MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
This will create two sendmail service instances, :mta and :msp, to start
the two sendmail instances that are usually required. The :mta instance
optionally depends on spamassassin and spamass-milter.
pkgsrc change: default to enable TLS
- this has been requested a couple of times and most systems are going
to have a recent enough version of openssl so in most cases there
won't be additional dependencies
8.15.2/8.15.2 2015/07/03
If FEATURE(`nopercenthack') is used then some bogus input triggered
a recursion which was caught and logged as
SYSERR: rewrite: excessive recursion (max 50) ...
Fix based on patch from Ondrej Holas.
DHParameters now by default uses an included 2048 bit prime.
The value 'none' previously caused a log entry claiming
there was an error "cannot read or set DH parameters".
Also note that this option applies to the server side only.
The U= mailer field didn't accept group names containing hyphens,
underbars, or periods. Based on patch from David Gwynne
of the University of Queensland.
CONFIG: Allow connections from IPv6:0:0:0:0:0:0:0:1 to relay again.
Patch from Lars-Johan Liman of Netnod Internet Exchange.
CONFIG: New option UseCompressedIPv6Addresses to select between
compressed and uncompressed IPv6 addresses. The default
value depends on the compile-time option IPV6_FULL:
For 1 the default is False, for 0 it is True, thus
preserving the current behaviour. Based on patch from
John Beck of Oracle.
CONFIG: Account for IPv6 localhost addresses in
FEATURE(`block_bad_helo'). Suggested by Andrey Chernov
from FreeBSD and Robert Scheck from the Fedora Project.
CONFIG: Account for IPv6 localhost addresses in check_mail ruleset.
LIBMILTER: Deal with more invalid protocol data to avoid potential
crashes. Problem noted by Dimitri Kirchner.
LIBMILTER: Allow a milter to specify an empty macro list ("", not
NULL) in smfi_setsymlist() so no macro is sent for the
selected stage.
MAKEMAP: A change to check TrustedUser in fewer cases which was
made in 2013 caused a potential regression when makemap
was run as root (which should not be done anyway).
Note: sendmail often contains options "For Future Releases"
(prefix _FFR_) which might be enabled in a subsequent
version or might simply be removed as they turned out not
to be really useful. These features are usually not
documented but if they are, then the required (FFR)
options are listed in
- doc/op/op.* for rulesets and macros,
- cf/README for mc/cf options.
Note that there was an incompatible config change for IPv6 users.
See the MESSAGE file for details.
pkgsrc change: delete a couple of patches that have been upstreamed
Proofpoint, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.15.1. This release:
o offers more TLS related features,
o does not ignore temporary map lookup failures during header rewriting,
o uses uncompressed IPv6 addresses by default, which is an incompatible
change that requires to update IPv6 related configuration data.
as well as many other enhancements. For details see the release
notes below.
SENDMAIL RELEASE NOTES
This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.
8.15.1/8.15.1 2014/12/06
SECURITY: Properly set the close-on-exec flag for file descriptors
(except stdin, stdout, and stderr) before executing mailers.
If header rewriting fails due to a temporary map lookup failure,
queue the mail for later retry instead of sending it
without rewriting the header. Note: this is done
while the mail is being sent and hence the transaction
is aborted, which only works for SMTP/LMTP mailers
hence the handling of temporary map failures is
suppressed for other mailers. SMTP/LMTP servers may
complain about aborted transactions when this problem
occurs.
See also "DNS Lookups" in sendmail/TUNING.
Incompatible Change: Use uncompressed IPv6 addresses by default,
i.e., they will not contain "::". For example,
instead of ::1 it will be 0:0:0:0:0:0:0:1. This
permits a zero subnet to have a more specific match,
such as different map entries for IPv6:0:0 vs IPv6:0.
This change requires that configuration data
(including maps, files, classes, custom ruleset,
etc) must use the same format, so make certain such
configuration data is updated before using 8.15.
As a very simple check search for patterns like
'IPv6:[0-9a-fA-F:]*::' and 'IPv6::'. If necessary,
the prior format can be retained by compiling with:
APPENDDEF(`conf_sendmail_ENVDEF', `-DIPV6_FULL=0')
in your devtools/Site/site.config.m4 file.
If debugging is turned on (-d0.14) also print the OpenSSL
versions, both build time and run time
(provided STARTTLS is compiled in).
If a connection to the MTA is dropped by the client before its
hostname can be validated, treat it as "may be forged",
so that the unvalidated hostname is not passed to a
milter in xxfi_connect().
Add a timeout for communication with socket map servers
which can be specified using the -d option.
Add a compile time option HESIOD_ALLOW_NUMERIC_LOGIN to allow
numeric logins even if HESIOD is enabled.
The new option CertFingerprintAlgorithm specifies the finger-
print algorithm (digest) to use for the presented cert.
If the option is not set, md5 is used and the macro
{cert_md5} contains the cert fingerprint.
However, if the option is set, the specified algorithm
(e.g., sha1) is used and the macro {cert_fp} contains
the cert fingerprint.
That is, as long as the option is not set, the behaviour
does not change, but otherwise, {cert_md5} is superseded
by {cert_fp} even if you set CertFingerprintAlgorithm
to md5.
The options ServerSSLOptions and ClientSSLOptions can be used
to set SSL options for the server and client side
respectively. See SSL_CTX_set_options(3) for a list.
Note: this change turns on SSL_OP_NO_SSLv2 and
SSL_OP_NO_TICKET for the client. See doc/op/op.me
for details.
A new map type "arpa" is available to reverse an IP (IPv4 or IPv6)
address. It returns the string for the PTR lookup, but
without trailing {ip6,in-addr}.arpa.
New operation mode 'C' just checks the configuration file, e.g.,
sendmail -C new.cf -bC
will perform a basic syntax/consistency check of new.cf.
The mailer flag 'I' is deprecated and will be removed in a
future version.
Allow local (not just TCP) socket connections to the server, e.g.,
O DaemonPortOptions=Family=local, Addr=/var/mta/server.sock
can be used.
If the new option MaxQueueAge is set to a value greater than zero,
entries in the queue will be retried during a queue run
only if the individual retry time has been reached which
is doubled for each attempt. The maximum retry time is
limited by the specified value.
New DontBlameSendmail option GroupReadableDefaultAuthInfoFile
to relax requirement for DefaultAuthInfo file.
Reset timeout after receiving a message to appropriate value if
STARTTLS is in use. Based on patch by Kelsey Cummings
of Sonic.net.
Report correct error messages from the LDAP library for a range of
small negative return values covering those used by OpenLDAP.
Fix compilation with Berkeley DB 5.0 and 6.0. Patch from
Allan E Johannesen of Worcester Polytechnic Institute.
CONFIG: FEATURE(`nopercenthack') takes one parameter: reject or
nospecial which describes whether to disallow "%" in the
local part of an address.
DEVTOOLS: Fix regression in auto-detection of libraries when only
shared libraries are available. Problem reported by
Bryan Costales.
LIBMILTER: Mark communication socket as close-on-exec in case
a user's filter starts other applications.
Based on patch from Paul Howarth.
Portability:
SunOS 5.12 has changed the API for sigwait(2) to conform
with XPG7. Based on patch from Roger Faulkner of Oracle.
Deleted Files:
libsm/path.c
This should be the last update during the freeze.
PR/48566 - Emmanuel Dreyfus -- typo in patch-aw leading to build failure
PR/48913 - Matthias Scheler -- libmilter fails on unprivileged builds
- remove some HTML cruft from netbsd-proto.mc
- stop trying to set file ownership and group during stage-install
- initialize sm_res earlier and test before calling res_ninit()
- clear SSL_OP_TLSEXT_PADDING by defualt to fix interoperability issues
- eliminate stray call to res_search()
- verified with nm that all deprecated resolver functions have been eradicated
The above should address the folling PRs:
- PR/47207 - Richard Palo -- attempt to set ownership when unprivileged
- PR/48566 - Emmanuel Dreyfus -- problem with TLS timeouts
- PR/48913 - Matthias Scheler -- attempt to set ownership when unprivileged
pkgsrc changes:
- consolidate several patches into site.config.m4
- pkgsrc LDFLAGS should always be used
- don't bother specifying file owner/group anywhere except in Makefile
- create include/sm/os/sm_os_netbsd.h to fix warnings and OS specific stuff
- install mail.local and rmail
- convert to use res_n* functions
- allows for linking against threaded libraries
- add a TODO file
- PR/35249 - Loren M. Lang
- can't find libraries on Linux, this should be fixed by using pkgsrc LDFLAGS
- PR/46694 - Makoto Fujiwara
- bring back netbsd-proto.mc from when sendmail was part of the base system
- PR/47207 - Richard Palo
- let pkgsrc infrastructure handle file ownership and group
- PR/48566 - Emmanuel Dreyfus
- always set _FFR_USE_GETPWNAM_ERRNO on NetBSD
- roll ffr_tls_1 and the suggested ffr_tls_ec into one new ffr_tls option
- not enabled by default because it changes behaviour
8.14.9/8.14.9 2014/05/21
SECURITY: Properly set the close-on-exec flag for file descriptors
(except stdin, stdout, and stderr) before executing mailers.
Fix a misformed comment in conf.c: "/*" within comment
which may cause a compilation error on some systems.
Problem reported by John Beck of Oracle.
DEVTOOLS: Fix regression in auto-detection of libraries when only
shared libraries are available. Problem reported by
Bryan Costales.
minor feature additions.
8.14.8/8.14.8 2014/01/26
Properly initialize all OpenSSL algorithms for versions before
OpenSSL 0.9.8o. Without this SHA2 algorithms may not
work properly, causing for example failures for certs
that use sha256WithRSAEncryption as signature algorithm.
When looking up hostnames, ensure only to return those records
for the requested family (AF_INET or AF_INET6).
On system that have NEEDSGETIPNODE and NETINET6
this may have failed and cause delivery problems.
Problem noted by Kees Cook.
A new mailer flag '!' is available to suppress an MH hack
that drops an explicit From: header if it is the
same as what sendmail would generate.
Add an FFR (for future release) to use uncompressed IPv6 addresses,
i.e., they will not contain "::". For example, instead
of ::1 it will be 0:0:0:0:0:0:0:1. This means that
configuration data (including maps, files, classes,
custom ruleset, etc) have to use the same format.
This will be turned on in 8.15. It can be enabled in 8.14
by compiling with:
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_IPV6_FULL')
in your devtools/Site/site.config.m4 file.
Add an additional case for the WorkAroundBrokenAAAA check when
dealing with broken nameservers by ignoring SERVFAIL
errors returned on T_AAAA (IPv6) lookups at delivery time.
Problem noted by Pavel Timofeev of OCS.
If available, pass LOGIN_SETCPUMASK and LOGIN_SETLOGINCLASS to
setusercontext() on deliveries as a different user.
Patch from Edward Tomasz Napierala from FreeBSD.
Avoid compiler warnings from a change in Cyrus-SASL 2.1.25.
Patch from Hajimu UMEMOTO from FreeBSD.
Add support for DHParameters 2048-bit primes.
CONFIG: Accept IPv6 literals when evaluating the HELO/EHLO argument
in FEATURE(`block_bad_helo'). Suggested by Andrey Chernov.
LIBSMDB: Add a missing check for malloc() in libsmdb/smndbm.c.
Patch from Bill Parker.
LIBSMDB: Fix minor memory leaks in libsmdb/ if allocations
fail. Patch from John Beck of Oracle.
Portability:
Add support for Darwin 12.x and 13.x (Mac OS X 10.8 and 10.9).
On Linux use socklen_t as the type for the 3rd argument
for getsockname/getpeername if the glibc version is at
least 2.1.
Added Files:
devtools/OS/Darwin.12.x
devtools/OS/Darwin.13.x
option for sendmail.cf. it is required in order to remove weak ciphers,
and enforce Forward Secrecy on modern MUA
Usage example:
O CipherList=DH@STRENGTH:HIGH:!MD5:!DES:!aNULL:!eNULL
8.14.7/8.14.7 2013/04/21
Drop support for IPv4-mapped IPv6 addresses to prevent the MTA
from using a mapped address over a legitimate IPv6 address
and to enforce the proper semantics over the IPv6
connection. Problem noted by Ulrich Sporlein.
Fix a regression introduced in 8.14.6: the wrong list of
macros was sent to a milter in the EHLO stage.
Problem found by Fabrice Bellet, reported via RedHat
(Jaroslav Skarvada).
Fix handling of ORCPT parameter for DSNs: xtext decoding
was not performed and a wrong syntax check was applied
to the "addr-type" field. Problem noted by Dan Lukes
of Obludarium.
Fix handling of NUL characters in the MIME conversion functions
so that message bodies containing them will be sent
on properly. Note: this usually also affects mails
that are not converted as those functions are used
for other purposes too. Problem noted by Elchonon
Edelson of Lockheed Martin.
Do not perform "duplicate" elimination of recipients if they
resolve to the error mailer using a temporary failure
(4xy) via ruleset 0. Problem noted by Akira Takahashi
of IIJ.
CONTRIB: Updated version of etrn.pl script from John Beck
of Oracle.
Portability:
Unlike gcc, clang doesn't apply full prototypes to K&R
definitions.
- will look at making recently requested changes in a subsequent commit
8.14.6/8.14.6 2012/12/23
Fix a regression introduced in 8.14.5: if a server offers
two AUTH lines, the MTA would not read them after
STARTTLS has been used and hence SMTP AUTH for
the client side would fail. Problem noted by Lena.
Do not cache hostnames internally in a non case sensitive way
as that may cause addresses to change from lower case
to upper case or vice versa. These header modifications
can cause problems with milters that rely on receiving
headers in the same way as they are being sent out such
as a DKIM signing milter.
If MaxQueueChildren is set then it was possible that new queue
runners could not be started anymore because an
internal counter was subject to a race condition.
If a milter decreases the timeout it waits for a communication
with the MTA, the MTA might experience a write() timeout.
In some situations, the resulting error might have been
ignored. Problem noted by Werner Wiethege.
Note: decreasing the communication timeout in a milter
should not be done without considering the potential
problems.
smfi_setsymlist() now properly sets the list of macros for
the milter which invoked it, instead of a global
list for all milters. Problem reported by
David Shrimpton of the University of Queensland.
If Timeout.resolver.retrans is set to a value larger than 20,
then resolver.retry was temporarily set to 0 for
gethostbyaddr() lookups. Now it is set to 1 instead.
Patch from Peter.
If sendmail could not lock the statistics file due to a system
error, and sendmail later sends a DSN for a mail that
triggered such an error, then sendmail tried to access
memory that was freed before (causing a crash on some
systems). Problem reported by Ryan Stone.
Do not log negative values for size= nor pri= to avoid confusing
log parsers, instead limit the values to LONG_MAX.
Account for an API change in newer versions of Cyrus-SASL.
Patch from Hajimu UMEMOTO from FreeBSD.
Do not try to resolve link-local addresses for IPv4 (just as it
is done for IPv6). Patch from John Beck of Oracle.
Improve logging of client and server STARTTLS connection failures
that may be due to incompatible cipher lists by including
the reason for the failure in a single log line. Suggested
by James Carey of Boeing.
Portability:
Add support for Darwin 11.x and 12.x (Mac OS X 10.7 and 10.8).
Add support for SunOS 5.12 (aka Solaris 12). Patch from
John Beck of Oracle.
8.14.5/8.14.5 2011/05/17
Do not cache SMTP extensions across connections as the cache
is based on hostname which may not be a unique identifier
for a server, i.e., different machines may have the
same hostname but provide different SMTP extensions.
Problem noted by Jim Hermann.
Avoid an out-of-bounds access in case a resolver reply for a DNS
map lookup returns a size larger than 1K. Based on a
patch from Dr. Werner Fink of SuSE.
If a job is aborted using the interrupt signal (e.g., control-C from
the keyboard), perform minimal cleanup to avoid invoking
functions that are not signal-safe. Note: in previous
versions the mail might have been queued up already
and would be delivered subsequently, now an interrupt
will always remove the queue files and thus prevent
delivery.
Per RFC 6176, when operating as a TLS client, do not offer SSLv2.
Since TLS session resumption is never used as a client, disable
use of RFC 4507-style session tickets.
Work around gcc4 versions which reverse 25 years of history and
no longer align char buffers on the stack, breaking calls
to resolver functions on strict alignment platforms.
Found by Stuart Henderson of OpenBSD.
Read at most two AUTH lines from a server greeting (up to two
lines are read because servers may use "AUTH mechs" and
"AUTH=mechs"). Otherwise a malicious server may exhaust
the memory of the client. Bug report by Nils of MWR
InfoSecurity.
Avoid triggering an assertion in the OpenLDAP code when the
connection to an LDAP server is lost while making a query.
Problem noted and patch provided by Andy Fiddaman.
If ConnectOnlyTo is set and sendmail is compiled with NETINET6
it would try to use an IPv6 address if an IPv4 (or
unparseable) address is specified.
If SASLv2 is used, make sure that the macro {auth_authen} is
stored in xtext format to avoid problems with parsing
it. Problem noted by Christophe Wolfhugel.
CONFIG: FEATURE(`ldap_routing') in 8.14.4 tried to add a missing
-T<TMPF> that is required, but failed for some cases
that did not use LDAP. This change has been undone
until a better solution can be implemented. Problem
found by Andy Fiddaman.
CONFIG: Add cf/ostype/solaris11.m4 for Solaris11 support.
Contributed by Casper Dik of Oracle.
CONTRIB: qtool.pl: Deal with H entries that do not have a
letter between the question marks. Patch from
Stefan Christensen.
DOC: Use a better description for the -i option in sendmail.
Patch from Mitchell Berger.
Portability:
Add support for Darwin 10.x (Mac OS X 10.6).
Enable HAVE_NANOSLEEP for FreeBSD 3 and later. Patch
from John Marshall.
Enable HAVE_NANOSLEEP for OpenBSD 4.3 and later.
Use new directory "/system/volatile" for PidFile on
Solaris 11. Patch from Casper Dik of Oracle.
Fix compilation on Solaris 11 (and maybe some other
OSs) when using OpenSSL 1.0. Based on patch from
Jan Pechanec of Oracle.
Set SOCKADDR_LEN_T and SOCKOPT_LEN_T to socklen_t
for Solaris 11. Patch from Roger Faulkner of Oracle.
New Files:
cf/ostype/solaris11.m4
8.14.4/8.14.4 2009/12/30
SECURITY: Handle bogus certificates containing NUL characters
in CNs by placing a string indicating a bad certificate
in the {cn_subject} or {cn_issuer} macro. Patch inspired
by Matthias Andree's changes for fetchmail.
During the generation of a queue identifier an integer overflow
could occur which might result in bogus characters
being used. Based on patch from John Vannoy of
Pepperdine University.
The value of headers, e.g., Precedence, Content-Type, et.al.,
was not processed correctly. Patch from Per Hedeland.
Between 8.11.7 and 8.12.0 the length limitation on a return
path was erroneously reduced from MAXNAME (256) to
MAXSHORTSTR (203). Patch from John Gardiner Myers
of Proofpoint; the problem was also noted by Steve
Hubert of University of Washington.
Prevent a crash when a hostname lookup returns a seemingly
valid result which contains a NULL pointer (this seems
to be happening on some Linux versions).
The process title was missing the current load average when
the MTA was delaying connections due to DelayLA.
Patch from Dick St.Peters of NetHeaven.
Do not reset the number of queue entries in shared memory if
only some of them are processed.
Fix overflow of an internal array when parsing some replies
from a milter. Problem found by Scott Rotondo
of Sun Microsystems.
If STARTTLS is turned off in the server (via M=S) then it
would not be initialized for use in the client either.
Patch from Kazuteru Okahashi of IIJ.
If a Diffie-Hellman cipher is selected for STARTTLS, the
handshake could fail with some TLS implementations
because the prime used by the server is not long enough.
Note: the initialization of the DSA/DH parameters for
the server can take a significant amount of time on slow
machines. This can be turned off by setting DHParameters
to none or a file (see doc/op/op.me). Patch from
Petr Lampa of the Brno University of Technology.
Fix handling of `b' modifier for DaemonPortOptions on little
endian machines for loopback address. Patch from
John Beck of Sun Microsystems.
Fix a potential memory leak in libsmdb/smdb1.c found by parfait.
Based on patch from Jonathan Gray of OpenBSD.
If a milter sets the reply code to "421" during the transfer
of the body, the SMTP server will terminate the SMTP session
with that error to match the behavior of the other callbacks.
Return EX_IOERR (instead of 0) if a mail submission fails due to
missing disk space in the mail queue. Based on patch
from Martin Poole of RedHat.
CONFIG: Using FEATURE(`ldap_routing')'s `nodomain' argument would
cause addresses not found in LDAP to be misparsed.
CONFIG: Using a CN restriction did not work for TLS_Clt as it
referred to a wrong macro. Patch from John Gardiner
Myers of Proofpoint.
CONFIG: The option relaytofulladdress of FEATURE(`access_db')
did not work if FEATURE(`relay_hosts_only') is used too.
Problem noted by Kristian Shaw.
CONFIG: The internal function lower() was broken and hence
strcasecmp() did not work either, which could cause
problems for some FEATURE()s if upper case arguments
were used. Patch from Vesa-Matti J Kari of the
University of Helsinki.
LIBMILTER: Fix internal check whether a milter application
is compiled against the same version of libmilter as
it is linked against (especially useful for dynamic
libraries).
LIBMILTER: Fix memory leak that occurred when smfi_setsymlist()
was used. Based on patch by Dan Lukes.
LIBMILTER: Document the effect of SMFIP_HDR_LEADSPC for filters
which add, insert, or replace headers. From Benjamin
Pineau.
LIBMILTER: Fix error messages which refer to "select()" to be
correct if SM_CONF_POLL is used. Based on patch from
John Nemeth.
LIBSM: Fix handling of LDAP search failures where the error is
carried in the search result itself, such as seen with
OpenLDAP proxy servers.
VACATION: Do not refer to a local variable outside its scope.
Based on patch from Mark Costlow of Southwest Cyberport.
Portability:
Enable HAVE_NANOSLEEP for SunOS 5.11. Patch from
John Beck of Sun Microsystems.
Drop NISPLUS from default SunOS 5.11 map definitions.
Patch from John Beck of Sun Microsystems.
unconditionally. All supported systems should have poll(2). If
one is found that doesn't then this can be revisited and some way
of making it conditional can be implemented.
This resolves an issue with applications that have a large
number of open files and want to bump FD_SETSIZE. Since libmilter
no longer uses select(2), the application is free to monkey with
FD_SETSIZE as it pleases.
