Import sendmail 8.15.2

This commit is contained in:
Gregory Neil Shapiro 2015-07-06 04:29:34 +00:00
parent ba87e25c2e
commit 934381a7c5
41 changed files with 7623 additions and 6346 deletions

96
CACerts

@ -6,6 +6,102 @@
# a certificate signed by one of these CA certificates.
#
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
92:91:67:de:e0:ef:2c:e4
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=Berkeley, O=Endmail Org, OU=MTA, CN=Claus Assmann CA RSA 2015/emailAddress=ca+ca-rsa2015@esmtp.org
Validity
Not Before: Mar 2 19:15:29 2015 GMT
Not After : Mar 1 19:15:29 2018 GMT
Subject: C=US, ST=California, L=Berkeley, O=Endmail Org, OU=MTA, CN=Claus Assmann CA RSA 2015/emailAddress=ca+ca-rsa2015@esmtp.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:1a:a1:56:ce:cb:16:af:4f:96:ba:2a:70:31:
70:d3:86:6c:7a:46:26:47:42:3f:de:49:57:3e:08:
1e:10:25:bf:06:8f:ca:fd:f4:5e:6a:01:7d:31:4d:
50:88:18:43:71:66:65:42:9c:90:97:0d:95:f2:14:
ef:d7:5e:77:ef:7d:b5:49:3f:02:bb:83:20:f7:e6:
fc:9a:cd:13:df:60:41:28:8e:39:07:a6:a4:40:98:
15:1e:46:b6:04:2e:f9:ab:32:d1:8b:fe:52:81:f1:
d2:e1:c3:cf:bf:ab:40:a7:f0:e4:e5:a2:82:37:30:
8c:10:7d:aa:a8:7c:7e:76:cc:5f:1a:24:d0:8c:94:
f6:f2:7f:4a:be:2f:38:67:c0:06:e6:9e:51:ad:55:
d0:cb:26:71:cf:f4:af:7d:5a:41:81:16:fb:26:ec:
f0:35:01:6e:db:f9:e9:00:d7:d0:89:7b:cf:88:16:
8b:1c:8f:77:1f:5d:ef:70:04:28:76:c5:1b:c6:23:
8d:49:6b:f0:b8:21:56:d6:7d:68:6c:be:21:e3:e6:
e3:1d:6f:a5:ea:dc:83:e4:27:b3:6f:5f:1b:3d:33:
a1:d5:d3:f0:73:1a:12:eb:d9:95:00:71:59:16:b4:
e4:60:38:b2:2e:7f:b7:d4:c5:e9:3f:74:e4:48:38:
29:89
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B1:69:DB:5E:9B:CE:1A:B4:1D:B2:6A:FC:5A:22:97:B6:24:14:6F:32
X509v3 Authority Key Identifier:
keyid:B1:69:DB:5E:9B:CE:1A:B4:1D:B2:6A:FC:5A:22:97:B6:24:14:6F:32
DirName:/C=US/ST=California/L=Berkeley/O=Endmail Org/OU=MTA/CN=Claus Assmann CA RSA 2015/emailAddress=ca+ca-rsa2015@esmtp.org
serial:92:91:67:DE:E0:EF:2C:E4
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Alternative Name:
email:ca+ca-rsa2015@esmtp.org
X509v3 Issuer Alternative Name:
email:ca+ca-rsa2015@esmtp.org
Signature Algorithm: sha1WithRSAEncryption
0a:ce:07:39:77:08:c5:3a:00:04:e8:a0:3b:f7:d2:4c:79:02:
23:0b:da:c0:55:39:82:71:0a:0c:83:e2:de:f2:3b:fe:23:bc:
9b:13:34:d1:29:0a:16:3f:01:7d:9f:fb:4b:aa:12:dc:3b:7e:
b9:27:7b:ec:0c:3f:c0:d9:f5:d8:a8:a1:9c:1c:3a:2f:40:df:
27:1a:1a:a0:74:00:19:b7:82:0e:f9:45:86:bf:32:da:0e:72:
0a:4c:2c:39:21:63:c3:1f:61:6e:e2:4d:ba:7a:26:1a:15:ce:
b1:f6:1a:59:04:70:ed:e8:72:05:4c:fc:84:c6:a5:f4:e2:4a:
40:e4:42:70:87:9a:a7:02:26:3a:47:34:09:e0:7b:88:ca:fb:
99:d9:9b:bb:0c:52:8a:93:d5:59:30:0b:55:42:b4:bb:d2:b1:
49:55:81:a4:70:a0:49:19:f2:4f:61:94:af:e9:d7:62:68:65:
97:67:00:26:b8:9b:b2:2c:d0:2c:83:7d:3e:b3:31:73:b9:55:
49:53:fa:a3:ad:1b:02:67:08:9e:ce:9e:eb:9f:47:0d:6c:95:
e9:6c:30:92:c1:94:67:ad:d9:e3:b9:61:ea:a9:72:98:81:3a:
62:80:70:20:9a:3e:c4:1f:6f:bd:b4:00:ec:b1:fe:71:da:91:
15:89:f7:8f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
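Review bot: The CA certificate added at the top of the hunk (CN=Claus Assmann CA RSA 2015) is a self-signed root carrying a sha1WithRSAEncryption signature and a validity window ending `Not After : Mar 1 19:15:29 2018 GMT`, and neither fact is recorded in the file's header comment. For a self-signed anchor the SHA-1 self-signature is never verified, so it is not a weakness by itself, but any leaf it issues with SHA-1 will be refused by current TLS stacks, and after the Not After date every chain anchored here fails verification with nothing in this file explaining why. Presumably these are the esmtp.org test/demo CAs rather than anything meant for a system trust store — confirm. I would extend the header comment beside `# a certificate signed by one of these CA certificates.` with `# NOTE: test/demo CA roots with fixed expiry dates (see "Not After"); not intended for a system trust store.` The header comment itself begins above the hunk.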

180
PGPKEYS

@ -141,6 +141,185 @@ gpExpdV7qPrw9k01j5rod5PjZlG8zV0=
=SR28
-----END PGP PUBLIC KEY BLOCK-----
pub 2048R/0xAAF5B5DE05BDCC53 2015-01-02
fingerprint: 30BC A747 05FA 4154 5573 1D7B AAF5 B5DE 05BD CC53
uid Sendmail Signing Key/2015 <sendmail@Sendmail.ORG>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=Jib4
-----END PGP PUBLIC KEY BLOCK-----
Type Bits KeyID Created Expires Algorithm Use
pub 2048 E2763A73 2014-01-02 ------- RSA Sign & Encrypt
fingerprint: 49F6 A8BE 8473 3949 5191 6F3B 61DE 11EC E276 3A73
@ -2613,4 +2792,3 @@ DnF3FZZEzV7oqPwC2jzv/1dD6GFhtgy0cnyoPGUJCyc=
=nES8
-----END PGP PUBLIC KEY BLOCK-----
$Revision: 8.46 $, Last updated $Date: 2014-01-18 00:20:24 $


@ -5,6 +5,47 @@ This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.
8.15.2/8.15.2 2015/07/03
If FEATURE(`nopercenthack') is used then some bogus input triggered
a recursion which was caught and logged as
SYSERR: rewrite: excessive recursion (max 50) ...
Fix based on patch from Ondrej Holas.
DHParameters now by default uses an included 2048 bit prime.
The value 'none' previously caused a log entry claiming
there was an error "cannot read or set DH parameters".
Also note that this option applies to the server side only.
The U= mailer field didn't accept group names containing hyphens,
underbars, or periods. Based on patch from David Gwynne
of the University of Queensland.
CONFIG: Allow connections from IPv6:0:0:0:0:0:0:0:1 to relay again.
Patch from Lars-Johan Liman of Netnod Internet Exchange.
CONFIG: New option UseCompressedIPv6Addresses to select between
compressed and uncompressed IPv6 addresses. The default
value depends on the compile-time option IPV6_FULL:
For 1 the default is False, for 0 it is True, thus
preserving the current behaviour. Based on patch from
John Beck of Oracle.
CONFIG: Account for IPv6 localhost addresses in
FEATURE(`block_bad_helo'). Suggested by Andrey Chernov
from FreeBSD and Robert Scheck from the Fedora Project.
CONFIG: Account for IPv6 localhost addresses in check_mail ruleset.
LIBMILTER: Deal with more invalid protocol data to avoid potential
crashes. Problem noted by Dimitri Kirchner.
LIBMILTER: Allow a milter to specify an empty macro list ("", not
NULL) in smfi_setsymlist() so no macro is sent for the
selected stage.
MAKEMAP: A change to check TrustedUser in fewer cases which was
made in 2013 caused a potential regression when makemap
was run as root (which should not be done anyway).
Note: sendmail often contains options "For Future Releases"
(prefix _FFR_) which might be enabled in a subsequent
version or might simply be removed as they turned out not
to be really useful. These features are usually not
documented but if they are, then the required (FFR)
options are listed in
- doc/op/op.* for rulesets and macros,
- cf/README for mc/cf options.
8.15.1/8.15.1 2014/12/06
SECURITY: Properly set the close-on-exec flag for file descriptors
(except stdin, stdout, and stderr) before executing mailers.


@ -158,6 +158,26 @@ FEATURE(`local_procmail').
*******************************************************************
Note:
Some rulesets, features, and options are only useful if the sendmail
binary has been compiled with the appropriate options, e.g., the
ruleset tls_server is only invoked if sendmail has been compiled
with STARTTLS. This is usually obvious from the context and hence
not further specified here.
There are also so called "For Future Releases" (FFR) compile time
options which might be included in a subsequent version or might
simply be removed as they turned out not to be really useful.
These are generally not documented but if they are, then the required
compile time options are listed in doc/op/op.* for rulesets and
macros, and for mc/cf specific options they are usually listed here.
In addition to compile time options for the sendmail binary, there
can also be FFRs for mc/cf which in general can be enabled when the
configuration file is generated by defining them at the top of your
.mc file:
define(`_FFR_NAME_HERE', 1)
+----------------------------+
| A BRIEF INTRODUCTION TO M4 |
+----------------------------+
@ -1455,7 +1475,7 @@ msp Defines config file for Message Submission Program.
by default. If you have a machine with IPv6 only,
change it to
FEATURE(`msp', `[IPv6:::1]')
FEATURE(`msp', `[IPv6:0:0:0:0:0:0:0:1]')
If you want to continue using '[localhost]', (the behavior
up to 8.12.6), use
@ -1513,8 +1533,12 @@ block_bad_helo Reject messages from SMTP clients which provide a HELO/EHLO
- connections from IP addresses in class $={R}.
Currently access_db lookups can not be used to
(selectively) disable this test, moreover,
FEATURE(`delay_checks')
is required.
is required. Note, the block_bad_helo feature automatically
adds the IPv6 and IPv4 localhost IP addresses to $={w} (local
host names) and $={R} (relay permitted).
require_rdns Reject mail from connecting SMTP clients without proper
rDNS (reverse DNS), functional gethostbyaddr() resolution.
@ -3176,17 +3200,49 @@ TLS_Clt:laptop.example.com PERM+VERIFY:112
TLS_Rcpt:darth@endmail.org ENCR:112+CN:smtp.endmail.org
Disabling STARTTLS And Setting SMTP Server Features
---------------------------------------------------
TLS Options per Session
-----------------------
By default STARTTLS is used whenever possible. However, there are
some broken MTAs that don't properly implement STARTTLS. To be able
to send to (or receive from) those MTAs, the ruleset try_tls
(srv_features) can be used that work together with the access map.
Entries for the access map must be tagged with Try_TLS (Srv_Features)
and refer to the hostname or IP address of the connecting system.
A default case can be specified by using just the tag. For example,
the following entries in the access map:
MTAs with STARTTLS interoperability issues. To be able to send to
(or receive from) those MTAs several features are available:
1) Various TLS options be be set per IP/domain.
2) STARTTLS can be turned off for specific IP addresses/domains.
About 1): the rulesets tls_srv_features and tls_clt_features can
be used to return a (semicolon separated) list of TLS related
options:
- Options: compare {Server,Client}SSLOptions.
- CipherList: same as the global option.
- CertFile, KeyFile: {Server,Client}{Cert,Key}File
If FEATURE(`tls_session_features') is used, then default rulesets
are activated which look up entries in the access map with the tags
TLS_Srv_features and TLS_Clt_features, respectively.
For example, these entries:
TLS_Srv_features:10.0.2.4 CipherList=MEDIUM+aRSA;
TLS_Clt_features:10.1.0.1 Options=SSL_OP_NO_TLSv1_2; CipherList=ALL:-EXPORT
specify a cipherlist with MEDIUM strength ciphers that use RSA
certificates only for the client with the IP address 10.0.2.4,
and turn off TLSv1.2 when connecting to the server with the IP
address 10.1.0.1 as well as setting a specific cipherlist.
If FEATURE(`tls_session_features') is not used the user can provide
their own rulesets which must return the appropriate data.
If the rulesets are not defined or do not return a value, the
default TLS options are not modified.
(These rulesets require the sendmail binary to be built with
_FFR_TLS_SE_OPTS enabled.)
About 2): the ruleset try_tls (srv_features) can be used that work
together with the access map. Entries for the access map must be
tagged with Try_TLS (Srv_Features) and refer to the hostname or IP
address of the connecting system. A default case can be specified
by using just the tag. For example, the following entries in the
access map:
Try_TLS:broken.server NO
Srv_Features:my.domain v
@ -3772,6 +3828,12 @@ confSINGLE_THREAD_DELIVERY SingleThreadDelivery
cached but otherwise idle connection
to a host will prevent other sendmails
from connecting to the other host.
confUSE_COMPRESSED_IPV6_ADDRESSES
UseCompressedIPv6Addresses
[undefined] If set, use the compressed
form of IPv6 addresses, such as
IPV6:::1, instead of the uncompressed
form, such as IPv6:0:0:0:0:0:0:0:1.
confUSE_ERRORS_TO* UseErrorsTo [False] Use the Errors-To: header to
deliver error messages. This should
not be necessary because of general
@ -4281,10 +4343,11 @@ confLDAP_DEFAULT_SPEC LDAPDefaultSpec [undefined] Default map
maps unless they are specified in
the individual map specification
('K' command).
confCACERT_PATH CACertPath [undefined] Path to directory
with certs of CAs.
confCACERT CACertFile [undefined] File containing one CA
cert.
confCACERT_PATH CACertPath [undefined] Path to directory with
certificates of CAs which must contain
their hashes as filenames or links.
confCACERT CACertFile [undefined] File containing at least
one CA certificate.
confSERVER_CERT ServerCertFile [undefined] File containing the
cert of the server, i.e., this cert
is used when sendmail acts as


@ -100,6 +100,7 @@ M4FILES=\
${CFDIR}/feature/access_db.m4 \
${CFDIR}/feature/allmasquerade.m4 \
${CFDIR}/feature/always_add_domain.m4 \
${CFDIR}/feature/bcc.m4 \
${CFDIR}/feature/bestmx_is_local.m4 \
${CFDIR}/feature/bitdomain.m4 \
${CFDIR}/feature/blacklist_recipients.m4 \
@ -118,9 +119,11 @@ M4FILES=\
${CFDIR}/feature/masquerade_envelope.m4 \
${CFDIR}/feature/no_default_msa.m4 \
${CFDIR}/feature/nocanonify.m4 \
${CFDIR}/feature/nopercenthack.m4 \
${CFDIR}/feature/notsticky.m4 \
${CFDIR}/feature/nouucp.m4 \
${CFDIR}/feature/nullclient.m4 \
${CFDIR}/feature/prefixmod.m4 \
${CFDIR}/feature/promiscuous_relay.m4 \
${CFDIR}/feature/redirect.m4 \
${CFDIR}/feature/ratecontrol.m4 \
@ -131,12 +134,14 @@ M4FILES=\
${CFDIR}/feature/relay_mail_from.m4 \
${CFDIR}/feature/smrsh.m4 \
${CFDIR}/feature/stickyhost.m4 \
${CFDIR}/feature/tls_session_features.m4 \
${CFDIR}/feature/use_ct_file.m4 \
${CFDIR}/feature/use_cw_file.m4 \
${CFDIR}/feature/uucpdomain.m4 \
${CFDIR}/feature/virtuser_entire_domain.m4 \
${CFDIR}/feature/virtusertable.m4 \
${CFDIR}/hack/cssubdomain.m4 \
${CFDIR}/hack/xconnect.m4 \
${CFDIR}/m4/cf.m4 \
${CFDIR}/m4/cfhead.m4 \
${CFDIR}/m4/proto.m4 \


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -122,7 +122,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -210,6 +210,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -662,8 +665,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1052,6 +1055,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1166,6 +1173,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1270,6 +1278,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -211,6 +211,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -663,8 +666,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1053,6 +1056,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1167,6 +1174,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1271,6 +1279,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -211,6 +211,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -663,8 +666,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1053,6 +1056,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1167,6 +1174,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1271,6 +1279,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -127,7 +127,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -215,6 +215,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -667,8 +670,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1057,6 +1060,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1171,6 +1178,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1275,6 +1283,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -211,6 +211,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -663,8 +666,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1053,6 +1056,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1167,6 +1174,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1271,6 +1279,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -122,7 +122,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -210,6 +210,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -662,8 +665,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1052,6 +1055,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1166,6 +1173,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1270,6 +1278,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -211,6 +211,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -663,8 +666,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1053,6 +1056,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1167,6 +1174,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1271,6 +1279,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -122,7 +122,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -210,6 +210,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -662,8 +665,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1052,6 +1055,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1166,6 +1173,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1270,6 +1278,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -211,6 +211,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -663,8 +666,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1053,6 +1056,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1167,6 +1174,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1271,6 +1279,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
CPREDIRECT
# Configuration version number
DZ8.15.1
DZ8.15.2
###############
@ -211,6 +211,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -663,8 +666,8 @@ R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1053,6 +1056,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1167,6 +1174,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1271,6 +1279,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###


@ -16,8 +16,8 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
@ -114,7 +114,7 @@ D{MTAHost}[127.0.0.1]
# Configuration version number
DZ8.15.1/Submit
DZ8.15.2/Submit
###############
@ -202,6 +202,9 @@ O ConnectionCacheTimeout=5m
# use Errors-To: header?
O UseErrorsTo=False
# use compressed IPv6 address format?
#O UseCompressedIPv6Addresses
# log level
O LogLevel=9
@ -658,8 +661,8 @@ R$- . $- :: $+ $@ $>Canonify2 $3 < @ $1.$2 .DECNET > numeric DECnet addr
# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1044,6 +1047,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
@ -1158,6 +1165,7 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: [ $1 ] put brackets around it...
@ -1262,6 +1270,8 @@ STLS_connection
RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake."
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###
@ -1459,7 +1469,7 @@ Mrelay, P=[IPC], F=mDFMuXa8k, S=EnvFromSMTP/HdrFromSMTP, R=MasqSMTP, E=\r\n, L=
### submit.mc ###
# divert(-1)
# #
# # Copyright (c) 2001-2003 Proofpoint, Inc. and its suppliers.
# # Copyright (c) 2001-2003, 2014 Proofpoint, Inc. and its suppliers.
# # All rights reserved.
# #
# # By using this file, you agree to the terms and conditions set
@ -1481,5 +1491,5 @@ Mrelay, P=[IPC], F=mDFMuXa8k, S=EnvFromSMTP/HdrFromSMTP, R=MasqSMTP, E=\r\n, L=
# define(`confTIME_ZONE', `USE_TZ')dnl
# define(`confDONT_INIT_GROUPS', `True')dnl
# dnl
# dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
# dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:0:0:0:0:0:0:0:1]
# FEATURE(`msp', `[127.0.0.1]')dnl


@ -1,6 +1,6 @@
divert(-1)
#
# Copyright (c) 2001-2003 Proofpoint, Inc. and its suppliers.
# Copyright (c) 2001-2003, 2014 Proofpoint, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
@ -22,5 +22,5 @@ define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
dnl
dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:0:0:0:0:0:0:0:1]
FEATURE(`msp', `[127.0.0.1]')dnl


@ -15,4 +15,6 @@ divert(-1)
define(`_BLOCK_BAD_HELO_', `')dnl
RELAY_DOMAIN(`127.0.0.1')dnl
RELAY_DOMAIN(`IPv6:0:0:0:0:0:0:0:1 IPv6:::1')dnl
LOCAL_DOMAIN(`[127.0.0.1]')dnl
LOCAL_DOMAIN(`[IPv6:0:0:0:0:0:0:0:1] [IPv6:::1]')dnl


@ -0,0 +1,16 @@
divert(-1)
#
# Copyright (c) 2015 Proofpoint, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#
divert(0)
VERSIONID(`$Id: tls_session_features.m4,v 8.1 2015-02-25 20:51:11 ca Exp $')
divert(-1)
define(`_TLS_SESSION_FEATURES_', 1)
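Review bot: The new feature file only defines `_TLS_SESSION_FEATURES_`; nothing in it says what the feature turns on or what it requires, so a reader of cf/feature has to find proto.m4 and op.me to learn that it emits the `tls_srv_features`/`tls_clt_features` rulesets (driven by `TLS_Srv_Features:`/`TLS_Clt_Features:` access-map tags) and that, per the op.me text in this same commit, those rulesets are consulted only when the sendmail binary is built with `_FFR_TLS_SE_OPTS`. Without that note an operator will add access entries to a default build and see no effect. Suggest a header comment after the copyright block: `# FEATURE(`tls_session_features') emits the tls_srv_features/tls_clt_features rulesets (see proto.m4);` / `# they use the access map (TLS_Srv_Features:/TLS_Clt_Features:) and only take effect if sendmail is compiled with _FFR_TLS_SE_OPTS.`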


@ -16,7 +16,7 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
ifdef(`__win32__', `dnl', `dnl
ifdef(`_NO_MAKEINFO_', `dnl', `dnl
ifdef(`TEMPFILE', `dnl', `define(`TEMPFILE', maketemp(/tmp/cfXXXXXX))dnl
syscmd(sh _CF_DIR_`'sh/makeinfo.sh _CF_DIR_ > TEMPFILE)dnl
include(TEMPFILE)dnl


@ -326,6 +326,9 @@ _OPTION(SingleThreadDelivery, `confSINGLE_THREAD_DELIVERY', `False')
# use Errors-To: header?
_OPTION(UseErrorsTo, `confUSE_ERRORS_TO', `False')
# use compressed IPv6 address format?
_OPTION(UseCompressedIPv6Addresses, `confUSE_COMPRESSED_IPV6_ADDRESSES', `')
# log level
_OPTION(LogLevel, `confLOG_LEVEL', `10')
@ -827,8 +830,8 @@ ifdef(`_NO_PERCENTHACK_', `dnl',
`# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
')
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
# else we must be a local name
R$* $@ $>Canonify2 $1
@ -1889,6 +1892,10 @@ R$* $| $* $: $2
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
$: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
ifdef(`_NO_UUCP_', `dnl',
@ -2248,6 +2255,8 @@ R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
dnl if compiled with IPV6_FULL=0
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
ifdef(`_ACCESS_TABLE_', `dnl
@ -2920,6 +2929,26 @@ R$-:$-:$- $: $2
dnl endif _ACCESS_TABLE_
divert(0)
ifdef(`_TLS_SESSION_FEATURES_', `dnl
Stls_srv_features
ifdef(`_ACCESS_TABLE_', `dnl
R$* $| $* $: $>D <$1> <?> <! TLS_Srv_Features> <$2>
R<?> <$*> $: $>A <$1> <?> <! TLS_Srv_Features> <$1>
R<?> <$*> $@ ""
R<$+> <$*> $@ $1
', `dnl
R$* $@ ""')
Stls_clt_features
ifdef(`_ACCESS_TABLE_', `dnl
R$* $| $* $: $>D <$1> <?> <! TLS_Clt_Features> <$2>
R<?> <$*> $: $>A <$1> <?> <! TLS_Clt_Features> <$1>
R<?> <$*> $@ ""
R<$+> <$*> $@ $1
', `dnl
R$* $@ ""')
')
######################################################################
### RelayTLS: allow relaying based on TLS authentication
###
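Review bot: The comment `dnl if compiled with IPV6_FULL=0` above `RIPv6:::1 $@ RELAY originated locally` no longer describes when that rule applies: this commit turns the address format into a run-time option (`UseCompressedIPv6Addresses`, added to the option list in the first hunk and, per the sendmail/conf.c and anynet_ntop changes on this page, defaulted on for IPV6_FULL=0 builds but settable either way), so `${client_addr}` can read `IPv6:::1` on any build where the option is on. Emitting both spellings unconditionally is therefore necessary, and the comment should say why rather than tie the rule to a compile-time flag. Suggest `dnl compressed form; matched when UseCompressedIPv6Addresses is set (default for IPV6_FULL=0 builds)`.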


@ -1,6 +1,6 @@
divert(-1)
#
# Copyright (c) 1998-2014 Proofpoint, Inc. and its suppliers.
# Copyright (c) 1998-2015 Proofpoint, Inc. and its suppliers.
# All rights reserved.
# Copyright (c) 1983 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
@ -15,4 +15,4 @@ VERSIONID(`$Id: version.m4,v 8.237 2014-01-27 12:55:17 ca Exp $')
#
divert(0)
# Configuration version number
DZ8.15.1`'ifdef(`confCF_VERSION', `/confCF_VERSION')
DZ8.15.2`'ifdef(`confCF_VERSION', `/confCF_VERSION')


@ -4483,8 +4483,76 @@ ruleset is called when sendmail connects to another MTA.
If the ruleset does resolve to the
.q error
mailer, sendmail does not try STARTTLS even if it is offered.
This is useful to interact with MTAs that have broken
STARTTLS implementations by simply not using it.
This is useful to deal with STARTTLS interoperability issues
by simply not using it.
.sh 4 "tls_srv_features and tls_clt_features"
.pp
The
.i tls_clt_features
ruleset is called when sendmail connects to another MTA
and the
.i tls_srv_features
ruleset is called when a client connects to
.i sendmail .
The arguments for the rulesets are the host name and IP address
of the other side separated by
.b $|
(which is a metacharacter).
They should return a list of
.i key=value
pairs separated by semicolons;
the list can be empty if no options should be applied to the connection.
Available keys are and their allowed values are:
.nr ii 0.2i
.ip Options
A comma separated list of SSL related options.
See
.i ServerSSLOptions
and
.i ClientSSLOptions
for details, as well as
.i SSL_set_options (3)
and note this warning:
Options already set before are not cleared!
.ip CipherList
Specify cipher list for STARTTLS,
see
.i ciphers (1)
for possible values.
This overrides the global
.i CipherList
for the session.
.ip CertFile
File containing a certificate.
.ip KeyFile
File containing the private key for the certificate.
.lp
.lp
Example:
.(b
.ta 1.5i
Stls_srv_features
R$* $| 10.$+ $: cipherlist=HIGH
.)b
.lp
Notes:
.pp
Errors in these features (e.g., unknown keys or invalid values)
are logged
and the current session is aborted to avoid using STARTTLS
with features that should have been changed.
.pp
The keys are case-insensitive.
.pp
Both
.i CertFile
and
.i KeyFile
must be specified together;
specifying only one is an error.
.pp
These rulesets require the sendmail binary to be built with _FFR_TLS_SE_OPTS
enabled (see the "For Future Release" section).
.sh 4 "authinfo"
.pp
The
@ -6674,7 +6742,7 @@ in order to give settings for each protocol family
A restriction placed on one family only affects
outgoing connections on that particular family.
.ip ClientSSLOptions
A space separated list of SSL related options for client side.
A space or comma separated list of SSL related options for the client side.
See
.i SSL_CTX_set_options (3)
for a list;
@ -6787,26 +6855,35 @@ CRL checking requires at least OpenSSL version 0.9.7.
Note: if a CRLFile is specified but the file is unusable,
STARTTLS is disabled.
.ip DHParameters
This option applies to the server side only.
Possible values are:
.(b
.ta 1i
5 use precomputed 512 bit prime
.ta 2i
5 use precomputed 512 bit prime.
1 generate 1024 bit prime
2 generate 2048 bit prime
none do not use Diffie-Hellman
NAME load prime from file
2 generate 2048 bit prime.
i use included precomputed 2048 bit prime (default).
none do not use Diffie-Hellman.
/path/to/file load prime from file.
.)b
This is only required if a ciphersuite containing DSA/DH is used.
The default is ``i'' which selects a precomputed, fixed 2048 bit prime.
If ``5'' is selected, then precomputed, fixed primes are used.
This is the default for the client side.
Note: this option should not be used
(unless necessary for compatibility with old implementations).
If ``1'' or ``2'' is selected, then prime values are computed during startup.
The server side default is ``1''.
Note: this operation can take a significant amount of time on a
slow machine (several seconds), but it is only done once at startup.
If ``none'' is selected, then TLS ciphersuites containing DSA/DH
cannot be used.
If a file name is specified (which must be an absolute path),
then the primes are read from it.
It is recommended to generate such a file using a command like this:
.(b
openssl dhparam -out /etc/mail/dhparams.pem 2048
.)b
If the file is not readable or contains unusable data,
the default ``i'' is used instead.
.ip DaemonPortOptions=\fIoptions\fP
[O]
Set server SMTP options.
@ -8100,7 +8177,7 @@ is used when sendmail acts as server
File containing the private key belonging to the server certificate
(used for STARTTLS).
.ip ServerSSLOptions
A space separated list of SSL related options for client side.
A space or comma separated list of SSL related options for the server side.
See
.i SSL_CTX_set_options (3)
for a list;
@ -8360,6 +8437,12 @@ are always unsafe.
Note: use
.b DontBlameSendmail
instead; this option is deprecated.
.ip UseCompressedIPv6Addresses
[no short name]
If set, the compressed format of IPv6 addresses,
such as IPV6:::1, will be used,
instead of the uncompressed format,
such as IPv6:0:0:0:0:0:0:0:1.
.ip UseErrorsTo
[l]
If there is an
@ -9969,6 +10052,26 @@ and
.q _SCO_unix_ .
See the sendmail/README
file for the latest scoop on these flags.
.sh 3 "For Future Releases"
.pp
.i sendmail
often contains compile time options
.i "For Future Releases"
(prefix _FFR_)
which might be enabled in a subsequent version
or might simply be removed as they turned out not to be really useful.
These features are usually not documented but if they are,
then the required (FFR) compile
time options are listed here for rulesets and macros,
and in
.i cf/README
for mc/cf options.
FFR compile times options must be enabled when the sendmail binary
is built from source.
Enabled FFRs in a binary can be listed with
.(b
sendmail -d0.13 < /dev/null | grep FFR
.)b
.sh 2 "Parameters in sendmail/conf.h"
.pp
Parameters and compilation options
@ -10771,7 +10874,7 @@ one as certificate for the server (ServerCertFile and corresponding
private ServerKeyFile)
at least one root CA (CACertFile),
i.e., a certificate that is used to sign other certificates,
and a path to a directory which contains other CAs (CACertPath).
and a path to a directory which contains (zero or more) other CAs (CACertPath).
The file specified via
CACertFile
can contain several certificates of CAs.

12062
doc/op/op.ps



@ -2978,6 +2978,12 @@ typedef void (*sigfunc_t) __P((int));
# define SM_UINT16 uint16_t
# endif /* ! SM_UINT16 */
/* additional valid chars in user/group names in passwd */
# ifndef SM_PWN_CHARS
# define SM_PWN_CHARS "-_."
# endif
/*
** SVr4 and similar systems use different routines for setjmp/longjmp
** with signal support
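Review bot: `SM_PWN_CHARS` is documented only as `additional valid chars in user/group names in passwd`, but the one consumer visible on this page (makemailer() in sendmail/readcf.c) applies it unconditionally when parsing the `U=` group name and only under `_FFR_DOTTED_USERNAMES` for the user name, so with the default `"-_."` a dotted group is accepted on every build while a dotted user is not. Whether or not that asymmetry is intended, it belongs in the comment, because a site overriding the define will otherwise expect it to govern both halves of `U=user:group`. Suggest `/* additional valid chars in user/group names in passwd (used by makemailer() for U=; for user names only honored with _FFR_DOTTED_USERNAMES) */`. If the macro has other users outside this page, the wording would need to cover them as well.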


@ -62,6 +62,9 @@ milter wants to receive from the MTA.
<TR><TD>macros</TD>
<TD>list of macros (separated by space).
Example: "{rcpt_mailer} {rcpt_host}"
<BR>
An empty string ("", not NULL) can be used to specify that no macros
should be sent.
</TD></TR>
</TABLE>
@ -74,7 +77,7 @@ milter wants to receive from the MTA.
<TD>MI_FAILURE is returned if
<UL>
<LI>there is not enough free memory to make a copy of the macro list,
<LI><CODE>macros</CODE> is <CODE>NULL</CODE> or empty,
<LI><CODE>macros</CODE> is <CODE>NULL</CODE>,
<LI><CODE>stage</CODE> is not a valid protocol stage,
<LI>the macro list for
<CODE>stage</CODE> has been set before.


@ -42,13 +42,8 @@ struct cmdfct_t
typedef struct cmdfct_t cmdfct;
/* possible values for cm_argt */
#define CM_ARG0 0 /* no args */
#define CM_ARG1 1 /* one arg (string) */
#define CM_ARG2 2 /* two args (strings) */
#define CM_ARGA 4 /* one string and _SOCK_ADDR */
#define CM_ARGO 5 /* two integers */
#define CM_ARGV 8 /* \0 separated list of args, NULL-terminated */
#define CM_ARGN 9 /* \0 separated list of args (strings) */
#define CM_BUF 0
#define CM_NULLOK 1
/* possible values for cm_todo */
#define CT_CONT 0x0000 /* continue reading commands */
@ -200,21 +195,21 @@ static int next_states[] =
/* commands received by milter */
static cmdfct cmds[] =
{
{SMFIC_ABORT, CM_ARG0, ST_ABRT, CT_CONT, CI_NONE, st_abortfct }
, {SMFIC_MACRO, CM_ARGV, ST_NONE, CT_KEEP, CI_NONE, st_macros }
, {SMFIC_BODY, CM_ARG1, ST_BODY, CT_CONT, CI_NONE, st_bodychunk }
, {SMFIC_CONNECT, CM_ARG2, ST_CONN, CT_CONT, CI_CONN, st_connectinfo }
, {SMFIC_BODYEOB, CM_ARG1, ST_ENDM, CT_CONT, CI_EOM, st_bodyend }
, {SMFIC_HELO, CM_ARG1, ST_HELO, CT_CONT, CI_HELO, st_helo }
, {SMFIC_HEADER, CM_ARG2, ST_HDRS, CT_CONT, CI_NONE, st_header }
, {SMFIC_MAIL, CM_ARGV, ST_MAIL, CT_CONT, CI_MAIL, st_sender }
, {SMFIC_OPTNEG, CM_ARGO, ST_OPTS, CT_CONT, CI_NONE, st_optionneg }
, {SMFIC_EOH, CM_ARG0, ST_EOHS, CT_CONT, CI_EOH, st_eoh }
, {SMFIC_QUIT, CM_ARG0, ST_QUIT, CT_END, CI_NONE, st_quit }
, {SMFIC_DATA, CM_ARG0, ST_DATA, CT_CONT, CI_DATA, st_data }
, {SMFIC_RCPT, CM_ARGV, ST_RCPT, CT_IGNO, CI_RCPT, st_rcpt }
, {SMFIC_UNKNOWN, CM_ARG1, ST_UNKN, CT_IGNO, CI_NONE, st_unknown }
, {SMFIC_QUIT_NC, CM_ARG0, ST_Q_NC, CT_CONT, CI_NONE, st_quit }
{SMFIC_ABORT, CM_NULLOK, ST_ABRT, CT_CONT, CI_NONE, st_abortfct}
, {SMFIC_MACRO, CM_BUF, ST_NONE, CT_KEEP, CI_NONE, st_macros }
, {SMFIC_BODY, CM_BUF, ST_BODY, CT_CONT, CI_NONE, st_bodychunk}
, {SMFIC_CONNECT, CM_BUF, ST_CONN, CT_CONT, CI_CONN, st_connectinfo}
, {SMFIC_BODYEOB, CM_NULLOK, ST_ENDM, CT_CONT, CI_EOM, st_bodyend }
, {SMFIC_HELO, CM_BUF, ST_HELO, CT_CONT, CI_HELO, st_helo }
, {SMFIC_HEADER, CM_BUF, ST_HDRS, CT_CONT, CI_NONE, st_header }
, {SMFIC_MAIL, CM_BUF, ST_MAIL, CT_CONT, CI_MAIL, st_sender }
, {SMFIC_OPTNEG, CM_BUF, ST_OPTS, CT_CONT, CI_NONE, st_optionneg}
, {SMFIC_EOH, CM_NULLOK, ST_EOHS, CT_CONT, CI_EOH, st_eoh }
, {SMFIC_QUIT, CM_NULLOK, ST_QUIT, CT_END, CI_NONE, st_quit }
, {SMFIC_DATA, CM_NULLOK, ST_DATA, CT_CONT, CI_DATA, st_data }
, {SMFIC_RCPT, CM_BUF, ST_RCPT, CT_IGNO, CI_RCPT, st_rcpt }
, {SMFIC_UNKNOWN, CM_BUF, ST_UNKN, CT_IGNO, CI_NONE, st_unknown }
, {SMFIC_QUIT_NC, CM_NULLOK, ST_Q_NC, CT_CONT, CI_NONE, st_quit }
};
/*
@ -390,6 +385,15 @@ mi_engine(ctx)
continue;
}
}
if (cmds[i].cm_argt != CM_NULLOK && buf == NULL)
{
/* stop for now */
if (ctx->ctx_dbg > 1)
sm_dprintf("[%lu] cmd='%c', buf=NULL\n",
(long) ctx->ctx_id, cmd);
ret = MI_FAILURE;
break;
}
arg.a_len = len;
arg.a_buf = buf;
if (newstate != ST_NONE)
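Review bot: The added guard in mi_engine() explains itself only with `/* stop for now */`, which does not say why a NULL `buf` is fatal for every command except the `CM_NULLOK` ones, nor that returning `MI_FAILURE` here ends the session with the MTA; how `buf` becomes NULL is decided by the read code outside the hunk, so a maintainer cannot tell from this spot whether it means an empty payload or a read error. Suggest `/* protocol error: this command requires a payload (CM_BUF) but none was received; give up on the connection */`. Since `cmd` is a protocol byte, `cmd=0x%02x` instead of `cmd='%c'` in the `sm_dprintf` would keep the debug output unambiguous if a non-letter ever reaches this point. mi_engine() begins before and ends after the hunk.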


@ -325,7 +325,7 @@ smfi_setsymlist(ctx, where, macros)
{
SM_ASSERT(ctx != NULL);
if (macros == NULL || *macros == '\0')
if (macros == NULL)
return MI_FAILURE;
if (where < SMFIM_FIRST || where > SMFIM_LAST)
return MI_FAILURE;


@ -234,71 +234,67 @@ main(argc, argv)
}
#if HASFCHOWN
if (!unmake && geteuid() == 0)
/* Find TrustedUser value in sendmail.cf */
if ((cfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, cfile, SM_IO_RDONLY,
NULL)) == NULL)
{
/* Find TrustedUser value in sendmail.cf */
if ((cfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, cfile,
SM_IO_RDONLY, NULL)) == NULL)
{
sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
"makemap: %s: %s\n",
cfile, sm_errstring(errno));
exit(EX_NOINPUT);
}
while (sm_io_fgets(cfp, SM_TIME_DEFAULT, buf, sizeof(buf)) >= 0)
{
register char *b;
sm_io_fprintf(smioerr, SM_TIME_DEFAULT, "makemap: %s: %s\n",
cfile, sm_errstring(errno));
exit(EX_NOINPUT);
}
while (sm_io_fgets(cfp, SM_TIME_DEFAULT, buf, sizeof(buf)) >= 0)
{
register char *b;
if ((b = strchr(buf, '\n')) != NULL)
*b = '\0';
if ((b = strchr(buf, '\n')) != NULL)
*b = '\0';
b = buf;
switch (*b++)
b = buf;
switch (*b++)
{
case 'O': /* option */
if (strncasecmp(b, " TrustedUser", 12) == 0 &&
!(isascii(b[12]) && isalnum(b[12])))
{
case 'O': /* option */
if (strncasecmp(b, " TrustedUser", 12) == 0 &&
!(isascii(b[12]) && isalnum(b[12])))
b = strchr(b, '=');
if (b == NULL)
continue;
while (isascii(*++b) && isspace(*b))
continue;
if (isascii(*b) && isdigit(*b))
TrustedUid = atoi(b);
else
{
b = strchr(b, '=');
if (b == NULL)
continue;
while (isascii(*++b) && isspace(*b))
continue;
if (isascii(*b) && isdigit(*b))
TrustedUid = atoi(b);
else
{
TrustedUid = 0;
pw = getpwnam(b);
if (pw == NULL)
(void) sm_io_fprintf(smioerr,
SM_TIME_DEFAULT,
"TrustedUser: unknown user %s\n", b);
else
TrustedUid = pw->pw_uid;
}
# ifdef UID_MAX
if (TrustedUid > UID_MAX)
{
TrustedUid = 0;
pw = getpwnam(b);
if (pw == NULL)
(void) sm_io_fprintf(smioerr,
SM_TIME_DEFAULT,
"TrustedUser: uid value (%ld) > UID_MAX (%ld)",
(long) TrustedUid,
(long) UID_MAX);
TrustedUid = 0;
}
# endif /* UID_MAX */
break;
"TrustedUser: unknown user %s\n", b);
else
TrustedUid = pw->pw_uid;
}
default:
continue;
# ifdef UID_MAX
if (TrustedUid > UID_MAX)
{
(void) sm_io_fprintf(smioerr,
SM_TIME_DEFAULT,
"TrustedUser: uid value (%ld) > UID_MAX (%ld)",
(long) TrustedUid,
(long) UID_MAX);
TrustedUid = 0;
}
# endif /* UID_MAX */
break;
}
default:
continue;
}
(void) sm_io_close(cfp, SM_TIME_DEFAULT);
}
(void) sm_io_close(cfp, SM_TIME_DEFAULT);
#endif /* HASFCHOWN */
if (!params.smdbp_allow_dup && !allowreplace)
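Review bot: `TrustedUid = atoi(b);` in the TrustedUser parsing accepts any leading digits and stops silently (`TrustedUser=12abc` yields 12) and gives no overflow indication, so the following `UID_MAX` check only sees whatever survived the `int` conversion, which for out-of-range input is undefined behaviour. Since this value decides who ends up owning the map file through fchown, it should be parsed with `strtoul` and trailing garbage or a range error rejected the same way the unknown-user case already is (`errno` is already in use in this function). main() starts before and ends after this hunk; only the numeric branch changes:
```c
/* … unchanged: option parsing and "O TrustedUser" line matching … */
if (isascii(*b) && isdigit(*b))
{
	char *end;

	errno = 0;
	TrustedUid = strtoul(b, &end, 10);
	if (end == b || *end != '\0' || errno == ERANGE)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
			"TrustedUser: invalid uid value %s\n", b);
		TrustedUid = 0;
	}
}
else
/* … unchanged: getpwnam() lookup and UID_MAX check … */
```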


@ -379,6 +379,9 @@ setdefaults(e)
}
else
InetMode = AF_INET;
#if !IPV6_FULL
UseCompressedIPv6Addresses = true;
#endif
#else /* NETINET6 */
InetMode = AF_INET;
#endif /* NETINET6 */
@ -5756,7 +5759,7 @@ char *CompileOptions[] =
"HES_GETMAILHOST",
#endif
#if IPV6_FULL
/* Use uncompressed IPv6 address format (no "::") */
/* Use uncompressed IPv6 address format (no "::") by default */
"IPV6_FULL",
#endif
#if LDAPMAP
@ -6277,7 +6280,7 @@ char *FFRCompileOptions[] =
#if _FFR_HANDLE_ISO8859_GECOS
/*
** Allow ISO 8859 characters in GECOS field: replace them
** ith ASCII "equivalent".
** with ASCII "equivalent".
*/
/* Peter Eriksson of Linkopings universitet */
@ -6550,6 +6553,10 @@ char *FFRCompileOptions[] =
"_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE",
#endif
#if _FFR_TLS_SE_OPTS
/* TLS session options */
"_FFR_TLS_SE_OPTS",
#endif
#if _FFR_TRUSTED_QF
/*
** If we don't own the file mark it as unsafe.


@ -4261,12 +4261,10 @@ anynet_ntop(s6a, dst, dst_len)
return NULL;
dst += sz;
dst_len -= sz;
# if IPV6_FULL
ap = sm_inet6_ntop(s6a, dst, dst_len);
# else /* IPV6_FULL */
ap = (char *) inet_ntop(AF_INET6, s6a, dst, dst_len);
# endif /* IPV6_FULL */
if (UseCompressedIPv6Addresses)
ap = (char *) inet_ntop(AF_INET6, s6a, dst, dst_len);
else
ap = sm_inet6_ntop(s6a, dst, dst_len);
/* Restore pointer to beginning of string */
if (ap != NULL)
ap = d;


@ -6218,11 +6218,18 @@ starttls(m, mci, e)
}
return EX_SOFTWARE;
}
/* SSL_clear(clt_ssl); ? */
if (get_tls_se_options(e, clt_ssl, false) != 0)
{
sm_syslog(LOG_ERR, NOQID,
"STARTTLS=client, get_tls_se_options=fail");
return EX_SOFTWARE;
}
rfd = sm_io_getinfo(mci->mci_in, SM_IO_WHAT_FD, NULL);
wfd = sm_io_getinfo(mci->mci_out, SM_IO_WHAT_FD, NULL);
/* SSL_clear(clt_ssl); ? */
if (rfd < 0 || wfd < 0 ||
(result = SSL_set_rfd(clt_ssl, rfd)) != 1 ||
(result = SSL_set_wfd(clt_ssl, wfd)) != 1)
@ -6244,6 +6251,7 @@ ssl_retry:
if ((result = SSL_connect(clt_ssl)) <= 0)
{
int i, ssl_err;
int save_errno = errno;
ssl_err = SSL_get_error(clt_ssl, result);
i = tls_retry(clt_ssl, rfd, wfd, tlsstart,
@ -6261,7 +6269,7 @@ ssl_retry:
sm_syslog(LOG_WARNING, NOQID,
"STARTTLS=client, error: connect failed=%d, reason=%s, SSL_error=%d, errno=%d, retry=%d",
result, sr == NULL ? "unknown" : sr, ssl_err,
errno, i);
save_errno, i);
if (LogLevel > 9)
tlslogerr(LOG_WARNING, "client");
}
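Review bot: `get_tls_se_options(e, clt_ssl, false)` is called unconditionally in the client-side starttls(), while the only definition on this page (sendmail/readcf.c) is under `# if _FFR_TLS_SE_OPTS`; presumably a non-FFR stub exists in a header not shown here, but the call site gives no hint that the `tls_clt_features` ruleset is inert in a default build, which is exactly what an operator debugging an access-map entry will trip over. Suggest a comment above the call: `/* apply tls_clt_features ruleset; a no-op unless built with _FFR_TLS_SE_OPTS */`. The new `return EX_SOFTWARE` also leaves `clt_ssl` as created by the code before the hunk, mirroring the existing SSL_set_xfd failure path; whether that object is released elsewhere cannot be seen from here. starttls() begins before and ends after the hunk.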


@ -2317,6 +2317,8 @@ milter_getsymlist(m, buf, rlen, offset)
offset += MILTER_LEN_BYTES;
macros = NULL;
#define SM_M_MACRO_NAME(i) (((i) < SM_ARRAY_SIZE(MilterOptTab) && (i) >= 0) \
? MilterOptTab[i].mo_name : "?")
switch (i)
{
case SMFIM_CONNECT:
@ -2330,23 +2332,23 @@ milter_getsymlist(m, buf, rlen, offset)
macros = MilterMacros[i][m->mf_idx];
m->mf_lflags |= MI_LFLAGS_SYM(i);
len = strlen(buf + offset);
if (len > 0)
if (len >= 0)
{
r = milter_set_macros(m->mf_name, macros,
buf + offset, nummac);
if (r >= 0)
nummac = r;
if (tTd(64, 5))
sm_dprintf("milter_getsymlist(%s, %s)=%d\n",
m->mf_name, buf + offset, r);
sm_dprintf("milter_getsymlist(%s, %s, \"%s\")=%d\n",
m->mf_name,
SM_M_MACRO_NAME(i),
buf + offset, r);
}
break;
default:
return -1;
}
if (len == 0)
return -1;
offset += len + 1;
}
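Review bot: `if (len >= 0)` in milter_getsymlist() is a tautology if `len` holds the `strlen()` result as a `size_t` (its declaration is outside the hunk), and compilers flag it under -Wtype-limits; with the `len == 0` early return dropped, the condition no longer expresses anything, so either remove the `if` and dedent the body or state the intent with `/* an empty list is valid: the milter wants no macros for this stage */`. In `SM_M_MACRO_NAME`, `(i) < SM_ARRAY_SIZE(MilterOptTab)` is evaluated before `(i) >= 0`, comparing a signed `i` against a `size_t`; the result is still right because a negative `i` converts to a huge unsigned value, but testing `(i) >= 0` first reads as intended and avoids the sign-compare warning. milter_getsymlist() begins before and ends after the hunk.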


@ -2204,8 +2204,9 @@ badaddr:
** use entire pvp.
** buf -- buffer to build the string into.
** sz -- size of buf.
** spacesub -- the space separator character; if '\0',
** use SpaceSub.
** spacesub -- the space separator character;
** '\0': SpaceSub.
** NOSPACESEP: no separator
** external -- convert to external form?
** (no metacharacters; METAQUOTEs removed, see below)
**
@ -2268,7 +2269,7 @@ cataddr(pvp, evp, buf, sz, spacesub, external)
char *q;
natomtok = (IntTokenTab[**pvp & 0xff] == ATM);
if (oatomtok && natomtok)
if (oatomtok && natomtok && spacesub != NOSPACESEP)
{
*p++ = spacesub;
if (--sz <= 0)
@ -3165,11 +3166,12 @@ rscheck(rwset, p1, p2, e, flags, logl, host, logid, addr, addrstr)
if (bitset(RSF_UNSTRUCTURED, flags))
SuprErrs = saveSuprErrs;
if (pvp[0] != NULL && (pvp[0][0] & 0377) != CANONNET &&
bitset(RSF_ADDR, flags) && addrstr != NULL)
{
cataddr(&(pvp[0]), NULL, ubuf, sizeof(ubuf), ' ', true);
cataddr(&(pvp[0]), NULL, ubuf, sizeof(ubuf),
bitset(RSF_STRING, flags) ? NOSPACESEP : ' ',
true);
*addrstr = sm_rpool_strdup_x(e->e_rpool, ubuf);
goto finis;
}


@ -6733,11 +6733,12 @@ upd_qs(e, count, space, where)
if (QSHM_ENTRIES(idx) >= 0 && count != 0)
{
# if _FFR_USE_SEM_LOCKING
r = sm_sem_acq(SemId, 0, 1);
if (SemId >= 0)
r = sm_sem_acq(SemId, 0, 1);
# endif /* _FFR_USE_SEM_LOCKING */
QSHM_ENTRIES(idx) += count;
# if _FFR_USE_SEM_LOCKING
if (r >= 0)
if (SemId >= 0 && r >= 0)
r = sm_sem_rel(SemId, 0, 1);
# endif /* _FFR_USE_SEM_LOCKING */
}
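Review bot: When `SemId < 0`, or when `sm_sem_acq()` returns `r < 0`, upd_qs() still executes `QSHM_ENTRIES(idx) += count` without holding the semaphore; the hunk makes the no-semaphore fallback explicit but leaves it undocumented, and the acquire-failure case is not reported at this spot. If an unlocked best-effort update is intended, say so: `/* no semaphore, or acquire failed: update unlocked (best effort) */`; if not, the increment should be skipped or the failure logged when `r < 0`. `r` is only read under `SemId >= 0`, so it stays unread when left uninitialised in the no-semaphore case. upd_qs() begins before and ends after the hunk.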


@ -1285,12 +1285,10 @@ setupdynmailers()
** for multiple flags!
*/
#define SM_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
bool
newmodmailer(rcpt, fl)
ADDRESS *rcpt;
char fl;
int fl;
{
int idx;
struct mailer *m;
@ -1589,7 +1587,11 @@ makemailer(line)
struct passwd *pw;
while (*p != '\0' && isascii(*p) &&
# if _FFR_DOTTED_USERNAMES
(isalnum(*p) || strchr(SM_PWN_CHARS, *p) != NULL))
# else /* _FFR_DOTTED_USERNAMES */
(isalnum(*p) || strchr("-_", *p) != NULL))
# endif /* _FFR_DOTTED_USERNAMES */
p++;
while (isascii(*p) && isspace(*p))
*p++ = '\0';
@ -1633,7 +1635,8 @@ makemailer(line)
char *q = p;
struct group *gr;
while (isascii(*p) && isalnum(*p))
while (isascii(*p) &&
(isalnum(*p) || strchr(SM_PWN_CHARS, *p) != NULL))
p++;
*p++ = '\0';
if (*q == '\0')
@ -2113,6 +2116,438 @@ printmailer(fp, m)
(void) sm_io_fprintf(fp, SM_TIME_DEFAULT, "\n");
}
#if STARTTLS
static struct ssl_options
{
const char *sslopt_name; /* name of the flag */
long sslopt_bits; /* bits to set/clear */
} SSL_Option[] =
{
/* Workaround for bugs are turned on by default (as well as some others) */
#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
{ "SSL_OP_MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG },
#endif
#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
{ "SSL_OP_NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG },
#endif
#ifdef SSL_OP_LEGACY_SERVER_CONNECT
{ "SSL_OP_LEGACY_SERVER_CONNECT", SSL_OP_LEGACY_SERVER_CONNECT },
#endif
#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
{ "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
#endif
#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
{ "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
#endif
#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
{ "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
#endif
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
{ "SSL_OP_MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING },
#endif
#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
{ "SSL_OP_SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
#endif
#ifdef SSL_OP_TLS_D5_BUG
{ "SSL_OP_TLS_D5_BUG", SSL_OP_TLS_D5_BUG },
#endif
#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
{ "SSL_OP_TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG },
#endif
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
{ "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
#endif
#ifdef SSL_OP_ALL
{ "SSL_OP_ALL", SSL_OP_ALL },
#endif
#ifdef SSL_OP_NO_QUERY_MTU
{ "SSL_OP_NO_QUERY_MTU", SSL_OP_NO_QUERY_MTU },
#endif
#ifdef SSL_OP_COOKIE_EXCHANGE
{ "SSL_OP_COOKIE_EXCHANGE", SSL_OP_COOKIE_EXCHANGE },
#endif
#ifdef SSL_OP_NO_TICKET
{ "SSL_OP_NO_TICKET", SSL_OP_NO_TICKET },
#endif
#ifdef SSL_OP_CISCO_ANYCONNECT
{ "SSL_OP_CISCO_ANYCONNECT", SSL_OP_CISCO_ANYCONNECT },
#endif
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
{ "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
#endif
#ifdef SSL_OP_NO_COMPRESSION
{ "SSL_OP_NO_COMPRESSION", SSL_OP_NO_COMPRESSION },
#endif
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
{ "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
#endif
#ifdef SSL_OP_SINGLE_ECDH_USE
{ "SSL_OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE },
#endif
#ifdef SSL_OP_SINGLE_DH_USE
{ "SSL_OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE },
#endif
#ifdef SSL_OP_EPHEMERAL_RSA
{ "SSL_OP_EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA },
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
{ "SSL_OP_CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE },
#endif
#ifdef SSL_OP_TLS_ROLLBACK_BUG
{ "SSL_OP_TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG },
#endif
#ifdef SSL_OP_NO_SSLv2
{ "SSL_OP_NO_SSLv2", SSL_OP_NO_SSLv2 },
#endif
#ifdef SSL_OP_NO_SSLv3
{ "SSL_OP_NO_SSLv3", SSL_OP_NO_SSLv3 },
#endif
#ifdef SSL_OP_NO_TLSv1
{ "SSL_OP_NO_TLSv1", SSL_OP_NO_TLSv1 },
#endif
#ifdef SSL_OP_NO_TLSv1_2
{ "SSL_OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2 },
#endif
#ifdef SSL_OP_NO_TLSv1_1
{ "SSL_OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1 },
#endif
#ifdef SSL_OP_PKCS1_CHECK_1
{ "SSL_OP_PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 },
#endif
#ifdef SSL_OP_PKCS1_CHECK_2
{ "SSL_OP_PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 },
#endif
#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
{ "SSL_OP_NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG },
#endif
#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
{ "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG },
#endif
#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
#endif
#ifdef SSL_OP_TLSEXT_PADDING
{ "SSL_OP_TLSEXT_PADDING", SSL_OP_TLSEXT_PADDING },
#endif
{ NULL, 0 }
};
/*
** READSSLOPTIONS -- read SSL_OP_* values
**
** Parameters:
** opt -- name of option (can be NULL)
** val -- string with SSL_OP_* values or hex value
** delim -- end of string (e.g., '\0' or ';')
** pssloptions -- return value (output)
**
** Returns:
** 0 on success.
*/
#define SSLOPERR_NAN 1
#define SSLOPERR_NOTFOUND 2
#define SM_ISSPACE(c) (isascii(c) && isspace(c))
static int
readssloptions(opt, val, pssloptions, delim)
char *opt;
char *val;
unsigned long *pssloptions;
int delim;
{
char *p;
int ret;
ret = 0;
for (p = val; *p != '\0' && *p != delim; )
{
bool clearmode;
char *q;
unsigned long sslopt_val;
struct ssl_options *sslopts;
while (*p == ' ')
p++;
if (*p == '\0')
break;
clearmode = false;
if (*p == '-' || *p == '+')
clearmode = *p++ == '-';
q = p;
while (*p != '\0' && !(SM_ISSPACE(*p)) && *p != ',')
p++;
if (*p != '\0')
*p++ = '\0';
sslopt_val = 0;
if (isdigit(*q))
{
char *end;
sslopt_val = strtoul(q, &end, 0);
/* not a complete "syntax" check but good enough */
if (end == q)
{
errno = 0;
ret = SSLOPERR_NAN;
if (opt != NULL)
syserr("readcf: %s option value %s not a number",
opt, q);
sslopt_val = 0;
}
}
else
{
for (sslopts = SSL_Option;
sslopts->sslopt_name != NULL; sslopts++)
{
if (sm_strcasecmp(q, sslopts->sslopt_name) == 0)
{
sslopt_val = sslopts->sslopt_bits;
break;
}
}
if (sslopts->sslopt_name == NULL)
{
errno = 0;
ret = SSLOPERR_NOTFOUND;
if (opt != NULL)
syserr("readcf: %s option value %s unrecognized",
opt, q);
}
}
if (sslopt_val != 0)
{
if (clearmode)
*pssloptions &= ~sslopt_val;
else
*pssloptions |= sslopt_val;
}
}
return ret;
}
# if _FFR_TLS_SE_OPTS
/*
** GET_TLS_SE_OPTIONS -- get TLS session options (from ruleset)
**
** Parameters:
** e -- envelope
** ssl -- TLS session context
** srv -- server?
**
** Returns:
** 0 on success.
*/
int
get_tls_se_options(e, ssl, srv)
ENVELOPE *e;
SSL *ssl;
bool srv;
{
bool saveQuickAbort, saveSuprErrs, ok;
char *optionlist, *opt, *val;
char *keyfile, *certfile;
size_t len, i;
int ret;
# define who (srv ? "server" : "client")
# define NAME_C_S macvalue(macid(srv ? "{client_name}" : "{server_name}"), e)
# define ADDR_C_S macvalue(macid(srv ? "{client_addr}" : "{server_addr}"), e)
# define WHICH srv ? "srv" : "clt"
ret = 0;
keyfile = certfile = opt = val = NULL;
saveQuickAbort = QuickAbort;
saveSuprErrs = SuprErrs;
SuprErrs = true;
QuickAbort = false;
optionlist = NULL;
ok = rscheck(srv ? "tls_srv_features" : "tls_clt_features",
NAME_C_S, ADDR_C_S, e,
RSF_RMCOMM|RSF_ADDR|RSF_STRING,
5, NULL, NOQID, NULL, &optionlist) == EX_OK;
if (!ok && LogLevel > 8)
{
sm_syslog(LOG_NOTICE, NOQID,
"rscheck(tls_%s_features)=failed, relay=%s [%s], errors=%d",
WHICH, NAME_C_S, ADDR_C_S,
Errors);
}
QuickAbort = saveQuickAbort;
SuprErrs = saveSuprErrs;
if (ok && LogLevel > 9)
{
sm_syslog(LOG_INFO, NOQID,
"tls_%s_features=%s, relay=%s [%s]",
WHICH, optionlist, NAME_C_S, ADDR_C_S);
}
if (!ok || optionlist == NULL || (len = strlen(optionlist)) < 2)
{
if (LogLevel > 9)
sm_syslog(LOG_INFO, NOQID,
"tls_%s_features=empty, relay=%s [%s]",
WHICH, NAME_C_S, ADDR_C_S);
return ok ? 0 : 1;
}
i = 0;
if (optionlist[0] == '"' && optionlist[len - 1] == '"')
{
optionlist[0] = ' ';
optionlist[--len] = '\0';
if (len <= 2)
{
if (LogLevel > 9 && len > 1)
sm_syslog(LOG_INFO, NOQID,
"tls_%s_features=too_short, relay=%s [%s]",
WHICH, NAME_C_S, ADDR_C_S);
/* this is not treated as error! */
return 0;
}
i = 1;
}
# define INVALIDSYNTAX \
do { \
if (LogLevel > 7) \
sm_syslog(LOG_INFO, NOQID, \
"tls_%s_features=invalid_syntax, opt=%s, relay=%s [%s]", \
WHICH, opt, NAME_C_S, ADDR_C_S); \
return -1; \
} while (0)
# define CHECKLEN \
do { \
if (i >= len) \
INVALIDSYNTAX; \
} while (0)
# define SKIPWS \
do { \
while (i < len && SM_ISSPACE(optionlist[i])) \
++i; \
CHECKLEN; \
} while (0)
/* parse and handle opt=val; */
do {
char sep;
SKIPWS;
opt = optionlist + i;
sep = '=';
while (i < len && optionlist[i] != sep
&& optionlist[i] != '\0' && !SM_ISSPACE(optionlist[i]))
++i;
CHECKLEN;
while (i < len && SM_ISSPACE(optionlist[i]))
optionlist[i++] = '\0';
CHECKLEN;
if (optionlist[i] != sep)
INVALIDSYNTAX;
optionlist[i++] = '\0';
SKIPWS;
val = optionlist + i;
sep = ';';
while (i < len && optionlist[i] != sep && optionlist[i] != '\0')
++i;
if (optionlist[i] != '\0')
{
CHECKLEN;
optionlist[i++] = '\0';
}
if (LogLevel > 13)
sm_syslog(LOG_DEBUG, NOQID,
"tls_%s_features=parsed, %s=%s, relay=%s [%s]",
WHICH, opt, val, NAME_C_S, ADDR_C_S);
if (sm_strcasecmp(opt, "options") == 0)
{
unsigned long ssloptions;
ssloptions = 0;
ret = readssloptions(NULL, val, &ssloptions, ';');
if (ret == 0)
(void) SSL_set_options(ssl, (long) ssloptions);
else if (LogLevel > 8)
{
sm_syslog(LOG_WARNING, NOQID,
"tls_%s_features=%s, error=%s, relay=%s [%s]",
WHICH, val,
(ret == SSLOPERR_NAN) ? "not a number" :
((ret == SSLOPERR_NOTFOUND) ? "SSL_OP not found" :
"unknown"),
NAME_C_S, ADDR_C_S);
}
}
else if (sm_strcasecmp(opt, "cipherlist") == 0)
{
if (SSL_set_cipher_list(ssl, val) <= 0)
{
ret = 1;
if (LogLevel > 7)
{
sm_syslog(LOG_WARNING, NOQID,
"STARTTLS=%s, error: SSL_set_cipher_list(%s) failed",
who, val);
if (LogLevel > 9)
tlslogerr(LOG_WARNING, who);
}
}
}
else if (sm_strcasecmp(opt, "keyfile") == 0)
keyfile = val;
else if (sm_strcasecmp(opt, "certfile") == 0)
certfile = val;
else
{
ret = 1;
if (LogLevel > 7)
{
sm_syslog(LOG_INFO, NOQID,
"tls_%s_features=unknown_option, opt=%s, relay=%s [%s]",
WHICH, opt, NAME_C_S, ADDR_C_S);
}
}
} while (optionlist[i] != '\0' && i < len);
/* need cert and key before we can use the options */
/* does not implement the "," hack for 2nd cert/key pair */
if (keyfile != NULL && certfile != NULL)
{
load_certkey(ssl, srv, certfile, keyfile);
keyfile = certfile = NULL;
}
else if (keyfile != NULL || certfile != NULL)
{
ret = 1;
if (LogLevel > 7)
{
sm_syslog(LOG_INFO, NOQID,
"tls_%s_features=only_one_of_CertFile/KeyFile_specified, relay=%s [%s]",
WHICH, NAME_C_S, ADDR_C_S);
}
}
return ret;
# undef who
# undef NAME_C_S
# undef ADDR_C_S
# undef WHICH
}
# endif /* _FFR_TLS_SE_OPTS */
#endif /* STARTTLS */
/*
** SETOPTION -- set global processing option
**
@ -2473,128 +2908,12 @@ static struct optioninfo
# define O_ADDBCC 0xeb
{ "AddBcc", O_ADDBCC, OI_NONE },
#endif
#define O_USECOMPRESSEDIPV6ADDRESSES 0xec
{ "UseCompressedIPv6Addresses", O_USECOMPRESSEDIPV6ADDRESSES, OI_NONE },
{ NULL, '\0', OI_NONE }
};
#if STARTTLS
static struct ssl_options
{
const char *sslopt_name; /* name of the flag */
unsigned long sslopt_bits; /* bits to set/clear */
} SSL_Option[] =
{
/* Workaround for bugs are turned on by default (as well as some others) */
#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
{ "SSL_OP_MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG },
#endif
#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
{ "SSL_OP_NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG },
#endif
#ifdef SSL_OP_LEGACY_SERVER_CONNECT
{ "SSL_OP_LEGACY_SERVER_CONNECT", SSL_OP_LEGACY_SERVER_CONNECT },
#endif
#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
{ "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
#endif
#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
{ "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
#endif
#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
{ "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
#endif
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
{ "SSL_OP_MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING },
#endif
#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
{ "SSL_OP_SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
#endif
#ifdef SSL_OP_TLS_D5_BUG
{ "SSL_OP_TLS_D5_BUG", SSL_OP_TLS_D5_BUG },
#endif
#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
{ "SSL_OP_TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG },
#endif
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
{ "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
#endif
#ifdef SSL_OP_ALL
{ "SSL_OP_ALL", SSL_OP_ALL },
#endif
#ifdef SSL_OP_NO_QUERY_MTU
{ "SSL_OP_NO_QUERY_MTU", SSL_OP_NO_QUERY_MTU },
#endif
#ifdef SSL_OP_COOKIE_EXCHANGE
{ "SSL_OP_COOKIE_EXCHANGE", SSL_OP_COOKIE_EXCHANGE },
#endif
#ifdef SSL_OP_NO_TICKET
{ "SSL_OP_NO_TICKET", SSL_OP_NO_TICKET },
#endif
#ifdef SSL_OP_CISCO_ANYCONNECT
{ "SSL_OP_CISCO_ANYCONNECT", SSL_OP_CISCO_ANYCONNECT },
#endif
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
{ "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
#endif
#ifdef SSL_OP_NO_COMPRESSION
{ "SSL_OP_NO_COMPRESSION", SSL_OP_NO_COMPRESSION },
#endif
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
{ "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
#endif
#ifdef SSL_OP_SINGLE_ECDH_USE
{ "SSL_OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE },
#endif
#ifdef SSL_OP_SINGLE_DH_USE
{ "SSL_OP_SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE },
#endif
#ifdef SSL_OP_EPHEMERAL_RSA
{ "SSL_OP_EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA },
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
{ "SSL_OP_CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE },
#endif
#ifdef SSL_OP_TLS_ROLLBACK_BUG
{ "SSL_OP_TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG },
#endif
#ifdef SSL_OP_NO_SSLv2
{ "SSL_OP_NO_SSLv2", SSL_OP_NO_SSLv2 },
#endif
#ifdef SSL_OP_NO_SSLv3
{ "SSL_OP_NO_SSLv3", SSL_OP_NO_SSLv3 },
#endif
#ifdef SSL_OP_NO_TLSv1
{ "SSL_OP_NO_TLSv1", SSL_OP_NO_TLSv1 },
#endif
#ifdef SSL_OP_NO_TLSv1_2
{ "SSL_OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2 },
#endif
#ifdef SSL_OP_NO_TLSv1_1
{ "SSL_OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1 },
#endif
#ifdef SSL_OP_PKCS1_CHECK_1
{ "SSL_OP_PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 },
#endif
#ifdef SSL_OP_PKCS1_CHECK_2
{ "SSL_OP_PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 },
#endif
#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
{ "SSL_OP_NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG },
#endif
#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
{ "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG },
#endif
#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
#endif
#ifdef SSL_OP_TLSEXT_PADDING
{ "SSL_OP_TLSEXT_PADDING", SSL_OP_TLSEXT_PADDING },
#endif
{ NULL, 0 }
};
#endif /* STARTTLS */
# define CANONIFY(val)
# define SET_OPT_DEFAULT(opt, val) opt = val
@ -3937,67 +4256,7 @@ setoption(opt, val, safe, sticky, e)
case O_CLT_SSL_OPTIONS:
if (pssloptions == NULL)
pssloptions = &Clt_SSL_Options;
for (p = val; *p != 0; )
{
bool clearmode;
char *q;
unsigned long sslopt_val;
struct ssl_options *sslopts;
while (*p == ' ')
p++;
if (*p == '\0')
break;
clearmode = false;
if (*p == '-' || *p == '+')
clearmode = *p++ == '-';
q = p;
while (*p != '\0' && !(isascii(*p) && isspace(*p)))
p++;
if (*p != '\0')
*p++ = '\0';
sslopt_val = 0;
if (isdigit(*q))
{
char *end;
sslopt_val = strtoul(q, &end, 0);
/* not a complete "syntax" check but good enough */
if (end == q)
{
errno = 0;
syserr("readcf: %s option value %s not a number",
o->o_name, q);
sslopt_val = 0;
}
}
else
{
for (sslopts = SSL_Option;
sslopts->sslopt_name != NULL; sslopts++)
{
if (sm_strcasecmp(q, sslopts->sslopt_name) == 0)
{
sslopt_val = sslopts->sslopt_bits;
break;
}
}
if (sslopts->sslopt_name == NULL)
{
errno = 0;
syserr("readcf: %s option value %s unrecognized",
o->o_name, q);
}
}
if (sslopt_val != 0)
{
if (clearmode)
*pssloptions &= ~sslopt_val;
else
*pssloptions |= sslopt_val;
}
}
(void) readssloptions(o->o_name, val, pssloptions, '\0');
if (tTd(37, 8))
sm_dprintf("ssloptions=%#lx\n", *pssloptions);
@ -4277,6 +4536,9 @@ setoption(opt, val, safe, sticky, e)
AddBcc = atobool(val);
break;
#endif
case O_USECOMPRESSEDIPV6ADDRESSES:
UseCompressedIPv6Addresses = atobool(val);
break;
default:
if (tTd(37, 1))


@ -211,6 +211,7 @@ typedef int (*sasl_callback_ft)(void);
# define _FFR_ERRCODE 1
#endif
#define SM_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
/*
** An 'argument class' describes the storage allocation status
@ -362,6 +363,9 @@ typedef struct address ADDRESS;
extern ADDRESS NullAddress; /* a null (template) address [main.c] */
/* for cataddr() */
#define NOSPACESEP 256
/* functions */
extern void cataddr __P((char **, char **, char *, int, int, bool));
extern char *crackaddr __P((char *, ENVELOPE *));
@ -1777,6 +1781,7 @@ EXTERN unsigned long PrivacyFlags; /* privacy flags */
#define RSF_UNSTRUCTURED 0x0002 /* unstructured, ignore syntax errors */
#define RSF_COUNT 0x0004 /* count rejections (statistics)? */
#define RSF_ADDR 0x0008 /* reassemble address */
#define RSF_STRING 0x0010 /* reassemble address as string */
/*
** Flags passed to mime8to7 and putheader.
@ -1971,6 +1976,7 @@ struct termescape
#define TLS_I_KEY_OUNR 0x00400000 /* Key must be other unreadable */
#define TLS_I_CRLF_EX 0x00800000 /* CRL file must exist */
#define TLS_I_CRLF_UNR 0x01000000 /* CRL file must be g/o unreadable */
#define TLS_I_DHFIXED 0x02000000 /* use fixed DH param */
/* require server cert */
#define TLS_I_SRV_CERT (TLS_I_CERT_EX | TLS_I_KEY_EX | \
@ -1980,8 +1986,7 @@ struct termescape
/* server requirements */
#define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
TLS_I_CACHE)
TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_CACHE)
/* client requirements */
#define TLS_I_CLT (TLS_I_KEY_UNR | TLS_I_KEY_OUNR)
@ -2384,6 +2389,7 @@ EXTERN bool UseMSP; /* mail submission: group writable queue ok? */
EXTERN bool WorkAroundBrokenAAAA; /* some nameservers return SERVFAIL on AAAA queries */
EXTERN bool UseErrorsTo; /* use Errors-To: header (back compat) */
EXTERN bool UseNameServer; /* using DNS -- interpret h_errno & MX RRs */
EXTERN bool UseCompressedIPv6Addresses; /* for more specific zero-subnet matches */
EXTERN char InetMode; /* default network for daemon mode */
EXTERN char OpMode; /* operation mode, see below */
EXTERN char SpaceSub; /* substitution for <lwsp> */
@ -2707,6 +2713,14 @@ extern int getla __P((void));
extern char *getmodifiers __P((char *, BITMAP256));
extern BITMAP256 *getrequests __P((ENVELOPE *));
extern char *getvendor __P((int));
#if _FFR_TLS_SE_OPTS && STARTTLS
# ifndef TLS_VRFY_PER_CTX
# define TLS_VRFY_PER_CTX 1
# endif
extern int get_tls_se_options __P((ENVELOPE *, SSL *, bool));
#else
# define get_tls_se_options(e, s, w) 0
#endif
extern void help __P((char *, ENVELOPE *));
extern void init_md __P((int, char **));
extern void initdaemon __P((void));
@ -2717,6 +2731,9 @@ extern void init_vendor_macros __P((ENVELOPE *));
extern SIGFUNC_DECL intsig __P((int));
extern bool isatom __P((const char *));
extern bool isloopback __P((SOCKADDR sa));
#if _FFR_TLS_SE_OPTS && STARTTLS
extern bool load_certkey __P((SSL *, bool, char *, char *));
#endif
extern void load_if_names __P((void));
extern bool lockfile __P((int, char *, char *, int));
extern void log_sendmail_pid __P((ENVELOPE *));
@ -2825,7 +2842,7 @@ extern int waitfor __P((pid_t));
extern bool writable __P((char *, ADDRESS *, long));
#if SM_HEAP_CHECK
# define xalloc(size) xalloc_tagged(size, __FILE__, __LINE__)
extern char *xalloc_tagged __P((int, char*, int));
extern char *xalloc_tagged __P((int, char *, int));
#else /* SM_HEAP_CHECK */
extern char *xalloc __P((int));
#endif /* SM_HEAP_CHECK */
@ -2839,7 +2856,7 @@ extern int xunlink __P((char *));
extern char *xuntextify __P((char *));
#if _FFR_RCPTFLAGS
extern bool newmodmailer __P((ADDRESS *, char fl));
extern bool newmodmailer __P((ADDRESS *, int));
#endif
#undef EXTERN
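Review bot: `SM_ARRAY_SIZE` is introduced without a comment saying that it only yields an element count for a genuine array; applied to a pointer, or to an array-typed parameter (which has already decayed to a pointer), it silently evaluates to sizeof(pointer)/sizeof(element) and compiles cleanly. A one-line comment next to the define would prevent that misuse: `/* element count of a real array; NOT valid for pointers or array parameters (they decay) */`. In the same file, the forced `# define TLS_VRFY_PER_CTX 1` under _FFR_TLS_SE_OPTS carries no explanation of why per-session options require it; a short comment stating the dependency would spare a reader who only sees this header from having to find the `# if !TLS_VRFY_PER_CTX` block in srvrsmtp.c.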


@ -627,8 +627,8 @@ tls_retry(ssl, rfd, wfd, tlsstart, timeout, err, where)
sm_syslog(LOG_ERR, NOQID,
"STARTTLS=%s, error: fd %d/%d too large",
where, rfd, wfd);
if (LogLevel > 8)
tlslogerr(LOG_WARNING, where);
if (LogLevel > 8)
tlslogerr(LOG_WARNING, where);
}
errno = EINVAL;
}


@ -2119,6 +2119,14 @@ smtp(nullserver, d_flags, e)
goto tls_done;
}
if (get_tls_se_options(e, srv_ssl, true) != 0)
{
message("454 4.3.3 TLS not available: error setting options");
SSL_free(srv_ssl);
srv_ssl = NULL;
goto tls_done;
}
# if !TLS_VRFY_PER_CTX
/*
** this could be used if it were possible to set
@ -2154,6 +2162,7 @@ smtp(nullserver, d_flags, e)
if ((r = SSL_accept(srv_ssl)) <= 0)
{
int i, ssl_err;
int save_errno = errno;
ssl_err = SSL_get_error(srv_ssl, r);
i = tls_retry(srv_ssl, rfd, wfd, tlsstart,
@ -2173,7 +2182,7 @@ smtp(nullserver, d_flags, e)
"STARTTLS=server, error: accept failed=%d, reason=%s, SSL_error=%d, errno=%d, retry=%d, relay=%.100s",
r, sr == NULL ? "unknown"
: sr,
ssl_err, errno, i,
ssl_err, save_errno, i,
CurSmtpClient);
if (LogLevel > 9)
tlslogerr(LOG_WARNING, "server");
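Review bot: The new `get_tls_se_options(e, srv_ssl, true) != 0` check answers 454 and frees srv_ssl for every non-zero result, and nothing at the call site says that this covers both a ruleset syntax error (-1) and a merely unknown option, failed cipherlist or lone CertFile/KeyFile (1, as the readcf.c hunk of this commit shows), so a typo in the tls_srv_features ruleset refuses STARTTLS to the affected clients instead of being ignored. Fail-closed is the defensible choice for TLS parameters, but it deserves a comment so a later maintainer does not "fix" it: `/* any error in the per-session TLS options (bad syntax, unknown option, bad cipherlist) refuses STARTTLS: fail closed */`. The `save_errno` capture is correct as far as the hunk shows, since errno is copied right after SSL_accept() and before SSL_get_error()/tls_retry() can overwrite it; the enclosing smtp() body starts and ends outside the hunk.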

207
src/tls.c

@ -73,6 +73,62 @@ get_dh512()
return NULL;
return dh;
}
# if 0
This is the data from which the C code has been generated:
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEArDcgcLpxEksQHPlolRKCUJ2szKRziseWV9cUSQNZGxoGw7KkROz4
HF9QSbg5axyNIG+QbZYtx0jp3l6/GWq1dLOj27yZkgYgaYgFrvKPiZ2jJ5xETQVH
UpZwbjRcyjyWkWYJVsx1aF4F/iY4kT0n/+iGEoimI3C9V3KXTJ2S6jIkyJ6M/CrN
EtrDynMlUMGlc7S1ouXVOTrtKeqy3S2L9eBLxVI+sChEijGIfELupdVeXihK006p
MgnABPDbkTx6OOtYmSZaGQX+OLW2FPmwvcrzgCz9t9cAsuUcBZv1LeHEqZZttyLU
oK0jjSXgFyeU4/NfyA+zuNeWzUL6bHmigwIBAg==
-----END DH PARAMETERS-----
# endif /* 0 */
static DH *
get_dh2048()
{
static unsigned char dh2048_p[]={
0xAC,0x37,0x20,0x70,0xBA,0x71,0x12,0x4B,0x10,0x1C,0xF9,0x68,
0x95,0x12,0x82,0x50,0x9D,0xAC,0xCC,0xA4,0x73,0x8A,0xC7,0x96,
0x57,0xD7,0x14,0x49,0x03,0x59,0x1B,0x1A,0x06,0xC3,0xB2,0xA4,
0x44,0xEC,0xF8,0x1C,0x5F,0x50,0x49,0xB8,0x39,0x6B,0x1C,0x8D,
0x20,0x6F,0x90,0x6D,0x96,0x2D,0xC7,0x48,0xE9,0xDE,0x5E,0xBF,
0x19,0x6A,0xB5,0x74,0xB3,0xA3,0xDB,0xBC,0x99,0x92,0x06,0x20,
0x69,0x88,0x05,0xAE,0xF2,0x8F,0x89,0x9D,0xA3,0x27,0x9C,0x44,
0x4D,0x05,0x47,0x52,0x96,0x70,0x6E,0x34,0x5C,0xCA,0x3C,0x96,
0x91,0x66,0x09,0x56,0xCC,0x75,0x68,0x5E,0x05,0xFE,0x26,0x38,
0x91,0x3D,0x27,0xFF,0xE8,0x86,0x12,0x88,0xA6,0x23,0x70,0xBD,
0x57,0x72,0x97,0x4C,0x9D,0x92,0xEA,0x32,0x24,0xC8,0x9E,0x8C,
0xFC,0x2A,0xCD,0x12,0xDA,0xC3,0xCA,0x73,0x25,0x50,0xC1,0xA5,
0x73,0xB4,0xB5,0xA2,0xE5,0xD5,0x39,0x3A,0xED,0x29,0xEA,0xB2,
0xDD,0x2D,0x8B,0xF5,0xE0,0x4B,0xC5,0x52,0x3E,0xB0,0x28,0x44,
0x8A,0x31,0x88,0x7C,0x42,0xEE,0xA5,0xD5,0x5E,0x5E,0x28,0x4A,
0xD3,0x4E,0xA9,0x32,0x09,0xC0,0x04,0xF0,0xDB,0x91,0x3C,0x7A,
0x38,0xEB,0x58,0x99,0x26,0x5A,0x19,0x05,0xFE,0x38,0xB5,0xB6,
0x14,0xF9,0xB0,0xBD,0xCA,0xF3,0x80,0x2C,0xFD,0xB7,0xD7,0x00,
0xB2,0xE5,0x1C,0x05,0x9B,0xF5,0x2D,0xE1,0xC4,0xA9,0x96,0x6D,
0xB7,0x22,0xD4,0xA0,0xAD,0x23,0x8D,0x25,0xE0,0x17,0x27,0x94,
0xE3,0xF3,0x5F,0xC8,0x0F,0xB3,0xB8,0xD7,0x96,0xCD,0x42,0xFA,
0x6C,0x79,0xA2,0x83,
};
static unsigned char dh2048_g[]={ 0x02, };
DH *dh;
if ((dh=DH_new()) == NULL)
return(NULL);
dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
if ((dh->p == NULL) || (dh->g == NULL))
{
DH_free(dh);
return(NULL);
}
return(dh);
}
# endif /* !NO_DH */
@ -336,7 +392,7 @@ init_tls_library(fipsmode)
** Parameters:
** ctx -- TLS context
** ssl -- TLS structure
** vrfy -- require certificate?
** vrfy -- request certificate?
**
** Returns:
** none.
@ -522,6 +578,109 @@ tls_safe_f(var, sff, srv)
ok = false; \
}
# if _FFR_TLS_SE_OPTS
/*
** LOAD_CERTKEY -- load cert/key for TLS session
**
** Parameters:
** ssl -- TLS session context
** certfile -- filename of certificate
** keyfile -- filename of private key
**
** Returns:
** succeeded?
*/
bool
load_certkey(ssl, srv, certfile, keyfile)
SSL *ssl;
bool srv;
char *certfile;
char *keyfile;
{
bool ok;
int r;
long sff, status;
unsigned long req;
char *who;
ok = true;
who = srv ? "server" : "client";
status = TLS_S_NONE;
req = TLS_I_CERT_EX|TLS_I_KEY_EX;
TLS_OK_F(certfile, "CertFile", bitset(TLS_I_CERT_EX, req),
TLS_S_CERT_EX, srv ? TLS_T_SRV : TLS_T_CLT);
TLS_OK_F(keyfile, "KeyFile", bitset(TLS_I_KEY_EX, req),
TLS_S_KEY_EX, srv ? TLS_T_SRV : TLS_T_CLT);
/* certfile etc. must be "safe". */
sff = SFF_REGONLY | SFF_SAFEDIRPATH | SFF_NOWLINK
| SFF_NOGWFILES | SFF_NOWWFILES
| SFF_MUSTOWN | SFF_ROOTOK | SFF_OPENASROOT;
if (DontLockReadFiles)
sff |= SFF_NOLOCK;
TLS_SAFE_F(certfile, sff | TLS_UNR(TLS_I_CERT_UNR, req),
bitset(TLS_I_CERT_EX, req),
bitset(TLS_S_CERT_EX, status), TLS_S_CERT_OK, srv);
TLS_SAFE_F(keyfile, sff | TLS_KEYSFF(req),
bitset(TLS_I_KEY_EX, req),
bitset(TLS_S_KEY_EX, status), TLS_S_KEY_OK, srv);
# define SSL_use_cert(ssl, certfile) \
SSL_use_certificate_file(ssl, certfile, SSL_FILETYPE_PEM)
# define SSL_USE_CERT "SSL_use_certificate_file"
if (bitset(TLS_S_CERT_OK, status) &&
SSL_use_cert(ssl, certfile) <= 0)
{
if (LogLevel > 7)
{
sm_syslog(LOG_WARNING, NOQID,
"STARTTLS=%s, error: %s(%s) failed",
who, SSL_USE_CERT, certfile);
if (LogLevel > 9)
tlslogerr(LOG_WARNING, who);
}
if (bitset(TLS_I_USE_CERT, req))
return false;
}
if (bitset(TLS_S_KEY_OK, status) &&
SSL_use_PrivateKey_file(ssl, keyfile, SSL_FILETYPE_PEM) <= 0)
{
if (LogLevel > 7)
{
sm_syslog(LOG_WARNING, NOQID,
"STARTTLS=%s, error: SSL_use_PrivateKey_file(%s) failed",
who, keyfile);
if (LogLevel > 9)
tlslogerr(LOG_WARNING, who);
}
if (bitset(TLS_I_USE_KEY, req))
return false;
}
/* check the private key */
if (bitset(TLS_S_KEY_OK, status) &&
(r = SSL_check_private_key(ssl)) <= 0)
{
/* Private key does not match the certificate public key */
if (LogLevel > 5)
{
sm_syslog(LOG_WARNING, NOQID,
"STARTTLS=%s, error: SSL_check_private_key failed(%s): %d",
who, keyfile, r);
if (LogLevel > 9)
tlslogerr(LOG_WARNING, who);
}
if (bitset(TLS_I_USE_KEY, req))
return false;
}
return true;
}
# endif /* _FFR_TLS_SE_OPTS */
/*
** INITTLS -- initialize TLS
**
@ -655,13 +814,19 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
/*
** valid values for dhparam are (only the first char is checked)
** none no parameters: don't use DH
** i use precomputed 2048 bit parameters
** 512 use precomputed 512 bit parameters
** 1024 generate 1024 bit parameters
** 2048 generate 2048 bit parameters
** /file/name read parameters from /file/name
** default is: 1024 for server, 512 for client (OK? XXX)
*/
#define SET_DH_DFL \
do { \
dhparam = "I"; \
req |= TLS_I_DHFIXED; \
} while (0)
if (bitset(TLS_I_TRY_DH, req))
{
if (dhparam != NULL)
@ -670,24 +835,25 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
if (c == '1')
req |= TLS_I_DH1024;
else if (c == 'I' || c == 'i')
req |= TLS_I_DHFIXED;
else if (c == '2')
req |= TLS_I_DH2048;
else if (c == '5')
req |= TLS_I_DH512;
else if (c != 'n' && c != 'N' && c != '/')
else if (c == 'n' || c == 'N')
req &= ~TLS_I_TRY_DH;
else if (c != '/')
{
if (LogLevel > 12)
sm_syslog(LOG_WARNING, NOQID,
"STARTTLS=%s, error: illegal value '%s' for DHParam",
"STARTTLS=%s, error: illegal value '%s' for DHParameters",
who, dhparam);
dhparam = NULL;
}
}
if (dhparam == NULL)
{
dhparam = srv ? "1" : "5";
req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
}
SET_DH_DFL;
else if (*dhparam == '/')
{
TLS_OK_F(dhparam, "DHParameters",
@ -714,9 +880,14 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
TLS_SAFE_F(cacertfile, sff | TLS_UNR(TLS_I_CERTF_UNR, req),
bitset(TLS_I_CERTF_EX, req),
bitset(TLS_S_CERTF_EX, status), TLS_S_CERTF_OK, srv);
TLS_SAFE_F(dhparam, sff | TLS_UNR(TLS_I_DHPAR_UNR, req),
bitset(TLS_I_DHPAR_EX, req),
bitset(TLS_S_DHPAR_EX, status), TLS_S_DHPAR_OK, srv);
if (dhparam != NULL && *dhparam == '/')
{
TLS_SAFE_F(dhparam, sff | TLS_UNR(TLS_I_DHPAR_UNR, req),
bitset(TLS_I_DHPAR_EX, req),
bitset(TLS_S_DHPAR_EX, status), TLS_S_DHPAR_OK, srv);
if (!bitset(TLS_S_DHPAR_OK, status))
SET_DH_DFL;
}
# if OPENSSL_VERSION_NUMBER > 0x00907000L
TLS_SAFE_F(CRLFile, sff | TLS_UNR(TLS_I_CRLF_UNR, req),
bitset(TLS_I_CRLF_EX, req),
@ -991,6 +1162,10 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
#if _FFR_TLS_EC
EC_KEY *ecdh;
#endif /* _FFR_TLS_EC */
if (tTd(96, 8))
sm_dprintf("inittls: req=%#lx, status=%#lx\n",
req, status);
if (bitset(TLS_S_DHPAR_OK, status))
{
BIO *bio;
@ -1010,6 +1185,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
ERR_error_string(err, NULL));
if (LogLevel > 9)
tlslogerr(LOG_WARNING, who);
SET_DH_DFL;
}
}
else
@ -1039,8 +1215,13 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
dh = DSA_dup_DH(dsa);
DSA_free(dsa);
}
else
if (dh == NULL && bitset(TLS_I_DH512, req))
else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
{
if (tTd(96, 2))
sm_dprintf("inittls: Using precomputed 2048 bit DH parameters\n");
dh = get_dh2048();
}
else if (dh == NULL && bitset(TLS_I_DH512, req))
{
if (tTd(96, 2))
sm_dprintf("inittls: Using precomputed 512 bit DH parameters\n");
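Review bot: In load_certkey the three `return false` paths are unreachable: `req` is set to `TLS_I_CERT_EX|TLS_I_KEY_EX` and never gains `TLS_I_USE_CERT`/`TLS_I_USE_KEY` (unless TLS_OK_F/TLS_SAFE_F alter req, which the visible macro tail does not suggest), and `ok`, which that macro tail shows being cleared for an unsafe file, is never consulted before the unconditional `return true;`, so a cert or key that fails the safety check, fails to load, or does not match its certificate is logged and the session then proceeds as if nothing had been requested — and the only caller in this commit, get_tls_se_options in readcf.c, discards the bool anyway. If those failures are meant to be fatal, the fix is `req = TLS_I_CERT_EX|TLS_I_KEY_EX|TLS_I_USE_CERT|TLS_I_USE_KEY;` and `return ok;` together with honouring the result in readcf.c; if they are meant to be tolerated, say so in the header comment and drop the dead checks. The header comment also omits the `srv` parameter; add `srv -- server?` in the Parameters list. Separately, the inittls comment `default is: 1024 for server, 512 for client (OK? XXX)` is now stale, since SET_DH_DFL selects "I" (the precomputed 2048 bit parameters) for both sides; change it to `default is: i (precomputed 2048 bit parameters)`.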


@ -1,5 +1,5 @@
/*
* Copyright (c) 1998-2014 Proofpoint, Inc. and its suppliers.
* Copyright (c) 1998-2015 Proofpoint, Inc. and its suppliers.
* All rights reserved.
* Copyright (c) 1983 Eric P. Allman. All rights reserved.
* Copyright (c) 1988, 1993
@ -15,4 +15,4 @@
SM_RCSID("@(#)$Id: version.c,v 8.250 2014-01-27 12:55:16 ca Exp $")
char Version[] = "8.15.1";
char Version[] = "8.15.2";