author | gshapiro <gshapiro@FreeBSD.org> | 2003-02-08 20:31:29 +0000 |
---|---|---|
committer | gshapiro <gshapiro@FreeBSD.org> | 2003-02-08 20:31:29 +0000 |
commit | 842b56b9cabf175e7842ec5a3b29ff68353b3177 (patch) | |
tree | 2e81c43d391ed220f6656502de14ddfbb0de4ecd /contrib/sendmail/cf | |
parent | 39e311b2e17a53f7ed02fcbe3820ca77b65486d5 (diff) | |
download | FreeBSD-src-842b56b9cabf175e7842ec5a3b29ff68353b3177.zip FreeBSD-src-842b56b9cabf175e7842ec5a3b29ff68353b3177.tar.gz |
Import sendmail 8.12.7
Diffstat (limited to 'contrib/sendmail/cf')
-rw-r--r-- | contrib/sendmail/cf/README | 167 | ||||
-rw-r--r-- | contrib/sendmail/cf/cf/submit.cf | 21 | ||||
-rw-r--r-- | contrib/sendmail/cf/cf/submit.mc | 7 | ||||
-rw-r--r-- | contrib/sendmail/cf/feature/local_procmail.m4 | 8 | ||||
-rw-r--r-- | contrib/sendmail/cf/m4/cfhead.m4 | 6 | ||||
-rw-r--r-- | contrib/sendmail/cf/m4/proto.m4 | 64 | ||||
-rw-r--r-- | contrib/sendmail/cf/m4/version.m4 | 4 | ||||
-rw-r--r-- | contrib/sendmail/cf/sendmail.schema | 6 |
8 files changed, 187 insertions, 96 deletions
diff --git a/contrib/sendmail/cf/README b/contrib/sendmail/cf/README index 6a556c8..167d6a4 100644 --- a/contrib/sendmail/cf/README +++ b/contrib/sendmail/cf/README @@ -189,6 +189,13 @@ expanded. This also applies to because ``define'' is an M4 keyword. If you want to use them, surround them with directed quotes, `like this'. +Since m4 uses single quotes (opening "`" and closing "'") to quote +arguments, those quotes can't be used in arguments. For example, +it is not possible to define a rejection message containing a single +quote. Usually there are simple workarounds by changing those +messages; in the worst case it might be ok to change the value +directly in the generated .cf file, which however is not advised. + Notice: ------- @@ -466,6 +473,10 @@ CYRUSV2_MAILER_ARGS [FILE /var/imap/socket/lmtp] The arguments passed change the name of the Unix domain socket, or to switch to delivery via TCP (e.g., `TCP $h lmtp') CYRUSV2_MAILER_QGRP [undefined] The queue group for the cyrusv2 mailer. +CYRUSV2_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data + that ARRIVE from an address that resolves to one the + Cyrus mailer and which are converted to MIME will + be labeled with this character set. confEBINDIR [/usr/libexec] The directory for executables. Currently used for FEATURE(`local_lmtp') and FEATURE(`smrsh'). @@ -895,6 +906,12 @@ local_no_masquerade if MASQUERADE_AS is used. MASQUERADE_AS will only have effect on addresses of mail going outside the local domain. +masquerade_envelope + If masquerading is enabled (using MASQUERADE_AS) or the + genericstable is in use, this feature will cause envelope + addresses to also masquerade as being from the masquerade + host. Normally only the header addresses are masqueraded. + genericstable This feature will cause unqualified addresses (i.e., without a domain) and addresses with a domain listed in class {G} to be looked up in a map and turned into another ("generic") 
@@ -1058,6 +1075,9 @@ local_procmail Use procmail or another delivery agent as the local mailer. 3. Flags for the mailer [default: SPfhn9] Empty arguments cause the defaults to be taken. + Note that if you are on a system with a broken + setreuid() call, you may need to add -f $f to the procmail + argument vector to pass the proper sender to procmail. For example, this allows it to use the maildrop (http://www.flounder.net/~mrsam/maildrop/) mailer instead @@ -1136,7 +1156,8 @@ relay_based_on_MX relay_mail_from Allows relaying if the mail sender is listed as RELAY in - the access map. If an optional argument `domain' is given, + the access map. If an optional argument `domain' (this + is the literal word `domain', not a placeholder) is given, relaying can be allowed just based on the domain portion of the sender address. This feature should only be used if absolutely necessary as the sender address can be easily @@ -1223,6 +1244,10 @@ dnsbl Turns on rejection of hosts found in an DNS based rejection to query different DNS based rejection lists. See also enhdnsbl for an enhanced version. + Set the DNSBL_MAP mc option to change the default map + definition from `host'. Set the DNSBL_MAP_OPT mc option + to add additional options to the map specification used. + Some DNS based rejection lists cause failures if asked for AAAA records. If your sendmail version is compiled with IPv6 support (NETINET6) and you experience this @@ -1259,6 +1284,9 @@ enhdnsbl Enhanced version of dnsbl (see above). Further arguments i.e., `', is specified. This feature requires that sendmail has been compiled with the flag DNSMAP (see sendmail/README). + Set the EDNSBL_TO mc option to change the DNS retry count + from the default value of 5. + lookupdotdomain Look up also .domain in the access map. This allows to match only subdomains. It does not work well with FEATURE(`relay_hosts_only'), because most lookups for 
@@ -1323,15 +1351,20 @@ msp Defines config file for Message Submission Program. Some more hints about possible changes can be found below in the section MESSAGE SUBMISSION PROGRAM. - Note: if localhost doesn't resolve to the IP address - of your local system (127.0.0.1 or ::1 for IPv6), - then you either need to fix your hostname resolution - (localhost and localhost.YOUR.DOMAIN should resolve - to that address by convention) or you need to specify - the IP address as argument, e.g., + Note: Due to many problems, submit.mc uses FEATURE(`msp', `[127.0.0.1]') + by default. If you have a machine with IPv6 only, + change it to + + FEATURE(`msp', `[IPv6:::1]') + + If you want to continue using '[localhost]', (the behavior + up to 8.12.6), use + + FEATURE(`msp') + queuegroup A simple example how to select a queue group based on the full e-mail address or the domain of the recipient. Selection is done via entries in the @@ -2188,15 +2221,16 @@ A slightly better solution is FEATURE(`relay_mail_from') which allows relaying if the mail sender is listed as RELAY in the -access map. If an optional argument `domain' is given, the domain -portion of the mail sender is also checked to allowing relaying. -This option only works together with the tag From: for the LHS of -the access map entries (see below: Finer control...). This feature -allows spammers to abuse your mail server by specifying a return -address that you enabled in your access file. This may be harder -to figure out for spammers, but it should not be used unless -necessary. Instead use SMTP AUTH or STARTTLS to allow relaying -for roaming users. +access map. If an optional argument `domain' (this is the literal +word `domain', not a placeholder) is given, the domain portion of +the mail sender is also checked to allowing relaying. This option +only works together with the tag 
From: for the LHS of the access +map entries (see below: Finer control...). This feature allows +spammers to abuse your mail server by specifying a return address +that you enabled in your access file. This may be harder to figure +out for spammers, but it should not be used unless necessary. +Instead use SMTP AUTH or STARTTLS to allow relaying for roaming +users. If source routing is used in the recipient address (e.g., @@ -2341,7 +2375,7 @@ The value part of the map can contain: For example: - cyberspammer.com ERROR:550 "We don't accept mail from spammers" + cyberspammer.com ERROR:"550 We don't accept mail from spammers" okay.cyberspammer.com OK sendmail.org RELAY 128.32 RELAY @@ -2465,11 +2499,15 @@ instead of just disabling the DNS lookups in the backlists. The features described above make use of the check_relay, check_mail, -and check_rcpt rulesets. If you wish to include your own checks, -you can put your checks in the rulesets Local_check_relay, -Local_check_mail, and Local_check_rcpt. For example if you wanted to -block senders with all numeric usernames (i.e. 2312343@bigisp.com), -you would use Local_check_mail and the regex map: +and check_rcpt rulesets. Note that check_relay checks the SMTP +client hostname and IP address when the connection is made to your +server. It does not check if a mail message is being relayed to +another server. That check is done in check_rcpt. If you wish to +include your own checks, you can put your checks in the rulesets +Local_check_relay, Local_check_mail, and Local_check_rcpt. For +example if you wanted to block senders with all numeric usernames +(i.e. 2312343@bigisp.com), you would use Local_check_mail and the +regex map: LOCAL_CONFIG Kallnumbers regex -a@MATCH ^[0-9]+$ 
@@ -2574,8 +2612,9 @@ the friend option and having Spam:abuse@ FRIEND -in the access map, mail to abuse@localdomain will get through. It is -also possible to specify a full address or an address with +detail: +in the access map, mail to abuse@localdomain will get through (where +"localdomain" is any domain in class {w}). It is also possible to +specify a full address or an address with +detail: Spam:abuse@my.domain FRIEND Spam:me+abuse@ FRIEND @@ -2597,9 +2636,10 @@ This is done by adding a ruleset call to the 'H' header definition command in sendmail.cf. For example, this can be used to check the validity of a Message-ID: header: - LOCAL_RULESETS + LOCAL_CONFIG HMessage-Id: $>CheckMessageId + LOCAL_RULESETS SCheckMessageId R< $+ @ $+ > $@ OK R$* $#error $: 553 Header Error @@ -2636,10 +2676,9 @@ probably not be used in production. LOCAL_CONFIG Kstorage macro - - LOCAL_RULESETS HMessage-Id: $>CheckMessageId + LOCAL_RULESETS SCheckMessageId # Record the presence of the header R$* $: $(storage {MessageIdCheck} $@ OK $) $1 
@@ -2714,22 +2753,22 @@ ${server_addr} the address of the server of the current outgoing SMTP Relaying -------- -SMTP STARTTLS can allow relaying for senders who have successfully -authenticated themselves. This is done in the ruleset RelayAuth. If the -verification of the cert failed (${verify} != OK), relaying is subject to -the usual rules. Otherwise the DN of the issuer is looked up in the access -map using the tag CERTISSUER. If the resulting value is RELAY, relaying is -allowed. If it is SUBJECT, the DN of the cert subject is looked up next in -the access map using the tag CERTSUBJECT. If the value is RELAY, relaying -is allowed. -To make things a bit more flexible (or complicated), the values for +SMTP STARTTLS can allow relaying for remote SMTP clients which have +successfully authenticated themselves. This is done in the ruleset +RelayAuth. If the verification of the cert failed (${verify} != OK), +relaying is subject to the usual rules. Otherwise the DN of the issuer is +looked up in the access map using the tag CERTISSUER. If the resulting +value is RELAY, relaying is allowed. If it is SUBJECT, the DN of the cert +subject is looked up next in the access map using the tag CERTSUBJECT. If +the value is RELAY, relaying is allowed. + ${cert_issuer} and ${cert_subject} can be optionally modified by regular expressions defined in the m4 variables _CERT_REGEX_ISSUER_ and _CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in rulesets and map lookups, they are modified as follows: each non-printable -character and the characters '<', '>', '(', ')', '"', '+' are replaced by -their HEX value with a leading '+'. For example: +character and the characters '<', '>', '(', ')', '"', '+', ' ' are replaced +by their HEX value with a leading '+'. For example: /C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email= darth+cert@endmail.org 
@@ -2741,6 +2780,9 @@ Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org (line breaks have been inserted for readability). +The macros which are subject to this encoding are ${cert_subject}, +${cert_issuer}, ${cn_subject}, and ${cn_issuer}. + Examples: To allow relaying for everyone who can present a cert signed by @@ -2750,7 +2792,7 @@ Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org simply use: -CERTIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= +CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org RELAY To allow relaying only for a subset of machines that have a cert signed by @@ -2760,9 +2802,9 @@ Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org use: -CERTIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= +CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org SUBJECT -CERTSubject:/C=US/ST=California/O=endmail.org/OU=private/CN= +CertSubject:/C=US/ST=California/O=endmail.org/OU=private/CN= DeathStar/Email=deathstar@endmail.org RELAY Note: line breaks have been inserted after "CN=" for readability, @@ -3898,9 +3940,9 @@ confLDAP_DEFAULT_SPEC LDAPDefaultSpec [undefined] Default map maps unless they are specified in the individual map specification ('K' command). -confCACERT_PATH CACERTPath [undefined] Path to directory +confCACERT_PATH CACertPath [undefined] Path to directory with certs of CAs. -confCACERT CACERTFile [undefined] File containing one CA +confCACERT CACertFile [undefined] File containing one CA cert. confSERVER_CERT ServerCertFile [undefined] File containing the cert of the server, i.e., this cert 
@@ -3959,17 +4001,25 @@ confINPUT_MAIL_FILTERS InputMailFilters confMILTER_LOG_LEVEL Milter.LogLevel [9] Log level for input mail filter actions, defaults to LogLevel. confMILTER_MACROS_CONNECT Milter.macros.connect - [empty] Macros to transmit to milters - when a session connection starts. + [j, _, {daemon_name}, {if_name}, + {if_addr}] Macros to transmit to + milters when a session connection + starts. confMILTER_MACROS_HELO Milter.macros.helo - [empty] Macros to transmit to milters - after HELO command. + [{tls_version}, {cipher}, + {cipher_bits}, {cert_subject}, + {cert_issuer}] Macros to transmit to + milters after HELO/EHLO command. confMILTER_MACROS_ENVFROM Milter.macros.envfrom - [empty] Macros to transmit to milters - after MAIL FROM command. + [i, {auth_type}, {auth_authen}, + {auth_ssf}, {auth_author}, + {mail_mailer}, {mail_host}, + {mail_addr}] Macros to transmit to + milters after MAIL FROM command. confMILTER_MACROS_ENVRCPT Milter.macros.envrcpt - [empty] Macros to transmit to milters - after RCPT TO command. + [{rcpt_mailer}, {rcpt_host}, + {rcpt_addr}] Macros to transmit to + milters after RCPT TO command. See also the description of OSTYPE for some parameters that can be 
@@ -4020,13 +4070,12 @@ Example 3: To listen on both IPv4 and IPv6 interfaces, use A "Message Submission Agent" still uses all of the same rulesets for processing the message (and therefore still allows message rejection via the check_* rulesets). In accordance with the RFC, the MSA will ensure -that all domains in the envelope are fully qualified if the message is -relayed to another MTA. It will also enforce the normal address syntax -rules and log error messages. Additionally, by using the M=a modifier -you can require authentication before messages are accepted by the MSA. -Notice: Do NOT use the 'a' modifier on a public accessible MTA! -Finally, the M=E modifier shown above disables ETRN as required by RFC -2476. +that all domains in envelope addresses are fully qualified if the message +is relayed to another MTA. It will also enforce the normal address syntax +rules and log error messages. Additionally, by using the M=a modifier you +can require authentication before messages are accepted by the MSA. +Notice: Do NOT use the 'a' modifier on a public accessible MTA! Finally, +the M=E modifier shown above disables ETRN as required by RFC 2476. Mail filters can be defined using the INPUT_MAIL_FILTER() and MAIL_FILTER() commands: @@ -4311,4 +4360,4 @@ M4 DIVERSIONS 8 DNS based blacklists 9 special local rulesets (1 and 2) -$Revision: 8.623.2.1 $, Last updated $Date: 2002/08/07 23:14:56 $ +$Revision: 8.623.2.18 $, Last updated $Date: 2002/12/29 04:16:51 $ diff --git a/contrib/sendmail/cf/cf/submit.cf b/contrib/sendmail/cf/cf/submit.cf index 5b85e7a..6024a97 100644 --- a/contrib/sendmail/cf/cf/submit.cf +++ b/contrib/sendmail/cf/cf/submit.cf 
@@ -24,15 +24,15 @@ ###################################################################### ###################################################################### -##### $Id: cfhead.m4,v 8.108 2002/06/13 18:53:24 ca Exp $ ##### +##### $Id: cfhead.m4,v 8.108.2.1 2002/08/27 20:19:08 gshapiro Exp $ ##### ##### $Id: cf.m4,v 8.32 1999/02/07 07:26:14 gshapiro Exp $ ##### -##### $Id: submit.mc,v 8.6 2002/03/26 03:30:58 ca Exp $ ##### +##### $Id: submit.mc,v 8.6.2.4 2002/12/29 03:54:34 ca Exp $ ##### ##### $Id: msp.m4,v 1.32 2002/03/26 22:02:03 ca Exp $ ##### ##### $Id: no_default_msa.m4,v 8.2 2001/02/14 05:03:22 gshapiro Exp $ ##### -##### $Id: proto.m4,v 8.649.2.5 2002/08/15 02:39:01 ca Exp $ ##### +##### $Id: proto.m4,v 8.649.2.13 2002/12/04 00:12:18 ca Exp $ ##### # level 10 config file format V10/Berkeley @@ -106,11 +106,11 @@ Kdequote dequote DnMAILER-DAEMON -D{MTAHost}[localhost] +D{MTAHost}[127.0.0.1] # Configuration version number -DZ8.12.6/Submit +DZ8.12.7/Submit ############### @@ -398,7 +398,7 @@ O UnixFromLine=From $g $d O OperatorChars=.:%@!^/[]+ # shall I avoid calling initgroups(3) because of high NIS costs? -#O DontInitGroups=False +O DontInitGroups=True # are group-writable :include: and .forward files (un)trustworthy? # True (the default) means they are not trustworthy. @@ -480,9 +480,9 @@ O PidFile=/var/spool/clientmqueue/sm-client.pid # CA directory -#O CACERTPath +#O CACertPath # CA file -#O CACERTFile +#O CACertFile # Server Cert #O ServerCertFile # Server private key @@ -1010,7 +1010,7 @@ R<? $* <$->> $* < @ $+ > R<?> $* $: $&{daemon_flags} $| <?> $1 R$* u $* $| <?> $* $: <OKR> $3 R$* $| $* $: $2 -R<?> $* $: < ? $&{client_name} > $1 +R<?> $* $: < ? $&{client_addr} > $1 R<?> $* $@ <OKR> ...local unqualed ok R<? $+> $* $#error $@ 5.5.4 $: "553 Domain name required for sender address " $&f ...remote is not 
@@ -1098,6 +1098,8 @@ SRelay_ok R$* $: $&{client_addr} R$@ $@ RELAY originated locally R0 $@ RELAY originated locally +R127.0.0.1 $@ RELAY originated locally +RIPv6:::1 $@ RELAY originated locally R$=R $* $@ RELAY relayable IP address R$* $: [ $1 ] put brackets around it... R$=w $@ RELAY ... and see if it is local @@ -1109,7 +1111,6 @@ R<TEMP> $#TEMP $@ 4.7.1 $: "450 Relaying temporarily denied. Cannot resolve PT R<FORGED> $#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name} R<FAIL> $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{client_name} R$* $: <@> $&{client_name} -R<@> $@ RELAY # pass to name server to make hostname canonical R<@> $* $=P $:<?> $1 $2 R<@> $+ $:<?> $[ $1 $] diff --git a/contrib/sendmail/cf/cf/submit.mc b/contrib/sendmail/cf/cf/submit.mc index 2ab5972..6177506 100644 --- a/contrib/sendmail/cf/cf/submit.mc +++ b/contrib/sendmail/cf/cf/submit.mc @@ -15,9 +15,12 @@ divert(-1) # divert(0)dnl -VERSIONID(`$Id: submit.mc,v 8.6 2002/03/26 03:30:58 ca Exp $') +VERSIONID(`$Id: submit.mc,v 8.6.2.4 2002/12/29 03:54:34 ca Exp $') define(`confCF_VERSION', `Submit')dnl define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet define(`confTIME_ZONE', `USE_TZ')dnl -FEATURE(`msp')dnl +define(`confDONT_INIT_GROUPS', `True')dnl +dnl +dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1] +FEATURE(`msp', `[127.0.0.1]')dnl diff --git a/contrib/sendmail/cf/feature/local_procmail.m4 b/contrib/sendmail/cf/feature/local_procmail.m4 index 29bb980..eaf83ea 100644 --- a/contrib/sendmail/cf/feature/local_procmail.m4 +++ b/contrib/sendmail/cf/feature/local_procmail.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998, 1999, 2002 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1994 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 
@@ -13,7 +13,7 @@ divert(-1) # divert(0) -VERSIONID(`$Id: local_procmail.m4,v 8.21 1999/11/18 05:06:23 ca Exp $') +VERSIONID(`$Id: local_procmail.m4,v 8.21.42.1 2002/11/17 04:25:07 ca Exp $') divert(-1) ifdef(`_MAILER_local_', @@ -30,3 +30,7 @@ define(`LOCAL_MAILER_ARGS', ifelse(len(X`'_ARG2_), `1', `procmail -Y -a $h -d $u', _ARG2_)) define(`LOCAL_MAILER_FLAGS', ifelse(len(X`'_ARG3_), `1', `SPfhn9', _ARG3_)) +dnl local_procmail conflicts with local_lmtp but the latter might be +dnl defined in an OS/ file (solaris8). Let's just undefine it. +undefine(`_LOCAL_LMTP_') +undefine(`LOCAL_MAILER_DSN_DIAGNOSTIC_CODE') diff --git a/contrib/sendmail/cf/m4/cfhead.m4 b/contrib/sendmail/cf/m4/cfhead.m4 index f956365..80ab9bd 100644 --- a/contrib/sendmail/cf/m4/cfhead.m4 +++ b/contrib/sendmail/cf/m4/cfhead.m4 @@ -16,11 +16,11 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -ifdef(`unix', `dnl +ifdef(`__win32__', `dnl', `dnl ifdef(`TEMPFILE', `dnl', `define(`TEMPFILE', maketemp(/tmp/cfXXXXXX))dnl syscmd(sh _CF_DIR_`'sh/makeinfo.sh _CF_DIR_ > TEMPFILE)dnl include(TEMPFILE)dnl -syscmd(rm -f TEMPFILE)dnl')', `dnl') +syscmd(rm -f TEMPFILE)dnl')') ##### ###################################################################### ##### @@ -303,4 +303,4 @@ define(`confMILTER_MACROS_ENVRCPT', ``{rcpt_mailer}, {rcpt_host}, {rcpt_addr}'') divert(0)dnl -VERSIONID(`$Id: cfhead.m4,v 8.108 2002/06/13 18:53:24 ca Exp $') +VERSIONID(`$Id: cfhead.m4,v 8.108.2.1 2002/08/27 20:19:08 gshapiro Exp $') diff --git a/contrib/sendmail/cf/m4/proto.m4 b/contrib/sendmail/cf/m4/proto.m4 index 19a72f7..b3d81d1a 100644 --- a/contrib/sendmail/cf/m4/proto.m4 +++ b/contrib/sendmail/cf/m4/proto.m4 @@ -13,7 +13,7 @@ divert(-1) # divert(0) -VERSIONID(`$Id: proto.m4,v 8.649.2.5 2002/08/15 02:39:01 ca Exp $') +VERSIONID(`$Id: proto.m4,v 8.649.2.13 2002/12/04 00:12:18 ca Exp $') # level CF_LEVEL config file format V`'CF_LEVEL/ifdef(`VENDOR_NAME', `VENDOR_NAME', `Berkeley') 
@@ -205,11 +205,13 @@ ifdef(`_CERT_REGEX_SUBJECT_', `dnl KCERTSubject regex _CERT_REGEX_SUBJECT_', `dnl') ifdef(`LOCAL_RELAY', `dnl -# who I send unqualified names to (null means deliver locally) +# who I send unqualified names to if FEATURE(stickyhost) is used +# (null means deliver locally) DR`'LOCAL_RELAY') ifdef(`MAIL_HUB', `dnl -# who gets all local email traffic ($R has precedence for unqualified names) +# who gets all local email traffic +# ($R has precedence for unqualified names if FEATURE(stickyhost) is used) DH`'MAIL_HUB') # dequoting map @@ -630,9 +632,9 @@ _OPTION(Milter.macros.envfrom, `confMILTER_MACROS_ENVFROM', `') _OPTION(Milter.macros.envrcpt, `confMILTER_MACROS_ENVRCPT', `')') # CA directory -_OPTION(CACERTPath, `confCACERT_PATH', `') +_OPTION(CACertPath, `confCACERT_PATH', `') # CA file -_OPTION(CACERTFile, `confCACERT', `') +_OPTION(CACertFile, `confCACERT', `') # Server Cert _OPTION(ServerCertFile, `confSERVER_CERT', `') # Server private key @@ -1697,6 +1699,9 @@ ifdef(`_ACCESS_TABLE_', `dnl dnl workspace: {client_name} $| {client_addr} R$+ $| $+ $: $>D < $1 > <?> <+ Connect> < $2 > dnl workspace: <result-of-lookup> <{client_addr}> +dnl OR $| $+ if client_name is empty +R $| $+ $: $>A < $1 > <?> <+ Connect> <> empty client_name +dnl workspace: <result-of-lookup> <{client_addr}> R<?> <$+> $: $>A < $1 > <?> <+ Connect> <> no: another lookup dnl workspace: <result-of-lookup> (<>|<{client_addr}>) R<?> <$*> $: OK found nothing @@ -1841,7 +1846,7 @@ dnl accept unqualified sender: change mark to avoid test R$* u $* $| <?> $* $: <_RES_OK_> $3 dnl remove daemon_flags R$* $| $* $: $2 -R<?> $* $: < ? $&{client_name} > $1 +R<?> $* $: < ? $&{client_addr} > $1 R<?> $* $@ <_RES_OK_> ...local unqualed ok R<? $+> $* $#error $@ 5.5.4 $: "_CODE553 Domain name required for sender address " $&f ...remote is not') 
@@ -1896,7 +1901,7 @@ R$+ $: <?> $1 R<?> <$+> $: <@> <$1> R<?> $+ $: <@> <$1> R<@> < postmaster > $: postmaster -R<@> < $* @ $+ . $+ > $: < $3 @ $4 . $5 > +R<@> < $* @ $+ . $+ > $: < $1 @ $2 . $3 > dnl prepend daemon_flags R<@> $* $: $&{daemon_flags} $| <@> $1 dnl workspace: ${daemon_flags} $| <@> <address> @@ -2098,6 +2103,8 @@ SRelay_ok R$* $: $&{client_addr} R$@ $@ RELAY originated locally R0 $@ RELAY originated locally +R127.0.0.1 $@ RELAY originated locally +RIPv6:::1 $@ RELAY originated locally R$=R $* $@ RELAY relayable IP address ifdef(`_ACCESS_TABLE_', `dnl R$* $: $>A <$1> <?> <+ Connect> <$1> @@ -2147,7 +2154,11 @@ R<FAIL> $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{c dnl ${client_resolve} should be OK, so go ahead R$* $: <@> $&{client_name} dnl should not be necessary since it has been done for client_addr already -R<@> $@ RELAY +dnl this rule actually may cause a problem if {client_name} resolves to "" +dnl however, this should not happen since the forward lookup should fail +dnl and {client_resolve} should be TEMP or FAIL. +dnl nevertheless, removing the rule doesn't hurt. +dnl R<@> $@ RELAY dnl workspace: <@> ${client_name} (not empty) # pass to name server to make hostname canonical R<@> $* $=P $:<?> $1 $2 
@@ -2180,14 +2191,37 @@ R$* <@ $+ . > $1 <@ $2 > R$* <@ $* > $@ $1 <@ $2 > R$+ $@ $1 <@ $j > +SDelay_TLS_Client +# authenticated? +dnl code repeated here from Basic_check_mail +dnl only called from check_rcpt in delay mode if checkrcpt returns $# +R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL +R$* $| $#$+ $#$2 +dnl return result from checkrcpt +R$* $# $1 + +SDelay_TLS_Client2 +# authenticated? +dnl code repeated here from Basic_check_mail +dnl only called from check_rcpt in delay mode if stopping due to Friend/Hater +R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL +R$* $| $#$+ $#$2 +dnl return result from friend/hater check +R$* $@ $1 + # call all necessary rulesets Scheck_rcpt dnl this test should be in the Basic_check_rcpt ruleset dnl which is the correct DSN code? # R$@ $#error $@ 5.1.3 $: "553 Recipient address required" + R$+ $: $1 $| $>checkrcpt $1 dnl now we can simply stop checks by returning "$# xyz" instead of just "ok" -R$+ $| $#$* $#$2 +dnl on error (or discard) stop now +R$+ $| $#error $* $#error $2 +R$+ $| $#discard $* $#discard $2 +dnl otherwise call tls_client; see above +R$+ $| $#$* $@ $>"Delay_TLS_Client" $2 R$+ $| $* $: <?> $>FullAddr $>CanonAddr $1 ifdef(`_SPAM_FH_', `dnl lookup user@ and user@address @@ -2207,15 +2241,15 @@ dnl', `dnl') ifdef(`_SPAM_FRIEND_', `# is the recipient a spam friend? ifdef(`_SPAM_HATER_', - `errprint(`*** ERROR: define either SpamHater or SpamFriend + `errprint(`*** ERROR: define either Hater or Friend -- not both. ')', `dnl') -R<FRIEND> $+ $@ SPAMFRIEND +R<FRIEND> $+ $@ $>"Delay_TLS_Client2" SPAMFRIEND R<$*> $+ $: $2', `dnl') ifdef(`_SPAM_HATER_', `# is the recipient no spam hater? R<HATER> $+ $: $1 spam hater: continue checks -R<$*> $+ $@ NOSPAMHATER everyone else: stop +R<$*> $+ $@ $>"Delay_TLS_Client2" NOSPAMHATER everyone else: stop dnl',`dnl') dnl run further checks: check_mail dnl should we "clean up" $&f? 
@@ -2685,12 +2719,12 @@ dnl cert subject R<CS:$&{cert_subject}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> dnl CS does not match dnl 1 2 3 4 -R<CS:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " CERT Subject " $&{cert_subject} " does not match " $1 +R<CS:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Subject " $&{cert_subject} " does not match " $1 dnl match, check rest R<CI:$&{cert_issuer}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> dnl CI does not match dnl 1 2 3 4 -R<CI:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " CERT Issuer " $&{cert_issuer} " does not match " $1 +R<CI:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Issuer " $&{cert_issuer} " does not match " $1 dnl return from recursive call ROK $@ OK @@ -2719,7 +2753,7 @@ SRelayTLS # authenticated? dnl we do not allow relaying for anyone who can present a cert dnl signed by a "trusted" CA. For example, even if we put verisigns -dnl CA in CERTPath so we can authenticate users, we do not allow +dnl CA in CertPath so we can authenticate users, we do not allow dnl them to abuse our server (they might be easier to get hold of, dnl but anyway). dnl so here is the trick: if the verification succeeded diff --git a/contrib/sendmail/cf/m4/version.m4 b/contrib/sendmail/cf/m4/version.m4 index 04757c8..40bf184 100644 --- a/contrib/sendmail/cf/m4/version.m4 +++ b/contrib/sendmail/cf/m4/version.m4 @@ -11,8 +11,8 @@ divert(-1) # the sendmail distribution. # # -VERSIONID(`$Id: version.m4,v 8.92.2.5 2002/08/24 16:27:23 ca Exp $') +VERSIONID(`$Id: version.m4,v 8.92.2.11 2002/12/28 19:45:55 ca Exp $') # divert(0) # Configuration version number -DZ8.12.6`'ifdef(`confCF_VERSION', `/confCF_VERSION') +DZ8.12.7`'ifdef(`confCF_VERSION', `/confCF_VERSION') diff --git a/contrib/sendmail/cf/sendmail.schema b/contrib/sendmail/cf/sendmail.schema index ebe4c96..f167822 100644 --- a/contrib/sendmail/cf/sendmail.schema +++ b/contrib/sendmail/cf/sendmail.schema 
@@ -5,7 +5,7 @@ # forth in the LICENSE file which can be found at the top level of # the sendmail distribution. # -# $Id: sendmail.schema,v 8.19 2002/06/04 17:31:43 gshapiro Exp $ +# $Id: sendmail.schema,v 8.19.2.1 2002/11/20 23:13:27 gshapiro Exp $ # Note that this schema is experimental at this point as it has had little # public review. Therefore, it may change in future versions. Feedback @@ -134,8 +134,8 @@ objectclass ( 1.3.6.1.4.1.6152.10.3.2.12 attributetype ( 1.3.6.1.4.1.6152.10.3.1.18 NAME 'sendmailMTAAliasGrouping' DESC 'name that identifies a particular aliases grouping' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) # attribute sendmailMTAAliasValue cis |
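Review bot: the added CYRUSV2_MAILER_CHARSET description in contrib/sendmail/cf/README (hunk @@ -466,6) reads "an address that resolves to one the Cyrus mailer", which has a stray or missing word. Suggest "an address that resolves to the Cyrus mailer" so the condition under which the character set label is applied is unambiguous.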
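Review bot: the STARTTLS relaying text in contrib/sendmail/cf/README is now inconsistent about the access map tag spelling. The rewritten paragraph in hunk @@ -2714,22 still says the issuer is looked up "using the tag CERTISSUER" and the subject "using the tag CERTSUBJECT", while the examples changed in the following hunks now read "CertIssuer:" and "CertSubject:". Either use one spelling throughout or add a sentence saying whether the case of the tag matters, since an administrator copying the prose form into an access map that gates relaying needs to know it will match.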
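Review bot: the new "define(`confDONT_INIT_GROUPS', `True')dnl" line in contrib/sendmail/cf/cf/submit.mc has no explanation, unlike the FEATURE(`msp', `[127.0.0.1]') change next to it, which gets both a dnl comment and a README note. The generated submit.cf flips from the commented-out "#O DontInitGroups=False" to an active "O DontInitGroups=True", which changes how group membership is set up for the submission program, so a one-line dnl comment stating the reason would help anyone auditing the MSP configuration.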
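Review bot: the condition change in contrib/sendmail/cf/m4/cfhead.m4 (hunk @@ -16,11) inverts the default without saying so. The old "ifdef(`unix', ..." ran the maketemp(/tmp/cfXXXXXX) and "syscmd(sh _CF_DIR_`'sh/makeinfo.sh _CF_DIR_ > TEMPFILE)" sequence only when unix was defined; the new "ifdef(`__win32__', `dnl', ..." runs it whenever __win32__ is not defined, so any platform whose m4 defines neither macro now shells out during configuration generation. A comment naming the platforms this is meant to fix, and confirming that sh and /tmp are expected to exist on them, would make the intent reviewable.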
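Review bot: the two loopback rules added to Relay_ok in contrib/sendmail/cf/m4/proto.m4 (hunk @@ -2098,6; the same lines appear in the generated submit.cf) are unconditional and are not mentioned in the README hunks. "R127.0.0.1 $@ RELAY originated locally" and "RIPv6:::1 $@ RELAY originated locally" sit ahead of the $=R and access map checks, so every connection whose {client_addr} is a loopback address is relayed regardless of other policy. That is reasonable for the MSP talking to [127.0.0.1], but hosts that hand SMTP to sendmail through a local proxy or tunnel will present every remote client as loopback; suggest documenting this in the README next to the msp note.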
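Review bot: in contrib/sendmail/cf/m4/proto.m4 (hunk @@ -2147,7) the disabled rule is kept as "dnl R<@> $@ RELAY", while the next comment still reads "dnl workspace: <@> ${client_name} (not empty)". With the rule gone, nothing in the visible lines enforces "not empty" any more; the new comment itself only says an empty {client_name} "should not happen". Suggest deleting the dead rule outright, as the generated submit.cf does, and either correcting the workspace comment or adding an explicit rule that rejects or falls through on a bare <@>, so the relay decision for an empty client name is stated rather than implied.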
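Review bot: the new Delay_TLS_Client and Delay_TLS_Client2 rulesets in contrib/sendmail/cf/m4/proto.m4 (hunk @@ -2180,14) are copies of each other, and by their own comments copies of code in Basic_check_mail, differing only in the final rule ("R$* $# $1" versus "R$* $@ $1"). Three copies of the tls_client call on the path that decides whether a recipient is accepted is easy to let drift; suggest a comment on each final rule stating why one returns with $# and the other with $@, and a note in Basic_check_mail pointing at these two copies so a later change to the TLS check is applied to all of them.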