freebsd-skq/contrib/sendmail/KNOWNBUGS

202 lines
8.7 KiB
Plaintext
Raw Normal View History

K N O W N B U G S I N S E N D M A I L
(for 8.9.3)
The following are bugs or deficiencies in sendmail that I am aware of
but which have not been fixed in the current release. You probably
want to get the most up to date version of this from ftp.sendmail.org
in /pub/sendmail/KNOWNBUGS. For descriptions of bugs that have been
fixed, see the file RELEASE_NOTES (in the root directory of the sendmail
distribution).
This list is not guaranteed to be complete.
* Null bytes are not handled properly in headers.
Sendmail should handle full binary data. As it stands, it handles
all values in the body, but only 0x01-0x80 and 0xA0-0xFF in
the header. Notably missing is 0x00, which would require a major
restructuring of the code -- for example, almost no C library support
could be used to handle strings.
* Duplicate error messages.
Sometimes identical, duplicate error messages can be generated. As
near as I can tell, this is rare and relatively innocuous.
* $c (hop count) macro improperly set.
The $c macro is supposed to contain the current hop count, for use
when calling a mailer. This macro is initialized too early, and
is always zero (or the value of the -c command line flag, if any).
This macro will probably be removed entirely in a future release;
I don't believe there are any mailers left that require it.
* \231 considered harmful.
Header addresses that have the \231 character (and possibly others
in the range \201 - \237) behave in odd and usually unexpected ways.
* accept() problem on SVR4.
Apparently, the sendmail daemon loop (doing accept()s on the network)
can get into a weird state on SVR4; it starts logging ``SYSERR:
getrequests: accept: Protocol Error''. The workaround is to kill
and restart the sendmail daemon. We don't have an SVR4 system at
Berkeley that carries more than token mail load, so I can't validate
this. It is likely to be a glitch in the sockets emulation, since
"Protocol Error" is not possible error code with Berkeley TCP/IP.
I've also had someone report the message ``sendmail: accept:
SIOCGPGRP failed errno 22'' on an SVR4 system. This message is
not in the sendmail source code, so I assume it is also a bug
in the sockets emulation. (Errno 22 is EINVAL "Invalid Argument"
on all the systems I have available, including Solaris 2.x.)
Apparently, this problem is due to linking -lc before -lsocket;
if you are having this problem, check your Makefile.
* accept() problem on Linux.
The accept() in sendmail daemon loop can return ETIMEDOUT. An
error is reported to syslog:
Jun 9 17:14:12 hostname sendmail[207]: NOQUEUE: SYSERR(root):
getrequests: accept: Connection timed out
"Connection timed out" is not documented as a valid return from
accept(2) and this was believed to be a bug in the Linux kernel.
Later information from the Linux kernel group states that Linux
2.0 kernels follow RFC1122 while sendmail follows the original BSD
(now POSIX 1003.1g draft) specification. The 2.1.X and later kernels
will follow the POSIX draft.
* Excessive mailing list nesting can run out of file descriptors.
If you have a mailing list that includes lots of other mailing
lists, each of which has a separate owner, you can run out of
file descriptors. Each mailing list with a separate owner uses
one open file descriptor (prior to 8.6.6 it was three open
file descriptors per list). This is particularly egregious if
you have your connection cache set to be large.
* Connection caching breaks if you pass the port number as an argument.
If you have a definition such as:
Mport, P=[IPC], F=kmDFMuX, S=11/31, R=21,
M=2100000, T=DNS/RFC822/SMTP,
A=IPC [127.0.0.1] $h
(i.e., where $h is the port number instead of the host name) the
connection caching code will break because it won't notice that
two messages addressed to different ports should use different
connections.
* ESMTP SIZE underestimates the size of a message
Sendmail makes no allowance for headers that it adds, nor does it
account for the SMTP on-the-wire \r\n expansion. It probably doesn't
allow for 8->7 bit MIME conversions either.
* Paths to programs being executed and the mode of program files are
not checked. Essentially, the RunProgramInUnsafeDirPath and
RunWritableProgram bits in the DontBlameSendmail option are always
set. This is not a problem if your system is well managed (that is,
if binaries and system directories are mode 755 instead of something
foolish like 777).
* 8-bit data in GECOS field
If the GECOS (personal name) information in the passwd file contains
8-bit characters, those characters can be included in the message
header, which can cause problems when sending SMTP to hosts that
only accept 7-bit characters.
* 8->7 bit MIME conversion
When sendmail is doing 8->7 bit MIME conversions, and the message
contains certain MIME body types that cannot be converted to 7-bit,
sendmail will strip the message to 7-bit.
* 7->8 bit MIME conversion
If a message that is encoded as 7-bit MIME is converted to 8-bit and
that message when decoded is illegal (e.g., because of long lines or
illegal characters), sendmail can produce an illegal message.
* MIME encoded full name phrases in the From: header
If a full name phrase includes characters from MustQuoteChars, sendmail
will quote the entire full name phrase. If MustQuoteChars includes
characters which are not special characters according to STD 11 (RFC
822), this quotation can interfere with MIME encoded full name phrases.
By default, sendmail includes the single quote character (') in
MustQuoteChars even though it is not listed as a special character in
STD 11.
* bestmx map with -z flag truncates the list of MX hosts
A bestmx map configured with the -z flag will truncate the list
of MX hosts. This prevents creation of strings which are too
long for ruleset parsing. This can have an adverse effect on the
relay_based_on_MX feature.
* Saving to ~sender/dead.letter fails if su'ed to root
If ErrorMode is set to print and an error in sending mail occurs,
the normal action is to print a message to the screen and append
the message to a dead.letter file in the sender's home directory.
In the case where the sender is using su to act as root, the file
safety checks prevent sendmail from saving the dead.letter file
because the sender's uid and the current real uid do not match.
* Berkeley DB 2.X race condition with fcntl() locking
There is a race condition for Berkeley DB 2.X databases on
operating systems which use fcntl() style locking, such as
Solaris. Sendmail locks the map before calling db_open() to
prevent others from modifying the map while it is being opened.
Unfortunately, Berkeley DB opens the map, closes it, and then
reopens it. fcntl() locking drops the lock when any file
descriptor pointing to the file is closed, even if it is a
different file descriptor than the one used to initially lock
the file. As a result there is a possibility that entries in a
map might not be found during a map rebuild. As a workaround,
you can use makemap to build a map with a new name and then
"mv" the new db file to replace the old one.
Sleepycat Software has added code to avoid this race condition to
Berkeley DB versions after 2.7.5.
* File open timeouts not available on hard mounted NFS file systems
Since SIGALRM does not interrupt an RPC call for hard mounted
NFS file systems, it is impossible to implement a timeout on a file
open operation. Therefore, while the NFS server is not responding,
attempts to open a file on that server will hang. Systems with
local mail delivery and NFS hard mounted home directories should be
avoided, as attempts to open the forward files could hang.
* Race condition for delivery to setuid files
Sendmail will deliver to a fail if the file is owned by the DefaultUser
or has the setuid bit set. Unfortunately, some systems clear that bit
when a file is modified. Sendmail compensates by resetting the file mode
back to it's original settings. Unfortunately, there's still a
permission failure race as sendmail checks the permissions before locking
the file. This is unavoidable as sendmail must verify the file is safe
to open before opening it. A file can not be locked until it is open.
* Potential denial of service attack with AutoRebuildAliases
There is a potential for a denial of service attack if the
AutoRebuildAliases option is set as a user can kill the sendmail process
while it is rebuilding the aliases file leaving it in an inconsistent
state. This option and it's use is deprecated and will be removed from a
future version of sendmail.
$Revision: 8.43 $, Last updated $Date: 1999/11/17 18:56:09 $