1fff924f15
Note that there was an incompatible config change for IPv6 users. See the MESSAGE file for details.

pkgsrc change: delete a couple of patches that have been upstreamed

Proofpoint, Inc., and the Sendmail Consortium announce the availability of sendmail 8.15.1.

This release:
o offers more TLS related features,
o does not ignore temporary map lookup failures during header rewriting,
o uses uncompressed IPv6 addresses by default, which is an incompatible change that requires to update IPv6 related configuration data.
as well as many other enhancements. For details see the release notes below.

SENDMAIL RELEASE NOTES

This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release.

8.15.1/8.15.1 2014/12/06

SECURITY: Properly set the close-on-exec flag for file descriptors (except stdin, stdout, and stderr) before executing mailers.

If header rewriting fails due to a temporary map lookup failure, queue the mail for later retry instead of sending it without rewriting the header. Note: this is done while the mail is being sent and hence the transaction is aborted, which only works for SMTP/LMTP mailers hence the handling of temporary map failures is suppressed for other mailers. SMTP/LMTP servers may complain about aborted transactions when this problem occurs. See also "DNS Lookups" in sendmail/TUNING.

Incompatible Change: Use uncompressed IPv6 addresses by default, i.e., they will not contain "::". For example, instead of ::1 it will be 0:0:0:0:0:0:0:1. This permits a zero subnet to have a more specific match, such as different map entries for IPv6:0:0 vs IPv6:0. This change requires that configuration data (including maps, files, classes, custom ruleset, etc) must use the same format, so make certain such configuration data is updated before using 8.15. As a very simple check search for patterns like 'IPv6:[0-9a-fA-F:]*::' and 'IPv6::'. If necessary, the prior format can be retained by compiling with:
    APPENDDEF(`conf_sendmail_ENVDEF', `-DIPV6_FULL=0')
in your devtools/Site/site.config.m4 file.

If debugging is turned on (-d0.14) also print the OpenSSL versions, both build time and run time (provided STARTTLS is compiled in).

If a connection to the MTA is dropped by the client before its hostname can be validated, treat it as "may be forged", so that the unvalidated hostname is not passed to a milter in xxfi_connect().

Add a timeout for communication with socket map servers which can be specified using the -d option.

Add a compile time option HESIOD_ALLOW_NUMERIC_LOGIN to allow numeric logins even if HESIOD is enabled.

The new option CertFingerprintAlgorithm specifies the fingerprint algorithm (digest) to use for the presented cert. If the option is not set, md5 is used and the macro {cert_md5} contains the cert fingerprint. However, if the option is set, the specified algorithm (e.g., sha1) is used and the macro {cert_fp} contains the cert fingerprint. That is, as long as the option is not set, the behaviour does not change, but otherwise, {cert_md5} is superseded by {cert_fp} even if you set CertFingerprintAlgorithm to md5.

The options ServerSSLOptions and ClientSSLOptions can be used to set SSL options for the server and client side respectively. See SSL_CTX_set_options(3) for a list. Note: this change turns on SSL_OP_NO_SSLv2 and SSL_OP_NO_TICKET for the client. See doc/op/op.me for details.

A new map type "arpa" is available to reverse an IP (IPv4 or IPv6) address. It returns the string for the PTR lookup, but without trailing {ip6,in-addr}.arpa.

New operation mode 'C' just checks the configuration file, e.g.,
    sendmail -C new.cf -bC
will perform a basic syntax/consistency check of new.cf.

The mailer flag 'I' is deprecated and will be removed in a future version.

Allow local (not just TCP) socket connections to the server, e.g.,
    O DaemonPortOptions=Family=local, Addr=/var/mta/server.sock
can be used.

If the new option MaxQueueAge is set to a value greater than zero, entries in the queue will be retried during a queue run only if the individual retry time has been reached which is doubled for each attempt. The maximum retry time is limited by the specified value.

New DontBlameSendmail option GroupReadableDefaultAuthInfoFile to relax requirement for DefaultAuthInfo file.

Reset timeout after receiving a message to appropriate value if STARTTLS is in use. Based on patch by Kelsey Cummings of Sonic.net.

Report correct error messages from the LDAP library for a range of small negative return values covering those used by OpenLDAP.

Fix compilation with Berkeley DB 5.0 and 6.0. Patch from Allan E Johannesen of Worcester Polytechnic Institute.

CONFIG: FEATURE(`nopercenthack') takes one parameter: reject or nospecial which describes whether to disallow "%" in the local part of an address.

DEVTOOLS: Fix regression in auto-detection of libraries when only shared libraries are available. Problem reported by Bryan Costales.

LIBMILTER: Mark communication socket as close-on-exec in case a user's filter starts other applications. Based on patch from Paul Howarth.

Portability: SunOS 5.12 has changed the API for sigwait(2) to conform with XPG7. Based on patch from Roger Faulkner of Oracle.

Deleted Files: libsm/path.c
67 lines
3.1 KiB
Text
===========================================================================
$NetBSD: MESSAGE,v 1.8 2014/12/06 23:22:20 jnemeth Exp $

INCOMPATIBLE CONFIG CHANGE

If you are updating from a previous version to 8.15.1 or later,
note that there has been an incompatible config change for IPv6
addresses:

	Incompatible Change: Use uncompressed IPv6 addresses by default,
	i.e., they will not contain "::". For example,
	instead of ::1 it will be 0:0:0:0:0:0:0:1. This
	permits a zero subnet to have a more specific match,
	such as different map entries for IPv6:0:0 vs IPv6:0.
	This change requires that configuration data
	(including maps, files, classes, custom ruleset,
	etc) must use the same format, so make certain such
	configuration data is updated before using 8.15.
	As a very simple check search for patterns like
	'IPv6:[0-9a-fA-F:]*::' and 'IPv6::'. If necessary,
	the prior format can be retained by compiling with:
	APPENDDEF(`conf_sendmail_ENVDEF', `-DIPV6_FULL=0')
	in your devtools/Site/site.config.m4 file.

===========================================================================

To use "${PKGNAME}" as the system's mail transport agent you have
to install "${PREFIX}/share/examples/sendmail/mailer.conf" as global
mailwrapper configuration file. The command below will do that for you:

	ln -fs ${PREFIX}/share/examples/sendmail/mailer.conf /etc/mailer.conf

You should also add a line to /etc/mtree/special.local so you won't
get a complaint in the daily insecurity e-mail like this:

	./etc/mailer.conf type=link mode=0444


If you are changing the database format used by sendmail you must run
"newaliases" and "makemap" in order to re-create the databases.

You may also need to install (and/or customize) the configuration files
for Sendmail before it will be operational. "cd" to the directory

	${PREFIX}/share/sendmail/cf

and read the file README for instructions on creating and installing
configuration files.


NOTE: If your system doesn't have mailwrapper and/or it won't
install on your system, then you will need to move aside system
supplied binaries and replace them with symlinks to the binaries
supplied with sendmail. The most important of these is the sendmail
binary itself. This is typically located at /usr/sbin/sendmail or
/usr/lib/sendmail. These will need to be moved aside, and you will
need to create a symlink from /usr/sbin/sendmail to
${PREFIX}/libexec/sendmail/sendmail. This is required because most
third party apps (or, even system supplied apps) will look for
sendmail at one of the above locations. There are a variety of
other apps such as: editmap, hoststat, mailq, mailstats, makemap,
newaliases, praliases, purgestat, and vacation. You can deal with
these either by having ${PREFIX}/bin and ${PREFIX}/sbin at the
beginning of your PATH, or creating symlinks. hoststat, mailq,
mailstats, newaliases, and purgestat are just links to sendmail.

===========================================================================
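
The "very simple check" quoted in the notice above, as an added example that is not part of the MESSAGE file, sendmail or pkgsrc: it flags lines matching the two quoted patterns and proposes the uncompressed form, so access-control entries such as RELAY or REJECT keys are not silently left unmatched after the upgrade. The function names and sample lines are constructed; the output style (lowercase hex, no leading zeros) is an assumption taken from the notice's 0:0:0:0:0:0:0:1 example, and entries that are not a full address are left for manual review.

```python
import ipaddress
import re

# The two search patterns quoted in the notice above.
PAGE_PATTERNS = (re.compile(r"IPv6:[0-9a-fA-F:]*::"), re.compile(r"IPv6::"))
# Assumption: the address is the run of hex digits, colons and dots after the tag.
TAGGED = re.compile(r"IPv6:([0-9a-fA-F:.]+)")

# Constructed sample lines in the style of a map source file (not from the page).
SAMPLE = [
    "Connect:IPv6:::1\tRELAY",
    "IPv6:2001:db8::25\tREJECT",
    "IPv6:2001:db8:1\tOK",       # prefix without "::", matches neither pattern
    "IPv6::1\tRELAY",            # malformed: flagged, but cannot be expanded
    "192.0.2.7\tRELAY",
]

def uncompress(addr):
    """Return addr as eight groups without '::', or None if it needs manual review."""
    if "." in addr:              # embedded IPv4 notation: left for a human (assumption)
        return None
    try:
        value = int(ipaddress.IPv6Address(addr))
    except ValueError:           # not a complete, valid IPv6 address
        return None
    return ":".join(format((value >> s) & 0xFFFF, "x") for s in range(112, -1, -16))

def _rewrite(match):
    """Replace one tagged address with its uncompressed form when that is possible."""
    full = uncompress(match.group(1))
    return "IPv6:" + full if full else match.group(0)

def audit(lines):
    """Return (line number, original, proposed rewrite or None) for each flagged line."""
    findings = []
    for number, line in enumerate(lines, 1):
        if any(p.search(line) for p in PAGE_PATTERNS):
            fixed = TAGGED.sub(_rewrite, line)
            findings.append((number, line, fixed if fixed != line else None))
    return findings

if __name__ == "__main__":
    for number, line, fixed in audit(SAMPLE):
        print(number, repr(line), "->", repr(fixed) if fixed else "manual review")
```

After editing the map source files, the databases still have to be rebuilt with "makemap" as the notice describes.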