Diffstat (limited to 'contrib/sendmail/RELEASE_NOTES')
-rw-r--r-- | contrib/sendmail/RELEASE_NOTES | 6323 |
1 files changed, 6323 insertions, 0 deletions
diff --git a/contrib/sendmail/RELEASE_NOTES b/contrib/sendmail/RELEASE_NOTES new file mode 100644 index 0000000..2b3475f --- /dev/null +++ b/contrib/sendmail/RELEASE_NOTES 
@@ -0,0 +1,6323 @@ + SENDMAIL RELEASE NOTES + @(#)RELEASE_NOTES 8.9.1.1 (Berkeley) 7/2/98 + + +This listing shows the version of the sendmail binary, the version +of the sendmail configuration files, the date of release, and a +summary of the changes in that release. + +8.9.1/8.9.1 98/07/02 + If both an OS specific site configuration file and a generic + site.config.m4 file existed, only the latter was used + instead of both. Problem noted by Geir Johannessen of + the Norwegian University of Science and Technology. + Fix segmentation fault while converting 8 bit to 7 bit MIME + multipart messages by trying to write to an unopened + file descriptor. Fix from Kari Hurtta of the Finnish + Meteorological Institute. + Do not assume Message: and Text: headers indicate the end of + the header area when parsing MIME headers. Problem noted + by Kari Hurtta of the Finnish Meteorological Institute. + Setting the confMAN#SRC Build variable would only effect the + installation commands. The man pages would still be + built with .0 extensions. Problem noted by Bryan + Costales of InfoBeat, Inc. + Installation of manual pages didn't honor the DESTDIR environment + variable. Problem noted by Bryan Costales of InfoBeat, Inc. + If the check_relay ruleset resolved to the discard mailer, messages + were still delivered. Problem noted by Mirek Luc of NASK. + Mail delivery to files would fail with an Operating System Error + if sendmail was not running as root, i.e. RunAsUser was set. + Problem noted by Leonard N. Zubkoff of Dandelion Digital. + Prevent MinQueueAge from interfering from queued items created + in the future, i.e. if the system clock was set ahead + and then back. Problem noted by Michael Miller of the + University of Natal, Pietermaritzburg. + Do not advertise ETRN support in ESTMP EHLO reply if noetrn is + set in the PrivacyFlags option. Fix from Ted Rule of + Flextech TV. + Log invalid persistent host status file lines instead of + bouncing the message. 
Problem noted by David Lindes of + DaveLtd Enterprises. + Move creation of empty sendmail.st file from installation to + compilation. Installation may be done from a read-only + mount. Fix from Bryan Costales of InfoBeat, Inc. and Ric + Anderson of the Oasis Research Center, Inc. + Enforce the maximum number of User Database entries limit. Problem + noted by Gary Buchanan of Credence Systems Inc. + Allow dead.letter files in root's home directory. Problem noted + by Anna Ullman of Sun Microsystems. + Program deliveries in forward files could be marked unsafe if + any directory listed in the ForwardPath option did not + exist. Problem noted by Jorg Bielak of Coastal Web Online. + Do not trust the length of the address structure returned by + gethostbyname(). Problem noted by Chris Evans of Oxford + University. + If the SIZE= MAIL 
From: ESMTP parameter is too large, use the + 5.3.4 DSN status code instead of 5.2.2. Similarly, for + non-local deliveries, if the message is larger than the + mailer maximum message size, use 5.3.4 instead of 5.2.3. + Suggested by Antony Bowesman of + Fujitsu/TeaWARE Mail/MIME System. + Portability: + Fix the check for an IP address reverse lookup for + use in $&{client_name} on 64 bit platforms. + From Gilles Gallot of Institut for Development + and Resources in Intensive Scientific computing. + BSD-OS uses .0 for man page extensions. From Jeff Polk + of BSDI. + DomainOS detection for Build. Also, version 10.4 and later + ship a unistd.h. Fixes from Takanobu Ishimura of + PICT Inc. + NeXT 4.x uses /usr/lib/man/cat for its man pages. From + J. P. McCann of E I A. + SCO 4.X and 5.X include NDBM support. From Vlado Potisk + of TEMPEST, Ltd. + CONFIG: Do not pass spoofed PTR results through resolver for + qualification. Problem noted by Michiel Boland of + Digital Valley Internet Professionals; fix from + Kari Hurtta of the Finnish Meteorological Institute. + CONFIG: Do not try to resolve non-DNS hostnames such as UUCP, + BITNET, and DECNET addresses for resolvable senders. + Problem noted by Alexander Litvin of Lucky Net Ltd. + CONFIG: Work around Sun's broken configuration which sends bounce + messages as coming from @@hostname instead of <>. LMTP + would not accept @@hostname. + OP.ME: Corrections to complex sendmail startup script from Rick + Troxel of the National Institutes of Health. + RMAIL: Do not install rmail by default, require 'make force-install' + as this rmail isn't the same as others. Suggested by + Kari Hurtta of the Finnish Meteorological Institute. + +8.9.0/8.9.0 98/05/19 + SECURITY: To prevent users from reading files not normally + readable, sendmail will no longer open forward, :include:, + class, ErrorHeader, or HelpFile files located in unsafe + (i.e. group or world writable) directory paths. 
Sites + which need the ability to override security can use the + DontBlameSendmail option. See the README file for more + information. + SECURITY: Problems can occur on poorly managed systems, specifically, + if maps or alias files are in world writable directories. + This fixes the change added to 8.8.6 to prevent links in these + world writable directories. + SECURITY: Make sure ServiceSwitchFile option file is not a link if + it is in a world writable directory. + SECURITY: Never pass a tty to a mailer -- if a mailer can get at the + tty it may be able to push bytes back to the senders input. + Unfortunately this breaks -v mode. Problem noted by + Wietse Venema of the Global Security Analysis Lab at + IBM T.J. Watson Research. + SECURITY: Empty group list if DontInitGroups is set to true to + prevent program deliveries from picking up extra group + privileges. Problem reported by Wolfgang Ley of DFN-CERT. + SECURITY: The default value for DefaultUser is now set to the uid and + gid of the first existing user mailnull, sendmail, or daemon + that has a non-zero uid. If none of these exist, sendmail + reverts back to the old behavior of using uid 1 and gid 1. + This is a security problem for Linux which has chosen that + uid and gid for user bin instead of daemon. If DefaultUser + is set in the configuration file, that value overrides this + default. + SECURITY: Since 8.8.7, the check for non-setuid binaries + interfered with setting an alternate group id for the + RunAsUser option. Problem noted by Randall Winchester of + the University of Maryland. + Add support for Berkeley DB 2.X. Based on patch from John Kennedy + of Cal State University, Chico. + Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB). Users + which previously defined OLD_NEWDB=1 must now upgrade to the + current version of Berkeley DB. + Added support for regular expressions using the new map class regex. + From Jan Krueger of Unix-AG of University of Hannover. 
+ Support for BIND 8.1.1's hesiod for hesiod maps and hesiod + UserDatabases from Randall Winchester of the University + of Maryland. + Allow any shell for user shell on program deliveries on V1 + configurations for backwards compatibility on machines which + do not have getusershell(). Fix from John Beck of Sun + Microsystems. + On operating systems which change the process title by reusing the + argument vector memory, sendmail could corrupt memory if the + last argument was either "-q" or "-d". Problem noted by + Frank Langbein of the University of Stuttgart. + Support Local Mail Transfer Protocol (LMTP) between sendmail and + mail.local on the F=z flag. + Macro-expand the contents of the ErrMsgFile. Previously this was + only done if you had magic characters (0x81) to indicate + macro expansion. Now $x will be expanded. This means that + real dollar signs have to be backslash escaped. + TCP Wrappers expects "unknown" in the hostname argument if the + reverse DNS lookup for the incoming connection fails. + Problem noted by Randy Grimshaw of Syracuse University and + Wietse Venema of the Global Security Analysis Lab at + IBM T.J. Watson Research. + DSN success bounces generated from an invocation of sendmail -t + would be sent to both the sender and MAILER-DAEMON. + Problem noted by Claus Assmann of + Christian-Albrechts-University of Kiel. + Avoid "Error 0" messages on delivery mailers which exit with a + valid exit value such as EX_NOPERM. Fix from Andreas Luik + of ISA Informationssysteme GmbH. + Tokenize $&x expansions on right hand side of rules. This eliminates + the need to use tricks like $(dequote "" $&{client_name} $) + to cause the ${client_name} macro to be properly tokenized. + Add the MaxRecipientsPerMessage option: this limits the number of + recipients that will be accepted in a single SMTP + transaction. After this number is reached, sendmail + starts returning "452 Too many recipients" to all RCPT + commands. 
This can be used to limit the number of recipients + per envelope (in particular, to discourage use of the server + for spamming). Note: a better approach is to restrict + relaying entirely. + Fixed pointer initialization for LDAP lmap struct, fixed -s option + to ldapx map and added timeout for ldap_open call to + avoid hanging sendmail in the event of hung LDAP servers. + Patch from Booker Bense of Stanford University. + Allow multiple -qI, -qR, or -qS queue run limiters. For example, + '-qRfoo -qRbar' would deliver mail to recipients with foo or + bar in their address. Patch from Allan E Johannesen of + Worcester Polytechnic Institute. + The bestmx map will now return a list of the MX servers for a host if + passed a column delimiter via the -z map flag. This can be + used to check if the server is an MX server for the recipient + of a message. This can be used to help prevent relaying. + Patch from Mitchell Blank Jr of Exec-PC. + Mark failures for the *file* mailer and return bounce messages to the + sender for those failures. + Prevent bogus syslog timestamps on errors in sendmail.cf by + preserving the TZ environment variable until TimeZoneSpec + has been determined. Problem noted by Ralf Hildebrandt of + Technical University of Braunschweig. Patch from Per Hedeland + of Ericsson. + Print test input in address test mode when input is not from the tty + when the -v flag is given (i.e. sendmail -bt -v) to make + output easier to decipher. Problem noted by Aidan Nichol + of Procter & Gamble. + The LDAP map -s flag was not properly parsed and the error message + given included the remainder of the arguments instead of + solely the argument in error. Problem noted by Aidan Nichol + of Procter & Gamble. + New DontBlameSendmail option. This option allows administrators to + bypass some of sendmail's file security checks at the expense + of system security. This should only be used if you are + absolutely sure you know the consequences. 
The available + DontBlameSendmail options are: + Safe + AssumeSafeChown + ClassFileInUnsafeDirPath + ErrorHeaderInUnsafeDirPath + GroupWritableDirPathSafe + GroupWritableForwardFileSafe + GroupWritableIncludeFileSafe + GroupWritableAliasFile + HelpFileinUnsafeDirPath + WorldWritableAliasFile + ForwardFileInGroupWritableDirPath + IncludeFileInGroupWritableDirPath + ForwardFileInUnsafeDirPath + IncludeFileInUnsafeDirPath + ForwardFileInUnsafeDirPathSafe + IncludeFileInUnsafeDirPathSafe + MapInUnsafeDirPath + LinkedAliasFileInWritableDir + LinkedClassFileInWritableDir + LinkedForwardFileInWritableDir + LinkedIncludeFileInWritableDir + LinkedMapInWritableDir + LinkedServiceSwitchFileInWritableDir + FileDeliveryToHardLink + FileDeliveryToSymLink + WriteMapToHardLink + WriteMapToSymLink + WriteStatsToHardLink + WriteStatsToSymLink + RunProgramInUnsafeDirPath + RunWritableProgram + New DontProbeInterfaces option to turn off the inclusion of all the + interface names in $=w on startup. In particular, if you + have lots of virtual interfaces, this option will speed up + startup. However, unless you make other arrangements, mail + sent to those addresses will be bounced. + Automatically create alias databases if they don't exist and + AutoRebuildAliases is set. + Add PrivacyOptions=noetrn flag to disable the SMTP ETRN command. + Suggested by Christophe Wolfhugel of the Institut Pasteur. + Add PrivacyOptions=noverb flag to disable the SMTP VERB command. + When determining the client host name ($&{client_name} macro), do + a forward (A) DNS lookup on the result of the PTR lookup + and compare results. If they differ or if the PTR lookup + fails, &{client_name} will contain the IP address + surrounded by square brackets (e.g. [127.0.0.1]). + New map flag: -Tx appends "x" to lookups that return temporary failure + (i.e, it is like -ax for the temporary failure case, in + contrast to the success case). + New syntax to do limited checking of header syntax. 
A config line + of the form: + HHeader: $>Ruleset + causes the indicated Ruleset to be invoked on the Header + when read. This ruleset works like the check_* rulesets -- + that is, it can reject mail on the basis of the contents. + Limit the size of the HELO/EHLO parameter to prevent spammers + from hiding their connection information in Received: + headers. + When SingleThreadDelivery is active, deliveries to locked hosts + are skipped. This will cause the delivering process to + try the next MX host or queue the message if no other MX + hosts are available. Suggested by Alexander Litvin. + The [FILE] mailer type now delivers to the file specified in the + A= equate of the mailer definition instead of $u. It also + obeys all of the F= mailer flags such as the MIME + 7/8 bit conversion flags. This is useful for defining + a mailer which delivers to the same file regardless of the + recipient (e.g. 'A=FILE /dev/null' to discard unwanted mail). + Do not assume the identity of a remote connection is root@localhost + if the remote connection closes the socket before the + remote identity can be queried. + Change semantics of the F=S mailer flag back to 8.7.5 behavior. + Some mailers, including procmail, require that the real + uid is left unchanged by sendmail. Problem noted by Per + Hedeland of Ericsson. + No longer is the src/obj*/Makefile selected from a large list -- it + is now generated using the information in BuildTools/OS/ -- + some of the details are determined dynamically via + BuildTools/bin/configure.sh. + The other programs in the sendmail distribution -- mail.local, + mailstats, makemap, praliases, rmail, and smrsh -- now use + the new Build method which creates an operating system + specific Makefile using the information in BuildTools. + Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e., + a failure on one message won't affect future messages to the + same host). 
This is necessary if the remote host sends + a 451 error if the domain of the sender does not resolve + as is common in anti-spam configurations. Problem noted + by Mitchell Blank Jr of Exec-PC. + New "discard" mailer for check_* rulesets and header checking + rulesets. If one of the above rulesets resolves to the + $#discard mailer, the commands will be accepted but the + message will be completely discarded after it is accepting. + This means that even if only one of the recipients + resolves to the $#discard mailer, none of the recipients + will receive the mail. Suggested by Brian Kantor. + All but the last cloned envelope of a split envelope were queued + instead of being delivered. Problem noted by John Caruso + of CNET: The Computer Network. + Fix deadlock situation in persistent host status file locking. + Syslog an error if a user forward file could not be read due to + an error. Patch from John Beck of Sun Microsystems. + Use the first name returned on machine lookups when canonifying a + hostname via NetInfo. Patch from Timm Wetzel of GWDG. + Clear the $&{client_addr}, $&{client_name}, and $&{client_port} + macros when delivering a bounce message to prevent + rejection by a check_compat ruleset which uses these macros. + Problem noted by Jens Hamisch of AgiX Internetservices GmbH. + If the check_relay ruleset resolves to the the error mailer, the + error in the $: portion of the resolved triplet is used + in the rejection message given to the remote machine. + Suggested by Scott Gifford of The Internet Ramp. + Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros + before calling the check_relay ruleset. Suggested by Scott + Gifford of The Internet Ramp. + Sendmail would get a segmentation fault if a mailer exited with an + exit code of 79. Problem noted by Aaron Schrab of ExecPC + Internet. Fix from Christophe Wolfhugel of the Pasteur + Institute. + Separate snprintf/vsnprintf routines into separate file for use by + mail.local. 
+ Allow multiple map lookups on right hand side, e.g., + R$* $( host $1 $) $| $( passwd $1 $). Patch from + Christophe Wolfhugel of the Pasteur Institute. + Properly generate success DSN messages if requested for aliases + which have owner- aliases. Problem noted by Kari Hurtta + of the Finnish Meteorological Institute. + Properly display delayed-expansion macros ($&{macroname}) in + address test mode (-bt). Problem noted by Bryan Costales + of InfoBeat, Inc. + -qR could sometimes match names incorrectly. Problem noted by + Lutz Euler of Lavielle EDV Systemberatung GmbH & Co. + Include a magic number and version in the StatusFile for the + mailstats command. + Record the number of rejected and discarded messages in the + StatusFile for display by the mailstats command. Patch + from Randall Winchester of the University of Maryland. + IDENT returns where the OSTYPE field equals "OTHER" now list the + user portion as IDENT:username@site instead of + username@site to differentiate the two. Suggested by + Kari Hurtta of the Finnish Meteorological Institute. + Enforce timeout for LDAP queries. Patch from Per Hedeland of + Ericsson. + Change persistent host status filename substitution so '/' is + replaced by ':' instead of '|' to avoid clashes. Also + avoid clashes with hostnames with leading dots. Fix from + Mitchell Blank Jr. of Exec-PC. + If the system lock table is full, only attempt to create a new + queue entry five times before giving up. Previously, it + was attempted indefinitely which could cause the partition + to run out of inodes. Problem noted by Suzie Weigand of + Stratus Computer, Inc. + In verbose mode, warn if the sendmail.cf version is less than the + currently supported version. + Sorting for QueueSortOrder=host is now case insensitive. Patch + from Randall S. Winchester of the University of Maryland. 
+ Properly quote a full name passed via the -F command line option, + the Full-Name: header, or the NAME environment variable if + it contains characters which must be quoted. Problem noted + by Kari Hurtta of the Finnish Meteorological Institute. + Avoid possible race condition that unlocked a mail job before + releasing the transcript file on systems that use flock(2). + In some cases, this might result in a "Transcript Unavailable" + message in error bounces. + Accept SMTP replies which contain only a reply code and no + accompanying text. Problem noted by Fernando Fraticelli of + Digital Equipment Corporation. + Portability: + AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura + of Kyoto University. + AIX 4.2 requires <userpw.h> before <usersec.h>. Patch from + Randall S. Winchester of the University of + Maryland. + AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS. + CRAY T3E from Manu Mahonen of Center for Scientific Computing + in Finland. + Digital UNIX now uses statvfs for determining free + disk space. Patch from Randall S. Winchester of + the University of Maryland. + HP-UX 11.x from Richard Allen of Opin Kerfi HF and + Regis McEwen of Progress Software Corporation. + IRIX 64 bit fixes from Kari Hurtta of the Finnish + Meteorological Institute. + IRIX 6.2 configuration fix for mail.local from Michael Kyle + of CIC/Advanced Computing Laboratory. + IRIX 6.5 from Thomas H Jones II of SGI. + IRIX 6.X load average code from Bob Mende of SGI. + QNX from Glen McCready <glen@qnx.com>. + SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links + to sendmail. Install with group bin instead of kmem + as kmem does not exist. From Guillermo Freige of + Gobernacion de la Pcia de Buenos Aires and Paul + Fischer of BTG, Inc. + SunOS 4.X does not include memmove(). Patch from + Per Hedeland of Ericsson. + SunOS 5.7 includes getloadavg() function for determining + load average. Patch from John Beck of Sun + Microsystems. 
+ CONFIG: Increment version number of config file. + CONFIG: add DATABASE_MAP_TYPE to set the default type of database + map for the various maps. The default is hash. Patch from + Robert Harker of Harker Systems. + CONFIG: new confEBINDIR m4 variable for defining the executable + directory for certain programs. + CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for + local mail delivery. By the default, /usr/libexec/mail.local + is used. This is expected to be the mail.local shipped + with 8.9 which is LMTP capable. The path is based on the + new confEBINDIR m4 variable. + CONFIG: Use confEBINDIR in determining path to smrsh for + FEATURE(smrsh). Note that this changes the default from + /usr/local/etc/smrsh to /usr/libexec/smrsh. To obtain the + old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh). + CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to + include $z/.forward.$w+$h and $z/.forward+$h which allow + the user to setup different .forward files for + user+detail addressing. + CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES, + and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage, + DontProbeInterfaces, and DontBlameSendmail options. + CONFIG: by default do not allow relaying (that is, accepting mail + from outside your domain and sending it to another host + outside your domain). + CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from + any site to any site. + CONFIG: new FEATURE(relay_entire_domain) allows any host in your + domain as defined by the 'm' class ($=m) to relay. + CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on + the MX records of the host portion of an incoming recipient. + CONFIG: new FEATURE(access_db) which turns on the access database + feature. This database give you the ability to allow + or refuse to accept mail from specified domains for + administrative reasons. 
By default, names that are listed + as "OK" in the access db are domain names, not host names. + CONFIG: new confCR_FILE m4 variable for defining the name of the file + used for class 'R'. Defaults to /etc/mail/relay-domains. + CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file) + to add items to class 'R' ($=R) for hosts allowed to relay. + CONFIG: new FEATURE(relay_hosts_only) to change the behavior + of FEATURE(access_db) and class 'R' to lookup individual + host names only. + CONFIG: new FEATURE(loose_relay_check). Normally, if a recipient + using % addressing is used, e.g. user%site@othersite, + and othersite is in class 'R', the check_rcpt ruleset + will strip @othersite and recheck user@site for relaying. + This feature changes that behavior. It should not be + needed for most installations. + CONFIG: new FEATURE(relay_local_from) to allow relaying if the + domain portion of the mail sender is a local host. This + should only be used if absolutely necessary as it opens + a window for spammers. Patch from Randall S. Winchester of + the University of Maryland. + CONFIG: new FEATURE(blacklist_recipients) turns on the ability to + block incoming mail destined for certain recipient + usernames, hostnames, or addresses. + CONFIG: By default, MAIL FROM: commands in the SMTP session will be + refused if the host part of the argument to MAIL FROM: cannot + be located in the host name service (e.g., DNS). + CONFIG: new FEATURE(accept_unresolvable_domains) accepts + unresolvable hostnames in MAIL FROM: SMTP commands. + CONFIG: new FEATURE(accept_unqualified_senders) accepts + MAIL FROM: senders which do not include a domain. + CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the + Realtime Blackhole List. You can specify the RBL name + server to contact by specifying it as an optional argument. + The default is rbl.maps.vix.com. For details, see + http://maps.vix.com/rbl/. 
+ CONFIG: Call Local_check_relay, Local_check_mail, and + Local_check_rcpt from check_relay, check_mail, and + check_rcpt. Users with local rulesets should place the + rules using LOCAL_RULESETS. If a Local_check_* ruleset + returns $#OK, the message is accepted. If the ruleset + returns a mailer, the appropriate action is taken, else + the return of the ruleset is ignored. + CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by + default to support file, :include:, and program deliveries. + CONFIG: Remove the default for confDEF_USER_ID so the binary can + pick the proper default value. See the SECURITY note + above for more information. + CONFIG: FEATURE(nodns) now warns the user that the feature is a + no-op. Patch from Kari Hurtta of the Finnish + Meteorological Institute. + CONFIG: OSTYPE(osf1) now sets DefaultUserID (confDEF_USER_ID) to + daemon since DEC's /bin/mail will drop the envelope + sender if run as mailnull. See the Digital UNIX section + of src/README for more information. Problem noted by + Kari Hurtta of the Finnish Meteorological Institute. + CONFIG: .cf files are now stored in the same directory with the + .mc files instead of in the obj directory. + CONFIG: New options confSINGLE_LINE_FROM_HEADER, + confALLOW_BOGUS_HELO, and confMUST_QUOTE_CHARS for + setting SingleLineFromHeader, AllowBogusHELO, and + MustQuoteChars respectively. + MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout. This + SMTP-like protocol allows detailed reporting of delivery + status on a per-user basis. Code donated by John Myers of + CMU (now of Netscape). + MAIL.LOCAL: HP-UX support from Randall S. Winchester of the + University of Maryland. NOTE: mail.local is not + compatible with the stock HP-UX mail format. Be sure to + read mail.local/README. + MAIL.LOCAL: Prevent other mail delivery agents from stealing a + mailbox lock. Patch from Randall S. Winchester of the + University of Maryland. 
+ MAIL.LOCAL: glibc portability from John Kennedy of Cal State + University, Chico. + MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish + Meteorological Institute. + MAILSTATS: Display the number of rejected and discarded messages + in the StatusFile. Patch from Randall Winchester of the + University of Maryland. + MAKEMAP: New -s flag to ignore safety checks on database map files + such as linked files in world writable directories. + MAKEMAP: Add support for Berkeley DB 2.X. Remove OLD_NEWDB support. + PRALIASES: Add support for Berkeley DB 2.X. + PRALIASES: Do not automatically include NDBM support. Problem + noted by Ralf Hildebrandt of the Technical University of + Braunschweig. + RMAIL: Improve portability for other platforms. Patches from + Randall S. Winchester of the University of Maryland and + Kari Hurtta of the Finnish Meteorological Institute. + Changed Files: + src/Makefiles/Makefile.* files have been modified to use + the new build mechanism and are now BuildTools/OS/*. + src/makesendmail changed to symbolic link to src/Build. 
+ New Files: + BuildTools/M4/header.m4 + BuildTools/M4/depend/BSD.m4 + BuildTools/M4/depend/CC-M.m4 + BuildTools/M4/depend/NCR.m4 + BuildTools/M4/depend/Solaris.m4 + BuildTools/M4/depend/X11.m4 + BuildTools/M4/depend/generic.m4 + BuildTools/OS/AIX.4.2 + BuildTools/OS/AIX.4.x + BuildTools/OS/CRAYT3E.2.0.x + BuildTools/OS/HP-UX.11.x + BuildTools/OS/IRIX.6.5 + BuildTools/OS/NEXTSTEP.4.x + BuildTools/OS/NeXT.4.x + BuildTools/OS/NetBSD.8.3 + BuildTools/OS/QNX + BuildTools/OS/SunOS.5.7 + BuildTools/OS/dcosx.1.x.NILE + BuildTools/README + BuildTools/Site/README + BuildTools/bin/Build + BuildTools/bin/configure.sh + BuildTools/bin/find_m4.sh + BuildTools/bin/install.sh + Makefile + cf/cf/Build + cf/cf/generic-hpux10.cf + cf/feature/accept_unqualified_senders.m4 + cf/feature/accept_unresolvable_domains.m4 + cf/feature/access_db.m4 + cf/feature/blacklist_recipients.m4 + cf/feature/loose_relay_check.m4 + cf/feature/local_lmtp.m4 + cf/feature/promiscuous_relay.m4 + cf/feature/rbl.m4 + cf/feature/relay_based_on_MX.m4 + cf/feature/relay_entire_domain.m4 + cf/feature/relay_hosts_only.m4 + cf/feature/relay_local_from.m4 + cf/ostype/qnx.m4 + contrib/doublebounce.pl + mail.local/Build + mail.local/Makefile.m4 + mail.local/README + mailstats/Build + mailstats/Makefile.m4 + makemap/Build + makemap/Makefile.m4 + praliases/Build + praliases/Makefile.m4 + rmail/Build + rmail/Makefile.m4 + rmail/rmail.0 + smrsh/Build + smrsh/Makefile.m4 + src/Build + src/Makefile.m4 + src/snprintf.c + Deleted Files: + cf/cf/Makefile (replaced by Makefile.dist) + mail.local/Makefile + mail.local/Makefile.dist + mailstats/Makefile + mailstats/Makefile.dist + makemap/Makefile + makemap/Makefile.dist + praliases/Makefile + praliases/Makefile.dist + rmail/Makefile + smrsh/Makefile + smrsh/Makefile.dist + src/Makefile + src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2) + src/Makefiles/Makefile.SMP_DC.OSx.NILE + (renamed BuildTools/OS/dcosx.1.x.NILE) + src/Makefiles/Makefile.Utah (obsolete platform) 
+ Renamed Files: + READ_ME => README + cf/cf/Makefile.dist => Makefile + cf/cf/obj/* => cf/cf/* + src/READ_ME => src/README + +8.8.8/8.8.8 97/10/24 + If the check_relay ruleset failed, the relay= field was logged + incorrectly. Problem noted by Kari Hurtta of the Finnish + Meteorological Institute. + If /usr/tmp/dead.letter already existed, sendmail could not + add additional bounces to it. Problem noted by Thomas J. + Arseneault of SRI International. + If an SMTP mailer used a non-standard port number for the outgoing + connection, it would be displayed incorrectly in verbose mode. + Problem noted by John Kennedy of Cal State University, Chico. + Log the ETRN parameter specified by the client before altering them + to internal form. Suggested by Bob Kupiec of GES-Verio. + EXPN and VRFY SMTP commands on malformed addresses were logging as + User unknown with bogus delay= values. Change them to log + the same as compliant addresses. Problem noted by Kari E. + Hurtta of the Finnish Meteorological Institute. + Ignore the debug resolver option unless using sendmail debug trace + option for resolver. Problem noted by Greg Nichols of Wind + River Systems. + If SingleThreadDelivery was enabled and the remote server returned a + protocol error on the DATA command, the connection would be + closed but the persistent host status file would not be + unlocked so other sendmail processes could not deliver to + that host. Problem noted by Peter Wemm of DIALix. + If queueing up a message due to an expensive mailer, don't increment + the number of delivery attempts or set the last delivery + attempt time so the message will be delivered on the next + queue run regardless of MinQueueAge. Problem noted by + Brian J. Coan of the Institute for Global Communications. + Authentication warnings of "Processed from queue _directory_" and + "Processed by _username_ with -C _filename_" would be logged + with the incorrect timestamp. Problem noted by Kari E. 
Hurtta + of the Finnish Meteorological Institute. + Use a better heuristic for detecting GDBM. + Log null connections on dropped connections. Problem noted by + Jon Lewis of Florida Digital Turnpike. + If class dbm maps are rebuilt, sendmail will now detect this and + reopen the map. Previously, they could give stale + results during a single message processing (but would + recover when the next message was received). Fix from + Joe Pruett of Q7 Enterprises. + Do not log failures such as "User unknown" on -bv or SMTP VRFY + requests. Problem noted by Kari E. Hurtta of the + Finnish Meteorological Institute. + Do not send a bounce message back to the sender regarding bad + recipients if the SMTP connection is dropped before the + message is accepted. Problem noted by Kari E. Hurtta of the + Finnish Meteorological Institute. + Use "localhost" instead of "[UNIX: localhost]" when connecting to + sendmail via a UNIX pipe. This will allow rulesets using + $&{client_name} to process without sending the string through + dequote. Problem noted by Alan Barrett of Internet Africa. + A combination of deferred delivery mode, a double bounce situation, + and the inability to save a bounce message to + /var/tmp/dead.letter would cause sendmail to send a bounce + to postmaster but not remove the offending envelope from the + queue causing it to create a new bounce message each time the + queue was run. Problem noted by Brad Doctor of Net Daemons + Associates. + Remove newlines from hostname information returned via DNS. There are + no known security implications of newlines in hostnames as + sendmail filters newlines in all vital areas; however, this + could cause confusing error messages. + Starting with sendmail 8.8.6, mail sent with the '-t' option would be + rejected if any of the specified addresses were bad. This + behavior was modified to only reject the bad addresses and not + the entire message. Problem noted by Jozsef Hollosi of + SuperNet, Inc. 
+ Use Timeout.fileopen when delivering mail to a file. Suggested by + Bryan Costales of InfoBeat, Inc. + Display the proper Final-Recipient on DSN messages for non-SMTP + mailers. Problem noted by Kari E. Hurtta of the + Finnish Meteorological Institute. + An error in calculating the available space in the list of addresses + for logging deliveries could cause an address to be silently + dropped. + Include the initial user environment if sendmail is restarted via + a HUP signal. This will give room for the process title. + Problem noted by Jon Lewis of Florida Digital Turnpike. + Mail could be delivered without a body if the machine does not + support flock locking and runs out of processes during + delivery. Fix from Chuck Lever of the University of Michigan. + Drop recipient address from 251 and 551 SMTP responses per RFC 821. + Problem noted by Kari E. Hurtta of the Finnish Meteorological + Institute. + Make sure non-rebuildable database maps are opened before the + rebuildable maps (i.e. alias files) in case the database maps + are needed for verifying the left hand side of the aliases. + Problem noted by Lloyd Parkes of Victoria University. + Make sure sender RFC822 source route addresses are alias expanded for + bounce messages. Problem noted by Juergen Georgi of + RUS University of Stuttgart. + Minor lint fixes. + Return a temporary error instead of a permanent error if an LDAP map + search returns an error. This will allow sequenced maps which + use other LDAP servers to be checked. Fix from Booker Bense + of Stanford University. + When automatically converting from quoted printable to 8bit text do + not pad bare linefeeds with a space. Problem noted by Theo + Nolte of the University of Technology Aachen, Germany. + Portability: + Non-standard C compilers may have had a problem compiling + conf.c due to a standard C external declaration of + setproctitle(). Problem noted by Ted Roberts of + Electronic Data Systems. + AUX: has a broken O_EXCL implementation. 
Reported by Jim + Jagielski of jaguNET Access Services. + BSD/OS: didn't compile if HASSETUSERCONTEXT was defined. + Digital UNIX: Digital UNIX (and possibly others) moves + loader environment variables into the loader memory + area. If one of these environment variables (such as + LD_LIBRARY_PATH) was the last environment variable, + an invalid memory address would be used by the process + title routine causing memory corruption. Problem + noted by Sam Hartman of Mesa Internet Systems. + GNU libc: uses an enum for _PC_CHOWN_RESTRICTED which caused + chownsafe() to always return 0 even if the OS does + not permit file giveaways. Problem noted by + Yasutaka Sumi of The University of Tokyo. + IRIX6: Syslog buffer size set to 512 bytes. Reported by + Gerald Rinske of Siemens Business Services VAS. + Linux: Pad process title with NULLs. Problem noted by + Jon Lewis of Florida Digital Turnpike. + SCO OpenServer 5.0: SIOCGIFCONF ioctl call returns an + incorrect value for the number of interfaces. + Problem noted by Chris Loelke of JetStream Internet + Services. + SINIX: Update for Makefile and syslog buffer size from Gerald + Rinske of Siemens Business Services VAS. + Solaris: Make sure HASGETUSERSHELL setting for SunOS is not + used on a Solaris machine. Problem noted by + Stephen Ma of Jtec Pty Limited. + CONFIG: SINIX: Update from Gerald Rinske of Siemens Business + Services VAS. + MAKEMAP: Use a better heuristic for detecting GDBM. + CONTRIB: expn.pl: Updated version from the author, David Muir Sharnoff. + OP.ME: Document the F=i mailer flag. Problem noted by Per Hedeland of + Ericsson. + +8.8.7/8.8.7 97/08/03 + If using Berkeley DB on systems without O_EXLOCK (open a file with + an exclusive lock already set -- i.e., almost all systems + except 4.4-BSD derived systems), the initial attempt at + rebuilding aliases file if the database didn't already + exist would fail. Patch from Raymund Will of LST Software + GmbH. 
+ Bogus incoming SMTP commands would reset the SMTP conversation. + Problem noted by Fredrik Jönsson of the Royal Institute + of Technology, Stockholm. + Since TCP Wrappers includes setenv(), unsetenv(), and putenv(), + some environments could give "multiple definitions" for these + routines during compilation. If using TCP Wrappers, assume + that these routines are included as though they were in the + C library. Patch from Robert La Ferla. + When a NEWDB database map was rebuilt at the same time it was being + used by a queue run, the maps could be left locked for the + duration of the queue run, causing other processes to hang. + Problem noted by Kendall Libby of Shore.NET. + In some cases, NoRecipientAction=add-bcc was being ignored, so the + mail was passed on without any recipient header. This could + cause problems downstream. Problem noted by Xander Jansen + of SURFnet ExpertiseCentrum. + Give error when GDBM is used with sendmail. GDBM's locking and + linking of the .dir and .pag files interferes with sendmail's + locking and security checks. Problems noted by Fyodor + Yarochkin of the Kyrgyz Republic FreeNet. + Don't fsync qf files if SuperSafe option is not set. + Avoid extra calls to gethostbyname for addresses for which a + gethostbyaddr found no value. Also, ignore any returns + from gethostbyaddr that look like a dotted quad. + If PTR lookup fails when looking up an SMTP peer, don't tag it as + "may be forged", since at the network level we pretty much + have to assume that the information is good. + In some cases, errors during an SMTP session could leave files + open or locked. + Better handling of missing file descriptors (0, 1, 2) on startup. + Better handling of non-setuid binaries -- avoids certain obnoxious + errors during testing. + Errors in file locking of NEWDB maps had the incorrect file name + printed in the error message. 
+ If the AllowBogusHELO option were set and an EHLO with a bad or + missing parameter were issued, the EHLO behaved like a HELO. + Load limiting never kicked in for incoming SMTP transactions if the + DeliverMode=background and any recipient was an alias or + had a .forward file. From Nik Conwell of Boston University. + On some non-Posix systems, the decision of whether chown(2) permits + file giveaway was undefined. From Tetsu Ushijima of the + Tokyo Institute of Technology. + Fix race condition that could cause the body of a message to be + lost (so only the header was delivered). This only occurs + on systems that do not use flock(2), and only when a queue + runner runs during a critical section in another message + delivery. Based on a patch from Steve Schweinhart of + Results Computing. + If a qf file was found in a mail queue directory that had a problem + (wrong ownership, bad format, etc.) and the file name was + exactly MAXQFNAME bytes long, then instead of being tried + once, it would be tried on every queue run. Problem noted + by Bryan Costales of Mercury Mail. + If the system supports an st_gen field in the status structure, + include it when reporting that a file has changed after open. + This adds a new compile flag, HAS_ST_GEN (0/1 option). + This out to be checked as well as reported, since it is + theoretically possible for an attacker to remove a file after + it is opened and replace it with another file that has the + same i-number, but some filesystems (notably AFS) return + garbage in this field, and hence always look like the file + has changed. As a practical matter this is not a security + problem, since the files can be neither hard nor soft links, + and on no filesystem (that I am aware of) is it possible to + have two files on the same filesystem with the same i-number + simultaneously. + Delete the root Makefile from the distribution -- it is only for + use internally, and does not work at customer sites. 
+ Fix botch that caused the second MAIL FROM: command in a single + transaction to clear the entire transaction. Problem + noted by John Kennedy of Cal State University, Chico. + Work properly on machines that have _PATH_VARTMP defined without + a trailing slash. (And a pox on vendors that decide to + ignore the established conventions!) Problem noted by + Gregory Neil Shapiro of WPI. + Internal changes to make it easier to add another protocol family + (intended for IPv6). Patches are from John Kennedy of + CSU Chico. + In certain cases, 7->8 bit MIME decoding of Base64 text could leave + an extra space at the beginning of some lines. Problem + noted by Charles Karney of Princeton University; fix based + on a patch from Christophe Wolfhugel. + Portability: + Allow _PATH_VENDOR_CF to be set in Makefile for consistency + with the _Sendmail_ book, 2nd edition. Note that + the book is actually wrong: _PATH_SENDMAILCF should + be used instead. + AIX 3.x: Include <sys/select.h>. Patch from Gene Rackow + of Argonne National Laboratory. + OpenBSD from from Paul DuBois of the University of Wisconsin. + RISC/os 4.0 from Paul DuBois of the University of Wisconsin. + SunOS: Include <memory.h> to fix warning from util.c. From + James Aldridge of EUnet Ltd. + Solaris: Change STDIR (location of status file) to /etc/mail + in Makefiles. + Linux, Dynix, UNICOS: Remove -DNDBM and -lgdbm from + Makefiles. Use NEWDB on Linux instead. + NCR MP-RAS 3.x with STREAMware TCP/IP: SIOCGIFNUM ioctl + exists but behaves differently than other OSes. + Add SIOCGIFNUM_IS_BROKEN compile flag to get + around the problem. Problem noted by Tom Moore of + NCR Corp. + HP-UX 9.x: fix compile warnings for old select API. Problem + noted by Tom Smith of Digital Equipment Corp. + UnixWare 2.x: compile warnings on offsetof macro. 
Problem + noted by Tom Good of the Community Access Information + Resource Network + SCO 4.2: compile problems caused by a change in the type of + the "length" parameters passed to accept, getpeername, + getsockname, and getsockopt. Adds new compile flags + SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Problem reported + by Tom Good of St. Vincent's North Richmond Community + Mental Health Center Residential Services. + AIX 4: Use size_t for SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. + Suggested by Brett Hogden of Rochester Gas & Electric + Corp. + Linux: avoid compile problem for versions of <setjmp.h> that + #define both setjmp and longjmp. Problem pointed out + by J.R. Oldroyd of TerraNet. + CONFIG: SCO UnixWare 2.1: Support for OSTYPE(sco-uw-2.1) + from Christopher Durham of SCO. + CONFIG: NEXTSTEP: define confCW_FILE to + /etc/sendmail/sendmail.cw to match the usual + configuration. Patch from Dennis Glatting of + PlainTalk. + CONFIG: MAILER(fax) called a program that hasn't existed for a long + time. Convert to use the HylaFAX 4.0 conventions. Suggested + by Harry Styron. + CONFIG: Improve sample anti-spam rulesets in cf/cf/knecht.mc. These + are the rulesets in use on sendmail.org. + MAKEMAP: give error on GDBM files. + MAIL.LOCAL: Make error messages a bit more explicit, for example, + telling more details on what actually changed when "file + changed after open". + CONTRIB: etrn.pl: Ignore comments in Fw files. Support multiple Fw + files. + CONTRIB: passwd-to-alias.pl: Handle 8 bit characters and '-'. + NEW FILES: + src/Makefiles/Makefile.OpenBSD + src/Makefiles/Makefile.RISCos.4_0 + test/t_exclopen.c + cf/ostype/sco-uw-2.1.m4 + DELETED FILES: + Makefile + +8.8.6/8.8.6 97/06/14 + ************************************************************* + * The extensive assistance of Gregory Neil Shapiro of WPI * + * in preparing this release is gratefully appreciated. * + * Sun Microsystems has also provided resources toward * + * continued sendmail development. 
* + ************************************************************* + SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open + mode bits set to create a file that is a symbolic link that + points nowhere. This makes it possible to create a root + owned file in an arbitrary directory by inserting the symlink + into a writable directory after the initial lstat(2) check + determined that the file did not exist. The only verified + example of a system having these odd semantics for O_EXCL + and symbolic links was HP-UX prior to version 9.07. Most + systems do not have the problem, since a exclusive create + of a file disallows symbolic links. Systems that have been + verified to NOT have the problem include AIX 3.x, *BSD, + DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris, + and Ultrix. This is a potential exposure on systems that + have this bug and which do not have a MAILER-DAEMON alias + pointing at a legitimate account, since this will cause old + mail to be dropped in /var/tmp/dead.letter. + SECURITY: Problems can occur on poorly managed systems, specifically, + if maps or alias files are in world writable directories. + If your system has alias maps in writable directories, it + is potentially possible for an attacker to replace the .db + (or .dir and .pag) files by symbolic links pointing at + another database; this can be used either to expose + information (e.g., by pointing an alias file at /etc/spwd.db + and probing for accounts), or as a denial-of-service attack + (by trashing the password database). The fix disallows + symbolic links entirely when rebuilding alias files or on + maps that are in writable directories, and always warns on + writable directories; 8.9 will probably consider writable + directories to be fatal errors. This does not represent an + exposure on systems that have alias files in unwritable + system directories. 
+ SECURITY: disallow .forward or :include: files that are links (hard + or soft) if the parent directory (or any directory in the + path) is writable by anyone other than the owner. This is + similar to the previous case for user files. This change + should not affect most systems, but is necessary to prevent + an attacker who can write the directory from pointing such + files at other files that are readable only by the owner. + SECURITY: Tighten safechown rules: many systems will say that they + have a safe (restricted to root) chown even on files that + are mounted from another system that allows owners to give + away files. The new rules are very strict, trusting file + ownership only in those few cases where the system has + been verified to be at least as paranoid as necessary. + However, it is possible to relax the rules to partially + trust the ownership if the directory path is not world or + group writable. This might allow someone who has a legitimate + :include: file (referenced directly from /etc/aliases) to + become another non-root user if the :include: file is in a + non-writable directory on an NFS-mounted filesystem where + the local system says that giveaway is denied but it is + actually permitted. I believe this to be a very small set + of cases. If in doubt, do not point :include: aliases at + NFS-mounted filesystems. + SECURITY: When setting a numeric group id using the RunAsUser option + (e.g., "O RunAsUser=10:20", the group id would not be set. + Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha + group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine. + The user id was still set properly. Problem noted by Uli + Pralle of the Technical University of Berlin. + Save the initial gid set for use when checking for if the + PrivacyOptions=restrictmailq option is set. Problem reported + by Wolfgang Ley of DFN-CERT. + Make 55x reply codes to the SMTP DATA-"." 
be non-sticky (i.e., a + failure on one message won't affect future messages to the + same host). + IP source route printing had an "off by one" error that would + affect any options that came after the route option. Patch + from Theo de Raadt. + The "Message is too large" error didn't successfully bounce the error + back to the sender. Problem reported by Stephen More of + PSI; patch from Gregory Neil Shapiro of WPI. + Change SMTP status code 553 to map into Extended code 5.1.0 (instead + of 5.1.3); it apparently gets used in multiple ways. + Suggested by John Myers of Portola Communications. + Fix possible extra null byte generated during collection if errors + occur at the beginning of the stream. Patch contributed by + Andrey A. Chernov and Gregory Neil Shapiro. + Code changes to avoid possible reentrant call of malloc/free within + a signal handler. Problem noted by John Beck of Sun + Microsystems. + Move map initialization to be earlier so that check_relay ruleset + will have the latest version of the map data. Problem noted + by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro. + If there are fatal errors during the collection phase (e.g., message + too large) don't send the bogus message. + Avoid "cannot open xfAAA00000" messages when sending to aliases that + have errors and have owner- aliases. Problem noted by Michael + Barber of MTU; fix from Gregory Neil Shapiro of WPI. + Avoid null pointer dereference on illegal Boundary= parameters in + multipart/mixed Content-Type: header. Problem noted by + Richard Muirden of RMIT University. + Always print error messages during newaliases (-bi) even if the + ErrorMode is not set to "print". Fix from Gregory Neil + Shapiro. + Test mode could core dump if you did a /map lookup in an optional map + that could not be opened. Based on a fix from John Beck of + Sun Microsystems. 
+ If DNS is misconfigured so that the last MX record tried points to + a host that does not have an A record, but other MX records + pointed to something reasonable, don't bounce the message + with a "host unknown" error. Note that this should really + be fixed in the zone file for the domain. Problem noted by + Joe Rhett of Navigist, Inc. + If a map fails (e.g., DNS times out) on all recipient addresses, mark + the message as having been tried; otherwise the next queue + run will not realize that this is a second attempt and will + retry immediately. Problem noted by Bryan Costales of + Mercury Mail. + If the clock is set backwards, and a MinQueueAge is set, no jobs + will be run until the later setting of the clock is reached. + "Problem" (I use the term loosely) noted by Eric Hagberg of + Morgan Stanley. + If the load average rises above the cutoff threshold (above which + sendmail will not process the queue at all) during a queue + run, abort the queue run immediately. Problem noted by + Bryan Costales of Mercury Mail. + The variable queue processing algorithm (based on the message size, + number of recipients, message precedence, and job age) was + non-functional -- either the entire queue was processed or + none of the queue was processed. The updated algorithm + does no queue run if a single recipient zero size job will + not be run. + If there is a fatal ("panic") message that will cause sendmail to + die immediately, never hold the error message for future + printing. + Force ErrorMode=print in -bt mode so that all errors are printed + regardless of the setting of the ErrorMode option in the + configuration file. Patch from Gregory Neil Shapiro. + New compile flag HASSTRERROR says that this OS has the strerror(3) + routine available in one of the libraries. Use it in conf.h. + The -m (match only) flag now works on host class maps. + If class hash or btree maps are rebuilt, sendmail will now detect + this and reopen the map. 
Previously, they could give + erroneous results during a single message processing + (but would recover when the next message was received). + Don't delete zero length queue files when doing queue runs until the + files are at least ten minutes old. This avoids a potential + race condition: the creator creates the qf file, getting back + a file descriptor. The queue runner locks it and deletes it + because it is zero length. The creator then writes the + descriptor that is now for a disconnected file, and the + job goes away. Based on a suggestion by Bryan Costales. + When determining the "validated" host name ($_ macro), do a forward + (A) DNS lookup on the result of the PTR lookup and compare + results. If they differ or if the PTR lookup fails, tag the + address as "may be forged". + Log null connections (i.e., hosts that connect but do not do any + substantive activity on the connection before disconnecting; + "substantive" is defined to be MAIL, EXPN, VRFY, or ETRN. + Always permit "writes" to /dev/null regardless of the link count. + This is safe because /dev/null is special cased, and no open + or write is ever actually attempted. Patch from Villy Kruse + of TwinCom. + If a message cannot be sent because of a 552 (exceeded storage + allocation) response to the MAIL FROM:<>, and a SIZE= parameter + was given, don't return the body in the bounce, since there + is a very good chance that the message will double-bounce. + Fix possible line truncation if a quoted-printable had an =00 escape + in the body. Problem noted by Charles Karney of the Princeton + Plasma Physics Laboratory. + Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses. + Problem noted by Kari Hurtta of the Finnish Meteorological + Institute. + The MaxDaemonChildren option wasn't applying to queue runs as + documented. 
Note that this increases the potential denial + of service problems with this option: an attacker can + connect many times, and thereby lock out queue runs as well + as incoming connections. If you use this option, you should + run the "sendmail -bd" and "sendmail -q30m" jobs separately + to avoid this attack. Failure to limit noted by Matthew + Dillon of BEST Internet Communications. + Always give a message in newaliases if alias files cannot be + opened instead of failing silently. Suggested by Gregory + Neil Shapiro. This change makes the code match the O'Reilly + book (2nd edition). + Some older versions of the resolver could return with h_errno == -1 + if no name server could be reached, causing mail to bounce + instead of queueing. Treat this like TRY_AGAIN. Fix from + John Beck of SunSoft. + If a :include: file is owned by a user that does not have an entry + in the passwd file, sendmail could dereference a null pointer. + Problem noted by Satish Mynam of Sun Microsystems. + Take precautions to make sure that the SMTP protocol cannot get out + of sync if (for example) an alias file cannot be opened. + Fix a possible race condition that can cause a SIGALRM to come in + immediately after a SIGHUP, causing the new sendmail to die. + Avoid possible hang on SVr3 systems when doing child reaping. Patch + from Villy Kruse of TwinCom. + Ignore improperly formatted SMTP reply codes. Previously these were + partially processed, which could cause confusing error + returns. + Fix possible bogus pointer dereference when doing ldapx map lookups + on some architectures. + Portability: + A/UX: from Jim Jagielski of NASA/GSFC. + glibc: SOCK_STREAM was changed from a #define to an enum, + thus breaking #ifdef SOCK_STREAM. Only option seems + to be to assume SOCK_STREAM if __GNU_LIBRARY__ is + defined. Problem reported by A Sun of the University + of Washington. + Solaris: use SIOCGIFNUM to get the number of interfaces on + the system rather than guessing at compile time. 
+ Patch contributed by John Beck of Sun Microsystems. + Intel Paragon: from Wendy Lin of Purdue University. + GNU Hurd: from Miles Bader of the GNU project. + RISC/os 4.50 from Harlan Stenn of PFCS Corporation. + ISC Unix: wait never returns if SIGCLD signals are blocked. + Unfortunately releasing them opens a race condition, + but there appears to be no fix for this. Patch from + Gregory Neil Shapiro. + BIND 8.1 for IPv6 compatibility from John Kennedy. + Solaris: a bug in strcasecmp caused characters with the + high order bit set to apparently randomly match + letters -- for example, $| (0233) matches "i" and "I". + Problem noted by John Gregson of the University of + Cambridge. + IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From + Kari Hurtta. + IRIX 6.x: Create Makefiles for systems that claim to be + IRIX64 but are 6.2 or higher (so use the regular + IRIX Makefile). + IRIX 6.x: Fix load average computation on 64 bit kernels. + Problem noted by Eric Hagberg of Morgan Stanley. + CONFIG: Some canonification was still done for UUCP-like addresses + even if FEATURE(nocanonify) was set. Problem pointed out by + Brian Candler. + CONFIG: In some cases UUCP mailers wouldn't properly recognize all + local names as local. Problem noted by Jeff Polk of BSDI; + fix provided by Gregory Neil Shapiro. + CONFIG: The "local:user" syntax entries in mailertables and other + "mailer:user" syntax locations returned an incorrect value + for the $h macro. Problem noted by Gregory Neil Shapiro. + CONFIG: Retain "+detail" information when forwarding mail to a + MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip + Guenther of Gustavus Adolphus College. + CONFIG: Make sure user+detail works for FEATURE(virtusertable); + rules are the same as for aliasing. Based on a patch from + Gregory Neil Shapiro. 
+ CONFIG: Break up parsing rules into several pieces; this should + have no functional change in this release, but makes it + possible to have better anti-spam rulesets in the future. + CONFIG: Disallow double dots in host names to avoid having the + HostStatusDirectory store status under the wrong name. + In some cases this can be used as a denial-of-service attack. + Problem noted by Ron Jarrell of Virginia Tech, patch from + Gregory Neil Shapiro. + CONFIG: Don't use F=m (multiple recipients per invocation) for + MAILER(procmail), but do pass F=Pn9 (include Return-Path:, + don't include From_, and convert to 8-bit). Suggestions + from Kimmo Suominen and Roderick Schertler. + CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) where + being masqueraded as though FEATURE(masquerade_entire_domain) + was specified, even when it wasn't. + MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft. + MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't + "slip in" a symbolic link between the lstat(2) call and the + exclusive open. This is only a problem on System V derived + systems that allow an exclusive create on files that are + symbolic links pointing nowhere. + MAIL.LOCAL: If the final mailbox close() failed, the user id was + not reset back to root, which on some systems would cause + later mailboxes to fail. Also, any partial message would + not be truncated, which could result in repeated deliveries. + Problem noted by Bruce Evans via Peter Wemm (FreeBSD + developers). + MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar + change to the sendmail map code was made in 8.8.3. Problem + noted by Gregory Neil Shapiro. + MAKEMAP: Give warnings on file problems such as map files that are + symbolic links; although makemap is not setuid root, it is + often run as root and hence has the potential for the same + sorts of problems as alias rebuilds. + MAKEMAP: Change compilation so that it will link properly on + NEXTSTEP. 
+ CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf. + Accept an optional list of arguments following the server + name for the ETRN arguments to use (instead of $=w). Other + miscellaneous bug fixes. From Christian von Roques via + John Beck of Sun Microsystems. + CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta. This + Perl script converts GECOS information in the /etc/passwd + file into aliases, allowing for faster access to full name + lookups; it is also clever about adding aliases (to root) + for system accounts. + NEW FILES: + src/safefile.c + cf/ostype/gnuhurd.m4 + cf/ostype/irix6.m4 + contrib/passwd-to-alias.pl + src/Makefiles/Makefile.IRIX64.6.1 + src/Makefiles/Makefile.IRIX64.6.x + RENAMED FILES: + src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x + src/Makefiles/Makefile.IRIX64 => Makefile.IRIX64.6.0 + +8.8.5/8.8.5 97/01/21 + SECURITY: Clear out group list during startup. Without this, sendmail + will continue to run with the group permissions of the caller, + even if RunAsUser is specified. + SECURITY: Make purgestat (-bH) be root-only. This is not in response + to any known attack, but it's best to be conservative. + Suggested by Peter Wemm of DIALix. + SECURITY: Fix buffer overrun problem in MIME code that has possible + security implications. Patch from Alex Garthwaite of the + University of Pennsylvania. + Use of a -f flag with a phrase attached (e.g., "-f 'Full Name <addr>'") + would truncate the address after "Full". Although the -f + syntax is incorrect (since it is in the envelope, it + shouldn't have comments and full names), the failure mode + was unnecessarily awful. + Fix a possible null pointer dereference when converting 8-bit data + to a 7-bit format. Problem noted by Jim Hutchins of + Sandia National Labs and David James of British Telecom. + Clear out stale state that affected F=9 on SMTP mailers in queue + runs. 
Although this really shouldn't be used (F=9 is for + final delivery only, and using it on an SMTP mailer makes + it possible for a message to be converted from 8->7->8->7 + bits several times), it shouldn't have failed with a syserr. + Problem noted by Eric Hagberg of Morgan Stanley. + _Really_ fix the multiple :maildrop code in the user database + module. Patch from Roy Mongiovi of Georgia Tech. + Let F lines in the configuration file actually read root-only + files if the configuration file is safe. Based on a + patch from Keith Reynolds of SCO. + ETRN followed by QUIT would hold the connection open until the queue + run completed. Problem noted by Truck Lewis of TDK + Semiconductor Corp. + It turns out that despite the documentation, the TCP wrappers library + does _not_ log rejected connections. Do the logging ourselves. + Problem noted by Fletcher Mattox of the University of Texas + at Austin. + If sendmail finds a qf file in its queue directory that is an unknown + version (e.g., when backing out to an old version), the + error is reported on every queue run. Change it to only + give the error once (and rename the qf => Qf). Patch from + William A. Gianopoulos of Raytheon Company. + Start a new session when doing background delivery; currently it + ignored signals but didn't start a new signal, that caused + some problems if a background process tried to send mail + under certain circumstances. Problem noted by Eric Hagberg + of Morgan Stanley; fix from Kari Hurtta. + Simplify test for skipping a queue run to just check if the current + load average is >= the queueing load average. Previously + the check factored in some other parameters that caused it + to essentially never skip the queue run. Patch from Bryan + Costales. 
+ If the SMTP server is running in "nullserver" mode (that is, it is + rejecting all commands), start sleeping after MAXBADCOMMAND + (25) commands; this helps prevent a bad guy from putting + you into a tight loop as a denial-of-service attack. Based + on an e-mail conversation with Brad Knowles of AOL. + Slow down when too many "light weight" commands have been issued; + this helps prevent a class of denial-of-service attacks. + The current values and defaults are: + MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR + MAXHELOCOMMANDS 3 HELO, EHLO + MAXVRFYCOMMANDS 6 VRFY, EXPN + MAXETRNCOMMANDS 8 ETRN + These will probably be configurable in a future release. + On systems that have uid_t typedefed to be an unsigned short, programs + that had the F=S flag and no U= equate would be invoked with + the real uid set to 65535 rather than being left unchanged. + In some cases, NOTIFY=NEVER was not being honored. Problem noted + by Steve Hubert of the University of Washington, Seattle. + Mail that was Quoted-Printable encoded and had a soft line break on + the last line (i.e., an incomplete continuation) had the last + line dropped. Since this appears to be illegal it isn't + clear what to do with it, but flushing the last line seems + to be a better "fail soft" approach. Based on a patch from + Eric Hagberg. + If AllowBogusHELO and PrivacyOptions=needmailhelo are both set, a + bogus HELO command still causes the "Polite people say HELO + first" error message. Problem pointed out by Chris Thomas + of UCLA; patch from John Beck of SunSoft. + Handle "sendmail -bp -qSfoobar" properly if restrictqrun is set + in PrivacyFlags. The -q shouldn't turn this command off. + Problem noted by Murray Kucherawy of Pacific Bell Internet; + based on a patch from Gregory Neil Shapiro of WPI. 
+ Don't consider SMTP reply codes 452 or 552 (exceeded storage allocation) + in a DATA transaction to be sticky; these can occur because + a message is too large, and smaller messages should still go + through. Problem noted by Matt Dillon of Best Internet + Communications. + In some cases bounces were saved in /var/tmp/dead.letter even if they + had been successfully delivered to the envelope sender. + Problem noted Eric Hagberg of Morgan Stanley; solution from + Gregory Neil Shapiro of WPI. + Give better diagnostics on long alias lines. Based on code contributed + by Patrick Gosling of the University of Cambridge. + Increase the number of virtual interfaces that will be probed for + alternate names. Problem noted by Amy Rich of Shore.Net. + PORTABILITY: + UXP/DS V20L10 for Fujitsu DS/90: Makefile patches from + Toshiaki Nomura of Fujitsu Limited. + SunOS with LDAP support: compile problems with struct timeval. + Patch from Nick Cuccia of TCSI Corporation. + SCO: from Keith Reynolds of SCO. + Solaris: kstat load average computation wasn't being used. + Fixes from Michael Ju. Tokarev of Telecom Service, JSC + (Moscow). + OpenBSD: from Jason Downs of teeny.org. + Altos System V: from Tim Rice. + Solaris 2.5: from Alan Perry of SunSoft. + Solaris 2.6: from John Beck of SunSoft. + Harris Nighthawk PowerUX (mh6000 box): from Bob Miorelli + of Pratt & Whitney <miorelli@pweh.com>. + CONFIG: It seems that I hadn't gotten the Received: line syntax + _just_right_ yet. Tweak it again. I'll omit the names + of the "contributors" (quantity two) in this one case. + As of now, NO MORE DISCUSSION about the syntax of the + Received: line. + CONFIG: Although FEATURE(nullclient) uses EXPOSED_USER (class $=E), + it never inserts that class into the output file. Fix it + so it will honor EXPOSED_USER but will _not_ include root + automatically in this class. 
Problem noted by Ronan KERYELL + of Centre de Recherche en Informatique de l'École Nationale + Supérieure des Mines de Paris (CRI-ENSMP). + CONFIG: Clean up handling of "local:" syntax in relay specifications + such as LUSER_RELAY. This change permits the following + syntaxes: ``local:'' will send to the same user on the + local machine (e.g., in a mailertable entry for "host", + ``local:'' will cause an address addressed to user@host to + go to user on the local machone). ``local:user'' will send + to the named user on the local machine. ``local:user@host'' + is equivalent to ``local:user'' (the host is ignored). In + all cases, the original user@host is passed in $@ (i.e., the + detail information). Inspired by a report from Michael Fuhr. + CONFIG: Strip quotes from the first word of an "error:" host + indication. This lets you set (for example) the LUSER_RELAY + to be ``error:\"5.1.1\" Your Message Here''. Note the use + of the \" so that the resulting string is properly quoted. + Problem noted by Gregory Neil Shapiro of WPI. + OP.ME: documentation was inconsistent about whether sendmail did a + NOOP or a RSET to probe the connection (it does a RSET). + Inconsistency noted by Deeran Peethamparam. + OP.ME: insert additional blank pages so it will print properly on + a duplex printer. From Matthew Black of Cal State University, + Long Beach. + +8.8.4/8.8.4 96/12/02 + SECURITY: under some circumstances, an attacker could get additional + permissions by hard linking to files that were group + writable by the attacker. The solution is to disallow any + files that have hard links -- this will affect .forward, + :include:, and output files. Problem noted by Terry + Kyriacopoulos of Interlog Internet Services. As a + workaround, set UnsafeGroupWrites -- always a good idea. + SECURITY: the TryNullMXList (w) option should not be safe -- if it + is, it is possible to do a denial-of-service attack on + MX hosts that rely on the use of the null MX list. 
There + is no danger if you have this option turned off (the default). + Problem noted by Dan Bernstein. Also, make the DontInitGroups + unsafe. I know of no specific attack against this, although + a denial-of-service attack is probably possible, but in theory + you should not be able to safely tweak anything that affects + the permissions that are used when mail is delivered. + Purgestat could go into an infinite loop if one of the host status + directories somehow became empty. Problem noted by Roy + Mongiovi of Georgia Tech. + Processes got "lost" when counting children due to a race condition. + This caused "proc_list_probe: lost pid" messages to be logged. + Problem noted by several people. + On systems with System V SIGCLD child signal semantics (notably AIX + and HP-UX), mail transactions would print the message "451 + SMTP-MAIL: lost child: No child processes". Problem noted + by several people. + Miscellaneous compiler warnings on picky compilers (or when setting + gcc to high warning levels). From Tom Moore of NCR Corp. + SMTP protocol errors, and most errors on MAIL FROM: lines should + not be persistent between runs, since they are based on the + message rather than the host. Problem noted by Matt Dillon + of Best Internet Communications. + The F=7 flag was ignored on SMTP mailers. Problem noted by Tom Moore + of NCR (a.k.a., AT&T Global Information Solutions). + Avoid the possibility of having a child daemon run to completion + (including closing the SMTP socket) before the parent has + had a chance to close the socket; this can cause the parent + to hang for a long time waiting for the socket to drain. + Patch from Don Lewis of TDK Semiconductor. + If the fork() failed in a queue run, the queue runners would not be + rescheduled (so queue runs would stop). Patch from Don Lewis. + Some error conditions in ETRN could cause output without an SMTP + status code. Problem noted by Don Lewis. 
+ Multiple :maildrop addresses in the user database didn't work properly. + Patch from Roy Mongiovi of Georgia Tech. + Add ".db" automatically onto any user database spec that does not + already have it; this is for consistency with makemap, the + K line, and the documentation. Inconsistency pointed out + by Roy Mongiovi. + Allow sendmail to be properly called in nohup mode. Patch from + Kyle Jones of UUNET. + Change ETRN to ignore but still update host status files; previously + it would ignore them and not save the updated status, which + caused stale information to be maintained. Based on a patch + from Christopher Davis of Kapor Enterprises Inc. Also, have + ETRN ignore the MinQueueAge option. + Patch long term host status to recover more gracefully from an empty + host status file condition. Patch from NAKAMURA Motonori + of Kyoto University. + Several patches to signal handling code to fix potential race + conditions from Don Lewis. + Make it possible to compile with -DDAEMON=0 (previously it had some + compile errors). This turns DAEMON, QUEUE, and SMTP into + 0/1 compilation flags. Note that DAEMON is an obsolete + compile flag; use NETINET instead. Solution based on a + patch from Bryan Costales. + PORTABILITY FIXES: + AIX4: getpwnam() and getpwuid() do a sequential scan of the + /etc/security/passwd file when called as root. This + is very slow on some systems. To speed it up, use the + (undocumented) _getpw{nam,uid}_shadow() routines. + Patch from Chris Thomas of UCLA/OAC Systems Group. + SCO 5.x: include -lprot in the Makefile. Patch from Bill + Glicker of Burrelle's Information Service. + NEWS-OS 4.x: need a definition for MODE_T to compile. Patch + from Makoto MATSUSHITA of Osaka University. + SunOS 4.0.3: compile problems. Patches from Andrew Cole of + Leeds University and SASABE Tetsuro of the University + of Tokyo. + DG/UX 5.4.4.11 from Brian J. Murrell of InterLinx Support + Services, Inc. 
+ Domain/OS from Don (Truck) Lewis of TDK Semiconductor Corp. + I believe this to have only been a problem if you + compiled with -DUSE_VENDOR_CF_PATH -- another reason + to stick with /etc/sendmail.cf as your One True Path. + Digital UNIX (OSF/1 on Alpha) load average computation from + Martin Laubach of the Technischen Universität Wien. + CONFIG: change default Received: line to be multiple lines rather + than one long one. By popular demand. + MAIL.LOCAL: warnings weren't being logged on some systems. Patch + from Jerome Berkman of U.C. Berkeley. + MAKEMAP: be sure to zero hinfo to avoid cruft that can cause runs + to take a very long time. Problem noted by Yoshiro YONEYA + of NTT Software Corporation. + CONTRIB: add etrn.pl, contributed by John Beck. + NEW FILES: + contrib/etrn.pl + +8.8.3/8.8.3 96/11/17 + SECURITY: it was possible to get a root shell by lying to sendmail + about argv[0] and then sending it a signal. Problem noted + by Leshka Zakharoff <leshka@leshka.chuvashia.su> on the + best-of-security list. + Log sendmail binary version number in "Warning: .cf version level + (%d) exceeds program functionality (%d) message" -- this + should make it clearer to people that they are running + the wrong binary. + Fix a problem that occurs when you open an SMTP connection and then + do one or more ETRN commands followed by a MAIL command; at + the end of the DATA phase sendmail would incorrectly report + "451 SMTP-MAIL: lost child: No child processes". Problem + noted by Eric Bishop of Virginia Tech. + When doing text-based host canonification (typically /etc/hosts + lookup), a null host name would match any /etc/hosts entry + with space at the end of the line. Problem noted by Steve + Hubert of the University of Washington, Seattle. + 7 to 8 bit BASE64 MIME conversions could duplicate bits of text. + Problem reported by Tom Smith of Digital Equipment Corp. 
+ Increase the size of the DNS answer buffer -- the standard UDP packet + size PACKETSZ (512) is not sufficient for some nameserver + answers containing very many resource records. The resolver + may also switch to TCP and retry if it detects UDP packet + overflow. Also, allow for the fact that the resolver + routines res_query and res_search return the size of the + *un*truncated answer in case the supplied answer buffer it + not big enough to accommodate the entire answer. Patch from + Eric Wassenaar. + Improvements to MaxDaemonChildren code. If you think you have too + many children, probe the ones you have to verify that they + are still around. Suggested by Jared Mauch of CICnet, Inc. + Also, do this probe before growing the vector of children + pids; this previously caused the vector to grow indefinitely + due to a race condition. Problem reported by Kyle Jones of + UUNET. + On some architectures, <db.h> (from the Berkeley DB library) defines + O_EXLOCK to zero; this fools the map compilation code into + thinking that it can avoid race conditions by locking on open. + Change it to check for O_EXLOCK non-zero. Problem noted by + Leif Erlingsson of Data Lege. + Always call res_init() on startup (if compiled in, of course) to + allow the sendmail.cf file to tweak resolver flags; without + it, flag tweaks in ResolverOptions are ignored. Patch from + Andrew Sun of Merrill Lynch. + Improvements to host status printing code. Suggested by Steve Hubert + of the University of Washington, Seattle. + Change MinQueueAge option processing to do the check for the job age + when reading the queue file, rather than at the end; this + avoids parsing the addresses, which can do DNS lookups. + Problem noted by John Beck of InReference, Inc. + When MIME was being 7->8 bit decoded, "From " lines weren't being + properly escaped. Problem noted by Peter Nilsson of the + University of Linkoping. 
+ In some cases, sendmail would retain root permissions during queue + runs even if RunAsUser was set. Problem noted by Mark + Thomas of Mark G. Thomas Consulting. + If the F=l flag was set on an SMTP mailer to indicate that it is + actually local delivery, and NOTIFY=SUCCESS is specified in + the envelope, and the receiving SMTP server speaks DSN, then + the DSN would be both generated locally and propagated to the + other end. + The U= mailer field didn't correctly extract the group id if the + user id was numeric. Problem noted by Kenneth Herron of + MCI Telecommunications Communications. + If a message exceeded the fixed maximum size on input, the body of + the message was included in the bounce. Note that this did + not occur if it exceeded the maximum _output_ size. Problem + reported by Kyle Jones of UUNET. + PORTABILITY FIXES: + AIX4: 4.1 doesn't have a working setreuid(2); change the + AIX4 defines to use seteuid(2) instead, which + works on 4.1 as well as 4.2. Problem noted by + Håkan Lindholm of interAF, Sweden. + AIX4: use tzname[] vector to determine time zone name. + Patch from NAKAMURA Motonori of Kyoto University. + MkLinux: add Makefile.Linux.ppc and OSTYPE(mklinux) support. + Contributed by Paul DuBois <dubois@primate.wisc.edu>. + Solaris: kstat(3k) support for retrieving the load average. + This adds the LA_KSTAT definition for LA_TYPE. + The outline of the implementation was contributed + by Michael Tokarev of Telecom Service, JSC, Moscow. + HP-UX 10.0 gripes about the (perfectly legal!) forward + declaration of struct rusage at the top of conf.h; + change it to only be included if you are using gcc, + which is apparently the only compiler that requires + it in the first place. Problem noted by Jeff + Earickson of Colby College. + IRIX: don't default to using gcc. IRIX is a civilized + operating system that comes with a decent compiler + by default. Problem noted by Barry Bouwsma and + Kari Hurtta. 
+ CONFIG: specify F=9 as default in FEATURE(local_procmail) for + consistency with other local mailers. Inconsistency + pointed out by Teddy Hogeborn <teddy@fukt.hk-r.se>. + CONFIG: if the "limited best mx" feature is used (to reduce DNS + overhead) as part of the bestmx_is_local feature, the + domain part was dropped from the name. Patch from Steve + Hubert of the University of Washington, Seattle. + CONFIG: catch addresses of the form "user@.dom.ain"; these could + end up being translated to the null host name, which would + return any entry in /etc/hosts that had a space at the end + of the line. Problem noted by Steve Hubert of the + University of Washington, Seattle. + CONFIG: add OSTYPE(aix4). From Michael Sofka of Rensselaer + Polytechnic Institute. + MAKEMAP: tweak hash and btree parameters for better performance. + Patch from Matt Dillon of Best Internet Communications. + NEW FILES: + src/Makefiles/Makefile.Linux.ppc + cf/ostype/aix4.m4 + cf/ostype/mklinux.m4 + +8.8.2/8.8.2 96/10/18 + SECURITY: fix a botch in the 7-bit MIME patch; the previous patch + changed the code but didn't fix the problem. + PORTABILITY FIXES: + Solaris: Don't use the system getusershell(3); it can + apparently corrupt the heap in some circumstances. + Problem found by Ken Pizzini of Spry, Inc. + OP.ME: document several mailer flags that were accidentally omitted + from this document. These flags were F=d, F=j, F=R, and F=9. + CONFIG: no changes. + +8.8.1/8.8.1 96/10/17 + SECURITY: unset all environment variables that the resolver will + examine during queue runs and daemon mode. Problem noted + by Dan Bernstein of the University of Illinois at Chicago. + SECURITY: in some cases an illegal 7-bit MIME-encoded text/plain + message could overflow a buffer if it was converted back + to 8 bits. This caused core dumps and has the potential + for a remote attack. Problem first noted by Gregory Shapiro + of WPI. 
+ Avoid duplicate deliveries of error messages on systems that don't + have flock(2) support. Patch from Motonori Nakamura of + Kyoto University. + Ignore null FallBackMX (V) options. If this option is null (as + opposed to undefined) it can cause "null signature" syserrs + on illegal host names. + If a Base64 encoded text/plain message has no trailing newline in + the encoded text, conversion back to 8 bits will drop the + final line. Problem noted by Pierre David. + If running with a RunAsUser, sendmail would give bogus "cannot + setuid" (or seteuid, or setreuid) messages on some systems. + Problem pointed out by Jordan Mendelson of Web Services, Inc. + Always print error messages in -bv mode -- previously, -bv would + be absolutely silent on errors if the error mode was sent + to (say) mail-back. Problem noted by Kyle Jones of UUNET. + If -qI/R/S is set (or the ETRN command is used), ignore all long + term host status. This is necessary because it is common + to do this when you know a host has just come back up. + Disallow duplicate HELO/EHLO commands as required by RFC 1651 section + 4.2. Excessive permissiveness noted by Lee Flight of the + University of Leicester. + If a service (such as NIS) is specified as the last entry in the + service switch, but that service is not compiled in, sendmail + would return a temporary failure when an entry was not found + in the map. This caused the message to be queued instead of + bouncing immediately. Problem noted by Harry Edmon of the + University of Washington. + PORTABILITY FIXES: + Solaris 2.3 had compilation problems in conf.c. Several + people pointed this out. + NetBSD from Charles Hannum of MIT. + AIX4 improvements based on info from Steve Bauer of South + Dakota School of Mines & Technology. + CONFIG: ``error:code message'' syntax was broken in virtusertable. + Patch from Gil Kloepfer Jr. 
+ CONFIG: if FEATURE(nocanonify) was specified, hosts in $=M (set + using MASQUERADE_DOMAIN) were not masqueraded unless they + were also in $=w. Problem noted by Zoltan Basti of + Softec. + MAIL.LOCAL: patches to compile and link cleanly on AIX. Based + on a patch from Eric Hagberg of Morgan Stanley. + MAIL.LOCAL: patches to compile on NEXTSTEP. From Patrick Nolan + of Stanford via Robert La Ferla. + +8.8.0/8.8.0 96/09/26 + Under some circumstances, Bcc: headers would not be properly + deleted. Pointed out by Jonathan Kamens of OpenVision. + Log a warning if the sendmail daemon is invoked without a full + pathname, which prevents "kill -1" from working. I was + urged to put this in by Andrey A. Chernov of DEMOS (Russia). + Fix small buffer overflow. Since the data in this buffer was not + read externally, there was no security problem (and in fact + probably wouldn't really overflow on most compilers). Pointed + out by KIZU takashi of Osaka University. + Fix problem causing domain literals such as [1.2.3.4] to be ignored + if a FallbackMXHost was specified in the configuration file + -- all mail would be sent to the fallback even if the original + host was accessible. Pointed out by Munenari Hirayama of + NSC (Japan). + A message that didn't terminate with a newline would (sometimes) not + have the trailing "." added properly in the SMTP dialogue, + causing SMTP to hang. Patch from Per Hedeland of Ericsson. + The DaemonPortOptions suboption to bind to a particular address was + incorrect and nonfunctional due to a misunderstanding of the + semantics of binding on a passive socket. Patch from + NIIBE Yutaka of Mitsubishi Research Institute. + Increase the number of MX hosts for a single name to 100 to better + handle the truly huge service providers such as AOL, which + has 13 at the moment (and climbing). 
In order to avoid + trashing memory, the buffer for all names has only been + slightly increased in size, to 12.8K from 10.2K -- this means + that if a single name had 100 MX records, the average size + of those records could not exceed 128 bytes. Requested by + Brad Knowles of America On Line. + Restore use of IDENT returns where the OSTYPE field equals "OTHER". + Urged by Dan Bernstein of U.C. Berkeley. + Print q_statdate and q_specificity in address structure debugging + printout. + Expand MCI structure flag bits for debugging output. + Support IPv6-style domain literals, which can have colons between + square braces. + Log open file descriptors for the "cannot dup" messages in deliver(); + this is an attempt to track down a bug that one person seems + to be having (it may be a Solaris bug!). + DSN NOTIFY parameters were not properly propagated across queue runs; + this caused the NOTIFY info to sometimes be lost. Problem + pointed out by Claus Assmann of the + Christian-Albrechts-University of Kiel. + The statistics gathered in the sendmail.st file were too high; in + some cases failures (e.g., user unknown or temporary failure) + would count as a delivery as far as the statistics were + concerned. Problem noted by Tom Moore of AT&T GIS. + Systems that don't have flock() would not send split envelopes in + the initial run. Problem pointed out by Leonard Zubkoff of + Dandelion Digital. + Move buffer overflow checking -- these primarily involve distrusting + results that may come from NIS and DNS. + 4.4-BSD-derived systems, including FreeBSD, NetBSD, and BSD/OS didn't + include <paths.h> and hence had the wrong pathnames for a few + things like /var/tmp. Reported by Matthew Green. + Conditions were reversed for the Priority: header, resulting in all + values being interpreted as non-urgent except for non-urgent, + which was interpreted as normal. Patch from Bryan Costales. + The -o (optional) flag was being ignored on hash and btree maps + since 8.7.2. 
Fix from Bryan Costales. + Content-Types listed in class "q" will always be encoded as + Quoted-Printable (or more accurately, will never be encoded + as base64). The class can have primary types (e.g., "text") + or full types (e.g., "text/plain"). Based on a suggestion by + Marius Olafsson of the University of Iceland. + Define ${envid} to be the original envelope id (from the ESMTP DSN + dialogue) so it can be passed to programs in mailers. + Define ${bodytype} to be the body type (from the -B flag or the + BODY= ESMTP parameter) so it can be passed to programs in + mailers. + Cause the VRFY command to return 252 instead of 250 unless the F=q + flag is set in the mailer descriptor. Suggested by John + Myers of CMU. + Implement ESMTP ETRN command to flush the queue for a specific host. + The command takes a host name; data for that host is + immediately (and asynchronously) flushed. Because this shares + the -qR implementation, other hosts may be attempted, but + there should be no security implications. Implementation + from John Beck of InReference, Inc. See RFC 1985 for details. + Add three new command line flags to pass in DSN parameters: -V envid + (equivalent to ENVID=envid on the MAIL command), -R ret + (equivalent to RET=ret on the MAIL command), and -Nnotify + (equivalent to NOTIFY=notify on the RCPT command). Note + that the -N flag applies to all recipients; there is no way + to specify per-address notifications on the command line, + nor is there an equivalent for the ORCPT= per-address + parameter. + Restore LogLevel option to be safe (it can only be increased); + apparently I went into paranoid mode between 8.6 and 8.7 + and made it unsafe. Pointed out by Dabe Murphy of the + University of Maryland. + New logging on log level 15: all SMTP traffic. Patches from + Andrew Gross of San Diego Supercomputer Center. + NetInfo property value searching code wasn't stopping when it found + a match. 
This was causing the wrong values to be found (and + had a memory leak). Found by Bastian Schleuter of TU-Berlin. + Add new F=0 (zero) mailer flag to turn off MX lookups. It was pointed + out by Bill Wisner of Electronics for Imaging that you can't + use the bracket address form for the MAIL_HUB macro, since + that causes the brackets to remain in the envelope recipient + address used for delivery. The simple fix (stripping off the + brackets in the config file) breaks the use of IP literal + addresses. This flag will solve that problem. + Add MustQuoteChars option. This is a list of characters that must + be quoted if they are found in the phrase part of an address + (that is, the full name part). The characters @,;:\()[] are + always in this list and cannot be removed. The default is + this list plus . and ' to match RFC 822. + Add AllowBogusHELO option; if set, sendmail will allow HELO commands + that do not include a host name for back compatibility with + some stupid SMTP clients. Setting this violates RFC 1123 + section 5.2.5. + Add MaxDaemonChildren option; if this is set, sendmail will start + rejecting connections if it has more than this many + outstanding children accepting mail. Note that you may + see more processes than this because of outgoing mail; this + is for incoming connections only. + Add ConnectionRateThrottle option. If set to a positive value, the + number of incoming SMTP connections that will be permitted + in a single second is limited to this number. Connections are + not refused during this time, just deferred. The intent is to + flatten out demand so that load average limiting can kick in. + It is less radical than MaxDaemonChildren, which will stop + accepting connections even if all the connections are idle + (e.g., due to connection caching). + Add Timeout.hoststatus option. 
This interval (defaulting to 30m) + specifies how long cached information about the state of a + host will be kept before they are considered stale and the + host is retried. If you are using persistent host status + (i.e., the HostStatusDirectory option is set) this will apply + between runs; otherwise, it applies only within a single queue + run and hence is useful only for hosts that have large queues + that take a very long time to run. + Add SingleLineFromHeader option. If set, 
From: headers are coerced + into being a single line even if they had newlines in them + when read. This is to get around a botch in Lotus Notes. + Text class maps were totally broken -- if you ever retrieved the last + item in a table it would be truncated. Problem noted by + Gregory Neil Shapiro of WPI. + Extend the lines printed by the mailq command (== the -bp flag) when + -v is given to 120 characters; this allows more information + to be displayed. Suggested by Gregory Neil Shapiro of WPI. + Allow macro definitions (`D' lines) with unquoted commas; previously + this was treated as end-of-input. Problem noted by Bryan + Costales. + The RET= envelope parameter (used for DSNs) wasn't properly written + to the queue file. Fix from John Hughes of Atlantic + Technologies, Inc. + Close /var/tmp/dead.letter after a successful write -- otherwise + if this happens in a queue run it can cause nasty delays. + Problem noted by Mark Horton of AT&T. + If userdb entries pointed to userdb entries, and there were multiple + values for a given key, the database cursor would get + trashed by the recursive call. Problem noted by Roy Mongiovi + of Georgia Tech. Fixed by reading all the values and creating + a comma-separated list; thus, the -v output will be somewhat + different for this case. + Fix buffer allocation problem with Hesiod-based userdb maps when + HES_GETMAILHOST is defined. Based on a patch by Betty Lee + of Stanford University. + When envelopes were split due to aliases with owner- aliases, and + there was some error on one of the lists, more than one of + the owners would get the message. Problem pointed out by + Roy Mongiovi of Georgia Tech. + Detect excessive recursion in macro expansions, e.g., $X defined + in terms of $Y which is defined in terms of $X. Problem + noted by Bryan Costales; patch from Eric Wassenaar. + When using F=U to get "ugly UUCP" From_ lines, a buffer could in + some cases get trashed causing bogus From_ lines. 
Fix from + Kyle Jones of UUNET. + When doing load average initialization, if the nlist call for avenrun + failed, the second and subsequent lookups wouldn't notice + that fact causing bogus load averages to be returned. Noted + by Casper Dik of Sun Holland. + Fix problem with incompatibility with some versions of inet_aton that + have changed the return value to unsigned, so a check for an + error return of -1 doesn't work. Use INADDR_NONE instead. + This could cause mail to addresses such as [foo.com] to bounce + or get dropped. Problem noted by Christophe Wolfhugel of the + Pasteur Institute. + DSNs were inconsistent if a failure occurred during the DATA phase + rather than the RCPT phase: the Action: would be correct, but + the detailed status information would be wrong. Problem noted + by Bob Snyder of General Electric Company. + Add -U command line flag and the XUSR ESMTP extension, both indicating + that this is the initial MUA->MTA submission. The flag current + does nothing, but in future releases (when MUAs start using + these flags) it will probably turn on things like DNS + canonification. + Default end-of-line string (E= specification on mailer [M] lines) + to \r\n on SMTP mailers. Default remains \n on non-SMTP + mailers. + Change the internal definition for the *file* and *include* mailers + to have $u in the argument vectors so that they aren't + misinterpreted as SMTP mailers and thus use \r\n line + termination. This will affect anyone who has redefined + either of these in their configuration file. + Don't assume that IDENT servers close the connection after a query; + responses can be newline terminated. From Terry Kennedy of + St. Peter's College. + Avoid core dumps on erroneous configuration files that have + $#mailer with nothing following. From Bryan Costales. + Avoid null pointer dereference with high debug values in unlockqueue. + Fix from Randy Martin of Clemson University. + Fix possible buffer overrun when expanding very large macros. 
Fix + from Kyle Jones of UUNET. + After 25 EXPN or VRFY commands, start pausing for a second before + processing each one. This avoids a certain form of denial + of service attack. Potential attack pointed out by Bryan + Costales. + Allow new named (not numbered!) config file rules to do validity + checking on SMTP arguments: check_mail for MAIL commands and + check_rcpt for RCPT commands. These rulesets can do anything + they want; their result is ignored unless they resolve to the + $#error mailer, in which case the indicated message is printed + and the command is rejected. Similarly, the check_compat + ruleset is called before delivery with "from_addr $| to_addr" + (the $| is a meta-symbol used to separate the two addresses); + it can give a "this sender can't send to this recipient" + notification. Note that this patch allows $| to stand alone + in rulesets. + Define new macros ${client_name}, ${client_addr}, and ${client_port} + that have the name, IP address, and port number (respectively) + of the SMTP client (that is, the entity at the other end of + the connection. These can be used in (e.g.) check_rcpt to + verify that someone isn't trying to relay mail through your + host inappropriately. Be sure to use the deferred evaluation + form, for example $&{client_name}, to avoid having these bound + when sendmail reads the configuration file. + Add new config file rule check_relay to check the incoming connection + information. Like check_compat, it is passed the host name + and host address separated by $| and can reject connections + on that basis. + Allow IDA-style recursive function calls. Code contributed by Mark + Lovell and Paul Vixie. + Eliminate the "No ! in UUCP From address!" message" -- instead, create + a virtual UUCP address using either a domain address or the $k + macro. Based on code contributed by Mark Lovell and Paul + Vixie. + Add Stanford LDAP map. Requires special libraries that are not + included with sendmail. Contributed by Booker C. 
Bense + <bbense@networking.stanford.edu>; contact him for support. + See also the src/READ_ME file. + Allow -dANSI to turn on ANSI escape sequences in debug output; this + puts metasymbols (e.g., $+) in reverse video. Really useful + only for debugging deep bits of code where it is important to + distinguish between the single-character metasymbol $+ and the + two characters $, +. + Changed ruleset 89 (executed in dumpstate()) to a named ruleset, + debug_dumpstate. + Add new UnsafeGroupWrites option; if set, .forward and :include: + files that are group writable are considered "unsafe" -- that + is, programs and files referenced from such files are not + valid recipients. + Delete bogosity test for FallBackMX host; this prevented it to be a + name that was not in DNS or was a domain-literal. Problem + noted by Tom May. + Change the introduction to error messages to more clearly delineate + permanent from temporary failures; if both existed in a + single message it could be confusing. Suggested by John + Beck of InReference, Inc. + The IngoreDot (i) option didn't work for lines that were terminated + with CRLF. Problem noted by Ted Stockwell of Secure + Computing Corporation. + Add a heuristic to improve the handling of unbalanced `<' signs in + message headers. Problem reported by Matt Dillon of Best + Internet Communications. + Check for bogus characters in the 0200-0237 range; since these are + used internally, very strange errors can occur if those + characters appear in headers. Problem noted by Anders Gertz + of Lysator. + Implement 7 -> 8 bit MIME conversions. This only takes place if the + recipient mailer has the F=9 flag set, and only works on + text/plain body types. Code contributed by Marius Olafsson + of the University of Iceland. 
+ Special case "postmaster" name so that it is always treated as lower + case in alias files regardless of configuration settings; + this prevents some potential problems where "Postmaster" or + "POSTMASTER" might not match "postmaster". In most cases + this change is a no-op. + The -o map flag was ignored for text maps. Problem noted by Bryan + Costales. + The -a map flag was ignored for dequote maps. Problem noted by + Bryan Costales. + Fix core dump when a lookup of a class "prog" map returns no + response. Patch from Bryan Costales. + Log instances where sendmail is deferring or rejecting connections + on LogLevel 14. Suggested by Kyle Jones of UUNET. + Include port number in process title for network daemons. Suggested + by Kyle Jones of UUNET. + Send ``double bounces'' (errors that occur when sending an error + message) to the address indicated in the DoubleBounceAddress + option (default: postmaster). Previously they were always + sent to postmaster. Suggested by Kyle Jones of UUNET. + Add new mode, -bD, that acts like -bd in all respects except that + it runs in foreground. This is useful for using with a + wrapper that "watches" system services. Suggested by Kyle + Jones of UUNET. + Fix botch in spacing around (parenthesized) comments in addresses + when the comment comes before the address. Patch from + Motonori Nakamura of Kyoto University. + Use the prefix "Postmaster notify" on the Subject: lines of messages + that are being bounced to postmaster, rather than "Returned + mail". This permits the person who is postmaster more + easily determine what messages are to their role as + postmaster versus bounces to mail they actually sent. Based + on a suggestion by Motonori Nakamura. + Add new value "time" for QueueSortOrder option; this causes the queue + to be sorted strictly by the time of submission. 
Note that + this can cause very bad behaviour over slow lines (because + large jobs will tend to delay small jobs) and on nodes with + heavy traffic (because old things in the queue for hosts that + are down delay processing of new jobs). Also, this does not + guarantee that jobs will be delivered in submission order + unless you also set DeliveryMode=queue. In general, it should + probably only be used on the command line, and only in + conjunction with -qRhost.domain. In fact, there are very few + cases where it should be used at all. Based on an + implementation by Motonori Nakamura. + If a map lookup in ruleset 5 returns tempfail, queue the message in + the same manner as other rulesets. Previously a temporary + failure in ruleset 5 was ignored. Patch from Booker Bense + of Stanford University. + Don't proceed to the next MX host if an SMTP MAIL command returns a + 5yz (permanent failure) code. The next MX host will still be + tried if the connection cannot be opened in the first place + or if the MAIL command returns a 4yz (temporary failure) code. + (It's hard to know what to do here, since neither RFC 974 nor + RFC 1123 specify when to proceed to the next MX host.) + Suggested by Jonathan Kamens of OpenVision, Inc. + Add new "-t" flag for map definitions (the "K" line in the .cf file). + This causes map lookups that get a temporary failure (e.g., + name server failure) to _not_ defer the delivery of the + message. This should only be used if your configuration file + is prepared to do something sensible in this case. Based on + an idea by Gregory Shapiro of WPI. + Fix problem finding network interface addresses. Patch from + Motonori Nakamura. + Don't reject qf entries that are not owned by your effective uid if + you are not running setuid; this makes management of certain + kinds of firewall setups difficult. Patch suggested by + Eamonn Coleman of Qualcomm. + Add persistent host status. 
This keeps the information normally + maintained within a single queue run in disk files that are + shared between sendmail instances. The HostStatusDirectory + is the directory in which the information is maintained. If + not set, persistent host status is turned off. If not a full + pathname, it is relative to the queue directory. A common + value is ".hoststat". + There are also two new operation modes: + * -bh prints the status of hosts that have had recent + connections. + * -bH purges the host statuses. No attempt is made to save + recent status information. + This feature was originally written by Paul Vixie of Vixie + Enterprises for KJS and adapted for V8 by Mark Lovell of + Bigrock Consulting. Paul's funding of Mark and Mark's patience + with my insistence that things fit cleanly into the V8 + framework is gratefully appreciated. + New SingleThreadDelivery option (requires HostStatusDirectory to + operate). Avoids letting two sendmails on the local machine + open connections to the same remote host at the same time. + This reduces load on the other machine, but can cause mail to + be delayed (for example, if one sendmail is delivering a huge + message, other sendmails won't be able to send even small + messages). Also, it requires another file descriptor (for the + lock file) per connection, so you may have to reduce + ConnectionCacheSize to avoid running out of per-process + file descriptors. Based on the persistent host status code + contributed by Paul Vixie and Mark Lovell. + Allow sending to non-simple files (e.g., /dev/null) even if the + SafeFileEnvironment option is set. Problem noted by Bryan + Costales. + The -qR flag mistakenly matched flags in the "R" line of the queue + file. Problem noted by Bryan Costales. + If a job was aborted using the interrupt signal (e.g., control-C from + the keyboard), on some occasions an empty df file would be + left around; these would collect in the queue directory. + Problem noted by Bryan Costales. 
+ Change the makesendmail script to enhance the search for Makefiles + based on release number. For example, on SunOS 5.5.1, it will + search for Makefile.SunOS.5.5.1, Makefile.SunOS.5.5, and then + Makefile.SunOS.5.x (in addition to the other rules, e.g., + adding $arch). Problem noted by Jason Mastaler of Atlanta + Webmasters. + When creating maps using "newaliases", always map the keys to lower + case when creating the map unless the -f flag is specified on + the map itself. Previously this was done based on the F=u + flag in the local mailer, which meant you could create aliases + that you could never access. Problem noted by Bob Wu of DEC. + When a job was read from the queue, the bits causing notification on + failure or delay were always set. This caused those + notifications to be sent even if NOTIFY=NEVER had been + specified. Problem noted by Steve Hubert of the University + of Washington, Seattle. + Add new configurable routine validate_connection (in conf.c). This + lets you decide if you are willing to accept traffic from + this host. If it returns FALSE, all SMTP commands will return + "550 Access denied". -DTCPWRAPPERS will include support for + TCP wrappers; you will need to add -lwrap to the link line. + (See src/READ_ME for details.) + Don't include the "THIS IS A WARNING MESSAGE ONLY" banner on postmaster + bounces. Some people seemed to think that this could be + confusing (even though it is true). Suggested by Motonori + Nakamura. + Add new RunAsUser option; this causes sendmail to do a setuid to that + user early in processing to avoid potential security problems. + However, this means that all .forward and :include: files must + be readable by that user, and all files to be written must be + writable by that user and all programs will be executed by that + user. It is also incompatible with the SafeFileEnvironment + option. In other words, it may not actually add much to + security. 
However, it should be useful on firewalls and other + places where users don't have accounts and the aliases file is + well constrained. + Add Timeout.iconnect. This is like Timeout.connect except it is used + only on the first attempt to delivery to an address. It could + be set to be lower than Timeout.connect on the principle that + the mail should go through quickly to responsive hosts; less + responsive hosts get to wait for the next queue run. + Fix a problem on Solaris that occasionally causes programs + (such as vacation) to hang with their standard input connected + to a UDP port. It also created some signal handling problems. + The problems turned out to be an interaction between vfork(2) + and some of the libraries, particularly NIS/NIS+. I am + indebted to Tor Egge <tegge@idt.ntnu.no> for this fix. + Change user class map to do the same matching that actual delivery + will do instead of just a /etc/passwd lookup. This adds + fuzzy matching to the user map. Patch from Dan Oscarsson. + The Timeout.* options are not safe -- they can be used to create a + denial-of-service attack. Problem noted by Christophe + Wolfhugel. + Don't send PostMasterCopy messages in the event of a "delayed" + notification. Suggested by Barry Bouwsma. + Don't advertise "VERB" ESMTP extension if the "noexpn" privacy + option is set, since this disables VERB mode. Suggested + by John Hawkinson of MIT. + Complain if the QueueDirectory (Q) option is not set. Problem noted + by Motonori Nakamura of Kyoto University. + Only queue messages on transient .forward open failures if there + were no successful opens. The previous behaviour caused it + to queue even if a "fall back" .forward was found. Problem + noted by Ann-Kian Yeo of the Dept. of Information Systems + and Computer Science (DISCS), NUS, Singapore. 
+ Don't do 8->7 bit conversions when bouncing a MIME message that + is bouncing because of a MIME error during 8->7 bit conversion; + the encapsulated message will bounce again, causing a loop. + Problem noted by Steve Hubert of the University of Washington. + Create xf (transcript) files using the TempFileMode option value + instead of 0644. Suggested by Ann-Kian Yeo of the + National University of Singapore. + Print errors if setgid/setuid/etc. fail during delivery. This helps + detect cases where DefaultUid is set to something that the + system can't cope with. + PORTABILITY FIXES: + Support for AIX/RS 2.2.1 from Mark Whetzel of Western + Atlas International. + Patches for Intel Paragon OSF/1 1.3 from Leo Bicknell + <bicknell@ufp.org>. + On DEC OSF/1 3.2 and earlier, the MatchGECOS code would only + work on the first recipient of a message due to a + bug in the getpwent family. If this is something you + use, you can define DEC_OSF_BROKEN_GETPWENT=1 for a + workaround. From Maximum Entropy of Sanford C. + Bernstein and Associates. + FreeBSD 1.1.5.1 uname -r returns a string containing + parentheses, which breaks makesendmail. Reported + by Piero Serini <piero@strider.ibenet.it>. + Sequent DYNIX/ptx 4.0.2 patches from Jack Woolley of + Systems and Computer Technology Corporation. + Solaris 2.x: omit the UUCP grade parameter (-g flag) because + it is system-dependent. Problem noted by J.J. Bailey + of Bailey Computer Consulting. + Pyramid NILE running DC/OSx support from Earle F. Ake of + Hassler Communication Systems Technology, Inc. + HP-UX 10.x compile glitches, reported by Anne Brink of the + U.S. Army and James Byrne of Harte & Lyne Limited. + NetBSD from Matthew Green of the NetBSD crew. + SCO 5.x from Keith Reynolds of SCO. + IRIX 6.2 from Robert Tarrall of the University of + Colorado and Kari Hurtta of the Finnish Meteorological + Institute. + UXP/DS (Fujitsu/ICL DS/90 series) support from Diego R. + Lopez, CICA (Seville). 
+ NCR SVR4 MP-RAS 3.x support from Tom Moore of NCR. + PTX 3.2.0 from Kenneth Stailey of the US Department of Labor + Employment Standards Administration. + Altos System V (5.3.1) from Tim Rice of Multitalents. + Concurrent Systems Corporation Maxion from Donald R. Laster + Jr. + NetInfo maps (improved debugging and multi-valued aliases) + from Adrian Steinmann of Steinmann Consulting. + ConvexOS 11.5 (including SecureWare C2 and the Share Scheduler) + from Eric Schnoebelen of Convex. + Linux 2.0 mail.local patches from Horst von Brand. + NEXTSTEP 3.x compilation from Robert La Ferla. + NEXTSTEP 3.x code changes from Allan J. Nathanson of NeXT. + Solaris 2.5 configuration fixes for mail.local by Jim Davis + of the University of Arizona. + Solaris 2.5 has a working setreuid. Noted by David Linn of + Vanderbilt University. + Solaris changes for praliases, makemap, mailstats, and smrsh. + Previously you had to add -DSOLARIS in Makefile.dist; + this auto-detects. Based on a patch from Randall + Winchester of the University of Maryland. + CONFIG: add generic-nextstep3.3.mc file. Contributed by + Robert La Ferla of Hot Software. + CONFIG: allow mailertables to resolve to ``error:code message'' + (where "code" is an exit status) on domains (previously + worked only on hosts). Patch from Cor Bosman of Xs4all + Foundation. + CONFIG: hooks for IPv6-style domain literals. + CONFIG: predefine ALIAS_FILE and change the prototype file so that + if it is undefined the AliasFile option is never set; this + should be transparent for most everyone. Suggested by John + Myers of CMU. + CONFIG: add FEATURE(limited_masquerade). Without this feature, any + domain listed in $=w is masqueraded. With it, only those + domains listed in a MASQUERADE_DOMAIN macro are masqueraded. + CONFIG: add FEATURE(masquerade_entire_domain). This causes + masquerading specified by MASQUERADE_DOMAIN to apply to all + hosts under those domains as well as the domain headers + themselves. 
For example, if a configuration had + MASQUERADE_DOMAIN(foo.com), then without this feature only + foo.com would be masqueraded; with it, *.foo.com would be + masqueraded as well. Based on an implementation by Richard + (Pug) Bainter of U. Texas. + CONFIG: add FEATURE(genericstable) to do a more general rewriting of + outgoing addresses. Defaults to ``hash -o /etc/genericstable''. + Keys are user names; values are outgoing mail addresses. Yes, + this does overlap with the user database, and figuring out + just when to use which one may be tricky. Based on code + contributed by Richard (Pug) Bainter of U. Texas with updates + from Per Hedeland of Ericsson. + CONFIG: add FEATURE(virtusertable) to do generalized rewriting of + incoming addresses. Defaults to ``hash -o /etc/virtusertable''. + Keys are either fully qualified addresses or just the host + part (with the @ sign). For example, a table containing: + info@foo.com foo-info + info@bar.com bar-info + @baz.org jane@elsewhere.net + would send all mail destined for info@foo.com to foo-info + (which is presumably an alias), mail addressed to info@bar.com + to bar-info, and anything addressed to anyone at baz.org will + be sent to jane@elsewhere.net. The names foo.com, bar.com, + and baz.org must all be in $=w. Based on discussions with + a great many people. + CONFIG: add nullclient configurations to define SMTP_MAILER_FLAGS. + Suggested by Richard Bainter. + CONFIG: add FAX_MAILER_ARGS to tweak the arguments passed to the + "fax" mailer. + CONFIG: allow mailertable entries to resolve to local:user; this + passes the original user@host in to procmail-style local + mailers as the "detail" information to allow them to do + additional clever processing. From Joe Pruett of + Teleport Corporation. Delivery to the original user can + be done by specifying "local:" (with nothing after the colon). 
+ CONFIG: allow any context that takes "mailer:domain" to also take + "mailer:user@domain" to force mailing to the given user; + "local:user" can also be used to do local delivery. This + applies on *_RELAY and in the mailertable entries. Based + on a suggestion by Ribert Kiessling of Easynet. + CONFIG: Allow FEATURE(bestmx_is_local) to take an argument that + limits the possible domains; this reduces the number of DNS + lookups required to support this feature. For example, + FEATURE(bestmx_is_local, my.site.com) limits the lookups + to domains under my.site.com. Code contributed by Anthony + Thyssen <anthony@cit.gu.edu.au>. + CONFIG: LOCAL_RULESETS introduces any locally defined rulesets, + such as the check_rcpt ruleset. Suggested by Gregory Shapiro + of WPI. + CONFIG: MAILER_DEFINITIONS introduces any mailer definitions, in the + event you have to define local mailers. Suggested by + Gregory Shapiro of WPI. + CONFIG: fix cases where a three- (or more-) stage route-addr could + be misinterpreted as a list:...; syntax. Based on a patch by + Vlado Potisk <Vlado_Potisk@tempest.sk>. + CONFIG: Fix masquerading of UUCP addresses when the UUCP relay is + remotely connected. The address host!user was being + converted to host!user@thishost instead of host!user@uurelay. + Problem noted by William Gianopoulos of Raytheon Company. + CONFIG: add confTO_ICONNECT to set Timeout.iconnect. + CONFIG: change FEATURE(redirect) message from "User not local" to + "User has moved"; the former wording was confusing if the + new address is still on the local host. Based on a suggestion + by Andreas Luik. + CONFIG: add support in FEATURE(nullclient) for $=E (exposed users). + However, the class is not pre-initialized to contain root. + Suggested by Gregory Neil Shapiro. + CONTRIB: Remove XLA code at the request of the author, Christophe + Wolfhugel. + CONTRIB: Add re-mqueue.pl, contributed by Paul Pomes of Qualcomm. + MAIL.LOCAL: make it possible to compile mail.local on Solaris. 
Note + well: this produces a slightly different mailbox format (no + Content-Length: headers), file ownerships and modes are + different (not owned by group mail; mode 600 instead of 660), + and the local mailer flags will have to be tweaked (make them + match bsd4.4) in order to use this mailer. Patches from Paul + Hammann of the Missouri Research and Education Network. + MAIL.LOCAL: in some cases it could return EX_OK even though there + was a delivery error, such as if the ownership on the file + was wrong or the mode changed between the initial stat and + the open. Problem reported by William Colburn of the New + Mexico Institute of Mining and Technology. + MAILSTATS: handle zero length files more reliably. Patch from Bryan + Costales. + MAILSTATS: add man page contributed by Keith Bostic of BSDI. + MAKEMAP: The -d flag (to allow duplicate keys) to a btree map wasn't + honored. Fix from Michael Scott Shappe. + PRALIASES: add man page contributed by Keith Bostic of BSDI. + NEW FILES: + src/Makefiles/Makefile.AIX.2 + src/Makefiles/Makefile.IRIX.6.2 + src/Makefiles/Makefile.maxion + src/Makefiles/Makefile.NCR.MP-RAS.3.x + src/Makefiles/Makefile.SCO.5.x + src/Makefiles/Makefile.UXPDSV20 + mailstats/mailstats.8 + praliases/praliases.8 + cf/cf/generic-nextstep3.3.mc + cf/feature/genericstable.m4 + cf/feature/limited_masquerade.m4 + cf/feature/masquerade_entire_domain.m4 + cf/feature/virtusertable.m4 + cf/ostype/aix2.m4 + cf/ostype/altos.m4 + cf/ostype/maxion.m4 + cf/ostype/solaris2.ml.m4 + cf/ostype/uxpds.m4 + contrib/re-mqueue.pl + DELETED FILES: + src/Makefiles/Makefile.Solaris + contrib/xla/README + contrib/xla/xla.c + RENAMED FILES: + src/Makefiles/Makefile.NCR3000 => Makefile.NCR.MP-RAS.2.x + src/Makefiles/Makefile.SCO.3.2v4.2 => Makefile.SCO.4.2 + src/Makefiles/Makefile.UXPDS => Makefile.UXPDSV10 + src/Makefiles/Makefile.NeXT => Makefile.NeXT.2.x + src/Makefiles/Makefile.NEXTSTEP => Makefile.NeXT.3.x + +8.7.6/8.7.3 96/09/17 + SECURITY: It is possible to force 
getpwuid to fail when writing the + queue file, causing sendmail to fall back to running programs + as the default user. This is not exploitable from off-site. + Workarounds include using a unique user for the DefaultUser + (old u & g options) and using smrsh as the local shell. + SECURITY: fix some buffer overruns; in at least one case this allows + a local user to get root. This is not known to be exploitable + from off-site. The workaround is to disable chfn(1) commands. + +8.7.5/8.7.3 96/03/04 + Fix glitch in 8.7.4 when putting certain internal lines; this can + in some case cause connections to hang or messages to have + extra spaces in odd places. Patch from Eric Wassenaar; + reports from Eric Hall of Chiron Corporation, Stephen + Hansen of Stanford University, Dean Gaudet of HotWired, + and others. + +8.7.4/8.7.3 96/02/18 + SECURITY: In some cases it was still possible for an attacker to + insert newlines into a queue file, thus allowing access to + any user (except root). + CONFIG: no changes -- it is not a bug that the configuration + version number is unchanged. + +8.7.3/8.7.3 95/12/03 + Fix botch in name server timeout in RCPT code; this problem caused + two responses in SMTP, which breaks things horribly. Fix + from Gregory Neil Shapiro of WPI. + Verify that L= value on M lines cannot be negative, which could cause + negative array subscripting. Not a security problem since + this has to be in the config file, but it could have caused + core dumps. Pointed out by Bryan Costales. + Fix -d21 debug output for long macro names. Pointed out by Bryan + Costales. + PORTABILITY FIXES: + SCO doesn't have ftruncate. From Bill Aten of Computerizers. + IBM's version of arpa/nameser.h defaults to the wrong byte + order. Tweak it to work properly. Based on fixes + from Fletcher Mattox of UTexas and Betty Lee of + Stanford University. + CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option. + Deficiency pointed out by Bryan Costales of ICSI. 
+ +8.7.2/8.7.2 95/11/19 + REALLY fix the backslash escapes in SmtpGreetingMessage, + OperatorChars, and UnixFromLine options. They were not + properly repaired in 8.7.1. + Completely delete the Bcc: header if and only if there are other + valid recipient headers (To:, Cc: or Apparently-To:, the + last being a historic botch, of course). If Bcc: is the + only recipient header in the message, its value is tossed, + but the header name is kept. The old behaviour (always keep + the header name and toss the value) allowed primary recipients + to see that a Bcc: went to _someone_. + Include queue id on ``Authentication-Warning: <host>: <user> set + sender to <address> using -f'' syslog messages. Suggested + by Kari Hurtta. + If a sequence or switch map lookup entry gets a tempfail but then + continues on to another map type, but the name is not found, + return a temporary failure from the sequence or switch map. + For example, if hosts search ``dns files'' and DNS fails + with a tempfail, the hosts map will go on and search files, + but if it fails the whole thing should be a tempfail, not + a permanent (host unknown) failure, even though that is the + failure in the hosts.files map. This error caused hard + bounces when it should have requeued. + Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo + owned by bar mode 700 and inbox being setuid bar stopped + working properly due to excessive paranoia. Pointed out by + John Hawkinson of Panix. + An SMTP RCPT command referencing a host that gave a nameserver + timeout would return a 451 command (8.6 accepted it and + queued it locally). Revert to the 8.6 behaviour in order + to simplify queue management for clustered systems. Suggested + by Gregory Neil Shapiro of WPI. The same problem could break + MH, which assumes that the SMTP session will succeed (tsk, tsk + -- mail gets lost!); this was pointed out by Stuart Pook of + Infobiogen. + Fix possible buffer overflow in munchstring(). 
This was not a security + problem because you couldn't specify any argument to this + without first giving up root privileges, but it is still a + good idea to avoid future problems. Problem noted by John + Hawkinson and Sam Hartman of MIT. + ``452 Out of disk space for temp file'' messages weren't being + printed. Fix from David Perlin of Nanosoft. + Don't advertise the ESMTP DSN extension if the SendMIMEErrors option + is not set, since this is required to get the actual DSNs + created. Problem pointed out by John Gardiner Myers of CMU. + Log permission problems that cause .forward and :include: files to + be untrusted or ignored on log level 12 and higher. Suggested + by Randy Martin of Clemson University. + Allow user ids in U= clauses of M lines to have hyphens and + underscores. + Fix overcounting of recipients -- only happened when sending to an + alias. Pointed out by Mark Andrews of SGI and Jack Woolley + of Systems and Computer Technology Corporation. + If a message is sent to an address that fails, the error message that + is returned could show some extraneous "success" information + included even if the user did not request success notification, + which was confusing. Pointed out by Allan Johannesen of WPI. + Config files that had no AliasFile definition were defaulting to + using /etc/aliases; this caused problems with nullclient + configurations. Change it back to the 8.6 semantics of + having no local alias file unless it is declared. Problem + noted by Charles Karney of Princeton University. + Fix compile problem if NOTUNIX is defined. Pointed out by Bryan + Costales of ICSI. + Map lookups of class "userdb" maps were always case sensitive; they + should be controlled by the -f flag like other maps. Pointed + out by Bjart Kvarme <bjart.kvarme@usit.uio.no>. + Fix problem that caused some addresses to be passed through ruleset 5 + even when they were tagged as "sticky" by prefixing the + address with an "@". 
Patch from Thomas Dwyer III of Michigan + Technological University. + When converting a message to Quoted-Printable, prevent any lines with + dots alone on a line by themselves. This is because of the + preponderance of broken mailers that still get this wrong. + Code contributed by Per Hedeland of Ericsson. + Fix F{macro}/file construct -- it previously did nothing. Pointed + out by Bjart Kvarme of USIT/UiO (Norway). + Announce whether a cached connection is SMTP or ESMTP (in -v mode). + Requested by Allan Johannesen. + Delete check for text format of alias files -- it should be legal + to have the database format of the alias files without the + text version. Problem pointed out by Joe Rhett of Navigist, + Inc. + If "Ot" was specified with no value, the TZ variable was not properly + imported from the environment. Pointed out by Frank Crawford + <frank@ansto.gov.au>. + Some architectures core dumped on "program" maps that didn't have + extra arguments. Patch from Booker C. Bense of Stanford + University. + Queue run processes would re-spawn daemons when given a SIGHUP; only + the parent should do this. Fix from Brian Coan of the + Association for Progressive Communications. + If MinQueueAge was set and a message was considered but not run + during a queue run and the Timeout.queuereturn interval was + reached, a "timed out" error message would be returned that + didn't include the failed address (and claimed to be a warning + even though it was fatal). The fix is to not return such + messages until they are actually tried, i.e., in the next + MinQueueAge interval. Problem noted by Rein Tollevik of + SINTEF RUNIT, Oslo. + Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions + that have the hes_getmailhost() routine. DEC Hesiod + distributions do not have this routine. Based on a patch + from Betty Lee of Stanford University. 
+ Extensive cleanups to map open code to handle a locking race condition + in ndbm, hash, and btree format database files on some (most + non-4.4-BSD based) OS architectures. This should solve the + occasional "user unknown" problem during alias rebuilds that + has plagued me for quite some time. Based on a patch from + Thomas Dwyer III of Michigan Technological University. + PORTABILITY FIXES: + Solaris: Change location of newaliases and mailq from + /usr/ucb to /usr/bin to match Sun settings. From + James B. Davis of TCI. + DomainOS: Makefile.DomainOS doesn't require -ldbm. From + Don Lewis of Silicon Systems. + HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x + so that the makesendmail script will find it. Pointed + out by Richard Allen of the University of Iceland. + Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which + isn't supported on all compilers. + UXPDS: compilation fixes from Diego R. Lopez. + CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless + you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE. + CONFIG: Minor glitch in S21 -- attachment of local domain name + didn't have trailing dot. From Jim Hickstein of Teradyne. + CONFIG: Fix best_mx_is_local feature to allow nested addresses such as + user%host@thishost. From Claude Scarpelli of Infobiogen + (France). + CONFIG: OSTYPE(hpux10) failed to define the location of the help file. + Pointed out by Hannu Martikka of Nokia Telecommunications. + CONFIG: Diagnose some inappropriate ordering in configuration files, + such as FEATURE(smrsh) listed after MAILER(local). Based on + a bug report submitted by Paul Hoffman of Proper Publishing. + CONFIG: Make OSTYPE files consistently not override settings that + have already been set. Previously it worked differently + for different files. + CONFIG: Change relay mailer to do masquerading like 8.6 did. My take + is that this is wrong, but the change was causing problems + for some people. From Per Hedeland of Ericsson. 
+ CONTRIB: bitdomain.c patch from John Gardiner Myers <jgm+@CMU.EDU>; + portability changes for Posix environments (no functional + changes). + +8.7.1/8.7.1 95/10/01 + Old macros that have become options (SmtpGreetingMessage, + OperatorChars, and UnixFromLine) didn't allow backslash + escapes in the options, where they previously had. Bug + pointed out by John Hawkinson of MIT. + Fix strange case of an executable called by a program map that + returns a value but also a non-zero exit status; this + would give contradictory results in the higher level; in + particular, the default clause in the map lookup would be + ignored. Change to ignore the value if the program returns + non-zero exit status. From Tom Moore of AT&T GIS. + Shorten parameters passed to syslog() in some contexts to avoid a + bug in many vendors' implementations of that routine. Although + this isn't really a bug in sendmail per se, and my solution + has to assume that syslog() has at least a 1K buffer size + internally (I know some vendors have shortened this + dramatically -- they're on their own), sendmail is a popular + target. Also, limit the size of %s arguments in sprintf. + These both have possible security implications. Solutions + suggested by Casper Dik of Sun's Network Security Group + (Holland), Mark Seiden, and others. + Fix a problem that might cause a non-standard -B (body type) + parameter to be passed to the next server with undefined + results. This could have security implications. + If a filesystem was at > 100% utilization, the freediskspace() + routine incorrectly returned an error rather than zero. + Problem noted by G. Paul Ziemba of Alantec. + Change MX sort order so that local hostnames (those in $=w) always + sort first within a given preference. This forces the bestmx + map to always return the local host first, if it is included + in the list of highest priority MX records. From K. Robert + Elz. + Avoid some possible null pointer dereferences. 
Fixes from Randy + Martin <WOLF@CLEMSON.EDU> + When sendmail starts up on systems that have no fully qualified + domain name (FQDN) anywhere in the first matching host map + (e.g., /etc/hosts if the hosts service searches "files dns"), + sendmail would sleep to try to find a FQDN, which it really + really needs. This has been changed to fall through to the + next map type if it can't find a FQDN -- i.e., if the hosts + file doesn't have a FQDN, it will try dns even though the + short name was found in /etc/hosts. This is probably a crock, + but many people have hosts files without FQDNs. Remember: + domain names are your friends. + Log a high-priority message if you can't find your FQDN during startup. + Suggested by Simon Barnes of Schlumberger Limited. + When using Hesiod, initialize it early to improve error reporting. + Patch from Don Lewis of Silicon Systems, Inc. + Apparently at least some versions of Linux have a 90 !minute! TCP + connection timeout in the kernel. Add a new "connect" timeout + to limit this time. Defaults to zero (use whatever the + kernel provides). Based on code contributed by J.R. Oldroyd + of TerraNet. + Under some circumstances, a failed message would not be properly + removed from the queue, causing tons of bogus error messages. + (This fix eliminates the problematic EF_KEEPQUEUE flag.) + Problem noted by Allan E Johannesen and Gregory Neil Shapiro + of WPI. + PORTABILITY FIXES: + On IRIX 5.x, there was an inconsistency in the setting + of sendmail.st location. Change the Makefile to + install it in /var/sendmail.st to match the OSTYPE + file and SGI standards. From Andre + <andre@curry.zfe.siemens.de>. + Support for Fujitsu/ICL UXP/DS (For the DS/90 Series) + from Diego R. Lopez <drlopez@cica.es>. + Linux compilation patches from J.R. Oldroyd of TerraNet, Inc. + LUNA 2 Mach patches from Motonori Nakamura. + SunOS Makefile was including -ldbm, which is for the old + dbm library. The ndbm library is part of libc. 
+ CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with + ``local configuration error'' in nullclient configuration. + Patch from Gregory Neil Shapiro of WPI. + CONFIG: don't allow an alias file in nullclient configurations -- + since all addresses are relayed, they give errors during + rebuild. Suggested by Per Hedeland of Ericsson. + CONFIG: local mailer on Solaris 2 should always get a -f flag because + otherwise the F=S causes the From_ line to imply that root is + the sender. Problem pointed out by Claude Scarpelli of + Infobiogen (France). + NEW FILES: + cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake) + src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake) + src/Makefiles/Makefile.UXPDS + +8.7/8.7 95/09/16 + Fix a problem that could cause sendmail to run out of file + descriptors due to a trashed data structure after a + vfork. Fix from Brian Coan of the Institute for + Global Communications. + Change the VRFY response if you have disabled VRFY -- some + people seemed to think that it was too rude. + Avoid reference to uninitialized file descriptor if HASFLOCK + was not defined. This was used "safely" in the sense + that it only did a stat, but it would have set the + map modification time improperly. Problem pointed out + by Roy Mongiovi of Georgia Tech. + Clean up the Subject: line on warning messages and return + receipts so that they don't say "Returned mail:"; this + can be confusing. + Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is + useful enough to make it worthwhile printing on "-d". + Avoid logging alias statistics every time you read the alias + file on systems with no database method compiled in. + If you have a name with a trailing dot, and you try looking it + up using gethostbyname without the dot (for /etc/hosts + compatibility), be sure to turn off RES_DEFNAMES and + RES_DNSRCH to avoid finding the wrong name accidentally. + Problem noted by Charles Amos of the University of + Maryland. 
+ Don't do timeouts in collect if you are not running SMTP. + There is nothing that says you can't have a long + running program piped into sendmail (possibly via + /bin/mail, which just execs sendmail). Problem reported + by Don "Truck" Lewis of Silicon Systems. + Try gethostbyname() even if the DNS lookup fails iff option I + is not set. This allows you to have hosts listed in + NIS or /etc/hosts that are not known to DNS. It's normally + a bad idea, but can be useful on firewall machines. This + should really be broken out on a separate flag, I suppose. + Avoid compile warnings against BIND 4.9.3, which uses function + prototypes. From Don Lewis of Silicon Systems. + Avoid possible incorrect diagnosis of DNS-related errors caused + by things like attempts to resolve uucp names using + $[ ... $] -- the fix is to clear h_errno at appropriate + times. From Kyle Jones of UUNET. + SECURITY: avoid denial-of-service attacks possible by destroying + the alias database file by setting resource limits low. + This involves adding two new compile-time options: + HASSETRLIMIT (indicating that setrlimit(2) support is + available) and HASULIMIT (indicating that ulimit(2) support + is available -- the Release 3 form is used). The former + is assumed on BSD-based systems, the latter on System + V-based systems. Attack noted by Phil Brandenberger of + Swarthmore University. + New syntaxes in test (-bt) mode: + ``.Dmvalue'' will define macro "m" to "value". + ``.Ccvalue'' will add "value" to class "c". + ``=Sruleset'' will dump the contents of the indicated + ruleset. + ``=M'' will display the known mailers. + ``-ddebug-spec'' is equivalent to the command-line + -d debug flag. + ``$m'' will print the value of macro $m. + ``$=c'' will print the contents of class $=c. + ``/mx host'' returns the MX records for ``host''. + ``/parse address'' will parse address, returning the value of + crackaddr (essentially, the comment information) + and the parsed address. 
+ ``/try mailer address'' will rewrite address into the form + it will have when presented to the indicated mailer. + ``/tryflags flags'' will set flags used by parsing. The + flags can be `H' for header or `E' for envelope, + and `S' for sender or `R' for recipient. These + can be combined, so `HR' sets flags for header + recipients. + ``/canon hostname'' will try to canonify hostname and + return the result. + ``/map mapname key'' will look up `key' in the indicated + `mapname' and return the result. + Somewhat better handling of UNIX-domain socket addresses -- it + should show the pathname rather than hex bytes. + Restore ``-ba'' mode -- this reads a file from stdin and parses + the header for envelope sender information and uses + CR-LF as message terminators. It was thought to be + obsolete (used only for Arpanet NCP protocols), but it + turns out that the UK ``Grey Book'' protocols require + that functionality. + Fix a fix in previous release -- if gethostname and gethostbyname + return a name without dots, and if an attempt to canonify + that name fails, wait one minute and try again. This can + result in an extra 60 second delay on startup if your system + hostname (as returned by hostname(1)) has no dot and no names + listed in /etc/hosts or your NIS map have a dot. + Check for proper domain name on HELO and EHLO commands per + RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III + of Michigan Technological University. + Relax chownsafe rules slightly -- old version said that if you + can't tell if _POSIX_CHOWN_RESTRICTED is set (that is, + if fpathconf returned EINVAL or ENOSYS), assume that + chown is not safe. The new version falls back to whether + you are on a BSD system or not. This is important for + SunOS, which apparently always returns one of those + error codes. This impacts whether you can mail to files + or not. 
+ Syntax errors such as unbalanced parentheses in the configuration + file could be omitted if you had "Oem" prior to the + syntax error in the config file. Change to always print + the error message. It was especially weird because it + would cause a "warning" message to be sent to the Postmaster + for every message sent (but with no transcript). Problem + noted by Gregory Paris of Motorola. + Rewrite collect and putbody to handle full 8-bit data, including + zero bytes. These changes are internally extensive, but + should have minimal impact on external function. + Allow full words for option names -- if the option letter is + (apparently) a space, then take the word following -- e.g., + O MatchGECOS=TRUE + The full list of old and new names is as follows: + 7 SevenBitInput + 8 EightBitMode + A AliasFile + a AliasWait + B BlankSub + b MinFreeBlocks/MaxMessageSize + C CheckpointInterval + c HoldExpensive + D AutoRebuildAliases + d DeliveryMode + E ErrorHeader + e ErrorMode + f SaveFromLine + F TempFileMode + G MatchGECOS + H HelpFile + h MaxHopCount + i IgnoreDots + I ResolverOptions + J ForwardPath + j SendMimeErrors + k ConnectionCacheSize + K ConnectionCacheTimeout + L LogLevel + l UseErrorsTo + m MeToo + n CheckAliases + O DaemonPortOptions + o OldStyleHeaders + P PostmasterCopy + p PrivacyOptions + Q QueueDirectory + q QueueFactor + R DontPruneRoutes + r, T Timeout + S StatusFile + s SuperSafe + t TimeZoneSpec + u DefaultUser + U UserDatabaseSpec + V FallbackMXhost + v Verbose + w TryNullMXList + x QueueLA + X RefuseLA + Y ForkEachJob + y RecipientFactor + z ClassFactor + Z RetryFactor + The old macros that passed information into sendmail have + been changed to options; those correspondences are: + $e SmtpGreetingMessage + $l UnixFromLine + $o OperatorChars + $q (deleted -- not necessary) + To avoid possible problems with an older sendmail, + configuration level 6 is accepted by this version of + sendmail; any config file using the new names should + specify 
"V6" in the configuration. + Change address parsing to properly note that a phrase before a + colon and a trailing semicolon are essentially the same + as text outside of angle brackets (i.e., sendmail should + treat them as comments). This is to handle the + ``group name: addr1, addr2, ..., addrN;'' syntax (it will + assume that ``group name:'' is a comment on the first + address and the ``;'' is a comment on the last address). + This requires config file support to get right. It does + understand that :: is NOT this syntax, and can be turned + off completely by setting the ColonOkInAddresses option. + Level 6 config files added with new mailer flags: + A Addresses are aliasable. + i Do udb rewriting on envelope as well as header + sender lines. Applies to the from address mailer + flags rather than the recipient mailer flags. + j Do udb rewriting on header recipient addresses. + Applies to the sender mailer flags rather than the + recipient mailer flags. + k Disable check for loops when doing HELO command. + o Always run as the mail recipient, even on local + delivery. + w Check for an /etc/passwd entry for this user. + 5 Pass addresses through ruleset 5. + : Check for :include: on this address. + | Check for |program on this address. + / Check for /file on this address. + @ Look up sender header addresses in the user + database. Applies to the mailer flags for the + mailer corresponding to the envelope sender + address, rather than to recipient mailer flags. + Pre-level 6 configuration files set A, w, 5, :, |, /, and @ + on the "local" mailer, the o flag on the "prog" and "*file*" + mailers, and the ColonOkInAddresses option. + Eight-to-seven bit MIME conversions. This borrows ideas from + John Beck of Hewlett-Packard, who generously contributed + their implementation to me, which I then didn't use (see + mime.c for an explanation of why). This adds the + EightBitMode option (a.k.a. `8') and an F=8 mailer flag + to control handling of 8-bit data. 
These have to cope with + two types of 8-bit data: unlabelled 8-bit data (that is, + 8-bit data that is entered without declaring it as 8-bit + MIME -- technically this is illegal according to the + specs) and labelled 8-bit data (that is, it was declared + as 8BITMIME in the ESMTP session or by using the + -B8BITMIME command line flag). If the F=8 mailer flag is + set then 8-bit data is sent to non-8BITMIME machines + instead of converting to 7 bit (essentially using + just-send-8 semantics). The values for EightBitMode are: + m convert unlabelled 8-bit input to 8BITMIME, and do + any necessary conversion of 8BITMIME to 7BIT + (essentially, the full MIME option). + p pass unlabelled 8-bit input, but convert labelled + 8BITMIME input to 7BIT as required (default). + s strict adherence: reject unlabelled 8-bit input, + convert 8BITMIME to 7BIT as required. The F=8 + flag is ignored. + Unlabelled 8-bit data is rejected in mode `s' regardless of + the setting of F=8. + Add new internal class 'n', which is the set of MIME Content-Types + which can not be 8 to 7 bit encoded because of other + considerations. Types "multipart/*" and "message/*" are + never directly encoded (although their components can be). + Add new internal class 's', which is the set of subtypes of the + MIME message/* content type that can be treated as though + they are an RFC822 message. It is predefined to have + "rfc822". Suggested By Kari Hurtta. + Add new internal class 'e'. This is the set of MIME + Content-Transfer-Encodings that can be converted to + a seven bit format (Quoted-Printable or Base64). It is + preinitialized to contain "7bit", "8bit", and "binary". + Add C=charset mailer parameter and the the DefaultCharSet option (no + short name) to set the default character set to use in the + Content-Type: header when doing encoding of an 8-bit message + which isn't marked as MIME into MIME format. 
If the C= + parameter is set on the Envelope From address, use that as + the default encoding; else use the DefaultCharSet option. + If neither is set, it defaults to "unknown-8bit" as + suggested by RFC 1428 section 3. + Allow ``U=user:group'' field in mailer definition to set a default + user and group that a mailer will be executed as. This + overrides the 'u' and 'g' options, and if the `F=S' flag is + also set, it is the uid/gid that will always be used (that + is, the controlling address is ignored). The values may be + numeric or symbolic; if only a symbolic user is given (no + group) that user's default group in the passwd file is used + as the group. Based on code donated by Chip Rosenthal of + Unicom. + Allow `u' option to also accept user:group as a value, in the same + fashion as the U= mailer option. + Add the symbolic time zone name in the Arpanet format dates (as + a comment). This adds a new compile-time configuration + flag: TZ_TYPE can be set to TZ_TM_NAME (use the value + of (struct tm *)->tm_name), TZ_TM_ZONE (use the value + of (struct tm *)->tm_zone), TZ_TZNAME (use extern char + *tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use + timezone()), or TZ_NONE (don't include the comment). Code + from Chip Rosenthal. + The "Timeout" option (formerly "r") is extended to allow suboptions. + For example, + O Timeout.helo = 2m + There are also two new suboptions "queuereturn" and + "queuewarn"; these subsume the old T option. Thus, to + set them both the preferred new syntax is + O Timeout.queuereturn = 5d + O Timeout.queuewarn = 4h + Sort queue by host name instead of by message priority if the + QueueSortOrder option (no short name) is set is set to + ``host''. This makes better use of the connection cache, + but may delay more ``interactive'' messages behind large + backlogs under some circumstances. 
This is probably a + good option if you have high speed links or don't do lots + of ``batch'' messages, but less good if you are using + something like PPP on a 14.4 modem. Based on code + contributed by Roy Mongiovi of Georgia Tech (my main + contribution was to make it configurable). + Save i-number of df file in qf file to simplify rebuilding of queue + after disastrous disk crash. Suggested by Kyle Jones of + UUNET; closely based on code from KJS DECWRL code written + by Paul Vixie. NOTA BENE: The qf files produced by 8.7 + are NOT back compatible with 8.6 -- that is, you can convert + from 8.6 to 8.7, but not the other direction. + Add ``F=d'' mailer flag to disable all use of angle brackets in + route-addrs in envelopes; this is because in some cases + they can be sent to the shell, which interprets them as + I/O redirection. + Don't include error file (option E) with return-receipts; this + can be confusing. + Don't send "Warning: cannot send" messages to owner-* or + *-request addresses. Suggested by Christophe Wolfhugel + of the Institut Pasteur, Paris. + Allow -O command line flag to set long form options. + Add "MinQueueAge" option to set the minimum time between attempts + to run the queue. For example, if the queue interval + (-q value) is five minutes, but the minimum queue age + is fifteen minutes, jobs won't be tried more often than + once every fifteen minutes. This can be used to give + you more responsiveness if your delivery mode is set to + queue-only. + Allow "fileopen" timeout (default: 60 seconds) for opening + :include: and .forward files. + Add "-k", "-v", and "-z" flags to map definitions; these set the + key field name, the value field name, and the field + delimiter. The field delimiter can be a single character + or the sequence "\t" or "\n" for tab or newline. + These are for use by NIS+ and similar access methods. + Change maps to always strip quotes before lookups; the -q flag + turns off this behaviour. 
Suggested by Motonori Nakamura. + Add "nisplus" map class. Takes -k and -v flags to choose the + key and value field names respectively. Code donated by + Sun Microsystems. + Add "hesiod" map class. The "file name" is used as the + "HesiodNameType" parameter to hes_resolve(3). Returns the + first value found for the match. Code donated by Scott + Hutton of Indiana University. + Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to + specify the name of the property that is searched as the + key and a -v flag to specify the name of the property that + is returned as the value (defaults to "members"). The + default map is "/aliases". Some code based on code + contributed by Robert La Ferla of Hot Software. + Add "text" map class. This does slow, linear searches through + text files. The -z flag specifies a column delimiter + (defaults to any sequence of white space), the -k flag + sets the key column number, and the -v flag sets the + value column number. Lines beginning with `#' are treated + as comments. + Add "program" map class to execute arbitrary programs. The search + key is presented as the last argument; the output is one + line read from the programs standard output. Exit statuses + are from sysexits.h. + Add "sequence" map class -- searches maps in sequence until it + finds a match. For example, the declarations: + Kmap1 ... + Kmap2 ... + Kmapseq sequence map1 map2 + defines a map "mapseq" that first searches map1; if the + value is found it is returned immediately, otherwise + map2 is searched and the value returned. + Add "switch" map class. This is much like "sequence" except that + the ordering is fetched from an external file, usually + the system service switch. The parameter is the name of + the service to switch on, and the maps that it will use + are the name of the switch map followed by ".service_type". 
+ For example, if the declaration of the map is + Ksample switch hosts + and the system service switch specifies that hosts are + looked up using dns and nis in that order, then this is + equivalent to + Ksample sequence sample.dns sample.nis + The subordinate maps (sample.*) must already be defined. + Add "user" map class -- looks up users using getpwnam. Takes a + "-v field" flag on the definition that tells what passwd + entry to return -- legal values are name, passwd, uid, gid, + gecos, dir, and shell. Generally expected to be used with + the -m (matchonly) flag. + Add "bestmx" map class -- returns the best MX value for the host + listed as the value. If there are several "best" MX records + for this host, one will be chosen at random. + Add "userdb" map class -- looks up entries in the user database. + The "file name" is actually the tag that will be used, + typically "mailname". If there are multiple entries + matching the name, the one chosen is undefined. + Add multiple queue timeouts (both return and warning). These are + set by the Precedence: or Priority: header fields to one of + three values. If a Priority: is set and has value "normal", + "urgent", or "non-urgent" the corresponding timeouts are + used. If no priority is set, the Precedence: is consulted; + if negative, non-urgent timeouts are used; if greater than + zero, urgent timeouts are used. Otherwise, normal timeouts + are used. The timeouts are set by setting the six timeouts + queue{warn,return}.{urgent,normal,non-urgent}. + Fix problem when a mail address is resolved to a $#error mailer + with a temporary failure indication; it works in SMTP, + but when delivering locally the mail is silently discarded. + This patch, from Kyle Jones of UUNET, bounces it instead + of queueing it (queueing is very hard). + When using /etc/hosts or NIS-style lookups, don't assume that + the first name in the list is the best one -- instead, + search for the first one with a dot. 
For example, if + an /etc/hosts entry reads + 128.32.149.68 mammoth mammoth.CS.Berkeley.EDU + this change will use the second name as the canonical + machine name instead of the initial, unqualified name. + Change dequote map to replace spaces in quoted text with a value + indicated by the -s flag on the dequote map definition. + For example, ``Mdequote dequote -s_'' will change + "Foo Bar" into an unquoted Foo_Bar instead of leaving it + quoted (because of the space character). Suggested by Dan + Oscarsson for use in X.400 addresses. + Implement long macro names as ${name}; long class names can + be similarly referenced as $={name} and $~{name}. + Definitions are (e.g.) ``D{name}value''. Names that have + a leading lower case letter or punctuation characters are + reserved for internal use by sendmail; i.e., config files + should use names that begin with a capital letter. Based + on code contributed by Dan Oscarsson. + Fix core dump if getgrgid returns a null group list (as opposed + to an empty group list, that is, a pointer to a list + with no members). Fix from Andrew Chang of Sun Microsystems. + Fix possible core dump if malloc fails -- if the malloc in xalloc + failed, it called syserr which called newstr which called + xalloc.... The newstr is now avoided for "panic" messages. + Reported by Stuart Kemp of James Cook University. + Improve connection cache timeouts; previously, they were not even + checked if you were delivering to anything other than an + IPC-connected host, so a series of (say) local mail + deliveries could cause cached connections to be open + much longer than the specified timeout. + If an incoming message exceeds the maximum message size, stop + writing the incoming bytes to the queue data file, since + this can fill your mqueue partition -- this is a possible + denial-of-service attack. + Don't reject all numeric local user names unless HESIOD is + defined. It turns out that Posix allows all-numeric + user names. 
Fix from Tony Sanders of BSDI. + Add service switch support. If the local OS has a service + switch (e.g., /etc/nsswitch.conf on Solaris or /etc/svc.conf + on DEC systems) that will be used; otherwise, it falls back + to using a local mechanism based on the ServiceSwitchFile + option (default: /etc/service.switch). For example, if the + service switch lists "files" and "nis" for the aliases + service, that will be the default lookup order. the "files" + ("local" on DEC) service type expands to any alias files + you listed in the configuration file, even if they aren't + actually file lookups. + Option I (NameServerOptions) no longer sets the "UseNameServer" + variable which tells whether or not DNS should be considered + canonical. This is now determined based on whether or not + "dns" is in the service list for "hosts". + Add preliminary support for the ESMTP "DSN" extension (Delivery + Status Notifications). DSN notifications override + Return-Receipt-To: headers, which are bogus anyhow -- + support for them has been removed. + Add T=mts-name-type/address-type/diagnostic-type keyletter to mailer + definitions to define the types used in DSN returns for + MTA names, addresses, and diagnostics respectively. + Extend heuristic to force running in ESMTP mode to look for the + five-character string "ESMTP" anywhere in the 220 greeting + message (not just the second line). This is to provide + better compatibility with other ESMTP servers. + Print sequence number of job when running the queue so you can + easily see how much progress you have made. Suggested + by Peter Wemm of DIALix. + Map newlines to spaces in logged message-ids; some versions of + syslog truncate the rest of the line after newlines. + Suggested by Fletcher Mattox of U. Texas. + Move up forking for job runs so that if a message is split into + multiple envelopes you don't get "fork storms" -- this + also improves the connection cache utilization. 
+ Accept "<<>>", "<<<>>>", and so forth as equivalent to "<>" for + the purposes of refusing to send error returns. Suggested + by Motonori Nakamura of Ritsumeikan University. + Relax rules on when a file can be written when referenced from + the aliases file: use the default uid/gid instead of the + real uid/gid. This allows you to create a file owned by + and writable only by the default uid/gid that will work + all the time (without having the setuid bit set). Change + suggested by Shau-Ping Lo and Andrew Cheng of Sun + Microsystems. + Add "DialDelay" option (no short name) to provide an "extra" + delay for dial on demand systems. If this is non-zero + and a connect fails, sendmail will wait this long and + then try again. If it takes longer than the kernel + timeout interval to establish the connection, this + option can give the network software time to establish + the link. The default units are seconds. + Move logging of sender information to be as early as possible; + previously, it could be delayed a while for SMTP mail + sent to aliases. Suggested by Brad Knowles of the + Defense Information Systems Agency. + Call res_init() before setting RES_DEBUG; this is required by + BIND 4.9.3, or so I'm told. From Douglas Anderson of + the National Computer Security Center. + Add xdelay= field in logs -- this is a transaction delay, telling + you how long it took to deliver to this address on the + last try. It is intended to be used for sorting mailing + lists to favor "quick" addresses. Provided for use by + the mailprio scripts (see below). + If a map cannot be opened, and that map is non-optional, and + an address requires that map for resolution, queue the + map instead of bouncing it. This involves creating a + pseudo-class of maps called "bogus-map" -- if a required + map cannot be opened, the class is changed to bogus-map; + all queries against bogus-map return "tempfail". The + bogus-map class is not directly accessible. 
A sample + implementation was donated by Jem Taylor of Glasgow + University Computing Service. + Fix a possible core dump when mailing to a program that talks + SMTP on its standard input. Fix from Keith Moore of + the University of Kentucky. + Make it possible to resolve filenames to $#local $: @ /filename; + previously, the "@" would cause it to not be recognized + as a file. Problem noted by Brian Hill of U.C. Davis. + Accept a -1 signal to re-exec the daemon. This only works if + argv[0] is a full path to sendmail. + Fix bug in "addr=..." field in O option on little-endian machines + -- the network number wasn't being converted to network + byte order. Patch from Kurt Lidl of Pix Technologies + Corporation. + Pre-initialize the resolver early on; this is to avoid a bug with + BIND 4.9.3 that can cause the _res.retry field to get + reset to zero, causing all name server lookups to time + out. Fix from Matt Day of Artisoft. + Restore T line (trusted users) in config file -- but instead of + locking out the -f flag, they just tell whether or not + an X-Authentication-Warning: will be added. This really + just creates new entries in class 't', so "Ft/file/name" + can be used to read trusted user names from a file. + Trusted users are also allowed to execute programs even + if they have a shell that isn't in /etc/shells. + Improve NEWDB alias file rebuilding so it will create them + properly if they do not already exist. This had been + a MAYBENEXTRELEASE feature in 8.6.9. + Check for @:@ entry in NIS maps before starting up to avoid + (but not prevent, sigh) race conditions. This ought to + be handled properly in ypserv, but isn't. Suggested by + Michael Beirne of Motorola. + Refuse connections if there isn't enough space on the filesystem + holding the queue. Contributed by Robert Dana of Wolf + Communications. 
+ Skip checking for directory permissions in the path to a file + when checking for file permissions iff setreuid() + succeeded -- it is unnecessary in that case. This avoids + significant performance problems when looking for .forward + files. Based on a suggestion by Win Bent of USC. + Allow symbolic ruleset names. Syntax can be "Sname" to get an + arbitrary ruleset number assigned or "Sname = integer" + to assign a specific ruleset number. Reference is + $>name_or_number. Names can be composed of alphas, digits, + underscore, or hyphen (first character must be non-numeric). + Allow -o flag on AliasFile lines to make the alias file optional. + From Bryan Costales of ICSI. + Add NoRecipientAction option to handle the case where there is + no legal recipient header in the message. It can take + on values: + None Leave the message as is. The + message will be passed on even + though it is in technically + illegal syntax. + Add-To Add a To: header with any + recipients that it can find from + the envelope. This risks exposing + Bcc: recipients. + Add-Apparently-To Add an Apparently-To: header. This + has almost no redeeming social value, + and is provided only for back + compatibility. + Add-To-Undisclosed Add a header reading + To: undisclosed-recipients:; + which will have the effect of + making the message legal without + exposing Bcc: recipients. + Add-Bcc To add an empty Bcc: header. + There is a chance that mailers down + the line will delete this header, + which could cause exposure of Bcc: + recipients. + The default is NoRecipientAction=None. + Truncate (rather than delete) Bcc: lines in the header. This + should prevent later sendmails (at least, those that don't + themselves delete Bcc:) from considering this message to + be non-conforming -- although it does imply that non-blind + recipients can see that a Bcc: was sent, albeit not to whom. + Add SafeFileEnvironment option. 
If declared, files named as delivery + targets must be regular files in addition to the regular + checks. Also, if the option is non-null then it is used as + the name of a directory that is used as a chroot(2) + environment for the delivery; the file names listed in an + alias or forward should include the name of this root. + For example, if you run with + O SafeFileEnvironment=/arch + then aliases should reference "/arch/rest/of/path". If a + value is given, sendmail also won't try to save to + /usr/tmp/dead.letter (instead it just leaves the job in the + queue as Qfxxxxxx). Inspired by *Hobbit*'s sendmail patch kit. + Support -A flag for alias files; this will comma concatenate like + entries. For example, given the aliases: + list: member1 + list: member2 + and an alias file declared as: + OAhash:-A /etc/aliases + the final alias inserted will be "list: member1,member2"; + without -A you will get an error on the second and subsequent + alias for "list". Contributed by Bryan Costales of ICSI. + Line-buffer transcript file. Suggested by Liudvikas Bukys. + Fix a problem that could cause very long addresses to core dump in + some special circumstances. Problem pointed out by Allan + Johannesen. + (Internal change.) Change interface to expand() (macro expansion) + to be simpler and more consistent. + Delete check for funny qf file names. This didn't really give + any extra security and caused some people some problems. + (If you -really- want this, define PICKY_QF_NAME_CHECK + at compile time.) Suggested by Kyle Jones of UUNET. + (Internal change.) Change EF_NORETURN to EF_NO_BODY_RETN and + merge with DSN code; this is simpler and more consistent. + This may affect some people who have written their own + checkcompat() routine. + (Internal change.) Eliminate `D' line in qf file. The df file + is now assumed to be the same name as the qf file (with + the `q' changed to a `d', of course). 
+ Avoid forking for delivery if all recipient mailers are marked as + "expensive" -- this can be a major cost on some systems. + Essentially, this forces sendmail into "queue only" mode + if all it is going to do is queue anyway. + Avoid sending a null message in some rather unusual circumstances + (specifically, the RCPT command returns a temporary + failure but the connection is lost before the DATA + command). Fix from Scott Hammond of Secure Computing + Corporation. + Change makesendmail to use a somewhat more rational naming scheme: + Makefiles and obj directories are named $os.$rel.$arch, + where $os is the operating system (e.g., SunOS), $rel is + the release number (e.g., 5.3), and $arch is the machine + architecture (e.g., sun4). Any of these can be omitted, + and anything after the first dot in a release number can + be replaced with "x" (e.g., SunOS.4.x.sun4). The previous + version used $os.$arch.$rel and was rather less general. + Change makesendmail to do a "make depend" in the target directory + when it is being created. This involves adding an empty + "depend:" entry in most Makefiles. + Ignore IDENT return value if the OSTYPE field returns "OTHER", + as indicated by RFC 1413. Pointed out by Kari Hurtta + of the Finnish Meteorological Institute. + Fix problem that could cause multiple responses to DATA command + on header syntax errors (e.g., lines beginning with colons). + Problem noted by Jens Thomassen of the University of Oslo. + Don't let null bytes in headers cause truncation of the rest of + the header. + Log Authentication-Warning:s. Suggested by Motonori Nakamura. + Increase timeouts on message data puts to allow time for receivers + to canonify addresses in headers on the fly. This is still + a rather ugly heuristic. From Motonori Nakamura. + Add "HasWildcardMX" suboption to ResolverOptions; if set, MX + records are not used when canonifying names, and when MX + lookups are done for addressing they must be fully + qualified. 
This is useful if you have a wildcard MX record, + although it may cause other problems. In general, don't use + wildcard MX records. Patch from Motonori Nakamura. + Eliminate default two-line SMTP greeting message. Instead of + adding an extra "ESMTP spoken here" line, the word "ESMTP" + is added between the first and second word of the first + line of the greeting message (i.e., immediately after the + host name). This eliminates the need for the BROKEN_SMTP_PEERS + compile flag. Old sendmails won't see the ESMTP, but that's + acceptable because SIZE was the only useful extension that + old sendmails understand. + Avoid gethostbyname calls on UNIX domain sockets during SIGUSR1 + invoked state dumps. From Masaharu Onishi. + Allow on-line comments in .forward and :include: files; they are + introduced by the string "<LWSP>#@#<LWSP>", where <LWSP> + is a space or a tab. This is intended for native + representation of non-ASCII sets such as Japanese, where + existing encodings would be unreadable or would lose + data -- for example, + <motonori@cs.ritsumei.ac.jp> NAKAMURA Motonori + (romanized/less information) + <motonori@cs.ritsumei.ac.jp> =?ISO-2022-JP?B?GyRCQ2ZCPBsoQg==?= + =?ISO-2022-JP?B?GyRCQUdFNRsoQg==?= + (with MIME encoding, not human readable) + <motonori@cs.ritsumei.ac.jp> #@# ^[$BCfB<^[(B ^[$BAGE5^[(B + (native encoding with ISO-2022-JP) + The last form is human readable in the Japanese environment. + Based on a fix from (surprise!) Motonori Nakamura. + Don't make SMTP error returns on MAIL FROM: line be "sticky" for all + messages to that host; these are most frequently associated + with addresses rather than the host, with the exception of + 421 (service shutting down). The effect was to cause queues + to sometimes take an excessive time to flush. Reported by + Robert Sargent of Southern Geographics Technologies and + Eric Prestemon of American University. + Add Nice=N mailer option to set the niceness at which a mailer will + run. 
This is actually a relative niceness (that is, an + increment on the background value). + Log queue runs that are skipped due to high loads. They are logged + at LOG_INFO priority iff the log level is > 8. Contributed + by Bruce Nagel of Data General. + Allow the error mailer to accept a DSN-style error status code + instead of an sysexits status code in the host part. + Anything with a dot will be interpreted as a DSN-style code. + Add new mailer flag: F=3 will tell translations to Quoted-Printable + to encode characters that might be munged by an EBCDIC system + in addition to the set required by RFC 1521. The additional + characters are !, ", #, $, @, [, \, ], ^, `, {, |, }, and ~. + (Think of "IBM 360" as the mnemonic for this flag.) + Change check for mailing to files to look for a pathname of [FILE] + rather than looking for the mailer named *file*. The mapping + of leading slashes still goes to the *file* mailer. This + allows you to implement the *file* mailer as a separate + program, for example, to insert a Content-Length: header + or do special security policy. However, note that the usual + initial checking for the file permissions is still done, and + the program in question needs to be very careful about how + it does the file write to avoid security problems. + Be able to read ~root/.forward even if the path isn't accessible to + regular users. This is disrecommended because sendmail + sometimes does not run as root (e.g., when an unsafe option + is specified on the command line), but should otherwise be + safe because .forward files must be owned by the user for + whom mail is being forwarded, and cannot be a symbolic link. + Suggested by Forrest Aldrich of Wang Laboratories. + Add new "HostsFile" option that is the pathname to the /etc/hosts + file. This is used for canonifying hostnames when the + service type is "files". + Implement programs on F (read class from file) line. 
The syntax is + Fc|/path/to/program to read the output from the program + into class "c". + Probe the network interfaces to find alternate names for this + host. Requires the SIOCGIFCONF ioctl call. Code + contributed by SunSoft. + Add "E" configuration line to set or propagate environment + variables into children. "E<envar>" will propagate + the named variable from the environment when sendmail + was invoked into any children it calls; "E<envar>=<value>" + sets the named variable to the indicated value. Any + variables not explicitly named will not be in the child + environment. However, sendmail still forces an + "AGENT=sendmail" environment variable, in part to enforce + at least one environment variable, since many programs and + libraries die horribly if this is not guaranteed. + Change heuristic for rebuilding both NEWDB and NDBM versions of + alias databases -- new algorithm looks for the substring + "/yp/" in the file name. This is more portable and involves + less overhead. Suggested by Motonori Nakamura. + Dynamically allocate the queue work list so that you don't lose + jobs in large queue runs. The old QUEUESIZE compile parameter + is replaced by QUEUESEGSIZE (the unit of allocation, which + should not need to be changed) and the MaxQueueRunSize option, + which is the absolute maximum number of jobs that will ever + be handled in a single queue run. Based on code contributed + by Brian Coan of the Institute for Global Communications. + Log message when a message is dropped because it exceeds the maximum + message size. Suggested by Leo Bicknell of Virginia Tech. + Allow trusted users (those on a T line or in $=t) to use -bs without + an X-Authentication-Warning: added. Suggested by Mark Thomas + of Mark G. Thomas Consulting. + Announce state of compile flags on -d0.1 (-d0.10 throws in the + OS-dependent defines). 
The old semantic of -d0.1 to not + run the daemon in background has been moved to -d99.100, + and the old 52.5 flag (to avoid disconnect() from closing + all output files) has been moved to 52.100. This makes + things more consistent (flags below .100 don't change + semantics) and separates out the backgrounding so that + it doesn't happen automatically on other unrelated debugging + flags. + If -t is used but no addresses are found in the header, give an + error message rather than just doing nothing. Fix from + Motonori Nakamura. + On systems (like SunOS) where the effective gid is not necessarily + included in the group list returned by getgroups(), the + `restrictmailq' option could sometimes cause an authorized + user to not be able to use `mailq'. Fix from Charles Hannum + of MIT. + Allow symbolic service names for [IPC] mailers. Suggested by + Gerry Magennis of Logica International. + Add DontExpandCnames option to prevent $[ ... $] from expanding CNAMEs + when running DNS. For example, if the name FTP.Foo.ORG is + a CNAME for Cruft.Foo.ORG, then when sitting on a machine in + the Foo.ORG domain a lookup of "FTP" returns "Cruft.Foo.ORG" + if this option is not set, or "FTP.Foo.ORG" if it is set. + This is technically illegal under RFC 822 and 1123, but the + IETF is moving toward legalizing it. Note that turning on + this option is not sufficient to guarantee that a downstream + neighbor won't rewrite the address for you. + Add "-m" flag to makesendmail script -- this tells you what object + directory and Makefile it will use, but doesn't actually do + the make. + Do some additional checking on the contents of the qf file to try + to detect attacks against the qf file. In particular, + abort on any line beginning "From ", and add an "end of + file" line -- any data after that line is prohibited. + Always use /etc/sendmail.cf, regardless of the arbitrary vendor + choices. 
This can be overridden in the Makefile by using + either -DUSE_VENDOR_CF_PATH to get the vendor location + (to the extent that we know it) or by defining + _PATH_SENDMAILCF (which is a "hard override"). This allows + sendmail 8 to have more consistent installation instructions. + Allow macros on `K' line in config file. Suggested by Andrew Chang + of Sun Microsystems. + Improved symbol table hash function from Eric Wassenaar. This one + is at least 50% faster. + Fix problem that didn't notice that timeout on file open was a + transient error. Fix from Larry Parmelee of Cornell + University. + Allow comments (lines beginning with a `#') in files read for + classes. Suggested by Motonori Nakamura. + Make SIGINT (usually ^C) in test mode return to the prompt instead + of dropping out entirely. This makes testing some of the + name server lookups easier to deal with when there are + hung servers. From Motonori Nakamura. + Add new ${opMode} macro that is set to the current operation mode + (e.g., `s' for -bs, `t' for -bt, etc.). Suggested by + Claude Marinier <MARINIER@emp.ewd.dreo.dnd.ca>. + Add new delivery mode (Odd) that defers all map lookups to queue runs. + Kind of like queue-only mode (Odq) except it tries to avoid + any external service requests; for dial-on-demand hosts that + want to minimize DNS lookups when mail is being queued. For + this to work you will also have to make sure that gethostbyname + of your local host name does not do a DNS lookup. + Improved handling of "out of space" conditions from John Myers of + Carnegie Mellon. + Improved security for mailing to files on systems that have fchmod(2) + support. + Improve "cannot send message for N days" message -- now says "could + not send for past N days". Suggested by Tom Moore of AT&T + Global Information Solutions. + Less misleading Subject: line on messages sent to postmaster only. + From Motonori Nakamura. + Avoid duplicate error messages on bad command line flags. From + Motonori Nakamura. 
+ Better error message for case where ruleset 0 falls off the end + or otherwise does not resolve to a canonical triple. + Fix a problem that could cause multiple bounce messages if a bad + address was sent along with a good address to an SMTP + site where that SMTP site returned a 4yz code in response + to the final dot of the data. Problem reported by David + James of British Telecom. + Add "volatile" declarations so that gcc -O2 will work. Patches + from Alexander Dupuy of System Management ARTS. + Delete duplicates in MX lists -- believe it or not, there are sites + that list the same host twice in an MX list. This deletion + only works on adjacent preferences, so an MX list that + had A=5, B=10, A=15 would leave both As, but one that had + A=5, A=10, B=15 would reduce to A, B. This is intentional, + just in case there is something weird I haven't thought of. + Suggested by Barry Shein of Software Tool & Die. + SECURITY: .forward files cannot be symbolic links. If they are, + a bad guy can read your private files. + PORTABILITY FIXES: + Solaris 2 from Rob McMahon <cudcv@csv.warwick.ac.uk>. + System V Release 4 from Motonori Nakamura of Ritsumeikan + University. This expands the disk size + checking to include all (?) SVR4 configurations. + System V Release 4 from Kimmo Suominen -- initgroups(3) + and setrlimit(2) are both available. + System V Release 4 from sob@sculley.ffg.com -- some versions + apparently "have EX_OK defined in other headerfiles." + Linux Makefile typo. + Linux getusershell(3) is broken in Slackware 2.0 -- + from Andrew Pam of Xanadu Australia. + More Linux tweaking from John Kennedy of California State + University, Chico. + Cray changes from Eric Wassenaar: ``On Cray, shorts, + ints, and longs are all 64 bits, and all structs + are multiples of 64 bits. This means that the + sizeof operator returns only multiples of 8. 
+ This requires adaptation of code that really + deals with 32 bit or 16 bit fields, such as IP + addresses or nameserver fields.'' + DG/UX 5.4.3 from Mark T. Robinson <mtr@ornl.gov>. To + get the old behaviour, use -DDGUX_5_4_2. + DG/UX hack: add _FORCE_MAIL_LOCAL_=yes environment + variable to fix bogus /bin/mail behaviour. + Tandem NonStop-UX from Rick McCarty <mccarty@mpd.tandem.com>. + This also cleans up some System V Release 4 compile + problems. + Solaris 2: sendmail.cw file should be in /etc/mail to + match all the other configuration files. Fix + from Glenn Barry of Emory University. + Solaris 2.3: compile problem in conf.c. Fix from Alain + Nissen of the University of Liege, Belgium. + Ultrix: freespace calculation was incorrect. Fix from + Takashi Kizu of Osaka University. + SVR4: running in background gets a SIGTTOU because the + emulation code doesn't realize that "getpeername" + doesn't require reading the file. Fix from Peter + Wemm of DIALix. + Solaris 2.3: due to an apparent bug in the socket emulation + library, sockets can get into a "wedged" state where + they just return EPROTO; closing and re-opening the + socket clears the problem. Fix from Bob Manson + of Ohio State University. + Hitachi 3050R & 3050RX running HI-UX/WE2: portability + fixes from Akihiro Hashimoto ("Hash") of Chiba + University. + AIX changes to allow setproctitle to work from Rainer Schöpf + of Zentrum für Datenverarbeitung der Universität + Mainz. + AIX changes for load average from Ed Ravin of NASA/Goddard. + SCO Unix from Chip Rosenthal of Unicom (code was using the + wrong statfs call). + ANSI C fixes from Adam Glass (NetBSD project). + Stardent Titan/ANSI C fixes from Kate Hedstrom of Rutgers + University. + DG-UX fixes from Bruce Nagel of Data General. + IRIX64 updates from Mark Levinson of the University of + Rochester Medical Center. 
+ Altos System V (``the first UNIX/XENIX merge the Altos + did for their Series 1000 & Series 2000 line; + their merged code was licensed back to AT&T and + Microsoft and became System V release 3.2'') from + Tim Rice <timr@crl.com>. + OSF/1 running on Intel Paragon from Jeff A. Earickson + <jeff@ssd.intel.com> of Intel Scalable Systems + Division. + Amdahl UTS System V 2.1.5 (SVr3-based) from Janet Jackson + <janet@dialix.oz.au>. + System V Release 4 (statvfs semantic fix) from Alain + Durand of I.M.A.G. + HP-UX 10.x multiprocessor load average changes from + Scott Hutton and Jeff Sumler of Indiana University. + Cray CSOS from Scott Bolte of Cray Computer Corporation. + Unicos 8.0 from Douglas K. Rand of the University of North + Dakota, Scientific Computing Center. + Solaris 2.4 fixes from Sanjay Dani of Dani Communications. + ConvexOS 11.0 from Christophe Wolfhugel. + IRIX 4.0.5 from David Ashton-Reader of CADcentre. + ISC UNIX from J. J. Bailey. + HP-UX 9.xx on the 8xx series machines from Remy Giraud + of Meteo France. + HP-UX configuration from Tom Lane <tgl@sss.pgh.pa.us>. + IRIX 5.2 and 5.3 from Kari E. Hurtta. + FreeBSD 2.0 from Mike Hickey of Federal Data Corporation. + Sony NEWS-OS 4.2.1R and 6.0.3 from Motonori Nakamura. + Omron LUNA unios-b, mach from Motonori Nakamura. + NEC EWS-UX/V 4.2 from Motonori Nakamura. + NeXT 2.1 from Bryan Costales. + AUX patch thanks to Mike Erwin of Apple Computer. + HP-UX 10.0 from John Beck of Hewlett-Packard. + Ultrix: allow -DBROKEN_RES_SEARCH=0 if you are using a + non-DEC resolver. Suggested by Allan Johannesen. + UnixWare 2.0 fixes from Petr Lampa of the Technical + University of Brno (Czech Republic). + KSR OS 1.2.2 support from Todd Miller of the University + of Colorado. + UX4800 support from Kazuhisa Shimizu of NEC. + MAKEMAP: allow -d flag to allow insertion of duplicate aliases + in type ``btree'' maps. The semantics of this are undefined + for regular maps, but it can be useful for the user database. 
+ MAKEMAP: lock database file while rebuilding to avoid sendmail + lookups while the rebuild is going on. There is a race + condition between the open(... O_TRUNC ...) and the lock + on the file, but it should be quite small. + SMRSH: sendmail restricted shell added to the release. This can + be used as an alternative to /bin/sh for the "prog" mailer, + giving the local administrator more control over what + programs can be run from sendmail. + MAIL.LOCAL: add this local mailer to the tape. It is not really + part of the release proper, and isn't fully supported; in + particular, it does not run on System V based systems and + never will. + CONTRIB: a patch to rmail.c from Bill Gianopoulos of Raytheon + to allow rmail to compile on systems that don't have + function prototypes and systems that don't have snprintf. + CONTRIB: add the "mailprio" scripts that will help you sort mailing + lists by transaction delay times so that addresses that + respond quickly get sent first. This is to prevent very + sluggish servers from delaying other peoples' mail. + Contributed by Tony Sanders of BSDI. + CONTRIB: add the "bsdi.mc" file as contributed by Tony Sanders + of BSDI. This has a lot of comments to help people out. + CONFIG: Don't have .mc files include(../m4/cf.m4) -- instead, + put this on the m4 command line. On GNU m4 (which + supports the __file__ primitive) you can run m4 in an + arbitrary directory -- use either: + m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf + or + m4 -I${CFDIR} m4/cf.m4 config.mc > config.cf + On other versions of m4 that don't support __file__, you + can use: + m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ... + (Note the trailing slash on the _CF_DIR_ definition.) + Old versions of m4 will default to _CF_DIR_=.. for back + compatibility. + CONFIG: fix mail from <> so it will properly convert to + MAILER-DAEMON on local addresses. + CONFIG: fix code that was supposed to catch colons in host + names. Problem noted by John Gardiner Myers of CMU. 
+ CONFIG: allow use of SMTP_MAILER_MAX in nullclient configuration. + From Paul Riddle of the University of Maryland, Baltimore + County. + CONFIG: Catch and reject "." as a host address. + CONFIG: Generalize domaintable to look up all domains, not + just unqualified ones. + CONFIG: Delete OLD_SENDMAIL support -- as near as I can tell, it + was never used and didn't work anyway. + CONFIG: Set flags A, w, 5, :, /, |, and @ on the "local" mailer + and d on all mailers in the UUCP class. + CONFIG: Allow "user+detail" to be aliased specially: it will first + look for an alias for "user+detail", then for "user+*", and + finally for "user". This is intended for forwarding mail + for system aliases such as root and postmaster to a + centralized hub. + CONFIG: add confEIGHT_BIT_HANDLING to set option 8 (see above). + CONFIG: add smtp8 mailer; this has the F=8 (just-send-8) flag set. + The F=8 flag is also set on the "relay" mailer, since + this is expected to be another sendmail. + CONFIG: avoid qualifying all UUCP addresses sent via SMTP with + the name of the UUCP_RELAY -- in some cases, this is the + wrong value (e.g., when we have local UUCP connections), + and this can create unreplyable addresses. From Chip + Rosenthal of Unicom. + CONFIG: add confRECEIVED_HEADER to change the format of the + Received: header inserted into all messages. Suggested by + Gary Mills of the University of Manitoba. + CONFIG: Make "notsticky" the default; use FEATURE(stickyhost) + to get the old behaviour. I did this upon observing + that almost everyone needed this feature, and that the + concept I was trying to make happen didn't work with + some user agents anyway. FEATURE(notsticky) still works, + but it is a no-op. + CONFIG: Add LUSER_RELAY -- the host to which unrecognized user + names are sent, rather than immediately diagnosing them + as User Unknown. 
+ CONFIG: Add SMTP_MAILER_ARGS, ESMTP_MAILER_ARGS, SMTP8_MAILER_ARGS, + and RELAY_MAILER_ARGS to set the arguments for the + indicated mailers. All default to "IPC $h". Patch from + Larry Parmelee of Cornell University. + CONFIG: pop mailer needs F=n flag to avoid "annoying side effects + on the client side" and F=P to get an appropriate + return-path. From Kimmo Suominen. + CONFIG: add FEATURE(local_procmail) to use the procmail program + as the local mailer. For addresses of the form "user+detail" + the "detail" part is passed to procmail via the -a flag. + Contributed by Kimmo Suominen. + CONFIG: add MAILER(procmail) to add an interface to procmail for + use from mailertables. This lets you execute arbitrary + procmail scripts. Contributed by Kimmo Suominen. + CONFIG: add T= fields (MTS type) to local, smtp, and uucp mailers. + CONFIG: add OSTYPE(ptx2) for DYNIX/ptx 2.x from Sequent. From + Paul Southworth of CICNet Systems Support. + CONFIG: use -a$g as default to UUCP mailers, instead of -a$f. + This causes the null return path to be rewritten as + MAILER-DAEMON; otherwise UUCP gets horribly confused. + From Michael Hohmuth of Technische Universitat Dresden. + CONFIG: Add FEATURE(bestmx_is_local) to cause any hosts that + list us as the best possible MX record to be treated as + though they were local (essentially, assume that they + are included in $=w). This can cause additional DNS + traffic, but is easier to administer if this fits your + local model. It does not work reliably if there are + multiple hosts that share the best MX preference. + Code contributed by John Oleynick of Rutgers. + CONFIG: Add FEATURE(smrsh) to use smrsh (the SendMail Restricted + SHell) instead of /bin/sh as the program used for delivery + to programs. If an argument is included, it is used as + the path to smrsh; otherwise, /usr/local/etc/smrsh is + assumed. 
+ CONFIG: Add LOCAL_MAILER_MAX and PROCMAILER_MAILER_MAX to limit the + size of messages to the local and procmail mailers + respectively. Contributed by Brad Knowles of the Defense + Information Systems Agency. + CONFIG: Handle leading ``phrase:'' and trailing ``;'' as comments + (just like text outside of angle brackets) in order to + properly deal with ``group: addr1, ... addrN;'' syntax. + CONFIG: Require OSTYPE macro (the defaults really don't apply to + any real systems any more) and tweak the DOMAIN macro + so that it is less likely that users will accidentally use + the Berkeley defaults. Also, create some generic files + that really can be used in the real world. + CONFIG: Add new configuration macros to set character sets for + messages _arriving from_ various mailers: LOCAL_MAILER_CHARSET, + SMTP_MAILER_CHARSET, and UUCP_MAILER_CHARSET. + CONFIG: Change UUCP_MAX_SIZE to UUCP_MAILER_MAX for consistency. + The old name will still be accepted for a while at least. + CONFIG: Implement DECNET_RELAY as spec for host to which DECNET + mail (.DECNET pseudo-domain or node::user) will be sent. + As with all relays, it can be ``mailer:hostname''. Suggested + by Scott Hutton. + CONFIG: Add MAILER(mail11) to get DECnet support. Code contributed + by Barb Dijker of Labyrinth Computer Services. + CONFIG: change confCHECK_ALIASES to default to False -- it has poor + performance for large alias files, and this confused many + people. + CONFIG: Add confCF_VERSION to append local information to the + configuration version number displayed during SMTP startup. + CONFIG: fix some.newsgroup.usenet@local.host syntax (previously it + would only work when locally addressed. Fix from + Edvard Tuinder of Cistron Internet Services. + CONFIG: use ${opMode} to avoid error on .REDIRECT addresses if option + "n" (CheckAlaises) is set when rebuilding alias database. + Based on code contributed by Claude Marinier. 
+ CONFIG: Allow mailertable to have values of the form + ``error:code message''. The ``code'' is a status code + derived from the sysexits codes -- e.g., NOHOST or UNAVAILABLE. + Contributed by David James <dwj@agw.bt.co.uk>. + CONFIG: add MASQUERADE_DOMAIN(domain list) to extend the list of + sender domains that will be replaced with the masquerade name. + These domains will not be treated as local, but if mail passes + through with sender addresses in those domains they will be + replaced by the masquerade name. These can also be specified + in a file using MASQUERADE_DOMAIN_FILE(filename). + CONFIG: add FEATURE(masquerade_envelope) to masquerade the envelope + as well as the header. Substantial improvements to this + code were contributed by Per Hedeland. + CONFIG: add MAILER(phquery) to define a new "ph" mailer; this can be + accessed from a mailertable to do CCSO ph lookups. Contributed + by Kimmo Suominen. + CONFIG: add MAILER(cyrus) to define a new Cyrus mailer; this can be + used to define cyrus and cyrusbb mailers (for IMAP support). + Contributed by John Gardiner Myers of Carnegie Mellon. + CONFIG: add confUUCP_MAILER to select default mailer to use for + UUCP addressing. Suggested by Tom Moore of AT&T GIS. 
+ NEW FILES: + cf/cf/cs-hpux10.mc + cf/cf/cs-solaris2.mc + cf/cf/cyrusproto.mc + cf/cf/generic-bsd4.4.mc + cf/cf/generic-hpux10.mc + cf/cf/generic-hpux9.mc + cf/cf/generic-osf1.mc + cf/cf/generic-solaris2.mc + cf/cf/generic-sunos4.1.mc + cf/cf/generic-ultrix4.mc + cf/cf/huginn.cs.mc + cf/domain/berkeley-only.m4 + cf/domain/generic.m4 + cf/feature/bestmx_is_local.m4 + cf/feature/local_procmail.m4 + cf/feature/masquerade_envelope.m4 + cf/feature/smrsh.m4 + cf/feature/stickyhost.m4 + cf/feature/use_ct_file.m4 + cf/m4/cfhead.m4 + cf/mailer/cyrus.m4 + cf/mailer/mail11.m4 + cf/mailer/phquery.m4 + cf/mailer/procmail.m4 + cf/ostype/amdahl-uts.m4 + cf/ostype/bsdi2.0.m4 + cf/ostype/hpux10.m4 + cf/ostype/irix5.m4 + cf/ostype/isc4.1.m4 + cf/ostype/ptx2.m4 + cf/ostype/unknown.m4 + contrib/bsdi.mc + contrib/mailprio + contrib/rmail.oldsys.patch + mail.local/mail.local.0 + makemap/makemap.0 + smrsh/README + smrsh/smrsh.0 + smrsh/smrsh.8 + smrsh/smrsh.c + src/Makefiles/Makefile.CSOS + src/Makefiles/Makefile.EWS-UX_V + src/Makefiles/Makefile.HP-UX.10 + src/Makefiles/Makefile.IRIX.5.x + src/Makefiles/Makefile.IRIX64 + src/Makefiles/Makefile.ISC + src/Makefiles/Makefile.KSR + src/Makefiles/Makefile.NEWS-OS.4.x + src/Makefiles/Makefile.NEWS-OS.6.x + src/Makefiles/Makefile.NEXTSTEP + src/Makefiles/Makefile.NonStop-UX + src/Makefiles/Makefile.Paragon + src/Makefiles/Makefile.SCO.3.2v4.2 + src/Makefiles/Makefile.SunOS.5.3 + src/Makefiles/Makefile.SunOS.5.4 + src/Makefiles/Makefile.SunOS.5.5 + src/Makefiles/Makefile.UNIX_SV.4.x.i386 + src/Makefiles/Makefile.uts.systemV + src/Makefiles/Makefile.UX4800 + src/aliases.0 + src/mailq.0 + src/mime.c + src/newaliases.0 + src/sendmail.0 + test/t_seteuid.c + RENAMED FILES: + cf/cf/alpha.mc => cf/cf/s2k-osf1.mc + cf/cf/chez.mc => cf/cf/chez.cs.mc + cf/cf/hpux-cs-exposed.mc => cf/cf/cs-hpux9.mc + cf/cf/osf1-cs-exposed.mc => cf/cf/cs-osf1.mc + cf/cf/s2k.mc => cf/cf/s2k-ultrix4.mc + cf/cf/sunos4.1-cs-exposed.mc => cf/cf/cs-sunos4.1.mc + 
cf/cf/ultrix4.1-cs-exposed.mc => cf/cf/cs-ultrix4.mc + cf/cf/vangogh.mc => cf/cf/vangogh.cs.mc + cf/domain/Berkeley.m4 => cf/domain/Berkeley.EDU.m4 + cf/domain/cs-exposed.m4 => cf/domain/CS.Berkeley.EDU.m4 + cf/domain/eecs-hidden.m4 => cf/domain/EECS.Berkeley.EDU.m4 + cf/domain/s2k.m4 => cf/domain/S2K.Berkeley.EDU.m4 + cf/ostype/hpux.m4 => cf/ostype/hpux9.m4 + cf/ostype/irix.m4 => cf/ostype/irix4.m4 + cf/ostype/ultrix4.1.m4 => cf/ostype/ultrix4.m4 + src/Makefile.* => src/Makefiles/Makefile.* + src/Makefile.AUX => src/Makefiles/Makefile.A-UX + src/Makefile.BSDI => src/Makefiles/Makefile.BSD-OS + src/Makefile.DGUX => src/Makefiles/Makefile.dgux + src/Makefile.RISCos => src/Makefiles/Makefile.UMIPS + src/Makefile.SunOS.4.0.3 => src/Makefiles/Makefile.SunOS.4.0 + OBSOLETED FILES: + cf/cf/cogsci.mc + cf/cf/cs-exposed.mc + cf/cf/cs-hidden.mc + cf/cf/hpux-cs-hidden.mc + cf/cf/knecht.mc + cf/cf/osf1-cs-hidden.mc + cf/cf/sunos3.5-cs-exposed.mc + cf/cf/sunos3.5-cs-hidden.mc + cf/cf/sunos4.1-cs-hidden.mc + cf/cf/ultrix4.1-cs-hidden.mc + cf/domain/cs-hidden.m4 + contrib/rcpt-streaming + src/Makefiles/Makefile.SunOS.5.x + +8.6.13/8.6.12 96/01/25 + SECURITY: In some cases it was still possible for an attacker to + insert newlines into a queue file, thus allowing access to + any user (except root). + CONFIG: no changes -- it is not a bug that the configuration + version number is unchanged. + +8.6.12/8.6.12 95/03/28 + Fix to IDENT code (it was getting the size of the reply buffer + too small, so nothing was ever accepted). Fix from several + people, including Allan Johannesen, Shane Castle of the + Boulder County Information Services, and Jeff Smith of + Warwick University (all arrived within a few hours of + each other!). + Fix a problem that could cause large jobs to run out of + file descriptors on systems that use vfork() rather + than fork(). 
+ +8.6.11/8.6.11 95/03/08 + The ``possible attack'' message would be logged more often + than necessary if you are using Pine as a user agent. + The wrong host would be reported in the ``possible attack'' + message when attempted from IDENT. + In some cases the syslog buffer could be overflowed when + reporting the ``possible attack'' message. This can + cause denial of service attacks. Truncate the message + to 80 characters to prevent this problem. + When reading the IDENT response a loop is needed around the + read from the network to ensure that you don't get + partial lines. + Password entries without any shell listed (that is, a null + shell) wouldn't match as "ok". Problem noted by + Rob McMahon. + When running BIND 4.9.x a problem could occur because the + _res.options field is initialized differently than it + was historically -- this requires that sendmail call + res_init before it tweaks any bits. + Fix an incompatibility in openxscript() between the file open mode + and the stdio mode passed to fdopen. This caused UnixWare + 2.0 to have conniptions. Fix from Martin Sohnius of + Novell Labs Europe. + Fix problem with static linking of local getopt routine when + using GNU's ld command. Fix from John Kennedy of + Cal State Chico. + It was possible to turn off privacy flags. Problem noted by + *Hobbit*. + Be more paranoid about writing files. Suggestions by *Hobbit* + and Liudvikas Bukys. + MAKEMAP: fixes for 64 bit machines (DEC Alphas in particular) + from Spider Boardman. + CONFIG: No changes (version number only, to keep it in sync + with the binaries). + +8.6.10/8.6.10 95/02/10 + SECURITY: Diagnose bogus values to some command line flags that + could allow trash to get into headers and qf files. + Validate the name of the user returned by the IDENT protocol. + Some systems that really dislike IDENT send intentionally + bogus information. Problem pointed out by Michael Bushnell + of the Free Software Foundation. Has some security + implications. 
+ Fix a problem causing error messages about DNS problems when + the host name contained a percent sign to act oddly + because it was passed as a printf-style format string. + In some cases this could cause core dumps. + Avoid possible buffer overrun in returntosender() if error + message is quite long. From Fletcher Mattox of the + University of Texas. + Fix a problem that would silently drop "too many hops" error + messages if and only if you were sending to an alias. + From Jon Giltner of the University of Colorado and + Dan Harton of Oak Ridge National Laboratory. + Fix a bug that caused core dumps on some systems if -d11.2 was + set and e->e_message was null. Fix from Bruce Nagel of + Data General. + Fix problem that can still cause df files to be left around + after "hop count exceeded" messages. Fix from Andrew + Chang and Shau-Ping Lo of SunSoft. + Fix a problem that can cause buffer overflows on very long + user names (as might occur if you piped to a program + with a lot of arguments). + Avoid returning an error and re-queueing if the host signature + is null; this can occur on addresses like ``user@.''. + Problem noted by Wesley Craig and the University of + Michigan. + Avoid possible calls to malloc(0) if MCI caching is turned + off. Bug fix from Pierre David of the Laboratoire + Parallelisme, Reseaux, Systemes et Modelisation (PRiSM), + Universite de Versailles - St Quentin, and Jacky + Thibault. + Make a local copy of the line being sent via senttolist() -- in + some cases, buffers could get trashed by map lookups + causing it to do unexpected things. This also simplifies + some of the map code. + CONFIG: No changes (version number only, to keep it in sync + with the binaries). + +8.6.9/8.6.9 94/04/19 + Do all mail delivery completely disconnected from any terminal. + This provides consistency with daemon delivery and + may have some security implications. + Make sure that malloc doesn't get called with zero size, + since that fails on some systems. 
Reported by Ed + Hill of the University of Iowa. + Fix multi-line values for $e (SMTP greeting message). Reported + by Mike O'Connor of Ford Motor Company. + Avoid syserr if no NIS domain name is defined, but the map it + is trying to open is optional. From Win Bent of USC. + Changes for picky compilers from Ed Gould of Digital Equipment. + Hesiod support for UDB from Todd Miller of the University of + Colorado. Use "hesiod" as the service name in the U + option. + Fix a problem that failed to set the "authentic" host name (that + is, the one derived from the socket info) if you called + sendmail -bs from inetd. Based on code contributed by + Todd Miller (this problem was also reported by Guy Helmer + of Dakota State University). This also fixes a related + problem reported by Liudvikas Bukys of the University of + Rochester. + Parameterize "nroff -h" in all the Makefiles so people with + variant versions can use them easily. Suggested by + Peter Collinson of Hillside Systems. + SMTP "MAIL" commands with multiple ESMTP parameters required two + spaces between parameters instead of one. Reported by + Valdis Kletnieks of Virginia Tech. + Reduce the number of system calls during message collection by + using global timeouts around the collect() loop. This + code was contributed by Eric Wassenaar. + If the initial hostname name gathering results in a name + without a dot (usually caused by NIS misconfiguration) + and BIND is compiled in, directly access DNS to get + the canonical name. This should make life easier for + Solaris systems. If it still can't be resolved, and + if the name server is listed as "required", try again + in 30 seconds. If that also fails, exit immediately to + avoid bogus "config error: mail loops back to myself" + messages. + Improve the "MAIL DELETED BECAUSE OF LACK OF DISK SPACE" error + message to explain how much space was available and + sound a bit less threatening. 
Suggested by Stan Janet + of the National Institute of Standards and Technology. + If mail is delivered to an alias that has an owner, deliver any + requested return-receipt immediately, and strip the + Return-Receipt-To: header from the subsequent message. + This prevents a certain class of denial of service + attack, arguably gives more reasonable semantics, and + moves things more towards what will probably become a + network standard. Suggested by Christopher Davis of + Kapor Enterprises. + Add a "noreceipts" privacy flag to turn off all return receipts + without recompiling. + Avoid printing ESMTP parameters as part of the error message + if there are errors during parsing. This change is + purely cosmetic. + Avoid sending out error messages during the collect phase of + SMTP; there is an MVS mailer from UCLA that gets + confused by this. Of course, I think it's their bug.... + Check for the $j macro getting undefined, losing a dot, or getting + lost from $=w in the daemon before accepting a connection; + if it is, it dumps state, prints a LOG_ALERT message, + and drops core for debugging. This is an attempt to + track down a bug that I thought was long since gone. + If you see this, please forward the log fragment to + sendmail@sendmail.ORG. + Change OLD_NEWDB from a #ifdef to a #if so it can be turned off + with -DOLD_NEWDB=0 on the command line. From Christophe + Wolfhugel. + Instead of trying to truncate the listen queue for the server + SMTP port when the load average is too high, just close + the port completely and reopen it later as needed. + This ensures that the other end gets a quick "connection + refused" response, and that the connection can be + recovered later. In particular, some socket emulations + seem to get confused if you tweak the listen queue + size around and can never start listening to connections + again. 
The down side is that someone could start up + another daemon process in the interim, so you could + have multiple daemons all not listening to connections; + this could in turn cause the sendmail.pid file to be + incorrect. A better approach might be to accept the + connection and give a 421 code, but that could break + other mailers in mysterious ways and have paging behaviour + implications. + Fix a glitch in TCP-level debugging that caused flag 16.101 to + set debugging on the wrong socket. From Eric Wassenaar. + When creating a df* temporary file, be sure you truncate any + existing data in the file -- otherwise system crashes + and the like could result in extra data being sent. + DOC: Replace the CHANGES-R5-R8 readme file with a paper in the + doc directory. This includes some additional + information. + CONFIG: change UUCP rules to never add $U! or $k! on the front + of recipient envelope addresses. This should have been + handled by the $&h trick, but broke if people were + mixing domainized and UUCP addresses. They should + probably have converted all the way over to uucp-uudom + instead of uucp-{new,old}, but the failure mode was to + loop the mail, which was bad news. + Portability fixes: + Newer BSDI systems (several people). + Older BSDI systems from Christophe Wolfhugel. + Intergraph CLIX, from Paul Southworth of CICNet. + UnixWare, from Evan Champion. + NetBSD from Adam Glass. + Solaris from Quentin Campbell of the University of + Newcastle upon Tyne. + IRIX from Dean Cookson and Bill Driscoll of Mitre + Corporation. + NCR 3000 from Kevin Darcy of Chrysler Financial Corporation. + SunOS (it has setsid() and setvbuf() calls) from + Jonathan Kamens of OpenVision Technologies. + HP-UX from Tor Lillqvist. + New Files: + src/Makefile.CLIX + src/Makefile.NCR3000 + doc/changes/Makefile + doc/changes/changes.me + doc/changes/changes.ps + +8.6.8/8.6.6 94/03/21 + SECURITY: it was possible to read any file as root using the + E (error message) option. 
Reported by Richard Jones; + fixed by Michael Corrigan and Christophe Wolfhugel. + +8.6.7/8.6.6 94/03/14 + SECURITY: it was possible to get root access by using weird + values to the -d flag. Thanks to Alain Durand of + INRIA for forwarding me the notice from the bugtraq + list. + +8.6.6/8.6.6 94/03/13 + SECURITY: the ability to give files away on System V-based + systems proved dangerous -- don't run as the owner + of a :include: file on a system that allows giveaways. + Unfortunately, this also applies to determining a + valid shell. + IMPORTANT: Previous versions weren't expiring old connections + in the connection cache for a long time under some + circumstances. This could result in resource exhaustion, + both at your end and at the other end. This checks the + connections for timeouts much more frequently. From + Doug Anderson of NCSC. + Fix a glitch that snuck in that caused programs to be run as + the sender instead of the recipient if the mail was + from a local user to another local user. From + Motonori Nakamura of Kyoto University. + Fix "wildcard" on /etc/shells matching -- instead of looking + for "*", look for "/SENDMAIL/ANY/SHELL/". From + Bryan Costales of ICSI. + Change the method used to declare the "statfs" availability; + instead of HASSTATFS and/or HASUSTAT with a ton of + tweaking in conf.c, there is a single #define called + SFS_TYPE which takes on one of six values (SFS_NONE + for no statfs availability, SFS_USTAT for the ustat(2) + syscall, SFS_4ARGS for a four argument statfs(2) call, + and SFS_VFS, SFS_MOUNT, or SFS_STATFS for a two argument + statfs(2) call with the declarations in <sys/vfs.h>, + <sys/mount.h>, or <sys/statfs.h> respectively). + Fix glitch in NetInfo support that could return garbage if + there was no "/locations/sendmail" property. From + David Meyer of the University of Virginia. + Change HASFLOCK from defined/not-defined to a 0/1 definition + to allow Linux to turn it off even though it is a + BSD-like system. 
+ Allow setting of "ident" timeout to zero to turn off the ident + protocol entirely. + Make 7-bit stripping local to a connection (instead of to a + mailer); this allows you to specify that SMTP is a + 7-bit channel, but revert to 8-bit should it advertise + that it supports 8BITMIME. You still have to specify + mailer flag 7 to get this stripping at all. + Improve makesendmail script so it handles more cases automatically. + Tighten up restrictions on taking ownership of :include: files + to avoid problems on systems that allow you to give away + files. + Fix a problem that made it impossible to rebuild the alias + file if it was on a read-only file system. From + Harry Edmon of the University of Washington. + Improve MX randomization function. From John Gardiner Myers + of CMU. + Fix a minor glitch causing a bogus message to be printed (used + %s instead of %d in a printf string for the line number) + when a bad queue file was read. From Harry Edmon. + Allow $s to remain NULL on locally generated mail. I'm not + sure this is necessary, but a lot of people have complained + about it, and there is a legitimate question as to whether + "localhost" is legal as an 822-style domain. + Fix a problem with very short line lengths (mailer L= flag) in + headers. This causes a leading space to be added onto + continuation lines (including in the body!), and also + tries to wrap headers containing addresses (From:, To:, + etc) intelligently at the shorter line lengths. Problem + Reported by Lars-Johan Liman of SUNET Operations Center. + Log the real user name when logging syserrs, since these can have + security implications. Suggested by several people. + Fix address logging of cached connections -- it used to always + log the numeric address as zero. This is a somewhat + bogus implementation in that it does an extra system + call, but it should be an inexpensive one. Fix from + Motonori Nakamura. 
+ Tighten up handling of short syslog buffers even more -- there + were cases where the outgoing relay= name was too long + to share a line with delay= and mailer= logging. + Limit the overhead on split envelopes to one open file descriptor + per envelope -- previously the overhead was three + descriptors. This was in response to a problem reported + by P{r (Pell) Emanuelsson. + Fixes to better handle the case of unexpected connection closes; + this redirects the output to the transcript so the info + is not lost. From Eric Wassenaar. + Fix potential string overrun if you macro evaluate a string that + has a naked $ at the end. Problem noted by James Matheson + <jmrm@eng.cam.ac.uk>. + Make default error number on $#error messages 553 (``Requested + action not taken: mailbox name not allowed'') instead of + 501 (``Syntax error in parameters or arguments'') to + avoid bogus "protocol error" messages. + Strip off any existing trailing dot on names during $[ ... $] + lookup. This prevents it from ending up with two dots + on the end of dot terminated names. From Wesley Craig + of the University of Michigan and Bryan Costales of ICSI. + Clean up file class reading so that the debugging information is + more informative. It hadn't been using setclass, so you + didn't see the class items being added. + Avoid core dump if you are running a version of sendmail where + NIS is compiled in, and you specify an NIS map, but + NIS is not running. Fix from John Oleynick of + Rutgers. + Diagnose bizarre case where res_search returns a failure value, + but sets h_errno to a success value. + Make sure that "too many hops" messages are considered important + enough to send an error to the Postmaster (that is, the + address specified in the P option). This fix should + help problems that cause the df file to be left around + sometimes -- unfortunately, I can't seem to reproduce + the problem myself. 
+ Avoid core dump (null pointer reference) on EXPN command; this + only occurred if your log level was set to 10 or higher + and the target account was an alias or had a .forward file. + Problem noted by Janne Himanka. + Avoid "denial of service" attacks by someone who is flooding your + SMTP port with bad commands by shutting the connection + after 25 bad commands are issued. From Kyle Jones of + UUNET. + Fix core dump on error messages with very long "to" buffers; + fmtmsg overflows the message buffer. Fixed by trimming + the to address to 203 characters. Problem reported by + John Oleynick. + Fix configuration for HASFLOCK -- there were some spots where + a #ifndef was incorrectly #ifdef. Pointed out by + George Baltz of the University of Maryland. + Fix a typo in savemail() that could cause the error message To: + lists to be incorrect in some places. From Motonori + Nakamura. + Fix a glitch that can cause duplicate error messages on split + envelopes where an address on one of the lists has a + name server failure. Fix from Voradesh Yenbut of the + University of Washington. + Fix possible bogus pointer reference on ESMTP parameters that + don't have an ``=value'' part. + CNAME loops caused an error message to be generated, but also + re-queued the message. Changed to just re-queue the + message (it's really hard to just bounce it because + of the weird way the name server works in the presence + of CNAME loops). Problem noted by James M.R.Matheson + of Cambridge University. + Avoid giving ``warning: foo owned process doing -bs'' messages + if they use ``MAIL FROM:<foo>'' where foo is their true + user name. Suggested by Andreas Stolcke of ICSI. + Change the NAMED_BIND compile flag to be a 0/1 flag so you can + override it easily in the Makefile -- that is, you can + turn it off using -DNAMED_BIND=0. + If a gethostbyname(...) of an address with a trailing dot fails, + try it without the trailing dot. 
This is because if + you have a version of gethostbyname() that falls back + to NIS or the /etc/hosts file it will fail to find + perfectly reasonable names that just don't happen to + be dot terminated in the hosts file. You don't want to + strip the dot first though because we're trying to ensure + that country names that match one of your subdomains get + a chance. + PRALIASES: fix bogus output on non-null-terminated strings. + From Bill Gianopoulos of Raytheon. + CONFIG: Avoid rewriting anything that matches $w to be $j. + This was in code intended to only catch the self-literal + address (that is, [1.2.3.4], where 1.2.3.4 is your + IP address), but the code was broken. However, it will + still do this if $M is defined; this is necessary to + get client configurations to work (sigh). Note that this + means that $M overrides :mailname entries in the user + database! Problem noted by Paul Southworth. + CONFIG: Fix definition of Solaris help file location. From + Steve Cliffe <steve@gorgon.cs.uow.edu.au>. + CONFIG: Fix bug that broke news.group.USENET mappings. + CONFIG: Allow declaration of SMTP_MAILER_MAX, FAX_MAILER_MAX, + and USENET_MAILER_MAX to tweak the maximum message + size for various mailers. + CONFIG: Change definition of USENET_MAILER_ARGS to include argv[0] + instead of assuming that it is "inews" for consistency + with other mailers. From Michael Corrigan of UC San Diego. + CONFIG: When mail is forwarded to a LOCAL_RELAY or a MAIL_HUB, + qualify the address in the SMTP envelope as user@{relay|hub} + instead of user@$j. From Bill Wisner of The Well. + CONFIG: Fix route-addr syntax in nullrelay configuration set. + CONFIG: Don't turn off case mapping of user names in the local + mailer for IRIX. This was different than most every other + system. + CONFIG: Avoid infinite loops on certainly list:; syntaxes in + envelope. Noted by Thierry Besancon + <besancon@excalibur.ens.fr>. 
+ CONFIG: Don't include -z by default on uux line -- most systems + don't want it set by default. Pointed out by Philippe + Michel of Thomson CSF. + CONFIG: Fix some bugs with mailertables -- for example, if your + host name was foo.bar.ray.com and you matched against + ".ray.com", the old implementation bound %1 to "bar" + instead of "foo.bar". Also, allow "." in the mailertable + to match anything -- essentially, take over SMART_HOST. + This also moves matching of explicit local host names + before the mailertable so they don't have to be special + cased in the mailertable data. Reported by Bill + Gianopoulos of Raytheon; the fix for the %1 binding + problem was contributed by Nicholas Comanos of the + University of Sydney. + CONFIG: Don't include "root" in class $=L (users to deliver + locally, even if a hub or relay exists) by default. + This is because of the known bug where definition of + both a LOCAL_RELAY and a MAIL_HUB causes $=L to ignore + both and deliver into the local mailbox. + CONFIG: Move up bitdomain and uudomain handling so that they + are done before .UUCP class matching; uudomain was + reported as ineffective before. This also frees up + diversion 8 for future use. Problem reported by Kimmo + Suominen. + CONFIG: Don't try to convert dotted IP address (e.g., [1.2.3.4]) + into host names. As pointed out by Jonathan Kamens, + these are often used because either the forward or reverse + mapping is broken; this translation makes it broken again. + DOC: Clarify $@ and $: in the Install & Op Guide. From Kimmo + Suominen. + Portability fixes: + Unicos from David L. Kensiski of Sterling Software. + DomainOS from Don Lewis of Silicon Systems. + GNU m4 1.0.3 from Karst Koymans of Utrecht University. + Convex from Kimmo Suominen <kim@tac.nyc.ny.us>. + NetBSD from Adam Glass <glass@sun-lamp.cs.berkeley.edu>. + BSD/386 from Tony Sanders of BSDI. + Apollo from Eric Wassenaar. + DGUX from Doug Anderson. + Sequent DYNIX/ptx 2.0 from Tim Wright of Sequent. 
+ NEW FILES: + src/Makefile.DomainOS + src/Makefile.PTX + src/Makefile.SunOS.5.1 + src/Makefile.SunOS.5.2 + src/Makefile.SunOS.5.x + src/mailq.1 + cf/ostype/domainos.m4 + doc/op/Makefile + doc/intro/Makefile + doc/usenix/Makefile + +8.6.5/8.6.5 94/01/13 + Security fix: /.forward could be owned by anyone (the test + to allow root to own any file was backwards). From + Bob Campbell at U.C. Berkeley. + Security fix: group ids were not completely set when programs + were invoked. This caused programs to have group + permissions they should not have had (usually group + daemon instead of their own group). In particular, + Perl scripts would refuse to run. + Security: check to make sure files that are written are not + symbolic links (at least under some circumstances). + Although this does not respond to a specific known + attack, it's just a good idea. Suggested by + Christian Wettergren. + Security fix: if a user had an NFS mounted home directory on + a system with a restricted shell listed in their + /etc/passwd entry, they could still execute any + program by putting that in their .forward file. + This fix prevents that by insisting that their shell + appear in /etc/shells before allowing a .forward to + execute a program or write a file. You can disable + this by putting "*" in /etc/shells. It also won't + permit world-writable :include: files to reference + programs or files (there's no way to disable this). + These behaviours are only one level deep -- for + example, it is legal for a world-writable :include: + file to reference an alias that writes a file, on + the assumption that the alias file is well controlled. + Security fix: root was not treated suspiciously enough when + looking into subdirectories. This would potentially + allow a cracker to examine files that were publicly + readable but in a non-publicly searchable directory. + Fix a problem that causes an error on QUIT on a cached + connection to create problems on the current job. 
+ These are typically unrelated, so errors occur in + the wrong place. + Reset CurrentLA in sendall() -- this makes sendmail queue + runs more responsive to load average, and fixes a + problem that ignored the load average in locally + generated mail. From Eric Wassenaar. + Fix possible core dump on aliases with null LHS. From + John Orthoefer of BB&N. + Revert to using flock() whenever possible -- there are just + too many bugs in fcntl() locking, particularly over + NFS, that cause sendmail to fail in perverse ways. + Fix a bug that causes the connection cache to get confused + when sending error messages. This resulted in + "unexpected close" messages. It should fix itself + on the following queue run. Problem noted by + Liudvikas Bukys of the University of Rochester. + Include $k in $=k as documented in the Install & Op Guide. + This seems odd, but it was documented.... From + Michael Corrigan of UCSD. + Fix problem that caused :include:s from alias files to be + forced to be owned by root instead of daemon + (actually DefUid). From Tim Irvin. + Diagnose unrecognized I option values -- from Mortin Forssen + of the Chalmers University of Technology. + Make "error" mailer work consistently when there is no error + code associated with it -- previously it returned OK + even though there was a real problem. Now it assumes + EX_UNAVAILABLE. + Fix bug that caused the last header line of messages that had + no body and which were terminated with EOF instead of + "." to be discarded. Problem noted by Liudvikas Bukys. + Fix core dump on SMTP mail to programs that failed -- it tried + to go to a "next MX host" when none existed, causing + a core dump. From der Mouse at McGill University. + Change IDENTPROTO from a defined/not defined to a 0/1 switch; + this makes it easier to turn it off (using + -DIDENTPROTO=0 in the Makefile). From der Mouse. 
+ Fix YP_MASTER_NAME store to use the unupdated result of + gethostname() (instead of myhostname(), which tries + to fully qualify the name) to be consistent with + SunOS. If your hostname is unqualified, this fixes + transfers to slave servers. Bug noted by Keith + McMillan of Ameritech Services, Inc. + Fix Ultrix problem: gethostbyname() can return a very large + (> 500) h_length field, which causes the sockaddr + to be trashed. Use the size of the sockaddr instead. + Fix from Bob Manson of Ohio State. + Don't assume "-a." on host lookups if NAMED_BIND is not + defined -- this confuses gethostbyname on hosts + file lookups, which doesn't understand the trailing + dot convention. + Log SMTP server subprocesses that die with a signal instead + of from a clean exit. + If you don't have option "I" set, don't assume that a DNS + "host unknown" message is authoritative -- it + might still be found in /etc/hosts. + Fix a problem that would cause Deferred: messages to be sent + as the subject of an error message, even though the + actual cause of a message was more severe than that. + Problem noted by Chris Seabrook of OSSI. + Fix race condition in DBM alias file locking. From Kyle + Jones of UUNET. + Limit delivery syslog line length to avoid bugs in some + versions of syslog(3). This adds a new compile time + variable SYSLOG_BUFSIZE. From Jay Plett of Princeton + University, which is in turn derived from IDA. + Fix quotes inside of comments in addresses -- previously + it insisted that they be balanced, but the 822 spec + says that they should be ignored. + Dump open file state to syslog upon receiving SIGUSR1 (for + debugging). This also evaluates ruleset 89, if set + (with the null input), and logs the result. This + should be used sparingly, since the rewrite process + is not reentrant. + Change -qI, -qR, and -qS flags to be case-insensitive as + documented in the Bat Book. 
+ If the mailer returned EX_IOERR or EX_OSERR, sendmail did not + return an error message and did not requeue the message. + Fix based on code from Roland Dirlewanger of + Reseau Regional Aquarel, Bordeaux, France. + Fix a problem that caused a seg fault if you got a 421 error + code during some parts of connection initialization. + I've only seen this when talking to buggy mailers on + the other end, but it shouldn't give a seg fault in + any case. From Amir Plivatsky. + Fix core dump caused by a ruleset call that returns null. + Fix from Bryan Costales of ICSI. + Full-Name: field was being ignored. Fix from Motonori Nakamura + of Kyoto University. + Fix a possible problem with very long input lines in setproctitle. + From P{r Emanuelsson. + Avoid putting "This is a warning message" out on return receipts. + Suggested by Douglas Anderson. + Detect loops caused by recursive ruleset calls. Suggested by + Bryan Costales. + Initialize non-alias maps during alias rebuilds -- they may be + needed for parsing. Problem noted by Douglas Anderson. + Log sender address even if no message was collected in SMTP + (e.g., if all RCPTs failed). Suggested by Motonori + Nakamura. + Don't reflect the owner-list contents into the envelope sender + address if the value contains ", :, /, or | (to avoid + illegal addresses appearing there). + Efficiency hack for toktype macro -- from Craig Partridge of + BB&N. + Clean up DNS error printing so that a host name is always + included. + Remember to set $i during queue runs. Reported by Stephen + Campbell of Dartmouth University. + If the environment variable HOSTALIASES is set, use it during + canonification as the name of a file with per-user host + translations so that headers are properly mapped. Reported + by Anne Bennett of Concordia University. + Avoid printing misleading error message if SMTP mailer (not + using [IPC]) should die on a core dump. 
+ Avoid incorrect diagnosis of "file 1 closed" when it is caused + by the other end closing the connection. From + Dave Morrison of Oracle. + Improve several of the error messages printed by "mailq" + to include a host name or other useful information. + Add NetInfo preliminary support for NeXT systems. From Vince + DeMarco. + Fix a glitch that sometimes caused :include:s that pointed to + NFS filesystems that were down to give an "aliasing/ + forwarding loop broken" message instead of queueing + the message for retry. Noted by William C Fenner of + the NRL Connection Machine Facility. + Fix a problem that could cause a core dump if the input sequence + had (or somehow acquired) a \231 character. + Make sure that route-addrs always have <angle brackets> around + them in non-SMTP envelopes (SMTP envelopes already do + this properly). + Avoid weird headers on unbalanced punctuation of the form: + ``Joe User <user)'' -- this caused reference to the + null macro. Fix from Rick McCarty of IO.COM. + Fix a problem that caused an alias "user: user@local.host" to + not have the QNOTREMOTE bit set; this caused configs + to act as if FEATURE(notsticky) was defined even when + it was not. The effect of the problem was to make it + very hard to to set up satellite sites that had a few + local accounts, with everything else forwarded to a + corporate hub. Reported by Detlef Drewanz of the + University of Rostock and Mark Frost of NCD. + Change queuing to not call rulesets 3, {1 or 2}, 4 on header + addresses. This is more efficient (fewer name server + calls) and fixes certain unusual configurations, such + as those that have ruleset 4 do something that is + non-idempotent unless a mailer-specific ruleset did + something else. Problem reported by Brian J. Coan + of the Institute for Global Communications. + Fix the "obsolete argument" routine in main to better understand + new arguments. 
For example, if you used ``sendmail + -C config -v -q'' it would choke on the -q because + the -C would stop looking for old-format arguments. + Fix the code that was intended to allow two users to forward their + mail to the same program and have them appear unique. + Portability fixes for: + SCO UNIX from Murray Kucherawy. + SCO Open Server 3.2v4 from Philippe Brand. + System V Release 4 from Rick Ellis and others. + OSF/1 from Steve Campbell. + DG/UX from Ben Mesander of the USGS and Bryan Curnutt + of Stoner Associates. + Motorola SysV88 from Kevin Johnson of Motorola. + Solaris 2.3 from Casper H.S. Dik of the University + of Amsterdam and John Caruso of University + of Maryland. + FreeBSD from Ollivier Robert. + NetBSD from Adam Glass. + TitanOS from Kate Hedstrom of Rutgers University. + Irix from Bryan Curnutt. + Dynix from Jim Davis of the University of Arizona. + RISC/os. + Linux from John Kennedy of California State University + at Chico. + Solaris 2.x from Tony Boner of the U.S. Air Force. + NEXTSTEP 3.x from Vince DeMarco. + HP-UX from various people. NOTA BENE: the location + of the config file has moved to /usr/lib + to match the HP-UX version of sendmail. + CONFIG: Don't do any recipient rewriting on relay mailer; + since this is intended only for internal use, the + usual RFC 821/822/1123 rules can be relaxed. The + main point of this is to avoid munging (ugh) UUCP + addresses when relaying internally. + CONFIG: fix typo in mailer/uucp.m4 that mutilates list:; + syntax addresses delivered via UUCP. Solution + provided by Peter Wemm. + CONFIG: fix thumb-fumble in default UUCP relaying in ruleset + zero; it caused double @ signs in addresses. From + Irving Reid of the University of Toronto. + CONFIG: Portability fixes for SCO Unix 3.2 with TCP/IP 1.2.1 + from Markku Toijala of ICL Personal Systems Oy. + CONFIG: Add trailing "." 
on pseudo-domains for consistency; + this fixes a problem (noted by Al Whaley of Sunnyside) + that made it hard to recognize your own pseudodomain + names. + CONFIG: catch "@host" syntax errors (i.e., null local-parts) + rather than letting them get "local configuration + error"s. Problem noted by John Gardiner Myers. + CONFIG: add uucp-uudom mailer variant, based on code posted + by Spider Boardman <spider@Orb.Nashua.NH.US>; this + has uucp-dom semantics but old UUCP syntax. This + also permits "uucp-old" as an alias for "uucp" and + "uucp-new" as a synonym for "suucp" for consistency. + CONFIG: add POP mailer support (from Kimmo Suominen + <kim@grendel.lut.fi>). + CONFIG: drop CSNET_RELAY support -- CSNET is long gone. + CONFIG: fix bug caused with domain literal addresses (e.g., + ``[128.32.131.12]'') when FEATURE(allmasquerade) + was set; it would get an additional @masquerade.host + added to the address. Problem noted by Peter Wan + of Georgia Tech. + CONFIG: make sure that the local UUCP name is in $=w. From + Jim Murray of Stratus. + CONFIG: changes to UUCP rewriting to simulate IDA-style "V" + mailer flag. Briefly, if you are sending to host + "foo", then it rewrites "foo!...!baz" to "...!baz", + "foo!baz" remains "foo!baz", and anything else has + the local name prepended. + CONFIG: portability fixes for HP-UX. + DOC: several minor problems fixed in the Install & Op Guide. + MAKEMAP: fix core dump problem on lines that are too long or + which lack newline. From Mark Delany. + MAILSTATS: print sums of columns (total messages & kbytes + in and out of the system). From Tom Ferrin of UC + San Francisco Computer Graphics Lab. + SIGNIFICANT USER- OR SYSAD-VISIBLE CHANGES: + On HP-UX, /etc/sendmail.cf has been moved to + /usr/lib/sendmail.cf to match HP sendmail. + Permissions have been tightened up on world-writable + :include: files and accounts that have shells + that are not listed in /etc/shells. 
This may + cause some .forward files that have worked + before to start failing. + SIGUSR1 dumps some state to the log. + NEW FILES: + src/Makefile.DGUX + src/Makefile.Dynix + src/Makefile.FreeBSD + src/Makefile.Mach386 + src/Makefile.NetBSD + src/Makefile.RISCos + src/Makefile.SCO + src/Makefile.SVR4 + src/Makefile.Titan + cf/mailer/pop.m4 + cf/ostype/bsdi1.0.m4 + cf/ostype/dgux.m4 + cf/ostype/dynix3.2.m4 + cf/ostype/sco3.2.m4 + makemap/Makefile.dist + praliases/Makefile.dist + +8.6.4/8.6.4 93/10/31 + Repair core-dump problem (write to read-only memory segment) + if you fall back to the return-to-Postmaster case in + savemail. Problem reported by Richard Liu. + Immediately diagnose bogus sender addresses in SMTP. This + makes quite certain that crackers can't use this + class of attack. + Reliability Fix: check return value from fclose() and fsync() + in a few critical places. + Minor problem in initsys() that reversed a condition for + redirecting the output channel on queue runs. It's + not clear this code even does anything. From Eric + Wassenaar of the Dutch National Institute for Nuclear + and High-Energy Physics. + Fix some problems that caused queue runs to do "too much work", + such as double-reading the Errors-To: header. From + Eric Wassenaar. + Error messages on writing the temporary file (including the + data file) were getting suppressed in SMTP -- this + fix causes them to be properly reported. From Eric + Wassenaar. + Some changes to support AF_UNIX sockets -- this will only + really become relevant in the next release, but some + people need it for local patches. From Michael + Corrigan of UC San Diego. + Use dynamically allocated memory (instead of static buffers) + for macros defined in initsys() and settime(); since + these can have different values depending on which + envelope they are in. From Eric Wassenaar. + Improve logging to show ctladdr on to= logging; this tells you + what uid/gid processes ran as. 
+ Fix a problem that caused error messages to be discarded if + the sender address was unparseable for some reason; + this was supposed to fall back to the "return to + postmaster" case. + Improve aliaswait backoff algorithm. + Portability patches for Linux (8.6.3 required another header + file) (from Karl London) and SCO UNIX. + CONFIG: patch prog mailer to not strip host name off of envelope + addresses (so that it matches local again). From + Christopher Davis. + CONFIG: change uucp-dom mailer so that "<>" translates to $n; + this prevents uux from seeing lines with null names like + ``From Sat Oct 30 14:55:31 1993''. From Motonori + Nakamura of Kyoto University. + CONFIG: handle <list:;> syntax correctly. This isn't legal, but + it shouldn't fail miserably. From Motonori Nakamura. + +8.6.2/8.6.2 93/10/15 + Put a "successful delivery" message in the transcript for + addresses that get return-receipts. + Put a prominent "this is only a warning" message in warning + messages -- some people don't read carefully enough + and end up sending the message several times. + Include reason for temporary failure in the "warning" return + message. Currently, it just says "cannot send for + four hours". + Fix the "Original message received" time generated for + returntosender messages. It was previously listed as + the current time. Bug reported by Eric Hagberg of + Cornell University Medical College. + If there is an error when writing the body of a message, + don't send the trailing dot and wait for a response + in sender SMTP, as this could cause the connection to + hang up under some bizarre circumstances. From Eric + Wassenaar. + Fix some server SMTP synchronization problems caused when + connections fail during message collection. From + Eric Wassenaar. + Fix a problem that can cause srvrsmtp to reject mail if the + name server is down -- it accepts the RCPT but rejects + the DATA command. Problem reported by Jim Murray of + Stratus. 
+ Fix a problem that can cause core dumps if the config file + incorrectly resolves to a null hostname. Reported by + Allan Johannesen of WPI. + Non-root use of -C flag, dangerous -f flags, and use of -oQ + by non-root users were not put into + X-Authentication-Warning:s as intended because the + config file hadn't set the PrivacyFlags yet. Fix + from Sven-Ove Westberg of the University of Lulea. + Under very odd circumstances, the alias file rebuild code + could get confused as to whether a database was + open or not. + Check "vendor code" on the end of V lines -- this is + intended to provide a hook for vendor-specific + configuration syntax. (This is a "new feature", + but I've made an exception to my rule in a belief + that this is a highly exceptional case.) + Portability fixes for DG/UX (from Douglas Anderson of NCSC), + SCO Unix (from Murray Kucherawy), A/UX, and OSF/1 + (from Jon Forrest of UC Berkeley) + CONFIG: fix ``mailer:host'' form of UUCP relay naming. + +8.6.1/8.6 93/10/08 + Portability fixes for A/UX and Encore UMAX V. + Fix error message handling -- if you had a name server down + causing an error during parsing, that message was never + propagated to the queue file. + +8.6/8.6 93/10/05 + Configuration cleanup: make it easier to undo IDENTPROTO in + conf.h (other systems have the same bug). + If HASGETDTABLESIZE and _SC_OPEN_MAX are both defined, assume + getdtablesize() instead of sysconf(); a disturbingly + large number of systems defined _SC_OPEN_MAX in the + header files but don't have the syscall. + Another patch to really truly ignore MX records in getcanonname + if trymx == FALSE. + Fix problem that caused the "250 IAA25499 Message accepted for + delivery" message to be omitted if there was an error + in the header of the message (e.g., a bad Errors-To: + line). Pointed out by Michael Corrigan of UCSD. + Announce name of host we are chatting when we get errors; this + is an IDA-ism suggested by Christophe Wolfhugel. 
+ Portability fixes for Alpha OSF/1 (from Anthony Baxter of the + Australian Artificial Intelligence Institute), SCO Unix + (from Murray Kucherawy of Hookup Communication Corp.), + NeXT (from Vince DeMarco and myself), Linux (from + Karl London <karl@borg.demon.co.uk>), BSDI (from + Christophe Wolfhugel, and SVR4 on Dell (from Kimmo + Suominen), AUX 3.0 on Macintosh, and ANSI C compilers. + Some changes to get around gcc optimizer bugs. From Takahiro + Kanbe. + Fix error recovery in queueup if another tf file of the same + name already exists. Problem stumbled over by Bill + Wisner of The Well. + Output YP_MASTER_NAME and YP_LAST_MODIFIED without null bytes. + Problem noted by Keith McMillan of Ameritech Services. + Deal with group permissions properly when opening .forward and + :include: files. This relaxes the 8.1C restrictions + slightly more. This includes proper setting of groups + when reading :include: files, allowing you to read some + files that you should be able to read but have previously + been denied unless you owned them or they had "other" + read permission. + Make certain that $j is in $=w (after the .cf is read) so that + if the user is forced to override some silly system, + MX suppression will still work. + Fix a couple of efficiency problems where newstr was double- + calling expensive routines. In at least one case, it + wasn't guaranteed that they would always return the + same result. Problem noted by Christophe Wolfhugel. + Fix null pointer dereference in putoutmsg -- only on an error + condition from a non-SMTP mailer. From Motonori + Nakamura. + Macro expand "C" line class definitions before scanning so that + "CX $Z" works. + Fix problem that caused error message to be sent while still + trying to send the original message if the connection + is closed during a DATA command after getting an error + on an RCPT command (pretty obscure). Problem reported + by John Myers of CMU. 
+ Fix reply to NOOP to be 250 instead of 200 -- this is a long + term bug. + Fix a nasty bug causing core dumps when returning the "warning: + cannot deliver for N hours -- will keep trying" message; + it only occurred if you had PostMasterCopy set and + only on some architectures. Although sendmail would + keep trying, it would send error messages on each + queue interval. This is an important fix. + Allow u and g options to take user and group names respectively. + Don't do a chdir into the queue directory in -bt mode to make + ruleset testing a bit easier. + Don't allow users to turn off logging (using -oL) on the command + line -- command line can only raise, not lower, logging + level. + Set $u to the original recipient on the SMTP transaction or on + the command line. This is only done if there is exactly + one recipient. Technically, this does not meet the + specs, because it does not guarantee a domain on the + address. + Fix a problem that dumped error messages on bad addresses if + you used the -t flag. Problem noted by Josh Smith of + Harvey Mudd College. + Given an address such as ``<foo> <bar>'', auto-quote the first + ``<foo>'' part, giving ``"<foo>" <bar>''. This is to + avoid the problem of people who use angle brackets in + their full name information. + Fix a null pointer dereference if you set option "l", have + an Errors-To: header in the message, and have Errors-To: + defined in the config file H lines. From J.R. Oldroyd. + Put YPCOMPAT on #ifdef NIS instead -- it's one less thing to get + wrong when compiling. Suggested by Rick McCarty of TI. + Fix a problem that could pass negative SIZE parameter if the + df file got lost; this would cause servers to always + give a temporary failure, making the problem even worse. + Problem noted by Allan Johannesen of WPI. + Add "ident" timeout (one of the "r" option selectors) for IDENT + protocol timeouts (30s default). Requested by Murray + Kucherawy of HookUp Communication Corp. 
to handle bogus + PC TCP/IP implementations. + Change $w default definition to be just the first component of + the domain name on config level 5. The $j macro defaults + to the FQDN; $m remains as before. This lets well-behaved + config files use any of the short, long, or subdomain + names. + Add makesendmail script in src to try to automate multi-architecture + builds. I know, this is sub-optimal, but it is still + helpful. + Fix very obscure race condition that can cause a queue run to + get a queue file for an already completed job. This + problem has existed for years. Problem noted by the + long suffering Allan Johannesen of WPI. + Fix a problem that caused the raw sender name to be passed to + udbsender instead of the canonified name -- this caused + it to sometimes miss records that it should have found. + Relax check of name on HELO packet so that a program using -bs + that claims to be itself works properly. + Restore rewriting of $: part of address through 2, R, 4 in + buildaddr -- this requires passing a lot of flags to get + it right. Unlike old versions, this ONLY rewrites + recipient addresses, not sender addresses. + Fix a bug that caused core dumps in config files that cannot + resolve /file/name style addresses. Fix from Jonathan + Kamens of OpenVision Technologies. + Fix problem with fcntl locking that can cause error returns to + be lost if the lock is lost; this required fully + queueing everything, dropping the envelope (so errors + would get returned), and then re-reading the queue from + scratch. + Fix a problem that caused aliases that redefine an otherwise + true address to still send to the original address + if and only if the alias failed in certain bizarre + ways (e.g, if they pointed at a list:; syntax address). + Problem pointed out by Jonathan Kamens. + Remove support for frozen configuration files. They caused + more trouble than it was worth. 
+ Fix problem that can cause error messages to get ignored when + using both -odb and -t flags. Problem noted by Rob + McNicholas at U.C. Berkeley. + Include all "normal" variations on hostname in $=w. For example, + if the host name is vangogh.cs.berkeley.edu, $=w will + contain vangogh, vangogh.cs, and vangogh.cs.berkeley.edu. + Add "restrictqrun" privacy flag -- without this, anyone can run + the queue. + Reset SmtpPhase global on initial connection creation so that + messages don't come out with stale information. + Pass an "ext" argument to lockfile so that error/log messages + will properly reflect the true filename being locked. + Put all [...] address forms into $=w -- this eliminates the need + for MAXIPADDR in conf.h. Suggested by John Gardiner + Myers of CMU. + Fix a bug that can cause qf files to be left around even after + an SMTP RSET command. Problem and fix from Michael + Corrigan. + Don't send a PostMasterCopy to errors when the Precedence: is + negative. Error reports still go to the envelope + sender address. + Add LA_SHORT for load averages. + Lock sendmail.st file when posting statistics. + Add "SendBufSize" and "RcvBufSize" suboptions to "O" option to + set the size of the TCP send and receive buffers; if you + run over a slow slip line you may need to set these down + (although it would be better to fix the SLIP implementation + so that it's not necessary to recompile every program + that does bulk data transfer). + Allow null defaults on $( ... $) lookups. Problem reported by + Amir Plivatsky. + Diagnose crufty S and V config lines. This resulted from an + observation that some people were using the SITE macro + without the SITECONFIG macro first, which was causing + bogus config files that were not caught. + Fix makemap -f flag to turn off case folding (it was turning it + on instead). THIS IS A USER VISIBLE CHANGE!!! 
+ Fix a problem that caused multiple error messages to be sent if + you used "sendmail -t -oem -odb", your system uses fcntl + locking, and one of the recipient addresses is unknown. + Reset uid earlier in include() so that recursive .forwards or + :include:s don't use the wrong uid. + If file descriptor 0, 1, or 2 was closed when sendmail was + called, the code to recover the descriptor was broken. + This sometimes (only sometimes) caused problems with the + alias file. Fix from Motonori Nakamura. + Fix a problem that caused aliaswait to go into infinite recursion + if the @:@ metasymbol wasn't found in the alias file. + Improve error message on newaliases if database files cannot be + opened or if running with no database format defined. + Do a better estimation of the size of error messages when NoReturn + is set. Problem noted by P{r (Pell) Emanuelsson. + Fix a problem causing the "c" option (don't connect to expensive + mailers) to be ignored in SMTP. Problem noted and the + solution suggested by Robert Elz of The University of + Melbourne. + Improve connection caching algorithm by passing "[host]" to + hostsignature, which strips the square brackets and + returns the real name. This allows mailertable entries + to match regular entries. + Re-enable Return-Receipt-To: -- people seem to want this stupid + feature, even if it doesn't work right. + Catch and log attempts to try the "wiz" command in server SMTP. + This also ups the log level from LOG_NOTICE to LOG_CRIT. + Be more generous at assigning $z to the home directory -- do this + for programs that are specified through a .forward file. + Fix from Andrew Chang of Sun Microsystems. + Always save a fatal error message in preference to a non-fatal + error message so that the "subject" line of return + messages is the best possible. 
+ CONFIG: reduce the number of quotes needed to quote configuration + parameters with commas: two quotes should work now, e.g., + define(ALIAS_FILE, ``/etc/aliases,/etc/aliases.local''). + CONFIG: class $=Z is a set of UUCP hosts that use uucp-dom + connections (domain-ized UUCP). + CONFIG: fix bug in default maps (-o must be before database file + name). Pointed out by Christophe Wolfhugel. + CONFIG: add FEATURE(nodns) to state that we are not relying on + DNS. This would presumably be used in UUCP islands. + CONFIG: add OSTYPE(nextstep) and OSTYPE(linux). + CONFIG: log $u in Received: line. This is in technical violation + of the standards, since it doesn't guarantee a domain + on the address. + CONFIG: don't assume "m" in local mailer flags -- this means that + if you redefine LOCAL_MAILER_FLAGS you will have to include + the "m" flag should you want it. Apparently some Solaris 2.2 + installations can't handle multiple local recipients. + Problem noted by Josh Smith. + CONFIG: add confDOMAIN_NAME to set $j (if undefined, $j defaults). + CONFIG: change default version level from 4 to 5. + CONFIG: add FEATURE(nullclient) to create a config file that + forwards all mail to a hub without ever looking at the + addresses in any detail. + CONFIG: properly strip mailer: information off of relays when + used to change .BITNET form into %-hack form. + CONFIG: fix a problem that caused infinite loops if presented + with an address such as "!foo". + CONFIG: check for self literal (e.g., [128.32.131.12]) even if + the reverse "PTR" mapping is broken. There's a better + way to do this, but the change is fairly major and I + want to hold it for another release. Problem noted by + Bret Marquis. + +8.5/8.5 93/07/23 + Serious bug: if you used a command line recipient that was unknown + sendmail would not send a return message (it was treating + everything as though it had an SMTP-style client that + would do the return itself). Problem noted by Josh Smith. 
+ Change "trymx" option in getcanonname() to ignore all MX data, + even during a T_ANY query. This actually didn't break + anything, because the only time you called getcanonname + with !trymx was if you already knew there were no MX + records, but it is somewhat cleaner. From Motonori + Nakamura. + Don't call getcanonname from getmxrr if you already know there + are no DNS records matching the name. + Fix a problem causing error messages to always include "The + original message was received ... from localhost". + The correct original host information is now included. + Previous change to cf/sh/makeinfo.sh doesn't port to Ultrix (their + version of "test" doesn't have the -x flag). Change it + to use -f instead. From John Myers. + CONFIG: 8.4 mistakenly set the default SMTP-style mailer to + esmtp -- it should be smtp. + CONFIG: send all relayed mail using confRELAY_MAILER (defaults + to "relay" (a variant of "smtp") if MAILER(smtp) is used, + else "suucp" if MAILER(uucp) is used, else "unknown"); + this cleans up the configs somewhat. This fixes a serious + problem that caused route-addrs to get mistaken as relays, + pointed out by John Myers. WARNING: this also causes + the default on SMART_HOST to change from "suucp" to + "relay" if you have MAILER(smtp) specified. + +8.4/8.4 93/07/22 + Add option `w'. If you receive a message that comes to you because + you are the best (lowest preference) target of an MX, and + you haven't explicitly recognized the source MX host in + your .cf file, this option will cause you to try the target + host directly (as if there were no MX for it at all). If + `w' is not set, this case is a configuration error. + Beware: if `w' is set, senders may get bogus errors like + "message timed out" or "host unknown" for problems that + are really configuration errors. This option is + disrecommended, provided only for compatibility with + UIUC sendmail. 
+ Fix a problem that caused the incoming socket to be left open + when sendmail forks after the DATA command. This caused + calling systems to wait in FIN_WAIT_2 state until the + entire list was processed and the child closed -- a + potentially prodigious amount of time. Problem noted + by Neil Rickert. + Fix problem (created in 6.64) that caused mail sent to multiple + addresses, one of which was a bad address, to completely + suppress the sending of the message. This changes + handling of EF_FATALERRS somewhat, and adds an + EF_GLOBALERRS flag. This also fixes a potential problem + with duplicate error messages if there is a syntax error + in the header of a message that isn't noticed until late + in processing. Original problem pointed out by Josh Smith + of Harvey Mudd College. This release includes quite a bit + of dickering with error handling (see below). + Back out SMTP transaction if MAIL gets nested 501 error. This + will only hurt already-broken software and should help + humans. + Fix a problem that broke aliases when neither NDBM nor NEWDB were + compiled in. It would never read the alias file. + Repair unbalanced `)' and `>' (the "open" versions are already + repaired). + Logging of "done" in dropenvelope() was incorrect: it would + log this even when the queue file still existed. Change + this to only log "done" (at log level 11) when the + queue file is actually removed. From John Myers. + Log "lost connection" in server SMTP at log level 20 if there + is no pending transaction. Some senders just close the + connection rather than sending QUIT. + Fix a bug causing getmxrr to add a dot to the end of unqualified + domains that do not have MX records -- this would cause + the subsequent host name lookup to fail. The problem + only occurred if you had FEATURE(nocanonify) set. + Problem noted by Rick McCarty of Texas Instruments. 
+ Fix invocation of setvbuf when passed a -X flag -- I had + unwittingly used an ANSI C extension, and this caused + core dumps on some machines. + Diagnose self-destructive alias loops on RCPT as well as EXPN. + Previously it just gave an empty send queue, which + then gave either "Need RCPT (recipient)" at the DATA + (confusing, since you had given an RCPT command which + returned 250) or just dropped the email, depending on + whether you were running VERBose mode. Now it usually + diagnoses this case as "aliasing/forwarding loop broken". + Unfortunately, it still doesn't adequately diagnose + some true error conditions. + Add internal concept of "warning messages" using 6xx codes. + These are not reported only to Postmaster. Unbalanced + parens, brackets, and quotes are printed as 653 codes. + They are always mapped to 5xx codes before use in SMTP. + Clean up error messages to tell both the actual address that + failed and the alias they arose from. This makes it + somewhat easier to diagnose problems. Difficulty noted + by Motonori Nakamura. + Fix a problem that inappropriately added a ctladdr to addresses + that shouldn't have had one during a queue run. This + caused error messages to be handled differently during + a queue run than a direct run. + Don't print the qf name and line number if you get errors during + the direct run of the queue from srvrsmtp -- this was + just extra stuff for users to crawl through. + Put command line flags on second line of pid file so you can + auto-restart the daemon with all appropriate arguments. + Use "kill `head -1 /etc/sendmail.pid`" to stop the + daemon, and "eval `tail -1 /etc/sendmail.pid`" to + restart it. + Remove the ``setuid(getuid())'' in main -- this caused the + IDENT daemon to screw up. This required that I change + HASSETEUID to HASSETREUID and complicate the mode + changing somewhat because both Ultrix and SunOS seem + to have a bug causing seteuid() to set the saved uid + as well as the effective. 
The program test/t_setreuid.c + will test to see if your implementation of setreuid(2) + is appropriately functional. + The FallBackMX (option V) handling failed to properly identify + fallback to yourself -- most of the code was there, + but it wasn't being enabled. Problem noted by Murray + Kucherawy of the University of Waterloo. + Change :include: open timeout from ETIMEDOUT to an internal + code EOPENTIMEOUT; this avoids adding "during SmtpPhase + with CurHostName" in error messages, which can be + confusing. Reported by Jonathan Kamens of OpenVision + Technologies. + Back out setpgrp (setpgid on POSIX systems) call to reset the + process group id. The original fix was to get around + some problems with recalcitrant MUAs, but it breaks + any call from a shell that creates a process group id + different from the process id. I could try to fix + this by diddling the tty owner (using tcsetpgrp or + equivalent) but this is too likely to break other + things. + Portability changes: + Support -M as equivalent to -oM on Ultrix -- apparently + DECnet calls sendmail with -MrDECnet -Ms<HOST> -bs + instead of using standard flags. Oh joy. This + behaviour reported by Jon Giltner of University + of Colorado. + SGI IRIX -- this includes several changes that should + help other strict ANSI compilers. + SCO Unix -- from Murray Kucherawy of HookUp Communication + Corporation. + Solaris running the Sun C compiler (which despite the + documentation apparently doesn't define + __STDC__ by default). + ConvexOS from Eric Schnoebelen of Convex. + Sony NEWS workstations and Omron LUNA workstations from + Motonori Nakamura. + CONFIG: add confTRY_NULL_MX_LIST to set option `w'. + CONFIG: delete `C' and `e' from default SMTP mailers flags; + several people have made a good argument that this + creates more problems than it solves (although this + may prove painful in the short run). + CONFIG: generalize all the relays to accept a "mailer:host" + format. 
+ CONFIG: move local processing in ruleset 0 into a new ruleset + 98 (8 on old sendmail). Domain literal [a.b.c.d] + addresses are also passed through this ruleset. + CONFIG: if neither SMART_HOST nor MAILER(smtp) were defined, + internet-style addresses would "fall off the end" of + ruleset zero and be interpreted as local -- however, + the angle brackets confused the recursive call. + These are now diagnosed as "Unrecognized host name". + CONFIG: USENET rules weren't included in S0 because of a mistaken + ifdef(`_MAILER_USENET_') instead of + ifdef(`_MAILER_usenet_'). Problem found by Rein Tollevik + of SINTEF RUNIT, Oslo. + CONFIG: move up LOCAL_RULE_0 processing so that it happens very + early in ruleset 0; this allows .mc authors to bypass + things like the "short circuit" code for local addresses. + Prompted by a comment by Bill Wisner of The Well. + CONFIG: add confSMTP_MAILER to define the mailer used (smtp or + esmtp) to send SMTP mail. This allows you to default + to esmtp but use a mailertable or other override to + deal with broken servers. This logic was pointed out + to me by Bill Wisner. Ditto for confLOCAL_MAILER. + Changes to cf/sh/makeinfo.sh to make it portable to SVR4 + environments. Ugly as sin. + +8.3/8.3 93/07/13 + Fix setuid problems introduced in 8.2 that caused messages + like "Cannot create qfXXXXXX: Invalid argument" + or "Cannot reopen dfXXXXXX: Permission denied". This + involved a new compile flag "HASSETEUID" that takes + the place of the old _POSIX_SAVED_IDS -- it turns out + that the POSIX interface is broken enough to break + some systems badly. This includes some fixes for + HP-UX. Also fixes problems where the real uid is + not reset properly on startup (from Neil Rickert). + Fix a problem that caused timed out messages to not report the + addresses that timed out. Error messages are also more + "user friendly". + Drop required bandwidth on connections from 64 bytes/sec to + 16 bytes/sec. 
+ Further Solaris portability changes -- doesn't require the BSD + compatibility library. This also adds a new + "HASGETDTABLESIZE" compile flag which can be used if + you want to use getdtablesize(2) instead of sysconf(2). + These are loosely based on changes from David Meyer at + University of Oregon. This now seems to work, at least + for quick test cases. + Fix a problem that can cause duplicate error messages to be + sent if you are in SMTP, you send to multiple addresses, + and at least one of those addresses is good and points + to an account that has a .forward file (whew!). + Fix a problem causing messages to be discarded if checkcompat() + returned EX_TEMPFAIL (because it didn't properly mark + the "to" address). Problem noted by John Myers. + Fix dfopen to return NULL if the open failed; I was depending + on fdopen(-1) returning NULL, which isn't the case. This + isn't serious, but does result in weird error diagnoses. + From Michael Corrigan. + CONFIG: add UUCP_MAX_SIZE M4 macro to set the maximum size of + messages sent through UUCP-family mailers. Suggested + by Bill Wisner of The Well. + CONFIG: if both MAILER(uucp) and MAILER(smtp) are specified, + include a "uucp-dom" mailer that uses domain-style + addressing. Suggested by Bill Wisner. + CONFIG: Add LOCAL_SHELL_FLAGS and LOCAL_SHELL_ARGS to match + LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS. Suggested by + Christophe Wolfhugel. + CONFIG: Add OSTYPE(aix3). From Christophe Wolfhugel. + +8.2/8.2 93/07/11 + Don't drop out on config file parse errors in -bt mode. + On older configuration files, assume option "l" (use Errors-To + header) for back compatibility. NOTE: this DOES NOT + imply an endorsement of the Errors-To: header in any way. + Accept -x flag on AIX-3 as well as OSF/1. Why, why, why??? + Don't log errors on EHLO -- it isn't a "real" error for an old + SMTP server to give an error on this command, and + logging it in the transcript can be confusing. Fix + from Bill Wisner. 
+ IRIX compatibility changes provided by Dan Rich + <drich@sandman.lerc.nasa.gov>. + Solaris 2 compatibility changes. Provided by Bob Cunningham + <bob@kahala.soest.hawaii.edu>, John Oleynick + <juo@klinzhai.rutgers.edu> + Debugging: -d17 was overloaded (hostsignature and usersmtp.c); + move usersmtp (smtpinit and smtpmailfrom) to -d18 to + match the other flags in that file. + Flush transcript before fork in mailfile(). From Eric Wassenaar. + Save h_errno in mci struct and improve error message display. + Changes from Eric Wassenaar. + Open /dev/null for the transcript if the create of the xf file + failed; this avoids at least one possible null pointer + reference in very weird cases. From Eric Wassenaar. + Clean up statistics gathering; it was over-reporting because of + forks. From Eric Wassenaar. + Fix problem that causes old Return-Path: line to override new + Return-Path: line (conf.c needs H_FORCE to avoid + re-using old value). From Motonori Nakamura. + Fix broken -m flag in K definition -- even if -m (match only) + was specified, it would still replace the key with the + value. Noted by Rick McCarty of Texas Instruments. + If the name server timed out over several days, no "timed out" + message would ever be sent back. The timeout code + has been moved from markfailure() to dropenvelope() + so that all such failures should be diagnosed. Pointed + out by Christophe Wolfhugel and others. + Relax safefile() constraints: directories in an include or + forward path must be readable by self if the controlling + user owns the entry, readable by all otherwise (e.g., + when reading your .forward file, you have to own and + have X permission in it; everyone needs X permission in + the root and directories leading up to your home); + include files must be readable by anyone, but need not + be owned by you. 
+ If _POSIX_SAVED_IDS is defined, setuid to the owner before + reading a .forward file; this gets around some problems + on NFS mounts if root permission is not exported and + the user's home directory isn't x'able. + Additional NeXT portability enhancements from Axel Zinser. + Additional HP-UX portability enhancements from Brian Bullen. + Add a timeout around SMTP message writes; this assumes you can + get throughput of at least 64 bytes/second. Note that + this does not impact the "datafinal" default, which + is separate; this is just intended to work around + network clogs that will occur before the final dot + is sent. From Eric Wassenaar. + Change map code to set the "include null" flag adaptively -- + it initially tries both, but if it finds anything + matching without a null it never tries again with a + null and vice versa. If -N is specified, it never + tries without the null and creates new maps with a + null byte. If -O is specified, it never tries with + the null (for efficiency). If -N and -O are specified, + you get -NO (get it?) lookup at all, so this would + be a bad idea. If you don't specify either -N or -O, + it adapts. + Fix recognition of "same from address" so that MH submissions + will insert the appropriate full name information; + this used to work and got broken somewhere along the + way. + Some changes to eliminate some unnecessary SYSERRs in the + log. For example, if you lost a connection, don't + bother reporting that fact on the connection you lost. + Add some "extended debugging" flags to try to track down + why we get occasional problems with file descriptor + one being closed when execing a mailer; it seems to + only happen when there has been another error in the + same transaction. This requires XDEBUG, defined + by default in conf.h. + Add "-X filename" command line flag, which logs both sides of + all SMTP transactions. 
This is intended ONLY for + debugging bad implementations of other mailers; start + it up, send a message from a mailer that is failing, + and then kill it off and examine the indicated log. + This output is not intended to be particularly human + readable. This also adds the HASSETVBUF compile + flag, defaulted on if your compiler defines __STDC__. + CONFIG: change SMART_HOST to override an SMTP mailer. If you + have a local net that should get direct connects, you + will need to use LOCAL_NET_CONFIG to catch these hosts. + See cf/README for an example. + CONFIG: add LOCAL_MAILER_ARGS (default: `mail -d $u') to handle + sites that don't use the -d flag. + CONFIG: hide recipient addresses as well as sender addresses + behind $M if FEATURE(allmasquerade) is specified; this + has been requested by several people, but can break + local aliases. For example, if you mail to "localalias" + this will be rewritten as "localalias@masqueradehost"; + although initial delivery will work, replies will be + broken. Use it sparingly. + CONFIG: add FEATURE(domaintable). This maps unqualified domains + to qualified domains in headers. I believe this is + largely equivalent to the IDA feature of the same name. + CONFIG: use $U as UUCP name instead of $k. This permits you + to override the "system name" as your UUCP name -- + in particular, to use domain-ized UUCP names. From + Bill Wisner of The Well. + CONFIG: create new mailer "esmtp" that always tries EHLO + first. This is currently unused in the config files, + but could be used in a mailertable entry. + +8.1C/8.1B 93/06/27 + Serious security bug fix: it was possible to read any file on + the system, regardless of ownership and permissions. + If a subroutine returns a fully qualified address, return it + immediately instead of feeding it back into rewriting. + This fixes a problem with mailertable lookups. 
+ CONFIG: fix some M4 frotz (concat => CONCAT) + +8.1B/8.1A 93/06/12 + Serious bug fix: pattern matching backup algorithm stepped by + two tokens in classes instead of one. Found by Claus + Assmann at University of Kiel, Germany. + +8.1A/8.1A 93/06/08 + Another mailertable fix.... + +8.1/8.1 93/06/07 + 4.4BSD freeze. No semantic changes. + +6.65/6.34 93/06/06 + Fix some lintish problems. + Fix some cases where server SMTP behaved poorly when handed bogus + input, pointed out by Eric Wassenaar. + CONFIG: fix some more (sigh) mailertable bugs -- thanks to + Motonori Nakamura of Kyoto University (again). + +6.64/6.33 93/06/05 + Don't send 050 (-v) information after the 250 response to a QUIT + command in srvrsmtp -- clients usually close the connection + at this point, and it causes bogus error messages. + Don't send messages that have errors on input (such as unbalanced + parentheses) during SMTP transactions, since a return + message has (probably) already been sent. + Give better diagnostics on timeouts during network reads, including + information similar to the SMTP phase. + Fix bug that caused SMTP messages to deliver synchronously; this + happened after the DATA 250, and hence caused reading the + next command to be delayed. + Ignore Errors-To: header unless 'l' (lower case el) header is + specified. The Errors-To: header violates RFC 1123. + Errors-To: was only needed to take the place of the + envelope sender in the days when most Unix mailers + didn't understand about the two kinds of senders. + Don't send warning messages in response to automatically generated + messages (that is, those From:<>). + CONFIG: fix some rather stupid typos in the mailertable code + pointed out by Motonori Nakamura of Kyoto University. + CONFIG: add confUSE_ERRORS_TO configuration option. + CONFIG: if ALWAYS_ADD_DOMAIN is selected, try to use $M + (masquerade name) instead of $j. 
+ CONFIG: don't add dots to relay names (added in 6.29); it breaks + several things, and can be simulated by dot terminating + the names of relays. For example, use: + DBbit.net.relay. + (note the trailing dot). + +6.63/6.32 93/06/01 + Fix prototypes to eliminate chars in argument lists -- some + compilers are pissy about this. + Log protocol ($r) and body type if set so we can determine if + the adaptive algorithms are working. + Pessimize on locking of database files (particularly for NEWDB + databases) during opens. There were problems with + processes opening the file while it was rebuilt; since + NEWDB caches heavily, the reader opened an empty file, + which is an error. If your system has the ability to + lock atomically on open, this works properly; otherwise, + there are race conditions. + Check mod time on .pag file instead of .dir in NDBM aliases + because the .dir file doesn't get updated for small + alias files. From John Gardiner Myers of CMU. + More Solaris portability -- it now compiles on Solaris, but + hangs up in gethostbyname(). + Move setting of RES_DEBUG flag before first myhostname() call + so we can see name server traffic on that call. + Fsync() queue files. + Fix a problem that causes -bi to try to rebuild maps other than + the alias file(s). + Fix a problem that caused udb to reject entries from any but + the first database listed. + Rearrange doc subdirectory for 4.4BSD release tape. + CONFIG: put $r into the Received line. This was an oversight. + CONFIG: fix typo (call to ruleset 99 should have been ruleset 90). + CONFIG: move "auxiliary" subroutines to be in ruleset 90-99 + range -- in the long run, single digit rulesets may + become reserved for builtin use by sendmail. + CONFIG: fix major problem that causes host aliases (that is, + anything in $=w != $j) to not be recognized. This has + been around since 6.30. + +6.62/6.31 93/05/28 + BETA RELEASE + Fix recursive syserr (if there is an error printing a syserr + message). 
This makes the code much less eager to consider + a write error as serious. This also includes some + heuristics to be clever about closed connections. + Lock NEWDB files during gets. This requires version 1.5 or later + of the db library. If you have an older version, you + can use -DOLD_NEWDB. This will go away in a few weeks. + Fix problem causing aliases that use host maps to get overwritten. + Do appropriate byte swapping on port numbers in ident protocol + code. Fix from Allan Johannesen of WPI. + Defer opening of map files to the same time as alias files so that + the daemon will tend to pick up new versions more promptly. + Prototype a bunch more functions. + Some Solaris 2.1 changes (still doesn't link though). + Try to simplify Makefiles by including more subordinate #defines + in conf.h (based on OS type). + CONFIG: check for domains if FEATURE(mailertable) is defined. + For example, if the host name is "knecht.cs.berkeley.edu" + it will search the following mailertable keys: + knecht.cs.berkeley.edu + .cs.berkeley.edu + .berkeley.edu + .edu + This could be used to replace the special relays for bitnet + and similar nets. + +6.61/6.30 93/05/24 + Fix problem that prevented appending dots on canonified host + names. This breaks tons of config files -- very + important fix. + Fix improper pointer dereference in response to HELO command. + Fix core dump if debugging set in map_rewrite. + CONFIG: add FEATURE(always_add_domain) to always attach the + local domain (only impacts local mail). + CONFIG: try to avoid turning names into $j -- although + technically a host can only have one "canonical name", + it seems to be common practice to have several. + +6.60/6.29 93/05/22 + Major change: merge alias databases with maps. This expands and + changes the map class interface but fixes a bunch of bugs. + The important user-visible change is that the file name + in a K line now does not include the ".db" extension; this + is added automatically. 
Also, the -d (NIS domain) flag is + missing from the K config line; use @domain instead. + When compiling, the *_MAP names are gone -- just compile + in NDBM, NEWDB, and/or NIS support. + Announce mailer/host/user triple on -bv flag -- from Brian + Bullen of Stirling University. + Don't send more than one line in response to HELO -- it confuses + Pony Express, which then behaves very badly. However, + this change does send two line 220 greetings, with the + second line reading "ESMTP spoken here". The usersmtp + module recognizes this and goes into ESMTP mode regardless + of the setting of the "a" mailer flag. Thus, "a" means + "always try EHLO". + AIX portability changes (thanks to Christophe Wolfhugel of + Herve Schauer Consultants (Paris) for providing me with + an INSA account for this purpose). Lightly tested. Use + -D_AIX3. This probably breaks compatibility with some + older systems (e.g., 4.2bsd) but still works on SunOS + 4.1.2, Ultrix 4.2A, HP-UX 8.07, OSF/1 T1.3, and AIX 3.2.3. + Fix a problem causing an error message loop if the output channel + is hosed. + Add the Makefiles that I use for various environments -- some are + Berkeley make versions and some are old make versions. + My makefile for the NeXT box has gotten lost, alas! + PRALIASES: support for printing NEWDB databases. From + Michael J. Corrigan of U.C. San Diego. + CONFIG: don't pass pseudo-domains to $[ ... $] (if you have + a wildcard MX it can have weird results). From + Christophe Wolfhugel. + CONFIG: dot terminate relay hostnames in S0. From Christophe + Wolfhugel. + +6.59/6.28 93/05/13 + Log version with SMTP daemon startup message. + Adjust setproctitle to work on NetBSD and BSD/386. + Fix null pointer reference in MX fallback code. + A bunch of minor fixes from Eric Wassenaar: + If deliver cannot execv the mailer, return EX_OSERR + instead of EX_TEMPFAIL (to give better + error messages). + Consistently malloc e_message. 
+ Catch degenerate case of calling returntosender() + with an empty returnq. + MIME reformatting. + +6.58/6.28 93/05/13 + Fix bug that can cause incorrect verbose display of user smtp + messages. + Disable SMTP VERB command if PRIV_NOEXPN is set (since this + could reveal the same information. + Allow failure when reading SMTP greeting message to go on to + next MX host. + Add "MIME-Version: 1.0" header if using MIME (this was NOT + included in RFC 1344, but Bill King of Allan-Bradley + Company forwarded me email from Nathaniel Borenstein + claiming that it was an inadvertent omission). + Don't use Content-Type: X-message-header. According to John + Myers of CMU, many MIME readers will completely ignore + the data if they don't recognize it. Instead, just + add a blank line to make it a legal (empty) message. + Fix problem causing dots to keep getting appended to cached + hostnames. This can cause buffer overrun conditions. + The problem was found by Erik Forsberg of Retix, + although I used a different bug fix than he provided. + Fix parsing of split header/envelope rewriting specs -- from + Eric Forsberg. + Fix from Eric Wassenaar to correct To: lists in error messages. + +6.57/6.28 93/05/11 + Fix minor glitch causing extra ctladdrs to be output to queue + file. Just an annoyance. + Cache results of name server canonification lookups to avoid + backed up queue runs. + Major rewrite of alias.c: considerable cleanup, plus sample + (untested) support for NIS aliases. The "A" option + can now be a comma separated list (or be repeated) -- + that is, you can have multiple alias databases. Each + database can have the syntax ``class:file''; if no class + is specified, the "implicit" class is assumed. Implicit + searches through a list of compiled in types -- hash, + dbm, nis, and stab. Alias files are searched in the + order they are listed. 
For example: + OAhash:/etc/aliases.local,/etc/aliases + OAnis:mail.aliases@my.nis.domain + first searches the hash database /etc/aliases.local, + then the regular /etc/aliases database, then the NIS + map "mail.aliases" in the NIS domain "my.nis.domain". + If in Verbose mode (probably from VERB command) run SMTP job + in foreground and don't do RCPT optimizations. + Add udb :mailsender as equivalent to owner- for regular aliases. + Delete option 8; add option 7 that means the opposite. That is, + default to 8-bit mode; a special option is needed to + force sendmail into 7 bit mode. + Send error messages in encapsulated MIME format. + New compile flag "NIS" that turns on NIS alias and NIS map + support. + Add "j" option to send error messages in MIME (RFC 1341) + encapsulated message format per RFC 1344. The + syntax is pretty ugly if you don't have MIME-aware + user agents. + Clean up message handling (for display in mailq output). + New setproctitle implementation for 4.4bsd. + Create files (such as ~/dead.letter) using mode FileMode (the + F option value) instead of 0666. + Fix bug causing output of EXPN command to not be fully qualified. + This may cause some problems with UUCP addresses that + will require some config file assistance -- specifically, + the $: part has to include the host name for this output + to make sense. + Fix a problem that sometimes diagnosed errors and still sent the + message if the header syntax was bad. + Fix a bug that caused an error message to be emailed when sendmail + was operating in -bv mode. + Add "ListenQueueSize" keyword to daemon options option (OO) to + set the queue size parameter passed to listen(). You + will normally have to tweak your kernel to up this. + Strip spaces off of beginning of message-id before logging (in + case it was folded across lines). + Tweak compile flags in daemon.c -- there were some cases where + it wouldn't work without NETINET. 
+ Change *file* mailer to output all the usual default headers + (From, Date, Message-Id). It gets used when sending + back error messages. + CONFIG: explicitly catch and diagnose list:; syntax in ruleset + zero -- this is not a valid recipient syntax according + to RFC 821. + CONFIG: add confMIME_FORMAT_ERRORS to send error messages in + MIME format. Defaults to on. + CONFIG: add SMTP_MAILER_FLAGS and UUCP_MAILER_FLAGS to augment + the flags for those mailers. + +6.56/6.27 93/05/01 + Fix problem that causes the fallback mail to postmaster + (case ESM_POSTMASTER in savemail()) to not look at + aliases (ugh). + Some more HPUX tweaking (compile flag hpux => __hpux so it + still works in ANSI mode). + Don't try to flock non-regular files when mailing to a file. + In particular, this was a problem if you tried to + send to /dev/null. + Fix a weird bug that can cause senders to be queued as + recipients if the name server is down when the mail + is initially sent. This hack just ignores sender + deletion (essentially, it sets the MeToo flag) if there + is a TEMPFAIL during processing of the sender address. + Obscure. + Fix a dangling else problem -- from Brian Bullen from University + of Stirling, UK. + Add the "b" mailer flag to force a blank line on the end of + messages. Some brilliant versions of /bin/mail insist + on this but do not add it themselves. + Add the "g" mailer flag to prevent user SMTP from sending + "MAIL From:<>". This is only intended to be a + transitional gesture, and should not be used if at + all possible. It appears that Berkeley and IDA + config files have always handled this properly; the + UK config kit apparently does not. + Don't lowercase and then capitalize header field names -- leave + them with original capitalization. Fixes from Bill + King of Allen-Bradley Company. + Further cleanup and improved reporting of error messages, + particularly conditions that cause messages to be + requeued for future delivery. 
+ Tweak syslog priorities in some cases. + CONFIG: clean up route-addr on UUCP addresses. + +6.55/6.25 93/04/27 + HPUX 8.07 compatibility changes in getla() -- I had to make + these changes to get it to work at Berkeley, although + others seem to have been working before (???). + Various patches to XLA code. + Fix problem that causes setuid bit on files to be ignored from + SMTP or in queue runs. Problem noted by Jason Ornstein + of Under The Wire, Inc. + Fix problem that can cause CNAMEs to be ignored. + Generalize getmxrr to match local host in $=w instead of a + single name passed in. + Some cleanup from Eric Wassenaar: + Use FileMailer instead of ProgMailer in two places. + Eliminate duplicate 8th-bit stripping in commaize. + Fix a problem with mis-parsing of backslash escapes + under some circumstances. + NIS map fix (was always including trailing null character) + from Mike Glendinning of Ingres UK. + Add "a" mailer flag to try using ESMTP. It tries the EHLO + command and if that fails falls back to regular SMTP. + Also parses EHLO option keywords. If host supports + SIZE extension, this is added to the MAIL FROM: + command. + Extend "b" option to include a second value which is the + maximum message size this server is willing to accept. + For example, a value of "10/1000000" says that there + must be ten blocks free, and sendmail will reject + any message larger than one megabyte. + Some portability hooks for NeXT (this could be applicable + to Mach in general). You have to create an empty + file called "unistd.h" to get it to compile. + Adjust config values (MAXLINE, MAXATOM, and PSBUFSIZE) to + be more generous. + Add X400-Received: to the list of headers tagged with H_TRACE + in conf.c. From Bill King, Allen-Bradley Co. + +6.54/6.25 93/04/19 + Fix problem that caused redefinition of SMTP and QUEUE compile + flags. Pointed out by Jon Forrest of the Sequoia 2000 + project at Berkeley. + Properly handle \! 
hack -- it was treating host\!user as one + token (host!user) instead of three (host, !, user). + Fix from Eric Wassenaar of NIKHEF-H. + Fix compilation problem in getauthinfo() if IDENTPROTO is off. + Turn off DEFNAMES and DNSRCH when getting the hostsignature + (i.e., MX records) in level 1 configuration files; this + matches the old behaviour. From Motonori Nakamura of + Kyoto University. + Improve error message printing -- if sent through an alias, + error messages include the name of the alias in the + message. Unfortunately, in order to make this work + properly in queue runs, this changes the format of the + C line in the qf file. The relatively uselessness of + the previous information was pointed out to me by + Allan E Johannesen of WPI. + Add XLA compile flag to add hooks to Christophe Wolfhugel's + extended load average code. This is still in very early + form. For information regarding the guts of the xla + code, contact Christophe.Wolfhugel@grasp.insa-lyon.fr. + Additional hooks for detecting tempfails in rewriting rules + (that is, in map lookups). + +6.53/6.25 93/04/15 + Properly diagnose ruleset zero returning null (instead of a mailer + triple). From Motonori Nakamura of Kyoto University. + More generalization of socket code for other protocols. + Shorten timeouts on reverse name lookups -- since they are done + during connection establishment, long timeouts here can + cause higher level timeouts. This mainly serves to accept + mail from hosts that do not have proper reverse (PTR) DNS + records set up. + Reset e_statmsg before each mailer invocation to avoid bogus + messages in the log. + Redefine $r, $s, and $_ in error envelopes so you don't get + incorrect cruft in the error message. Problem noted by + Motonori Nakamura of Kyoto University. + Fix a problem that can cause failure to return errors to Postmaster + in certain cases. From Motonori Nakamura. 
+ Fix a problem that can cause some systems to give duplicate error + messages when a bad syntax address such as "<a" is presented + to an SMTP server. It doesn't seem to occur on all + machines. From Motonori Nakamura. + Default IDENTPROTO off for Ultrix and HPUX, which apparently have + the interesting "feature" that when they receive a "Host + unreachable" message they closes all open connections to + that host. However, some firewall gateways send this message + if you try to connect to an unauthorized port, such as the + IDENT port (113). Thus, no email can be received from such + hosts. There is some evidence that versions of Ultrix before + 4.3 do not have this problem. Thanks to Tom Ivar Helbekkmo + for pointing out this behaviour to me and to Michael Corrigan + of U.C. San Diego for informing me about the HPUX problem. + Allow IPC mailers to return a colon-separated list of hosts in the + $@ clause; these are searched in order as though they were + MX records. + When sending an error report, print the list of addresses tagged + as bad. Requested by Allan E Johannesen of WPI. + Change map function calls to return a status code. This gets + passed back as the result of rewrite. Parseaddr marks + the address as a QUEUEUP address if the return code is + EX_TEMPFAIL. All this to queue properly if the name + server is down. This code is not well tested. This code + changes the interface to map lookup functions (a fifth + parameter, int *statp, is added). Feature requested by + Dan Oscarsson. + Don't delete quotes (in the dequote map) if there are spaces in + the string, since this would cause them to be replaced by + the SpaceSub character. + Accept BODY=8BITMIME on SMTP MAIL command. This isn't advertised + because the 8BIT to 7BIT translation doesn't exist yet. + This does add a "bodytype" field to both envelope and + queue file and a -B command line flag to pass the type in + during direct invocations. 
+ Discard return error messages only on responses to responses to + responses, not on responses to responses. That is, the + algorithm is to try return to sender, then return to + postmaster, then discard. Previously it discarded + immediately if the return to sender pass failed. + CONFIG: back out change to hide unqualified hostnames behind %-hack. + This screws up local aliases and .forward files. + CONFIG: add FEATURE(nocanonify) to turn off calls to $[ ... $]; + some sites only handle completely canonified names. + Requested by John Gardiner Myers of CMU. + CONFIG: some UUCP code was still included even if FEATURE(nouucp) + was specified. + +6.52/6.24 93/04/10 + Clean up some minor glitches on error return messages pointed out + by Motonori Nakamura of Kyoto University. + Fix reply() to not reset SmtpReplyBuffer on fatal errors; this + was supposed to reset SmtpMsg Buffer. This makes the + client side code virtually useless. Reported by Allan + E Johannesen of WPI and Phil Brandenberger of Swarthmore. + Better debug messages if fuzzy is disabled, suggested by Allan + E Johannesen of WPI. + Offset SmtpReplyBuffer by four in usersmtp when checking for + loopback. From Eric Wassenaar. + Don't set $s until after runinchild in srvrsmtp -- otherwise + it gets cleared. From Eric Wassenaar. + Implement IDA-style $&x for deferred macro expansion. + More POSIX compatibility. + CONFIG: Hide unqualified hostnames behind %-hack using $s as the + actual sender. This is only done if $r is non-null, that + is, if this is not locally submitted mail. + CONFIG: Add FEATURE(bitdomain) allowing mapping of BITNET host + names to internet domains. A program contributed by + John Gardiner Myers of CMU to create the maps is included + in the contrib directory (in the "misc" tar file). + CONFIG: Add FEATURE(uucpdomain) for a similar mapping for UUCP + hosts. There is currently no tool to create this map. 
+ +6.51/6.23 93/04/04 + Add D= mailer flag to specify a path of possible working directories + in which to execute the mailer. This is intended for the + prog mailer; some shells can get upset if they don't have + access to the current directory. + Add RFC 1413 (IDENT) protocol support. This is only very loosely + tested. This adds a $_ macro to be the authenticated + info (in ``user@domain [address]'' form) and debug flag + 9 to trace the protocol. + Check for loopbacks in usersmtp instead of srvrsmtp -- there is no + reason for a local agent to not be talking to the localhost + (although the inverse is not true). + Add a few hooks for automated map rebuilding. This is certainly + not done yet. + CONFIG: Have prog mailer specify a path of ``D=$z:/'' -- that is, + user's home directory then the root. + CONFIG: Log RFC 1413 identification in Received: line. + +6.50/6.22 93/04/01 + Fixes to requeueing code to make it compute priority, nrcpts, + and the like properly. + +6.49/6.22 93/04/01 + Diagnose incorrect privacy flags. Suggested by Bryan Costales + of ICSI. + Some ANSI C fixes. + Arrange to quote backslashes as well as other special characters + in the phrase part of a route-addr. + Some fixes to FallBackMX code suggested by Motonori Nakamura of + Kyoto University. + More vigorous zeroing of CurHostAddr to avoid logging of bogus + host addresses when you are actually just printing + information from the MCI structure; problem noted by + Michael Corrigan of U.C. San Diego. + Don't ignore rest of queue if any job is not runnable. This can + also cause an incorrect job to be lost. Fix from + Eric Wassenaar. + Always respond "quickly" to RCPT command; do alias expansion and + the like later. This also means that mail for lists that + have errors will be accepted, and an error sent back + later. This is done by instantiating the queue file + and then immediately running and requeueing it. + +6.48/6.22 93/03/30 + Fix incorrect diagnosis of infinite loop in ruleset. 
Problem noted + by several people. + Improve information printed when infinite loops are discovered. + Zero CurHostAddr to fix erroneous internet addresses in log when no + addresses can be bound. Pointed out by Motonori Nakamura + of Kyoto University. + "Probe" SMTP connections using RSET instead of NOOP "just in case". + Suggested by John Gardiner Myers of CMU. + Don't warn about -f if you are setting sender to yourself. + +6.47/6.22 93/03/29 + Fix incompatible call to endmailer in smtpquit which causes core + dumps. Noted by Allan E Johannesen of WPI. + HPUX portability changes from Michael J. Corrigan of UC San Diego. + Require MAIL before RCPT command in srvrsmtp.c. This had been + intentional from the 821 draft days when the order wasn't + clear, but is silly now. + Fix bug in nis_magic routine that was initializing parameters + incorrectly. Fix from Takahiro Kanbe of Fuji Xerox + Information Systems Co., Ltd. + Change default for PrivacyFlags in conf.c to 0 -- since it always + "or"s in new values, there was no way to turn off the + AuthWarning stuff. + Add O option to set SMTP daemon options. + Add V option to set fallback MX host. This always sorts at lower + priority than anything it gets from the name server. It + should only be used for environments with very bad network + connectivity. Requested by several people. + Log sending info. It's not clear this is a good idea. + CONFIG: fix typo in mailertable code. Noted by Phil Brandenberger + of Swarthmore. + CONFIG: add confDAEMON_OPTIONS and confFALLBACK_MX to set options + O and V, respectively. + +6.46/6.21 93/03/26 + Fix botch in server SMTP that broke transactions that did not + use HELO first (like MH). Fix from Michael Corrigan + of U.C. San Diego. + Fall back to other MX records if there is an error anywhere + in delivery (actually on MAIL or DATA -- RCPT is harder). + Suggested by John Gardiner Myers and Motonori Nakamura. 
+ Revert to non-prototypes -- it turns out that our ANSI C + compiler is more forgiving than most others about + mixing prototyped extern declarations with non-prototyped + function definitions. + Fix a problem with multi-word class matching pointed out by + Neil Rickert. Given: + CX b a.b.c + R$+ $=X $+ $: $1 < $2 > $3 + the input "user@a.b.c" failed instead of being properly + rewritten as "user@a.<b>.c". + Neil also convinced me that it was correct that $~ should match + only one token -- the problem is that it's always possible + to add another token, so $~ matches far too eagerly. + +6.45/6.21 93/03/25 + Implement multi-word classes (properly!). + +6.44/6.21 93/03/25 + Add X-Authentication-Warning: headers to clue users into possible + attempts to forge mail. This is on the authwarnings + privacy flag, but is the default. Suggested by Bryan + Costales of ICSI. + Pass default units for convtime in so they can be more reasonable. + Allow config files to always add a new Comments: header (i.e., + they will be added even if an old one already exists). + Suggested by Bryan Costales of ICSI. + Allow config files to delete an existing Return-Path: header. + These should only be added at final delivery. Suggested + by Bryan Costales of ICSI. + Some debugging additions. Suggested by Bryan Costales of ICSI. + Clean up logging of Family 0 addresses. Noted by David Muir + Sharnoff and others. + Add a "dequote" map class. This allows config files to strip + quotes off of addresses. Note that this is not a builtin + map, just a class -- so you have to define the map + using the K line. + Fix a bug in the queueup() loop getting a locked tf where in + very odd cases it can fall off the bottom and core dump. + Of course, it was P{r Emanuelsson who found it.... + Open a new transcript when splitting an envelope. Problem found + by Allan E Johannesen of WPI. + Improved error output in endmailer if the mailer core dumps. + CONFIG: Fix typo in UUCP mailer definition. 
+ CONFIG: Default several of the new options on: eight bit input, + privacy flags set to "authwarnings", and message warning + set to 4h. + CONFIG: Use dequote map. + +6.43/6.20 93/03/23 + Fix problem with assumption of an sa_len field in a generic + sockaddr -- it turns out that most vendors haven't + picked up this (very important) fix. + Change compilation flags for daemon code -- select one or both + of NETINET or NETISO, but don't ever set DAEMON manually. + CONFIG: add FEATURE(mailertable) to do IDA-style mailertables. + +6.42/6.19 93/03/19 + Use Postmaster as default fallback return address, not root. + POSIX changes for file descriptor handling. + Diagnose errors writing new queue file. + If you change the owner using an owner- alias, also change the + error mode to EM_MAIL so that errors don't get dropped + into an inappropriate directory. Problem noted by + Allan E Johannesen of WPI. + If you are su'ed to root, send email as who you really are, not + as root. From Brian Kantor of U.C. San Diego. + Allow warning messages to be sent after a configurable interval + has passed without delivery. The message is sent only + once per envelope. This changes the format of the qf + file to have an F line, and the format of the T option + to accept take the format "return/warn" (both intervals). + Don't force all local names to lower case -- this was left over + from the weird handling of case mapping on aliases. It + is now driven (as expected) by the "u" mailer flag. + Problem noted by P{r Emanuelsson. + Fix problem that caused headers on returned email to be trashed; + they were getting freed, but are still accessible via + BlankEnvelope. + Fix problem that caused bogus ids to be created on returned + mail. + Add support for ISO and other non-INET networking. This is by + no means finished yet. This does assume a lot of other + system support, like a version of gethostbyname that + returns non-AF_INET addresses. 
+ CONFIG: change default on prog mailer to keep upper case in + user names (i.e., in the program command line). + CONFIG: strip trailing dots off of hosts in uucp mailer before + convert to bang format. + CONFIG: create new "relay" mailer for $R (LOCAL_RELAY) and $H + (MAIL_HUB) delivery that doesn't add local domain. Note + that this violates 821, but is probably "more correct" + for what we are trying to do. Problem pointed out by + Michael Graff of Iowa State. + +6.41/6.18 93/03/18 + Clean up unnecessary creates of queue ids (i.e., empty qf files) + when not needed, such as when starting up an SMTP + connection. + Fix problem where split envelopes aren't instantiated in the queue. + This is quite a serious bug. + Owner- aliases had problems with leading spaces causing a + premature delimitation. + +6.40/6.18 93/03/18 + Have ending 250 (after DATA) include the id; suggested by + Brian Kantor of UC San Diego. + Add logging on envelope splitting. + Change queue ids to have one more letter encoding the hour of + the day so that during a single day there is a greater + likelihood of uniqueness; requested by Brian Kantor. + +6.39/6.18 93/03/18 + Fix minor compile problem if LOCKF is defined. + Define size of tobuf in conf.h. Observed by Toshinari Takahashi + of Toshiba. + Restore e_sender -- this is equivalent to e_from.q_paddr without + decorations such as angle brackets and comments. + OSF/1 on Alpha changes from Allan E Johannesen of WPI. + CONFIG: fix typo in S3 for list syntax (;: => :;). Thanks to + Christopher Hoover for noting the problem. + +6.38/6.17 93/03/17 + Pass envelope to disconnect to avoid another use of CurEnv, which + can apparently end up being null at inopportune times. + Log "received from" as "relay=" for consistency (suggested by + John Gardiner Myers). + Fix major bug in header handling: if no From: line existed in + the header (so sendmail inserts one), and the sender is + an alias that has an owner, the 
From: line shows the + owner (as well as the envelope). Fixed by early binding + the headers (which will change debugging output). + HPUX portability patches from Michael J. Corrigan of UC San Diego. + Some attempts to adapt better to out of open file conditions. + Some changes to ctladdr handling in queue files. + +6.37/6.17 93/03/16 + MAJOR CHANGE: delete e_sender and e_returnpath (why are these + different from e_from?) and $< macro. + Log correct IP address in relay= field even if the connection + times out. + Log "received from [RESPONSE]" on EF_RESPONSE messages (from + John Gardiner Myers). + Fixes to SysExMsg logging (sometimes just got "message: %s" + instead of "message: error message"), noted by Eric + Wassenaar. Also reported by Motonori Nakamura. + Improvements to MX piggybacking code, from Motonori Nakamura. + Fix case where CurHostName points to an auto variable that has + been deallocated (from Motonori Nakamura). + Fix bug causing newlines to be included in aliases if option + "n" (check alias RHS) is set; bug noted by David Muir + Sharnoff. + Fix problem causing user names that should be mapped to lower + case to not be mapped if they are sent during a queue + run. This greatly simplifies the case mapping code. + Problem noted by Allan E Johannesen of WPI. + Don't do recipient address rewriting in buildaddr. This + improperly did recipient rewriting on sender addresses, + and just seems bogus in general -- but the change could + break some .cf files. + Pass TZ envariable to child processes for System V. + CONFIG: allow LOCAL_RULE_1 and LOCAL_RULE_2 if you want to + define those rulesets. + KNOWN PROBLEM: I have seen some problems on SunOS that causes + the User Data Base to give errors on some addresses. I + have tracked the problem back at least as far as 93.02.15 + (version 6.22). Running with debugging on makes it + go away, so I conclude that it is referencing uninitialized + stack data. I haven't been able to track this down yet. 
+ +6.36/6.16 93/03/08 + Allow local mailer to specify $@host -- this lets you assign the + "foo" part of jgm+foo to $h for passing in to the local + mailer. + Additional debug printing in getcanonname (show query type). + Don't add the e_fromdomain on sender addresses -- this interacts + weirdly with the owner- code. + Improve delivery logging to not log obvious or meaningless stuff. + Include numeric IP address in Received: lines per RFC 1123 section + 5.2.8. + Fixed a bug in checking stat() return value if restrictmailq is + set. Also, check the entire group set instead of just the + primary group. Both from John Gardiner Myers. + Don't have usrerr automatically print errno, since this is often + misleading. + Use transienterror() in makeconnection after connect() fails and + in openmailer after execve() fails (from Eric Wassenaar). + Also moved transienterror() from util.c to conf.c. + Clean up from= logging on response messages. + Undo patch allowing prescan to return a null vector -- it breaks + too many things. + Config: FEATURE(notsticky) lets you use UDB for everything coming + in to the machine, even if it is specifically targetted + to this machine. Without it, UDB is bypassed if the user + name is fully qualified. + Config: fix another minor botch with <> (local mailer wasn't + mapping them properly). + +6.35/6.15 93/03/05 + Fix getrealhostname to return null if sinlen <= 0 -- this can + occur if stdin is a pipe. + Avoid infinite loop in getcanonname if name server return + NO_DATA (for example). + Config: avoid having C flag qualify list syntax and error syntax. + +6.34/6.14 93/03/05 + Fix logging in deliver to not pass too many parameters to Ultrix + versions of syslog. + Don't write the pid file until after the daemon has actually + opened and conditioned the connection. + Consider addresses "different" if their q_uids differ (so that + two users forwarding to the same program will be seen + as different, rather than the same). 
+ Fix problem with bad parameters in main() -- they set ExitStat + but don't exit. + Fix null pointer references through RealHostName -- painfully + discovered by Allan E Johannesen of WPI. + Fix bug causing user@@localhost to core dump (yuch). + Config: don't put two @host.dom.ain on users in $=E in SMTP + mailer. Also, catch user@ (no host) in ruleset 0. + +6.33/6.13 93/03/03 + Config: add confCW_FILE as the name of the cw configuration file + (defaults to /etc/sendmail.cw). From P{r Emanuelsson. + Allow prescan to return a pointer to an empty list -- this is + not an error. Also, clean up error reporting to avoid + double errors (prescan reports once, then the caller + reports again). + Changes to avoid trusting T_ANY queries -- run them, but if you + don't get the info you expected, do T_A and T_MX queries + anyhow. This also fixes an oversight where _res.options + bits were being ignored. + If PRIV_NOVRFY is set, use 252 response code instead of 502 per + RFC 1123 section 5.2.3. It's not 100% clear that this + is correct, but it probably works better with stupid + mailers that do a VRFY and only check the first digit. + +6.32/6.12 93/03/02 + Fix uninitialized variable "protocol" in smtp code. + Include <unistd.h> in sendmail.h -- move towards POSIX/ANSI. + Additional hooks for RFC 1427 (ESMTP SIZE extension). This + includes requiring that enoughspace() know the system + block size, which will undoubtedly break most ports. + Trace flag 19 in use for srvrsmtp.c. + Additional logging -- notably the sending mailer name. This + also changes the delivery logging to strict field=value + syntax. + Fix some problems with messages getting sent even to addresses + that had been marked bad -- from Eric Wassenaar. + More WIDE changes: accept host name inside [...] as non-MXed + host. This is intended ONLY for use inside firewalled + environments, where the MX points at the gateway. 
+ Change .cf file conventions so that mapping for <> addresses + don't have an @ in them (to avoid confusing the C mailer + flag). Pointed out by Neil Rickert. + Config extensions for Sam Leffler's FlexFAX software. + +6.31/6.10 93/02/28 + Fix some more bugs in alias owner code -- there were some weird + cases where an error in a non-aliased name would override + the return info in an aliased name with an owner. + Changes from WIDE Project, forwarded to me by Motonori Nakamura: + Log actual delivery host (after MX et al); from + yasuhiro@dcl.co.jp. + Log daemon startup. + Deliver Postmaster copies without a body. + Better logging of SMTP senders. + Send all program email as daemon even when local. + As requested in various forms from many people, accept -qIstring + to limit queue runs to jobs with queue-id matching string. + Similarly for -qRstring for recipients, -qSstring for + senders. + Initial hooks for ESMTP support (see RFC 1425). + Fixed a syntax error in the UUCP mailer specification that caused + core dumps on startup. + Check for missing A= or P= arguments in mailer definitions. + +6.30/6.10 93/02/27 + Require FROZENCONFIG compilation flag to include frozen + configuration code. Frozen configuration is really + not a very good idea any more, particularly in shared + library environments. + Do better checking of errno after opens of :include: and .forward + files to defer delivery on network and other transient + errors. Suggestion from Craig Everhart. + Fix minor botch in read timeout macro processing. + Add FEATURE(nouucp) to config files for sites that know absolutely + nothing about UUCP. + Add built cf files to distribution tape and clarify how to build + them if you don't have the Berkeley make. + Some sizeof(long) portability changes for the Alpha, from Allan + E Johannesen. + Add "restrictmailq" privacy flag -- if set, only people in the same + group as your queue directory can print the queue. 
If you + set this, be sure you also restrict access to log files.... + Fix another bug in owner-list stuff that can cause data files to + be "lost". + Fix a bug with queue runs that cause forwards to yourself to go + into alias/forwarding loops. I'm still iffy about this + fix. + Fix from Eric Wassenaar for suppression of return message code. + +6.29/6.9 93/02/24 + Fix yet another problem in alias owner code -- put the wrong return + address on the enclosed return-to-sender letter. + +6.28/6.9 93/02/24 + Fix botch in alias owner code that caused it to not operate if the + error was detected locally. + +6.27/6.9 93/02/24 + M_LOCAL => M_LOCALMAILER to avoid conflict with Ultrix include + file <sys/mount.h>. + Miscellaneous bug fixes from Eric Wassenaar: + sendmail -bv -t logs the from line even though in verify + mode only. + sendmail -v can go into queue mode if shouldqueue returns + TRUE. + Add route-addr pruning per RFC 1123 section 5.3.3. This can be + disabled using the "R" option. + Delete (always undocumented) -R flag (save original recipients); + there are ways to syslog(3) these now. + Clean up SMTP reply codes -- specify them as needed in the code, + instead of in conf.c -- this was needed during the NCP to + TCP transition, but seems silly now. This also changes + parameters to message and nmessage. + Have mailstats read the .cf file to find the sendmail.st file and + get text versions of mailer names. An initial version of + this code was provided by Tuominen Keijo (although the + comments indicate the good bits were written by "E.V."). + Add yet more System V compatibility hacks. + Fix bug in VRFY code (assumes everything must be a local user). + Allow specification of any of the hard-wired pathnames in the + Makefile. + Delete concept of "trusted users" -- this really didn't provide + any security anyway, and caused some problems. + Delete last vestige of support for the word "at" as an equivalent + to the character "@". 
+ Propagate owner-foo alias information into the envelope sender. + Based on code from John Gardiner Myers. This is a major + semantic change -- beware! + Allow $@ on LHS to indicate "match zero" -- this is used to match + the null expression. + +6.26/6.8 93/02/21 + Don't "lose" queue runs. Very important fix from (who else?) + Eric Wassenaar. + Completely reset state on RSET command -- from Eric Wassenaar. + Send error messages and return receipts using an envelope sender + of <> regardless of the setting of $n. Rewriting rules + can undo this if they feel the necessity, as might be + needed for networks that don't understand the syntax. + This is permitted by RFC 821 section 3.6 and required by + RFC 1123 section 5.3.3. THIS REQUIRES VERSION 4 CONFIG + FILES because the rulesets must be able to parse <> + properly. + Don't ever send error messages to "<>" -- they will get sent to + the local postmaster or dumped in /usr/tmp/dead.letter + instead. Per RFC 1123 section 5.3.3. + Explicitly check for email to yourself as a dotted quad. You + have to call $[ [ ... ] $] to get this. + Up the message timeout to five days per RFC 1123 section 5.3.1.1. + Make all read timeouts individually configurable, as strongly + recommended by RFC 1123 section 5.3.2. + Use f_bavail (blocks available to regular users) instead of f_bfree + (blocks available to superuser) in free block checks. + Change $d macro to be the current time, not the origination time, + since this is consistent with how it is used now. + Generalization of enoughspace from Eric Wassenaar covering + SGI, Apollo, HPUX, Ultrix, and SunOS. + Ignore process group signals -- some front ends can do this if + you kill a window too quickly. From Eric Wassenaar. + Change umask to 022. + +6.25/6.8 93/02/20 + Close all cached connections before calling mailers and after + forking for delivery (caused double closes which resulted + in false errors). 
+ Add FEATURE(redirect) in config files -- this allows you to alias + old addresses to a pointer to the new address that will + give a 551 error message, but not deliver the mail. + Some code changes to make the 551 errors look pretty. + Names of M4 program paths in config files have changed -- they + are all XXX_MAILER_PATH now, to match XXX_MAILER_FLAGS. + Fix a bug in the QSELFREF code having to do with empty .forward + files, reported by Eric Wassenaar. + Add option "p" (privacy flags); this allows you to tune how + picky the SMTP server will be. This also adds the + confPRIVACY_FLAGS M4 macro in the config files. + Add option "b" (minimum blocks free). If there are fewer than + this number of blocks free on the filesystem containing + the queue directory, the SMTP MAIL command will return + a 452 response and ask you to try again later. This + also adds the confMIN_FREE_BLOCKS M4 macro in the config + files. + Made VRFY just verify (doesn't expand aliases and .forward files); + EXPN does full expansion. RCPT in queue-only mode also + doesn't chase aliases and .forward. + +6.24/6.7 93/02/19 + Increase the number of domain search entries in domain.c to allow + for the extra "" entry indicating the root domain. + Reported by Motonori Nakamura of Kyoto U. + Add a "SMART_HOST" in the configs for UUCP-connected sites that + want to forward all mail with extra "@"s to that site. + Also allows SMART_HOST, LOCAL_RELAY, and MAIL_HUB to + be specified as ``mailer:hostname'' to use an alternate + mailer. + Clarified and updated some wording in the Operations Guide. + Add the "c" mailer flag -- this suppresses all comment parts of + addresses (requested by John Curran of NEARnet). + Have -v print prompts in -bt mode even if stdin is not a terminal + (default behaviour is to be silent if not reading from + a terminal). Suggested by Bryan Costales, ICSI. + Move the metacharacters from C0 space (\001-\037) into C1 space + (\201-\237). 
This also fixes a bunch of potential bugs + with G1 characters (\240-\276) in headers relating to + negative numbers passed to isspace() et al. + Add YP_LAST_MODIFIED and YP_MASTER_NAME to DBM version of alias + database if YPCOMPAT is #defined. Enhancement from + Takahiro Kanbe of Fuji Xerox Information Systems Co., Ltd. + Add "list" Precedence (-30); this can be used with old sendmails + which will map to precedence 0 (which will return error + messages). Suggested by Stephen R. van den Berg. + Many bug fixes from Eric Wassenaar of the National Institute for + Nuclear and High-Energy Physics, Amsterdam: + Clear timeouts properly on open failures in include(). + Don't dereference through NULL if no home directory found. + Re-establish SIGCHLD signal on System 5 in reapchild(). + Avoid NULL pointer reference on -pFOO flag. + Properly handle backslash escapes in comments. + Correctly check reply status on SMTP NOOP command. + Properly save SMTP error message if peer gives + "Service Shutting Down" message. + Avoid writing to the transcript if it couldn't be opened. + Signal errors in SMTP children to parent properly. + Handle self references in a list more globally (include a + QSELFREF bit in the address flags). This enhancement + was suggested by Eric Wassenaar. + Use initgroups() in hpux, even though it's System-V based. The + HASINITGROUPS compile flag can set this on other systems. + This HPUX behaviour was pointed out by Eric Wassenaar. + +6.23/6.6 93/02/16 + Clean up handling of LogLevel to make it easier to figure out + what's on what level. 
+ Change log levels to have some consistency: + 1 serious system failures, security problems + 2 lost communications, protocol failures + 3 other serious failures + 4 minor errors + 5 message collection + 6 vrfy logging, creation of return-to-sender + 7 delivery failures + 8 delivery successes + 9 delivery tempfails (queue ups) + 10 database expansion + >64 debugging + Allow IDA-style separated processing on S= and R= in Mailer + definition lines. Note that rulesets 1 and 2 are + still used for both addresses as before. Bruce Lilly + gave a convincing argument that RFC976 insists on + this behaviour. + Added some time zones to arpatounix -- they may not be in the + standards, but they are in use. However, I may delete + arpatounix entirely -- there appears to be no reason + for it to exist. + Change to UUCP mailer (in cf directory) to try to do a saner job. + I'm still not certain about this mailer in general. + +6.22/6.5 93/02/15 + Fix bug that prevents saving letters in ~/dead.letter. + Don't add angle brackets in VRFY command if angle brackets already + exist in the address. + Fix bogus error message in udbexpand. + Null terminate host buffers in buildaddr (broken in 6.21) -- + IMPORTANT FIX!! + +6.21/6.5 93/02/15 + Fix another incorrect error message in alias.c, found by Azuma + Okamoto. + Fix a couple of problems in the more-configurable config files, + found by Tom Ivar Helbekkmo. + Fix problem with quoted :include: entries. + Don't duplicate the filename on verbose printing of .forward and + :include: contents. + Extend size of prescan buffer (to allow bigger addresses). Also, + detect some buffer overflows. + Log user SMTP protocol errors (log level 4). + +6.20/6.4 93/02/14 + Fix another problem in the MCI state machine caused when there + were errors generated from the other end to commands + other than RCPT. + +6.19/6.4 93/02/14 + Include load average support for DEC Alpha running OSF/1. + Fix multiple-response problem with errors in MAIL 
From: line. + Fix SMTP reply codes for invalid address syntaxes (give 501; + never give multiple error messages for a single message). + Fix problem where a cached connection timeout rejects all + later connects to that host. + Fix incorrect error message if alias.c is compiled with DBM only. + Additional changes to fix nested conditionals (from Bruce Lilly). + Recover more gracefully from operating system failures, particularly + NULL returns from openmailer (from Noritoshi Demizu, + OMRON Corporation). + Log forward, alias, and userdb expand operations on log level 10; + concept suggested by P{r (Pell) Emanuelsson. + Changes for HPUX 8.07 compatibility. + +6.18/6.4 93/02/12 + Allow any config option to be set using an M4 define. + Change UNAME compile flag to HASUNAME for IDA compatibility + (besides, it's a better name). + Note in README that on SunOS it must be linked -Bstatic. + Fairly major change in domain.c to handle wildcard MX records + more rationally. NOTE: the "w" option (no wildcard MX + records match local domain) has been eliminated. + Fix some unset variable references pointed out by Bruce Lilly. + Fix host name in process titles when using cached connection. + +6.17/6.3 93/01/28 + Fix System 5 compatibility changes to be compatible with the rest + of the world. + +6.16/6.3 93/01/28 + Experimental fix for problem handling errors in the SMTP + protocol in conjunction with connection caching. + System 5 compatibility changes. + +6.15/6.3 93/01/26 + Fix a bug that causes local mail delivered using -odq to be + eliminated as a duplicate (because it matched the + ctladdr, now passed in as a C line). These changes + are pretty tricky...... + +6.14/6.3 93/01/25 + Add debugging for some MCI errors. + +6.13/6.3 93/01/22 + Fix -e compatibility flag to take a value. + Fix a couple of minor compilation warnings on Sun cc. + Improve error messages in a few cases to be more self-explanatory. 
+ +6.12/6.3 93/01/21 + Fix yet-another problem with environment handling, pointed out + by Yoshitaka Tokugawa and Tom Ivar Helbekkmo. + Some heuristics to try to limit resource exhaustion problems + if a downstream host has been down for a long time. + Fix problem with incorrect host name being logged in "Connection + timed out" messages (from Tom Ivar Helbekkmo). + Fix some ANSI C problems (from Takahiro Kanbe). + Properly log message sender on returned mail during queue run. + Count number of recipients properly. + Fix a problem in yp map code. + Diagnose "message timed out" (from Motonori Nakamura). + +6.11/6.3 93/01/20 + Fix problem with address delimitor inside quotes. + Define $k and $=k to be the UUCP name (from the uname call) + based on code from Bruce Lilly. + +6.10/6.2 93/01/18 + Implement arpatounix (largely code from Bruce Lilly). + Log more info (suggested by John Myers). + Allow nested $?...$|...$. (inspired by code from Bruce Lilly of + Sony US). + POSIX compatibility (noted by Keith Bostic). + Handle SMTP MAIL command errors properly (urged by several people, + notably John Myers of CMU). + Do early diagnosis of .cf errors (notably referencing a RHS + substitution that isn't on the LHS). + Adjust checkpointing to better handle batched recipients, suggested + by John Myers. + Fix miscellaneous bugs. + (config files:) Implement MAIL_HUB for all local mail (to handle + NFS-mounted directories) as urged by Tom Ivar Helbekkmo + of the Norwegian School of Economics. + +6.9/6.1 93/01/13 + Environment handling simplification/bug fix -- child processes + get a minimal, fixed environment. This avoids different + behaviour in queue runs. + Handle commas inside comments properly. + Properly limit large messages submitted in -obq mode. + +6.8/6.1 93/01/10 + Check mtime of thaw file against .cf and sendmail binary, based on + code from John Myers. + +6.7/6.1 93/01/10 + MX piggybacking, based on code from John Myers@CMU. 
+ Allow checkcompat to return -1 to mean tempfail. + Bug fix in m_mno computation. + +6.6/6.1 93/01/09 + Tuning of queueing functions as recommended by John Gardiner Myers. + Return mail headers (no body) on messages with negative precedence. + Minor other bug fixes. + +6.5/6.1 93/01/03 + Fix botch causing queued headers to have ?XX? prefixes. + +6.4/6.1 93/01/02 + Changes to recognize special mailer types (e.g., file) early. + +6.3/6.1 93/01/01 + Pass timeouts to sfgets. + Check for control characters in addresses. + Fixed deferred error reporting. + Report duplicate aliases. + Handle mixed case recursive aliases. + Misc bug fixes. + +6.2/6.1 92/12/30 + Put return-receipt-to on a conf.c flag (but don't set it). + Fix minor syslog problem. |
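Review bot: The contributor name in the 6.33/6.13 and 6.19/6.4 entries reads "P{r Emanuelsson" and "P{r (Pell) Emanuelsson", where the "{" looks like a 7-bit stand-in for a non-ASCII letter. Please confirm these bytes match the upstream file and were not damaged during the import. If they do match, leave them alone so the file stays byte-identical with the distribution. For the same reason, the spellings "delimitor" (6.11/6.3) and "targetted" (6.36/6.16) are better reported upstream than fixed in this tree. Separately, the 6.37/6.17 entry records a KNOWN PROBLEM with User Data Base errors on SunOS that the author attributes to uninitialized stack data, and none of the 6.38 through 6.41 entries shown here mention a fix. If a later entry elsewhere in the file resolves it, nothing is needed; otherwise a line in the commit message saying whether the imported version is still affected would help anyone reading this file for security-relevant history.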