5b0945b570
Includes build infrastructure & config updates required for changes in 8.16.1 MFC after: 5 days
10860 lines
536 KiB
Plaintext
10860 lines
536 KiB
Plaintext
SENDMAIL RELEASE NOTES
|
||
|
||
|
||
This listing shows the version of the sendmail binary, the version
|
||
of the sendmail configuration files, the date of release, and a
|
||
summary of the changes in that release.
|
||
|
||
8.16.1/8.16.1 2020/07/05
|
||
SECURITY: If sendmail tried to reuse an SMTP session which had
|
||
already been closed by the server, then the connection
|
||
cache could have invalid information about the session.
|
||
One possible consequence was that STARTTLS was not
|
||
used even if offered. This problem has been fixed
|
||
by clearing out all relevant status information
|
||
when a closed session is encountered.
|
||
OpenSSL versions before 0.9.8 are no longer supported.
|
||
OpenSSL version 1.1.0 and 1.1.1 are supported.
|
||
Initial support for DANE (see RFC 7672 et.al.) is available if
|
||
the compile time option DANE is set. Only TLSA RR 3-1-x
|
||
is currently implemented.
|
||
New options SSLEngine and SSLEnginePath to support OpenSSL engines.
|
||
Note: this feature has so far only been tested with the
|
||
"chil" engine; please report problems with other engines
|
||
if you encounter any.
|
||
New option CRLPath to specify a directory which contains
|
||
hashes pointing to certificate revocations files.
|
||
Based on patch from Al Smith.
|
||
New rulesets tls_srv_features and tls_clt_features which
|
||
can return a (semicolon separated) list of TLS related
|
||
options, e.g., CipherList, CertFile, KeyFile,
|
||
see doc/op/op.me for details.
|
||
To automatically handle TLS interoperability problems for outgoing
|
||
mail, sendmail can now immediately try a connection again
|
||
without STARTTLS after a TLS handshake failure.
|
||
This can be configured globally via the option
|
||
TLSFallbacktoClear or per session via the 'C' flag
|
||
of tls_clt_features.
|
||
This also adds the new value "CLEAR" for the macro
|
||
{verify}: STARTTLS has been disabled internally for
|
||
a clear text delivery attempt.
|
||
Apply Timeout.starttls also to the server waiting for the TLS
|
||
handshake to begin. Based on patch from Simon Hradecky.
|
||
New compile time option TLS_EC to enable the use of elliptic
|
||
curve cryptography in STARTTLS (previously available as
|
||
_FFR_TLS_EC).
|
||
Handle MIME boundaries specified in headers which contain CRLF.
|
||
Fix detection of loopback net (it was broken when compiled
|
||
with NETINET6) and only set the macros {if_addr_out}
|
||
and {if_family_out} if the interface of the outgoing
|
||
connection does not belong to the loopback net.
|
||
Fix logic to enable a milter to delete a recipient in
|
||
DeliveryMode=interactive even if it might be subject
|
||
to alias expansion.
|
||
Log name of a milter making changes (this was missing for
|
||
some functions).
|
||
Log the actual reply of a server when an SMTP delivery problem
|
||
occurs in a "reply=" field if possible.
|
||
Log user= for failed AUTH attempts if possible. Based on
|
||
patch from Packet Hack, Jim Hranicky, Kevin A. McGrail,
|
||
and Joe Quinn.
|
||
Add CDB as map type. Note: CDB is a "Constant DataBase", i.e.,
|
||
no changes can be made after it is created, hence it
|
||
does not work with vacation(1) nor editmap(8) (except
|
||
for query mode).
|
||
Fix some memory leaks (mostly in error cases) and properly handle
|
||
copied varargs in sm_io_vfprintf(). The issues were found
|
||
using Coverity Scan and reported (including patches) by
|
||
Ondřej Lysoněk of Red Hat.
|
||
Do not override ServerSSLOptions and ClientSSLOptions when they
|
||
are specified on the command line. Based on patch from
|
||
Hiroki Sato.
|
||
Add RFC7505 Null MX support for domains that declare they do not
|
||
accept mail.
|
||
New compile time option LDAP_NETWORK_TIMEOUT which is set
|
||
automatically when LDAPMAP is used and
|
||
LDAP_OPT_NETWORK_TIMEOUT is available to enable the
|
||
new -c option for LDAP maps to specify the network timeout.
|
||
CONFIG: New FEATURE(`tls_session_features') to enable standard
|
||
rules for tls_srv_features and tls_clt_features; for
|
||
details see cf/README.
|
||
CONFIG: New options confSSL_ENGINE and confSSL_ENGINE_PATH
|
||
for SSLEngine and SSLEnginePath, respectively.
|
||
CONFIG: New options confDANE to enable DANE support.
|
||
CONFIG: New option confTLS_FALLBACK_TO_CLEAR for TLSFallbacktoClear.
|
||
CONFIG: New extension CITag: for TLS restrictions, see cf/README
|
||
for details.
|
||
CONFIG: FEATURE(`blacklist_recipients') renamed to
|
||
FEATURE(`blocklist_recipients').
|
||
CONTRIB: cidrexpand updated to support IPv6 CIDR ranges and to
|
||
canonicalize IPv6 addresses; if cidrexpand is used with IPv6
|
||
addresses then UseCompressedIPv6Addresses must be disabled.
|
||
DOC: The dns map can return multiple values in a single result
|
||
if the -z option is used.
|
||
DOC: Note to set MustQuoteChars=. due to DKIM signatures.
|
||
LIBMILTER: Fix typo in a macro. Patch from Ignacio Goyret
|
||
of Alcatel-Lucent.
|
||
LIBMILTER: Fix reference in xxfi_negotiate documentation.
|
||
Patch from Sven Neuhaus.
|
||
LIBMILTER: Fix function name in smfi_addrcpt_par documentation.
|
||
Patch from G.W. Haywood.
|
||
LIBMILTER: Fix a potential memory leak in smfi_setsymlist().
|
||
Patch from Martin Svec.
|
||
MAKEMAP: New map type "implicit" refers to the first available type,
|
||
i.e., it depends on the compile time options NEWDB, DBM,
|
||
and CDB. This can be used in conjunction with the
|
||
"implicit" map type in sendmail.cf.
|
||
Note: makemap, libsmdb, and sendmail must be compiled
|
||
with the same options (and library versions of course).
|
||
Portability:
|
||
Add support for Darwin 14-18 (Mac OS X 10.x).
|
||
New option HAS_GETHOSTBYNAME2: set if your system
|
||
supports gethostbyname2(2).
|
||
Set SM_CONF_SEM=2 for FreeBSD 12 and later due to
|
||
changes in sys/sem.h
|
||
On Linux set MAXHOSTNAMELEN (the maximum length
|
||
of a FQHN) to 256 if it is less than that value.
|
||
Added Files:
|
||
cf/feature/blocklist_recipients.m4
|
||
cf/feature/tls_failures.m4
|
||
devtools/OS/Darwin.14.x
|
||
devtools/OS/Darwin.15.x
|
||
devtools/OS/Darwin.16.x
|
||
libsmdb/smcdb.c
|
||
sendmail/ratectrl.h
|
||
|
||
8.15.2/8.15.2 2015/07/03
|
||
If FEATURE(`nopercenthack') is used then some bogus input triggered
|
||
a recursion which was caught and logged as
|
||
SYSERR: rewrite: excessive recursion (max 50) ...
|
||
Fix based on patch from Ondrej Holas.
|
||
DHParameters now by default uses an included 2048 bit prime.
|
||
The value 'none' previously caused a log entry claiming
|
||
there was an error "cannot read or set DH parameters".
|
||
Also note that this option applies to the server side only.
|
||
The U= mailer field didn't accept group names containing hyphens,
|
||
underbars, or periods. Based on patch from David Gwynne
|
||
of the University of Queensland.
|
||
CONFIG: Allow connections from IPv6:0:0:0:0:0:0:0:1 to relay again.
|
||
Patch from Lars-Johan Liman of Netnod Internet Exchange.
|
||
CONFIG: New option UseCompressedIPv6Addresses to select between
|
||
compressed and uncompressed IPv6 addresses. The default
|
||
value depends on the compile-time option IPV6_FULL:
|
||
For 1 the default is False, for 0 it is True, thus
|
||
preserving the current behaviour. Based on patch from
|
||
John Beck of Oracle.
|
||
CONFIG: Account for IPv6 localhost addresses in
|
||
FEATURE(`block_bad_helo'). Suggested by Andrey Chernov
|
||
from FreeBSD and Robert Scheck from the Fedora Project.
|
||
CONFIG: Account for IPv6 localhost addresses in check_mail ruleset.
|
||
LIBMILTER: Deal with more invalid protocol data to avoid potential
|
||
crashes. Problem noted by Dimitri Kirchner.
|
||
LIBMILTER: Allow a milter to specify an empty macro list ("", not
|
||
NULL) in smfi_setsymlist() so no macro is sent for the
|
||
selected stage.
|
||
MAKEMAP: A change to check TrustedUser in fewer cases which was
|
||
made in 2013 caused a potential regression when makemap
|
||
was run as root (which should not be done anyway).
|
||
Note: sendmail often contains options "For Future Releases"
|
||
(prefix _FFR_) which might be enabled in a subsequent
|
||
version or might simply be removed as they turned out not
|
||
to be really useful. These features are usually not
|
||
documented but if they are, then the required (FFR)
|
||
options are listed in
|
||
- doc/op/op.* for rulesets and macros,
|
||
- cf/README for mc/cf options.
|
||
|
||
8.15.1/8.15.1 2014/12/06
|
||
SECURITY: Properly set the close-on-exec flag for file descriptors
|
||
(except stdin, stdout, and stderr) before executing mailers.
|
||
If header rewriting fails due to a temporary map lookup failure,
|
||
queue the mail for later retry instead of sending it
|
||
without rewriting the header. Note: this is done
|
||
while the mail is being sent and hence the transaction
|
||
is aborted, which only works for SMTP/LMTP mailers
|
||
hence the handling of temporary map failures is
|
||
suppressed for other mailers. SMTP/LMTP servers may
|
||
complain about aborted transactions when this problem
|
||
occurs.
|
||
See also "DNS Lookups" in sendmail/TUNING.
|
||
Incompatible Change: Use uncompressed IPv6 addresses by default,
|
||
i.e., they will not contain "::". For example,
|
||
instead of ::1 it will be 0:0:0:0:0:0:0:1. This
|
||
permits a zero subnet to have a more specific match,
|
||
such as different map entries for IPv6:0:0 vs IPv6:0.
|
||
This change requires that configuration data
|
||
(including maps, files, classes, custom ruleset,
|
||
etc) must use the same format, so make certain such
|
||
configuration data is updated before using 8.15.
|
||
As a very simple check search for patterns like
|
||
'IPv6:[0-9a-fA-F:]*::' and 'IPv6::'. If necessary,
|
||
the prior format can be retained by compiling with:
|
||
APPENDDEF(`conf_sendmail_ENVDEF', `-DIPV6_FULL=0')
|
||
in your devtools/Site/site.config.m4 file.
|
||
If debugging is turned on (-d0.14) also print the OpenSSL
|
||
versions, both build time and run time
|
||
(provided STARTTLS is compiled in).
|
||
If a connection to the MTA is dropped by the client before its
|
||
hostname can be validated, treat it as "may be forged",
|
||
so that the unvalidated hostname is not passed to a
|
||
milter in xxfi_connect().
|
||
Add a timeout for communication with socket map servers
|
||
which can be specified using the -d option.
|
||
Add a compile time option HESIOD_ALLOW_NUMERIC_LOGIN to allow
|
||
numeric logins even if HESIOD is enabled.
|
||
The new option CertFingerprintAlgorithm specifies the finger-
|
||
print algorithm (digest) to use for the presented cert.
|
||
If the option is not set, md5 is used and the macro
|
||
{cert_md5} contains the cert fingerprint.
|
||
However, if the option is set, the specified algorithm
|
||
(e.g., sha1) is used and the macro {cert_fp} contains
|
||
the cert fingerprint.
|
||
That is, as long as the option is not set, the behaviour
|
||
does not change, but otherwise, {cert_md5} is superseded
|
||
by {cert_fp} even if you set CertFingerprintAlgorithm
|
||
to md5.
|
||
The options ServerSSLOptions and ClientSSLOptions can be used
|
||
to set SSL options for the server and client side
|
||
respectively. See SSL_CTX_set_options(3) for a list.
|
||
Note: this change turns on SSL_OP_NO_SSLv2 and
|
||
SSL_OP_NO_TICKET for the client. See doc/op/op.me
|
||
for details.
|
||
The option CipherList sets the list of ciphers for STARTTLS.
|
||
See ciphers(1) for possible values.
|
||
Do not log "STARTTLS: internal error: tls_verify_cb: ssl == NULL"
|
||
if a CRLFile is in use (and LogLevel is 14 or higher.)
|
||
Store a more specific TLS protocol version in ${tls_version}
|
||
instead of a generic one, e.g., TLSv1 instead of
|
||
TLSv1/SSLv3.
|
||
Properly set {client_port} value on little endian machines.
|
||
Patch from Kelsey Cummings of Sonic.net.
|
||
Per RFC 3848, indicate in the Received: header whether SSL or
|
||
SMTP AUTH was negotiated by setting the protocol clause
|
||
to ESMTPS, ESMTPA, or ESMTPSA instead of ESMTP.
|
||
If the 'C' flag is listed as TLSSrvOptions the requirement for the
|
||
TLS server to have a cert is removed. This only works
|
||
under very specific circumstances and should only be used
|
||
if the consequences are understood, e.g., clients
|
||
may not work with a server using this.
|
||
The options ClientCertFile, ClientKeyFile, ServerCertFile, and
|
||
ServerKeyFile can take a second file name, which must be
|
||
separated from the first with a comma (note: do not use
|
||
any spaces) to set up a second cert/key pair. This can
|
||
be used to have certs of different types, e.g., RSA
|
||
and DSA.
|
||
A new map type "arpa" is available to reverse an IP (IPv4 or IPv6)
|
||
address. It returns the string for the PTR lookup, but
|
||
without trailing {ip6,in-addr}.arpa.
|
||
New operation mode 'C' just checks the configuration file, e.g.,
|
||
sendmail -C new.cf -bC
|
||
will perform a basic syntax/consistency check of new.cf.
|
||
The mailer flag 'I' is deprecated and will be removed in a
|
||
future version.
|
||
Allow local (not just TCP) socket connections to the server, e.g.,
|
||
O DaemonPortOptions=Family=local, Addr=/var/mta/server.sock
|
||
can be used.
|
||
If the new option MaxQueueAge is set to a value greater than zero,
|
||
entries in the queue will be retried during a queue run
|
||
only if the individual retry time has been reached which
|
||
is doubled for each attempt. The maximum retry time is
|
||
limited by the specified value.
|
||
New DontBlameSendmail option GroupReadableDefaultAuthInfoFile
|
||
to relax requirement for DefaultAuthInfo file.
|
||
Reset timeout after receiving a message to appropriate value if
|
||
STARTTLS is in use. Based on patch by Kelsey Cummings
|
||
of Sonic.net.
|
||
Report correct error messages from the LDAP library for a range of
|
||
small negative return values covering those used by OpenLDAP.
|
||
Fix compilation with Berkeley DB 5.0 and 6.0. Patch from
|
||
Allan E Johannesen of Worcester Polytechnic Institute.
|
||
CONFIG: FEATURE(`nopercenthack') takes one parameter: reject or
|
||
nospecial which describes whether to disallow "%" in the
|
||
local part of an address.
|
||
DEVTOOLS: Fix regression in auto-detection of libraries when only
|
||
shared libraries are available. Problem reported by
|
||
Bryan Costales.
|
||
LIBMILTER: Mark communication socket as close-on-exec in case
|
||
a user's filter starts other applications.
|
||
Based on patch from Paul Howarth.
|
||
Portability:
|
||
SunOS 5.12 has changed the API for sigwait(2) to conform
|
||
with XPG7. Based on patch from Roger Faulkner of Oracle.
|
||
Deleted Files:
|
||
libsm/path.c
|
||
|
||
8.14.9/8.14.9 2014/05/21
|
||
SECURITY: Properly set the close-on-exec flag for file descriptors
|
||
(except stdin, stdout, and stderr) before executing mailers.
|
||
Fix a misformed comment in conf.c: "/*" within comment
|
||
which may cause a compilation error on some systems.
|
||
Problem reported by John Beck of Oracle.
|
||
DEVTOOLS: Fix regression in auto-detection of libraries when only
|
||
shared libraries are available. Problem reported by
|
||
Bryan Costales.
|
||
|
||
8.14.8/8.14.8 2014/01/26
|
||
Properly initialize all OpenSSL algorithms for versions before
|
||
OpenSSL 0.9.8o. Without this SHA2 algorithms may not
|
||
work properly, causing for example failures for certs
|
||
that use sha256WithRSAEncryption as signature algorithm.
|
||
When looking up hostnames, ensure only to return those records
|
||
for the requested family (AF_INET or AF_INET6).
|
||
On system that have NEEDSGETIPNODE and NETINET6
|
||
this may have failed and cause delivery problems.
|
||
Problem noted by Kees Cook.
|
||
A new mailer flag '!' is available to suppress an MH hack
|
||
that drops an explicit From: header if it is the
|
||
same as what sendmail would generate.
|
||
Add an FFR (for future release) to use uncompressed IPv6 addresses,
|
||
i.e., they will not contain "::". For example, instead
|
||
of ::1 it will be 0:0:0:0:0:0:0:1. This means that
|
||
configuration data (including maps, files, classes,
|
||
custom ruleset, etc) have to use the same format.
|
||
This will be turned on in 8.15. It can be enabled in 8.14
|
||
by compiling with:
|
||
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_IPV6_FULL')
|
||
in your devtools/Site/site.config.m4 file.
|
||
Add an additional case for the WorkAroundBrokenAAAA check when
|
||
dealing with broken nameservers by ignoring SERVFAIL
|
||
errors returned on T_AAAA (IPv6) lookups at delivery time.
|
||
Problem noted by Pavel Timofeev of OCS.
|
||
If available, pass LOGIN_SETCPUMASK and LOGIN_SETLOGINCLASS to
|
||
setusercontext() on deliveries as a different user.
|
||
Patch from Edward Tomasz Napierala from FreeBSD.
|
||
Avoid compiler warnings from a change in Cyrus-SASL 2.1.25.
|
||
Patch from Hajimu UMEMOTO from FreeBSD.
|
||
Add support for DHParameters 2048-bit primes.
|
||
CONFIG: Accept IPv6 literals when evaluating the HELO/EHLO argument
|
||
in FEATURE(`block_bad_helo'). Suggested by Andrey Chernov.
|
||
LIBSMDB: Add a missing check for malloc() in libsmdb/smndbm.c.
|
||
Patch from Bill Parker.
|
||
LIBSMDB: Fix minor memory leaks in libsmdb/ if allocations
|
||
fail. Patch from John Beck of Oracle.
|
||
Portability:
|
||
Add support for Darwin 12.x and 13.x (Mac OS X 10.8 and 10.9).
|
||
On Linux use socklen_t as the type for the 3rd argument
|
||
for getsockname/getpeername if the glibc version is at
|
||
least 2.1.
|
||
Added Files:
|
||
devtools/OS/Darwin.12.x
|
||
devtools/OS/Darwin.13.x
|
||
|
||
8.14.7/8.14.7 2013/04/21
|
||
Drop support for IPv4-mapped IPv6 addresses to prevent the MTA
|
||
from using a mapped address over a legitimate IPv6 address
|
||
and to enforce the proper semantics over the IPv6
|
||
connection. Problem noted by Ulrich Sporlein.
|
||
Fix a regression introduced in 8.14.6: the wrong list of
|
||
macros was sent to a milter in the EHLO stage.
|
||
Problem found by Fabrice Bellet, reported via RedHat
|
||
(Jaroslav Skarvada).
|
||
Fix handling of ORCPT parameter for DSNs: xtext decoding
|
||
was not performed and a wrong syntax check was applied
|
||
to the "addr-type" field. Problem noted by Dan Lukes
|
||
of Obludarium.
|
||
Fix handling of NUL characters in the MIME conversion functions
|
||
so that message bodies containing them will be sent
|
||
on properly. Note: this usually also affects mails
|
||
that are not converted as those functions are used
|
||
for other purposes too. Problem noted by Elchonon
|
||
Edelson of Lockheed Martin.
|
||
Do not perform "duplicate" elimination of recipients if they
|
||
resolve to the error mailer using a temporary failure
|
||
(4xy) via ruleset 0. Problem noted by Akira Takahashi
|
||
of IIJ.
|
||
CONTRIB: Updated version of etrn.pl script from John Beck
|
||
of Oracle.
|
||
Portability:
|
||
Unlike gcc, clang doesn't apply full prototypes to K&R
|
||
definitions.
|
||
|
||
8.14.6/8.14.6 2012/12/23
|
||
Fix a regression introduced in 8.14.5: if a server offers
|
||
two AUTH lines, the MTA would not read them after
|
||
STARTTLS has been used and hence SMTP AUTH for
|
||
the client side would fail. Problem noted by Lena.
|
||
Do not cache hostnames internally in a non case sensitive way
|
||
as that may cause addresses to change from lower case
|
||
to upper case or vice versa. These header modifications
|
||
can cause problems with milters that rely on receiving
|
||
headers in the same way as they are being sent out such
|
||
as a DKIM signing milter.
|
||
If MaxQueueChildren is set then it was possible that new queue
|
||
runners could not be started anymore because an
|
||
internal counter was subject to a race condition.
|
||
If a milter decreases the timeout it waits for a communication
|
||
with the MTA, the MTA might experience a write() timeout.
|
||
In some situations, the resulting error might have been
|
||
ignored. Problem noted by Werner Wiethege.
|
||
Note: decreasing the communication timeout in a milter
|
||
should not be done without considering the potential
|
||
problems.
|
||
smfi_setsymlist() now properly sets the list of macros for
|
||
the milter which invoked it, instead of a global
|
||
list for all milters. Problem reported by
|
||
David Shrimpton of the University of Queensland.
|
||
If Timeout.resolver.retrans is set to a value larger than 20,
|
||
then resolver.retry was temporarily set to 0 for
|
||
gethostbyaddr() lookups. Now it is set to 1 instead.
|
||
Patch from Peter.
|
||
If sendmail could not lock the statistics file due to a system
|
||
error, and sendmail later sends a DSN for a mail that
|
||
triggered such an error, then sendmail tried to access
|
||
memory that was freed before (causing a crash on some
|
||
systems). Problem reported by Ryan Stone.
|
||
Do not log negative values for size= nor pri= to avoid confusing
|
||
log parsers, instead limit the values to LONG_MAX.
|
||
Account for an API change in newer versions of Cyrus-SASL.
|
||
Patch from Hajimu UMEMOTO from FreeBSD.
|
||
Do not try to resolve link-local addresses for IPv4 (just as it
|
||
is done for IPv6). Patch from John Beck of Oracle.
|
||
Improve logging of client and server STARTTLS connection failures
|
||
that may be due to incompatible cipher lists by including
|
||
the reason for the failure in a single log line. Suggested
|
||
by James Carey of Boeing.
|
||
Portability:
|
||
Add support for Darwin 11.x (Mac OS X 10.7).
|
||
Add support for SunOS 5.12 (aka Solaris 12). Patch from
|
||
John Beck of Oracle.
|
||
Added Files:
|
||
devtools/OS/Darwin.11.x
|
||
devtools/OS/SunOS.5.12
|
||
|
||
8.14.5/8.14.5 2011/05/17
|
||
Do not cache SMTP extensions across connections as the cache
|
||
is based on hostname which may not be a unique identifier
|
||
for a server, i.e., different machines may have the
|
||
same hostname but provide different SMTP extensions.
|
||
Problem noted by Jim Hermann.
|
||
Avoid an out-of-bounds access in case a resolver reply for a DNS
|
||
map lookup returns a size larger than 1K. Based on a
|
||
patch from Dr. Werner Fink of SuSE.
|
||
If a job is aborted using the interrupt signal (e.g., control-C from
|
||
the keyboard), perform minimal cleanup to avoid invoking
|
||
functions that are not signal-safe. Note: in previous
|
||
versions the mail might have been queued up already
|
||
and would be delivered subsequently, now an interrupt
|
||
will always remove the queue files and thus prevent
|
||
delivery.
|
||
Per RFC 6176, when operating as a TLS client, do not offer SSLv2.
|
||
Since TLS session resumption is never used as a client, disable
|
||
use of RFC 4507-style session tickets.
|
||
Work around gcc4 versions which reverse 25 years of history and
|
||
no longer align char buffers on the stack, breaking calls
|
||
to resolver functions on strict alignment platforms.
|
||
Found by Stuart Henderson of OpenBSD.
|
||
Read at most two AUTH lines from a server greeting (up to two
|
||
lines are read because servers may use "AUTH mechs" and
|
||
"AUTH=mechs"). Otherwise a malicious server may exhaust
|
||
the memory of the client. Bug report by Nils of MWR
|
||
InfoSecurity.
|
||
Avoid triggering an assertion in the OpenLDAP code when the
|
||
connection to an LDAP server is lost while making a query.
|
||
Problem noted and patch provided by Andy Fiddaman.
|
||
If ConnectOnlyTo is set and sendmail is compiled with NETINET6
|
||
it would try to use an IPv6 address if an IPv4 (or
|
||
unparseable) address is specified.
|
||
If SASLv2 is used, make sure that the macro {auth_authen} is
|
||
stored in xtext format to avoid problems with parsing
|
||
it. Problem noted by Christophe Wolfhugel.
|
||
CONFIG: FEATURE(`ldap_routing') in 8.14.4 tried to add a missing
|
||
-T<TMPF> that is required, but failed for some cases
|
||
that did not use LDAP. This change has been undone
|
||
until a better solution can be implemented. Problem
|
||
found by Andy Fiddaman.
|
||
CONFIG: Add cf/ostype/solaris11.m4 for Solaris11 support.
|
||
Contributed by Casper Dik of Oracle.
|
||
CONTRIB: qtool.pl: Deal with H entries that do not have a
|
||
letter between the question marks. Patch from
|
||
Stefan Christensen.
|
||
DOC: Use a better description for the -i option in sendmail.
|
||
Patch from Mitchell Berger.
|
||
Portability:
|
||
Add support for Darwin 10.x (Mac OS X 10.6).
|
||
Enable HAVE_NANOSLEEP for FreeBSD 3 and later. Patch
|
||
from John Marshall.
|
||
Enable HAVE_NANOSLEEP for OpenBSD 4.3 and later.
|
||
Use new directory "/system/volatile" for PidFile on
|
||
Solaris 11. Patch from Casper Dik of Oracle.
|
||
Fix compilation on Solaris 11 (and maybe some other
|
||
OSs) when using OpenSSL 1.0. Based on patch from
|
||
Jan Pechanec of Oracle.
|
||
Set SOCKADDR_LEN_T and SOCKOPT_LEN_T to socklen_t
|
||
for Solaris 11. Patch from Roger Faulkner of Oracle.
|
||
New Files:
|
||
cf/ostype/solaris11.m4
|
||
|
||
8.14.4/8.14.4 2009/12/30
|
||
SECURITY: Handle bogus certificates containing NUL characters
|
||
in CNs by placing a string indicating a bad certificate
|
||
in the {cn_subject} or {cn_issuer} macro. Patch inspired
|
||
by Matthias Andree's changes for fetchmail.
|
||
During the generation of a queue identifier an integer overflow
|
||
could occur which might result in bogus characters
|
||
being used. Based on patch from John Vannoy of
|
||
Pepperdine University.
|
||
The value of headers, e.g., Precedence, Content-Type, et.al.,
|
||
was not processed correctly. Patch from Per Hedeland.
|
||
Between 8.11.7 and 8.12.0 the length limitation on a return
|
||
path was erroneously reduced from MAXNAME (256) to
|
||
MAXSHORTSTR (203). Patch from John Gardiner Myers
|
||
of Proofpoint; the problem was also noted by Steve
|
||
Hubert of University of Washington.
|
||
Prevent a crash when a hostname lookup returns a seemingly
|
||
valid result which contains a NULL pointer (this seems
|
||
to be happening on some Linux versions).
|
||
The process title was missing the current load average when
|
||
the MTA was delaying connections due to DelayLA.
|
||
Patch from Dick St.Peters of NetHeaven.
|
||
Do not reset the number of queue entries in shared memory if
|
||
only some of them are processed.
|
||
Fix overflow of an internal array when parsing some replies
|
||
from a milter. Problem found by Scott Rotondo
|
||
of Sun Microsystems.
|
||
If STARTTLS is turned off in the server (via M=S) then it
|
||
would not be initialized for use in the client either.
|
||
Patch from Kazuteru Okahashi of IIJ.
|
||
If a Diffie-Hellman cipher is selected for STARTTLS, the
|
||
handshake could fail with some TLS implementations
|
||
because the prime used by the server is not long enough.
|
||
Note: the initialization of the DSA/DH parameters for
|
||
the server can take a significant amount of time on slow
|
||
machines. This can be turned off by setting DHParameters
|
||
to none or a file (see doc/op/op.me). Patch from
|
||
Petr Lampa of the Brno University of Technology.
|
||
Fix handling of `b' modifier for DaemonPortOptions on little
|
||
endian machines for loopback address. Patch from
|
||
John Beck of Sun Microsystems.
|
||
Fix a potential memory leak in libsmdb/smdb1.c found by parfait.
|
||
Based on patch from Jonathan Gray of OpenBSD.
|
||
If a milter sets the reply code to "421" during the transfer
|
||
of the body, the SMTP server will terminate the SMTP session
|
||
with that error to match the behavior of the other callbacks.
|
||
Return EX_IOERR (instead of 0) if a mail submission fails due to
|
||
missing disk space in the mail queue. Based on patch
|
||
from Martin Poole of RedHat.
|
||
CONFIG: Using FEATURE(`ldap_routing')'s `nodomain' argument would
|
||
cause addresses not found in LDAP to be misparsed.
|
||
CONFIG: Using a CN restriction did not work for TLS_Clt as it
|
||
referred to a wrong macro. Patch from John Gardiner
|
||
Myers of Proofpoint.
|
||
CONFIG: The option relaytofulladdress of FEATURE(`access_db')
|
||
did not work if FEATURE(`relay_hosts_only') is used too.
|
||
Problem noted by Kristian Shaw.
|
||
CONFIG: The internal function lower() was broken and hence
|
||
strcasecmp() did not work either, which could cause
|
||
problems for some FEATURE()s if upper case arguments
|
||
were used. Patch from Vesa-Matti J Kari of the
|
||
University of Helsinki.
|
||
LIBMILTER: Fix internal check whether a milter application
|
||
is compiled against the same version of libmilter as
|
||
it is linked against (especially useful for dynamic
|
||
libraries).
|
||
LIBMILTER: Fix memory leak that occurred when smfi_setsymlist()
|
||
was used. Based on patch by Dan Lukes.
|
||
LIBMILTER: Document the effect of SMFIP_HDR_LEADSPC for filters
|
||
which add, insert, or replace headers. From Benjamin
|
||
Pineau.
|
||
LIBMILTER: Fix error messages which refer to "select()" to be
|
||
correct if SM_CONF_POLL is used. Based on patch from
|
||
John Nemeth.
|
||
LIBSM: Fix handling of LDAP search failures where the error is
|
||
carried in the search result itself, such as seen with
|
||
OpenLDAP proxy servers.
|
||
VACATION: Do not refer to a local variable outside its scope.
|
||
Based on patch from Mark Costlow of Southwest Cyberport.
|
||
Portability:
|
||
Enable HAVE_NANOSLEEP for SunOS 5.11. Patch from
|
||
John Beck of Sun Microsystems.
|
||
Drop NISPLUS from default SunOS 5.11 map definitions.
|
||
Patch from John Beck of Sun Microsystems.
|
||
|
||
8.14.3/8.14.3 2008/05/03
|
||
During ruleset processing the generation of a key for a map
|
||
lookup and the parsing of the default value was broken
|
||
for some macros, e.g., $|, which caused the BlankSub
|
||
character to be inserted into the workspace and thus
|
||
failures, e.g., rules that should have matched did not.
|
||
8.14.2 caused a regression: it accessed (macro) storage which was
|
||
freed before. First instance of the problem reported by
|
||
Matthew Dillon of DragonFlyBSD; variations of the same
|
||
bug reported by Todd C. Miller of OpenBSD, Moritz
|
||
Jodeit, and Dave Hayes.
|
||
Improve pathname length checks for persistent host status. Patch
|
||
from Joerg Sonnenberger of DragonFlyBSD.
|
||
Reword misleading SMTP reply text for FEATURE(`badmx'). Problem
|
||
noted by Beth Halsema.
|
||
The read timeout was fixed to be Timeout.datablock if STARTTLS
|
||
was activated. This may cause problems if that value
|
||
is lowered from its default. Problem noted by Jens Elkner.
|
||
CONFIG: Using LOCAL_TLS_CLIENT caused the tls_client ruleset
|
||
to operate incorrectly. Problem found by Werner Wiethege.
|
||
LIBMILTER: Omitting some protocol steps via the xxfi_negotiate()
|
||
callback did not work properly. The patchlevel of
|
||
libmilter has been set to 1 so a milter can determine
|
||
whether libmilter contains this fix.
|
||
MAKEMAP: If a delimiter is specified (-t) use that also when
|
||
dumping a map. Patch from Todd C. Miller of OpenBSD.
|
||
Portability:
|
||
Add support for Darwin 9.x (Mac OS X 10.5).
|
||
Support shared libraries in Darwin 8 and 9. Patch from
|
||
Chris Behrens of Concentric.
|
||
Add support for SCO OpenServer 6, patch from Boyd Gerber.
|
||
DEVTOOLS: Clarify that confSHAREDLIBDIR requires a trailing slash.
|
||
Added Files:
|
||
devtools/OS/Darwin.9.x
|
||
devtools/OS/OSR.i386
|
||
|
||
8.14.2/8.14.2 2007/11/01
|
||
If a message was queued and it contained 8 bit characters in
|
||
a From: or To: header, then those characters could be
|
||
"mistaken" for internal control characters during a queue
|
||
run and trigger various consistency checks. Problem
|
||
noted by Neil Rickert of Northern Illinois University.
|
||
If MaxMimeHeaderLength is set to a value greater than 0 (which
|
||
it is by default) then even if the Linelimit parameter
|
||
is 0, sendmail corrupted in the non-transfer-encoding
|
||
case every MAXLINE-1 characters. Patch from John Gardiner
|
||
Myers of Proofpoint.
|
||
Setting the suboption DeliveryMode for DaemonPortOptions did not
|
||
work in earlier 8.14 versions.
|
||
Note: DeliveryMode=interactive is silently converted to
|
||
background if a milter can reject or delete a recipient.
|
||
Prior to 8.14 this happened only if milter could delete
|
||
recipients.
|
||
ClientRate should trigger when the limit was exceeded (as
|
||
documented), not when it was reached. Patch from
|
||
John Beck of Sun Microsystems.
|
||
Force a queue run for -qGqueuegroup even if no runners are
|
||
specified (R=0) and forking (F=f) is requested.
|
||
When multiple results are requested for a DNS map lookup
|
||
(-z and -Z), return only those that are relevant for
|
||
the query (not also those in the "additional section".)
|
||
If the message transfer time to sendmail (when acting as server)
|
||
exceeds Timeout.queuewarn or Timeout.queuereturn and
|
||
the message is refused (by a milter), sendmail previously
|
||
created a delivery status notification (DSN). Patch
|
||
from Doug Heath of The Hertz Corporation.
|
||
A code change in Cyrus-SASL 2.1.22 for sasl_decode64() requires
|
||
the MTA to deal with some input (i.e., "=") itself.
|
||
Problem noted by Eliot Lear.
|
||
sendmail counted a delivery as successful if PIPELINING is
|
||
compiled in but not offered by the server and the
|
||
delivery failed temporarily. Patch from Werner Wiethege.
|
||
If getting the result of an LDAP query times out then close the
|
||
map so it will be reopened on the next lookup. This
|
||
should help "failover" configurations that specify more
|
||
than one LDAP server.
|
||
If check_compat returns $#discard then a "savemail panic" could
|
||
be triggered under some circumstances (e.g., requiring
|
||
a system which does not have the compile time flag
|
||
HASFLOCK set). Based on patch by Motonori Nakamura
|
||
of National Institute of Informatics, Japan.
|
||
If a milter rejected a recipient, the count for nrcpts= in the
|
||
logfile entry might have been wrong. Problem found by
|
||
Petra Humann of TU Dresden.
|
||
If a milter invoked smfi_chgfrom() where ESMTP arguments are not
|
||
NULL, the message body was lost. Patch from Motonori
|
||
Nakamura of National Institute of Informatics, Japan.
|
||
sendmail(8) had a bogus space in -qGname. Patch from Peng Haitao.
|
||
CONTRIB: buildvirtuser: Preserve ownership and permissions when
|
||
replacing files.
|
||
CONTRIB: buildvirtuser: Skip dot-files (e.g., .cvsignore) when
|
||
reading the /etc/mail/virtusers/ directory.
|
||
CONTRIB: buildvirtuser: Emit warnings instead of exiting where
|
||
appropriate.
|
||
LIBMILTER: Fix ABI backwards compatibility so milters compiled
|
||
against an older libmilter.so shared library can use an
|
||
8.14 libmilter.so shared library.
|
||
LIBMILTER: smfi_version() did not properly extract the patchlevel
|
||
from the version number, however, the returned value was
|
||
correct for the current libmilter version.
|
||
|
||
8.14.1/8.14.1 2007/04/03
|
||
Even though a milter rejects a recipient the MTA will still keep
|
||
it in its list of recipients and deliver to it if the
|
||
transaction is accepted. This is a regression introduced
|
||
in 8.14.0 due to the change for SMFIP_RCPT_REJ. Bug
|
||
found by Andy Fiddaman.
|
||
The new DaemonPortOptions which begin with a lower case character
|
||
could not be set in 8.14.0.
|
||
If a server shut down the connection in response to a STARTTLS
|
||
command, sendmail would log a misleading error message
|
||
due to an internal inconsistency. Problem found by
|
||
Werner Wiethege.
|
||
Document how some sendmail.cf options change the behavior of mailq.
|
||
Noted by Paul Menchini of the North Carolina School of
|
||
Science and Mathematics.
|
||
CONFIG: Add confSOFT_BOUNCE m4 option for setting SoftBounce.
|
||
CONFIG: 8.14.0's RELEASE_NOTES failed to mention the addition
|
||
of the confMAX_NOOP_COMMANDS and confSHARED_MEMORY_KEY_FILE
|
||
m4 options for setting MaxNOOPCommands and
|
||
SharedMemoryKeyFile.
|
||
CONFIG: Add confMILTER_MACROS_EOH and confMILTER_MACROS_DATA m4
|
||
options for setting Milter.macros.eoh and Milter.macros.data.
|
||
CONTRIB: Use flock() and fcntl() in qtool.pl if necessary.
|
||
Patch from Daniel Carroll of Mesa State College.
|
||
LIBMILTER: Make sure an unknown command does not affect the
|
||
currently available macros. Problem found by Andy Fiddaman.
|
||
LIBMILTER: The MTA did not offer SMFIF_SETSYMLIST during option
|
||
negotiation. Problem reported by Bryan Costales.
|
||
LIBMILTER: Fix several minor errors in the documentation.
|
||
Patches from Bryan Costales.
|
||
PORTABILITY FIXES:
|
||
AIX 5.{1,2}: libsm/util.c failed to compile due to
|
||
redefinition of several macros, e.g., SIG_ERR.
|
||
Patch from Jim Pirzyk with assistance by Bob
|
||
Booth, University of Illinois at Urbana-Champaign.
|
||
Add support for QNX.6. Patch from Sean Boudreau of QNX
|
||
Software Systems.
|
||
New Files:
|
||
devtools/M4/depend/QNX6.m4
|
||
devtools/OS/QNX.6.x
|
||
include/sm/os/sm_os_qnx.h
|
||
|
||
New Files added in 8.14.0, but not shown in the release notes entry:
|
||
libmilter/docs/smfi_chgfrom.html
|
||
libmilter/docs/smfi_version.html
|
||
|
||
8.14.0/8.14.0 2007/01/31
|
||
Header field values are now 8 bit clean. Notes:
|
||
- header field names are still restricted to 7 bit.
|
||
- RFC 2822 allows only 7 bit (US-ASCII) characters in
|
||
headers.
|
||
Preserve spaces after the colon in a header. Previously, any
|
||
number of spaces after the colon would be changed to
|
||
exactly one space.
|
||
In some cases of deeply nested aliases/forwarding, mail can
|
||
be silently lost. Moreover, the MaxAliasRecursion
|
||
limit may be reached too early, e.g., the counter
|
||
may be off by a factor of 4 in case of a sequence of
|
||
.forward files that refer to others. Patch from
|
||
Motonori Nakamura of Kyoto University.
|
||
Fix a regression in 8.13.8: if InputMailFilters is set then
|
||
"sendmail -bs" can trigger an assertion because the
|
||
hostname of the client is undefined. It is now set
|
||
to "localhost" for the xxfi_connect() callback.
|
||
Avoid referencing a freed variable during cleanup when terminating.
|
||
Problem reported and diagnosed by Joe Maimon.
|
||
New option HeloName to set the name for the HELO/EHLO command.
|
||
Patch from Nik Clayton.
|
||
New option SoftBounce to issue temporary errors (4xy) instead of
|
||
permanent errors (5xy). This can be useful for testing.
|
||
New suboptions for DaemonPortOptions to set them individually
|
||
per daemon socket:
|
||
DeliveryMode DeliveryMode
|
||
refuseLA RefuseLA
|
||
delayLA DelayLA
|
||
queueLA QueueLA
|
||
children MaxDaemonChildren
|
||
New option -K for LDAP maps to replace %1 through %9 in the
|
||
lookup key with the LDAP escaped contents of the
|
||
arguments specified in the map lookup. Loosely based
|
||
on patch from Wolfgang Hottgenroth.
|
||
Log the time after which a greet_pause delay triggered. Patch
|
||
from Nik Clayton.
|
||
If a client is rejected via TCP wrapper or some other check
|
||
performed by validate_connection() (in conf.c) then do
|
||
not also invoke greet_pause. Problem noted by Jim Pirzyk
|
||
of the University of Illinois at Urbana-Champaign.
|
||
If a client terminates the SMTP connection during a pause
|
||
introduced by greet_pause, then a misleading message
|
||
was logged previously. Problem noted by Vernon Schryver
|
||
et.al., patch from Matej Vela.
|
||
New command "mstat" for control socket to provide "machine
|
||
readable" status.
|
||
New named config file rule check_eom which is called at the end
|
||
of a message, its parameter is the size of the message.
|
||
If the macro {addr_type} indicates that the current address
|
||
is a header address it also distinguishes between
|
||
recipient and sender addresses (as it is done for
|
||
envelope addresses).
|
||
When a macro is set in check_relay, then its value is accessible
|
||
by all transactions in the same SMTP session.
|
||
Increase size of key for ldap lookups to 1024 (MAXKEY).
|
||
New option MaxNOOPCommands to override default of 20 for the
|
||
number of "useless" commands before the SMTP server will
|
||
slow down responding.
|
||
New option SharedMemoryKeyFile: if shared memory support is
|
||
enabled, the MTA can be asked to select a shared memory
|
||
key itself by setting SharedMemoryKey to -1 and specifying
|
||
a file where to store the selected key.
|
||
Try to deal with open HTTP proxies that are used to send spam
|
||
by recognizing some commands from them. If the first command
|
||
from the client is GET, POST, CONNECT, or USER, then the
|
||
connection is terminated immediately.
|
||
New PrivacyOptions noactualrecipient to avoid putting
|
||
X-Actual-Recipient lines in DSNs revealing the actual
|
||
account that addresses map to. Patch from Dan Harkless.
|
||
New options B, z, and Z for DNS maps:
|
||
-B: specify a domain that is always appended to queries.
|
||
-z: specify the delimiter at which to cut off the result of
|
||
a query if it is too long.
|
||
-Z: specify the maximum number of entries to be concatenated
|
||
to form the result of a lookup.
|
||
New target "check" in the Makefile of libsm: instead of running tests
|
||
implicitly while building libsm, they must be explicitly
|
||
started by using "make check".
|
||
Fixed some inconsistent checks for NULL pointers that have been
|
||
reported by the SATURN tool which has been developed by
|
||
Isil Dillig and Thomas Dillig of Stanford University.
|
||
Fix a potential race condition caused by a signal handler for
|
||
terminated child processes. Problem noted by David F. Skoll.
|
||
When a milter deleted a recipient, that recipient could cause a
|
||
queue group selection. This has been disabled as it was not
|
||
intended.
|
||
New operator 'r' for the arith map to return a random number.
|
||
Patch from Motonori Nakamura of Kyoto University.
|
||
New compile time option MILTER_NO_NAGLE to turn off the Nagle
|
||
algorithm for communication with libmilter ("cork" on Linux),
|
||
which may improve the communication performance on some
|
||
operating systems. Patch from John Gardiner Myers of
|
||
Proofpoint.
|
||
If sendmail received input that contained a CR without subsequent LF
|
||
(thus violating RFC 2821 (2.3.7)), it could previously
|
||
generate an additional blank line in the output as the last
|
||
line.
|
||
Restarting persistent queue runners by sending a HUP signal to
|
||
the "queue control process" (QCP) works now.
|
||
Increase the length of an input line to 12288 to deal with
|
||
really long lines during SMTP AUTH negotiations.
|
||
Problem noted by Werner Wiethege.
|
||
If ARPANET mode (-ba) was selected STARTTLS would fail (due to
|
||
a missing initialization call for that case). Problem
|
||
noted by Neil Rickert of Northern Illinois University.
|
||
If sendmail is linked against a library that initializes Cyrus-SASL
|
||
before sendmail did it (such as libnss-ldap), then SMTP AUTH
|
||
could fail for the sendmail client. A patch by Moritz Both
|
||
works around the API design flaw of Cyrus-SASLv2.
|
||
CONFIG: Make it possible to unset the StatusFile option by
|
||
undefining STATUS_FILE. By not setting StatusFile,
|
||
the MTA will not attempt to open a statistics file on
|
||
each delivery.
|
||
CONFIG: New FEATURE(`require_rdns') to reject messages from SMTP
|
||
clients whose IP address does not have proper reverse DNS.
|
||
Contributed by Neil Rickert of Northern Illinois University
|
||
and John Beck of Sun Microsystems.
|
||
CONFIG: New FEATURE(`block_bad_helo') to reject messages from SMTP
|
||
clients which provide a HELO/EHLO argument which is either
|
||
unqualified, or is one of our own names (i.e., the server
|
||
name instead of the client name). Contributed by Neil
|
||
Rickert of Northern Illinois University and John Beck of
|
||
Sun Microsystems.
|
||
CONFIG: New FEATURE(`badmx') to reject envelope sender addresses
|
||
(MAIL) whose domain part resolves to a "bad" MX record.
|
||
Based on contribution from William Dell Wisner.
|
||
CONFIG: New macros SMTP_MAILER_LL and RELAY_MAILER_LL to override
|
||
the maximum line length of the smtp mailers.
|
||
CONFIG: New option `relaytofulladdress' for FEATURE(`access_db')
|
||
to allow entries in the access map to be of the form
|
||
To:user@example.com RELAY
|
||
CONFIG: New subsuboptions eoh and data to specify the list of
|
||
macros a milter should receive at those stages in the
|
||
SMTP dialogue.
|
||
CONFIG: New option confHELO_NAME for HeloName to set the name
|
||
for the HELO/EHLO command.
|
||
CONFIG: dnsbl and enhdnsbl can now also discard or quarantine
|
||
messages by using those values as second argument.
|
||
Patches from Nelson Fung.
|
||
CONTRIB: cidrexpand uses a hash symbol as comment character and
|
||
ignores everything after it unless it is in quotes or
|
||
preceded by a backslash.
|
||
DEVTOOLS: New macro confMKDIR: if set to a program that creates
|
||
directories, then it used for "make install" to create
|
||
the required installation directories.
|
||
DEVTOOLS: New macro confCCLINK to specify the linker to use for
|
||
executables (defaults to confCC).
|
||
LIBMILTER: A new version of the milter API has been created that
|
||
has several changes which are listed below and documented
|
||
in the webpages reachable via libmilter/docs/index.html.
|
||
LIBMILTER: The meaning of the version macro SMFI_VERSION has been
|
||
changed. It now refers only to the version of libmilter,
|
||
not to the protocol version (which is used only internally,
|
||
it is not user/milter-programmer visible). Additionally,
|
||
a version function smfi_version() has been introduced such
|
||
that a milter program can check the libmilter version also
|
||
at runtime which is useful if a shared library is used.
|
||
LIBMILTER: A new callback xxfi_negotiate() can be used to
|
||
dynamically (i.e., at runtime) determine the available
|
||
protocol actions and features of the MTA and also to
|
||
specify which of these a milter wants to use. This allows
|
||
for more flexibility than hardcoding these flags in the
|
||
xxfi_flags field of the smfiDesc structure.
|
||
LIBMILTER: A new callback xxfi_data() is available so milters
|
||
can act on the DATA command.
|
||
LIBMILTER: A new callback xxfi_unknown() is available so milters
|
||
can receive also unknown SMTP commands.
|
||
LIBMILTER: A new return code SMFIS_NOREPLY has been added which
|
||
can be used by the xxfi_header() callback provided the
|
||
milter requested the SMFIP_NOHREPL protocol action.
|
||
LIBMILTER: The new return code SMFIS_SKIP can be used in the
|
||
xxfi_body() callback to skip over further body chunks
|
||
and directly advance to the xxfi_eom() callback. This
|
||
is useful if a milter can make a decision based on the
|
||
body chunks it already received without reading the entire
|
||
rest of the body and the milter wants to invoke functions
|
||
that are only available from the xxfi_eom() callback.
|
||
LIBMILTER: A new function smfi_addrcpt_par() can be used to add
|
||
new recipients including ESMTP parameters.
|
||
LIBMILTER: A new function smfi_chgfrom() can be used to change the
|
||
envelope sender including ESMTP parameters.
|
||
LIBMILTER: A milter can now request to be informed about rejected
|
||
recipients (RCPT) too. This requires to set the protocol
|
||
flag SMFIP_RCPT_REJ during option negotiation. Whether
|
||
a RCPT has been rejected can be checked by comparing the
|
||
value of the macro {rcpt_mailer} with "error".
|
||
LIBMILTER: A milter can now override the list of macros that it
|
||
wants to receive from the MTA for each protocol step
|
||
by invoking the function smfi_setsymlist() during option
|
||
negotiation.
|
||
LIBMILTER: A milter can receive header field values with all
|
||
leading spaces by requesting the SMFIP_HDR_LEADSPC
|
||
protocol action. Also, if the flag is set then the MTA
|
||
does not add a leading space to headers that are added,
|
||
inserted, or replaced.
|
||
LIBMILTER: If a milter sets the reply code to "421" for the HELO
|
||
callback, the SMTP server will terminate the SMTP session
|
||
with that error to match the behavior of all other callbacks.
|
||
New Files:
|
||
cf/feature/badmx.m4
|
||
cf/feature/block_bad_helo.m4
|
||
cf/feature/require_rdns.m4
|
||
devtools/M4/UNIX/check.m4
|
||
include/sm/misc.h
|
||
include/sm/sendmail.h
|
||
include/sm/tailq.h
|
||
libmilter/docs/smfi_addrcpt_par.html
|
||
libmilter/docs/smfi_setsymlist.html
|
||
libmilter/docs/xxfi_data.html
|
||
libmilter/docs/xxfi_negotiate.html
|
||
libmilter/docs/xxfi_unknown.html
|
||
libmilter/example.c
|
||
libmilter/monitor.c
|
||
libmilter/worker.c
|
||
libsm/memstat.c
|
||
libsm/t-memstat.c
|
||
libsm/t-qic.c
|
||
libsm/util.c
|
||
sendmail/daemon.h
|
||
sendmail/map.h
|
||
|
||
8.13.8/8.13.8 2006/08/09
|
||
Fix a regression in 8.13.7: if shared memory is activated, then
|
||
the server can erroneously report that there is
|
||
insufficient disk space. Additionally make sure that
|
||
an internal variable is set properly to avoid those
|
||
misleading errors. Based on patch from Steve Hubert
|
||
of University of Washington.
|
||
Fix a regression in 8.13.7: the PidFile could be removed after
|
||
the process that forks the daemon exited, i.e., if
|
||
sendmail -bd is invoked. Problem reported by Kan Sasaki
|
||
of Fusion Communications Corp. and Werner Wiethege.
|
||
Avoid opening qf files if QueueSortOrder is "none". Patch from
|
||
David F. Skoll.
|
||
Avoid a crash when finishing due to referencing a freed variable.
|
||
Problem reported and diagnosed by Moritz Jodeit.
|
||
CONTRIB: cidrexpand now deals with /0 by issuing the entire IPv4
|
||
range (0..255).
|
||
LIBMILTER: The "hostname" argument of the xxfi_connect() callback
|
||
previously was the equivalent of {client_ptr}. However,
|
||
this did not match the documentation of the function, hence
|
||
it has been changed to {client_name}. See doc/op/op.me
|
||
about these macros.
|
||
|
||
8.13.7/8.13.7 2006/06/14
|
||
A malformed MIME structure with many parts can cause sendmail to
|
||
crash while trying to send a mail due to a stack overflow,
|
||
e.g., if the stack size is limited (ulimit -s). This
|
||
happens because the recursion of the function mime8to7()
|
||
was not restricted. The function is called for MIME 8 to
|
||
7 bit conversion and also to enforce MaxMimeHeaderLength.
|
||
To work around this problem, recursive calls are limited to
|
||
a depth of MAXMIMENESTING (20); message content after this
|
||
limit is treated as opaque and is not checked further.
|
||
Problem noted by Frank Sheiness.
|
||
The changes to the I/O layer in 8.13.6 caused a regression for
|
||
SASL mechanisms that use the security layer, e.g.,
|
||
DIGEST-MD5. Problem noted by Robert Stampfli.
|
||
If a timeout occurs while reading a message (during the DATA phase)
|
||
a df file might have been left behind in the queue.
|
||
This was another side effect of the changes to the I/O
|
||
layer made in 8.13.6.
|
||
Several minor problems have been fixed that were found by a
|
||
Coverity scan of sendmail 8 as part of the NetBSD
|
||
distribution. See http://scan.coverity.com/
|
||
Note: the scan generated also a lot of "false positives",
|
||
e.g., "error" reports about situations that cannot happen.
|
||
Most of those code places are marked with lint(1) comments
|
||
like NOTREACHED, but Coverity does not understand those.
|
||
Hence an explicit assertion has been added in some cases
|
||
to avoid those false positives.
|
||
If the start of the sendmail daemon fails due to a configuration
|
||
error then in some cases shared memory segments or pid
|
||
files were not removed.
|
||
If DSN support is disabled via access_db, then related ESMTP
|
||
parameters for MAIL and RCPT should be rejected. Problem
|
||
reported by Akihiro Sagawa.
|
||
Enabling zlib compression in OpenSSL 0.9.8[ab] breaks the padding
|
||
bug work-around. Hence if sendmail is linked against
|
||
either of these versions and compression is available,
|
||
the padding bug work-around is turned off. Based on
|
||
patch from Victor Duchovni of Morgan Stanley.
|
||
CONFIG: FEATURE(`dnsbl') and FEATURE(`enhdnsbl') used
|
||
blackholes.mail-abuse.org as default domain for lookups,
|
||
however, that list is no longer available. To avoid
|
||
further problems, no default value is available anymore,
|
||
but an argument must be specified.
|
||
Portability:
|
||
Fix compilation on OSF/1 for sfsasl.c. Patch from
|
||
Pieter Bowman of the University of Utah.
|
||
|
||
8.13.6/8.13.6 2006/03/22
|
||
SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server
|
||
and client side of sendmail with timeouts in the libsm I/O
|
||
layer and fix problems in that code. Also fix handling of
|
||
a buffer in sm_syslog() which could have been used as an
|
||
attack vector to exploit the unsafe handling of
|
||
setjmp(3)/longjmp(3) in combination with signals.
|
||
Problem detected by Mark Dowd of ISS X-Force.
|
||
Handle theoretical integer overflows that could triggered if
|
||
the server accepted headers larger than the maximum
|
||
(signed) integer value. This is prevented in the default
|
||
configuration by restricting the size of a header, and on
|
||
most machines memory allocations would fail before reaching
|
||
those values. Problems found by Phil Brass of ISS.
|
||
If a server returns 421 for an RSET command when trying to start
|
||
another transaction in a session while sending mail, do
|
||
not trigger an internal consistency check. Problem found
|
||
by Allan E Johannesen of Worcester Polytechnic Institute.
|
||
If a server returns a 5xy error code (other than 501) in response
|
||
to a STARTTLS command despite the fact that it advertised
|
||
STARTTLS and that the code is not valid according to RFC
|
||
2487 treat it nevertheless as a permanent failure instead
|
||
of a protocol error (which has been changed to a
|
||
temporary error in 8.13.5). Problem reported by Jeff
|
||
A. Earickson of Colby College.
|
||
Clear SMTP state after a HELO/EHLO command. Patch from John
|
||
Myers of Proofpoint.
|
||
Observe MinQueueAge option when gathering entries from the queue
|
||
for sorting etc instead of waiting until the entries are
|
||
processed. Patch from Brian Fundakowski Feldman.
|
||
Set up TLS session cache to properly handle clients that try to
|
||
resume a stored TLS session.
|
||
Properly count the number of (direct) child processes such that
|
||
a configured value (MaxDaemonChildren) is not exceeded.
|
||
Based on patch from Attila Bruncsak.
|
||
LIBMILTER: Remove superfluous backslash in macro definition
|
||
(libmilter.h). Based on patch from Mike Kupfer of
|
||
Sun Microsystems.
|
||
LIBMILTER: Don't try to set SO_REUSEADDR on UNIX domain sockets.
|
||
This generates an error message from libmilter on
|
||
Solaris, though other systems appear to just discard the
|
||
request silently.
|
||
LIBMILTER: Deal with sigwait(2) implementations that return
|
||
-1 and set errno instead of returning an error code
|
||
directly. Patch from Chris Adams of HiWAAY Informations
|
||
Services.
|
||
Portability:
|
||
Fix compilation checks for closefrom(3) and statvfs(2)
|
||
in NetBSD. Problem noted by S. Moonesamy, patch from
|
||
Andrew Brown.
|
||
|
||
8.13.5/8.13.5 2005/09/16
|
||
Store the filesystem identifier of the df/ subdirectory (if it
|
||
exists) in an internal structure instead of the base
|
||
directory. This structure is used decide whether there
|
||
is enough free disk space when selecting a queue, hence
|
||
without this change queue selection could fail if a df/
|
||
subdirectory exists and is on a different filesystem
|
||
than the base directory.
|
||
Use the queue index of the df file (instead of the qf file) for
|
||
checking whether a link(2) operation can be used to split
|
||
an envelope across queue groups. Problem found by
|
||
Werner Wiethege.
|
||
If the list of items in the queue is larger than the maximum
|
||
number of items to process, sort the queue first and
|
||
then cut the list off instead of the other way around.
|
||
Patch from Matej Vela of Rudjer Boskovic Institute.
|
||
Fix helpfile to show full entry for ETRN. Problem noted by
|
||
Penelope Fudd, patch from Neil Rickert of Northern Illinois
|
||
University.
|
||
FallbackSmartHost should also be tried on temporary errors.
|
||
From John Beck of Sun Microsystems.
|
||
When a server responds with 421 to the STARTTLS command then treat
|
||
it as a temporary error, not as protocol error. Problem
|
||
noted by Andrey J. Melnikoff.
|
||
Properly define two functions in libsm as static because their
|
||
prototype used static too. Patch from Peter Klein.
|
||
Fix syntax errors in helpfile for MAIL and RCPT commands.
|
||
LIBMILTER: When smfi_replacebody() is called with bodylen equals
|
||
zero then do not silently ignore that call. Patch from
|
||
Gurusamy Sarathy of Active State.
|
||
LIBMILTER: Recognize "421" also in a multi-line reply to terminate
|
||
the SMTP session with that error. Fix from Brian Kantor.
|
||
Portability: New option HASSNPRINTF which can be set if the OS
|
||
has a properly working snprintf(3) to get rid
|
||
of the last two (safe) sprintf(3) calls in the
|
||
source code.
|
||
Add support for AIX 5.3.
|
||
Add support for SunOS 5.11 (aka Solaris 11).
|
||
Add support for Darwin 8.x. Patch from Lyndon Nerenberg.
|
||
OpenBSD 3.7 has removed support for NETISO.
|
||
CONFIG: Add OSTYPE(freebsd6) for FreeBSD 6.X.
|
||
Set DontBlameSendmail to AssumeSafeChown and
|
||
GroupWritableDirPathSafe for OSTYPE(darwin).
|
||
Patch from Lyndon Nerenberg.
|
||
Some features still used 4.7.1 as enhanced status code which
|
||
was supposed to be eliminated in 8.13.0 because some
|
||
broken systems misinterpret it as a permanent error.
|
||
Patch from Matej Vela of Rudjer Boskovic Institute.
|
||
Some default values in a generated cf file did not match
|
||
the defaults in the sendmail binary. Problem noted
|
||
by Mike Pechkin.
|
||
New Files:
|
||
cf/ostype/freebsd6.m4
|
||
devtools/OS/AIX.5.3
|
||
devtools/OS/Darwin.8.x
|
||
devtools/OS/SunOS.5.11
|
||
include/sm/time.h
|
||
|
||
8.13.4/8.13.4 2005/03/27
|
||
The bug fixes in 8.13.3 for connection handling uncovered a
|
||
different error which could result in connections that
|
||
stay in CLOSE_WAIT state due to a variable that was not
|
||
properly initialized. Problem noted by Michael Sims.
|
||
Deal with empty hostnames in hostsignature(). This bug could lead
|
||
to an endless loop when doing LMTP deliveries to another
|
||
host. Problem first reported by Martin Lathoud and
|
||
tracked down by Gael Roualland.
|
||
Make sure return parameters are initialized in getmxrr(). Problem
|
||
found by Gael Roualland using valgrind.
|
||
If shared memory is used and the RunAsUser option is set, then the
|
||
owner and group of the shared memory segment is set to
|
||
the ids specified RunAsUser and the access mode is set
|
||
to 0660 to allow for updates by sendmail processes.
|
||
The number of queue entries that is (optionally) kept in shared
|
||
memory was wrong in some cases, e.g., envelope splitting
|
||
and bounce generation.
|
||
Undo a change made in 8.13.0 to silently truncate long strings
|
||
in address rewriting because the message can be triggered
|
||
for header checks where long strings are legitimate.
|
||
Problem reported by Mary Verge DeSisto, and tracked
|
||
down with the help of John Beck of Sun Microsystems.
|
||
The internal stab map did not obey the -m flag. Patch from
|
||
Rob McMahon of Warwick University, England.
|
||
The socket map did not obey the -f flag. Problem noted by
|
||
Dan Ringdahl, forwarded by Andrzej Filip.
|
||
The addition of LDAP recursion in 8.13.0 broke enforcement of
|
||
the LDAP map -1 argument which tells the MTA to only
|
||
return success if and only if a single LDAP match is found.
|
||
Add additional error checks in the MTA for milter communication
|
||
to avoid a possible segmentation fault. Based on patch
|
||
by Joe Maimon.
|
||
Do not trigger an assertion if X509_digest() returns success but
|
||
does not assign a value to its output parameter. Based
|
||
on patch by Brian Kantor.
|
||
Add more checks when resetting internal AUTH data (applies only
|
||
to Cyrus SASL version 2). Otherwise an SMTP session might
|
||
be dropped after an AUTH failure.
|
||
Portability:
|
||
Add LA_LONGLONG as valid LA_TYPE type for systems that use
|
||
"long long" to read load average data, e.g.,
|
||
AIX 5.1 in 32 bit mode. Note: this has to be set
|
||
"by hand", it is not (yet) automatically detected.
|
||
Problem noted by Burak Bilen.
|
||
Use socklen_t for accept(), etc. on AIX 5.x. This should
|
||
fix problems when compiling in 64 bit mode.
|
||
Problem first reported by Harry Meiert of
|
||
University of Bremen.
|
||
New Files:
|
||
include/sm/sem.h
|
||
libsm/sem.c
|
||
libsm/t-sem.c
|
||
|
||
8.13.3/8.13.3 2005/01/11
|
||
Enhance handling of I/O errors, especially EOF, when STARTTLS
|
||
is active.
|
||
Make sure a connection is not reused after it has been closed
|
||
due to a 421 error. Problem found by Allan E Johannesen
|
||
of Worcester Polytechnic Institute.
|
||
Avoid triggering an assertion when sendmail is interrupted while
|
||
closing a connection. Problem found by Allan E Johannesen
|
||
of Worcester Polytechnic Institute.
|
||
Regression: a change in 8.13.2 caused sendmail not to try the
|
||
next MX host (or FallbackMXhost if configured) when, at
|
||
connection open, the current server returns a 4xy or 5xy
|
||
SMTP reply code. Problem noted by Mark Tranchant.
|
||
|
||
8.13.2/8.13.2 2004/12/15
|
||
Do not split the first header even if it exceeds the internal
|
||
buffer size. Previously a part of such a header would
|
||
end up in the body of the message. Problem noted by
|
||
Simple Nomad of BindView.
|
||
Do not complain about "cataddr: string too long" when checking
|
||
headers that do not contain RFC 2822 addresses.
|
||
Problem noted by Rich Graves of Brandeis University.
|
||
If a server returns a 421 reply to the RSET command between
|
||
message deliveries, do not attempt to deliver any more
|
||
messages on that connection. This prevents bogus "Bad
|
||
file number" recipient status. Problem noted by
|
||
Allan E Johannesen of Worcester Polytechnic Institute.
|
||
Allow trailing white space in EHLO command as recommended by RFC
|
||
2821. Problem noted by Ralph Santagato of SBC Services.
|
||
Deal with clients which use AUTH but negotiate a smaller buffer size
|
||
for data exchanges than the value used by sendmail, e.g.,
|
||
Cyrus IMAP lmtp server. Based on patch by Jamie Clark.
|
||
When passing ESMTP arguments for RCPT to a milter, do not cut
|
||
them off at a comma. Problem noted by Krzysztof Oledzki.
|
||
Add more logging to milter change header functions to
|
||
complement existing logging. Based on patch from
|
||
Gurusamy Sarathy of Active State.
|
||
Include <lber.h> in include/sm/config.h when LDAPMAP is defined.
|
||
Patch from Edgar Hoch of the University of Stuttgart.
|
||
Fix DNS lookup if IPv6 is enabled when converting an IP address
|
||
to a hostname for use with SASL. Problem noted by Ken Jones;
|
||
patch from Hajimu UMEMOTO.
|
||
CONFIG: For consistency enable MODIFY_MAILER_FLAGS for the prog
|
||
mailer. Patch from John Beck of Sun Microsystems.
|
||
LIBMILTER: It was possible that xxfi_abort() was called after
|
||
xxfi_eom() for a message if some timeouts were triggered.
|
||
Patch from Alexey Kravchuk.
|
||
LIBMILTER: Slightly rearrange mutex use in listener.c to allow
|
||
different threads to call smfi_opensocket() and smfi_main().
|
||
Patch from Jordan Ritter of Cloudmark.
|
||
MAIL.LOCAL: Properly terminate MBDB before exiting. Problem
|
||
noted by Nelson Fung.
|
||
MAIL.LOCAL: make strip-mail.local used a wrong path to access
|
||
mail.local. Problem noted by William Park.
|
||
VACATION: Properly terminate MBDB before exiting. Problem noted
|
||
by Nelson Fung.
|
||
Portability:
|
||
Add support for DragonFly BSD.
|
||
New Files:
|
||
cf/ostype/dragonfly.m4
|
||
devtools/OS/DragonFly
|
||
include/sm/os/sm_os_dragonfly.h
|
||
Deleted Files:
|
||
libsm/vsscanf.c
|
||
|
||
8.13.1/8.13.1 2004/07/30
|
||
Using the default AliasFile ldap: specification would cause the
|
||
objectClasses of the LDAP response to be included in the
|
||
alias expansion. Problem noted by Brenden Conte of
|
||
Rensselaer Polytechnic Institute.
|
||
Fix support for a fallback smart host for system where DNS is
|
||
(partially) available. From John Beck of Sun Microsystems.
|
||
Fix SuperSafe=PostMilter behavior when a milter replaces a body
|
||
but the data file is not yet stored on disk because it is
|
||
smaller than the size of the memory buffer. Problem noted
|
||
by David Russell.
|
||
Fix certificate revocation list support; if a CRL was specified
|
||
but the other side presented a cert that was signed by
|
||
a different (trusted) CA than the one which issued the CRL,
|
||
verification would always fail. Problem noted by Al Smith.
|
||
Run mailer programs as the RunAsUser when RunAsUser is set and
|
||
the F=S mailer flag is set without a U= mailer equate.
|
||
Problem noted by John Gardiner Myers of Proofpoint.
|
||
${nbadrcpts} was off by one if BadRcptThrottle is zero.
|
||
Patch from Sung-hoon Choi of DreamWiz Inc.
|
||
CONFIG: Emit a warning if FEATURE(`access_db') is used after
|
||
FEATURE(`greet_pause') because then the latter will not
|
||
use the access map. Note: if no default value is given
|
||
for FEATURE(`greet_pause') then it issues an error if
|
||
FEATURE(`access_db') is not specified before it.
|
||
Problem noted by Alexander Dalloz of University of
|
||
Bielefeld.
|
||
CONFIG: Invoke ruleset Local_greet_pause if FEATURE(`greet_pause')
|
||
is used to give more flexibility for local changes.
|
||
Portability:
|
||
Fix a 64 bit problem in the socket map code. Problem
|
||
noted by Geoff Adams.
|
||
NetBSD 2.0F has closefrom(3). Patch from Andrew Brown.
|
||
NetBSD can use sysctl(3) to get the number of CPUs in
|
||
a system. Patch from Andrew Brown.
|
||
Add a README file in doc/op/ to explain potential
|
||
incompatibilities with various *roff related
|
||
tools. Problem tracked down by Per Hedeland.
|
||
New Files:
|
||
doc/op/README
|
||
|
||
8.13.0/8.13.0 2004/06/20
|
||
Do not include AUTH data in a bounce to avoid leaking confidential
|
||
information. See also cf/README about MSP and the section
|
||
"Providing SMTP AUTH Data when sendmail acts as Client".
|
||
Problem noted by Neil Rickert of Northern Illinois
|
||
University.
|
||
Fix compilation error in libsm/clock.c for -D_FFR_SLEEP_USE_SELECT=n
|
||
and -DSM_CONF_SETITIMER=0. Problem noted by Juergen Georgi
|
||
of RUS University of Stuttgart.
|
||
Fix bug in conversion from 8bit to quoted-printable. Problem found
|
||
by Christof Haerens, patch from Per Hedeland.
|
||
Add support for LDAP recursion based on types given to attribute
|
||
specifications in an LDAP map definition. This allows
|
||
LDAP queries to return a new query, a DN, or an LDAP
|
||
URL which will in turn be queried. See the ``LDAP
|
||
Recursion'' section of doc/op/op.me for more information.
|
||
Based on patch from Andrew Baucom.
|
||
Extend the default LDAP specifications for AliasFile
|
||
(O AliasFile=ldap:) and file classes (F{X}@LDAP) to
|
||
include support for LDAP recursion via new attributes.
|
||
See ``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section
|
||
of cf/README for more information.
|
||
New option for LDAP maps: the -w option allows you to specify the
|
||
LDAP API/protocol version to use. The default depends on
|
||
the LDAP library.
|
||
New option for LDAP maps: the -H option allows you to specify an
|
||
LDAP URI instead of specifying the LDAP server via -h host
|
||
and -p port. This also allows for the use of LDAP over
|
||
SSL and connections via named sockets if your LDAP
|
||
library supports it.
|
||
New compile time flag SM_CONF_LDAP_INITIALIZE: set this if
|
||
ldap_initialize(3) is available (and LDAPMAP is set).
|
||
If MaxDaemonChildren is set and a command is repeated too often
|
||
during a SMTP session then terminate it just like it is
|
||
done for too many bad SMTP commands.
|
||
Basic connection rate control support has been added: the daemon
|
||
maintains the number of incoming connections per client
|
||
IP address and total in the macros {client_rate} and
|
||
{total_rate}, respectively. These macros can be used
|
||
in the cf file to impose connection rate limits.
|
||
A new option ConnectionRateWindowSize (default: 60s)
|
||
determines the length of the interval for which the
|
||
number of connections is stored. Based on patch from
|
||
Jose Marcio Martins da Cruz, Ecole des Mines de Paris.
|
||
Add optional protection from open proxies and SMTP slammers which
|
||
send SMTP traffic without waiting for the SMTP greeting.
|
||
If enabled by the new ruleset greet_pause (see
|
||
FEATURE(`greet_pause')), sendmail will wait the specified
|
||
amount of time before sending the initial 220 SMTP
|
||
greeting. If any traffic is received before then, a 554
|
||
SMTP response is sent and all SMTP commands are rejected
|
||
during that connection.
|
||
If 32 NOOP (or unknown/bad) commands are issued by a client the SMTP
|
||
server could sleep for a very long time. Fix based on
|
||
patch from Tadashi Kobayashi of IIJ.
|
||
Fix a potential memory leak in persistent queue runners if the
|
||
number of entries in the queue exceeds the limit of jobs.
|
||
Problem noted by Steve Hubert of University of Washington.
|
||
Do not use 4.7.1 as enhanced status code because some broken systems
|
||
misinterpret it as a permanent error.
|
||
New value for SuperSafe: PostMilter which will delay fsync() until
|
||
all milters accepted the mail. This can increase
|
||
performance if many mails are rejected by milters due to
|
||
body scans. Based on patch from David F. Skoll.
|
||
New macro {msg_id} which contains the value of the Message-Id:
|
||
header, whether provided by the client or generated by
|
||
sendmail.
|
||
New macro {client_connections} which contains the number of open
|
||
connections in the SMTP server for the client IP address.
|
||
Based on patch from Jose Marcio Martins da Cruz, Ecole des
|
||
Mines de Paris.
|
||
sendmail will now remove its pidfile when it exits. This was done
|
||
to prevent confusion caused by running sendmail stop
|
||
scripts two or more times, where the second and subsequent
|
||
runs would report misleading error messages about sendmail's
|
||
pid no longer existing. See section 1.3.15 of doc/op/op.me
|
||
for a discussion of the implications of this, including
|
||
how to correct broken scripts which may have depended on
|
||
the old behavior. From John Beck of Sun Microsystems.
|
||
Support per-daemon input filter lists which override the default
|
||
filter list specified in InputMailFilters. The filters
|
||
can be listed in the I= equate of DaemonPortOptions.
|
||
Do not add all domain prefixes of the hostname to class 'w'. If
|
||
your configuration relies on this behavior, you have to
|
||
add those names to class 'w' yourself. Problem noted
|
||
by Sander Eerkes.
|
||
Support message quarantining in the mail queue. Quarantined
|
||
messages are not run on normal queue displays or runs
|
||
unless specifically requested with -qQ. Quarantined queue
|
||
files are named with an hf prefix instead of a qf prefix.
|
||
The -q command line option now can specify which queue to display
|
||
or run. -qQ operates on quarantined queue items. -qL
|
||
operates on lost queue items.
|
||
Restricted mail queue runs and displays can be done based on the
|
||
quarantined reason using -qQtext to run or display
|
||
quarantined items if the quarantine reason contains the
|
||
given text. Similarly, -q!Qtext will run or display
|
||
quarantined items which do not have the given text in the
|
||
quarantine reason.
|
||
Items in the queue can be quarantined or unquarantined using the
|
||
new -Q option. See doc/op/op.me for more information.
|
||
When displaying the quarantine mailq with 'mailq -qQ', the
|
||
quarantine reason is shown in a new line prefixed by
|
||
"QUARANTINE:".
|
||
A new error code for the $#error mailer, $@ quarantine, can be used
|
||
to quarantine messages in check_* (except check_compat) and
|
||
header check rulesets. The $: of the mailer triplet will
|
||
be used for the quarantine reason.
|
||
Add a new quarantine count to the mailstats collected.
|
||
Add a new macro ${quarantine} which is the quarantine reason for a
|
||
message if it is quarantined.
|
||
New map type "socket" for a trivial query protocol over UNIX domain
|
||
or TCP sockets (requires compile time option SOCKETMAP).
|
||
See sendmail/README and doc/op/op.me for details as well as
|
||
socketmapServer.pl and socketmapClient.pl in contrib.
|
||
Code donated by Bastiaan Bakker of LifeLine Networks.
|
||
Define new macro ${client_ptr} which holds the result of the PTR
|
||
lookup for the client IP address. Note: this is the same
|
||
as ${client_name} if and only if ${client_resolve} is OK.
|
||
Add a new macro ${nbadrcpts} which contains the number of bad
|
||
recipients received so far in a transaction.
|
||
Call check_relay with the value of ${client_name} to deal with bogus
|
||
DNS entries. See also FEATURE(`use_client_ptr'). Problem
|
||
noted by Kai Schlichting.
|
||
Treat Delivery-Receipt-To: headers the same as Return-Receipt-To:
|
||
headers (turn them into DSNs). Delivery-Receipt-To: is
|
||
apparently used by SIMS (Sun Internet Mail System).
|
||
Enable connection caching for LPC mailers. Patch from Christophe
|
||
Wolfhugel of France Telecom Oleane.
|
||
Do not silently truncate long strings in address rewriting.
|
||
Add support for Cyrus SASL version 2. From Kenneth Murchison of
|
||
Oceana Matrix Ltd.
|
||
Add a new AuthOption=m flag to require the use of mechanisms which
|
||
support mutual authentication. From Kenneth Murchison of
|
||
Oceana Matrix Ltd.
|
||
Fix logging of TLS related problems (introduced in 8.12.11).
|
||
The macros {auth_author} and {auth_authen} are stored in xtext
|
||
format just like the STARTTLS related macros to avoid
|
||
problems with parsing them. Problem noted by Pierangelo
|
||
Masarati of SysNet s.n.c.
|
||
New option AuthRealm to set the authentication realm that is
|
||
passed to the Cyrus SASL library. Patch from Gary Mills
|
||
of the University of Manitoba.
|
||
Enable AUTH mechanism EXTERNAL if STARTTLS verification was
|
||
successful, otherwise relaying would be allowed if
|
||
EXTERNAL is listed in TRUST_AUTH_MECH() and STARTTLS
|
||
is active.
|
||
Add basic support for certificate revocation lists. Note: if a
|
||
CRLFile is specified but the file is unusable, STARTTLS
|
||
is disabled. Based on patch by Ralf Hornik.
|
||
Enable workaround for inconsistent Cyrus SASLv1 API for mechanisms
|
||
DIGEST-MD5 and LOGIN.
|
||
Write pid to file also if sendmail only acts as persistent queue
|
||
runner. Proposed by Gary Mills of the University of Manitoba.
|
||
Keep daemon pid file(s) locked so other daemons don't try to
|
||
overwrite each other's pid files.
|
||
Increase maximum length of logfile fields for {cert_subject} and
|
||
{cert_issuer} from 128 to 256. Requested by Christophe
|
||
Wolfhugel of France Telecom.
|
||
Log the TLS verification message on the STARTTLS= log line at
|
||
LogLevel 12 or higher.
|
||
If the MSP is invoked with the verbose option (-v) then it will
|
||
try to use the SMTP command VERB to propagate this option
|
||
to the MTA which in turn will show the delivery just like
|
||
it was done before the default 8.12 separation of MSP and
|
||
MTA. Based on patch by Per Hedeland.
|
||
If a daemon is refusing connections for longer than the time specified
|
||
by the new option RejectLogInterval (default: 3 hours) due
|
||
to high load, log this information. Patch from John Beck
|
||
of Sun Microsystems.
|
||
Remove the ability for non-trusted users to raise the value of
|
||
CheckpointInterval on the command line.
|
||
New mailer flag 'B' to strip leading backslashes, which is a
|
||
subset of the functionality of the 's' flag.
|
||
New mailer flag 'W' to ignore long term host status information.
|
||
Patch from Juergen Georgi of RUS University of Stuttgart.
|
||
Enable generic mail filter API (milter) by default. To turn
|
||
it off, add -DMILTER=0 to the compile time options.
|
||
An internal SMTP session discard flag was lost after an RSET/HELO/EHLO
|
||
causing subsequent messages to be sent instead of being
|
||
discarded. This also caused milter callbacks to be called
|
||
out of order after the SMTP session was reset.
|
||
New option RequiresDirfsync to turn off the compile time flag
|
||
REQUIRES_DIR_FSYNC at runtime. See sendmail/README for
|
||
further information.
|
||
New command line option -D logfile to send debug output to
|
||
the indicated log file instead of stdout.
|
||
Add Timeout.queuereturn.dsn and Timeout.queuewarn.dsn to control
|
||
queue return and warning times for delivery status
|
||
notifications.
|
||
New queue sort order option: 'n'one for not sorting the queue entries
|
||
at all.
|
||
Several more return values for ruleset srv_features have been added
|
||
to enable/disable certain features in the server per
|
||
connection. See doc/op/op.me for details.
|
||
Support for SMTP over SSL (smtps), activated by Modifier=s
|
||
for DaemonPortOptions.
|
||
Continue with DNS lookups on ECONNREFUSED and TRY_AGAIN when
|
||
trying to canonify hostnames. Suggested by Neil Rickert
|
||
of Northern Illinois University.
|
||
Add support for a fallback smart host (option FallbackSmartHost) to
|
||
be tried as a last resort after all other fallbacks. This
|
||
is designed for sites with partial DNS (e.g., an accurate
|
||
view of inside the company, but an incomplete view of
|
||
outside). From John Beck of Sun Microsystems.
|
||
Enable timeout for STARTTLS even if client does not start the TLS
|
||
handshake. Based on patch by Andrey J. Melnikoff.
|
||
Remove deprecated -v option for PH map, use -k instead. Patch from
|
||
Mark Roth of the University of Illinois at Urbana-Champaign.
|
||
libphclient is version 1.2.x by default, if version 1.1.x is required
|
||
then compile with -DNPH_VERSION=10100. Patch from Mark Roth
|
||
of the University of Illinois at Urbana-Champaign.
|
||
Add Milter.macros.eom, allowing macros to be sent to milter
|
||
applications for use in the xxfi_eom() callback.
|
||
New macro {time} which contains the output of the time(3) function,
|
||
i.e., the number of seconds since 0 hours, 0 minutes,
|
||
0 seconds, January 1, 1970, Coordinated Universal Time (UTC).
|
||
If check_relay sets the reply code to "421" the SMTP server will
|
||
terminate the SMTP session with a 421 error message.
|
||
Get rid of dead code that tried to access the environment variable
|
||
HOSTALIASES.
|
||
Deprecate the use of ErrorMode=write. To enable this in 8.13
|
||
compile with -DUSE_TTYPATH=1.
|
||
Header check rulesets using $>+ (do not strip comments) will get
|
||
the header value passed in without balancing quotes,
|
||
parentheses, and angle brackets. Based on patch from
|
||
Oleg Bulyzhin.
|
||
Do not complain and fix up unbalanced quotes, parentheses, and
|
||
angle brackets when reading in rulesets. This allows
|
||
rules to be written for header checks to catch strings
|
||
that contain quotes, parentheses, and/or angle brackets.
|
||
Based on patch from Oleg Bulyzhin.
|
||
Do not close socket when accept(2) in the daemon encounters
|
||
some temporary errors like ECONNABORTED.
|
||
Added list of CA certificates that are used by members of the
|
||
sendmail consortium, see CACerts.
|
||
Portability:
|
||
Two new compile options have been added:
|
||
HASCLOSEFROM System has closefrom(3).
|
||
HASFDWALK System has fdwalk(3).
|
||
Based on patch from John Beck of Sun Microsystems.
|
||
The Linux kernel version 2.4 series has a broken flock() so
|
||
change to using fcntl() locking until they can fix
|
||
it. Be sure to update other sendmail related
|
||
programs to match locking techniques.
|
||
New compile time option NEEDINTERRNO which should be set
|
||
if <errno.h> does not declare errno itself.
|
||
Support for UNICOS/mk and UNICOS/mp added, some changes for
|
||
UNICOS. Patches contributed by Aaron Davis and
|
||
Brian Ginsbach, Cray Inc., and Manu Mahonen of
|
||
Center for Scientific Computing.
|
||
Add support for Darwin 7.0/Mac OS X 10.3 (a.k.a. Panther).
|
||
Extend support to Darwin 7.x/Mac OS X 10.3 (a.k.a. Panther).
|
||
Remove path from compiler definition for Interix because
|
||
Interix 3.0 and 3.5 put gcc in different locations.
|
||
Also use <sys/mkdev.h> to get the correct
|
||
major()/minor() definitions. Based on feedback
|
||
from Mark Funkenhauser.
|
||
CONFIG: Add support for LDAP recursion to the default LDAP searches
|
||
for maps via new attributes. See the ``USING LDAP FOR
|
||
ALIASES, MAPS, and CLASSES'' section of cf/README and
|
||
cf/sendmail.schema for more information.
|
||
CONFIG: Make sure confTRUSTED_USER is valid even if confRUN_AS_USER
|
||
is of the form "user:group" when used for submit.mc.
|
||
Problem noted by Carsten P. Gehrke, patch from Neil Rickert
|
||
of Northern Illinois University.
|
||
CONFIG: Add a new access DB value of QUARANTINE:reason which
|
||
instructs the check_* (except check_compat) to quarantine
|
||
the message using the given reason.
|
||
CONFIG: Use "dns -R A" as map type for dnsbl (just as for enhdnsbl)
|
||
instead of "host" to avoid problem with looking up other
|
||
DNS records than just A.
|
||
CONFIG: New option confCONNECTION_RATE_WINDOW_SIZE to define the
|
||
length of the interval for which the number of incoming
|
||
connections is maintained.
|
||
CONFIG: New FEATURE(`ratecontrol') to set the limits for connection
|
||
rate control for individual hosts or nets.
|
||
CONFIG: New FEATURE(`conncontrol') to set the limits for the
|
||
number of open SMTP connections for individual hosts or nets.
|
||
CONFIG: New FEATURE(`greet_pause') enables open proxy and SMTP
|
||
slamming protection described above. The feature can
|
||
take an argument specifying the milliseconds to wait and/or
|
||
use the access database to look the pause time based on
|
||
client hostname, domain, IP address, or subnet.
|
||
CONFIG: New FEATURE(`use_client_ptr') to have check_relay use
|
||
$&{client_ptr} as its first argument. This is useful for
|
||
rejections based on the unverified hostname of client,
|
||
which turns on the same behavior as in earlier sendmail
|
||
versions when delay_checks was not in use. See also entry
|
||
above about check_relay being invoked with ${client_name}.
|
||
CONFIG: New option confREJECT_LOG_INTERVAL to specify the log
|
||
interval when refusing connections for this long.
|
||
CONFIG: Remove quotes around usage of confREJECT_MSG; in some cases
|
||
this requires a change in a mc file. Requested by
|
||
Ted Roberts of Electronic Data Systems.
|
||
CONFIG: New option confAUTH_REALM to set the authentication realm
|
||
that is passed to the Cyrus SASL library. Patch from
|
||
Gary Mills of the University of Manitoba.
|
||
CONFIG: Rename the (internal) classes {tls}/{src} to {Tls}/{Src}
|
||
to follow the naming conventions.
|
||
CONFIG: Add a third optional argument to local_lmtp to specify
|
||
the A= argument.
|
||
CONFIG: Remove the f flag from the default mailer flags of
|
||
local_lmtp.
|
||
CONFIG: New option confREQUIRES_DIR_FSYNC to turn off the compile
|
||
time flag REQUIRES_DIR_FSYNC at runtime.
|
||
CONFIG: New LOCAL_UUCP macro to insert rules into the generated
|
||
cf file at the same place where MAILER(`uucp') inserts
|
||
its rules.
|
||
CONFIG: New options confTO_QUEUERETURN_DSN and confTO_QUEUEWARN_DSN
|
||
to control queue return and warning times for delivery
|
||
status notifications.
|
||
CONFIG: New option confFALLBACK_SMARTHOST to define FallbackSmartHost.
|
||
CONFIG: Add the mc file which has been used to create the cf
|
||
file to the end of the cf file when using make in cf/cf/.
|
||
Patch from Richard Rognlie.
|
||
CONFIG: FEATURE(nodns) has been removed, it was a no-op since 8.9.
|
||
Use ServiceSwitchFile to turn off DNS lookups, see
|
||
doc/op/op.me.
|
||
CONFIG: New option confMILTER_MACROS_EOM (sendmail Milter.macros.eom
|
||
option) defines macros to be sent to milter applications for
|
||
use in the xxfi_eom() callback.
|
||
CONFIG: New option confCRL to specify file which contains
|
||
certificate revocations lists.
|
||
CONFIG: Add a new value (sendertoo) for the third argument to
|
||
FEATURE(`ldap_routing') which will reject the SMTP
|
||
MAIL From: command if the sender address doesn't exist
|
||
in LDAP. See cf/README for more information.
|
||
CONFIG: Add a fifth argument to FEATURE(`ldap_routing') which
|
||
instructs the rulesets on whether or not to do a domain
|
||
lookup if a full address lookup doesn't match. See cf/README
|
||
for more information.
|
||
CONFIG: Add a sixth argument to FEATURE(`ldap_routing') which
|
||
instructs the rulesets on whether or not to queue the mail
|
||
or give an SMTP temporary error if the LDAP server can't be
|
||
reached. See cf/README for more information. Based on
|
||
patch from Billy Ray Miller of Caterpillar.
|
||
CONFIG: Experimental support for MTAMark, see cf/README for details.
|
||
CONFIG: New option confMESSAGEID_HEADER to define a different
|
||
Message-Id: header format. Patch from Bastiaan Bakker
|
||
of LifeLine Networks.
|
||
CONTRIB: New version of cidrexpand which uses Net::CIDR. From
|
||
Derek J. Balling.
|
||
CONTRIB: oldbind.compat.c has been removed due to security problems.
|
||
Found by code inspection done by Reasoning, Inc.
|
||
DEVTOOLS: Add an example file for devtools/Site/, contributed
|
||
by Neil Rickert of Northern Illinois University.
|
||
LIBMILTER: Add new function smfi_quarantine() which allows the
|
||
filter's EOM routine to quarantine the current message.
|
||
Filters which use this function must include the
|
||
SMFIF_QUARANTINE flag in the registered smfiDesc structure.
|
||
LIBMILTER: If a milter sets the reply code to "421", the SMTP server
|
||
will terminate the SMTP session with that error.
|
||
LIBMILTER: Upon filter shutdown, libmilter will not remove a
|
||
named socket in the file system if it is running as root.
|
||
LIBMILTER: Add new function smfi_progress() which allows the filter
|
||
to notify the MTA that an EOM operation is still in progress,
|
||
resetting the timeout.
|
||
LIBMILTER: Add new function smfi_opensocket() which allows the filter
|
||
to attempt to establish the interface socket, and detect
|
||
failure to do so before calling smfi_main().
|
||
LIBMILTER: Add new function smfi_setmlreply() which allows the
|
||
filter to return a multi-line SMTP reply.
|
||
LIBMILTER: Deal with more temporary errors in accept() by ignoring
|
||
them instead of stopping after too many occurred.
|
||
Suggested by James Carlson of Sun Microsystems.
|
||
LIBMILTER: Fix a descriptor leak in the sample program found in
|
||
docs/sample.html. Reported by Dmitry Adamushko.
|
||
LIBMILTER: The sample program also needs to use SMFIF_ADDRCPT.
|
||
Reported by Carl Byington of 510 Software Group.
|
||
LIBMILTER: Document smfi_stop() and smfi_setdbg(). Patches
|
||
from Bryan Costales.
|
||
LIBMILTER: New compile time option SM_CONF_POLL; define this if
|
||
poll(2) should be used instead of select(2).
|
||
LIBMILTER: New function smfi_insheader() and related protocol
|
||
amendments to support header insertion operations.
|
||
MAIL.LOCAL: Add support for hashed mail directories, see
|
||
mail.local/README. Contributed by Chris Adams of HiWAAY
|
||
Informations Services.
|
||
MAILSTATS: Display quarantine message counts.
|
||
MAKEMAP: Add new flag -D to specify the comment character to use
|
||
instead of '#'.
|
||
VACATION: Add new flag -j to auto-respond to messages regardless of
|
||
whether or not the recipient is listed in the To: or Cc:
|
||
headers.
|
||
VACATION: Add new flag -R to specify the envelope sender address
|
||
for the auto-response message.
|
||
New Files:
|
||
CACerts
|
||
cf/feature/conncontrol.m4
|
||
cf/feature/greet_pause.m4
|
||
cf/feature/mtamark.m4
|
||
cf/feature/ratecontrol.m4
|
||
cf/feature/use_client_ptr.m4
|
||
cf/ostype/unicos.m4
|
||
cf/ostype/unicosmk.m4
|
||
cf/ostype/unicosmp.m4
|
||
contrib/socketmapClient.pl
|
||
contrib/socketmapServer.pl
|
||
devtools/OS/Darwin.7.0
|
||
devtools/OS/UNICOS-mk
|
||
devtools/OS/UNICOS-mp
|
||
devtools/Site/site.config.m4.sample
|
||
include/sm/os/sm_os_unicos.h
|
||
include/sm/os/sm_os_unicosmk.h
|
||
include/sm/os/sm_os_unicosmp.h
|
||
libmilter/docs/smfi_insheader.html
|
||
libmilter/docs/smfi_progress.html
|
||
libmilter/docs/smfi_quarantine.html
|
||
libmilter/docs/smfi_setdbg.html
|
||
libmilter/docs/smfi_setmlreply.html
|
||
libmilter/docs/smfi_stop.html
|
||
sendmail/ratectrl.c
|
||
Deleted Files:
|
||
cf/feature/nodns.m4
|
||
contrib/oldbind.compat.c
|
||
devtools/OS/CRAYT3E.2.0.x
|
||
devtools/OS/CRAYTS.10.0.x
|
||
libsm/vsprintf.c
|
||
Renamed Files:
|
||
devtools/OS/Darwin.7.0 => devtools/OS/Darwin.7.x
|
||
|
||
8.12.11/8.12.11 2004/01/18
|
||
Use QueueFileMode when opening qf files. This error was a
|
||
regression in 8.12.10. Problem detected and diagnosed
|
||
Lech Szychowski of the Polish Power Grid Company.
|
||
Properly count the number of queue runners in a work group and
|
||
make sure the total limit of MaxQueueChildren is not
|
||
exceeded. Based on patch from Takayuki Yoshizawa of
|
||
Techfirm, Inc.
|
||
Take care of systems that can generate time values where the
|
||
seconds can exceed the usual range of 0 to 59.
|
||
Problem noted by Randy Diffenderfer of EDS.
|
||
Avoid regeneration of identical queue identifiers by processes
|
||
whose process id is the same as that of the initial
|
||
sendmail process that was used to start the daemon.
|
||
Problem noted by Randy Diffenderfer of EDS.
|
||
When a milter invokes smfi_delrcpt() compare the supplied
|
||
recipient address also against the printable addresses
|
||
of the current list to deal with rewritten addresses.
|
||
Based on patch from Sean Hanson of The Asylum.
|
||
BadRcptThrottle now also works for addresses which return the
|
||
error mailer, e.g., virtusertable entries with the
|
||
right hand side error:. Patch from Per Hedeland.
|
||
Fix printing of 8 bit characters as octals in log messages.
|
||
Based on patch by Andrey J. Melnikoff.
|
||
Undo change of algorithm for MIME 7-bit base64 encoding to 8-bit
|
||
text that has been introduced in 8.12.3. There are some
|
||
examples where the new code fails, but the old code works.
|
||
To get the 8.12.3-8.12.10 version, compile sendmail with
|
||
-DMIME7TO8_OLD=0. If you have an example of improper
|
||
7 to 8 bit conversion please send it to us.
|
||
Return normal error code for unknown SMTP commands instead of
|
||
the one specified by check_relay or a milter for a
|
||
connection. Problem noted by Andrzej Filip.
|
||
Some ident responses contain data after the terminating CRLF which
|
||
causes sendmail to log "POSSIBLE ATTACK...newline in string".
|
||
To avoid this everything after LF is ignored.
|
||
If the operating system supports O_EXLOCK and HASFLOCK is set
|
||
then a possible race condition for creating qf files
|
||
can be avoided. Note: the race condition does not
|
||
exist within sendmail, but between sendmail and an
|
||
external application that accesses qf files.
|
||
Log the proper options name for TLS related mising files for
|
||
the CACertPath, CACertFile, and DHParameters options.
|
||
Do not split an envelope if it will be discarded, otherwise df
|
||
files could be left behind. Problem found by Wolfgang
|
||
Breyha.
|
||
The use of the environment variables HOME and HOSTALIASES has been
|
||
deprecated and will be removed in version 8.13. This only
|
||
effects configuration which preserve those variable via the
|
||
'E' command in the cf file as sendmail clears out its entire
|
||
environment.
|
||
Portability:
|
||
Add support for Darwin 7.0/Mac OS X 10.3 (a.k.a. Panther).
|
||
Solaris 10 has unsetenv(), patch from Craig Mohrman of
|
||
Sun Microsystems.
|
||
LIBMILTER: Add extra checks in case a broken MTA sends bogus data
|
||
to libmilter. Based on code review by Rob Grzywinski.
|
||
SMRSH: Properly assemble commands that contain '&&' or '||'.
|
||
Problem noted by Eric Lee of Talking Heads.
|
||
New Files:
|
||
devtools/OS/Darwin.7.0
|
||
|
||
8.12.10/8.12.10 2003/09/24 (Released: 2003/09/17)
|
||
SECURITY: Fix a buffer overflow in address parsing. Problem
|
||
detected by Michal Zalewski, patch from Todd C. Miller
|
||
of Courtesan Consulting.
|
||
Fix a potential buffer overflow in ruleset parsing. This problem
|
||
is not exploitable in the default sendmail configuration;
|
||
only if non-standard rulesets recipient (2), final (4), or
|
||
mailer-specific envelope recipients rulesets are used then
|
||
a problem may occur. Problem noted by Timo Sirainen.
|
||
Accept 0 (and 0/0) as valid input for set MaxMimeHeaderLength.
|
||
Problem noted by Thomas Schulz.
|
||
Add several checks to avoid (theoretical) buffer over/underflows.
|
||
Properly count message size when performing 7->8 or 8->7 bit MIME
|
||
conversions. Problem noted by Werner Wiethege.
|
||
Properly compute message priority based on size of entire message,
|
||
not just header. Problem noted by Axel Holscher.
|
||
Reset SevenBitInput to its configured value between SMTP
|
||
transactions for broken clients which do not properly
|
||
announce 8 bit data. Problem noted by Stefan Roehrich.
|
||
Set {addr_type} during queue runs when processing recipients.
|
||
Based on patch from Arne Jansen.
|
||
Better error handling in case of (very unlikely) queue-id conflicts.
|
||
Perform better error recovery for address parsing, e.g., when
|
||
encountering a comment that is too long. Problem noted by
|
||
Tanel Kokk, Union Bank of Estonia.
|
||
Add ':' to the allowed character list for bogus HELO/EHLO
|
||
checking. It is used for IPv6 domain literals. Patch from
|
||
Iwaizako Takahiro of FreeBit Co., Ltd.
|
||
Reset SASL connection context after a failed authentication attempt.
|
||
Based on patch from Rob Siemborski of CMU.
|
||
Check Berkeley DB compile time version against run time version
|
||
to make sure they match.
|
||
Do not attempt AAAA (IPv6) DNS lookups if IPv6 is not enabled
|
||
in the kernel.
|
||
When a milter adds recipients and one of them causes an error,
|
||
do not ignore the other recipients. Problem noted by
|
||
Bart Duchesne.
|
||
CONFIG: Use specified SMTP error code in mailertable entries which
|
||
lack a DSN, i.e., "error:### Text". Problem noted by
|
||
Craig Hunt.
|
||
CONFIG: Call Local_trust_auth with the correct argument. Patch
|
||
from Jerome Borsboom.
|
||
CONTRIB: Better handling of temporary filenames for doublebounce.pl
|
||
and expn.pl to avoid file overwrites, etc. Patches from
|
||
Richard A. Nelson of Debian and Paul Szabo.
|
||
MAIL.LOCAL: Fix obscure race condition that could lead to an
|
||
improper mailbox truncation if close() fails after the
|
||
mailbox is fsync()'ed and a new message is delivered
|
||
after the close() and before the truncate().
|
||
MAIL.LOCAL: If mail delivery fails, do not leave behind a
|
||
stale lockfile (which is ignored after the lock timeout).
|
||
Patch from Oleg Bulyzhin of Cronyx Plus LLC.
|
||
Portability:
|
||
Port for AIX 5.2. Thanks to Steve Hubert of University
|
||
of Washington for providing access to a computer
|
||
with AIX 5.2.
|
||
setreuid(2) works on OpenBSD 3.3. Patch from
|
||
Todd C. Miller of Courtesan Consulting.
|
||
Allow for custom definition of SMRSH_CMDDIR and SMRSH_PATH
|
||
on all operating systems. Patch from Robert Harker
|
||
of Harker Systems.
|
||
Use strerror(3) on Linux. If this causes a problem on
|
||
your Linux distribution, compile with
|
||
-DHASSTRERROR=0 and tell sendmail.org about it.
|
||
Added Files:
|
||
devtools/OS/AIX.5.2
|
||
|
||
8.12.9/8.12.9 2003/03/29
|
||
SECURITY: Fix a buffer overflow in address parsing due to
|
||
a char to int conversion problem which is potentially
|
||
remotely exploitable. Problem found by Michal Zalewski.
|
||
Note: an MTA that is not patched might be vulnerable to
|
||
data that it receives from untrusted sources, which
|
||
includes DNS.
|
||
To provide partial protection to internal, unpatched sendmail MTAs,
|
||
8.12.9 changes by default (char)0xff to (char)0x7f in
|
||
headers etc. To turn off this conversion compile with
|
||
-DALLOW_255 or use the command line option -d82.101.
|
||
To provide partial protection for internal, unpatched MTAs that may be
|
||
performing 7->8 or 8->7 bit MIME conversions, the default
|
||
for MaxMimeHeaderLength has been changed to 2048/1024.
|
||
Note: this does have a performance impact, and it only
|
||
protects against frontal attacks from the outside.
|
||
To disable the checks and return to pre-8.12.9 defaults,
|
||
set MaxMimeHeaderLength to 0/0.
|
||
Do not complain about -ba when submitting mail. Problem noted
|
||
by Derek Wueppelmann.
|
||
Fix compilation with Berkeley DB 1.85 on systems that do not
|
||
have flock(2). Problem noted by Andy Harper of Kings
|
||
College London.
|
||
Properly initialize data structure for dns maps to avoid various
|
||
errors, e.g., looping processes. Problem noted by
|
||
Maurice Makaay of InterNLnet B.V.
|
||
CONFIG: Prevent multiple application of rule to add smart host.
|
||
Patch from Andrzej Filip.
|
||
CONFIG: Fix queue group declaration in MAILER(`usenet').
|
||
CONTRIB: buildvirtuser: New option -t builds the virtusertable
|
||
text file instead of the database map.
|
||
Portability:
|
||
Revert wrong change made in 8.12.7 and actually use the
|
||
builtin getopt() version in sendmail on Linux.
|
||
This can be overridden by using -DSM_CONF_GETOPT=0
|
||
in which case the OS supplied version will be used.
|
||
|
||
8.12.8/8.12.8 2003/02/11
|
||
SECURITY: Fix a remote buffer overflow in header parsing by
|
||
dropping sender and recipient header comments if the
|
||
comments are too long. Problem noted by Mark Dowd
|
||
of ISS X-Force.
|
||
Fix a potential non-exploitable buffer overflow in parsing the
|
||
.cf queue settings and potential buffer underflow in
|
||
parsing ident responses. Problem noted by Yichen Xie of
|
||
Stanford University Compilation Group.
|
||
Fix ETRN #queuegroup command: actually start a queue run for
|
||
the selected queue group. Problem noted by Jos Vos.
|
||
If MaxMimeHeaderLength is set and a malformed MIME header is fixed,
|
||
log the fixup as "Fixed MIME header" instead of "Truncated
|
||
MIME header". Problem noted by Ian J Hart.
|
||
CONFIG: Fix regression bug in proto.m4 that caused a bogus
|
||
error message: "FEATURE() should be before MAILER()".
|
||
MAIL.LOCAL: Be more explicit in some error cases, i.e., whether
|
||
a mailbox has more than one link or whether it is not
|
||
a regular file. Patch from John Beck of Sun Microsystems.
|
||
|
||
8.12.7/8.12.7 2002/12/29
|
||
Properly clean up macros to avoid persistence of session data
|
||
across various connections. This could cause session
|
||
oriented restrictions, e.g., STARTTLS requirements,
|
||
to erroneously allow a connection. Problem noted
|
||
by Tim Maletic of Priority Health.
|
||
Do not lookup MX records when sorting the MSP queue. The MSP
|
||
only needs to relay all mail to the MTA. Problem found
|
||
by Gary Mills of the University of Manitoba.
|
||
Do not restrict the length of connection information to 100
|
||
characters in some logging statements. Problem noted by
|
||
Erik Parker.
|
||
When converting an enhanced status code to an exit status, use
|
||
EX_CONFIG if the first digit is not 2, 4, or 5 or if *.1.5
|
||
is used.
|
||
Reset macro $x when receiving another MAIL command. Problem
|
||
noted by Vlado Potisk of Wigro s.r.o.
|
||
Don't bother setting the permissions on the build area statistics
|
||
file, the proper permissions will be put on the file at
|
||
install time. This fixes installation over NFS for some
|
||
users. Problem noted by Martin J. Dellwo of 3-Dimensional
|
||
Pharmaceuticals, Inc.
|
||
Fix problem of decoding SASLv2 encrypted data. Problem noted by
|
||
Alex Deiter of Mobile TeleSystems, Komi Republic.
|
||
Log milter socket open errors at MilterLogLevel 1 or higher instead
|
||
of 11 or higher.
|
||
Print early system errors to the console instead of silently
|
||
exiting. Problem noted by James Jong of IBM.
|
||
Do not process a queue group if Runners is set to 0, regardless
|
||
of whether F=f or sendmail is run in verbose mode (-v).
|
||
The use of -qGname will still force queue group "name"
|
||
to be run even if Runners=0.
|
||
Change the level for logging the fact that a daemon is refusing
|
||
connections due to high load from LOG_INFO to LOG_NOTICE.
|
||
Patch from John Beck of Sun Microsystems.
|
||
Use location information for submit.cf from NetInfo
|
||
(/locations/sendmail/submit.cf) if available.
|
||
Re-enable ForkEachJob which was lost in 8.12.0. Problem noted by
|
||
Neil Rickert of Northern Illinois University.
|
||
Make behavior of /canon in debug mode consistent with usage in
|
||
rulesets. Patch from Shigeno Kazutaka of IIJ.
|
||
Fix a potential memory leak in envelope splitting. Problem noted
|
||
by John Majikes of IBM.
|
||
Do not try to share an mailbox database LDAP connection across
|
||
different processes. Problem noted by Randy Kunkee.
|
||
Fix logging for undelivered recipients when the SMTP connection
|
||
times out during message collection. Problem noted by Neil
|
||
Rickert of Northern Illinois University.
|
||
Avoid problems with QueueSortOrder=random due to problems with
|
||
qsort() on Solaris (and maybe some other operating systems).
|
||
Problem noted by Stephan Schulz of Gruner+Jahr..
|
||
If -f "" is specified, set the sender address to "<>". Problem
|
||
noted by Matthias Andree.
|
||
Fix formatting problem of footnotes for plain text output on some
|
||
versions of tmac. Patch from Per Hedeland.
|
||
Portability:
|
||
Berkeley DB 4.1 support (requires at least 4.1.25).
|
||
Some getopt(3) implementations in GNU/Linux are broken
|
||
and pass a NULL pointer to an option which requires
|
||
an argument, hence the builtin version of
|
||
sendmail is used instead. This can be overridden
|
||
by using -DSM_CONF_GETOPT=0. Problem noted by
|
||
Vlado Potisk of Wigro s.r.o.
|
||
Support for nph-1.2.0 from Mark D. Roth of the University
|
||
of Illinois at Urbana-Champaign.
|
||
Support for FreeBSD 5.0's MAC labeling from Robert Watson
|
||
of the TrustedBSD Project.
|
||
Support for reading the number of processors on an IRIX
|
||
system from Michel Bourget of SGI.
|
||
Support for UnixWare 7.1 based on input from Larry Rosenman.
|
||
Interix support from Nedelcho Stanev of Atlantic Sky
|
||
Corporation.
|
||
Update Mac OS X/Darwin portability from Wilfredo Sanchez.
|
||
CONFIG: Enforce tls_client restrictions even if delay_checks
|
||
is used. Problem noted by Malte Starostik.
|
||
CONFIG: Deal with an empty hostname created via bogus
|
||
DNS entries to get around access restrictions.
|
||
Problem noted by Kai Schlichting.
|
||
CONFIG: Use FEATURE(`msp', `[127.0.0.1]') in submit.mc by default
|
||
to avoid problems with hostname resolution for localhost
|
||
which on many systems does not resolve to 127.0.0.1 (or
|
||
::1 for IPv6). If you do not use IPv4 but only IPv6 then
|
||
you need to change submit.mc accordingly, see the comment
|
||
in the file itself.
|
||
CONFIG: Set confDONT_INIT_GROUPS to True in submit.mc to avoid
|
||
error messages from initgroups(3) on AIX 4.3 when sending
|
||
mail to non-existing users. Problem noted by Mark Roth of
|
||
the University of Illinois at Urbana-Champaign.
|
||
CONFIG: Allow local_procmail to override local_lmtp settings.
|
||
CONFIG: Always allow connections from 127.0.0.1 or IPv6:::1 to
|
||
relay.
|
||
CONTRIB: cidrexpand: Deal with the prefix tags that may be included
|
||
in access_db.
|
||
CONTRIB: New version of doublebounce.pl contributed by Leo Bicknell.
|
||
LIBMILTER: On Solaris libmilter may get into an endless loop if
|
||
an error in the communication from/to the MTA occurs.
|
||
Patch from Gurusamy Sarathy of Active State.
|
||
LIBMILTER: Ignore EINTR from sigwait(3) which may happen on Tru64.
|
||
Patch from from Jose Marcio Martins da Cruz of Ecole
|
||
Nationale Superieure des Mines de Paris.
|
||
MAIL.LOCAL: Fix a truncation race condition if the close() on
|
||
the mailbox fails. Problem noted by Tomoko Fukuzawa of
|
||
Sun Microsystems.
|
||
MAIL.LOCAL: Fix a potential file descriptor leak if mkstemp(3)
|
||
fails. Patch from John Beck of Sun Microsystems.
|
||
SMRSH: SECURITY: Only allow regular files or symbolic links to be
|
||
used for a command. Problem noted by David Endler of
|
||
iDEFENSE, Inc.
|
||
New Files:
|
||
devtools/OS/Interix
|
||
include/sm/bdb.h
|
||
|
||
8.12.6/8.12.6 2002/08/26
|
||
Do not add the FallbackMXhost (or its MX records) to the list
|
||
returned by the bestmx map when -z is used as option.
|
||
Otherwise sendmail may act as an open relay if FallbackMXhost
|
||
and FEATURE(`relay_based_on_MX') are used together.
|
||
Problem noted by Alexander Ignatyev.
|
||
Properly split owner- mailing list messages when SuperSafe is set
|
||
to interactive. Problem noted by Todd C. Miller of
|
||
Courtesan Consulting.
|
||
Make sure that an envelope is queued in the selected queue group
|
||
even if some recipients are deleted or invalid. Problem
|
||
found by Chris Adams of HiWAAY Informations Services.
|
||
Do not send a bounce message if a message is completely collected
|
||
from the SMTP client. Problem noted by Kari Hurtta of the
|
||
Finnish Meteorological Institute.
|
||
Provide an 'install-submit-st' target for sendmail/Makefile to
|
||
install the MSP statistics file using the file named in the
|
||
confMSP_STFILE devtools variable. Requested by Jeff
|
||
Earickson of Colby College.
|
||
Queue up mail with a temporary error if setusercontext() fails
|
||
during a delivery attempt. Patch from Todd C. Miller of
|
||
Courtesan Consulting.
|
||
Fix handling of base64 encoded client authentication data for
|
||
SMTP AUTH. Patch from Elena Slobodnik of life medien GmbH.
|
||
Set the OpenLDAP option LDAP_OPT_RESTART so the client libraries
|
||
restart interrupted system calls. Problem noted by Luiz
|
||
Henrique Duma of BSIOne.
|
||
Prevent a segmentation fault if a program passed a NULL envp using
|
||
execve().
|
||
Document a problem with the counting of queue runners that may
|
||
cause delays if MaxQueueChildren is set too low. Problem
|
||
noted by Ian Duplisse of Cable Television Laboratories, Inc.
|
||
If discarding a message based on a recipient, don't try to look up
|
||
the recipient in the mailbox database if F=w is set. This
|
||
allows users to discard bogus recipients when dealing with
|
||
spammers without tipping them off. Problem noted by Neil
|
||
Rickert of Northern Illinois University.
|
||
If applying a header check to a header with unstructured data,
|
||
e.g., Subject:, then do not run syntax checks that are
|
||
supposed for addresses on the header content.
|
||
Count messages rejected/discarded via the check_data ruleset.
|
||
Portability:
|
||
Fix compilation on systems which do not allow simple
|
||
copying of the variable argument va_list. Based on
|
||
fix from Scott Walters.
|
||
Fix NSD map open bug. From Michel Bourget of SGI.
|
||
Add some additional IRIX shells to the default shell
|
||
list. From Michel Bourget of SGI.
|
||
Fix compilation issues on Mac OS X 10.2 (Darwin 6.0).
|
||
NETISO support has been dropped.
|
||
CONFIG: There was a seemingly minor change in 8.12.4 with respect
|
||
to handling entries of IP nets/addresses with RHS REJECT.
|
||
These would be rejected in check_rcpt instead of only
|
||
being activated in check_relay. This change has been made to
|
||
avoid potential bogus temporary rejection of relay attempts
|
||
"450 4.7.1 Relaying temporarily denied. Cannot resolve PTR
|
||
record for ..." if delay_checks is enabled. However, this
|
||
modification causes a change of behavior if an IP net/address
|
||
is listed in the access map with REJECT and a host/domain
|
||
name is listed with OK or RELAY, hence it has been reversed
|
||
such that the behavior of 8.12.3 is restored. The original
|
||
change was made on request of Neil Rickert of Northern
|
||
Illinois University, the side effect has been found by
|
||
Stefaan Van Hoornick.
|
||
CONFIG: Make sure delay_checks works even for sender addresses
|
||
using the local hostname ($j) or domains in class {P}.
|
||
Based on patch from Neil Rickert of Northern Illinois
|
||
University.
|
||
CONFIG: Fix temporary error handling for LDAP Routing lookups.
|
||
Fix from Andrzej Filip.
|
||
CONTRIB: New version of etrn.pl script and external man page
|
||
(etrn.0) from John Beck of Sun Microsystems.
|
||
LIBMILTER: Protect a free(3) operation from being called with a
|
||
NULL pointer. Problem noted by Andrey J. Melnikoff.
|
||
LIBMILTER: Protect against more interrupted select() calls. Based
|
||
on patch from Jose Marcio Martins da Cruz of Ecole Nationale
|
||
Superieure des Mines de Paris.
|
||
New Files:
|
||
contrib/etrn.0
|
||
|
||
8.12.5/8.12.5 2002/06/25
|
||
SECURITY: The DNS map can cause a buffer overflow if the user
|
||
specifies a dns map using TXT records in the configuration
|
||
file and a rogue DNS server is queried. None of the
|
||
sendmail supplied configuration files use this option hence
|
||
they are not vulnerable. Problem noted independently by
|
||
Joost Pol of PINE Internet and Anton Rang of Sun Microsystems.
|
||
Unprintable characters in responses from DNS servers for the DNS
|
||
map type are changed to 'X' to avoid potential problems
|
||
with rogue DNS servers.
|
||
Require a suboption when setting the Milter option. Problem noted
|
||
by Bryan Costales.
|
||
Do not silently overwrite command line settings for
|
||
DirectSubmissionModifiers. Problem noted by Bryan
|
||
Costales.
|
||
Prevent a segmentation fault when clearing the event list by
|
||
turning off alarms before checking if event list is
|
||
empty. Problem noted by Allan E Johannesen of Worcester
|
||
Polytechnic Institute.
|
||
Close a potential race condition in transitioning a memory buffered
|
||
file onto disk. From Janani Devarajan of Sun Microsystems.
|
||
Portability:
|
||
Include paths.h on Linux systems running glibc 2.0 or later
|
||
to get the definition for _PATH_SENDMAIL, used by
|
||
rmail and vacation. Problem noted by Kevin
|
||
A. McGrail of Peregrine Hardware.
|
||
NOTE: Linux appears to have broken flock() again. Unless
|
||
the bug is fixed before sendmail 8.13 is shipped,
|
||
8.13 will change the default locking method to
|
||
fcntl() for Linux kernel 2.4 and later. You may
|
||
want to do this in 8.12 by compiling with
|
||
-DHASFLOCK=0. Be sure to update other sendmail
|
||
related programs to match locking techniques.
|
||
|
||
8.12.4/8.12.4 2002/06/03
|
||
SECURITY: Inherent limitations in the UNIX file locking model
|
||
can leave systems open to a local denial of service
|
||
attack. Be sure to read the "FILE AND MAP PERMISSIONS"
|
||
section of the top level README for more information.
|
||
Problem noted by lumpy.
|
||
Use TempFileMode (defaults to 0600) for the permissions of PidFile
|
||
instead of 0644.
|
||
Change the default file permissions for new alias database files
|
||
from 0644 to 0640. This can be overridden at compile time
|
||
by setting the DBMMODE macro.
|
||
Fix a potential core dump problem if the environment variable
|
||
NAME is set. Problem noted by Beth A. Chaney of
|
||
Purdue University.
|
||
Expand macros before passing them to libmilter. Problem noted
|
||
by Jose Marcio Martins da Cruz of Ecole Nationale
|
||
Superieure des Mines de Paris.
|
||
Rewind the df (message body) before truncating it when libmilter
|
||
replaces the body of a message. Problem noted by Gisle Aas
|
||
of Active State.
|
||
Change SMTP reply code for AUTH failure from 500 to 535 and the
|
||
initial zero-length response to "=" per RFC 2554. Patches
|
||
from Kenneth Murchison of Oceana Matrix Ltd.
|
||
Do not try to fix broken message/rfc822 MIME attachments by
|
||
inserting a MIME-Version: header when MaxMimeHeaderLength
|
||
is set and no 8 to 7 bit conversion is needed. Based on
|
||
patch from Rehor Petr of ICZ (Czech Republic).
|
||
Do not log "did not issue MAIL/EXPN/VRFY/ETRN" if the connection
|
||
is rejected anyway. Noted by Chris Loelke.
|
||
Mention the submission mail queue in the mailq man page. Requested
|
||
by Bill Fenner of AT&T.
|
||
Set ${msg_size} macro when reading a message from the command line
|
||
or the queue.
|
||
Detach from shared memory before dropping privileges back to
|
||
user who started sendmail.
|
||
If AllowBogusHELO is set to false (default) then also complain if
|
||
the argument to HELO/EHLO contains white space. Suggested
|
||
by Seva Gluschenko of Cronyx Plus.
|
||
Allow symbolicly linked forward files in writable directory paths
|
||
if both ForwardFileInUnsafeDirPath and
|
||
LinkedForwardFileInWritableDir DontBlameSendmail options
|
||
are set. Problem noted by Werner Spirk of
|
||
Leibniz-Rechenzentrum Munich.
|
||
Portability:
|
||
Operating systems that lack the ftruncate() call will not
|
||
be able to use Milter's body replacement feature.
|
||
This only affects Altos, Maxion, and MPE/iX.
|
||
Digital UNIX 5.0 has changed flock() semantics to be
|
||
non-compliant. Problem noted by Martin Mokrejs of
|
||
Charles University in Prague.
|
||
The sparc64 port of FreeBSD 5.0 now supports shared
|
||
memory.
|
||
CONFIG: FEATURE(`preserve_luser_host') needs the macro map.
|
||
Problem noted by Andrzej Filip.
|
||
CONFIG: Using 'local:' as a mailertable value with
|
||
FEATURE(`preserve_luser_host') and LUSER_RELAY caused mail
|
||
to be misaddressed. Problem noted by Andrzej Filip.
|
||
CONFIG: Provide a workaround for DNS based rejection lists that
|
||
fail for AAAA queries. Problem noted by Chris Boyd.
|
||
CONFIG: Accept the machine's hostname as resolvable when checking
|
||
the sender address. This allows locally submitted mail to
|
||
be accepted if the machine isn't connected to a nameserver
|
||
and doesn't have an /etc/hosts entry for itself. Problem
|
||
noted by Robert Watson of the TrustedBSD Project.
|
||
CONFIG: Use deferred expansion for checking the ${deliveryMode}
|
||
macro in case the SMTP VERB command is used. Problem
|
||
noted by Bryan Costales.
|
||
CONFIG: Avoid a duplicate '@domain' virtusertable lookup if no
|
||
matches are found. Fix from Andrzej Filip.
|
||
CONFIG: Fix wording in default dnsbl rejection message. Suggested
|
||
by Lou Katz of Metron Computerware, Ltd.
|
||
CONFIG: Add mailer cyrusv2 for Cyrus V2. Contributed by
|
||
Kenneth Murchison of Oceana Matrix Ltd.
|
||
CONTRIB: Fix wording in default dnsblaccess rejection message to
|
||
match dnsbl change.
|
||
DEVTOOLS: Add new option for access mode of statistics file,
|
||
confSTMODE, which specifies the permissions when initially
|
||
installing the sendmail statistics file.
|
||
LIBMILTER: Mark the listening socket as close-on-exec in case
|
||
a user's filter starts other applications.
|
||
LIBSM: Allow the MBDB initialize, lookup, and/or terminate
|
||
functions in SmMbdbTypes to be set to NULL.
|
||
MAKEMAP: Change the default file permissions for new databases from
|
||
0644 to 0640. This can be overridden at compile time
|
||
by setting the DBMMODE macro.
|
||
SMRSH: Fix man page bug: replace SMRSH_CMDBIN with SMRSH_CMDDIR.
|
||
Problem noted by Dave Alden of Ohio State University.
|
||
VACATION: When listing the vacation database (-l), don't show
|
||
bogus timestamps for excluded (-x) addresses. Problem
|
||
noted by Bryan Costales.
|
||
New Files:
|
||
cf/mailer/cyrusv2.m4
|
||
|
||
8.12.3/8.12.3 2002/04/05
|
||
NOTICE: In general queue files should not be moved if queue groups
|
||
are used. In previous versions this could cause mail
|
||
not to be delivered if a queue file is repeatedly moved
|
||
by an external process whenever sendmail moved it back
|
||
into the right place. Some precautions have been taken
|
||
to avoid moving queue files if not really necessary.
|
||
sendmail may use links to refer to queue files and it
|
||
may store the path of data files in queue files. Hence
|
||
queue files should not be moved unless those internals
|
||
are understood and the integrity of the files is not
|
||
compromised. Problem noted by Anne Bennett of Concordia
|
||
University.
|
||
If an error mail is created, and the mail is split across different
|
||
queue directories, and SuperSafe is off, then write the mail
|
||
to disk before splitting it, otherwise an assertion is
|
||
triggered. Problem tracked down by Henning Schmiedehausen
|
||
of INTERMETA.
|
||
Fix possible race condition that could cause sendmail to forget
|
||
running queues. Problem noted by Jeff Wasilko of smoe.org.
|
||
Handle bogus qf files better without triggering assertions.
|
||
Problem noted by Guy Feltin.
|
||
Protect against interrupted select() call when enforcing Milter
|
||
read and write timeouts. Patch from Gurusamy Sarathy of
|
||
ActiveState.
|
||
Matching queue IDs with -qI should be case sensitive. Problem
|
||
noted by Anne Bennett of Concordia University.
|
||
If privileges have been dropped, don't try to change group ID to
|
||
the RunAsUser group. Problem noted by Neil Rickert of
|
||
Northern Illinois University.
|
||
Fix SafeFileEnvironment path munging when the specified path
|
||
contains a trailing slash. Based on patch from Dirk Meyer
|
||
of Dinoex.
|
||
Do not limit sendmail command line length to SM_ARG_MAX (usually
|
||
4096). Problem noted by Allan E Johannesen of Worcester
|
||
Polytechnic Institute.
|
||
Clear full name of sender for each new envelope to avoid bogus data
|
||
if several mails are sent in one session and some of them
|
||
do not have a From: header. Problem noted by Bas Haakman.
|
||
Change timeout check such that cached information about a connection
|
||
will be immediately invalid if ConnectionCacheTimeout is zero.
|
||
Based on patch from David Burns of Portland State University.
|
||
Properly count message size for mailstats during mail collection.
|
||
Problem noted by Werner Wiethege.
|
||
Log complete response from LMTP delivery agent on failure. Based on
|
||
patch from Motonori Nakamura of Kyoto University.
|
||
Provide workaround for getopt() implementations that do not catch
|
||
missing arguments.
|
||
Fix the message size calculation if the message body is replaced by
|
||
a milter filter and buffered file I/O is being used.
|
||
Problem noted by Sergey Akhapkin of Dr.Web.
|
||
Do not honor SIGUSR1 requests if running with extra privileges.
|
||
Problem noted by Werner Wiethege.
|
||
Prevent a file descriptor leak on mail delivery if the initial
|
||
connect fails and DialDelay is set. Patch from Servaas
|
||
Vandenberghe of Katholieke Universiteit Leuven.
|
||
Properly deal with a case where sendmail is called by root running
|
||
a set-user-ID (non-root) program. Problem noted by Jon
|
||
Lusky of ISS Atlanta.
|
||
Avoid leaving behind stray transcript (xf) files if multiple queue
|
||
directories are used and mail is sent to a mailing list
|
||
which has an owner- alias. Problem noted by Anne Bennett
|
||
of Concordia University.
|
||
Fix class map parsing code if optional key is specified. Problem
|
||
found by Mario Nigrovic.
|
||
The SMTP daemon no longer tries to fix up improperly dot-stuffed
|
||
incoming messages. A leading dot is always stripped by the
|
||
SMTP receiver regardless of whether or not it is followed by
|
||
another dot. Problem noted by Jordan Ritter of darkridge.com.
|
||
Fix corruption when doing automatic MIME 7-bit quoted-printable or
|
||
base64 encoding to 8-bit text. Problem noted by Mark
|
||
Elvers.
|
||
Correct the statistics gathered for total number of connections.
|
||
Instead of being the exact same number as the total number
|
||
of messages (T line in mailstats) it now represents the
|
||
total number of TCP connections.
|
||
Be more explicit about syntax errors in addresses, especially
|
||
non-ASCII characters, and properly create DSNs if necessary.
|
||
Problem noted by Leena Heino of the University of Tampere.
|
||
Prevent small timeouts from being lost on slow machines if itimers
|
||
are used. Problem noted by Suresh Ramasubramanian.
|
||
Prevent a race condition on child cleanup for delivery to files.
|
||
Problem noted by Fletcher Mattox of the University of
|
||
Texas.
|
||
Change the SMTP error code for temporary map failures from 421
|
||
to 451.
|
||
Do not assume that realloc(NULL, size) works on all OS (this was
|
||
only done in one place: queue group creation). Based on
|
||
patch by Bryan Costales.
|
||
Initialize Timeout.iconnect in the code to prevent randomly short
|
||
timeouts. Problem noted by Bradley Watts of AT&T Canada.
|
||
Do not try to send a second SMTP QUIT command if the remote
|
||
responds to a MAIL command with a 421 reply or on I/O
|
||
errors. By doing so, the host was marked as having a
|
||
temporary problem and other mail destined for that host was
|
||
queued for the next queue run. Problem noted by Fletcher
|
||
Mattox of the University of Texas, Allan E Johannesen of
|
||
Worcester Polytechnic Institute, Larry Greenfield of CMU,
|
||
and Neil Rickert of Northern Illinois University.
|
||
Ignore error replies from the SMTP QUIT command (including servers
|
||
which drop the connection instead of responding to the
|
||
command).
|
||
Portability:
|
||
Check LDAP_API_VERSION to determine if ldap_memfree() is
|
||
available.
|
||
Define HPUX10 when building on HP-UX 10.X. That platform
|
||
now gets the proper _PATH_SENDMAIL and SMRSH_CMDDIR
|
||
settings. Patch from Elias Halldor Agustsson of
|
||
Skyrr.
|
||
Fix dependency building on Mac OS X and Darwin. Problem
|
||
noted by John Beck.
|
||
Preliminary support for the sparc64 port of FreeBSD 5.0.
|
||
Add /sbin/sh as an acceptable user shell on HP-UX. From
|
||
Rajesh Somasund of Hewlett-Packard.
|
||
CONFIG: Add FEATURE(`authinfo') to allow a separate database for
|
||
SMTP AUTH information. This feature was actually added in
|
||
8.12.0 but a release note was not included.
|
||
CONFIG: Do not bounce mail if FEATURE(`ldap_routing')'s bounce
|
||
parameter is set and the LDAP lookup returns a temporary
|
||
error.
|
||
CONFIG: Honor FEATURE(`relay_hosts_only') when using
|
||
FEATURE(`relay_mail_from', `domain'). Problem noted by
|
||
Krzysztof Oledzki.
|
||
CONFIG: FEATURE(`msp') now disables any type of alias
|
||
initialization as aliases are not needed for the MSP.
|
||
CONFIG: Allow users to override RELAY_MAILER_ARGS when FEATURE(`msp')
|
||
is in use. Patch from Andrzej Filip.
|
||
CONFIG: FEATURE(`msp') uses `[localhost]' as default instead of
|
||
`localhost' and turns on MX lookups for the SMTP mailers.
|
||
This will only have an effect if a parameter is specified,
|
||
i.e., an MX lookup will be performed on the hostname unless
|
||
it is embedded in square brackets. Problem noted by
|
||
Theo Van Dinter of Collective Technologies.
|
||
CONFIG: Set confTIME_ZONE to USE_TZ in submit.mc (TimeZoneSpec= in
|
||
submit.cf) to use $TZ for time stamps. This is a compromise
|
||
to allow for the proper time zone on systems where the
|
||
default results in misleading time stamps. That is, syslog
|
||
time stamps and Date headers on submitted mail will use the
|
||
user's $TZ setting. Problem noted by Mark Roth of the
|
||
University of Illinois at Urbana-Champaign, solution proposed
|
||
by Neil Rickert of Northern Illinois University.
|
||
CONFIG: Mac OS X (Darwin) ships with mail.local as non-set-user-ID
|
||
binary. Adjust local mailer flags accordingly. Problem
|
||
noted by John Beck.
|
||
CONTRIB: Add a warning to qtool.pl to not move queue files around
|
||
if queue groups are used.
|
||
CONTRIB: buildvirtuser: Add -f option to force rebuild.
|
||
CONTRIB: smcontrol.pl: Add -f option to specify control socket.
|
||
CONTRIB: smcontrol.pl: Add support for 'memdump' command.
|
||
Suggested by Bryan Costales.
|
||
DEVTOOLS: Add dependency generation for test programs.
|
||
LIBMILTER: Remove conversion of port number for the socket
|
||
structure that is passed to xxfi_connect(). Notice:
|
||
this fix requires that sendmail and libmilter both have
|
||
this change; mixing versions may lead to wrong port
|
||
values depending on the endianness of the involved systems.
|
||
Problem noted by Gisle Aas of ActiveState.
|
||
LIBMILTER: If smfi_setreply() sets a custom reply code of '4XX' but
|
||
SMFI_REJECT is returned, ignore the custom reply. Do the
|
||
same if '5XX' is used and SMFI_TEMPFAIL is returned.
|
||
LIBMILTER: Install include files in ${INCLUDEDIR}/libmilter/ as
|
||
required by mfapi.h. Problem noted by Jose Marcio Martins
|
||
da Cruz of Ecole Nationale Superieure des Mines de Paris.
|
||
LIBSM: Add SM_CONF_LDAP_MEMFREE as a configuration define. Set
|
||
this to 1 if your LDAP client libraries include
|
||
ldap_memfree().
|
||
LIBSMDB: Avoid a file creation race condition for Berkeley DB 1.X
|
||
and NDBM on systems with the O_EXLOCK open(2) flag.
|
||
SMRSH: Fix compilation problem on some operating systems. Problem
|
||
noted by Christian Krackowizer of schuler technodat GmbH.
|
||
VACATION: Allow root to operate on user vacation databases. Based
|
||
on patch from Greg Couch of the University of California,
|
||
San Francisco.
|
||
VACATION: Don't ignore -C option. Based on patch by Bryan Costales.
|
||
VACATION: Clarify option usage in the man page. Problem noted by
|
||
Joe Barbish.
|
||
New Files:
|
||
libmilter/docs/smfi_setbacklog.html
|
||
|
||
8.12.2/8.12.2 2002/01/13
|
||
Don't complain too much if stdin, stdout, or stderr are missing
|
||
at startup, only log an error message.
|
||
Fix potential problem if an unknown operation mode (character
|
||
following -b) has been specified.
|
||
Prevent purgestat from looping even if someone changes the
|
||
permissions or owner of hoststatus files. Problem noted
|
||
by Kari Hurtta of the Finnish Meteorological Institute.
|
||
Properly record dropped connections in persistent host status.
|
||
Problem noted by Ulrich Windl of the Universitat
|
||
Regensburg.
|
||
Remove newlines from recipients read via sendmail -t to prevent
|
||
SMTP protocol errors when sending the RCPT command.
|
||
Problem noted by William D. Colburn of the New Mexico
|
||
Institute of Mining and Technology.
|
||
Only log milter body replacements once instead of for each body
|
||
chunk sent by a filter. Problem noted by Kari Hurtta of
|
||
the Finnish Meteorological Institute.
|
||
In 8.12.0 and 8.12.1, the headers were mistakenly not included in
|
||
the message size calculation. Problem noted by Kari Hurtta
|
||
of the Finnish Meteorological Institute.
|
||
Since 8.12 no longer forks at the SMTP MAIL command, the daemon
|
||
needs to collect children status to avoid zombie processes.
|
||
Problem noted by Chris Adams of HiWAAY Informations Services.
|
||
Shut down "nullserver" and ETRN-only connections after 25 bad
|
||
commands are issued. This makes it consistent with normal
|
||
SMTP connections.
|
||
Avoid duplicate logging of milter rejections. Problem noted by
|
||
William D. Colburn of the New Mexico Institute of Mining
|
||
and Technology.
|
||
Error and delay DSNs were being sent to postmaster instead of the
|
||
message sender if the sender had used a deprecated RFC822
|
||
source route. Problem noted by Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
Fix FallbackMXhost behavior for temporary errors during address
|
||
parsing. Problem noted by Jorg Bielak from Coastal Web
|
||
Online.
|
||
For systems on which stat(2) does not return a value for st_blksize
|
||
that is the "optimal blocksize for I/O" three new compile
|
||
time flags are available: SM_IO_MAX_BUF_FILE, SM_IO_MIN_BUF,
|
||
and SM_IO_MAX_BUF, which define an upper limit for
|
||
regular files, and a lower and upper limit for other file
|
||
types, respectively.
|
||
Fix a potential deadlock if two events are supposed to occur at
|
||
exactly the same time. Problem noted by Valdis Kletnieks
|
||
of Virginia Tech.
|
||
Perform envelope splitting for aliases listed directly in the
|
||
alias file, not just for include/.forward files.
|
||
Problem noted by John Beck of Sun Microsystems.
|
||
Allow selection of queue group for mailq using -qGgroup.
|
||
Based on patch by John Beck of Sun Microsystems.
|
||
Make sure cached LDAP connections used my multiple maps in the same
|
||
process are closed. Patch from Taso N. Devetzis.
|
||
If running as root, allow reading of class files in protected
|
||
directories. Patch from Alexander Talos of the University
|
||
of Vienna.
|
||
Correct a few LDAP related memory leaks. Patch from David Powell
|
||
of Sun Microsystems.
|
||
Allow specification of an empty realm via the authinfo ruleset.
|
||
This is necessary to interoperate as an SMTP AUTH client
|
||
with servers that do not support realms when using
|
||
CRAM-MD5. Problem noted by Bjoern Voigt of TU Berlin.
|
||
Avoid a potential information leak if AUTH PLAIN is used and the
|
||
server gets stuck while processing that command. Problem
|
||
noted by Chris Adams from HiWAAY Informations Services.
|
||
In addition to printing errors when parsing recipients during
|
||
command line invocations log them to make it simpler
|
||
to understand possible DSNs to postmaster.
|
||
Do not use FallbackMXhost on mailers which have the F=0 flag set.
|
||
Allow local mailers (F=l) to specify a host for TCP connections
|
||
instead of forcing localhost.
|
||
Obey ${DESTDIR} for installation of the client mail queue and
|
||
submit.cf. Patch from Peter 'Luna' Runestig.
|
||
Re-enable support for -M option which was broken in 8.12.1. Problem
|
||
noted by Neil Rickert of Northern Illinois University.
|
||
If a remote server violates the SMTP standard by unexpectedly
|
||
dropping the connection during an SMTP transaction, stop
|
||
sending commands. This prevents bogus "Bad file number"
|
||
recipient status. Problem noted by Allan E Johannesen of
|
||
Worcester Polytechnic Institute.
|
||
Do not use a size estimate of 100 for postmaster bounces, it's
|
||
almost always too small; do not guess the size at all.
|
||
New VENDOR_DEC for Compaq/DEC. Requested by James Seagraves of
|
||
Compaq Computer Corp.
|
||
Fix DaemonPortOptions IPv6 address parsing such that ::1 works
|
||
properly. Problem noted by Valdis Kletnieks of Virginia
|
||
Tech.
|
||
Portability:
|
||
Fix IPv6 network interface probing on HP-UX 11.X. Based on
|
||
patch provided by HP.
|
||
Mac OS X (aka Darwin) has a broken setreuid() call, but a
|
||
working seteuid() call. From Daniel J. Luke.
|
||
Use proper type for a 32-bit integer on SINIX. From Ganu
|
||
Sachin of Siemens.
|
||
Set SM_IO_MIN_BUF (4K) and SM_IO_MAX_BUF (8K) for HP-UX.
|
||
Reduce optimization from +O3 to +O2 on HP-UX 11. This
|
||
fixes a problem that caused additional bogus
|
||
characters to be written to the qf file. Problem
|
||
noted by Tapani Tarvainen.
|
||
Set LDA_USE_LOCKF by default for UnixWare. Problem noted
|
||
by Boyd Lynn Gerber.
|
||
Add support for HP MPE/iX. See sendmail/README for port
|
||
information. From Mark Bixby of Hewlett-Packard.
|
||
New portability defines HASNICE, HASRRESVPORT, USE_ENVIRON,
|
||
USE_DOUBLE_FORK, and NEEDLINK. See sendmail/README
|
||
for more information. From Mark Bixby of
|
||
Hewlett-Packard.
|
||
If an OS doesn't have a method of finding free disk space
|
||
(SFS_NONE), lie and say there is plenty of space.
|
||
From Mark Bixby of Hewlett-Packard.
|
||
Add support for AIX 5.1. From Valdis Kletnieks of
|
||
Virginia Tech.
|
||
Fix man page location for NeXTSTEP. From Hisanori Gogota
|
||
of the NTT/InterCommunication Center.
|
||
Do not assume that strerror() always returns a string.
|
||
Problem noted by John Beck of Sun Microsystems.
|
||
CONFIG: Add OSTYPE(freebsd5) for FreeBSD 5.X, which has removed
|
||
UUCP from the base operating system. From Mark Murray of
|
||
FreeBSD Services, Ltd.
|
||
CONFIG: Add OSTYPE(mpeix) and a generic .mc file for HP MPE/iX
|
||
systems. From Mark Bixby of Hewlett-Packard.
|
||
CONFIG: Add support for selecting a queue group for all mailers.
|
||
Based on proposal by Stephen L. Ulmer of the University of
|
||
Florida.
|
||
CONFIG: Fix error reporting for compat_check.m4. Problem noted by
|
||
Altin Waldmann.
|
||
CONFIG: Do not override user selections for confRUN_AS_USER and
|
||
confTRUSTED_USER in FEATURE(msp). From Mark Bixby of
|
||
Hewlett-Packard.
|
||
LIBMILTER: Fix bug that prevented the removal of a socket after
|
||
libmilter terminated. Problem reported by Andrey V. Pevnev
|
||
of MSFU.
|
||
LIBMILTER: Fix configuration error that required libsm for linking.
|
||
Problem noted by Kari Hurtta of the Finnish Meteorological
|
||
Institute.
|
||
LIBMILTER: Portability fix for OpenUNIX. Patch from Larry Rosenman.
|
||
LIBMILTER: Fix a theoretical memory leak and a possible attempt
|
||
to free memory twice.
|
||
LIBSM: Fix a potential segmentation violation in the I/O library.
|
||
Problem found and analyzed by John Beck and Tim Haley
|
||
of Sun Microsystems.
|
||
LIBSM: Do not clear the LDAP configuration information when
|
||
terminating the mailbox database connection in the LDAP
|
||
example code. Problem noted by Nikos Voutsinas of the
|
||
University of Athens.
|
||
New Files:
|
||
cf/cf/generic-mpeix.cf
|
||
cf/cf/generic-mpeix.mc
|
||
cf/ostype/freebsd5.m4
|
||
cf/ostype/mpeix.m4
|
||
devtools/OS/AIX.5.1
|
||
devtools/OS/MPE-iX
|
||
include/sm/os/sm_os_mpeix.h
|
||
libsm/mpeix.c
|
||
|
||
8.12.1/8.12.1 2001/10/01
|
||
SECURITY: Check whether dropping group privileges actually succeeded
|
||
to avoid possible compromises of the mail system by
|
||
supplying bogus data. Add configuration options for
|
||
different set*gid() calls to reset saved gid. Problem
|
||
found by Michal Zalewski.
|
||
PRIVACY: Prevent information leakage when sendmail has extra
|
||
privileges by disabling debugging (command line -d flag)
|
||
during queue runs and disabling ETRN when sendmail -bs is
|
||
used. Suggested by Michal Zalewski.
|
||
Avoid memory corruption problems resulting from bogus .cf files.
|
||
Problem found by Michal Zalewski.
|
||
Set the ${server_addr} macro to name of mailer when doing LMTP
|
||
delivery. LMTP systems may offer SMTP Authentication or
|
||
STARTTLS causing sendmail to use this macro in rulesets.
|
||
If debugging is turned on (-d0.10) print not just the default
|
||
values for configuration file and pid file but also the
|
||
selected values. Problem noted by Brad Chapman.
|
||
Continue dealing with broken nameservers by ignoring SERVFAIL
|
||
errors returned on T_AAAA (IPv6) lookups at delivery time
|
||
if ResolverOptions=WorkAroundBrokenAAAA is set. Previously
|
||
this only applied to hostname canonification. Problem
|
||
noted by Bill Fenner of AT&T Research.
|
||
Ignore comments in NIS host records when trying to find the
|
||
canonical name for a host.
|
||
When sendmail has extra privileges, limit mail submission command
|
||
line flags (i.e., -G, -h, -F, etc.) to mail submission
|
||
operating modes (i.e., -bm, -bs, -bv, etc.). Idea based on
|
||
suggestion from Michal Zalewski.
|
||
Portability:
|
||
AIX: Use `oslevel` if available to determine OS version.
|
||
`uname` does not given complete information.
|
||
Problem noted by Keith Neufeld of the Cessna
|
||
Aircraft Company.
|
||
OpenUNIX: Use lockf() for LDA delivery (affects mail.local).
|
||
Problem noticed by Boyd Lynn Gerber of ZENEX.
|
||
Avoid compiler warnings by not using pointers to pass
|
||
integers. Problem noted by Todd C. Miller of
|
||
Courtesan Consulting.
|
||
CONFIG: Add restrictqrun to PrivacyOptions for the MSP to minimize
|
||
problems with potential misconfigurations.
|
||
CONFIG: Fix comment showing default value of MaxHopCount. Problem
|
||
noted by Greg Robinson of the Defence Science and
|
||
Technology Organisation of Australia.
|
||
CONFIG: dnsbl: If an argument specifies an error message in case
|
||
of temporary lookup failures for DNS based blocklists
|
||
then use it.
|
||
LIBMILTER: Install mfdef.h, required by mfapi.h. Problem noted by
|
||
Richard A. Nelson of Debian.
|
||
LIBMILTER: Add __P definition for OS that lack it. Problem noted
|
||
by Chris Adams from HiWAAY Informations Services.
|
||
LIBSMDB: Fix a lock race condition that affects makemap, praliases,
|
||
and vacation.
|
||
MAKEMAP: Avoid going beyond the end of an input line if it does
|
||
not contain a value for a key. Based on patch from
|
||
Mark Bixby from Hewlett-Packard.
|
||
New Files:
|
||
test/Build
|
||
test/Makefile
|
||
test/Makefile.m4
|
||
test/README
|
||
test/t_dropgid.c
|
||
test/t_setgid.c
|
||
Deleted Files:
|
||
include/sm/stdio.h
|
||
include/sm/sysstat.h
|
||
|
||
8.12.0/8.12.0 2001/09/08
|
||
*NOTICE*: The default installation of sendmail does not use
|
||
set-user-ID root anymore. You need to create a new user and
|
||
a new group before installing sendmail (both called smmsp by
|
||
default). The installation process tries to install
|
||
/etc/mail/submit.cf and creates /var/spool/clientmqueue by
|
||
default. Please see sendmail/SECURITY for details.
|
||
SECURITY: Check for group and world writable forward and :include:
|
||
files. These checks can be turned off if absolutely
|
||
necessary using the DontBlameSendmail option and the new
|
||
flags:
|
||
GroupWritableForwardFile
|
||
WorldWritableForwardFile
|
||
GroupWritableIncludeFile
|
||
WorldWritableIncludeFile
|
||
Problem noted by Slawek Zak of Politechnika Warszawska,
|
||
SECURITY: Drop privileges when using address test mode. Suggested
|
||
by Michal Zalewski of the "Internet for Schools" project
|
||
(IdS).
|
||
Fixed problem of a global variable being used for a timeout jump
|
||
point where the variable could become overused for more than
|
||
one timeout concurrently. This erroneous behavior resulted in
|
||
a corrupted stack causing a core dump. The timeout is now
|
||
handled via libsm. Problem noted by Michael Shapiro,
|
||
John Beck, and Carl Smith of Sun Microsystems.
|
||
If sendmail is set-group-ID then that group ID is used for permission
|
||
checks (group ID of RunAsUser). This allows use of a
|
||
set-group-ID sendmail binary for initial message submission
|
||
and no set-user-ID root sendmail is needed. For details
|
||
see sendmail/SECURITY.
|
||
Log a warning if a non-trusted user changes the syslog label.
|
||
Based on notice from Bryan Costales of SL3D, Inc.
|
||
If sendmail is called for initial delivery, try to use submit.cf
|
||
with a fallback of sendmail.cf as configuration file. See
|
||
sendmail/SECURITY.
|
||
New configuration file option UseMSP to allow group writable queue
|
||
files if the group is the same as that of a set-group-ID
|
||
sendmail binary. See sendmail/SECURITY.
|
||
The .cf file is chosen based on the operation mode. For -bm (default),
|
||
-bs, and -t it is submit.cf if it exists for all others it
|
||
is sendmail.cf (to be backward compatible). This selection
|
||
can be changed by the new option -Ac or -Am (alternative .cf
|
||
file: client or mta). See sendmail/SECURITY.
|
||
The SMTP server no longer forks on each MAIL command. The ONEX
|
||
command has been removed.
|
||
Implement SMTP PIPELINING per RFC 2920. It can be turned off
|
||
at compile time or per host (ruleset).
|
||
New option MailboxDatabase specifies the type of mailbox database
|
||
used to look up local mail recipients; the default value
|
||
is "pw", which means to use getpwnam(). New mailbox database
|
||
types can be added by adding custom code to libsm/mbdb.c.
|
||
Queue file names are now 15 characters long, rather than 14 characters
|
||
long, to accommodate envelope splitting. File systems with
|
||
a 14 character file name length limit are no longer
|
||
supported.
|
||
Recipient list used for delivery now gets internally ordered by
|
||
hostsignature (character string version of MX RR). This orders
|
||
recipients for the same MX RR's together meaning smaller
|
||
portions of the list need to be scanned (instead of the whole
|
||
list) each delivery() pass to determine piggybacking. The
|
||
significance of the change is better the larger the recipient
|
||
list. Hostsignature is now created during recipient list
|
||
creation rather than just before delivery.
|
||
Enhancements for more opportunistic piggybacking. Previous
|
||
piggybacking (called coincidental) extended to coattail
|
||
piggybacking. Rather than complete MX RR matching
|
||
(coincidental) piggybacking is done if just the lowest value
|
||
preference matches (coattail).
|
||
If sendmail receives a temporary error on a RCPT TO: command, it will
|
||
try other MX hosts if available.
|
||
DefaultAuthInfo can contain a list of mechanisms to be used for
|
||
outgoing (client-side) SMTP Authentication.
|
||
New modifier 'A' for DaemonPortOptions/ClientPortOptions to disable
|
||
AUTH (overrides 'a' modifier in DaemonPortOptions). Based
|
||
on patch from Lyndon Nerenberg of Messaging Direct.
|
||
Enable AUTH mechanism EXTERNAL if STARTTLS is used.
|
||
A new ruleset authinfo can be used to return client side
|
||
authentication information for AUTH instead of DefaultAuthInfo.
|
||
Therefore the DefaultAuthInfo option is deprecated and will be
|
||
removed in future versions.
|
||
Accept any SMTP continuation code 3xy for AUTH even though RFC 2554
|
||
requires 334. Mercury 1.48 is a known offender.
|
||
Add new option AuthMaxBits to limit the overall encryption strength
|
||
for the security layer in SMTP AUTH (SASL). See
|
||
doc/op/op.me for details.
|
||
Introduce new STARTTLS related macros {cn_issuer}, {cn_subject},
|
||
{cert_md5} which hold the CN (common name) of the CA that
|
||
signed the presented certificate, the CN and the MD5 hash
|
||
of the presented certificate, respectively.
|
||
New ruleset try_tls to decide whether to try (as client) STARTTLS.
|
||
New ruleset srv_features to enable/disable certain features in the
|
||
server per connection. See doc/op/op.me for details.
|
||
New ruleset tls_rcpt to decide whether to send e-mail to a particular
|
||
recipient; useful to decide whether a connection is secure
|
||
enough on a per recipient basis.
|
||
New option TLSSrvOptions to modify some aspects of the server
|
||
for STARTTLS.
|
||
If no certificate has been requested, the macro {verify} has the
|
||
value "NOT".
|
||
New M=S modifier for ClientPortOptions/DaemonPortOptions to turn off
|
||
using/offering STARTTLS when delivering/receiving e-mail.
|
||
Macro expand filenames/directories for certs and keys in the .cf file.
|
||
Proposed by Neil Rickert of Northern Illinois University.
|
||
Generate an ephemeral RSA key for a STARTTLS connection only if
|
||
really required. This change results in a noticeable
|
||
performance gains on most machines. Moreover, if shared
|
||
memory is in use, reuse the key several times.
|
||
Add queue groups which can be used to group queue directories with
|
||
the same behavior together. See doc/op/op.me for details.
|
||
If the new option FastSplit (defaults to one) has a value greater
|
||
than zero, it suppresses the MX lookups on addresses when they
|
||
are initially sorted which may result in faster envelope
|
||
splitting. If the mail is submitted directly from the
|
||
command line, then the value also limits the number of
|
||
processes to deliver the envelopes; if more envelopes are
|
||
created they are only queued up and must be taken care of
|
||
by a queue run.
|
||
The check for 'enough disk space' now pays attention to which file
|
||
system each queue directory resides in.
|
||
All queue runners can be cleanly terminated via SIGTERM to parent.
|
||
New option QueueFileMode for the default permissions of queue files.
|
||
Add parallel queue runner code. Allows multiple queue runners per work
|
||
group (one or more queues in a multi-queue environment
|
||
collected together) to process the same work list at the
|
||
same time.
|
||
Option MaxQueueChildren added to limit the number of concurrently
|
||
active queue runner processes.
|
||
New option MaxRunnersPerQueue to specify the maximum number of queue
|
||
runners per queue group.
|
||
Queue member selection by substring pattern matching now allows
|
||
the pattern to be negated. For -qI, -qR and -qS it is
|
||
permissible for -q!I, -q!R and -q!S to mean remove members
|
||
of the queue that match during processing.
|
||
New -qp[time] option is similar to -qtime, except that instead of
|
||
periodically forking a child to process the queue, a single
|
||
child is forked for each queue that sleeps between queue
|
||
runs. A SIGHUP signal can be sent to restart this
|
||
persistent queue runner.
|
||
The SIGHUP signal now restarts a timed queue run process (i.e., a
|
||
sendmail process which only runs the queue at an interval:
|
||
sendmail -q15m).
|
||
New option NiceQueueRun to set the priority of queue runners.
|
||
Proposed by Thom O'Connor.
|
||
sendmail will run the queue(s) in the background when invoked with -q
|
||
unless the new -qf option or -v is used.
|
||
QueueSortOrder=Random sorts the queue randomly, which is useful if
|
||
several queue runners are started by hand to avoid contention.
|
||
QueueSortOrder=Modification sorts the queue by the modification time
|
||
of the qf file (older entries first).
|
||
Support Deliver By SMTP Service Extension (RFC 2852) which allows
|
||
a client to specify an amount of time within which an e-mail
|
||
should be delivered. New option DeliverByMin added to set the
|
||
minimum amount of time or disable the extension.
|
||
Non-printable characters (ASCII: 0-31, 127) in mailbox addresses are
|
||
not allowed unless escaped or quoted.
|
||
Add support for a generic DNS map. Based on a patch contributed
|
||
by Leif Johansson of Stockholm University, which was based on
|
||
work by Assar Westerlund of Swedish Institute of Computer
|
||
Science, Kista, and Johan Danielsson of Royal Institute of
|
||
Technology, Stockholm, Sweden.
|
||
MX records will be looked up for FallBackMXhost. To use the old
|
||
behavior (no MX lookups), put the name in square brackets.
|
||
Proposed by Thom O'Connor.
|
||
Use shared memory to store free space of filesystems that are used
|
||
for queues, if shared memory is available and if a key is set
|
||
via SharedMemoryKey. This minimizes the number of system
|
||
calls to check the available space. See doc/op/op.me for
|
||
details.
|
||
If shared memory is compiled in the option -bP can be used to print
|
||
the number of entries in the queue(s).
|
||
Enable generic mail filter API (milter). See libmilter/README
|
||
and the usual documentation for details.
|
||
Remove AutoRebuildAliases option, deprecated since 8.10.
|
||
Remove '-U' (initial user submission) command line option as
|
||
announced in 8.10.
|
||
Remove support for non-standard SMTP command XUSR. Use an MSA instead.
|
||
New macro {addr_type} which contains whether the current address is
|
||
an envelope sender or recipient address. Suggested by
|
||
Neil Rickert of Northern Illinois University.
|
||
Two new options for host maps: -d (retransmission timeout),
|
||
-r (number of retries).
|
||
New option for LDAP maps: the -V<sep> allows you to specify a
|
||
separator such that a lookup can return both an attribute
|
||
and value separated by the given separator.
|
||
Add new operators '%', '|', '&' (modulo, binary or, binary and)
|
||
to map class arith.
|
||
If DoubleBounceAddress expands to an empty string, ``double bounces''
|
||
(errors that occur when sending an error message) are dropped.
|
||
New DontBlameSendmail options GroupReadableSASLDBFile and
|
||
GroupWritableSASLDBFile to relax requirements for sasldb files.
|
||
New DontBlameSendmail options GroupReadableKeyFile to relax
|
||
requirements for files containing secret keys. This is
|
||
necessary for the MSP if client authentification is used.
|
||
Properly handle quoted filenames for class files (to allow for
|
||
filenames with spaces).
|
||
Honor the resolver option RES_NOALIASES when canonifying hostnames.
|
||
Add macros to avoid the reuse of {if_addr} etc:
|
||
{if_name_out} hostname of interface of outgoing connection.
|
||
{if_addr_out} address of interface of outgoing connection.
|
||
{if_family_out} family of interface of outgoing connection.
|
||
The latter two are only set if the interface does not belong
|
||
to the loopback net.
|
||
Add macro {nrcpts} which holds the number of (validated) recipients.
|
||
DialDelay option applies only to mailers with flag 'Z'. Patch from
|
||
Juergen Georgi of RUS University of Stuttgart.
|
||
New Timeout.lhlo,auth,starttls options to limit the time waiting for
|
||
an answer to the LMTP LHLO, SMTP AUTH or STARTTLS command.
|
||
New Timeout.aconnect option to limit the overall waiting time for
|
||
all connections for a single delivery attempt to succeed.
|
||
Limit the rate recipients in the SMTP envelope are accepted once
|
||
a threshold number of recipients has been rejected (option
|
||
BadRcptThrottle). From Gregory A Lundberg of the WU-FTPD
|
||
Development Group.
|
||
New option DelayLA to delay connections if the load averages
|
||
exceeds the specified value. The default of 0 does not
|
||
change the previous behavior. A value greater than 0
|
||
will cause sendmail to sleep for one second on most
|
||
SMTP commands and before accepting connections if that
|
||
load average is exceeded.
|
||
Use a dynamic (instead of fixed-size) buffer for the list of
|
||
recipients that are sent during a connection to a mailer.
|
||
This also introduces a new mailer field 'r' which defines
|
||
the maximum number of recipients (defaults to 100).
|
||
Based on patch by Motonori Nakamura of Kyoto University.
|
||
Add new F=1 mailer flag to disable sending of null characters ('\0').
|
||
Add new F=2 mailer flag to disable use of ESMTP, using SMTP instead.
|
||
The deprecated [TCP] builtin mailer pathname (P=) is gone. Use [IPC]
|
||
instead.
|
||
IPC is no longer available as first mailer argument (A=) for [IPC]
|
||
builtin mailer pathnames. Use TCP instead.
|
||
PH map code updated to use the new libphclient API instead of the
|
||
old libqiapi library. Contributed by Mark Roth of the
|
||
University of Illinois at Urbana-Champaign.
|
||
New option DirectSubmissionModifiers to define {daemon_flags}
|
||
for direct (command line) submissions.
|
||
New M=O modifier for DaemonPortOptions to ignore the socket in
|
||
case of failures. Based on patch by Jun-ichiro itojun
|
||
Hagino of the KAME Project.
|
||
Add Disposition-Notification-To: (RFC 2298) to the list of headers
|
||
whose content is rewritten similar to Reply-To:.
|
||
Proposed by Andrzej Filip.
|
||
Use STARTTLS/AUTH=server/client for logging incoming/outgoing
|
||
STARTTLS/AUTH connections; log incoming connections at level
|
||
9 or higher. Use AUTH/STARTTLS instead of SASL/TLS for SMTP
|
||
AUTH/STARTTLS related logfile entries.
|
||
Convert unprintable characters (and backslash) into octal or C format
|
||
before logging.
|
||
Log recipients if no message is transferred but QUIT/RSET is given
|
||
(at LogLevel 9/10 or higher).
|
||
Log discarded recipients at LogLevel 10 or higher.
|
||
Do not log "did not issue MAIL/EXPN/VRFY/ETRN" for connections
|
||
in which most commands are rejected due to check_relay or
|
||
TCP Wrappers if the host tries one of those commands anyway.
|
||
Change logging format for cloned envelopes to be similar to that for
|
||
DSNs ("old id: new id: clone"). Suggested by Ulrich Windl
|
||
of the Universitat Regensburg.
|
||
Added libsm, a C library of general purpose abstractions including
|
||
assertions, tracing and debugging with named debug categories,
|
||
exception handling, malloc debugging, resource pools,
|
||
portability abstractions, and an extensible buffered I/O
|
||
package. It will at some point replace libsmutil.
|
||
See libsm/index.html for details.
|
||
Fixed most memory leaks in sendmail which were previously taken
|
||
care of by fork() and exit().
|
||
Use new sm_io*() functions in place of stdio calls. Allows for
|
||
more consistent portablity amongst different platforms
|
||
new and old (from new libsm).
|
||
Common I/O pkg means just one buffering method needed instead of two
|
||
('bf_portable' and 'bf_torek' now just 'bf').
|
||
Sfio no longer needed as SASL/TLS code uses sm_io*() API's.
|
||
New possible value 'interactive' for SuperSafe which can be used
|
||
together with DeliveryMode=interactive is to avoid some disk
|
||
synchronizations calls.
|
||
Add per-recipient status information to mailq -v output.
|
||
T_ANY queries are no longer used by sendmail.
|
||
When compiling with "gcc -O -Wall" specify "-DSM_OMIT_BOGUS_WARNINGS"
|
||
too (see include/sm/cdefs.h for more info).
|
||
sendmail -d now has general support for named debug categories.
|
||
See libsm/debug.html and section 3.4 of doc/op/op.me
|
||
for details.
|
||
Eliminate the "postmaster warning" DSNs on address parsing errors
|
||
such as unbalanced angle brackets or parentheses. The DSNs
|
||
generated by this condition were illegal (not RFC conform).
|
||
Problem noted by Ulrich Windl of the Universitaet Regensburg.
|
||
Do not issue a DSN if the ruleset localaddr resolves to the $#error
|
||
mailer and the recipient has hence been rejected during the
|
||
SMTP dialogue. Problem reported by Larry Greenfield of CMU.
|
||
Deal with a case of multiple deliveries on misconfigured systems
|
||
that do not have postmaster defined. If an email was sent
|
||
from an address to which a DSN cannot be returned and
|
||
in which at least one recipient address is non-deliverable,
|
||
then that email had been delivered in each queue run.
|
||
Problem reported by Matteo HCE Valsasna of Universita
|
||
degli Studi dell'Insubria.
|
||
The compilation options SMTP, DAEMON, and QUEUE have been removed,
|
||
i.e., the corresponding code is always compiled in now.
|
||
Log the command line in daemon/queue-run mode at LogLevel 10 and
|
||
higher. Suggested by Robert Harker of Harker Systems.
|
||
New ResolverOptions setting: WorkAroundBrokenAAAA. When
|
||
attempting to canonify a hostname, some broken nameservers
|
||
will return SERVFAIL (a temporary failure) on T_AAAA (IPv6)
|
||
lookups. If you want to excuse this behavior, use this new
|
||
flag. Suggested by Chris Foote of SE Network Access and
|
||
Mark Roth of the University of Illinois at
|
||
Urbana-Champaign.
|
||
Free the memory allocated by getipnodeby{addr,name}(). Problem
|
||
noted by Joy Latten of IBM.
|
||
ConnectionRateThrottle limits the number of connections per second
|
||
to each daemon individually, not the overall number of
|
||
connections.
|
||
Specifying only "ldap:" as an AliasFile specification will force
|
||
sendmail to use a default alias schema as outlined in the
|
||
``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section of
|
||
cf/README.
|
||
Add a new syntax for the 'F' (file class) sendmail.cf command. If
|
||
the first character after the class name is not a '/' or a
|
||
'|' and it contains an '@' (e.g., F{X}key@class:spec), the
|
||
rest of the line will be parsed as a map lookup. This
|
||
allows classes to be filled via a map lookup. See op.me
|
||
for more syntax information. Specifically, this can be
|
||
used for commands such as VIRTUSER_DOMAIN_FILE() to read
|
||
the list of domains via LDAP (see the ``USING LDAP FOR
|
||
ALIASES, MAPS, and CLASSES'' section of cf/README for an
|
||
example).
|
||
The new macro ${sendmailMTACluster} determines the LDAP cluster for
|
||
the default schema used in the above two items.
|
||
Unless DontBlameSendmail=RunProgramInUnsafeDirPath is set, log a
|
||
warning if a program being run from a mailer or file class
|
||
(e.g., F|/path/to/prog) is in an unsafe directory path.
|
||
Unless DontBlameSendmail=RunWritableProgram is set, log a warning
|
||
if a program being run from a mailer or file class
|
||
(e.g., F|/path/to/prog) is group or world writable.
|
||
Loopback interfaces (e.g., "lo0") are now probed for class {w}
|
||
hostnames. Setting DontProbeInterfaces to "loopback"
|
||
(without quotes) will disable this and return to the
|
||
pre-8.12 behavior of only probing non-loopback interfaces.
|
||
Suggested by Bryan Stansell of GNAC.
|
||
In accordance with RFC 2821 section 4.1.4, accept multiple
|
||
HELO/EHLO commands.
|
||
Multiple ClientPortOptions settings are now allowed, one for each
|
||
possible protocol family which may be used for outgoing
|
||
connections. Restrictions placed on one family only affect
|
||
outgoing connections on that particular family. Because of
|
||
this change, the ${client_flags} macro is not set until the
|
||
connection is established. Based on patch from Motonori
|
||
Nakamura of Kyoto University.
|
||
PrivacyOptions=restrictexpand instructs sendmail to drop privileges
|
||
when the -bv option is given by users who are neither root
|
||
nor the TrustedUser so users can not read private aliases,
|
||
forwards, or :include: files. It also will override the -v
|
||
(verbose) command line option.
|
||
If the M=b modifier is set in DaemonPortOptions and the interface
|
||
address can't be used for the outgoing connection, fall
|
||
back to the settings in ClientPortOptions (if set).
|
||
Problem noted by John Beck of Sun Microsystems.
|
||
New named config file rule check_data for DATA command (input:
|
||
number of recipients). Based on patch from Mark Roth of
|
||
the University of Illinois at Urbana-Champaign.
|
||
Add support for ETRN queue selection per RFC 1985. The queue group
|
||
can be specified using the '#' option character. For
|
||
example, 'ETRN #queuegroup'.
|
||
If an LDAP server times out or becomes unavailable, close the
|
||
current connection and reopen to get to one of the fallback
|
||
servers. Patch from Paul Hilchey of the University of
|
||
British Columbia.
|
||
Make default error number on $#error messages 550 instead of 501
|
||
because 501 is not allowed on all commands.
|
||
The .cf file option UnsafeGroupWrites is deprecated, it should be
|
||
replaced with the settings GroupWritableForwardFileSafe
|
||
and GroupWritableIncludeFileSafe in DontBlameSendmail
|
||
if required.
|
||
The deprecated ldapx map class has been removed. Use the ldap map
|
||
class instead.
|
||
Any IPv6 addresses used in configuration should be prefixed by the
|
||
"IPv6:" tag to identify the address properly. For example,
|
||
if you want to add the IPv6 address [2002:c0a8:51d2::23f4] to
|
||
class {w}, you would need to add [IPv6:2002:c0a8:51d2::23f4].
|
||
Change the $&{opMode} macro if the operation mode changes while the
|
||
MTA is running. For example, during a queue run.
|
||
Add "use_inet6" as a new ResolverOptions flag to control the
|
||
RES_USE_INET6 resolver option. Based on patch from Rick
|
||
Nelson of IBM.
|
||
The maximum number of commands before the MTA slows down when too
|
||
many "light weight" commands have been received are now
|
||
configurable during compile time. The current values and
|
||
their defaults are:
|
||
MAXBADCOMMANDS 25 unknown commands
|
||
MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR
|
||
MAXHELOCOMMANDS 3 HELO, EHLO
|
||
MAXVRFYCOMMANDS 6 VRFY, EXPN
|
||
MAXETRNCOMMANDS 8 ETRN
|
||
Setting a value to 0 disables the check. Patch from Bryan
|
||
Costales of SL3D, Inc.
|
||
The header syntax H?${MyMacro}?X-My-Header: now not only checks if
|
||
${MyMacro} is defined but also that it is not empty.
|
||
Properly quote usernames with special characters if they are used
|
||
in headers. Problem noted by Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
Be sure to include the proper Final-Recipient: DSN header in bounce
|
||
messages for messages for mailing list expanded addresses
|
||
which are not delivered on the initial attempt.
|
||
Do not treat errors as sticky when doing delivery via LMTP after
|
||
the final dot has been sent to avoid affecting future
|
||
deliveries. Problem reported by Larry Greenfield of CMU.
|
||
New compile time flag REQUIRES_DIR_FSYNC which turns on support for
|
||
file systems that require to call fsync() for a directory
|
||
if the meta-data in it has been changed. This should be
|
||
set at least for ReiserFS; it is enabled by default for Linux.
|
||
See sendmail/README for further information.
|
||
Avoid file locking deadlock when updating the statistics file if
|
||
sendmail is signaled to terminate. Problem noted by
|
||
Christophe Wolfhugel of France Telecom.
|
||
Set the $c macro (hop count) as it is being set instead of when the
|
||
envelope is initialized. Problem noted by Kari Hurtta of
|
||
the Finnish Meteorological Institute.
|
||
Properly count recipients for DeliveryMode defer and queue. Fix
|
||
from Peter A. Friend of EarthLink.
|
||
Treat invalid hesiod lookups as permanent errors instead of
|
||
temporary errors. Problem noted by Russell McOrmond of
|
||
flora.ca.
|
||
Portability:
|
||
Remove support for AIX 2, which supports only 14 character
|
||
filenames and is outdated anyway. Suggested by
|
||
Valdis Kletnieks of Virginia Tech.
|
||
Change several settings for Irix 6: remove confSBINDIR,
|
||
i.e., use default /usr/sbin, change owner/group
|
||
of man pages and user-executable to root/sys, set
|
||
optimization limit to 0 (unlimited). Based on patch
|
||
from Ayamura Kikuchi, M.D, and proposal from Kari
|
||
Hurtta of the Finnish Meteorological Institute.
|
||
Do not assume LDAP support is installed by default under
|
||
Solaris 8 and later.
|
||
Add support for OpenUNIX.
|
||
CONFIG: Increment version number of config file to 10.
|
||
CONFIG: Add an install target and a README file in cf/cf.
|
||
CONFIG: Don't accept addresses of the form a@b@, a@b@c, a@[b]c, etc.
|
||
CONFIG: Reject empty recipient addresses (in check_rcpt).
|
||
CONFIG: The access map uses an option of -T<TMPF> to deal with
|
||
temporary lookup failures.
|
||
CONFIG: New value for access map: SKIP, which causes the default
|
||
action to be taken by aborting the search for domain names
|
||
or IP nets.
|
||
CONFIG: check_rcpt can deal with TEMPFAIL for either recipient or
|
||
relay address as long as the other part allows the email
|
||
to get through.
|
||
CONFIG: Entries for virtusertable can make use of a third parameter
|
||
"%3" which contains "+detail" of a wildcard match, i.e., an
|
||
entry like user+*@domain. This allows handling of details by
|
||
using %1%3 as the RHS. Additionally, a "+" wildcard has been
|
||
introduced to match only non-empty details of addresses.
|
||
CONFIG: Numbers for rulesets used by MAILERs have been removed
|
||
and hence there is no required order within the MAILER
|
||
section anymore except for MAILER(`uucp') which must come
|
||
after MAILER(`smtp') if uucp-dom and uucp-uudom are used.
|
||
CONFIG: Hosts listed in the generics domain class {G}
|
||
(GENERICS_DOMAIN() and GENERICS_DOMAIN_FILE()) are treated
|
||
as canonical. Suggested by Per Hedeland of Ericsson.
|
||
CONFIG: If FEATURE(`delay_checks') is used, make sure that a lookup
|
||
in the access map which returns OK or RELAY actually
|
||
terminates check_* ruleset checking.
|
||
CONFIG: New tag TLS_Rcpt: for access map to be used by ruleset
|
||
tls_rcpt, see cf/README for details.
|
||
CONFIG: Change format of Received: header line which reveals whether
|
||
STARTTLS has been used to "(version=${tls_version}
|
||
cipher=${cipher} bits=${cipher_bits} verify=${verify})".
|
||
CONFIG: Use "Spam:" as tag for lookups for FEATURE(`delay_checks')
|
||
options friends/haters instead of "To:" and enable
|
||
specification of whole domains instead of just users.
|
||
Notice: this change is not backward compatible.
|
||
Suggested by Chris Adams from HiWAAY Informations Services.
|
||
CONFIG: Allow for local extensions for most new rulesets, see
|
||
cf/README for details.
|
||
CONFIG: New FEATURE(`lookupdotdomain') to lookup also .domain in
|
||
the access map. Proposed by Randall Winchester of the
|
||
University of Maryland.
|
||
CONFIG: New FEATURE(`local_no_masquerade') to avoid masquerading for
|
||
the local mailer. Proposed by Ingo Brueckl of Wupper Online.
|
||
CONFIG: confRELAY_MSG/confREJECT_MSG can override the default
|
||
messages for an unauthorized relaying attempt/for access
|
||
map entries with RHS REJECT, respectively.
|
||
CONFIG: FEATURE(`always_add_domain') takes an optional argument
|
||
to specify another domain to be added instead of the local one.
|
||
Suggested by Richard H. Gumpertz of Computer Problem
|
||
Solving.
|
||
CONFIG: confAUTH_OPTIONS allows setting of Cyrus-SASL specific
|
||
options, see doc/op/op.me for details.
|
||
CONFIG: confAUTH_MAX_BITS sets the maximum encryption strength for
|
||
the security layer in SMTP AUTH (SASL).
|
||
CONFIG: If Local_localaddr resolves to $#ok, localaddr is terminated
|
||
immediately.
|
||
CONFIG: FEATURE(`enhdnsbl') is an enhanced version of dnsbl which
|
||
allows checking of the return values of the DNS lookups.
|
||
See cf/README for details.
|
||
CONFIG: FEATURE(`dnsbl') allows now to specify the behavior for
|
||
temporary lookup failures.
|
||
CONFIG: New option confDELIVER_BY_MIN to specify minimum time for
|
||
Deliver By (RFC 2852) or to turn off the extension.
|
||
CONFIG: New option confSHARED_MEMORY_KEY to set the key for shared
|
||
memory use.
|
||
CONFIG: New FEATURE(`compat_check') to look up a key consisting
|
||
of the sender and the recipient address delimited by the
|
||
string "<@>", e.g., sender@sdomain<@>recipient@rdomain,
|
||
in the access map. Based on code contributed by Mathias
|
||
Koerber of Singapore Telecommunications Ltd.
|
||
CONFIG: Add EXPOSED_USER_FILE() command to allow an exposed user
|
||
file. Suggested by John Beck of Sun Microsystems.
|
||
CONFIG: Don't use MAILER-DAEMON for error messages delivered
|
||
via LMTP. Problem reported by Larry Greenfield of CMU.
|
||
CONFIG: New FEATURE(`preserve_luser_host') to preserve the name of
|
||
the recipient host if LUSER_RELAY is used.
|
||
CONFIG: New FEATURE(`preserve_local_plus_detail') to preserve the
|
||
+detail portion of the address when passing address to
|
||
local delivery agent. Disables alias and .forward +detail
|
||
stripping. Only use if LDA supports this.
|
||
CONFIG: Removed deprecated FEATURE(`rbl').
|
||
CONFIG: Add LDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE()
|
||
which allow you to specify 'equivalent' hosts for LDAP
|
||
Routing lookups. Equivalent hostnames are replaced by the
|
||
masquerade domain name for lookups. See cf/README for
|
||
additional details.
|
||
CONFIG: Add a fourth argument to FEATURE(`ldap_routing') which
|
||
instructs the rulesets on what to do if the address being
|
||
looked up has +detail information. See cf/README for more
|
||
information.
|
||
CONFIG: When chosing a new destination via LDAP Routing, also look
|
||
up the new routing address/host in the mailertable. Based
|
||
on patch from Don Badrak of the United States Census Bureau.
|
||
CONFIG: Do not reject the SMTP Mail from: command if LDAP Routing
|
||
is in use and the bounce option is enabled. Only reject
|
||
recipients as user unknown.
|
||
CONFIG: Provide LDAP support for the remaining database map
|
||
features. See the ``USING LDAP FOR ALIASES AND MAPS''
|
||
section of cf/README for more information.
|
||
CONFIG: Add confLDAP_CLUSTER which defines the ${sendmailMTACluster}
|
||
macro used for LDAP searches as described above in ``USING
|
||
LDAP FOR ALIASES, MAPS, AND CLASSES''.
|
||
CONFIG: confCLIENT_OPTIONS has been replaced by CLIENT_OPTIONS(),
|
||
which takes the options as argument and can be used
|
||
multiple times; see cf/README for details.
|
||
CONFIG: Add configuration macros for new options:
|
||
confBAD_RCPT_THROTTLE BadRcptThrottle
|
||
confDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers
|
||
confMAILBOX_DATABASE MailboxDatabase
|
||
confMAX_QUEUE_CHILDREN MaxQueueChildren
|
||
confMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue
|
||
confNICE_QUEUE_RUN NiceQueueRun
|
||
confQUEUE_FILE_MODE QueueFileMode
|
||
confFAST_SPLIT FastSplit
|
||
confTLS_SRV_OPTIONS TLSSrvOptions
|
||
See above (and related documentation) for further information.
|
||
CONFIG: Add configuration variables for new timeout options:
|
||
confTO_ACONNECT Timeout.aconnect
|
||
confTO_AUTH Timeout.auth
|
||
confTO_LHLO Timeout.lhlo
|
||
confTO_STARTTLS Timeout.starttls
|
||
CONFIG: Add configuration macros for mail filter API:
|
||
confINPUT_MAIL_FILTERS InputMailFilters
|
||
confMILTER_LOG_LEVEL Milter.LogLevel
|
||
confMILTER_MACROS_CONNECT Milter.macros.connect
|
||
confMILTER_MACROS_HELO Milter.macros.helo
|
||
confMILTER_MACROS_ENVFROM Milter.macros.envfrom
|
||
confMILTER_MACROS_ENVRCPT Milter.macros.envrcpt
|
||
Mail filters can be defined via INPUT_MAIL_FILTER() and
|
||
MAIL_FILTER(). See libmilter/README, cf/README, and
|
||
doc/op/op.me for details.
|
||
CONFIG: Add support for accepting temporarily unresolvable domains.
|
||
See cf/README for details. Based on patch by Motonori
|
||
Nakamura of Kyoto University.
|
||
CONFIG: confDEQUOTE_OPTS can be used to specify options for the
|
||
dequote map.
|
||
CONFIG: New macro QUEUE_GROUP() to define queue groups.
|
||
CONFIG: New FEATURE(`queuegroup') to select a queue group based
|
||
on the full e-mail address or the domain of the recipient.
|
||
CONFIG: Any IPv6 addresses used in configuration should be prefixed
|
||
by the "IPv6:" tag to identify the address properly. For
|
||
example, if you want to use the IPv6 address
|
||
2002:c0a8:51d2::23f4 in the access database, you would need
|
||
to use IPv6:2002:c0a8:51d2::23f4 on the left hand side.
|
||
This affects the access database as well as the
|
||
relay-domains and local-host-names files.
|
||
CONFIG: OSTYPE(aux) has been renamed to OSTYPE(a-ux).
|
||
CONFIG: Avoid expansion of m4 keywords in SMART_HOST.
|
||
CONFIG: Add MASQUERADE_EXCEPTION_FILE() for reading masquerading
|
||
exceptions from a file. Suggested by Trey Breckenridge of
|
||
Mississippi State University.
|
||
CONFIG: Add LOCAL_USER_FILE() for reading local users
|
||
(LOCAL_USER() -- $={L}) entries from a file.
|
||
CONTRIB: dnsblaccess.m4 is a further enhanced version of enhdnsbl.m4
|
||
which allows to lookup error codes in the access map.
|
||
Contributed by Neil Rickert of Northern Illinois University.
|
||
DEVTOOLS: Add new options for installation of include and library
|
||
files: confINCGRP, confINCMODE, confINCOWN, confLIBGRP,
|
||
confLIBMODE, confLIBOWN.
|
||
DEVTOOLS: Add new option confDONT_INSTALL_CATMAN to turn off
|
||
installation of the the formatted man pages on operating
|
||
systems which don't include cat directories.
|
||
EDITMAP: New program for editing maps as supplement to makemap.
|
||
MAIL.LOCAL: Mail.local now uses the libsm mbdb package to look up
|
||
local mail recipients. New option -D mbdb specifies the
|
||
mailbox database type.
|
||
MAIL.LOCAL: New option "-h filename" which instructs mail.local to
|
||
deliver the mail to the named file in the user's home
|
||
directory instead of the system mail spool area. Based on
|
||
patch from Doug Hardie of the Los Angeles Free-Net.
|
||
MAILSTATS: New command line option -P which acts the same as -p but
|
||
doesn't truncate the statistics file.
|
||
MAKEMAP: Add new option -t to specify a different delimiter
|
||
instead of white space.
|
||
RMAIL: Invoke sendmail with '-G' to indicate this is a gateway
|
||
submission. Problem noted by Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
SMRSH: Use the vendor supplied directory on FreeBSD 3.3 and later.
|
||
VACATION: Change Auto-Submitted: header value from auto-generated to
|
||
auto-replied. From Kenneth Murchison of Oceana Matrix Ltd.
|
||
VACATION: New option -d to send error/debug messages to stdout
|
||
instead of syslog.
|
||
VACATION: New option -U which prevents the attempt to lookup login
|
||
in the password file. The -f and -m options must be used
|
||
to specify the database and message file since there is no
|
||
home directory for the default settings for these options.
|
||
VACATION: Vacation now uses the libsm mbdb package to look up
|
||
local mail recipients; it reads the MailboxDatabase option
|
||
from the sendmail.cf file. New option -C cffile which
|
||
specifies the path of the sendmail.cf file.
|
||
New Directories:
|
||
libmilter/docs
|
||
New Files:
|
||
cf/cf/README
|
||
cf/cf/submit.cf
|
||
cf/cf/submit.mc
|
||
cf/feature/authinfo.m4
|
||
cf/feature/compat_check.m4
|
||
cf/feature/enhdnsbl.m4
|
||
cf/feature/msp.m4
|
||
cf/feature/local_no_masquerade.m4
|
||
cf/feature/lookupdotdomain.m4
|
||
cf/feature/preserve_luser_host.m4
|
||
cf/feature/preserve_local_plus_detail.m4
|
||
cf/feature/queuegroup.m4
|
||
cf/sendmail.schema
|
||
contrib/dnsblaccess.m4
|
||
devtools/M4/UNIX/sm-test.m4
|
||
devtools/OS/OpenUNIX.5.i386
|
||
editmap/*
|
||
include/sm/*
|
||
libsm/*
|
||
libsmutil/cf.c
|
||
libsmutil/err.c
|
||
sendmail/SECURITY
|
||
sendmail/TUNING
|
||
sendmail/bf.c
|
||
sendmail/bf.h
|
||
sendmail/sasl.c
|
||
sendmail/sm_resolve.c
|
||
sendmail/sm_resolve.h
|
||
sendmail/tls.c
|
||
Deleted Files:
|
||
cf/feature/rbl.m4
|
||
cf/ostype/aix2.m4
|
||
devtools/OS/AIX.2
|
||
include/sendmail/cdefs.h
|
||
include/sendmail/errstring.h
|
||
include/sendmail/useful.h
|
||
libsmutil/errstring.c
|
||
sendmail/bf_portable.c
|
||
sendmail/bf_portable.h
|
||
sendmail/bf_torek.c
|
||
sendmail/bf_torek.h
|
||
sendmail/clock.c
|
||
Renamed Files:
|
||
cf/cf/generic-solaris2.mc => cf/cf/generic-solaris.mc
|
||
cf/cf/generic-solaris2.cf => cf/cf/generic-solaris.cf
|
||
cf/ostype/aux.m4 => cf/ostype/a-ux.m4
|
||
|
||
8.11.7/8.11.7 2003/03/29
|
||
SECURITY: Fix a remote buffer overflow in header parsing by
|
||
dropping sender and recipient header comments if the
|
||
comments are too long. Problem noted by Mark Dowd
|
||
of ISS X-Force.
|
||
SECURITY: Fix a buffer overflow in address parsing due to
|
||
a char to int conversion problem which is potentially
|
||
remotely exploitable. Problem found by Michal Zalewski.
|
||
Note: an MTA that is not patched might be vulnerable to
|
||
data that it receives from untrusted sources, which
|
||
includes DNS.
|
||
To provide partial protection to internal, unpatched sendmail MTAs,
|
||
8.11.7 changes by default (char)0xff to (char)0x7f in
|
||
headers etc. To turn off this conversion compile with
|
||
-DALLOW_255 or use the command line option -d82.101.
|
||
To provide partial protection for internal, unpatched MTAs that may be
|
||
performing 7->8 or 8->7 bit MIME conversions, the default
|
||
for MaxMimeHeaderLength has been changed to 2048/1024.
|
||
Note: this does have a performance impact, and it only
|
||
protects against frontal attacks from the outside.
|
||
To disable the checks and return to pre-8.11.7 defaults,
|
||
set MaxMimeHeaderLength to 0/0.
|
||
Properly clean up macros to avoid persistence of session data
|
||
across various connections. This could cause session
|
||
oriented restrictions, e.g., STARTTLS requirements,
|
||
to erroneously allow a connection. Problem noted
|
||
by Tim Maletic of Priority Health.
|
||
Ignore comments in NIS host records when trying to find the
|
||
canonical name for a host.
|
||
Fix a memory leak when closing Hesiod maps.
|
||
Set ${msg_size} macro when reading a message from the command line
|
||
or the queue.
|
||
Prevent a segmentation fault when clearing the event list by
|
||
turning off alarms before checking if event list is
|
||
empty. Problem noted by Allan E Johannesen of Worcester
|
||
Polytechnic Institute.
|
||
Fix a potential core dump problem if the environment variable
|
||
NAME is set. Problem noted by Beth A. Chaney of
|
||
Purdue University.
|
||
Prevent a race condition on child cleanup for delivery to files.
|
||
Problem noted by Fletcher Mattox of the University of
|
||
Texas.
|
||
CONFIG: Do not bounce mail if FEATURE(`ldap_routing')'s bounce
|
||
parameter is set and the LDAP lookup returns a temporary
|
||
error.
|
||
CONFIG: Fix a syntax error in the try_tls ruleset if
|
||
FEATURE(`access_db') is not enabled.
|
||
LIBSMDB: Fix a lock race condition that affects makemap, praliases,
|
||
and vacation.
|
||
LIBSMDB: Avoid a file creation race condition for Berkeley DB 1.X
|
||
and NDBM on systems with the O_EXLOCK open(2) flag.
|
||
MAKEMAP: Avoid going beyond the end of an input line if it does
|
||
not contain a value for a key. Based on patch from
|
||
Mark Bixby from Hewlett-Packard.
|
||
MAIL.LOCAL: Fix a truncation race condition if the close() on
|
||
the mailbox fails. Problem noted by Tomoko Fukuzawa of
|
||
Sun Microsystems.
|
||
SMRSH: SECURITY: Only allow regular files or symbolic links to be
|
||
used for a command. Problem noted by David Endler of
|
||
iDEFENSE, Inc.
|
||
|
||
8.11.6/8.11.6 2001/08/20
|
||
SECURITY: Fix a possible memory access violation when specifying
|
||
out-of-bounds debug parameters. Problem detected by
|
||
Cade Cairns of SecurityFocus.
|
||
Avoid leaking recipient information in unrelated DSNs. This could
|
||
happen if a connection is aborted, several mails had been
|
||
scheduled for delivery via that connection, and the timeout
|
||
is reached such that several DSNs are sent next. Problem
|
||
noted by Dileepan Moorkanat of Hewlett-Packard.
|
||
Fix a possible segmentation violation when specifying too many
|
||
wildcard operators in a rule. Problem detected by
|
||
Werner Wiethege.
|
||
Avoid a segmentation fault on non-matching Hesiod lookups. Problem
|
||
noted by Russell McOrmond of flora.ca
|
||
|
||
8.11.5/8.11.5 2001/07/31
|
||
Fix a possible race condition when sending a HUP signal to restart
|
||
the daemon. This could terminate the current process without
|
||
starting a new daemon. Problem reported by Wolfgang Breyha
|
||
of SE Netway Communications.
|
||
Only apply MaxHeadersLength when receiving a message via SMTP or
|
||
the command line. Problem noted by Andrey J. Melnikoff.
|
||
When finding the system's local hostname on an IPv6-enabled system
|
||
which doesn't have any IPv6 interface addresses, fall back
|
||
to looking up only IPv4 addresses. Problem noted by Tim
|
||
Bosserman of EarthLink.
|
||
When commands were being rejected due to check_relay or TCP
|
||
Wrappers, the ETRN command was not giving a response.
|
||
Incoming IPv4 connections on a Family=inet6 daemon (using
|
||
IPv4-mapped addresses) were incorrectly labeled as "may be
|
||
forged". Problem noted by Per Steinar Iversen of Oslo
|
||
University College.
|
||
Shutdown address test mode cleanly on SIGTERM. Problem noted by
|
||
Greg King of the OAO Corporation.
|
||
Restore the original real uid (changed in main() to prevent
|
||
out of band signals) before invoking a delivery agent.
|
||
Some delivery agents use this for the "From " envelope
|
||
"header". Problem noted by Leslie Carroll of the
|
||
University at Albany.
|
||
Mark closed file descriptors properly to avoid reuse. Problem
|
||
noted by Jeff Bronson of J.D. Bronson, Inc.
|
||
Setting Timeout options on the command line will also override
|
||
their sub-suboptions in the .cf file, e.g., -O
|
||
Timeout.queuereturn=2d will set all queuereturn timeouts
|
||
to 2 days. Problem noted by Roger B.A. Klorese.
|
||
Portability:
|
||
BSD/OS has a broken setreuid() implementation. Problem
|
||
noted by Vernon Schryver of Rhyolite Software.
|
||
BSD/OS has /dev/urandom(4) (as of version 4.1/199910 ?).
|
||
Noted by Vernon Schryver of Rhyolite Software.
|
||
BSD/OS has fchown(2). Noted by Dave Yadallee of Netline
|
||
2000 Internet Solutions Inc.
|
||
Solaris 2.X and later have strerror(3). From Sebastian
|
||
Hagedorn of Cologne University.
|
||
CONFIG: Fix parsing for IPv6 domain literals in addresses
|
||
(user@[IPv6:address]). Problem noted by Liyuan Zhou.
|
||
|
||
8.11.4/8.11.4 2001/05/28
|
||
Clean up signal handling routines to reduce the chances of heap
|
||
corruption and other potential race conditions.
|
||
Terminating and restarting the daemon may not be
|
||
instantaneous due to this change. Also, non-root users can
|
||
no longer send out-of-band signals. Problem reported by
|
||
Michal Zalewski of BindView.
|
||
If LogLevel is greater than 9 and SASL fails to negotiate an
|
||
encryption layer, avoid core dump logging the encryption
|
||
strength. Problem noted by Miroslav Zubcic of Crol.
|
||
If a server offers "AUTH=" and "AUTH " and the list of mechanisms is
|
||
different in those two lines, sendmail might not have
|
||
recognized (and used) all of the offered mechanisms.
|
||
Fix an IP address lookup problem on Solaris 2.0 - 2.3. Patch
|
||
from Kenji Miyake.
|
||
This time, really don't use the .. directory when expanding
|
||
QueueDirectory wildcards.
|
||
If a process is interrupted while closing a map, don't try to close
|
||
the same map again while exiting.
|
||
Allow local mailers (F=l) to contact remote hosts (e.g., via
|
||
LMTP). Problem noted by Norbert Klasen of the University
|
||
of Tuebingen.
|
||
If Timeout.QueueReturn was set to a value less the time it took
|
||
to write a new queue file (e.g., 0 seconds), the bounce
|
||
message would be lost. Problem noted by Lorraine L Goff of
|
||
Oklahoma State University.
|
||
Pass map argument vector into map rewriting engine for the regex
|
||
and prog map types. Problem noted by Stephen Gildea of
|
||
InTouch Systems, Inc.
|
||
When closing an LDAP map due to a temporary error, close all of the
|
||
other LDAP maps which share the original map's connection
|
||
to the LDAP server. Patch from Victor Duchovni of
|
||
Morgan Stanley.
|
||
To detect changes of NDBM aliases files check the timestamp of the
|
||
.pag file instead of the .dir file. Problem noted by Neil
|
||
Rickert of Northern Illinois University.
|
||
Don't treat temporary hesiod lookup failures as permanent. Patch
|
||
from Werner Wiethege.
|
||
If ClientPortOptions is set, make sure to create the outgoing socket
|
||
with the family set in that option. Patch from Sean Farley.
|
||
Avoid a segmentation fault trying to dereference a NULL pointer
|
||
when logging a MaxHopCount exceeded error with an empty
|
||
recipient list. Problem noted by Chris Adams of HiWAAY
|
||
Internet Services.
|
||
Fix DSN for "Too many hops" bounces. Problem noticed by Ulrich
|
||
Windl of the Universitaet Regensburg.
|
||
Fix DSN for "mail loops back to me" bounces. Problem noticed by
|
||
Kari Hurtta of the Finnish Meteorological Institute.
|
||
Portability:
|
||
OpenBSD has a broken setreuid() implementation.
|
||
CONFIG: Undo change from 8.11.1: change 501 SMTP reply code back
|
||
to 553 since it is allowed by DRUMS.
|
||
CONFIG: Add OSTYPE(freebsd4) for FreeBSD 4.X.
|
||
DEVTOOLS: install.sh did not properly handle paths in the source
|
||
file name argument. Noted by Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
DEVTOOLS: Add FAST_PID_RECYCLE to compile time options for OpenBSD
|
||
since it generates random process ids.
|
||
PRALIASES: Add back adaptive algorithm to deal with different endings
|
||
of entries in the database (with/without trailing '\0').
|
||
Patch from John Beck of Sun Microsystems.
|
||
New Files:
|
||
cf/ostype/freebsd4.m4
|
||
|
||
8.11.3/8.11.3 2001/02/27
|
||
Prevent a segmentation fault when a bogus value was used in the
|
||
LDAPDefaultSpec option's -r, -s, or -M flags and if a bogus
|
||
option was used. Problem noted by Allan E Johannesen of
|
||
Worcester Polytechnic Institute.
|
||
Prevent "token too long" message by shortening {currHeader} which
|
||
could be too long if the last copied character was a quote.
|
||
Problem detected by Jan Krueger of digitalanswers
|
||
communications consulting gmbh.
|
||
Additional IPv6 check for unspecified addresses. Patch from
|
||
Jun-ichiro itojun Hagino of the KAME Project.
|
||
Do not ignore the ClientPortOptions setting if DaemonPortOptions
|
||
Modifier=b (bind to same interface) is set and the
|
||
connection came in from the command line.
|
||
Do not bind to the loopback address if DaemonPortOptions
|
||
Modifier=b (bind to same interface) is set. Patch from
|
||
John Beck of Sun Microsystems.
|
||
Properly deal with open failures on non-optional maps used in
|
||
check_* rulesets by returning a temporary failure.
|
||
Buffered file I/O files were not being properly fsync'ed to disk
|
||
when they were committed.
|
||
Properly encode '=' for the AUTH= parameter of the MAIL command.
|
||
Problem noted by Hadmut Danisch.
|
||
Under certain circumstances the macro {server_name} could be set
|
||
to the wrong hostname (of a previous connection), which may
|
||
cause some rulesets to return wrong results. This would
|
||
usually cause mail to be queued up and delivered later on.
|
||
Ignore F=z (LMTP) mailer flag if $u is given in the mailer A=
|
||
equate. Problem noted by Motonori Nakamura of Kyoto
|
||
University.
|
||
Work around broken accept() implementations which only partially
|
||
fill in the peer address if the socket is closed before
|
||
accept() completes.
|
||
Return an SMTP "421" temporary failure if the data file can't be
|
||
opened where the "354" reply would normally be given.
|
||
Prevent a CPU loop in trying to expand a macro which doesn't exist
|
||
in a queue run. Problem noted by Gordon Lack of Glaxo
|
||
Wellcome.
|
||
If delivering via a program and that program exits with EX_TEMPFAIL,
|
||
note that fact for the mailq display instead of just showing
|
||
"Deferred". Problem noted by Motonori Nakamura of Kyoto
|
||
University.
|
||
If doing canonification via /etc/hosts, try both the fully
|
||
qualified hostname as well as the first portion of the
|
||
hostname. Problem noted by David Bremner of the
|
||
University of New Brunswick.
|
||
Portability:
|
||
Fix a compilation problem for mail.local and rmail if SFIO
|
||
is in use. Problem noted by Auteria Wally
|
||
Winzer Jr. of Champion Nutrition.
|
||
IPv6 changes for platforms using KAME. Patch from
|
||
Jun-ichiro itojun Hagino of the KAME Project.
|
||
OpenBSD 2.7 and higher has srandomdev(3). OpenBSD 2.8 and
|
||
higher has BSDI-style login classes. Patch from
|
||
Todd C. Miller of Courtesan Consulting.
|
||
Unixware 7.1.1 doesn't allow h_errno to be set directly if
|
||
sendmail is being compiled with -kthread. Problem
|
||
noted by Orion Poplawski of CQG, Inc.
|
||
CONTRIB: buildvirtuser: Substitute current domain for $DOMAIN and
|
||
current left hand side for $LHS in virtuser files.
|
||
DEVTOOLS: Do not pass make targets to recursive Build invocations.
|
||
Problem noted by Jeff Bronson of J.D. Bronson, Inc.
|
||
MAIL.LOCAL: In LMTP mode, do not return errors regarding problems
|
||
storing the temporary message file until after the remote
|
||
side has sent the final DATA termination dot. Problem
|
||
noted by Allan E Johannesen of Worcester Polytechnic
|
||
Institute.
|
||
MAIL.LOCAL: If LMTP mode is set, give a temporary error if users
|
||
are also specified on the command line. Patch from
|
||
Motonori Nakamura of Kyoto University.
|
||
PRALIASES: Skip over AliasFile specifications which aren't based on
|
||
database files (i.e., only show dbm, hash, and btree).
|
||
Renamed Files:
|
||
devtools/OS/OSF1.V5.0 => devtools/OS/OSF1.V5.x
|
||
|
||
8.11.2/8.11.2 2000/12/29
|
||
Prevent a segmentation fault when trying to set a class in
|
||
address test mode due to a negative array index. Audit
|
||
other array indexing. This bug is not believed to be
|
||
exploitable. Noted by Michal Zalewski of the "Internet for
|
||
Schools" project (IdS).
|
||
Add an FFR (for future release) to drop privileges when using
|
||
address test mode. This will be turned on in 8.12. It can
|
||
be enabled by compiling with:
|
||
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_TESTMODE_DROP_PRIVS')
|
||
in your devtools/Site/site.config.m4 file. Suggested by
|
||
Michal Zalewski of the "Internet for Schools" project (IdS).
|
||
Fix potential problem with Cyrus-SASL security layer which may have
|
||
caused I/O errors, especially for mechanism DIGEST-MD5.
|
||
When QueueSortOrder was set to host, sendmail might not read
|
||
enough of the queue file to determine the host, making the
|
||
sort sub-optimal. Problem noted by Jeff Earickson of
|
||
Colby College.
|
||
Don't issue DSNs for addresses which use the NOTIFY parameter (per
|
||
RFC 1891) but don't have FAILURE as value.
|
||
Initialize Cyrus-SASL library before the SMTP daemon is started.
|
||
This implies that every change to SASL related files requires
|
||
a restart of the daemon, e.g., Sendmail.conf, new SASL
|
||
mechanisms (in form of shared libraries).
|
||
Properly set the STARTTLS related macros during a queue run for
|
||
a cached connection. Bug reported by Michael Kellen of
|
||
NxNetworks, Inc.
|
||
Log the server name in relay= for ruleset tls_server instead of the
|
||
client name.
|
||
Include original length of bad field/header when reporting
|
||
MaxMimeHeaderLength problems. Requested by Ulrich Windl of
|
||
the Universitat Regensburg.
|
||
Fix delivery to set-user-ID files that are expanded from aliases in
|
||
DeliveryMode queue. Problem noted by Ric Anderson of the
|
||
University of Arizona.
|
||
Fix LDAP map -m (match only) flag. Problem noted by Jeff Giuliano
|
||
of Collective Technologies.
|
||
Avoid using a negative argument for sleep() calls when delaying answers
|
||
to EXPN/VRFY commands on systems which respond very slowly.
|
||
Problem noted by Mikolaj J. Habryn of Optus Internet
|
||
Engineering.
|
||
Make sure the F=u flag is set in the default prog mailer
|
||
definition. Problem noted by Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
Fix IPv6 check for unspecified addresses. Patch from
|
||
Jun-ichiro itojun Hagino of the KAME Project.
|
||
Fix return values for IRIX nsd map. From Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
Fix parsing of DaemonPortOptions and ClientPortOptions. Read all
|
||
of the parameters to find Family= setting before trying to
|
||
interpret Addr= and Port=. Problem noted by Valdis
|
||
Kletnieks of Virginia Tech.
|
||
When delivering to a file directly from an alias, do not call
|
||
initgroups(); instead use the DefaultUser group information.
|
||
Problem noted by Marc Schaefer of ALPHANET NF.
|
||
RunAsUser now overrides the ownership of the control socket, if
|
||
created. Otherwise, sendmail can not remove it upon
|
||
close. Problem noted by Werner Wiethege.
|
||
Fix ConnectionRateThrottle counting as the option is the number of
|
||
overall connections, not the number of connections per
|
||
socket. A future version may change this to per socket
|
||
counting.
|
||
Portability:
|
||
Clean up libsmdb so it functions properly on platforms
|
||
where sizeof(u_int32_t) != sizeof(size_t). Problem
|
||
noted by Rein Tollevik of Basefarm AS.
|
||
Fix man page formatting for compatibility with Solaris'
|
||
whatis. From Stephen Gildea of InTouch Systems, Inc.
|
||
UnixWare 7 includes snprintf() support. From Larry
|
||
Rosenman.
|
||
IPv6 changes for platforms using KAME. Patch from
|
||
Jun-ichiro itojun Hagino of the KAME Project.
|
||
Avoid a typedef compile conflict with Berkeley DB 3.X and
|
||
Solaris 2.5 or earlier. Problem noted by Bob Hughes
|
||
of Pacific Access.
|
||
Add preliminary support for AIX 5. Contributed by
|
||
Valdis Kletnieks of Virginia Tech.
|
||
Solaris 9 load average support from Andrew Tucker of Sun
|
||
Microsystems.
|
||
CONFIG: Reject addresses of the form a!b if FEATURE(`nouucp', `r')
|
||
is used. Problem noted by Phil Homewood of Asia Online,
|
||
patch from Neil Rickert of Northern Illinois University.
|
||
CONFIG: Change the default DNS based blocklist server for
|
||
FEATURE(`dnsbl') to blackholes.mail-abuse.org.
|
||
CONFIG: Deal correctly with the 'C' flag in {daemon_flags}, i.e.,
|
||
implicitly assume canonical host names.
|
||
CONFIG: Deal with "::" in IPv6 addresses for access_db. Based on
|
||
patch by Motonori Nakamura of Kyoto University.
|
||
CONFIG: New OSTYPE(`aix5') contributed by Valdis Kletnieks of
|
||
Virginia Tech.
|
||
CONFIG: Pass the illegal header form <list:;> through untouched
|
||
instead of making it worse. Problem noted by Motonori
|
||
Nakamura of Kyoto University.
|
||
CONTRIB: Added buildvirtuser (see `perldoc contrib/buildvirtuser`).
|
||
CONTRIB: qtool.pl: An empty queue is not an error. Problem noted
|
||
by Jan Krueger of digitalanswers communications consulting
|
||
gmbh.
|
||
CONTRIB: domainmap.m4: Handle domains with '-' in them. From Mark
|
||
Roth of the University of Illinois at Urbana-Champaign.
|
||
DEVTOOLS: Change the internal devtools OS, REL, and ARCH m4
|
||
variables into bldOS, bldREL, and bldARCH to prevent
|
||
namespace collisions. Problem noted by Motonori Nakamura
|
||
of Kyoto University.
|
||
RMAIL: Undo the 8.11.1 change to use -G when calling sendmail. It
|
||
causes some changes in behavior and may break rmail for
|
||
installations where sendmail is actually a wrapper to
|
||
another MTA. The change will re-appear in a future
|
||
version.
|
||
SMRSH: Use the vendor supplied directory on HPUX 10.X, HPUX 11.X,
|
||
and SunOS 5.8. Requested by Jeff A. Earickson of Colby
|
||
College and John Beck of Sun Microsystems.
|
||
VACATION: Fix pattern matching for addresses to ignore.
|
||
VACATION: Don't reply to addresses of the form owner-*
|
||
or *-owner.
|
||
New Files:
|
||
cf/ostype/aix5.m4
|
||
contrib/buildvirtuser
|
||
devtools/OS/AIX.5.0
|
||
|
||
8.11.1/8.11.1 2000/09/27
|
||
Fix SMTP EXPN command output if the address expands to a single
|
||
name. Fix from John Beck of Sun Microsystems.
|
||
Don't try STARTTLS in the client if the PRNG has not been properly
|
||
seeded. This problem only occurs on systems without
|
||
/dev/urandom. Problem detected by Jan Krueger of
|
||
digitalanswers communications consulting gmbh and
|
||
Neil Rickert of Northern Illinois University.
|
||
Don't use the . and .. directories when expanding QueueDirectory
|
||
wildcards.
|
||
Do not try to cache LDAP connections across processes as a parent
|
||
process may close the connection before the child process
|
||
has completed. Problem noted by Lai Yiu Fai of the Hong
|
||
Kong University of Science and Technology and Wolfgang
|
||
Hottgenroth of UUNET.
|
||
Use Timeout.fileopen to limit the amount of time spent trying to
|
||
read the LDAP secret from a file.
|
||
Prevent SIGTERM from removing a command line submitted item after
|
||
the user submits the message and before the first delivery
|
||
attempt completes. Problem noted by Max France of AlphaNet.
|
||
Fix from Neil Rickert of Northern Illinois University.
|
||
Deal correctly with MaxMessageSize restriction if message size is
|
||
greater than 2^31. Problem noted by Tim "Darth Dice" Bosserman
|
||
of EarthLink.
|
||
Turn off queue checkpointing if CheckpointInterval is set to zero.
|
||
Treat an empty home directory (from getpw*() or $HOME) as
|
||
non-existent instead of treating it as /. Problem noted by
|
||
Todd C. Miller of Courtesan Consulting.
|
||
Don't drop duplicate headers when reading a queued item. Problem
|
||
noted by Motonori Nakamura of Kyoto University.
|
||
Avoid bogus error text when logging the savemail panic "cannot
|
||
save rejected email anywhere". Problem noted by Marc G.
|
||
Fournier of Acadia University.
|
||
If an LDAP search fails because the LDAP server went down, close
|
||
the map so subsequent searches reopen the map. If there are
|
||
multiple LDAP servers, the down server will be skipped and
|
||
one of the others may be able to take over.
|
||
Set the ${load_avg} macro to the current load average, not the
|
||
previous load average query result.
|
||
If a non-optional map used in a check_* ruleset can't be opened,
|
||
return a temporary failure to the remote SMTP client
|
||
instead of ignoring the map. Problem noted by Allan E
|
||
Johannesen of Worcester Polytechnic Institute.
|
||
Avoid a race condition when queuing up split envelopes by saving
|
||
the split envelopes before the original envelope.
|
||
Fix a bug in the PH_MAP code which caused mail to bounce instead of
|
||
defer if the PH server could not be contacted. From Mark
|
||
Roth of the University of Illinois at Urbana-Champaign.
|
||
Prevent QueueSortOrder=Filename from interfering with -qR, -qS, and
|
||
ETRN. Problem noted by Erik R. Leo of SoVerNet.
|
||
Change error code for unrecognized parameters to the SMTP MAIL and
|
||
RCPT commands from 501 to 555 per RFC 1869. Problem
|
||
reported to Postfix by Robert Norris of Monash University.
|
||
Prevent overwriting the argument of -B on certain OS. Problem
|
||
noted by Matteo Gelosa of I.NET S.p.A.
|
||
Use the proper routine for freeing memory with Netscape's LDAP
|
||
client libraries. Patch from Paul Hilchey of the
|
||
University of British Columbia.
|
||
Portability:
|
||
Move the NETINET6 define to devtools/OS/SunOS.5.{8,9}
|
||
instead of defining it in conf.h so users can
|
||
override the setting. Suggested by
|
||
Henrik Nordstrom of Ericsson.
|
||
On HP-UX 10.X and 11.X, use /usr/sbin/sendmail instead of
|
||
/usr/lib/sendmail for rmail and vacation. From
|
||
Jeff A. Earickson of Colby College.
|
||
On HP-UX 11.X, use /usr/sbin instead of /usr/libexec (which
|
||
does not exist). From Jeff A. Earickson of Colby
|
||
College.
|
||
Avoid using the UCB subsystem on NCR MP-RAS 3.x. From
|
||
Tom Moore of NCR.
|
||
NeXT 3.X and 4.X installs man pages in /usr/man. From
|
||
Hisanori Gogota of NTT/InterCommunicationCenter.
|
||
Solaris 8 and later include /var/run. The default PID file
|
||
location is now /var/run/sendmail.pid. From John
|
||
Beck of Sun Microsystems.
|
||
SFIO includes snprintf() for those operating systems
|
||
which do not. From Todd C. Miller of Courtesan
|
||
Consulting.
|
||
CONFIG: Use the result of _CERT_REGEX_SUBJECT_ not {cert_subject}.
|
||
Problem noted by Kaspar Brand of futureLab AG.
|
||
CONFIG: Change 553 SMTP reply code to 501 to avoid problems with
|
||
errors in the MAIL address.
|
||
CONFIG: Fix FEATURE(nouucp) usage in example .mc files. Problem
|
||
noted by Ron Jarrell of Virginia Tech.
|
||
CONFIG: Add support for Solaris 8 (and later) as OSTYPE(solaris8).
|
||
Contributed by John Beck of Sun Microsystems.
|
||
CONFIG: Set confFROM_HEADER such that the mail hub can possibly add
|
||
GECOS information for an address. This more closely
|
||
matches pre-8.10 nullclient behavior. From Per Hedeland of
|
||
Ericsson.
|
||
CONFIG: Fix MODIFY_MAILER_FLAGS(): apply the flag modifications for
|
||
SMTP to all *smtp* mailers and those for RELAY to the relay
|
||
mailer as described in cf/README.
|
||
MAIL.LOCAL: Open the mailbox as the recipient not root so quotas
|
||
are obeyed. Problem noted by Damian Kuczynski of NIK.
|
||
MAKEMAP: Do not change a map's owner to the TrustedUser if using
|
||
makemap to 'unmake' the map.
|
||
RMAIL: Avoid overflowing the list of recipients being passed to
|
||
sendmail.
|
||
RMAIL: Invoke sendmail with '-G' to indicate this is a gateway
|
||
submission. Problem noted by Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
VACATION: Read the complete message to avoid "broken pipe" signals.
|
||
VACATION: Do not cut off vacation.msg files which have a single
|
||
dot as the only character on the line.
|
||
New Files:
|
||
cf/ostype/solaris8.m4
|
||
|
||
8.11.0/8.11.0 2000/07/19
|
||
SECURITY: If sendmail is installed as a non-root set-user-ID binary
|
||
(not the normal case), some operating systems will still
|
||
keep a saved-uid of the effective-uid when sendmail tries
|
||
to drop all of its privileges. If sendmail needs to drop
|
||
these privileges and the operating system doesn't set the
|
||
saved-uid as well, exit with an error. Problem noted by
|
||
Kari Hurtta of the Finnish Meteorological Institute.
|
||
SECURITY: sendmail depends on snprintf() NUL terminating the string
|
||
it populates. It is possible that some broken
|
||
implementations of snprintf() exist that do not do this.
|
||
Systems in this category should compile with
|
||
-DSNPRINTF_IS_BROKEN=1. Use test/t_snprintf.c to test your
|
||
system and report broken implementations to
|
||
sendmail-bugs@sendmail.org and your OS vendor. Problem
|
||
noted by Slawomir Piotrowski of TELSAT GP.
|
||
Support SMTP Service Extension for Secure SMTP (RFC 2487) (STARTTLS).
|
||
Implementation influenced by the example programs of
|
||
OpenSSL and the work of Lutz Jaenicke of TU Cottbus.
|
||
Add new STARTTLS related options CACERTPath, CACERTFile,
|
||
ClientCertFile, ClientKeyFile, DHParameters, RandFile,
|
||
ServerCertFile, and ServerKeyFile. These are documented in
|
||
cf/README and doc/op/op.me.
|
||
New STARTTLS related macros: ${cert_issuer}, ${cert_subject},
|
||
${tls_version}, ${cipher}, ${cipher_bits}, ${verify},
|
||
${server_name}, and ${server_addr}. These are documented
|
||
in cf/README and doc/op/op.me.
|
||
Add support for the Entropy Gathering Daemon (EGD) for better
|
||
random data.
|
||
New DontBlameSendmail option InsufficientEntropy for systems which
|
||
don't properly seed the PRNG for OpenSSL but want to
|
||
try to use STARTTLS despite the security problems.
|
||
Support the security layer in SMTP AUTH for mechanisms which
|
||
support encryption. Based on code contributed by Tim
|
||
Martin of CMU.
|
||
Add new macro ${auth_ssf} to reflect the SMTP AUTH security
|
||
strength factor.
|
||
LDAP's -1 (single match only) flag was not honored if the -z
|
||
(delimiter) flag was not given. Problem noted by ST Wong of
|
||
the Chinese University of Hong Kong. Fix from Mark Adamson
|
||
of CMU.
|
||
Add more protection from accidentally tripping OpenLDAP 1.X's
|
||
ld_errno == LDAP_DECODING_ERROR hack on ldap_next_attribute().
|
||
Suggested by Kurt Zeilenga of OpenLDAP.
|
||
Fix the default family selection for DaemonPortOptions. As
|
||
documented, unless a family is specified in a
|
||
DaemonPortOptions option, "inet" is the default. It is
|
||
also the default if no DaemonPortOptions value is set.
|
||
Therefore, IPv6 users should configure additional sockets
|
||
by adding DaemonPortOptions settings with Family=inet6 if
|
||
they wish to also listen on IPv6 interfaces. Problem noted
|
||
by Jun-ichiro itojun Hagino of the KAME Project.
|
||
Set ${if_family} when setting ${if_addr} and ${if_name} to reflect
|
||
the interface information for an outgoing connection.
|
||
Not doing so was creating a mismatch between the socket
|
||
family and address used in subsequent connections if the
|
||
M=b modifier was set in DaemonPortOptions. Problem noted
|
||
by John Beck of Sun Microsystems.
|
||
If DaemonPortOptions modifier M=b is used, determine the socket
|
||
family based on the IP address. ${if_family} is no longer
|
||
persistent (i.e., saved in qf files). Patch from John Beck
|
||
of Sun Microsystems.
|
||
sendmail 8.10 and 8.11 reused the ${if_addr} and ${if_family}
|
||
macros for both the incoming interface address/family and
|
||
the outgoing interface address/family. In order for M=b
|
||
modifier in DaemonPortOptions to work properly, preserve
|
||
the incoming information in the queue file for later
|
||
delivery attempts.
|
||
Use SMTP error code and enhanced status code from check_relay in
|
||
responses to commands. Problem noted by Jeff Wasilko of
|
||
smoe.org.
|
||
Add more vigilance in checking for putc() errors on output streams
|
||
to protect from a bug in Solaris 2.6's putc(). Problem
|
||
noted by Graeme Hewson of Oracle.
|
||
The LDAP map -n option (return attribute names only) wasn't working.
|
||
Problem noted by Ajay Matia.
|
||
Under certain circumstances, an address could be listed as deferred
|
||
but would be bounced back to the sender as failed to be
|
||
delivered when it really should have been queued. Problem
|
||
noted by Allan E Johannesen of Worcester Polytechnic Institute.
|
||
Prevent a segmentation fault in a child SMTP process from getting
|
||
the SMTP transaction out of sync. Problem noted by Per
|
||
Hedeland of Ericsson.
|
||
Turn off RES_DEBUG if SFIO is defined unless SFIO_STDIO_COMPAT
|
||
is defined to avoid a core dump due to incompatibilities
|
||
between sfio and stdio. Problem noted by Neil Rickert
|
||
of Northern Illinois University.
|
||
Don't log useless envelope ID on initial connection log. Problem
|
||
noted by Kari Hurtta of the Finnish Meteorological Institute.
|
||
Convert the free disk space shown in a control socket status query
|
||
to kilobyte units.
|
||
If TryNullMXList is True and there is a temporary DNS failure
|
||
looking up the hostname, requeue the message for a later
|
||
attempt. Problem noted by Ari Heikkinen of Pohjois-Savo
|
||
Polytechnic.
|
||
Under the proper circumstances, failed connections would be recorded
|
||
as "Bad file number" instead of "Connection failed" in the
|
||
queue file and persistent host status. Problem noted by
|
||
Graeme Hewson of Oracle.
|
||
Avoid getting into an endless loop if a non-hoststat directory exists
|
||
within the hoststatus directory (e.g., lost+found).
|
||
Patch from Valdis Kletnieks of Virginia Tech.
|
||
Make sure Timeout.queuereturn=now returns a bounce message to the
|
||
sender. Problem noted by Per Hedeland of Ericsson.
|
||
If a message data file can't be opened at delivery time, panic and
|
||
abort the attempt instead of delivering a message that
|
||
states "<<< No Message Collected >>>".
|
||
Fixup the GID checking code from 8.10.2 as it was overly
|
||
restrictive. Problem noted by Mark G. Thomas of Mark
|
||
G. Thomas Consulting.
|
||
Preserve source port number instead of replacing it with the ident
|
||
port number (113).
|
||
Document the queue status characters in the mailq man page.
|
||
Suggested by Ulrich Windl of the Universitat Regensburg.
|
||
Process queued items in which none of the recipient addresses have
|
||
host portions (or there are no recipients). Problem noted
|
||
by Valdis Kletnieks of Virginia Tech.
|
||
If a cached LDAP connection is used for multiple maps, make sure
|
||
only the first to open the connection is allowed to close
|
||
it so a later map close doesn't break the connection for
|
||
other maps. Problem noted by Wolfgang Hottgenroth of UUNET.
|
||
Netscape's LDAP libraries do not support Kerberos V4
|
||
authentication. Patch from Rainer Schoepf of the
|
||
University of Mainz.
|
||
Provide workaround for inconsistent handling of data passed
|
||
via callbacks to Cyrus SASL prior to version 1.5.23.
|
||
Mention ENHANCEDSTATUSCODES in the SMTP HELP helpfile. Omission
|
||
noted by Ulrich Windl of the Universitat Regensburg.
|
||
Portability:
|
||
Add the ability to read IPv6 interface addresses into class
|
||
'w' under FreeBSD (and possibly others). From Jun
|
||
Kuriyama of IMG SRC, Inc. and the FreeBSD Project.
|
||
Replace code for finding the number of CPUs on HPUX.
|
||
NCRUNIX MP-RAS 3.02 SO_REUSEADDR socket option does not
|
||
work properly causing problems if the accept()
|
||
fails and the socket needs to be reopened. Patch
|
||
from Tom Moore of NCR.
|
||
NetBSD uses a .0 extension of formatted man pages. From
|
||
Andrew Brown of Crossbar Security.
|
||
Return to using the IPv6 AI_DEFAULT flag instead of AI_V4MAPPED
|
||
for calls to getipnodebyname(). The Linux
|
||
implementation is broken so AI_ADDRCONFIG is stripped
|
||
under Linux. From John Beck of Sun Microsystems and
|
||
John Kennedy of Cal State University, Chico.
|
||
CONFIG: Catch invalid addresses containing a ',' at the wrong place.
|
||
Patch from Neil Rickert of Northern Illinois University.
|
||
CONFIG: New variables for the new sendmail options:
|
||
confCACERT_PATH CACERTPath
|
||
confCACERT CACERTFile
|
||
confCLIENT_CERT ClientCertFile
|
||
confCLIENT_KEY ClientKeyFile
|
||
confDH_PARAMETERS DHParameters
|
||
confRAND_FILE RandFile
|
||
confSERVER_CERT ServerCertFile
|
||
confSERVER_KEY ServerKeyFile
|
||
CONFIG: Provide basic rulesets for TLS policy control and add new
|
||
tags to the access database to support these policies. See
|
||
cf/README for more information.
|
||
CONFIG: Add TLS information to the Received: header.
|
||
CONFIG: Call tls_client ruleset from check_mail in case it wasn't
|
||
called due to a STARTTLS command.
|
||
CONFIG: If TLS_PERM_ERR is defined, TLS related errors are permanent
|
||
instead of temporary.
|
||
CONFIG: FEATURE(`relay_hosts_only') didn't work in combination with
|
||
the access map and relaying to a domain without using a To:
|
||
tag. Problem noted by Mark G. Thomas of Mark G. Thomas
|
||
Consulting.
|
||
CONFIG: Set confEBINDIR to /usr/sbin to match the devtools entry in
|
||
OSTYPE(`linux') and OSTYPE(`mklinux'). From Tim Pierce of
|
||
RootsWeb.com.
|
||
CONFIG: Make sure FEATURE(`nullclient') doesn't use aliasing and
|
||
forwarding to make it as close to the old behavior as
|
||
possible. Problem noted by George W. Baltz of the
|
||
University of Maryland.
|
||
CONFIG: Added OSTYPE(`darwin') for Mac OS X and Darwin users. From
|
||
Wilfredo Sanchez of Apple Computer, Inc.
|
||
CONFIG: Changed the map names used by FEATURE(`ldap_routing') from
|
||
ldap_mailhost and ldap_mailroutingaddress to ldapmh and
|
||
ldapmra as underscores in map names cause problems if
|
||
underscore is in OperatorChars. Problem noted by Bob Zeitz
|
||
of the University of Alberta.
|
||
CONFIG: Apply blacklist_recipients also to hosts in class {w}.
|
||
Patch from Michael Tratz of Esosoft Corporation.
|
||
CONFIG: Use A=TCP ... instead of A=IPC ... in SMTP mailers.
|
||
CONTRIB: Add link_hash.sh to create symbolic links to the hash
|
||
of X.509 certificates.
|
||
CONTRIB: passwd-to-alias.pl: More protection from special characters;
|
||
treat special shells as root aliases; skip entries where the
|
||
GECOS full name and username match. From Ulrich Windl of the
|
||
Universitat Regensburg.
|
||
CONTRIB: qtool.pl: Add missing last_modified_time method and fix a
|
||
typo. Patch from Graeme Hewson of Oracle.
|
||
CONTRIB: re-mqueue.pl: Improve handling of a race between re-mqueue
|
||
and sendmail. Patch from Graeme Hewson of Oracle.
|
||
CONTRIB: re-mqueue.pl: Don't exit(0) at end so can be called as
|
||
subroutine Patch from Graeme Hewson of Oracle.
|
||
CONTRIB: Add movemail.pl (move old mail messages between queues by
|
||
calling re-mqueue.pl) and movemail.conf (configuration
|
||
script for movemail.pl). From Graeme Hewson of Oracle.
|
||
CONTRIB: Add cidrexpand (expands CIDR blocks as a preprocessor to
|
||
makemap). From Derek J. Balling of Yahoo,Inc.
|
||
DEVTOOLS: INSTALL_RAWMAN installation option mistakenly applied any
|
||
extension modifications (e.g., MAN8EXT) to the installation
|
||
target. Patch from James Ralston of Carnegie Mellon
|
||
University.
|
||
DEVTOOLS: Add support for SunOS 5.9.
|
||
DEVTOOLS: New option confLN contains the command used to create
|
||
links.
|
||
LIBSMDB: Berkeley DB 2.X and 3.X errors might be lost and not
|
||
reported.
|
||
MAIL.LOCAL: DG/UX portability. Problem noted by Tim Boyer of
|
||
Denman Tire Corporation.
|
||
MAIL.LOCAL: Prevent a possible DoS attack when compiled with
|
||
-DCONTENTLENGTH. Based on patch from 3APA3A@SECURITY.NNOV.RU.
|
||
MAILSTATS: Fix usage statement (-p and -o are optional).
|
||
MAKEMAP: Change man page layout as workaround for problem with nroff
|
||
and -man on Solaris 7. Patch from Larry Williamson.
|
||
RMAIL: AIX 4.3 has snprintf(). Problem noted by David Hayes of
|
||
Black Diamond Equipment, Limited.
|
||
RMAIL: Prevent a segmentation fault if the incoming message does not
|
||
have a From line.
|
||
VACATION: Read all of the headers before deciding whether or not
|
||
to respond instead of stopping after finding recipient.
|
||
Added Files:
|
||
cf/ostype/darwin.m4
|
||
contrib/cidrexpand
|
||
contrib/link_hash.sh
|
||
contrib/movemail.conf
|
||
contrib/movemail.pl
|
||
devtools/OS/SunOS.5.9
|
||
test/t_snprintf.c
|
||
|
||
8.10.2/8.10.2 2000/06/07
|
||
SECURITY: Work around broken Linux setuid() implementation.
|
||
On Linux, a normal user process has the ability to subvert
|
||
the setuid() call such that it is impossible for a root
|
||
process to drop its privileges. Problem noted by Wojciech
|
||
Purczynski of elzabsoft.pl.
|
||
SECURITY: Add more vigilance around set*uid(), setgid(), setgroups(),
|
||
initgroups(), and chroot() calls.
|
||
Added Files:
|
||
test/t_setuid.c
|
||
|
||
8.10.1/8.10.1 2000/04/06
|
||
SECURITY: Limit the choice of outgoing (client-side) SMTP
|
||
Authentication mechanisms to those specified in
|
||
AuthMechanisms to prevent information leakage. We do not
|
||
recommend use of PLAIN for outgoing mail as it sends the
|
||
password in clear text to possibly untrusted servers. See
|
||
cf/README's DefaultAuthInfo section for additional information.
|
||
Copy the ident argument for openlog() to avoid problems on some
|
||
OSs. Based on patch from Rob Bajorek from Webhelp.com.
|
||
Avoid bogus error message when reporting an alias line as too long.
|
||
Avoid bogus socket error message if sendmail.cf version level is
|
||
greater than sendmail binary supported version. Patch
|
||
from John Beck of Sun Microsystems.
|
||
Prevent a malformed ruleset (missing right hand side) from causing
|
||
a segmentation fault when using address test mode. Based on
|
||
patch from John Beck of Sun Microsystems.
|
||
Prevent memory leak from use of NIS maps and yp_match(3). Problem
|
||
noted by Gil Kloepfer of the University of Texas at Austin.
|
||
Fix queue file permission checks to allow for TrustedUser ownership.
|
||
Change logging of errors from the trust_auth ruleset to LogLevel 10
|
||
or higher.
|
||
Avoid simple password cracking attacks against SMTP AUTH by using
|
||
exponential delay after too many tries within one connection.
|
||
Encode an initial empty AUTH challenge as '=', not as empty string.
|
||
Avoid segmentation fault on EX_SOFTWARE internal error logs.
|
||
Problem noted by Allan E Johannesen of Worcester
|
||
Polytechnic Institute.
|
||
Ensure that a header check which resolves to $#discard actually
|
||
discards the message.
|
||
Emit missing value warnings for aliases with no right hand side
|
||
when newaliases is run instead of only when delivery is
|
||
attempted to the alias.
|
||
Remove AuthOptions missing value warning for consistency with other
|
||
flag options.
|
||
Portability:
|
||
SECURITY: Specify a run-time shared library search path for
|
||
AIX 4.X instead of using the dangerous AIX 4.X
|
||
linker semantics. AIX 4.X users should consult
|
||
sendmail/README for further information. Problem
|
||
noted by Valdis Kletnieks of Virginia Tech.
|
||
Avoid use of strerror(3) call. Problem noted by Charles
|
||
Levert of Ecole Polytechnique de Montreal.
|
||
DGUX requires -lsocket -lnsl and has a non-standard install
|
||
program. From Tim Boyer of Denman Tire Corporation.
|
||
HPUX 11.0 has a broken res_search() function.
|
||
Updates to devtools/OS/NeXT.3.X, NeXT.4.X, and NEXTSTEP.4.X
|
||
from J. P. McCann of E I A.
|
||
Digital UNIX/Compaq Tru64 5.0 now includes snprintf(3).
|
||
Problem noted by Michael Long of Info Avenue Internet
|
||
Services, LLC.
|
||
Modern (post-199912) OpenBSD versions include working
|
||
strlc{at,py}(3) functions. From Todd C. Miller of
|
||
Courtesan Consulting.
|
||
SINIX doesn't have random(3). From Gerald Rinske of
|
||
Siemens Business Services.
|
||
CONFIG: Change error message about unresolvable sender domain to
|
||
include the sender address. Proposed by Wolfgang Rupprecht
|
||
of WSRCC.
|
||
CONFIG: Fix usenet mailer calls.
|
||
CONFIG: If RELAY_MAILER_FLAGS is not defined, use SMTP_MAILER_FLAGS
|
||
to be backward compatible with 8.9.
|
||
CONFIG: Change handling of default case @domain for virtusertable
|
||
to allow for +*@domain to deal with +detail.
|
||
CONTRIB: Remove converting.sun.configs -- it is obsolete.
|
||
DEVTOOLS: confUBINMODE was being ignored. Fix from KITAZIMA, Tuneki
|
||
of NEC.
|
||
DEVTOOLS: Add to NCR platform list and include the architecture
|
||
(i486). From Tom J. Moore of NCR.
|
||
DEVTOOLS: SECURITY: Change method of linking with sendmail utility
|
||
libraries to work around the AIX 4.X and SunOS 4.X linker's
|
||
overloaded -L option. Problem noted by Valdis Kletnieks of
|
||
Virginia Tech.
|
||
DEVTOOLS: configure.sh was overriding the user's choice for
|
||
confNROFF. Problem noted by Glenn A. Malling of Syracuse
|
||
University.
|
||
DEVTOOLS: New variables conf_prog_LIB_POST and confBLDVARIANT added
|
||
for other internal projects but included in the open source
|
||
release.
|
||
LIBSMDB: Check for ".db" instead of simply "db" at the end of the
|
||
map name to determine whether or not to add the extension.
|
||
This fixes makemap when building the userdb file. Problem
|
||
noted by Andrew J Cole of the University of Leeds.
|
||
LIBSMDB: Allow a database to be opened for updating and created if
|
||
it doesn't already exist. Problem noted by Rand Wacker of
|
||
Sendmail.
|
||
LIBSMDB: If type is SMDB_TYPE_DEFAULT and both NEWDB and NDBM are
|
||
available, fall back to NDBM if NEWDB open fails. This
|
||
fixes praliases. Patch from John Beck of Sun Microsystems.
|
||
LIBSMUTIL: safefile()'s SFF_NOTEXCL check was being misinterpreted
|
||
as SFF_NOWRFILES.
|
||
OP.ME: Clarify some issues regarding mailer flags. Suggested by
|
||
Martin Mokrejs of The Charles University and Neil Rickert of
|
||
Northern Illinois University.
|
||
PRALIASES: Restore 8.9.X functionality of being able to search for
|
||
particular keys in a database by specifying the keys on the
|
||
command line. Man page updated accordingly. Patch from
|
||
John Beck of Sun Microsystems.
|
||
VACATION: SunOS 4.X portability from Charles Levert of Ecole
|
||
Polytechnique de Montreal.
|
||
VACATION: Fix -t option which is ignored but available for
|
||
compatibility with Sun's version, based on patch from
|
||
Volker Dobler of Infratest Burke.
|
||
Added Files:
|
||
devtools/M4/UNIX/smlib.m4
|
||
devtools/OS/OSF1.V5.0
|
||
Deleted Files:
|
||
contrib/converting.sun.configs
|
||
Deleted Directories (already done in 8.10.0 but not listed):
|
||
doc/intro
|
||
doc/usenix
|
||
doc/changes
|
||
|
||
8.10.0/8.10.0 2000/03/01
|
||
*************************************************************
|
||
* The engineering department at Sendmail, Inc. has suffered *
|
||
* the tragic loss of a key member of our engineering team. *
|
||
* Julie Van Bourg was the Vice President of Engineering *
|
||
* at Sendmail, Inc. during the development and deployment *
|
||
* of this release. It was her vision, dedication, and *
|
||
* support that has made this release a success. Julie died *
|
||
* on October 26, 1999 of cancer. We have lost a leader, a *
|
||
* coach, and a friend. *
|
||
* *
|
||
* This release is dedicated to her memory and to the joy, *
|
||
* strength, ideals, and hope that she brought to all of us. *
|
||
* Julie, we miss you! *
|
||
*************************************************************
|
||
SECURITY: The safe file checks now back track through symbolic
|
||
links to make sure the files can't be compromised due
|
||
to poor permissions on the parent directories of the
|
||
symbolic link target.
|
||
SECURITY: Only root, TrustedUser, and users in class t can rebuild
|
||
the alias map. Problem noted by Michal Zalewski of the
|
||
"Internet for Schools" project (IdS).
|
||
SECURITY: There is a potential for a denial of service attack if
|
||
the AutoRebuildAliases option is set as a user can kill the
|
||
sendmail process while it is rebuilding the aliases file
|
||
(leaving it in an inconsistent state). This option and
|
||
its use is deprecated and will be removed from a future
|
||
version of sendmail.
|
||
SECURITY: Make sure all file descriptors (besides stdin, stdout, and
|
||
stderr) are closed before restarting sendmail. Problem noted
|
||
by Michal Zalewski of the "Internet for Schools" project
|
||
(IdS).
|
||
Begin using /etc/mail/ for sendmail related files. This affects
|
||
a large number of files. See cf/README for more details.
|
||
The directory structure of the distribution has changed slightly
|
||
for easier code sharing among the programs.
|
||
Support SMTP AUTH (see RFC 2554). New macros for this purpose
|
||
are ${auth_authen}, ${auth_type}, and ${auth_author}
|
||
which hold the client's authentication credentials,
|
||
the mechanism used for authentication, and the
|
||
authorization identity (i.e., the AUTH= parameter if
|
||
supplied). Based on code contributed by Tim Martin of CMU.
|
||
On systems which use the Torek stdio library (all of the BSD
|
||
distributions), use memory-buffered files to reduce
|
||
file system overhead by not creating temporary files on
|
||
disk. Contributed by Exactis.com, Inc.
|
||
New option DataFileBufferSize to control the maximum size of a
|
||
memory-buffered data (df) file before a disk-based file is
|
||
used. Contributed by Exactis.com, Inc.
|
||
New option XscriptFileBufferSize to control the maximum size of a
|
||
memory-buffered transcript (xf) file before a disk-based
|
||
file is used. Contributed by Exactis.com, Inc.
|
||
sendmail implements RFC 2476 (Message Submission), e.g., it can
|
||
now listen on several different ports. Use:
|
||
O DaemonPortOptions=Name=MSA, Port=587, M=E
|
||
to run a Message Submission Agent (MSA); this is turned
|
||
on by default in m4-generated .cf files; it can be turned
|
||
off with FEATURE(`no_default_msa').
|
||
The 'XUSR' SMTP command is deprecated. Mail user agents should
|
||
begin using RFC 2476 Message Submission for initial user
|
||
message submission. XUSR may disappear from a future release.
|
||
The new '-G' (relay (gateway) submission) command line option
|
||
indicates that the message being submitted from the command
|
||
line is for relaying, not initial submission. This means
|
||
the message will be rejected if the addresses are not fully
|
||
qualified and no canonicalization will be done. Future
|
||
releases may even reject improperly formed messages.
|
||
The '-U' (initial user submission) command line option is
|
||
deprecated and may be removed from a future release.
|
||
Mail user agents should begin using '-G' to indicate that
|
||
this is a relay submission (the inverse of -U).
|
||
The next release of sendmail will assume that any message submitted
|
||
from the command line is an initial user submission and act
|
||
accordingly.
|
||
If sendmail doesn't have enough privileges to run a .forward
|
||
program or deliver to file as the owner of that file, the
|
||
address is marked as unsafe. This means if RunAsUser is
|
||
set, users won't be able to use programs or delivery to
|
||
files in their .forward files. Administrators can override
|
||
this by setting the DontBlameSendmail option to the new
|
||
setting NonRootSafeAddr.
|
||
Allow group or world writable directories if the sticky bit is set
|
||
on the directory and DontBlameSendmail is set to
|
||
TrustStickyBit. Based on patch from Chris Metcalf of
|
||
InCert Software.
|
||
Prevent logging of unsafe directory paths for non-existent forward
|
||
files if the new DontWarnForwardFileInUnsafeDirPath bit is
|
||
set in the DontBlameSendmail option. Requested by many.
|
||
New Timeout.control option to limit the total time spent satisfying
|
||
a control socket request.
|
||
New Timeout.resolver options for controlling BIND resolver
|
||
settings:
|
||
Timeout.resolver.retrans
|
||
Sets the resolver's retransmission time interval (in
|
||
seconds). Sets both Timeout.resolver.retrans.first
|
||
and Timeout.resolver.retrans.normal.
|
||
Timeout.resolver.retrans.first
|
||
Sets the resolver's retransmission time interval (in
|
||
seconds) for the first attempt to deliver a message.
|
||
Timeout.resolver.retrans.normal
|
||
Sets the resolver's retransmission time interval (in
|
||
seconds) for all resolver lookups except the first
|
||
delivery attempt.
|
||
Timeout.resolver.retry
|
||
Sets the number of times to retransmit a resolver
|
||
query. Sets both Timeout.resolver.retry.first
|
||
and Timeout.resolver.retry.normal.
|
||
Timeout.resolver.retry.first
|
||
Sets the number of times to retransmit a resolver
|
||
query for the first attempt to deliver a message.
|
||
Timeout.resolver.retry.normal
|
||
Sets the number of times to retransmit a resolver
|
||
query for all resolver lookups except the first
|
||
delivery attempt.
|
||
Contributed by Exactis.com, Inc.
|
||
Support multiple queue directories. To use multiple queues, supply
|
||
a QueueDirectory option value ending with an asterisk. For
|
||
example, /var/spool/mqueue/q* will use all of the
|
||
directories or symbolic links to directories beginning with
|
||
'q' in /var/spool/mqueue as queue directories. Keep in
|
||
mind, the queue directory structure should not be changed
|
||
while sendmail is running. Queue runs create a separate
|
||
process for running each queue unless the verbose flag is
|
||
given on a non-daemon queue run. New items are randomly
|
||
assigned to a queue. Contributed by Exactis.com, Inc.
|
||
Support different directories for qf, df, and xf queue files; if
|
||
subdirectories or symbolic links to directories of those names
|
||
exist in the queue directories, they are used for the
|
||
corresponding queue files. Keep in mind, the queue
|
||
directory structure should not be changed while sendmail is
|
||
running. Proposed by Mathias Koerber of Singapore
|
||
Telecommunications Ltd.
|
||
New queue file naming system which uses a filename guaranteed to be
|
||
unique for 60 years. This allows queue IDs to be assigned
|
||
without fancy file system locking. Queued items can be
|
||
moved between queues easily. Contributed by Exactis.com,
|
||
Inc.
|
||
Messages which are undeliverable due to temporary address failures
|
||
(e.g., DNS failure) will now go to the FallBackMX host, if
|
||
set. Contributed by Exactis.com, Inc.
|
||
New command line option '-L tag' which sets the identifier used for
|
||
syslog. Contributed by Exactis.com, Inc.
|
||
QueueSortOrder=Filename will sort the queue by filename. This
|
||
avoids opening and reading each queue file when preparing
|
||
to run the queue. Contributed by Exactis.com, Inc.
|
||
Shared memory counters and microtimers functionality has been
|
||
donated by Exactis.com, Inc.
|
||
The SCCS ID tags have been replaced with RCS ID tags.
|
||
Allow trusted users (those on a T line or in $=t) to set the
|
||
QueueDirectory (Q) option without an X-Authentication-Warning:
|
||
being added. Suggested by Michael K. Sanders.
|
||
IPv6 support based on patches from John Kennedy of Cal State
|
||
University, Chico, Motonori Nakamura of Kyoto University,
|
||
and John Beck of Sun Microsystems.
|
||
In low-disk space situations, where sendmail would previously refuse
|
||
connections, still accept them, but only allow ETRN commands.
|
||
Suggested by Mathias Koerber of Singapore Telecommunications
|
||
Ltd.
|
||
The [IPC] builtin mailer now allows delivery to a UNIX domain socket
|
||
on systems which support them. This can be used with LMTP
|
||
local delivery agents which listen on a named socket. An
|
||
example mailer might be:
|
||
Mexecmail, P=[IPC], F=lsDFMmnqSXzA5@/:|, E=\r\n,
|
||
S=10, R=20/40, T=DNS/RFC822/X-Unix,
|
||
A=FILE /var/run/lmtpd
|
||
Code contributed by Lyndon Nerenberg of Messaging Direct.
|
||
The [TCP] builtin mailer name is now deprecated. Use [IPC]
|
||
instead.
|
||
The first mailer argument in the [IPC] mailer is now checked for a
|
||
legitimate value. Possible values are TCP (for TCP/IP
|
||
connections), IPC (which will be deprecated in a future
|
||
version), and FILE (for UNIX domain socket delivery).
|
||
PrivacyOptions=goaway no longer includes the noetrn and the noreceipts
|
||
flags.
|
||
PrivacyOptions=nobodyreturn instructs sendmail not to include the
|
||
body of the original message on delivery status
|
||
notifications.
|
||
Don't announce DSN if PrivacyOptions=noreceipts is set. Problem noted
|
||
by Dan Bernstein, fix from Robert Harker of Harker Systems.
|
||
Accept the SMTP RSET command even when rejecting commands due to TCP
|
||
Wrappers or the check_relay ruleset. Problem noted by
|
||
Steve Schweinhart of America Online.
|
||
Warn if OperatorChars is set multiple times. OperatorChars should
|
||
not be set after rulesets are defined. Suggested by
|
||
Mitchell Blank Jr of Exec-PC.
|
||
Do not report temporary failure on delivery to files. In
|
||
interactive delivery mode, this would result in two SMTP
|
||
responses after the DATA command. Problem noted by
|
||
Nik Conwell of Boston University.
|
||
Check file close when mailing to files. Problem noted by Nik
|
||
Conwell of Boston University.
|
||
Avoid a segmentation fault when using the LDAP map. Patch from
|
||
Curtis W. Hillegas of Princeton University.
|
||
Always bind to the LDAP server regardless of whether you are using
|
||
ldap_open() or ldap_init(). Fix from Raj Kunjithapadam of
|
||
@Home Network.
|
||
New ruleset trust_auth to determine whether a given AUTH=
|
||
parameter of the MAIL command should be trusted. See SMTP
|
||
AUTH, cf/README, and doc/op/op.ps.
|
||
Allow new named config file rules check_vrfy, check_expn, and
|
||
check_etrn for VRFY, EXPN, and ETRN commands, respectively,
|
||
similar to check_rcpt etc.
|
||
Introduce new macros ${rcpt_mailer}, ${rcpt_host}, ${rcpt_addr},
|
||
${mail_mailer}, ${mail_host}, ${mail_addr} that hold
|
||
the results of parsing the RCPT and MAIL arguments, i.e.
|
||
the resolved triplet from $#mailer $@host $:addr.
|
||
From Kari Hurtta of the Finnish Meteorological Institute.
|
||
New macro ${client_resolve} which holds the result of the resolve
|
||
call for ${client_name}: OK, FAIL, FORGED, TEMP. Proposed
|
||
by Kari Hurtta of the Finnish Meteorological Institute.
|
||
New macros ${dsn_notify}, ${dsn_envid}, and ${dsn_ret} that hold
|
||
the corresponding DSN parameter values. Proposed by
|
||
Mathias Herberts.
|
||
New macro ${msg_size} which holds the value of the SIZE= parameter,
|
||
i.e., usually the size of the message (in an ESMTP dialogue),
|
||
before the message has been collected, thereafter it holds
|
||
the message size as computed by sendmail (and can be used
|
||
in check_compat).
|
||
The macro ${deliveryMode} now specifies the current delivery mode
|
||
sendmail is using instead of the value of the DeliveryMode
|
||
option.
|
||
New macro ${ntries} holds the number of delivery attempts.
|
||
Drop explicit From: if same as what would be generated only if it is
|
||
a local address. From Motonori Nakamura of Kyoto University.
|
||
Write pid to file also if sendmail only processes the queue.
|
||
Proposed by Roy J. Mongiovi of Georgia Tech.
|
||
Log "low on disk space" only when necessary.
|
||
New macro ${load_avg} can be used to check the current load average.
|
||
Suggested by Scott Gifford of The Internet Ramp.
|
||
Return-Receipt-To: header implies DSN request if option RrtImpliesDsn
|
||
is set.
|
||
Flag -S for maps to specify the character which is substituted
|
||
for spaces (instead of the default given by O BlankSub).
|
||
Flag -D for maps: perform no lookup in deferred delivery mode.
|
||
This flag is set by default for the host map. Based on a
|
||
proposal from Ian MacPhedran of the University of Saskatchewan.
|
||
Open maps only on demand, not at startup.
|
||
Log warning about unsupported IP address families.
|
||
New option MaxHeadersLength allows to specify a maximum length
|
||
of the sum of all headers. This can be used to prevent
|
||
a denial-of-service attack.
|
||
New option MaxMimeHeaderLength which limits the size of MIME
|
||
headers and parameters within those headers. This option
|
||
is intended to protect mail user agents from buffer
|
||
overflow attacks.
|
||
Added option MaxAliasRecursion to specify the maximum depth of
|
||
alias recursion.
|
||
New flag F=6 for mailers to strip headers to seven bit.
|
||
Map type syslog to log the key via syslogd.
|
||
Entries in the alias file can be continued by putting a backslash
|
||
directly before the newline.
|
||
New option DeadLetterDrop to define the location of the system-wide
|
||
dead.letter file, formerly hardcoded to
|
||
/usr/tmp/dead.letter. If this option is not set (the
|
||
default), sendmail will not attempt to save to a
|
||
system-wide dead.letter file if it can not bounce the mail
|
||
to the user nor postmaster. Instead, it will rename the qf
|
||
file as it has in the past when the dead.letter file
|
||
could not be opened.
|
||
New option PidFile to define the location of the pid file. The
|
||
value of this option is macro expanded.
|
||
New option ProcessTitlePrefix specifies a prefix string for the
|
||
process title shown in 'ps' listings.
|
||
New macros for use with the PidFile and ProcessTitlePrefix options
|
||
(along with the already existing macros):
|
||
${daemon_info} Daemon information, e.g.
|
||
SMTP+queueing@00:30:00
|
||
${daemon_addr} Daemon address, e.g., 0.0.0.0
|
||
${daemon_family} Daemon family, e.g., inet, inet6, etc.
|
||
${daemon_name} Daemon name, e.g., MSA.
|
||
${daemon_port} Daemon port, e.g., 25
|
||
${queue_interval} Queue run interval, e.g., 00:30:00
|
||
New macros especially for virtual hosting:
|
||
${if_name} hostname of interface of incoming connection.
|
||
${if_addr} address of interface of incoming connection.
|
||
The latter is only set if the interface does not belong to the
|
||
loopback net.
|
||
If a message being accepted via a method other than SMTP and
|
||
would be rejected by a header check, do not send the message.
|
||
Suggested by Phil Homewood of Mincom Pty Ltd.
|
||
Don't strip comments for header checks if $>+ is used instead of $>.
|
||
Provide header value as quoted string in the macro
|
||
${currHeader} (possibly truncated to MAXNAME). Suggested by
|
||
Jan Krueger of Unix-AG of University of Hannover.
|
||
The length of the header value is stored in ${hdrlen}.
|
||
H*: allows to specify a default ruleset for header checks. This
|
||
ruleset will only be called if the individual header does
|
||
not have its own ruleset assigned. Suggested by Jan
|
||
Krueger of Unix-AG of University of Hannover.
|
||
The name of the header field stored in ${hdr_name}.
|
||
Comments (i.e., text within parentheses) in rulesets are not
|
||
removed if the config file version is greater than or equal
|
||
to 9. For example, "R$+ ( 1 ) $@ 1" matches the
|
||
input "token (1)" but does not match "token".
|
||
Avoid removing the Content-Transfer-Encoding MIME header on
|
||
MIME messages. Problem noted by Sigurbjorn B. Larusson of
|
||
Multimedia Consumer Services. Fix from Per Hedeland of
|
||
Ericsson.
|
||
Avoid duplicate Content-Transfer-Encoding MIME header on
|
||
messages with 8-bit text in headers. Problem noted by
|
||
Per Steinar Iversen of Oslo College. Fix from Per Hedeland
|
||
of Ericsson.
|
||
Avoid keeping maps locked longer than necessary when re-opening a
|
||
modified database map file. Problem noted by Chris Adams
|
||
of Renaissance Internet Services.
|
||
Resolving to the $#error mailer with a temporary failure code (e.g.,
|
||
$#error $@ tempfail $: "400 Temporary failure") will now
|
||
queue up the message instead of bouncing it.
|
||
Be more liberal in acceptable responses to an SMTP RSET command as
|
||
standard does not provide any indication of what to do when
|
||
something other than 250 is received. Based on a patch
|
||
from Steve Schweinhart of America Online.
|
||
New option TrustedUser allows to specify a user who can own
|
||
important files instead of root. This requires HASFCHOWN.
|
||
Fix USERDB conditional so compiling with NEWDB or HESIOD and
|
||
setting USERDB=0 works. Fix from Jorg Zanger of Schock.
|
||
Fix another instance (similar to one in 8.9.3) of a network failure
|
||
being mis-logged as "Illegal Seek" instead of whatever
|
||
really went wrong. From John Beck of Sun Microsystems.
|
||
$? tests also whether the macro is non-null.
|
||
Print an error message if a mailer definition contains an invalid
|
||
equate name.
|
||
New mailer equate /= to specify a directory to chroot() into before
|
||
executing the mailer program. Suggested by Igor Vinokurov.
|
||
New mailer equate W= to specify the maximum time to wait for the
|
||
mailer to return after sending all data to it.
|
||
Only free memory from the process list when adding a new process
|
||
into a previously filled slot. Previously, the memory was
|
||
freed at removal time. Since removal can happen in a
|
||
signal handler, this may leave the memory map in an
|
||
inconsistent state. Problem noted by Jeff A. Earickson and
|
||
David Cooley of Colby College.
|
||
When using the UserDB @hostname catch-all, do not try to lookup
|
||
local users in the passwd file. The UserDB code has
|
||
already decided the message will be passed to another host
|
||
for processing. Fix from Tony Landells of Burdett
|
||
Buckeridge Young Limited.
|
||
Support LDAP authorization via either a file containing the
|
||
password or Kerberos V4 using the new map options
|
||
'-ddistinguished_name', '-Mmethod', and '-Pfilename'. The
|
||
distinguished_name is who to login as. The method can be
|
||
one of LDAP_AUTH_NONE, LDAP_AUTH_SIMPLE, or
|
||
LDAP_AUTH_KRBV4. The filename is the file containing the
|
||
secret key for LDAP_AUTH_SIMPLE or the name of the Kerberos
|
||
ticket file for LDAP_AUTH_KRBV4. Patch from Booker Bense
|
||
of Stanford University.
|
||
The ldapx map has been renamed to ldap. The use of ldapx is
|
||
deprecated and will be removed in a future version.
|
||
If the result of an LDAP search returns a multi-valued attribute
|
||
and the map has the column delimiter set, it turns that
|
||
response into a delimiter separated string. The LDAP map
|
||
will traverse multiple entries as well. LDAP alias maps
|
||
automatically set the column delimiter to the comma.
|
||
Based on patch from Booker Bense of Stanford University and
|
||
idea from Philip A. Prindeville of Mirapoint, Inc.
|
||
Support return of multiple values for a single LDAP lookup. The
|
||
values to be returned should be in a comma separated string.
|
||
For example, `-v "email,emailother"'. Patch from
|
||
Curtis W. Hillegas of Princeton University.
|
||
Allow the use of LDAP for alias maps.
|
||
If no LDAP attributes are specified in an LDAP map declaration, all
|
||
attributes found in the match will be returned.
|
||
Prevent commas in quoted strings in the AliasFile value from
|
||
breaking up a single entry into multiple entries. This is
|
||
needed for LDAP alias file specifications to allow for
|
||
comma separated key and value strings.
|
||
Keep connections to LDAP server open instead of opening and closing
|
||
for each lookup. To reduce overhead, sendmail will cache
|
||
connections such that multiple maps which use the same
|
||
host, port, bind DN, and authentication will only result in
|
||
a single connection to that host.
|
||
Put timeout in the proper place for USE_LDAP_INIT.
|
||
Be more careful about checking for errors and freeing memory on
|
||
LDAP lookups.
|
||
Use asynchronous LDAP searches to save memory and network
|
||
resources.
|
||
Do not copy LDAP query results if the map's match only flag is set.
|
||
Increase portability to the Netscape LDAP libraries.
|
||
Change the parsing of the LDAP filter specification. '%s' is still
|
||
replaced with the literal contents of the map lookup key --
|
||
note that this means a lookup can be done using the LDAP
|
||
special characters. The new '%0' token can be used instead
|
||
of '%s' to encode the key buffer according to RFC 2254.
|
||
For example, if the LDAP map specification contains '-k
|
||
"(user=%s)"' and a lookup is done on "*", this would be
|
||
equivalent to '-k "(user=*)"' -- matching ANY record with a
|
||
user attribute. Instead, if the LDAP map specification
|
||
contains '-k "(user=%0)"' and a lookup is done on "*", this
|
||
would be equivalent to '-k "(user=\2A)"' -- matching a user
|
||
with the name "*".
|
||
New LDAP map flags: "-1" requires a single match to be returned, if
|
||
more than one is returned, it is equivalent to no records
|
||
being found; "-r never|always|search|find" sets the LDAP
|
||
alias dereference option; "-Z size" limits the number of
|
||
matches to return.
|
||
New option LDAPDefaultSpec allows a default map specification for
|
||
LDAP maps. The value should only contain LDAP specific
|
||
settings such as "-h host -p port -d bindDN", etc. The
|
||
settings will be used for all LDAP maps unless they are
|
||
specified in the individual map specification ('K'
|
||
command). This option should be set before any LDAP maps
|
||
are defined.
|
||
Prevent an NDBM alias file opening loop when the NDBM open
|
||
continually fails. Fix from Roy J. Mongiovi of Georgia
|
||
Tech.
|
||
Reduce memory utilization for smaller symbol table entries. In
|
||
particular, class entries get much smaller, which can be
|
||
important if you have large classes.
|
||
On network-related temporary failures, record the hostname which
|
||
gave error in the queued status message. Requested by
|
||
Ulrich Windl of the Universitat Regensburg.
|
||
Add new F=% mailer flag to allow for a store and forward
|
||
configuration. Mailers which have this flag will not attempt
|
||
delivery on initial receipt of a message or on queue runs
|
||
unless the queued message is selected using one of the
|
||
-qI/-qR/-qS queue run modifiers or an ETRN request. Code
|
||
provided by Philip Guenther of Gustavus Adolphus College.
|
||
New option ControlSocketName which, when set, creates a daemon
|
||
control socket. This socket allows an external program to
|
||
control and query status from the running sendmail daemon
|
||
via a named socket, similar to the ctlinnd interface to the
|
||
INN news server. Access to this interface is controlled by
|
||
the UNIX file permissions on the named socket on most UNIX
|
||
systems (see sendmail/README for more information). An
|
||
example control program is provided as contrib/smcontrol.pl.
|
||
Change the default values of QueueLA from 8 to (8 * numproc) and
|
||
RefuseLA from 12 to (12 * numproc) where numproc is the
|
||
number of processors online on the system (if that can be
|
||
determined). For single processor machines, this change
|
||
has no effect.
|
||
Don't return body of message to postmaster on "Too many hops" bounces.
|
||
Based on fix from Motonori Nakamura of Kyoto University.
|
||
Give more detailed DSN descriptions for some cases. Patch from
|
||
Motonori Nakamura of Kyoto University.
|
||
Logging of alias, forward file, and UserDB expansion now happens
|
||
at LogLevel 11 or higher instead of 10 or higher.
|
||
Logging of an envelope's complete delivery (the "done" message) now
|
||
happens at LogLevel 10 or higher instead of 11 or higher.
|
||
Logging of TCP/IP or UNIX standard input connections now happens at
|
||
LogLevel 10 or higher. Previously, only TCP/IP connections
|
||
were logged, and on at LogLevel 12 or higher. Setting
|
||
LogLevel to 10 will now assist users in tracking frequent
|
||
connection-based denial of service attacks.
|
||
Log basic information about authenticated connections at LogLevel
|
||
10 or higher.
|
||
Log SMTP Authentication mechanism and author when logging the sender
|
||
information (from= syslog line).
|
||
Log the DSN code for each recipient if one is available as a new
|
||
equate (dsn=).
|
||
Macro expand PostmasterCopy and DoubleBounceAddress options.
|
||
New "ph" map for performing ph queries in rulesets, see
|
||
sendmail/README for details. Contributed by Mark Roth
|
||
of the University of Illinois at Urbana-Champaign.
|
||
Detect temporary lookup failures in the host map if looking up a
|
||
bracketed IP address. Problem noted by Kari Hurtta of the
|
||
Finnish Meteorological Institute.
|
||
Do not report a Remote-MTA on local deliveries. Problem noted by
|
||
Kari Hurtta of the Finnish Meteorological Institute.
|
||
When a forward file points to an alias which runs a program, run
|
||
the program as the default user and the default group, not
|
||
the forward file user. This change also assures the
|
||
:include: directives in aliases are also processed using
|
||
the default user and group. Problem noted by Sergiu
|
||
Popovici of DNT Romania.
|
||
Prevent attempts to save a dead.letter file for a user with
|
||
no home directory (/no/such/directory). Problem noted by
|
||
Michael Brown of Finnigan FT/MS.
|
||
Include message delay and number of tries when logging that a
|
||
message has been completely delivered (LogLevel of 10 or
|
||
above). Suggested by Nick Hilliard of Ireland Online.
|
||
Log the sender of a message even if none of the recipients were
|
||
accepted. If some of the recipients were rejected, it is
|
||
helpful to know the sender of the message.
|
||
Check the root directory (/) when checking a path for safety.
|
||
Problem noted by John Beck of Sun Microsystems.
|
||
Prevent multiple responses to the DATA command if DeliveryMode is
|
||
interactive and delivering to an alias which resolves to
|
||
multiple files.
|
||
Macros in the helpfile are expanded if the helpfile version is 2 or
|
||
greater (see below); the help function doesn't print the
|
||
version of sendmail any longer, instead it is placed in
|
||
the helpfile ($v). Suggested by Chuck Foster of UUNET
|
||
PIPEX. Additionally, comment lines (starting with #) are
|
||
skipped and a version line (#vers) is introduced. The
|
||
helpfile version for 8.10.0 is 2, if no version or an older
|
||
version is found, a warning is logged. The '#vers'
|
||
directive should be placed at the top of the help file.
|
||
Use fsync() when delivering to a file to guarantee the delivery to
|
||
disk succeeded. Suggested by Nick Christenson.
|
||
If delivery to a file is unsuccessful, truncate the file back to its
|
||
length before the attempt.
|
||
If a forward points to a filename for delivery, change to the
|
||
user's uid before checking permissions on the file. This
|
||
allows delivery to files on NFS mounted directories where
|
||
root is remapped to nobody. Problem noted by Harald
|
||
Daeubler of Universitaet Ulm.
|
||
purgestat and sendmail -bH purge only expired (Timeout.hoststatus)
|
||
host status files, not all files.
|
||
Any macros stored in the class $={persistentMacros} will be saved
|
||
in the queue file for the message and set when delivery
|
||
is attempted on the queued item. Suggested by Kyle Jones of
|
||
Wonderworks Inc.
|
||
Add support for storing information between rulesets using the new
|
||
macro map class. This can be used to store information
|
||
between queue runs as well using $={persistentMacros}.
|
||
Based on an idea from Jan Krueger of Unix-AG of University
|
||
of Hannover.
|
||
New map class arith to allow for computations in rules. The
|
||
operation (+, -, *, /, l (for less than), and =) is given
|
||
as key. The two operands are specified as arguments; the
|
||
lookup returns the result of the computation. For example,
|
||
"$(arith l $@ 4 $@ 2 $)" will return "FALSE" and
|
||
"$(arith + $@ 4 $@ 2 $)" will return "6".
|
||
Add new syntax for header declarations which decide whether to
|
||
include the header based on a macro rather than a mailer
|
||
flag:
|
||
H?${MyMacro}?X-My-Header: ${MyMacro}
|
||
This should be used along with $={persistentMacros}.
|
||
It can be used for adding headers to a message based on
|
||
the results of check_* and header check rulesets.
|
||
Allow new named config file rule check_eoh which is called after
|
||
all of the headers have been collected. The input to the
|
||
ruleset the number of headers and the size of all of the
|
||
headers in bytes separated by $|. This ruleset along with
|
||
the macro storage map can be used to correlate information
|
||
gathered between headers and to check for missing headers.
|
||
See cf/README or doc/op/op.ps for an example.
|
||
Change the default for the MeToo option to True to correspond
|
||
to the clarification in the DRUMS SMTP Update spec. This
|
||
option is deprecated and will be removed from a future
|
||
version.
|
||
Change the sendmail binary default for SendMimeErrors to True.
|
||
Change the sendmail binary default for SuperSafe to True.
|
||
Display ruleset names in debug and address test mode output
|
||
if referencing a named ruleset.
|
||
New mailer equate m= which will limit the number of messages
|
||
delivered per connection on an SMTP or LMTP mailer.
|
||
Improve QueueSortOrder=Host by reversing the hostname before
|
||
using it to sort. Now all the same domains are really run
|
||
through the queue together. If they have the same MX host,
|
||
then they will have a much better opportunity to use the
|
||
connection cache if available. This should be a reasonable
|
||
performance improvement. Patch from Randall Winchester of
|
||
the University of Maryland.
|
||
If a message is rejected by a header check ruleset, log who would
|
||
have received the message if it had not been rejected.
|
||
New "now" value for Timeout.queuereturn to bounce entries from the
|
||
queue immediately. No delivery attempt is made.
|
||
Increase sleeping time exponentially after too many "bad" commands
|
||
up to 4 minutes delay (compare MAX{BAD,NOOP,HELO,VRFY,ETRN}-
|
||
COMMANDS).
|
||
New option ClientPortOptions similar to DaemonPortOptions
|
||
but for outgoing connections.
|
||
New suboptions for DaemonPortOptions: Name (a name used for
|
||
error messages and logging) and Modifiers, i.e.
|
||
a require authentication
|
||
b bind to interface through which mail has
|
||
been received
|
||
c perform hostname canonification
|
||
f require fully qualified hostname
|
||
h use name of interface for outgoing HELO
|
||
command
|
||
C don't perform hostname canonification
|
||
E disallow ETRN (see RFC 2476)
|
||
New suboption for ClientPortOptions: Modifiers, i.e.
|
||
h use name of interface for HELO command
|
||
The version number for queue files (qf) has been incremented to 4.
|
||
Log unacceptable HELO/EHLO domain name attempts if LogLevel is set
|
||
to 10 or higher. Suggested by Rick Troxel of the National
|
||
Institutes of Health.
|
||
If a mailer dies, print the status in decimal instead of octal
|
||
format. Suggested by Michael Shapiro of Sun Microsystems.
|
||
Limit the length of all MX records considered for delivery to 8k.
|
||
Move message priority from sender to recipient logging. Suggested by
|
||
Ulrich Windl of the Universitat Regensburg.
|
||
Add support for Berkeley DB 3.X.
|
||
Add fix for Berkeley DB 2.X fcntl() locking race condition.
|
||
Requires a post-2.7.5 version of Berkeley DB.
|
||
Support writing traffic log (sendmail -X option) to a FIFO.
|
||
Patch submitted by Rick Heaton of Network Associates, Inc.
|
||
Do not ignore Timeout settings in the .cf file when a Timeout
|
||
sub-options is set on the command line. Problem noted by
|
||
Graeme Hewson of Oracle.
|
||
Randomize equal preference MX records each time delivery is
|
||
attempted via a new connection to a host instead of once per
|
||
session. Suggested by Scott Salvidio of Compaq.
|
||
Implement enhanced status codes as defined by RFC 2034.
|
||
Add [hostname] to class w for the names of all interfaces unless
|
||
DontProbeInterfaces is set. This is useful for sending mails
|
||
to hosts which have dynamically assigned names.
|
||
If a message is bounced due to bad MIME conformance, avoid bouncing
|
||
the bounce for the same reason. If the body is not 8-bit
|
||
clean, and EightBitMode isn't set to pass8, the body will
|
||
not be included in the bounce. Problem noted by Valdis
|
||
Kletnieks of Virginia Tech.
|
||
The timeout for sending a message via SMTP has been changed from
|
||
'${msgsize} / 16 + (${nrcpts} * 300)' to a timeout which
|
||
simply checks for progress on sending data every 5 minutes.
|
||
This will detect the inability to send information quicker
|
||
and reduce the number of processes simply waiting to
|
||
timeout.
|
||
Prevent a segmentation fault on systems which give a partial filled
|
||
interface address structure when loading the system network
|
||
interface addresses. Fix from Reinier Bezuidenhout of
|
||
Nanoteq.
|
||
Add a compile-time configuration macro, MAXINTERFACES, which
|
||
indicates the number of interfaces to read when probing
|
||
for hostnames and IP addresses for class w ($=w). The
|
||
default value is 512. Based on idea from Reinier
|
||
Bezuidenhout of Nanoteq.
|
||
If the RefuseLA option is set to 0, do not reject connections based
|
||
on load average.
|
||
Allow ruleset 0 to have a name. Problem noted by Neil Rickert of
|
||
Northern Illinois University.
|
||
Expand the Return-Path: header at delivery time, after "owner-"
|
||
envelope splitting has occurred.
|
||
Don't try to sort the queue if there are no entries. Patch from
|
||
Luke Mewburn from RMIT University.
|
||
Add a "/quit" command to address test mode.
|
||
Include the proper sender in the UNIX "From " line and Return-Path:
|
||
header when undeliverable mail is saved to ~/dead.letter.
|
||
Problem noted by Kari Hurtta of the Finnish Meteorological
|
||
Institute.
|
||
The contents of a class can now be copied to another class using
|
||
the syntax: "C{Dest} $={Source}". This would copy all of
|
||
the items in class $={Source} into the class $={Dest}.
|
||
Include original envelope's error transcript in bounces created for
|
||
split (owner-) envelopes to see the original errors when
|
||
the recipients were added. Based on fix from Motonori
|
||
Nakamura of Kyoto University.
|
||
Show reason for permanent delivery errors directly after the
|
||
addresses. From Motonori Nakamura of Kyoto University.
|
||
Prevent a segmentation fault when bouncing a split-envelope
|
||
message. Patch from Motonori Nakamura of Kyoto University.
|
||
If the specification for the queue run interval (-q###) has a
|
||
syntax error, consider the error fatal and exit.
|
||
Pay attention to CheckpointInterval during LMTP delivery. Problem
|
||
noted by Motonori Nakamura of Kyoto University.
|
||
On operating systems which have setlogin(2), use it to set the
|
||
login name to the RunAsUserName when starting as a daemon.
|
||
This is for delivery to programs which use getlogin().
|
||
Based on fix from Motonori Nakamura of Kyoto University.
|
||
Differentiate between "command not implemented" and "command
|
||
unrecognized" in the SMTP dialogue.
|
||
Strip returns from forward and include files. Problem noted by
|
||
Allan E Johannesen of Worcester Polytechnic Institute.
|
||
Prevent a core dump when using 'sendmail -bv' on an address which
|
||
resolves to the $#error mailer with a temporary failure.
|
||
Based on fix from Neil Rickert of Northern Illinois
|
||
University.
|
||
Prevent multiple deliveries of a message with a "non-local alias"
|
||
pointing to a local user, if canonicalization fails
|
||
the message was requeued *and* delivered to the alias.
|
||
If an invalid ruleset is declared, the ruleset name could be
|
||
ignored and its rules added to S0. Instead, ignore the
|
||
ruleset lines as well.
|
||
Avoid incorrect Final-Recipient, Action, and X-Actual-Recipient
|
||
success DSN fields as well as duplicate entries for a
|
||
single address due to S5 and UserDB processing. Problems
|
||
noted by Kari Hurtta of the Finnish Meteorological
|
||
Institute.
|
||
Turn off timeouts when exiting sendmail due to an interrupt signal
|
||
to prevent the timeout from firing during the exit process.
|
||
Problem noted by Michael Shapiro of Sun Microsystems.
|
||
Do not append @MyHostName to non-RFC822 addresses output by the EXPN
|
||
command or on Final-Recipient: and X-Actual-Recipient: DSN
|
||
headers. Non-RFC822 addresses include deliveries to
|
||
programs, file, DECnet, etc.
|
||
Fix logic for determining if a local user is using -f or -bs to
|
||
spoof their return address. Based on idea from Neil Rickert
|
||
of Northern Illinois University and patch from Per Hedeland
|
||
of Ericsson.
|
||
Report the proper UID in the bounce message if an :include: file is
|
||
owned by a uid that doesn't map to a username and the
|
||
:include: file contains delivery to a file or program.
|
||
Problem noted by John Beck of Sun Microsystems.
|
||
Avoid the attempt of trying to send a second SMTP QUIT command if
|
||
the remote server responds to the first QUIT with a 4xx
|
||
response code and drops the connection. This behavior was
|
||
noted by Ulrich Windl of the Universitat Regensburg when
|
||
sendmail was talking to the Mercury 1.43 MTA.
|
||
If a hostname lookup times out and ServiceSwitchFile is set but the
|
||
file is not present, the lookup failure would be marked as
|
||
a permanent failure instead of a temporary failure. Fix
|
||
from Russell King of the ARM Linux Project.
|
||
Handle aliases or forwards which deliver to programs using tabs
|
||
instead of spaces between arguments. Problem noted by Randy
|
||
Wormser. Fix from Neil Rickert of Northern Illinois
|
||
University.
|
||
Allow MaxRecipientsPerMessage option to be set on the command line
|
||
by normal users (e.g., sendmail won't drop its root
|
||
privileges) to allow overrides for message submission via
|
||
'sendmail -bs'.
|
||
Set the names for help file and statistics file to "helpfile" and
|
||
"statistics", respectively, if no parameters are given for
|
||
them in the .cf file.
|
||
Avoid bogus 'errbody: I/O Error -7' log messages when sending
|
||
success DSN messages for messages relayed to non-DSN aware
|
||
systems. Problem noted by Juergen Georgi of RUS University
|
||
of Stuttgart and Kyle Tucker of Parexel International.
|
||
Prevent +detail information from interfering with local delivery to
|
||
multiple users in the same transaction (F=m).
|
||
Add H_FORCE flag for the X-Authentication-Warning: header, so it
|
||
will be added even if one already exists. Problem noted
|
||
by Michal Zalewski of Marchew Industries.
|
||
Stop processing SMTP commands if the SMTP connection is dropped.
|
||
This prevents a remote system from flooding the connection
|
||
with commands and then disconnecting. Previously, the
|
||
server would process all of the buffered commands. Problem
|
||
noted by Michal Zalewski of Marchew Industries.
|
||
Properly process user-supplied headers beginning with '?'. Problem
|
||
noted by Michal Zalewski of Marchew Industries.
|
||
If multiple header checks resolve to the $#error mailer, use the
|
||
last permanent (5XX) failure if any exist. Otherwise, use
|
||
the last temporary (4XX) failure.
|
||
RFC 1891 requires "hexchar" in a "xtext" to be upper case. Patch
|
||
from Ronald F. Guilmette of Infinite Monkeys & Co.
|
||
Timeout.ident now defaults to 5 seconds instead of 30 seconds to
|
||
prevent the now common delays associated with mailing to a
|
||
site which drops IDENT packets. Suggested by many.
|
||
Persistent host status data is not reloaded disk when current data
|
||
is available in the in-memory cache. Problem noted by Per
|
||
Hedeland of Ericsson.
|
||
mailq displays unprintable characters in addresses as their octal
|
||
representation and a leading backslash. This avoids problems
|
||
with "unprintable" characters. Problem noted by Michal
|
||
Zalewski of the "Internet for Schools" project (IdS).
|
||
The mail line length limit (L= equate) was adding the '!' indicator
|
||
one character past the limit. This would cause subsequent
|
||
hops to break the line again. The '!' is now placed in
|
||
the last column of the limit if the line needs to be broken.
|
||
Problem noted by Joe Pruett of Q7 Enterprises. Based on fix
|
||
from Per Hedeland of Ericsson.
|
||
If a resolver ANY query is larger than the UDP packet size, the
|
||
resolver will fall back to TCP. However, some
|
||
misconfigured firewalls block 53/TCP so the ANY lookup
|
||
fails whereas an MX or A record might succeed. Therefore,
|
||
don't fail on ANY queries.
|
||
If an SMTP recipient is rejected due to syntax errors in the
|
||
address, do not send an empty postmaster notification DSN
|
||
to the postmaster. Problem noted by Neil Rickert of
|
||
Northern Illinois University.
|
||
Allow '_' and '.' in map names when parsing a sequence map
|
||
specification. Patch from William Setzer of North Carolina
|
||
State University.
|
||
Fix hostname in logging of read timeouts for the QUIT command on
|
||
cached connections. Problem noted by Neil Rickert of
|
||
Northern Illinois University.
|
||
Use a more descriptive entry to log "null" connections, i.e.,
|
||
"host did not issue MAIL/EXPN/VRFY/ETRN during connection".
|
||
Fix a file descriptor leak in ONEX mode.
|
||
Portability:
|
||
Reverse signal handling logic such that sigaction(2) with
|
||
the SA_RESTART flag is the preferred method and the
|
||
other signal methods are only tried if SA_RESTART
|
||
is not available. Problem noted by Allan E
|
||
Johannesen of Worcester Polytechnic Institute.
|
||
AIX 4.x supports the sa_len member of struct sockaddr.
|
||
This allows network interface probing to work
|
||
properly. Fix from David Bronder of the
|
||
University of Iowa.
|
||
AIX 4.3 has snprintf() support.
|
||
Use "PPC" as the architecture name when building under
|
||
AIX. This will be reflected in the obj.* directory
|
||
name.
|
||
Apple Darwin support based on Apple Rhapsody port.
|
||
Fixed AIX 'make depend' method from Valdis Kletnieks of
|
||
Virginia Tech.
|
||
Digital UNIX has uname(2).
|
||
GNU Hurd updates from Mark Kettenis of the University of
|
||
Amsterdam.
|
||
Improved HPUX 11.0 portability.
|
||
Properly determine the number of CPUs on FreeBSD 2.X,
|
||
FreeBSD 3.X, HP/UX 10.X and HP/UX 11.X.
|
||
Remove special IRIX ABI cases from Build script and the OS
|
||
files. Use the standard 'cc' options used by SGI
|
||
in building the operating system. Users can
|
||
override the defaults by setting confCC and
|
||
confLIBSEARCHPATH appropriately.
|
||
IRIX nsd map support from Bob Mende of SGI.
|
||
Minor devtools fixes for IRIX from Bob Mende of SGI.
|
||
Linux patch for IP_SRCROUTE support from Joerg Dorchain
|
||
of MW EDV & ELECTRONIC.
|
||
Linux now uses /usr/sbin for confEBINDIR in the build
|
||
system. From MATSUURA Takanori of Osaka University.
|
||
Remove special treatment for Linux PPC in the build
|
||
system. From MATSUURA Takanori of Osaka University.
|
||
Motorolla UNIX SYSTEM V/88 Release 4.0 support from
|
||
Sergey Rusanov of the Republic of Udmurtia.
|
||
NCR MP-RAS 3.x includes regular expression support. From
|
||
Tom J. Moore of NCR.
|
||
NEC EWS-UX/V series settings for _PATH_VENDOR_CF and
|
||
_PATH_SENDMAILPID from Oota Toshiya of
|
||
NEC Computers Group Planning Division.
|
||
Minor NetBSD owner/group tweaks from Ayamura Kikuchi, M.D.
|
||
NEWS-OS 6.X listed SYSLOG_BUFSIZE as 256 in confENVDEF and
|
||
1024 in conf.h. Since confENVDEF would be used,
|
||
use that value in conf.h.
|
||
Use NeXT's NETINFO to get domain name. From Gerd Knops of
|
||
BITart Consulting.
|
||
Use NeXT's NETINFO for alias and hostname resolution if
|
||
AUTO_NETINFO_ALIASES and AUTO_NETINFO_HOSTS are
|
||
defined. Patch from Wilfredo Sanchez of Apple
|
||
Computer, Inc.
|
||
NeXT portability tweaks. Problems reported by Dragan
|
||
Milicic of the University of Utah and J. P. McCann
|
||
of E I A.
|
||
New compile flag FAST_PID_RECYCLE: set this if your system
|
||
can reuse the same PID in the same second.
|
||
New compile flag HASFCHOWN: set this if your OS has
|
||
fchown(2).
|
||
New compile flag HASRANDOM: set this to 0 if your OS does
|
||
not have random(3). rand() will be used instead.
|
||
New compile flag HASSRANDOMDEV: set this if your OS has
|
||
srandomdev(3).
|
||
New compile flag HASSETLOGIN: set this if your OS has
|
||
setlogin(2).
|
||
Replace SINIX and ReliantUNIX support with version
|
||
specific SINIX files. From Gerald Rinske of
|
||
Siemens Business Services.
|
||
Use the 60-second load average instead of the 5 second load
|
||
average on Compaq Tru64 UNIX (formerly Digital
|
||
UNIX). From Chris Teakle of the University of Qld.
|
||
Use ANSI C by default for Compaq Tru64 UNIX. Suggested by
|
||
Randall Winchester of Swales Aerospace.
|
||
Correct setgroups() prototype for Compaq Tru64 UNIX.
|
||
Problem noted by Randall Winchester of Swales
|
||
Aerospace.
|
||
Hitachi 3050R/3050RX and 3500 Workstations running
|
||
HI-UX/WE2 4.02, 6.10 and 7.10 from Motonori
|
||
NAKAMURA of Kyoto University.
|
||
New compile flag NO_GETSERVBYNAME: set this to disable
|
||
use of getservbyname() on systems which can
|
||
not lookup a service by name over NIS, such as
|
||
HI-UX. Patch from Motonori NAKAMURA of Kyoto
|
||
University.
|
||
Use devtools/bin/install.sh on SCO 5.x. Problem noted
|
||
by Sun Wenbing of the China Engineering and
|
||
Technology Information Network.
|
||
make depend didn't work properly on UNIXWARE 4.2. Problem
|
||
noted by Ariel Malik of Netology, Ltd.
|
||
Use /usr/lbin as confEBINDIR for Compaq Tru64 (Digital UNIX).
|
||
Set confSTDIO_TYPE to torek for BSD-OS, FreeBSD, NetBSD,
|
||
and OpenBSD.
|
||
A recent Compaq Ultrix 4.5 Y2K patch has broken detection
|
||
of local_hostname_length(). See sendmail/README
|
||
for more details. Problem noted by Allan E
|
||
Johannesen of Worcester Polytechnic Institute.
|
||
CONFIG: Begin using /etc/mail/ for sendmail related files. This
|
||
affects a large number of files. See cf/README for more
|
||
details.
|
||
CONFIG: New macro MAIL_SETTINGS_DIR contains the path (including
|
||
trailing slash) for the mail settings directory.
|
||
CONFIG: Increment version number of config file to 9.
|
||
CONFIG: OSTYPE(`bsdi1.0') and OSTYPE(`bsdi2.0') have been
|
||
deprecated and may be removed from a future release.
|
||
BSD/OS users should begin using OSTYPE(`bsdi').
|
||
CONFIG: OpenBSD 2.4 installs mail.local non-set-user-ID root. This
|
||
requires a new OSTYPE(`openbsd'). From Todd C. Miller of
|
||
Courtesan Consulting.
|
||
CONFIG: New OSTYPE(`hpux11') for HP/UX 11.X.
|
||
CONFIG: A syntax error in check_mail would cause fake top-level
|
||
domains (.BITNET, .DECNET, .FAX, .USENET, and .UUCP) to
|
||
be improperly rejected as unresolvable.
|
||
CONFIG: New FEATURE(`dnsbl') takes up to two arguments (name of
|
||
DNS server, rejection message) and can be included
|
||
multiple times.
|
||
CONFIG: New FEATURE(`relay_mail_from') allows relaying if the
|
||
mail sender is listed as RELAY in the access map (and tagged
|
||
with From:).
|
||
CONFIG: Optional tagging of LHS in the access map (Connect:,
|
||
From:, To:) to enable finer control.
|
||
CONFIG: New FEATURE(`ldap_routing') implements LDAP address
|
||
routing. See cf/README for a complete description of the
|
||
new functionality.
|
||
CONFIG: New variables for the new sendmail options:
|
||
confAUTH_MECHANISMS AuthMechanisms
|
||
confAUTH_OPTIONS AuthOptions
|
||
confCLIENT_OPTIONS ClientPortOptions
|
||
confCONTROL_SOCKET_NAME ControlSocketName
|
||
confDEAD_LETTER_DROP DeadLetterDrop
|
||
confDEF_AUTH_INFO DefaultAuthInfo
|
||
confDF_BUFFER_SIZE DataFileBufferSize
|
||
confLDAP_DEFAULT_SPEC LDAPDefaultSpec
|
||
confMAX_ALIAS_RECURSION MaxAliasRecursion
|
||
confMAX_HEADERS_LENGTH MaxHeadersLength
|
||
confMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength
|
||
confPID_FILE PidFile
|
||
confPROCESS_TITLE_PREFIX ProcessTitlePrefix
|
||
confRRT_IMPLIES_DSN RrtImpliesDsn
|
||
confTO_CONTROL Timeout.control
|
||
confTO_RESOLVER_RETRANS Timeout.resolver.retrans
|
||
confTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first
|
||
confTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal
|
||
confTO_RESOLVER_RETRY Timeout.resolver.retry
|
||
confTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first
|
||
confTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal
|
||
confTRUSTED_USER TrustedUser
|
||
confXF_BUFFER_SIZE XscriptFileBufferSize
|
||
CONFIG: confDAEMON_OPTIONS has been replaced by DAEMON_OPTIONS(),
|
||
which takes the options as argument and can be used
|
||
multiple times; see cf/README for details.
|
||
CONFIG: Add a fifth mailer definition to MAILER(`smtp') called
|
||
"dsmtp". This mail provides on-demand delivery using the
|
||
F=% mailer flag described above. The "dsmtp" mailer
|
||
definition uses the new DSMTP_MAILER_ARGS which defaults
|
||
to "IPC $h".
|
||
CONFIG: New variables LOCAL_MAILER_MAXMSGS, SMTP_MAILER_MAXMSGS,
|
||
and RELAY_MAILER_MAXMSGS for setting the m= equate for the
|
||
local, smtp, and relay mailers respectively.
|
||
CONFIG: New variable LOCAL_MAILER_DSN_DIAGNOSTIC_CODE for setting
|
||
the DSN Diagnostic-Code type for the local mailer. The
|
||
value should be changed with care.
|
||
CONFIG: FEATURE(`local_lmtp') now sets the DSN Diagnostic-Code type
|
||
for the local mailer to the proper value of "SMTP".
|
||
CONFIG: All included maps are no longer optional by default; if
|
||
there there is a problem with a map, sendmail will
|
||
complain.
|
||
CONFIG: Removed root from class E; use EXPOSED_USER(`root')
|
||
to get the old behavior. Suggested by Joe Pruett
|
||
of Q7 Enterprises.
|
||
CONFIG: MASQUERADE_EXCEPTION() defines hosts/subdomains which
|
||
will not be masqueraded. Proposed by Arne Wichmann
|
||
of MPI Saarbruecken, Griff Miller of PGS Tensor,
|
||
Jayme Cox of Broderbund Software Inc.
|
||
CONFIG: A list of exceptions for FEATURE(`nocanonify') can be
|
||
specified by CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE,
|
||
i.e., a list of domains which are passed to $[ ... $]
|
||
for canonification. Based on an idea from Neil Rickert
|
||
of Northern Illinois University.
|
||
CONFIG: If `canonify_hosts' is specified as parameter for
|
||
FEATURE(`nocanonify') then addresses which have only
|
||
a hostname, e.g., <user@host>, will be canonified.
|
||
CONFIG: If FEATURE(`nocanonify') is turned on, a trailing dot is
|
||
nevertheless added to addresses with more than one component
|
||
in it.
|
||
CONFIG: Canonification is no longer attempted for any host or domain
|
||
in class 'P' ($=P).
|
||
CONFIG: New class for matching virtusertable entries $={VirtHost} that
|
||
can be populated by VIRTUSER_DOMAIN or VIRTUSER_DOMAIN_FILE.
|
||
FEATURE(`virtuser_entire_domain') can be used to apply this
|
||
class also to entire subdomains. Hosts in this class are
|
||
treated as canonical in SCanonify2, i.e., a trailing dot
|
||
is added.
|
||
CONFIG: If VIRTUSER_DOMAIN() or VIRTUSER_DOMAIN_FILE() are used,
|
||
include $={VirtHost} in $=R (hosts allowed to relay).
|
||
CONFIG: FEATURE(`generics_entire_domain') can be used to apply the
|
||
genericstable also to subdomains of $=G.
|
||
CONFIG: Pass "+detail" as %2 for virtusertable lookups.
|
||
Patch from Noam Freedman from University of Chicago.
|
||
CONFIG: Pass "+detail" as %1 for genericstable lookups. Suggested
|
||
by Raymond S Brand of rsbx.net.
|
||
CONFIG: Allow @domain in genericstable to override masquerading.
|
||
Suggested by Owen Duffy from Owen Duffy & Associates.
|
||
CONFIG: LOCAL_DOMAIN() adds entries to class w. Suggested by Steve
|
||
Hubert of University of Washington.
|
||
CONFIG: OSTYPE(`gnuhurd') has been replaced by OSTYPE(`gnu') as
|
||
GNU is now the canonical system name. From Mark
|
||
Kettenis of the University of Amsterdam.
|
||
CONFIG: OSTYPE(`unixware7') updates from Larry Rosenman.
|
||
CONFIG: Do not include '=' in option expansion if there is no value
|
||
associated with the option. From Andrew Brown of
|
||
Graffiti World Wide, Inc.
|
||
CONFIG: Add MAILER(`qpage') to define a new pager mailer. Contributed
|
||
by Philip A. Prindeville of Enteka Enterprise Technology
|
||
Services.
|
||
CONFIG: MAILER(`cyrus') was not preserving case for mail folder
|
||
names. Problem noted by Randall Winchester of Swales
|
||
Aerospace.
|
||
CONFIG: RELAY_MAILER_FLAGS can be used to define additional flags
|
||
for the relay mailer. Suggested by Doug Hughes of Auburn
|
||
University and Brian Candler.
|
||
CONFIG: LOCAL_MAILER_FLAGS now includes 'P' (Add Return-Path:
|
||
header) by default. Suggested by Per Hedeland of Ericsson.
|
||
CONFIG: Use SMART_HOST for bracketed addresses, e.g., user@[host].
|
||
Suggested by Kari Hurtta of the Finnish Meteorological
|
||
Institute.
|
||
CONFIG: New macro MODIFY_MAILER_FLAGS to tweak *_MAILER_FLAGS;
|
||
i.e., to set, add, or delete flags.
|
||
CONFIG: If SMTP AUTH is used then relaying is allowed for any user
|
||
who authenticated via a "trusted" mechanism, i.e., one that
|
||
is defined via TRUST_AUTH_MECH(`list of mechanisms').
|
||
CONFIG: FEATURE(`delay_checks') delays check_mail and check_relay
|
||
after check_rcpt and allows for exceptions from the checks.
|
||
CONFIG: Map declarations have been moved into their associated
|
||
feature files to allow greater flexibility in use of
|
||
sequence maps. Suggested by Per Hedeland of Ericsson.
|
||
CONFIG: New macro LOCAL_MAILER_EOL to override the default end of
|
||
line string for the local mailer. Requested by Il Oh of
|
||
Willamette Industries, Inc.
|
||
CONFIG: Route addresses are stripped, i.e., <@a,@b,@c:user@d> is
|
||
converted to <user@d>
|
||
CONFIG: Reject bogus return address of <@@hostname>, generated by
|
||
Sun's older, broken configuration files.
|
||
CONFIG: FEATURE(`nullclient') now provides the full rulesets of a
|
||
normal configuration, allowing anti-spam checks to be
|
||
performed.
|
||
CONFIG: Don't return a permanent error (Relaying denied) if
|
||
${client_name} can't be resolved just temporarily.
|
||
Suggested by Kari Hurtta of the Finnish Meteorological
|
||
Institute.
|
||
CONFIG: Change numbered rulesets into named (which still can
|
||
be accessed by their numbers).
|
||
CONFIG: FEATURE(`nouucp') takes one parameter: reject or nospecial
|
||
which describes whether to disallow "!" in the local part
|
||
of an address.
|
||
CONFIG: Call Local_localaddr from localaddr (S5) which can be used
|
||
to rewrite an address from a mailer which has the F=5 flag
|
||
set. If the ruleset returns a mailer, the appropriate
|
||
action is taken, otherwise the returned tokens are ignored.
|
||
CONFIG: cf/ostype/solaris.m4 has been renamed to solaris2.pre5.m4
|
||
and cf/ostype/solaris2.m4 is now a copy of solaris2.ml.m4.
|
||
The latter is kept around for backward compatibility.
|
||
CONFIG: Allow ":D.S.N:" for mailer/virtusertable "error:" entries,
|
||
where "D.S.N" is an RFC 1893 compliant error code.
|
||
CONFIG: Use /usr/lbin as confEBINDIR for Compaq Tru64 (Digital UNIX).
|
||
CONFIG: Remove second space between username and date in UNIX From_
|
||
line. Noted by Allan E Johannesen of Worcester Polytechnic
|
||
Institute.
|
||
CONFIG: Make sure all of the mailers have complete T= equates.
|
||
CONFIG: Extend FEATURE(`local_procmail') so it can now take
|
||
arguments overriding the mailer program, arguments, and
|
||
mailer definition flags. This makes it possible to use
|
||
other programs such as maildrop for local delivery.
|
||
CONFIG: Emit warning if FEATURE(`local_lmtp') or
|
||
FEATURE(`local_procmail') is given after MAILER(`local').
|
||
Patch from Richard A. Nelson of IBM.
|
||
CONFIG: Add SMTP Authentication information to Received: header
|
||
default value (confRECEIVED_HEADER).
|
||
CONFIG: Remove `l' flag from USENET_MAILER_FLAGS as it is not a
|
||
local mailer. Problem noted by Per Hedeland of Ericsson.
|
||
CONTRIB: Added bounce-resender.pl from Brian R. Gaeke of the
|
||
University of California at Berkeley.
|
||
CONTRIB: Added domainmap.m4 from Mark D. Roth of the University of
|
||
Illinois at Urbana-Champaign.
|
||
CONTRIB: etrn.pl now recognizes bogus host names. Patch from
|
||
Bruce Barnett of GE's R&D Lab.
|
||
CONTRIB: Patches for re-mqueue.pl by Graeme Hewson of Oracle
|
||
Corporation UK.
|
||
CONTRIB: Added qtool.pl to assist in managing the queues.
|
||
DEVTOOLS: Prevent user environment variables from interfering with
|
||
the Build scripts. Problem noted by Ezequiel H. Panepucci of
|
||
Yale University.
|
||
DEVTOOLS: 'Build -M' will display the obj.* directory which will
|
||
be used for building.
|
||
DEVTOOLS: 'Build -A' will display the architecture that would be
|
||
used for a fresh build.
|
||
DEVTOOLS: New variable confRANLIB, set automatically by configure.sh.
|
||
DEVTOOLS: New variable confRANLIBOPTS for the options to send to
|
||
ranlib.
|
||
DEVTOOLS: 'Build -O <path>' will have the object files build in
|
||
<path>/obj.*. Suggested by Bryan Costales of Exactis.
|
||
DEVTOOLS: New variable confNO_MAN_BUILD which will prevent the
|
||
building of the man pages when defined. Suggested by Bryan
|
||
Costales.
|
||
DEVTOOLS: New variables confNO_HELPFILE_INSTALL and
|
||
confNO_STATISTICS_INSTALL which will prevent the
|
||
installation of the sendmail helpfile and statistics file
|
||
respectively. Suggested by Bryan Costales.
|
||
DEVTOOLS: Recognize ReliantUNIX as SINIX. Patch from Gerald Rinske
|
||
of Siemens Business Services.
|
||
DEVTOOLS: New variable confSTDIO_TYPE which defines the type of
|
||
stdio library. The new buffered file I/O depends on the
|
||
Torek stdio library. This option can be either portable or
|
||
torek.
|
||
DEVTOOLS: New variables confSRCADD and confSMSRCADD which
|
||
correspond to confOBJADD and confSMOBJADD respectively.
|
||
They should contain the C source files for the object files
|
||
listed in confOBJADD and confSMOBJADD. These file names
|
||
will be passed to the 'make depend' stage of compilation.
|
||
DEVTOOLS: New program specific variables for each of the programs
|
||
in the sendmail distribution. Each has the form
|
||
`conf_prog_ENVDEF', for example, `conf_sendmail_ENVDEF'.
|
||
The new variables are conf_prog_ENVDEF, conf_prog_LIBS,
|
||
conf_prog_SRCADD, and conf_prog_OBJADD.
|
||
DEVTOOLS: Build system redesign. This should have little affect on
|
||
building the distribution, but documentation on the changes
|
||
are in devtools/README.
|
||
DEVTOOLS: Don't allow 'Build -f file' if an object directory already
|
||
exists. Suggested by Valdis Kletnieks of Virginia Tech.
|
||
DEVTOOLS: Rename confSRCDIR to confSMSRCDIR since it only identifies
|
||
the path to the sendmail source directory. confSRCDIR is a
|
||
new variable which identifies the root of the source
|
||
directories for all of the programs in the distribution.
|
||
DEVTOOLS: confSRCDIR and confSMSRCDIR are now determined at Build
|
||
time. They can both still be overridden by setting the m4
|
||
macro.
|
||
DEVTOOLS: confSBINGRP now defaults to bin instead of kmem.
|
||
DEVTOOLS: 'Build -Q prefix' uses devtools/Site/prefix.*.m4 for
|
||
build configurations, and places objects in obj.prefix.*/.
|
||
Complains as 'Build -f file' does for existing object
|
||
directories. Suggested by Tom Smith of Digital Equipment
|
||
Corporation.
|
||
DEVTOOLS: Setting confINSTALL_RAWMAN will install unformatted
|
||
manual pages in the directory tree specified by
|
||
confMANROOTMAN.
|
||
DEVTOOLS: If formatting the manual pages fails, copy in the
|
||
preformatted pages from the distribution. The new variable
|
||
confCOPY specifies the copying program.
|
||
DEVTOOLS: Defining confFORCE_RMAIL will install rmail without
|
||
question. Suggested by Terry Lambert of Whistle
|
||
Communications.
|
||
DEVTOOLS: confSTFILE and confHFFILE can be used to change the names
|
||
of the installed statistics and help files, respectively.
|
||
DEVTOOLS: Remove spaces in `uname -r` output when determining
|
||
operating system identity. Problem noted by Erik
|
||
Wachtenheim of Dartmouth College.
|
||
DEVTOOLS: New variable confLIBSEARCHPATH to specify the paths that
|
||
will be search for the libraries specified in confLIBSEARCH.
|
||
Defaults to "/lib /usr/lib /usr/shlib".
|
||
DEVTOOLS: New variables confSTRIP and confSTRIPOPTS for specifying
|
||
how to strip binaries. These are used by the new
|
||
install-strip target.
|
||
DEVTOOLS: New config file site.post.m4 which is included after
|
||
the others (if it exists).
|
||
DEVTOOLS: Change order of LIBS: first product specific libraries
|
||
then the default ones.
|
||
MAIL.LOCAL: Will not be installed set-user-ID root. To use mail.local
|
||
as local delivery agent without LMTP mode, use
|
||
MODIFY_MAILER_FLAGS(`LOCAL', `+S')
|
||
to set the S flag.
|
||
MAIL.LOCAL: Do not reject addresses which would otherwise be
|
||
accepted by sendmail. Suggested by Neil Rickert of
|
||
Northern Illinois University.
|
||
MAIL.LOCAL: New -7 option which causes LMTP mode not to advertise
|
||
8BITMIME in the LHLO response. Suggested by Kari Hurtta of
|
||
the Finnish Meteorological Institute.
|
||
MAIL.LOCAL: Add support for the maillock() routines by defining
|
||
MAILLOCK when compiling. Also requires linking with
|
||
-lmail. Patch from Neil Rickert of Northern Illinois
|
||
University.
|
||
MAIL.LOCAL: Create a Content-Length: header if CONTENTLENGTH is
|
||
defined when compiling. Automatically set for Solaris 2.3
|
||
and later. Patch from Neil Rickert of Northern Illinois
|
||
University.
|
||
MAIL.LOCAL: Move the initialization of the 'notifybiff' address
|
||
structure to the beginning of the program. This ensures that
|
||
the getservbyname() is done before any seteuid to a possibly
|
||
unauthenticated user. If you are using NIS+ and secure RPC
|
||
on a Solaris system, this avoids syslog messages such as,
|
||
"authdes_refresh: keyserv(1m) is unable to encrypt session
|
||
key." Patch from Neil Rickert of Northern Illinois
|
||
University.
|
||
MAIL.LOCAL: Support group writable mail spool files when MAILGID is
|
||
set to the gid to use (-DMAILGID=6) when compiling.
|
||
Patch from Neil Rickert of Northern Illinois University.
|
||
MAIL.LOCAL: When a mail message included lines longer than 2046
|
||
characters (in LMTP mode), mail.local split the incoming
|
||
line up into 2046-character output lines (excluding the
|
||
newline). If an input line was 2047 characters long
|
||
(excluding CR-LF) and the last character was a '.',
|
||
mail.local saw it as the end of input, transferred it to the
|
||
user mailbox and tried to write an `ok' back to sendmail.
|
||
If the message was much longer, both sendmail and
|
||
mail.local would deadlock waiting for each other to read
|
||
what they have written. Problem noted by Peter Jeremy of
|
||
Alcatel Australia Limited.
|
||
MAIL.LOCAL: New option -b to return a permanent error instead of a
|
||
temporary error if a mailbox exceeds quota. Suggested by
|
||
Neil Rickert of Northern Illinois University.
|
||
MAIL.LOCAL: The creation of a lockfile is subject to a global
|
||
timeout to avoid starvation.
|
||
MAIL.LOCAL: Properly parse addresses with multiple quoted
|
||
local-parts. Problem noted by Ronald F. Guilmette of
|
||
Infinite Monkeys & Co.
|
||
MAIL.LOCAL: NCR MP/RAS 3.X portability from Tom J. Moore of NCR.
|
||
MAILSTATS: New -p option to invoke program mode in which stats are
|
||
printed in a machine readable fashion and the stats file
|
||
is reset. Patch from Kevin Hildebrand of the University
|
||
of Maryland.
|
||
MAKEMAP: If running as root, automatically change the ownership of
|
||
generated maps to the TrustedUser as specified in the
|
||
sendmail configuration file.
|
||
MAKEMAP: New -C option to accept an alternate sendmail
|
||
configuration file to use for finding the TrustedUser
|
||
option.
|
||
MAKEMAP: New -u option to dump (unmap) a database. Based on
|
||
code contributed by Roy Mongiovi of Georgia Tech.
|
||
MAKEMAP: New -e option to allow empty values. Suggested by Philip
|
||
A. Prindeville of Enteka Enterprise Technology Services.
|
||
MAKEMAP: Compile cleanly on 64-bit operating systems. Problem
|
||
noted by Gerald Rinske of Siemens Business Services.
|
||
OP.ME: Correctly document interaction between F=S and U= mailer
|
||
equates. Problem noted by Bob Halley of Internet Engines.
|
||
OP.ME: Fixup Timeout documentation. From Graeme Hewson of Oracle
|
||
Corporation UK.
|
||
OP.ME: The Timeout [r] option was incorrectly listed as "safe"
|
||
(e.g., sendmail would not drop root privileges if the
|
||
option was specified on the command line). Problem noted
|
||
by Todd C. Miller of Courtesan Consulting.
|
||
PRALIASES: Handle the hash and btree map specifications for
|
||
Berkeley DB. Patch from Brian J. Coan of the
|
||
Institute for Global Communications.
|
||
PRALIASES: Read the sendmail.cf file for the location(s) of the
|
||
alias file(s) if the -f option is not used. Patch from
|
||
John Beck of Sun Microsystems.
|
||
PRALIASES: New -C option to specify an alternate sendmail
|
||
configuration file to use for finding alias file(s). Patch
|
||
from John Beck of Sun Microsystems.
|
||
SMRSH: allow shell commands echo, exec, and exit. Allow command
|
||
lists using || and &&. Based on patch from Brian J. Coan
|
||
of the Institute for Global Communications.
|
||
SMRSH: Update README for the new Build system. From Tim Pierce
|
||
of RootsWeb Genealogical Data Cooperative.
|
||
VACATION: Added vacation auto-responder to sendmail distribution.
|
||
LIBSMDB: Added abstracted database library. Works with Berkeley
|
||
DB 1.85, Berkeley DB 2.X, Berkeley DB 3.X, and NDBM.
|
||
Changed Files:
|
||
The Build script in the various program subdirectories are
|
||
no longer symbolic links. They are now scripts
|
||
which execute the actual Build script in
|
||
devtools/bin.
|
||
All the manual pages are now written against -man and not
|
||
-mandoc as they were previously.
|
||
Add a simple Makefile to every directory so make instead
|
||
of Build will work (unless parameters are
|
||
required for Build).
|
||
New Directories:
|
||
devtools/M4/UNIX
|
||
include
|
||
libmilter
|
||
libsmdb
|
||
libsmutil
|
||
vacation
|
||
Renamed Directories:
|
||
BuildTools => devtools
|
||
src => sendmail
|
||
Deleted Files:
|
||
cf/m4/nullrelay.m4
|
||
devtools/OS/Linux.ppc
|
||
devtools/OS/ReliantUNIX
|
||
devtools/OS/SINIX
|
||
sendmail/ldap_map.h
|
||
New Files:
|
||
INSTALL
|
||
PGPKEYS
|
||
cf/cf/generic-linux.cf
|
||
cf/cf/generic-linux.mc
|
||
cf/feature/delay_checks.m4
|
||
cf/feature/dnsbl.m4
|
||
cf/feature/generics_entire_domain.m4
|
||
cf/feature/no_default_msa.m4
|
||
cf/feature/relay_mail_from.m4
|
||
cf/feature/virtuser_entire_domain.m4
|
||
cf/mailer/qpage.m4
|
||
cf/ostype/bsdi.m4
|
||
cf/ostype/hpux11.m4
|
||
cf/ostype/openbsd.m4
|
||
contrib/bounce-resender.pl
|
||
contrib/domainmap.m4
|
||
contrib/qtool.8
|
||
contrib/qtool.pl
|
||
devtools/M4/depend/AIX.m4
|
||
devtools/M4/list.m4
|
||
devtools/M4/string.m4
|
||
devtools/M4/subst_ext.m4
|
||
devtools/M4/switch.m4
|
||
devtools/OS/Darwin
|
||
devtools/OS/GNU
|
||
devtools/OS/SINIX.5.43
|
||
devtools/OS/SINIX.5.44
|
||
devtools/OS/m88k
|
||
devtools/bin/find_in_path.sh
|
||
mail.local/Makefile
|
||
mailstats/Makefile
|
||
makemap/Makefile
|
||
praliases/Makefile
|
||
rmail/Makefile
|
||
sendmail/Makefile
|
||
sendmail/bf.h
|
||
sendmail/bf_portable.c
|
||
sendmail/bf_portable.h
|
||
sendmail/bf_torek.c
|
||
sendmail/bf_torek.h
|
||
sendmail/shmticklib.c
|
||
sendmail/statusd_shm.h
|
||
sendmail/timers.c
|
||
sendmail/timers.h
|
||
smrsh/Makefile
|
||
vacation/Makefile
|
||
Renamed Files:
|
||
cf/ostype/gnuhurd.m4 => cf/ostype/gnu.m4
|
||
sendmail/cdefs.h => include/sendmail/cdefs.h
|
||
sendmail/sendmail.hf => sendmail/helpfile
|
||
sendmail/mailstats.h => include/sendmail/mailstats.h
|
||
sendmail/pathnames.h => include/sendmail/pathnames.h
|
||
sendmail/safefile.c => libsmutil/safefile.c
|
||
sendmail/snprintf.c => libsmutil/snprintf.c
|
||
sendmail/useful.h => include/sendmail/useful.h
|
||
cf/ostype/solaris2.m4 => cf/ostype/solaris2.pre5.m4
|
||
Copied Files:
|
||
cf/ostype/solaris2.ml.m4 => cf/ostype/solaris2.m4
|
||
|
||
8.9.3/8.9.3 1999/02/04
|
||
SECURITY: Limit message headers to a maximum of 32K bytes (total
|
||
of all headers in a single message) to prevent a denial of
|
||
service attack. This limit will be configurable in 8.10.
|
||
Problem noted by Michal Zalewski of the "Internet for
|
||
Schools" project (IdS).
|
||
Prevent segmentation fault on an LDAP lookup if the LDAP map
|
||
was closed due to an earlier failure. Problem noted by
|
||
Jeff Wasilko of smoe.org. Fix from Booker Bense of
|
||
Stanford University and Per Hedeland of Ericsson.
|
||
Preserve the order of the MIME headers in multipart messages
|
||
when performing the MIME header length check. This
|
||
will allow PGP signatures to function properly. Problem
|
||
noted by Lars Hecking of University College, Cork, Ireland.
|
||
If ruleset 5 rewrote the local address to an :include: directive,
|
||
the delivery would fail with an "aliasing/forwarding loop
|
||
broken" error. Problem noted by Eric C Hagberg of Morgan
|
||
Stanley. Fix from Per Hedeland of Ericsson.
|
||
Allow -T to work for bestmx maps. Fix from Aaron Schrab of
|
||
ExecPC Internet Systems.
|
||
During the transfer of a message in an SMTP transaction, if a
|
||
TCP timeout occurs, the message would be properly queued
|
||
for later retry but the failure would be logged as
|
||
"Illegal Seek" instead of a timeout. Problem noted by
|
||
Piotr Kucharski of the Warsaw School of Economics (SGH)
|
||
and Carles Xavier Munyoz Baldo of CTV Internet.
|
||
Prevent multiple deliveries on a self-referencing alias if the
|
||
F=w mailer flag is not set. Problem noted by Murray S.
|
||
Kucherawy of Concentric Network Corporation and Per
|
||
Hedeland of Ericsson.
|
||
Do not strip empty headers but if there is no value and a
|
||
default is defined in sendmail.cf, use the default.
|
||
Problem noted by Philip Guenther of Gustavus Adolphus
|
||
College and Christopher McCrory of Netus, Inc.
|
||
Don't inherit information about the sender (notably the full name)
|
||
in SMTP (-bs) mode, since this might be called from inetd.
|
||
Accept any 3xx reply code in response to DATA command instead of
|
||
requiring 354. This change will match the wording to be
|
||
published in the updated SMTP specification from the DRUMS
|
||
group of the IETF.
|
||
Portability:
|
||
AIX 4.2.0 or 4.2.1 may become updated by the fileset
|
||
bos.rte.net level 4.2.0.2. This introduces the
|
||
softlink /usr/lib/libbind.a which should
|
||
not be used. It conflicts with the resolver
|
||
built into libc.a. "bind" has been removed
|
||
from the confLIBSEARCH BuildTools variable.
|
||
Users who have installed BIND 8.X will have
|
||
to add it back in their site.config.m4 file.
|
||
Problem noted by Ole Holm Nielsen of the
|
||
Technical University of Denmark.
|
||
CRAY TS 10.0.x from Sven Nielsen of San Diego
|
||
Supercomputer Center.
|
||
Improved LDAP version 3 integration based on input
|
||
from Kurt D. Zeilenga of the OpenLDAP Foundation,
|
||
John Beck of Sun Microsystems, and Booker Bense
|
||
of Stanford University.
|
||
Linux doesn't have a standard way to get the timezone
|
||
between different releases. Back out the
|
||
change in 8.9.2 and don't attempt to derive
|
||
a timezone. Problem reported by Igor S. Livshits
|
||
of the University of Illinois at Urbana-Champaign
|
||
and Michael Dickens of Tetranet Communications.
|
||
Reliant UNIX, the new name for SINIX, from Gert-Jan Looy
|
||
of Siemens/SNI.
|
||
SunOS 5.8 from John Beck of Sun Microsystems.
|
||
CONFIG: SCO UnixWare 2.1 and 7.0 need TZ to get the proper
|
||
timezone. Problem noted by Petr Lampa of Technical
|
||
University of Brno.
|
||
CONFIG: Handle <@bestmx-host:user@otherhost> addressing properly
|
||
when using FEATURE(bestmx_is_local). Patch from Neil W.
|
||
Rickert of Northern Illinois University.
|
||
CONFIG: Properly handle source routed and %-hack addresses on
|
||
hosts which the mailertable remaps to local:. Patch from
|
||
Neil W. Rickert of Northern Illinois University.
|
||
CONFIG: Internal fixup of mailertable local: map value. Patch from
|
||
Larry Parmelee of Cornell University.
|
||
CONFIG: Only add back +detail from host portion of mailer triplet
|
||
on local mailer triplets if it was originally +detail.
|
||
Patch from Neil W. Rickert of Northern Illinois University.
|
||
CONFIG: The bestmx_is_local checking done in check_rcpt would
|
||
cause later checks to fail. Patch from Paul J Murphy of
|
||
MIDS Europe.
|
||
New Files:
|
||
BuildTools/OS/CRAYTS.10.0.x
|
||
BuildTools/OS/ReliantUNIX
|
||
BuildTools/OS/SunOS.5.8
|
||
|
||
8.9.2/8.9.2 1998/12/30
|
||
SECURITY: Remove five second sleep on accepting daemon connections
|
||
due to an accept() failure. This sleep could be used
|
||
for a denial of service attack.
|
||
Do not silently ignore queue files with names which are too long.
|
||
Patch from Bryan Costales of InfoBeat, Inc.
|
||
Do not store failures closing an SMTP session in persistent
|
||
host status. Reported by Graeme Hewson of Oracle
|
||
Corporation UK.
|
||
Allow symbolic link forward files if they are in safe directories.
|
||
Problem noted by Andreas Schott of the Max Planck Society.
|
||
Missing columns in a text map could cause a segmentation fault.
|
||
Fix from David Lee of the University of Durham.
|
||
Note that for 8.9.X, PrivacyOptions=goaway also includes the
|
||
noetrn flag. This is scheduled to change in a future
|
||
version of sendmail. Problem noted by Theo Van Dinter of
|
||
Chrysalis Symbolic Designa and Alan Brown of Manawatu
|
||
Internet Services.
|
||
When trying to do host canonification in a Wildcard MX
|
||
environment, try an MX lookup of the hostname without the
|
||
default domain appended. Problem noted by Olaf Seibert of
|
||
Polderland Language & Speech Technology.
|
||
Reject SMTP RCPT To: commands with only comments (i.e.
|
||
'RCPT TO: (comment)'. Problem noted by Earle Ake of
|
||
Hassler Communication Systems Technology, Inc.
|
||
Handle any number of %s in the LDAP filter spec. Patch from
|
||
Per Hedeland of Ericsson.
|
||
Clear ldapx open timeouts even if the map open failed to prevent
|
||
a segmentation fault. Patch from Wayne Knowles of the
|
||
National Institute of Water & Atmospheric Research Ltd.
|
||
Do not syslog envelope clone messages when using address
|
||
verification (-bv). Problem noted by Kari Hurtta of the
|
||
Finnish Meteorological Institute.
|
||
Continue to perform queue runs while in daemon mode even if the
|
||
daemon is rejecting connections due to a disk full
|
||
condition. Problem noted by JR Oldroyd of TerraNet
|
||
Internet Services.
|
||
Include full filename on installation of the sendmail.hf file
|
||
in case the $HFDIR directory does not exist. Problem
|
||
noted by Josef Svitak of Montana State University.
|
||
Close all maps when exiting the process with one exception.
|
||
Berkeley DB can use internal shared memory locking for
|
||
its memory pool. Closing a map opened by another process
|
||
will interfere with the shared memory and locks of the
|
||
parent process leaving things in a bad state. For
|
||
Berkeley DB, only close the map if the current process
|
||
is also the one that opened the map, otherwise only close
|
||
the map file descriptor. Thanks to Yoseff Francus of
|
||
Collective Technologies for volunteering his system for
|
||
extended testing.
|
||
Avoid null pointer dereference on XDEBUG output for SMTP reply
|
||
failures. Problem noted by Carlos Canau of EUnet Portugal.
|
||
On mailq and hoststat listings being piped to another program, such
|
||
as more, if the pipe closes (i.e., the user quits more),
|
||
stop sending output and exit. Patch from Allan E Johannesen
|
||
of Worcester Polytechnic Institute.
|
||
In accordance with the documentation, LDAP map lookup failures
|
||
are now considered temporary failures instead of permanent
|
||
failures unless the -t flag is used in the map definition.
|
||
Problem noted by Booker Bense of Stanford University and
|
||
Eric C. Hagberg of Morgan Stanley.
|
||
Fix by one error reporting on long alias names. Problem noted by
|
||
H. Paul Hammann of the Missouri Research and Education
|
||
Network.
|
||
Fix DontBlameSendmail=IncludeFileInUnsafeDirPath behavior. Problem
|
||
noted by Barry S. Finkel of Argonne National Laboratory.
|
||
When automatically converting from 8 bit to quoted printable MIME,
|
||
be careful not to miss a multi-part boundary if that
|
||
boundary is preceded by a boundary-like line. Problem
|
||
noted by Andreas Raschle of Ansid Inc. Fix from
|
||
Kari Hurtta of the Finnish Meteorological Institute.
|
||
Avoid bogus reporting of "LMTP tobuf overflow" when the buffer
|
||
has enough space for the additional address. Problem
|
||
noted by Steve Cliffe of the University of Wollongong.
|
||
Fix DontBlameSendmail=FileDeliveryToSymlink behavior. Problem
|
||
noted by Alex Vorobiev of Swarthmore College.
|
||
If the check_compat ruleset resolves to the $#discard mailer,
|
||
discard the current recipient. Unlike check_relay,
|
||
check_mail, and check_rcpt, the entire envelope is not
|
||
discarded. Problem noted by RZ D. Rahlfs. Fix from
|
||
Claus Assmann of Christian-Albrechts-University of Kiel.
|
||
Avoid segmentation fault when reading ServiceSwitchFile files with
|
||
bogus formatting. Patch from Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
Support Berkeley DB 2.6.4 API change.
|
||
OP.ME: Pages weren't properly output on duplexed printers. Fix
|
||
from Matthew Black of CSU Long Beach.
|
||
Portability:
|
||
Apple Rhapsody from Wilfredo Sanchez of Apple Computer, Inc.
|
||
Avoid a clash with IRIX 6.2 getopt.h and the UserDatabase
|
||
option structure. Problem noted by Ashley M.
|
||
Kirchner of Photo Craft Laboratories, Inc.
|
||
Break out IP address to hostname translation for
|
||
reading network interface addresses into
|
||
class 'w'. Patch from John Kennedy of
|
||
Cal State University, Chico.
|
||
AIX 4.x use -qstrict with -O3 to prevent the optimized
|
||
from changing the semantics of the compiled
|
||
program. From Simon Travaglia of the
|
||
University of Waikato, New Zealand.
|
||
FreeBSD 2.2.2 and later support setusercontext(). From
|
||
Peter Wemm of DIALix.
|
||
FreeBSD 3.x fix from Peter Wemm of DIALix.
|
||
IRIX 5.x has a syslog buffer size of 512 bytes. From
|
||
Nao NINOMIYA of Utsunomiya University.
|
||
IRIX 6.5 64-bit Build support.
|
||
LDAP Version 3 support from John Beck and Ravi Iyer
|
||
of Sun Microsystems.
|
||
Linux does not implement seteuid() properly. From
|
||
John Kennedy of Cal State University, Chico.
|
||
Linux timezone type was set improperly. From Takeshi Itoh
|
||
of Bits Co., Ltd.
|
||
NCR MP-RAS 3.x needs -lresolv for confLIBS. From
|
||
Tom J. Moore of NCR.
|
||
NeXT 4.x correction to man page path. From J. P. McCann
|
||
of E I A.
|
||
System V Rel 5.x (a.k.a UnixWare7 w/o BSD-Compatibility Libs)
|
||
from Paul Gampe of the Asia Pacific Network
|
||
Information Center.
|
||
ULTRIX now requires an optimization limit of 970 from
|
||
Allan E Johannesen of Worcester Polytechnic
|
||
Institute.
|
||
Fix extern declaration for sm_dopr(). Fix from Henk
|
||
van Oers of Algemeen Nederlands Persbureau.
|
||
CONFIG: Catch @hostname,user@anotherhost.domain as relaying.
|
||
Problem noted by Mark Rogov of AirMedia, Inc. Fix from
|
||
Claus Assmann of Christian-Albrechts-University of Kiel.
|
||
CONFIG: Do not refer to http://maps.vix.com/ on RBL rejections as
|
||
there are multiple RBL's available and the MAPS RBL may
|
||
not be the one in use. Suggested by Alan Brown of
|
||
Manawatu Internet Services.
|
||
CONFIG: Properly strip route addresses (i.e., @host1:user@host2)
|
||
when stripping down a recipient address to check for
|
||
relaying. Patch from Claus Assmann of
|
||
Christian-Albrechts-University of Kiel and Neil W Rickert
|
||
of Northern Illinois University.
|
||
CONFIG: Allow the access database to override RBL lookups. Patch
|
||
from Claus Assmann of Christian-Albrechts-University of
|
||
Kiel.
|
||
CONFIG: UnixWare 7 support from Phillip P. Porch of The Porch
|
||
Dot Com.
|
||
CONFIG: Fixed check for deferred delivery mode warning. Patch
|
||
from Claus Assmann of Christian-Albrechts-University of
|
||
Kiel and Per Hedeland of Ericsson.
|
||
CONFIG: If a recipient using % addressing is used, e.g.
|
||
user%site@othersite, and othersite's MX records are now
|
||
checked for local hosts if FEATURE(relay_based_on_MX) is
|
||
used. Problem noted by Alexander Litvin of Lucky Net Ltd.
|
||
Patch from Alexander Litvin of Lucky Net Ltd and
|
||
Claus Assmann of Christian-Albrechts-University of Kiel.
|
||
MAIL.LOCAL: Prevent warning messages from appearing in the LMTP
|
||
stream. Do not allow more than one response per recipient.
|
||
MAIL.LOCAL: Handle routed addresses properly when using LMTP. Fix
|
||
from John Beck of Sun Microsystems.
|
||
MAIL.LOCAL: Properly check for CRLF when using LMTP. Fix from
|
||
John Beck of Sun Microsystems.
|
||
MAIL.LOCAL: Substitute MAILER-DAEMON for the LMTP empty sender in
|
||
the envelope From header.
|
||
MAIL.LOCAL: Accept underscores in hostnames in LMTP mode.
|
||
Problem noted by Glenn A. Malling of Syracuse University.
|
||
MAILSTATS: Document msgsrej and msgsdis fields in the man page.
|
||
Problem noted by Richard Wong of Princeton University.
|
||
MAKEMAP: Build group list so group writable files are allowed with
|
||
the -s flag. Problem noted by Curt Sampson of Internet
|
||
Portal Services, Inc.
|
||
PRALIASES: Automatically handle alias files created without the
|
||
NULL byte at the end of the key. Patch from John Beck of
|
||
Sun Microsystems.
|
||
PRALIASES: Support Berkeley DB 2.6.4 API change.
|
||
New Files:
|
||
BuildTools/OS/IRIX64.6.5
|
||
BuildTools/OS/UnixWare.5.i386
|
||
cf/ostype/unixware7.m4
|
||
contrib/smcontrol.pl
|
||
src/control.c
|
||
|
||
8.9.1/8.9.1 1998/07/02
|
||
If both an OS specific site configuration file and a generic
|
||
site.config.m4 file existed, only the latter was used
|
||
instead of both. Problem noted by Geir Johannessen of
|
||
the Norwegian University of Science and Technology.
|
||
Fix segmentation fault while converting 8 bit to 7 bit MIME
|
||
multipart messages by trying to write to an unopened
|
||
file descriptor. Fix from Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
Do not assume Message: and Text: headers indicate the end of
|
||
the header area when parsing MIME headers. Problem noted
|
||
by Kari Hurtta of the Finnish Meteorological Institute.
|
||
Setting the confMAN#SRC Build variable would only effect the
|
||
installation commands. The man pages would still be
|
||
built with .0 extensions. Problem noted by Bryan
|
||
Costales of InfoBeat, Inc.
|
||
Installation of manual pages didn't honor the DESTDIR environment
|
||
variable. Problem noted by Bryan Costales of InfoBeat, Inc.
|
||
If the check_relay ruleset resolved to the discard mailer, messages
|
||
were still delivered. Problem noted by Mirek Luc of NASK.
|
||
Mail delivery to files would fail with an Operating System Error
|
||
if sendmail was not running as root, i.e., RunAsUser was set.
|
||
Problem noted by Leonard N. Zubkoff of Dandelion Digital.
|
||
Prevent MinQueueAge from interfering from queued items created
|
||
in the future, i.e., if the system clock was set ahead
|
||
and then back. Problem noted by Michael Miller of the
|
||
University of Natal, Pietermaritzburg.
|
||
Do not advertise ETRN support in ESTMP EHLO reply if noetrn is
|
||
set in the PrivacyOptions option. Fix from Ted Rule of
|
||
Flextech TV.
|
||
Log invalid persistent host status file lines instead of
|
||
bouncing the message. Problem noted by David Lindes of
|
||
DaveLtd Enterprises.
|
||
Move creation of empty sendmail.st file from installation to
|
||
compilation. Installation may be done from a read-only
|
||
mount. Fix from Bryan Costales of InfoBeat, Inc. and Ric
|
||
Anderson of the Oasis Research Center, Inc.
|
||
Enforce the maximum number of User Database entries limit. Problem
|
||
noted by Gary Buchanan of Credence Systems Inc.
|
||
Allow dead.letter files in root's home directory. Problem noted
|
||
by Anna Ullman of Sun Microsystems.
|
||
Program deliveries in forward files could be marked unsafe if
|
||
any directory listed in the ForwardPath option did not
|
||
exist. Problem noted by Jorg Bielak of Coastal Web Online.
|
||
Do not trust the length of the address structure returned by
|
||
gethostbyname(). Problem noted by Chris Evans of Oxford
|
||
University.
|
||
If the SIZE= MAIL From: ESMTP parameter is too large, use the
|
||
5.3.4 DSN status code instead of 5.2.2. Similarly, for
|
||
non-local deliveries, if the message is larger than the
|
||
mailer maximum message size, use 5.3.4 instead of 5.2.3.
|
||
Suggested by Antony Bowesman of
|
||
Fujitsu/TeaWARE Mail/MIME System.
|
||
Portability:
|
||
Fix the check for an IP address reverse lookup for
|
||
use in $&{client_name} on 64 bit platforms.
|
||
From Gilles Gallot of Institut for Development
|
||
and Resources in Intensive Scientific computing.
|
||
BSD-OS uses .0 for man page extensions. From Jeff Polk
|
||
of BSDI.
|
||
DomainOS detection for Build. Also, version 10.4 and later
|
||
ship a unistd.h. Fixes from Takanobu Ishimura of
|
||
PICT Inc.
|
||
NeXT 4.x uses /usr/lib/man/cat for its man pages. From
|
||
J. P. McCann of E I A.
|
||
SCO 4.X and 5.X include NDBM support. From Vlado Potisk
|
||
of TEMPEST, Ltd.
|
||
CONFIG: Do not pass spoofed PTR results through resolver for
|
||
qualification. Problem noted by Michiel Boland of
|
||
Digital Valley Internet Professionals; fix from
|
||
Kari Hurtta of the Finnish Meteorological Institute.
|
||
CONFIG: Do not try to resolve non-DNS hostnames such as UUCP,
|
||
BITNET, and DECNET addresses for resolvable senders.
|
||
Problem noted by Alexander Litvin of Lucky Net Ltd.
|
||
CONFIG: Work around Sun's broken configuration which sends bounce
|
||
messages as coming from @@hostname instead of <>. LMTP
|
||
would not accept @@hostname.
|
||
OP.ME: Corrections to complex sendmail startup script from Rick
|
||
Troxel of the National Institutes of Health.
|
||
RMAIL: Do not install rmail by default, require 'make force-install'
|
||
as this rmail isn't the same as others. Suggested by
|
||
Kari Hurtta of the Finnish Meteorological Institute.
|
||
New Files:
|
||
BuildTools/OS/DomainOS.10.4
|
||
|
||
8.9.0/8.9.0 1998/05/19
|
||
SECURITY: To prevent users from reading files not normally
|
||
readable, sendmail will no longer open forward, :include:,
|
||
class, ErrorHeader, or HelpFile files located in unsafe
|
||
(i.e., group or world writable) directory paths. Sites
|
||
which need the ability to override security can use the
|
||
DontBlameSendmail option. See the README file for more
|
||
information.
|
||
SECURITY: Problems can occur on poorly managed systems, specifically,
|
||
if maps or alias files are in world writable directories.
|
||
This fixes the change added to 8.8.6 to prevent links in these
|
||
world writable directories.
|
||
SECURITY: Make sure ServiceSwitchFile option file is not a link if
|
||
it is in a world writable directory.
|
||
SECURITY: Never pass a tty to a mailer -- if a mailer can get at the
|
||
tty it may be able to push bytes back to the senders input.
|
||
Unfortunately this breaks -v mode. Problem noted by
|
||
Wietse Venema of the Global Security Analysis Lab at
|
||
IBM T.J. Watson Research.
|
||
SECURITY: Empty group list if DontInitGroups is set to true to
|
||
prevent program deliveries from picking up extra group
|
||
privileges. Problem reported by Wolfgang Ley of DFN-CERT.
|
||
SECURITY: The default value for DefaultUser is now set to the uid and
|
||
gid of the first existing user mailnull, sendmail, or daemon
|
||
that has a non-zero uid. If none of these exist, sendmail
|
||
reverts back to the old behavior of using uid 1 and gid 1.
|
||
This is a security problem for Linux which has chosen that
|
||
uid and gid for user bin instead of daemon. If DefaultUser
|
||
is set in the configuration file, that value overrides this
|
||
default.
|
||
SECURITY: Since 8.8.7, the check for non-set-user-ID binaries
|
||
interfered with setting an alternate group id for the
|
||
RunAsUser option. Problem noted by Randall Winchester of
|
||
the University of Maryland.
|
||
Add support for Berkeley DB 2.X. Based on patch from John Kennedy
|
||
of Cal State University, Chico.
|
||
Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB). Users
|
||
which previously defined OLD_NEWDB=1 must now upgrade to the
|
||
current version of Berkeley DB.
|
||
Added support for regular expressions using the new map class regex.
|
||
From Jan Krueger of Unix-AG of University of Hannover.
|
||
Support for BIND 8.1.1's hesiod for hesiod maps and hesiod
|
||
UserDatabases from Randall Winchester of the University
|
||
of Maryland.
|
||
Allow any shell for user shell on program deliveries on V1
|
||
configurations for backwards compatibility on machines which
|
||
do not have getusershell(). Fix from John Beck of Sun
|
||
Microsystems.
|
||
On operating systems which change the process title by reusing the
|
||
argument vector memory, sendmail could corrupt memory if the
|
||
last argument was either "-q" or "-d". Problem noted by
|
||
Frank Langbein of the University of Stuttgart.
|
||
Support Local Mail Transfer Protocol (LMTP) between sendmail and
|
||
mail.local on the F=z flag.
|
||
Macro-expand the contents of the ErrMsgFile. Previously this was
|
||
only done if you had magic characters (0x81) to indicate
|
||
macro expansion. Now $x will be expanded. This means that
|
||
real dollar signs have to be backslash escaped.
|
||
TCP Wrappers expects "unknown" in the hostname argument if the
|
||
reverse DNS lookup for the incoming connection fails.
|
||
Problem noted by Randy Grimshaw of Syracuse University and
|
||
Wietse Venema of the Global Security Analysis Lab at
|
||
IBM T.J. Watson Research.
|
||
DSN success bounces generated from an invocation of sendmail -t
|
||
would be sent to both the sender and MAILER-DAEMON.
|
||
Problem noted by Claus Assmann of
|
||
Christian-Albrechts-University of Kiel.
|
||
Avoid "Error 0" messages on delivery mailers which exit with a
|
||
valid exit value such as EX_NOPERM. Fix from Andreas Luik
|
||
of ISA Informationssysteme GmbH.
|
||
Tokenize $&x expansions on right hand side of rules. This eliminates
|
||
the need to use tricks like $(dequote "" $&{client_name} $)
|
||
to cause the ${client_name} macro to be properly tokenized.
|
||
Add the MaxRecipientsPerMessage option: this limits the number of
|
||
recipients that will be accepted in a single SMTP
|
||
transaction. After this number is reached, sendmail
|
||
starts returning "452 Too many recipients" to all RCPT
|
||
commands. This can be used to limit the number of recipients
|
||
per envelope (in particular, to discourage use of the server
|
||
for spamming). Note: a better approach is to restrict
|
||
relaying entirely.
|
||
Fixed pointer initialization for LDAP lmap struct, fixed -s option
|
||
to ldapx map and added timeout for ldap_open call to
|
||
avoid hanging sendmail in the event of hung LDAP servers.
|
||
Patch from Booker Bense of Stanford University.
|
||
Allow multiple -qI, -qR, or -qS queue run limiters. For example,
|
||
'-qRfoo -qRbar' would deliver mail to recipients with foo or
|
||
bar in their address. Patch from Allan E Johannesen of
|
||
Worcester Polytechnic Institute.
|
||
The bestmx map will now return a list of the MX servers for a host if
|
||
passed a column delimiter via the -z map flag. This can be
|
||
used to check if the server is an MX server for the recipient
|
||
of a message. This can be used to help prevent relaying.
|
||
Patch from Mitchell Blank Jr of Exec-PC.
|
||
Mark failures for the *file* mailer and return bounce messages to the
|
||
sender for those failures.
|
||
Prevent bogus syslog timestamps on errors in sendmail.cf by
|
||
preserving the TZ environment variable until TimeZoneSpec
|
||
has been determined. Problem noted by Ralf Hildebrandt of
|
||
Technical University of Braunschweig. Patch from Per Hedeland
|
||
of Ericsson.
|
||
Print test input in address test mode when input is not from the tty
|
||
when the -v flag is given (i.e., sendmail -bt -v) to make
|
||
output easier to decipher. Problem noted by Aidan Nichol
|
||
of Procter & Gamble.
|
||
The LDAP map -s flag was not properly parsed and the error message
|
||
given included the remainder of the arguments instead of
|
||
solely the argument in error. Problem noted by Aidan Nichol
|
||
of Procter & Gamble.
|
||
New DontBlameSendmail option. This option allows administrators to
|
||
bypass some of sendmail's file security checks at the expense
|
||
of system security. This should only be used if you are
|
||
absolutely sure you know the consequences. The available
|
||
DontBlameSendmail options are:
|
||
Safe
|
||
AssumeSafeChown
|
||
ClassFileInUnsafeDirPath
|
||
ErrorHeaderInUnsafeDirPath
|
||
GroupWritableDirPathSafe
|
||
GroupWritableForwardFileSafe
|
||
GroupWritableIncludeFileSafe
|
||
GroupWritableAliasFile
|
||
HelpFileinUnsafeDirPath
|
||
WorldWritableAliasFile
|
||
ForwardFileInGroupWritableDirPath
|
||
IncludeFileInGroupWritableDirPath
|
||
ForwardFileInUnsafeDirPath
|
||
IncludeFileInUnsafeDirPath
|
||
ForwardFileInUnsafeDirPathSafe
|
||
IncludeFileInUnsafeDirPathSafe
|
||
MapInUnsafeDirPath
|
||
LinkedAliasFileInWritableDir
|
||
LinkedClassFileInWritableDir
|
||
LinkedForwardFileInWritableDir
|
||
LinkedIncludeFileInWritableDir
|
||
LinkedMapInWritableDir
|
||
LinkedServiceSwitchFileInWritableDir
|
||
FileDeliveryToHardLink
|
||
FileDeliveryToSymLink
|
||
WriteMapToHardLink
|
||
WriteMapToSymLink
|
||
WriteStatsToHardLink
|
||
WriteStatsToSymLink
|
||
RunProgramInUnsafeDirPath
|
||
RunWritableProgram
|
||
New DontProbeInterfaces option to turn off the inclusion of all the
|
||
interface names in $=w on startup. In particular, if you
|
||
have lots of virtual interfaces, this option will speed up
|
||
startup. However, unless you make other arrangements, mail
|
||
sent to those addresses will be bounced.
|
||
Automatically create alias databases if they don't exist and
|
||
AutoRebuildAliases is set.
|
||
Add PrivacyOptions=noetrn flag to disable the SMTP ETRN command.
|
||
Suggested by Christophe Wolfhugel of the Institut Pasteur.
|
||
Add PrivacyOptions=noverb flag to disable the SMTP VERB command.
|
||
When determining the client host name ($&{client_name} macro), do
|
||
a forward (A) DNS lookup on the result of the PTR lookup
|
||
and compare results. If they differ or if the PTR lookup
|
||
fails, &{client_name} will contain the IP address
|
||
surrounded by square brackets (e.g., [127.0.0.1]).
|
||
New map flag: -Tx appends "x" to lookups that return temporary failure
|
||
(i.e, it is like -ax for the temporary failure case, in
|
||
contrast to the success case).
|
||
New syntax to do limited checking of header syntax. A config line
|
||
of the form:
|
||
HHeader: $>Ruleset
|
||
causes the indicated Ruleset to be invoked on the Header
|
||
when read. This ruleset works like the check_* rulesets --
|
||
that is, it can reject mail on the basis of the contents.
|
||
Limit the size of the HELO/EHLO parameter to prevent spammers
|
||
from hiding their connection information in Received:
|
||
headers.
|
||
When SingleThreadDelivery is active, deliveries to locked hosts
|
||
are skipped. This will cause the delivering process to
|
||
try the next MX host or queue the message if no other MX
|
||
hosts are available. Suggested by Alexander Litvin.
|
||
The [FILE] mailer type now delivers to the file specified in the
|
||
A= equate of the mailer definition instead of $u. It also
|
||
obeys all of the F= mailer flags such as the MIME
|
||
7/8 bit conversion flags. This is useful for defining
|
||
a mailer which delivers to the same file regardless of the
|
||
recipient (e.g., 'A=FILE /dev/null' to discard unwanted mail).
|
||
Do not assume the identity of a remote connection is root@localhost
|
||
if the remote connection closes the socket before the
|
||
remote identity can be queried.
|
||
Change semantics of the F=S mailer flag back to 8.7.5 behavior.
|
||
Some mailers, including procmail, require that the real
|
||
uid is left unchanged by sendmail. Problem noted by Per
|
||
Hedeland of Ericsson.
|
||
No longer is the src/obj*/Makefile selected from a large list -- it
|
||
is now generated using the information in BuildTools/OS/ --
|
||
some of the details are determined dynamically via
|
||
BuildTools/bin/configure.sh.
|
||
The other programs in the sendmail distribution -- mail.local,
|
||
mailstats, makemap, praliases, rmail, and smrsh -- now use
|
||
the new Build method which creates an operating system
|
||
specific Makefile using the information in BuildTools.
|
||
Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e.,
|
||
a failure on one message won't affect future messages to the
|
||
same host). This is necessary if the remote host sends
|
||
a 451 error if the domain of the sender does not resolve
|
||
as is common in anti-spam configurations. Problem noted
|
||
by Mitchell Blank Jr of Exec-PC.
|
||
New "discard" mailer for check_* rulesets and header checking
|
||
rulesets. If one of the above rulesets resolves to the
|
||
$#discard mailer, the commands will be accepted but the
|
||
message will be completely discarded after it is accepting.
|
||
This means that even if only one of the recipients
|
||
resolves to the $#discard mailer, none of the recipients
|
||
will receive the mail. Suggested by Brian Kantor.
|
||
All but the last cloned envelope of a split envelope were queued
|
||
instead of being delivered. Problem noted by John Caruso
|
||
of CNET: The Computer Network.
|
||
Fix deadlock situation in persistent host status file locking.
|
||
Syslog an error if a user forward file could not be read due to
|
||
an error. Patch from John Beck of Sun Microsystems.
|
||
Use the first name returned on machine lookups when canonifying a
|
||
hostname via NetInfo. Patch from Timm Wetzel of GWDG.
|
||
Clear the $&{client_addr}, $&{client_name}, and $&{client_port}
|
||
macros when delivering a bounce message to prevent
|
||
rejection by a check_compat ruleset which uses these macros.
|
||
Problem noted by Jens Hamisch of AgiX Internetservices GmbH.
|
||
If the check_relay ruleset resolves to the the error mailer, the
|
||
error in the $: portion of the resolved triplet is used
|
||
in the rejection message given to the remote machine.
|
||
Suggested by Scott Gifford of The Internet Ramp.
|
||
Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros
|
||
before calling the check_relay ruleset. Suggested by Scott
|
||
Gifford of The Internet Ramp.
|
||
Sendmail would get a segmentation fault if a mailer exited with an
|
||
exit code of 79. Problem noted by Aaron Schrab of ExecPC
|
||
Internet. Fix from Christophe Wolfhugel of the Pasteur
|
||
Institute.
|
||
Separate snprintf/vsnprintf routines into separate file for use by
|
||
mail.local.
|
||
Allow multiple map lookups on right hand side, e.g.,
|
||
R$* $( host $1 $) $| $( passwd $1 $). Patch from
|
||
Christophe Wolfhugel of the Pasteur Institute.
|
||
Properly generate success DSN messages if requested for aliases
|
||
which have owner- aliases. Problem noted by Kari Hurtta
|
||
of the Finnish Meteorological Institute.
|
||
Properly display delayed-expansion macros ($&{macroname}) in
|
||
address test mode (-bt). Problem noted by Bryan Costales
|
||
of InfoBeat, Inc.
|
||
-qR could sometimes match names incorrectly. Problem noted by
|
||
Lutz Euler of Lavielle EDV Systemberatung GmbH & Co.
|
||
Include a magic number and version in the StatusFile for the
|
||
mailstats command.
|
||
Record the number of rejected and discarded messages in the
|
||
StatusFile for display by the mailstats command. Patch
|
||
from Randall Winchester of the University of Maryland.
|
||
IDENT returns where the OSTYPE field equals "OTHER" now list the
|
||
user portion as IDENT:username@site instead of
|
||
username@site to differentiate the two. Suggested by
|
||
Kari Hurtta of the Finnish Meteorological Institute.
|
||
Enforce timeout for LDAP queries. Patch from Per Hedeland of
|
||
Ericsson.
|
||
Change persistent host status filename substitution so '/' is
|
||
replaced by ':' instead of '|' to avoid clashes. Also
|
||
avoid clashes with hostnames with leading dots. Fix from
|
||
Mitchell Blank Jr. of Exec-PC.
|
||
If the system lock table is full, only attempt to create a new
|
||
queue entry five times before giving up. Previously, it
|
||
was attempted indefinitely which could cause the partition
|
||
to run out of inodes. Problem noted by Suzie Weigand of
|
||
Stratus Computer, Inc.
|
||
In verbose mode, warn if the sendmail.cf version is less than the
|
||
currently supported version.
|
||
Sorting for QueueSortOrder=host is now case insensitive. Patch
|
||
from Randall S. Winchester of the University of Maryland.
|
||
Properly quote a full name passed via the -F command line option,
|
||
the Full-Name: header, or the NAME environment variable if
|
||
it contains characters which must be quoted. Problem noted
|
||
by Kari Hurtta of the Finnish Meteorological Institute.
|
||
Avoid possible race condition that unlocked a mail job before
|
||
releasing the transcript file on systems that use flock(2).
|
||
In some cases, this might result in a "Transcript Unavailable"
|
||
message in error bounces.
|
||
Accept SMTP replies which contain only a reply code and no
|
||
accompanying text. Problem noted by Fernando Fraticelli of
|
||
Digital Equipment Corporation.
|
||
Portability:
|
||
AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura
|
||
of Kyoto University.
|
||
AIX 4.2 requires <userpw.h> before <usersec.h>. Patch from
|
||
Randall S. Winchester of the University of
|
||
Maryland.
|
||
AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS.
|
||
CRAY T3E from Manu Mahonen of Center for Scientific Computing
|
||
in Finland.
|
||
Digital UNIX now uses statvfs for determining free
|
||
disk space. Patch from Randall S. Winchester of
|
||
the University of Maryland.
|
||
HP-UX 11.x from Richard Allen of Opin Kerfi HF and
|
||
Regis McEwen of Progress Software Corporation.
|
||
IRIX 64 bit fixes from Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
IRIX 6.2 configuration fix for mail.local from Michael Kyle
|
||
of CIC/Advanced Computing Laboratory.
|
||
IRIX 6.5 from Thomas H Jones II of SGI.
|
||
IRIX 6.X load average code from Bob Mende of SGI.
|
||
QNX from Glen McCready <glen@qnx.com>.
|
||
SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links
|
||
to sendmail. Install with group bin instead of kmem
|
||
as kmem does not exist. From Guillermo Freige of
|
||
Gobernacion de la Pcia de Buenos Aires and Paul
|
||
Fischer of BTG, Inc.
|
||
SunOS 4.X does not include memmove(). Patch from
|
||
Per Hedeland of Ericsson.
|
||
SunOS 5.7 includes getloadavg() function for determining
|
||
load average. Patch from John Beck of Sun
|
||
Microsystems.
|
||
CONFIG: Increment version number of config file.
|
||
CONFIG: add DATABASE_MAP_TYPE to set the default type of database
|
||
map for the various maps. The default is hash. Patch from
|
||
Robert Harker of Harker Systems.
|
||
CONFIG: new confEBINDIR m4 variable for defining the executable
|
||
directory for certain programs.
|
||
CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for
|
||
local mail delivery. By the default, /usr/libexec/mail.local
|
||
is used. This is expected to be the mail.local shipped
|
||
with 8.9 which is LMTP capable. The path is based on the
|
||
new confEBINDIR m4 variable.
|
||
CONFIG: Use confEBINDIR in determining path to smrsh for
|
||
FEATURE(smrsh). Note that this changes the default from
|
||
/usr/local/etc/smrsh to /usr/libexec/smrsh. To obtain the
|
||
old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh).
|
||
CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to
|
||
include $z/.forward.$w+$h and $z/.forward+$h which allow
|
||
the user to setup different .forward files for
|
||
user+detail addressing.
|
||
CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES,
|
||
and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage,
|
||
DontProbeInterfaces, and DontBlameSendmail options.
|
||
CONFIG: by default do not allow relaying (that is, accepting mail
|
||
from outside your domain and sending it to another host
|
||
outside your domain).
|
||
CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from
|
||
any site to any site.
|
||
CONFIG: new FEATURE(relay_entire_domain) allows any host in your
|
||
domain as defined by the 'm' class ($=m) to relay.
|
||
CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on
|
||
the MX records of the host portion of an incoming recipient.
|
||
CONFIG: new FEATURE(access_db) which turns on the access database
|
||
feature. This database gives you the ability to allow
|
||
or refuse to accept mail from specified domains for
|
||
administrative reasons. By default, names that are listed
|
||
as "OK" in the access db are domain names, not host names.
|
||
CONFIG: new confCR_FILE m4 variable for defining the name of the file
|
||
used for class 'R'. Defaults to /etc/mail/relay-domains.
|
||
CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file)
|
||
to add items to class 'R' ($=R) for hosts allowed to relay.
|
||
CONFIG: new FEATURE(relay_hosts_only) to change the behavior
|
||
of FEATURE(access_db) and class 'R' to lookup individual
|
||
host names only.
|
||
CONFIG: new FEATURE(loose_relay_check). Normally, if a recipient
|
||
using % addressing is used, e.g. user%site@othersite,
|
||
and othersite is in class 'R', the check_rcpt ruleset
|
||
will strip @othersite and recheck user@site for relaying.
|
||
This feature changes that behavior. It should not be
|
||
needed for most installations.
|
||
CONFIG: new FEATURE(relay_local_from) to allow relaying if the
|
||
domain portion of the mail sender is a local host. This
|
||
should only be used if absolutely necessary as it opens
|
||
a window for spammers. Patch from Randall S. Winchester of
|
||
the University of Maryland.
|
||
CONFIG: new FEATURE(blacklist_recipients) turns on the ability to
|
||
block incoming mail destined for certain recipient
|
||
usernames, hostnames, or addresses.
|
||
CONFIG: By default, MAIL FROM: commands in the SMTP session will be
|
||
refused if the host part of the argument to MAIL FROM: cannot
|
||
be located in the host name service (e.g., DNS).
|
||
CONFIG: new FEATURE(accept_unresolvable_domains) accepts
|
||
unresolvable hostnames in MAIL FROM: SMTP commands.
|
||
CONFIG: new FEATURE(accept_unqualified_senders) accepts
|
||
MAIL FROM: senders which do not include a domain.
|
||
CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the
|
||
Realtime Blackhole List. You can specify the RBL name
|
||
server to contact by specifying it as an optional argument.
|
||
The default is rbl.maps.vix.com. For details, see
|
||
http://maps.vix.com/rbl/.
|
||
CONFIG: Call Local_check_relay, Local_check_mail, and
|
||
Local_check_rcpt from check_relay, check_mail, and
|
||
check_rcpt. Users with local rulesets should place the
|
||
rules using LOCAL_RULESETS. If a Local_check_* ruleset
|
||
returns $#OK, the message is accepted. If the ruleset
|
||
returns a mailer, the appropriate action is taken, else
|
||
the return of the ruleset is ignored.
|
||
CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by
|
||
default to support file, :include:, and program deliveries.
|
||
CONFIG: Remove the default for confDEF_USER_ID so the binary can
|
||
pick the proper default value. See the SECURITY note
|
||
above for more information.
|
||
CONFIG: FEATURE(nodns) now warns the user that the feature is a
|
||
no-op. Patch from Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
CONFIG: OSTYPE(osf1) now sets DefaultUser (confDEF_USER_ID) to
|
||
daemon since DEC's /bin/mail will drop the envelope
|
||
sender if run as mailnull. See the Digital UNIX section
|
||
of src/README for more information. Problem noted by
|
||
Kari Hurtta of the Finnish Meteorological Institute.
|
||
CONFIG: .cf files are now stored in the same directory with the
|
||
.mc files instead of in the obj directory.
|
||
CONFIG: New options confSINGLE_LINE_FROM_HEADER,
|
||
confALLOW_BOGUS_HELO, and confMUST_QUOTE_CHARS for
|
||
setting SingleLineFromHeader, AllowBogusHELO, and
|
||
MustQuoteChars respectively.
|
||
MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout. This
|
||
SMTP-like protocol allows detailed reporting of delivery
|
||
status on a per-user basis. Code donated by John Myers of
|
||
CMU (now of Netscape).
|
||
MAIL.LOCAL: HP-UX support from Randall S. Winchester of the
|
||
University of Maryland. NOTE: mail.local is not
|
||
compatible with the stock HP-UX mail format. Be sure to
|
||
read mail.local/README.
|
||
MAIL.LOCAL: Prevent other mail delivery agents from stealing a
|
||
mailbox lock. Patch from Randall S. Winchester of the
|
||
University of Maryland.
|
||
MAIL.LOCAL: glibc portability from John Kennedy of Cal State
|
||
University, Chico.
|
||
MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
MAILSTATS: Display the number of rejected and discarded messages
|
||
in the StatusFile. Patch from Randall Winchester of the
|
||
University of Maryland.
|
||
MAKEMAP: New -s flag to ignore safety checks on database map files
|
||
such as linked files in world writable directories.
|
||
MAKEMAP: Add support for Berkeley DB 2.X. Remove OLD_NEWDB support.
|
||
PRALIASES: Add support for Berkeley DB 2.X.
|
||
PRALIASES: Do not automatically include NDBM support. Problem
|
||
noted by Ralf Hildebrandt of the Technical University of
|
||
Braunschweig.
|
||
RMAIL: Improve portability for other platforms. Patches from
|
||
Randall S. Winchester of the University of Maryland and
|
||
Kari Hurtta of the Finnish Meteorological Institute.
|
||
Changed Files:
|
||
src/Makefiles/Makefile.* files have been modified to use
|
||
the new build mechanism and are now BuildTools/OS/*.
|
||
src/makesendmail changed to symbolic link to src/Build.
|
||
New Files:
|
||
BuildTools/M4/header.m4
|
||
BuildTools/M4/depend/BSD.m4
|
||
BuildTools/M4/depend/CC-M.m4
|
||
BuildTools/M4/depend/NCR.m4
|
||
BuildTools/M4/depend/Solaris.m4
|
||
BuildTools/M4/depend/X11.m4
|
||
BuildTools/M4/depend/generic.m4
|
||
BuildTools/OS/AIX.4.2
|
||
BuildTools/OS/AIX.4.x
|
||
BuildTools/OS/CRAYT3E.2.0.x
|
||
BuildTools/OS/HP-UX.11.x
|
||
BuildTools/OS/IRIX.6.5
|
||
BuildTools/OS/NEXTSTEP.4.x
|
||
BuildTools/OS/NeXT.4.x
|
||
BuildTools/OS/NetBSD.8.3
|
||
BuildTools/OS/QNX
|
||
BuildTools/OS/SunOS.5.7
|
||
BuildTools/OS/dcosx.1.x.NILE
|
||
BuildTools/README
|
||
BuildTools/Site/README
|
||
BuildTools/bin/Build
|
||
BuildTools/bin/configure.sh
|
||
BuildTools/bin/find_m4.sh
|
||
BuildTools/bin/install.sh
|
||
Makefile
|
||
cf/cf/Build
|
||
cf/cf/generic-hpux10.cf
|
||
cf/feature/accept_unqualified_senders.m4
|
||
cf/feature/accept_unresolvable_domains.m4
|
||
cf/feature/access_db.m4
|
||
cf/feature/blacklist_recipients.m4
|
||
cf/feature/loose_relay_check.m4
|
||
cf/feature/local_lmtp.m4
|
||
cf/feature/promiscuous_relay.m4
|
||
cf/feature/rbl.m4
|
||
cf/feature/relay_based_on_MX.m4
|
||
cf/feature/relay_entire_domain.m4
|
||
cf/feature/relay_hosts_only.m4
|
||
cf/feature/relay_local_from.m4
|
||
cf/ostype/qnx.m4
|
||
contrib/doublebounce.pl
|
||
mail.local/Build
|
||
mail.local/Makefile.m4
|
||
mail.local/README
|
||
mailstats/Build
|
||
mailstats/Makefile.m4
|
||
makemap/Build
|
||
makemap/Makefile.m4
|
||
praliases/Build
|
||
praliases/Makefile.m4
|
||
rmail/Build
|
||
rmail/Makefile.m4
|
||
rmail/rmail.0
|
||
smrsh/Build
|
||
smrsh/Makefile.m4
|
||
src/Build
|
||
src/Makefile.m4
|
||
src/snprintf.c
|
||
Deleted Files:
|
||
cf/cf/Makefile (replaced by Makefile.dist)
|
||
mail.local/Makefile
|
||
mail.local/Makefile.dist
|
||
mailstats/Makefile
|
||
mailstats/Makefile.dist
|
||
makemap/Makefile
|
||
makemap/Makefile.dist
|
||
praliases/Makefile
|
||
praliases/Makefile.dist
|
||
rmail/Makefile
|
||
smrsh/Makefile
|
||
smrsh/Makefile.dist
|
||
src/Makefile
|
||
src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2)
|
||
src/Makefiles/Makefile.SMP_DC.OSx.NILE
|
||
(renamed BuildTools/OS/dcosx.1.x.NILE)
|
||
src/Makefiles/Makefile.Utah (obsolete platform)
|
||
Renamed Files:
|
||
READ_ME => README
|
||
cf/cf/Makefile.dist => Makefile
|
||
cf/cf/obj/* => cf/cf/*
|
||
src/READ_ME => src/README
|
||
|
||
8.8.8/8.8.8 1997/10/24
|
||
If the check_relay ruleset failed, the relay= field was logged
|
||
incorrectly. Problem noted by Kari Hurtta of the Finnish
|
||
Meteorological Institute.
|
||
If /usr/tmp/dead.letter already existed, sendmail could not
|
||
add additional bounces to it. Problem noted by Thomas J.
|
||
Arseneault of SRI International.
|
||
If an SMTP mailer used a non-standard port number for the outgoing
|
||
connection, it would be displayed incorrectly in verbose mode.
|
||
Problem noted by John Kennedy of Cal State University, Chico.
|
||
Log the ETRN parameter specified by the client before altering them
|
||
to internal form. Suggested by Bob Kupiec of GES-Verio.
|
||
EXPN and VRFY SMTP commands on malformed addresses were logging as
|
||
User unknown with bogus delay= values. Change them to log
|
||
the same as compliant addresses. Problem noted by Kari E.
|
||
Hurtta of the Finnish Meteorological Institute.
|
||
Ignore the debug resolver option unless using sendmail debug trace
|
||
option for resolver. Problem noted by Greg Nichols of Wind
|
||
River Systems.
|
||
If SingleThreadDelivery was enabled and the remote server returned a
|
||
protocol error on the DATA command, the connection would be
|
||
closed but the persistent host status file would not be
|
||
unlocked so other sendmail processes could not deliver to
|
||
that host. Problem noted by Peter Wemm of DIALix.
|
||
If queueing up a message due to an expensive mailer, don't increment
|
||
the number of delivery attempts or set the last delivery
|
||
attempt time so the message will be delivered on the next
|
||
queue run regardless of MinQueueAge. Problem noted by
|
||
Brian J. Coan of the Institute for Global Communications.
|
||
Authentication warnings of "Processed from queue _directory_" and
|
||
"Processed by _username_ with -C _filename_" would be logged
|
||
with the incorrect timestamp. Problem noted by Kari E. Hurtta
|
||
of the Finnish Meteorological Institute.
|
||
Use a better heuristic for detecting GDBM.
|
||
Log null connections on dropped connections. Problem noted by
|
||
Jon Lewis of Florida Digital Turnpike.
|
||
If class dbm maps are rebuilt, sendmail will now detect this and
|
||
reopen the map. Previously, they could give stale
|
||
results during a single message processing (but would
|
||
recover when the next message was received). Fix from
|
||
Joe Pruett of Q7 Enterprises.
|
||
Do not log failures such as "User unknown" on -bv or SMTP VRFY
|
||
requests. Problem noted by Kari E. Hurtta of the
|
||
Finnish Meteorological Institute.
|
||
Do not send a bounce message back to the sender regarding bad
|
||
recipients if the SMTP connection is dropped before the
|
||
message is accepted. Problem noted by Kari E. Hurtta of the
|
||
Finnish Meteorological Institute.
|
||
Use "localhost" instead of "[UNIX: localhost]" when connecting to
|
||
sendmail via a UNIX pipe. This will allow rulesets using
|
||
$&{client_name} to process without sending the string through
|
||
dequote. Problem noted by Alan Barrett of Internet Africa.
|
||
A combination of deferred delivery mode, a double bounce situation,
|
||
and the inability to save a bounce message to
|
||
/var/tmp/dead.letter would cause sendmail to send a bounce
|
||
to postmaster but not remove the offending envelope from the
|
||
queue causing it to create a new bounce message each time the
|
||
queue was run. Problem noted by Brad Doctor of Net Daemons
|
||
Associates.
|
||
Remove newlines from hostname information returned via DNS. There are
|
||
no known security implications of newlines in hostnames as
|
||
sendmail filters newlines in all vital areas; however, this
|
||
could cause confusing error messages.
|
||
Starting with sendmail 8.8.6, mail sent with the '-t' option would be
|
||
rejected if any of the specified addresses were bad. This
|
||
behavior was modified to only reject the bad addresses and not
|
||
the entire message. Problem noted by Jozsef Hollosi of
|
||
SuperNet, Inc.
|
||
Use Timeout.fileopen when delivering mail to a file. Suggested by
|
||
Bryan Costales of InfoBeat, Inc.
|
||
Display the proper Final-Recipient on DSN messages for non-SMTP
|
||
mailers. Problem noted by Kari E. Hurtta of the
|
||
Finnish Meteorological Institute.
|
||
An error in calculating the available space in the list of addresses
|
||
for logging deliveries could cause an address to be silently
|
||
dropped.
|
||
Include the initial user environment if sendmail is restarted via
|
||
a HUP signal. This will give room for the process title.
|
||
Problem noted by Jon Lewis of Florida Digital Turnpike.
|
||
Mail could be delivered without a body if the machine does not
|
||
support flock locking and runs out of processes during
|
||
delivery. Fix from Chuck Lever of the University of Michigan.
|
||
Drop recipient address from 251 and 551 SMTP responses per RFC 821.
|
||
Problem noted by Kari E. Hurtta of the Finnish Meteorological
|
||
Institute.
|
||
Make sure non-rebuildable database maps are opened before the
|
||
rebuildable maps (i.e., alias files) in case the database maps
|
||
are needed for verifying the left hand side of the aliases.
|
||
Problem noted by Lloyd Parkes of Victoria University.
|
||
Make sure sender RFC822 source route addresses are alias expanded for
|
||
bounce messages. Problem noted by Juergen Georgi of
|
||
RUS University of Stuttgart.
|
||
Minor lint fixes.
|
||
Return a temporary error instead of a permanent error if an LDAP map
|
||
search returns an error. This will allow sequenced maps which
|
||
use other LDAP servers to be checked. Fix from Booker Bense
|
||
of Stanford University.
|
||
When automatically converting from quoted printable to 8bit text do
|
||
not pad bare linefeeds with a space. Problem noted by Theo
|
||
Nolte of the University of Technology Aachen, Germany.
|
||
Portability:
|
||
Non-standard C compilers may have had a problem compiling
|
||
conf.c due to a standard C external declaration of
|
||
setproctitle(). Problem noted by Ted Roberts of
|
||
Electronic Data Systems.
|
||
AUX: has a broken O_EXCL implementation. Reported by Jim
|
||
Jagielski of jaguNET Access Services.
|
||
BSD/OS: didn't compile if HASSETUSERCONTEXT was defined.
|
||
Digital UNIX: Digital UNIX (and possibly others) moves
|
||
loader environment variables into the loader memory
|
||
area. If one of these environment variables (such as
|
||
LD_LIBRARY_PATH) was the last environment variable,
|
||
an invalid memory address would be used by the process
|
||
title routine causing memory corruption. Problem
|
||
noted by Sam Hartman of Mesa Internet Systems.
|
||
GNU libc: uses an enum for _PC_CHOWN_RESTRICTED which caused
|
||
chownsafe() to always return 0 even if the OS does
|
||
not permit file giveaways. Problem noted by
|
||
Yasutaka Sumi of The University of Tokyo.
|
||
IRIX6: Syslog buffer size set to 512 bytes. Reported by
|
||
Gerald Rinske of Siemens Business Services VAS.
|
||
Linux: Pad process title with NULLs. Problem noted by
|
||
Jon Lewis of Florida Digital Turnpike.
|
||
SCO OpenServer 5.0: SIOCGIFCONF ioctl call returns an
|
||
incorrect value for the number of interfaces.
|
||
Problem noted by Chris Loelke of JetStream Internet
|
||
Services.
|
||
SINIX: Update for Makefile and syslog buffer size from Gerald
|
||
Rinske of Siemens Business Services VAS.
|
||
Solaris: Make sure HASGETUSERSHELL setting for SunOS is not
|
||
used on a Solaris machine. Problem noted by
|
||
Stephen Ma of Jtec Pty Limited.
|
||
CONFIG: SINIX: Update from Gerald Rinske of Siemens Business
|
||
Services VAS.
|
||
MAKEMAP: Use a better heuristic for detecting GDBM.
|
||
CONTRIB: expn.pl: Updated version from the author, David Muir Sharnoff.
|
||
OP.ME: Document the F=i mailer flag. Problem noted by Per Hedeland of
|
||
Ericsson.
|
||
|
||
8.8.7/8.8.7 1997/08/03
|
||
If using Berkeley DB on systems without O_EXLOCK (open a file with
|
||
an exclusive lock already set -- i.e., almost all systems
|
||
except 4.4-BSD derived systems), the initial attempt at
|
||
rebuilding aliases file if the database didn't already
|
||
exist would fail. Patch from Raymund Will of LST Software
|
||
GmbH.
|
||
Bogus incoming SMTP commands would reset the SMTP conversation.
|
||
Problem noted by Fredrik J<>nsson of the Royal Institute
|
||
of Technology, Stockholm.
|
||
Since TCP Wrappers includes setenv(), unsetenv(), and putenv(),
|
||
some environments could give "multiple definitions" for these
|
||
routines during compilation. If using TCP Wrappers, assume
|
||
that these routines are included as though they were in the
|
||
C library. Patch from Robert La Ferla.
|
||
When a NEWDB database map was rebuilt at the same time it was being
|
||
used by a queue run, the maps could be left locked for the
|
||
duration of the queue run, causing other processes to hang.
|
||
Problem noted by Kendall Libby of Shore.NET.
|
||
In some cases, NoRecipientAction=add-bcc was being ignored, so the
|
||
mail was passed on without any recipient header. This could
|
||
cause problems downstream. Problem noted by Xander Jansen
|
||
of SURFnet ExpertiseCentrum.
|
||
Give error when GDBM is used with sendmail. GDBM's locking and
|
||
linking of the .dir and .pag files interferes with sendmail's
|
||
locking and security checks. Problems noted by Fyodor
|
||
Yarochkin of the Kyrgyz Republic FreeNet.
|
||
Don't fsync qf files if SuperSafe option is not set.
|
||
Avoid extra calls to gethostbyname for addresses for which a
|
||
gethostbyaddr found no value. Also, ignore any returns
|
||
from gethostbyaddr that look like a dotted quad.
|
||
If PTR lookup fails when looking up an SMTP peer, don't tag it as
|
||
"may be forged", since at the network level we pretty much
|
||
have to assume that the information is good.
|
||
In some cases, errors during an SMTP session could leave files
|
||
open or locked.
|
||
Better handling of missing file descriptors (0, 1, 2) on startup.
|
||
Better handling of non-set-user-ID binaries -- avoids certain obnoxious
|
||
errors during testing.
|
||
Errors in file locking of NEWDB maps had the incorrect file name
|
||
printed in the error message.
|
||
If the AllowBogusHELO option were set and an EHLO with a bad or
|
||
missing parameter were issued, the EHLO behaved like a HELO.
|
||
Load limiting never kicked in for incoming SMTP transactions if the
|
||
DeliveryMode=background and any recipient was an alias or
|
||
had a .forward file. From Nik Conwell of Boston University.
|
||
On some non-Posix systems, the decision of whether chown(2) permits
|
||
file giveaway was undefined. From Tetsu Ushijima of the
|
||
Tokyo Institute of Technology.
|
||
Fix race condition that could cause the body of a message to be
|
||
lost (so only the header was delivered). This only occurs
|
||
on systems that do not use flock(2), and only when a queue
|
||
runner runs during a critical section in another message
|
||
delivery. Based on a patch from Steve Schweinhart of
|
||
Results Computing.
|
||
If a qf file was found in a mail queue directory that had a problem
|
||
(wrong ownership, bad format, etc.) and the file name was
|
||
exactly MAXQFNAME bytes long, then instead of being tried
|
||
once, it would be tried on every queue run. Problem noted
|
||
by Bryan Costales of Mercury Mail.
|
||
If the system supports an st_gen field in the status structure,
|
||
include it when reporting that a file has changed after open.
|
||
This adds a new compile flag, HAS_ST_GEN (0/1 option).
|
||
This out to be checked as well as reported, since it is
|
||
theoretically possible for an attacker to remove a file after
|
||
it is opened and replace it with another file that has the
|
||
same i-number, but some filesystems (notably AFS) return
|
||
garbage in this field, and hence always look like the file
|
||
has changed. As a practical matter this is not a security
|
||
problem, since the files can be neither hard nor soft links,
|
||
and on no filesystem (that I am aware of) is it possible to
|
||
have two files on the same filesystem with the same i-number
|
||
simultaneously.
|
||
Delete the root Makefile from the distribution -- it is only for
|
||
use internally, and does not work at customer sites.
|
||
Fix botch that caused the second MAIL FROM: command in a single
|
||
transaction to clear the entire transaction. Problem
|
||
noted by John Kennedy of Cal State University, Chico.
|
||
Work properly on machines that have _PATH_VARTMP defined without
|
||
a trailing slash. (And a pox on vendors that decide to
|
||
ignore the established conventions!) Problem noted by
|
||
Gregory Neil Shapiro of WPI.
|
||
Internal changes to make it easier to add another protocol family
|
||
(intended for IPv6). Patches are from John Kennedy of
|
||
CSU Chico.
|
||
In certain cases, 7->8 bit MIME decoding of Base64 text could leave
|
||
an extra space at the beginning of some lines. Problem
|
||
noted by Charles Karney of Princeton University; fix based
|
||
on a patch from Christophe Wolfhugel.
|
||
Portability:
|
||
Allow _PATH_VENDOR_CF to be set in Makefile for consistency
|
||
with the _Sendmail_ book, 2nd edition. Note that
|
||
the book is actually wrong: _PATH_SENDMAILCF should
|
||
be used instead.
|
||
AIX 3.x: Include <sys/select.h>. Patch from Gene Rackow
|
||
of Argonne National Laboratory.
|
||
OpenBSD from from Paul DuBois of the University of Wisconsin.
|
||
RISC/os 4.0 from Paul DuBois of the University of Wisconsin.
|
||
SunOS: Include <memory.h> to fix warning from util.c. From
|
||
James Aldridge of EUnet Ltd.
|
||
Solaris: Change STDIR (location of status file) to /etc/mail
|
||
in Makefiles.
|
||
Linux, Dynix, UNICOS: Remove -DNDBM and -lgdbm from
|
||
Makefiles. Use NEWDB on Linux instead.
|
||
NCR MP-RAS 3.x with STREAMware TCP/IP: SIOCGIFNUM ioctl
|
||
exists but behaves differently than other OSes.
|
||
Add SIOCGIFNUM_IS_BROKEN compile flag to get
|
||
around the problem. Problem noted by Tom Moore of
|
||
NCR Corp.
|
||
HP-UX 9.x: fix compile warnings for old select API. Problem
|
||
noted by Tom Smith of Digital Equipment Corp.
|
||
UnixWare 2.x: compile warnings on offsetof macro. Problem
|
||
noted by Tom Good of the Community Access Information
|
||
Resource Network
|
||
SCO 4.2: compile problems caused by a change in the type of
|
||
the "length" parameters passed to accept, getpeername,
|
||
getsockname, and getsockopt. Adds new compile flags
|
||
SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Problem reported
|
||
by Tom Good of St. Vincent's North Richmond Community
|
||
Mental Health Center Residential Services.
|
||
AIX 4: Use size_t for SOCKADDR_SIZE_T and SOCKOPT_SIZE_T.
|
||
Suggested by Brett Hogden of Rochester Gas & Electric
|
||
Corp.
|
||
Linux: avoid compile problem for versions of <setjmp.h> that
|
||
#define both setjmp and longjmp. Problem pointed out
|
||
by J.R. Oldroyd of TerraNet.
|
||
CONFIG: SCO UnixWare 2.1: Support for OSTYPE(sco-uw-2.1)
|
||
from Christopher Durham of SCO.
|
||
CONFIG: NEXTSTEP: define confCW_FILE to
|
||
/etc/sendmail/sendmail.cw to match the usual
|
||
configuration. Patch from Dennis Glatting of
|
||
PlainTalk.
|
||
CONFIG: MAILER(fax) called a program that hasn't existed for a long
|
||
time. Convert to use the HylaFAX 4.0 conventions. Suggested
|
||
by Harry Styron.
|
||
CONFIG: Improve sample anti-spam rulesets in cf/cf/knecht.mc. These
|
||
are the rulesets in use on sendmail.org.
|
||
MAKEMAP: give error on GDBM files.
|
||
MAIL.LOCAL: Make error messages a bit more explicit, for example,
|
||
telling more details on what actually changed when "file
|
||
changed after open".
|
||
CONTRIB: etrn.pl: Ignore comments in Fw files. Support multiple Fw
|
||
files.
|
||
CONTRIB: passwd-to-alias.pl: Handle 8 bit characters and '-'.
|
||
NEW FILES:
|
||
src/Makefiles/Makefile.OpenBSD
|
||
src/Makefiles/Makefile.RISCos.4_0
|
||
test/t_exclopen.c
|
||
cf/ostype/sco-uw-2.1.m4
|
||
DELETED FILES:
|
||
Makefile
|
||
|
||
8.8.6/8.8.6 1997/06/14
|
||
*************************************************************
|
||
* The extensive assistance of Gregory Neil Shapiro of WPI *
|
||
* in preparing this release is gratefully appreciated. *
|
||
* Sun Microsystems has also provided resources toward *
|
||
* continued sendmail development. *
|
||
*************************************************************
|
||
SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open
|
||
mode bits set to create a file that is a symbolic link that
|
||
points nowhere. This makes it possible to create a root
|
||
owned file in an arbitrary directory by inserting the symlink
|
||
into a writable directory after the initial lstat(2) check
|
||
determined that the file did not exist. The only verified
|
||
example of a system having these odd semantics for O_EXCL
|
||
and symbolic links was HP-UX prior to version 9.07. Most
|
||
systems do not have the problem, since a exclusive create
|
||
of a file disallows symbolic links. Systems that have been
|
||
verified to NOT have the problem include AIX 3.x, *BSD,
|
||
DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris,
|
||
and Ultrix. This is a potential exposure on systems that
|
||
have this bug and which do not have a MAILER-DAEMON alias
|
||
pointing at a legitimate account, since this will cause old
|
||
mail to be dropped in /var/tmp/dead.letter.
|
||
SECURITY: Problems can occur on poorly managed systems, specifically,
|
||
if maps or alias files are in world writable directories.
|
||
If your system has alias maps in writable directories, it
|
||
is potentially possible for an attacker to replace the .db
|
||
(or .dir and .pag) files by symbolic links pointing at
|
||
another database; this can be used either to expose
|
||
information (e.g., by pointing an alias file at /etc/spwd.db
|
||
and probing for accounts), or as a denial-of-service attack
|
||
(by trashing the password database). The fix disallows
|
||
symbolic links entirely when rebuilding alias files or on
|
||
maps that are in writable directories, and always warns on
|
||
writable directories; 8.9 will probably consider writable
|
||
directories to be fatal errors. This does not represent an
|
||
exposure on systems that have alias files in unwritable
|
||
system directories.
|
||
SECURITY: disallow .forward or :include: files that are links (hard
|
||
or soft) if the parent directory (or any directory in the
|
||
path) is writable by anyone other than the owner. This is
|
||
similar to the previous case for user files. This change
|
||
should not affect most systems, but is necessary to prevent
|
||
an attacker who can write the directory from pointing such
|
||
files at other files that are readable only by the owner.
|
||
SECURITY: Tighten safechown rules: many systems will say that they
|
||
have a safe (restricted to root) chown even on files that
|
||
are mounted from another system that allows owners to give
|
||
away files. The new rules are very strict, trusting file
|
||
ownership only in those few cases where the system has
|
||
been verified to be at least as paranoid as necessary.
|
||
However, it is possible to relax the rules to partially
|
||
trust the ownership if the directory path is not world or
|
||
group writable. This might allow someone who has a legitimate
|
||
:include: file (referenced directly from /etc/aliases) to
|
||
become another non-root user if the :include: file is in a
|
||
non-writable directory on an NFS-mounted filesystem where
|
||
the local system says that giveaway is denied but it is
|
||
actually permitted. I believe this to be a very small set
|
||
of cases. If in doubt, do not point :include: aliases at
|
||
NFS-mounted filesystems.
|
||
SECURITY: When setting a numeric group id using the RunAsUser option
|
||
(e.g., "O RunAsUser=10:20", the group id would not be set.
|
||
Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha
|
||
group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine.
|
||
The user id was still set properly. Problem noted by Uli
|
||
Pralle of the Technical University of Berlin.
|
||
Save the initial gid set for use when checking for if the
|
||
PrivacyOptions=restrictmailq option is set. Problem reported
|
||
by Wolfgang Ley of DFN-CERT.
|
||
Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a
|
||
failure on one message won't affect future messages to the
|
||
same host).
|
||
IP source route printing had an "off by one" error that would
|
||
affect any options that came after the route option. Patch
|
||
from Theo de Raadt.
|
||
The "Message is too large" error didn't successfully bounce the error
|
||
back to the sender. Problem reported by Stephen More of
|
||
PSI; patch from Gregory Neil Shapiro of WPI.
|
||
Change SMTP status code 553 to map into Extended code 5.1.0 (instead
|
||
of 5.1.3); it apparently gets used in multiple ways.
|
||
Suggested by John Myers of Portola Communications.
|
||
Fix possible extra null byte generated during collection if errors
|
||
occur at the beginning of the stream. Patch contributed by
|
||
Andrey A. Chernov and Gregory Neil Shapiro.
|
||
Code changes to avoid possible reentrant call of malloc/free within
|
||
a signal handler. Problem noted by John Beck of Sun
|
||
Microsystems.
|
||
Move map initialization to be earlier so that check_relay ruleset
|
||
will have the latest version of the map data. Problem noted
|
||
by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro.
|
||
If there are fatal errors during the collection phase (e.g., message
|
||
too large) don't send the bogus message.
|
||
Avoid "cannot open xfAAA00000" messages when sending to aliases that
|
||
have errors and have owner- aliases. Problem noted by Michael
|
||
Barber of MTU; fix from Gregory Neil Shapiro of WPI.
|
||
Avoid null pointer dereference on illegal Boundary= parameters in
|
||
multipart/mixed Content-Type: header. Problem noted by
|
||
Richard Muirden of RMIT University.
|
||
Always print error messages during newaliases (-bi) even if the
|
||
ErrorMode is not set to "print". Fix from Gregory Neil
|
||
Shapiro.
|
||
Test mode could core dump if you did a /map lookup in an optional map
|
||
that could not be opened. Based on a fix from John Beck of
|
||
Sun Microsystems.
|
||
If DNS is misconfigured so that the last MX record tried points to
|
||
a host that does not have an A record, but other MX records
|
||
pointed to something reasonable, don't bounce the message
|
||
with a "host unknown" error. Note that this should really
|
||
be fixed in the zone file for the domain. Problem noted by
|
||
Joe Rhett of Navigist, Inc.
|
||
If a map fails (e.g., DNS times out) on all recipient addresses, mark
|
||
the message as having been tried; otherwise the next queue
|
||
run will not realize that this is a second attempt and will
|
||
retry immediately. Problem noted by Bryan Costales of
|
||
Mercury Mail.
|
||
If the clock is set backwards, and a MinQueueAge is set, no jobs
|
||
will be run until the later setting of the clock is reached.
|
||
"Problem" (I use the term loosely) noted by Eric Hagberg of
|
||
Morgan Stanley.
|
||
If the load average rises above the cutoff threshold (above which
|
||
sendmail will not process the queue at all) during a queue
|
||
run, abort the queue run immediately. Problem noted by
|
||
Bryan Costales of Mercury Mail.
|
||
The variable queue processing algorithm (based on the message size,
|
||
number of recipients, message precedence, and job age) was
|
||
non-functional -- either the entire queue was processed or
|
||
none of the queue was processed. The updated algorithm
|
||
does no queue run if a single recipient zero size job will
|
||
not be run.
|
||
If there is a fatal ("panic") message that will cause sendmail to
|
||
die immediately, never hold the error message for future
|
||
printing.
|
||
Force ErrorMode=print in -bt mode so that all errors are printed
|
||
regardless of the setting of the ErrorMode option in the
|
||
configuration file. Patch from Gregory Neil Shapiro.
|
||
New compile flag HASSTRERROR says that this OS has the strerror(3)
|
||
routine available in one of the libraries. Use it in conf.h.
|
||
The -m (match only) flag now works on host class maps.
|
||
If class hash or btree maps are rebuilt, sendmail will now detect
|
||
this and reopen the map. Previously, they could give
|
||
erroneous results during a single message processing
|
||
(but would recover when the next message was received).
|
||
Don't delete zero length queue files when doing queue runs until the
|
||
files are at least ten minutes old. This avoids a potential
|
||
race condition: the creator creates the qf file, getting back
|
||
a file descriptor. The queue runner locks it and deletes it
|
||
because it is zero length. The creator then writes the
|
||
descriptor that is now for a disconnected file, and the
|
||
job goes away. Based on a suggestion by Bryan Costales.
|
||
When determining the "validated" host name ($_ macro), do a forward
|
||
(A) DNS lookup on the result of the PTR lookup and compare
|
||
results. If they differ or if the PTR lookup fails, tag the
|
||
address as "may be forged".
|
||
Log null connections (i.e., hosts that connect but do not do any
|
||
substantive activity on the connection before disconnecting;
|
||
"substantive" is defined to be MAIL, EXPN, VRFY, or ETRN.
|
||
Always permit "writes" to /dev/null regardless of the link count.
|
||
This is safe because /dev/null is special cased, and no open
|
||
or write is ever actually attempted. Patch from Villy Kruse
|
||
of TwinCom.
|
||
If a message cannot be sent because of a 552 (exceeded storage
|
||
allocation) response to the MAIL FROM:<>, and a SIZE= parameter
|
||
was given, don't return the body in the bounce, since there
|
||
is a very good chance that the message will double-bounce.
|
||
Fix possible line truncation if a quoted-printable had an =00 escape
|
||
in the body. Problem noted by Charles Karney of the Princeton
|
||
Plasma Physics Laboratory.
|
||
Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses.
|
||
Problem noted by Kari Hurtta of the Finnish Meteorological
|
||
Institute.
|
||
The MaxDaemonChildren option wasn't applying to queue runs as
|
||
documented. Note that this increases the potential denial
|
||
of service problems with this option: an attacker can
|
||
connect many times, and thereby lock out queue runs as well
|
||
as incoming connections. If you use this option, you should
|
||
run the "sendmail -bd" and "sendmail -q30m" jobs separately
|
||
to avoid this attack. Failure to limit noted by Matthew
|
||
Dillon of BEST Internet Communications.
|
||
Always give a message in newaliases if alias files cannot be
|
||
opened instead of failing silently. Suggested by Gregory
|
||
Neil Shapiro. This change makes the code match the O'Reilly
|
||
book (2nd edition).
|
||
Some older versions of the resolver could return with h_errno == -1
|
||
if no name server could be reached, causing mail to bounce
|
||
instead of queueing. Treat this like TRY_AGAIN. Fix from
|
||
John Beck of SunSoft.
|
||
If a :include: file is owned by a user that does not have an entry
|
||
in the passwd file, sendmail could dereference a null pointer.
|
||
Problem noted by Satish Mynam of Sun Microsystems.
|
||
Take precautions to make sure that the SMTP protocol cannot get out
|
||
of sync if (for example) an alias file cannot be opened.
|
||
Fix a possible race condition that can cause a SIGALRM to come in
|
||
immediately after a SIGHUP, causing the new sendmail to die.
|
||
Avoid possible hang on SVr3 systems when doing child reaping. Patch
|
||
from Villy Kruse of TwinCom.
|
||
Ignore improperly formatted SMTP reply codes. Previously these were
|
||
partially processed, which could cause confusing error
|
||
returns.
|
||
Fix possible bogus pointer dereference when doing ldapx map lookups
|
||
on some architectures.
|
||
Portability:
|
||
A/UX: from Jim Jagielski of NASA/GSFC.
|
||
glibc: SOCK_STREAM was changed from a #define to an enum,
|
||
thus breaking #ifdef SOCK_STREAM. Only option seems
|
||
to be to assume SOCK_STREAM if __GNU_LIBRARY__ is
|
||
defined. Problem reported by A Sun of the University
|
||
of Washington.
|
||
Solaris: use SIOCGIFNUM to get the number of interfaces on
|
||
the system rather than guessing at compile time.
|
||
Patch contributed by John Beck of Sun Microsystems.
|
||
Intel Paragon: from Wendy Lin of Purdue University.
|
||
GNU Hurd: from Miles Bader of the GNU project.
|
||
RISC/os 4.50 from Harlan Stenn of PFCS Corporation.
|
||
ISC Unix: wait never returns if SIGCLD signals are blocked.
|
||
Unfortunately releasing them opens a race condition,
|
||
but there appears to be no fix for this. Patch from
|
||
Gregory Neil Shapiro.
|
||
BIND 8.1 for IPv6 compatibility from John Kennedy.
|
||
Solaris: a bug in strcasecmp caused characters with the
|
||
high order bit set to apparently randomly match
|
||
letters -- for example, $| (0233) matches "i" and "I".
|
||
Problem noted by John Gregson of the University of
|
||
Cambridge.
|
||
IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From
|
||
Kari Hurtta.
|
||
IRIX 6.x: Create Makefiles for systems that claim to be
|
||
IRIX64 but are 6.2 or higher (so use the regular
|
||
IRIX Makefile).
|
||
IRIX 6.x: Fix load average computation on 64 bit kernels.
|
||
Problem noted by Eric Hagberg of Morgan Stanley.
|
||
CONFIG: Some canonification was still done for UUCP-like addresses
|
||
even if FEATURE(nocanonify) was set. Problem pointed out by
|
||
Brian Candler.
|
||
CONFIG: In some cases UUCP mailers wouldn't properly recognize all
|
||
local names as local. Problem noted by Jeff Polk of BSDI;
|
||
fix provided by Gregory Neil Shapiro.
|
||
CONFIG: The "local:user" syntax entries in mailertables and other
|
||
"mailer:user" syntax locations returned an incorrect value
|
||
for the $h macro. Problem noted by Gregory Neil Shapiro.
|
||
CONFIG: Retain "+detail" information when forwarding mail to a
|
||
MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip
|
||
Guenther of Gustavus Adolphus College.
|
||
CONFIG: Make sure user+detail works for FEATURE(virtusertable);
|
||
rules are the same as for aliasing. Based on a patch from
|
||
Gregory Neil Shapiro.
|
||
CONFIG: Break up parsing rules into several pieces; this should
|
||
have no functional change in this release, but makes it
|
||
possible to have better anti-spam rulesets in the future.
|
||
CONFIG: Disallow double dots in host names to avoid having the
|
||
HostStatusDirectory store status under the wrong name.
|
||
In some cases this can be used as a denial-of-service attack.
|
||
Problem noted by Ron Jarrell of Virginia Tech, patch from
|
||
Gregory Neil Shapiro.
|
||
CONFIG: Don't use F=m (multiple recipients per invocation) for
|
||
MAILER(procmail), but do pass F=Pn9 (include Return-Path:,
|
||
don't include From_, and convert to 8-bit). Suggestions
|
||
from Kimmo Suominen and Roderick Schertler.
|
||
CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) were
|
||
being masqueraded as though FEATURE(masquerade_entire_domain)
|
||
was specified, even when it wasn't.
|
||
MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft.
|
||
MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't
|
||
"slip in" a symbolic link between the lstat(2) call and the
|
||
exclusive open. This is only a problem on System V derived
|
||
systems that allow an exclusive create on files that are
|
||
symbolic links pointing nowhere.
|
||
MAIL.LOCAL: If the final mailbox close() failed, the user id was
|
||
not reset back to root, which on some systems would cause
|
||
later mailboxes to fail. Also, any partial message would
|
||
not be truncated, which could result in repeated deliveries.
|
||
Problem noted by Bruce Evans via Peter Wemm (FreeBSD
|
||
developers).
|
||
MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar
|
||
change to the sendmail map code was made in 8.8.3. Problem
|
||
noted by Gregory Neil Shapiro.
|
||
MAKEMAP: Give warnings on file problems such as map files that are
|
||
symbolic links; although makemap is not set-user-ID root, it is
|
||
often run as root and hence has the potential for the same
|
||
sorts of problems as alias rebuilds.
|
||
MAKEMAP: Change compilation so that it will link properly on
|
||
NEXTSTEP.
|
||
CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf.
|
||
Accept an optional list of arguments following the server
|
||
name for the ETRN arguments to use (instead of $=w). Other
|
||
miscellaneous bug fixes. From Christian von Roques via
|
||
John Beck of Sun Microsystems.
|
||
CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta. This
|
||
Perl script converts GECOS information in the /etc/passwd
|
||
file into aliases, allowing for faster access to full name
|
||
lookups; it is also clever about adding aliases (to root)
|
||
for system accounts.
|
||
NEW FILES:
|
||
src/safefile.c
|
||
cf/ostype/gnuhurd.m4
|
||
cf/ostype/irix6.m4
|
||
contrib/passwd-to-alias.pl
|
||
src/Makefiles/Makefile.IRIX64.6.1
|
||
src/Makefiles/Makefile.IRIX64.6.x
|
||
RENAMED FILES:
|
||
src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x
|
||
src/Makefiles/Makefile.IRIX64 => Makefile.IRIX64.6.0
|
||
|
||
8.8.5/8.8.5 1997/01/21
|
||
SECURITY: Clear out group list during startup. Without this, sendmail
|
||
will continue to run with the group permissions of the caller,
|
||
even if RunAsUser is specified.
|
||
SECURITY: Make purgestat (-bH) be root-only. This is not in response
|
||
to any known attack, but it's best to be conservative.
|
||
Suggested by Peter Wemm of DIALix.
|
||
SECURITY: Fix buffer overrun problem in MIME code that has possible
|
||
security implications. Patch from Alex Garthwaite of the
|
||
University of Pennsylvania.
|
||
Use of a -f flag with a phrase attached (e.g., "-f 'Full Name <addr>'")
|
||
would truncate the address after "Full". Although the -f
|
||
syntax is incorrect (since it is in the envelope, it
|
||
shouldn't have comments and full names), the failure mode
|
||
was unnecessarily awful.
|
||
Fix a possible null pointer dereference when converting 8-bit data
|
||
to a 7-bit format. Problem noted by Jim Hutchins of
|
||
Sandia National Labs and David James of British Telecom.
|
||
Clear out stale state that affected F=9 on SMTP mailers in queue
|
||
runs. Although this really shouldn't be used (F=9 is for
|
||
final delivery only, and using it on an SMTP mailer makes
|
||
it possible for a message to be converted from 8->7->8->7
|
||
bits several times), it shouldn't have failed with a syserr.
|
||
Problem noted by Eric Hagberg of Morgan Stanley.
|
||
_Really_ fix the multiple :maildrop code in the user database
|
||
module. Patch from Roy Mongiovi of Georgia Tech.
|
||
Let F lines in the configuration file actually read root-only
|
||
files if the configuration file is safe. Based on a
|
||
patch from Keith Reynolds of SCO.
|
||
ETRN followed by QUIT would hold the connection open until the queue
|
||
run completed. Problem noted by Truck Lewis of TDK
|
||
Semiconductor Corp.
|
||
It turns out that despite the documentation, the TCP wrappers library
|
||
does _not_ log rejected connections. Do the logging ourselves.
|
||
Problem noted by Fletcher Mattox of the University of Texas
|
||
at Austin.
|
||
If sendmail finds a qf file in its queue directory that is an unknown
|
||
version (e.g., when backing out to an old version), the
|
||
error is reported on every queue run. Change it to only
|
||
give the error once (and rename the qf => Qf). Patch from
|
||
William A. Gianopoulos of Raytheon Company.
|
||
Start a new session when doing background delivery; currently it
|
||
ignored signals but didn't start a new signal, that caused
|
||
some problems if a background process tried to send mail
|
||
under certain circumstances. Problem noted by Eric Hagberg
|
||
of Morgan Stanley; fix from Kari Hurtta.
|
||
Simplify test for skipping a queue run to just check if the current
|
||
load average is >= the queueing load average. Previously
|
||
the check factored in some other parameters that caused it
|
||
to essentially never skip the queue run. Patch from Bryan
|
||
Costales.
|
||
If the SMTP server is running in "nullserver" mode (that is, it is
|
||
rejecting all commands), start sleeping after MAXBADCOMMAND
|
||
(25) commands; this helps prevent a bad guy from putting
|
||
you into a tight loop as a denial-of-service attack. Based
|
||
on an e-mail conversation with Brad Knowles of AOL.
|
||
Slow down when too many "light weight" commands have been issued;
|
||
this helps prevent a class of denial-of-service attacks.
|
||
The current values and defaults are:
|
||
MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR
|
||
MAXHELOCOMMANDS 3 HELO, EHLO
|
||
MAXVRFYCOMMANDS 6 VRFY, EXPN
|
||
MAXETRNCOMMANDS 8 ETRN
|
||
These will probably be configurable in a future release.
|
||
On systems that have uid_t typedefed to be an unsigned short, programs
|
||
that had the F=S flag and no U= equate would be invoked with
|
||
the real uid set to 65535 rather than being left unchanged.
|
||
In some cases, NOTIFY=NEVER was not being honored. Problem noted
|
||
by Steve Hubert of the University of Washington, Seattle.
|
||
Mail that was Quoted-Printable encoded and had a soft line break on
|
||
the last line (i.e., an incomplete continuation) had the last
|
||
line dropped. Since this appears to be illegal it isn't
|
||
clear what to do with it, but flushing the last line seems
|
||
to be a better "fail soft" approach. Based on a patch from
|
||
Eric Hagberg.
|
||
If AllowBogusHELO and PrivacyOptions=needmailhelo are both set, a
|
||
bogus HELO command still causes the "Polite people say HELO
|
||
first" error message. Problem pointed out by Chris Thomas
|
||
of UCLA; patch from John Beck of SunSoft.
|
||
Handle "sendmail -bp -qSfoobar" properly if restrictqrun is set
|
||
in PrivacyOptions. The -q shouldn't turn this command off.
|
||
Problem noted by Murray Kucherawy of Pacific Bell Internet;
|
||
based on a patch from Gregory Neil Shapiro of WPI.
|
||
Don't consider SMTP reply codes 452 or 552 (exceeded storage allocation)
|
||
in a DATA transaction to be sticky; these can occur because
|
||
a message is too large, and smaller messages should still go
|
||
through. Problem noted by Matt Dillon of Best Internet
|
||
Communications.
|
||
In some cases bounces were saved in /var/tmp/dead.letter even if they
|
||
had been successfully delivered to the envelope sender.
|
||
Problem noted Eric Hagberg of Morgan Stanley; solution from
|
||
Gregory Neil Shapiro of WPI.
|
||
Give better diagnostics on long alias lines. Based on code contributed
|
||
by Patrick Gosling of the University of Cambridge.
|
||
Increase the number of virtual interfaces that will be probed for
|
||
alternate names. Problem noted by Amy Rich of Shore.Net.
|
||
PORTABILITY:
|
||
UXP/DS V20L10 for Fujitsu DS/90: Makefile patches from
|
||
Toshiaki Nomura of Fujitsu Limited.
|
||
SunOS with LDAP support: compile problems with struct timeval.
|
||
Patch from Nick Cuccia of TCSI Corporation.
|
||
SCO: from Keith Reynolds of SCO.
|
||
Solaris: kstat load average computation wasn't being used.
|
||
Fixes from Michael Ju. Tokarev of Telecom Service, JSC
|
||
(Moscow).
|
||
OpenBSD: from Jason Downs of teeny.org.
|
||
Altos System V: from Tim Rice.
|
||
Solaris 2.5: from Alan Perry of SunSoft.
|
||
Solaris 2.6: from John Beck of SunSoft.
|
||
Harris Nighthawk PowerUX (mh6000 box): from Bob Miorelli
|
||
of Pratt & Whitney <miorelli@pweh.com>.
|
||
CONFIG: It seems that I hadn't gotten the Received: line syntax
|
||
_just_right_ yet. Tweak it again. I'll omit the names
|
||
of the "contributors" (quantity two) in this one case.
|
||
As of now, NO MORE DISCUSSION about the syntax of the
|
||
Received: line.
|
||
CONFIG: Although FEATURE(nullclient) uses EXPOSED_USER (class $=E),
|
||
it never inserts that class into the output file. Fix it
|
||
so it will honor EXPOSED_USER but will _not_ include root
|
||
automatically in this class. Problem noted by Ronan KERYELL
|
||
of Centre de Recherche en Informatique de l'<27>cole Nationale
|
||
Sup<75>rieure des Mines de Paris (CRI-ENSMP).
|
||
CONFIG: Clean up handling of "local:" syntax in relay specifications
|
||
such as LUSER_RELAY. This change permits the following
|
||
syntaxes: ``local:'' will send to the same user on the
|
||
local machine (e.g., in a mailertable entry for "host",
|
||
``local:'' will cause an address addressed to user@host to
|
||
go to user on the local machone). ``local:user'' will send
|
||
to the named user on the local machine. ``local:user@host''
|
||
is equivalent to ``local:user'' (the host is ignored). In
|
||
all cases, the original user@host is passed in $@ (i.e., the
|
||
detail information). Inspired by a report from Michael Fuhr.
|
||
CONFIG: Strip quotes from the first word of an "error:" host
|
||
indication. This lets you set (for example) the LUSER_RELAY
|
||
to be ``error:\"5.1.1\" Your Message Here''. Note the use
|
||
of the \" so that the resulting string is properly quoted.
|
||
Problem noted by Gregory Neil Shapiro of WPI.
|
||
OP.ME: documentation was inconsistent about whether sendmail did a
|
||
NOOP or a RSET to probe the connection (it does a RSET).
|
||
Inconsistency noted by Deeran Peethamparam.
|
||
OP.ME: insert additional blank pages so it will print properly on
|
||
a duplex printer. From Matthew Black of Cal State University,
|
||
Long Beach.
|
||
|
||
8.8.4/8.8.4 1996/12/02
|
||
SECURITY: under some circumstances, an attacker could get additional
|
||
permissions by hard linking to files that were group
|
||
writable by the attacker. The solution is to disallow any
|
||
files that have hard links -- this will affect .forward,
|
||
:include:, and output files. Problem noted by Terry
|
||
Kyriacopoulos of Interlog Internet Services. As a
|
||
workaround, set UnsafeGroupWrites -- always a good idea.
|
||
SECURITY: the TryNullMXList (w) option should not be safe -- if it
|
||
is, it is possible to do a denial-of-service attack on
|
||
MX hosts that rely on the use of the null MX list. There
|
||
is no danger if you have this option turned off (the default).
|
||
Problem noted by Dan Bernstein. Also, make the DontInitGroups
|
||
unsafe. I know of no specific attack against this, although
|
||
a denial-of-service attack is probably possible, but in theory
|
||
you should not be able to safely tweak anything that affects
|
||
the permissions that are used when mail is delivered.
|
||
Purgestat could go into an infinite loop if one of the host status
|
||
directories somehow became empty. Problem noted by Roy
|
||
Mongiovi of Georgia Tech.
|
||
Processes got "lost" when counting children due to a race condition.
|
||
This caused "proc_list_probe: lost pid" messages to be logged.
|
||
Problem noted by several people.
|
||
On systems with System V SIGCLD child signal semantics (notably AIX
|
||
and HP-UX), mail transactions would print the message "451
|
||
SMTP-MAIL: lost child: No child processes". Problem noted
|
||
by several people.
|
||
Miscellaneous compiler warnings on picky compilers (or when setting
|
||
gcc to high warning levels). From Tom Moore of NCR Corp.
|
||
SMTP protocol errors, and most errors on MAIL FROM: lines should
|
||
not be persistent between runs, since they are based on the
|
||
message rather than the host. Problem noted by Matt Dillon
|
||
of Best Internet Communications.
|
||
The F=7 flag was ignored on SMTP mailers. Problem noted by Tom Moore
|
||
of NCR (a.k.a., AT&T Global Information Solutions).
|
||
Avoid the possibility of having a child daemon run to completion
|
||
(including closing the SMTP socket) before the parent has
|
||
had a chance to close the socket; this can cause the parent
|
||
to hang for a long time waiting for the socket to drain.
|
||
Patch from Don Lewis of TDK Semiconductor.
|
||
If the fork() failed in a queue run, the queue runners would not be
|
||
rescheduled (so queue runs would stop). Patch from Don Lewis.
|
||
Some error conditions in ETRN could cause output without an SMTP
|
||
status code. Problem noted by Don Lewis.
|
||
Multiple :maildrop addresses in the user database didn't work properly.
|
||
Patch from Roy Mongiovi of Georgia Tech.
|
||
Add ".db" automatically onto any user database spec that does not
|
||
already have it; this is for consistency with makemap, the
|
||
K line, and the documentation. Inconsistency pointed out
|
||
by Roy Mongiovi.
|
||
Allow sendmail to be properly called in nohup mode. Patch from
|
||
Kyle Jones of UUNET.
|
||
Change ETRN to ignore but still update host status files; previously
|
||
it would ignore them and not save the updated status, which
|
||
caused stale information to be maintained. Based on a patch
|
||
from Christopher Davis of Kapor Enterprises Inc. Also, have
|
||
ETRN ignore the MinQueueAge option.
|
||
Patch long term host status to recover more gracefully from an empty
|
||
host status file condition. Patch from NAKAMURA Motonori
|
||
of Kyoto University.
|
||
Several patches to signal handling code to fix potential race
|
||
conditions from Don Lewis.
|
||
Make it possible to compile with -DDAEMON=0 (previously it had some
|
||
compile errors). This turns DAEMON, QUEUE, and SMTP into
|
||
0/1 compilation flags. Note that DAEMON is an obsolete
|
||
compile flag; use NETINET instead. Solution based on a
|
||
patch from Bryan Costales.
|
||
PORTABILITY FIXES:
|
||
AIX4: getpwnam() and getpwuid() do a sequential scan of the
|
||
/etc/security/passwd file when called as root. This
|
||
is very slow on some systems. To speed it up, use the
|
||
(undocumented) _getpw{nam,uid}_shadow() routines.
|
||
Patch from Chris Thomas of UCLA/OAC Systems Group.
|
||
SCO 5.x: include -lprot in the Makefile. Patch from Bill
|
||
Glicker of Burrelle's Information Service.
|
||
NEWS-OS 4.x: need a definition for MODE_T to compile. Patch
|
||
from Makoto MATSUSHITA of Osaka University.
|
||
SunOS 4.0.3: compile problems. Patches from Andrew Cole of
|
||
Leeds University and SASABE Tetsuro of the University
|
||
of Tokyo.
|
||
DG/UX 5.4.4.11 from Brian J. Murrell of InterLinx Support
|
||
Services, Inc.
|
||
Domain/OS from Don (Truck) Lewis of TDK Semiconductor Corp.
|
||
I believe this to have only been a problem if you
|
||
compiled with -DUSE_VENDOR_CF_PATH -- another reason
|
||
to stick with /etc/sendmail.cf as your One True Path.
|
||
Digital UNIX (OSF/1 on Alpha) load average computation from
|
||
Martin Laubach of the Technischen Universit<69>t Wien.
|
||
CONFIG: change default Received: line to be multiple lines rather
|
||
than one long one. By popular demand.
|
||
MAIL.LOCAL: warnings weren't being logged on some systems. Patch
|
||
from Jerome Berkman of U.C. Berkeley.
|
||
MAKEMAP: be sure to zero hinfo to avoid cruft that can cause runs
|
||
to take a very long time. Problem noted by Yoshiro YONEYA
|
||
of NTT Software Corporation.
|
||
CONTRIB: add etrn.pl, contributed by John Beck.
|
||
NEW FILES:
|
||
contrib/etrn.pl
|
||
|
||
8.8.3/8.8.3 1996/11/17
|
||
SECURITY: it was possible to get a root shell by lying to sendmail
|
||
about argv[0] and then sending it a signal. Problem noted
|
||
by Leshka Zakharoff <leshka@leshka.chuvashia.su> on the
|
||
best-of-security list.
|
||
Log sendmail binary version number in "Warning: .cf version level
|
||
(%d) exceeds program functionality (%d) message" -- this
|
||
should make it clearer to people that they are running
|
||
the wrong binary.
|
||
Fix a problem that occurs when you open an SMTP connection and then
|
||
do one or more ETRN commands followed by a MAIL command; at
|
||
the end of the DATA phase sendmail would incorrectly report
|
||
"451 SMTP-MAIL: lost child: No child processes". Problem
|
||
noted by Eric Bishop of Virginia Tech.
|
||
When doing text-based host canonification (typically /etc/hosts
|
||
lookup), a null host name would match any /etc/hosts entry
|
||
with space at the end of the line. Problem noted by Steve
|
||
Hubert of the University of Washington, Seattle.
|
||
7 to 8 bit BASE64 MIME conversions could duplicate bits of text.
|
||
Problem reported by Tom Smith of Digital Equipment Corp.
|
||
Increase the size of the DNS answer buffer -- the standard UDP packet
|
||
size PACKETSZ (512) is not sufficient for some nameserver
|
||
answers containing very many resource records. The resolver
|
||
may also switch to TCP and retry if it detects UDP packet
|
||
overflow. Also, allow for the fact that the resolver
|
||
routines res_query and res_search return the size of the
|
||
*un*truncated answer in case the supplied answer buffer it
|
||
not big enough to accommodate the entire answer. Patch from
|
||
Eric Wassenaar.
|
||
Improvements to MaxDaemonChildren code. If you think you have too
|
||
many children, probe the ones you have to verify that they
|
||
are still around. Suggested by Jared Mauch of CICnet, Inc.
|
||
Also, do this probe before growing the vector of children
|
||
pids; this previously caused the vector to grow indefinitely
|
||
due to a race condition. Problem reported by Kyle Jones of
|
||
UUNET.
|
||
On some architectures, <db.h> (from the Berkeley DB library) defines
|
||
O_EXLOCK to zero; this fools the map compilation code into
|
||
thinking that it can avoid race conditions by locking on open.
|
||
Change it to check for O_EXLOCK non-zero. Problem noted by
|
||
Leif Erlingsson of Data Lege.
|
||
Always call res_init() on startup (if compiled in, of course) to
|
||
allow the sendmail.cf file to tweak resolver flags; without
|
||
it, flag tweaks in ResolverOptions are ignored. Patch from
|
||
Andrew Sun of Merrill Lynch.
|
||
Improvements to host status printing code. Suggested by Steve Hubert
|
||
of the University of Washington, Seattle.
|
||
Change MinQueueAge option processing to do the check for the job age
|
||
when reading the queue file, rather than at the end; this
|
||
avoids parsing the addresses, which can do DNS lookups.
|
||
Problem noted by John Beck of InReference, Inc.
|
||
When MIME was being 7->8 bit decoded, "From " lines weren't being
|
||
properly escaped. Problem noted by Peter Nilsson of the
|
||
University of Linkoping.
|
||
In some cases, sendmail would retain root permissions during queue
|
||
runs even if RunAsUser was set. Problem noted by Mark
|
||
Thomas of Mark G. Thomas Consulting.
|
||
If the F=l flag was set on an SMTP mailer to indicate that it is
|
||
actually local delivery, and NOTIFY=SUCCESS is specified in
|
||
the envelope, and the receiving SMTP server speaks DSN, then
|
||
the DSN would be both generated locally and propagated to the
|
||
other end.
|
||
The U= mailer field didn't correctly extract the group id if the
|
||
user id was numeric. Problem noted by Kenneth Herron of
|
||
MCI Telecommunications Communications.
|
||
If a message exceeded the fixed maximum size on input, the body of
|
||
the message was included in the bounce. Note that this did
|
||
not occur if it exceeded the maximum _output_ size. Problem
|
||
reported by Kyle Jones of UUNET.
|
||
PORTABILITY FIXES:
|
||
AIX4: 4.1 doesn't have a working setreuid(2); change the
|
||
AIX4 defines to use seteuid(2) instead, which
|
||
works on 4.1 as well as 4.2. Problem noted by
|
||
H<>kan Lindholm of interAF, Sweden.
|
||
AIX4: use tzname[] vector to determine time zone name.
|
||
Patch from NAKAMURA Motonori of Kyoto University.
|
||
MkLinux: add Makefile.Linux.ppc and OSTYPE(mklinux) support.
|
||
Contributed by Paul DuBois <dubois@primate.wisc.edu>.
|
||
Solaris: kstat(3k) support for retrieving the load average.
|
||
This adds the LA_KSTAT definition for LA_TYPE.
|
||
The outline of the implementation was contributed
|
||
by Michael Tokarev of Telecom Service, JSC, Moscow.
|
||
HP-UX 10.0 gripes about the (perfectly legal!) forward
|
||
declaration of struct rusage at the top of conf.h;
|
||
change it to only be included if you are using gcc,
|
||
which is apparently the only compiler that requires
|
||
it in the first place. Problem noted by Jeff
|
||
Earickson of Colby College.
|
||
IRIX: don't default to using gcc. IRIX is a civilized
|
||
operating system that comes with a decent compiler
|
||
by default. Problem noted by Barry Bouwsma and
|
||
Kari Hurtta.
|
||
CONFIG: specify F=9 as default in FEATURE(local_procmail) for
|
||
consistency with other local mailers. Inconsistency
|
||
pointed out by Teddy Hogeborn <teddy@fukt.hk-r.se>.
|
||
CONFIG: if the "limited best mx" feature is used (to reduce DNS
|
||
overhead) as part of the bestmx_is_local feature, the
|
||
domain part was dropped from the name. Patch from Steve
|
||
Hubert of the University of Washington, Seattle.
|
||
CONFIG: catch addresses of the form "user@.dom.ain"; these could
|
||
end up being translated to the null host name, which would
|
||
return any entry in /etc/hosts that had a space at the end
|
||
of the line. Problem noted by Steve Hubert of the
|
||
University of Washington, Seattle.
|
||
CONFIG: add OSTYPE(aix4). From Michael Sofka of Rensselaer
|
||
Polytechnic Institute.
|
||
MAKEMAP: tweak hash and btree parameters for better performance.
|
||
Patch from Matt Dillon of Best Internet Communications.
|
||
NEW FILES:
|
||
src/Makefiles/Makefile.Linux.ppc
|
||
cf/ostype/aix4.m4
|
||
cf/ostype/mklinux.m4
|
||
|
||
8.8.2/8.8.2 1996/10/18
|
||
SECURITY: fix a botch in the 7-bit MIME patch; the previous patch
|
||
changed the code but didn't fix the problem.
|
||
PORTABILITY FIXES:
|
||
Solaris: Don't use the system getusershell(3); it can
|
||
apparently corrupt the heap in some circumstances.
|
||
Problem found by Ken Pizzini of Spry, Inc.
|
||
OP.ME: document several mailer flags that were accidentally omitted
|
||
from this document. These flags were F=d, F=j, F=R, and F=9.
|
||
CONFIG: no changes.
|
||
|
||
8.8.1/8.8.1 1996/10/17
|
||
SECURITY: unset all environment variables that the resolver will
|
||
examine during queue runs and daemon mode. Problem noted
|
||
by Dan Bernstein of the University of Illinois at Chicago.
|
||
SECURITY: in some cases an illegal 7-bit MIME-encoded text/plain
|
||
message could overflow a buffer if it was converted back
|
||
to 8 bits. This caused core dumps and has the potential
|
||
for a remote attack. Problem first noted by Gregory Shapiro
|
||
of WPI.
|
||
Avoid duplicate deliveries of error messages on systems that don't
|
||
have flock(2) support. Patch from Motonori Nakamura of
|
||
Kyoto University.
|
||
Ignore null FallBackMX (V) options. If this option is null (as
|
||
opposed to undefined) it can cause "null signature" syserrs
|
||
on illegal host names.
|
||
If a Base64 encoded text/plain message has no trailing newline in
|
||
the encoded text, conversion back to 8 bits will drop the
|
||
final line. Problem noted by Pierre David.
|
||
If running with a RunAsUser, sendmail would give bogus "cannot
|
||
setuid" (or seteuid, or setreuid) messages on some systems.
|
||
Problem pointed out by Jordan Mendelson of Web Services, Inc.
|
||
Always print error messages in -bv mode -- previously, -bv would
|
||
be absolutely silent on errors if the error mode was sent
|
||
to (say) mail-back. Problem noted by Kyle Jones of UUNET.
|
||
If -qI/R/S is set (or the ETRN command is used), ignore all long
|
||
term host status. This is necessary because it is common
|
||
to do this when you know a host has just come back up.
|
||
Disallow duplicate HELO/EHLO commands as required by RFC 1651 section
|
||
4.2. Excessive permissiveness noted by Lee Flight of the
|
||
University of Leicester.
|
||
If a service (such as NIS) is specified as the last entry in the
|
||
service switch, but that service is not compiled in, sendmail
|
||
would return a temporary failure when an entry was not found
|
||
in the map. This caused the message to be queued instead of
|
||
bouncing immediately. Problem noted by Harry Edmon of the
|
||
University of Washington.
|
||
PORTABILITY FIXES:
|
||
Solaris 2.3 had compilation problems in conf.c. Several
|
||
people pointed this out.
|
||
NetBSD from Charles Hannum of MIT.
|
||
AIX4 improvements based on info from Steve Bauer of South
|
||
Dakota School of Mines & Technology.
|
||
CONFIG: ``error:code message'' syntax was broken in virtusertable.
|
||
Patch from Gil Kloepfer Jr.
|
||
CONFIG: if FEATURE(nocanonify) was specified, hosts in $=M (set
|
||
using MASQUERADE_DOMAIN) were not masqueraded unless they
|
||
were also in $=w. Problem noted by Zoltan Basti of
|
||
Softec.
|
||
MAIL.LOCAL: patches to compile and link cleanly on AIX. Based
|
||
on a patch from Eric Hagberg of Morgan Stanley.
|
||
MAIL.LOCAL: patches to compile on NEXTSTEP. From Patrick Nolan
|
||
of Stanford via Robert La Ferla.
|
||
|
||
8.8.0/8.8.0 1996/09/26
|
||
Under some circumstances, Bcc: headers would not be properly
|
||
deleted. Pointed out by Jonathan Kamens of OpenVision.
|
||
Log a warning if the sendmail daemon is invoked without a full
|
||
pathname, which prevents "kill -1" from working. I was
|
||
urged to put this in by Andrey A. Chernov of DEMOS (Russia).
|
||
Fix small buffer overflow. Since the data in this buffer was not
|
||
read externally, there was no security problem (and in fact
|
||
probably wouldn't really overflow on most compilers). Pointed
|
||
out by KIZU takashi of Osaka University.
|
||
Fix problem causing domain literals such as [1.2.3.4] to be ignored
|
||
if a FallbackMXHost was specified in the configuration file
|
||
-- all mail would be sent to the fallback even if the original
|
||
host was accessible. Pointed out by Munenari Hirayama of
|
||
NSC (Japan).
|
||
A message that didn't terminate with a newline would (sometimes) not
|
||
have the trailing "." added properly in the SMTP dialogue,
|
||
causing SMTP to hang. Patch from Per Hedeland of Ericsson.
|
||
The DaemonPortOptions suboption to bind to a particular address was
|
||
incorrect and nonfunctional due to a misunderstanding of the
|
||
semantics of binding on a passive socket. Patch from
|
||
NIIBE Yutaka of Mitsubishi Research Institute.
|
||
Increase the number of MX hosts for a single name to 100 to better
|
||
handle the truly huge service providers such as AOL, which
|
||
has 13 at the moment (and climbing). In order to avoid
|
||
trashing memory, the buffer for all names has only been
|
||
slightly increased in size, to 12.8K from 10.2K -- this means
|
||
that if a single name had 100 MX records, the average size
|
||
of those records could not exceed 128 bytes. Requested by
|
||
Brad Knowles of America On Line.
|
||
Restore use of IDENT returns where the OSTYPE field equals "OTHER".
|
||
Urged by Dan Bernstein of U.C. Berkeley.
|
||
Print q_statdate and q_specificity in address structure debugging
|
||
printout.
|
||
Expand MCI structure flag bits for debugging output.
|
||
Support IPv6-style domain literals, which can have colons between
|
||
square braces.
|
||
Log open file descriptors for the "cannot dup" messages in deliver();
|
||
this is an attempt to track down a bug that one person seems
|
||
to be having (it may be a Solaris bug!).
|
||
DSN NOTIFY parameters were not properly propagated across queue runs;
|
||
this caused the NOTIFY info to sometimes be lost. Problem
|
||
pointed out by Claus Assmann of the
|
||
Christian-Albrechts-University of Kiel.
|
||
The statistics gathered in the sendmail.st file were too high; in
|
||
some cases failures (e.g., user unknown or temporary failure)
|
||
would count as a delivery as far as the statistics were
|
||
concerned. Problem noted by Tom Moore of AT&T GIS.
|
||
Systems that don't have flock() would not send split envelopes in
|
||
the initial run. Problem pointed out by Leonard Zubkoff of
|
||
Dandelion Digital.
|
||
Move buffer overflow checking -- these primarily involve distrusting
|
||
results that may come from NIS and DNS.
|
||
4.4-BSD-derived systems, including FreeBSD, NetBSD, and BSD/OS didn't
|
||
include <paths.h> and hence had the wrong pathnames for a few
|
||
things like /var/tmp. Reported by Matthew Green.
|
||
Conditions were reversed for the Priority: header, resulting in all
|
||
values being interpreted as non-urgent except for non-urgent,
|
||
which was interpreted as normal. Patch from Bryan Costales.
|
||
The -o (optional) flag was being ignored on hash and btree maps
|
||
since 8.7.2. Fix from Bryan Costales.
|
||
Content-Types listed in class "q" will always be encoded as
|
||
Quoted-Printable (or more accurately, will never be encoded
|
||
as base64). The class can have primary types (e.g., "text")
|
||
or full types (e.g., "text/plain"). Based on a suggestion by
|
||
Marius Olafsson of the University of Iceland.
|
||
Define ${envid} to be the original envelope id (from the ESMTP DSN
|
||
dialogue) so it can be passed to programs in mailers.
|
||
Define ${bodytype} to be the body type (from the -B flag or the
|
||
BODY= ESMTP parameter) so it can be passed to programs in
|
||
mailers.
|
||
Cause the VRFY command to return 252 instead of 250 unless the F=q
|
||
flag is set in the mailer descriptor. Suggested by John
|
||
Myers of CMU.
|
||
Implement ESMTP ETRN command to flush the queue for a specific host.
|
||
The command takes a host name; data for that host is
|
||
immediately (and asynchronously) flushed. Because this shares
|
||
the -qR implementation, other hosts may be attempted, but
|
||
there should be no security implications. Implementation
|
||
from John Beck of InReference, Inc. See RFC 1985 for details.
|
||
Add three new command line flags to pass in DSN parameters: -V envid
|
||
(equivalent to ENVID=envid on the MAIL command), -R ret
|
||
(equivalent to RET=ret on the MAIL command), and -Nnotify
|
||
(equivalent to NOTIFY=notify on the RCPT command). Note
|
||
that the -N flag applies to all recipients; there is no way
|
||
to specify per-address notifications on the command line,
|
||
nor is there an equivalent for the ORCPT= per-address
|
||
parameter.
|
||
Restore LogLevel option to be safe (it can only be increased);
|
||
apparently I went into paranoid mode between 8.6 and 8.7
|
||
and made it unsafe. Pointed out by Dabe Murphy of the
|
||
University of Maryland.
|
||
New logging on log level 15: all SMTP traffic. Patches from
|
||
Andrew Gross of San Diego Supercomputer Center.
|
||
NetInfo property value searching code wasn't stopping when it found
|
||
a match. This was causing the wrong values to be found (and
|
||
had a memory leak). Found by Bastian Schleuter of TU-Berlin.
|
||
Add new F=0 (zero) mailer flag to turn off MX lookups. It was pointed
|
||
out by Bill Wisner of Electronics for Imaging that you can't
|
||
use the bracket address form for the MAIL_HUB macro, since
|
||
that causes the brackets to remain in the envelope recipient
|
||
address used for delivery. The simple fix (stripping off the
|
||
brackets in the config file) breaks the use of IP literal
|
||
addresses. This flag will solve that problem.
|
||
Add MustQuoteChars option. This is a list of characters that must
|
||
be quoted if they are found in the phrase part of an address
|
||
(that is, the full name part). The characters @,;:\()[] are
|
||
always in this list and cannot be removed. The default is
|
||
this list plus . and ' to match RFC 822.
|
||
Add AllowBogusHELO option; if set, sendmail will allow HELO commands
|
||
that do not include a host name for back compatibility with
|
||
some stupid SMTP clients. Setting this violates RFC 1123
|
||
section 5.2.5.
|
||
Add MaxDaemonChildren option; if this is set, sendmail will start
|
||
rejecting connections if it has more than this many
|
||
outstanding children accepting mail. Note that you may
|
||
see more processes than this because of outgoing mail; this
|
||
is for incoming connections only.
|
||
Add ConnectionRateThrottle option. If set to a positive value, the
|
||
number of incoming SMTP connections that will be permitted
|
||
in a single second is limited to this number. Connections are
|
||
not refused during this time, just deferred. The intent is to
|
||
flatten out demand so that load average limiting can kick in.
|
||
It is less radical than MaxDaemonChildren, which will stop
|
||
accepting connections even if all the connections are idle
|
||
(e.g., due to connection caching).
|
||
Add Timeout.hoststatus option. This interval (defaulting to 30m)
|
||
specifies how long cached information about the state of a
|
||
host will be kept before they are considered stale and the
|
||
host is retried. If you are using persistent host status
|
||
(i.e., the HostStatusDirectory option is set) this will apply
|
||
between runs; otherwise, it applies only within a single queue
|
||
run and hence is useful only for hosts that have large queues
|
||
that take a very long time to run.
|
||
Add SingleLineFromHeader option. If set, From: headers are coerced
|
||
into being a single line even if they had newlines in them
|
||
when read. This is to get around a botch in Lotus Notes.
|
||
Text class maps were totally broken -- if you ever retrieved the last
|
||
item in a table it would be truncated. Problem noted by
|
||
Gregory Neil Shapiro of WPI.
|
||
Extend the lines printed by the mailq command (== the -bp flag) when
|
||
-v is given to 120 characters; this allows more information
|
||
to be displayed. Suggested by Gregory Neil Shapiro of WPI.
|
||
Allow macro definitions (`D' lines) with unquoted commas; previously
|
||
this was treated as end-of-input. Problem noted by Bryan
|
||
Costales.
|
||
The RET= envelope parameter (used for DSNs) wasn't properly written
|
||
to the queue file. Fix from John Hughes of Atlantic
|
||
Technologies, Inc.
|
||
Close /var/tmp/dead.letter after a successful write -- otherwise
|
||
if this happens in a queue run it can cause nasty delays.
|
||
Problem noted by Mark Horton of AT&T.
|
||
If userdb entries pointed to userdb entries, and there were multiple
|
||
values for a given key, the database cursor would get
|
||
trashed by the recursive call. Problem noted by Roy Mongiovi
|
||
of Georgia Tech. Fixed by reading all the values and creating
|
||
a comma-separated list; thus, the -v output will be somewhat
|
||
different for this case.
|
||
Fix buffer allocation problem with Hesiod-based userdb maps when
|
||
HES_GETMAILHOST is defined. Based on a patch by Betty Lee
|
||
of Stanford University.
|
||
When envelopes were split due to aliases with owner- aliases, and
|
||
there was some error on one of the lists, more than one of
|
||
the owners would get the message. Problem pointed out by
|
||
Roy Mongiovi of Georgia Tech.
|
||
Detect excessive recursion in macro expansions, e.g., $X defined
|
||
in terms of $Y which is defined in terms of $X. Problem
|
||
noted by Bryan Costales; patch from Eric Wassenaar.
|
||
When using F=U to get "ugly UUCP" From_ lines, a buffer could in
|
||
some cases get trashed causing bogus From_ lines. Fix from
|
||
Kyle Jones of UUNET.
|
||
When doing load average initialization, if the nlist call for avenrun
|
||
failed, the second and subsequent lookups wouldn't notice
|
||
that fact causing bogus load averages to be returned. Noted
|
||
by Casper Dik of Sun Holland.
|
||
Fix problem with incompatibility with some versions of inet_aton that
|
||
have changed the return value to unsigned, so a check for an
|
||
error return of -1 doesn't work. Use INADDR_NONE instead.
|
||
This could cause mail to addresses such as [foo.com] to bounce
|
||
or get dropped. Problem noted by Christophe Wolfhugel of the
|
||
Pasteur Institute.
|
||
DSNs were inconsistent if a failure occurred during the DATA phase
|
||
rather than the RCPT phase: the Action: would be correct, but
|
||
the detailed status information would be wrong. Problem noted
|
||
by Bob Snyder of General Electric Company.
|
||
Add -U command line flag and the XUSR ESMTP extension, both indicating
|
||
that this is the initial MUA->MTA submission. The flag current
|
||
does nothing, but in future releases (when MUAs start using
|
||
these flags) it will probably turn on things like DNS
|
||
canonification.
|
||
Default end-of-line string (E= specification on mailer [M] lines)
|
||
to \r\n on SMTP mailers. Default remains \n on non-SMTP
|
||
mailers.
|
||
Change the internal definition for the *file* and *include* mailers
|
||
to have $u in the argument vectors so that they aren't
|
||
misinterpreted as SMTP mailers and thus use \r\n line
|
||
termination. This will affect anyone who has redefined
|
||
either of these in their configuration file.
|
||
Don't assume that IDENT servers close the connection after a query;
|
||
responses can be newline terminated. From Terry Kennedy of
|
||
St. Peter's College.
|
||
Avoid core dumps on erroneous configuration files that have
|
||
$#mailer with nothing following. From Bryan Costales.
|
||
Avoid null pointer dereference with high debug values in unlockqueue.
|
||
Fix from Randy Martin of Clemson University.
|
||
Fix possible buffer overrun when expanding very large macros. Fix
|
||
from Kyle Jones of UUNET.
|
||
After 25 EXPN or VRFY commands, start pausing for a second before
|
||
processing each one. This avoids a certain form of denial
|
||
of service attack. Potential attack pointed out by Bryan
|
||
Costales.
|
||
Allow new named (not numbered!) config file rules to do validity
|
||
checking on SMTP arguments: check_mail for MAIL commands and
|
||
check_rcpt for RCPT commands. These rulesets can do anything
|
||
they want; their result is ignored unless they resolve to the
|
||
$#error mailer, in which case the indicated message is printed
|
||
and the command is rejected. Similarly, the check_compat
|
||
ruleset is called before delivery with "from_addr $| to_addr"
|
||
(the $| is a meta-symbol used to separate the two addresses);
|
||
it can give a "this sender can't send to this recipient"
|
||
notification. Note that this patch allows $| to stand alone
|
||
in rulesets.
|
||
Define new macros ${client_name}, ${client_addr}, and ${client_port}
|
||
that have the name, IP address, and port number (respectively)
|
||
of the SMTP client (that is, the entity at the other end of
|
||
the connection. These can be used in (e.g.) check_rcpt to
|
||
verify that someone isn't trying to relay mail through your
|
||
host inappropriately. Be sure to use the deferred evaluation
|
||
form, for example $&{client_name}, to avoid having these bound
|
||
when sendmail reads the configuration file.
|
||
Add new config file rule check_relay to check the incoming connection
|
||
information. Like check_compat, it is passed the host name
|
||
and host address separated by $| and can reject connections
|
||
on that basis.
|
||
Allow IDA-style recursive function calls. Code contributed by Mark
|
||
Lovell and Paul Vixie.
|
||
Eliminate the "No ! in UUCP From address!" message" -- instead, create
|
||
a virtual UUCP address using either a domain address or the $k
|
||
macro. Based on code contributed by Mark Lovell and Paul
|
||
Vixie.
|
||
Add Stanford LDAP map. Requires special libraries that are not
|
||
included with sendmail. Contributed by Booker C. Bense
|
||
<bbense@networking.stanford.edu>; contact him for support.
|
||
See also the src/READ_ME file.
|
||
Allow -dANSI to turn on ANSI escape sequences in debug output; this
|
||
puts metasymbols (e.g., $+) in reverse video. Really useful
|
||
only for debugging deep bits of code where it is important to
|
||
distinguish between the single-character metasymbol $+ and the
|
||
two characters $, +.
|
||
Changed ruleset 89 (executed in dumpstate()) to a named ruleset,
|
||
debug_dumpstate.
|
||
Add new UnsafeGroupWrites option; if set, .forward and :include:
|
||
files that are group writable are considered "unsafe" -- that
|
||
is, programs and files referenced from such files are not
|
||
valid recipients.
|
||
Delete bogosity test for FallBackMX host; this prevented it to be a
|
||
name that was not in DNS or was a domain-literal. Problem
|
||
noted by Tom May.
|
||
Change the introduction to error messages to more clearly delineate
|
||
permanent from temporary failures; if both existed in a
|
||
single message it could be confusing. Suggested by John
|
||
Beck of InReference, Inc.
|
||
The IngoreDot (i) option didn't work for lines that were terminated
|
||
with CRLF. Problem noted by Ted Stockwell of Secure
|
||
Computing Corporation.
|
||
Add a heuristic to improve the handling of unbalanced `<' signs in
|
||
message headers. Problem reported by Matt Dillon of Best
|
||
Internet Communications.
|
||
Check for bogus characters in the 0200-0237 range; since these are
|
||
used internally, very strange errors can occur if those
|
||
characters appear in headers. Problem noted by Anders Gertz
|
||
of Lysator.
|
||
Implement 7 -> 8 bit MIME conversions. This only takes place if the
|
||
recipient mailer has the F=9 flag set, and only works on
|
||
text/plain body types. Code contributed by Marius Olafsson
|
||
of the University of Iceland.
|
||
Special case "postmaster" name so that it is always treated as lower
|
||
case in alias files regardless of configuration settings;
|
||
this prevents some potential problems where "Postmaster" or
|
||
"POSTMASTER" might not match "postmaster". In most cases
|
||
this change is a no-op.
|
||
The -o map flag was ignored for text maps. Problem noted by Bryan
|
||
Costales.
|
||
The -a map flag was ignored for dequote maps. Problem noted by
|
||
Bryan Costales.
|
||
Fix core dump when a lookup of a class "prog" map returns no
|
||
response. Patch from Bryan Costales.
|
||
Log instances where sendmail is deferring or rejecting connections
|
||
on LogLevel 14. Suggested by Kyle Jones of UUNET.
|
||
Include port number in process title for network daemons. Suggested
|
||
by Kyle Jones of UUNET.
|
||
Send ``double bounces'' (errors that occur when sending an error
|
||
message) to the address indicated in the DoubleBounceAddress
|
||
option (default: postmaster). Previously they were always
|
||
sent to postmaster. Suggested by Kyle Jones of UUNET.
|
||
Add new mode, -bD, that acts like -bd in all respects except that
|
||
it runs in foreground. This is useful for using with a
|
||
wrapper that "watches" system services. Suggested by Kyle
|
||
Jones of UUNET.
|
||
Fix botch in spacing around (parenthesized) comments in addresses
|
||
when the comment comes before the address. Patch from
|
||
Motonori Nakamura of Kyoto University.
|
||
Use the prefix "Postmaster notify" on the Subject: lines of messages
|
||
that are being bounced to postmaster, rather than "Returned
|
||
mail". This permits the person who is postmaster more
|
||
easily determine what messages are to their role as
|
||
postmaster versus bounces to mail they actually sent. Based
|
||
on a suggestion by Motonori Nakamura.
|
||
Add new value "time" for QueueSortOrder option; this causes the queue
|
||
to be sorted strictly by the time of submission. Note that
|
||
this can cause very bad behavior over slow lines (because
|
||
large jobs will tend to delay small jobs) and on nodes with
|
||
heavy traffic (because old things in the queue for hosts that
|
||
are down delay processing of new jobs). Also, this does not
|
||
guarantee that jobs will be delivered in submission order
|
||
unless you also set DeliveryMode=queue. In general, it should
|
||
probably only be used on the command line, and only in
|
||
conjunction with -qRhost.domain. In fact, there are very few
|
||
cases where it should be used at all. Based on an
|
||
implementation by Motonori Nakamura.
|
||
If a map lookup in ruleset 5 returns tempfail, queue the message in
|
||
the same manner as other rulesets. Previously a temporary
|
||
failure in ruleset 5 was ignored. Patch from Booker Bense
|
||
of Stanford University.
|
||
Don't proceed to the next MX host if an SMTP MAIL command returns a
|
||
5yz (permanent failure) code. The next MX host will still be
|
||
tried if the connection cannot be opened in the first place
|
||
or if the MAIL command returns a 4yz (temporary failure) code.
|
||
(It's hard to know what to do here, since neither RFC 974 nor
|
||
RFC 1123 specify when to proceed to the next MX host.)
|
||
Suggested by Jonathan Kamens of OpenVision, Inc.
|
||
Add new "-t" flag for map definitions (the "K" line in the .cf file).
|
||
This causes map lookups that get a temporary failure (e.g.,
|
||
name server failure) to _not_ defer the delivery of the
|
||
message. This should only be used if your configuration file
|
||
is prepared to do something sensible in this case. Based on
|
||
an idea by Gregory Shapiro of WPI.
|
||
Fix problem finding network interface addresses. Patch from
|
||
Motonori Nakamura.
|
||
Don't reject qf entries that are not owned by your effective uid if
|
||
you are not running set-user-ID; this makes management of
|
||
certain kinds of firewall setups difficult. Patch
|
||
suggested by Eamonn Coleman of Qualcomm.
|
||
Add persistent host status. This keeps the information normally
|
||
maintained within a single queue run in disk files that are
|
||
shared between sendmail instances. The HostStatusDirectory
|
||
is the directory in which the information is maintained. If
|
||
not set, persistent host status is turned off. If not a full
|
||
pathname, it is relative to the queue directory. A common
|
||
value is ".hoststat".
|
||
There are also two new operation modes:
|
||
* -bh prints the status of hosts that have had recent
|
||
connections.
|
||
* -bH purges the host statuses. No attempt is made to save
|
||
recent status information.
|
||
This feature was originally written by Paul Vixie of Vixie
|
||
Enterprises for KJS and adapted for V8 by Mark Lovell of
|
||
Bigrock Consulting. Paul's funding of Mark and Mark's patience
|
||
with my insistence that things fit cleanly into the V8
|
||
framework is gratefully appreciated.
|
||
New SingleThreadDelivery option (requires HostStatusDirectory to
|
||
operate). Avoids letting two sendmails on the local machine
|
||
open connections to the same remote host at the same time.
|
||
This reduces load on the other machine, but can cause mail to
|
||
be delayed (for example, if one sendmail is delivering a huge
|
||
message, other sendmails won't be able to send even small
|
||
messages). Also, it requires another file descriptor (for the
|
||
lock file) per connection, so you may have to reduce
|
||
ConnectionCacheSize to avoid running out of per-process
|
||
file descriptors. Based on the persistent host status code
|
||
contributed by Paul Vixie and Mark Lovell.
|
||
Allow sending to non-simple files (e.g., /dev/null) even if the
|
||
SafeFileEnvironment option is set. Problem noted by Bryan
|
||
Costales.
|
||
The -qR flag mistakenly matched flags in the "R" line of the queue
|
||
file. Problem noted by Bryan Costales.
|
||
If a job was aborted using the interrupt signal (e.g., control-C from
|
||
the keyboard), on some occasions an empty df file would be
|
||
left around; these would collect in the queue directory.
|
||
Problem noted by Bryan Costales.
|
||
Change the makesendmail script to enhance the search for Makefiles
|
||
based on release number. For example, on SunOS 5.5.1, it will
|
||
search for Makefile.SunOS.5.5.1, Makefile.SunOS.5.5, and then
|
||
Makefile.SunOS.5.x (in addition to the other rules, e.g.,
|
||
adding $arch). Problem noted by Jason Mastaler of Atlanta
|
||
Webmasters.
|
||
When creating maps using "newaliases", always map the keys to lower
|
||
case when creating the map unless the -f flag is specified on
|
||
the map itself. Previously this was done based on the F=u
|
||
flag in the local mailer, which meant you could create aliases
|
||
that you could never access. Problem noted by Bob Wu of DEC.
|
||
When a job was read from the queue, the bits causing notification on
|
||
failure or delay were always set. This caused those
|
||
notifications to be sent even if NOTIFY=NEVER had been
|
||
specified. Problem noted by Steve Hubert of the University
|
||
of Washington, Seattle.
|
||
Add new configurable routine validate_connection (in conf.c). This
|
||
lets you decide if you are willing to accept traffic from
|
||
this host. If it returns FALSE, all SMTP commands will return
|
||
"550 Access denied". -DTCPWRAPPERS will include support for
|
||
TCP wrappers; you will need to add -lwrap to the link line.
|
||
(See src/READ_ME for details.)
|
||
Don't include the "THIS IS A WARNING MESSAGE ONLY" banner on postmaster
|
||
bounces. Some people seemed to think that this could be
|
||
confusing (even though it is true). Suggested by Motonori
|
||
Nakamura.
|
||
Add new RunAsUser option; this causes sendmail to do a setuid to that
|
||
user early in processing to avoid potential security problems.
|
||
However, this means that all .forward and :include: files must
|
||
be readable by that user, and all files to be written must be
|
||
writable by that user and all programs will be executed by that
|
||
user. It is also incompatible with the SafeFileEnvironment
|
||
option. In other words, it may not actually add much to
|
||
security. However, it should be useful on firewalls and other
|
||
places where users don't have accounts and the aliases file is
|
||
well constrained.
|
||
Add Timeout.iconnect. This is like Timeout.connect except it is used
|
||
only on the first attempt to delivery to an address. It could
|
||
be set to be lower than Timeout.connect on the principle that
|
||
the mail should go through quickly to responsive hosts; less
|
||
responsive hosts get to wait for the next queue run.
|
||
Fix a problem on Solaris that occasionally causes programs
|
||
(such as vacation) to hang with their standard input connected
|
||
to a UDP port. It also created some signal handling problems.
|
||
The problems turned out to be an interaction between vfork(2)
|
||
and some of the libraries, particularly NIS/NIS+. I am
|
||
indebted to Tor Egge <tegge@idt.ntnu.no> for this fix.
|
||
Change user class map to do the same matching that actual delivery
|
||
will do instead of just a /etc/passwd lookup. This adds
|
||
fuzzy matching to the user map. Patch from Dan Oscarsson.
|
||
The Timeout.* options are not safe -- they can be used to create a
|
||
denial-of-service attack. Problem noted by Christophe
|
||
Wolfhugel.
|
||
Don't send PostmasterCopy messages in the event of a "delayed"
|
||
notification. Suggested by Barry Bouwsma.
|
||
Don't advertise "VERB" ESMTP extension if the "noexpn" privacy
|
||
option is set, since this disables VERB mode. Suggested
|
||
by John Hawkinson of MIT.
|
||
Complain if the QueueDirectory (Q) option is not set. Problem noted
|
||
by Motonori Nakamura of Kyoto University.
|
||
Only queue messages on transient .forward open failures if there
|
||
were no successful opens. The previous behavior caused it
|
||
to queue even if a "fall back" .forward was found. Problem
|
||
noted by Ann-Kian Yeo of the Dept. of Information Systems
|
||
and Computer Science (DISCS), NUS, Singapore.
|
||
Don't do 8->7 bit conversions when bouncing a MIME message that
|
||
is bouncing because of a MIME error during 8->7 bit conversion;
|
||
the encapsulated message will bounce again, causing a loop.
|
||
Problem noted by Steve Hubert of the University of Washington.
|
||
Create xf (transcript) files using the TempFileMode option value
|
||
instead of 0644. Suggested by Ann-Kian Yeo of the
|
||
National University of Singapore.
|
||
Print errors if setgid/setuid/etc. fail during delivery. This helps
|
||
detect cases where DefaultUser is set to something that the
|
||
system can't cope with.
|
||
PORTABILITY FIXES:
|
||
Support for AIX/RS 2.2.1 from Mark Whetzel of Western
|
||
Atlas International.
|
||
Patches for Intel Paragon OSF/1 1.3 from Leo Bicknell
|
||
<bicknell@ufp.org>.
|
||
On DEC OSF/1 3.2 and earlier, the MatchGECOS code would only
|
||
work on the first recipient of a message due to a
|
||
bug in the getpwent family. If this is something you
|
||
use, you can define DEC_OSF_BROKEN_GETPWENT=1 for a
|
||
workaround. From Maximum Entropy of Sanford C.
|
||
Bernstein and Associates.
|
||
FreeBSD 1.1.5.1 uname -r returns a string containing
|
||
parentheses, which breaks makesendmail. Reported
|
||
by Piero Serini <piero@strider.ibenet.it>.
|
||
Sequent DYNIX/ptx 4.0.2 patches from Jack Woolley of
|
||
Systems and Computer Technology Corporation.
|
||
Solaris 2.x: omit the UUCP grade parameter (-g flag) because
|
||
it is system-dependent. Problem noted by J.J. Bailey
|
||
of Bailey Computer Consulting.
|
||
Pyramid NILE running DC/OSx support from Earle F. Ake of
|
||
Hassler Communication Systems Technology, Inc.
|
||
HP-UX 10.x compile glitches, reported by Anne Brink of the
|
||
U.S. Army and James Byrne of Harte & Lyne Limited.
|
||
NetBSD from Matthew Green of the NetBSD crew.
|
||
SCO 5.x from Keith Reynolds of SCO.
|
||
IRIX 6.2 from Robert Tarrall of the University of
|
||
Colorado and Kari Hurtta of the Finnish Meteorological
|
||
Institute.
|
||
UXP/DS (Fujitsu/ICL DS/90 series) support from Diego R.
|
||
Lopez, CICA (Seville).
|
||
NCR SVR4 MP-RAS 3.x support from Tom Moore of NCR.
|
||
PTX 3.2.0 from Kenneth Stailey of the US Department of Labor
|
||
Employment Standards Administration.
|
||
Altos System V (5.3.1) from Tim Rice of Multitalents.
|
||
Concurrent Systems Corporation Maxion from Donald R. Laster
|
||
Jr.
|
||
NetInfo maps (improved debugging and multi-valued aliases)
|
||
from Adrian Steinmann of Steinmann Consulting.
|
||
ConvexOS 11.5 (including SecureWare C2 and the Share Scheduler)
|
||
from Eric Schnoebelen of Convex.
|
||
Linux 2.0 mail.local patches from Horst von Brand.
|
||
NEXTSTEP 3.x compilation from Robert La Ferla.
|
||
NEXTSTEP 3.x code changes from Allan J. Nathanson of NeXT.
|
||
Solaris 2.5 configuration fixes for mail.local by Jim Davis
|
||
of the University of Arizona.
|
||
Solaris 2.5 has a working setreuid. Noted by David Linn of
|
||
Vanderbilt University.
|
||
Solaris changes for praliases, makemap, mailstats, and smrsh.
|
||
Previously you had to add -DSOLARIS in Makefile.dist;
|
||
this auto-detects. Based on a patch from Randall
|
||
Winchester of the University of Maryland.
|
||
CONFIG: add generic-nextstep3.3.mc file. Contributed by
|
||
Robert La Ferla of Hot Software.
|
||
CONFIG: allow mailertables to resolve to ``error:code message''
|
||
(where "code" is an exit status) on domains (previously
|
||
worked only on hosts). Patch from Cor Bosman of Xs4all
|
||
Foundation.
|
||
CONFIG: hooks for IPv6-style domain literals.
|
||
CONFIG: predefine ALIAS_FILE and change the prototype file so that
|
||
if it is undefined the AliasFile option is never set; this
|
||
should be transparent for most everyone. Suggested by John
|
||
Myers of CMU.
|
||
CONFIG: add FEATURE(limited_masquerade). Without this feature, any
|
||
domain listed in $=w is masqueraded. With it, only those
|
||
domains listed in a MASQUERADE_DOMAIN macro are masqueraded.
|
||
CONFIG: add FEATURE(masquerade_entire_domain). This causes
|
||
masquerading specified by MASQUERADE_DOMAIN to apply to all
|
||
hosts under those domains as well as the domain headers
|
||
themselves. For example, if a configuration had
|
||
MASQUERADE_DOMAIN(foo.com), then without this feature only
|
||
foo.com would be masqueraded; with it, *.foo.com would be
|
||
masqueraded as well. Based on an implementation by Richard
|
||
(Pug) Bainter of U. Texas.
|
||
CONFIG: add FEATURE(genericstable) to do a more general rewriting of
|
||
outgoing addresses. Defaults to ``hash -o /etc/genericstable''.
|
||
Keys are user names; values are outgoing mail addresses. Yes,
|
||
this does overlap with the user database, and figuring out
|
||
just when to use which one may be tricky. Based on code
|
||
contributed by Richard (Pug) Bainter of U. Texas with updates
|
||
from Per Hedeland of Ericsson.
|
||
CONFIG: add FEATURE(virtusertable) to do generalized rewriting of
|
||
incoming addresses. Defaults to ``hash -o /etc/virtusertable''.
|
||
Keys are either fully qualified addresses or just the host
|
||
part (with the @ sign). For example, a table containing:
|
||
info@foo.com foo-info
|
||
info@bar.com bar-info
|
||
@baz.org jane@elsewhere.net
|
||
would send all mail destined for info@foo.com to foo-info
|
||
(which is presumably an alias), mail addressed to info@bar.com
|
||
to bar-info, and anything addressed to anyone at baz.org will
|
||
be sent to jane@elsewhere.net. The names foo.com, bar.com,
|
||
and baz.org must all be in $=w. Based on discussions with
|
||
a great many people.
|
||
CONFIG: add nullclient configurations to define SMTP_MAILER_FLAGS.
|
||
Suggested by Richard Bainter.
|
||
CONFIG: add FAX_MAILER_ARGS to tweak the arguments passed to the
|
||
"fax" mailer.
|
||
CONFIG: allow mailertable entries to resolve to local:user; this
|
||
passes the original user@host in to procmail-style local
|
||
mailers as the "detail" information to allow them to do
|
||
additional clever processing. From Joe Pruett of
|
||
Teleport Corporation. Delivery to the original user can
|
||
be done by specifying "local:" (with nothing after the colon).
|
||
CONFIG: allow any context that takes "mailer:domain" to also take
|
||
"mailer:user@domain" to force mailing to the given user;
|
||
"local:user" can also be used to do local delivery. This
|
||
applies on *_RELAY and in the mailertable entries. Based
|
||
on a suggestion by Ribert Kiessling of Easynet.
|
||
CONFIG: Allow FEATURE(bestmx_is_local) to take an argument that
|
||
limits the possible domains; this reduces the number of DNS
|
||
lookups required to support this feature. For example,
|
||
FEATURE(bestmx_is_local, my.site.com) limits the lookups
|
||
to domains under my.site.com. Code contributed by Anthony
|
||
Thyssen <anthony@cit.gu.edu.au>.
|
||
CONFIG: LOCAL_RULESETS introduces any locally defined rulesets,
|
||
such as the check_rcpt ruleset. Suggested by Gregory Shapiro
|
||
of WPI.
|
||
CONFIG: MAILER_DEFINITIONS introduces any mailer definitions, in the
|
||
event you have to define local mailers. Suggested by
|
||
Gregory Shapiro of WPI.
|
||
CONFIG: fix cases where a three- (or more-) stage route-addr could
|
||
be misinterpreted as a list:...; syntax. Based on a patch by
|
||
Vlado Potisk <Vlado_Potisk@tempest.sk>.
|
||
CONFIG: Fix masquerading of UUCP addresses when the UUCP relay is
|
||
remotely connected. The address host!user was being
|
||
converted to host!user@thishost instead of host!user@uurelay.
|
||
Problem noted by William Gianopoulos of Raytheon Company.
|
||
CONFIG: add confTO_ICONNECT to set Timeout.iconnect.
|
||
CONFIG: change FEATURE(redirect) message from "User not local" to
|
||
"User has moved"; the former wording was confusing if the
|
||
new address is still on the local host. Based on a suggestion
|
||
by Andreas Luik.
|
||
CONFIG: add support in FEATURE(nullclient) for $=E (exposed users).
|
||
However, the class is not pre-initialized to contain root.
|
||
Suggested by Gregory Neil Shapiro.
|
||
CONTRIB: Remove XLA code at the request of the author, Christophe
|
||
Wolfhugel.
|
||
CONTRIB: Add re-mqueue.pl, contributed by Paul Pomes of Qualcomm.
|
||
MAIL.LOCAL: make it possible to compile mail.local on Solaris. Note
|
||
well: this produces a slightly different mailbox format (no
|
||
Content-Length: headers), file ownerships and modes are
|
||
different (not owned by group mail; mode 600 instead of 660),
|
||
and the local mailer flags will have to be tweaked (make them
|
||
match bsd4.4) in order to use this mailer. Patches from Paul
|
||
Hammann of the Missouri Research and Education Network.
|
||
MAIL.LOCAL: in some cases it could return EX_OK even though there
|
||
was a delivery error, such as if the ownership on the file
|
||
was wrong or the mode changed between the initial stat and
|
||
the open. Problem reported by William Colburn of the New
|
||
Mexico Institute of Mining and Technology.
|
||
MAILSTATS: handle zero length files more reliably. Patch from Bryan
|
||
Costales.
|
||
MAILSTATS: add man page contributed by Keith Bostic of BSDI.
|
||
MAKEMAP: The -d flag (to allow duplicate keys) to a btree map wasn't
|
||
honored. Fix from Michael Scott Shappe.
|
||
PRALIASES: add man page contributed by Keith Bostic of BSDI.
|
||
NEW FILES:
|
||
src/Makefiles/Makefile.AIX.2
|
||
src/Makefiles/Makefile.IRIX.6.2
|
||
src/Makefiles/Makefile.maxion
|
||
src/Makefiles/Makefile.NCR.MP-RAS.3.x
|
||
src/Makefiles/Makefile.SCO.5.x
|
||
src/Makefiles/Makefile.UXPDSV20
|
||
mailstats/mailstats.8
|
||
praliases/praliases.8
|
||
cf/cf/generic-nextstep3.3.mc
|
||
cf/feature/genericstable.m4
|
||
cf/feature/limited_masquerade.m4
|
||
cf/feature/masquerade_entire_domain.m4
|
||
cf/feature/virtusertable.m4
|
||
cf/ostype/aix2.m4
|
||
cf/ostype/altos.m4
|
||
cf/ostype/maxion.m4
|
||
cf/ostype/solaris2.ml.m4
|
||
cf/ostype/uxpds.m4
|
||
contrib/re-mqueue.pl
|
||
DELETED FILES:
|
||
src/Makefiles/Makefile.Solaris
|
||
contrib/xla/README
|
||
contrib/xla/xla.c
|
||
RENAMED FILES:
|
||
src/Makefiles/Makefile.NCR3000 => Makefile.NCR.MP-RAS.2.x
|
||
src/Makefiles/Makefile.SCO.3.2v4.2 => Makefile.SCO.4.2
|
||
src/Makefiles/Makefile.UXPDS => Makefile.UXPDSV10
|
||
src/Makefiles/Makefile.NeXT => Makefile.NeXT.2.x
|
||
src/Makefiles/Makefile.NEXTSTEP => Makefile.NeXT.3.x
|
||
|
||
8.7.6/8.7.3 1996/09/17
|
||
SECURITY: It is possible to force getpwuid to fail when writing the
|
||
queue file, causing sendmail to fall back to running programs
|
||
as the default user. This is not exploitable from off-site.
|
||
Workarounds include using a unique user for the DefaultUser
|
||
(old u & g options) and using smrsh as the local shell.
|
||
SECURITY: fix some buffer overruns; in at least one case this allows
|
||
a local user to get root. This is not known to be exploitable
|
||
from off-site. The workaround is to disable chfn(1) commands.
|
||
|
||
8.7.5/8.7.3 1996/03/04
|
||
Fix glitch in 8.7.4 when putting certain internal lines; this can
|
||
in some case cause connections to hang or messages to have
|
||
extra spaces in odd places. Patch from Eric Wassenaar;
|
||
reports from Eric Hall of Chiron Corporation, Stephen
|
||
Hansen of Stanford University, Dean Gaudet of HotWired,
|
||
and others.
|
||
|
||
8.7.4/8.7.3 1996/02/18
|
||
SECURITY: In some cases it was still possible for an attacker to
|
||
insert newlines into a queue file, thus allowing access to
|
||
any user (except root).
|
||
CONFIG: no changes -- it is not a bug that the configuration
|
||
version number is unchanged.
|
||
|
||
8.7.3/8.7.3 1995/12/03
|
||
Fix botch in name server timeout in RCPT code; this problem caused
|
||
two responses in SMTP, which breaks things horribly. Fix
|
||
from Gregory Neil Shapiro of WPI.
|
||
Verify that L= value on M lines cannot be negative, which could cause
|
||
negative array subscripting. Not a security problem since
|
||
this has to be in the config file, but it could have caused
|
||
core dumps. Pointed out by Bryan Costales.
|
||
Fix -d21 debug output for long macro names. Pointed out by Bryan
|
||
Costales.
|
||
PORTABILITY FIXES:
|
||
SCO doesn't have ftruncate. From Bill Aten of Computerizers.
|
||
IBM's version of arpa/nameser.h defaults to the wrong byte
|
||
order. Tweak it to work properly. Based on fixes
|
||
from Fletcher Mattox of UTexas and Betty Lee of
|
||
Stanford University.
|
||
CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option.
|
||
Deficiency pointed out by Bryan Costales of ICSI.
|
||
|
||
8.7.2/8.7.2 1995/11/19
|
||
REALLY fix the backslash escapes in SmtpGreetingMessage,
|
||
OperatorChars, and UnixFromLine options. They were not
|
||
properly repaired in 8.7.1.
|
||
Completely delete the Bcc: header if and only if there are other
|
||
valid recipient headers (To:, Cc: or Apparently-To:, the
|
||
last being a historic botch, of course). If Bcc: is the
|
||
only recipient header in the message, its value is tossed,
|
||
but the header name is kept. The old behavior (always keep
|
||
the header name and toss the value) allowed primary recipients
|
||
to see that a Bcc: went to _someone_.
|
||
Include queue id on ``Authentication-Warning: <host>: <user> set
|
||
sender to <address> using -f'' syslog messages. Suggested
|
||
by Kari Hurtta.
|
||
If a sequence or switch map lookup entry gets a tempfail but then
|
||
continues on to another map type, but the name is not found,
|
||
return a temporary failure from the sequence or switch map.
|
||
For example, if hosts search ``dns files'' and DNS fails
|
||
with a tempfail, the hosts map will go on and search files,
|
||
but if it fails the whole thing should be a tempfail, not
|
||
a permanent (host unknown) failure, even though that is the
|
||
failure in the hosts.files map. This error caused hard
|
||
bounces when it should have requeued.
|
||
Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo
|
||
owned by bar mode 700 and inbox being set-user-ID bar stopped
|
||
working properly due to excessive paranoia. Pointed out by
|
||
John Hawkinson of Panix.
|
||
An SMTP RCPT command referencing a host that gave a nameserver
|
||
timeout would return a 451 command (8.6 accepted it and
|
||
queued it locally). Revert to the 8.6 behavior in order
|
||
to simplify queue management for clustered systems. Suggested
|
||
by Gregory Neil Shapiro of WPI. The same problem could break
|
||
MH, which assumes that the SMTP session will succeed (tsk, tsk
|
||
-- mail gets lost!); this was pointed out by Stuart Pook of
|
||
Infobiogen.
|
||
Fix possible buffer overflow in munchstring(). This was not a security
|
||
problem because you couldn't specify any argument to this
|
||
without first giving up root privileges, but it is still a
|
||
good idea to avoid future problems. Problem noted by John
|
||
Hawkinson and Sam Hartman of MIT.
|
||
``452 Out of disk space for temp file'' messages weren't being
|
||
printed. Fix from David Perlin of Nanosoft.
|
||
Don't advertise the ESMTP DSN extension if the SendMimeErrors option
|
||
is not set, since this is required to get the actual DSNs
|
||
created. Problem pointed out by John Gardiner Myers of CMU.
|
||
Log permission problems that cause .forward and :include: files to
|
||
be untrusted or ignored on log level 12 and higher. Suggested
|
||
by Randy Martin of Clemson University.
|
||
Allow user ids in U= clauses of M lines to have hyphens and
|
||
underscores.
|
||
Fix overcounting of recipients -- only happened when sending to an
|
||
alias. Pointed out by Mark Andrews of SGI and Jack Woolley
|
||
of Systems and Computer Technology Corporation.
|
||
If a message is sent to an address that fails, the error message that
|
||
is returned could show some extraneous "success" information
|
||
included even if the user did not request success notification,
|
||
which was confusing. Pointed out by Allan Johannesen of WPI.
|
||
Config files that had no AliasFile definition were defaulting to
|
||
using /etc/aliases; this caused problems with nullclient
|
||
configurations. Change it back to the 8.6 semantics of
|
||
having no local alias file unless it is declared. Problem
|
||
noted by Charles Karney of Princeton University.
|
||
Fix compile problem if NOTUNIX is defined. Pointed out by Bryan
|
||
Costales of ICSI.
|
||
Map lookups of class "userdb" maps were always case sensitive; they
|
||
should be controlled by the -f flag like other maps. Pointed
|
||
out by Bjart Kvarme <bjart.kvarme@usit.uio.no>.
|
||
Fix problem that caused some addresses to be passed through ruleset 5
|
||
even when they were tagged as "sticky" by prefixing the
|
||
address with an "@". Patch from Thomas Dwyer III of Michigan
|
||
Technological University.
|
||
When converting a message to Quoted-Printable, prevent any lines with
|
||
dots alone on a line by themselves. This is because of the
|
||
preponderance of broken mailers that still get this wrong.
|
||
Code contributed by Per Hedeland of Ericsson.
|
||
Fix F{macro}/file construct -- it previously did nothing. Pointed
|
||
out by Bjart Kvarme of USIT/UiO (Norway).
|
||
Announce whether a cached connection is SMTP or ESMTP (in -v mode).
|
||
Requested by Allan Johannesen.
|
||
Delete check for text format of alias files -- it should be legal
|
||
to have the database format of the alias files without the
|
||
text version. Problem pointed out by Joe Rhett of Navigist,
|
||
Inc.
|
||
If "Ot" was specified with no value, the TZ variable was not properly
|
||
imported from the environment. Pointed out by Frank Crawford
|
||
<frank@ansto.gov.au>.
|
||
Some architectures core dumped on "program" maps that didn't have
|
||
extra arguments. Patch from Booker C. Bense of Stanford
|
||
University.
|
||
Queue run processes would re-spawn daemons when given a SIGHUP; only
|
||
the parent should do this. Fix from Brian Coan of the
|
||
Association for Progressive Communications.
|
||
If MinQueueAge was set and a message was considered but not run
|
||
during a queue run and the Timeout.queuereturn interval was
|
||
reached, a "timed out" error message would be returned that
|
||
didn't include the failed address (and claimed to be a warning
|
||
even though it was fatal). The fix is to not return such
|
||
messages until they are actually tried, i.e., in the next
|
||
MinQueueAge interval. Problem noted by Rein Tollevik of
|
||
SINTEF RUNIT, Oslo.
|
||
Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions
|
||
that have the hes_getmailhost() routine. DEC Hesiod
|
||
distributions do not have this routine. Based on a patch
|
||
from Betty Lee of Stanford University.
|
||
Extensive cleanups to map open code to handle a locking race condition
|
||
in ndbm, hash, and btree format database files on some (most
|
||
non-4.4-BSD based) OS architectures. This should solve the
|
||
occasional "user unknown" problem during alias rebuilds that
|
||
has plagued me for quite some time. Based on a patch from
|
||
Thomas Dwyer III of Michigan Technological University.
|
||
PORTABILITY FIXES:
|
||
Solaris: Change location of newaliases and mailq from
|
||
/usr/ucb to /usr/bin to match Sun settings. From
|
||
James B. Davis of TCI.
|
||
DomainOS: Makefile.DomainOS doesn't require -ldbm. From
|
||
Don Lewis of Silicon Systems.
|
||
HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x
|
||
so that the makesendmail script will find it. Pointed
|
||
out by Richard Allen of the University of Iceland.
|
||
Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which
|
||
isn't supported on all compilers.
|
||
UXPDS: compilation fixes from Diego R. Lopez.
|
||
CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless
|
||
you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE.
|
||
CONFIG: Minor glitch in S21 -- attachment of local domain name
|
||
didn't have trailing dot. From Jim Hickstein of Teradyne.
|
||
CONFIG: Fix best_mx_is_local feature to allow nested addresses such as
|
||
user%host@thishost. From Claude Scarpelli of Infobiogen
|
||
(France).
|
||
CONFIG: OSTYPE(hpux10) failed to define the location of the help file.
|
||
Pointed out by Hannu Martikka of Nokia Telecommunications.
|
||
CONFIG: Diagnose some inappropriate ordering in configuration files,
|
||
such as FEATURE(smrsh) listed after MAILER(local). Based on
|
||
a bug report submitted by Paul Hoffman of Proper Publishing.
|
||
CONFIG: Make OSTYPE files consistently not override settings that
|
||
have already been set. Previously it worked differently
|
||
for different files.
|
||
CONFIG: Change relay mailer to do masquerading like 8.6 did. My take
|
||
is that this is wrong, but the change was causing problems
|
||
for some people. From Per Hedeland of Ericsson.
|
||
CONTRIB: bitdomain.c patch from John Gardiner Myers <jgm+@CMU.EDU>;
|
||
portability changes for Posix environments (no functional
|
||
changes).
|
||
|
||
8.7.1/8.7.1 1995/10/01
|
||
Old macros that have become options (SmtpGreetingMessage,
|
||
OperatorChars, and UnixFromLine) didn't allow backslash
|
||
escapes in the options, where they previously had. Bug
|
||
pointed out by John Hawkinson of MIT.
|
||
Fix strange case of an executable called by a program map that
|
||
returns a value but also a non-zero exit status; this
|
||
would give contradictory results in the higher level; in
|
||
particular, the default clause in the map lookup would be
|
||
ignored. Change to ignore the value if the program returns
|
||
non-zero exit status. From Tom Moore of AT&T GIS.
|
||
Shorten parameters passed to syslog() in some contexts to avoid a
|
||
bug in many vendors' implementations of that routine. Although
|
||
this isn't really a bug in sendmail per se, and my solution
|
||
has to assume that syslog() has at least a 1K buffer size
|
||
internally (I know some vendors have shortened this
|
||
dramatically -- they're on their own), sendmail is a popular
|
||
target. Also, limit the size of %s arguments in sprintf.
|
||
These both have possible security implications. Solutions
|
||
suggested by Casper Dik of Sun's Network Security Group
|
||
(Holland), Mark Seiden, and others.
|
||
Fix a problem that might cause a non-standard -B (body type)
|
||
parameter to be passed to the next server with undefined
|
||
results. This could have security implications.
|
||
If a filesystem was at > 100% utilization, the freediskspace()
|
||
routine incorrectly returned an error rather than zero.
|
||
Problem noted by G. Paul Ziemba of Alantec.
|
||
Change MX sort order so that local hostnames (those in $=w) always
|
||
sort first within a given preference. This forces the bestmx
|
||
map to always return the local host first, if it is included
|
||
in the list of highest priority MX records. From K. Robert
|
||
Elz.
|
||
Avoid some possible null pointer dereferences. Fixes from Randy
|
||
Martin <WOLF@CLEMSON.EDU>
|
||
When sendmail starts up on systems that have no fully qualified
|
||
domain name (FQDN) anywhere in the first matching host map
|
||
(e.g., /etc/hosts if the hosts service searches "files dns"),
|
||
sendmail would sleep to try to find a FQDN, which it really
|
||
really needs. This has been changed to fall through to the
|
||
next map type if it can't find a FQDN -- i.e., if the hosts
|
||
file doesn't have a FQDN, it will try dns even though the
|
||
short name was found in /etc/hosts. This is probably a crock,
|
||
but many people have hosts files without FQDNs. Remember:
|
||
domain names are your friends.
|
||
Log a high-priority message if you can't find your FQDN during startup.
|
||
Suggested by Simon Barnes of Schlumberger Limited.
|
||
When using Hesiod, initialize it early to improve error reporting.
|
||
Patch from Don Lewis of Silicon Systems, Inc.
|
||
Apparently at least some versions of Linux have a 90 !minute! TCP
|
||
connection timeout in the kernel. Add a new "connect" timeout
|
||
to limit this time. Defaults to zero (use whatever the
|
||
kernel provides). Based on code contributed by J.R. Oldroyd
|
||
of TerraNet.
|
||
Under some circumstances, a failed message would not be properly
|
||
removed from the queue, causing tons of bogus error messages.
|
||
(This fix eliminates the problematic EF_KEEPQUEUE flag.)
|
||
Problem noted by Allan E Johannesen and Gregory Neil Shapiro
|
||
of WPI.
|
||
PORTABILITY FIXES:
|
||
On IRIX 5.x, there was an inconsistency in the setting
|
||
of sendmail.st location. Change the Makefile to
|
||
install it in /var/sendmail.st to match the OSTYPE
|
||
file and SGI standards. From Andre
|
||
<andre@curry.zfe.siemens.de>.
|
||
Support for Fujitsu/ICL UXP/DS (For the DS/90 Series)
|
||
from Diego R. Lopez <drlopez@cica.es>.
|
||
Linux compilation patches from J.R. Oldroyd of TerraNet, Inc.
|
||
LUNA 2 Mach patches from Motonori Nakamura.
|
||
SunOS Makefile was including -ldbm, which is for the old
|
||
dbm library. The ndbm library is part of libc.
|
||
CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with
|
||
``local configuration error'' in nullclient configuration.
|
||
Patch from Gregory Neil Shapiro of WPI.
|
||
CONFIG: don't allow an alias file in nullclient configurations --
|
||
since all addresses are relayed, they give errors during
|
||
rebuild. Suggested by Per Hedeland of Ericsson.
|
||
CONFIG: local mailer on Solaris 2 should always get a -f flag because
|
||
otherwise the F=S causes the From_ line to imply that root is
|
||
the sender. Problem pointed out by Claude Scarpelli of
|
||
Infobiogen (France).
|
||
NEW FILES:
|
||
cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake)
|
||
src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake)
|
||
src/Makefiles/Makefile.UXPDS
|
||
|
||
8.7/8.7 1995/09/16
|
||
Fix a problem that could cause sendmail to run out of file
|
||
descriptors due to a trashed data structure after a
|
||
vfork. Fix from Brian Coan of the Institute for
|
||
Global Communications.
|
||
Change the VRFY response if you have disabled VRFY -- some
|
||
people seemed to think that it was too rude.
|
||
Avoid reference to uninitialized file descriptor if HASFLOCK
|
||
was not defined. This was used "safely" in the sense
|
||
that it only did a stat, but it would have set the
|
||
map modification time improperly. Problem pointed out
|
||
by Roy Mongiovi of Georgia Tech.
|
||
Clean up the Subject: line on warning messages and return
|
||
receipts so that they don't say "Returned mail:"; this
|
||
can be confusing.
|
||
Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is
|
||
useful enough to make it worthwhile printing on "-d".
|
||
Avoid logging alias statistics every time you read the alias
|
||
file on systems with no database method compiled in.
|
||
If you have a name with a trailing dot, and you try looking it
|
||
up using gethostbyname without the dot (for /etc/hosts
|
||
compatibility), be sure to turn off RES_DEFNAMES and
|
||
RES_DNSRCH to avoid finding the wrong name accidentally.
|
||
Problem noted by Charles Amos of the University of
|
||
Maryland.
|
||
Don't do timeouts in collect if you are not running SMTP.
|
||
There is nothing that says you can't have a long
|
||
running program piped into sendmail (possibly via
|
||
/bin/mail, which just execs sendmail). Problem reported
|
||
by Don "Truck" Lewis of Silicon Systems.
|
||
Try gethostbyname() even if the DNS lookup fails iff option I
|
||
is not set. This allows you to have hosts listed in
|
||
NIS or /etc/hosts that are not known to DNS. It's normally
|
||
a bad idea, but can be useful on firewall machines. This
|
||
should really be broken out on a separate flag, I suppose.
|
||
Avoid compile warnings against BIND 4.9.3, which uses function
|
||
prototypes. From Don Lewis of Silicon Systems.
|
||
Avoid possible incorrect diagnosis of DNS-related errors caused
|
||
by things like attempts to resolve uucp names using
|
||
$[ ... $] -- the fix is to clear h_errno at appropriate
|
||
times. From Kyle Jones of UUNET.
|
||
SECURITY: avoid denial-of-service attacks possible by destroying
|
||
the alias database file by setting resource limits low.
|
||
This involves adding two new compile-time options:
|
||
HASSETRLIMIT (indicating that setrlimit(2) support is
|
||
available) and HASULIMIT (indicating that ulimit(2) support
|
||
is available -- the Release 3 form is used). The former
|
||
is assumed on BSD-based systems, the latter on System
|
||
V-based systems. Attack noted by Phil Brandenberger of
|
||
Swarthmore University.
|
||
New syntaxes in test (-bt) mode:
|
||
``.Dmvalue'' will define macro "m" to "value".
|
||
``.Ccvalue'' will add "value" to class "c".
|
||
``=Sruleset'' will dump the contents of the indicated
|
||
ruleset.
|
||
``=M'' will display the known mailers.
|
||
``-ddebug-spec'' is equivalent to the command-line
|
||
-d debug flag.
|
||
``$m'' will print the value of macro $m.
|
||
``$=c'' will print the contents of class $=c.
|
||
``/mx host'' returns the MX records for ``host''.
|
||
``/parse address'' will parse address, returning the value of
|
||
crackaddr (essentially, the comment information)
|
||
and the parsed address.
|
||
``/try mailer address'' will rewrite address into the form
|
||
it will have when presented to the indicated mailer.
|
||
``/tryflags flags'' will set flags used by parsing. The
|
||
flags can be `H' for header or `E' for envelope,
|
||
and `S' for sender or `R' for recipient. These
|
||
can be combined, so `HR' sets flags for header
|
||
recipients.
|
||
``/canon hostname'' will try to canonify hostname and
|
||
return the result.
|
||
``/map mapname key'' will look up `key' in the indicated
|
||
`mapname' and return the result.
|
||
Somewhat better handling of UNIX-domain socket addresses -- it
|
||
should show the pathname rather than hex bytes.
|
||
Restore ``-ba'' mode -- this reads a file from stdin and parses
|
||
the header for envelope sender information and uses
|
||
CR-LF as message terminators. It was thought to be
|
||
obsolete (used only for Arpanet NCP protocols), but it
|
||
turns out that the UK ``Grey Book'' protocols require
|
||
that functionality.
|
||
Fix a fix in previous release -- if gethostname and gethostbyname
|
||
return a name without dots, and if an attempt to canonify
|
||
that name fails, wait one minute and try again. This can
|
||
result in an extra 60 second delay on startup if your system
|
||
hostname (as returned by hostname(1)) has no dot and no names
|
||
listed in /etc/hosts or your NIS map have a dot.
|
||
Check for proper domain name on HELO and EHLO commands per
|
||
RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III
|
||
of Michigan Technological University.
|
||
Relax chownsafe rules slightly -- old version said that if you
|
||
can't tell if _POSIX_CHOWN_RESTRICTED is set (that is,
|
||
if fpathconf returned EINVAL or ENOSYS), assume that
|
||
chown is not safe. The new version falls back to whether
|
||
you are on a BSD system or not. This is important for
|
||
SunOS, which apparently always returns one of those
|
||
error codes. This impacts whether you can mail to files
|
||
or not.
|
||
Syntax errors such as unbalanced parentheses in the configuration
|
||
file could be omitted if you had "Oem" prior to the
|
||
syntax error in the config file. Change to always print
|
||
the error message. It was especially weird because it
|
||
would cause a "warning" message to be sent to the Postmaster
|
||
for every message sent (but with no transcript). Problem
|
||
noted by Gregory Paris of Motorola.
|
||
Rewrite collect and putbody to handle full 8-bit data, including
|
||
zero bytes. These changes are internally extensive, but
|
||
should have minimal impact on external function.
|
||
Allow full words for option names -- if the option letter is
|
||
(apparently) a space, then take the word following -- e.g.,
|
||
O MatchGECOS=TRUE
|
||
The full list of old and new names is as follows:
|
||
7 SevenBitInput
|
||
8 EightBitMode
|
||
A AliasFile
|
||
a AliasWait
|
||
B BlankSub
|
||
b MinFreeBlocks/MaxMessageSize
|
||
C CheckpointInterval
|
||
c HoldExpensive
|
||
D AutoRebuildAliases
|
||
d DeliveryMode
|
||
E ErrorHeader
|
||
e ErrorMode
|
||
f SaveFromLine
|
||
F TempFileMode
|
||
G MatchGECOS
|
||
H HelpFile
|
||
h MaxHopCount
|
||
i IgnoreDots
|
||
I ResolverOptions
|
||
J ForwardPath
|
||
j SendMimeErrors
|
||
k ConnectionCacheSize
|
||
K ConnectionCacheTimeout
|
||
L LogLevel
|
||
l UseErrorsTo
|
||
m MeToo
|
||
n CheckAliases
|
||
O DaemonPortOptions
|
||
o OldStyleHeaders
|
||
P PostmasterCopy
|
||
p PrivacyOptions
|
||
Q QueueDirectory
|
||
q QueueFactor
|
||
R DontPruneRoutes
|
||
r, T Timeout
|
||
S StatusFile
|
||
s SuperSafe
|
||
t TimeZoneSpec
|
||
u DefaultUser
|
||
U UserDatabaseSpec
|
||
V FallbackMXHost
|
||
v Verbose
|
||
w TryNullMXList
|
||
x QueueLA
|
||
X RefuseLA
|
||
Y ForkEachJob
|
||
y RecipientFactor
|
||
z ClassFactor
|
||
Z RetryFactor
|
||
The old macros that passed information into sendmail have
|
||
been changed to options; those correspondences are:
|
||
$e SmtpGreetingMessage
|
||
$l UnixFromLine
|
||
$o OperatorChars
|
||
$q (deleted -- not necessary)
|
||
To avoid possible problems with an older sendmail,
|
||
configuration level 6 is accepted by this version of
|
||
sendmail; any config file using the new names should
|
||
specify "V6" in the configuration.
|
||
Change address parsing to properly note that a phrase before a
|
||
colon and a trailing semicolon are essentially the same
|
||
as text outside of angle brackets (i.e., sendmail should
|
||
treat them as comments). This is to handle the
|
||
``group name: addr1, addr2, ..., addrN;'' syntax (it will
|
||
assume that ``group name:'' is a comment on the first
|
||
address and the ``;'' is a comment on the last address).
|
||
This requires config file support to get right. It does
|
||
understand that :: is NOT this syntax, and can be turned
|
||
off completely by setting the ColonOkInAddresses option.
|
||
Level 6 config files added with new mailer flags:
|
||
A Addresses are aliasable.
|
||
i Do udb rewriting on envelope as well as header
|
||
sender lines. Applies to the from address mailer
|
||
flags rather than the recipient mailer flags.
|
||
j Do udb rewriting on header recipient addresses.
|
||
Applies to the sender mailer flags rather than the
|
||
recipient mailer flags.
|
||
k Disable check for loops when doing HELO command.
|
||
o Always run as the mail recipient, even on local
|
||
delivery.
|
||
w Check for an /etc/passwd entry for this user.
|
||
5 Pass addresses through ruleset 5.
|
||
: Check for :include: on this address.
|
||
| Check for |program on this address.
|
||
/ Check for /file on this address.
|
||
@ Look up sender header addresses in the user
|
||
database. Applies to the mailer flags for the
|
||
mailer corresponding to the envelope sender
|
||
address, rather than to recipient mailer flags.
|
||
Pre-level 6 configuration files set A, w, 5, :, |, /, and @
|
||
on the "local" mailer, the o flag on the "prog" and "*file*"
|
||
mailers, and the ColonOkInAddresses option.
|
||
Eight-to-seven bit MIME conversions. This borrows ideas from
|
||
John Beck of Hewlett-Packard, who generously contributed
|
||
their implementation to me, which I then didn't use (see
|
||
mime.c for an explanation of why). This adds the
|
||
EightBitMode option (a.k.a. `8') and an F=8 mailer flag
|
||
to control handling of 8-bit data. These have to cope with
|
||
two types of 8-bit data: unlabelled 8-bit data (that is,
|
||
8-bit data that is entered without declaring it as 8-bit
|
||
MIME -- technically this is illegal according to the
|
||
specs) and labelled 8-bit data (that is, it was declared
|
||
as 8BITMIME in the ESMTP session or by using the
|
||
-B8BITMIME command line flag). If the F=8 mailer flag is
|
||
set then 8-bit data is sent to non-8BITMIME machines
|
||
instead of converting to 7 bit (essentially using
|
||
just-send-8 semantics). The values for EightBitMode are:
|
||
m convert unlabelled 8-bit input to 8BITMIME, and do
|
||
any necessary conversion of 8BITMIME to 7BIT
|
||
(essentially, the full MIME option).
|
||
p pass unlabelled 8-bit input, but convert labelled
|
||
8BITMIME input to 7BIT as required (default).
|
||
s strict adherence: reject unlabelled 8-bit input,
|
||
convert 8BITMIME to 7BIT as required. The F=8
|
||
flag is ignored.
|
||
Unlabelled 8-bit data is rejected in mode `s' regardless of
|
||
the setting of F=8.
|
||
Add new internal class 'n', which is the set of MIME Content-Types
|
||
which can not be 8 to 7 bit encoded because of other
|
||
considerations. Types "multipart/*" and "message/*" are
|
||
never directly encoded (although their components can be).
|
||
Add new internal class 's', which is the set of subtypes of the
|
||
MIME message/* content type that can be treated as though
|
||
they are an RFC822 message. It is predefined to have
|
||
"rfc822". Suggested By Kari Hurtta.
|
||
Add new internal class 'e'. This is the set of MIME
|
||
Content-Transfer-Encodings that can be converted to
|
||
a seven bit format (Quoted-Printable or Base64). It is
|
||
preinitialized to contain "7bit", "8bit", and "binary".
|
||
Add C=charset mailer parameter and the the DefaultCharSet option (no
|
||
short name) to set the default character set to use in the
|
||
Content-Type: header when doing encoding of an 8-bit message
|
||
which isn't marked as MIME into MIME format. If the C=
|
||
parameter is set on the Envelope From address, use that as
|
||
the default encoding; else use the DefaultCharSet option.
|
||
If neither is set, it defaults to "unknown-8bit" as
|
||
suggested by RFC 1428 section 3.
|
||
Allow ``U=user:group'' field in mailer definition to set a default
|
||
user and group that a mailer will be executed as. This
|
||
overrides the 'u' and 'g' options, and if the `F=S' flag is
|
||
also set, it is the uid/gid that will always be used (that
|
||
is, the controlling address is ignored). The values may be
|
||
numeric or symbolic; if only a symbolic user is given (no
|
||
group) that user's default group in the passwd file is used
|
||
as the group. Based on code donated by Chip Rosenthal of
|
||
Unicom.
|
||
Allow `u' option to also accept user:group as a value, in the same
|
||
fashion as the U= mailer option.
|
||
Add the symbolic time zone name in the Arpanet format dates (as
|
||
a comment). This adds a new compile-time configuration
|
||
flag: TZ_TYPE can be set to TZ_TM_NAME (use the value
|
||
of (struct tm *)->tm_name), TZ_TM_ZONE (use the value
|
||
of (struct tm *)->tm_zone), TZ_TZNAME (use extern char
|
||
*tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use
|
||
timezone()), or TZ_NONE (don't include the comment). Code
|
||
from Chip Rosenthal.
|
||
The "Timeout" option (formerly "r") is extended to allow suboptions.
|
||
For example,
|
||
O Timeout.helo = 2m
|
||
There are also two new suboptions "queuereturn" and
|
||
"queuewarn"; these subsume the old T option. Thus, to
|
||
set them both the preferred new syntax is
|
||
O Timeout.queuereturn = 5d
|
||
O Timeout.queuewarn = 4h
|
||
Sort queue by host name instead of by message priority if the
|
||
QueueSortOrder option (no short name) is set is set to
|
||
``host''. This makes better use of the connection cache,
|
||
but may delay more ``interactive'' messages behind large
|
||
backlogs under some circumstances. This is probably a
|
||
good option if you have high speed links or don't do lots
|
||
of ``batch'' messages, but less good if you are using
|
||
something like PPP on a 14.4 modem. Based on code
|
||
contributed by Roy Mongiovi of Georgia Tech (my main
|
||
contribution was to make it configurable).
|
||
Save i-number of df file in qf file to simplify rebuilding of queue
|
||
after disastrous disk crash. Suggested by Kyle Jones of
|
||
UUNET; closely based on code from KJS DECWRL code written
|
||
by Paul Vixie. NOTA BENE: The qf files produced by 8.7
|
||
are NOT back compatible with 8.6 -- that is, you can convert
|
||
from 8.6 to 8.7, but not the other direction.
|
||
Add ``F=d'' mailer flag to disable all use of angle brackets in
|
||
route-addrs in envelopes; this is because in some cases
|
||
they can be sent to the shell, which interprets them as
|
||
I/O redirection.
|
||
Don't include error file (option E) with return-receipts; this
|
||
can be confusing.
|
||
Don't send "Warning: cannot send" messages to owner-* or
|
||
*-request addresses. Suggested by Christophe Wolfhugel
|
||
of the Institut Pasteur, Paris.
|
||
Allow -O command line flag to set long form options.
|
||
Add "MinQueueAge" option to set the minimum time between attempts
|
||
to run the queue. For example, if the queue interval
|
||
(-q value) is five minutes, but the minimum queue age
|
||
is fifteen minutes, jobs won't be tried more often than
|
||
once every fifteen minutes. This can be used to give
|
||
you more responsiveness if your delivery mode is set to
|
||
queue-only.
|
||
Allow "fileopen" timeout (default: 60 seconds) for opening
|
||
:include: and .forward files.
|
||
Add "-k", "-v", and "-z" flags to map definitions; these set the
|
||
key field name, the value field name, and the field
|
||
delimiter. The field delimiter can be a single character
|
||
or the sequence "\t" or "\n" for tab or newline.
|
||
These are for use by NIS+ and similar access methods.
|
||
Change maps to always strip quotes before lookups; the -q flag
|
||
turns off this behavior. Suggested by Motonori Nakamura.
|
||
Add "nisplus" map class. Takes -k and -v flags to choose the
|
||
key and value field names respectively. Code donated by
|
||
Sun Microsystems.
|
||
Add "hesiod" map class. The "file name" is used as the
|
||
"HesiodNameType" parameter to hes_resolve(3). Returns the
|
||
first value found for the match. Code donated by Scott
|
||
Hutton of Indiana University.
|
||
Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to
|
||
specify the name of the property that is searched as the
|
||
key and a -v flag to specify the name of the property that
|
||
is returned as the value (defaults to "members"). The
|
||
default map is "/aliases". Some code based on code
|
||
contributed by Robert La Ferla of Hot Software.
|
||
Add "text" map class. This does slow, linear searches through
|
||
text files. The -z flag specifies a column delimiter
|
||
(defaults to any sequence of white space), the -k flag
|
||
sets the key column number, and the -v flag sets the
|
||
value column number. Lines beginning with `#' are treated
|
||
as comments.
|
||
Add "program" map class to execute arbitrary programs. The search
|
||
key is presented as the last argument; the output is one
|
||
line read from the programs standard output. Exit statuses
|
||
are from sysexits.h.
|
||
Add "sequence" map class -- searches maps in sequence until it
|
||
finds a match. For example, the declarations:
|
||
Kmap1 ...
|
||
Kmap2 ...
|
||
Kmapseq sequence map1 map2
|
||
defines a map "mapseq" that first searches map1; if the
|
||
value is found it is returned immediately, otherwise
|
||
map2 is searched and the value returned.
|
||
Add "switch" map class. This is much like "sequence" except that
|
||
the ordering is fetched from an external file, usually
|
||
the system service switch. The parameter is the name of
|
||
the service to switch on, and the maps that it will use
|
||
are the name of the switch map followed by ".service_type".
|
||
For example, if the declaration of the map is
|
||
Ksample switch hosts
|
||
and the system service switch specifies that hosts are
|
||
looked up using dns and nis in that order, then this is
|
||
equivalent to
|
||
Ksample sequence sample.dns sample.nis
|
||
The subordinate maps (sample.*) must already be defined.
|
||
Add "user" map class -- looks up users using getpwnam. Takes a
|
||
"-v field" flag on the definition that tells what passwd
|
||
entry to return -- legal values are name, passwd, uid, gid,
|
||
gecos, dir, and shell. Generally expected to be used with
|
||
the -m (matchonly) flag.
|
||
Add "bestmx" map class -- returns the best MX value for the host
|
||
listed as the value. If there are several "best" MX records
|
||
for this host, one will be chosen at random.
|
||
Add "userdb" map class -- looks up entries in the user database.
|
||
The "file name" is actually the tag that will be used,
|
||
typically "mailname". If there are multiple entries
|
||
matching the name, the one chosen is undefined.
|
||
Add multiple queue timeouts (both return and warning). These are
|
||
set by the Precedence: or Priority: header fields to one of
|
||
three values. If a Priority: is set and has value "normal",
|
||
"urgent", or "non-urgent" the corresponding timeouts are
|
||
used. If no priority is set, the Precedence: is consulted;
|
||
if negative, non-urgent timeouts are used; if greater than
|
||
zero, urgent timeouts are used. Otherwise, normal timeouts
|
||
are used. The timeouts are set by setting the six timeouts
|
||
queue{warn,return}.{urgent,normal,non-urgent}.
|
||
Fix problem when a mail address is resolved to a $#error mailer
|
||
with a temporary failure indication; it works in SMTP,
|
||
but when delivering locally the mail is silently discarded.
|
||
This patch, from Kyle Jones of UUNET, bounces it instead
|
||
of queueing it (queueing is very hard).
|
||
When using /etc/hosts or NIS-style lookups, don't assume that
|
||
the first name in the list is the best one -- instead,
|
||
search for the first one with a dot. For example, if
|
||
an /etc/hosts entry reads
|
||
128.32.149.68 mammoth mammoth.CS.Berkeley.EDU
|
||
this change will use the second name as the canonical
|
||
machine name instead of the initial, unqualified name.
|
||
Change dequote map to replace spaces in quoted text with a value
|
||
indicated by the -s flag on the dequote map definition.
|
||
For example, ``Mdequote dequote -s_'' will change
|
||
"Foo Bar" into an unquoted Foo_Bar instead of leaving it
|
||
quoted (because of the space character). Suggested by Dan
|
||
Oscarsson for use in X.400 addresses.
|
||
Implement long macro names as ${name}; long class names can
|
||
be similarly referenced as $={name} and $~{name}.
|
||
Definitions are (e.g.) ``D{name}value''. Names that have
|
||
a leading lower case letter or punctuation characters are
|
||
reserved for internal use by sendmail; i.e., config files
|
||
should use names that begin with a capital letter. Based
|
||
on code contributed by Dan Oscarsson.
|
||
Fix core dump if getgrgid returns a null group list (as opposed
|
||
to an empty group list, that is, a pointer to a list
|
||
with no members). Fix from Andrew Chang of Sun Microsystems.
|
||
Fix possible core dump if malloc fails -- if the malloc in xalloc
|
||
failed, it called syserr which called newstr which called
|
||
xalloc.... The newstr is now avoided for "panic" messages.
|
||
Reported by Stuart Kemp of James Cook University.
|
||
Improve connection cache timeouts; previously, they were not even
|
||
checked if you were delivering to anything other than an
|
||
IPC-connected host, so a series of (say) local mail
|
||
deliveries could cause cached connections to be open
|
||
much longer than the specified timeout.
|
||
If an incoming message exceeds the maximum message size, stop
|
||
writing the incoming bytes to the queue data file, since
|
||
this can fill your mqueue partition -- this is a possible
|
||
denial-of-service attack.
|
||
Don't reject all numeric local user names unless HESIOD is
|
||
defined. It turns out that Posix allows all-numeric
|
||
user names. Fix from Tony Sanders of BSDI.
|
||
Add service switch support. If the local OS has a service
|
||
switch (e.g., /etc/nsswitch.conf on Solaris or /etc/svc.conf
|
||
on DEC systems) that will be used; otherwise, it falls back
|
||
to using a local mechanism based on the ServiceSwitchFile
|
||
option (default: /etc/service.switch). For example, if the
|
||
service switch lists "files" and "nis" for the aliases
|
||
service, that will be the default lookup order. the "files"
|
||
("local" on DEC) service type expands to any alias files
|
||
you listed in the configuration file, even if they aren't
|
||
actually file lookups.
|
||
Option I (NameServerOptions) no longer sets the "UseNameServer"
|
||
variable which tells whether or not DNS should be considered
|
||
canonical. This is now determined based on whether or not
|
||
"dns" is in the service list for "hosts".
|
||
Add preliminary support for the ESMTP "DSN" extension (Delivery
|
||
Status Notifications). DSN notifications override
|
||
Return-Receipt-To: headers, which are bogus anyhow --
|
||
support for them has been removed.
|
||
Add T=mts-name-type/address-type/diagnostic-type keyletter to mailer
|
||
definitions to define the types used in DSN returns for
|
||
MTA names, addresses, and diagnostics respectively.
|
||
Extend heuristic to force running in ESMTP mode to look for the
|
||
five-character string "ESMTP" anywhere in the 220 greeting
|
||
message (not just the second line). This is to provide
|
||
better compatibility with other ESMTP servers.
|
||
Print sequence number of job when running the queue so you can
|
||
easily see how much progress you have made. Suggested
|
||
by Peter Wemm of DIALix.
|
||
Map newlines to spaces in logged message-ids; some versions of
|
||
syslog truncate the rest of the line after newlines.
|
||
Suggested by Fletcher Mattox of U. Texas.
|
||
Move up forking for job runs so that if a message is split into
|
||
multiple envelopes you don't get "fork storms" -- this
|
||
also improves the connection cache utilization.
|
||
Accept "<<>>", "<<<>>>", and so forth as equivalent to "<>" for
|
||
the purposes of refusing to send error returns. Suggested
|
||
by Motonori Nakamura of Ritsumeikan University.
|
||
Relax rules on when a file can be written when referenced from
|
||
the aliases file: use the default uid/gid instead of the
|
||
real uid/gid. This allows you to create a file owned by
|
||
and writable only by the default uid/gid that will work
|
||
all the time (without having the set-user-ID bit set). Change
|
||
suggested by Shau-Ping Lo and Andrew Cheng of Sun
|
||
Microsystems.
|
||
Add "DialDelay" option (no short name) to provide an "extra"
|
||
delay for dial on demand systems. If this is non-zero
|
||
and a connect fails, sendmail will wait this long and
|
||
then try again. If it takes longer than the kernel
|
||
timeout interval to establish the connection, this
|
||
option can give the network software time to establish
|
||
the link. The default units are seconds.
|
||
Move logging of sender information to be as early as possible;
|
||
previously, it could be delayed a while for SMTP mail
|
||
sent to aliases. Suggested by Brad Knowles of the
|
||
Defense Information Systems Agency.
|
||
Call res_init() before setting RES_DEBUG; this is required by
|
||
BIND 4.9.3, or so I'm told. From Douglas Anderson of
|
||
the National Computer Security Center.
|
||
Add xdelay= field in logs -- this is a transaction delay, telling
|
||
you how long it took to deliver to this address on the
|
||
last try. It is intended to be used for sorting mailing
|
||
lists to favor "quick" addresses. Provided for use by
|
||
the mailprio scripts (see below).
|
||
If a map cannot be opened, and that map is non-optional, and
|
||
an address requires that map for resolution, queue the
|
||
map instead of bouncing it. This involves creating a
|
||
pseudo-class of maps called "bogus-map" -- if a required
|
||
map cannot be opened, the class is changed to bogus-map;
|
||
all queries against bogus-map return "tempfail". The
|
||
bogus-map class is not directly accessible. A sample
|
||
implementation was donated by Jem Taylor of Glasgow
|
||
University Computing Service.
|
||
Fix a possible core dump when mailing to a program that talks
|
||
SMTP on its standard input. Fix from Keith Moore of
|
||
the University of Kentucky.
|
||
Make it possible to resolve filenames to $#local $: @ /filename;
|
||
previously, the "@" would cause it to not be recognized
|
||
as a file. Problem noted by Brian Hill of U.C. Davis.
|
||
Accept a -1 signal to re-exec the daemon. This only works if
|
||
argv[0] is a full path to sendmail.
|
||
Fix bug in "addr=..." field in O option on little-endian machines
|
||
-- the network number wasn't being converted to network
|
||
byte order. Patch from Kurt Lidl of Pix Technologies
|
||
Corporation.
|
||
Pre-initialize the resolver early on; this is to avoid a bug with
|
||
BIND 4.9.3 that can cause the _res.retry field to get
|
||
reset to zero, causing all name server lookups to time
|
||
out. Fix from Matt Day of Artisoft.
|
||
Restore T line (trusted users) in config file -- but instead of
|
||
locking out the -f flag, they just tell whether or not
|
||
an X-Authentication-Warning: will be added. This really
|
||
just creates new entries in class 't', so "Ft/file/name"
|
||
can be used to read trusted user names from a file.
|
||
Trusted users are also allowed to execute programs even
|
||
if they have a shell that isn't in /etc/shells.
|
||
Improve NEWDB alias file rebuilding so it will create them
|
||
properly if they do not already exist. This had been
|
||
a MAYBENEXTRELEASE feature in 8.6.9.
|
||
Check for @:@ entry in NIS maps before starting up to avoid
|
||
(but not prevent, sigh) race conditions. This ought to
|
||
be handled properly in ypserv, but isn't. Suggested by
|
||
Michael Beirne of Motorola.
|
||
Refuse connections if there isn't enough space on the filesystem
|
||
holding the queue. Contributed by Robert Dana of Wolf
|
||
Communications.
|
||
Skip checking for directory permissions in the path to a file
|
||
when checking for file permissions iff setreuid()
|
||
succeeded -- it is unnecessary in that case. This avoids
|
||
significant performance problems when looking for .forward
|
||
files. Based on a suggestion by Win Bent of USC.
|
||
Allow symbolic ruleset names. Syntax can be "Sname" to get an
|
||
arbitrary ruleset number assigned or "Sname = integer"
|
||
to assign a specific ruleset number. Reference is
|
||
$>name_or_number. Names can be composed of alphas, digits,
|
||
underscore, or hyphen (first character must be non-numeric).
|
||
Allow -o flag on AliasFile lines to make the alias file optional.
|
||
From Bryan Costales of ICSI.
|
||
Add NoRecipientAction option to handle the case where there is
|
||
no legal recipient header in the message. It can take
|
||
on values:
|
||
None Leave the message as is. The
|
||
message will be passed on even
|
||
though it is in technically
|
||
illegal syntax.
|
||
Add-To Add a To: header with any
|
||
recipients that it can find from
|
||
the envelope. This risks exposing
|
||
Bcc: recipients.
|
||
Add-Apparently-To Add an Apparently-To: header. This
|
||
has almost no redeeming social value,
|
||
and is provided only for back
|
||
compatibility.
|
||
Add-To-Undisclosed Add a header reading
|
||
To: undisclosed-recipients:;
|
||
which will have the effect of
|
||
making the message legal without
|
||
exposing Bcc: recipients.
|
||
Add-Bcc To add an empty Bcc: header.
|
||
There is a chance that mailers down
|
||
the line will delete this header,
|
||
which could cause exposure of Bcc:
|
||
recipients.
|
||
The default is NoRecipientAction=None.
|
||
Truncate (rather than delete) Bcc: lines in the header. This
|
||
should prevent later sendmails (at least, those that don't
|
||
themselves delete Bcc:) from considering this message to
|
||
be non-conforming -- although it does imply that non-blind
|
||
recipients can see that a Bcc: was sent, albeit not to whom.
|
||
Add SafeFileEnvironment option. If declared, files named as delivery
|
||
targets must be regular files in addition to the regular
|
||
checks. Also, if the option is non-null then it is used as
|
||
the name of a directory that is used as a chroot(2)
|
||
environment for the delivery; the file names listed in an
|
||
alias or forward should include the name of this root.
|
||
For example, if you run with
|
||
O SafeFileEnvironment=/arch
|
||
then aliases should reference "/arch/rest/of/path". If a
|
||
value is given, sendmail also won't try to save to
|
||
/usr/tmp/dead.letter (instead it just leaves the job in the
|
||
queue as Qfxxxxxx). Inspired by *Hobbit*'s sendmail patch kit.
|
||
Support -A flag for alias files; this will comma concatenate like
|
||
entries. For example, given the aliases:
|
||
list: member1
|
||
list: member2
|
||
and an alias file declared as:
|
||
OAhash:-A /etc/aliases
|
||
the final alias inserted will be "list: member1,member2";
|
||
without -A you will get an error on the second and subsequent
|
||
alias for "list". Contributed by Bryan Costales of ICSI.
|
||
Line-buffer transcript file. Suggested by Liudvikas Bukys.
|
||
Fix a problem that could cause very long addresses to core dump in
|
||
some special circumstances. Problem pointed out by Allan
|
||
Johannesen.
|
||
(Internal change.) Change interface to expand() (macro expansion)
|
||
to be simpler and more consistent.
|
||
Delete check for funny qf file names. This didn't really give
|
||
any extra security and caused some people some problems.
|
||
(If you -really- want this, define PICKY_QF_NAME_CHECK
|
||
at compile time.) Suggested by Kyle Jones of UUNET.
|
||
(Internal change.) Change EF_NORETURN to EF_NO_BODY_RETN and
|
||
merge with DSN code; this is simpler and more consistent.
|
||
This may affect some people who have written their own
|
||
checkcompat() routine.
|
||
(Internal change.) Eliminate `D' line in qf file. The df file
|
||
is now assumed to be the same name as the qf file (with
|
||
the `q' changed to a `d', of course).
|
||
Avoid forking for delivery if all recipient mailers are marked as
|
||
"expensive" -- this can be a major cost on some systems.
|
||
Essentially, this forces sendmail into "queue only" mode
|
||
if all it is going to do is queue anyway.
|
||
Avoid sending a null message in some rather unusual circumstances
|
||
(specifically, the RCPT command returns a temporary
|
||
failure but the connection is lost before the DATA
|
||
command). Fix from Scott Hammond of Secure Computing
|
||
Corporation.
|
||
Change makesendmail to use a somewhat more rational naming scheme:
|
||
Makefiles and obj directories are named $os.$rel.$arch,
|
||
where $os is the operating system (e.g., SunOS), $rel is
|
||
the release number (e.g., 5.3), and $arch is the machine
|
||
architecture (e.g., sun4). Any of these can be omitted,
|
||
and anything after the first dot in a release number can
|
||
be replaced with "x" (e.g., SunOS.4.x.sun4). The previous
|
||
version used $os.$arch.$rel and was rather less general.
|
||
Change makesendmail to do a "make depend" in the target directory
|
||
when it is being created. This involves adding an empty
|
||
"depend:" entry in most Makefiles.
|
||
Ignore IDENT return value if the OSTYPE field returns "OTHER",
|
||
as indicated by RFC 1413. Pointed out by Kari Hurtta
|
||
of the Finnish Meteorological Institute.
|
||
Fix problem that could cause multiple responses to DATA command
|
||
on header syntax errors (e.g., lines beginning with colons).
|
||
Problem noted by Jens Thomassen of the University of Oslo.
|
||
Don't let null bytes in headers cause truncation of the rest of
|
||
the header.
|
||
Log Authentication-Warning:s. Suggested by Motonori Nakamura.
|
||
Increase timeouts on message data puts to allow time for receivers
|
||
to canonify addresses in headers on the fly. This is still
|
||
a rather ugly heuristic. From Motonori Nakamura.
|
||
Add "HasWildcardMX" suboption to ResolverOptions; if set, MX
|
||
records are not used when canonifying names, and when MX
|
||
lookups are done for addressing they must be fully
|
||
qualified. This is useful if you have a wildcard MX record,
|
||
although it may cause other problems. In general, don't use
|
||
wildcard MX records. Patch from Motonori Nakamura.
|
||
Eliminate default two-line SMTP greeting message. Instead of
|
||
adding an extra "ESMTP spoken here" line, the word "ESMTP"
|
||
is added between the first and second word of the first
|
||
line of the greeting message (i.e., immediately after the
|
||
host name). This eliminates the need for the BROKEN_SMTP_PEERS
|
||
compile flag. Old sendmails won't see the ESMTP, but that's
|
||
acceptable because SIZE was the only useful extension that
|
||
old sendmails understand.
|
||
Avoid gethostbyname calls on UNIX domain sockets during SIGUSR1
|
||
invoked state dumps. From Masaharu Onishi.
|
||
Allow on-line comments in .forward and :include: files; they are
|
||
introduced by the string "<LWSP>#@#<LWSP>", where <LWSP>
|
||
is a space or a tab. This is intended for native
|
||
representation of non-ASCII sets such as Japanese, where
|
||
existing encodings would be unreadable or would lose
|
||
data -- for example,
|
||
<motonori@cs.ritsumei.ac.jp> NAKAMURA Motonori
|
||
(romanized/less information)
|
||
<motonori@cs.ritsumei.ac.jp> =?ISO-2022-JP?B?GyRCQ2ZCPBsoQg==?=
|
||
=?ISO-2022-JP?B?GyRCQUdFNRsoQg==?=
|
||
(with MIME encoding, not human readable)
|
||
<motonori@cs.ritsumei.ac.jp> #@# ^[$BCfB<^[(B ^[$BAGE5^[(B
|
||
(native encoding with ISO-2022-JP)
|
||
The last form is human readable in the Japanese environment.
|
||
Based on a fix from (surprise!) Motonori Nakamura.
|
||
Don't make SMTP error returns on MAIL FROM: line be "sticky" for all
|
||
messages to that host; these are most frequently associated
|
||
with addresses rather than the host, with the exception of
|
||
421 (service shutting down). The effect was to cause queues
|
||
to sometimes take an excessive time to flush. Reported by
|
||
Robert Sargent of Southern Geographics Technologies and
|
||
Eric Prestemon of American University.
|
||
Add Nice=N mailer option to set the niceness at which a mailer will
|
||
run. This is actually a relative niceness (that is, an
|
||
increment on the background value).
|
||
Log queue runs that are skipped due to high loads. They are logged
|
||
at LOG_INFO priority iff the log level is > 8. Contributed
|
||
by Bruce Nagel of Data General.
|
||
Allow the error mailer to accept a DSN-style error status code
|
||
instead of an sysexits status code in the host part.
|
||
Anything with a dot will be interpreted as a DSN-style code.
|
||
Add new mailer flag: F=3 will tell translations to Quoted-Printable
|
||
to encode characters that might be munged by an EBCDIC system
|
||
in addition to the set required by RFC 1521. The additional
|
||
characters are !, ", #, $, @, [, \, ], ^, `, {, |, }, and ~.
|
||
(Think of "IBM 360" as the mnemonic for this flag.)
|
||
Change check for mailing to files to look for a pathname of [FILE]
|
||
rather than looking for the mailer named *file*. The mapping
|
||
of leading slashes still goes to the *file* mailer. This
|
||
allows you to implement the *file* mailer as a separate
|
||
program, for example, to insert a Content-Length: header
|
||
or do special security policy. However, note that the usual
|
||
initial checking for the file permissions is still done, and
|
||
the program in question needs to be very careful about how
|
||
it does the file write to avoid security problems.
|
||
Be able to read ~root/.forward even if the path isn't accessible to
|
||
regular users. This is disrecommended because sendmail
|
||
sometimes does not run as root (e.g., when an unsafe option
|
||
is specified on the command line), but should otherwise be
|
||
safe because .forward files must be owned by the user for
|
||
whom mail is being forwarded, and cannot be a symbolic link.
|
||
Suggested by Forrest Aldrich of Wang Laboratories.
|
||
Add new "HostsFile" option that is the pathname to the /etc/hosts
|
||
file. This is used for canonifying hostnames when the
|
||
service type is "files".
|
||
Implement programs on F (read class from file) line. The syntax is
|
||
Fc|/path/to/program to read the output from the program
|
||
into class "c".
|
||
Probe the network interfaces to find alternate names for this
|
||
host. Requires the SIOCGIFCONF ioctl call. Code
|
||
contributed by SunSoft.
|
||
Add "E" configuration line to set or propagate environment
|
||
variables into children. "E<envar>" will propagate
|
||
the named variable from the environment when sendmail
|
||
was invoked into any children it calls; "E<envar>=<value>"
|
||
sets the named variable to the indicated value. Any
|
||
variables not explicitly named will not be in the child
|
||
environment. However, sendmail still forces an
|
||
"AGENT=sendmail" environment variable, in part to enforce
|
||
at least one environment variable, since many programs and
|
||
libraries die horribly if this is not guaranteed.
|
||
Change heuristic for rebuilding both NEWDB and NDBM versions of
|
||
alias databases -- new algorithm looks for the substring
|
||
"/yp/" in the file name. This is more portable and involves
|
||
less overhead. Suggested by Motonori Nakamura.
|
||
Dynamically allocate the queue work list so that you don't lose
|
||
jobs in large queue runs. The old QUEUESIZE compile parameter
|
||
is replaced by QUEUESEGSIZE (the unit of allocation, which
|
||
should not need to be changed) and the MaxQueueRunSize option,
|
||
which is the absolute maximum number of jobs that will ever
|
||
be handled in a single queue run. Based on code contributed
|
||
by Brian Coan of the Institute for Global Communications.
|
||
Log message when a message is dropped because it exceeds the maximum
|
||
message size. Suggested by Leo Bicknell of Virginia Tech.
|
||
Allow trusted users (those on a T line or in $=t) to use -bs without
|
||
an X-Authentication-Warning: added. Suggested by Mark Thomas
|
||
of Mark G. Thomas Consulting.
|
||
Announce state of compile flags on -d0.1 (-d0.10 throws in the
|
||
OS-dependent defines). The old semantic of -d0.1 to not
|
||
run the daemon in background has been moved to -d99.100,
|
||
and the old 52.5 flag (to avoid disconnect() from closing
|
||
all output files) has been moved to 52.100. This makes
|
||
things more consistent (flags below .100 don't change
|
||
semantics) and separates out the backgrounding so that
|
||
it doesn't happen automatically on other unrelated debugging
|
||
flags.
|
||
If -t is used but no addresses are found in the header, give an
|
||
error message rather than just doing nothing. Fix from
|
||
Motonori Nakamura.
|
||
On systems (like SunOS) where the effective gid is not necessarily
|
||
included in the group list returned by getgroups(), the
|
||
`restrictmailq' option could sometimes cause an authorized
|
||
user to not be able to use `mailq'. Fix from Charles Hannum
|
||
of MIT.
|
||
Allow symbolic service names for [IPC] mailers. Suggested by
|
||
Gerry Magennis of Logica International.
|
||
Add DontExpandCnames option to prevent $[ ... $] from expanding CNAMEs
|
||
when running DNS. For example, if the name FTP.Foo.ORG is
|
||
a CNAME for Cruft.Foo.ORG, then when sitting on a machine in
|
||
the Foo.ORG domain a lookup of "FTP" returns "Cruft.Foo.ORG"
|
||
if this option is not set, or "FTP.Foo.ORG" if it is set.
|
||
This is technically illegal under RFC 822 and 1123, but the
|
||
IETF is moving toward legalizing it. Note that turning on
|
||
this option is not sufficient to guarantee that a downstream
|
||
neighbor won't rewrite the address for you.
|
||
Add "-m" flag to makesendmail script -- this tells you what object
|
||
directory and Makefile it will use, but doesn't actually do
|
||
the make.
|
||
Do some additional checking on the contents of the qf file to try
|
||
to detect attacks against the qf file. In particular,
|
||
abort on any line beginning "From ", and add an "end of
|
||
file" line -- any data after that line is prohibited.
|
||
Always use /etc/sendmail.cf, regardless of the arbitrary vendor
|
||
choices. This can be overridden in the Makefile by using
|
||
either -DUSE_VENDOR_CF_PATH to get the vendor location
|
||
(to the extent that we know it) or by defining
|
||
_PATH_SENDMAILCF (which is a "hard override"). This allows
|
||
sendmail 8 to have more consistent installation instructions.
|
||
Allow macros on `K' line in config file. Suggested by Andrew Chang
|
||
of Sun Microsystems.
|
||
Improved symbol table hash function from Eric Wassenaar. This one
|
||
is at least 50% faster.
|
||
Fix problem that didn't notice that timeout on file open was a
|
||
transient error. Fix from Larry Parmelee of Cornell
|
||
University.
|
||
Allow comments (lines beginning with a `#') in files read for
|
||
classes. Suggested by Motonori Nakamura.
|
||
Make SIGINT (usually ^C) in test mode return to the prompt instead
|
||
of dropping out entirely. This makes testing some of the
|
||
name server lookups easier to deal with when there are
|
||
hung servers. From Motonori Nakamura.
|
||
Add new ${opMode} macro that is set to the current operation mode
|
||
(e.g., `s' for -bs, `t' for -bt, etc.). Suggested by
|
||
Claude Marinier <MARINIER@emp.ewd.dreo.dnd.ca>.
|
||
Add new delivery mode (Odd) that defers all map lookups to queue runs.
|
||
Kind of like queue-only mode (Odq) except it tries to avoid
|
||
any external service requests; for dial-on-demand hosts that
|
||
want to minimize DNS lookups when mail is being queued. For
|
||
this to work you will also have to make sure that gethostbyname
|
||
of your local host name does not do a DNS lookup.
|
||
Improved handling of "out of space" conditions from John Myers of
|
||
Carnegie Mellon.
|
||
Improved security for mailing to files on systems that have fchmod(2)
|
||
support.
|
||
Improve "cannot send message for N days" message -- now says "could
|
||
not send for past N days". Suggested by Tom Moore of AT&T
|
||
Global Information Solutions.
|
||
Less misleading Subject: line on messages sent to postmaster only.
|
||
From Motonori Nakamura.
|
||
Avoid duplicate error messages on bad command line flags. From
|
||
Motonori Nakamura.
|
||
Better error message for case where ruleset 0 falls off the end
|
||
or otherwise does not resolve to a canonical triple.
|
||
Fix a problem that could cause multiple bounce messages if a bad
|
||
address was sent along with a good address to an SMTP
|
||
site where that SMTP site returned a 4yz code in response
|
||
to the final dot of the data. Problem reported by David
|
||
James of British Telecom.
|
||
Add "volatile" declarations so that gcc -O2 will work. Patches
|
||
from Alexander Dupuy of System Management ARTS.
|
||
Delete duplicates in MX lists -- believe it or not, there are sites
|
||
that list the same host twice in an MX list. This deletion
|
||
only works on adjacent preferences, so an MX list that
|
||
had A=5, B=10, A=15 would leave both As, but one that had
|
||
A=5, A=10, B=15 would reduce to A, B. This is intentional,
|
||
just in case there is something weird I haven't thought of.
|
||
Suggested by Barry Shein of Software Tool & Die.
|
||
SECURITY: .forward files cannot be symbolic links. If they are,
|
||
a bad guy can read your private files.
|
||
PORTABILITY FIXES:
|
||
Solaris 2 from Rob McMahon <cudcv@csv.warwick.ac.uk>.
|
||
System V Release 4 from Motonori Nakamura of Ritsumeikan
|
||
University. This expands the disk size
|
||
checking to include all (?) SVR4 configurations.
|
||
System V Release 4 from Kimmo Suominen -- initgroups(3)
|
||
and setrlimit(2) are both available.
|
||
System V Release 4 from sob@sculley.ffg.com -- some versions
|
||
apparently "have EX_OK defined in other headerfiles."
|
||
Linux Makefile typo.
|
||
Linux getusershell(3) is broken in Slackware 2.0 --
|
||
from Andrew Pam of Xanadu Australia.
|
||
More Linux tweaking from John Kennedy of California State
|
||
University, Chico.
|
||
Cray changes from Eric Wassenaar: ``On Cray, shorts,
|
||
ints, and longs are all 64 bits, and all structs
|
||
are multiples of 64 bits. This means that the
|
||
sizeof operator returns only multiples of 8.
|
||
This requires adaptation of code that really
|
||
deals with 32 bit or 16 bit fields, such as IP
|
||
addresses or nameserver fields.''
|
||
DG/UX 5.4.3 from Mark T. Robinson <mtr@ornl.gov>. To
|
||
get the old behavior, use -DDGUX_5_4_2.
|
||
DG/UX hack: add _FORCE_MAIL_LOCAL_=yes environment
|
||
variable to fix bogus /bin/mail behavior.
|
||
Tandem NonStop-UX from Rick McCarty <mccarty@mpd.tandem.com>.
|
||
This also cleans up some System V Release 4 compile
|
||
problems.
|
||
Solaris 2: sendmail.cw file should be in /etc/mail to
|
||
match all the other configuration files. Fix
|
||
from Glenn Barry of Emory University.
|
||
Solaris 2.3: compile problem in conf.c. Fix from Alain
|
||
Nissen of the University of Liege, Belgium.
|
||
Ultrix: freespace calculation was incorrect. Fix from
|
||
Takashi Kizu of Osaka University.
|
||
SVR4: running in background gets a SIGTTOU because the
|
||
emulation code doesn't realize that "getpeername"
|
||
doesn't require reading the file. Fix from Peter
|
||
Wemm of DIALix.
|
||
Solaris 2.3: due to an apparent bug in the socket emulation
|
||
library, sockets can get into a "wedged" state where
|
||
they just return EPROTO; closing and re-opening the
|
||
socket clears the problem. Fix from Bob Manson
|
||
of Ohio State University.
|
||
Hitachi 3050R & 3050RX running HI-UX/WE2: portability
|
||
fixes from Akihiro Hashimoto ("Hash") of Chiba
|
||
University.
|
||
AIX changes to allow setproctitle to work from Rainer Sch<63>pf
|
||
of Zentrum f<>r Datenverarbeitung der Universit<69>t
|
||
Mainz.
|
||
AIX changes for load average from Ed Ravin of NASA/Goddard.
|
||
SCO Unix from Chip Rosenthal of Unicom (code was using the
|
||
wrong statfs call).
|
||
ANSI C fixes from Adam Glass (NetBSD project).
|
||
Stardent Titan/ANSI C fixes from Kate Hedstrom of Rutgers
|
||
University.
|
||
DG-UX fixes from Bruce Nagel of Data General.
|
||
IRIX64 updates from Mark Levinson of the University of
|
||
Rochester Medical Center.
|
||
Altos System V (``the first UNIX/XENIX merge the Altos
|
||
did for their Series 1000 & Series 2000 line;
|
||
their merged code was licensed back to AT&T and
|
||
Microsoft and became System V release 3.2'') from
|
||
Tim Rice <timr@crl.com>.
|
||
OSF/1 running on Intel Paragon from Jeff A. Earickson
|
||
<jeff@ssd.intel.com> of Intel Scalable Systems
|
||
Division.
|
||
Amdahl UTS System V 2.1.5 (SVr3-based) from Janet Jackson
|
||
<janet@dialix.oz.au>.
|
||
System V Release 4 (statvfs semantic fix) from Alain
|
||
Durand of I.M.A.G.
|
||
HP-UX 10.x multiprocessor load average changes from
|
||
Scott Hutton and Jeff Sumler of Indiana University.
|
||
Cray CSOS from Scott Bolte of Cray Computer Corporation.
|
||
Unicos 8.0 from Douglas K. Rand of the University of North
|
||
Dakota, Scientific Computing Center.
|
||
Solaris 2.4 fixes from Sanjay Dani of Dani Communications.
|
||
ConvexOS 11.0 from Christophe Wolfhugel.
|
||
IRIX 4.0.5 from David Ashton-Reader of CADcentre.
|
||
ISC UNIX from J. J. Bailey.
|
||
HP-UX 9.xx on the 8xx series machines from Remy Giraud
|
||
of Meteo France.
|
||
HP-UX configuration from Tom Lane <tgl@sss.pgh.pa.us>.
|
||
IRIX 5.2 and 5.3 from Kari E. Hurtta.
|
||
FreeBSD 2.0 from Mike Hickey of Federal Data Corporation.
|
||
Sony NEWS-OS 4.2.1R and 6.0.3 from Motonori Nakamura.
|
||
Omron LUNA unios-b, mach from Motonori Nakamura.
|
||
NEC EWS-UX/V 4.2 from Motonori Nakamura.
|
||
NeXT 2.1 from Bryan Costales.
|
||
AUX patch thanks to Mike Erwin of Apple Computer.
|
||
HP-UX 10.0 from John Beck of Hewlett-Packard.
|
||
Ultrix: allow -DBROKEN_RES_SEARCH=0 if you are using a
|
||
non-DEC resolver. Suggested by Allan Johannesen.
|
||
UnixWare 2.0 fixes from Petr Lampa of the Technical
|
||
University of Brno (Czech Republic).
|
||
KSR OS 1.2.2 support from Todd Miller of the University
|
||
of Colorado.
|
||
UX4800 support from Kazuhisa Shimizu of NEC.
|
||
MAKEMAP: allow -d flag to allow insertion of duplicate aliases
|
||
in type ``btree'' maps. The semantics of this are undefined
|
||
for regular maps, but it can be useful for the user database.
|
||
MAKEMAP: lock database file while rebuilding to avoid sendmail
|
||
lookups while the rebuild is going on. There is a race
|
||
condition between the open(... O_TRUNC ...) and the lock
|
||
on the file, but it should be quite small.
|
||
SMRSH: sendmail restricted shell added to the release. This can
|
||
be used as an alternative to /bin/sh for the "prog" mailer,
|
||
giving the local administrator more control over what
|
||
programs can be run from sendmail.
|
||
MAIL.LOCAL: add this local mailer to the tape. It is not really
|
||
part of the release proper, and isn't fully supported; in
|
||
particular, it does not run on System V based systems and
|
||
never will.
|
||
CONTRIB: a patch to rmail.c from Bill Gianopoulos of Raytheon
|
||
to allow rmail to compile on systems that don't have
|
||
function prototypes and systems that don't have snprintf.
|
||
CONTRIB: add the "mailprio" scripts that will help you sort mailing
|
||
lists by transaction delay times so that addresses that
|
||
respond quickly get sent first. This is to prevent very
|
||
sluggish servers from delaying other peoples' mail.
|
||
Contributed by Tony Sanders of BSDI.
|
||
CONTRIB: add the "bsdi.mc" file as contributed by Tony Sanders
|
||
of BSDI. This has a lot of comments to help people out.
|
||
CONFIG: Don't have .mc files include(../m4/cf.m4) -- instead,
|
||
put this on the m4 command line. On GNU m4 (which
|
||
supports the __file__ primitive) you can run m4 in an
|
||
arbitrary directory -- use either:
|
||
m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf
|
||
or
|
||
m4 -I${CFDIR} m4/cf.m4 config.mc > config.cf
|
||
On other versions of m4 that don't support __file__, you
|
||
can use:
|
||
m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ...
|
||
(Note the trailing slash on the _CF_DIR_ definition.)
|
||
Old versions of m4 will default to _CF_DIR_=.. for back
|
||
compatibility.
|
||
CONFIG: fix mail from <> so it will properly convert to
|
||
MAILER-DAEMON on local addresses.
|
||
CONFIG: fix code that was supposed to catch colons in host
|
||
names. Problem noted by John Gardiner Myers of CMU.
|
||
CONFIG: allow use of SMTP_MAILER_MAX in nullclient configuration.
|
||
From Paul Riddle of the University of Maryland, Baltimore
|
||
County.
|
||
CONFIG: Catch and reject "." as a host address.
|
||
CONFIG: Generalize domaintable to look up all domains, not
|
||
just unqualified ones.
|
||
CONFIG: Delete OLD_SENDMAIL support -- as near as I can tell, it
|
||
was never used and didn't work anyway.
|
||
CONFIG: Set flags A, w, 5, :, /, |, and @ on the "local" mailer
|
||
and d on all mailers in the UUCP class.
|
||
CONFIG: Allow "user+detail" to be aliased specially: it will first
|
||
look for an alias for "user+detail", then for "user+*", and
|
||
finally for "user". This is intended for forwarding mail
|
||
for system aliases such as root and postmaster to a
|
||
centralized hub.
|
||
CONFIG: add confEIGHT_BIT_HANDLING to set option 8 (see above).
|
||
CONFIG: add smtp8 mailer; this has the F=8 (just-send-8) flag set.
|
||
The F=8 flag is also set on the "relay" mailer, since
|
||
this is expected to be another sendmail.
|
||
CONFIG: avoid qualifying all UUCP addresses sent via SMTP with
|
||
the name of the UUCP_RELAY -- in some cases, this is the
|
||
wrong value (e.g., when we have local UUCP connections),
|
||
and this can create unreplyable addresses. From Chip
|
||
Rosenthal of Unicom.
|
||
CONFIG: add confRECEIVED_HEADER to change the format of the
|
||
Received: header inserted into all messages. Suggested by
|
||
Gary Mills of the University of Manitoba.
|
||
CONFIG: Make "notsticky" the default; use FEATURE(stickyhost)
|
||
to get the old behavior. I did this upon observing
|
||
that almost everyone needed this feature, and that the
|
||
concept I was trying to make happen didn't work with
|
||
some user agents anyway. FEATURE(notsticky) still works,
|
||
but it is a no-op.
|
||
CONFIG: Add LUSER_RELAY -- the host to which unrecognized user
|
||
names are sent, rather than immediately diagnosing them
|
||
as User Unknown.
|
||
CONFIG: Add SMTP_MAILER_ARGS, ESMTP_MAILER_ARGS, SMTP8_MAILER_ARGS,
|
||
and RELAY_MAILER_ARGS to set the arguments for the
|
||
indicated mailers. All default to "IPC $h". Patch from
|
||
Larry Parmelee of Cornell University.
|
||
CONFIG: pop mailer needs F=n flag to avoid "annoying side effects
|
||
on the client side" and F=P to get an appropriate
|
||
return-path. From Kimmo Suominen.
|
||
CONFIG: add FEATURE(local_procmail) to use the procmail program
|
||
as the local mailer. For addresses of the form "user+detail"
|
||
the "detail" part is passed to procmail via the -a flag.
|
||
Contributed by Kimmo Suominen.
|
||
CONFIG: add MAILER(procmail) to add an interface to procmail for
|
||
use from mailertables. This lets you execute arbitrary
|
||
procmail scripts. Contributed by Kimmo Suominen.
|
||
CONFIG: add T= fields (MTS type) to local, smtp, and uucp mailers.
|
||
CONFIG: add OSTYPE(ptx2) for DYNIX/ptx 2.x from Sequent. From
|
||
Paul Southworth of CICNet Systems Support.
|
||
CONFIG: use -a$g as default to UUCP mailers, instead of -a$f.
|
||
This causes the null return path to be rewritten as
|
||
MAILER-DAEMON; otherwise UUCP gets horribly confused.
|
||
From Michael Hohmuth of Technische Universitat Dresden.
|
||
CONFIG: Add FEATURE(bestmx_is_local) to cause any hosts that
|
||
list us as the best possible MX record to be treated as
|
||
though they were local (essentially, assume that they
|
||
are included in $=w). This can cause additional DNS
|
||
traffic, but is easier to administer if this fits your
|
||
local model. It does not work reliably if there are
|
||
multiple hosts that share the best MX preference.
|
||
Code contributed by John Oleynick of Rutgers.
|
||
CONFIG: Add FEATURE(smrsh) to use smrsh (the SendMail Restricted
|
||
SHell) instead of /bin/sh as the program used for delivery
|
||
to programs. If an argument is included, it is used as
|
||
the path to smrsh; otherwise, /usr/local/etc/smrsh is
|
||
assumed.
|
||
CONFIG: Add LOCAL_MAILER_MAX and PROCMAILER_MAILER_MAX to limit the
|
||
size of messages to the local and procmail mailers
|
||
respectively. Contributed by Brad Knowles of the Defense
|
||
Information Systems Agency.
|
||
CONFIG: Handle leading ``phrase:'' and trailing ``;'' as comments
|
||
(just like text outside of angle brackets) in order to
|
||
properly deal with ``group: addr1, ... addrN;'' syntax.
|
||
CONFIG: Require OSTYPE macro (the defaults really don't apply to
|
||
any real systems any more) and tweak the DOMAIN macro
|
||
so that it is less likely that users will accidentally use
|
||
the Berkeley defaults. Also, create some generic files
|
||
that really can be used in the real world.
|
||
CONFIG: Add new configuration macros to set character sets for
|
||
messages _arriving from_ various mailers: LOCAL_MAILER_CHARSET,
|
||
SMTP_MAILER_CHARSET, and UUCP_MAILER_CHARSET.
|
||
CONFIG: Change UUCP_MAX_SIZE to UUCP_MAILER_MAX for consistency.
|
||
The old name will still be accepted for a while at least.
|
||
CONFIG: Implement DECNET_RELAY as spec for host to which DECNET
|
||
mail (.DECNET pseudo-domain or node::user) will be sent.
|
||
As with all relays, it can be ``mailer:hostname''. Suggested
|
||
by Scott Hutton.
|
||
CONFIG: Add MAILER(mail11) to get DECnet support. Code contributed
|
||
by Barb Dijker of Labyrinth Computer Services.
|
||
CONFIG: change confCHECK_ALIASES to default to False -- it has poor
|
||
performance for large alias files, and this confused many
|
||
people.
|
||
CONFIG: Add confCF_VERSION to append local information to the
|
||
configuration version number displayed during SMTP startup.
|
||
CONFIG: fix some.newsgroup.usenet@local.host syntax (previously it
|
||
would only work when locally addressed. Fix from
|
||
Edvard Tuinder of Cistron Internet Services.
|
||
CONFIG: use ${opMode} to avoid error on .REDIRECT addresses if option
|
||
"n" (CheckAliases) is set when rebuilding alias database.
|
||
Based on code contributed by Claude Marinier.
|
||
CONFIG: Allow mailertable to have values of the form
|
||
``error:code message''. The ``code'' is a status code
|
||
derived from the sysexits codes -- e.g., NOHOST or UNAVAILABLE.
|
||
Contributed by David James <dwj@agw.bt.co.uk>.
|
||
CONFIG: add MASQUERADE_DOMAIN(domain list) to extend the list of
|
||
sender domains that will be replaced with the masquerade name.
|
||
These domains will not be treated as local, but if mail passes
|
||
through with sender addresses in those domains they will be
|
||
replaced by the masquerade name. These can also be specified
|
||
in a file using MASQUERADE_DOMAIN_FILE(filename).
|
||
CONFIG: add FEATURE(masquerade_envelope) to masquerade the envelope
|
||
as well as the header. Substantial improvements to this
|
||
code were contributed by Per Hedeland.
|
||
CONFIG: add MAILER(phquery) to define a new "ph" mailer; this can be
|
||
accessed from a mailertable to do CCSO ph lookups. Contributed
|
||
by Kimmo Suominen.
|
||
CONFIG: add MAILER(cyrus) to define a new Cyrus mailer; this can be
|
||
used to define cyrus and cyrusbb mailers (for IMAP support).
|
||
Contributed by John Gardiner Myers of Carnegie Mellon.
|
||
CONFIG: add confUUCP_MAILER to select default mailer to use for
|
||
UUCP addressing. Suggested by Tom Moore of AT&T GIS.
|
||
NEW FILES:
|
||
cf/cf/cs-hpux10.mc
|
||
cf/cf/cs-solaris2.mc
|
||
cf/cf/cyrusproto.mc
|
||
cf/cf/generic-bsd4.4.mc
|
||
cf/cf/generic-hpux10.mc
|
||
cf/cf/generic-hpux9.mc
|
||
cf/cf/generic-osf1.mc
|
||
cf/cf/generic-solaris2.mc
|
||
cf/cf/generic-sunos4.1.mc
|
||
cf/cf/generic-ultrix4.mc
|
||
cf/cf/huginn.cs.mc
|
||
cf/domain/berkeley-only.m4
|
||
cf/domain/generic.m4
|
||
cf/feature/bestmx_is_local.m4
|
||
cf/feature/local_procmail.m4
|
||
cf/feature/masquerade_envelope.m4
|
||
cf/feature/smrsh.m4
|
||
cf/feature/stickyhost.m4
|
||
cf/feature/use_ct_file.m4
|
||
cf/m4/cfhead.m4
|
||
cf/mailer/cyrus.m4
|
||
cf/mailer/mail11.m4
|
||
cf/mailer/phquery.m4
|
||
cf/mailer/procmail.m4
|
||
cf/ostype/amdahl-uts.m4
|
||
cf/ostype/bsdi2.0.m4
|
||
cf/ostype/hpux10.m4
|
||
cf/ostype/irix5.m4
|
||
cf/ostype/isc4.1.m4
|
||
cf/ostype/ptx2.m4
|
||
cf/ostype/unknown.m4
|
||
contrib/bsdi.mc
|
||
contrib/mailprio
|
||
contrib/rmail.oldsys.patch
|
||
mail.local/mail.local.0
|
||
makemap/makemap.0
|
||
smrsh/README
|
||
smrsh/smrsh.0
|
||
smrsh/smrsh.8
|
||
smrsh/smrsh.c
|
||
src/Makefiles/Makefile.CSOS
|
||
src/Makefiles/Makefile.EWS-UX_V
|
||
src/Makefiles/Makefile.HP-UX.10
|
||
src/Makefiles/Makefile.IRIX.5.x
|
||
src/Makefiles/Makefile.IRIX64
|
||
src/Makefiles/Makefile.ISC
|
||
src/Makefiles/Makefile.KSR
|
||
src/Makefiles/Makefile.NEWS-OS.4.x
|
||
src/Makefiles/Makefile.NEWS-OS.6.x
|
||
src/Makefiles/Makefile.NEXTSTEP
|
||
src/Makefiles/Makefile.NonStop-UX
|
||
src/Makefiles/Makefile.Paragon
|
||
src/Makefiles/Makefile.SCO.3.2v4.2
|
||
src/Makefiles/Makefile.SunOS.5.3
|
||
src/Makefiles/Makefile.SunOS.5.4
|
||
src/Makefiles/Makefile.SunOS.5.5
|
||
src/Makefiles/Makefile.UNIX_SV.4.x.i386
|
||
src/Makefiles/Makefile.uts.systemV
|
||
src/Makefiles/Makefile.UX4800
|
||
src/aliases.0
|
||
src/mailq.0
|
||
src/mime.c
|
||
src/newaliases.0
|
||
src/sendmail.0
|
||
test/t_seteuid.c
|
||
RENAMED FILES:
|
||
cf/cf/alpha.mc => cf/cf/s2k-osf1.mc
|
||
cf/cf/chez.mc => cf/cf/chez.cs.mc
|
||
cf/cf/hpux-cs-exposed.mc => cf/cf/cs-hpux9.mc
|
||
cf/cf/osf1-cs-exposed.mc => cf/cf/cs-osf1.mc
|
||
cf/cf/s2k.mc => cf/cf/s2k-ultrix4.mc
|
||
cf/cf/sunos4.1-cs-exposed.mc => cf/cf/cs-sunos4.1.mc
|
||
cf/cf/ultrix4.1-cs-exposed.mc => cf/cf/cs-ultrix4.mc
|
||
cf/cf/vangogh.mc => cf/cf/vangogh.cs.mc
|
||
cf/domain/Berkeley.m4 => cf/domain/Berkeley.EDU.m4
|
||
cf/domain/cs-exposed.m4 => cf/domain/CS.Berkeley.EDU.m4
|
||
cf/domain/eecs-hidden.m4 => cf/domain/EECS.Berkeley.EDU.m4
|
||
cf/domain/s2k.m4 => cf/domain/S2K.Berkeley.EDU.m4
|
||
cf/ostype/hpux.m4 => cf/ostype/hpux9.m4
|
||
cf/ostype/irix.m4 => cf/ostype/irix4.m4
|
||
cf/ostype/ultrix4.1.m4 => cf/ostype/ultrix4.m4
|
||
src/Makefile.* => src/Makefiles/Makefile.*
|
||
src/Makefile.AUX => src/Makefiles/Makefile.A-UX
|
||
src/Makefile.BSDI => src/Makefiles/Makefile.BSD-OS
|
||
src/Makefile.DGUX => src/Makefiles/Makefile.dgux
|
||
src/Makefile.RISCos => src/Makefiles/Makefile.UMIPS
|
||
src/Makefile.SunOS.4.0.3 => src/Makefiles/Makefile.SunOS.4.0
|
||
OBSOLETED FILES:
|
||
cf/cf/cogsci.mc
|
||
cf/cf/cs-exposed.mc
|
||
cf/cf/cs-hidden.mc
|
||
cf/cf/hpux-cs-hidden.mc
|
||
cf/cf/knecht.mc
|
||
cf/cf/osf1-cs-hidden.mc
|
||
cf/cf/sunos3.5-cs-exposed.mc
|
||
cf/cf/sunos3.5-cs-hidden.mc
|
||
cf/cf/sunos4.1-cs-hidden.mc
|
||
cf/cf/ultrix4.1-cs-hidden.mc
|
||
cf/domain/cs-hidden.m4
|
||
contrib/rcpt-streaming
|
||
src/Makefiles/Makefile.SunOS.5.x
|
||
|
||
8.6.13/8.6.12 1996/01/25
|
||
SECURITY: In some cases it was still possible for an attacker to
|
||
insert newlines into a queue file, thus allowing access to
|
||
any user (except root).
|
||
CONFIG: no changes -- it is not a bug that the configuration
|
||
version number is unchanged.
|
||
|
||
8.6.12/8.6.12 1995/03/28
|
||
Fix to IDENT code (it was getting the size of the reply buffer
|
||
too small, so nothing was ever accepted). Fix from several
|
||
people, including Allan Johannesen, Shane Castle of the
|
||
Boulder County Information Services, and Jeff Smith of
|
||
Warwick University (all arrived within a few hours of
|
||
each other!).
|
||
Fix a problem that could cause large jobs to run out of
|
||
file descriptors on systems that use vfork() rather
|
||
than fork().
|
||
|
||
8.6.11/8.6.11 1995/03/08
|
||
The ``possible attack'' message would be logged more often
|
||
than necessary if you are using Pine as a user agent.
|
||
The wrong host would be reported in the ``possible attack''
|
||
message when attempted from IDENT.
|
||
In some cases the syslog buffer could be overflowed when
|
||
reporting the ``possible attack'' message. This can
|
||
cause denial of service attacks. Truncate the message
|
||
to 80 characters to prevent this problem.
|
||
When reading the IDENT response a loop is needed around the
|
||
read from the network to ensure that you don't get
|
||
partial lines.
|
||
Password entries without any shell listed (that is, a null
|
||
shell) wouldn't match as "ok". Problem noted by
|
||
Rob McMahon.
|
||
When running BIND 4.9.x a problem could occur because the
|
||
_res.options field is initialized differently than it
|
||
was historically -- this requires that sendmail call
|
||
res_init before it tweaks any bits.
|
||
Fix an incompatibility in openxscript() between the file open mode
|
||
and the stdio mode passed to fdopen. This caused UnixWare
|
||
2.0 to have conniptions. Fix from Martin Sohnius of
|
||
Novell Labs Europe.
|
||
Fix problem with static linking of local getopt routine when
|
||
using GNU's ld command. Fix from John Kennedy of
|
||
Cal State Chico.
|
||
It was possible to turn off privacy flags. Problem noted by
|
||
*Hobbit*.
|
||
Be more paranoid about writing files. Suggestions by *Hobbit*
|
||
and Liudvikas Bukys.
|
||
MAKEMAP: fixes for 64 bit machines (DEC Alphas in particular)
|
||
from Spider Boardman.
|
||
CONFIG: No changes (version number only, to keep it in sync
|
||
with the binaries).
|
||
|
||
8.6.10/8.6.10 1995/02/10
|
||
SECURITY: Diagnose bogus values to some command line flags that
|
||
could allow trash to get into headers and qf files.
|
||
Validate the name of the user returned by the IDENT protocol.
|
||
Some systems that really dislike IDENT send intentionally
|
||
bogus information. Problem pointed out by Michael Bushnell
|
||
of the Free Software Foundation. Has some security
|
||
implications.
|
||
Fix a problem causing error messages about DNS problems when
|
||
the host name contained a percent sign to act oddly
|
||
because it was passed as a printf-style format string.
|
||
In some cases this could cause core dumps.
|
||
Avoid possible buffer overrun in returntosender() if error
|
||
message is quite long. From Fletcher Mattox of the
|
||
University of Texas.
|
||
Fix a problem that would silently drop "too many hops" error
|
||
messages if and only if you were sending to an alias.
|
||
From Jon Giltner of the University of Colorado and
|
||
Dan Harton of Oak Ridge National Laboratory.
|
||
Fix a bug that caused core dumps on some systems if -d11.2 was
|
||
set and e->e_message was null. Fix from Bruce Nagel of
|
||
Data General.
|
||
Fix problem that can still cause df files to be left around
|
||
after "hop count exceeded" messages. Fix from Andrew
|
||
Chang and Shau-Ping Lo of SunSoft.
|
||
Fix a problem that can cause buffer overflows on very long
|
||
user names (as might occur if you piped to a program
|
||
with a lot of arguments).
|
||
Avoid returning an error and re-queueing if the host signature
|
||
is null; this can occur on addresses like ``user@.''.
|
||
Problem noted by Wesley Craig and the University of
|
||
Michigan.
|
||
Avoid possible calls to malloc(0) if MCI caching is turned
|
||
off. Bug fix from Pierre David of the Laboratoire
|
||
Parallelisme, Reseaux, Systemes et Modelisation (PRiSM),
|
||
Universite de Versailles - St Quentin, and Jacky
|
||
Thibault.
|
||
Make a local copy of the line being sent via senttolist() -- in
|
||
some cases, buffers could get trashed by map lookups
|
||
causing it to do unexpected things. This also simplifies
|
||
some of the map code.
|
||
CONFIG: No changes (version number only, to keep it in sync
|
||
with the binaries).
|
||
|
||
8.6.9/8.6.9 1994/04/19
|
||
Do all mail delivery completely disconnected from any terminal.
|
||
This provides consistency with daemon delivery and
|
||
may have some security implications.
|
||
Make sure that malloc doesn't get called with zero size,
|
||
since that fails on some systems. Reported by Ed
|
||
Hill of the University of Iowa.
|
||
Fix multi-line values for $e (SMTP greeting message). Reported
|
||
by Mike O'Connor of Ford Motor Company.
|
||
Avoid syserr if no NIS domain name is defined, but the map it
|
||
is trying to open is optional. From Win Bent of USC.
|
||
Changes for picky compilers from Ed Gould of Digital Equipment.
|
||
Hesiod support for UDB from Todd Miller of the University of
|
||
Colorado. Use "hesiod" as the service name in the U
|
||
option.
|
||
Fix a problem that failed to set the "authentic" host name (that
|
||
is, the one derived from the socket info) if you called
|
||
sendmail -bs from inetd. Based on code contributed by
|
||
Todd Miller (this problem was also reported by Guy Helmer
|
||
of Dakota State University). This also fixes a related
|
||
problem reported by Liudvikas Bukys of the University of
|
||
Rochester.
|
||
Parameterize "nroff -h" in all the Makefiles so people with
|
||
variant versions can use them easily. Suggested by
|
||
Peter Collinson of Hillside Systems.
|
||
SMTP "MAIL" commands with multiple ESMTP parameters required two
|
||
spaces between parameters instead of one. Reported by
|
||
Valdis Kletnieks of Virginia Tech.
|
||
Reduce the number of system calls during message collection by
|
||
using global timeouts around the collect() loop. This
|
||
code was contributed by Eric Wassenaar.
|
||
If the initial hostname name gathering results in a name
|
||
without a dot (usually caused by NIS misconfiguration)
|
||
and BIND is compiled in, directly access DNS to get
|
||
the canonical name. This should make life easier for
|
||
Solaris systems. If it still can't be resolved, and
|
||
if the name server is listed as "required", try again
|
||
in 30 seconds. If that also fails, exit immediately to
|
||
avoid bogus "config error: mail loops back to myself"
|
||
messages.
|
||
Improve the "MAIL DELETED BECAUSE OF LACK OF DISK SPACE" error
|
||
message to explain how much space was available and
|
||
sound a bit less threatening. Suggested by Stan Janet
|
||
of the National Institute of Standards and Technology.
|
||
If mail is delivered to an alias that has an owner, deliver any
|
||
requested return-receipt immediately, and strip the
|
||
Return-Receipt-To: header from the subsequent message.
|
||
This prevents a certain class of denial of service
|
||
attack, arguably gives more reasonable semantics, and
|
||
moves things more towards what will probably become a
|
||
network standard. Suggested by Christopher Davis of
|
||
Kapor Enterprises.
|
||
Add a "noreceipts" privacy flag to turn off all return receipts
|
||
without recompiling.
|
||
Avoid printing ESMTP parameters as part of the error message
|
||
if there are errors during parsing. This change is
|
||
purely cosmetic.
|
||
Avoid sending out error messages during the collect phase of
|
||
SMTP; there is an MVS mailer from UCLA that gets
|
||
confused by this. Of course, I think it's their bug....
|
||
Check for the $j macro getting undefined, losing a dot, or getting
|
||
lost from $=w in the daemon before accepting a connection;
|
||
if it is, it dumps state, prints a LOG_ALERT message,
|
||
and drops core for debugging. This is an attempt to
|
||
track down a bug that I thought was long since gone.
|
||
If you see this, please forward the log fragment to
|
||
sendmail@sendmail.ORG.
|
||
Change OLD_NEWDB from a #ifdef to a #if so it can be turned off
|
||
with -DOLD_NEWDB=0 on the command line. From Christophe
|
||
Wolfhugel.
|
||
Instead of trying to truncate the listen queue for the server
|
||
SMTP port when the load average is too high, just close
|
||
the port completely and reopen it later as needed.
|
||
This ensures that the other end gets a quick "connection
|
||
refused" response, and that the connection can be
|
||
recovered later. In particular, some socket emulations
|
||
seem to get confused if you tweak the listen queue
|
||
size around and can never start listening to connections
|
||
again. The down side is that someone could start up
|
||
another daemon process in the interim, so you could
|
||
have multiple daemons all not listening to connections;
|
||
this could in turn cause the sendmail.pid file to be
|
||
incorrect. A better approach might be to accept the
|
||
connection and give a 421 code, but that could break
|
||
other mailers in mysterious ways and have paging behavior
|
||
implications.
|
||
Fix a glitch in TCP-level debugging that caused flag 16.101 to
|
||
set debugging on the wrong socket. From Eric Wassenaar.
|
||
When creating a df* temporary file, be sure you truncate any
|
||
existing data in the file -- otherwise system crashes
|
||
and the like could result in extra data being sent.
|
||
DOC: Replace the CHANGES-R5-R8 readme file with a paper in the
|
||
doc directory. This includes some additional
|
||
information.
|
||
CONFIG: change UUCP rules to never add $U! or $k! on the front
|
||
of recipient envelope addresses. This should have been
|
||
handled by the $&h trick, but broke if people were
|
||
mixing domainized and UUCP addresses. They should
|
||
probably have converted all the way over to uucp-uudom
|
||
instead of uucp-{new,old}, but the failure mode was to
|
||
loop the mail, which was bad news.
|
||
Portability fixes:
|
||
Newer BSDI systems (several people).
|
||
Older BSDI systems from Christophe Wolfhugel.
|
||
Intergraph CLIX, from Paul Southworth of CICNet.
|
||
UnixWare, from Evan Champion.
|
||
NetBSD from Adam Glass.
|
||
Solaris from Quentin Campbell of the University of
|
||
Newcastle upon Tyne.
|
||
IRIX from Dean Cookson and Bill Driscoll of Mitre
|
||
Corporation.
|
||
NCR 3000 from Kevin Darcy of Chrysler Financial Corporation.
|
||
SunOS (it has setsid() and setvbuf() calls) from
|
||
Jonathan Kamens of OpenVision Technologies.
|
||
HP-UX from Tor Lillqvist.
|
||
New Files:
|
||
src/Makefile.CLIX
|
||
src/Makefile.NCR3000
|
||
doc/changes/Makefile
|
||
doc/changes/changes.me
|
||
doc/changes/changes.ps
|
||
|
||
8.6.8/8.6.6 1994/03/21
|
||
SECURITY: it was possible to read any file as root using the
|
||
E (error message) option. Reported by Richard Jones;
|
||
fixed by Michael Corrigan and Christophe Wolfhugel.
|
||
|
||
8.6.7/8.6.6 1994/03/14
|
||
SECURITY: it was possible to get root access by using weird
|
||
values to the -d flag. Thanks to Alain Durand of
|
||
INRIA for forwarding me the notice from the bugtraq
|
||
list.
|
||
|
||
8.6.6/8.6.6 1994/03/13
|
||
SECURITY: the ability to give files away on System V-based
|
||
systems proved dangerous -- don't run as the owner
|
||
of a :include: file on a system that allows giveaways.
|
||
Unfortunately, this also applies to determining a
|
||
valid shell.
|
||
IMPORTANT: Previous versions weren't expiring old connections
|
||
in the connection cache for a long time under some
|
||
circumstances. This could result in resource exhaustion,
|
||
both at your end and at the other end. This checks the
|
||
connections for timeouts much more frequently. From
|
||
Doug Anderson of NCSC.
|
||
Fix a glitch that snuck in that caused programs to be run as
|
||
the sender instead of the recipient if the mail was
|
||
from a local user to another local user. From
|
||
Motonori Nakamura of Kyoto University.
|
||
Fix "wildcard" on /etc/shells matching -- instead of looking
|
||
for "*", look for "/SENDMAIL/ANY/SHELL/". From
|
||
Bryan Costales of ICSI.
|
||
Change the method used to declare the "statfs" availability;
|
||
instead of HASSTATFS and/or HASUSTAT with a ton of
|
||
tweaking in conf.c, there is a single #define called
|
||
SFS_TYPE which takes on one of six values (SFS_NONE
|
||
for no statfs availability, SFS_USTAT for the ustat(2)
|
||
syscall, SFS_4ARGS for a four argument statfs(2) call,
|
||
and SFS_VFS, SFS_MOUNT, or SFS_STATFS for a two argument
|
||
statfs(2) call with the declarations in <sys/vfs.h>,
|
||
<sys/mount.h>, or <sys/statfs.h> respectively).
|
||
Fix glitch in NetInfo support that could return garbage if
|
||
there was no "/locations/sendmail" property. From
|
||
David Meyer of the University of Virginia.
|
||
Change HASFLOCK from defined/not-defined to a 0/1 definition
|
||
to allow Linux to turn it off even though it is a
|
||
BSD-like system.
|
||
Allow setting of "ident" timeout to zero to turn off the ident
|
||
protocol entirely.
|
||
Make 7-bit stripping local to a connection (instead of to a
|
||
mailer); this allows you to specify that SMTP is a
|
||
7-bit channel, but revert to 8-bit should it advertise
|
||
that it supports 8BITMIME. You still have to specify
|
||
mailer flag 7 to get this stripping at all.
|
||
Improve makesendmail script so it handles more cases automatically.
|
||
Tighten up restrictions on taking ownership of :include: files
|
||
to avoid problems on systems that allow you to give away
|
||
files.
|
||
Fix a problem that made it impossible to rebuild the alias
|
||
file if it was on a read-only file system. From
|
||
Harry Edmon of the University of Washington.
|
||
Improve MX randomization function. From John Gardiner Myers
|
||
of CMU.
|
||
Fix a minor glitch causing a bogus message to be printed (used
|
||
%s instead of %d in a printf string for the line number)
|
||
when a bad queue file was read. From Harry Edmon.
|
||
Allow $s to remain NULL on locally generated mail. I'm not
|
||
sure this is necessary, but a lot of people have complained
|
||
about it, and there is a legitimate question as to whether
|
||
"localhost" is legal as an 822-style domain.
|
||
Fix a problem with very short line lengths (mailer L= flag) in
|
||
headers. This causes a leading space to be added onto
|
||
continuation lines (including in the body!), and also
|
||
tries to wrap headers containing addresses (From:, To:,
|
||
etc) intelligently at the shorter line lengths. Problem
|
||
Reported by Lars-Johan Liman of SUNET Operations Center.
|
||
Log the real user name when logging syserrs, since these can have
|
||
security implications. Suggested by several people.
|
||
Fix address logging of cached connections -- it used to always
|
||
log the numeric address as zero. This is a somewhat
|
||
bogus implementation in that it does an extra system
|
||
call, but it should be an inexpensive one. Fix from
|
||
Motonori Nakamura.
|
||
Tighten up handling of short syslog buffers even more -- there
|
||
were cases where the outgoing relay= name was too long
|
||
to share a line with delay= and mailer= logging.
|
||
Limit the overhead on split envelopes to one open file descriptor
|
||
per envelope -- previously the overhead was three
|
||
descriptors. This was in response to a problem reported
|
||
by P{r (Pell) Emanuelsson.
|
||
Fixes to better handle the case of unexpected connection closes;
|
||
this redirects the output to the transcript so the info
|
||
is not lost. From Eric Wassenaar.
|
||
Fix potential string overrun if you macro evaluate a string that
|
||
has a naked $ at the end. Problem noted by James Matheson
|
||
<jmrm@eng.cam.ac.uk>.
|
||
Make default error number on $#error messages 553 (``Requested
|
||
action not taken: mailbox name not allowed'') instead of
|
||
501 (``Syntax error in parameters or arguments'') to
|
||
avoid bogus "protocol error" messages.
|
||
Strip off any existing trailing dot on names during $[ ... $]
|
||
lookup. This prevents it from ending up with two dots
|
||
on the end of dot terminated names. From Wesley Craig
|
||
of the University of Michigan and Bryan Costales of ICSI.
|
||
Clean up file class reading so that the debugging information is
|
||
more informative. It hadn't been using setclass, so you
|
||
didn't see the class items being added.
|
||
Avoid core dump if you are running a version of sendmail where
|
||
NIS is compiled in, and you specify an NIS map, but
|
||
NIS is not running. Fix from John Oleynick of
|
||
Rutgers.
|
||
Diagnose bizarre case where res_search returns a failure value,
|
||
but sets h_errno to a success value.
|
||
Make sure that "too many hops" messages are considered important
|
||
enough to send an error to the Postmaster (that is, the
|
||
address specified in the P option). This fix should
|
||
help problems that cause the df file to be left around
|
||
sometimes -- unfortunately, I can't seem to reproduce
|
||
the problem myself.
|
||
Avoid core dump (null pointer reference) on EXPN command; this
|
||
only occurred if your log level was set to 10 or higher
|
||
and the target account was an alias or had a .forward file.
|
||
Problem noted by Janne Himanka.
|
||
Avoid "denial of service" attacks by someone who is flooding your
|
||
SMTP port with bad commands by shutting the connection
|
||
after 25 bad commands are issued. From Kyle Jones of
|
||
UUNET.
|
||
Fix core dump on error messages with very long "to" buffers;
|
||
fmtmsg overflows the message buffer. Fixed by trimming
|
||
the to address to 203 characters. Problem reported by
|
||
John Oleynick.
|
||
Fix configuration for HASFLOCK -- there were some spots where
|
||
a #ifndef was incorrectly #ifdef. Pointed out by
|
||
George Baltz of the University of Maryland.
|
||
Fix a typo in savemail() that could cause the error message To:
|
||
lists to be incorrect in some places. From Motonori
|
||
Nakamura.
|
||
Fix a glitch that can cause duplicate error messages on split
|
||
envelopes where an address on one of the lists has a
|
||
name server failure. Fix from Voradesh Yenbut of the
|
||
University of Washington.
|
||
Fix possible bogus pointer reference on ESMTP parameters that
|
||
don't have an ``=value'' part.
|
||
CNAME loops caused an error message to be generated, but also
|
||
re-queued the message. Changed to just re-queue the
|
||
message (it's really hard to just bounce it because
|
||
of the weird way the name server works in the presence
|
||
of CNAME loops). Problem noted by James M.R.Matheson
|
||
of Cambridge University.
|
||
Avoid giving ``warning: foo owned process doing -bs'' messages
|
||
if they use ``MAIL FROM:<foo>'' where foo is their true
|
||
user name. Suggested by Andreas Stolcke of ICSI.
|
||
Change the NAMED_BIND compile flag to be a 0/1 flag so you can
|
||
override it easily in the Makefile -- that is, you can
|
||
turn it off using -DNAMED_BIND=0.
|
||
If a gethostbyname(...) of an address with a trailing dot fails,
|
||
try it without the trailing dot. This is because if
|
||
you have a version of gethostbyname() that falls back
|
||
to NIS or the /etc/hosts file it will fail to find
|
||
perfectly reasonable names that just don't happen to
|
||
be dot terminated in the hosts file. You don't want to
|
||
strip the dot first though because we're trying to ensure
|
||
that country names that match one of your subdomains get
|
||
a chance.
|
||
PRALIASES: fix bogus output on non-null-terminated strings.
|
||
From Bill Gianopoulos of Raytheon.
|
||
CONFIG: Avoid rewriting anything that matches $w to be $j.
|
||
This was in code intended to only catch the self-literal
|
||
address (that is, [1.2.3.4], where 1.2.3.4 is your
|
||
IP address), but the code was broken. However, it will
|
||
still do this if $M is defined; this is necessary to
|
||
get client configurations to work (sigh). Note that this
|
||
means that $M overrides :mailname entries in the user
|
||
database! Problem noted by Paul Southworth.
|
||
CONFIG: Fix definition of Solaris help file location. From
|
||
Steve Cliffe <steve@gorgon.cs.uow.edu.au>.
|
||
CONFIG: Fix bug that broke news.group.USENET mappings.
|
||
CONFIG: Allow declaration of SMTP_MAILER_MAX, FAX_MAILER_MAX,
|
||
and USENET_MAILER_MAX to tweak the maximum message
|
||
size for various mailers.
|
||
CONFIG: Change definition of USENET_MAILER_ARGS to include argv[0]
|
||
instead of assuming that it is "inews" for consistency
|
||
with other mailers. From Michael Corrigan of UC San Diego.
|
||
CONFIG: When mail is forwarded to a LOCAL_RELAY or a MAIL_HUB,
|
||
qualify the address in the SMTP envelope as user@{relay|hub}
|
||
instead of user@$j. From Bill Wisner of The Well.
|
||
CONFIG: Fix route-addr syntax in nullrelay configuration set.
|
||
CONFIG: Don't turn off case mapping of user names in the local
|
||
mailer for IRIX. This was different than most every other
|
||
system.
|
||
CONFIG: Avoid infinite loops on certainly list:; syntaxes in
|
||
envelope. Noted by Thierry Besancon
|
||
<besancon@excalibur.ens.fr>.
|
||
CONFIG: Don't include -z by default on uux line -- most systems
|
||
don't want it set by default. Pointed out by Philippe
|
||
Michel of Thomson CSF.
|
||
CONFIG: Fix some bugs with mailertables -- for example, if your
|
||
host name was foo.bar.ray.com and you matched against
|
||
".ray.com", the old implementation bound %1 to "bar"
|
||
instead of "foo.bar". Also, allow "." in the mailertable
|
||
to match anything -- essentially, take over SMART_HOST.
|
||
This also moves matching of explicit local host names
|
||
before the mailertable so they don't have to be special
|
||
cased in the mailertable data. Reported by Bill
|
||
Gianopoulos of Raytheon; the fix for the %1 binding
|
||
problem was contributed by Nicholas Comanos of the
|
||
University of Sydney.
|
||
CONFIG: Don't include "root" in class $=L (users to deliver
|
||
locally, even if a hub or relay exists) by default.
|
||
This is because of the known bug where definition of
|
||
both a LOCAL_RELAY and a MAIL_HUB causes $=L to ignore
|
||
both and deliver into the local mailbox.
|
||
CONFIG: Move up bitdomain and uudomain handling so that they
|
||
are done before .UUCP class matching; uudomain was
|
||
reported as ineffective before. This also frees up
|
||
diversion 8 for future use. Problem reported by Kimmo
|
||
Suominen.
|
||
CONFIG: Don't try to convert dotted IP address (e.g., [1.2.3.4])
|
||
into host names. As pointed out by Jonathan Kamens,
|
||
these are often used because either the forward or reverse
|
||
mapping is broken; this translation makes it broken again.
|
||
DOC: Clarify $@ and $: in the Install & Op Guide. From Kimmo
|
||
Suominen.
|
||
Portability fixes:
|
||
Unicos from David L. Kensiski of Sterling Software.
|
||
DomainOS from Don Lewis of Silicon Systems.
|
||
GNU m4 1.0.3 from Karst Koymans of Utrecht University.
|
||
Convex from Kimmo Suominen <kim@tac.nyc.ny.us>.
|
||
NetBSD from Adam Glass <glass@sun-lamp.cs.berkeley.edu>.
|
||
BSD/386 from Tony Sanders of BSDI.
|
||
Apollo from Eric Wassenaar.
|
||
DGUX from Doug Anderson.
|
||
Sequent DYNIX/ptx 2.0 from Tim Wright of Sequent.
|
||
NEW FILES:
|
||
src/Makefile.DomainOS
|
||
src/Makefile.PTX
|
||
src/Makefile.SunOS.5.1
|
||
src/Makefile.SunOS.5.2
|
||
src/Makefile.SunOS.5.x
|
||
src/mailq.1
|
||
cf/ostype/domainos.m4
|
||
doc/op/Makefile
|
||
doc/intro/Makefile
|
||
doc/usenix/Makefile
|
||
|
||
8.6.5/8.6.5 1994/01/13
|
||
Security fix: /.forward could be owned by anyone (the test
|
||
to allow root to own any file was backwards). From
|
||
Bob Campbell at U.C. Berkeley.
|
||
Security fix: group ids were not completely set when programs
|
||
were invoked. This caused programs to have group
|
||
permissions they should not have had (usually group
|
||
daemon instead of their own group). In particular,
|
||
Perl scripts would refuse to run.
|
||
Security: check to make sure files that are written are not
|
||
symbolic links (at least under some circumstances).
|
||
Although this does not respond to a specific known
|
||
attack, it's just a good idea. Suggested by
|
||
Christian Wettergren.
|
||
Security fix: if a user had an NFS mounted home directory on
|
||
a system with a restricted shell listed in their
|
||
/etc/passwd entry, they could still execute any
|
||
program by putting that in their .forward file.
|
||
This fix prevents that by insisting that their shell
|
||
appear in /etc/shells before allowing a .forward to
|
||
execute a program or write a file. You can disable
|
||
this by putting "*" in /etc/shells. It also won't
|
||
permit world-writable :include: files to reference
|
||
programs or files (there's no way to disable this).
|
||
These behaviors are only one level deep -- for
|
||
example, it is legal for a world-writable :include:
|
||
file to reference an alias that writes a file, on
|
||
the assumption that the alias file is well controlled.
|
||
Security fix: root was not treated suspiciously enough when
|
||
looking into subdirectories. This would potentially
|
||
allow a cracker to examine files that were publicly
|
||
readable but in a non-publicly searchable directory.
|
||
Fix a problem that causes an error on QUIT on a cached
|
||
connection to create problems on the current job.
|
||
These are typically unrelated, so errors occur in
|
||
the wrong place.
|
||
Reset CurrentLA in sendall() -- this makes sendmail queue
|
||
runs more responsive to load average, and fixes a
|
||
problem that ignored the load average in locally
|
||
generated mail. From Eric Wassenaar.
|
||
Fix possible core dump on aliases with null LHS. From
|
||
John Orthoefer of BB&N.
|
||
Revert to using flock() whenever possible -- there are just
|
||
too many bugs in fcntl() locking, particularly over
|
||
NFS, that cause sendmail to fail in perverse ways.
|
||
Fix a bug that causes the connection cache to get confused
|
||
when sending error messages. This resulted in
|
||
"unexpected close" messages. It should fix itself
|
||
on the following queue run. Problem noted by
|
||
Liudvikas Bukys of the University of Rochester.
|
||
Include $k in $=k as documented in the Install & Op Guide.
|
||
This seems odd, but it was documented.... From
|
||
Michael Corrigan of UCSD.
|
||
Fix problem that caused :include:s from alias files to be
|
||
forced to be owned by root instead of daemon
|
||
(actually DefUid). From Tim Irvin.
|
||
Diagnose unrecognized I option values -- from Mortin Forssen
|
||
of the Chalmers University of Technology.
|
||
Make "error" mailer work consistently when there is no error
|
||
code associated with it -- previously it returned OK
|
||
even though there was a real problem. Now it assumes
|
||
EX_UNAVAILABLE.
|
||
Fix bug that caused the last header line of messages that had
|
||
no body and which were terminated with EOF instead of
|
||
"." to be discarded. Problem noted by Liudvikas Bukys.
|
||
Fix core dump on SMTP mail to programs that failed -- it tried
|
||
to go to a "next MX host" when none existed, causing
|
||
a core dump. From der Mouse at McGill University.
|
||
Change IDENTPROTO from a defined/not defined to a 0/1 switch;
|
||
this makes it easier to turn it off (using
|
||
-DIDENTPROTO=0 in the Makefile). From der Mouse.
|
||
Fix YP_MASTER_NAME store to use the unupdated result of
|
||
gethostname() (instead of myhostname(), which tries
|
||
to fully qualify the name) to be consistent with
|
||
SunOS. If your hostname is unqualified, this fixes
|
||
transfers to secondary servers. Bug noted by Keith
|
||
McMillan of Ameritech Services, Inc.
|
||
Fix Ultrix problem: gethostbyname() can return a very large
|
||
(> 500) h_length field, which causes the sockaddr
|
||
to be trashed. Use the size of the sockaddr instead.
|
||
Fix from Bob Manson of Ohio State.
|
||
Don't assume "-a." on host lookups if NAMED_BIND is not
|
||
defined -- this confuses gethostbyname on hosts
|
||
file lookups, which doesn't understand the trailing
|
||
dot convention.
|
||
Log SMTP server subprocesses that die with a signal instead
|
||
of from a clean exit.
|
||
If you don't have option "I" set, don't assume that a DNS
|
||
"host unknown" message is authoritative -- it
|
||
might still be found in /etc/hosts.
|
||
Fix a problem that would cause Deferred: messages to be sent
|
||
as the subject of an error message, even though the
|
||
actual cause of a message was more severe than that.
|
||
Problem noted by Chris Seabrook of OSSI.
|
||
Fix race condition in DBM alias file locking. From Kyle
|
||
Jones of UUNET.
|
||
Limit delivery syslog line length to avoid bugs in some
|
||
versions of syslog(3). This adds a new compile time
|
||
variable SYSLOG_BUFSIZE. From Jay Plett of Princeton
|
||
University, which is in turn derived from IDA.
|
||
Fix quotes inside of comments in addresses -- previously
|
||
it insisted that they be balanced, but the 822 spec
|
||
says that they should be ignored.
|
||
Dump open file state to syslog upon receiving SIGUSR1 (for
|
||
debugging). This also evaluates ruleset 89, if set
|
||
(with the null input), and logs the result. This
|
||
should be used sparingly, since the rewrite process
|
||
is not reentrant.
|
||
Change -qI, -qR, and -qS flags to be case-insensitive as
|
||
documented in the Bat Book.
|
||
If the mailer returned EX_IOERR or EX_OSERR, sendmail did not
|
||
return an error message and did not requeue the message.
|
||
Fix based on code from Roland Dirlewanger of
|
||
Reseau Regional Aquarel, Bordeaux, France.
|
||
Fix a problem that caused a seg fault if you got a 421 error
|
||
code during some parts of connection initialization.
|
||
I've only seen this when talking to buggy mailers on
|
||
the other end, but it shouldn't give a seg fault in
|
||
any case. From Amir Plivatsky.
|
||
Fix core dump caused by a ruleset call that returns null.
|
||
Fix from Bryan Costales of ICSI.
|
||
Full-Name: field was being ignored. Fix from Motonori Nakamura
|
||
of Kyoto University.
|
||
Fix a possible problem with very long input lines in setproctitle.
|
||
From P{r Emanuelsson.
|
||
Avoid putting "This is a warning message" out on return receipts.
|
||
Suggested by Douglas Anderson.
|
||
Detect loops caused by recursive ruleset calls. Suggested by
|
||
Bryan Costales.
|
||
Initialize non-alias maps during alias rebuilds -- they may be
|
||
needed for parsing. Problem noted by Douglas Anderson.
|
||
Log sender address even if no message was collected in SMTP
|
||
(e.g., if all RCPTs failed). Suggested by Motonori
|
||
Nakamura.
|
||
Don't reflect the owner-list contents into the envelope sender
|
||
address if the value contains ", :, /, or | (to avoid
|
||
illegal addresses appearing there).
|
||
Efficiency hack for toktype macro -- from Craig Partridge of
|
||
BB&N.
|
||
Clean up DNS error printing so that a host name is always
|
||
included.
|
||
Remember to set $i during queue runs. Reported by Stephen
|
||
Campbell of Dartmouth University.
|
||
If the environment variable HOSTALIASES is set, use it during
|
||
canonification as the name of a file with per-user host
|
||
translations so that headers are properly mapped. Reported
|
||
by Anne Bennett of Concordia University.
|
||
Avoid printing misleading error message if SMTP mailer (not
|
||
using [IPC]) should die on a core dump.
|
||
Avoid incorrect diagnosis of "file 1 closed" when it is caused
|
||
by the other end closing the connection. From
|
||
Dave Morrison of Oracle.
|
||
Improve several of the error messages printed by "mailq"
|
||
to include a host name or other useful information.
|
||
Add NetInfo preliminary support for NeXT systems. From Vince
|
||
DeMarco.
|
||
Fix a glitch that sometimes caused :include:s that pointed to
|
||
NFS filesystems that were down to give an "aliasing/
|
||
forwarding loop broken" message instead of queueing
|
||
the message for retry. Noted by William C Fenner of
|
||
the NRL Connection Machine Facility.
|
||
Fix a problem that could cause a core dump if the input sequence
|
||
had (or somehow acquired) a \231 character.
|
||
Make sure that route-addrs always have <angle brackets> around
|
||
them in non-SMTP envelopes (SMTP envelopes already do
|
||
this properly).
|
||
Avoid weird headers on unbalanced punctuation of the form:
|
||
``Joe User <user)'' -- this caused reference to the
|
||
null macro. Fix from Rick McCarty of IO.COM.
|
||
Fix a problem that caused an alias "user: user@local.host" to
|
||
not have the QNOTREMOTE bit set; this caused configs
|
||
to act as if FEATURE(notsticky) was defined even when
|
||
it was not. The effect of the problem was to make it
|
||
very hard to to set up satellite sites that had a few
|
||
local accounts, with everything else forwarded to a
|
||
corporate hub. Reported by Detlef Drewanz of the
|
||
University of Rostock and Mark Frost of NCD.
|
||
Change queuing to not call rulesets 3, {1 or 2}, 4 on header
|
||
addresses. This is more efficient (fewer name server
|
||
calls) and fixes certain unusual configurations, such
|
||
as those that have ruleset 4 do something that is
|
||
non-idempotent unless a mailer-specific ruleset did
|
||
something else. Problem reported by Brian J. Coan
|
||
of the Institute for Global Communications.
|
||
Fix the "obsolete argument" routine in main to better understand
|
||
new arguments. For example, if you used ``sendmail
|
||
-C config -v -q'' it would choke on the -q because
|
||
the -C would stop looking for old-format arguments.
|
||
Fix the code that was intended to allow two users to forward their
|
||
mail to the same program and have them appear unique.
|
||
Portability fixes for:
|
||
SCO UNIX from Murray Kucherawy.
|
||
SCO Open Server 3.2v4 from Philippe Brand.
|
||
System V Release 4 from Rick Ellis and others.
|
||
OSF/1 from Steve Campbell.
|
||
DG/UX from Ben Mesander of the USGS and Bryan Curnutt
|
||
of Stoner Associates.
|
||
Motorola SysV88 from Kevin Johnson of Motorola.
|
||
Solaris 2.3 from Casper H.S. Dik of the University
|
||
of Amsterdam and John Caruso of University
|
||
of Maryland.
|
||
FreeBSD from Ollivier Robert.
|
||
NetBSD from Adam Glass.
|
||
TitanOS from Kate Hedstrom of Rutgers University.
|
||
Irix from Bryan Curnutt.
|
||
Dynix from Jim Davis of the University of Arizona.
|
||
RISC/os.
|
||
Linux from John Kennedy of California State University
|
||
at Chico.
|
||
Solaris 2.x from Tony Boner of the U.S. Air Force.
|
||
NEXTSTEP 3.x from Vince DeMarco.
|
||
HP-UX from various people. NOTA BENE: the location
|
||
of the config file has moved to /usr/lib
|
||
to match the HP-UX version of sendmail.
|
||
CONFIG: Don't do any recipient rewriting on relay mailer;
|
||
since this is intended only for internal use, the
|
||
usual RFC 821/822/1123 rules can be relaxed. The
|
||
main point of this is to avoid munging (ugh) UUCP
|
||
addresses when relaying internally.
|
||
CONFIG: fix typo in mailer/uucp.m4 that mutilates list:;
|
||
syntax addresses delivered via UUCP. Solution
|
||
provided by Peter Wemm.
|
||
CONFIG: fix thumb-fumble in default UUCP relaying in ruleset
|
||
zero; it caused double @ signs in addresses. From
|
||
Irving Reid of the University of Toronto.
|
||
CONFIG: Portability fixes for SCO Unix 3.2 with TCP/IP 1.2.1
|
||
from Markku Toijala of ICL Personal Systems Oy.
|
||
CONFIG: Add trailing "." on pseudo-domains for consistency;
|
||
this fixes a problem (noted by Al Whaley of Sunnyside)
|
||
that made it hard to recognize your own pseudodomain
|
||
names.
|
||
CONFIG: catch "@host" syntax errors (i.e., null local-parts)
|
||
rather than letting them get "local configuration
|
||
error"s. Problem noted by John Gardiner Myers.
|
||
CONFIG: add uucp-uudom mailer variant, based on code posted
|
||
by Spider Boardman <spider@Orb.Nashua.NH.US>; this
|
||
has uucp-dom semantics but old UUCP syntax. This
|
||
also permits "uucp-old" as an alias for "uucp" and
|
||
"uucp-new" as a synonym for "suucp" for consistency.
|
||
CONFIG: add POP mailer support (from Kimmo Suominen
|
||
<kim@grendel.lut.fi>).
|
||
CONFIG: drop CSNET_RELAY support -- CSNET is long gone.
|
||
CONFIG: fix bug caused with domain literal addresses (e.g.,
|
||
``[128.32.131.12]'') when FEATURE(allmasquerade)
|
||
was set; it would get an additional @masquerade.host
|
||
added to the address. Problem noted by Peter Wan
|
||
of Georgia Tech.
|
||
CONFIG: make sure that the local UUCP name is in $=w. From
|
||
Jim Murray of Stratus.
|
||
CONFIG: changes to UUCP rewriting to simulate IDA-style "V"
|
||
mailer flag. Briefly, if you are sending to host
|
||
"foo", then it rewrites "foo!...!baz" to "...!baz",
|
||
"foo!baz" remains "foo!baz", and anything else has
|
||
the local name prepended.
|
||
CONFIG: portability fixes for HP-UX.
|
||
DOC: several minor problems fixed in the Install & Op Guide.
|
||
MAKEMAP: fix core dump problem on lines that are too long or
|
||
which lack newline. From Mark Delany.
|
||
MAILSTATS: print sums of columns (total messages & kbytes
|
||
in and out of the system). From Tom Ferrin of UC
|
||
San Francisco Computer Graphics Lab.
|
||
SIGNIFICANT USER- OR SYSAD-VISIBLE CHANGES:
|
||
On HP-UX, /etc/sendmail.cf has been moved to
|
||
/usr/lib/sendmail.cf to match HP sendmail.
|
||
Permissions have been tightened up on world-writable
|
||
:include: files and accounts that have shells
|
||
that are not listed in /etc/shells. This may
|
||
cause some .forward files that have worked
|
||
before to start failing.
|
||
SIGUSR1 dumps some state to the log.
|
||
NEW FILES:
|
||
src/Makefile.DGUX
|
||
src/Makefile.Dynix
|
||
src/Makefile.FreeBSD
|
||
src/Makefile.Mach386
|
||
src/Makefile.NetBSD
|
||
src/Makefile.RISCos
|
||
src/Makefile.SCO
|
||
src/Makefile.SVR4
|
||
src/Makefile.Titan
|
||
cf/mailer/pop.m4
|
||
cf/ostype/bsdi1.0.m4
|
||
cf/ostype/dgux.m4
|
||
cf/ostype/dynix3.2.m4
|
||
cf/ostype/sco3.2.m4
|
||
makemap/Makefile.dist
|
||
praliases/Makefile.dist
|
||
|
||
8.6.4/8.6.4 1993/10/31
|
||
Repair core-dump problem (write to read-only memory segment)
|
||
if you fall back to the return-to-Postmaster case in
|
||
savemail. Problem reported by Richard Liu.
|
||
Immediately diagnose bogus sender addresses in SMTP. This
|
||
makes quite certain that crackers can't use this
|
||
class of attack.
|
||
Reliability Fix: check return value from fclose() and fsync()
|
||
in a few critical places.
|
||
Minor problem in initsys() that reversed a condition for
|
||
redirecting the output channel on queue runs. It's
|
||
not clear this code even does anything. From Eric
|
||
Wassenaar of the Dutch National Institute for Nuclear
|
||
and High-Energy Physics.
|
||
Fix some problems that caused queue runs to do "too much work",
|
||
such as double-reading the Errors-To: header. From
|
||
Eric Wassenaar.
|
||
Error messages on writing the temporary file (including the
|
||
data file) were getting suppressed in SMTP -- this
|
||
fix causes them to be properly reported. From Eric
|
||
Wassenaar.
|
||
Some changes to support AF_UNIX sockets -- this will only
|
||
really become relevant in the next release, but some
|
||
people need it for local patches. From Michael
|
||
Corrigan of UC San Diego.
|
||
Use dynamically allocated memory (instead of static buffers)
|
||
for macros defined in initsys() and settime(); since
|
||
these can have different values depending on which
|
||
envelope they are in. From Eric Wassenaar.
|
||
Improve logging to show ctladdr on to= logging; this tells you
|
||
what uid/gid processes ran as.
|
||
Fix a problem that caused error messages to be discarded if
|
||
the sender address was unparseable for some reason;
|
||
this was supposed to fall back to the "return to
|
||
postmaster" case.
|
||
Improve aliaswait backoff algorithm.
|
||
Portability patches for Linux (8.6.3 required another header
|
||
file) (from Karl London) and SCO UNIX.
|
||
CONFIG: patch prog mailer to not strip host name off of envelope
|
||
addresses (so that it matches local again). From
|
||
Christopher Davis.
|
||
CONFIG: change uucp-dom mailer so that "<>" translates to $n;
|
||
this prevents uux from seeing lines with null names like
|
||
``From Sat Oct 30 14:55:31 1993''. From Motonori
|
||
Nakamura of Kyoto University.
|
||
CONFIG: handle <list:;> syntax correctly. This isn't legal, but
|
||
it shouldn't fail miserably. From Motonori Nakamura.
|
||
|
||
8.6.2/8.6.2 1993/10/15
|
||
Put a "successful delivery" message in the transcript for
|
||
addresses that get return-receipts.
|
||
Put a prominent "this is only a warning" message in warning
|
||
messages -- some people don't read carefully enough
|
||
and end up sending the message several times.
|
||
Include reason for temporary failure in the "warning" return
|
||
message. Currently, it just says "cannot send for
|
||
four hours".
|
||
Fix the "Original message received" time generated for
|
||
returntosender messages. It was previously listed as
|
||
the current time. Bug reported by Eric Hagberg of
|
||
Cornell University Medical College.
|
||
If there is an error when writing the body of a message,
|
||
don't send the trailing dot and wait for a response
|
||
in sender SMTP, as this could cause the connection to
|
||
hang up under some bizarre circumstances. From Eric
|
||
Wassenaar.
|
||
Fix some server SMTP synchronization problems caused when
|
||
connections fail during message collection. From
|
||
Eric Wassenaar.
|
||
Fix a problem that can cause srvrsmtp to reject mail if the
|
||
name server is down -- it accepts the RCPT but rejects
|
||
the DATA command. Problem reported by Jim Murray of
|
||
Stratus.
|
||
Fix a problem that can cause core dumps if the config file
|
||
incorrectly resolves to a null hostname. Reported by
|
||
Allan Johannesen of WPI.
|
||
Non-root use of -C flag, dangerous -f flags, and use of -oQ
|
||
by non-root users were not put into
|
||
X-Authentication-Warning:s as intended because the
|
||
config file hadn't set the PrivacyOptions yet. Fix
|
||
from Sven-Ove Westberg of the University of Lulea.
|
||
Under very odd circumstances, the alias file rebuild code
|
||
could get confused as to whether a database was
|
||
open or not.
|
||
Check "vendor code" on the end of V lines -- this is
|
||
intended to provide a hook for vendor-specific
|
||
configuration syntax. (This is a "new feature",
|
||
but I've made an exception to my rule in a belief
|
||
that this is a highly exceptional case.)
|
||
Portability fixes for DG/UX (from Douglas Anderson of NCSC),
|
||
SCO Unix (from Murray Kucherawy), A/UX, and OSF/1
|
||
(from Jon Forrest of UC Berkeley)
|
||
CONFIG: fix ``mailer:host'' form of UUCP relay naming.
|
||
|
||
8.6.1/8.6 1993/10/08
|
||
Portability fixes for A/UX and Encore UMAX V.
|
||
Fix error message handling -- if you had a name server down
|
||
causing an error during parsing, that message was never
|
||
propagated to the queue file.
|
||
|
||
8.6/8.6 1993/10/05
|
||
Configuration cleanup: make it easier to undo IDENTPROTO in
|
||
conf.h (other systems have the same bug).
|
||
If HASGETDTABLESIZE and _SC_OPEN_MAX are both defined, assume
|
||
getdtablesize() instead of sysconf(); a disturbingly
|
||
large number of systems defined _SC_OPEN_MAX in the
|
||
header files but don't have the syscall.
|
||
Another patch to really truly ignore MX records in getcanonname
|
||
if trymx == FALSE.
|
||
Fix problem that caused the "250 IAA25499 Message accepted for
|
||
delivery" message to be omitted if there was an error
|
||
in the header of the message (e.g., a bad Errors-To:
|
||
line). Pointed out by Michael Corrigan of UCSD.
|
||
Announce name of host we are chatting when we get errors; this
|
||
is an IDA-ism suggested by Christophe Wolfhugel.
|
||
Portability fixes for Alpha OSF/1 (from Anthony Baxter of the
|
||
Australian Artificial Intelligence Institute), SCO Unix
|
||
(from Murray Kucherawy of Hookup Communication Corp.),
|
||
NeXT (from Vince DeMarco and myself), Linux (from
|
||
Karl London <karl@borg.demon.co.uk>), BSDI (from
|
||
Christophe Wolfhugel, and SVR4 on Dell (from Kimmo
|
||
Suominen), AUX 3.0 on Macintosh, and ANSI C compilers.
|
||
Some changes to get around gcc optimizer bugs. From Takahiro
|
||
Kanbe.
|
||
Fix error recovery in queueup if another tf file of the same
|
||
name already exists. Problem stumbled over by Bill
|
||
Wisner of The Well.
|
||
Output YP_MASTER_NAME and YP_LAST_MODIFIED without null bytes.
|
||
Problem noted by Keith McMillan of Ameritech Services.
|
||
Deal with group permissions properly when opening .forward and
|
||
:include: files. This relaxes the 8.1C restrictions
|
||
slightly more. This includes proper setting of groups
|
||
when reading :include: files, allowing you to read some
|
||
files that you should be able to read but have previously
|
||
been denied unless you owned them or they had "other"
|
||
read permission.
|
||
Make certain that $j is in $=w (after the .cf is read) so that
|
||
if the user is forced to override some silly system,
|
||
MX suppression will still work.
|
||
Fix a couple of efficiency problems where newstr was double-
|
||
calling expensive routines. In at least one case, it
|
||
wasn't guaranteed that they would always return the
|
||
same result. Problem noted by Christophe Wolfhugel.
|
||
Fix null pointer dereference in putoutmsg -- only on an error
|
||
condition from a non-SMTP mailer. From Motonori
|
||
Nakamura.
|
||
Macro expand "C" line class definitions before scanning so that
|
||
"CX $Z" works.
|
||
Fix problem that caused error message to be sent while still
|
||
trying to send the original message if the connection
|
||
is closed during a DATA command after getting an error
|
||
on an RCPT command (pretty obscure). Problem reported
|
||
by John Myers of CMU.
|
||
Fix reply to NOOP to be 250 instead of 200 -- this is a long
|
||
term bug.
|
||
Fix a nasty bug causing core dumps when returning the "warning:
|
||
cannot deliver for N hours -- will keep trying" message;
|
||
it only occurred if you had PostmasterCopy set and
|
||
only on some architectures. Although sendmail would
|
||
keep trying, it would send error messages on each
|
||
queue interval. This is an important fix.
|
||
Allow u and g options to take user and group names respectively.
|
||
Don't do a chdir into the queue directory in -bt mode to make
|
||
ruleset testing a bit easier.
|
||
Don't allow users to turn off logging (using -oL) on the command
|
||
line -- command line can only raise, not lower, logging
|
||
level.
|
||
Set $u to the original recipient on the SMTP transaction or on
|
||
the command line. This is only done if there is exactly
|
||
one recipient. Technically, this does not meet the
|
||
specs, because it does not guarantee a domain on the
|
||
address.
|
||
Fix a problem that dumped error messages on bad addresses if
|
||
you used the -t flag. Problem noted by Josh Smith of
|
||
Harvey Mudd College.
|
||
Given an address such as ``<foo> <bar>'', auto-quote the first
|
||
``<foo>'' part, giving ``"<foo>" <bar>''. This is to
|
||
avoid the problem of people who use angle brackets in
|
||
their full name information.
|
||
Fix a null pointer dereference if you set option "l", have
|
||
an Errors-To: header in the message, and have Errors-To:
|
||
defined in the config file H lines. From J.R. Oldroyd.
|
||
Put YPCOMPAT on #ifdef NIS instead -- it's one less thing to get
|
||
wrong when compiling. Suggested by Rick McCarty of TI.
|
||
Fix a problem that could pass negative SIZE parameter if the
|
||
df file got lost; this would cause servers to always
|
||
give a temporary failure, making the problem even worse.
|
||
Problem noted by Allan Johannesen of WPI.
|
||
Add "ident" timeout (one of the "r" option selectors) for IDENT
|
||
protocol timeouts (30s default). Requested by Murray
|
||
Kucherawy of HookUp Communication Corp. to handle bogus
|
||
PC TCP/IP implementations.
|
||
Change $w default definition to be just the first component of
|
||
the domain name on config level 5. The $j macro defaults
|
||
to the FQDN; $m remains as before. This lets well-behaved
|
||
config files use any of the short, long, or subdomain
|
||
names.
|
||
Add makesendmail script in src to try to automate multi-architecture
|
||
builds. I know, this is sub-optimal, but it is still
|
||
helpful.
|
||
Fix very obscure race condition that can cause a queue run to
|
||
get a queue file for an already completed job. This
|
||
problem has existed for years. Problem noted by the
|
||
long suffering Allan Johannesen of WPI.
|
||
Fix a problem that caused the raw sender name to be passed to
|
||
udbsender instead of the canonified name -- this caused
|
||
it to sometimes miss records that it should have found.
|
||
Relax check of name on HELO packet so that a program using -bs
|
||
that claims to be itself works properly.
|
||
Restore rewriting of $: part of address through 2, R, 4 in
|
||
buildaddr -- this requires passing a lot of flags to get
|
||
it right. Unlike old versions, this ONLY rewrites
|
||
recipient addresses, not sender addresses.
|
||
Fix a bug that caused core dumps in config files that cannot
|
||
resolve /file/name style addresses. Fix from Jonathan
|
||
Kamens of OpenVision Technologies.
|
||
Fix problem with fcntl locking that can cause error returns to
|
||
be lost if the lock is lost; this required fully
|
||
queueing everything, dropping the envelope (so errors
|
||
would get returned), and then re-reading the queue from
|
||
scratch.
|
||
Fix a problem that caused aliases that redefine an otherwise
|
||
true address to still send to the original address
|
||
if and only if the alias failed in certain bizarre
|
||
ways (e.g, if they pointed at a list:; syntax address).
|
||
Problem pointed out by Jonathan Kamens.
|
||
Remove support for frozen configuration files. They caused
|
||
more trouble than it was worth.
|
||
Fix problem that can cause error messages to get ignored when
|
||
using both -odb and -t flags. Problem noted by Rob
|
||
McNicholas at U.C. Berkeley.
|
||
Include all "normal" variations on hostname in $=w. For example,
|
||
if the host name is vangogh.cs.berkeley.edu, $=w will
|
||
contain vangogh, vangogh.cs, and vangogh.cs.berkeley.edu.
|
||
Add "restrictqrun" privacy flag -- without this, anyone can run
|
||
the queue.
|
||
Reset SmtpPhase global on initial connection creation so that
|
||
messages don't come out with stale information.
|
||
Pass an "ext" argument to lockfile so that error/log messages
|
||
will properly reflect the true filename being locked.
|
||
Put all [...] address forms into $=w -- this eliminates the need
|
||
for MAXIPADDR in conf.h. Suggested by John Gardiner
|
||
Myers of CMU.
|
||
Fix a bug that can cause qf files to be left around even after
|
||
an SMTP RSET command. Problem and fix from Michael
|
||
Corrigan.
|
||
Don't send a PostmasterCopy to errors when the Precedence: is
|
||
negative. Error reports still go to the envelope
|
||
sender address.
|
||
Add LA_SHORT for load averages.
|
||
Lock sendmail.st file when posting statistics.
|
||
Add "SendBufSize" and "RcvBufSize" suboptions to "O" option to
|
||
set the size of the TCP send and receive buffers; if you
|
||
run over a slow slip line you may need to set these down
|
||
(although it would be better to fix the SLIP implementation
|
||
so that it's not necessary to recompile every program
|
||
that does bulk data transfer).
|
||
Allow null defaults on $( ... $) lookups. Problem reported by
|
||
Amir Plivatsky.
|
||
Diagnose crufty S and V config lines. This resulted from an
|
||
observation that some people were using the SITE macro
|
||
without the SITECONFIG macro first, which was causing
|
||
bogus config files that were not caught.
|
||
Fix makemap -f flag to turn off case folding (it was turning it
|
||
on instead). THIS IS A USER VISIBLE CHANGE!!!
|
||
Fix a problem that caused multiple error messages to be sent if
|
||
you used "sendmail -t -oem -odb", your system uses fcntl
|
||
locking, and one of the recipient addresses is unknown.
|
||
Reset uid earlier in include() so that recursive .forwards or
|
||
:include:s don't use the wrong uid.
|
||
If file descriptor 0, 1, or 2 was closed when sendmail was
|
||
called, the code to recover the descriptor was broken.
|
||
This sometimes (only sometimes) caused problems with the
|
||
alias file. Fix from Motonori Nakamura.
|
||
Fix a problem that caused aliaswait to go into infinite recursion
|
||
if the @:@ metasymbol wasn't found in the alias file.
|
||
Improve error message on newaliases if database files cannot be
|
||
opened or if running with no database format defined.
|
||
Do a better estimation of the size of error messages when NoReturn
|
||
is set. Problem noted by P{r (Pell) Emanuelsson.
|
||
Fix a problem causing the "c" option (don't connect to expensive
|
||
mailers) to be ignored in SMTP. Problem noted and the
|
||
solution suggested by Robert Elz of The University of
|
||
Melbourne.
|
||
Improve connection caching algorithm by passing "[host]" to
|
||
hostsignature, which strips the square brackets and
|
||
returns the real name. This allows mailertable entries
|
||
to match regular entries.
|
||
Re-enable Return-Receipt-To: -- people seem to want this stupid
|
||
feature, even if it doesn't work right.
|
||
Catch and log attempts to try the "wiz" command in server SMTP.
|
||
This also ups the log level from LOG_NOTICE to LOG_CRIT.
|
||
Be more generous at assigning $z to the home directory -- do this
|
||
for programs that are specified through a .forward file.
|
||
Fix from Andrew Chang of Sun Microsystems.
|
||
Always save a fatal error message in preference to a non-fatal
|
||
error message so that the "subject" line of return
|
||
messages is the best possible.
|
||
CONFIG: reduce the number of quotes needed to quote configuration
|
||
parameters with commas: two quotes should work now, e.g.,
|
||
define(ALIAS_FILE, ``/etc/aliases,/etc/aliases.local'').
|
||
CONFIG: class $=Z is a set of UUCP hosts that use uucp-dom
|
||
connections (domain-ized UUCP).
|
||
CONFIG: fix bug in default maps (-o must be before database file
|
||
name). Pointed out by Christophe Wolfhugel.
|
||
CONFIG: add FEATURE(nodns) to state that we are not relying on
|
||
DNS. This would presumably be used in UUCP islands.
|
||
CONFIG: add OSTYPE(nextstep) and OSTYPE(linux).
|
||
CONFIG: log $u in Received: line. This is in technical violation
|
||
of the standards, since it doesn't guarantee a domain
|
||
on the address.
|
||
CONFIG: don't assume "m" in local mailer flags -- this means that
|
||
if you redefine LOCAL_MAILER_FLAGS you will have to include
|
||
the "m" flag should you want it. Apparently some Solaris 2.2
|
||
installations can't handle multiple local recipients.
|
||
Problem noted by Josh Smith.
|
||
CONFIG: add confDOMAIN_NAME to set $j (if undefined, $j defaults).
|
||
CONFIG: change default version level from 4 to 5.
|
||
CONFIG: add FEATURE(nullclient) to create a config file that
|
||
forwards all mail to a hub without ever looking at the
|
||
addresses in any detail.
|
||
CONFIG: properly strip mailer: information off of relays when
|
||
used to change .BITNET form into %-hack form.
|
||
CONFIG: fix a problem that caused infinite loops if presented
|
||
with an address such as "!foo".
|
||
CONFIG: check for self literal (e.g., [128.32.131.12]) even if
|
||
the reverse "PTR" mapping is broken. There's a better
|
||
way to do this, but the change is fairly major and I
|
||
want to hold it for another release. Problem noted by
|
||
Bret Marquis.
|
||
|
||
8.5/8.5 1993/07/23
|
||
Serious bug: if you used a command line recipient that was unknown
|
||
sendmail would not send a return message (it was treating
|
||
everything as though it had an SMTP-style client that
|
||
would do the return itself). Problem noted by Josh Smith.
|
||
Change "trymx" option in getcanonname() to ignore all MX data,
|
||
even during a T_ANY query. This actually didn't break
|
||
anything, because the only time you called getcanonname
|
||
with !trymx was if you already knew there were no MX
|
||
records, but it is somewhat cleaner. From Motonori
|
||
Nakamura.
|
||
Don't call getcanonname from getmxrr if you already know there
|
||
are no DNS records matching the name.
|
||
Fix a problem causing error messages to always include "The
|
||
original message was received ... from localhost".
|
||
The correct original host information is now included.
|
||
Previous change to cf/sh/makeinfo.sh doesn't port to Ultrix (their
|
||
version of "test" doesn't have the -x flag). Change it
|
||
to use -f instead. From John Myers.
|
||
CONFIG: 8.4 mistakenly set the default SMTP-style mailer to
|
||
esmtp -- it should be smtp.
|
||
CONFIG: send all relayed mail using confRELAY_MAILER (defaults
|
||
to "relay" (a variant of "smtp") if MAILER(smtp) is used,
|
||
else "suucp" if MAILER(uucp) is used, else "unknown");
|
||
this cleans up the configs somewhat. This fixes a serious
|
||
problem that caused route-addrs to get mistaken as relays,
|
||
pointed out by John Myers. WARNING: this also causes
|
||
the default on SMART_HOST to change from "suucp" to
|
||
"relay" if you have MAILER(smtp) specified.
|
||
|
||
8.4/8.4 1993/07/22
|
||
Add option `w'. If you receive a message that comes to you because
|
||
you are the best (lowest preference) target of an MX, and
|
||
you haven't explicitly recognized the source MX host in
|
||
your .cf file, this option will cause you to try the target
|
||
host directly (as if there were no MX for it at all). If
|
||
`w' is not set, this case is a configuration error.
|
||
Beware: if `w' is set, senders may get bogus errors like
|
||
"message timed out" or "host unknown" for problems that
|
||
are really configuration errors. This option is
|
||
disrecommended, provided only for compatibility with
|
||
UIUC sendmail.
|
||
Fix a problem that caused the incoming socket to be left open
|
||
when sendmail forks after the DATA command. This caused
|
||
calling systems to wait in FIN_WAIT_2 state until the
|
||
entire list was processed and the child closed -- a
|
||
potentially prodigious amount of time. Problem noted
|
||
by Neil Rickert.
|
||
Fix problem (created in 6.64) that caused mail sent to multiple
|
||
addresses, one of which was a bad address, to completely
|
||
suppress the sending of the message. This changes
|
||
handling of EF_FATALERRS somewhat, and adds an
|
||
EF_GLOBALERRS flag. This also fixes a potential problem
|
||
with duplicate error messages if there is a syntax error
|
||
in the header of a message that isn't noticed until late
|
||
in processing. Original problem pointed out by Josh Smith
|
||
of Harvey Mudd College. This release includes quite a bit
|
||
of dickering with error handling (see below).
|
||
Back out SMTP transaction if MAIL gets nested 501 error. This
|
||
will only hurt already-broken software and should help
|
||
humans.
|
||
Fix a problem that broke aliases when neither NDBM nor NEWDB were
|
||
compiled in. It would never read the alias file.
|
||
Repair unbalanced `)' and `>' (the "open" versions are already
|
||
repaired).
|
||
Logging of "done" in dropenvelope() was incorrect: it would
|
||
log this even when the queue file still existed. Change
|
||
this to only log "done" (at log level 11) when the
|
||
queue file is actually removed. From John Myers.
|
||
Log "lost connection" in server SMTP at log level 20 if there
|
||
is no pending transaction. Some senders just close the
|
||
connection rather than sending QUIT.
|
||
Fix a bug causing getmxrr to add a dot to the end of unqualified
|
||
domains that do not have MX records -- this would cause
|
||
the subsequent host name lookup to fail. The problem
|
||
only occurred if you had FEATURE(nocanonify) set.
|
||
Problem noted by Rick McCarty of Texas Instruments.
|
||
Fix invocation of setvbuf when passed a -X flag -- I had
|
||
unwittingly used an ANSI C extension, and this caused
|
||
core dumps on some machines.
|
||
Diagnose self-destructive alias loops on RCPT as well as EXPN.
|
||
Previously it just gave an empty send queue, which
|
||
then gave either "Need RCPT (recipient)" at the DATA
|
||
(confusing, since you had given an RCPT command which
|
||
returned 250) or just dropped the email, depending on
|
||
whether you were running VERBose mode. Now it usually
|
||
diagnoses this case as "aliasing/forwarding loop broken".
|
||
Unfortunately, it still doesn't adequately diagnose
|
||
some true error conditions.
|
||
Add internal concept of "warning messages" using 6xx codes.
|
||
These are not reported only to Postmaster. Unbalanced
|
||
parens, brackets, and quotes are printed as 653 codes.
|
||
They are always mapped to 5xx codes before use in SMTP.
|
||
Clean up error messages to tell both the actual address that
|
||
failed and the alias they arose from. This makes it
|
||
somewhat easier to diagnose problems. Difficulty noted
|
||
by Motonori Nakamura.
|
||
Fix a problem that inappropriately added a ctladdr to addresses
|
||
that shouldn't have had one during a queue run. This
|
||
caused error messages to be handled differently during
|
||
a queue run than a direct run.
|
||
Don't print the qf name and line number if you get errors during
|
||
the direct run of the queue from srvrsmtp -- this was
|
||
just extra stuff for users to crawl through.
|
||
Put command line flags on second line of pid file so you can
|
||
auto-restart the daemon with all appropriate arguments.
|
||
Use "kill `head -1 /etc/sendmail.pid`" to stop the
|
||
daemon, and "eval `tail -1 /etc/sendmail.pid`" to
|
||
restart it.
|
||
Remove the ``setuid(getuid())'' in main -- this caused the
|
||
IDENT daemon to screw up. This required that I change
|
||
HASSETEUID to HASSETREUID and complicate the mode
|
||
changing somewhat because both Ultrix and SunOS seem
|
||
to have a bug causing seteuid() to set the saved uid
|
||
as well as the effective. The program test/t_setreuid.c
|
||
will test to see if your implementation of setreuid(2)
|
||
is appropriately functional.
|
||
The FallBackMX (option V) handling failed to properly identify
|
||
fallback to yourself -- most of the code was there,
|
||
but it wasn't being enabled. Problem noted by Murray
|
||
Kucherawy of the University of Waterloo.
|
||
Change :include: open timeout from ETIMEDOUT to an internal
|
||
code EOPENTIMEOUT; this avoids adding "during SmtpPhase
|
||
with CurHostName" in error messages, which can be
|
||
confusing. Reported by Jonathan Kamens of OpenVision
|
||
Technologies.
|
||
Back out setpgrp (setpgid on POSIX systems) call to reset the
|
||
process group id. The original fix was to get around
|
||
some problems with recalcitrant MUAs, but it breaks
|
||
any call from a shell that creates a process group id
|
||
different from the process id. I could try to fix
|
||
this by diddling the tty owner (using tcsetpgrp or
|
||
equivalent) but this is too likely to break other
|
||
things.
|
||
Portability changes:
|
||
Support -M as equivalent to -oM on Ultrix -- apparently
|
||
DECnet calls sendmail with -MrDECnet -Ms<HOST> -bs
|
||
instead of using standard flags. Oh joy. This
|
||
behavior reported by Jon Giltner of University
|
||
of Colorado.
|
||
SGI IRIX -- this includes several changes that should
|
||
help other strict ANSI compilers.
|
||
SCO Unix -- from Murray Kucherawy of HookUp Communication
|
||
Corporation.
|
||
Solaris running the Sun C compiler (which despite the
|
||
documentation apparently doesn't define
|
||
__STDC__ by default).
|
||
ConvexOS from Eric Schnoebelen of Convex.
|
||
Sony NEWS workstations and Omron LUNA workstations from
|
||
Motonori Nakamura.
|
||
CONFIG: add confTRY_NULL_MX_LIST to set option `w'.
|
||
CONFIG: delete `C' and `e' from default SMTP mailers flags;
|
||
several people have made a good argument that this
|
||
creates more problems than it solves (although this
|
||
may prove painful in the short run).
|
||
CONFIG: generalize all the relays to accept a "mailer:host"
|
||
format.
|
||
CONFIG: move local processing in ruleset 0 into a new ruleset
|
||
98 (8 on old sendmail). Domain literal [a.b.c.d]
|
||
addresses are also passed through this ruleset.
|
||
CONFIG: if neither SMART_HOST nor MAILER(smtp) were defined,
|
||
internet-style addresses would "fall off the end" of
|
||
ruleset zero and be interpreted as local -- however,
|
||
the angle brackets confused the recursive call.
|
||
These are now diagnosed as "Unrecognized host name".
|
||
CONFIG: USENET rules weren't included in S0 because of a mistaken
|
||
ifdef(`_MAILER_USENET_') instead of
|
||
ifdef(`_MAILER_usenet_'). Problem found by Rein Tollevik
|
||
of SINTEF RUNIT, Oslo.
|
||
CONFIG: move up LOCAL_RULE_0 processing so that it happens very
|
||
early in ruleset 0; this allows .mc authors to bypass
|
||
things like the "short circuit" code for local addresses.
|
||
Prompted by a comment by Bill Wisner of The Well.
|
||
CONFIG: add confSMTP_MAILER to define the mailer used (smtp or
|
||
esmtp) to send SMTP mail. This allows you to default
|
||
to esmtp but use a mailertable or other override to
|
||
deal with broken servers. This logic was pointed out
|
||
to me by Bill Wisner. Ditto for confLOCAL_MAILER.
|
||
Changes to cf/sh/makeinfo.sh to make it portable to SVR4
|
||
environments. Ugly as sin.
|
||
|
||
8.3/8.3 1993/07/13
|
||
Fix setuid problems introduced in 8.2 that caused messages
|
||
like "Cannot create qfXXXXXX: Invalid argument"
|
||
or "Cannot reopen dfXXXXXX: Permission denied". This
|
||
involved a new compile flag "HASSETEUID" that takes
|
||
the place of the old _POSIX_SAVED_IDS -- it turns out
|
||
that the POSIX interface is broken enough to break
|
||
some systems badly. This includes some fixes for
|
||
HP-UX. Also fixes problems where the real uid is
|
||
not reset properly on startup (from Neil Rickert).
|
||
Fix a problem that caused timed out messages to not report the
|
||
addresses that timed out. Error messages are also more
|
||
"user friendly".
|
||
Drop required bandwidth on connections from 64 bytes/sec to
|
||
16 bytes/sec.
|
||
Further Solaris portability changes -- doesn't require the BSD
|
||
compatibility library. This also adds a new
|
||
"HASGETDTABLESIZE" compile flag which can be used if
|
||
you want to use getdtablesize(2) instead of sysconf(2).
|
||
These are loosely based on changes from David Meyer at
|
||
University of Oregon. This now seems to work, at least
|
||
for quick test cases.
|
||
Fix a problem that can cause duplicate error messages to be
|
||
sent if you are in SMTP, you send to multiple addresses,
|
||
and at least one of those addresses is good and points
|
||
to an account that has a .forward file (whew!).
|
||
Fix a problem causing messages to be discarded if checkcompat()
|
||
returned EX_TEMPFAIL (because it didn't properly mark
|
||
the "to" address). Problem noted by John Myers.
|
||
Fix dfopen to return NULL if the open failed; I was depending
|
||
on fdopen(-1) returning NULL, which isn't the case. This
|
||
isn't serious, but does result in weird error diagnoses.
|
||
From Michael Corrigan.
|
||
CONFIG: add UUCP_MAX_SIZE M4 macro to set the maximum size of
|
||
messages sent through UUCP-family mailers. Suggested
|
||
by Bill Wisner of The Well.
|
||
CONFIG: if both MAILER(uucp) and MAILER(smtp) are specified,
|
||
include a "uucp-dom" mailer that uses domain-style
|
||
addressing. Suggested by Bill Wisner.
|
||
CONFIG: Add LOCAL_SHELL_FLAGS and LOCAL_SHELL_ARGS to match
|
||
LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS. Suggested by
|
||
Christophe Wolfhugel.
|
||
CONFIG: Add OSTYPE(aix3). From Christophe Wolfhugel.
|
||
|
||
8.2/8.2 1993/07/11
|
||
Don't drop out on config file parse errors in -bt mode.
|
||
On older configuration files, assume option "l" (use Errors-To
|
||
header) for back compatibility. NOTE: this DOES NOT
|
||
imply an endorsement of the Errors-To: header in any way.
|
||
Accept -x flag on AIX-3 as well as OSF/1. Why, why, why???
|
||
Don't log errors on EHLO -- it isn't a "real" error for an old
|
||
SMTP server to give an error on this command, and
|
||
logging it in the transcript can be confusing. Fix
|
||
from Bill Wisner.
|
||
IRIX compatibility changes provided by Dan Rich
|
||
<drich@sandman.lerc.nasa.gov>.
|
||
Solaris 2 compatibility changes. Provided by Bob Cunningham
|
||
<bob@kahala.soest.hawaii.edu>, John Oleynick
|
||
<juo@klinzhai.rutgers.edu>
|
||
Debugging: -d17 was overloaded (hostsignature and usersmtp.c);
|
||
move usersmtp (smtpinit and smtpmailfrom) to -d18 to
|
||
match the other flags in that file.
|
||
Flush transcript before fork in mailfile(). From Eric Wassenaar.
|
||
Save h_errno in mci struct and improve error message display.
|
||
Changes from Eric Wassenaar.
|
||
Open /dev/null for the transcript if the create of the xf file
|
||
failed; this avoids at least one possible null pointer
|
||
reference in very weird cases. From Eric Wassenaar.
|
||
Clean up statistics gathering; it was over-reporting because of
|
||
forks. From Eric Wassenaar.
|
||
Fix problem that causes old Return-Path: line to override new
|
||
Return-Path: line (conf.c needs H_FORCE to avoid
|
||
re-using old value). From Motonori Nakamura.
|
||
Fix broken -m flag in K definition -- even if -m (match only)
|
||
was specified, it would still replace the key with the
|
||
value. Noted by Rick McCarty of Texas Instruments.
|
||
If the name server timed out over several days, no "timed out"
|
||
message would ever be sent back. The timeout code
|
||
has been moved from markfailure() to dropenvelope()
|
||
so that all such failures should be diagnosed. Pointed
|
||
out by Christophe Wolfhugel and others.
|
||
Relax safefile() constraints: directories in an include or
|
||
forward path must be readable by self if the controlling
|
||
user owns the entry, readable by all otherwise (e.g.,
|
||
when reading your .forward file, you have to own and
|
||
have X permission in it; everyone needs X permission in
|
||
the root and directories leading up to your home);
|
||
include files must be readable by anyone, but need not
|
||
be owned by you.
|
||
If _POSIX_SAVED_IDS is defined, setuid to the owner before
|
||
reading a .forward file; this gets around some problems
|
||
on NFS mounts if root permission is not exported and
|
||
the user's home directory isn't x'able.
|
||
Additional NeXT portability enhancements from Axel Zinser.
|
||
Additional HP-UX portability enhancements from Brian Bullen.
|
||
Add a timeout around SMTP message writes; this assumes you can
|
||
get throughput of at least 64 bytes/second. Note that
|
||
this does not impact the "datafinal" default, which
|
||
is separate; this is just intended to work around
|
||
network clogs that will occur before the final dot
|
||
is sent. From Eric Wassenaar.
|
||
Change map code to set the "include null" flag adaptively --
|
||
it initially tries both, but if it finds anything
|
||
matching without a null it never tries again with a
|
||
null and vice versa. If -N is specified, it never
|
||
tries without the null and creates new maps with a
|
||
null byte. If -O is specified, it never tries with
|
||
the null (for efficiency). If -N and -O are specified,
|
||
you get -NO (get it?) lookup at all, so this would
|
||
be a bad idea. If you don't specify either -N or -O,
|
||
it adapts.
|
||
Fix recognition of "same from address" so that MH submissions
|
||
will insert the appropriate full name information;
|
||
this used to work and got broken somewhere along the
|
||
way.
|
||
Some changes to eliminate some unnecessary SYSERRs in the
|
||
log. For example, if you lost a connection, don't
|
||
bother reporting that fact on the connection you lost.
|
||
Add some "extended debugging" flags to try to track down
|
||
why we get occasional problems with file descriptor
|
||
one being closed when execing a mailer; it seems to
|
||
only happen when there has been another error in the
|
||
same transaction. This requires XDEBUG, defined
|
||
by default in conf.h.
|
||
Add "-X filename" command line flag, which logs both sides of
|
||
all SMTP transactions. This is intended ONLY for
|
||
debugging bad implementations of other mailers; start
|
||
it up, send a message from a mailer that is failing,
|
||
and then kill it off and examine the indicated log.
|
||
This output is not intended to be particularly human
|
||
readable. This also adds the HASSETVBUF compile
|
||
flag, defaulted on if your compiler defines __STDC__.
|
||
CONFIG: change SMART_HOST to override an SMTP mailer. If you
|
||
have a local net that should get direct connects, you
|
||
will need to use LOCAL_NET_CONFIG to catch these hosts.
|
||
See cf/README for an example.
|
||
CONFIG: add LOCAL_MAILER_ARGS (default: `mail -d $u') to handle
|
||
sites that don't use the -d flag.
|
||
CONFIG: hide recipient addresses as well as sender addresses
|
||
behind $M if FEATURE(allmasquerade) is specified; this
|
||
has been requested by several people, but can break
|
||
local aliases. For example, if you mail to "localalias"
|
||
this will be rewritten as "localalias@masqueradehost";
|
||
although initial delivery will work, replies will be
|
||
broken. Use it sparingly.
|
||
CONFIG: add FEATURE(domaintable). This maps unqualified domains
|
||
to qualified domains in headers. I believe this is
|
||
largely equivalent to the IDA feature of the same name.
|
||
CONFIG: use $U as UUCP name instead of $k. This permits you
|
||
to override the "system name" as your UUCP name --
|
||
in particular, to use domain-ized UUCP names. From
|
||
Bill Wisner of The Well.
|
||
CONFIG: create new mailer "esmtp" that always tries EHLO
|
||
first. This is currently unused in the config files,
|
||
but could be used in a mailertable entry.
|
||
|
||
8.1C/8.1B 1993/06/27
|
||
Serious security bug fix: it was possible to read any file on
|
||
the system, regardless of ownership and permissions.
|
||
If a subroutine returns a fully qualified address, return it
|
||
immediately instead of feeding it back into rewriting.
|
||
This fixes a problem with mailertable lookups.
|
||
CONFIG: fix some M4 frotz (concat => CONCAT)
|
||
|
||
8.1B/8.1A 1993/06/12
|
||
Serious bug fix: pattern matching backup algorithm stepped by
|
||
two tokens in classes instead of one. Found by Claus
|
||
Assmann at University of Kiel, Germany.
|
||
|
||
8.1A/8.1A 1993/06/08
|
||
Another mailertable fix....
|
||
|
||
8.1/8.1 1993/06/07
|
||
4.4BSD freeze. No semantic changes.
|