diff --git a/README b/README
index 8f93d44..ffa6291 100644
--- a/README
+++ b/README
@@ -14,11 +14,13 @@ currently Maildir and IMAP4 mailboxes are supported. New messages, message
 deletions and flag changes can be propagated both ways.
 ``mbsync'' is suitable for use in IMAP-disconnected mode.
 
-Synchronization is based on unique message identifiers (UIDs), so no
-identification conflicts can occur (as opposed to some other mail
+Synchronization is based on unique message identifiers (UIDs), so
+no identification conflicts can occur (unlike with some other mail
 synchronizers).
 Synchronization state is kept in one local text file per mailbox pair;
-multiple replicas of a mailbox can be maintained.
+these files are protected against concurrent ``mbsync'' processes.
+Mailboxes can be safely modified while ``mbsync'' operates.
+Multiple replicas of each mailbox can be maintained.
 
 isync is the project name, while mbsync is the current executable name; this
 change was necessary because of massive changes in the user interface. An
@@ -31,9 +33,8 @@ isync executable still exists; it is a compatibility wrapper around mbsync.
     * Partial mirrors possible: keep only the latest messages locally
     * Trash functionality: backup messages before removing them
     * IMAP features:
-	* Supports TLS/SSL via imaps: (port 993) and STARTTLS (RFC2595)
-	* Supports SASL (RFC4422) for authentication
-	* Supports NAMESPACE (RFC2342) for simplified configuration
+	* Supports TLS/SSL via imaps: (port 993) and STARTTLS
+	* Supports SASL for authentication
 	* Pipelining for maximum speed
 
 * Compatibility
@@ -66,6 +67,8 @@ isync executable still exists; it is a compatibility wrapper around mbsync.
 
     Berkeley DB 4.1+ (optional)
     OpenSSL for TLS/SSL support (optional)
+    Cyrus SASL (optional)
+    zlib (optional)
 
 * Installation
 
diff --git a/configure.ac b/configure.ac
index fbd5b88..b103f71 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,10 +36,10 @@ AC_CHECK_LIB(nsl, inet_ntoa, [SOCK_LIBS="$SOCK_LIBS -lnsl"])
 AC_SUBST(SOCK_LIBS)
 
 have_ipv6=true
-sav_LDFLAGS=$LDFLAGS
-LDFLAGS="$LDFLAGS $SOCK_LIBS"
+sav_LIBS=$LIBS
+LIBS="$LIBS $SOCK_LIBS"
 AC_CHECK_FUNCS(getaddrinfo inet_ntop, , [have_ipv6=false])
-LDFLAGS=$sav_LDFLAGS
+LIBS=$sav_LIBS
 if $have_ipv6; then
     AC_DEFINE(HAVE_IPV6, 1, [if your libc has IPv6 support])
 fi
@@ -141,15 +141,15 @@ AC_SUBST(SASL_LIBS)
 
 AC_CACHE_CHECK([for Berkeley DB >= 4.1], ac_cv_berkdb4,
   [ac_cv_berkdb4=no
-    sav_LDFLAGS=$LDFLAGS
-    LDFLAGS="$LDFLAGS -ldb"
+    sav_LIBS=$LIBS
+    LIBS="$LIBS -ldb"
    AC_TRY_LINK([#include <db.h>],
                [DB *db;
 	        db_create(&db, 0, 0);
 	        db->truncate(db, 0, 0, 0);
 	        db->open(db, 0, "foo", "foo", DB_HASH, DB_CREATE, 0)],
 	       [ac_cv_berkdb4=yes])
-    LDFLAGS=$sav_LDFLAGS
+    LIBS=$sav_LIBS
   ])
 if test "x$ac_cv_berkdb4" = xyes; then
   AC_SUBST([DB_LIBS], ["-ldb"])
diff --git a/src/common.h b/src/common.h
index 238af79..18390f3 100644
--- a/src/common.h
+++ b/src/common.h
@@ -116,6 +116,7 @@ void *memrchr( const void *s, int c, size_t n );
 #endif
 
 int starts_with( const char *str, int strl, const char *cmp, int cmpl );
+int starts_with_upper( const char *str, int strl, const char *cmp, int cmpl );
 int equals( const char *str, int strl, const char *cmp, int cmpl );
 
 #ifndef HAVE_TIMEGM
diff --git a/src/compat/isync.1 b/src/compat/isync.1
index 527ca6a..fb9900f 100644
--- a/src/compat/isync.1
+++ b/src/compat/isync.1
@@ -259,7 +259,12 @@ established with the IMAP server.  (Default: \fIyes\fR)
 ..
 .TP
 \fBCertificateFile\fR \fIpath\fR
-File containing X.509 CA certificates used to verify server identities.
+File containing additional X.509 certificates used to verify server
+identities. Directly matched peer certificates are always trusted,
+regardless of validity.
+.br
+Note that the system's default certificate store is always used
+and should not be specified here.
 ..
 .TP
 \fBUseSSLv2\fR \fIyes\fR|\fIno\fR
diff --git a/src/compat/isyncrc.sample b/src/compat/isyncrc.sample
index 5a6cf10..0bc5d35 100644
--- a/src/compat/isyncrc.sample
+++ b/src/compat/isyncrc.sample
@@ -3,7 +3,7 @@
 #   doesn't specify it.
 
 # SSL server certificate file
-CertificateFile /etc/ssl/certs/ca-certificates.crt
+CertificateFile ~/.isync.certs
 
 # by default, expunge deleted messages (same as -e on command line)
 Expunge yes
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 663dbef..4911f18 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -971,7 +971,7 @@ parse_fetch_rsp( imap_store_t *ctx, list_t *list, char *s ATTR_UNUSED )
 					tmp = tmp->next;
 					if (!is_atom( tmp ))
 						goto bfail;
-					if (starts_with( tmp->val, tmp->len, "X-TUID: ", 8 ))
+					if (starts_with_upper( tmp->val, tmp->len, "X-TUID: ", 8 ))
 						tuid = tmp->val + 8;
 				} else {
 				  bfail:
diff --git a/src/drv_maildir.c b/src/drv_maildir.c
index a91b7cc..9be0ca8 100644
--- a/src/drv_maildir.c
+++ b/src/drv_maildir.c
@@ -33,15 +33,10 @@
 #include <stdio.h>
 #include <unistd.h>
 #include <sys/stat.h>
-#include <sys/file.h>
 #include <errno.h>
 #include <time.h>
 #include <utime.h>
 
-#ifdef __linux__
-# define LEGACY_FLOCK 1
-#endif
-
 #if !defined(_POSIX_SYNCHRONIZED_IO) || _POSIX_SYNCHRONIZED_IO <= 0
 # define fdatasync fsync
 #endif
@@ -621,13 +616,6 @@ maildir_uidval_lock( maildir_store_t *ctx )
 		/* The unlock timer is active, so we are obviously already locked. */
 		return DRV_OK;
 	}
-#ifdef LEGACY_FLOCK
-	/* This is legacy only */
-	if (flock( ctx->uvfd, LOCK_EX ) < 0) {
-		error( "Maildir error: cannot flock UIDVALIDITY.\n" );
-		return DRV_BOX_BAD;
-	}
-#endif
 	/* This (theoretically) works over NFS. Let's hope nobody else did
 	   the same in the opposite order, as we'd deadlock then. */
 #if SEEK_SET != 0
@@ -699,10 +687,6 @@ maildir_uidval_unlock( maildir_store_t *ctx )
 #endif /* USE_DB */
 	lck.l_type = F_UNLCK;
 	fcntl( ctx->uvfd, F_SETLK, &lck );
-#ifdef LEGACY_FLOCK
-	/* This is legacy only */
-	flock( ctx->uvfd, LOCK_UN );
-#endif
 }
 
 static void
diff --git a/src/mbsync.1 b/src/mbsync.1
index daa8d41..3149341 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -35,11 +35,14 @@ New messages, message deletions and flag changes can be propagated both ways;
 the operation set can be selected in a fine-grained manner.
 .br
 Synchronization is based on unique message identifiers (UIDs), so no
-identification conflicts can occur (as opposed to some other mail synchronizers).
+identification conflicts can occur (unlike with some other mail synchronizers).
 OTOH, \fBmbsync\fR is susceptible to UID validity changes (that \fIshould\fR
 never happen, but see "Compatibility" in the README).
 Synchronization state is kept in one local text file per mailbox pair;
-multiple replicas of a mailbox can be maintained.
+these files are protected against concurrent \fBmbsync\fR processes.
+Mailboxes can be safely modified while \fBmbsync\fR operates
+(see \fBINHERENT PROBLEMS\fR below for a minor exception).
+Multiple replicas of each mailbox can be maintained.
 ..
 .SH OPTIONS
 .TP
diff --git a/src/mbsyncrc.sample b/src/mbsyncrc.sample
index d7c5b53..ef842fe 100644
--- a/src/mbsyncrc.sample
+++ b/src/mbsyncrc.sample
@@ -26,7 +26,6 @@ Pass xxxxxxxx
 #  "Account Name" USERNAME
 #  "Password" PASSWORD
 #PassCmd "/usr/bin/security find-internet-password -w -a USERNAME -s IMAPSERVER ~/Library/Keychains/login.keychain"
-CertificateFile /etc/ssl/certs/ca-certificates.crt
 
 Channel work
 Master :work:
diff --git a/src/sync.c b/src/sync.c
index 9672734..5ec377c 100644
--- a/src/sync.c
+++ b/src/sync.c
@@ -338,7 +338,7 @@ msg_fetched( int sts, void *aux )
 					if (c == '\r')
 						lcrs++;
 					else if (c == '\n') {
-						if (starts_with( fmap + start, len - start, "X-TUID: ", 8 )) {
+						if (starts_with_upper( fmap + start, len - start, "X-TUID: ", 8 )) {
 							extra = (sbreak = start) - (ebreak = i);
 							goto oke;
 						}
diff --git a/src/util.c b/src/util.c
index 570d426..e5a6632 100644
--- a/src/util.c
+++ b/src/util.c
@@ -27,6 +27,7 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <string.h>
+#include <ctype.h>
 #include <pwd.h>
 
 static int need_nl;
@@ -241,6 +242,21 @@ starts_with( const char *str, int strl, const char *cmp, int cmpl )
 	return (strl >= cmpl) && !memcmp( str, cmp, cmpl );
 }
 
+int
+starts_with_upper( const char *str, int strl, const char *cmp, int cmpl )
+{
+	int i;
+
+	if (strl < 0)
+		strl = strnlen( str, cmpl + 1 );
+	if (strl < cmpl)
+		return 0;
+	for (i = 0; i < cmpl; i++)
+		if (str[i] != cmp[i] && toupper( str[i] ) != cmp[i])
+			return 0;
+	return 1;
+}
+
 int
 equals( const char *str, int strl, const char *cmp, int cmpl )
 {