This simplistic mail setup does not pass address as command line arguments,
so it is not subject to the vulnerability protected against by this option.

Use a special milter to do what postfix cannot do with its internal
mechanisms.
- fixes postfix-generated bounces so they reach postmaster mail address
  without being rewritten
- actually makes postfix relay rewritten mails (virtual_alias implicitly
  affects virtual_domains, in turn making all mail addresses considered
  locally hosted, which cannot and must not successfully deliver)
Also, backport a yet-unreleased-but-already-upstreamed patch fixing
rcpt value truncation, which breaks when recipient address is not
enclosed in angle brackets - making the mail still reach original
recipient.

Add support for "hosts" aliasing in Zope instances.
Add support for SASL relayhost with mandatory TLS encryption.
Add mandatory TSL + SASL authentication, to not be an open relay.
Wrap postfix commands with proper environment instead of symlink +
source-able script.
Add ipv6 listening support (untested).
Drop non-required main.cf configuration options.
Make postifx instance optional (requires postmaster address to be
provided).
Document and rework smtp-related parameters.
Expose an userhosts hostname for smtp server.
Add diversion support (solution to "prod clone sent mails to real customer").
Use etc/run rather than etc/service, for consistency (if it needs to be
changed, it must be changed for all software types).
Hook into syslog and setup local syslog daemon, with logrotate integration.
Update TODO entries.