+JH/13 Bug 2929: Fix using $recipients after ${run...}. A change made for 4.96
+ resulted in the variable appearing empty. Find and fix by Ruben Jenster.
+
+JH/14 Bug 2933: Fix regex substring match variables for null matches. Since 4.96
+ a capture group which obtained no text (eg. "(abc)*" matching zero
+ occurrences) could cause a segfault if the corresponding $<n> was
+ expanded.
+
+JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument
+ included a close-brace character (eg. it itself used an expansion) an
+ error occurred.
+
+JH/16 Move running the smtp connect ACL to before, for TLS-on-connect ports,
+ starting TLS. Previously it was after, meaning that attackers on such
+ ports had to be screened using the host_reject_connection main config
+ option. The new sequence aligns better with the STARTTLS behaviour, and
+ permits defences against crypto-processing load attacks, even though it
+ is strictly an incompatible change.
+ Also, avoid sending any SMTP fail response for either the connect ACL
+ or host_reject_connection, for TLS-on-connect ports.
+
+JH/17 Permit the ACL "encrypted" condition to be used in a HELO/EHLO ACL,
+ Previously this was not permitted, but it makes reasonable sense.
+ While there, restore a restriction on using it from a connect ACL; given
+ the change JH/16 it could only return false (and before 4.91 was not
+ permitted).
+
+JH/18 Fix a fencepost error in logging. Previously (since 4.92) when a log line
+ was exactly sized compared to the log buffer, a crash occurred with the
+ misleading message "bad memory reference; pool not found".
+ Found and traced by Jasen Betts.
+
+JH/19 Bug 2911: Fix a recursion in DNS lookups. Previously, if the main option
+ dns_again_means_nonexist included an element causing a DNS lookup which
+ iteslf returned DNS_AGAIN, unbounded recursion occurred. Possible results
+ included (though probably not limited to) a process crash from stack
+ memory limit, or from excessive open files. Replace this with a paniclog
+ whine (as this is likely a configuration error), and returning
+ DNS_NOMATCH.
+
+JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group. Previously
+ this always failed, probably leading to the usual downgrade to in-clear
+ connections.
+
+JH/20 Fix TLSA lookups. Previously dns_again_means_nonexist would affect
+ SERVFAIL results, which breaks the downgrade resistance of DANE. Change
+ to not checking that list for these looks.
+