtpd_state_init(SMTPD_STATE *, VSTREAM *);
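Review bot: The five new SMTPD_STATE members carry no comments, unlike the block comment that introduces the struct; suggest `int tls_active; /* TLS layer negotiated on state->client */`, `int tls_use_tls; /* STARTTLS is offered */`, `int tls_enforce_tls; /* non-TLS commands are refused with 530 */`, with similar one-liners for `tls_auth_only` (AUTH accepted only after STARTTLS) and `tls_info` (peer certificate and cipher data filled in by the TLS layer). `tls_info_t tls_info` and `#include <pfixtls.h>` are unconditional while every use in smtpd.c sits under `#ifdef HAS_SSL`, so pfixtls.h must provide the type in non-SSL builds; if it does not, both need the same guard. The struct begins outside the hunk.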
diff -ur src.orig/smtpd/smtpd_chat.c src/smtpd/smtpd_chat.c
--- src.orig/smtpd/smtpd_chat.c	Wed Dec 26 14:51:25 2001
+++ src/smtpd/smtpd_chat.c	Thu Jul 11 17:48:38 2002
@@ -78,7 +78,7 @@
 #include <record.h>
 #include <rec_type.h>
 #include <mail_proto.h>
-#include <mail_params.h>
+#include <tls_mail_params.h>
 #include <mail_addr.h>
 #include <post_mail.h>
 #include <mail_error.h>
diff -ur src.orig/smtpd/smtpd_check.c src/smtpd/smtpd_check.c
--- src.orig/smtpd/smtpd_check.c	Thu Jul 11 15:09:52 2002
+++ src/smtpd/smtpd_check.c	Thu Jul 11 17:48:38 2002
@@ -280,7 +280,8 @@
 
 #include <namadr_list.h>
 #include <domain_list.h>
-#include <mail_params.h>
+#include <string_list.h>
+#include <tls_mail_params.h>
 #include <canon_addr.h>
 #include <resolve_clnt.h>
 #include <mail_error.h>
@@ -345,6 +346,9 @@
 static DOMAIN_LIST *relay_domains;
 static NAMADR_LIST *mynetworks;
 static NAMADR_LIST *perm_mx_networks;
+#ifdef HAS_SSL
+static MAPS *relay_ccerts;
+#endif
 
  /*
   * How to do parent domain wildcard matching, if any.
@@ -530,6 +534,10 @@
     perm_mx_networks =
 	namadr_list_init(match_parent_style(VAR_PERM_MX_NETWORKS),
 			 var_perm_mx_networks);
+#ifdef HAS_SSL
+    relay_ccerts = maps_create(VAR_RELAY_CCERTS, var_relay_ccerts,
+			       DICT_FLAG_LOCK);
+#endif
 
     /*
      * Pre-parse and pre-open the recipient maps.
@@ -966,6 +974,36 @@
 
 static int permit_auth_destination(SMTPD_STATE *state, char *recipient);
 
+/* permit_tls_clientcerts - OK/DUNNO for message relaying */
+
+#ifdef HAS_SSL
+static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
+{
+    char   *low_name;
+    const char *found;
+
+    if (state->tls_info.peer_verified && permit_all_certs) {
+	if (msg_verbose)
+	    msg_info("Relaying allowed for all verified client certificates");
+	return(SMTPD_CHECK_OK);
+    }
+
+    if (state->tls_info.peer_verified && state->tls_info.peer_fingerprint) {
+	low_name = lowercase(mystrdup(state->tls_info.peer_fingerprint));
+	found = maps_find(relay_ccerts, low_name, DICT_FLAG_FIXED);
+	myfree(low_name);
+	if (found) {
+	    if (msg_verbose)
+		msg_info("Relaying allowed for certified client: %s", found);
+	    return (SMTPD_CHECK_OK);
+	} else if (msg_verbose)
+	    msg_info("relay_clientcerts: No match for fingerprint '%s'",
+		     state->tls_info.peer_fingerprint);
+    }
+    return (SMTPD_CHECK_DUNNO);
+}
+#endif
+
 /* check_relay_domains - OK/FAIL for message relaying */
 
 static int check_relay_domains(SMTPD_STATE *state, char *recipient,
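Review bot: The header comment on permit_tls_clientcerts does not say what permit_all_certs selects, although it switches between two quite different relay policies (any verified peer certificate, versus a fingerprint listed in relay_ccerts); proposed: `/* permit_tls_clientcerts - OK/DUNNO for message relaying: with permit_all_certs any verified client certificate suffices, otherwise the lowercased peer fingerprint must be found in relay_ccerts */`. The fingerprint test at L884 only checks for a non-NULL pointer, so if tls_info can carry an empty string the map is queried with the key `""`; guarding with `state->tls_info.peer_fingerprint[0]` as well would avoid that lookup — confirm against how pfixtls fills the field. Minor style: `return(SMTPD_CHECK_OK);` at L881 should be `return (SMTPD_CHECK_OK);` like the other return statements in the function.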
@@ -2164,7 +2202,13 @@
 		status = permit_sasl_auth(state,
 					  SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO);
 #else
-		msg_warn("restriction `%s' ignored: no SASL support", name);
+		msg_warn("restriction `%s' ignored: no SASL support",name);
+#endif
+#ifdef HAS_SSL
+	} else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
+	  status = permit_tls_clientcerts(state, 1);
+	} else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
+	  status = permit_tls_clientcerts(state, 0);
 #endif
 	} else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) {
 	    if (state->recipient)
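Review bot: When HAS_SSL is not defined, the two new restriction names at L911–L914 are compiled out together with their strcasecmp tests, so a main.cf that lists permit_tls_clientcerts presumably falls through to the chain's unknown-restriction handling instead of getting the explicit "ignored: no ... support" warning that the SASL branch directly above emits. Keeping the name tests unconditional and wrapping only the bodies, as the SASL branch does, gives the operator the same diagnostic; this assumes the PERMIT_TLS_* names come from tls_mail_params.h regardless of HAS_SSL. The new branches are also indented with two spaces where the surrounding file uses four, and the whitespace edit to the existing msg_warn call (`name);` → `,name);` at L908) is unrelated churn that should be dropped. The enclosing function starts and ends outside the hunk.
```c
	} else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
#ifdef HAS_SSL
	    status = permit_tls_clientcerts(state, 1);
#else
	    msg_warn("restriction `%s' ignored: no TLS support", name);
#endif
	} else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
#ifdef HAS_SSL
	    status = permit_tls_clientcerts(state, 0);
#else
	    msg_warn("restriction `%s' ignored: no TLS support", name);
#endif
	} else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) {
	/* … unchanged: remaining restriction branches … */
```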
@@ -2600,6 +2644,7 @@
 char   *var_rcpt_checks = "";
 char   *var_etrn_checks = "";
 char   *var_relay_domains = "";
+char   *var_relay_ccerts = "";
 char   *var_mynetworks = "";
 char   *var_notify_classes = "";
 
diff -ur src.orig/smtpd/smtpd_sasl_glue.c src/smtpd/smtpd_sasl_glue.c
--- src.orig/smtpd/smtpd_sasl_glue.c	Mon Apr 22 21:58:54 2002
+++ src/smtpd/smtpd_sasl_glue.c	Thu Jul 11 17:48:38 2002
@@ -94,7 +94,7 @@
 
 /* Global library. */
 
-#include <mail_params.h>
+#include <tls_mail_params.h>
 #include <smtp_stream.h>
 
 /* Application-specific. */
diff -ur src.orig/smtpd/smtpd_sasl_proto.c src/smtpd/smtpd_sasl_proto.c
--- src.orig/smtpd/smtpd_sasl_proto.c	Mon Sep 11 16:45:40 2000
+++ src/smtpd/smtpd_sasl_proto.c	Thu Jul 11 17:48:38 2002
@@ -96,7 +96,7 @@
 
 /* Global library. */
 
-#include <mail_params.h>
+#include <tls_mail_params.h>
 #include <mail_proto.h>
 #include <mail_error.h>
 
@@ -128,6 +128,13 @@
 	smtpd_chat_reply(state, "503 Error: authentication not enabled");
 	return (-1);
     }
+#ifdef HAS_SSL
+    if (state->tls_auth_only && !state->tls_active) {
+	state->error_mask |= MAIL_ERROR_PROTOCOL;
+	smtpd_chat_reply(state, "538 Encryption required for requested authentication mechanism");
+	return (-1);
+    }
+#endif
     if (state->sasl_username) {
 	state->error_mask |= MAIL_ERROR_PROTOCOL;
 	smtpd_chat_reply(state, "503 Error: already authenticated");
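Review bot: The new 538 reply at L955–L958 refuses AUTH on every unencrypted session once tls_auth_only is set, while the reply text speaks of the "requested authentication mechanism"; the gate is per-session rather than per-mechanism, which is reasonable, but a comment should say so: `/* smtpd_tls_auth_only: no AUTH on a plaintext session, whatever the mechanism */`. The check sits before the "already authenticated" test, so a session that is already authenticated would get 538 instead of 503 — presumably unreachable, since AUTH is refused before any mechanism runs, but worth confirming. If the EHLO response (not in this hunk) still advertises AUTH on plaintext sessions when tls_auth_only is set, clients will offer credentials only to be refused; the capability announcement should presumably honour the same flag. The enclosing function starts outside the hunk.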
diff -ur src.orig/smtpd/smtpd_state.c src/smtpd/smtpd_state.c
--- src.orig/smtpd/smtpd_state.c	Sun Nov 25 19:30:07 2001
+++ src/smtpd/smtpd_state.c	Thu Jul 11 17:48:38 2002
@@ -50,7 +50,7 @@
 /* Global library. */
 
 #include <cleanup_user.h>
-#include <mail_params.h>
+#include <tls_mail_params.h>
 #include <mail_error.h>
 
 /* Application-specific. */
@@ -92,6 +92,11 @@
     state->msg_size = 0;
     state->junk_cmds = 0;
     state->warn_if_reject = 0;
+    state->tls_active = 0;
+    state->tls_use_tls = 0;
+    state->tls_enforce_tls = 0;
+    state->tls_info = tls_info_zero;
+    state->tls_auth_only = 0;
 
 #ifdef USE_SASL_AUTH
     if (SMTPD_STAND_ALONE(state))
