diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub index 94de170ab..343ac0f10 100644 --- a/distrib/miniroot/install.sub +++ b/distrib/miniroot/install.sub @@ -1,5 +1,5 @@ #!/bin/ksh -# $OpenBSD: install.sub,v 1.1261 2024/03/05 19:47:58 kn Exp $ +# $OpenBSD: install.sub,v 1.1263 2024/03/15 17:31:21 kn Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback # Copyright (c) 2015, Robert Peichaer diff --git a/distrib/sets/lists/base/mi b/distrib/sets/lists/base/mi index e988d4567..6d6340312 100644 --- a/distrib/sets/lists/base/mi +++ b/distrib/sets/lists/base/mi @@ -292,9 +292,14 @@ ./etc/rmt ./etc/rpc ./etc/rpki +./etc/rpki/afrinic.constraints ./etc/rpki/afrinic.tal +./etc/rpki/apnic.constraints ./etc/rpki/apnic.tal +./etc/rpki/arin.constraints +./etc/rpki/lacnic.constraints ./etc/rpki/lacnic.tal +./etc/rpki/ripe.constraints ./etc/rpki/ripe.tal ./etc/services ./etc/signify diff --git a/distrib/sets/lists/etc/mi b/distrib/sets/lists/etc/mi index 974ff7ca8..483d8e819 100644 --- a/distrib/sets/lists/etc/mi +++ b/distrib/sets/lists/etc/mi @@ -27,11 +27,6 @@ ./etc/ppp/options ./etc/ppp/pap-secrets ./etc/pwd.db -./etc/rpki/afrinic.constraints -./etc/rpki/apnic.constraints -./etc/rpki/arin.constraints -./etc/rpki/lacnic.constraints -./etc/rpki/ripe.constraints ./etc/shells ./etc/skel/.Xdefaults ./etc/skel/.cshrc diff --git a/etc/skel/dot.version b/etc/skel/dot.version index f6a2e7b7c..93e8d30e6 100644 --- a/etc/skel/dot.version +++ b/etc/skel/dot.version @@ -1 +1 @@ -# SecBSD 1.5-df5e0c0: Fri Mar 1 20:10:00 UTC 2024 (Yatagarasu) +# SecBSD 1.5-eaddcb2: Sat Mar 16 00:00:00 UTC 2024 (Yatagarasu) diff --git a/lib/libcrypto/bn/bn_rand.c b/lib/libcrypto/bn/bn_rand.c index a5b163c82..9cfcd8e2c 100644 --- a/lib/libcrypto/bn/bn_rand.c +++ b/lib/libcrypto/bn/bn_rand.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: bn_rand.c,v 1.29 2023/08/03 18:53:55 tb Exp $ */ +/* $OpenBSD: bn_rand.c,v 1.30 2024/03/16 20:42:33 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -109,6 +109,7 @@ * */ +#include #include #include #include @@ -133,6 +134,10 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) BNerror(BN_R_BITS_TOO_SMALL); return (0); } + if (bits > INT_MAX - 7) { + BNerror(BN_R_BIGNUM_TOO_LONG); + return (0); + } if (bits == 0) { BN_zero(rnd); diff --git a/lib/libcrypto/man/CRYPTO_lock.3 b/lib/libcrypto/man/CRYPTO_lock.3 index 4187a96bf..afc5eb54c 100644 --- a/lib/libcrypto/man/CRYPTO_lock.3 +++ b/lib/libcrypto/man/CRYPTO_lock.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: CRYPTO_lock.3,v 1.2 2024/03/04 09:30:43 tb Exp $ +.\" $OpenBSD: CRYPTO_lock.3,v 1.3 2024/03/14 22:09:40 tb Exp $ .\" OpenSSL doc/crypto/threads.pod fb552ac6 Sep 30 23:43:01 2009 +0000 .\" .\" Copyright (c) 2019 Ingo Schwarze @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 4 2024 $ +.Dd $Mdocdate: March 14 2024 $ .Dt CRYPTO_LOCK 3 .Os .Sh NAME @@ -53,6 +53,7 @@ .Ed .Sh DESCRIPTION These functions are obsolete. +.Pp .Fn CRYPTO_lock locks or unlocks a mutex lock. .Pp diff --git a/lib/libcrypto/man/EVP_CIPHER_do_all.3 b/lib/libcrypto/man/EVP_CIPHER_do_all.3 index 9411a41f7..e91204497 100644 --- a/lib/libcrypto/man/EVP_CIPHER_do_all.3 +++ b/lib/libcrypto/man/EVP_CIPHER_do_all.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_CIPHER_do_all.3,v 1.2 2024/01/31 08:02:53 tb Exp $ +.\" $OpenBSD: EVP_CIPHER_do_all.3,v 1.3 2024/03/14 23:54:55 tb Exp $ .\" .\" Copyright (c) 2023,2024 Theo Buehler .\" Copyright (c) 2021 Ingo Schwarze 
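Review bot: The new guard `if (bits > INT_MAX - 7)` in bnrand() has no comment explaining the constant 7, and the arithmetic it protects is not visible in this hunk. It presumably guards a later bits-to-bytes rounding of the form `(bits + 7) / 8` against signed overflow. If so, a one-line comment above the check, `/* bits + 7 below must not overflow an int */`, would keep the two in step when either is edited. bnrand() continues past the end of the hunk, so the rounding expression should be confirmed there.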
@@ -15,14 +15,16 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 31 2024 $ +.Dd $Mdocdate: March 14 2024 $ .Dt EVP_CIPHER_DO_ALL 3 .Os .Sh NAME .Nm EVP_CIPHER_do_all , .Nm EVP_CIPHER_do_all_sorted , .Nm EVP_MD_do_all , -.Nm EVP_MD_do_all_sorted +.Nm EVP_MD_do_all_sorted , +.Nm OBJ_NAME_do_all , +.Nm OBJ_NAME_do_all_sorted .Nd iterate over lookup tables for ciphers and digests .Sh SYNOPSIS .In openssl/evp.h diff --git a/lib/libcrypto/man/X509_STORE_set1_param.3 b/lib/libcrypto/man/X509_STORE_set1_param.3 index 85d308c3f..527fe652e 100644 --- a/lib/libcrypto/man/X509_STORE_set1_param.3 +++ b/lib/libcrypto/man/X509_STORE_set1_param.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_set1_param.3,v 1.21 2024/03/04 09:24:07 tb Exp $ +.\" $OpenBSD: X509_STORE_set1_param.3,v 1.22 2024/03/14 22:19:12 tb Exp $ .\" content checked up to: .\" OpenSSL man3/X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000 .\" OpenSSL man3/X509_STORE_get0_param e90fc053 Jul 15 09:39:45 2017 -0400 @@ -17,7 +17,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 4 2024 $ +.Dd $Mdocdate: March 14 2024 $ .Dt X509_STORE_SET1_PARAM 3 .Os .Sh NAME @@ -263,6 +263,6 @@ and first appeared in OpenSSL 1.1.0 and have been available since .Ox 6.3 . .Pp -X509_STORE_get1_objects +.Fn X509_STORE_get1_objects first appeared in BoringSSL and has been available since .Ox 7.5 . diff --git a/lib/libz/deflate.c b/lib/libz/deflate.c index 623119b1f..7ab6c9942 100644 --- a/lib/libz/deflate.c +++ b/lib/libz/deflate.c 
@@ -842,13 +842,13 @@ uLong ZEXPORT deflateBound(z_streamp strm, uLong sourceLen) { storelen = sourceLen + (sourceLen >> 5) + (sourceLen >> 7) + (sourceLen >> 11) + 7; - /* if can't get parameters, return larger bound plus a zlib wrapper */ + /* if can't get parameters, return larger bound plus a wrapper */ if (deflateStateCheck(strm)) - return (fixedlen > storelen ? fixedlen : storelen) + 6; + return (fixedlen > storelen ? fixedlen : storelen) + 18; /* compute wrapper length */ s = strm->state; - switch (s->wrap) { + switch (s->wrap < 0 ? -s->wrap : s->wrap) { case 0: /* raw deflate */ wraplen = 0; break; @@ -878,7 +878,7 @@ uLong ZEXPORT deflateBound(z_streamp strm, uLong sourceLen) { break; #endif default: /* for compiler happiness */ - wraplen = 6; + wraplen = 18; } /* if not default parameters, return one of the conservative bounds */ diff --git a/lib/libz/gzguts.h b/lib/libz/gzguts.h index a6485ab7e..71dea740c 100644 --- a/lib/libz/gzguts.h +++ b/lib/libz/gzguts.h @@ -17,11 +17,16 @@ # define ZLIB_INTERNAL #endif -#if defined(_WIN32) && !defined(_CRT_SECURE_NO_WARNINGS) -# define _CRT_SECURE_NO_WARNINGS -#endif -#if defined(_WIN32) && !defined(_CRT_NONSTDC_NO_DEPRECATE) -# define _CRT_NONSTDC_NO_DEPRECATE +#if defined(_WIN32) +# ifndef WIN32_LEAN_AND_MEAN +# define WIN32_LEAN_AND_MEAN +# endif +# ifndef _CRT_SECURE_NO_WARNINGS +# define _CRT_SECURE_NO_WARNINGS +# endif +# ifndef _CRT_NONSTDC_NO_DEPRECATE +# define _CRT_NONSTDC_NO_DEPRECATE +# endif #endif #include diff --git a/lib/libz/gzlib.c b/lib/libz/gzlib.c index e485a27bf..baa3e79d4 100644 --- a/lib/libz/gzlib.c +++ b/lib/libz/gzlib.c 
@@ -5,11 +5,9 @@ #include "gzguts.h" -#if defined(UNDER_CE) -# define LSEEK _wcelseek -#elif defined(__DJGPP__) +#if defined(__DJGPP__) # define LSEEK llseek -#elif defined(_WIN32) && !defined(__BORLANDC__) +#elif defined(_WIN32) && !defined(__BORLANDC__) && !defined(UNDER_CE) # define LSEEK _lseeki64 #elif defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0 # define LSEEK lseek64 diff --git a/sys/arch/arm64/arm64/cpu.c b/sys/arch/arm64/arm64/cpu.c index afcded566..597733506 100644 --- a/sys/arch/arm64/arm64/cpu.c +++ b/sys/arch/arm64/arm64/cpu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.c,v 1.108 2024/03/05 18:42:20 kettenis Exp $ */ +/* $OpenBSD: cpu.c,v 1.110 2024/03/16 09:15:04 jsg Exp $ */ /* * Copyright (c) 2016 Dale Rahn @@ -52,6 +52,7 @@ #define CPU_IMPL_AMCC 0x50 #define CPU_IMPL_QCOM 0x51 #define CPU_IMPL_APPLE 0x61 +#define CPU_IMPL_AMPERE 0xc0 /* ARM */ #define CPU_PART_CORTEX_A34 0xd02 @@ -86,6 +87,8 @@ #define CPU_PART_CORTEX_A720 0xd81 #define CPU_PART_CORTEX_X4 0xd82 #define CPU_PART_NEOVERSE_V3 0xd84 +#define CPU_PART_CORTEX_A520AE 0xd88 +#define CPU_PART_CORTEX_A720AE 0xd89 #define CPU_PART_NEOVERSE_N3 0xd8e /* Cavium */ @@ -115,6 +118,9 @@ #define CPU_PART_BLIZZARD_MAX 0x038 #define CPU_PART_AVALANCHE_MAX 0x039 +/* Ampere */ +#define CPU_PART_AMPERE1 0xac3 + #define CPU_IMPL(midr) (((midr) >> 24) & 0xff) #define CPU_PART(midr) (((midr) >> 4) & 0xfff) #define CPU_VAR(midr) (((midr) >> 20) & 0xf) @@ -148,9 +154,11 @@ struct cpu_cores cpu_cores_arm[] = { { CPU_PART_CORTEX_A78C, "Cortex-A78C" }, { CPU_PART_CORTEX_A510, "Cortex-A510" }, { CPU_PART_CORTEX_A520, "Cortex-A520" }, + { CPU_PART_CORTEX_A520AE, "Cortex-A520AE" }, { CPU_PART_CORTEX_A710, "Cortex-A710" }, { CPU_PART_CORTEX_A715, "Cortex-A715" }, { CPU_PART_CORTEX_A720, "Cortex-A720" }, + { CPU_PART_CORTEX_A720AE, "Cortex-A720AE" }, { CPU_PART_CORTEX_X1, "Cortex-X1" }, { CPU_PART_CORTEX_X1C, "Cortex-X1C" }, { CPU_PART_CORTEX_X2, "Cortex-X2" }, 
@@ -201,6 +209,11 @@ struct cpu_cores cpu_cores_apple[] = { { 0, NULL }, }; +struct cpu_cores cpu_cores_ampere[] = { + { CPU_PART_AMPERE1, "AmpereOne" }, + { 0, NULL }, +}; + /* arm cores makers */ const struct implementers { int id; @@ -212,6 +225,7 @@ const struct implementers { { CPU_IMPL_AMCC, "Applied Micro", cpu_cores_amcc }, { CPU_IMPL_QCOM, "Qualcomm", cpu_cores_qcom }, { CPU_IMPL_APPLE, "Apple", cpu_cores_apple }, + { CPU_IMPL_AMPERE, "Ampere", cpu_cores_ampere }, { 0, NULL }, }; @@ -230,6 +244,7 @@ int arm64_has_aes; extern char trampoline_vectors_none[]; extern char trampoline_vectors_loop_8[]; +extern char trampoline_vectors_loop_11[]; extern char trampoline_vectors_loop_24[]; extern char trampoline_vectors_loop_32[]; #if NPSCI > 0 @@ -419,8 +434,10 @@ cpu_identify(struct cpu_info *ci) * But we might still be vulnerable to Spectre-BHB. If we know the * CPU, we can add a branchy loop that cleans the BHB. */ - if (impl == CPU_IMPL_ARM) { + switch (impl) { + case CPU_IMPL_ARM: switch (part) { + case CPU_PART_CORTEX_A57: case CPU_PART_CORTEX_A72: ci->ci_trampoline_vectors = (vaddr_t)trampoline_vectors_loop_8; @@ -444,6 +461,15 @@ cpu_identify(struct cpu_info *ci) (vaddr_t)trampoline_vectors_loop_32; break; } + break; + case CPU_IMPL_AMPERE: + switch (part) { + case CPU_PART_AMPERE1: + ci->ci_trampoline_vectors = + (vaddr_t)trampoline_vectors_loop_11; + break; + } + break; } /* diff --git a/sys/arch/arm64/arm64/locore.S b/sys/arch/arm64/arm64/locore.S index 6a5e76d4c..c426d3238 100644 --- a/sys/arch/arm64/arm64/locore.S +++ b/sys/arch/arm64/arm64/locore.S @@ -1,4 +1,4 @@ -/* $OpenBSD: locore.S,v 1.45 2023/12/12 07:37:20 deraadt Exp $ */ +/* $OpenBSD: locore.S,v 1.46 2024/03/16 20:46:28 kettenis Exp $ */ /*- * Copyright (c) 2012-2014 Andrew Turner * All rights reserved. @@ -57,6 +57,7 @@ drop_to_el1: /* Configure the Hypervisor */ mov x2, #(HCR_RW) + orr x2, x2, #(HCR_API | HCR_APK) msr hcr_el2, x2 /* Load the Virtualization Process ID Register */ 
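Review bot: The new `case CPU_IMPL_AMPERE:` arm in cpu_identify() selects `trampoline_vectors_loop_11` without recording where the iteration count 11 comes from, and the same applies to adding `CPU_PART_CORTEX_A57` to the loop_8 group. A short comment next to each case naming the document the value was taken from would let a later reader check it. Parts not listed in either inner `switch (part)` fall out with no `default:` and keep whatever `ci_trampoline_vectors` was assigned before this block, which is outside the hunk. An explicit `default: break;` with a one-line comment such as `/* unknown part: keep the vectors chosen above */` would make that intent visible.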
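Review bot: The added `orr x2, x2, #(HCR_API | HCR_APK)` in drop_to_el1 has no comment saying why these two bits are set alongside `HCR_RW`. Architecturally they disable the EL2 traps on pointer-authentication instructions and on accesses to the key registers, so that EL1 can use them. A line such as `/* Don't trap pointer authentication instructions and key registers to EL2 */` above the `orr` would record that for readers who do not have the HCR_EL2 layout to hand. The rest of drop_to_el1 is outside the hunk.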
diff --git a/sys/arch/arm64/arm64/trampoline.S b/sys/arch/arm64/arm64/trampoline.S index 79eca168e..c08dba0fe 100644 --- a/sys/arch/arm64/arm64/trampoline.S +++ b/sys/arch/arm64/arm64/trampoline.S @@ -1,4 +1,4 @@ -/* $OpenBSD: trampoline.S,v 1.4 2022/12/10 10:13:58 patrick Exp $ */ +/* $OpenBSD: trampoline.S,v 1.5 2024/03/15 13:26:09 kettenis Exp $ */ /* * Copyright (c) 2018 Mark Kettenis @@ -45,6 +45,12 @@ .macro spectre_bhb_loop_8_late .endm +.macro spectre_bhb_loop_11_early + spectre_bhb_loop 11 +.endm +.macro spectre_bhb_loop_11_late +.endm + .macro spectre_bhb_loop_24_early spectre_bhb_loop 24 .endm @@ -92,7 +98,7 @@ #endif .macro spectre_bhb_clrbhb_early - hint #22 /* clrbhb */ + clrbhb isb .endm .macro spectre_bhb_clrbhb_late @@ -147,6 +153,7 @@ trampoline_vectors_\bhb: trampoline_vectors: tramp_vector none tramp_vector loop_8 + tramp_vector loop_11 tramp_vector loop_24 tramp_vector loop_32 #if NPSCI > 0 diff --git a/sys/arch/arm64/include/hypervisor.h b/sys/arch/arm64/include/hypervisor.h index 0b91a2afc..a3b8bb0f8 100644 --- a/sys/arch/arm64/include/hypervisor.h +++ b/sys/arch/arm64/include/hypervisor.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hypervisor.h,v 1.3 2021/02/21 13:14:47 kettenis Exp $ */ +/* $OpenBSD: hypervisor.h,v 1.4 2024/03/16 20:46:28 kettenis Exp $ */ /*- * Copyright (c) 2013, 2014 Andrew Turner * All rights reserved. @@ -82,6 +82,8 @@ #define HCR_CD 0x0000000100000000 #define HCR_ID 0x0000000200000000 #define HCR_E2H 0x0000000400000000 +#define HCR_APK 0x0000010000000000 +#define HCR_API 0x0000020000000000 #endif diff --git a/sys/lib/libz/deflate.c b/sys/lib/libz/deflate.c index 598d5a2b2..e653d530c 100644 --- a/sys/lib/libz/deflate.c +++ b/sys/lib/libz/deflate.c 
@@ -842,13 +842,13 @@ uLong ZEXPORT deflateBound(z_streamp strm, uLong sourceLen) { storelen = sourceLen + (sourceLen >> 5) + (sourceLen >> 7) + (sourceLen >> 11) + 7; - /* if can't get parameters, return larger bound plus a zlib wrapper */ + /* if can't get parameters, return larger bound plus a wrapper */ if (deflateStateCheck(strm)) - return (fixedlen > storelen ? fixedlen : storelen) + 6; + return (fixedlen > storelen ? fixedlen : storelen) + 18; /* compute wrapper length */ s = strm->state; - switch (s->wrap) { + switch (s->wrap < 0 ? -s->wrap : s->wrap) { case 0: /* raw deflate */ wraplen = 0; break; @@ -878,7 +878,7 @@ uLong ZEXPORT deflateBound(z_streamp strm, uLong sourceLen) { break; #endif default: /* for compiler happiness */ - wraplen = 6; + wraplen = 18; } /* if not default parameters, return one of the conservative bounds */ diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c index e59ee178f..095559dfc 100644 --- a/sys/net80211/ieee80211_input.c +++ b/sys/net80211/ieee80211_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ieee80211_input.c,v 1.250 2023/01/09 00:22:47 daniel Exp $ */ +/* $OpenBSD: ieee80211_input.c,v 1.251 2024/03/15 17:45:36 stsp Exp $ */ /* $NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $ */ /*- @@ -2838,6 +2838,11 @@ ieee80211_recv_addba_req(struct ieee80211com *ic, struct mbuf *m, u_int8_t token, tid; int err = 0; + /* Ignore if we are not ready to receive data frames. */ + if (ic->ic_state != IEEE80211_S_RUN || + ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid)) + return; + if (!(ni->ni_flags & IEEE80211_NODE_HT)) { DPRINTF(("received ADDBA req from non-HT STA %s\n", ether_sprintf(ni->ni_macaddr))); diff --git a/usr.bin/whois/whois.1 b/usr.bin/whois/whois.1 index 7477324bb..f5318951e 100644 --- a/usr.bin/whois/whois.1 +++ b/usr.bin/whois/whois.1 
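Review bot: The early `return` added at the top of ieee80211_recv_addba_req() drops the ADDBA request silently, while the non-HT rejection directly below it logs the sender through `DPRINTF`. Bracing the new `if` and adding `DPRINTF(("ignoring ADDBA req from %s: not ready for data frames\n", ether_sprintf(ni->ni_macaddr)));` before the `return` would make requests that arrive before the RUN state or before the port is valid visible when debugging or investigating odd peer behaviour. The other block-ack action handlers are outside this hunk, so it is worth confirming whether they need the same state check. The function body continues beyond the hunk.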
@@ -1,4 +1,4 @@ -.\" $OpenBSD: whois.1,v 1.39 2024/03/05 16:06:32 millert Exp $ +.\" $OpenBSD: whois.1,v 1.40 2024/03/16 02:00:31 millert Exp $ .\" $NetBSD: whois.1,v 1.5 1995/08/31 21:51:32 jtc Exp $ .\" .\" Copyright (c) 1985, 1990, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)whois.1 8.2 (Berkeley) 6/20/94 .\" -.Dd $Mdocdate: March 5 2024 $ +.Dd $Mdocdate: March 16 2024 $ .Dt WHOIS 1 .Os .Sh NAME @@ -38,7 +38,7 @@ .Nd Internet domain name and network number directory service .Sh SYNOPSIS .Nm whois -.Op Fl AadgIilmPQRr +.Op Fl AadgIilmPQRrS .Oo .Fl c Ar country-code | Fl h Ar host .Oc @@ -201,6 +201,16 @@ Use the Reseaux IP Europeens .Pq Tn RIPE database. It contains network numbers and domain contact information for Europe. +.It Fl S +By default +.Nm +adjusts simple queries (without spaces) to produce more useful output +from certain whois servers, and it suppresses some uninformative output. +With the +.Fl S +option, +.Nm +sends the query and prints the output verbatim. .El .Pp The default action, unless directed otherwise with a special diff --git a/usr.bin/whois/whois.c b/usr.bin/whois/whois.c index 7f922488c..f45d0861f 100644 --- a/usr.bin/whois/whois.c +++ b/usr.bin/whois/whois.c @@ -1,4 +1,4 @@ -/* $OpenBSD: whois.c,v 1.59 2024/03/05 16:06:32 millert Exp $ */ +/* $OpenBSD: whois.c,v 1.61 2024/03/16 06:29:36 jmc Exp $ */ /* * Copyright (c) 1980, 1993 @@ -64,8 +64,11 @@ #define WHOIS_PORT "whois" #define WHOIS_SERVER_ID "Registrar WHOIS Server:" -#define WHOIS_RECURSE 0x01 -#define WHOIS_QUICK 0x02 +#define WHOIS_RECURSE 0x01 +#define WHOIS_QUICK 0x02 +#define WHOIS_SPAM_ME 0x04 + +#define CHOPSPAM ">>> Last update of WHOIS database:" const char *port_whois = WHOIS_PORT; const char *ip_whois[] = { LNICHOST, RNICHOST, PNICHOST, BNICHOST, 
@@ -83,7 +86,7 @@ main(int argc, char *argv[]) country = host = NULL; flags = rval = 0; - while ((ch = getopt(argc, argv, "aAc:dgh:iIlmp:PqQrR")) != -1) + while ((ch = getopt(argc, argv, "aAc:dgh:iIlmp:PqQrRS")) != -1) switch (ch) { case 'a': host = ANICHOST; @@ -133,6 +136,9 @@ main(int argc, char *argv[]) case 'R': host = RUNICHOST; break; + case 'S': + flags |= WHOIS_SPAM_ME; + break; default: usage(); } @@ -206,11 +212,13 @@ whois(const char *query, const char *server, const char *port, int flags) return (1); } - if (strcmp(server, "whois.denic.de") == 0 || - strcmp(server, "de" QNICHOST_TAIL) == 0) + if (!(flags & WHOIS_SPAM_ME) && + (strcmp(server, "whois.denic.de") == 0 || + strcmp(server, "de" QNICHOST_TAIL) == 0)) fmt = "-T dn,ace -C ISO-8859-1 %s\r\n"; - else if (strcmp(server, "whois.dk-hostmaster.dk") == 0 || - strcmp(server, "dk" QNICHOST_TAIL) == 0) + else if (!(flags & WHOIS_SPAM_ME) && + (strcmp(server, "whois.dk-hostmaster.dk") == 0 || + strcmp(server, "dk" QNICHOST_TAIL) == 0)) fmt = "--show-handles %s\r\n"; else fmt = "%s\r\n"; @@ -222,6 +230,11 @@ whois(const char *query, const char *server, const char *port, int flags) fflush(fp); nhost = NULL; while ((buf = fgetln(fp, &len)) != NULL) { + /* Nominet */ + if (!(flags & WHOIS_SPAM_ME) && + len == 5 && strncmp(buf, "-- \r\n", 5) == 0) + break; + p = buf + len - 1; if (isspace((unsigned char)*p)) { do 
@@ -236,31 +249,39 @@ whois(const char *query, const char *server, const char *port, int flags) } puts(buf); - if (nhost != NULL || !(flags & WHOIS_RECURSE)) - continue; - - if ((p = strstr(buf, WHOIS_SERVER_ID))) { - p += sizeof(WHOIS_SERVER_ID) - 1; - while (isblank((unsigned char)*p)) - p++; - if ((len = strcspn(p, " \t\n\r"))) { - if ((nhost = malloc(len + 1)) == NULL) - err(1, "malloc"); - memcpy(nhost, p, len); - nhost[len] = '\0'; - } - } else if (strcmp(server, ANICHOST) == 0) { - for (p = buf; *p != '\0'; p++) - *p = tolower((unsigned char)*p); - for (i = 0; ip_whois[i] != NULL; i++) { - if (strstr(buf, ip_whois[i]) != NULL) { - nhost = strdup(ip_whois[i]); - if (nhost == NULL) - err(1, "strdup"); - break; + if (nhost == NULL && (flags & WHOIS_RECURSE)) { + if ((p = strstr(buf, WHOIS_SERVER_ID))) { + p += sizeof(WHOIS_SERVER_ID) - 1; + while (isblank((unsigned char)*p)) + p++; + if ((len = strcspn(p, " \t\n\r"))) { + if ((nhost = malloc(len + 1)) == NULL) + err(1, "malloc"); + memcpy(nhost, p, len); + nhost[len] = '\0'; + } + } else if (strcmp(server, ANICHOST) == 0) { + for (p = buf; *p != '\0'; p++) + *p = tolower((unsigned char)*p); + for (i = 0; ip_whois[i] != NULL; i++) { + if (strstr(buf, ip_whois[i]) != NULL) { + nhost = strdup(ip_whois[i]); + if (nhost == NULL) + err(1, "strdup"); + break; + } } } } + + /* Verisign etc. */ + if (!(flags & WHOIS_SPAM_ME) && + len >= sizeof(CHOPSPAM)-1 && + (strncasecmp(buf, CHOPSPAM, sizeof(CHOPSPAM)-1) == 0 || + strncasecmp(buf, &CHOPSPAM[4], sizeof(CHOPSPAM)-5) == 0)) { + printf("\n"); + break; + } } fclose(fp); free(nbuf); @@ -352,7 +373,7 @@ usage(void) extern char *__progname; fprintf(stderr, - "usage: %s [-AadgIilmPQRr] [-c country-code | -h host] " + "usage: %s [-AadgIilmPQRrS] [-c country-code | -h host] " "[-p port] name ...\n", __progname); exit(1); } diff --git a/usr.sbin/btrace/ksyms.c b/usr.sbin/btrace/ksyms.c index 5d1ea4576..960b0d9e0 100644 --- a/usr.sbin/btrace/ksyms.c +++ b/usr.sbin/btrace/ksyms.c 
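Review bot: In the new CHOPSPAM test, `len >= sizeof(CHOPSPAM)-1` no longer reliably holds the line length, because the referral block just above it reassigns `len` with `len = strcspn(p, " \t\n\r")` whenever a `Registrar WHOIS Server:` line is parsed. By this point `buf` has already been passed to `puts()`, so it appears to be NUL-terminated and `strncasecmp()` will stop at the terminator on its own. The length test can therefore be dropped, or the host-name length can be stored in a separate variable so that `len` keeps the value returned by `fgetln()`. The declarations and the start of the read loop lie outside this hunk.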
@@ -1,4 +1,4 @@ -/* $OpenBSD: ksyms.c,v 1.8 2024/03/14 00:54:54 cheloha Exp $ */ +/* $OpenBSD: ksyms.c,v 1.9 2024/03/16 17:42:37 cheloha Exp $ */ /* * Copyright (c) 2016 Martin Pieuchot @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include 
@@ -30,60 +31,149 @@ #include "btrace.h" -struct syms { - int fd; - Elf *elf; - Elf_Scn *symtab; - size_t strtabndx, nsymb; +struct sym { + char *sym_name; + unsigned long sym_value; /* from st_value */ + unsigned long sym_size; /* from st_size */ }; -int kelf_parse(struct syms *); +struct syms { + struct sym *table; + size_t nsymb; +}; + +int sym_compare_search(const void *, const void *); +int sym_compare_sort(const void *, const void *); struct syms * kelf_open(const char *path) { - struct syms *syms; - int error; + char *name; + Elf *elf; + Elf_Data *data = NULL; + Elf_Scn *scn = NULL, *symtab; + GElf_Sym sym; + GElf_Shdr shdr; + size_t i, shstrndx, strtabndx = SIZE_MAX, symtab_size; + unsigned long diff; + struct sym *tmp; + struct syms *syms = NULL; + int fd; if (elf_version(EV_CURRENT) == EV_NONE) errx(1, "elf_version: %s", elf_errmsg(-1)); - if ((syms = calloc(1, sizeof(*syms))) == NULL) - err(1, NULL); - - syms->fd = open(path, O_RDONLY); - if (syms->fd == -1) { + fd = open(path, O_RDONLY); + if (fd == -1) { warn("open: %s", path); - free(syms); return NULL; } - if ((syms->elf = elf_begin(syms->fd, ELF_C_READ, NULL)) == NULL) { + if ((elf = elf_begin(fd, ELF_C_READ, NULL)) == NULL) { warnx("elf_begin: %s", elf_errmsg(-1)); goto bad; } - if (elf_kind(syms->elf) != ELF_K_ELF) + if (elf_kind(elf) != ELF_K_ELF) goto bad; - error = kelf_parse(syms); - if (error) + if (elf_getshdrstrndx(elf, &shstrndx) != 0) { + warnx("elf_getshdrstrndx: %s", elf_errmsg(-1)); + goto bad; + } + + while ((scn = elf_nextscn(elf, scn)) != NULL) { + if (gelf_getshdr(scn, &shdr) != &shdr) { + warnx("elf_getshdr: %s", elf_errmsg(-1)); + goto bad; + } + if ((name = elf_strptr(elf, shstrndx, shdr.sh_name)) == NULL) { + warnx("elf_strptr: %s", elf_errmsg(-1)); + goto bad; + } + if (strcmp(name, ELF_SYMTAB) == 0 && + shdr.sh_type == SHT_SYMTAB && shdr.sh_entsize != 0) { + symtab = scn; + symtab_size = shdr.sh_size / shdr.sh_entsize; + } + if (strcmp(name, ELF_STRTAB) == 0 && + shdr.sh_type 
== SHT_STRTAB) { + strtabndx = elf_ndxscn(scn); + } + } + if (symtab == NULL) { + warnx("%s: %s: section not found", path, ELF_SYMTAB); + goto bad; + } + if (strtabndx == SIZE_MAX) { + warnx("%s: %s: section not found", path, ELF_STRTAB); + goto bad; + } + + data = elf_rawdata(symtab, data); + if (data == NULL) goto bad; - return syms; + if ((syms = calloc(1, sizeof(*syms))) == NULL) + err(1, NULL); + syms->table = calloc(symtab_size, sizeof *syms->table); + if (syms->table == NULL) + err(1, NULL); + for (i = 0; i < symtab_size; i++) { + if (gelf_getsym(data, i, &sym) == NULL) + continue; + if (GELF_ST_TYPE(sym.st_info) != STT_FUNC) + continue; + name = elf_strptr(elf, strtabndx, sym.st_name); + if (name == NULL) + continue; + syms->table[syms->nsymb].sym_name = strdup(name); + if (syms->table[syms->nsymb].sym_name == NULL) + err(1, NULL); + syms->table[syms->nsymb].sym_value = sym.st_value; + syms->table[syms->nsymb].sym_size = sym.st_size; + syms->nsymb++; + } + tmp = reallocarray(syms->table, syms->nsymb, sizeof *syms->table); + if (tmp == NULL) + err(1, NULL); + syms->table = tmp; + + /* Sort symbols in ascending order by address. */ + qsort(syms->table, syms->nsymb, sizeof *syms->table, sym_compare_sort); + + /* + * Some functions, particularly those written in assembly, have an + * st_size of zero. We can approximate a size for these by assuming + * that they extend from their st_value to that of the next function. + */ + for (i = 0; i < syms->nsymb; i++) { + if (syms->table[i].sym_size != 0) + continue; + /* Can't do anything for the last symbol. 
*/ + if (i + 1 == syms->nsymb) + continue; + diff = syms->table[i + 1].sym_value - syms->table[i].sym_value; + syms->table[i].sym_size = diff; + } bad: - kelf_close(syms); - return NULL; + elf_end(elf); + close(fd); + return syms; } void kelf_close(struct syms *syms) { + size_t i; + if (syms == NULL) return; - elf_end(syms->elf); - close(syms->fd); + + for (i = 0; i < syms->nsymb; i++) + free(syms->table[i].sym_name); + free(syms->table); free(syms); } 
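Review bot: In the rewritten kelf_open(), `symtab` is declared without an initializer (`Elf_Scn *scn = NULL, *symtab;`) and so is `symtab_size`, yet the code after the section loop tests `if (symtab == NULL)`. For an ELF file with no matching symbol-table section, that test reads an indeterminate pointer and the "section not found" path may never be taken. Initialising both at declaration, `Elf_Scn *scn = NULL, *symtab = NULL;` and `symtab_size = 0`, makes the check meaningful. Separately, `reallocarray(syms->table, syms->nsymb, sizeof *syms->table)` is reached with `nsymb == 0` when the table has no STT_FUNC entries. On allocators where a zero-size request returns NULL this ends in `err(1, NULL)`, so skipping the shrink in that case avoids a spurious exit.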
@@ -91,106 +181,46 @@ int kelf_snprintsym(struct syms *syms, char *str, size_t size, unsigned long pc, unsigned long off) { - GElf_Sym sym; - Elf_Data *data = NULL; - Elf_Addr offset, bestoff = 0; - size_t i, bestidx = 0; - char *name; - int cnt; + struct sym key = { .sym_value = pc + off }; + struct sym *entry; + Elf_Addr offset; if (syms == NULL) goto fallback; - data = elf_rawdata(syms->symtab, data); - if (data == NULL) + entry = bsearch(&key, syms->table, syms->nsymb, sizeof *syms->table, + sym_compare_search); + if (entry == NULL) goto fallback; - for (i = 0; i < syms->nsymb; i++) { - if (gelf_getsym(data, i, &sym) == NULL) - continue; - if (GELF_ST_TYPE(sym.st_info) != STT_FUNC) - continue; - if (pc >= sym.st_value + off) { - if (pc < (sym.st_value + off + sym.st_size)) - break; - /* Workaround for symbols w/o size, usually asm ones. */ - if (sym.st_size == 0 && sym.st_value + off > bestoff) { - bestidx = i; - bestoff = sym.st_value + off; - } - } - } - - if (i == syms->nsymb) { - if (bestidx == 0 || gelf_getsym(data, bestidx, &sym) == NULL) - goto fallback; - } - - name = elf_strptr(syms->elf, syms->strtabndx, sym.st_name); - if (name != NULL) - cnt = snprintf(str, size, "\n%s", name); - else - cnt = snprintf(str, size, "\n0x%llx", sym.st_value); - if (cnt < 0) - return cnt; - - offset = pc - (sym.st_value + off); + offset = pc - (entry->sym_value + off); if (offset != 0) { - int l; - - l = snprintf(str + cnt, size > (size_t)cnt ? 
size - cnt : 0, - "+0x%llx", (unsigned long long)offset); - if (l < 0) - return l; - cnt += l; + return snprintf(str, size, "\n%s+0x%llx", + entry->sym_name, (unsigned long long)offset); } - return cnt; + return snprintf(str, size, "\n%s", entry->sym_name); fallback: return snprintf(str, size, "\n0x%lx", pc); } int -kelf_parse(struct syms *syms) +sym_compare_sort(const void *ap, const void *bp) { - GElf_Shdr shdr; - Elf_Scn *scn, *scnctf; - char *name; - size_t shstrndx; + const struct sym *a = ap, *b = bp; - if (elf_getshdrstrndx(syms->elf, &shstrndx) != 0) { - warnx("elf_getshdrstrndx: %s", elf_errmsg(-1)); - return 1; - } - - scn = scnctf = NULL; - while ((scn = elf_nextscn(syms->elf, scn)) != NULL) { - if (gelf_getshdr(scn, &shdr) != &shdr) { - warnx("elf_getshdr: %s", elf_errmsg(-1)); - return 1; - } - - if ((name = elf_strptr(syms->elf, shstrndx, - shdr.sh_name)) == NULL) { - warnx("elf_strptr: %s", elf_errmsg(-1)); - return 1; - } - - if (strcmp(name, ELF_SYMTAB) == 0 && - shdr.sh_type == SHT_SYMTAB && shdr.sh_entsize != 0) { - syms->symtab = scn; - syms->nsymb = shdr.sh_size / shdr.sh_entsize; - } - - if (strcmp(name, ELF_STRTAB) == 0 && - shdr.sh_type == SHT_STRTAB) { - syms->strtabndx = elf_ndxscn(scn); - } - } - - if (syms->symtab == NULL) - warnx("symbol table not found"); - - return 0; + if (a->sym_value < b->sym_value) + return -1; + return a->sym_value > b->sym_value; +} + +int +sym_compare_search(const void *keyp, const void *entryp) +{ + const struct sym *entry = entryp, *key = keyp; + + if (key->sym_value < entry->sym_value) + return -1; + return key->sym_value >= entry->sym_value + entry->sym_size; } diff --git a/usr.sbin/rpki-client/constraints.c b/usr.sbin/rpki-client/constraints.c index bd75e962e..1c08427bf 100644 --- a/usr.sbin/rpki-client/constraints.c +++ b/usr.sbin/rpki-client/constraints.c 
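Review bot: The lookup key in kelf_snprintsym() is built as `.sym_value = pc + off`, but the offset printed afterwards is `pc - (entry->sym_value + off)`. The latter treats `off` as a bias added to the symbol's address, the same way the removed loop compared `pc >= sym.st_value + off`. Under that reading the table should be searched for `pc - off`, i.e. `struct sym key = { .sym_value = pc - off };`, since the two forms agree only when `off` is 0. How callers set `off` is not visible here, so this should be confirmed against them. Note also that entries left with `sym_size == 0` can never match in sym_compare_search(), so those addresses take the `0x%lx` fallback.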
@@ -1,4 +1,4 @@ -/* $OpenBSD: constraints.c,v 1.2 2023/12/27 07:15:55 tb Exp $ */ +/* $OpenBSD: constraints.c,v 1.4 2024/03/15 05:14:16 tb Exp $ */ /* * Copyright (c) 2023 Job Snijders * Copyright (c) 2023 Theo Buehler @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -38,6 +39,7 @@ struct tal_constraints { int fd; /* constraints file descriptor or -1. */ char *fn; /* constraints filename */ + char *warn; /* warning msg used for violations */ struct cert_ip *allow_ips; /* list of allowed IP address ranges */ size_t allow_ipsz; /* length of "allow_ips" */ struct cert_as *allow_as; /* allowed AS numbers and ranges */ @@ -59,7 +61,7 @@ static void constraints_load_talid(int talid) { const char *tal = tals[talid]; - char *constraints = NULL; + char *constraints = NULL, *warning = NULL, *cbn; int fd; size_t len; int saved_errno; @@ -72,7 +74,13 @@ constraints_load_talid(int talid) /* Replace .tal suffix with .constraints. */ len = strlen(tal) - 4; if (asprintf(&constraints, "%.*s.constraints", (int)len, tal) == -1) - errx(1, NULL); + err(1, NULL); + + /* prepare warning message for when violations are detected */ + if ((cbn = basename(constraints)) == NULL) + err(1, "basename"); + if (asprintf(&warning, "resource violates %s", cbn) == -1) + err(1, NULL); saved_errno = errno; @@ -82,6 +90,7 @@ constraints_load_talid(int talid) tal_constraints[talid].fn = constraints; tal_constraints[talid].fd = fd; + tal_constraints[talid].warn = warning; errno = saved_errno; } @@ -108,8 +117,10 @@ constraints_unload(void) if (tal_constraints[talid].fd != -1) close(tal_constraints[talid].fd); free(tal_constraints[talid].fn); + free(tal_constraints[talid].warn); tal_constraints[talid].fd = -1; tal_constraints[talid].fn = NULL; + tal_constraints[talid].warn = NULL; } errno = saved_errno; } 
@@ -578,7 +589,7 @@ constraints_validate(const char *fn, const struct cert *cert) deny_as, deny_asz)) continue; - as_warn(fn, "trust anchor constraints violation", &cert->as[i]); + as_warn(fn, tal_constraints[talid].warn, &cert->as[i]); return 0; } @@ -592,8 +603,7 @@ constraints_validate(const char *fn, const struct cert *cert) allow_ipsz, deny_ips, deny_ipsz)) continue; - ip_warn(fn, "trust anchor constraints violation", - &cert->ips[i]); + ip_warn(fn, tal_constraints[talid].warn, &cert->ips[i]); return 0; } diff --git a/usr.sbin/smtpd/mda_unpriv.c b/usr.sbin/smtpd/mda_unpriv.c index 1d59550ae..2c097fc04 100644 --- a/usr.sbin/smtpd/mda_unpriv.c +++ b/usr.sbin/smtpd/mda_unpriv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mda_unpriv.c,v 1.8 2021/06/14 17:58:15 eric Exp $ */ +/* $OpenBSD: mda_unpriv.c,v 1.9 2024/03/15 21:52:20 op Exp $ */ /* * Copyright (c) 2018 Gilles Chehade @@ -28,7 +28,7 @@ mda_unpriv(struct dispatcher *dsp, struct deliver *deliver, const char *pw_name, const char *pw_dir) { int idx; - char *mda_environ[11]; + char *mda_environ[12]; char mda_exec[LINE_MAX]; char mda_wrapper[LINE_MAX]; const char *mda_command; @@ -54,6 +54,7 @@ mda_unpriv(struct dispatcher *dsp, struct deliver *deliver, xasprintf(&mda_environ[idx++], "PATH=%s", _PATH_DEFPATH); xasprintf(&mda_environ[idx++], "DOMAIN=%s", deliver->rcpt.domain); xasprintf(&mda_environ[idx++], "HOME=%s", pw_dir); + xasprintf(&mda_environ[idx++], "ORIGINAL_RECIPIENT=%s@%s", deliver->rcpt.user, deliver->rcpt.domain); xasprintf(&mda_environ[idx++], "RECIPIENT=%s@%s", deliver->dest.user, deliver->dest.domain); xasprintf(&mda_environ[idx++], "SHELL=/bin/sh"); xasprintf(&mda_environ[idx++], "LOCAL=%s", deliver->rcpt.user); diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5 index 257ad172d..161650059 100644 --- a/usr.sbin/smtpd/smtpd.conf.5 +++ b/usr.sbin/smtpd/smtpd.conf.5 
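Review bot: In mda_unpriv(), the bump of `char *mda_environ[11]` to `[12]` keeps the array size tied by hand to the number of `xasprintf(&mda_environ[idx++], ...)` calls, and nothing in the hunk checks `idx` against the array bound. The next variable added without a matching bump would write past the end of a stack array in the process that launches the MDA. A check after the last assignment, comparing `idx` with `sizeof(mda_environ) / sizeof(mda_environ[0])` and aborting on overflow, would turn that mistake into an immediate failure. The new `ORIGINAL_RECIPIENT` value is built from `deliver->rcpt.user` and `deliver->rcpt.domain`, presumably taken from the SMTP envelope, so MDA scripts should treat it as untrusted input just like `LOCAL` and `DOMAIN`. The rest of mda_unpriv() is outside the hunk.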
@@ -1,4 +1,4 @@ -.\" $OpenBSD: smtpd.conf.5,v 1.268 2024/02/03 20:46:57 jmc Exp $ +.\" $OpenBSD: smtpd.conf.5,v 1.269 2024/03/15 21:56:22 op Exp $ .\" .\" Copyright (c) 2008 Janne Johansson .\" Copyright (c) 2009 Jacek Masiulaniec @@ -17,7 +17,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .\" -.Dd $Mdocdate: February 3 2024 $ +.Dd $Mdocdate: March 15 2024 $ .Dt SMTPD.CONF 5 .Os .Sh NAME @@ -1113,6 +1113,34 @@ For example, with recipient .It %{rcpt} Ta expands to Dq user+t:g@example.org .It %{rcpt:raw} Ta expands to Dq user+t?g@example.org .El +.Ss MDA ENVIRONMENT +When a MDA is invoked, +.Xr smtpd 8 +will create a new process. +Only the uid and gid of the destination user is set. +The following environment variables will be set: +.Bl -tag -width "ORIGINAL_RECIPIENT" +.It Ev DOMAIN +The recipient domain. +.It Ev HOME +The home directory of the destination user. +.It Ev RECIPIENT +The address of the final recipient. +.It Ev ORIGINAL_RECIPIENT +The address of the original recipient. +.It Ev EXTENSION +The sub address of the recipient, only set when there is a sub address. +.It Ev SENDER +The address of the sender (might be empty). +.El +.Pp +This process gets the mail piped to +.Xr stdin 3 . +A mail is considered as delivered when the mda exit with +.Dv EX_OK +and +.Xr stdin 3 +is completely read. .Sh FILES .Bl -tag -width "/etc/mail/smtpd.confXXX" -compact .It Pa /etc/mail/smtpd.conf