diff --git a/sendmail/envelope.c b/sendmail/envelope.c

index bae6b00..beb91a1 100644

--- a/sendmail/envelope.c

+++ b/sendmail/envelope.c

@@ -323,7 +323,7 @@ dropenvelope(e, fulldrop, split)

 			/* don't free, allocated from e_rpool */

 			e->e_message = sm_rpool_strdup_x(e->e_rpool, buf);

-			message(buf);

+			message("%s", buf);

 			e->e_flags |= EF_CLRQUEUE;

 		}

 		if (msg_timeout == MSG_NOT_BY)

@@ -420,7 +420,7 @@ dropenvelope(e, fulldrop, split)

 				/* don't free, allocated from e_rpool */

 				e->e_message = sm_rpool_strdup_x(e->e_rpool,

 								 buf);

-				message(buf);

+				message("%s", buf);

 				e->e_flags |= EF_WARNING;

 			}

 			if (msg_timeout == MSG_WARN_BY)

diff --git a/sendmail/parseaddr.c b/sendmail/parseaddr.c

index 2adb39c..ba99414 100644

--- a/sendmail/parseaddr.c

+++ b/sendmail/parseaddr.c

@@ -218,7 +218,7 @@ parseaddr(addr, a, flags, delim, delimptr, e, isrcpt)

 			msg = "Deferring message until queue run";

 		if (tTd(20, 1))

 			sm_dprintf("parseaddr: queueing message\n");

-		message(msg);

+		message("%s", msg);

 		if (e->e_message == NULL && e->e_sendmode != SM_DEFER)

 			e->e_message = sm_rpool_strdup_x(e->e_rpool, msg);

 		a->q_state = QS_QUEUEUP;

diff --git a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c

index ba636a8..46c5356 100644

--- a/sendmail/srvrsmtp.c

+++ b/sendmail/srvrsmtp.c

@@ -122,6 +122,26 @@ extern ENVELOPE	BlankEnvelope;

 #define SKIP_SPACE(s)	while (isascii(*s) && isspace(*s))	\

 				(s)++

+static inline void

+message1(fmt)

+	char *fmt;

+{

+	if (strchr(fmt, '%') == NULL)

+		message(fmt, NULL);

+	else

+		message("%s", fmt);

+}

+

+static inline void

+usrerr1(fmt)

+	char *fmt;

+{

+	if (strchr(fmt, '%') == NULL)

+		usrerr(fmt, NULL);

+	else

+		usrerr("%s", fmt);

+}

+

 /*

 **  PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT)

 **

@@ -578,13 +598,13 @@ static bool	smtp_data __P((SMTP_T *, ENVELOPE *));

 				bool tsave = QuickAbort;		\

 									\

 				QuickAbort = false;			\

-				usrerr(response);			\

+				usrerr1(response);			\

 				QuickAbort = tsave;			\

 				e->e_sendqueue = NULL;			\

 				goto doquit;				\

 			}						\

 			else						\

-				usrerr(response);			\

+				usrerr1(response);			\

 			break;						\

 									\

 		  case SMFIR_REJECT:					\

@@ -931,7 +951,7 @@ smtp(nullserver, d_flags, e)

 	}

 	else if (strncmp(nullserver, "421 ", 4) == 0)

 	{

-		message(nullserver);

+		message1(nullserver);

 		goto doquit;

 	}

@@ -1849,7 +1869,7 @@ smtp(nullserver, d_flags, e)

 				if (nullserver != NULL)

 				{

 					if (ISSMTPREPLY(nullserver))

-						usrerr(nullserver);

+						usrerr1(nullserver);

 					else

 						usrerr("550 5.0.0 %s",

 						       nullserver);

@@ -2449,7 +2469,7 @@ smtp(nullserver, d_flags, e)

 					tempfail = true;

 					smtp.sm_milterize = false;

 					if (response != NULL)

-						usrerr(response);

+						usrerr1(response);

 					else

 						message("421 4.7.0 %s closing connection",

 							MyHostName);

@@ -3656,7 +3676,7 @@ smtp_data(smtp, e)

 				(void) extenhsc(response + 4, ' ', e->e_enhsc);

 #endif /* _FFR_MILTER_ENHSC */

-			usrerr(response);

+			usrerr1(response);

 			if (strncmp(response, "421 ", 4) == 0

 			    || strncmp(response, "421-", 4) == 0)

 			{

@@ -3776,7 +3796,7 @@ smtp_data(smtp, e)

 			if (ISSMTPCODE(response))

 				(void) extenhsc(response + 4, ' ', e->e_enhsc);

 #endif /* _FFR_MILTER_ENHSC */

-			usrerr(response);

+			usrerr1(response);

 			if (strncmp(response, "421 ", 4) == 0

 			    || strncmp(response, "421-", 4) == 0)

 				rv = false;