+NM/02 Bugzilla 1093 - eximstats DATA reject detection regexps
+ improved.
+
+NM/03 Bugzilla 1169 - primary_hostname spelling was incorrect in docs.
+
+PP/02 Implemented gsasl authenticator.
+
+PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option.
+
+PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
+ `pkg-config foo` for cflags/libs.
+
+PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
+ with rest of GSASL and with heimdal_gssapi.
+
+PP/06 Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use
+ `pkg-config foo` for cflags/libs for the TLS implementation.
+
+PP/07 New expansion variable $tls_bits; Cyrus SASL server connection
+ properties get this fed in as external SSF. A number of robustness
+ and debugging improvements to the cyrus_sasl authenticator.
+
+PP/08 cyrus_sasl server now expands the server_realm option.
+
+PP/09 Bugzilla 1214 - Log authentication information in reject log.
+ Patch by Jeremy Harris.
+
+PP/10 Added dbmjz lookup type.
+
+PP/11 Let heimdal_gssapi authenticator take a SASL message without an authzid.
+
+PP/12 MAIL args handles TAB as well as SP, for better interop with
+ non-compliant senders.
+ Analysis and variant patch by Todd Lyons.
+
+NM/04 Bugzilla 1237 - fix cases where printf format usage no indicated
+ Bug report from Lars Müller <lars@samba.org> (via SUSE),
+ Patch from Dirk Mueller <dmueller@suse.com>
+
+PP/13 tls_peerdn now print-escaped for spool files.
+ Observed some $tls_peerdn in wild which contained \n, which resulted
+ in spool file corruption.
+
+PP/14 TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options"
+ values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read
+ or write after TLS renegotiation, which otherwise led to messages
+ "Got SSL error 2".
+
+TK/01 Bugzilla 1239 - fix DKIM verification when signature was not inserted
+ as a tracking header (ie: a signed header comes before the signature).
+ Patch from Wolfgang Breyha.
+