Postfix 2.7.2 imported into NetBSD-current

• Postfix no longer automatically appends the system default CA (certificate authority) certificates, when it reads the CA certificates specified with {smtp, lmtp, smtpd}_tls_CAfile or with {smtp, lmtp, smtpd}_tls_CApath. This prevents third-party certificates from getting mail relay permission with the permit_tls_all_clientcerts feature. Unfortunately, this change may cause compatibility problems with configurations that rely on certificate verification for other purposes. To get the old behavior, specify "tls_append_default_CA = yes".
• A prior fix for compatibility with Postfix < 2.3 was incomplete. When pipe-to-command delivery fails with a signal, mail is now correctly deferred, instead of being returned to sender.
• Poor smtpd_proxy_filter TCP performance over loopback (127.0.0.1) connections was fixed by adapting the output buffer size to the MTU.
• The SMTP server no longer applies the reject_rhsbl_helo feature to non-domain forms such as network addresses. This would cause false positives with dbl.spamhaus.org.
• The Postfix SMTP server failed to deliver a "421" response and hang up the connection after Milter error. Instead, the server delivered a "503 Access denied" response and left the connection open, due to some Postfix 1.1 workaround for RFC 2821.
• The milter_header_checks parser failed to enable any of the actions that have no effect on message delivery (warn, replace, prepend, ignore, dunno, and ok).