diff --git a/TODO b/TODO index f189d96..e29d33e 100644 --- a/TODO +++ b/TODO @@ -1,3 +1,22 @@ +Reports PROBATION even when rejecting message (works, but confusing in log). + +Bug in Auto-whitelist. Recent Auto-whitelist doesn't override expired entry. + +Delayed_failure detection needs to handle multi-line header fields. Also, +delayed_failure should be recognized when addressed to postmaster@helodomain +Idea: load headers into message object, and use header array. + +Need to use wildcards in blacklist.log: *.madcowsrecord.net +Need to exclude emails like !*-admin@example.com in whitelist_sender. + +SPF permerror diagnostics should include corrected mechanism. + +Delay SPF check until RCPT TO. Cache result to avoid repeating +for multiple RCPT. This avoids overhead for invalid RCPT, and +allows for per RCPT local policy. + +Add auto-blacklisted senders to blacklist.log with timestamp. + Received-SPF header field should show identity that was checked. Check SPF for outgoing mail (including local policy for internal addresses). diff --git a/bms.py b/bms.py index c182d4d..64ce7a1 100644 --- a/bms.py +++ b/bms.py @@ -1,6 +1,9 @@ #!/usr/bin/env python # A simple milter that has grown quite a bit. # $Log$ +# Revision 1.65 2006/06/21 22:22:00 customdesigned +# Handle multi-line headers in delayed dsns. +# # Revision 1.64 2006/06/21 21:12:04 customdesigned # More delayed reject token headers. # Don't require HELO pass for CBV. @@ -1233,7 +1236,7 @@ class bmsMilter(Milter.Milter): # check for delayed bounce of CBV if self.is_bounce and srs: - if refaildsn.match(lval): + if refaildsn.search(lval): self.delayed_failure = val.strip() # if confirmed by finding our signed Message-ID, # original sender (encoded in Message-ID) is blacklisted 
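Review bot: In the `@@ -1233` hunk of bms.py, `self.delayed_failure = val.strip()` trims only the ends of the value, so now that `refaildsn.search(lval)` accepts folded header fields, the stored string can carry interior line breaks taken straight from a remote message. Where `delayed_failure` is later logged or echoed is outside this hunk, but flattening it at the point of capture keeps it to one line: `self.delayed_failure = ' '.join(val.split())`. Because `search` matches the pattern anywhere in the value rather than at its start, a short comment such as `# search, not match: the failure text may sit on a continuation line` would record why the wider match is intended; whether `refaildsn` is anchored cannot be seen here. The enclosing method begins and ends outside the hunk.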
@@ -1768,7 +1771,7 @@ class bmsMilter(Milter.Milter): m.add_header('Sender','"Python Milter" <%s>'%msgid) m = m.as_string() print >>open(template_name+'.last_dsn','w'),m - res = dsn.send_dsn(sender,self.receiver,m) + res = dsn.send_dsn(sender,self.receiver,m,timeout=timeout) if res: desc = "CBV: %d %s" % res[:2] if 400 <= res[0] < 500: @@ -1803,6 +1806,7 @@ def main(): if srs or len(discard_users) > 0 or smart_alias or dspam_userdir: flags = flags + Milter.DELRCPT Milter.set_flags(flags) + socket.setdefaulttimeout(60) milter_log.info("bms milter startup") sys.stdout.flush() Milter.runmilter("pythonfilter",socketname,timeout) diff --git a/milter.spec b/milter.spec index de70374..37a46fc 100644 --- a/milter.spec +++ b/milter.spec @@ -1,6 +1,6 @@ %define name milter %define version 0.8.6 -%define release 1.RH7 +%define release 2.RH7 # what version of RH are we building for? %define redhat9 0 %define redhat7 1 @@ -91,6 +91,8 @@ cat >$RPM_BUILD_ROOT/etc/cron.daily/milter <<'EOF' #!/bin/sh find /var/log/milter/save -mtime +7 | xargs $R rm +# work around memory leak +/etc/init.d/milter restart EOF chmod a+x $RPM_BUILD_ROOT/etc/cron.daily/milter @@ -174,13 +176,13 @@ rm -rf $RPM_BUILD_ROOT /usr/share/sendmail-cf/hack/rhsbl.m4 %changelog -* Thu Feb 23 2006 Stuart Gathman 0.8.6-1 -- Support fail template +* Tue May 23 2006 Stuart Gathman 0.8.6-2 +- Support fail template, headers in templates - Create GOSSiP record only when connection will procede to DATA. - More SPF lax heuristics - Don't require SPF pass for white/black listing mail from trusted relay. - Support localpart wildcard for white and black lists. -- Use signed Message-ID in delayed reject of DSNs to blacklist senders +* Thu Feb 23 2006 Stuart Gathman 0.8.6-1 - Delay reject of unsigned RCPT for postmaster and abuse only - Fix dsn reporting of hard permerror - Resolve FIXME for wrap_close in miltermodule.c
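Review bot: The `timeout` passed to `dsn.send_dsn(...)` in the `@@ -1768` hunk is not bound in the visible lines. If it is the same module-level value that `main()` hands to `Milter.runmilter`, the callback may take as long as the MTA waits for the milter itself, and the server it connects to is chosen by whoever sent the message. A separate, shorter limit would keep a slow remote host from using up the whole milter window, e.g. `res = dsn.send_dsn(sender,self.receiver,m,timeout=cbv_timeout)`, where `cbv_timeout` is a placeholder name for a new setting. At minimum, a comment should state the unit and which timeout this is. The enclosing method starts and ends outside the hunk.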
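Review bot: `socket.setdefaulttimeout(60)` in `main()` changes the default for every socket the process creates afterwards, not only the DSN connection, and the literal 60 is unexplained next to the explicit `timeout=timeout` added in the hunk above. A comment would make the intent reviewable, for example `# fallback for sockets opened without an explicit timeout (DNS, SMTP callbacks)`; the list in that example is an assumption to confirm. The call also relies on `socket` being imported at the top of bms.py, which this diff does not show. `main()` starts and ends outside the hunk.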
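Review bot: The added `/etc/init.d/milter restart` in the cron.daily script takes the filter down once a day unconditionally. What the MTA does with mail arriving in that gap depends on the filter's failure setting, which this spec does not show; if it is left at pass-through, messages go unfiltered while the milter restarts. The comment should say so and name the setting to check, e.g. `# work around memory leak; needs the MTA's milter entry set to tempfail so mail is deferred, not passed, during restart`. The script also ignores the restart's exit status, so a failed start leaves the filter down until someone notices; `/etc/init.d/milter restart || echo "milter restart failed" >&2` would at least surface it in cron's mail.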