Wish list:

	Make event_drain() a proper event loop; update the zero mask,
	and don't ignore a non-empty timer queue.

	Combine smtpd_peer.c and qmqpd_peer.c into a single function
	that produces a client context object, and provide attribute
	print/scan routines that pass these client context objects
	around. With this, we no longer have to update a multiple
	pieces of code when a client attribute is added. Ditto for
	SASL and TLS context.

	Make TLS_BIO_BUFSIZE run-time adjustable, to future-proof
	Postfix for remote connections with MSS > 8 kbytes.

	Absent a formal spec, model IPv6 RBL lookups after the IPv6
	PTR lookups (one zone per hex nibble, nibbles in reversed
	order). How to specify whether to query an RBL server for
	status info about an IPv6 address? One could argue that as
	long as IPv6 traffic is small an unsupported lookup doesn't
	matter; and once IPv6 takes off, the RBL servers better
	start supporting IPv6 client status information.

	Don't log "warning: XXXXX: undeliverable postmaster
	notification discarded" for spam from outside.

	Really need a cleanup driver that allows testing against
	Milter applications instead of synthetic events. This would
	have to provide stubs for clients that talk to Postfix
	daemon processes. See if this approach can also be used for
	other daemons.

	smtpd(8) exempts $address_verify_sender from access controls,
	but it doesn't know whether cleanup(8) or delivery agents
	modify the sender. Would it be possible to "calibrate" this
	exemption, perhaps by having delivery agents pass the probe
	sender to the verify server, keeping in mind that the probe
	sender may differ per delivery agent due to output rewriting.

	Update attr_print/scan() so they can send/receive file
	descriptors. This simplifies kludgy code in many daemons.

	Make adding date/from/etc. conditional. Perhaps on header
	rewrite context? Do we need a more powerful concept than
	local_header_rewrite_clients/remote_header_rewrite_domain?

	Would there be a problem adding $smtpd_mumble_restrictions
	and $smtpd_sender_login_maps to the default proxy_read_maps
	settings?

	Remove defer(8) and trace(8) references and man pages. These
	are services not program names.

	Bind all deliveries to the same local delivery process,
	making Postfix perform as poorly as monolithic mailers, but
	giving a possibility to eliminate duplicate deliveries.

	Maybe declare loop when resolve_local(mxhost) is true?

	Update message content length when adding/removing headers.

	Need scache size limit.

	Update BACKSCATTER_README to use PCRE because that's what I
	am using now.

	Make postcat header/body aware so people can grep headers.

	Make postmap header/body aware so people can test multi-line
	header checks.

	REDIRECT should override original recipient info, and
	probably override DSN as well.

	Find out if with Sendmail, a Milter "add recipient" request
	results in NOTIFY=NONE as Postfix does now.

	Update FILTER_README with mailing list suggestions to tag
	with a badness indicator and then filter down-stream.

	Either document or remove the internal_mail_filter_classes
	feature (it's disabled by default).

	Build a command-line test driver for the cleanup engine.
	This allows us to test it with arbitrary record sequences
	without having to use a live mail queue.

	Make null local-part handling configurable: either expand
	into mailer-daemon (current bahavior) or disallow (strict
	behavior, currently implemented only in the SMTP server).

	Plan for time_t larger than long, or wait for LP64 to
	dominate the world?

	The type of var_message_limit (and other file size/offset
	configuration parameters or internal protocol attributes)
	should be changed from int to off_t.  This also requires
	checking all expressions in which var_message_limit etc.
	appears: qmqpd, netstring, deliver_request, ...

	Add M flag (enable multi-recipient delivery) to pipe daemon.

	The usage of TLScontext->cache_type is unclear. It specifies
	a TLS session cache type (smtpd, smtp, or lmtp), but it is
	sometimes used as an indicator that TLS session caching is
	unavailable.  In reality, that decision is made by not
	registering call-back functions for cache maintenance.

	Postfix TLS library code should copy any strings that it
	receives from the application, instead of passing them
	around as pointers. TLScontext->cache_type is a case in
	point.

	Are transport:nexthop null fields the same as in the case
	of default_transport etc. parameters?

	Don't lose bits when converting st_dev into maildir file
	name. It's 64 bits on Linux. Found with the BEAM source
	code analyzer. Is this really a problem, or are they just
	using 64 bits for upwards compatibility with LP64 systems?

	Do or don't introduce unknown_reverse_client_reject_code.

	Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
	UNIX).

	Tempfail when a Milter application wants content access,
	while it is configured in an SMTP server that runs before
	the smtpd_proxy filter.

	Log DSN original recipient when rejecting mail.

	Keep whitespace between label and ":"?

	Make the map case folding/locking options configurable, if
	not at run-time then at least at compile time so we get
	consistent behavior across applications.

	Investigate what it would take to eliminate oqmgr, and to
	make the old behavior configurable in a unified queue
	manager.  This would shave another 2.7 KLOC from the source
	footprint.

	Document the case folding strategy for match_list like
	features.

	Eliminate the (incoming,deferred)->active rename operation.

	Softbounce fallback-to-ISP for SOHO users. This requires
	playing with the soft_error test in the smtp_trouble.c
	module, and avoiding delivery to backup MX hosts.

	In the SMTP server, set a "pipelining detected" flag at the
	start of a session and at protocol synchronization points,
	so that reject_unauth_pipelining can be specified in any
	access rule.

	Centralize main.cf parameter input so that defaults work
	consistently. What about parameter names that are prefixed
	with mail delivery transport names?

	Fix default time unit handling so that we can have a default
	bounce lifetime of $maximal_queue_lifetime, without causing
	panics when a non-default maximal_queue_lifetime setting
	includes no time unit.

	After the 20051222 ISASCII paranoia, lowercase() lowercases
	ASCII text only.

	Privacy: remove local command/pathname details from remote
	delivery status reports, and log them via local msg_warn().

	Is it safe to cache a connection after it has been used for
	more than some number of address verification probes?

	Try to recognize that Resent- headers appear in blocks,
	newest block first. But don't break on incorrect header
	block organization.

	Hard limits on cache sizes (anvil, specifically).

	Laptop friendliness: make the qmgr remember when the next
	deferred queue scan needs to be done, and have the pickup
	server stat() the maildrop directory before searching it.

	Low: replace_sender/replace_recipient actions in access
	maps?

	Low: configurable order of local(8) delivery methods.

	Med: local and remote source port and IP address for smtpd
	policy hook.

	Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
	to limit the total time spent trying to connect.

	Med: transform IPv4-in-IPv6 address literals to IPv4 form
	when comparing against local IP addresses?

	Med: transform IPv4-in-IPv6 address literals to IPv4 form
	when eliminating MX mailer loops?

	Med: Postfix requires [] around IPv6 address information
	in match lists such as mynetworks, debug_peer_list etc.,
	but the [] must not be specified in access(5) maps. Other
	places don't care.  For now, this gotcha is documented in
	IPV6_README and in postconf(5) with each feature that may
	use IPv6 address information. The general recommendation
	is not to use [] unless absolutely necessary.

	Med: the partial address matching of IPv6 addresses in
	access(5) maps is a bit lame: it repeatedly truncates the
	last ":octetpair" from the printable address representation
	until a match is found or until truncation is no longer
	possible.  Since one or more ":" are usually omitted from
	the printable IPv6 address representation, this does not
	really try all the possibilities that one might expect to
	be tried. For now, this gotcha is documented in access(5).

	Med: the TLS certificate verification depth parameters never
	worked.

	Low: reject HELO with any domain name or IP address that
	this MTA is the final destination for.

	Low: should the Delivered-To: test in local(8) be configurable?

	Low: make mail_addr_find() lookup configurable.

	Low: update events.c so that 1-second timer requests do not
	suffer from rounding errors. This is needed for 1-second
	SMTP session caching time limits. A 1-second interval would
	become arbitrarily short when an event is scheduled just
	before the current second rolls over.

	Low: configurable internal/system locking method.

	Low: add INSTALL section for pre-existing Postfix systems.

	Low: add INSTALL section for pre-existing RPM Postfixes.

	Low: disallow smtpd_recipient_limit < 100 (the RFC minimum).

	Low: noise filter: allow smtp(8) to retry immediately if
	all MXes return a quick ECONNRESET or 4xx reply during the
	initial handshake. Retry once? How many times?

	Low: make post-install a "postfix-only script" so it can
	take data from the environment instead of main.cf.

	Low: randomize deferred mail backoff.

	Med: separate ulimit for delivery to command?

	Med: option to open queue file early, after MAIL FROM.  This
	would allow correlation of rejected RCPT TO requests with
	accepted requests for the same mail transaction.

	Med: postsuper -r should do something with recipients in
	bounce logfiles, to make sure the sender will be notified.
	To be perfectly safe, no process other than the queue manager
	should move a queue file away from the active queue.

	This could involve tagging a queue file, and use up another
	permission bit (postsuper tags a "hot" file, qmgr requeues it).

	Low: postsuper re-run after renaming files, but only a
	limited number of times.

	Low: smtp-source may block when sending large test messages.

	Med: find a way to log the sender address when MAIL FROM
	is rejected due to lack of disk space.

	Low: revise other local delivery agent duplicate filters.

	Low: all table lookups should consistently use internalized
	(unquoted) or externalized (quoted) forms as lookup keys.
	smtpd, qmgr, local, etc. use unquoted address forms as keys.
	cleanup uses quoted forms.

	Low: have a configurable list of errno values for mailbox
	or maildir delivery that result in deferral rather than
	bouncing mail. What about "killed by signal" exits?

	Low: after reorganizing configuration parameters, add flags
	to all parameters whose value can be read from file.

	Medium: need in-process caching for map lookups. LDAP servers
	seem to need this in particular. Need a way to expire cached
	results that are too old.

	Low: generic showq protocol, to allow for more intelligent
	processing than just mailq. Maybe marry this with postsuper.

	Low: default domain for appending to unqualified recipients,
	so that unqualified names can be delivered locally.

	Low: The $process_id_directory setting is not used anywhere
	in Postfix. Problem reported by Michael Smith, texas.net.
	This should be documented, or better, the code should warn
	about attempts to set read-only parameters.

	Low: postconf -e edits parameters that postconf won't list.

	Low: while converting 8bit text to quoted-printable, perhaps
	use =46rom to avoid having to produce >From when delivering
	to mailbox.

	virtual_mailbox_path expression like forward_path, so that
	people can specify prefix and suffix.
