diff -Nur mess822-0.58-auth/Makefile mess822-0.58-auth-ucspitls/Makefile
--- mess822-0.58-auth/Makefile 2006-06-18 23:41:19.000000000 +0200
+++ mess822-0.58-auth-ucspitls/Makefile 2006-06-18 23:40:14.000000000 +0200
@@ -547,13 +547,14 @@
 base64.o byte_zero.o \
 timeoutread.o timeoutwrite.o commands.o env.a cdb.a mess822.a \
 libtai.a getln.a strerr.a substdio.a stralloc.a alloc.a error.a \
-case.a str.a fs.a open.a wait.a sig.a fd.a
+case.a str.a fs.a open.a wait.a sig.a fd.a \
+ucspitls.o
 ./load ofmipd rewritehost.o rwhconfig.o config.o qmail.o \
 auto_qmail.o timeoutread.o timeoutwrite.o commands.o env.a \
 base64.o byte_zero.o \
 cdb.a mess822.a libtai.a getln.a strerr.a substdio.a \
 stralloc.a alloc.a error.a case.a str.a fs.a open.a wait.a \
- sig.a fd.a
+ sig.a fd.a ucspitls.o
 ofmipd.0: \
 ofmipd.8
diff -Nur mess822-0.58-auth/TARGETS mess822-0.58-auth-ucspitls/TARGETS
--- mess822-0.58-auth/TARGETS 1998-09-05 04:33:37.000000000 +0200
+++ mess822-0.58-auth-ucspitls/TARGETS 2006-06-18 23:40:14.000000000 +0200
@@ -184,3 +184,8 @@
 instcheck.o
 instcheck
 check
+base64.o
+byte_zero.o
+envread.o
+str_cpy.o
+ucspitls.o
diff -Nur mess822-0.58-auth/hier.c mess822-0.58-auth-ucspitls/hier.c
--- mess822-0.58-auth/hier.c 1998-09-05 04:33:37.000000000 +0200
+++ mess822-0.58-auth-ucspitls/hier.c 2006-06-18 23:40:14.000000000 +0200
@@ -66,5 +66,5 @@
 c(auto_home,"man/cat3","mess822_token.0",-1,-1,0644);
 c(auto_home,"man/cat3","mess822_when.0",-1,-1,0644);
- c("/etc",".","leapsecs.dat",-1,-1,0644);
+ /*c("/etc",".","leapsecs.dat",-1,-1,0644);*/
 }
diff -Nur mess822-0.58-auth/ofmipd.c mess822-0.58-auth-ucspitls/ofmipd.c
--- mess822-0.58-auth/ofmipd.c 2006-06-18 23:41:20.000000000 +0200
+++ mess822-0.58-auth-ucspitls/ofmipd.c 2006-06-18 23:40:14.000000000 +0200
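Review bot: ucspitls.o is added to the ofmipd link line and to its dependency list in this Makefile hunk, but the diff adds no rule that builds it; as far as I can see from the rest of this Makefile (outside the hunk) every object is produced by an explicit rule through the project's compile wrapper, so without one the build either fails or falls back to make's built-in .c.o rule and skips the project's compiler flags. Add a rule in the style of the other object rules, `ucspitls.o: \` / `compile ucspitls.c scan.h env.h` / `./compile ucspitls.c`, unless such a rule exists elsewhere in the file. The TARGETS hunk lists ucspitls.o, so the clean/rebuild side is already covered.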
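Review bot: The hier.c hunk comments out the `/etc/leapsecs.dat` install instead of deleting the line, which leaves dead code with no explanation of why the file is no longer shipped. Either remove the line or keep a one-line comment that states the reason, e.g. `/* leapsecs.dat is no longer installed here; libtai reads it from /etc if present */`, since the `@@ -691` hunk in ofmipd.c shows what appears to be main() still calling `leapsecs_init()` and dying with die_config() when it fails, and whether that call tolerates a missing data file is not visible from this diff.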
@@ -21,10 +21,14 @@
 #include "fd.h"
 #include "byte.h"
 #include "case.h"
+#include "ucspitls.h"
 #undef AUTHCRAM /* don't define, not fully implemented */
 int timeout = 1200;
+int tls_available = 0;
+int tls_force = 0;
+int tls_started = 0;
 char *relayclient;
@@ -45,6 +49,7 @@
 void die_read() { _exit(1); }
 void nomem() { out("451 out of memory (#4.3.0)\r\n"); flush(); _exit(1); }
 void die_config() { out("451 unable to read configuration (#4.3.0)\r\n"); flush(); _exit(1); }
+void die_syserr() { out("421 system error (#4.3.0)\r\n"); flush(); _exit(1); }
 void smtp_quit() { out("221 ofmipd.local\r\n"); flush(); _exit(0); }
 void smtp_help() { out("214 qmail home page: http://pobox.com/~djb/qmail.html\r\n"); }
 void smtp_noop() { out("250 ok\r\n"); }
@@ -65,6 +70,7 @@
 int err_authabrt() { out("501 auth exchange cancelled (#5.0.0)\r\n"); return -1; }
 int err_input() { out("501 malformed auth input (#5.5.4)\r\n"); return -1; }
 int err_notauth() { out("503 authorize or check your mail before sending (#5.5.1)\r\n"); return -1; }
+int err_notls() { out("530 Must issue a STARTTLS command first (#5.7.0)\r\n"); return -1; }
 config_str rewrite = CONFIG_STR;
 stralloc idappend = {0};
@@ -136,13 +142,17 @@
 {
 seenmail = 0;
 out("250-ofmipd.local");
+ if (!tls_force || (tls_force && tls_started)) {
 #ifdef AUTHCRAM
- out("\r\n250-AUTH LOGIN CRAM-MD5 PLAIN");
- out("\r\n250-AUTH=LOGIN CRAM-MD5 PLAIN");
+ out("\r\n250-AUTH LOGIN CRAM-MD5 PLAIN");
+ out("\r\n250-AUTH=LOGIN CRAM-MD5 PLAIN");
 #else
- out("\r\n250-AUTH LOGIN PLAIN");
- out("\r\n250-AUTH=LOGIN PLAIN");
+ out("\r\n250-AUTH LOGIN PLAIN");
+ out("\r\n250-AUTH=LOGIN PLAIN");
 #endif
+ }
+ if (tls_available && !tls_started)
+ out("\r\n250-STARTTLS");
 out("\r\n250-PIPELINING\r\n250 8BITMIME\r\n");
 }
 void smtp_rset()
@@ -152,6 +162,7 @@
 }
 void smtp_mail(arg) char *arg; {
+ if (tls_force && !tls_started) { err_notls(); return; }
 if (!relayclient) { err_notauth(); return; }
 if (!addrparse(arg)) { err_syntax(); return; }
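Review bot: `if (!tls_force || (tls_force && tls_started)) {` in the EHLO hunk is simply `if (!tls_force || tls_started) {`; the extra conjunct reads as if it carried a third case and it does not. Separately, with FORCETLS unset the AUTH LOGIN/PLAIN advertisement still goes out on the plaintext connection even when STARTTLS is being offered on the next line; if the intent is to steer clients into TLS before they send credentials, advertising AUTH only when `tls_started || !tls_available` would do that, at the price of clients that never negotiate TLS, so it is a policy decision worth a comment either way. The enclosing smtp_ehlo definition starts above this hunk.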
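Review bot: The `if (tls_force && !tls_started) { err_notls(); return; }` guard added here at the top of smtp_mail, and repeated in the smtp_rcpt and DATA hunks that follow, is not applied to the AUTH command handler, which is outside this diff: as far as these hunks show, a client that ignores the EHLO advertisement can still issue AUTH LOGIN/PLAIN in the clear on a FORCETLS session, so the credentials are exposed before the server gets around to refusing MAIL. The same one-line guard belongs as the first statement of the auth handler, which turns the withheld advertisement into an enforced policy. If that handler already tests tls_started somewhere not shown, disregard. The trailing context of this hunk appears to have been lost in the page's line collapsing.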
@@ -180,6 +191,7 @@
 out("250 ok\r\n");
 }
 void smtp_rcpt(arg) char *arg; {
+ if (tls_force && !tls_started) { err_notls(); return; }
 if (!relayclient) { err_notauth(); return; }
 if (!seenmail) { err_wantmail(); return; }
 if (!addrparse(arg)) { err_syntax(); return; }
@@ -190,6 +202,23 @@
 out("250 ok\r\n");
 }
+void smtp_starttls(arg) char *arg; {
+ unsigned long long_fd;
+ int fd;
+ char *fdstr;
+ if (!tls_available || tls_started)
+ return smtp_unimpl(arg);
+ out("220 2.0.0 Ready to start TLS\r\n");
+ flush();
+
+ if (!ucspitls())
+ die_syserr();
+
+ tls_started = 1;
+ /* reset SMTP state */
+ seenmail = 0;
+}
+
 struct qmail qqt;
 void put(buf,len) char *buf; int len; { qmail_put(&qqt,buf,len); }
 void puts(buf) char *buf; { qmail_puts(&qqt,buf); }
@@ -418,6 +447,7 @@
 datastart.known = 1;
 if (!mess822_date(&datastamp,&datastart)) nomem();
+ if (tls_force && !tls_started) { err_notls(); return; }
 if (!relayclient) { err_notauth(); return; }
 if (!seenmail) { err_wantmail(); return; }
 if (!rcptto.len) { err_wantrcpt(); return; }
@@ -667,6 +697,7 @@
 , { "rset", smtp_rset, 0 }
 , { "help", smtp_help, flush }
 , { "noop", smtp_noop, flush }
+, { "starttls", smtp_starttls, flush }
 , { "vrfy", smtp_vrfy, flush }
 , { 0, smtp_unimpl, flush }
 } ;
@@ -691,6 +722,10 @@
 if (leapsecs_init() == -1) die_config();
 if (chdir(auto_qmail) == -1) die_config();
 if (rwhconfig(&rewrite,&idappend) == -1) die_config();
+ tls_available = !!env_get("UCSPITLS");
+ tls_force = !!env_get("FORCETLS");
+
+ if (tls_force && !tls_available) die_syserr();
 out("220 ofmipd.local ESMTP\r\n");
 commands(&ssin,&smtpcommands);
diff -Nur mess822-0.58-auth/ucspitls.c mess822-0.58-auth-ucspitls/ucspitls.c
--- mess822-0.58-auth/ucspitls.c 1970-01-01 01:00:00.000000000 +0100
+++ mess822-0.58-auth-ucspitls/ucspitls.c 2006-06-18 23:40:14.000000000 +0200
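Review bot: smtp_starttls hands fds 0 and 1 over to the TLS pipes via ucspitls() without checking whether the command reader still holds plaintext bytes that arrived behind the STARTTLS line, so anything pipelined in the clear would be parsed as though it had been received over TLS; RFC 3207 section 4.2 requires such input to be refused or discarded, and the check belongs before the `220 2.0.0 Ready to start TLS` reply (the unread count is `ssin.p` if I read substdio.h correctly, and ssin must be declared above this function). The locals `long_fd`, `fd` and `fdstr` are never used, and `return smtp_unimpl(arg);` returns an expression from a void function, which C does not allow if smtp_unimpl is void like the other handlers. Only seenmail is reset after the upgrade; the same RFC asks for all state learned from the client to be discarded, which may cover rcptto and any relayclient set by a plaintext AUTH, neither of which is visible in this hunk.
```c
void smtp_starttls(arg) char *arg; {
 if (!tls_available || tls_started) { smtp_unimpl(arg); return; }
 /* RFC 3207 4.2: plaintext pipelined behind STARTTLS must not run as TLS input */
 if (ssin.p) { out("503 STARTTLS must not be pipelined (#5.5.1)\r\n"); return; }
 out("220 2.0.0 Ready to start TLS\r\n");
 flush();
 /* … unchanged: ucspitls() call, die_syserr(), tls_started = 1, state reset … */
}
```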
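Review bot: `if (tls_force && !tls_available) die_syserr();` in the startup hunk reports an operator misconfiguration (FORCETLS set without UCSPITLS) as `421 system error`, which is indistinguishable from a genuine failure in ucspitls() and gives no hint of the cause in client-side logs; the surrounding lines use die_config() for this class of problem, so `if (tls_force && !tls_available) die_config();` is the consistent choice. The two env_get() results are used only for presence (an empty value still enables the feature), which deserves a comment such as `/* UCSPITLS / FORCETLS: presence of the variable, not its value, enables TLS */`. This hunk sits inside a function whose header is outside the diff.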
@@ -0,0 +1,31 @@
+#include "scan.h"
+#include "env.h"
+
+int ucspitls(void)
+{
+ unsigned long fd;
+ char *fdstr;
+
+ if (!(fdstr=env_get("SSLCTLFD")))
+ return 0;
+ if (!scan_ulong(fdstr,&fd))
+ return 0;
+ if (write((int)fd, "y", 1) < 1)
+ return 0;
+
+ if (!(fdstr=env_get("SSLREADFD")))
+ return 0;
+ if (!scan_ulong(fdstr,&fd))
+ return 0;
+ if (dup2((int)fd,0) == -1)
+ return 0;
+
+ if (!(fdstr=env_get("SSLWRITEFD")))
+ return 0;
+ if (!scan_ulong(fdstr,&fd))
+ return 0;
+ if (dup2((int)fd,1) == -1)
+ return 0;
+
+ return 1;
+}
diff -Nur mess822-0.58-auth/ucspitls.h mess822-0.58-auth-ucspitls/ucspitls.h
--- mess822-0.58-auth/ucspitls.h 1970-01-01 01:00:00.000000000 +0100
+++ mess822-0.58-auth-ucspitls/ucspitls.h 2006-06-18 23:40:14.000000000 +0200
@@ -0,0 +1 @@
+int ucspitls(void);
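Review bot: ucspitls.c calls write() and dup2() with only scan.h and env.h included, so both are implicitly declared; add `#include <unistd.h>` beside them (and `<limits.h>` if the bound below is adopted). After each successful dup2() the original descriptor stays open at its old number, so the TLS helper's pipes remain reachable through stray fds for the rest of the process and any child it spawns; close them once duplicated, unless the number is already the target. The `unsigned long` from scan_ulong() is narrowed to int for the syscalls, and a bound check avoids a silent wrap. These values come from the environment set up by the TLS front end rather than from the SMTP client, so this is robustness rather than hostile-input handling, but note that a failure after fd 0 has been swapped leaves stdin on TLS and stdout in the clear until the caller exits.
```c
/* … unchanged: SSLCTLFD lookup and the "y" handshake write … */
 if (!(fdstr=env_get("SSLREADFD")))
 return 0;
 if (!scan_ulong(fdstr,&fd) || fd > INT_MAX)
 return 0;
 if (dup2((int)fd,0) == -1)
 return 0;
 if (fd != 0)
 close((int)fd); /* the duplicate on 0 is the one kept */
/* … same three checks for SSLWRITEFD, duplicating onto 1 and closing unless fd == 1 … */
```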