summaryrefslogtreecommitdiffstats
path: root/contrib/sendmail/RELEASE_NOTES
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/sendmail/RELEASE_NOTES')
-rw-r--r--contrib/sendmail/RELEASE_NOTES6323
1 files changed, 6323 insertions, 0 deletions
diff --git a/contrib/sendmail/RELEASE_NOTES b/contrib/sendmail/RELEASE_NOTES
new file mode 100644
index 0000000..2b3475f
--- /dev/null
+++ b/contrib/sendmail/RELEASE_NOTES
@@ -0,0 +1,6323 @@
+ SENDMAIL RELEASE NOTES
+ @(#)RELEASE_NOTES 8.9.1.1 (Berkeley) 7/2/98
+
+
+This listing shows the version of the sendmail binary, the version
+of the sendmail configuration files, the date of release, and a
+summary of the changes in that release.
+
+8.9.1/8.9.1 98/07/02
+ If both an OS specific site configuration file and a generic
+ site.config.m4 file existed, only the latter was used
+ instead of both. Problem noted by Geir Johannessen of
+ the Norwegian University of Science and Technology.
+ Fix segmentation fault while converting 8 bit to 7 bit MIME
+ multipart messages by trying to write to an unopened
+ file descriptor. Fix from Kari Hurtta of the Finnish
+ Meteorological Institute.
+ Do not assume Message: and Text: headers indicate the end of
+ the header area when parsing MIME headers. Problem noted
+ by Kari Hurtta of the Finnish Meteorological Institute.
+ Setting the confMAN#SRC Build variable would only effect the
+ installation commands. The man pages would still be
+ built with .0 extensions. Problem noted by Bryan
+ Costales of InfoBeat, Inc.
+ Installation of manual pages didn't honor the DESTDIR environment
+ variable. Problem noted by Bryan Costales of InfoBeat, Inc.
+ If the check_relay ruleset resolved to the discard mailer, messages
+ were still delivered. Problem noted by Mirek Luc of NASK.
+ Mail delivery to files would fail with an Operating System Error
+ if sendmail was not running as root, i.e. RunAsUser was set.
+ Problem noted by Leonard N. Zubkoff of Dandelion Digital.
+ Prevent MinQueueAge from interfering from queued items created
+ in the future, i.e. if the system clock was set ahead
+ and then back. Problem noted by Michael Miller of the
+ University of Natal, Pietermaritzburg.
+ Do not advertise ETRN support in ESTMP EHLO reply if noetrn is
+ set in the PrivacyFlags option. Fix from Ted Rule of
+ Flextech TV.
+ Log invalid persistent host status file lines instead of
+ bouncing the message. Problem noted by David Lindes of
+ DaveLtd Enterprises.
+ Move creation of empty sendmail.st file from installation to
+ compilation. Installation may be done from a read-only
+ mount. Fix from Bryan Costales of InfoBeat, Inc. and Ric
+ Anderson of the Oasis Research Center, Inc.
+ Enforce the maximum number of User Database entries limit. Problem
+ noted by Gary Buchanan of Credence Systems Inc.
+ Allow dead.letter files in root's home directory. Problem noted
+ by Anna Ullman of Sun Microsystems.
+ Program deliveries in forward files could be marked unsafe if
+ any directory listed in the ForwardPath option did not
+ exist. Problem noted by Jorg Bielak of Coastal Web Online.
+ Do not trust the length of the address structure returned by
+ gethostbyname(). Problem noted by Chris Evans of Oxford
+ University.
+ If the SIZE= MAIL From: ESMTP parameter is too large, use the
+ 5.3.4 DSN status code instead of 5.2.2. Similarly, for
+ non-local deliveries, if the message is larger than the
+ mailer maximum message size, use 5.3.4 instead of 5.2.3.
+ Suggested by Antony Bowesman of
+ Fujitsu/TeaWARE Mail/MIME System.
+ Portability:
+ Fix the check for an IP address reverse lookup for
+ use in $&{client_name} on 64 bit platforms.
+ From Gilles Gallot of Institut for Development
+ and Resources in Intensive Scientific computing.
+ BSD-OS uses .0 for man page extensions. From Jeff Polk
+ of BSDI.
+ DomainOS detection for Build. Also, version 10.4 and later
+ ship a unistd.h. Fixes from Takanobu Ishimura of
+ PICT Inc.
+ NeXT 4.x uses /usr/lib/man/cat for its man pages. From
+ J. P. McCann of E I A.
+ SCO 4.X and 5.X include NDBM support. From Vlado Potisk
+ of TEMPEST, Ltd.
+ CONFIG: Do not pass spoofed PTR results through resolver for
+ qualification. Problem noted by Michiel Boland of
+ Digital Valley Internet Professionals; fix from
+ Kari Hurtta of the Finnish Meteorological Institute.
+ CONFIG: Do not try to resolve non-DNS hostnames such as UUCP,
+ BITNET, and DECNET addresses for resolvable senders.
+ Problem noted by Alexander Litvin of Lucky Net Ltd.
+ CONFIG: Work around Sun's broken configuration which sends bounce
+ messages as coming from @@hostname instead of <>. LMTP
+ would not accept @@hostname.
+ OP.ME: Corrections to complex sendmail startup script from Rick
+ Troxel of the National Institutes of Health.
+ RMAIL: Do not install rmail by default, require 'make force-install'
+ as this rmail isn't the same as others. Suggested by
+ Kari Hurtta of the Finnish Meteorological Institute.
+
+8.9.0/8.9.0 98/05/19
+ SECURITY: To prevent users from reading files not normally
+ readable, sendmail will no longer open forward, :include:,
+ class, ErrorHeader, or HelpFile files located in unsafe
+ (i.e. group or world writable) directory paths. Sites
+ which need the ability to override security can use the
+ DontBlameSendmail option. See the README file for more
+ information.
+ SECURITY: Problems can occur on poorly managed systems, specifically,
+ if maps or alias files are in world writable directories.
+ This fixes the change added to 8.8.6 to prevent links in these
+ world writable directories.
+ SECURITY: Make sure ServiceSwitchFile option file is not a link if
+ it is in a world writable directory.
+ SECURITY: Never pass a tty to a mailer -- if a mailer can get at the
+ tty it may be able to push bytes back to the senders input.
+ Unfortunately this breaks -v mode. Problem noted by
+ Wietse Venema of the Global Security Analysis Lab at
+ IBM T.J. Watson Research.
+ SECURITY: Empty group list if DontInitGroups is set to true to
+ prevent program deliveries from picking up extra group
+ privileges. Problem reported by Wolfgang Ley of DFN-CERT.
+ SECURITY: The default value for DefaultUser is now set to the uid and
+ gid of the first existing user mailnull, sendmail, or daemon
+ that has a non-zero uid. If none of these exist, sendmail
+ reverts back to the old behavior of using uid 1 and gid 1.
+ This is a security problem for Linux which has chosen that
+ uid and gid for user bin instead of daemon. If DefaultUser
+ is set in the configuration file, that value overrides this
+ default.
+ SECURITY: Since 8.8.7, the check for non-setuid binaries
+ interfered with setting an alternate group id for the
+ RunAsUser option. Problem noted by Randall Winchester of
+ the University of Maryland.
+ Add support for Berkeley DB 2.X. Based on patch from John Kennedy
+ of Cal State University, Chico.
+ Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB). Users
+ which previously defined OLD_NEWDB=1 must now upgrade to the
+ current version of Berkeley DB.
+ Added support for regular expressions using the new map class regex.
+ From Jan Krueger of Unix-AG of University of Hannover.
+ Support for BIND 8.1.1's hesiod for hesiod maps and hesiod
+ UserDatabases from Randall Winchester of the University
+ of Maryland.
+ Allow any shell for user shell on program deliveries on V1
+ configurations for backwards compatibility on machines which
+ do not have getusershell(). Fix from John Beck of Sun
+ Microsystems.
+ On operating systems which change the process title by reusing the
+ argument vector memory, sendmail could corrupt memory if the
+ last argument was either "-q" or "-d". Problem noted by
+ Frank Langbein of the University of Stuttgart.
+ Support Local Mail Transfer Protocol (LMTP) between sendmail and
+ mail.local on the F=z flag.
+ Macro-expand the contents of the ErrMsgFile. Previously this was
+ only done if you had magic characters (0x81) to indicate
+ macro expansion. Now $x will be expanded. This means that
+ real dollar signs have to be backslash escaped.
+ TCP Wrappers expects "unknown" in the hostname argument if the
+ reverse DNS lookup for the incoming connection fails.
+ Problem noted by Randy Grimshaw of Syracuse University and
+ Wietse Venema of the Global Security Analysis Lab at
+ IBM T.J. Watson Research.
+ DSN success bounces generated from an invocation of sendmail -t
+ would be sent to both the sender and MAILER-DAEMON.
+ Problem noted by Claus Assmann of
+ Christian-Albrechts-University of Kiel.
+ Avoid "Error 0" messages on delivery mailers which exit with a
+ valid exit value such as EX_NOPERM. Fix from Andreas Luik
+ of ISA Informationssysteme GmbH.
+ Tokenize $&x expansions on right hand side of rules. This eliminates
+ the need to use tricks like $(dequote "" $&{client_name} $)
+ to cause the ${client_name} macro to be properly tokenized.
+ Add the MaxRecipientsPerMessage option: this limits the number of
+ recipients that will be accepted in a single SMTP
+ transaction. After this number is reached, sendmail
+ starts returning "452 Too many recipients" to all RCPT
+ commands. This can be used to limit the number of recipients
+ per envelope (in particular, to discourage use of the server
+ for spamming). Note: a better approach is to restrict
+ relaying entirely.
+ Fixed pointer initialization for LDAP lmap struct, fixed -s option
+ to ldapx map and added timeout for ldap_open call to
+ avoid hanging sendmail in the event of hung LDAP servers.
+ Patch from Booker Bense of Stanford University.
+ Allow multiple -qI, -qR, or -qS queue run limiters. For example,
+ '-qRfoo -qRbar' would deliver mail to recipients with foo or
+ bar in their address. Patch from Allan E Johannesen of
+ Worcester Polytechnic Institute.
+ The bestmx map will now return a list of the MX servers for a host if
+ passed a column delimiter via the -z map flag. This can be
+ used to check if the server is an MX server for the recipient
+ of a message. This can be used to help prevent relaying.
+ Patch from Mitchell Blank Jr of Exec-PC.
+ Mark failures for the *file* mailer and return bounce messages to the
+ sender for those failures.
+ Prevent bogus syslog timestamps on errors in sendmail.cf by
+ preserving the TZ environment variable until TimeZoneSpec
+ has been determined. Problem noted by Ralf Hildebrandt of
+ Technical University of Braunschweig. Patch from Per Hedeland
+ of Ericsson.
+ Print test input in address test mode when input is not from the tty
+ when the -v flag is given (i.e. sendmail -bt -v) to make
+ output easier to decipher. Problem noted by Aidan Nichol
+ of Procter & Gamble.
+ The LDAP map -s flag was not properly parsed and the error message
+ given included the remainder of the arguments instead of
+ solely the argument in error. Problem noted by Aidan Nichol
+ of Procter & Gamble.
+ New DontBlameSendmail option. This option allows administrators to
+ bypass some of sendmail's file security checks at the expense
+ of system security. This should only be used if you are
+ absolutely sure you know the consequences. The available
+ DontBlameSendmail options are:
+ Safe
+ AssumeSafeChown
+ ClassFileInUnsafeDirPath
+ ErrorHeaderInUnsafeDirPath
+ GroupWritableDirPathSafe
+ GroupWritableForwardFileSafe
+ GroupWritableIncludeFileSafe
+ GroupWritableAliasFile
+ HelpFileinUnsafeDirPath
+ WorldWritableAliasFile
+ ForwardFileInGroupWritableDirPath
+ IncludeFileInGroupWritableDirPath
+ ForwardFileInUnsafeDirPath
+ IncludeFileInUnsafeDirPath
+ ForwardFileInUnsafeDirPathSafe
+ IncludeFileInUnsafeDirPathSafe
+ MapInUnsafeDirPath
+ LinkedAliasFileInWritableDir
+ LinkedClassFileInWritableDir
+ LinkedForwardFileInWritableDir
+ LinkedIncludeFileInWritableDir
+ LinkedMapInWritableDir
+ LinkedServiceSwitchFileInWritableDir
+ FileDeliveryToHardLink
+ FileDeliveryToSymLink
+ WriteMapToHardLink
+ WriteMapToSymLink
+ WriteStatsToHardLink
+ WriteStatsToSymLink
+ RunProgramInUnsafeDirPath
+ RunWritableProgram
+ New DontProbeInterfaces option to turn off the inclusion of all the
+ interface names in $=w on startup. In particular, if you
+ have lots of virtual interfaces, this option will speed up
+ startup. However, unless you make other arrangements, mail
+ sent to those addresses will be bounced.
+ Automatically create alias databases if they don't exist and
+ AutoRebuildAliases is set.
+ Add PrivacyOptions=noetrn flag to disable the SMTP ETRN command.
+ Suggested by Christophe Wolfhugel of the Institut Pasteur.
+ Add PrivacyOptions=noverb flag to disable the SMTP VERB command.
+ When determining the client host name ($&{client_name} macro), do
+ a forward (A) DNS lookup on the result of the PTR lookup
+ and compare results. If they differ or if the PTR lookup
+ fails, &{client_name} will contain the IP address
+ surrounded by square brackets (e.g. [127.0.0.1]).
+ New map flag: -Tx appends "x" to lookups that return temporary failure
+ (i.e, it is like -ax for the temporary failure case, in
+ contrast to the success case).
+ New syntax to do limited checking of header syntax. A config line
+ of the form:
+ HHeader: $>Ruleset
+ causes the indicated Ruleset to be invoked on the Header
+ when read. This ruleset works like the check_* rulesets --
+ that is, it can reject mail on the basis of the contents.
+ Limit the size of the HELO/EHLO parameter to prevent spammers
+ from hiding their connection information in Received:
+ headers.
+ When SingleThreadDelivery is active, deliveries to locked hosts
+ are skipped. This will cause the delivering process to
+ try the next MX host or queue the message if no other MX
+ hosts are available. Suggested by Alexander Litvin.
+ The [FILE] mailer type now delivers to the file specified in the
+ A= equate of the mailer definition instead of $u. It also
+ obeys all of the F= mailer flags such as the MIME
+ 7/8 bit conversion flags. This is useful for defining
+ a mailer which delivers to the same file regardless of the
+ recipient (e.g. 'A=FILE /dev/null' to discard unwanted mail).
+ Do not assume the identity of a remote connection is root@localhost
+ if the remote connection closes the socket before the
+ remote identity can be queried.
+ Change semantics of the F=S mailer flag back to 8.7.5 behavior.
+ Some mailers, including procmail, require that the real
+ uid is left unchanged by sendmail. Problem noted by Per
+ Hedeland of Ericsson.
+ No longer is the src/obj*/Makefile selected from a large list -- it
+ is now generated using the information in BuildTools/OS/ --
+ some of the details are determined dynamically via
+ BuildTools/bin/configure.sh.
+ The other programs in the sendmail distribution -- mail.local,
+ mailstats, makemap, praliases, rmail, and smrsh -- now use
+ the new Build method which creates an operating system
+ specific Makefile using the information in BuildTools.
+ Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e.,
+ a failure on one message won't affect future messages to the
+ same host). This is necessary if the remote host sends
+ a 451 error if the domain of the sender does not resolve
+ as is common in anti-spam configurations. Problem noted
+ by Mitchell Blank Jr of Exec-PC.
+ New "discard" mailer for check_* rulesets and header checking
+ rulesets. If one of the above rulesets resolves to the
+ $#discard mailer, the commands will be accepted but the
+ message will be completely discarded after it is accepting.
+ This means that even if only one of the recipients
+ resolves to the $#discard mailer, none of the recipients
+ will receive the mail. Suggested by Brian Kantor.
+ All but the last cloned envelope of a split envelope were queued
+ instead of being delivered. Problem noted by John Caruso
+ of CNET: The Computer Network.
+ Fix deadlock situation in persistent host status file locking.
+ Syslog an error if a user forward file could not be read due to
+ an error. Patch from John Beck of Sun Microsystems.
+ Use the first name returned on machine lookups when canonifying a
+ hostname via NetInfo. Patch from Timm Wetzel of GWDG.
+ Clear the $&{client_addr}, $&{client_name}, and $&{client_port}
+ macros when delivering a bounce message to prevent
+ rejection by a check_compat ruleset which uses these macros.
+ Problem noted by Jens Hamisch of AgiX Internetservices GmbH.
+ If the check_relay ruleset resolves to the the error mailer, the
+ error in the $: portion of the resolved triplet is used
+ in the rejection message given to the remote machine.
+ Suggested by Scott Gifford of The Internet Ramp.
+ Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros
+ before calling the check_relay ruleset. Suggested by Scott
+ Gifford of The Internet Ramp.
+ Sendmail would get a segmentation fault if a mailer exited with an
+ exit code of 79. Problem noted by Aaron Schrab of ExecPC
+ Internet. Fix from Christophe Wolfhugel of the Pasteur
+ Institute.
+ Separate snprintf/vsnprintf routines into separate file for use by
+ mail.local.
+ Allow multiple map lookups on right hand side, e.g.,
+ R$* $( host $1 $) $| $( passwd $1 $). Patch from
+ Christophe Wolfhugel of the Pasteur Institute.
+ Properly generate success DSN messages if requested for aliases
+ which have owner- aliases. Problem noted by Kari Hurtta
+ of the Finnish Meteorological Institute.
+ Properly display delayed-expansion macros ($&{macroname}) in
+ address test mode (-bt). Problem noted by Bryan Costales
+ of InfoBeat, Inc.
+ -qR could sometimes match names incorrectly. Problem noted by
+ Lutz Euler of Lavielle EDV Systemberatung GmbH & Co.
+ Include a magic number and version in the StatusFile for the
+ mailstats command.
+ Record the number of rejected and discarded messages in the
+ StatusFile for display by the mailstats command. Patch
+ from Randall Winchester of the University of Maryland.
+ IDENT returns where the OSTYPE field equals "OTHER" now list the
+ user portion as IDENT:username@site instead of
+ username@site to differentiate the two. Suggested by
+ Kari Hurtta of the Finnish Meteorological Institute.
+ Enforce timeout for LDAP queries. Patch from Per Hedeland of
+ Ericsson.
+ Change persistent host status filename substitution so '/' is
+ replaced by ':' instead of '|' to avoid clashes. Also
+ avoid clashes with hostnames with leading dots. Fix from
+ Mitchell Blank Jr. of Exec-PC.
+ If the system lock table is full, only attempt to create a new
+ queue entry five times before giving up. Previously, it
+ was attempted indefinitely which could cause the partition
+ to run out of inodes. Problem noted by Suzie Weigand of
+ Stratus Computer, Inc.
+ In verbose mode, warn if the sendmail.cf version is less than the
+ currently supported version.
+ Sorting for QueueSortOrder=host is now case insensitive. Patch
+ from Randall S. Winchester of the University of Maryland.
+ Properly quote a full name passed via the -F command line option,
+ the Full-Name: header, or the NAME environment variable if
+ it contains characters which must be quoted. Problem noted
+ by Kari Hurtta of the Finnish Meteorological Institute.
+ Avoid possible race condition that unlocked a mail job before
+ releasing the transcript file on systems that use flock(2).
+ In some cases, this might result in a "Transcript Unavailable"
+ message in error bounces.
+ Accept SMTP replies which contain only a reply code and no
+ accompanying text. Problem noted by Fernando Fraticelli of
+ Digital Equipment Corporation.
+ Portability:
+ AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura
+ of Kyoto University.
+ AIX 4.2 requires <userpw.h> before <usersec.h>. Patch from
+ Randall S. Winchester of the University of
+ Maryland.
+ AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS.
+ CRAY T3E from Manu Mahonen of Center for Scientific Computing
+ in Finland.
+ Digital UNIX now uses statvfs for determining free
+ disk space. Patch from Randall S. Winchester of
+ the University of Maryland.
+ HP-UX 11.x from Richard Allen of Opin Kerfi HF and
+ Regis McEwen of Progress Software Corporation.
+ IRIX 64 bit fixes from Kari Hurtta of the Finnish
+ Meteorological Institute.
+ IRIX 6.2 configuration fix for mail.local from Michael Kyle
+ of CIC/Advanced Computing Laboratory.
+ IRIX 6.5 from Thomas H Jones II of SGI.
+ IRIX 6.X load average code from Bob Mende of SGI.
+ QNX from Glen McCready <glen@qnx.com>.
+ SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links
+ to sendmail. Install with group bin instead of kmem
+ as kmem does not exist. From Guillermo Freige of
+ Gobernacion de la Pcia de Buenos Aires and Paul
+ Fischer of BTG, Inc.
+ SunOS 4.X does not include memmove(). Patch from
+ Per Hedeland of Ericsson.
+ SunOS 5.7 includes getloadavg() function for determining
+ load average. Patch from John Beck of Sun
+ Microsystems.
+ CONFIG: Increment version number of config file.
+ CONFIG: add DATABASE_MAP_TYPE to set the default type of database
+ map for the various maps. The default is hash. Patch from
+ Robert Harker of Harker Systems.
+ CONFIG: new confEBINDIR m4 variable for defining the executable
+ directory for certain programs.
+ CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for
+ local mail delivery. By the default, /usr/libexec/mail.local
+ is used. This is expected to be the mail.local shipped
+ with 8.9 which is LMTP capable. The path is based on the
+ new confEBINDIR m4 variable.
+ CONFIG: Use confEBINDIR in determining path to smrsh for
+ FEATURE(smrsh). Note that this changes the default from
+ /usr/local/etc/smrsh to /usr/libexec/smrsh. To obtain the
+ old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh).
+ CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to
+ include $z/.forward.$w+$h and $z/.forward+$h which allow
+ the user to setup different .forward files for
+ user+detail addressing.
+ CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES,
+ and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage,
+ DontProbeInterfaces, and DontBlameSendmail options.
+ CONFIG: by default do not allow relaying (that is, accepting mail
+ from outside your domain and sending it to another host
+ outside your domain).
+ CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from
+ any site to any site.
+ CONFIG: new FEATURE(relay_entire_domain) allows any host in your
+ domain as defined by the 'm' class ($=m) to relay.
+ CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on
+ the MX records of the host portion of an incoming recipient.
+ CONFIG: new FEATURE(access_db) which turns on the access database
+ feature. This database give you the ability to allow
+ or refuse to accept mail from specified domains for
+ administrative reasons. By default, names that are listed
+ as "OK" in the access db are domain names, not host names.
+ CONFIG: new confCR_FILE m4 variable for defining the name of the file
+ used for class 'R'. Defaults to /etc/mail/relay-domains.
+ CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file)
+ to add items to class 'R' ($=R) for hosts allowed to relay.
+ CONFIG: new FEATURE(relay_hosts_only) to change the behavior
+ of FEATURE(access_db) and class 'R' to lookup individual
+ host names only.
+ CONFIG: new FEATURE(loose_relay_check). Normally, if a recipient
+ using % addressing is used, e.g. user%site@othersite,
+ and othersite is in class 'R', the check_rcpt ruleset
+ will strip @othersite and recheck user@site for relaying.
+ This feature changes that behavior. It should not be
+ needed for most installations.
+ CONFIG: new FEATURE(relay_local_from) to allow relaying if the
+ domain portion of the mail sender is a local host. This
+ should only be used if absolutely necessary as it opens
+ a window for spammers. Patch from Randall S. Winchester of
+ the University of Maryland.
+ CONFIG: new FEATURE(blacklist_recipients) turns on the ability to
+ block incoming mail destined for certain recipient
+ usernames, hostnames, or addresses.
+ CONFIG: By default, MAIL FROM: commands in the SMTP session will be
+ refused if the host part of the argument to MAIL FROM: cannot
+ be located in the host name service (e.g., DNS).
+ CONFIG: new FEATURE(accept_unresolvable_domains) accepts
+ unresolvable hostnames in MAIL FROM: SMTP commands.
+ CONFIG: new FEATURE(accept_unqualified_senders) accepts
+ MAIL FROM: senders which do not include a domain.
+ CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the
+ Realtime Blackhole List. You can specify the RBL name
+ server to contact by specifying it as an optional argument.
+ The default is rbl.maps.vix.com. For details, see
+ http://maps.vix.com/rbl/.
+ CONFIG: Call Local_check_relay, Local_check_mail, and
+ Local_check_rcpt from check_relay, check_mail, and
+ check_rcpt. Users with local rulesets should place the
+ rules using LOCAL_RULESETS. If a Local_check_* ruleset
+ returns $#OK, the message is accepted. If the ruleset
+ returns a mailer, the appropriate action is taken, else
+ the return of the ruleset is ignored.
+ CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by
+ default to support file, :include:, and program deliveries.
+ CONFIG: Remove the default for confDEF_USER_ID so the binary can
+ pick the proper default value. See the SECURITY note
+ above for more information.
+ CONFIG: FEATURE(nodns) now warns the user that the feature is a
+ no-op. Patch from Kari Hurtta of the Finnish
+ Meteorological Institute.
+ CONFIG: OSTYPE(osf1) now sets DefaultUserID (confDEF_USER_ID) to
+ daemon since DEC's /bin/mail will drop the envelope
+ sender if run as mailnull. See the Digital UNIX section
+ of src/README for more information. Problem noted by
+ Kari Hurtta of the Finnish Meteorological Institute.
+ CONFIG: .cf files are now stored in the same directory with the
+ .mc files instead of in the obj directory.
+ CONFIG: New options confSINGLE_LINE_FROM_HEADER,
+ confALLOW_BOGUS_HELO, and confMUST_QUOTE_CHARS for
+ setting SingleLineFromHeader, AllowBogusHELO, and
+ MustQuoteChars respectively.
+ MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout. This
+ SMTP-like protocol allows detailed reporting of delivery
+ status on a per-user basis. Code donated by John Myers of
+ CMU (now of Netscape).
+ MAIL.LOCAL: HP-UX support from Randall S. Winchester of the
+ University of Maryland. NOTE: mail.local is not
+ compatible with the stock HP-UX mail format. Be sure to
+ read mail.local/README.
+ MAIL.LOCAL: Prevent other mail delivery agents from stealing a
+ mailbox lock. Patch from Randall S. Winchester of the
+ University of Maryland.
+ MAIL.LOCAL: glibc portability from John Kennedy of Cal State
+ University, Chico.
+ MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish
+ Meteorological Institute.
+ MAILSTATS: Display the number of rejected and discarded messages
+ in the StatusFile. Patch from Randall Winchester of the
+ University of Maryland.
+ MAKEMAP: New -s flag to ignore safety checks on database map files
+ such as linked files in world writable directories.
+ MAKEMAP: Add support for Berkeley DB 2.X. Remove OLD_NEWDB support.
+ PRALIASES: Add support for Berkeley DB 2.X.
+ PRALIASES: Do not automatically include NDBM support. Problem
+ noted by Ralf Hildebrandt of the Technical University of
+ Braunschweig.
+ RMAIL: Improve portability for other platforms. Patches from
+ Randall S. Winchester of the University of Maryland and
+ Kari Hurtta of the Finnish Meteorological Institute.
+ Changed Files:
+ src/Makefiles/Makefile.* files have been modified to use
+ the new build mechanism and are now BuildTools/OS/*.
+ src/makesendmail changed to symbolic link to src/Build.
+ New Files:
+ BuildTools/M4/header.m4
+ BuildTools/M4/depend/BSD.m4
+ BuildTools/M4/depend/CC-M.m4
+ BuildTools/M4/depend/NCR.m4
+ BuildTools/M4/depend/Solaris.m4
+ BuildTools/M4/depend/X11.m4
+ BuildTools/M4/depend/generic.m4
+ BuildTools/OS/AIX.4.2
+ BuildTools/OS/AIX.4.x
+ BuildTools/OS/CRAYT3E.2.0.x
+ BuildTools/OS/HP-UX.11.x
+ BuildTools/OS/IRIX.6.5
+ BuildTools/OS/NEXTSTEP.4.x
+ BuildTools/OS/NeXT.4.x
+ BuildTools/OS/NetBSD.8.3
+ BuildTools/OS/QNX
+ BuildTools/OS/SunOS.5.7
+ BuildTools/OS/dcosx.1.x.NILE
+ BuildTools/README
+ BuildTools/Site/README
+ BuildTools/bin/Build
+ BuildTools/bin/configure.sh
+ BuildTools/bin/find_m4.sh
+ BuildTools/bin/install.sh
+ Makefile
+ cf/cf/Build
+ cf/cf/generic-hpux10.cf
+ cf/feature/accept_unqualified_senders.m4
+ cf/feature/accept_unresolvable_domains.m4
+ cf/feature/access_db.m4
+ cf/feature/blacklist_recipients.m4
+ cf/feature/loose_relay_check.m4
+ cf/feature/local_lmtp.m4
+ cf/feature/promiscuous_relay.m4
+ cf/feature/rbl.m4
+ cf/feature/relay_based_on_MX.m4
+ cf/feature/relay_entire_domain.m4
+ cf/feature/relay_hosts_only.m4
+ cf/feature/relay_local_from.m4
+ cf/ostype/qnx.m4
+ contrib/doublebounce.pl
+ mail.local/Build
+ mail.local/Makefile.m4
+ mail.local/README
+ mailstats/Build
+ mailstats/Makefile.m4
+ makemap/Build
+ makemap/Makefile.m4
+ praliases/Build
+ praliases/Makefile.m4
+ rmail/Build
+ rmail/Makefile.m4
+ rmail/rmail.0
+ smrsh/Build
+ smrsh/Makefile.m4
+ src/Build
+ src/Makefile.m4
+ src/snprintf.c
+ Deleted Files:
+ cf/cf/Makefile (replaced by Makefile.dist)
+ mail.local/Makefile
+ mail.local/Makefile.dist
+ mailstats/Makefile
+ mailstats/Makefile.dist
+ makemap/Makefile
+ makemap/Makefile.dist
+ praliases/Makefile
+ praliases/Makefile.dist
+ rmail/Makefile
+ smrsh/Makefile
+ smrsh/Makefile.dist
+ src/Makefile
+ src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2)
+ src/Makefiles/Makefile.SMP_DC.OSx.NILE
+ (renamed BuildTools/OS/dcosx.1.x.NILE)
+ src/Makefiles/Makefile.Utah (obsolete platform)
+ Renamed Files:
+ READ_ME => README
+ cf/cf/Makefile.dist => Makefile
+ cf/cf/obj/* => cf/cf/*
+ src/READ_ME => src/README
+
+8.8.8/8.8.8 97/10/24
+ If the check_relay ruleset failed, the relay= field was logged
+ incorrectly. Problem noted by Kari Hurtta of the Finnish
+ Meteorological Institute.
+ If /usr/tmp/dead.letter already existed, sendmail could not
+ add additional bounces to it. Problem noted by Thomas J.
+ Arseneault of SRI International.
+ If an SMTP mailer used a non-standard port number for the outgoing
+ connection, it would be displayed incorrectly in verbose mode.
+ Problem noted by John Kennedy of Cal State University, Chico.
+ Log the ETRN parameter specified by the client before altering them
+ to internal form. Suggested by Bob Kupiec of GES-Verio.
+ EXPN and VRFY SMTP commands on malformed addresses were logging as
+ User unknown with bogus delay= values. Change them to log
+ the same as compliant addresses. Problem noted by Kari E.
+ Hurtta of the Finnish Meteorological Institute.
+ Ignore the debug resolver option unless using sendmail debug trace
+ option for resolver. Problem noted by Greg Nichols of Wind
+ River Systems.
+ If SingleThreadDelivery was enabled and the remote server returned a
+ protocol error on the DATA command, the connection would be
+ closed but the persistent host status file would not be
+ unlocked so other sendmail processes could not deliver to
+ that host. Problem noted by Peter Wemm of DIALix.
+ If queueing up a message due to an expensive mailer, don't increment
+ the number of delivery attempts or set the last delivery
+ attempt time so the message will be delivered on the next
+ queue run regardless of MinQueueAge. Problem noted by
+ Brian J. Coan of the Institute for Global Communications.
+ Authentication warnings of "Processed from queue _directory_" and
+ "Processed by _username_ with -C _filename_" would be logged
+ with the incorrect timestamp. Problem noted by Kari E. Hurtta
+ of the Finnish Meteorological Institute.
+ Use a better heuristic for detecting GDBM.
+ Log null connections on dropped connections. Problem noted by
+ Jon Lewis of Florida Digital Turnpike.
+ If class dbm maps are rebuilt, sendmail will now detect this and
+ reopen the map. Previously, they could give stale
+ results during a single message processing (but would
+ recover when the next message was received). Fix from
+ Joe Pruett of Q7 Enterprises.
+ Do not log failures such as "User unknown" on -bv or SMTP VRFY
+ requests. Problem noted by Kari E. Hurtta of the
+ Finnish Meteorological Institute.
+ Do not send a bounce message back to the sender regarding bad
+ recipients if the SMTP connection is dropped before the
+ message is accepted. Problem noted by Kari E. Hurtta of the
+ Finnish Meteorological Institute.
+ Use "localhost" instead of "[UNIX: localhost]" when connecting to
+ sendmail via a UNIX pipe. This will allow rulesets using
+ $&{client_name} to process without sending the string through
+ dequote. Problem noted by Alan Barrett of Internet Africa.
+ A combination of deferred delivery mode, a double bounce situation,
+ and the inability to save a bounce message to
+ /var/tmp/dead.letter would cause sendmail to send a bounce
+ to postmaster but not remove the offending envelope from the
+ queue causing it to create a new bounce message each time the
+ queue was run. Problem noted by Brad Doctor of Net Daemons
+ Associates.
+ Remove newlines from hostname information returned via DNS. There are
+ no known security implications of newlines in hostnames as
+ sendmail filters newlines in all vital areas; however, this
+ could cause confusing error messages.
+ Starting with sendmail 8.8.6, mail sent with the '-t' option would be
+ rejected if any of the specified addresses were bad. This
+ behavior was modified to only reject the bad addresses and not
+ the entire message. Problem noted by Jozsef Hollosi of
+ SuperNet, Inc.
+ Use Timeout.fileopen when delivering mail to a file. Suggested by
+ Bryan Costales of InfoBeat, Inc.
+ Display the proper Final-Recipient on DSN messages for non-SMTP
+ mailers. Problem noted by Kari E. Hurtta of the
+ Finnish Meteorological Institute.
+ An error in calculating the available space in the list of addresses
+ for logging deliveries could cause an address to be silently
+ dropped.
+ Include the initial user environment if sendmail is restarted via
+ a HUP signal. This will give room for the process title.
+ Problem noted by Jon Lewis of Florida Digital Turnpike.
+ Mail could be delivered without a body if the machine does not
+ support flock locking and runs out of processes during
+ delivery. Fix from Chuck Lever of the University of Michigan.
+ Drop recipient address from 251 and 551 SMTP responses per RFC 821.
+ Problem noted by Kari E. Hurtta of the Finnish Meteorological
+ Institute.
+ Make sure non-rebuildable database maps are opened before the
+ rebuildable maps (i.e. alias files) in case the database maps
+ are needed for verifying the left hand side of the aliases.
+ Problem noted by Lloyd Parkes of Victoria University.
+ Make sure sender RFC822 source route addresses are alias expanded for
+ bounce messages. Problem noted by Juergen Georgi of
+ RUS University of Stuttgart.
+ Minor lint fixes.
+ Return a temporary error instead of a permanent error if an LDAP map
+ search returns an error. This will allow sequenced maps which
+ use other LDAP servers to be checked. Fix from Booker Bense
+ of Stanford University.
+ When automatically converting from quoted printable to 8bit text do
+ not pad bare linefeeds with a space. Problem noted by Theo
+ Nolte of the University of Technology Aachen, Germany.
+ Portability:
+ Non-standard C compilers may have had a problem compiling
+ conf.c due to a standard C external declaration of
+ setproctitle(). Problem noted by Ted Roberts of
+ Electronic Data Systems.
+ AUX: has a broken O_EXCL implementation. Reported by Jim
+ Jagielski of jaguNET Access Services.
+ BSD/OS: didn't compile if HASSETUSERCONTEXT was defined.
+ Digital UNIX: Digital UNIX (and possibly others) moves
+ loader environment variables into the loader memory
+ area. If one of these environment variables (such as
+ LD_LIBRARY_PATH) was the last environment variable,
+ an invalid memory address would be used by the process
+ title routine causing memory corruption. Problem
+ noted by Sam Hartman of Mesa Internet Systems.
+ GNU libc: uses an enum for _PC_CHOWN_RESTRICTED which caused
+ chownsafe() to always return 0 even if the OS does
+ not permit file giveaways. Problem noted by
+ Yasutaka Sumi of The University of Tokyo.
+ IRIX6: Syslog buffer size set to 512 bytes. Reported by
+ Gerald Rinske of Siemens Business Services VAS.
+ Linux: Pad process title with NULLs. Problem noted by
+ Jon Lewis of Florida Digital Turnpike.
+ SCO OpenServer 5.0: SIOCGIFCONF ioctl call returns an
+ incorrect value for the number of interfaces.
+ Problem noted by Chris Loelke of JetStream Internet
+ Services.
+ SINIX: Update for Makefile and syslog buffer size from Gerald
+ Rinske of Siemens Business Services VAS.
+ Solaris: Make sure HASGETUSERSHELL setting for SunOS is not
+ used on a Solaris machine. Problem noted by
+ Stephen Ma of Jtec Pty Limited.
+ CONFIG: SINIX: Update from Gerald Rinske of Siemens Business
+ Services VAS.
+ MAKEMAP: Use a better heuristic for detecting GDBM.
+ CONTRIB: expn.pl: Updated version from the author, David Muir Sharnoff.
+ OP.ME: Document the F=i mailer flag. Problem noted by Per Hedeland of
+ Ericsson.
+
+8.8.7/8.8.7 97/08/03
+ If using Berkeley DB on systems without O_EXLOCK (open a file with
+ an exclusive lock already set -- i.e., almost all systems
+ except 4.4-BSD derived systems), the initial attempt at
+ rebuilding aliases file if the database didn't already
+ exist would fail. Patch from Raymund Will of LST Software
+ GmbH.
+ Bogus incoming SMTP commands would reset the SMTP conversation.
+ Problem noted by Fredrik Jönsson of the Royal Institute
+ of Technology, Stockholm.
+ Since TCP Wrappers includes setenv(), unsetenv(), and putenv(),
+ some environments could give "multiple definitions" for these
+ routines during compilation. If using TCP Wrappers, assume
+ that these routines are included as though they were in the
+ C library. Patch from Robert La Ferla.
+ When a NEWDB database map was rebuilt at the same time it was being
+ used by a queue run, the maps could be left locked for the
+ duration of the queue run, causing other processes to hang.
+ Problem noted by Kendall Libby of Shore.NET.
+ In some cases, NoRecipientAction=add-bcc was being ignored, so the
+ mail was passed on without any recipient header. This could
+ cause problems downstream. Problem noted by Xander Jansen
+ of SURFnet ExpertiseCentrum.
+ Give error when GDBM is used with sendmail. GDBM's locking and
+ linking of the .dir and .pag files interferes with sendmail's
+ locking and security checks. Problems noted by Fyodor
+ Yarochkin of the Kyrgyz Republic FreeNet.
+ Don't fsync qf files if SuperSafe option is not set.
+ Avoid extra calls to gethostbyname for addresses for which a
+ gethostbyaddr found no value. Also, ignore any returns
+ from gethostbyaddr that look like a dotted quad.
+ If PTR lookup fails when looking up an SMTP peer, don't tag it as
+ "may be forged", since at the network level we pretty much
+ have to assume that the information is good.
+ In some cases, errors during an SMTP session could leave files
+ open or locked.
+ Better handling of missing file descriptors (0, 1, 2) on startup.
+ Better handling of non-setuid binaries -- avoids certain obnoxious
+ errors during testing.
+ Errors in file locking of NEWDB maps had the incorrect file name
+ printed in the error message.
+ If the AllowBogusHELO option were set and an EHLO with a bad or
+ missing parameter were issued, the EHLO behaved like a HELO.
+ Load limiting never kicked in for incoming SMTP transactions if the
+ DeliverMode=background and any recipient was an alias or
+ had a .forward file. From Nik Conwell of Boston University.
+ On some non-Posix systems, the decision of whether chown(2) permits
+ file giveaway was undefined. From Tetsu Ushijima of the
+ Tokyo Institute of Technology.
+ Fix race condition that could cause the body of a message to be
+ lost (so only the header was delivered). This only occurs
+ on systems that do not use flock(2), and only when a queue
+ runner runs during a critical section in another message
+ delivery. Based on a patch from Steve Schweinhart of
+ Results Computing.
+ If a qf file was found in a mail queue directory that had a problem
+ (wrong ownership, bad format, etc.) and the file name was
+ exactly MAXQFNAME bytes long, then instead of being tried
+ once, it would be tried on every queue run. Problem noted
+ by Bryan Costales of Mercury Mail.
+ If the system supports an st_gen field in the status structure,
+ include it when reporting that a file has changed after open.
+ This adds a new compile flag, HAS_ST_GEN (0/1 option).
+ This out to be checked as well as reported, since it is
+ theoretically possible for an attacker to remove a file after
+ it is opened and replace it with another file that has the
+ same i-number, but some filesystems (notably AFS) return
+ garbage in this field, and hence always look like the file
+ has changed. As a practical matter this is not a security
+ problem, since the files can be neither hard nor soft links,
+ and on no filesystem (that I am aware of) is it possible to
+ have two files on the same filesystem with the same i-number
+ simultaneously.
+ Delete the root Makefile from the distribution -- it is only for
+ use internally, and does not work at customer sites.
+ Fix botch that caused the second MAIL FROM: command in a single
+ transaction to clear the entire transaction. Problem
+ noted by John Kennedy of Cal State University, Chico.
+ Work properly on machines that have _PATH_VARTMP defined without
+ a trailing slash. (And a pox on vendors that decide to
+ ignore the established conventions!) Problem noted by
+ Gregory Neil Shapiro of WPI.
+ Internal changes to make it easier to add another protocol family
+ (intended for IPv6). Patches are from John Kennedy of
+ CSU Chico.
+ In certain cases, 7->8 bit MIME decoding of Base64 text could leave
+ an extra space at the beginning of some lines. Problem
+ noted by Charles Karney of Princeton University; fix based
+ on a patch from Christophe Wolfhugel.
+ Portability:
+ Allow _PATH_VENDOR_CF to be set in Makefile for consistency
+ with the _Sendmail_ book, 2nd edition. Note that
+ the book is actually wrong: _PATH_SENDMAILCF should
+ be used instead.
+ AIX 3.x: Include <sys/select.h>. Patch from Gene Rackow
+ of Argonne National Laboratory.
+ OpenBSD from from Paul DuBois of the University of Wisconsin.
+ RISC/os 4.0 from Paul DuBois of the University of Wisconsin.
+ SunOS: Include <memory.h> to fix warning from util.c. From
+ James Aldridge of EUnet Ltd.
+ Solaris: Change STDIR (location of status file) to /etc/mail
+ in Makefiles.
+ Linux, Dynix, UNICOS: Remove -DNDBM and -lgdbm from
+ Makefiles. Use NEWDB on Linux instead.
+ NCR MP-RAS 3.x with STREAMware TCP/IP: SIOCGIFNUM ioctl
+ exists but behaves differently than other OSes.
+ Add SIOCGIFNUM_IS_BROKEN compile flag to get
+ around the problem. Problem noted by Tom Moore of
+ NCR Corp.
+ HP-UX 9.x: fix compile warnings for old select API. Problem
+ noted by Tom Smith of Digital Equipment Corp.
+ UnixWare 2.x: compile warnings on offsetof macro. Problem
+ noted by Tom Good of the Community Access Information
+ Resource Network
+ SCO 4.2: compile problems caused by a change in the type of
+ the "length" parameters passed to accept, getpeername,
+ getsockname, and getsockopt. Adds new compile flags
+ SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Problem reported
+ by Tom Good of St. Vincent's North Richmond Community
+ Mental Health Center Residential Services.
+ AIX 4: Use size_t for SOCKADDR_SIZE_T and SOCKOPT_SIZE_T.
+ Suggested by Brett Hogden of Rochester Gas & Electric
+ Corp.
+ Linux: avoid compile problem for versions of <setjmp.h> that
+ #define both setjmp and longjmp. Problem pointed out
+ by J.R. Oldroyd of TerraNet.
+ CONFIG: SCO UnixWare 2.1: Support for OSTYPE(sco-uw-2.1)
+ from Christopher Durham of SCO.
+ CONFIG: NEXTSTEP: define confCW_FILE to
+ /etc/sendmail/sendmail.cw to match the usual
+ configuration. Patch from Dennis Glatting of
+ PlainTalk.
+ CONFIG: MAILER(fax) called a program that hasn't existed for a long
+ time. Convert to use the HylaFAX 4.0 conventions. Suggested
+ by Harry Styron.
+ CONFIG: Improve sample anti-spam rulesets in cf/cf/knecht.mc. These
+ are the rulesets in use on sendmail.org.
+ MAKEMAP: give error on GDBM files.
+ MAIL.LOCAL: Make error messages a bit more explicit, for example,
+ telling more details on what actually changed when "file
+ changed after open".
+ CONTRIB: etrn.pl: Ignore comments in Fw files. Support multiple Fw
+ files.
+ CONTRIB: passwd-to-alias.pl: Handle 8 bit characters and '-'.
+ NEW FILES:
+ src/Makefiles/Makefile.OpenBSD
+ src/Makefiles/Makefile.RISCos.4_0
+ test/t_exclopen.c
+ cf/ostype/sco-uw-2.1.m4
+ DELETED FILES:
+ Makefile
+
+8.8.6/8.8.6 97/06/14
+ *************************************************************
+ * The extensive assistance of Gregory Neil Shapiro of WPI *
+ * in preparing this release is gratefully appreciated. *
+ * Sun Microsystems has also provided resources toward *
+ * continued sendmail development. *
+ *************************************************************
+ SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open
+ mode bits set to create a file that is a symbolic link that
+ points nowhere. This makes it possible to create a root
+ owned file in an arbitrary directory by inserting the symlink
+ into a writable directory after the initial lstat(2) check
+ determined that the file did not exist. The only verified
+ example of a system having these odd semantics for O_EXCL
+ and symbolic links was HP-UX prior to version 9.07. Most
+ systems do not have the problem, since a exclusive create
+ of a file disallows symbolic links. Systems that have been
+ verified to NOT have the problem include AIX 3.x, *BSD,
+ DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris,
+ and Ultrix. This is a potential exposure on systems that
+ have this bug and which do not have a MAILER-DAEMON alias
+ pointing at a legitimate account, since this will cause old
+ mail to be dropped in /var/tmp/dead.letter.
+ SECURITY: Problems can occur on poorly managed systems, specifically,
+ if maps or alias files are in world writable directories.
+ If your system has alias maps in writable directories, it
+ is potentially possible for an attacker to replace the .db
+ (or .dir and .pag) files by symbolic links pointing at
+ another database; this can be used either to expose
+ information (e.g., by pointing an alias file at /etc/spwd.db
+ and probing for accounts), or as a denial-of-service attack
+ (by trashing the password database). The fix disallows
+ symbolic links entirely when rebuilding alias files or on
+ maps that are in writable directories, and always warns on
+ writable directories; 8.9 will probably consider writable
+ directories to be fatal errors. This does not represent an
+ exposure on systems that have alias files in unwritable
+ system directories.
+ SECURITY: disallow .forward or :include: files that are links (hard
+ or soft) if the parent directory (or any directory in the
+ path) is writable by anyone other than the owner. This is
+ similar to the previous case for user files. This change
+ should not affect most systems, but is necessary to prevent
+ an attacker who can write the directory from pointing such
+ files at other files that are readable only by the owner.
+ SECURITY: Tighten safechown rules: many systems will say that they
+ have a safe (restricted to root) chown even on files that
+ are mounted from another system that allows owners to give
+ away files. The new rules are very strict, trusting file
+ ownership only in those few cases where the system has
+ been verified to be at least as paranoid as necessary.
+ However, it is possible to relax the rules to partially
+ trust the ownership if the directory path is not world or
+ group writable. This might allow someone who has a legitimate
+ :include: file (referenced directly from /etc/aliases) to
+ become another non-root user if the :include: file is in a
+ non-writable directory on an NFS-mounted filesystem where
+ the local system says that giveaway is denied but it is
+ actually permitted. I believe this to be a very small set
+ of cases. If in doubt, do not point :include: aliases at
+ NFS-mounted filesystems.
+ SECURITY: When setting a numeric group id using the RunAsUser option
+ (e.g., "O RunAsUser=10:20", the group id would not be set.
+ Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha
+ group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine.
+ The user id was still set properly. Problem noted by Uli
+ Pralle of the Technical University of Berlin.
+ Save the initial gid set for use when checking for if the
+ PrivacyOptions=restrictmailq option is set. Problem reported
+ by Wolfgang Ley of DFN-CERT.
+ Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a
+ failure on one message won't affect future messages to the
+ same host).
+ IP source route printing had an "off by one" error that would
+ affect any options that came after the route option. Patch
+ from Theo de Raadt.
+ The "Message is too large" error didn't successfully bounce the error
+ back to the sender. Problem reported by Stephen More of
+ PSI; patch from Gregory Neil Shapiro of WPI.
+ Change SMTP status code 553 to map into Extended code 5.1.0 (instead
+ of 5.1.3); it apparently gets used in multiple ways.
+ Suggested by John Myers of Portola Communications.
+ Fix possible extra null byte generated during collection if errors
+ occur at the beginning of the stream. Patch contributed by
+ Andrey A. Chernov and Gregory Neil Shapiro.
+ Code changes to avoid possible reentrant call of malloc/free within
+ a signal handler. Problem noted by John Beck of Sun
+ Microsystems.
+ Move map initialization to be earlier so that check_relay ruleset
+ will have the latest version of the map data. Problem noted
+ by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro.
+ If there are fatal errors during the collection phase (e.g., message
+ too large) don't send the bogus message.
+ Avoid "cannot open xfAAA00000" messages when sending to aliases that
+ have errors and have owner- aliases. Problem noted by Michael
+ Barber of MTU; fix from Gregory Neil Shapiro of WPI.
+ Avoid null pointer dereference on illegal Boundary= parameters in
+ multipart/mixed Content-Type: header. Problem noted by
+ Richard Muirden of RMIT University.
+ Always print error messages during newaliases (-bi) even if the
+ ErrorMode is not set to "print". Fix from Gregory Neil
+ Shapiro.
+ Test mode could core dump if you did a /map lookup in an optional map
+ that could not be opened. Based on a fix from John Beck of
+ Sun Microsystems.
+ If DNS is misconfigured so that the last MX record tried points to
+ a host that does not have an A record, but other MX records
+ pointed to something reasonable, don't bounce the message
+ with a "host unknown" error. Note that this should really
+ be fixed in the zone file for the domain. Problem noted by
+ Joe Rhett of Navigist, Inc.
+ If a map fails (e.g., DNS times out) on all recipient addresses, mark
+ the message as having been tried; otherwise the next queue
+ run will not realize that this is a second attempt and will
+ retry immediately. Problem noted by Bryan Costales of
+ Mercury Mail.
+ If the clock is set backwards, and a MinQueueAge is set, no jobs
+ will be run until the later setting of the clock is reached.
+ "Problem" (I use the term loosely) noted by Eric Hagberg of
+ Morgan Stanley.
+ If the load average rises above the cutoff threshold (above which
+ sendmail will not process the queue at all) during a queue
+ run, abort the queue run immediately. Problem noted by
+ Bryan Costales of Mercury Mail.
+ The variable queue processing algorithm (based on the message size,
+ number of recipients, message precedence, and job age) was
+ non-functional -- either the entire queue was processed or
+ none of the queue was processed. The updated algorithm
+ does no queue run if a single recipient zero size job will
+ not be run.
+ If there is a fatal ("panic") message that will cause sendmail to
+ die immediately, never hold the error message for future
+ printing.
+ Force ErrorMode=print in -bt mode so that all errors are printed
+ regardless of the setting of the ErrorMode option in the
+ configuration file. Patch from Gregory Neil Shapiro.
+ New compile flag HASSTRERROR says that this OS has the strerror(3)
+ routine available in one of the libraries. Use it in conf.h.
+ The -m (match only) flag now works on host class maps.
+ If class hash or btree maps are rebuilt, sendmail will now detect
+ this and reopen the map. Previously, they could give
+ erroneous results during a single message processing
+ (but would recover when the next message was received).
+ Don't delete zero length queue files when doing queue runs until the
+ files are at least ten minutes old. This avoids a potential
+ race condition: the creator creates the qf file, getting back
+ a file descriptor. The queue runner locks it and deletes it
+ because it is zero length. The creator then writes the
+ descriptor that is now for a disconnected file, and the
+ job goes away. Based on a suggestion by Bryan Costales.
+ When determining the "validated" host name ($_ macro), do a forward
+ (A) DNS lookup on the result of the PTR lookup and compare
+ results. If they differ or if the PTR lookup fails, tag the
+ address as "may be forged".
+ Log null connections (i.e., hosts that connect but do not do any
+ substantive activity on the connection before disconnecting;
+ "substantive" is defined to be MAIL, EXPN, VRFY, or ETRN.
+ Always permit "writes" to /dev/null regardless of the link count.
+ This is safe because /dev/null is special cased, and no open
+ or write is ever actually attempted. Patch from Villy Kruse
+ of TwinCom.
+ If a message cannot be sent because of a 552 (exceeded storage
+ allocation) response to the MAIL FROM:<>, and a SIZE= parameter
+ was given, don't return the body in the bounce, since there
+ is a very good chance that the message will double-bounce.
+ Fix possible line truncation if a quoted-printable had an =00 escape
+ in the body. Problem noted by Charles Karney of the Princeton
+ Plasma Physics Laboratory.
+ Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses.
+ Problem noted by Kari Hurtta of the Finnish Meteorological
+ Institute.
+ The MaxDaemonChildren option wasn't applying to queue runs as
+ documented. Note that this increases the potential denial
+ of service problems with this option: an attacker can
+ connect many times, and thereby lock out queue runs as well
+ as incoming connections. If you use this option, you should
+ run the "sendmail -bd" and "sendmail -q30m" jobs separately
+ to avoid this attack. Failure to limit noted by Matthew
+ Dillon of BEST Internet Communications.
+ Always give a message in newaliases if alias files cannot be
+ opened instead of failing silently. Suggested by Gregory
+ Neil Shapiro. This change makes the code match the O'Reilly
+ book (2nd edition).
+ Some older versions of the resolver could return with h_errno == -1
+ if no name server could be reached, causing mail to bounce
+ instead of queueing. Treat this like TRY_AGAIN. Fix from
+ John Beck of SunSoft.
+ If a :include: file is owned by a user that does not have an entry
+ in the passwd file, sendmail could dereference a null pointer.
+ Problem noted by Satish Mynam of Sun Microsystems.
+ Take precautions to make sure that the SMTP protocol cannot get out
+ of sync if (for example) an alias file cannot be opened.
+ Fix a possible race condition that can cause a SIGALRM to come in
+ immediately after a SIGHUP, causing the new sendmail to die.
+ Avoid possible hang on SVr3 systems when doing child reaping. Patch
+ from Villy Kruse of TwinCom.
+ Ignore improperly formatted SMTP reply codes. Previously these were
+ partially processed, which could cause confusing error
+ returns.
+ Fix possible bogus pointer dereference when doing ldapx map lookups
+ on some architectures.
+ Portability:
+ A/UX: from Jim Jagielski of NASA/GSFC.
+ glibc: SOCK_STREAM was changed from a #define to an enum,
+ thus breaking #ifdef SOCK_STREAM. Only option seems
+ to be to assume SOCK_STREAM if __GNU_LIBRARY__ is
+ defined. Problem reported by A Sun of the University
+ of Washington.
+ Solaris: use SIOCGIFNUM to get the number of interfaces on
+ the system rather than guessing at compile time.
+ Patch contributed by John Beck of Sun Microsystems.
+ Intel Paragon: from Wendy Lin of Purdue University.
+ GNU Hurd: from Miles Bader of the GNU project.
+ RISC/os 4.50 from Harlan Stenn of PFCS Corporation.
+ ISC Unix: wait never returns if SIGCLD signals are blocked.
+ Unfortunately releasing them opens a race condition,
+ but there appears to be no fix for this. Patch from
+ Gregory Neil Shapiro.
+ BIND 8.1 for IPv6 compatibility from John Kennedy.
+ Solaris: a bug in strcasecmp caused characters with the
+ high order bit set to apparently randomly match
+ letters -- for example, $| (0233) matches "i" and "I".
+ Problem noted by John Gregson of the University of
+ Cambridge.
+ IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From
+ Kari Hurtta.
+ IRIX 6.x: Create Makefiles for systems that claim to be
+ IRIX64 but are 6.2 or higher (so use the regular
+ IRIX Makefile).
+ IRIX 6.x: Fix load average computation on 64 bit kernels.
+ Problem noted by Eric Hagberg of Morgan Stanley.
+ CONFIG: Some canonification was still done for UUCP-like addresses
+ even if FEATURE(nocanonify) was set. Problem pointed out by
+ Brian Candler.
+ CONFIG: In some cases UUCP mailers wouldn't properly recognize all
+ local names as local. Problem noted by Jeff Polk of BSDI;
+ fix provided by Gregory Neil Shapiro.
+ CONFIG: The "local:user" syntax entries in mailertables and other
+ "mailer:user" syntax locations returned an incorrect value
+ for the $h macro. Problem noted by Gregory Neil Shapiro.
+ CONFIG: Retain "+detail" information when forwarding mail to a
+ MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip
+ Guenther of Gustavus Adolphus College.
+ CONFIG: Make sure user+detail works for FEATURE(virtusertable);
+ rules are the same as for aliasing. Based on a patch from
+ Gregory Neil Shapiro.
+ CONFIG: Break up parsing rules into several pieces; this should
+ have no functional change in this release, but makes it
+ possible to have better anti-spam rulesets in the future.
+ CONFIG: Disallow double dots in host names to avoid having the
+ HostStatusDirectory store status under the wrong name.
+ In some cases this can be used as a denial-of-service attack.
+ Problem noted by Ron Jarrell of Virginia Tech, patch from
+ Gregory Neil Shapiro.
+ CONFIG: Don't use F=m (multiple recipients per invocation) for
+ MAILER(procmail), but do pass F=Pn9 (include Return-Path:,
+ don't include From_, and convert to 8-bit). Suggestions
+ from Kimmo Suominen and Roderick Schertler.
+ CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) where
+ being masqueraded as though FEATURE(masquerade_entire_domain)
+ was specified, even when it wasn't.
+ MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft.
+ MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't
+ "slip in" a symbolic link between the lstat(2) call and the
+ exclusive open. This is only a problem on System V derived
+ systems that allow an exclusive create on files that are
+ symbolic links pointing nowhere.
+ MAIL.LOCAL: If the final mailbox close() failed, the user id was
+ not reset back to root, which on some systems would cause
+ later mailboxes to fail. Also, any partial message would
+ not be truncated, which could result in repeated deliveries.
+ Problem noted by Bruce Evans via Peter Wemm (FreeBSD
+ developers).
+ MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar
+ change to the sendmail map code was made in 8.8.3. Problem
+ noted by Gregory Neil Shapiro.
+ MAKEMAP: Give warnings on file problems such as map files that are
+ symbolic links; although makemap is not setuid root, it is
+ often run as root and hence has the potential for the same
+ sorts of problems as alias rebuilds.
+ MAKEMAP: Change compilation so that it will link properly on
+ NEXTSTEP.
+ CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf.
+ Accept an optional list of arguments following the server
+ name for the ETRN arguments to use (instead of $=w). Other
+ miscellaneous bug fixes. From Christian von Roques via
+ John Beck of Sun Microsystems.
+ CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta. This
+ Perl script converts GECOS information in the /etc/passwd
+ file into aliases, allowing for faster access to full name
+ lookups; it is also clever about adding aliases (to root)
+ for system accounts.
+ NEW FILES:
+ src/safefile.c
+ cf/ostype/gnuhurd.m4
+ cf/ostype/irix6.m4
+ contrib/passwd-to-alias.pl
+ src/Makefiles/Makefile.IRIX64.6.1
+ src/Makefiles/Makefile.IRIX64.6.x
+ RENAMED FILES:
+ src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x
+ src/Makefiles/Makefile.IRIX64 => Makefile.IRIX64.6.0
+
+8.8.5/8.8.5 97/01/21
+ SECURITY: Clear out group list during startup. Without this, sendmail
+ will continue to run with the group permissions of the caller,
+ even if RunAsUser is specified.
+ SECURITY: Make purgestat (-bH) be root-only. This is not in response
+ to any known attack, but it's best to be conservative.
+ Suggested by Peter Wemm of DIALix.
+ SECURITY: Fix buffer overrun problem in MIME code that has possible
+ security implications. Patch from Alex Garthwaite of the
+ University of Pennsylvania.
+ Use of a -f flag with a phrase attached (e.g., "-f 'Full Name <addr>'")
+ would truncate the address after "Full". Although the -f
+ syntax is incorrect (since it is in the envelope, it
+ shouldn't have comments and full names), the failure mode
+ was unnecessarily awful.
+ Fix a possible null pointer dereference when converting 8-bit data
+ to a 7-bit format. Problem noted by Jim Hutchins of
+ Sandia National Labs and David James of British Telecom.
+ Clear out stale state that affected F=9 on SMTP mailers in queue
+ runs. Although this really shouldn't be used (F=9 is for
+ final delivery only, and using it on an SMTP mailer makes
+ it possible for a message to be converted from 8->7->8->7
+ bits several times), it shouldn't have failed with a syserr.
+ Problem noted by Eric Hagberg of Morgan Stanley.
+ _Really_ fix the multiple :maildrop code in the user database
+ module. Patch from Roy Mongiovi of Georgia Tech.
+ Let F lines in the configuration file actually read root-only
+ files if the configuration file is safe. Based on a
+ patch from Keith Reynolds of SCO.
+ ETRN followed by QUIT would hold the connection open until the queue
+ run completed. Problem noted by Truck Lewis of TDK
+ Semiconductor Corp.
+ It turns out that despite the documentation, the TCP wrappers library
+ does _not_ log rejected connections. Do the logging ourselves.
+ Problem noted by Fletcher Mattox of the University of Texas
+ at Austin.
+ If sendmail finds a qf file in its queue directory that is an unknown
+ version (e.g., when backing out to an old version), the
+ error is reported on every queue run. Change it to only
+ give the error once (and rename the qf => Qf). Patch from
+ William A. Gianopoulos of Raytheon Company.
+ Start a new session when doing background delivery; currently it
+ ignored signals but didn't start a new signal, that caused
+ some problems if a background process tried to send mail
+ under certain circumstances. Problem noted by Eric Hagberg
+ of Morgan Stanley; fix from Kari Hurtta.
+ Simplify test for skipping a queue run to just check if the current
+ load average is >= the queueing load average. Previously
+ the check factored in some other parameters that caused it
+ to essentially never skip the queue run. Patch from Bryan
+ Costales.
+ If the SMTP server is running in "nullserver" mode (that is, it is
+ rejecting all commands), start sleeping after MAXBADCOMMAND
+ (25) commands; this helps prevent a bad guy from putting
+ you into a tight loop as a denial-of-service attack. Based
+ on an e-mail conversation with Brad Knowles of AOL.
+ Slow down when too many "light weight" commands have been issued;
+ this helps prevent a class of denial-of-service attacks.
+ The current values and defaults are:
+ MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR
+ MAXHELOCOMMANDS 3 HELO, EHLO
+ MAXVRFYCOMMANDS 6 VRFY, EXPN
+ MAXETRNCOMMANDS 8 ETRN
+ These will probably be configurable in a future release.
+ On systems that have uid_t typedefed to be an unsigned short, programs
+ that had the F=S flag and no U= equate would be invoked with
+ the real uid set to 65535 rather than being left unchanged.
+ In some cases, NOTIFY=NEVER was not being honored. Problem noted
+ by Steve Hubert of the University of Washington, Seattle.
+ Mail that was Quoted-Printable encoded and had a soft line break on
+ the last line (i.e., an incomplete continuation) had the last
+ line dropped. Since this appears to be illegal it isn't
+ clear what to do with it, but flushing the last line seems
+ to be a better "fail soft" approach. Based on a patch from
+ Eric Hagberg.
+ If AllowBogusHELO and PrivacyOptions=needmailhelo are both set, a
+ bogus HELO command still causes the "Polite people say HELO
+ first" error message. Problem pointed out by Chris Thomas
+ of UCLA; patch from John Beck of SunSoft.
+ Handle "sendmail -bp -qSfoobar" properly if restrictqrun is set
+ in PrivacyFlags. The -q shouldn't turn this command off.
+ Problem noted by Murray Kucherawy of Pacific Bell Internet;
+ based on a patch from Gregory Neil Shapiro of WPI.
+ Don't consider SMTP reply codes 452 or 552 (exceeded storage allocation)
+ in a DATA transaction to be sticky; these can occur because
+ a message is too large, and smaller messages should still go
+ through. Problem noted by Matt Dillon of Best Internet
+ Communications.
+ In some cases bounces were saved in /var/tmp/dead.letter even if they
+ had been successfully delivered to the envelope sender.
+ Problem noted Eric Hagberg of Morgan Stanley; solution from
+ Gregory Neil Shapiro of WPI.
+ Give better diagnostics on long alias lines. Based on code contributed
+ by Patrick Gosling of the University of Cambridge.
+ Increase the number of virtual interfaces that will be probed for
+ alternate names. Problem noted by Amy Rich of Shore.Net.
+ PORTABILITY:
+ UXP/DS V20L10 for Fujitsu DS/90: Makefile patches from
+ Toshiaki Nomura of Fujitsu Limited.
+ SunOS with LDAP support: compile problems with struct timeval.
+ Patch from Nick Cuccia of TCSI Corporation.
+ SCO: from Keith Reynolds of SCO.
+ Solaris: kstat load average computation wasn't being used.
+ Fixes from Michael Ju. Tokarev of Telecom Service, JSC
+ (Moscow).
+ OpenBSD: from Jason Downs of teeny.org.
+ Altos System V: from Tim Rice.
+ Solaris 2.5: from Alan Perry of SunSoft.
+ Solaris 2.6: from John Beck of SunSoft.
+ Harris Nighthawk PowerUX (mh6000 box): from Bob Miorelli
+ of Pratt & Whitney <miorelli@pweh.com>.
+ CONFIG: It seems that I hadn't gotten the Received: line syntax
+ _just_right_ yet. Tweak it again. I'll omit the names
+ of the "contributors" (quantity two) in this one case.
+ As of now, NO MORE DISCUSSION about the syntax of the
+ Received: line.
+ CONFIG: Although FEATURE(nullclient) uses EXPOSED_USER (class $=E),
+ it never inserts that class into the output file. Fix it
+ so it will honor EXPOSED_USER but will _not_ include root
+ automatically in this class. Problem noted by Ronan KERYELL
+ of Centre de Recherche en Informatique de l'École Nationale
+ Supérieure des Mines de Paris (CRI-ENSMP).
+ CONFIG: Clean up handling of "local:" syntax in relay specifications
+ such as LUSER_RELAY. This change permits the following
+ syntaxes: ``local:'' will send to the same user on the
+ local machine (e.g., in a mailertable entry for "host",
+ ``local:'' will cause an address addressed to user@host to
+ go to user on the local machone). ``local:user'' will send
+ to the named user on the local machine. ``local:user@host''
+ is equivalent to ``local:user'' (the host is ignored). In
+ all cases, the original user@host is passed in $@ (i.e., the
+ detail information). Inspired by a report from Michael Fuhr.
+ CONFIG: Strip quotes from the first word of an "error:" host
+ indication. This lets you set (for example) the LUSER_RELAY
+ to be ``error:\"5.1.1\" Your Message Here''. Note the use
+ of the \" so that the resulting string is properly quoted.
+ Problem noted by Gregory Neil Shapiro of WPI.
+ OP.ME: documentation was inconsistent about whether sendmail did a
+ NOOP or a RSET to probe the connection (it does a RSET).
+ Inconsistency noted by Deeran Peethamparam.
+ OP.ME: insert additional blank pages so it will print properly on
+ a duplex printer. From Matthew Black of Cal State University,
+ Long Beach.
+
+8.8.4/8.8.4 96/12/02
+ SECURITY: under some circumstances, an attacker could get additional
+ permissions by hard linking to files that were group
+ writable by the attacker. The solution is to disallow any
+ files that have hard links -- this will affect .forward,
+ :include:, and output files. Problem noted by Terry
+ Kyriacopoulos of Interlog Internet Services. As a
+ workaround, set UnsafeGroupWrites -- always a good idea.
+ SECURITY: the TryNullMXList (w) option should not be safe -- if it
+ is, it is possible to do a denial-of-service attack on
+ MX hosts that rely on the use of the null MX list. There
+ is no danger if you have this option turned off (the default).
+ Problem noted by Dan Bernstein. Also, make the DontInitGroups
+ unsafe. I know of no specific attack against this, although
+ a denial-of-service attack is probably possible, but in theory
+ you should not be able to safely tweak anything that affects
+ the permissions that are used when mail is delivered.
+ Purgestat could go into an infinite loop if one of the host status
+ directories somehow became empty. Problem noted by Roy
+ Mongiovi of Georgia Tech.
+ Processes got "lost" when counting children due to a race condition.
+ This caused "proc_list_probe: lost pid" messages to be logged.
+ Problem noted by several people.
+ On systems with System V SIGCLD child signal semantics (notably AIX
+ and HP-UX), mail transactions would print the message "451
+ SMTP-MAIL: lost child: No child processes". Problem noted
+ by several people.
+ Miscellaneous compiler warnings on picky compilers (or when setting
+ gcc to high warning levels). From Tom Moore of NCR Corp.
+ SMTP protocol errors, and most errors on MAIL FROM: lines should
+ not be persistent between runs, since they are based on the
+ message rather than the host. Problem noted by Matt Dillon
+ of Best Internet Communications.
+ The F=7 flag was ignored on SMTP mailers. Problem noted by Tom Moore
+ of NCR (a.k.a., AT&T Global Information Solutions).
+ Avoid the possibility of having a child daemon run to completion
+ (including closing the SMTP socket) before the parent has
+ had a chance to close the socket; this can cause the parent
+ to hang for a long time waiting for the socket to drain.
+ Patch from Don Lewis of TDK Semiconductor.
+ If the fork() failed in a queue run, the queue runners would not be
+ rescheduled (so queue runs would stop). Patch from Don Lewis.
+ Some error conditions in ETRN could cause output without an SMTP
+ status code. Problem noted by Don Lewis.
+ Multiple :maildrop addresses in the user database didn't work properly.
+ Patch from Roy Mongiovi of Georgia Tech.
+ Add ".db" automatically onto any user database spec that does not
+ already have it; this is for consistency with makemap, the
+ K line, and the documentation. Inconsistency pointed out
+ by Roy Mongiovi.
+ Allow sendmail to be properly called in nohup mode. Patch from
+ Kyle Jones of UUNET.
+ Change ETRN to ignore but still update host status files; previously
+ it would ignore them and not save the updated status, which
+ caused stale information to be maintained. Based on a patch
+ from Christopher Davis of Kapor Enterprises Inc. Also, have
+ ETRN ignore the MinQueueAge option.
+ Patch long term host status to recover more gracefully from an empty
+ host status file condition. Patch from NAKAMURA Motonori
+ of Kyoto University.
+ Several patches to signal handling code to fix potential race
+ conditions from Don Lewis.
+ Make it possible to compile with -DDAEMON=0 (previously it had some
+ compile errors). This turns DAEMON, QUEUE, and SMTP into
+ 0/1 compilation flags. Note that DAEMON is an obsolete
+ compile flag; use NETINET instead. Solution based on a
+ patch from Bryan Costales.
+ PORTABILITY FIXES:
+ AIX4: getpwnam() and getpwuid() do a sequential scan of the
+ /etc/security/passwd file when called as root. This
+ is very slow on some systems. To speed it up, use the
+ (undocumented) _getpw{nam,uid}_shadow() routines.
+ Patch from Chris Thomas of UCLA/OAC Systems Group.
+ SCO 5.x: include -lprot in the Makefile. Patch from Bill
+ Glicker of Burrelle's Information Service.
+ NEWS-OS 4.x: need a definition for MODE_T to compile. Patch
+ from Makoto MATSUSHITA of Osaka University.
+ SunOS 4.0.3: compile problems. Patches from Andrew Cole of
+ Leeds University and SASABE Tetsuro of the University
+ of Tokyo.
+ DG/UX 5.4.4.11 from Brian J. Murrell of InterLinx Support
+ Services, Inc.
+ Domain/OS from Don (Truck) Lewis of TDK Semiconductor Corp.
+ I believe this to have only been a problem if you
+ compiled with -DUSE_VENDOR_CF_PATH -- another reason
+ to stick with /etc/sendmail.cf as your One True Path.
+ Digital UNIX (OSF/1 on Alpha) load average computation from
+ Martin Laubach of the Technischen Universität Wien.
+ CONFIG: change default Received: line to be multiple lines rather
+ than one long one. By popular demand.
+ MAIL.LOCAL: warnings weren't being logged on some systems. Patch
+ from Jerome Berkman of U.C. Berkeley.
+ MAKEMAP: be sure to zero hinfo to avoid cruft that can cause runs
+ to take a very long time. Problem noted by Yoshiro YONEYA
+ of NTT Software Corporation.
+ CONTRIB: add etrn.pl, contributed by John Beck.
+ NEW FILES:
+ contrib/etrn.pl
+
+8.8.3/8.8.3 96/11/17
+ SECURITY: it was possible to get a root shell by lying to sendmail
+ about argv[0] and then sending it a signal. Problem noted
+ by Leshka Zakharoff <leshka@leshka.chuvashia.su> on the
+ best-of-security list.
+ Log sendmail binary version number in "Warning: .cf version level
+ (%d) exceeds program functionality (%d) message" -- this
+ should make it clearer to people that they are running
+ the wrong binary.
+ Fix a problem that occurs when you open an SMTP connection and then
+ do one or more ETRN commands followed by a MAIL command; at
+ the end of the DATA phase sendmail would incorrectly report
+ "451 SMTP-MAIL: lost child: No child processes". Problem
+ noted by Eric Bishop of Virginia Tech.
+ When doing text-based host canonification (typically /etc/hosts
+ lookup), a null host name would match any /etc/hosts entry
+ with space at the end of the line. Problem noted by Steve
+ Hubert of the University of Washington, Seattle.
+ 7 to 8 bit BASE64 MIME conversions could duplicate bits of text.
+ Problem reported by Tom Smith of Digital Equipment Corp.
+ Increase the size of the DNS answer buffer -- the standard UDP packet
+ size PACKETSZ (512) is not sufficient for some nameserver
+ answers containing very many resource records. The resolver
+ may also switch to TCP and retry if it detects UDP packet
+ overflow. Also, allow for the fact that the resolver
+ routines res_query and res_search return the size of the
+ *un*truncated answer in case the supplied answer buffer it
+ not big enough to accommodate the entire answer. Patch from
+ Eric Wassenaar.
+ Improvements to MaxDaemonChildren code. If you think you have too
+ many children, probe the ones you have to verify that they
+ are still around. Suggested by Jared Mauch of CICnet, Inc.
+ Also, do this probe before growing the vector of children
+ pids; this previously caused the vector to grow indefinitely
+ due to a race condition. Problem reported by Kyle Jones of
+ UUNET.
+ On some architectures, <db.h> (from the Berkeley DB library) defines
+ O_EXLOCK to zero; this fools the map compilation code into
+ thinking that it can avoid race conditions by locking on open.
+ Change it to check for O_EXLOCK non-zero. Problem noted by
+ Leif Erlingsson of Data Lege.
+ Always call res_init() on startup (if compiled in, of course) to
+ allow the sendmail.cf file to tweak resolver flags; without
+ it, flag tweaks in ResolverOptions are ignored. Patch from
+ Andrew Sun of Merrill Lynch.
+ Improvements to host status printing code. Suggested by Steve Hubert
+ of the University of Washington, Seattle.
+ Change MinQueueAge option processing to do the check for the job age
+ when reading the queue file, rather than at the end; this
+ avoids parsing the addresses, which can do DNS lookups.
+ Problem noted by John Beck of InReference, Inc.
+ When MIME was being 7->8 bit decoded, "From " lines weren't being
+ properly escaped. Problem noted by Peter Nilsson of the
+ University of Linkoping.
+ In some cases, sendmail would retain root permissions during queue
+ runs even if RunAsUser was set. Problem noted by Mark
+ Thomas of Mark G. Thomas Consulting.
+ If the F=l flag was set on an SMTP mailer to indicate that it is
+ actually local delivery, and NOTIFY=SUCCESS is specified in
+ the envelope, and the receiving SMTP server speaks DSN, then
+ the DSN would be both generated locally and propagated to the
+ other end.
+ The U= mailer field didn't correctly extract the group id if the
+ user id was numeric. Problem noted by Kenneth Herron of
+ MCI Telecommunications Communications.
+ If a message exceeded the fixed maximum size on input, the body of
+ the message was included in the bounce. Note that this did
+ not occur if it exceeded the maximum _output_ size. Problem
+ reported by Kyle Jones of UUNET.
+ PORTABILITY FIXES:
+ AIX4: 4.1 doesn't have a working setreuid(2); change the
+ AIX4 defines to use seteuid(2) instead, which
+ works on 4.1 as well as 4.2. Problem noted by
+ Håkan Lindholm of interAF, Sweden.
+ AIX4: use tzname[] vector to determine time zone name.
+ Patch from NAKAMURA Motonori of Kyoto University.
+ MkLinux: add Makefile.Linux.ppc and OSTYPE(mklinux) support.
+ Contributed by Paul DuBois <dubois@primate.wisc.edu>.
+ Solaris: kstat(3k) support for retrieving the load average.
+ This adds the LA_KSTAT definition for LA_TYPE.
+ The outline of the implementation was contributed
+ by Michael Tokarev of Telecom Service, JSC, Moscow.
+ HP-UX 10.0 gripes about the (perfectly legal!) forward
+ declaration of struct rusage at the top of conf.h;
+ change it to only be included if you are using gcc,
+ which is apparently the only compiler that requires
+ it in the first place. Problem noted by Jeff
+ Earickson of Colby College.
+ IRIX: don't default to using gcc. IRIX is a civilized
+ operating system that comes with a decent compiler
+ by default. Problem noted by Barry Bouwsma and
+ Kari Hurtta.
+ CONFIG: specify F=9 as default in FEATURE(local_procmail) for
+ consistency with other local mailers. Inconsistency
+ pointed out by Teddy Hogeborn <teddy@fukt.hk-r.se>.
+ CONFIG: if the "limited best mx" feature is used (to reduce DNS
+ overhead) as part of the bestmx_is_local feature, the
+ domain part was dropped from the name. Patch from Steve
+ Hubert of the University of Washington, Seattle.
+ CONFIG: catch addresses of the form "user@.dom.ain"; these could
+ end up being translated to the null host name, which would
+ return any entry in /etc/hosts that had a space at the end
+ of the line. Problem noted by Steve Hubert of the
+ University of Washington, Seattle.
+ CONFIG: add OSTYPE(aix4). From Michael Sofka of Rensselaer
+ Polytechnic Institute.
+ MAKEMAP: tweak hash and btree parameters for better performance.
+ Patch from Matt Dillon of Best Internet Communications.
+ NEW FILES:
+ src/Makefiles/Makefile.Linux.ppc
+ cf/ostype/aix4.m4
+ cf/ostype/mklinux.m4
+
+8.8.2/8.8.2 96/10/18
+ SECURITY: fix a botch in the 7-bit MIME patch; the previous patch
+ changed the code but didn't fix the problem.
+ PORTABILITY FIXES:
+ Solaris: Don't use the system getusershell(3); it can
+ apparently corrupt the heap in some circumstances.
+ Problem found by Ken Pizzini of Spry, Inc.
+ OP.ME: document several mailer flags that were accidentally omitted
+ from this document. These flags were F=d, F=j, F=R, and F=9.
+ CONFIG: no changes.
+
+8.8.1/8.8.1 96/10/17
+ SECURITY: unset all environment variables that the resolver will
+ examine during queue runs and daemon mode. Problem noted
+ by Dan Bernstein of the University of Illinois at Chicago.
+ SECURITY: in some cases an illegal 7-bit MIME-encoded text/plain
+ message could overflow a buffer if it was converted back
+ to 8 bits. This caused core dumps and has the potential
+ for a remote attack. Problem first noted by Gregory Shapiro
+ of WPI.
+ Avoid duplicate deliveries of error messages on systems that don't
+ have flock(2) support. Patch from Motonori Nakamura of
+ Kyoto University.
+ Ignore null FallBackMX (V) options. If this option is null (as
+ opposed to undefined) it can cause "null signature" syserrs
+ on illegal host names.
+ If a Base64 encoded text/plain message has no trailing newline in
+ the encoded text, conversion back to 8 bits will drop the
+ final line. Problem noted by Pierre David.
+ If running with a RunAsUser, sendmail would give bogus "cannot
+ setuid" (or seteuid, or setreuid) messages on some systems.
+ Problem pointed out by Jordan Mendelson of Web Services, Inc.
+ Always print error messages in -bv mode -- previously, -bv would
+ be absolutely silent on errors if the error mode was sent
+ to (say) mail-back. Problem noted by Kyle Jones of UUNET.
+ If -qI/R/S is set (or the ETRN command is used), ignore all long
+ term host status. This is necessary because it is common
+ to do this when you know a host has just come back up.
+ Disallow duplicate HELO/EHLO commands as required by RFC 1651 section
+ 4.2. Excessive permissiveness noted by Lee Flight of the
+ University of Leicester.
+ If a service (such as NIS) is specified as the last entry in the
+ service switch, but that service is not compiled in, sendmail
+ would return a temporary failure when an entry was not found
+ in the map. This caused the message to be queued instead of
+ bouncing immediately. Problem noted by Harry Edmon of the
+ University of Washington.
+ PORTABILITY FIXES:
+ Solaris 2.3 had compilation problems in conf.c. Several
+ people pointed this out.
+ NetBSD from Charles Hannum of MIT.
+ AIX4 improvements based on info from Steve Bauer of South
+ Dakota School of Mines & Technology.
+ CONFIG: ``error:code message'' syntax was broken in virtusertable.
+ Patch from Gil Kloepfer Jr.
+ CONFIG: if FEATURE(nocanonify) was specified, hosts in $=M (set
+ using MASQUERADE_DOMAIN) were not masqueraded unless they
+ were also in $=w. Problem noted by Zoltan Basti of
+ Softec.
+ MAIL.LOCAL: patches to compile and link cleanly on AIX. Based
+ on a patch from Eric Hagberg of Morgan Stanley.
+ MAIL.LOCAL: patches to compile on NEXTSTEP. From Patrick Nolan
+ of Stanford via Robert La Ferla.
+
+8.8.0/8.8.0 96/09/26
+ Under some circumstances, Bcc: headers would not be properly
+ deleted. Pointed out by Jonathan Kamens of OpenVision.
+ Log a warning if the sendmail daemon is invoked without a full
+ pathname, which prevents "kill -1" from working. I was
+ urged to put this in by Andrey A. Chernov of DEMOS (Russia).
+ Fix small buffer overflow. Since the data in this buffer was not
+ read externally, there was no security problem (and in fact
+ probably wouldn't really overflow on most compilers). Pointed
+ out by KIZU takashi of Osaka University.
+ Fix problem causing domain literals such as [1.2.3.4] to be ignored
+ if a FallbackMXHost was specified in the configuration file
+ -- all mail would be sent to the fallback even if the original
+ host was accessible. Pointed out by Munenari Hirayama of
+ NSC (Japan).
+ A message that didn't terminate with a newline would (sometimes) not
+ have the trailing "." added properly in the SMTP dialogue,
+ causing SMTP to hang. Patch from Per Hedeland of Ericsson.
+ The DaemonPortOptions suboption to bind to a particular address was
+ incorrect and nonfunctional due to a misunderstanding of the
+ semantics of binding on a passive socket. Patch from
+ NIIBE Yutaka of Mitsubishi Research Institute.
+ Increase the number of MX hosts for a single name to 100 to better
+ handle the truly huge service providers such as AOL, which
+ has 13 at the moment (and climbing). In order to avoid
+ trashing memory, the buffer for all names has only been
+ slightly increased in size, to 12.8K from 10.2K -- this means
+ that if a single name had 100 MX records, the average size
+ of those records could not exceed 128 bytes. Requested by
+ Brad Knowles of America On Line.
+ Restore use of IDENT returns where the OSTYPE field equals "OTHER".
+ Urged by Dan Bernstein of U.C. Berkeley.
+ Print q_statdate and q_specificity in address structure debugging
+ printout.
+ Expand MCI structure flag bits for debugging output.
+ Support IPv6-style domain literals, which can have colons between
+ square braces.
+ Log open file descriptors for the "cannot dup" messages in deliver();
+ this is an attempt to track down a bug that one person seems
+ to be having (it may be a Solaris bug!).
+ DSN NOTIFY parameters were not properly propagated across queue runs;
+ this caused the NOTIFY info to sometimes be lost. Problem
+ pointed out by Claus Assmann of the
+ Christian-Albrechts-University of Kiel.
+ The statistics gathered in the sendmail.st file were too high; in
+ some cases failures (e.g., user unknown or temporary failure)
+ would count as a delivery as far as the statistics were
+ concerned. Problem noted by Tom Moore of AT&T GIS.
+ Systems that don't have flock() would not send split envelopes in
+ the initial run. Problem pointed out by Leonard Zubkoff of
+ Dandelion Digital.
+ Move buffer overflow checking -- these primarily involve distrusting
+ results that may come from NIS and DNS.
+ 4.4-BSD-derived systems, including FreeBSD, NetBSD, and BSD/OS didn't
+ include <paths.h> and hence had the wrong pathnames for a few
+ things like /var/tmp. Reported by Matthew Green.
+ Conditions were reversed for the Priority: header, resulting in all
+ values being interpreted as non-urgent except for non-urgent,
+ which was interpreted as normal. Patch from Bryan Costales.
+ The -o (optional) flag was being ignored on hash and btree maps
+ since 8.7.2. Fix from Bryan Costales.
+ Content-Types listed in class "q" will always be encoded as
+ Quoted-Printable (or more accurately, will never be encoded
+ as base64). The class can have primary types (e.g., "text")
+ or full types (e.g., "text/plain"). Based on a suggestion by
+ Marius Olafsson of the University of Iceland.
+ Define ${envid} to be the original envelope id (from the ESMTP DSN
+ dialogue) so it can be passed to programs in mailers.
+ Define ${bodytype} to be the body type (from the -B flag or the
+ BODY= ESMTP parameter) so it can be passed to programs in
+ mailers.
+ Cause the VRFY command to return 252 instead of 250 unless the F=q
+ flag is set in the mailer descriptor. Suggested by John
+ Myers of CMU.
+ Implement ESMTP ETRN command to flush the queue for a specific host.
+ The command takes a host name; data for that host is
+ immediately (and asynchronously) flushed. Because this shares
+ the -qR implementation, other hosts may be attempted, but
+ there should be no security implications. Implementation
+ from John Beck of InReference, Inc. See RFC 1985 for details.
+ Add three new command line flags to pass in DSN parameters: -V envid
+ (equivalent to ENVID=envid on the MAIL command), -R ret
+ (equivalent to RET=ret on the MAIL command), and -Nnotify
+ (equivalent to NOTIFY=notify on the RCPT command). Note
+ that the -N flag applies to all recipients; there is no way
+ to specify per-address notifications on the command line,
+ nor is there an equivalent for the ORCPT= per-address
+ parameter.
+ Restore LogLevel option to be safe (it can only be increased);
+ apparently I went into paranoid mode between 8.6 and 8.7
+ and made it unsafe. Pointed out by Dabe Murphy of the
+ University of Maryland.
+ New logging on log level 15: all SMTP traffic. Patches from
+ Andrew Gross of San Diego Supercomputer Center.
+ NetInfo property value searching code wasn't stopping when it found
+ a match. This was causing the wrong values to be found (and
+ had a memory leak). Found by Bastian Schleuter of TU-Berlin.
+ Add new F=0 (zero) mailer flag to turn off MX lookups. It was pointed
+ out by Bill Wisner of Electronics for Imaging that you can't
+ use the bracket address form for the MAIL_HUB macro, since
+ that causes the brackets to remain in the envelope recipient
+ address used for delivery. The simple fix (stripping off the
+ brackets in the config file) breaks the use of IP literal
+ addresses. This flag will solve that problem.
+ Add MustQuoteChars option. This is a list of characters that must
+ be quoted if they are found in the phrase part of an address
+ (that is, the full name part). The characters @,;:\()[] are
+ always in this list and cannot be removed. The default is
+ this list plus . and ' to match RFC 822.
+ Add AllowBogusHELO option; if set, sendmail will allow HELO commands
+ that do not include a host name for back compatibility with
+ some stupid SMTP clients. Setting this violates RFC 1123
+ section 5.2.5.
+ Add MaxDaemonChildren option; if this is set, sendmail will start
+ rejecting connections if it has more than this many
+ outstanding children accepting mail. Note that you may
+ see more processes than this because of outgoing mail; this
+ is for incoming connections only.
+ Add ConnectionRateThrottle option. If set to a positive value, the
+ number of incoming SMTP connections that will be permitted
+ in a single second is limited to this number. Connections are
+ not refused during this time, just deferred. The intent is to
+ flatten out demand so that load average limiting can kick in.
+ It is less radical than MaxDaemonChildren, which will stop
+ accepting connections even if all the connections are idle
+ (e.g., due to connection caching).
+ Add Timeout.hoststatus option. This interval (defaulting to 30m)
+ specifies how long cached information about the state of a
+ host will be kept before they are considered stale and the
+ host is retried. If you are using persistent host status
+ (i.e., the HostStatusDirectory option is set) this will apply
+ between runs; otherwise, it applies only within a single queue
+ run and hence is useful only for hosts that have large queues
+ that take a very long time to run.
+ Add SingleLineFromHeader option. If set, From: headers are coerced
+ into being a single line even if they had newlines in them
+ when read. This is to get around a botch in Lotus Notes.
+ Text class maps were totally broken -- if you ever retrieved the last
+ item in a table it would be truncated. Problem noted by
+ Gregory Neil Shapiro of WPI.
+ Extend the lines printed by the mailq command (== the -bp flag) when
+ -v is given to 120 characters; this allows more information
+ to be displayed. Suggested by Gregory Neil Shapiro of WPI.
+ Allow macro definitions (`D' lines) with unquoted commas; previously
+ this was treated as end-of-input. Problem noted by Bryan
+ Costales.
+ The RET= envelope parameter (used for DSNs) wasn't properly written
+ to the queue file. Fix from John Hughes of Atlantic
+ Technologies, Inc.
+ Close /var/tmp/dead.letter after a successful write -- otherwise
+ if this happens in a queue run it can cause nasty delays.
+ Problem noted by Mark Horton of AT&T.
+ If userdb entries pointed to userdb entries, and there were multiple
+ values for a given key, the database cursor would get
+ trashed by the recursive call. Problem noted by Roy Mongiovi
+ of Georgia Tech. Fixed by reading all the values and creating
+ a comma-separated list; thus, the -v output will be somewhat
+ different for this case.
+ Fix buffer allocation problem with Hesiod-based userdb maps when
+ HES_GETMAILHOST is defined. Based on a patch by Betty Lee
+ of Stanford University.
+ When envelopes were split due to aliases with owner- aliases, and
+ there was some error on one of the lists, more than one of
+ the owners would get the message. Problem pointed out by
+ Roy Mongiovi of Georgia Tech.
+ Detect excessive recursion in macro expansions, e.g., $X defined
+ in terms of $Y which is defined in terms of $X. Problem
+ noted by Bryan Costales; patch from Eric Wassenaar.
+ When using F=U to get "ugly UUCP" From_ lines, a buffer could in
+ some cases get trashed causing bogus From_ lines. Fix from
+ Kyle Jones of UUNET.
+ When doing load average initialization, if the nlist call for avenrun
+ failed, the second and subsequent lookups wouldn't notice
+ that fact causing bogus load averages to be returned. Noted
+ by Casper Dik of Sun Holland.
+ Fix problem with incompatibility with some versions of inet_aton that
+ have changed the return value to unsigned, so a check for an
+ error return of -1 doesn't work. Use INADDR_NONE instead.
+ This could cause mail to addresses such as [foo.com] to bounce
+ or get dropped. Problem noted by Christophe Wolfhugel of the
+ Pasteur Institute.
+ DSNs were inconsistent if a failure occurred during the DATA phase
+ rather than the RCPT phase: the Action: would be correct, but
+ the detailed status information would be wrong. Problem noted
+ by Bob Snyder of General Electric Company.
+ Add -U command line flag and the XUSR ESMTP extension, both indicating
+ that this is the initial MUA->MTA submission. The flag current
+ does nothing, but in future releases (when MUAs start using
+ these flags) it will probably turn on things like DNS
+ canonification.
+ Default end-of-line string (E= specification on mailer [M] lines)
+ to \r\n on SMTP mailers. Default remains \n on non-SMTP
+ mailers.
+ Change the internal definition for the *file* and *include* mailers
+ to have $u in the argument vectors so that they aren't
+ misinterpreted as SMTP mailers and thus use \r\n line
+ termination. This will affect anyone who has redefined
+ either of these in their configuration file.
+ Don't assume that IDENT servers close the connection after a query;
+ responses can be newline terminated. From Terry Kennedy of
+ St. Peter's College.
+ Avoid core dumps on erroneous configuration files that have
+ $#mailer with nothing following. From Bryan Costales.
+ Avoid null pointer dereference with high debug values in unlockqueue.
+ Fix from Randy Martin of Clemson University.
+ Fix possible buffer overrun when expanding very large macros. Fix
+ from Kyle Jones of UUNET.
+ After 25 EXPN or VRFY commands, start pausing for a second before
+ processing each one. This avoids a certain form of denial
+ of service attack. Potential attack pointed out by Bryan
+ Costales.
+ Allow new named (not numbered!) config file rules to do validity
+ checking on SMTP arguments: check_mail for MAIL commands and
+ check_rcpt for RCPT commands. These rulesets can do anything
+ they want; their result is ignored unless they resolve to the
+ $#error mailer, in which case the indicated message is printed
+ and the command is rejected. Similarly, the check_compat
+ ruleset is called before delivery with "from_addr $| to_addr"
+ (the $| is a meta-symbol used to separate the two addresses);
+ it can give a "this sender can't send to this recipient"
+ notification. Note that this patch allows $| to stand alone
+ in rulesets.
+ Define new macros ${client_name}, ${client_addr}, and ${client_port}
+ that have the name, IP address, and port number (respectively)
+ of the SMTP client (that is, the entity at the other end of
+ the connection. These can be used in (e.g.) check_rcpt to
+ verify that someone isn't trying to relay mail through your
+ host inappropriately. Be sure to use the deferred evaluation
+ form, for example $&{client_name}, to avoid having these bound
+ when sendmail reads the configuration file.
+ Add new config file rule check_relay to check the incoming connection
+ information. Like check_compat, it is passed the host name
+ and host address separated by $| and can reject connections
+ on that basis.
+ Allow IDA-style recursive function calls. Code contributed by Mark
+ Lovell and Paul Vixie.
+ Eliminate the "No ! in UUCP From address!" message" -- instead, create
+ a virtual UUCP address using either a domain address or the $k
+ macro. Based on code contributed by Mark Lovell and Paul
+ Vixie.
+ Add Stanford LDAP map. Requires special libraries that are not
+ included with sendmail. Contributed by Booker C. Bense
+ <bbense@networking.stanford.edu>; contact him for support.
+ See also the src/READ_ME file.
+ Allow -dANSI to turn on ANSI escape sequences in debug output; this
+ puts metasymbols (e.g., $+) in reverse video. Really useful
+ only for debugging deep bits of code where it is important to
+ distinguish between the single-character metasymbol $+ and the
+ two characters $, +.
+ Changed ruleset 89 (executed in dumpstate()) to a named ruleset,
+ debug_dumpstate.
+ Add new UnsafeGroupWrites option; if set, .forward and :include:
+ files that are group writable are considered "unsafe" -- that
+ is, programs and files referenced from such files are not
+ valid recipients.
+ Delete bogosity test for FallBackMX host; this prevented it to be a
+ name that was not in DNS or was a domain-literal. Problem
+ noted by Tom May.
+ Change the introduction to error messages to more clearly delineate
+ permanent from temporary failures; if both existed in a
+ single message it could be confusing. Suggested by John
+ Beck of InReference, Inc.
+ The IngoreDot (i) option didn't work for lines that were terminated
+ with CRLF. Problem noted by Ted Stockwell of Secure
+ Computing Corporation.
+ Add a heuristic to improve the handling of unbalanced `<' signs in
+ message headers. Problem reported by Matt Dillon of Best
+ Internet Communications.
+ Check for bogus characters in the 0200-0237 range; since these are
+ used internally, very strange errors can occur if those
+ characters appear in headers. Problem noted by Anders Gertz
+ of Lysator.
+ Implement 7 -> 8 bit MIME conversions. This only takes place if the
+ recipient mailer has the F=9 flag set, and only works on
+ text/plain body types. Code contributed by Marius Olafsson
+ of the University of Iceland.
+ Special case "postmaster" name so that it is always treated as lower
+ case in alias files regardless of configuration settings;
+ this prevents some potential problems where "Postmaster" or
+ "POSTMASTER" might not match "postmaster". In most cases
+ this change is a no-op.
+ The -o map flag was ignored for text maps. Problem noted by Bryan
+ Costales.
+ The -a map flag was ignored for dequote maps. Problem noted by
+ Bryan Costales.
+ Fix core dump when a lookup of a class "prog" map returns no
+ response. Patch from Bryan Costales.
+ Log instances where sendmail is deferring or rejecting connections
+ on LogLevel 14. Suggested by Kyle Jones of UUNET.
+ Include port number in process title for network daemons. Suggested
+ by Kyle Jones of UUNET.
+ Send ``double bounces'' (errors that occur when sending an error
+ message) to the address indicated in the DoubleBounceAddress
+ option (default: postmaster). Previously they were always
+ sent to postmaster. Suggested by Kyle Jones of UUNET.
+ Add new mode, -bD, that acts like -bd in all respects except that
+ it runs in foreground. This is useful for using with a
+ wrapper that "watches" system services. Suggested by Kyle
+ Jones of UUNET.
+ Fix botch in spacing around (parenthesized) comments in addresses
+ when the comment comes before the address. Patch from
+ Motonori Nakamura of Kyoto University.
+ Use the prefix "Postmaster notify" on the Subject: lines of messages
+ that are being bounced to postmaster, rather than "Returned
+ mail". This permits the person who is postmaster more
+ easily determine what messages are to their role as
+ postmaster versus bounces to mail they actually sent. Based
+ on a suggestion by Motonori Nakamura.
+ Add new value "time" for QueueSortOrder option; this causes the queue
+ to be sorted strictly by the time of submission. Note that
+ this can cause very bad behaviour over slow lines (because
+ large jobs will tend to delay small jobs) and on nodes with
+ heavy traffic (because old things in the queue for hosts that
+ are down delay processing of new jobs). Also, this does not
+ guarantee that jobs will be delivered in submission order
+ unless you also set DeliveryMode=queue. In general, it should
+ probably only be used on the command line, and only in
+ conjunction with -qRhost.domain. In fact, there are very few
+ cases where it should be used at all. Based on an
+ implementation by Motonori Nakamura.
+ If a map lookup in ruleset 5 returns tempfail, queue the message in
+ the same manner as other rulesets. Previously a temporary
+ failure in ruleset 5 was ignored. Patch from Booker Bense
+ of Stanford University.
+ Don't proceed to the next MX host if an SMTP MAIL command returns a
+ 5yz (permanent failure) code. The next MX host will still be
+ tried if the connection cannot be opened in the first place
+ or if the MAIL command returns a 4yz (temporary failure) code.
+ (It's hard to know what to do here, since neither RFC 974 nor
+ RFC 1123 specify when to proceed to the next MX host.)
+ Suggested by Jonathan Kamens of OpenVision, Inc.
+ Add new "-t" flag for map definitions (the "K" line in the .cf file).
+ This causes map lookups that get a temporary failure (e.g.,
+ name server failure) to _not_ defer the delivery of the
+ message. This should only be used if your configuration file
+ is prepared to do something sensible in this case. Based on
+ an idea by Gregory Shapiro of WPI.
+ Fix problem finding network interface addresses. Patch from
+ Motonori Nakamura.
+ Don't reject qf entries that are not owned by your effective uid if
+ you are not running setuid; this makes management of certain
+ kinds of firewall setups difficult. Patch suggested by
+ Eamonn Coleman of Qualcomm.
+ Add persistent host status. This keeps the information normally
+ maintained within a single queue run in disk files that are
+ shared between sendmail instances. The HostStatusDirectory
+ is the directory in which the information is maintained. If
+ not set, persistent host status is turned off. If not a full
+ pathname, it is relative to the queue directory. A common
+ value is ".hoststat".
+ There are also two new operation modes:
+ * -bh prints the status of hosts that have had recent
+ connections.
+ * -bH purges the host statuses. No attempt is made to save
+ recent status information.
+ This feature was originally written by Paul Vixie of Vixie
+ Enterprises for KJS and adapted for V8 by Mark Lovell of
+ Bigrock Consulting. Paul's funding of Mark and Mark's patience
+ with my insistence that things fit cleanly into the V8
+ framework is gratefully appreciated.
+ New SingleThreadDelivery option (requires HostStatusDirectory to
+ operate). Avoids letting two sendmails on the local machine
+ open connections to the same remote host at the same time.
+ This reduces load on the other machine, but can cause mail to
+ be delayed (for example, if one sendmail is delivering a huge
+ message, other sendmails won't be able to send even small
+ messages). Also, it requires another file descriptor (for the
+ lock file) per connection, so you may have to reduce
+ ConnectionCacheSize to avoid running out of per-process
+ file descriptors. Based on the persistent host status code
+ contributed by Paul Vixie and Mark Lovell.
+ Allow sending to non-simple files (e.g., /dev/null) even if the
+ SafeFileEnvironment option is set. Problem noted by Bryan
+ Costales.
+ The -qR flag mistakenly matched flags in the "R" line of the queue
+ file. Problem noted by Bryan Costales.
+ If a job was aborted using the interrupt signal (e.g., control-C from
+ the keyboard), on some occasions an empty df file would be
+ left around; these would collect in the queue directory.
+ Problem noted by Bryan Costales.
+ Change the makesendmail script to enhance the search for Makefiles
+ based on release number. For example, on SunOS 5.5.1, it will
+ search for Makefile.SunOS.5.5.1, Makefile.SunOS.5.5, and then
+ Makefile.SunOS.5.x (in addition to the other rules, e.g.,
+ adding $arch). Problem noted by Jason Mastaler of Atlanta
+ Webmasters.
+ When creating maps using "newaliases", always map the keys to lower
+ case when creating the map unless the -f flag is specified on
+ the map itself. Previously this was done based on the F=u
+ flag in the local mailer, which meant you could create aliases
+ that you could never access. Problem noted by Bob Wu of DEC.
+ When a job was read from the queue, the bits causing notification on
+ failure or delay were always set. This caused those
+ notifications to be sent even if NOTIFY=NEVER had been
+ specified. Problem noted by Steve Hubert of the University
+ of Washington, Seattle.
+ Add new configurable routine validate_connection (in conf.c). This
+ lets you decide if you are willing to accept traffic from
+ this host. If it returns FALSE, all SMTP commands will return
+ "550 Access denied". -DTCPWRAPPERS will include support for
+ TCP wrappers; you will need to add -lwrap to the link line.
+ (See src/READ_ME for details.)
+ Don't include the "THIS IS A WARNING MESSAGE ONLY" banner on postmaster
+ bounces. Some people seemed to think that this could be
+ confusing (even though it is true). Suggested by Motonori
+ Nakamura.
+ Add new RunAsUser option; this causes sendmail to do a setuid to that
+ user early in processing to avoid potential security problems.
+ However, this means that all .forward and :include: files must
+ be readable by that user, and all files to be written must be
+ writable by that user and all programs will be executed by that
+ user. It is also incompatible with the SafeFileEnvironment
+ option. In other words, it may not actually add much to
+ security. However, it should be useful on firewalls and other
+ places where users don't have accounts and the aliases file is
+ well constrained.
+ Add Timeout.iconnect. This is like Timeout.connect except it is used
+ only on the first attempt to delivery to an address. It could
+ be set to be lower than Timeout.connect on the principle that
+ the mail should go through quickly to responsive hosts; less
+ responsive hosts get to wait for the next queue run.
+ Fix a problem on Solaris that occasionally causes programs
+ (such as vacation) to hang with their standard input connected
+ to a UDP port. It also created some signal handling problems.
+ The problems turned out to be an interaction between vfork(2)
+ and some of the libraries, particularly NIS/NIS+. I am
+ indebted to Tor Egge <tegge@idt.ntnu.no> for this fix.
+ Change user class map to do the same matching that actual delivery
+ will do instead of just a /etc/passwd lookup. This adds
+ fuzzy matching to the user map. Patch from Dan Oscarsson.
+ The Timeout.* options are not safe -- they can be used to create a
+ denial-of-service attack. Problem noted by Christophe
+ Wolfhugel.
+ Don't send PostMasterCopy messages in the event of a "delayed"
+ notification. Suggested by Barry Bouwsma.
+ Don't advertise "VERB" ESMTP extension if the "noexpn" privacy
+ option is set, since this disables VERB mode. Suggested
+ by John Hawkinson of MIT.
+ Complain if the QueueDirectory (Q) option is not set. Problem noted
+ by Motonori Nakamura of Kyoto University.
+ Only queue messages on transient .forward open failures if there
+ were no successful opens. The previous behaviour caused it
+ to queue even if a "fall back" .forward was found. Problem
+ noted by Ann-Kian Yeo of the Dept. of Information Systems
+ and Computer Science (DISCS), NUS, Singapore.
+ Don't do 8->7 bit conversions when bouncing a MIME message that
+ is bouncing because of a MIME error during 8->7 bit conversion;
+ the encapsulated message will bounce again, causing a loop.
+ Problem noted by Steve Hubert of the University of Washington.
+ Create xf (transcript) files using the TempFileMode option value
+ instead of 0644. Suggested by Ann-Kian Yeo of the
+ National University of Singapore.
+ Print errors if setgid/setuid/etc. fail during delivery. This helps
+ detect cases where DefaultUid is set to something that the
+ system can't cope with.
+ PORTABILITY FIXES:
+ Support for AIX/RS 2.2.1 from Mark Whetzel of Western
+ Atlas International.
+ Patches for Intel Paragon OSF/1 1.3 from Leo Bicknell
+ <bicknell@ufp.org>.
+ On DEC OSF/1 3.2 and earlier, the MatchGECOS code would only
+ work on the first recipient of a message due to a
+ bug in the getpwent family. If this is something you
+ use, you can define DEC_OSF_BROKEN_GETPWENT=1 for a
+ workaround. From Maximum Entropy of Sanford C.
+ Bernstein and Associates.
+ FreeBSD 1.1.5.1 uname -r returns a string containing
+ parentheses, which breaks makesendmail. Reported
+ by Piero Serini <piero@strider.ibenet.it>.
+ Sequent DYNIX/ptx 4.0.2 patches from Jack Woolley of
+ Systems and Computer Technology Corporation.
+ Solaris 2.x: omit the UUCP grade parameter (-g flag) because
+ it is system-dependent. Problem noted by J.J. Bailey
+ of Bailey Computer Consulting.
+ Pyramid NILE running DC/OSx support from Earle F. Ake of
+ Hassler Communication Systems Technology, Inc.
+ HP-UX 10.x compile glitches, reported by Anne Brink of the
+ U.S. Army and James Byrne of Harte & Lyne Limited.
+ NetBSD from Matthew Green of the NetBSD crew.
+ SCO 5.x from Keith Reynolds of SCO.
+ IRIX 6.2 from Robert Tarrall of the University of
+ Colorado and Kari Hurtta of the Finnish Meteorological
+ Institute.
+ UXP/DS (Fujitsu/ICL DS/90 series) support from Diego R.
+ Lopez, CICA (Seville).
+ NCR SVR4 MP-RAS 3.x support from Tom Moore of NCR.
+ PTX 3.2.0 from Kenneth Stailey of the US Department of Labor
+ Employment Standards Administration.
+ Altos System V (5.3.1) from Tim Rice of Multitalents.
+ Concurrent Systems Corporation Maxion from Donald R. Laster
+ Jr.
+ NetInfo maps (improved debugging and multi-valued aliases)
+ from Adrian Steinmann of Steinmann Consulting.
+ ConvexOS 11.5 (including SecureWare C2 and the Share Scheduler)
+ from Eric Schnoebelen of Convex.
+ Linux 2.0 mail.local patches from Horst von Brand.
+ NEXTSTEP 3.x compilation from Robert La Ferla.
+ NEXTSTEP 3.x code changes from Allan J. Nathanson of NeXT.
+ Solaris 2.5 configuration fixes for mail.local by Jim Davis
+ of the University of Arizona.
+ Solaris 2.5 has a working setreuid. Noted by David Linn of
+ Vanderbilt University.
+ Solaris changes for praliases, makemap, mailstats, and smrsh.
+ Previously you had to add -DSOLARIS in Makefile.dist;
+ this auto-detects. Based on a patch from Randall
+ Winchester of the University of Maryland.
+ CONFIG: add generic-nextstep3.3.mc file. Contributed by
+ Robert La Ferla of Hot Software.
+ CONFIG: allow mailertables to resolve to ``error:code message''
+ (where "code" is an exit status) on domains (previously
+ worked only on hosts). Patch from Cor Bosman of Xs4all
+ Foundation.
+ CONFIG: hooks for IPv6-style domain literals.
+ CONFIG: predefine ALIAS_FILE and change the prototype file so that
+ if it is undefined the AliasFile option is never set; this
+ should be transparent for most everyone. Suggested by John
+ Myers of CMU.
+ CONFIG: add FEATURE(limited_masquerade). Without this feature, any
+ domain listed in $=w is masqueraded. With it, only those
+ domains listed in a MASQUERADE_DOMAIN macro are masqueraded.
+ CONFIG: add FEATURE(masquerade_entire_domain). This causes
+ masquerading specified by MASQUERADE_DOMAIN to apply to all
+ hosts under those domains as well as the domain headers
+ themselves. For example, if a configuration had
+ MASQUERADE_DOMAIN(foo.com), then without this feature only
+ foo.com would be masqueraded; with it, *.foo.com would be
+ masqueraded as well. Based on an implementation by Richard
+ (Pug) Bainter of U. Texas.
+ CONFIG: add FEATURE(genericstable) to do a more general rewriting of
+ outgoing addresses. Defaults to ``hash -o /etc/genericstable''.
+ Keys are user names; values are outgoing mail addresses. Yes,
+ this does overlap with the user database, and figuring out
+ just when to use which one may be tricky. Based on code
+ contributed by Richard (Pug) Bainter of U. Texas with updates
+ from Per Hedeland of Ericsson.
+ CONFIG: add FEATURE(virtusertable) to do generalized rewriting of
+ incoming addresses. Defaults to ``hash -o /etc/virtusertable''.
+ Keys are either fully qualified addresses or just the host
+ part (with the @ sign). For example, a table containing:
+ info@foo.com foo-info
+ info@bar.com bar-info
+ @baz.org jane@elsewhere.net
+ would send all mail destined for info@foo.com to foo-info
+ (which is presumably an alias), mail addressed to info@bar.com
+ to bar-info, and anything addressed to anyone at baz.org will
+ be sent to jane@elsewhere.net. The names foo.com, bar.com,
+ and baz.org must all be in $=w. Based on discussions with
+ a great many people.
+ CONFIG: add nullclient configurations to define SMTP_MAILER_FLAGS.
+ Suggested by Richard Bainter.
+ CONFIG: add FAX_MAILER_ARGS to tweak the arguments passed to the
+ "fax" mailer.
+ CONFIG: allow mailertable entries to resolve to local:user; this
+ passes the original user@host in to procmail-style local
+ mailers as the "detail" information to allow them to do
+ additional clever processing. From Joe Pruett of
+ Teleport Corporation. Delivery to the original user can
+ be done by specifying "local:" (with nothing after the colon).
+ CONFIG: allow any context that takes "mailer:domain" to also take
+ "mailer:user@domain" to force mailing to the given user;
+ "local:user" can also be used to do local delivery. This
+ applies on *_RELAY and in the mailertable entries. Based
+ on a suggestion by Ribert Kiessling of Easynet.
+ CONFIG: Allow FEATURE(bestmx_is_local) to take an argument that
+ limits the possible domains; this reduces the number of DNS
+ lookups required to support this feature. For example,
+ FEATURE(bestmx_is_local, my.site.com) limits the lookups
+ to domains under my.site.com. Code contributed by Anthony
+ Thyssen <anthony@cit.gu.edu.au>.
+ CONFIG: LOCAL_RULESETS introduces any locally defined rulesets,
+ such as the check_rcpt ruleset. Suggested by Gregory Shapiro
+ of WPI.
+ CONFIG: MAILER_DEFINITIONS introduces any mailer definitions, in the
+ event you have to define local mailers. Suggested by
+ Gregory Shapiro of WPI.
+ CONFIG: fix cases where a three- (or more-) stage route-addr could
+ be misinterpreted as a list:...; syntax. Based on a patch by
+ Vlado Potisk <Vlado_Potisk@tempest.sk>.
+ CONFIG: Fix masquerading of UUCP addresses when the UUCP relay is
+ remotely connected. The address host!user was being
+ converted to host!user@thishost instead of host!user@uurelay.
+ Problem noted by William Gianopoulos of Raytheon Company.
+ CONFIG: add confTO_ICONNECT to set Timeout.iconnect.
+ CONFIG: change FEATURE(redirect) message from "User not local" to
+ "User has moved"; the former wording was confusing if the
+ new address is still on the local host. Based on a suggestion
+ by Andreas Luik.
+ CONFIG: add support in FEATURE(nullclient) for $=E (exposed users).
+ However, the class is not pre-initialized to contain root.
+ Suggested by Gregory Neil Shapiro.
+ CONTRIB: Remove XLA code at the request of the author, Christophe
+ Wolfhugel.
+ CONTRIB: Add re-mqueue.pl, contributed by Paul Pomes of Qualcomm.
+ MAIL.LOCAL: make it possible to compile mail.local on Solaris. Note
+ well: this produces a slightly different mailbox format (no
+ Content-Length: headers), file ownerships and modes are
+ different (not owned by group mail; mode 600 instead of 660),
+ and the local mailer flags will have to be tweaked (make them
+ match bsd4.4) in order to use this mailer. Patches from Paul
+ Hammann of the Missouri Research and Education Network.
+ MAIL.LOCAL: in some cases it could return EX_OK even though there
+ was a delivery error, such as if the ownership on the file
+ was wrong or the mode changed between the initial stat and
+ the open. Problem reported by William Colburn of the New
+ Mexico Institute of Mining and Technology.
+ MAILSTATS: handle zero length files more reliably. Patch from Bryan
+ Costales.
+ MAILSTATS: add man page contributed by Keith Bostic of BSDI.
+ MAKEMAP: The -d flag (to allow duplicate keys) to a btree map wasn't
+ honored. Fix from Michael Scott Shappe.
+ PRALIASES: add man page contributed by Keith Bostic of BSDI.
+ NEW FILES:
+ src/Makefiles/Makefile.AIX.2
+ src/Makefiles/Makefile.IRIX.6.2
+ src/Makefiles/Makefile.maxion
+ src/Makefiles/Makefile.NCR.MP-RAS.3.x
+ src/Makefiles/Makefile.SCO.5.x
+ src/Makefiles/Makefile.UXPDSV20
+ mailstats/mailstats.8
+ praliases/praliases.8
+ cf/cf/generic-nextstep3.3.mc
+ cf/feature/genericstable.m4
+ cf/feature/limited_masquerade.m4
+ cf/feature/masquerade_entire_domain.m4
+ cf/feature/virtusertable.m4
+ cf/ostype/aix2.m4
+ cf/ostype/altos.m4
+ cf/ostype/maxion.m4
+ cf/ostype/solaris2.ml.m4
+ cf/ostype/uxpds.m4
+ contrib/re-mqueue.pl
+ DELETED FILES:
+ src/Makefiles/Makefile.Solaris
+ contrib/xla/README
+ contrib/xla/xla.c
+ RENAMED FILES:
+ src/Makefiles/Makefile.NCR3000 => Makefile.NCR.MP-RAS.2.x
+ src/Makefiles/Makefile.SCO.3.2v4.2 => Makefile.SCO.4.2
+ src/Makefiles/Makefile.UXPDS => Makefile.UXPDSV10
+ src/Makefiles/Makefile.NeXT => Makefile.NeXT.2.x
+ src/Makefiles/Makefile.NEXTSTEP => Makefile.NeXT.3.x
+
+8.7.6/8.7.3 96/09/17
+ SECURITY: It is possible to force getpwuid to fail when writing the
+ queue file, causing sendmail to fall back to running programs
+ as the default user. This is not exploitable from off-site.
+ Workarounds include using a unique user for the DefaultUser
+ (old u & g options) and using smrsh as the local shell.
+ SECURITY: fix some buffer overruns; in at least one case this allows
+ a local user to get root. This is not known to be exploitable
+ from off-site. The workaround is to disable chfn(1) commands.
+
+8.7.5/8.7.3 96/03/04
+ Fix glitch in 8.7.4 when putting certain internal lines; this can
+ in some case cause connections to hang or messages to have
+ extra spaces in odd places. Patch from Eric Wassenaar;
+ reports from Eric Hall of Chiron Corporation, Stephen
+ Hansen of Stanford University, Dean Gaudet of HotWired,
+ and others.
+
+8.7.4/8.7.3 96/02/18
+ SECURITY: In some cases it was still possible for an attacker to
+ insert newlines into a queue file, thus allowing access to
+ any user (except root).
+ CONFIG: no changes -- it is not a bug that the configuration
+ version number is unchanged.
+
+8.7.3/8.7.3 95/12/03
+ Fix botch in name server timeout in RCPT code; this problem caused
+ two responses in SMTP, which breaks things horribly. Fix
+ from Gregory Neil Shapiro of WPI.
+ Verify that L= value on M lines cannot be negative, which could cause
+ negative array subscripting. Not a security problem since
+ this has to be in the config file, but it could have caused
+ core dumps. Pointed out by Bryan Costales.
+ Fix -d21 debug output for long macro names. Pointed out by Bryan
+ Costales.
+ PORTABILITY FIXES:
+ SCO doesn't have ftruncate. From Bill Aten of Computerizers.
+ IBM's version of arpa/nameser.h defaults to the wrong byte
+ order. Tweak it to work properly. Based on fixes
+ from Fletcher Mattox of UTexas and Betty Lee of
+ Stanford University.
+ CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option.
+ Deficiency pointed out by Bryan Costales of ICSI.
+
+8.7.2/8.7.2 95/11/19
+ REALLY fix the backslash escapes in SmtpGreetingMessage,
+ OperatorChars, and UnixFromLine options. They were not
+ properly repaired in 8.7.1.
+ Completely delete the Bcc: header if and only if there are other
+ valid recipient headers (To:, Cc: or Apparently-To:, the
+ last being a historic botch, of course). If Bcc: is the
+ only recipient header in the message, its value is tossed,
+ but the header name is kept. The old behaviour (always keep
+ the header name and toss the value) allowed primary recipients
+ to see that a Bcc: went to _someone_.
+ Include queue id on ``Authentication-Warning: <host>: <user> set
+ sender to <address> using -f'' syslog messages. Suggested
+ by Kari Hurtta.
+ If a sequence or switch map lookup entry gets a tempfail but then
+ continues on to another map type, but the name is not found,
+ return a temporary failure from the sequence or switch map.
+ For example, if hosts search ``dns files'' and DNS fails
+ with a tempfail, the hosts map will go on and search files,
+ but if it fails the whole thing should be a tempfail, not
+ a permanent (host unknown) failure, even though that is the
+ failure in the hosts.files map. This error caused hard
+ bounces when it should have requeued.
+ Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo
+ owned by bar mode 700 and inbox being setuid bar stopped
+ working properly due to excessive paranoia. Pointed out by
+ John Hawkinson of Panix.
+ An SMTP RCPT command referencing a host that gave a nameserver
+ timeout would return a 451 command (8.6 accepted it and
+ queued it locally). Revert to the 8.6 behaviour in order
+ to simplify queue management for clustered systems. Suggested
+ by Gregory Neil Shapiro of WPI. The same problem could break
+ MH, which assumes that the SMTP session will succeed (tsk, tsk
+ -- mail gets lost!); this was pointed out by Stuart Pook of
+ Infobiogen.
+ Fix possible buffer overflow in munchstring(). This was not a security
+ problem because you couldn't specify any argument to this
+ without first giving up root privileges, but it is still a
+ good idea to avoid future problems. Problem noted by John
+ Hawkinson and Sam Hartman of MIT.
+ ``452 Out of disk space for temp file'' messages weren't being
+ printed. Fix from David Perlin of Nanosoft.
+ Don't advertise the ESMTP DSN extension if the SendMIMEErrors option
+ is not set, since this is required to get the actual DSNs
+ created. Problem pointed out by John Gardiner Myers of CMU.
+ Log permission problems that cause .forward and :include: files to
+ be untrusted or ignored on log level 12 and higher. Suggested
+ by Randy Martin of Clemson University.
+ Allow user ids in U= clauses of M lines to have hyphens and
+ underscores.
+ Fix overcounting of recipients -- only happened when sending to an
+ alias. Pointed out by Mark Andrews of SGI and Jack Woolley
+ of Systems and Computer Technology Corporation.
+ If a message is sent to an address that fails, the error message that
+ is returned could show some extraneous "success" information
+ included even if the user did not request success notification,
+ which was confusing. Pointed out by Allan Johannesen of WPI.
+ Config files that had no AliasFile definition were defaulting to
+ using /etc/aliases; this caused problems with nullclient
+ configurations. Change it back to the 8.6 semantics of
+ having no local alias file unless it is declared. Problem
+ noted by Charles Karney of Princeton University.
+ Fix compile problem if NOTUNIX is defined. Pointed out by Bryan
+ Costales of ICSI.
+ Map lookups of class "userdb" maps were always case sensitive; they
+ should be controlled by the -f flag like other maps. Pointed
+ out by Bjart Kvarme <bjart.kvarme@usit.uio.no>.
+ Fix problem that caused some addresses to be passed through ruleset 5
+ even when they were tagged as "sticky" by prefixing the
+ address with an "@". Patch from Thomas Dwyer III of Michigan
+ Technological University.
+ When converting a message to Quoted-Printable, prevent any lines with
+ dots alone on a line by themselves. This is because of the
+ preponderance of broken mailers that still get this wrong.
+ Code contributed by Per Hedeland of Ericsson.
+ Fix F{macro}/file construct -- it previously did nothing. Pointed
+ out by Bjart Kvarme of USIT/UiO (Norway).
+ Announce whether a cached connection is SMTP or ESMTP (in -v mode).
+ Requested by Allan Johannesen.
+ Delete check for text format of alias files -- it should be legal
+ to have the database format of the alias files without the
+ text version. Problem pointed out by Joe Rhett of Navigist,
+ Inc.
+ If "Ot" was specified with no value, the TZ variable was not properly
+ imported from the environment. Pointed out by Frank Crawford
+ <frank@ansto.gov.au>.
+ Some architectures core dumped on "program" maps that didn't have
+ extra arguments. Patch from Booker C. Bense of Stanford
+ University.
+ Queue run processes would re-spawn daemons when given a SIGHUP; only
+ the parent should do this. Fix from Brian Coan of the
+ Association for Progressive Communications.
+ If MinQueueAge was set and a message was considered but not run
+ during a queue run and the Timeout.queuereturn interval was
+ reached, a "timed out" error message would be returned that
+ didn't include the failed address (and claimed to be a warning
+ even though it was fatal). The fix is to not return such
+ messages until they are actually tried, i.e., in the next
+ MinQueueAge interval. Problem noted by Rein Tollevik of
+ SINTEF RUNIT, Oslo.
+ Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions
+ that have the hes_getmailhost() routine. DEC Hesiod
+ distributions do not have this routine. Based on a patch
+ from Betty Lee of Stanford University.
+ Extensive cleanups to map open code to handle a locking race condition
+ in ndbm, hash, and btree format database files on some (most
+ non-4.4-BSD based) OS architectures. This should solve the
+ occasional "user unknown" problem during alias rebuilds that
+ has plagued me for quite some time. Based on a patch from
+ Thomas Dwyer III of Michigan Technological University.
+ PORTABILITY FIXES:
+ Solaris: Change location of newaliases and mailq from
+ /usr/ucb to /usr/bin to match Sun settings. From
+ James B. Davis of TCI.
+ DomainOS: Makefile.DomainOS doesn't require -ldbm. From
+ Don Lewis of Silicon Systems.
+ HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x
+ so that the makesendmail script will find it. Pointed
+ out by Richard Allen of the University of Iceland.
+ Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which
+ isn't supported on all compilers.
+ UXPDS: compilation fixes from Diego R. Lopez.
+ CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless
+ you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE.
+ CONFIG: Minor glitch in S21 -- attachment of local domain name
+ didn't have trailing dot. From Jim Hickstein of Teradyne.
+ CONFIG: Fix best_mx_is_local feature to allow nested addresses such as
+ user%host@thishost. From Claude Scarpelli of Infobiogen
+ (France).
+ CONFIG: OSTYPE(hpux10) failed to define the location of the help file.
+ Pointed out by Hannu Martikka of Nokia Telecommunications.
+ CONFIG: Diagnose some inappropriate ordering in configuration files,
+ such as FEATURE(smrsh) listed after MAILER(local). Based on
+ a bug report submitted by Paul Hoffman of Proper Publishing.
+ CONFIG: Make OSTYPE files consistently not override settings that
+ have already been set. Previously it worked differently
+ for different files.
+ CONFIG: Change relay mailer to do masquerading like 8.6 did. My take
+ is that this is wrong, but the change was causing problems
+ for some people. From Per Hedeland of Ericsson.
+ CONTRIB: bitdomain.c patch from John Gardiner Myers <jgm+@CMU.EDU>;
+ portability changes for Posix environments (no functional
+ changes).
+
+8.7.1/8.7.1 95/10/01
+ Old macros that have become options (SmtpGreetingMessage,
+ OperatorChars, and UnixFromLine) didn't allow backslash
+ escapes in the options, where they previously had. Bug
+ pointed out by John Hawkinson of MIT.
+ Fix strange case of an executable called by a program map that
+ returns a value but also a non-zero exit status; this
+ would give contradictory results in the higher level; in
+ particular, the default clause in the map lookup would be
+ ignored. Change to ignore the value if the program returns
+ non-zero exit status. From Tom Moore of AT&T GIS.
+ Shorten parameters passed to syslog() in some contexts to avoid a
+ bug in many vendors' implementations of that routine. Although
+ this isn't really a bug in sendmail per se, and my solution
+ has to assume that syslog() has at least a 1K buffer size
+ internally (I know some vendors have shortened this
+ dramatically -- they're on their own), sendmail is a popular
+ target. Also, limit the size of %s arguments in sprintf.
+ These both have possible security implications. Solutions
+ suggested by Casper Dik of Sun's Network Security Group
+ (Holland), Mark Seiden, and others.
+ Fix a problem that might cause a non-standard -B (body type)
+ parameter to be passed to the next server with undefined
+ results. This could have security implications.
+ If a filesystem was at > 100% utilization, the freediskspace()
+ routine incorrectly returned an error rather than zero.
+ Problem noted by G. Paul Ziemba of Alantec.
+ Change MX sort order so that local hostnames (those in $=w) always
+ sort first within a given preference. This forces the bestmx
+ map to always return the local host first, if it is included
+ in the list of highest priority MX records. From K. Robert
+ Elz.
+ Avoid some possible null pointer dereferences. Fixes from Randy
+ Martin <WOLF@CLEMSON.EDU>
+ When sendmail starts up on systems that have no fully qualified
+ domain name (FQDN) anywhere in the first matching host map
+ (e.g., /etc/hosts if the hosts service searches "files dns"),
+ sendmail would sleep to try to find a FQDN, which it really
+ really needs. This has been changed to fall through to the
+ next map type if it can't find a FQDN -- i.e., if the hosts
+ file doesn't have a FQDN, it will try dns even though the
+ short name was found in /etc/hosts. This is probably a crock,
+ but many people have hosts files without FQDNs. Remember:
+ domain names are your friends.
+ Log a high-priority message if you can't find your FQDN during startup.
+ Suggested by Simon Barnes of Schlumberger Limited.
+ When using Hesiod, initialize it early to improve error reporting.
+ Patch from Don Lewis of Silicon Systems, Inc.
+ Apparently at least some versions of Linux have a 90 !minute! TCP
+ connection timeout in the kernel. Add a new "connect" timeout
+ to limit this time. Defaults to zero (use whatever the
+ kernel provides). Based on code contributed by J.R. Oldroyd
+ of TerraNet.
+ Under some circumstances, a failed message would not be properly
+ removed from the queue, causing tons of bogus error messages.
+ (This fix eliminates the problematic EF_KEEPQUEUE flag.)
+ Problem noted by Allan E Johannesen and Gregory Neil Shapiro
+ of WPI.
+ PORTABILITY FIXES:
+ On IRIX 5.x, there was an inconsistency in the setting
+ of sendmail.st location. Change the Makefile to
+ install it in /var/sendmail.st to match the OSTYPE
+ file and SGI standards. From Andre
+ <andre@curry.zfe.siemens.de>.
+ Support for Fujitsu/ICL UXP/DS (For the DS/90 Series)
+ from Diego R. Lopez <drlopez@cica.es>.
+ Linux compilation patches from J.R. Oldroyd of TerraNet, Inc.
+ LUNA 2 Mach patches from Motonori Nakamura.
+ SunOS Makefile was including -ldbm, which is for the old
+ dbm library. The ndbm library is part of libc.
+ CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with
+ ``local configuration error'' in nullclient configuration.
+ Patch from Gregory Neil Shapiro of WPI.
+ CONFIG: don't allow an alias file in nullclient configurations --
+ since all addresses are relayed, they give errors during
+ rebuild. Suggested by Per Hedeland of Ericsson.
+ CONFIG: local mailer on Solaris 2 should always get a -f flag because
+ otherwise the F=S causes the From_ line to imply that root is
+ the sender. Problem pointed out by Claude Scarpelli of
+ Infobiogen (France).
+ NEW FILES:
+ cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake)
+ src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake)
+ src/Makefiles/Makefile.UXPDS
+
+8.7/8.7 95/09/16
+ Fix a problem that could cause sendmail to run out of file
+ descriptors due to a trashed data structure after a
+ vfork. Fix from Brian Coan of the Institute for
+ Global Communications.
+ Change the VRFY response if you have disabled VRFY -- some
+ people seemed to think that it was too rude.
+ Avoid reference to uninitialized file descriptor if HASFLOCK
+ was not defined. This was used "safely" in the sense
+ that it only did a stat, but it would have set the
+ map modification time improperly. Problem pointed out
+ by Roy Mongiovi of Georgia Tech.
+ Clean up the Subject: line on warning messages and return
+ receipts so that they don't say "Returned mail:"; this
+ can be confusing.
+ Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is
+ useful enough to make it worthwhile printing on "-d".
+ Avoid logging alias statistics every time you read the alias
+ file on systems with no database method compiled in.
+ If you have a name with a trailing dot, and you try looking it
+ up using gethostbyname without the dot (for /etc/hosts
+ compatibility), be sure to turn off RES_DEFNAMES and
+ RES_DNSRCH to avoid finding the wrong name accidentally.
+ Problem noted by Charles Amos of the University of
+ Maryland.
+ Don't do timeouts in collect if you are not running SMTP.
+ There is nothing that says you can't have a long
+ running program piped into sendmail (possibly via
+ /bin/mail, which just execs sendmail). Problem reported
+ by Don "Truck" Lewis of Silicon Systems.
+ Try gethostbyname() even if the DNS lookup fails iff option I
+ is not set. This allows you to have hosts listed in
+ NIS or /etc/hosts that are not known to DNS. It's normally
+ a bad idea, but can be useful on firewall machines. This
+ should really be broken out on a separate flag, I suppose.
+ Avoid compile warnings against BIND 4.9.3, which uses function
+ prototypes. From Don Lewis of Silicon Systems.
+ Avoid possible incorrect diagnosis of DNS-related errors caused
+ by things like attempts to resolve uucp names using
+ $[ ... $] -- the fix is to clear h_errno at appropriate
+ times. From Kyle Jones of UUNET.
+ SECURITY: avoid denial-of-service attacks possible by destroying
+ the alias database file by setting resource limits low.
+ This involves adding two new compile-time options:
+ HASSETRLIMIT (indicating that setrlimit(2) support is
+ available) and HASULIMIT (indicating that ulimit(2) support
+ is available -- the Release 3 form is used). The former
+ is assumed on BSD-based systems, the latter on System
+ V-based systems. Attack noted by Phil Brandenberger of
+ Swarthmore University.
+ New syntaxes in test (-bt) mode:
+ ``.Dmvalue'' will define macro "m" to "value".
+ ``.Ccvalue'' will add "value" to class "c".
+ ``=Sruleset'' will dump the contents of the indicated
+ ruleset.
+ ``=M'' will display the known mailers.
+ ``-ddebug-spec'' is equivalent to the command-line
+ -d debug flag.
+ ``$m'' will print the value of macro $m.
+ ``$=c'' will print the contents of class $=c.
+ ``/mx host'' returns the MX records for ``host''.
+ ``/parse address'' will parse address, returning the value of
+ crackaddr (essentially, the comment information)
+ and the parsed address.
+ ``/try mailer address'' will rewrite address into the form
+ it will have when presented to the indicated mailer.
+ ``/tryflags flags'' will set flags used by parsing. The
+ flags can be `H' for header or `E' for envelope,
+ and `S' for sender or `R' for recipient. These
+ can be combined, so `HR' sets flags for header
+ recipients.
+ ``/canon hostname'' will try to canonify hostname and
+ return the result.
+ ``/map mapname key'' will look up `key' in the indicated
+ `mapname' and return the result.
+ Somewhat better handling of UNIX-domain socket addresses -- it
+ should show the pathname rather than hex bytes.
+ Restore ``-ba'' mode -- this reads a file from stdin and parses
+ the header for envelope sender information and uses
+ CR-LF as message terminators. It was thought to be
+ obsolete (used only for Arpanet NCP protocols), but it
+ turns out that the UK ``Grey Book'' protocols require
+ that functionality.
+ Fix a fix in previous release -- if gethostname and gethostbyname
+ return a name without dots, and if an attempt to canonify
+ that name fails, wait one minute and try again. This can
+ result in an extra 60 second delay on startup if your system
+ hostname (as returned by hostname(1)) has no dot and no names
+ listed in /etc/hosts or your NIS map have a dot.
+ Check for proper domain name on HELO and EHLO commands per
+ RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III
+ of Michigan Technological University.
+ Relax chownsafe rules slightly -- old version said that if you
+ can't tell if _POSIX_CHOWN_RESTRICTED is set (that is,
+ if fpathconf returned EINVAL or ENOSYS), assume that
+ chown is not safe. The new version falls back to whether
+ you are on a BSD system or not. This is important for
+ SunOS, which apparently always returns one of those
+ error codes. This impacts whether you can mail to files
+ or not.
+ Syntax errors such as unbalanced parentheses in the configuration
+ file could be omitted if you had "Oem" prior to the
+ syntax error in the config file. Change to always print
+ the error message. It was especially weird because it
+ would cause a "warning" message to be sent to the Postmaster
+ for every message sent (but with no transcript). Problem
+ noted by Gregory Paris of Motorola.
+ Rewrite collect and putbody to handle full 8-bit data, including
+ zero bytes. These changes are internally extensive, but
+ should have minimal impact on external function.
+ Allow full words for option names -- if the option letter is
+ (apparently) a space, then take the word following -- e.g.,
+ O MatchGECOS=TRUE
+ The full list of old and new names is as follows:
+ 7 SevenBitInput
+ 8 EightBitMode
+ A AliasFile
+ a AliasWait
+ B BlankSub
+ b MinFreeBlocks/MaxMessageSize
+ C CheckpointInterval
+ c HoldExpensive
+ D AutoRebuildAliases
+ d DeliveryMode
+ E ErrorHeader
+ e ErrorMode
+ f SaveFromLine
+ F TempFileMode
+ G MatchGECOS
+ H HelpFile
+ h MaxHopCount
+ i IgnoreDots
+ I ResolverOptions
+ J ForwardPath
+ j SendMimeErrors
+ k ConnectionCacheSize
+ K ConnectionCacheTimeout
+ L LogLevel
+ l UseErrorsTo
+ m MeToo
+ n CheckAliases
+ O DaemonPortOptions
+ o OldStyleHeaders
+ P PostmasterCopy
+ p PrivacyOptions
+ Q QueueDirectory
+ q QueueFactor
+ R DontPruneRoutes
+ r, T Timeout
+ S StatusFile
+ s SuperSafe
+ t TimeZoneSpec
+ u DefaultUser
+ U UserDatabaseSpec
+ V FallbackMXhost
+ v Verbose
+ w TryNullMXList
+ x QueueLA
+ X RefuseLA
+ Y ForkEachJob
+ y RecipientFactor
+ z ClassFactor
+ Z RetryFactor
+ The old macros that passed information into sendmail have
+ been changed to options; those correspondences are:
+ $e SmtpGreetingMessage
+ $l UnixFromLine
+ $o OperatorChars
+ $q (deleted -- not necessary)
+ To avoid possible problems with an older sendmail,
+ configuration level 6 is accepted by this version of
+ sendmail; any config file using the new names should
+ specify "V6" in the configuration.
+ Change address parsing to properly note that a phrase before a
+ colon and a trailing semicolon are essentially the same
+ as text outside of angle brackets (i.e., sendmail should
+ treat them as comments). This is to handle the
+ ``group name: addr1, addr2, ..., addrN;'' syntax (it will
+ assume that ``group name:'' is a comment on the first
+ address and the ``;'' is a comment on the last address).
+ This requires config file support to get right. It does
+ understand that :: is NOT this syntax, and can be turned
+ off completely by setting the ColonOkInAddresses option.
+ Level 6 config files added with new mailer flags:
+ A Addresses are aliasable.
+ i Do udb rewriting on envelope as well as header
+ sender lines. Applies to the from address mailer
+ flags rather than the recipient mailer flags.
+ j Do udb rewriting on header recipient addresses.
+ Applies to the sender mailer flags rather than the
+ recipient mailer flags.
+ k Disable check for loops when doing HELO command.
+ o Always run as the mail recipient, even on local
+ delivery.
+ w Check for an /etc/passwd entry for this user.
+ 5 Pass addresses through ruleset 5.
+ : Check for :include: on this address.
+ | Check for |program on this address.
+ / Check for /file on this address.
+ @ Look up sender header addresses in the user
+ database. Applies to the mailer flags for the
+ mailer corresponding to the envelope sender
+ address, rather than to recipient mailer flags.
+ Pre-level 6 configuration files set A, w, 5, :, |, /, and @
+ on the "local" mailer, the o flag on the "prog" and "*file*"
+ mailers, and the ColonOkInAddresses option.
+ Eight-to-seven bit MIME conversions. This borrows ideas from
+ John Beck of Hewlett-Packard, who generously contributed
+ their implementation to me, which I then didn't use (see
+ mime.c for an explanation of why). This adds the
+ EightBitMode option (a.k.a. `8') and an F=8 mailer flag
+ to control handling of 8-bit data. These have to cope with
+ two types of 8-bit data: unlabelled 8-bit data (that is,
+ 8-bit data that is entered without declaring it as 8-bit
+ MIME -- technically this is illegal according to the
+ specs) and labelled 8-bit data (that is, it was declared
+ as 8BITMIME in the ESMTP session or by using the
+ -B8BITMIME command line flag). If the F=8 mailer flag is
+ set then 8-bit data is sent to non-8BITMIME machines
+ instead of converting to 7 bit (essentially using
+ just-send-8 semantics). The values for EightBitMode are:
+ m convert unlabelled 8-bit input to 8BITMIME, and do
+ any necessary conversion of 8BITMIME to 7BIT
+ (essentially, the full MIME option).
+ p pass unlabelled 8-bit input, but convert labelled
+ 8BITMIME input to 7BIT as required (default).
+ s strict adherence: reject unlabelled 8-bit input,
+ convert 8BITMIME to 7BIT as required. The F=8
+ flag is ignored.
+ Unlabelled 8-bit data is rejected in mode `s' regardless of
+ the setting of F=8.
+ Add new internal class 'n', which is the set of MIME Content-Types
+ which can not be 8 to 7 bit encoded because of other
+ considerations. Types "multipart/*" and "message/*" are
+ never directly encoded (although their components can be).
+ Add new internal class 's', which is the set of subtypes of the
+ MIME message/* content type that can be treated as though
+ they are an RFC822 message. It is predefined to have
+ "rfc822". Suggested By Kari Hurtta.
+ Add new internal class 'e'. This is the set of MIME
+ Content-Transfer-Encodings that can be converted to
+ a seven bit format (Quoted-Printable or Base64). It is
+ preinitialized to contain "7bit", "8bit", and "binary".
+ Add C=charset mailer parameter and the the DefaultCharSet option (no
+ short name) to set the default character set to use in the
+ Content-Type: header when doing encoding of an 8-bit message
+ which isn't marked as MIME into MIME format. If the C=
+ parameter is set on the Envelope From address, use that as
+ the default encoding; else use the DefaultCharSet option.
+ If neither is set, it defaults to "unknown-8bit" as
+ suggested by RFC 1428 section 3.
+ Allow ``U=user:group'' field in mailer definition to set a default
+ user and group that a mailer will be executed as. This
+ overrides the 'u' and 'g' options, and if the `F=S' flag is
+ also set, it is the uid/gid that will always be used (that
+ is, the controlling address is ignored). The values may be
+ numeric or symbolic; if only a symbolic user is given (no
+ group) that user's default group in the passwd file is used
+ as the group. Based on code donated by Chip Rosenthal of
+ Unicom.
+ Allow `u' option to also accept user:group as a value, in the same
+ fashion as the U= mailer option.
+ Add the symbolic time zone name in the Arpanet format dates (as
+ a comment). This adds a new compile-time configuration
+ flag: TZ_TYPE can be set to TZ_TM_NAME (use the value
+ of (struct tm *)->tm_name), TZ_TM_ZONE (use the value
+ of (struct tm *)->tm_zone), TZ_TZNAME (use extern char
+ *tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use
+ timezone()), or TZ_NONE (don't include the comment). Code
+ from Chip Rosenthal.
+ The "Timeout" option (formerly "r") is extended to allow suboptions.
+ For example,
+ O Timeout.helo = 2m
+ There are also two new suboptions "queuereturn" and
+ "queuewarn"; these subsume the old T option. Thus, to
+ set them both the preferred new syntax is
+ O Timeout.queuereturn = 5d
+ O Timeout.queuewarn = 4h
+ Sort queue by host name instead of by message priority if the
+ QueueSortOrder option (no short name) is set is set to
+ ``host''. This makes better use of the connection cache,
+ but may delay more ``interactive'' messages behind large
+ backlogs under some circumstances. This is probably a
+ good option if you have high speed links or don't do lots
+ of ``batch'' messages, but less good if you are using
+ something like PPP on a 14.4 modem. Based on code
+ contributed by Roy Mongiovi of Georgia Tech (my main
+ contribution was to make it configurable).
+ Save i-number of df file in qf file to simplify rebuilding of queue
+ after disastrous disk crash. Suggested by Kyle Jones of
+ UUNET; closely based on code from KJS DECWRL code written
+ by Paul Vixie. NOTA BENE: The qf files produced by 8.7
+ are NOT back compatible with 8.6 -- that is, you can convert
+ from 8.6 to 8.7, but not the other direction.
+ Add ``F=d'' mailer flag to disable all use of angle brackets in
+ route-addrs in envelopes; this is because in some cases
+ they can be sent to the shell, which interprets them as
+ I/O redirection.
+ Don't include error file (option E) with return-receipts; this
+ can be confusing.
+ Don't send "Warning: cannot send" messages to owner-* or
+ *-request addresses. Suggested by Christophe Wolfhugel
+ of the Institut Pasteur, Paris.
+ Allow -O command line flag to set long form options.
+ Add "MinQueueAge" option to set the minimum time between attempts
+ to run the queue. For example, if the queue interval
+ (-q value) is five minutes, but the minimum queue age
+ is fifteen minutes, jobs won't be tried more often than
+ once every fifteen minutes. This can be used to give
+ you more responsiveness if your delivery mode is set to
+ queue-only.
+ Allow "fileopen" timeout (default: 60 seconds) for opening
+ :include: and .forward files.
+ Add "-k", "-v", and "-z" flags to map definitions; these set the
+ key field name, the value field name, and the field
+ delimiter. The field delimiter can be a single character
+ or the sequence "\t" or "\n" for tab or newline.
+ These are for use by NIS+ and similar access methods.
+ Change maps to always strip quotes before lookups; the -q flag
+ turns off this behaviour. Suggested by Motonori Nakamura.
+ Add "nisplus" map class. Takes -k and -v flags to choose the
+ key and value field names respectively. Code donated by
+ Sun Microsystems.
+ Add "hesiod" map class. The "file name" is used as the
+ "HesiodNameType" parameter to hes_resolve(3). Returns the
+ first value found for the match. Code donated by Scott
+ Hutton of Indiana University.
+ Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to
+ specify the name of the property that is searched as the
+ key and a -v flag to specify the name of the property that
+ is returned as the value (defaults to "members"). The
+ default map is "/aliases". Some code based on code
+ contributed by Robert La Ferla of Hot Software.
+ Add "text" map class. This does slow, linear searches through
+ text files. The -z flag specifies a column delimiter
+ (defaults to any sequence of white space), the -k flag
+ sets the key column number, and the -v flag sets the
+ value column number. Lines beginning with `#' are treated
+ as comments.
+ Add "program" map class to execute arbitrary programs. The search
+ key is presented as the last argument; the output is one
+ line read from the programs standard output. Exit statuses
+ are from sysexits.h.
+ Add "sequence" map class -- searches maps in sequence until it
+ finds a match. For example, the declarations:
+ Kmap1 ...
+ Kmap2 ...
+ Kmapseq sequence map1 map2
+ defines a map "mapseq" that first searches map1; if the
+ value is found it is returned immediately, otherwise
+ map2 is searched and the value returned.
+ Add "switch" map class. This is much like "sequence" except that
+ the ordering is fetched from an external file, usually
+ the system service switch. The parameter is the name of
+ the service to switch on, and the maps that it will use
+ are the name of the switch map followed by ".service_type".
+ For example, if the declaration of the map is
+ Ksample switch hosts
+ and the system service switch specifies that hosts are
+ looked up using dns and nis in that order, then this is
+ equivalent to
+ Ksample sequence sample.dns sample.nis
+ The subordinate maps (sample.*) must already be defined.
+ Add "user" map class -- looks up users using getpwnam. Takes a
+ "-v field" flag on the definition that tells what passwd
+ entry to return -- legal values are name, passwd, uid, gid,
+ gecos, dir, and shell. Generally expected to be used with
+ the -m (matchonly) flag.
+ Add "bestmx" map class -- returns the best MX value for the host
+ listed as the value. If there are several "best" MX records
+ for this host, one will be chosen at random.
+ Add "userdb" map class -- looks up entries in the user database.
+ The "file name" is actually the tag that will be used,
+ typically "mailname". If there are multiple entries
+ matching the name, the one chosen is undefined.
+ Add multiple queue timeouts (both return and warning). These are
+ set by the Precedence: or Priority: header fields to one of
+ three values. If a Priority: is set and has value "normal",
+ "urgent", or "non-urgent" the corresponding timeouts are
+ used. If no priority is set, the Precedence: is consulted;
+ if negative, non-urgent timeouts are used; if greater than
+ zero, urgent timeouts are used. Otherwise, normal timeouts
+ are used. The timeouts are set by setting the six timeouts
+ queue{warn,return}.{urgent,normal,non-urgent}.
+ Fix problem when a mail address is resolved to a $#error mailer
+ with a temporary failure indication; it works in SMTP,
+ but when delivering locally the mail is silently discarded.
+ This patch, from Kyle Jones of UUNET, bounces it instead
+ of queueing it (queueing is very hard).
+ When using /etc/hosts or NIS-style lookups, don't assume that
+ the first name in the list is the best one -- instead,
+ search for the first one with a dot. For example, if
+ an /etc/hosts entry reads
+ 128.32.149.68 mammoth mammoth.CS.Berkeley.EDU
+ this change will use the second name as the canonical
+ machine name instead of the initial, unqualified name.
+ Change dequote map to replace spaces in quoted text with a value
+ indicated by the -s flag on the dequote map definition.
+ For example, ``Mdequote dequote -s_'' will change
+ "Foo Bar" into an unquoted Foo_Bar instead of leaving it
+ quoted (because of the space character). Suggested by Dan
+ Oscarsson for use in X.400 addresses.
+ Implement long macro names as ${name}; long class names can
+ be similarly referenced as $={name} and $~{name}.
+ Definitions are (e.g.) ``D{name}value''. Names that have
+ a leading lower case letter or punctuation characters are
+ reserved for internal use by sendmail; i.e., config files
+ should use names that begin with a capital letter. Based
+ on code contributed by Dan Oscarsson.
+ Fix core dump if getgrgid returns a null group list (as opposed
+ to an empty group list, that is, a pointer to a list
+ with no members). Fix from Andrew Chang of Sun Microsystems.
+ Fix possible core dump if malloc fails -- if the malloc in xalloc
+ failed, it called syserr which called newstr which called
+ xalloc.... The newstr is now avoided for "panic" messages.
+ Reported by Stuart Kemp of James Cook University.
+ Improve connection cache timeouts; previously, they were not even
+ checked if you were delivering to anything other than an
+ IPC-connected host, so a series of (say) local mail
+ deliveries could cause cached connections to be open
+ much longer than the specified timeout.
+ If an incoming message exceeds the maximum message size, stop
+ writing the incoming bytes to the queue data file, since
+ this can fill your mqueue partition -- this is a possible
+ denial-of-service attack.
+ Don't reject all numeric local user names unless HESIOD is
+ defined. It turns out that Posix allows all-numeric
+ user names. Fix from Tony Sanders of BSDI.
+ Add service switch support. If the local OS has a service
+ switch (e.g., /etc/nsswitch.conf on Solaris or /etc/svc.conf
+ on DEC systems) that will be used; otherwise, it falls back
+ to using a local mechanism based on the ServiceSwitchFile
+ option (default: /etc/service.switch). For example, if the
+ service switch lists "files" and "nis" for the aliases
+ service, that will be the default lookup order. the "files"
+ ("local" on DEC) service type expands to any alias files
+ you listed in the configuration file, even if they aren't
+ actually file lookups.
+ Option I (NameServerOptions) no longer sets the "UseNameServer"
+ variable which tells whether or not DNS should be considered
+ canonical. This is now determined based on whether or not
+ "dns" is in the service list for "hosts".
+ Add preliminary support for the ESMTP "DSN" extension (Delivery
+ Status Notifications). DSN notifications override
+ Return-Receipt-To: headers, which are bogus anyhow --
+ support for them has been removed.
+ Add T=mts-name-type/address-type/diagnostic-type keyletter to mailer
+ definitions to define the types used in DSN returns for
+ MTA names, addresses, and diagnostics respectively.
+ Extend heuristic to force running in ESMTP mode to look for the
+ five-character string "ESMTP" anywhere in the 220 greeting
+ message (not just the second line). This is to provide
+ better compatibility with other ESMTP servers.
+ Print sequence number of job when running the queue so you can
+ easily see how much progress you have made. Suggested
+ by Peter Wemm of DIALix.
+ Map newlines to spaces in logged message-ids; some versions of
+ syslog truncate the rest of the line after newlines.
+ Suggested by Fletcher Mattox of U. Texas.
+ Move up forking for job runs so that if a message is split into
+ multiple envelopes you don't get "fork storms" -- this
+ also improves the connection cache utilization.
+ Accept "<<>>", "<<<>>>", and so forth as equivalent to "<>" for
+ the purposes of refusing to send error returns. Suggested
+ by Motonori Nakamura of Ritsumeikan University.
+ Relax rules on when a file can be written when referenced from
+ the aliases file: use the default uid/gid instead of the
+ real uid/gid. This allows you to create a file owned by
+ and writable only by the default uid/gid that will work
+ all the time (without having the setuid bit set). Change
+ suggested by Shau-Ping Lo and Andrew Cheng of Sun
+ Microsystems.
+ Add "DialDelay" option (no short name) to provide an "extra"
+ delay for dial on demand systems. If this is non-zero
+ and a connect fails, sendmail will wait this long and
+ then try again. If it takes longer than the kernel
+ timeout interval to establish the connection, this
+ option can give the network software time to establish
+ the link. The default units are seconds.
+ Move logging of sender information to be as early as possible;
+ previously, it could be delayed a while for SMTP mail
+ sent to aliases. Suggested by Brad Knowles of the
+ Defense Information Systems Agency.
+ Call res_init() before setting RES_DEBUG; this is required by
+ BIND 4.9.3, or so I'm told. From Douglas Anderson of
+ the National Computer Security Center.
+ Add xdelay= field in logs -- this is a transaction delay, telling
+ you how long it took to deliver to this address on the
+ last try. It is intended to be used for sorting mailing
+ lists to favor "quick" addresses. Provided for use by
+ the mailprio scripts (see below).
+ If a map cannot be opened, and that map is non-optional, and
+ an address requires that map for resolution, queue the
+ map instead of bouncing it. This involves creating a
+ pseudo-class of maps called "bogus-map" -- if a required
+ map cannot be opened, the class is changed to bogus-map;
+ all queries against bogus-map return "tempfail". The
+ bogus-map class is not directly accessible. A sample
+ implementation was donated by Jem Taylor of Glasgow
+ University Computing Service.
+ Fix a possible core dump when mailing to a program that talks
+ SMTP on its standard input. Fix from Keith Moore of
+ the University of Kentucky.
+ Make it possible to resolve filenames to $#local $: @ /filename;
+ previously, the "@" would cause it to not be recognized
+ as a file. Problem noted by Brian Hill of U.C. Davis.
+ Accept a -1 signal to re-exec the daemon. This only works if
+ argv[0] is a full path to sendmail.
+ Fix bug in "addr=..." field in O option on little-endian machines
+ -- the network number wasn't being converted to network
+ byte order. Patch from Kurt Lidl of Pix Technologies
+ Corporation.
+ Pre-initialize the resolver early on; this is to avoid a bug with
+ BIND 4.9.3 that can cause the _res.retry field to get
+ reset to zero, causing all name server lookups to time
+ out. Fix from Matt Day of Artisoft.
+ Restore T line (trusted users) in config file -- but instead of
+ locking out the -f flag, they just tell whether or not
+ an X-Authentication-Warning: will be added. This really
+ just creates new entries in class 't', so "Ft/file/name"
+ can be used to read trusted user names from a file.
+ Trusted users are also allowed to execute programs even
+ if they have a shell that isn't in /etc/shells.
+ Improve NEWDB alias file rebuilding so it will create them
+ properly if they do not already exist. This had been
+ a MAYBENEXTRELEASE feature in 8.6.9.
+ Check for @:@ entry in NIS maps before starting up to avoid
+ (but not prevent, sigh) race conditions. This ought to
+ be handled properly in ypserv, but isn't. Suggested by
+ Michael Beirne of Motorola.
+ Refuse connections if there isn't enough space on the filesystem
+ holding the queue. Contributed by Robert Dana of Wolf
+ Communications.
+ Skip checking for directory permissions in the path to a file
+ when checking for file permissions iff setreuid()
+ succeeded -- it is unnecessary in that case. This avoids
+ significant performance problems when looking for .forward
+ files. Based on a suggestion by Win Bent of USC.
+ Allow symbolic ruleset names. Syntax can be "Sname" to get an
+ arbitrary ruleset number assigned or "Sname = integer"
+ to assign a specific ruleset number. Reference is
+ $>name_or_number. Names can be composed of alphas, digits,
+ underscore, or hyphen (first character must be non-numeric).
+ Allow -o flag on AliasFile lines to make the alias file optional.
+ From Bryan Costales of ICSI.
+ Add NoRecipientAction option to handle the case where there is
+ no legal recipient header in the message. It can take
+ on values:
+ None Leave the message as is. The
+ message will be passed on even
+ though it is in technically
+ illegal syntax.
+ Add-To Add a To: header with any
+ recipients that it can find from
+ the envelope. This risks exposing
+ Bcc: recipients.
+ Add-Apparently-To Add an Apparently-To: header. This
+ has almost no redeeming social value,
+ and is provided only for back
+ compatibility.
+ Add-To-Undisclosed Add a header reading
+ To: undisclosed-recipients:;
+ which will have the effect of
+ making the message legal without
+ exposing Bcc: recipients.
+ Add-Bcc To add an empty Bcc: header.
+ There is a chance that mailers down
+ the line will delete this header,
+ which could cause exposure of Bcc:
+ recipients.
+ The default is NoRecipientAction=None.
+ Truncate (rather than delete) Bcc: lines in the header. This
+ should prevent later sendmails (at least, those that don't
+ themselves delete Bcc:) from considering this message to
+ be non-conforming -- although it does imply that non-blind
+ recipients can see that a Bcc: was sent, albeit not to whom.
+ Add SafeFileEnvironment option. If declared, files named as delivery
+ targets must be regular files in addition to the regular
+ checks. Also, if the option is non-null then it is used as
+ the name of a directory that is used as a chroot(2)
+ environment for the delivery; the file names listed in an
+ alias or forward should include the name of this root.
+ For example, if you run with
+ O SafeFileEnvironment=/arch
+ then aliases should reference "/arch/rest/of/path". If a
+ value is given, sendmail also won't try to save to
+ /usr/tmp/dead.letter (instead it just leaves the job in the
+ queue as Qfxxxxxx). Inspired by *Hobbit*'s sendmail patch kit.
+ Support -A flag for alias files; this will comma concatenate like
+ entries. For example, given the aliases:
+ list: member1
+ list: member2
+ and an alias file declared as:
+ OAhash:-A /etc/aliases
+ the final alias inserted will be "list: member1,member2";
+ without -A you will get an error on the second and subsequent
+ alias for "list". Contributed by Bryan Costales of ICSI.
+ Line-buffer transcript file. Suggested by Liudvikas Bukys.
+ Fix a problem that could cause very long addresses to core dump in
+ some special circumstances. Problem pointed out by Allan
+ Johannesen.
+ (Internal change.) Change interface to expand() (macro expansion)
+ to be simpler and more consistent.
+ Delete check for funny qf file names. This didn't really give
+ any extra security and caused some people some problems.
+ (If you -really- want this, define PICKY_QF_NAME_CHECK
+ at compile time.) Suggested by Kyle Jones of UUNET.
+ (Internal change.) Change EF_NORETURN to EF_NO_BODY_RETN and
+ merge with DSN code; this is simpler and more consistent.
+ This may affect some people who have written their own
+ checkcompat() routine.
+ (Internal change.) Eliminate `D' line in qf file. The df file
+ is now assumed to be the same name as the qf file (with
+ the `q' changed to a `d', of course).
+ Avoid forking for delivery if all recipient mailers are marked as
+ "expensive" -- this can be a major cost on some systems.
+ Essentially, this forces sendmail into "queue only" mode
+ if all it is going to do is queue anyway.
+ Avoid sending a null message in some rather unusual circumstances
+ (specifically, the RCPT command returns a temporary
+ failure but the connection is lost before the DATA
+ command). Fix from Scott Hammond of Secure Computing
+ Corporation.
+ Change makesendmail to use a somewhat more rational naming scheme:
+ Makefiles and obj directories are named $os.$rel.$arch,
+ where $os is the operating system (e.g., SunOS), $rel is
+ the release number (e.g., 5.3), and $arch is the machine
+ architecture (e.g., sun4). Any of these can be omitted,
+ and anything after the first dot in a release number can
+ be replaced with "x" (e.g., SunOS.4.x.sun4). The previous
+ version used $os.$arch.$rel and was rather less general.
+ Change makesendmail to do a "make depend" in the target directory
+ when it is being created. This involves adding an empty
+ "depend:" entry in most Makefiles.
+ Ignore IDENT return value if the OSTYPE field returns "OTHER",
+ as indicated by RFC 1413. Pointed out by Kari Hurtta
+ of the Finnish Meteorological Institute.
+ Fix problem that could cause multiple responses to DATA command
+ on header syntax errors (e.g., lines beginning with colons).
+ Problem noted by Jens Thomassen of the University of Oslo.
+ Don't let null bytes in headers cause truncation of the rest of
+ the header.
+ Log Authentication-Warning:s. Suggested by Motonori Nakamura.
+ Increase timeouts on message data puts to allow time for receivers
+ to canonify addresses in headers on the fly. This is still
+ a rather ugly heuristic. From Motonori Nakamura.
+ Add "HasWildcardMX" suboption to ResolverOptions; if set, MX
+ records are not used when canonifying names, and when MX
+ lookups are done for addressing they must be fully
+ qualified. This is useful if you have a wildcard MX record,
+ although it may cause other problems. In general, don't use
+ wildcard MX records. Patch from Motonori Nakamura.
+ Eliminate default two-line SMTP greeting message. Instead of
+ adding an extra "ESMTP spoken here" line, the word "ESMTP"
+ is added between the first and second word of the first
+ line of the greeting message (i.e., immediately after the
+ host name). This eliminates the need for the BROKEN_SMTP_PEERS
+ compile flag. Old sendmails won't see the ESMTP, but that's
+ acceptable because SIZE was the only useful extension that
+ old sendmails understand.
+ Avoid gethostbyname calls on UNIX domain sockets during SIGUSR1
+ invoked state dumps. From Masaharu Onishi.
+ Allow on-line comments in .forward and :include: files; they are
+ introduced by the string "<LWSP>#@#<LWSP>", where <LWSP>
+ is a space or a tab. This is intended for native
+ representation of non-ASCII sets such as Japanese, where
+ existing encodings would be unreadable or would lose
+ data -- for example,
+ <motonori@cs.ritsumei.ac.jp> NAKAMURA Motonori
+ (romanized/less information)
+ <motonori@cs.ritsumei.ac.jp> =?ISO-2022-JP?B?GyRCQ2ZCPBsoQg==?=
+ =?ISO-2022-JP?B?GyRCQUdFNRsoQg==?=
+ (with MIME encoding, not human readable)
+ <motonori@cs.ritsumei.ac.jp> #@# ^[$BCfB<^[(B ^[$BAGE5^[(B
+ (native encoding with ISO-2022-JP)
+ The last form is human readable in the Japanese environment.
+ Based on a fix from (surprise!) Motonori Nakamura.
+ Don't make SMTP error returns on MAIL FROM: line be "sticky" for all
+ messages to that host; these are most frequently associated
+ with addresses rather than the host, with the exception of
+ 421 (service shutting down). The effect was to cause queues
+ to sometimes take an excessive time to flush. Reported by
+ Robert Sargent of Southern Geographics Technologies and
+ Eric Prestemon of American University.
+ Add Nice=N mailer option to set the niceness at which a mailer will
+ run. This is actually a relative niceness (that is, an
+ increment on the background value).
+ Log queue runs that are skipped due to high loads. They are logged
+ at LOG_INFO priority iff the log level is > 8. Contributed
+ by Bruce Nagel of Data General.
+ Allow the error mailer to accept a DSN-style error status code
+ instead of an sysexits status code in the host part.
+ Anything with a dot will be interpreted as a DSN-style code.
+ Add new mailer flag: F=3 will tell translations to Quoted-Printable
+ to encode characters that might be munged by an EBCDIC system
+ in addition to the set required by RFC 1521. The additional
+ characters are !, ", #, $, @, [, \, ], ^, `, {, |, }, and ~.
+ (Think of "IBM 360" as the mnemonic for this flag.)
+ Change check for mailing to files to look for a pathname of [FILE]
+ rather than looking for the mailer named *file*. The mapping
+ of leading slashes still goes to the *file* mailer. This
+ allows you to implement the *file* mailer as a separate
+ program, for example, to insert a Content-Length: header
+ or do special security policy. However, note that the usual
+ initial checking for the file permissions is still done, and
+ the program in question needs to be very careful about how
+ it does the file write to avoid security problems.
+ Be able to read ~root/.forward even if the path isn't accessible to
+ regular users. This is disrecommended because sendmail
+ sometimes does not run as root (e.g., when an unsafe option
+ is specified on the command line), but should otherwise be
+ safe because .forward files must be owned by the user for
+ whom mail is being forwarded, and cannot be a symbolic link.
+ Suggested by Forrest Aldrich of Wang Laboratories.
+ Add new "HostsFile" option that is the pathname to the /etc/hosts
+ file. This is used for canonifying hostnames when the
+ service type is "files".
+ Implement programs on F (read class from file) line. The syntax is
+ Fc|/path/to/program to read the output from the program
+ into class "c".
+ Probe the network interfaces to find alternate names for this
+ host. Requires the SIOCGIFCONF ioctl call. Code
+ contributed by SunSoft.
+ Add "E" configuration line to set or propagate environment
+ variables into children. "E<envar>" will propagate
+ the named variable from the environment when sendmail
+ was invoked into any children it calls; "E<envar>=<value>"
+ sets the named variable to the indicated value. Any
+ variables not explicitly named will not be in the child
+ environment. However, sendmail still forces an
+ "AGENT=sendmail" environment variable, in part to enforce
+ at least one environment variable, since many programs and
+ libraries die horribly if this is not guaranteed.
+ Change heuristic for rebuilding both NEWDB and NDBM versions of
+ alias databases -- new algorithm looks for the substring
+ "/yp/" in the file name. This is more portable and involves
+ less overhead. Suggested by Motonori Nakamura.
+ Dynamically allocate the queue work list so that you don't lose
+ jobs in large queue runs. The old QUEUESIZE compile parameter
+ is replaced by QUEUESEGSIZE (the unit of allocation, which
+ should not need to be changed) and the MaxQueueRunSize option,
+ which is the absolute maximum number of jobs that will ever
+ be handled in a single queue run. Based on code contributed
+ by Brian Coan of the Institute for Global Communications.
+ Log message when a message is dropped because it exceeds the maximum
+ message size. Suggested by Leo Bicknell of Virginia Tech.
+ Allow trusted users (those on a T line or in $=t) to use -bs without
+ an X-Authentication-Warning: added. Suggested by Mark Thomas
+ of Mark G. Thomas Consulting.
+ Announce state of compile flags on -d0.1 (-d0.10 throws in the
+ OS-dependent defines). The old semantic of -d0.1 to not
+ run the daemon in background has been moved to -d99.100,
+ and the old 52.5 flag (to avoid disconnect() from closing
+ all output files) has been moved to 52.100. This makes
+ things more consistent (flags below .100 don't change
+ semantics) and separates out the backgrounding so that
+ it doesn't happen automatically on other unrelated debugging
+ flags.
+ If -t is used but no addresses are found in the header, give an
+ error message rather than just doing nothing. Fix from
+ Motonori Nakamura.
+ On systems (like SunOS) where the effective gid is not necessarily
+ included in the group list returned by getgroups(), the
+ `restrictmailq' option could sometimes cause an authorized
+ user to not be able to use `mailq'. Fix from Charles Hannum
+ of MIT.
+ Allow symbolic service names for [IPC] mailers. Suggested by
+ Gerry Magennis of Logica International.
+ Add DontExpandCnames option to prevent $[ ... $] from expanding CNAMEs
+ when running DNS. For example, if the name FTP.Foo.ORG is
+ a CNAME for Cruft.Foo.ORG, then when sitting on a machine in
+ the Foo.ORG domain a lookup of "FTP" returns "Cruft.Foo.ORG"
+ if this option is not set, or "FTP.Foo.ORG" if it is set.
+ This is technically illegal under RFC 822 and 1123, but the
+ IETF is moving toward legalizing it. Note that turning on
+ this option is not sufficient to guarantee that a downstream
+ neighbor won't rewrite the address for you.
+ Add "-m" flag to makesendmail script -- this tells you what object
+ directory and Makefile it will use, but doesn't actually do
+ the make.
+ Do some additional checking on the contents of the qf file to try
+ to detect attacks against the qf file. In particular,
+ abort on any line beginning "From ", and add an "end of
+ file" line -- any data after that line is prohibited.
+ Always use /etc/sendmail.cf, regardless of the arbitrary vendor
+ choices. This can be overridden in the Makefile by using
+ either -DUSE_VENDOR_CF_PATH to get the vendor location
+ (to the extent that we know it) or by defining
+ _PATH_SENDMAILCF (which is a "hard override"). This allows
+ sendmail 8 to have more consistent installation instructions.
+ Allow macros on `K' line in config file. Suggested by Andrew Chang
+ of Sun Microsystems.
+ Improved symbol table hash function from Eric Wassenaar. This one
+ is at least 50% faster.
+ Fix problem that didn't notice that timeout on file open was a
+ transient error. Fix from Larry Parmelee of Cornell
+ University.
+ Allow comments (lines beginning with a `#') in files read for
+ classes. Suggested by Motonori Nakamura.
+ Make SIGINT (usually ^C) in test mode return to the prompt instead
+ of dropping out entirely. This makes testing some of the
+ name server lookups easier to deal with when there are
+ hung servers. From Motonori Nakamura.
+ Add new ${opMode} macro that is set to the current operation mode
+ (e.g., `s' for -bs, `t' for -bt, etc.). Suggested by
+ Claude Marinier <MARINIER@emp.ewd.dreo.dnd.ca>.
+ Add new delivery mode (Odd) that defers all map lookups to queue runs.
+ Kind of like queue-only mode (Odq) except it tries to avoid
+ any external service requests; for dial-on-demand hosts that
+ want to minimize DNS lookups when mail is being queued. For
+ this to work you will also have to make sure that gethostbyname
+ of your local host name does not do a DNS lookup.
+ Improved handling of "out of space" conditions from John Myers of
+ Carnegie Mellon.
+ Improved security for mailing to files on systems that have fchmod(2)
+ support.
+ Improve "cannot send message for N days" message -- now says "could
+ not send for past N days". Suggested by Tom Moore of AT&T
+ Global Information Solutions.
+ Less misleading Subject: line on messages sent to postmaster only.
+ From Motonori Nakamura.
+ Avoid duplicate error messages on bad command line flags. From
+ Motonori Nakamura.
+ Better error message for case where ruleset 0 falls off the end
+ or otherwise does not resolve to a canonical triple.
+ Fix a problem that could cause multiple bounce messages if a bad
+ address was sent along with a good address to an SMTP
+ site where that SMTP site returned a 4yz code in response
+ to the final dot of the data. Problem reported by David
+ James of British Telecom.
+ Add "volatile" declarations so that gcc -O2 will work. Patches
+ from Alexander Dupuy of System Management ARTS.
+ Delete duplicates in MX lists -- believe it or not, there are sites
+ that list the same host twice in an MX list. This deletion
+ only works on adjacent preferences, so an MX list that
+ had A=5, B=10, A=15 would leave both As, but one that had
+ A=5, A=10, B=15 would reduce to A, B. This is intentional,
+ just in case there is something weird I haven't thought of.
+ Suggested by Barry Shein of Software Tool & Die.
+ SECURITY: .forward files cannot be symbolic links. If they are,
+ a bad guy can read your private files.
+ PORTABILITY FIXES:
+ Solaris 2 from Rob McMahon <cudcv@csv.warwick.ac.uk>.
+ System V Release 4 from Motonori Nakamura of Ritsumeikan
+ University. This expands the disk size
+ checking to include all (?) SVR4 configurations.
+ System V Release 4 from Kimmo Suominen -- initgroups(3)
+ and setrlimit(2) are both available.
+ System V Release 4 from sob@sculley.ffg.com -- some versions
+ apparently "have EX_OK defined in other headerfiles."
+ Linux Makefile typo.
+ Linux getusershell(3) is broken in Slackware 2.0 --
+ from Andrew Pam of Xanadu Australia.
+ More Linux tweaking from John Kennedy of California State
+ University, Chico.
+ Cray changes from Eric Wassenaar: ``On Cray, shorts,
+ ints, and longs are all 64 bits, and all structs
+ are multiples of 64 bits. This means that the
+ sizeof operator returns only multiples of 8.
+ This requires adaptation of code that really
+ deals with 32 bit or 16 bit fields, such as IP
+ addresses or nameserver fields.''
+ DG/UX 5.4.3 from Mark T. Robinson <mtr@ornl.gov>. To
+ get the old behaviour, use -DDGUX_5_4_2.
+ DG/UX hack: add _FORCE_MAIL_LOCAL_=yes environment
+ variable to fix bogus /bin/mail behaviour.
+ Tandem NonStop-UX from Rick McCarty <mccarty@mpd.tandem.com>.
+ This also cleans up some System V Release 4 compile
+ problems.
+ Solaris 2: sendmail.cw file should be in /etc/mail to
+ match all the other configuration files. Fix
+ from Glenn Barry of Emory University.
+ Solaris 2.3: compile problem in conf.c. Fix from Alain
+ Nissen of the University of Liege, Belgium.
+ Ultrix: freespace calculation was incorrect. Fix from
+ Takashi Kizu of Osaka University.
+ SVR4: running in background gets a SIGTTOU because the
+ emulation code doesn't realize that "getpeername"
+ doesn't require reading the file. Fix from Peter
+ Wemm of DIALix.
+ Solaris 2.3: due to an apparent bug in the socket emulation
+ library, sockets can get into a "wedged" state where
+ they just return EPROTO; closing and re-opening the
+ socket clears the problem. Fix from Bob Manson
+ of Ohio State University.
+ Hitachi 3050R & 3050RX running HI-UX/WE2: portability
+ fixes from Akihiro Hashimoto ("Hash") of Chiba
+ University.
+ AIX changes to allow setproctitle to work from Rainer Schöpf
+ of Zentrum für Datenverarbeitung der Universität
+ Mainz.
+ AIX changes for load average from Ed Ravin of NASA/Goddard.
+ SCO Unix from Chip Rosenthal of Unicom (code was using the
+ wrong statfs call).
+ ANSI C fixes from Adam Glass (NetBSD project).
+ Stardent Titan/ANSI C fixes from Kate Hedstrom of Rutgers
+ University.
+ DG-UX fixes from Bruce Nagel of Data General.
+ IRIX64 updates from Mark Levinson of the University of
+ Rochester Medical Center.
+ Altos System V (``the first UNIX/XENIX merge the Altos
+ did for their Series 1000 & Series 2000 line;
+ their merged code was licensed back to AT&T and
+ Microsoft and became System V release 3.2'') from
+ Tim Rice <timr@crl.com>.
+ OSF/1 running on Intel Paragon from Jeff A. Earickson
+ <jeff@ssd.intel.com> of Intel Scalable Systems
+ Division.
+ Amdahl UTS System V 2.1.5 (SVr3-based) from Janet Jackson
+ <janet@dialix.oz.au>.
+ System V Release 4 (statvfs semantic fix) from Alain
+ Durand of I.M.A.G.
+ HP-UX 10.x multiprocessor load average changes from
+ Scott Hutton and Jeff Sumler of Indiana University.
+ Cray CSOS from Scott Bolte of Cray Computer Corporation.
+ Unicos 8.0 from Douglas K. Rand of the University of North
+ Dakota, Scientific Computing Center.
+ Solaris 2.4 fixes from Sanjay Dani of Dani Communications.
+ ConvexOS 11.0 from Christophe Wolfhugel.
+ IRIX 4.0.5 from David Ashton-Reader of CADcentre.
+ ISC UNIX from J. J. Bailey.
+ HP-UX 9.xx on the 8xx series machines from Remy Giraud
+ of Meteo France.
+ HP-UX configuration from Tom Lane <tgl@sss.pgh.pa.us>.
+ IRIX 5.2 and 5.3 from Kari E. Hurtta.
+ FreeBSD 2.0 from Mike Hickey of Federal Data Corporation.
+ Sony NEWS-OS 4.2.1R and 6.0.3 from Motonori Nakamura.
+ Omron LUNA unios-b, mach from Motonori Nakamura.
+ NEC EWS-UX/V 4.2 from Motonori Nakamura.
+ NeXT 2.1 from Bryan Costales.
+ AUX patch thanks to Mike Erwin of Apple Computer.
+ HP-UX 10.0 from John Beck of Hewlett-Packard.
+ Ultrix: allow -DBROKEN_RES_SEARCH=0 if you are using a
+ non-DEC resolver. Suggested by Allan Johannesen.
+ UnixWare 2.0 fixes from Petr Lampa of the Technical
+ University of Brno (Czech Republic).
+ KSR OS 1.2.2 support from Todd Miller of the University
+ of Colorado.
+ UX4800 support from Kazuhisa Shimizu of NEC.
+ MAKEMAP: allow -d flag to allow insertion of duplicate aliases
+ in type ``btree'' maps. The semantics of this are undefined
+ for regular maps, but it can be useful for the user database.
+ MAKEMAP: lock database file while rebuilding to avoid sendmail
+ lookups while the rebuild is going on. There is a race
+ condition between the open(... O_TRUNC ...) and the lock
+ on the file, but it should be quite small.
+ SMRSH: sendmail restricted shell added to the release. This can
+ be used as an alternative to /bin/sh for the "prog" mailer,
+ giving the local administrator more control over what
+ programs can be run from sendmail.
+ MAIL.LOCAL: add this local mailer to the tape. It is not really
+ part of the release proper, and isn't fully supported; in
+ particular, it does not run on System V based systems and
+ never will.
+ CONTRIB: a patch to rmail.c from Bill Gianopoulos of Raytheon
+ to allow rmail to compile on systems that don't have
+ function prototypes and systems that don't have snprintf.
+ CONTRIB: add the "mailprio" scripts that will help you sort mailing
+ lists by transaction delay times so that addresses that
+ respond quickly get sent first. This is to prevent very
+ sluggish servers from delaying other peoples' mail.
+ Contributed by Tony Sanders of BSDI.
+ CONTRIB: add the "bsdi.mc" file as contributed by Tony Sanders
+ of BSDI. This has a lot of comments to help people out.
+ CONFIG: Don't have .mc files include(../m4/cf.m4) -- instead,
+ put this on the m4 command line. On GNU m4 (which
+ supports the __file__ primitive) you can run m4 in an
+ arbitrary directory -- use either:
+ m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf
+ or
+ m4 -I${CFDIR} m4/cf.m4 config.mc > config.cf
+ On other versions of m4 that don't support __file__, you
+ can use:
+ m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ...
+ (Note the trailing slash on the _CF_DIR_ definition.)
+ Old versions of m4 will default to _CF_DIR_=.. for back
+ compatibility.
+ CONFIG: fix mail from <> so it will properly convert to
+ MAILER-DAEMON on local addresses.
+ CONFIG: fix code that was supposed to catch colons in host
+ names. Problem noted by John Gardiner Myers of CMU.
+ CONFIG: allow use of SMTP_MAILER_MAX in nullclient configuration.
+ From Paul Riddle of the University of Maryland, Baltimore
+ County.
+ CONFIG: Catch and reject "." as a host address.
+ CONFIG: Generalize domaintable to look up all domains, not
+ just unqualified ones.
+ CONFIG: Delete OLD_SENDMAIL support -- as near as I can tell, it
+ was never used and didn't work anyway.
+ CONFIG: Set flags A, w, 5, :, /, |, and @ on the "local" mailer
+ and d on all mailers in the UUCP class.
+ CONFIG: Allow "user+detail" to be aliased specially: it will first
+ look for an alias for "user+detail", then for "user+*", and
+ finally for "user". This is intended for forwarding mail
+ for system aliases such as root and postmaster to a
+ centralized hub.
+ CONFIG: add confEIGHT_BIT_HANDLING to set option 8 (see above).
+ CONFIG: add smtp8 mailer; this has the F=8 (just-send-8) flag set.
+ The F=8 flag is also set on the "relay" mailer, since
+ this is expected to be another sendmail.
+ CONFIG: avoid qualifying all UUCP addresses sent via SMTP with
+ the name of the UUCP_RELAY -- in some cases, this is the
+ wrong value (e.g., when we have local UUCP connections),
+ and this can create unreplyable addresses. From Chip
+ Rosenthal of Unicom.
+ CONFIG: add confRECEIVED_HEADER to change the format of the
+ Received: header inserted into all messages. Suggested by
+ Gary Mills of the University of Manitoba.
+ CONFIG: Make "notsticky" the default; use FEATURE(stickyhost)
+ to get the old behaviour. I did this upon observing
+ that almost everyone needed this feature, and that the
+ concept I was trying to make happen didn't work with
+ some user agents anyway. FEATURE(notsticky) still works,
+ but it is a no-op.
+ CONFIG: Add LUSER_RELAY -- the host to which unrecognized user
+ names are sent, rather than immediately diagnosing them
+ as User Unknown.
+ CONFIG: Add SMTP_MAILER_ARGS, ESMTP_MAILER_ARGS, SMTP8_MAILER_ARGS,
+ and RELAY_MAILER_ARGS to set the arguments for the
+ indicated mailers. All default to "IPC $h". Patch from
+ Larry Parmelee of Cornell University.
+ CONFIG: pop mailer needs F=n flag to avoid "annoying side effects
+ on the client side" and F=P to get an appropriate
+ return-path. From Kimmo Suominen.
+ CONFIG: add FEATURE(local_procmail) to use the procmail program
+ as the local mailer. For addresses of the form "user+detail"
+ the "detail" part is passed to procmail via the -a flag.
+ Contributed by Kimmo Suominen.
+ CONFIG: add MAILER(procmail) to add an interface to procmail for
+ use from mailertables. This lets you execute arbitrary
+ procmail scripts. Contributed by Kimmo Suominen.
+ CONFIG: add T= fields (MTS type) to local, smtp, and uucp mailers.
+ CONFIG: add OSTYPE(ptx2) for DYNIX/ptx 2.x from Sequent. From
+ Paul Southworth of CICNet Systems Support.
+ CONFIG: use -a$g as default to UUCP mailers, instead of -a$f.
+ This causes the null return path to be rewritten as
+ MAILER-DAEMON; otherwise UUCP gets horribly confused.
+ From Michael Hohmuth of Technische Universitat Dresden.
+ CONFIG: Add FEATURE(bestmx_is_local) to cause any hosts that
+ list us as the best possible MX record to be treated as
+ though they were local (essentially, assume that they
+ are included in $=w). This can cause additional DNS
+ traffic, but is easier to administer if this fits your
+ local model. It does not work reliably if there are
+ multiple hosts that share the best MX preference.
+ Code contributed by John Oleynick of Rutgers.
+ CONFIG: Add FEATURE(smrsh) to use smrsh (the SendMail Restricted
+ SHell) instead of /bin/sh as the program used for delivery
+ to programs. If an argument is included, it is used as
+ the path to smrsh; otherwise, /usr/local/etc/smrsh is
+ assumed.
+ CONFIG: Add LOCAL_MAILER_MAX and PROCMAILER_MAILER_MAX to limit the
+ size of messages to the local and procmail mailers
+ respectively. Contributed by Brad Knowles of the Defense
+ Information Systems Agency.
+ CONFIG: Handle leading ``phrase:'' and trailing ``;'' as comments
+ (just like text outside of angle brackets) in order to
+ properly deal with ``group: addr1, ... addrN;'' syntax.
+ CONFIG: Require OSTYPE macro (the defaults really don't apply to
+ any real systems any more) and tweak the DOMAIN macro
+ so that it is less likely that users will accidentally use
+ the Berkeley defaults. Also, create some generic files
+ that really can be used in the real world.
+ CONFIG: Add new configuration macros to set character sets for
+ messages _arriving from_ various mailers: LOCAL_MAILER_CHARSET,
+ SMTP_MAILER_CHARSET, and UUCP_MAILER_CHARSET.
+ CONFIG: Change UUCP_MAX_SIZE to UUCP_MAILER_MAX for consistency.
+ The old name will still be accepted for a while at least.
+ CONFIG: Implement DECNET_RELAY as spec for host to which DECNET
+ mail (.DECNET pseudo-domain or node::user) will be sent.
+ As with all relays, it can be ``mailer:hostname''. Suggested
+ by Scott Hutton.
+ CONFIG: Add MAILER(mail11) to get DECnet support. Code contributed
+ by Barb Dijker of Labyrinth Computer Services.
+ CONFIG: change confCHECK_ALIASES to default to False -- it has poor
+ performance for large alias files, and this confused many
+ people.
+ CONFIG: Add confCF_VERSION to append local information to the
+ configuration version number displayed during SMTP startup.
+ CONFIG: fix some.newsgroup.usenet@local.host syntax (previously it
+ would only work when locally addressed. Fix from
+ Edvard Tuinder of Cistron Internet Services.
+ CONFIG: use ${opMode} to avoid error on .REDIRECT addresses if option
+ "n" (CheckAlaises) is set when rebuilding alias database.
+ Based on code contributed by Claude Marinier.
+ CONFIG: Allow mailertable to have values of the form
+ ``error:code message''. The ``code'' is a status code
+ derived from the sysexits codes -- e.g., NOHOST or UNAVAILABLE.
+ Contributed by David James <dwj@agw.bt.co.uk>.
+ CONFIG: add MASQUERADE_DOMAIN(domain list) to extend the list of
+ sender domains that will be replaced with the masquerade name.
+ These domains will not be treated as local, but if mail passes
+ through with sender addresses in those domains they will be
+ replaced by the masquerade name. These can also be specified
+ in a file using MASQUERADE_DOMAIN_FILE(filename).
+ CONFIG: add FEATURE(masquerade_envelope) to masquerade the envelope
+ as well as the header. Substantial improvements to this
+ code were contributed by Per Hedeland.
+ CONFIG: add MAILER(phquery) to define a new "ph" mailer; this can be
+ accessed from a mailertable to do CCSO ph lookups. Contributed
+ by Kimmo Suominen.
+ CONFIG: add MAILER(cyrus) to define a new Cyrus mailer; this can be
+ used to define cyrus and cyrusbb mailers (for IMAP support).
+ Contributed by John Gardiner Myers of Carnegie Mellon.
+ CONFIG: add confUUCP_MAILER to select default mailer to use for
+ UUCP addressing. Suggested by Tom Moore of AT&T GIS.
+ NEW FILES:
+ cf/cf/cs-hpux10.mc
+ cf/cf/cs-solaris2.mc
+ cf/cf/cyrusproto.mc
+ cf/cf/generic-bsd4.4.mc
+ cf/cf/generic-hpux10.mc
+ cf/cf/generic-hpux9.mc
+ cf/cf/generic-osf1.mc
+ cf/cf/generic-solaris2.mc
+ cf/cf/generic-sunos4.1.mc
+ cf/cf/generic-ultrix4.mc
+ cf/cf/huginn.cs.mc
+ cf/domain/berkeley-only.m4
+ cf/domain/generic.m4
+ cf/feature/bestmx_is_local.m4
+ cf/feature/local_procmail.m4
+ cf/feature/masquerade_envelope.m4
+ cf/feature/smrsh.m4
+ cf/feature/stickyhost.m4
+ cf/feature/use_ct_file.m4
+ cf/m4/cfhead.m4
+ cf/mailer/cyrus.m4
+ cf/mailer/mail11.m4
+ cf/mailer/phquery.m4
+ cf/mailer/procmail.m4
+ cf/ostype/amdahl-uts.m4
+ cf/ostype/bsdi2.0.m4
+ cf/ostype/hpux10.m4
+ cf/ostype/irix5.m4
+ cf/ostype/isc4.1.m4
+ cf/ostype/ptx2.m4
+ cf/ostype/unknown.m4
+ contrib/bsdi.mc
+ contrib/mailprio
+ contrib/rmail.oldsys.patch
+ mail.local/mail.local.0
+ makemap/makemap.0
+ smrsh/README
+ smrsh/smrsh.0
+ smrsh/smrsh.8
+ smrsh/smrsh.c
+ src/Makefiles/Makefile.CSOS
+ src/Makefiles/Makefile.EWS-UX_V
+ src/Makefiles/Makefile.HP-UX.10
+ src/Makefiles/Makefile.IRIX.5.x
+ src/Makefiles/Makefile.IRIX64
+ src/Makefiles/Makefile.ISC
+ src/Makefiles/Makefile.KSR
+ src/Makefiles/Makefile.NEWS-OS.4.x
+ src/Makefiles/Makefile.NEWS-OS.6.x
+ src/Makefiles/Makefile.NEXTSTEP
+ src/Makefiles/Makefile.NonStop-UX
+ src/Makefiles/Makefile.Paragon
+ src/Makefiles/Makefile.SCO.3.2v4.2
+ src/Makefiles/Makefile.SunOS.5.3
+ src/Makefiles/Makefile.SunOS.5.4
+ src/Makefiles/Makefile.SunOS.5.5
+ src/Makefiles/Makefile.UNIX_SV.4.x.i386
+ src/Makefiles/Makefile.uts.systemV
+ src/Makefiles/Makefile.UX4800
+ src/aliases.0
+ src/mailq.0
+ src/mime.c
+ src/newaliases.0
+ src/sendmail.0
+ test/t_seteuid.c
+ RENAMED FILES:
+ cf/cf/alpha.mc => cf/cf/s2k-osf1.mc
+ cf/cf/chez.mc => cf/cf/chez.cs.mc
+ cf/cf/hpux-cs-exposed.mc => cf/cf/cs-hpux9.mc
+ cf/cf/osf1-cs-exposed.mc => cf/cf/cs-osf1.mc
+ cf/cf/s2k.mc => cf/cf/s2k-ultrix4.mc
+ cf/cf/sunos4.1-cs-exposed.mc => cf/cf/cs-sunos4.1.mc
+ cf/cf/ultrix4.1-cs-exposed.mc => cf/cf/cs-ultrix4.mc
+ cf/cf/vangogh.mc => cf/cf/vangogh.cs.mc
+ cf/domain/Berkeley.m4 => cf/domain/Berkeley.EDU.m4
+ cf/domain/cs-exposed.m4 => cf/domain/CS.Berkeley.EDU.m4
+ cf/domain/eecs-hidden.m4 => cf/domain/EECS.Berkeley.EDU.m4
+ cf/domain/s2k.m4 => cf/domain/S2K.Berkeley.EDU.m4
+ cf/ostype/hpux.m4 => cf/ostype/hpux9.m4
+ cf/ostype/irix.m4 => cf/ostype/irix4.m4
+ cf/ostype/ultrix4.1.m4 => cf/ostype/ultrix4.m4
+ src/Makefile.* => src/Makefiles/Makefile.*
+ src/Makefile.AUX => src/Makefiles/Makefile.A-UX
+ src/Makefile.BSDI => src/Makefiles/Makefile.BSD-OS
+ src/Makefile.DGUX => src/Makefiles/Makefile.dgux
+ src/Makefile.RISCos => src/Makefiles/Makefile.UMIPS
+ src/Makefile.SunOS.4.0.3 => src/Makefiles/Makefile.SunOS.4.0
+ OBSOLETED FILES:
+ cf/cf/cogsci.mc
+ cf/cf/cs-exposed.mc
+ cf/cf/cs-hidden.mc
+ cf/cf/hpux-cs-hidden.mc
+ cf/cf/knecht.mc
+ cf/cf/osf1-cs-hidden.mc
+ cf/cf/sunos3.5-cs-exposed.mc
+ cf/cf/sunos3.5-cs-hidden.mc
+ cf/cf/sunos4.1-cs-hidden.mc
+ cf/cf/ultrix4.1-cs-hidden.mc
+ cf/domain/cs-hidden.m4
+ contrib/rcpt-streaming
+ src/Makefiles/Makefile.SunOS.5.x
+
+8.6.13/8.6.12 96/01/25
+ SECURITY: In some cases it was still possible for an attacker to
+ insert newlines into a queue file, thus allowing access to
+ any user (except root).
+ CONFIG: no changes -- it is not a bug that the configuration
+ version number is unchanged.
+
+8.6.12/8.6.12 95/03/28
+ Fix to IDENT code (it was getting the size of the reply buffer
+ too small, so nothing was ever accepted). Fix from several
+ people, including Allan Johannesen, Shane Castle of the
+ Boulder County Information Services, and Jeff Smith of
+ Warwick University (all arrived within a few hours of
+ each other!).
+ Fix a problem that could cause large jobs to run out of
+ file descriptors on systems that use vfork() rather
+ than fork().
+
+8.6.11/8.6.11 95/03/08
+ The ``possible attack'' message would be logged more often
+ than necessary if you are using Pine as a user agent.
+ The wrong host would be reported in the ``possible attack''
+ message when attempted from IDENT.
+ In some cases the syslog buffer could be overflowed when
+ reporting the ``possible attack'' message. This can
+ cause denial of service attacks. Truncate the message
+ to 80 characters to prevent this problem.
+ When reading the IDENT response a loop is needed around the
+ read from the network to ensure that you don't get
+ partial lines.
+ Password entries without any shell listed (that is, a null
+ shell) wouldn't match as "ok". Problem noted by
+ Rob McMahon.
+ When running BIND 4.9.x a problem could occur because the
+ _res.options field is initialized differently than it
+ was historically -- this requires that sendmail call
+ res_init before it tweaks any bits.
+ Fix an incompatibility in openxscript() between the file open mode
+ and the stdio mode passed to fdopen. This caused UnixWare
+ 2.0 to have conniptions. Fix from Martin Sohnius of
+ Novell Labs Europe.
+ Fix problem with static linking of local getopt routine when
+ using GNU's ld command. Fix from John Kennedy of
+ Cal State Chico.
+ It was possible to turn off privacy flags. Problem noted by
+ *Hobbit*.
+ Be more paranoid about writing files. Suggestions by *Hobbit*
+ and Liudvikas Bukys.
+ MAKEMAP: fixes for 64 bit machines (DEC Alphas in particular)
+ from Spider Boardman.
+ CONFIG: No changes (version number only, to keep it in sync
+ with the binaries).
+
+8.6.10/8.6.10 95/02/10
+ SECURITY: Diagnose bogus values to some command line flags that
+ could allow trash to get into headers and qf files.
+ Validate the name of the user returned by the IDENT protocol.
+ Some systems that really dislike IDENT send intentionally
+ bogus information. Problem pointed out by Michael Bushnell
+ of the Free Software Foundation. Has some security
+ implications.
+ Fix a problem causing error messages about DNS problems when
+ the host name contained a percent sign to act oddly
+ because it was passed as a printf-style format string.
+ In some cases this could cause core dumps.
+ Avoid possible buffer overrun in returntosender() if error
+ message is quite long. From Fletcher Mattox of the
+ University of Texas.
+ Fix a problem that would silently drop "too many hops" error
+ messages if and only if you were sending to an alias.
+ From Jon Giltner of the University of Colorado and
+ Dan Harton of Oak Ridge National Laboratory.
+ Fix a bug that caused core dumps on some systems if -d11.2 was
+ set and e->e_message was null. Fix from Bruce Nagel of
+ Data General.
+ Fix problem that can still cause df files to be left around
+ after "hop count exceeded" messages. Fix from Andrew
+ Chang and Shau-Ping Lo of SunSoft.
+ Fix a problem that can cause buffer overflows on very long
+ user names (as might occur if you piped to a program
+ with a lot of arguments).
+ Avoid returning an error and re-queueing if the host signature
+ is null; this can occur on addresses like ``user@.''.
+ Problem noted by Wesley Craig and the University of
+ Michigan.
+ Avoid possible calls to malloc(0) if MCI caching is turned
+ off. Bug fix from Pierre David of the Laboratoire
+ Parallelisme, Reseaux, Systemes et Modelisation (PRiSM),
+ Universite de Versailles - St Quentin, and Jacky
+ Thibault.
+ Make a local copy of the line being sent via senttolist() -- in
+ some cases, buffers could get trashed by map lookups
+ causing it to do unexpected things. This also simplifies
+ some of the map code.
+ CONFIG: No changes (version number only, to keep it in sync
+ with the binaries).
+
+8.6.9/8.6.9 94/04/19
+ Do all mail delivery completely disconnected from any terminal.
+ This provides consistency with daemon delivery and
+ may have some security implications.
+ Make sure that malloc doesn't get called with zero size,
+ since that fails on some systems. Reported by Ed
+ Hill of the University of Iowa.
+ Fix multi-line values for $e (SMTP greeting message). Reported
+ by Mike O'Connor of Ford Motor Company.
+ Avoid syserr if no NIS domain name is defined, but the map it
+ is trying to open is optional. From Win Bent of USC.
+ Changes for picky compilers from Ed Gould of Digital Equipment.
+ Hesiod support for UDB from Todd Miller of the University of
+ Colorado. Use "hesiod" as the service name in the U
+ option.
+ Fix a problem that failed to set the "authentic" host name (that
+ is, the one derived from the socket info) if you called
+ sendmail -bs from inetd. Based on code contributed by
+ Todd Miller (this problem was also reported by Guy Helmer
+ of Dakota State University). This also fixes a related
+ problem reported by Liudvikas Bukys of the University of
+ Rochester.
+ Parameterize "nroff -h" in all the Makefiles so people with
+ variant versions can use them easily. Suggested by
+ Peter Collinson of Hillside Systems.
+ SMTP "MAIL" commands with multiple ESMTP parameters required two
+ spaces between parameters instead of one. Reported by
+ Valdis Kletnieks of Virginia Tech.
+ Reduce the number of system calls during message collection by
+ using global timeouts around the collect() loop. This
+ code was contributed by Eric Wassenaar.
+ If the initial hostname name gathering results in a name
+ without a dot (usually caused by NIS misconfiguration)
+ and BIND is compiled in, directly access DNS to get
+ the canonical name. This should make life easier for
+ Solaris systems. If it still can't be resolved, and
+ if the name server is listed as "required", try again
+ in 30 seconds. If that also fails, exit immediately to
+ avoid bogus "config error: mail loops back to myself"
+ messages.
+ Improve the "MAIL DELETED BECAUSE OF LACK OF DISK SPACE" error
+ message to explain how much space was available and
+ sound a bit less threatening. Suggested by Stan Janet
+ of the National Institute of Standards and Technology.
+ If mail is delivered to an alias that has an owner, deliver any
+ requested return-receipt immediately, and strip the
+ Return-Receipt-To: header from the subsequent message.
+ This prevents a certain class of denial of service
+ attack, arguably gives more reasonable semantics, and
+ moves things more towards what will probably become a
+ network standard. Suggested by Christopher Davis of
+ Kapor Enterprises.
+ Add a "noreceipts" privacy flag to turn off all return receipts
+ without recompiling.
+ Avoid printing ESMTP parameters as part of the error message
+ if there are errors during parsing. This change is
+ purely cosmetic.
+ Avoid sending out error messages during the collect phase of
+ SMTP; there is an MVS mailer from UCLA that gets
+ confused by this. Of course, I think it's their bug....
+ Check for the $j macro getting undefined, losing a dot, or getting
+ lost from $=w in the daemon before accepting a connection;
+ if it is, it dumps state, prints a LOG_ALERT message,
+ and drops core for debugging. This is an attempt to
+ track down a bug that I thought was long since gone.
+ If you see this, please forward the log fragment to
+ sendmail@sendmail.ORG.
+ Change OLD_NEWDB from a #ifdef to a #if so it can be turned off
+ with -DOLD_NEWDB=0 on the command line. From Christophe
+ Wolfhugel.
+ Instead of trying to truncate the listen queue for the server
+ SMTP port when the load average is too high, just close
+ the port completely and reopen it later as needed.
+ This ensures that the other end gets a quick "connection
+ refused" response, and that the connection can be
+ recovered later. In particular, some socket emulations
+ seem to get confused if you tweak the listen queue
+ size around and can never start listening to connections
+ again. The down side is that someone could start up
+ another daemon process in the interim, so you could
+ have multiple daemons all not listening to connections;
+ this could in turn cause the sendmail.pid file to be
+ incorrect. A better approach might be to accept the
+ connection and give a 421 code, but that could break
+ other mailers in mysterious ways and have paging behaviour
+ implications.
+ Fix a glitch in TCP-level debugging that caused flag 16.101 to
+ set debugging on the wrong socket. From Eric Wassenaar.
+ When creating a df* temporary file, be sure you truncate any
+ existing data in the file -- otherwise system crashes
+ and the like could result in extra data being sent.
+ DOC: Replace the CHANGES-R5-R8 readme file with a paper in the
+ doc directory. This includes some additional
+ information.
+ CONFIG: change UUCP rules to never add $U! or $k! on the front
+ of recipient envelope addresses. This should have been
+ handled by the $&h trick, but broke if people were
+ mixing domainized and UUCP addresses. They should
+ probably have converted all the way over to uucp-uudom
+ instead of uucp-{new,old}, but the failure mode was to
+ loop the mail, which was bad news.
+ Portability fixes:
+ Newer BSDI systems (several people).
+ Older BSDI systems from Christophe Wolfhugel.
+ Intergraph CLIX, from Paul Southworth of CICNet.
+ UnixWare, from Evan Champion.
+ NetBSD from Adam Glass.
+ Solaris from Quentin Campbell of the University of
+ Newcastle upon Tyne.
+ IRIX from Dean Cookson and Bill Driscoll of Mitre
+ Corporation.
+ NCR 3000 from Kevin Darcy of Chrysler Financial Corporation.
+ SunOS (it has setsid() and setvbuf() calls) from
+ Jonathan Kamens of OpenVision Technologies.
+ HP-UX from Tor Lillqvist.
+ New Files:
+ src/Makefile.CLIX
+ src/Makefile.NCR3000
+ doc/changes/Makefile
+ doc/changes/changes.me
+ doc/changes/changes.ps
+
+8.6.8/8.6.6 94/03/21
+ SECURITY: it was possible to read any file as root using the
+ E (error message) option. Reported by Richard Jones;
+ fixed by Michael Corrigan and Christophe Wolfhugel.
+
+8.6.7/8.6.6 94/03/14
+ SECURITY: it was possible to get root access by using weird
+ values to the -d flag. Thanks to Alain Durand of
+ INRIA for forwarding me the notice from the bugtraq
+ list.
+
+8.6.6/8.6.6 94/03/13
+ SECURITY: the ability to give files away on System V-based
+ systems proved dangerous -- don't run as the owner
+ of a :include: file on a system that allows giveaways.
+ Unfortunately, this also applies to determining a
+ valid shell.
+ IMPORTANT: Previous versions weren't expiring old connections
+ in the connection cache for a long time under some
+ circumstances. This could result in resource exhaustion,
+ both at your end and at the other end. This checks the
+ connections for timeouts much more frequently. From
+ Doug Anderson of NCSC.
+ Fix a glitch that snuck in that caused programs to be run as
+ the sender instead of the recipient if the mail was
+ from a local user to another local user. From
+ Motonori Nakamura of Kyoto University.
+ Fix "wildcard" on /etc/shells matching -- instead of looking
+ for "*", look for "/SENDMAIL/ANY/SHELL/". From
+ Bryan Costales of ICSI.
+ Change the method used to declare the "statfs" availability;
+ instead of HASSTATFS and/or HASUSTAT with a ton of
+ tweaking in conf.c, there is a single #define called
+ SFS_TYPE which takes on one of six values (SFS_NONE
+ for no statfs availability, SFS_USTAT for the ustat(2)
+ syscall, SFS_4ARGS for a four argument statfs(2) call,
+ and SFS_VFS, SFS_MOUNT, or SFS_STATFS for a two argument
+ statfs(2) call with the declarations in <sys/vfs.h>,
+ <sys/mount.h>, or <sys/statfs.h> respectively).
+ Fix glitch in NetInfo support that could return garbage if
+ there was no "/locations/sendmail" property. From
+ David Meyer of the University of Virginia.
+ Change HASFLOCK from defined/not-defined to a 0/1 definition
+ to allow Linux to turn it off even though it is a
+ BSD-like system.
+ Allow setting of "ident" timeout to zero to turn off the ident
+ protocol entirely.
+ Make 7-bit stripping local to a connection (instead of to a
+ mailer); this allows you to specify that SMTP is a
+ 7-bit channel, but revert to 8-bit should it advertise
+ that it supports 8BITMIME. You still have to specify
+ mailer flag 7 to get this stripping at all.
+ Improve makesendmail script so it handles more cases automatically.
+ Tighten up restrictions on taking ownership of :include: files
+ to avoid problems on systems that allow you to give away
+ files.
+ Fix a problem that made it impossible to rebuild the alias
+ file if it was on a read-only file system. From
+ Harry Edmon of the University of Washington.
+ Improve MX randomization function. From John Gardiner Myers
+ of CMU.
+ Fix a minor glitch causing a bogus message to be printed (used
+ %s instead of %d in a printf string for the line number)
+ when a bad queue file was read. From Harry Edmon.
+ Allow $s to remain NULL on locally generated mail. I'm not
+ sure this is necessary, but a lot of people have complained
+ about it, and there is a legitimate question as to whether
+ "localhost" is legal as an 822-style domain.
+ Fix a problem with very short line lengths (mailer L= flag) in
+ headers. This causes a leading space to be added onto
+ continuation lines (including in the body!), and also
+ tries to wrap headers containing addresses (From:, To:,
+ etc) intelligently at the shorter line lengths. Problem
+ Reported by Lars-Johan Liman of SUNET Operations Center.
+ Log the real user name when logging syserrs, since these can have
+ security implications. Suggested by several people.
+ Fix address logging of cached connections -- it used to always
+ log the numeric address as zero. This is a somewhat
+ bogus implementation in that it does an extra system
+ call, but it should be an inexpensive one. Fix from
+ Motonori Nakamura.
+ Tighten up handling of short syslog buffers even more -- there
+ were cases where the outgoing relay= name was too long
+ to share a line with delay= and mailer= logging.
+ Limit the overhead on split envelopes to one open file descriptor
+ per envelope -- previously the overhead was three
+ descriptors. This was in response to a problem reported
+ by P{r (Pell) Emanuelsson.
+ Fixes to better handle the case of unexpected connection closes;
+ this redirects the output to the transcript so the info
+ is not lost. From Eric Wassenaar.
+ Fix potential string overrun if you macro evaluate a string that
+ has a naked $ at the end. Problem noted by James Matheson
+ <jmrm@eng.cam.ac.uk>.
+ Make default error number on $#error messages 553 (``Requested
+ action not taken: mailbox name not allowed'') instead of
+ 501 (``Syntax error in parameters or arguments'') to
+ avoid bogus "protocol error" messages.
+ Strip off any existing trailing dot on names during $[ ... $]
+ lookup. This prevents it from ending up with two dots
+ on the end of dot terminated names. From Wesley Craig
+ of the University of Michigan and Bryan Costales of ICSI.
+ Clean up file class reading so that the debugging information is
+ more informative. It hadn't been using setclass, so you
+ didn't see the class items being added.
+ Avoid core dump if you are running a version of sendmail where
+ NIS is compiled in, and you specify an NIS map, but
+ NIS is not running. Fix from John Oleynick of
+ Rutgers.
+ Diagnose bizarre case where res_search returns a failure value,
+ but sets h_errno to a success value.
+ Make sure that "too many hops" messages are considered important
+ enough to send an error to the Postmaster (that is, the
+ address specified in the P option). This fix should
+ help problems that cause the df file to be left around
+ sometimes -- unfortunately, I can't seem to reproduce
+ the problem myself.
+ Avoid core dump (null pointer reference) on EXPN command; this
+ only occurred if your log level was set to 10 or higher
+ and the target account was an alias or had a .forward file.
+ Problem noted by Janne Himanka.
+ Avoid "denial of service" attacks by someone who is flooding your
+ SMTP port with bad commands by shutting the connection
+ after 25 bad commands are issued. From Kyle Jones of
+ UUNET.
+ Fix core dump on error messages with very long "to" buffers;
+ fmtmsg overflows the message buffer. Fixed by trimming
+ the to address to 203 characters. Problem reported by
+ John Oleynick.
+ Fix configuration for HASFLOCK -- there were some spots where
+ a #ifndef was incorrectly #ifdef. Pointed out by
+ George Baltz of the University of Maryland.
+ Fix a typo in savemail() that could cause the error message To:
+ lists to be incorrect in some places. From Motonori
+ Nakamura.
+ Fix a glitch that can cause duplicate error messages on split
+ envelopes where an address on one of the lists has a
+ name server failure. Fix from Voradesh Yenbut of the
+ University of Washington.
+ Fix possible bogus pointer reference on ESMTP parameters that
+ don't have an ``=value'' part.
+ CNAME loops caused an error message to be generated, but also
+ re-queued the message. Changed to just re-queue the
+ message (it's really hard to just bounce it because
+ of the weird way the name server works in the presence
+ of CNAME loops). Problem noted by James M.R.Matheson
+ of Cambridge University.
+ Avoid giving ``warning: foo owned process doing -bs'' messages
+ if they use ``MAIL FROM:<foo>'' where foo is their true
+ user name. Suggested by Andreas Stolcke of ICSI.
+ Change the NAMED_BIND compile flag to be a 0/1 flag so you can
+ override it easily in the Makefile -- that is, you can
+ turn it off using -DNAMED_BIND=0.
+ If a gethostbyname(...) of an address with a trailing dot fails,
+ try it without the trailing dot. This is because if
+ you have a version of gethostbyname() that falls back
+ to NIS or the /etc/hosts file it will fail to find
+ perfectly reasonable names that just don't happen to
+ be dot terminated in the hosts file. You don't want to
+ strip the dot first though because we're trying to ensure
+ that country names that match one of your subdomains get
+ a chance.
+ PRALIASES: fix bogus output on non-null-terminated strings.
+ From Bill Gianopoulos of Raytheon.
+ CONFIG: Avoid rewriting anything that matches $w to be $j.
+ This was in code intended to only catch the self-literal
+ address (that is, [1.2.3.4], where 1.2.3.4 is your
+ IP address), but the code was broken. However, it will
+ still do this if $M is defined; this is necessary to
+ get client configurations to work (sigh). Note that this
+ means that $M overrides :mailname entries in the user
+ database! Problem noted by Paul Southworth.
+ CONFIG: Fix definition of Solaris help file location. From
+ Steve Cliffe <steve@gorgon.cs.uow.edu.au>.
+ CONFIG: Fix bug that broke news.group.USENET mappings.
+ CONFIG: Allow declaration of SMTP_MAILER_MAX, FAX_MAILER_MAX,
+ and USENET_MAILER_MAX to tweak the maximum message
+ size for various mailers.
+ CONFIG: Change definition of USENET_MAILER_ARGS to include argv[0]
+ instead of assuming that it is "inews" for consistency
+ with other mailers. From Michael Corrigan of UC San Diego.
+ CONFIG: When mail is forwarded to a LOCAL_RELAY or a MAIL_HUB,
+ qualify the address in the SMTP envelope as user@{relay|hub}
+ instead of user@$j. From Bill Wisner of The Well.
+ CONFIG: Fix route-addr syntax in nullrelay configuration set.
+ CONFIG: Don't turn off case mapping of user names in the local
+ mailer for IRIX. This was different than most every other
+ system.
+ CONFIG: Avoid infinite loops on certainly list:; syntaxes in
+ envelope. Noted by Thierry Besancon
+ <besancon@excalibur.ens.fr>.
+ CONFIG: Don't include -z by default on uux line -- most systems
+ don't want it set by default. Pointed out by Philippe
+ Michel of Thomson CSF.
+ CONFIG: Fix some bugs with mailertables -- for example, if your
+ host name was foo.bar.ray.com and you matched against
+ ".ray.com", the old implementation bound %1 to "bar"
+ instead of "foo.bar". Also, allow "." in the mailertable
+ to match anything -- essentially, take over SMART_HOST.
+ This also moves matching of explicit local host names
+ before the mailertable so they don't have to be special
+ cased in the mailertable data. Reported by Bill
+ Gianopoulos of Raytheon; the fix for the %1 binding
+ problem was contributed by Nicholas Comanos of the
+ University of Sydney.
+ CONFIG: Don't include "root" in class $=L (users to deliver
+ locally, even if a hub or relay exists) by default.
+ This is because of the known bug where definition of
+ both a LOCAL_RELAY and a MAIL_HUB causes $=L to ignore
+ both and deliver into the local mailbox.
+ CONFIG: Move up bitdomain and uudomain handling so that they
+ are done before .UUCP class matching; uudomain was
+ reported as ineffective before. This also frees up
+ diversion 8 for future use. Problem reported by Kimmo
+ Suominen.
+ CONFIG: Don't try to convert dotted IP address (e.g., [1.2.3.4])
+ into host names. As pointed out by Jonathan Kamens,
+ these are often used because either the forward or reverse
+ mapping is broken; this translation makes it broken again.
+ DOC: Clarify $@ and $: in the Install & Op Guide. From Kimmo
+ Suominen.
+ Portability fixes:
+ Unicos from David L. Kensiski of Sterling Software.
+ DomainOS from Don Lewis of Silicon Systems.
+ GNU m4 1.0.3 from Karst Koymans of Utrecht University.
+ Convex from Kimmo Suominen <kim@tac.nyc.ny.us>.
+ NetBSD from Adam Glass <glass@sun-lamp.cs.berkeley.edu>.
+ BSD/386 from Tony Sanders of BSDI.
+ Apollo from Eric Wassenaar.
+ DGUX from Doug Anderson.
+ Sequent DYNIX/ptx 2.0 from Tim Wright of Sequent.
+ NEW FILES:
+ src/Makefile.DomainOS
+ src/Makefile.PTX
+ src/Makefile.SunOS.5.1
+ src/Makefile.SunOS.5.2
+ src/Makefile.SunOS.5.x
+ src/mailq.1
+ cf/ostype/domainos.m4
+ doc/op/Makefile
+ doc/intro/Makefile
+ doc/usenix/Makefile
+
+8.6.5/8.6.5 94/01/13
+ Security fix: /.forward could be owned by anyone (the test
+ to allow root to own any file was backwards). From
+ Bob Campbell at U.C. Berkeley.
+ Security fix: group ids were not completely set when programs
+ were invoked. This caused programs to have group
+ permissions they should not have had (usually group
+ daemon instead of their own group). In particular,
+ Perl scripts would refuse to run.
+ Security: check to make sure files that are written are not
+ symbolic links (at least under some circumstances).
+ Although this does not respond to a specific known
+ attack, it's just a good idea. Suggested by
+ Christian Wettergren.
+ Security fix: if a user had an NFS mounted home directory on
+ a system with a restricted shell listed in their
+ /etc/passwd entry, they could still execute any
+ program by putting that in their .forward file.
+ This fix prevents that by insisting that their shell
+ appear in /etc/shells before allowing a .forward to
+ execute a program or write a file. You can disable
+ this by putting "*" in /etc/shells. It also won't
+ permit world-writable :include: files to reference
+ programs or files (there's no way to disable this).
+ These behaviours are only one level deep -- for
+ example, it is legal for a world-writable :include:
+ file to reference an alias that writes a file, on
+ the assumption that the alias file is well controlled.
+ Security fix: root was not treated suspiciously enough when
+ looking into subdirectories. This would potentially
+ allow a cracker to examine files that were publicly
+ readable but in a non-publicly searchable directory.
+ Fix a problem that causes an error on QUIT on a cached
+ connection to create problems on the current job.
+ These are typically unrelated, so errors occur in
+ the wrong place.
+ Reset CurrentLA in sendall() -- this makes sendmail queue
+ runs more responsive to load average, and fixes a
+ problem that ignored the load average in locally
+ generated mail. From Eric Wassenaar.
+ Fix possible core dump on aliases with null LHS. From
+ John Orthoefer of BB&N.
+ Revert to using flock() whenever possible -- there are just
+ too many bugs in fcntl() locking, particularly over
+ NFS, that cause sendmail to fail in perverse ways.
+ Fix a bug that causes the connection cache to get confused
+ when sending error messages. This resulted in
+ "unexpected close" messages. It should fix itself
+ on the following queue run. Problem noted by
+ Liudvikas Bukys of the University of Rochester.
+ Include $k in $=k as documented in the Install & Op Guide.
+ This seems odd, but it was documented.... From
+ Michael Corrigan of UCSD.
+ Fix problem that caused :include:s from alias files to be
+ forced to be owned by root instead of daemon
+ (actually DefUid). From Tim Irvin.
+ Diagnose unrecognized I option values -- from Mortin Forssen
+ of the Chalmers University of Technology.
+ Make "error" mailer work consistently when there is no error
+ code associated with it -- previously it returned OK
+ even though there was a real problem. Now it assumes
+ EX_UNAVAILABLE.
+ Fix bug that caused the last header line of messages that had
+ no body and which were terminated with EOF instead of
+ "." to be discarded. Problem noted by Liudvikas Bukys.
+ Fix core dump on SMTP mail to programs that failed -- it tried
+ to go to a "next MX host" when none existed, causing
+ a core dump. From der Mouse at McGill University.
+ Change IDENTPROTO from a defined/not defined to a 0/1 switch;
+ this makes it easier to turn it off (using
+ -DIDENTPROTO=0 in the Makefile). From der Mouse.
+ Fix YP_MASTER_NAME store to use the unupdated result of
+ gethostname() (instead of myhostname(), which tries
+ to fully qualify the name) to be consistent with
+ SunOS. If your hostname is unqualified, this fixes
+ transfers to slave servers. Bug noted by Keith
+ McMillan of Ameritech Services, Inc.
+ Fix Ultrix problem: gethostbyname() can return a very large
+ (> 500) h_length field, which causes the sockaddr
+ to be trashed. Use the size of the sockaddr instead.
+ Fix from Bob Manson of Ohio State.
+ Don't assume "-a." on host lookups if NAMED_BIND is not
+ defined -- this confuses gethostbyname on hosts
+ file lookups, which doesn't understand the trailing
+ dot convention.
+ Log SMTP server subprocesses that die with a signal instead
+ of from a clean exit.
+ If you don't have option "I" set, don't assume that a DNS
+ "host unknown" message is authoritative -- it
+ might still be found in /etc/hosts.
+ Fix a problem that would cause Deferred: messages to be sent
+ as the subject of an error message, even though the
+ actual cause of a message was more severe than that.
+ Problem noted by Chris Seabrook of OSSI.
+ Fix race condition in DBM alias file locking. From Kyle
+ Jones of UUNET.
+ Limit delivery syslog line length to avoid bugs in some
+ versions of syslog(3). This adds a new compile time
+ variable SYSLOG_BUFSIZE. From Jay Plett of Princeton
+ University, which is in turn derived from IDA.
+ Fix quotes inside of comments in addresses -- previously
+ it insisted that they be balanced, but the 822 spec
+ says that they should be ignored.
+ Dump open file state to syslog upon receiving SIGUSR1 (for
+ debugging). This also evaluates ruleset 89, if set
+ (with the null input), and logs the result. This
+ should be used sparingly, since the rewrite process
+ is not reentrant.
+ Change -qI, -qR, and -qS flags to be case-insensitive as
+ documented in the Bat Book.
+ If the mailer returned EX_IOERR or EX_OSERR, sendmail did not
+ return an error message and did not requeue the message.
+ Fix based on code from Roland Dirlewanger of
+ Reseau Regional Aquarel, Bordeaux, France.
+ Fix a problem that caused a seg fault if you got a 421 error
+ code during some parts of connection initialization.
+ I've only seen this when talking to buggy mailers on
+ the other end, but it shouldn't give a seg fault in
+ any case. From Amir Plivatsky.
+ Fix core dump caused by a ruleset call that returns null.
+ Fix from Bryan Costales of ICSI.
+ Full-Name: field was being ignored. Fix from Motonori Nakamura
+ of Kyoto University.
+ Fix a possible problem with very long input lines in setproctitle.
+ From P{r Emanuelsson.
+ Avoid putting "This is a warning message" out on return receipts.
+ Suggested by Douglas Anderson.
+ Detect loops caused by recursive ruleset calls. Suggested by
+ Bryan Costales.
+ Initialize non-alias maps during alias rebuilds -- they may be
+ needed for parsing. Problem noted by Douglas Anderson.
+ Log sender address even if no message was collected in SMTP
+ (e.g., if all RCPTs failed). Suggested by Motonori
+ Nakamura.
+ Don't reflect the owner-list contents into the envelope sender
+ address if the value contains ", :, /, or | (to avoid
+ illegal addresses appearing there).
+ Efficiency hack for toktype macro -- from Craig Partridge of
+ BB&N.
+ Clean up DNS error printing so that a host name is always
+ included.
+ Remember to set $i during queue runs. Reported by Stephen
+ Campbell of Dartmouth University.
+ If the environment variable HOSTALIASES is set, use it during
+ canonification as the name of a file with per-user host
+ translations so that headers are properly mapped. Reported
+ by Anne Bennett of Concordia University.
+ Avoid printing misleading error message if SMTP mailer (not
+ using [IPC]) should die on a core dump.
+ Avoid incorrect diagnosis of "file 1 closed" when it is caused
+ by the other end closing the connection. From
+ Dave Morrison of Oracle.
+ Improve several of the error messages printed by "mailq"
+ to include a host name or other useful information.
+ Add NetInfo preliminary support for NeXT systems. From Vince
+ DeMarco.
+ Fix a glitch that sometimes caused :include:s that pointed to
+ NFS filesystems that were down to give an "aliasing/
+ forwarding loop broken" message instead of queueing
+ the message for retry. Noted by William C Fenner of
+ the NRL Connection Machine Facility.
+ Fix a problem that could cause a core dump if the input sequence
+ had (or somehow acquired) a \231 character.
+ Make sure that route-addrs always have <angle brackets> around
+ them in non-SMTP envelopes (SMTP envelopes already do
+ this properly).
+ Avoid weird headers on unbalanced punctuation of the form:
+ ``Joe User <user)'' -- this caused reference to the
+ null macro. Fix from Rick McCarty of IO.COM.
+ Fix a problem that caused an alias "user: user@local.host" to
+ not have the QNOTREMOTE bit set; this caused configs
+ to act as if FEATURE(notsticky) was defined even when
+ it was not. The effect of the problem was to make it
+ very hard to to set up satellite sites that had a few
+ local accounts, with everything else forwarded to a
+ corporate hub. Reported by Detlef Drewanz of the
+ University of Rostock and Mark Frost of NCD.
+ Change queuing to not call rulesets 3, {1 or 2}, 4 on header
+ addresses. This is more efficient (fewer name server
+ calls) and fixes certain unusual configurations, such
+ as those that have ruleset 4 do something that is
+ non-idempotent unless a mailer-specific ruleset did
+ something else. Problem reported by Brian J. Coan
+ of the Institute for Global Communications.
+ Fix the "obsolete argument" routine in main to better understand
+ new arguments. For example, if you used ``sendmail
+ -C config -v -q'' it would choke on the -q because
+ the -C would stop looking for old-format arguments.
+ Fix the code that was intended to allow two users to forward their
+ mail to the same program and have them appear unique.
+ Portability fixes for:
+ SCO UNIX from Murray Kucherawy.
+ SCO Open Server 3.2v4 from Philippe Brand.
+ System V Release 4 from Rick Ellis and others.
+ OSF/1 from Steve Campbell.
+ DG/UX from Ben Mesander of the USGS and Bryan Curnutt
+ of Stoner Associates.
+ Motorola SysV88 from Kevin Johnson of Motorola.
+ Solaris 2.3 from Casper H.S. Dik of the University
+ of Amsterdam and John Caruso of University
+ of Maryland.
+ FreeBSD from Ollivier Robert.
+ NetBSD from Adam Glass.
+ TitanOS from Kate Hedstrom of Rutgers University.
+ Irix from Bryan Curnutt.
+ Dynix from Jim Davis of the University of Arizona.
+ RISC/os.
+ Linux from John Kennedy of California State University
+ at Chico.
+ Solaris 2.x from Tony Boner of the U.S. Air Force.
+ NEXTSTEP 3.x from Vince DeMarco.
+ HP-UX from various people. NOTA BENE: the location
+ of the config file has moved to /usr/lib
+ to match the HP-UX version of sendmail.
+ CONFIG: Don't do any recipient rewriting on relay mailer;
+ since this is intended only for internal use, the
+ usual RFC 821/822/1123 rules can be relaxed. The
+ main point of this is to avoid munging (ugh) UUCP
+ addresses when relaying internally.
+ CONFIG: fix typo in mailer/uucp.m4 that mutilates list:;
+ syntax addresses delivered via UUCP. Solution
+ provided by Peter Wemm.
+ CONFIG: fix thumb-fumble in default UUCP relaying in ruleset
+ zero; it caused double @ signs in addresses. From
+ Irving Reid of the University of Toronto.
+ CONFIG: Portability fixes for SCO Unix 3.2 with TCP/IP 1.2.1
+ from Markku Toijala of ICL Personal Systems Oy.
+ CONFIG: Add trailing "." on pseudo-domains for consistency;
+ this fixes a problem (noted by Al Whaley of Sunnyside)
+ that made it hard to recognize your own pseudodomain
+ names.
+ CONFIG: catch "@host" syntax errors (i.e., null local-parts)
+ rather than letting them get "local configuration
+ error"s. Problem noted by John Gardiner Myers.
+ CONFIG: add uucp-uudom mailer variant, based on code posted
+ by Spider Boardman <spider@Orb.Nashua.NH.US>; this
+ has uucp-dom semantics but old UUCP syntax. This
+ also permits "uucp-old" as an alias for "uucp" and
+ "uucp-new" as a synonym for "suucp" for consistency.
+ CONFIG: add POP mailer support (from Kimmo Suominen
+ <kim@grendel.lut.fi>).
+ CONFIG: drop CSNET_RELAY support -- CSNET is long gone.
+ CONFIG: fix bug caused with domain literal addresses (e.g.,
+ ``[128.32.131.12]'') when FEATURE(allmasquerade)
+ was set; it would get an additional @masquerade.host
+ added to the address. Problem noted by Peter Wan
+ of Georgia Tech.
+ CONFIG: make sure that the local UUCP name is in $=w. From
+ Jim Murray of Stratus.
+ CONFIG: changes to UUCP rewriting to simulate IDA-style "V"
+ mailer flag. Briefly, if you are sending to host
+ "foo", then it rewrites "foo!...!baz" to "...!baz",
+ "foo!baz" remains "foo!baz", and anything else has
+ the local name prepended.
+ CONFIG: portability fixes for HP-UX.
+ DOC: several minor problems fixed in the Install & Op Guide.
+ MAKEMAP: fix core dump problem on lines that are too long or
+ which lack newline. From Mark Delany.
+ MAILSTATS: print sums of columns (total messages & kbytes
+ in and out of the system). From Tom Ferrin of UC
+ San Francisco Computer Graphics Lab.
+ SIGNIFICANT USER- OR SYSAD-VISIBLE CHANGES:
+ On HP-UX, /etc/sendmail.cf has been moved to
+ /usr/lib/sendmail.cf to match HP sendmail.
+ Permissions have been tightened up on world-writable
+ :include: files and accounts that have shells
+ that are not listed in /etc/shells. This may
+ cause some .forward files that have worked
+ before to start failing.
+ SIGUSR1 dumps some state to the log.
+ NEW FILES:
+ src/Makefile.DGUX
+ src/Makefile.Dynix
+ src/Makefile.FreeBSD
+ src/Makefile.Mach386
+ src/Makefile.NetBSD
+ src/Makefile.RISCos
+ src/Makefile.SCO
+ src/Makefile.SVR4
+ src/Makefile.Titan
+ cf/mailer/pop.m4
+ cf/ostype/bsdi1.0.m4
+ cf/ostype/dgux.m4
+ cf/ostype/dynix3.2.m4
+ cf/ostype/sco3.2.m4
+ makemap/Makefile.dist
+ praliases/Makefile.dist
+
+8.6.4/8.6.4 93/10/31
+ Repair core-dump problem (write to read-only memory segment)
+ if you fall back to the return-to-Postmaster case in
+ savemail. Problem reported by Richard Liu.
+ Immediately diagnose bogus sender addresses in SMTP. This
+ makes quite certain that crackers can't use this
+ class of attack.
+ Reliability Fix: check return value from fclose() and fsync()
+ in a few critical places.
+ Minor problem in initsys() that reversed a condition for
+ redirecting the output channel on queue runs. It's
+ not clear this code even does anything. From Eric
+ Wassenaar of the Dutch National Institute for Nuclear
+ and High-Energy Physics.
+ Fix some problems that caused queue runs to do "too much work",
+ such as double-reading the Errors-To: header. From
+ Eric Wassenaar.
+ Error messages on writing the temporary file (including the
+ data file) were getting suppressed in SMTP -- this
+ fix causes them to be properly reported. From Eric
+ Wassenaar.
+ Some changes to support AF_UNIX sockets -- this will only
+ really become relevant in the next release, but some
+ people need it for local patches. From Michael
+ Corrigan of UC San Diego.
+ Use dynamically allocated memory (instead of static buffers)
+ for macros defined in initsys() and settime(); since
+ these can have different values depending on which
+ envelope they are in. From Eric Wassenaar.
+ Improve logging to show ctladdr on to= logging; this tells you
+ what uid/gid processes ran as.
+ Fix a problem that caused error messages to be discarded if
+ the sender address was unparseable for some reason;
+ this was supposed to fall back to the "return to
+ postmaster" case.
+ Improve aliaswait backoff algorithm.
+ Portability patches for Linux (8.6.3 required another header
+ file) (from Karl London) and SCO UNIX.
+ CONFIG: patch prog mailer to not strip host name off of envelope
+ addresses (so that it matches local again). From
+ Christopher Davis.
+ CONFIG: change uucp-dom mailer so that "<>" translates to $n;
+ this prevents uux from seeing lines with null names like
+ ``From Sat Oct 30 14:55:31 1993''. From Motonori
+ Nakamura of Kyoto University.
+ CONFIG: handle <list:;> syntax correctly. This isn't legal, but
+ it shouldn't fail miserably. From Motonori Nakamura.
+
+8.6.2/8.6.2 93/10/15
+ Put a "successful delivery" message in the transcript for
+ addresses that get return-receipts.
+ Put a prominent "this is only a warning" message in warning
+ messages -- some people don't read carefully enough
+ and end up sending the message several times.
+ Include reason for temporary failure in the "warning" return
+ message. Currently, it just says "cannot send for
+ four hours".
+ Fix the "Original message received" time generated for
+ returntosender messages. It was previously listed as
+ the current time. Bug reported by Eric Hagberg of
+ Cornell University Medical College.
+ If there is an error when writing the body of a message,
+ don't send the trailing dot and wait for a response
+ in sender SMTP, as this could cause the connection to
+ hang up under some bizarre circumstances. From Eric
+ Wassenaar.
+ Fix some server SMTP synchronization problems caused when
+ connections fail during message collection. From
+ Eric Wassenaar.
+ Fix a problem that can cause srvrsmtp to reject mail if the
+ name server is down -- it accepts the RCPT but rejects
+ the DATA command. Problem reported by Jim Murray of
+ Stratus.
+ Fix a problem that can cause core dumps if the config file
+ incorrectly resolves to a null hostname. Reported by
+ Allan Johannesen of WPI.
+ Non-root use of -C flag, dangerous -f flags, and use of -oQ
+ by non-root users were not put into
+ X-Authentication-Warning:s as intended because the
+ config file hadn't set the PrivacyFlags yet. Fix
+ from Sven-Ove Westberg of the University of Lulea.
+ Under very odd circumstances, the alias file rebuild code
+ could get confused as to whether a database was
+ open or not.
+ Check "vendor code" on the end of V lines -- this is
+ intended to provide a hook for vendor-specific
+ configuration syntax. (This is a "new feature",
+ but I've made an exception to my rule in a belief
+ that this is a highly exceptional case.)
+ Portability fixes for DG/UX (from Douglas Anderson of NCSC),
+ SCO Unix (from Murray Kucherawy), A/UX, and OSF/1
+ (from Jon Forrest of UC Berkeley)
+ CONFIG: fix ``mailer:host'' form of UUCP relay naming.
+
+8.6.1/8.6 93/10/08
+ Portability fixes for A/UX and Encore UMAX V.
+ Fix error message handling -- if you had a name server down
+ causing an error during parsing, that message was never
+ propagated to the queue file.
+
+8.6/8.6 93/10/05
+ Configuration cleanup: make it easier to undo IDENTPROTO in
+ conf.h (other systems have the same bug).
+ If HASGETDTABLESIZE and _SC_OPEN_MAX are both defined, assume
+ getdtablesize() instead of sysconf(); a disturbingly
+ large number of systems defined _SC_OPEN_MAX in the
+ header files but don't have the syscall.
+ Another patch to really truly ignore MX records in getcanonname
+ if trymx == FALSE.
+ Fix problem that caused the "250 IAA25499 Message accepted for
+ delivery" message to be omitted if there was an error
+ in the header of the message (e.g., a bad Errors-To:
+ line). Pointed out by Michael Corrigan of UCSD.
+ Announce name of host we are chatting when we get errors; this
+ is an IDA-ism suggested by Christophe Wolfhugel.
+ Portability fixes for Alpha OSF/1 (from Anthony Baxter of the
+ Australian Artificial Intelligence Institute), SCO Unix
+ (from Murray Kucherawy of Hookup Communication Corp.),
+ NeXT (from Vince DeMarco and myself), Linux (from
+ Karl London <karl@borg.demon.co.uk>), BSDI (from
+ Christophe Wolfhugel, and SVR4 on Dell (from Kimmo
+ Suominen), AUX 3.0 on Macintosh, and ANSI C compilers.
+ Some changes to get around gcc optimizer bugs. From Takahiro
+ Kanbe.
+ Fix error recovery in queueup if another tf file of the same
+ name already exists. Problem stumbled over by Bill
+ Wisner of The Well.
+ Output YP_MASTER_NAME and YP_LAST_MODIFIED without null bytes.
+ Problem noted by Keith McMillan of Ameritech Services.
+ Deal with group permissions properly when opening .forward and
+ :include: files. This relaxes the 8.1C restrictions
+ slightly more. This includes proper setting of groups
+ when reading :include: files, allowing you to read some
+ files that you should be able to read but have previously
+ been denied unless you owned them or they had "other"
+ read permission.
+ Make certain that $j is in $=w (after the .cf is read) so that
+ if the user is forced to override some silly system,
+ MX suppression will still work.
+ Fix a couple of efficiency problems where newstr was double-
+ calling expensive routines. In at least one case, it
+ wasn't guaranteed that they would always return the
+ same result. Problem noted by Christophe Wolfhugel.
+ Fix null pointer dereference in putoutmsg -- only on an error
+ condition from a non-SMTP mailer. From Motonori
+ Nakamura.
+ Macro expand "C" line class definitions before scanning so that
+ "CX $Z" works.
+ Fix problem that caused error message to be sent while still
+ trying to send the original message if the connection
+ is closed during a DATA command after getting an error
+ on an RCPT command (pretty obscure). Problem reported
+ by John Myers of CMU.
+ Fix reply to NOOP to be 250 instead of 200 -- this is a long
+ term bug.
+ Fix a nasty bug causing core dumps when returning the "warning:
+ cannot deliver for N hours -- will keep trying" message;
+ it only occurred if you had PostMasterCopy set and
+ only on some architectures. Although sendmail would
+ keep trying, it would send error messages on each
+ queue interval. This is an important fix.
+ Allow u and g options to take user and group names respectively.
+ Don't do a chdir into the queue directory in -bt mode to make
+ ruleset testing a bit easier.
+ Don't allow users to turn off logging (using -oL) on the command
+ line -- command line can only raise, not lower, logging
+ level.
+ Set $u to the original recipient on the SMTP transaction or on
+ the command line. This is only done if there is exactly
+ one recipient. Technically, this does not meet the
+ specs, because it does not guarantee a domain on the
+ address.
+ Fix a problem that dumped error messages on bad addresses if
+ you used the -t flag. Problem noted by Josh Smith of
+ Harvey Mudd College.
+ Given an address such as ``<foo> <bar>'', auto-quote the first
+ ``<foo>'' part, giving ``"<foo>" <bar>''. This is to
+ avoid the problem of people who use angle brackets in
+ their full name information.
+ Fix a null pointer dereference if you set option "l", have
+ an Errors-To: header in the message, and have Errors-To:
+ defined in the config file H lines. From J.R. Oldroyd.
+ Put YPCOMPAT on #ifdef NIS instead -- it's one less thing to get
+ wrong when compiling. Suggested by Rick McCarty of TI.
+ Fix a problem that could pass negative SIZE parameter if the
+ df file got lost; this would cause servers to always
+ give a temporary failure, making the problem even worse.
+ Problem noted by Allan Johannesen of WPI.
+ Add "ident" timeout (one of the "r" option selectors) for IDENT
+ protocol timeouts (30s default). Requested by Murray
+ Kucherawy of HookUp Communication Corp. to handle bogus
+ PC TCP/IP implementations.
+ Change $w default definition to be just the first component of
+ the domain name on config level 5. The $j macro defaults
+ to the FQDN; $m remains as before. This lets well-behaved
+ config files use any of the short, long, or subdomain
+ names.
+ Add makesendmail script in src to try to automate multi-architecture
+ builds. I know, this is sub-optimal, but it is still
+ helpful.
+ Fix very obscure race condition that can cause a queue run to
+ get a queue file for an already completed job. This
+ problem has existed for years. Problem noted by the
+ long suffering Allan Johannesen of WPI.
+ Fix a problem that caused the raw sender name to be passed to
+ udbsender instead of the canonified name -- this caused
+ it to sometimes miss records that it should have found.
+ Relax check of name on HELO packet so that a program using -bs
+ that claims to be itself works properly.
+ Restore rewriting of $: part of address through 2, R, 4 in
+ buildaddr -- this requires passing a lot of flags to get
+ it right. Unlike old versions, this ONLY rewrites
+ recipient addresses, not sender addresses.
+ Fix a bug that caused core dumps in config files that cannot
+ resolve /file/name style addresses. Fix from Jonathan
+ Kamens of OpenVision Technologies.
+ Fix problem with fcntl locking that can cause error returns to
+ be lost if the lock is lost; this required fully
+ queueing everything, dropping the envelope (so errors
+ would get returned), and then re-reading the queue from
+ scratch.
+ Fix a problem that caused aliases that redefine an otherwise
+ true address to still send to the original address
+ if and only if the alias failed in certain bizarre
+ ways (e.g, if they pointed at a list:; syntax address).
+ Problem pointed out by Jonathan Kamens.
+ Remove support for frozen configuration files. They caused
+ more trouble than it was worth.
+ Fix problem that can cause error messages to get ignored when
+ using both -odb and -t flags. Problem noted by Rob
+ McNicholas at U.C. Berkeley.
+ Include all "normal" variations on hostname in $=w. For example,
+ if the host name is vangogh.cs.berkeley.edu, $=w will
+ contain vangogh, vangogh.cs, and vangogh.cs.berkeley.edu.
+ Add "restrictqrun" privacy flag -- without this, anyone can run
+ the queue.
+ Reset SmtpPhase global on initial connection creation so that
+ messages don't come out with stale information.
+ Pass an "ext" argument to lockfile so that error/log messages
+ will properly reflect the true filename being locked.
+ Put all [...] address forms into $=w -- this eliminates the need
+ for MAXIPADDR in conf.h. Suggested by John Gardiner
+ Myers of CMU.
+ Fix a bug that can cause qf files to be left around even after
+ an SMTP RSET command. Problem and fix from Michael
+ Corrigan.
+ Don't send a PostMasterCopy to errors when the Precedence: is
+ negative. Error reports still go to the envelope
+ sender address.
+ Add LA_SHORT for load averages.
+ Lock sendmail.st file when posting statistics.
+ Add "SendBufSize" and "RcvBufSize" suboptions to "O" option to
+ set the size of the TCP send and receive buffers; if you
+ run over a slow slip line you may need to set these down
+ (although it would be better to fix the SLIP implementation
+ so that it's not necessary to recompile every program
+ that does bulk data transfer).
+ Allow null defaults on $( ... $) lookups. Problem reported by
+ Amir Plivatsky.
+ Diagnose crufty S and V config lines. This resulted from an
+ observation that some people were using the SITE macro
+ without the SITECONFIG macro first, which was causing
+ bogus config files that were not caught.
+ Fix makemap -f flag to turn off case folding (it was turning it
+ on instead). THIS IS A USER VISIBLE CHANGE!!!
+ Fix a problem that caused multiple error messages to be sent if
+ you used "sendmail -t -oem -odb", your system uses fcntl
+ locking, and one of the recipient addresses is unknown.
+ Reset uid earlier in include() so that recursive .forwards or
+ :include:s don't use the wrong uid.
+ If file descriptor 0, 1, or 2 was closed when sendmail was
+ called, the code to recover the descriptor was broken.
+ This sometimes (only sometimes) caused problems with the
+ alias file. Fix from Motonori Nakamura.
+ Fix a problem that caused aliaswait to go into infinite recursion
+ if the @:@ metasymbol wasn't found in the alias file.
+ Improve error message on newaliases if database files cannot be
+ opened or if running with no database format defined.
+ Do a better estimation of the size of error messages when NoReturn
+ is set. Problem noted by P{r (Pell) Emanuelsson.
+ Fix a problem causing the "c" option (don't connect to expensive
+ mailers) to be ignored in SMTP. Problem noted and the
+ solution suggested by Robert Elz of The University of
+ Melbourne.
+ Improve connection caching algorithm by passing "[host]" to
+ hostsignature, which strips the square brackets and
+ returns the real name. This allows mailertable entries
+ to match regular entries.
+ Re-enable Return-Receipt-To: -- people seem to want this stupid
+ feature, even if it doesn't work right.
+ Catch and log attempts to try the "wiz" command in server SMTP.
+ This also ups the log level from LOG_NOTICE to LOG_CRIT.
+ Be more generous at assigning $z to the home directory -- do this
+ for programs that are specified through a .forward file.
+ Fix from Andrew Chang of Sun Microsystems.
+ Always save a fatal error message in preference to a non-fatal
+ error message so that the "subject" line of return
+ messages is the best possible.
+ CONFIG: reduce the number of quotes needed to quote configuration
+ parameters with commas: two quotes should work now, e.g.,
+ define(ALIAS_FILE, ``/etc/aliases,/etc/aliases.local'').
+ CONFIG: class $=Z is a set of UUCP hosts that use uucp-dom
+ connections (domain-ized UUCP).
+ CONFIG: fix bug in default maps (-o must be before database file
+ name). Pointed out by Christophe Wolfhugel.
+ CONFIG: add FEATURE(nodns) to state that we are not relying on
+ DNS. This would presumably be used in UUCP islands.
+ CONFIG: add OSTYPE(nextstep) and OSTYPE(linux).
+ CONFIG: log $u in Received: line. This is in technical violation
+ of the standards, since it doesn't guarantee a domain
+ on the address.
+ CONFIG: don't assume "m" in local mailer flags -- this means that
+ if you redefine LOCAL_MAILER_FLAGS you will have to include
+ the "m" flag should you want it. Apparently some Solaris 2.2
+ installations can't handle multiple local recipients.
+ Problem noted by Josh Smith.
+ CONFIG: add confDOMAIN_NAME to set $j (if undefined, $j defaults).
+ CONFIG: change default version level from 4 to 5.
+ CONFIG: add FEATURE(nullclient) to create a config file that
+ forwards all mail to a hub without ever looking at the
+ addresses in any detail.
+ CONFIG: properly strip mailer: information off of relays when
+ used to change .BITNET form into %-hack form.
+ CONFIG: fix a problem that caused infinite loops if presented
+ with an address such as "!foo".
+ CONFIG: check for self literal (e.g., [128.32.131.12]) even if
+ the reverse "PTR" mapping is broken. There's a better
+ way to do this, but the change is fairly major and I
+ want to hold it for another release. Problem noted by
+ Bret Marquis.
+
+8.5/8.5 93/07/23
+ Serious bug: if you used a command line recipient that was unknown
+ sendmail would not send a return message (it was treating
+ everything as though it had an SMTP-style client that
+ would do the return itself). Problem noted by Josh Smith.
+ Change "trymx" option in getcanonname() to ignore all MX data,
+ even during a T_ANY query. This actually didn't break
+ anything, because the only time you called getcanonname
+ with !trymx was if you already knew there were no MX
+ records, but it is somewhat cleaner. From Motonori
+ Nakamura.
+ Don't call getcanonname from getmxrr if you already know there
+ are no DNS records matching the name.
+ Fix a problem causing error messages to always include "The
+ original message was received ... from localhost".
+ The correct original host information is now included.
+ Previous change to cf/sh/makeinfo.sh doesn't port to Ultrix (their
+ version of "test" doesn't have the -x flag). Change it
+ to use -f instead. From John Myers.
+ CONFIG: 8.4 mistakenly set the default SMTP-style mailer to
+ esmtp -- it should be smtp.
+ CONFIG: send all relayed mail using confRELAY_MAILER (defaults
+ to "relay" (a variant of "smtp") if MAILER(smtp) is used,
+ else "suucp" if MAILER(uucp) is used, else "unknown");
+ this cleans up the configs somewhat. This fixes a serious
+ problem that caused route-addrs to get mistaken as relays,
+ pointed out by John Myers. WARNING: this also causes
+ the default on SMART_HOST to change from "suucp" to
+ "relay" if you have MAILER(smtp) specified.
+
+8.4/8.4 93/07/22
+ Add option `w'. If you receive a message that comes to you because
+ you are the best (lowest preference) target of an MX, and
+ you haven't explicitly recognized the source MX host in
+ your .cf file, this option will cause you to try the target
+ host directly (as if there were no MX for it at all). If
+ `w' is not set, this case is a configuration error.
+ Beware: if `w' is set, senders may get bogus errors like
+ "message timed out" or "host unknown" for problems that
+ are really configuration errors. This option is
+ disrecommended, provided only for compatibility with
+ UIUC sendmail.
+ Fix a problem that caused the incoming socket to be left open
+ when sendmail forks after the DATA command. This caused
+ calling systems to wait in FIN_WAIT_2 state until the
+ entire list was processed and the child closed -- a
+ potentially prodigious amount of time. Problem noted
+ by Neil Rickert.
+ Fix problem (created in 6.64) that caused mail sent to multiple
+ addresses, one of which was a bad address, to completely
+ suppress the sending of the message. This changes
+ handling of EF_FATALERRS somewhat, and adds an
+ EF_GLOBALERRS flag. This also fixes a potential problem
+ with duplicate error messages if there is a syntax error
+ in the header of a message that isn't noticed until late
+ in processing. Original problem pointed out by Josh Smith
+ of Harvey Mudd College. This release includes quite a bit
+ of dickering with error handling (see below).
+ Back out SMTP transaction if MAIL gets nested 501 error. This
+ will only hurt already-broken software and should help
+ humans.
+ Fix a problem that broke aliases when neither NDBM nor NEWDB were
+ compiled in. It would never read the alias file.
+ Repair unbalanced `)' and `>' (the "open" versions are already
+ repaired).
+ Logging of "done" in dropenvelope() was incorrect: it would
+ log this even when the queue file still existed. Change
+ this to only log "done" (at log level 11) when the
+ queue file is actually removed. From John Myers.
+ Log "lost connection" in server SMTP at log level 20 if there
+ is no pending transaction. Some senders just close the
+ connection rather than sending QUIT.
+ Fix a bug causing getmxrr to add a dot to the end of unqualified
+ domains that do not have MX records -- this would cause
+ the subsequent host name lookup to fail. The problem
+ only occurred if you had FEATURE(nocanonify) set.
+ Problem noted by Rick McCarty of Texas Instruments.
+ Fix invocation of setvbuf when passed a -X flag -- I had
+ unwittingly used an ANSI C extension, and this caused
+ core dumps on some machines.
+ Diagnose self-destructive alias loops on RCPT as well as EXPN.
+ Previously it just gave an empty send queue, which
+ then gave either "Need RCPT (recipient)" at the DATA
+ (confusing, since you had given an RCPT command which
+ returned 250) or just dropped the email, depending on
+ whether you were running VERBose mode. Now it usually
+ diagnoses this case as "aliasing/forwarding loop broken".
+ Unfortunately, it still doesn't adequately diagnose
+ some true error conditions.
+ Add internal concept of "warning messages" using 6xx codes.
+ These are not reported only to Postmaster. Unbalanced
+ parens, brackets, and quotes are printed as 653 codes.
+ They are always mapped to 5xx codes before use in SMTP.
+ Clean up error messages to tell both the actual address that
+ failed and the alias they arose from. This makes it
+ somewhat easier to diagnose problems. Difficulty noted
+ by Motonori Nakamura.
+ Fix a problem that inappropriately added a ctladdr to addresses
+ that shouldn't have had one during a queue run. This
+ caused error messages to be handled differently during
+ a queue run than a direct run.
+ Don't print the qf name and line number if you get errors during
+ the direct run of the queue from srvrsmtp -- this was
+ just extra stuff for users to crawl through.
+ Put command line flags on second line of pid file so you can
+ auto-restart the daemon with all appropriate arguments.
+ Use "kill `head -1 /etc/sendmail.pid`" to stop the
+ daemon, and "eval `tail -1 /etc/sendmail.pid`" to
+ restart it.
+ Remove the ``setuid(getuid())'' in main -- this caused the
+ IDENT daemon to screw up. This required that I change
+ HASSETEUID to HASSETREUID and complicate the mode
+ changing somewhat because both Ultrix and SunOS seem
+ to have a bug causing seteuid() to set the saved uid
+ as well as the effective. The program test/t_setreuid.c
+ will test to see if your implementation of setreuid(2)
+ is appropriately functional.
+ The FallBackMX (option V) handling failed to properly identify
+ fallback to yourself -- most of the code was there,
+ but it wasn't being enabled. Problem noted by Murray
+ Kucherawy of the University of Waterloo.
+ Change :include: open timeout from ETIMEDOUT to an internal
+ code EOPENTIMEOUT; this avoids adding "during SmtpPhase
+ with CurHostName" in error messages, which can be
+ confusing. Reported by Jonathan Kamens of OpenVision
+ Technologies.
+ Back out setpgrp (setpgid on POSIX systems) call to reset the
+ process group id. The original fix was to get around
+ some problems with recalcitrant MUAs, but it breaks
+ any call from a shell that creates a process group id
+ different from the process id. I could try to fix
+ this by diddling the tty owner (using tcsetpgrp or
+ equivalent) but this is too likely to break other
+ things.
+ Portability changes:
+ Support -M as equivalent to -oM on Ultrix -- apparently
+ DECnet calls sendmail with -MrDECnet -Ms<HOST> -bs
+ instead of using standard flags. Oh joy. This
+ behaviour reported by Jon Giltner of University
+ of Colorado.
+ SGI IRIX -- this includes several changes that should
+ help other strict ANSI compilers.
+ SCO Unix -- from Murray Kucherawy of HookUp Communication
+ Corporation.
+ Solaris running the Sun C compiler (which despite the
+ documentation apparently doesn't define
+ __STDC__ by default).
+ ConvexOS from Eric Schnoebelen of Convex.
+ Sony NEWS workstations and Omron LUNA workstations from
+ Motonori Nakamura.
+ CONFIG: add confTRY_NULL_MX_LIST to set option `w'.
+ CONFIG: delete `C' and `e' from default SMTP mailers flags;
+ several people have made a good argument that this
+ creates more problems than it solves (although this
+ may prove painful in the short run).
+ CONFIG: generalize all the relays to accept a "mailer:host"
+ format.
+ CONFIG: move local processing in ruleset 0 into a new ruleset
+ 98 (8 on old sendmail). Domain literal [a.b.c.d]
+ addresses are also passed through this ruleset.
+ CONFIG: if neither SMART_HOST nor MAILER(smtp) were defined,
+ internet-style addresses would "fall off the end" of
+ ruleset zero and be interpreted as local -- however,
+ the angle brackets confused the recursive call.
+ These are now diagnosed as "Unrecognized host name".
+ CONFIG: USENET rules weren't included in S0 because of a mistaken
+ ifdef(`_MAILER_USENET_') instead of
+ ifdef(`_MAILER_usenet_'). Problem found by Rein Tollevik
+ of SINTEF RUNIT, Oslo.
+ CONFIG: move up LOCAL_RULE_0 processing so that it happens very
+ early in ruleset 0; this allows .mc authors to bypass
+ things like the "short circuit" code for local addresses.
+ Prompted by a comment by Bill Wisner of The Well.
+ CONFIG: add confSMTP_MAILER to define the mailer used (smtp or
+ esmtp) to send SMTP mail. This allows you to default
+ to esmtp but use a mailertable or other override to
+ deal with broken servers. This logic was pointed out
+ to me by Bill Wisner. Ditto for confLOCAL_MAILER.
+ Changes to cf/sh/makeinfo.sh to make it portable to SVR4
+ environments. Ugly as sin.
+
+8.3/8.3 93/07/13
+ Fix setuid problems introduced in 8.2 that caused messages
+ like "Cannot create qfXXXXXX: Invalid argument"
+ or "Cannot reopen dfXXXXXX: Permission denied". This
+ involved a new compile flag "HASSETEUID" that takes
+ the place of the old _POSIX_SAVED_IDS -- it turns out
+ that the POSIX interface is broken enough to break
+ some systems badly. This includes some fixes for
+ HP-UX. Also fixes problems where the real uid is
+ not reset properly on startup (from Neil Rickert).
+ Fix a problem that caused timed out messages to not report the
+ addresses that timed out. Error messages are also more
+ "user friendly".
+ Drop required bandwidth on connections from 64 bytes/sec to
+ 16 bytes/sec.
+ Further Solaris portability changes -- doesn't require the BSD
+ compatibility library. This also adds a new
+ "HASGETDTABLESIZE" compile flag which can be used if
+ you want to use getdtablesize(2) instead of sysconf(2).
+ These are loosely based on changes from David Meyer at
+ University of Oregon. This now seems to work, at least
+ for quick test cases.
+ Fix a problem that can cause duplicate error messages to be
+ sent if you are in SMTP, you send to multiple addresses,
+ and at least one of those addresses is good and points
+ to an account that has a .forward file (whew!).
+ Fix a problem causing messages to be discarded if checkcompat()
+ returned EX_TEMPFAIL (because it didn't properly mark
+ the "to" address). Problem noted by John Myers.
+ Fix dfopen to return NULL if the open failed; I was depending
+ on fdopen(-1) returning NULL, which isn't the case. This
+ isn't serious, but does result in weird error diagnoses.
+ From Michael Corrigan.
+ CONFIG: add UUCP_MAX_SIZE M4 macro to set the maximum size of
+ messages sent through UUCP-family mailers. Suggested
+ by Bill Wisner of The Well.
+ CONFIG: if both MAILER(uucp) and MAILER(smtp) are specified,
+ include a "uucp-dom" mailer that uses domain-style
+ addressing. Suggested by Bill Wisner.
+ CONFIG: Add LOCAL_SHELL_FLAGS and LOCAL_SHELL_ARGS to match
+ LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS. Suggested by
+ Christophe Wolfhugel.
+ CONFIG: Add OSTYPE(aix3). From Christophe Wolfhugel.
+
+8.2/8.2 93/07/11
+ Don't drop out on config file parse errors in -bt mode.
+ On older configuration files, assume option "l" (use Errors-To
+ header) for back compatibility. NOTE: this DOES NOT
+ imply an endorsement of the Errors-To: header in any way.
+ Accept -x flag on AIX-3 as well as OSF/1. Why, why, why???
+ Don't log errors on EHLO -- it isn't a "real" error for an old
+ SMTP server to give an error on this command, and
+ logging it in the transcript can be confusing. Fix
+ from Bill Wisner.
+ IRIX compatibility changes provided by Dan Rich
+ <drich@sandman.lerc.nasa.gov>.
+ Solaris 2 compatibility changes. Provided by Bob Cunningham
+ <bob@kahala.soest.hawaii.edu>, John Oleynick
+ <juo@klinzhai.rutgers.edu>
+ Debugging: -d17 was overloaded (hostsignature and usersmtp.c);
+ move usersmtp (smtpinit and smtpmailfrom) to -d18 to
+ match the other flags in that file.
+ Flush transcript before fork in mailfile(). From Eric Wassenaar.
+ Save h_errno in mci struct and improve error message display.
+ Changes from Eric Wassenaar.
+ Open /dev/null for the transcript if the create of the xf file
+ failed; this avoids at least one possible null pointer
+ reference in very weird cases. From Eric Wassenaar.
+ Clean up statistics gathering; it was over-reporting because of
+ forks. From Eric Wassenaar.
+ Fix problem that causes old Return-Path: line to override new
+ Return-Path: line (conf.c needs H_FORCE to avoid
+ re-using old value). From Motonori Nakamura.
+ Fix broken -m flag in K definition -- even if -m (match only)
+ was specified, it would still replace the key with the
+ value. Noted by Rick McCarty of Texas Instruments.
+ If the name server timed out over several days, no "timed out"
+ message would ever be sent back. The timeout code
+ has been moved from markfailure() to dropenvelope()
+ so that all such failures should be diagnosed. Pointed
+ out by Christophe Wolfhugel and others.
+ Relax safefile() constraints: directories in an include or
+ forward path must be readable by self if the controlling
+ user owns the entry, readable by all otherwise (e.g.,
+ when reading your .forward file, you have to own and
+ have X permission in it; everyone needs X permission in
+ the root and directories leading up to your home);
+ include files must be readable by anyone, but need not
+ be owned by you.
+ If _POSIX_SAVED_IDS is defined, setuid to the owner before
+ reading a .forward file; this gets around some problems
+ on NFS mounts if root permission is not exported and
+ the user's home directory isn't x'able.
+ Additional NeXT portability enhancements from Axel Zinser.
+ Additional HP-UX portability enhancements from Brian Bullen.
+ Add a timeout around SMTP message writes; this assumes you can
+ get throughput of at least 64 bytes/second. Note that
+ this does not impact the "datafinal" default, which
+ is separate; this is just intended to work around
+ network clogs that will occur before the final dot
+ is sent. From Eric Wassenaar.
+ Change map code to set the "include null" flag adaptively --
+ it initially tries both, but if it finds anything
+ matching without a null it never tries again with a
+ null and vice versa. If -N is specified, it never
+ tries without the null and creates new maps with a
+ null byte. If -O is specified, it never tries with
+ the null (for efficiency). If -N and -O are specified,
+ you get -NO (get it?) lookup at all, so this would
+ be a bad idea. If you don't specify either -N or -O,
+ it adapts.
+ Fix recognition of "same from address" so that MH submissions
+ will insert the appropriate full name information;
+ this used to work and got broken somewhere along the
+ way.
+ Some changes to eliminate some unnecessary SYSERRs in the
+ log. For example, if you lost a connection, don't
+ bother reporting that fact on the connection you lost.
+ Add some "extended debugging" flags to try to track down
+ why we get occasional problems with file descriptor
+ one being closed when execing a mailer; it seems to
+ only happen when there has been another error in the
+ same transaction. This requires XDEBUG, defined
+ by default in conf.h.
+ Add "-X filename" command line flag, which logs both sides of
+ all SMTP transactions. This is intended ONLY for
+ debugging bad implementations of other mailers; start
+ it up, send a message from a mailer that is failing,
+ and then kill it off and examine the indicated log.
+ This output is not intended to be particularly human
+ readable. This also adds the HASSETVBUF compile
+ flag, defaulted on if your compiler defines __STDC__.
+ CONFIG: change SMART_HOST to override an SMTP mailer. If you
+ have a local net that should get direct connects, you
+ will need to use LOCAL_NET_CONFIG to catch these hosts.
+ See cf/README for an example.
+ CONFIG: add LOCAL_MAILER_ARGS (default: `mail -d $u') to handle
+ sites that don't use the -d flag.
+ CONFIG: hide recipient addresses as well as sender addresses
+ behind $M if FEATURE(allmasquerade) is specified; this
+ has been requested by several people, but can break
+ local aliases. For example, if you mail to "localalias"
+ this will be rewritten as "localalias@masqueradehost";
+ although initial delivery will work, replies will be
+ broken. Use it sparingly.
+ CONFIG: add FEATURE(domaintable). This maps unqualified domains
+ to qualified domains in headers. I believe this is
+ largely equivalent to the IDA feature of the same name.
+ CONFIG: use $U as UUCP name instead of $k. This permits you
+ to override the "system name" as your UUCP name --
+ in particular, to use domain-ized UUCP names. From
+ Bill Wisner of The Well.
+ CONFIG: create new mailer "esmtp" that always tries EHLO
+ first. This is currently unused in the config files,
+ but could be used in a mailertable entry.
+
+8.1C/8.1B 93/06/27
+ Serious security bug fix: it was possible to read any file on
+ the system, regardless of ownership and permissions.
+ If a subroutine returns a fully qualified address, return it
+ immediately instead of feeding it back into rewriting.
+ This fixes a problem with mailertable lookups.
+ CONFIG: fix some M4 frotz (concat => CONCAT)
+
+8.1B/8.1A 93/06/12
+ Serious bug fix: pattern matching backup algorithm stepped by
+ two tokens in classes instead of one. Found by Claus
+ Assmann at University of Kiel, Germany.
+
+8.1A/8.1A 93/06/08
+ Another mailertable fix....
+
+8.1/8.1 93/06/07
+ 4.4BSD freeze. No semantic changes.
+
+6.65/6.34 93/06/06
+ Fix some lintish problems.
+ Fix some cases where server SMTP behaved poorly when handed bogus
+ input, pointed out by Eric Wassenaar.
+ CONFIG: fix some more (sigh) mailertable bugs -- thanks to
+ Motonori Nakamura of Kyoto University (again).
+
+6.64/6.33 93/06/05
+ Don't send 050 (-v) information after the 250 response to a QUIT
+ command in srvrsmtp -- clients usually close the connection
+ at this point, and it causes bogus error messages.
+ Don't send messages that have errors on input (such as unbalanced
+ parentheses) during SMTP transactions, since a return
+ message has (probably) already been sent.
+ Give better diagnostics on timeouts during network reads, including
+ information similar to the SMTP phase.
+ Fix bug that caused SMTP messages to deliver synchronously; this
+ happened after the DATA 250, and hence caused reading the
+ next command to be delayed.
+ Ignore Errors-To: header unless 'l' (lower case el) header is
+ specified. The Errors-To: header violates RFC 1123.
+ Errors-To: was only needed to take the place of the
+ envelope sender in the days when most Unix mailers
+ didn't understand about the two kinds of senders.
+ Don't send warning messages in response to automatically generated
+ messages (that is, those From:<>).
+ CONFIG: fix some rather stupid typos in the mailertable code
+ pointed out by Motonori Nakamura of Kyoto University.
+ CONFIG: add confUSE_ERRORS_TO configuration option.
+ CONFIG: if ALWAYS_ADD_DOMAIN is selected, try to use $M
+ (masquerade name) instead of $j.
+ CONFIG: don't add dots to relay names (added in 6.29); it breaks
+ several things, and can be simulated by dot terminating
+ the names of relays. For example, use:
+ DBbit.net.relay.
+ (note the trailing dot).
+
+6.63/6.32 93/06/01
+ Fix prototypes to eliminate chars in argument lists -- some
+ compilers are pissy about this.
+ Log protocol ($r) and body type if set so we can determine if
+ the adaptive algorithms are working.
+ Pessimize on locking of database files (particularly for NEWDB
+ databases) during opens. There were problems with
+ processes opening the file while it was rebuilt; since
+ NEWDB caches heavily, the reader opened an empty file,
+ which is an error. If your system has the ability to
+ lock atomically on open, this works properly; otherwise,
+ there are race conditions.
+ Check mod time on .pag file instead of .dir in NDBM aliases
+ because the .dir file doesn't get updated for small
+ alias files. From John Gardiner Myers of CMU.
+ More Solaris portability -- it now compiles on Solaris, but
+ hangs up in gethostbyname().
+ Move setting of RES_DEBUG flag before first myhostname() call
+ so we can see name server traffic on that call.
+ Fsync() queue files.
+ Fix a problem that causes -bi to try to rebuild maps other than
+ the alias file(s).
+ Fix a problem that caused udb to reject entries from any but
+ the first database listed.
+ Rearrange doc subdirectory for 4.4BSD release tape.
+ CONFIG: put $r into the Received line. This was an oversight.
+ CONFIG: fix typo (call to ruleset 99 should have been ruleset 90).
+ CONFIG: move "auxiliary" subroutines to be in ruleset 90-99
+ range -- in the long run, single digit rulesets may
+ become reserved for builtin use by sendmail.
+ CONFIG: fix major problem that causes host aliases (that is,
+ anything in $=w != $j) to not be recognized. This has
+ been around since 6.30.
+
+6.62/6.31 93/05/28
+ BETA RELEASE
+ Fix recursive syserr (if there is an error printing a syserr
+ message). This makes the code much less eager to consider
+ a write error as serious. This also includes some
+ heuristics to be clever about closed connections.
+ Lock NEWDB files during gets. This requires version 1.5 or later
+ of the db library. If you have an older version, you
+ can use -DOLD_NEWDB. This will go away in a few weeks.
+ Fix problem causing aliases that use host maps to get overwritten.
+ Do appropriate byte swapping on port numbers in ident protocol
+ code. Fix from Allan Johannesen of WPI.
+ Defer opening of map files to the same time as alias files so that
+ the daemon will tend to pick up new versions more promptly.
+ Prototype a bunch more functions.
+ Some Solaris 2.1 changes (still doesn't link though).
+ Try to simplify Makefiles by including more subordinate #defines
+ in conf.h (based on OS type).
+ CONFIG: check for domains if FEATURE(mailertable) is defined.
+ For example, if the host name is "knecht.cs.berkeley.edu"
+ it will search the following mailertable keys:
+ knecht.cs.berkeley.edu
+ .cs.berkeley.edu
+ .berkeley.edu
+ .edu
+ This could be used to replace the special relays for bitnet
+ and similar nets.
+
+6.61/6.30 93/05/24
+ Fix problem that prevented appending dots on canonified host
+ names. This breaks tons of config files -- very
+ important fix.
+ Fix improper pointer dereference in response to HELO command.
+ Fix core dump if debugging set in map_rewrite.
+ CONFIG: add FEATURE(always_add_domain) to always attach the
+ local domain (only impacts local mail).
+ CONFIG: try to avoid turning names into $j -- although
+ technically a host can only have one "canonical name",
+ it seems to be common practice to have several.
+
+6.60/6.29 93/05/22
+ Major change: merge alias databases with maps. This expands and
+ changes the map class interface but fixes a bunch of bugs.
+ The important user-visible change is that the file name
+ in a K line now does not include the ".db" extension; this
+ is added automatically. Also, the -d (NIS domain) flag is
+ missing from the K config line; use @domain instead.
+ When compiling, the *_MAP names are gone -- just compile
+ in NDBM, NEWDB, and/or NIS support.
+ Announce mailer/host/user triple on -bv flag -- from Brian
+ Bullen of Stirling University.
+ Don't send more than one line in response to HELO -- it confuses
+ Pony Express, which then behaves very badly. However,
+ this change does send two line 220 greetings, with the
+ second line reading "ESMTP spoken here". The usersmtp
+ module recognizes this and goes into ESMTP mode regardless
+ of the setting of the "a" mailer flag. Thus, "a" means
+ "always try EHLO".
+ AIX portability changes (thanks to Christophe Wolfhugel of
+ Herve Schauer Consultants (Paris) for providing me with
+ an INSA account for this purpose). Lightly tested. Use
+ -D_AIX3. This probably breaks compatibility with some
+ older systems (e.g., 4.2bsd) but still works on SunOS
+ 4.1.2, Ultrix 4.2A, HP-UX 8.07, OSF/1 T1.3, and AIX 3.2.3.
+ Fix a problem causing an error message loop if the output channel
+ is hosed.
+ Add the Makefiles that I use for various environments -- some are
+ Berkeley make versions and some are old make versions.
+ My makefile for the NeXT box has gotten lost, alas!
+ PRALIASES: support for printing NEWDB databases. From
+ Michael J. Corrigan of U.C. San Diego.
+ CONFIG: don't pass pseudo-domains to $[ ... $] (if you have
+ a wildcard MX it can have weird results). From
+ Christophe Wolfhugel.
+ CONFIG: dot terminate relay hostnames in S0. From Christophe
+ Wolfhugel.
+
+6.59/6.28 93/05/13
+ Log version with SMTP daemon startup message.
+ Adjust setproctitle to work on NetBSD and BSD/386.
+ Fix null pointer reference in MX fallback code.
+ A bunch of minor fixes from Eric Wassenaar:
+ If deliver cannot execv the mailer, return EX_OSERR
+ instead of EX_TEMPFAIL (to give better
+ error messages).
+ Consistently malloc e_message.
+ Catch degenerate case of calling returntosender()
+ with an empty returnq.
+ MIME reformatting.
+
+6.58/6.28 93/05/13
+ Fix bug that can cause incorrect verbose display of user smtp
+ messages.
+ Disable SMTP VERB command if PRIV_NOEXPN is set (since this
+ could reveal the same information.
+ Allow failure when reading SMTP greeting message to go on to
+ next MX host.
+ Add "MIME-Version: 1.0" header if using MIME (this was NOT
+ included in RFC 1344, but Bill King of Allan-Bradley
+ Company forwarded me email from Nathaniel Borenstein
+ claiming that it was an inadvertent omission).
+ Don't use Content-Type: X-message-header. According to John
+ Myers of CMU, many MIME readers will completely ignore
+ the data if they don't recognize it. Instead, just
+ add a blank line to make it a legal (empty) message.
+ Fix problem causing dots to keep getting appended to cached
+ hostnames. This can cause buffer overrun conditions.
+ The problem was found by Erik Forsberg of Retix,
+ although I used a different bug fix than he provided.
+ Fix parsing of split header/envelope rewriting specs -- from
+ Eric Forsberg.
+ Fix from Eric Wassenaar to correct To: lists in error messages.
+
+6.57/6.28 93/05/11
+ Fix minor glitch causing extra ctladdrs to be output to queue
+ file. Just an annoyance.
+ Cache results of name server canonification lookups to avoid
+ backed up queue runs.
+ Major rewrite of alias.c: considerable cleanup, plus sample
+ (untested) support for NIS aliases. The "A" option
+ can now be a comma separated list (or be repeated) --
+ that is, you can have multiple alias databases. Each
+ database can have the syntax ``class:file''; if no class
+ is specified, the "implicit" class is assumed. Implicit
+ searches through a list of compiled in types -- hash,
+ dbm, nis, and stab. Alias files are searched in the
+ order they are listed. For example:
+ OAhash:/etc/aliases.local,/etc/aliases
+ OAnis:mail.aliases@my.nis.domain
+ first searches the hash database /etc/aliases.local,
+ then the regular /etc/aliases database, then the NIS
+ map "mail.aliases" in the NIS domain "my.nis.domain".
+ If in Verbose mode (probably from VERB command) run SMTP job
+ in foreground and don't do RCPT optimizations.
+ Add udb :mailsender as equivalent to owner- for regular aliases.
+ Delete option 8; add option 7 that means the opposite. That is,
+ default to 8-bit mode; a special option is needed to
+ force sendmail into 7 bit mode.
+ Send error messages in encapsulated MIME format.
+ New compile flag "NIS" that turns on NIS alias and NIS map
+ support.
+ Add "j" option to send error messages in MIME (RFC 1341)
+ encapsulated message format per RFC 1344. The
+ syntax is pretty ugly if you don't have MIME-aware
+ user agents.
+ Clean up message handling (for display in mailq output).
+ New setproctitle implementation for 4.4bsd.
+ Create files (such as ~/dead.letter) using mode FileMode (the
+ F option value) instead of 0666.
+ Fix bug causing output of EXPN command to not be fully qualified.
+ This may cause some problems with UUCP addresses that
+ will require some config file assistance -- specifically,
+ the $: part has to include the host name for this output
+ to make sense.
+ Fix a problem that sometimes diagnosed errors and still sent the
+ message if the header syntax was bad.
+ Fix a bug that caused an error message to be emailed when sendmail
+ was operating in -bv mode.
+ Add "ListenQueueSize" keyword to daemon options option (OO) to
+ set the queue size parameter passed to listen(). You
+ will normally have to tweak your kernel to up this.
+ Strip spaces off of beginning of message-id before logging (in
+ case it was folded across lines).
+ Tweak compile flags in daemon.c -- there were some cases where
+ it wouldn't work without NETINET.
+ Change *file* mailer to output all the usual default headers
+ (From, Date, Message-Id). It gets used when sending
+ back error messages.
+ CONFIG: explicitly catch and diagnose list:; syntax in ruleset
+ zero -- this is not a valid recipient syntax according
+ to RFC 821.
+ CONFIG: add confMIME_FORMAT_ERRORS to send error messages in
+ MIME format. Defaults to on.
+ CONFIG: add SMTP_MAILER_FLAGS and UUCP_MAILER_FLAGS to augment
+ the flags for those mailers.
+
+6.56/6.27 93/05/01
+ Fix problem that causes the fallback mail to postmaster
+ (case ESM_POSTMASTER in savemail()) to not look at
+ aliases (ugh).
+ Some more HPUX tweaking (compile flag hpux => __hpux so it
+ still works in ANSI mode).
+ Don't try to flock non-regular files when mailing to a file.
+ In particular, this was a problem if you tried to
+ send to /dev/null.
+ Fix a weird bug that can cause senders to be queued as
+ recipients if the name server is down when the mail
+ is initially sent. This hack just ignores sender
+ deletion (essentially, it sets the MeToo flag) if there
+ is a TEMPFAIL during processing of the sender address.
+ Obscure.
+ Fix a dangling else problem -- from Brian Bullen from University
+ of Stirling, UK.
+ Add the "b" mailer flag to force a blank line on the end of
+ messages. Some brilliant versions of /bin/mail insist
+ on this but do not add it themselves.
+ Add the "g" mailer flag to prevent user SMTP from sending
+ "MAIL From:<>". This is only intended to be a
+ transitional gesture, and should not be used if at
+ all possible. It appears that Berkeley and IDA
+ config files have always handled this properly; the
+ UK config kit apparently does not.
+ Don't lowercase and then capitalize header field names -- leave
+ them with original capitalization. Fixes from Bill
+ King of Allen-Bradley Company.
+ Further cleanup and improved reporting of error messages,
+ particularly conditions that cause messages to be
+ requeued for future delivery.
+ Tweak syslog priorities in some cases.
+ CONFIG: clean up route-addr on UUCP addresses.
+
+6.55/6.25 93/04/27
+ HPUX 8.07 compatibility changes in getla() -- I had to make
+ these changes to get it to work at Berkeley, although
+ others seem to have been working before (???).
+ Various patches to XLA code.
+ Fix problem that causes setuid bit on files to be ignored from
+ SMTP or in queue runs. Problem noted by Jason Ornstein
+ of Under The Wire, Inc.
+ Fix problem that can cause CNAMEs to be ignored.
+ Generalize getmxrr to match local host in $=w instead of a
+ single name passed in.
+ Some cleanup from Eric Wassenaar:
+ Use FileMailer instead of ProgMailer in two places.
+ Eliminate duplicate 8th-bit stripping in commaize.
+ Fix a problem with mis-parsing of backslash escapes
+ under some circumstances.
+ NIS map fix (was always including trailing null character)
+ from Mike Glendinning of Ingres UK.
+ Add "a" mailer flag to try using ESMTP. It tries the EHLO
+ command and if that fails falls back to regular SMTP.
+ Also parses EHLO option keywords. If host supports
+ SIZE extension, this is added to the MAIL FROM:
+ command.
+ Extend "b" option to include a second value which is the
+ maximum message size this server is willing to accept.
+ For example, a value of "10/1000000" says that there
+ must be ten blocks free, and sendmail will reject
+ any message larger than one megabyte.
+ Some portability hooks for NeXT (this could be applicable
+ to Mach in general). You have to create an empty
+ file called "unistd.h" to get it to compile.
+ Adjust config values (MAXLINE, MAXATOM, and PSBUFSIZE) to
+ be more generous.
+ Add X400-Received: to the list of headers tagged with H_TRACE
+ in conf.c. From Bill King, Allen-Bradley Co.
+
+6.54/6.25 93/04/19
+ Fix problem that caused redefinition of SMTP and QUEUE compile
+ flags. Pointed out by Jon Forrest of the Sequoia 2000
+ project at Berkeley.
+ Properly handle \! hack -- it was treating host\!user as one
+ token (host!user) instead of three (host, !, user).
+ Fix from Eric Wassenaar of NIKHEF-H.
+ Fix compilation problem in getauthinfo() if IDENTPROTO is off.
+ Turn off DEFNAMES and DNSRCH when getting the hostsignature
+ (i.e., MX records) in level 1 configuration files; this
+ matches the old behaviour. From Motonori Nakamura of
+ Kyoto University.
+ Improve error message printing -- if sent through an alias,
+ error messages include the name of the alias in the
+ message. Unfortunately, in order to make this work
+ properly in queue runs, this changes the format of the
+ C line in the qf file. The relatively uselessness of
+ the previous information was pointed out to me by
+ Allan E Johannesen of WPI.
+ Add XLA compile flag to add hooks to Christophe Wolfhugel's
+ extended load average code. This is still in very early
+ form. For information regarding the guts of the xla
+ code, contact Christophe.Wolfhugel@grasp.insa-lyon.fr.
+ Additional hooks for detecting tempfails in rewriting rules
+ (that is, in map lookups).
+
+6.53/6.25 93/04/15
+ Properly diagnose ruleset zero returning null (instead of a mailer
+ triple). From Motonori Nakamura of Kyoto University.
+ More generalization of socket code for other protocols.
+ Shorten timeouts on reverse name lookups -- since they are done
+ during connection establishment, long timeouts here can
+ cause higher level timeouts. This mainly serves to accept
+ mail from hosts that do not have proper reverse (PTR) DNS
+ records set up.
+ Reset e_statmsg before each mailer invocation to avoid bogus
+ messages in the log.
+ Redefine $r, $s, and $_ in error envelopes so you don't get
+ incorrect cruft in the error message. Problem noted by
+ Motonori Nakamura of Kyoto University.
+ Fix a problem that can cause failure to return errors to Postmaster
+ in certain cases. From Motonori Nakamura.
+ Fix a problem that can cause some systems to give duplicate error
+ messages when a bad syntax address such as "<a" is presented
+ to an SMTP server. It doesn't seem to occur on all
+ machines. From Motonori Nakamura.
+ Default IDENTPROTO off for Ultrix and HPUX, which apparently have
+ the interesting "feature" that when they receive a "Host
+ unreachable" message they closes all open connections to
+ that host. However, some firewall gateways send this message
+ if you try to connect to an unauthorized port, such as the
+ IDENT port (113). Thus, no email can be received from such
+ hosts. There is some evidence that versions of Ultrix before
+ 4.3 do not have this problem. Thanks to Tom Ivar Helbekkmo
+ for pointing out this behaviour to me and to Michael Corrigan
+ of U.C. San Diego for informing me about the HPUX problem.
+ Allow IPC mailers to return a colon-separated list of hosts in the
+ $@ clause; these are searched in order as though they were
+ MX records.
+ When sending an error report, print the list of addresses tagged
+ as bad. Requested by Allan E Johannesen of WPI.
+ Change map function calls to return a status code. This gets
+ passed back as the result of rewrite. Parseaddr marks
+ the address as a QUEUEUP address if the return code is
+ EX_TEMPFAIL. All this to queue properly if the name
+ server is down. This code is not well tested. This code
+ changes the interface to map lookup functions (a fifth
+ parameter, int *statp, is added). Feature requested by
+ Dan Oscarsson.
+ Don't delete quotes (in the dequote map) if there are spaces in
+ the string, since this would cause them to be replaced by
+ the SpaceSub character.
+ Accept BODY=8BITMIME on SMTP MAIL command. This isn't advertised
+ because the 8BIT to 7BIT translation doesn't exist yet.
+ This does add a "bodytype" field to both envelope and
+ queue file and a -B command line flag to pass the type in
+ during direct invocations.
+ Discard return error messages only on responses to responses to
+ responses, not on responses to responses. That is, the
+ algorithm is to try return to sender, then return to
+ postmaster, then discard. Previously it discarded
+ immediately if the return to sender pass failed.
+ CONFIG: back out change to hide unqualified hostnames behind %-hack.
+ This screws up local aliases and .forward files.
+ CONFIG: add FEATURE(nocanonify) to turn off calls to $[ ... $];
+ some sites only handle completely canonified names.
+ Requested by John Gardiner Myers of CMU.
+ CONFIG: some UUCP code was still included even if FEATURE(nouucp)
+ was specified.
+
+6.52/6.24 93/04/10
+ Clean up some minor glitches on error return messages pointed out
+ by Motonori Nakamura of Kyoto University.
+ Fix reply() to not reset SmtpReplyBuffer on fatal errors; this
+ was supposed to reset SmtpMsg Buffer. This makes the
+ client side code virtually useless. Reported by Allan
+ E Johannesen of WPI and Phil Brandenberger of Swarthmore.
+ Better debug messages if fuzzy is disabled, suggested by Allan
+ E Johannesen of WPI.
+ Offset SmtpReplyBuffer by four in usersmtp when checking for
+ loopback. From Eric Wassenaar.
+ Don't set $s until after runinchild in srvrsmtp -- otherwise
+ it gets cleared. From Eric Wassenaar.
+ Implement IDA-style $&x for deferred macro expansion.
+ More POSIX compatibility.
+ CONFIG: Hide unqualified hostnames behind %-hack using $s as the
+ actual sender. This is only done if $r is non-null, that
+ is, if this is not locally submitted mail.
+ CONFIG: Add FEATURE(bitdomain) allowing mapping of BITNET host
+ names to internet domains. A program contributed by
+ John Gardiner Myers of CMU to create the maps is included
+ in the contrib directory (in the "misc" tar file).
+ CONFIG: Add FEATURE(uucpdomain) for a similar mapping for UUCP
+ hosts. There is currently no tool to create this map.
+
+6.51/6.23 93/04/04
+ Add D= mailer flag to specify a path of possible working directories
+ in which to execute the mailer. This is intended for the
+ prog mailer; some shells can get upset if they don't have
+ access to the current directory.
+ Add RFC 1413 (IDENT) protocol support. This is only very loosely
+ tested. This adds a $_ macro to be the authenticated
+ info (in ``user@domain [address]'' form) and debug flag
+ 9 to trace the protocol.
+ Check for loopbacks in usersmtp instead of srvrsmtp -- there is no
+ reason for a local agent to not be talking to the localhost
+ (although the inverse is not true).
+ Add a few hooks for automated map rebuilding. This is certainly
+ not done yet.
+ CONFIG: Have prog mailer specify a path of ``D=$z:/'' -- that is,
+ user's home directory then the root.
+ CONFIG: Log RFC 1413 identification in Received: line.
+
+6.50/6.22 93/04/01
+ Fixes to requeueing code to make it compute priority, nrcpts,
+ and the like properly.
+
+6.49/6.22 93/04/01
+ Diagnose incorrect privacy flags. Suggested by Bryan Costales
+ of ICSI.
+ Some ANSI C fixes.
+ Arrange to quote backslashes as well as other special characters
+ in the phrase part of a route-addr.
+ Some fixes to FallBackMX code suggested by Motonori Nakamura of
+ Kyoto University.
+ More vigorous zeroing of CurHostAddr to avoid logging of bogus
+ host addresses when you are actually just printing
+ information from the MCI structure; problem noted by
+ Michael Corrigan of U.C. San Diego.
+ Don't ignore rest of queue if any job is not runnable. This can
+ also cause an incorrect job to be lost. Fix from
+ Eric Wassenaar.
+ Always respond "quickly" to RCPT command; do alias expansion and
+ the like later. This also means that mail for lists that
+ have errors will be accepted, and an error sent back
+ later. This is done by instantiating the queue file
+ and then immediately running and requeueing it.
+
+6.48/6.22 93/03/30
+ Fix incorrect diagnosis of infinite loop in ruleset. Problem noted
+ by several people.
+ Improve information printed when infinite loops are discovered.
+ Zero CurHostAddr to fix erroneous internet addresses in log when no
+ addresses can be bound. Pointed out by Motonori Nakamura
+ of Kyoto University.
+ "Probe" SMTP connections using RSET instead of NOOP "just in case".
+ Suggested by John Gardiner Myers of CMU.
+ Don't warn about -f if you are setting sender to yourself.
+
+6.47/6.22 93/03/29
+ Fix incompatible call to endmailer in smtpquit which causes core
+ dumps. Noted by Allan E Johannesen of WPI.
+ HPUX portability changes from Michael J. Corrigan of UC San Diego.
+ Require MAIL before RCPT command in srvrsmtp.c. This had been
+ intentional from the 821 draft days when the order wasn't
+ clear, but is silly now.
+ Fix bug in nis_magic routine that was initializing parameters
+ incorrectly. Fix from Takahiro Kanbe of Fuji Xerox
+ Information Systems Co., Ltd.
+ Change default for PrivacyFlags in conf.c to 0 -- since it always
+ "or"s in new values, there was no way to turn off the
+ AuthWarning stuff.
+ Add O option to set SMTP daemon options.
+ Add V option to set fallback MX host. This always sorts at lower
+ priority than anything it gets from the name server. It
+ should only be used for environments with very bad network
+ connectivity. Requested by several people.
+ Log sending info. It's not clear this is a good idea.
+ CONFIG: fix typo in mailertable code. Noted by Phil Brandenberger
+ of Swarthmore.
+ CONFIG: add confDAEMON_OPTIONS and confFALLBACK_MX to set options
+ O and V, respectively.
+
+6.46/6.21 93/03/26
+ Fix botch in server SMTP that broke transactions that did not
+ use HELO first (like MH). Fix from Michael Corrigan
+ of U.C. San Diego.
+ Fall back to other MX records if there is an error anywhere
+ in delivery (actually on MAIL or DATA -- RCPT is harder).
+ Suggested by John Gardiner Myers and Motonori Nakamura.
+ Revert to non-prototypes -- it turns out that our ANSI C
+ compiler is more forgiving than most others about
+ mixing prototyped extern declarations with non-prototyped
+ function definitions.
+ Fix a problem with multi-word class matching pointed out by
+ Neil Rickert. Given:
+ CX b a.b.c
+ R$+ $=X $+ $: $1 < $2 > $3
+ the input "user@a.b.c" failed instead of being properly
+ rewritten as "user@a.<b>.c".
+ Neil also convinced me that it was correct that $~ should match
+ only one token -- the problem is that it's always possible
+ to add another token, so $~ matches far too eagerly.
+
+6.45/6.21 93/03/25
+ Implement multi-word classes (properly!).
+
+6.44/6.21 93/03/25
+ Add X-Authentication-Warning: headers to clue users into possible
+ attempts to forge mail. This is on the authwarnings
+ privacy flag, but is the default. Suggested by Bryan
+ Costales of ICSI.
+ Pass default units for convtime in so they can be more reasonable.
+ Allow config files to always add a new Comments: header (i.e.,
+ they will be added even if an old one already exists).
+ Suggested by Bryan Costales of ICSI.
+ Allow config files to delete an existing Return-Path: header.
+ These should only be added at final delivery. Suggested
+ by Bryan Costales of ICSI.
+ Some debugging additions. Suggested by Bryan Costales of ICSI.
+ Clean up logging of Family 0 addresses. Noted by David Muir
+ Sharnoff and others.
+ Add a "dequote" map class. This allows config files to strip
+ quotes off of addresses. Note that this is not a builtin
+ map, just a class -- so you have to define the map
+ using the K line.
+ Fix a bug in the queueup() loop getting a locked tf where in
+ very odd cases it can fall off the bottom and core dump.
+ Of course, it was P{r Emanuelsson who found it....
+ Open a new transcript when splitting an envelope. Problem found
+ by Allan E Johannesen of WPI.
+ Improved error output in endmailer if the mailer core dumps.
+ CONFIG: Fix typo in UUCP mailer definition.
+ CONFIG: Default several of the new options on: eight bit input,
+ privacy flags set to "authwarnings", and message warning
+ set to 4h.
+ CONFIG: Use dequote map.
+
+6.43/6.20 93/03/23
+ Fix problem with assumption of an sa_len field in a generic
+ sockaddr -- it turns out that most vendors haven't
+ picked up this (very important) fix.
+ Change compilation flags for daemon code -- select one or both
+ of NETINET or NETISO, but don't ever set DAEMON manually.
+ CONFIG: add FEATURE(mailertable) to do IDA-style mailertables.
+
+6.42/6.19 93/03/19
+ Use Postmaster as default fallback return address, not root.
+ POSIX changes for file descriptor handling.
+ Diagnose errors writing new queue file.
+ If you change the owner using an owner- alias, also change the
+ error mode to EM_MAIL so that errors don't get dropped
+ into an inappropriate directory. Problem noted by
+ Allan E Johannesen of WPI.
+ If you are su'ed to root, send email as who you really are, not
+ as root. From Brian Kantor of U.C. San Diego.
+ Allow warning messages to be sent after a configurable interval
+ has passed without delivery. The message is sent only
+ once per envelope. This changes the format of the qf
+ file to have an F line, and the format of the T option
+ to accept take the format "return/warn" (both intervals).
+ Don't force all local names to lower case -- this was left over
+ from the weird handling of case mapping on aliases. It
+ is now driven (as expected) by the "u" mailer flag.
+ Problem noted by P{r Emanuelsson.
+ Fix problem that caused headers on returned email to be trashed;
+ they were getting freed, but are still accessible via
+ BlankEnvelope.
+ Fix problem that caused bogus ids to be created on returned
+ mail.
+ Add support for ISO and other non-INET networking. This is by
+ no means finished yet. This does assume a lot of other
+ system support, like a version of gethostbyname that
+ returns non-AF_INET addresses.
+ CONFIG: change default on prog mailer to keep upper case in
+ user names (i.e., in the program command line).
+ CONFIG: strip trailing dots off of hosts in uucp mailer before
+ convert to bang format.
+ CONFIG: create new "relay" mailer for $R (LOCAL_RELAY) and $H
+ (MAIL_HUB) delivery that doesn't add local domain. Note
+ that this violates 821, but is probably "more correct"
+ for what we are trying to do. Problem pointed out by
+ Michael Graff of Iowa State.
+
+6.41/6.18 93/03/18
+ Clean up unnecessary creates of queue ids (i.e., empty qf files)
+ when not needed, such as when starting up an SMTP
+ connection.
+ Fix problem where split envelopes aren't instantiated in the queue.
+ This is quite a serious bug.
+ Owner- aliases had problems with leading spaces causing a
+ premature delimitation.
+
+6.40/6.18 93/03/18
+ Have ending 250 (after DATA) include the id; suggested by
+ Brian Kantor of UC San Diego.
+ Add logging on envelope splitting.
+ Change queue ids to have one more letter encoding the hour of
+ the day so that during a single day there is a greater
+ likelihood of uniqueness; requested by Brian Kantor.
+
+6.39/6.18 93/03/18
+ Fix minor compile problem if LOCKF is defined.
+ Define size of tobuf in conf.h. Observed by Toshinari Takahashi
+ of Toshiba.
+ Restore e_sender -- this is equivalent to e_from.q_paddr without
+ decorations such as angle brackets and comments.
+ OSF/1 on Alpha changes from Allan E Johannesen of WPI.
+ CONFIG: fix typo in S3 for list syntax (;: => :;). Thanks to
+ Christopher Hoover for noting the problem.
+
+6.38/6.17 93/03/17
+ Pass envelope to disconnect to avoid another use of CurEnv, which
+ can apparently end up being null at inopportune times.
+ Log "received from" as "relay=" for consistency (suggested by
+ John Gardiner Myers).
+ Fix major bug in header handling: if no From: line existed in
+ the header (so sendmail inserts one), and the sender is
+ an alias that has an owner, the From: line shows the
+ owner (as well as the envelope). Fixed by early binding
+ the headers (which will change debugging output).
+ HPUX portability patches from Michael J. Corrigan of UC San Diego.
+ Some attempts to adapt better to out of open file conditions.
+ Some changes to ctladdr handling in queue files.
+
+6.37/6.17 93/03/16
+ MAJOR CHANGE: delete e_sender and e_returnpath (why are these
+ different from e_from?) and $< macro.
+ Log correct IP address in relay= field even if the connection
+ times out.
+ Log "received from [RESPONSE]" on EF_RESPONSE messages (from
+ John Gardiner Myers).
+ Fixes to SysExMsg logging (sometimes just got "message: %s"
+ instead of "message: error message"), noted by Eric
+ Wassenaar. Also reported by Motonori Nakamura.
+ Improvements to MX piggybacking code, from Motonori Nakamura.
+ Fix case where CurHostName points to an auto variable that has
+ been deallocated (from Motonori Nakamura).
+ Fix bug causing newlines to be included in aliases if option
+ "n" (check alias RHS) is set; bug noted by David Muir
+ Sharnoff.
+ Fix problem causing user names that should be mapped to lower
+ case to not be mapped if they are sent during a queue
+ run. This greatly simplifies the case mapping code.
+ Problem noted by Allan E Johannesen of WPI.
+ Don't do recipient address rewriting in buildaddr. This
+ improperly did recipient rewriting on sender addresses,
+ and just seems bogus in general -- but the change could
+ break some .cf files.
+ Pass TZ envariable to child processes for System V.
+ CONFIG: allow LOCAL_RULE_1 and LOCAL_RULE_2 if you want to
+ define those rulesets.
+ KNOWN PROBLEM: I have seen some problems on SunOS that causes
+ the User Data Base to give errors on some addresses. I
+ have tracked the problem back at least as far as 93.02.15
+ (version 6.22). Running with debugging on makes it
+ go away, so I conclude that it is referencing uninitialized
+ stack data. I haven't been able to track this down yet.
+
+6.36/6.16 93/03/08
+ Allow local mailer to specify $@host -- this lets you assign the
+ "foo" part of jgm+foo to $h for passing in to the local
+ mailer.
+ Additional debug printing in getcanonname (show query type).
+ Don't add the e_fromdomain on sender addresses -- this interacts
+ weirdly with the owner- code.
+ Improve delivery logging to not log obvious or meaningless stuff.
+ Include numeric IP address in Received: lines per RFC 1123 section
+ 5.2.8.
+ Fixed a bug in checking stat() return value if restrictmailq is
+ set. Also, check the entire group set instead of just the
+ primary group. Both from John Gardiner Myers.
+ Don't have usrerr automatically print errno, since this is often
+ misleading.
+ Use transienterror() in makeconnection after connect() fails and
+ in openmailer after execve() fails (from Eric Wassenaar).
+ Also moved transienterror() from util.c to conf.c.
+ Clean up from= logging on response messages.
+ Undo patch allowing prescan to return a null vector -- it breaks
+ too many things.
+ Config: FEATURE(notsticky) lets you use UDB for everything coming
+ in to the machine, even if it is specifically targetted
+ to this machine. Without it, UDB is bypassed if the user
+ name is fully qualified.
+ Config: fix another minor botch with <> (local mailer wasn't
+ mapping them properly).
+
+6.35/6.15 93/03/05
+ Fix getrealhostname to return null if sinlen <= 0 -- this can
+ occur if stdin is a pipe.
+ Avoid infinite loop in getcanonname if name server return
+ NO_DATA (for example).
+ Config: avoid having C flag qualify list syntax and error syntax.
+
+6.34/6.14 93/03/05
+ Fix logging in deliver to not pass too many parameters to Ultrix
+ versions of syslog.
+ Don't write the pid file until after the daemon has actually
+ opened and conditioned the connection.
+ Consider addresses "different" if their q_uids differ (so that
+ two users forwarding to the same program will be seen
+ as different, rather than the same).
+ Fix problem with bad parameters in main() -- they set ExitStat
+ but don't exit.
+ Fix null pointer references through RealHostName -- painfully
+ discovered by Allan E Johannesen of WPI.
+ Fix bug causing user@@localhost to core dump (yuch).
+ Config: don't put two @host.dom.ain on users in $=E in SMTP
+ mailer. Also, catch user@ (no host) in ruleset 0.
+
+6.33/6.13 93/03/03
+ Config: add confCW_FILE as the name of the cw configuration file
+ (defaults to /etc/sendmail.cw). From P{r Emanuelsson.
+ Allow prescan to return a pointer to an empty list -- this is
+ not an error. Also, clean up error reporting to avoid
+ double errors (prescan reports once, then the caller
+ reports again).
+ Changes to avoid trusting T_ANY queries -- run them, but if you
+ don't get the info you expected, do T_A and T_MX queries
+ anyhow. This also fixes an oversight where _res.options
+ bits were being ignored.
+ If PRIV_NOVRFY is set, use 252 response code instead of 502 per
+ RFC 1123 section 5.2.3. It's not 100% clear that this
+ is correct, but it probably works better with stupid
+ mailers that do a VRFY and only check the first digit.
+
+6.32/6.12 93/03/02
+ Fix uninitialized variable "protocol" in smtp code.
+ Include <unistd.h> in sendmail.h -- move towards POSIX/ANSI.
+ Additional hooks for RFC 1427 (ESMTP SIZE extension). This
+ includes requiring that enoughspace() know the system
+ block size, which will undoubtedly break most ports.
+ Trace flag 19 in use for srvrsmtp.c.
+ Additional logging -- notably the sending mailer name. This
+ also changes the delivery logging to strict field=value
+ syntax.
+ Fix some problems with messages getting sent even to addresses
+ that had been marked bad -- from Eric Wassenaar.
+ More WIDE changes: accept host name inside [...] as non-MXed
+ host. This is intended ONLY for use inside firewalled
+ environments, where the MX points at the gateway.
+ Change .cf file conventions so that mapping for <> addresses
+ don't have an @ in them (to avoid confusing the C mailer
+ flag). Pointed out by Neil Rickert.
+ Config extensions for Sam Leffler's FlexFAX software.
+
+6.31/6.10 93/02/28
+ Fix some more bugs in alias owner code -- there were some weird
+ cases where an error in a non-aliased name would override
+ the return info in an aliased name with an owner.
+ Changes from WIDE Project, forwarded to me by Motonori Nakamura:
+ Log actual delivery host (after MX et al); from
+ yasuhiro@dcl.co.jp.
+ Log daemon startup.
+ Deliver Postmaster copies without a body.
+ Better logging of SMTP senders.
+ Send all program email as daemon even when local.
+ As requested in various forms from many people, accept -qIstring
+ to limit queue runs to jobs with queue-id matching string.
+ Similarly for -qRstring for recipients, -qSstring for
+ senders.
+ Initial hooks for ESMTP support (see RFC 1425).
+ Fixed a syntax error in the UUCP mailer specification that caused
+ core dumps on startup.
+ Check for missing A= or P= arguments in mailer definitions.
+
+6.30/6.10 93/02/27
+ Require FROZENCONFIG compilation flag to include frozen
+ configuration code. Frozen configuration is really
+ not a very good idea any more, particularly in shared
+ library environments.
+ Do better checking of errno after opens of :include: and .forward
+ files to defer delivery on network and other transient
+ errors. Suggestion from Craig Everhart.
+ Fix minor botch in read timeout macro processing.
+ Add FEATURE(nouucp) to config files for sites that know absolutely
+ nothing about UUCP.
+ Add built cf files to distribution tape and clarify how to build
+ them if you don't have the Berkeley make.
+ Some sizeof(long) portability changes for the Alpha, from Allan
+ E Johannesen.
+ Add "restrictmailq" privacy flag -- if set, only people in the same
+ group as your queue directory can print the queue. If you
+ set this, be sure you also restrict access to log files....
+ Fix another bug in owner-list stuff that can cause data files to
+ be "lost".
+ Fix a bug with queue runs that cause forwards to yourself to go
+ into alias/forwarding loops. I'm still iffy about this
+ fix.
+ Fix from Eric Wassenaar for suppression of return message code.
+
+6.29/6.9 93/02/24
+ Fix yet another problem in alias owner code -- put the wrong return
+ address on the enclosed return-to-sender letter.
+
+6.28/6.9 93/02/24
+ Fix botch in alias owner code that caused it to not operate if the
+ error was detected locally.
+
+6.27/6.9 93/02/24
+ M_LOCAL => M_LOCALMAILER to avoid conflict with Ultrix include
+ file <sys/mount.h>.
+ Miscellaneous bug fixes from Eric Wassenaar:
+ sendmail -bv -t logs the from line even though in verify
+ mode only.
+ sendmail -v can go into queue mode if shouldqueue returns
+ TRUE.
+ Add route-addr pruning per RFC 1123 section 5.3.3. This can be
+ disabled using the "R" option.
+ Delete (always undocumented) -R flag (save original recipients);
+ there are ways to syslog(3) these now.
+ Clean up SMTP reply codes -- specify them as needed in the code,
+ instead of in conf.c -- this was needed during the NCP to
+ TCP transition, but seems silly now. This also changes
+ parameters to message and nmessage.
+ Have mailstats read the .cf file to find the sendmail.st file and
+ get text versions of mailer names. An initial version of
+ this code was provided by Tuominen Keijo (although the
+ comments indicate the good bits were written by "E.V.").
+ Add yet more System V compatibility hacks.
+ Fix bug in VRFY code (assumes everything must be a local user).
+ Allow specification of any of the hard-wired pathnames in the
+ Makefile.
+ Delete concept of "trusted users" -- this really didn't provide
+ any security anyway, and caused some problems.
+ Delete last vestige of support for the word "at" as an equivalent
+ to the character "@".
+ Propagate owner-foo alias information into the envelope sender.
+ Based on code from John Gardiner Myers. This is a major
+ semantic change -- beware!
+ Allow $@ on LHS to indicate "match zero" -- this is used to match
+ the null expression.
+
+6.26/6.8 93/02/21
+ Don't "lose" queue runs. Very important fix from (who else?)
+ Eric Wassenaar.
+ Completely reset state on RSET command -- from Eric Wassenaar.
+ Send error messages and return receipts using an envelope sender
+ of <> regardless of the setting of $n. Rewriting rules
+ can undo this if they feel the necessity, as might be
+ needed for networks that don't understand the syntax.
+ This is permitted by RFC 821 section 3.6 and required by
+ RFC 1123 section 5.3.3. THIS REQUIRES VERSION 4 CONFIG
+ FILES because the rulesets must be able to parse <>
+ properly.
+ Don't ever send error messages to "<>" -- they will get sent to
+ the local postmaster or dumped in /usr/tmp/dead.letter
+ instead. Per RFC 1123 section 5.3.3.
+ Explicitly check for email to yourself as a dotted quad. You
+ have to call $[ [ ... ] $] to get this.
+ Up the message timeout to five days per RFC 1123 section 5.3.1.1.
+ Make all read timeouts individually configurable, as strongly
+ recommended by RFC 1123 section 5.3.2.
+ Use f_bavail (blocks available to regular users) instead of f_bfree
+ (blocks available to superuser) in free block checks.
+ Change $d macro to be the current time, not the origination time,
+ since this is consistent with how it is used now.
+ Generalization of enoughspace from Eric Wassenaar covering
+ SGI, Apollo, HPUX, Ultrix, and SunOS.
+ Ignore process group signals -- some front ends can do this if
+ you kill a window too quickly. From Eric Wassenaar.
+ Change umask to 022.
+
+6.25/6.8 93/02/20
+ Close all cached connections before calling mailers and after
+ forking for delivery (caused double closes which resulted
+ in false errors).
+ Add FEATURE(redirect) in config files -- this allows you to alias
+ old addresses to a pointer to the new address that will
+ give a 551 error message, but not deliver the mail.
+ Some code changes to make the 551 errors look pretty.
+ Names of M4 program paths in config files have changed -- they
+ are all XXX_MAILER_PATH now, to match XXX_MAILER_FLAGS.
+ Fix a bug in the QSELFREF code having to do with empty .forward
+ files, reported by Eric Wassenaar.
+ Add option "p" (privacy flags); this allows you to tune how
+ picky the SMTP server will be. This also adds the
+ confPRIVACY_FLAGS M4 macro in the config files.
+ Add option "b" (minimum blocks free). If there are fewer than
+ this number of blocks free on the filesystem containing
+ the queue directory, the SMTP MAIL command will return
+ a 452 response and ask you to try again later. This
+ also adds the confMIN_FREE_BLOCKS M4 macro in the config
+ files.
+ Made VRFY just verify (doesn't expand aliases and .forward files);
+ EXPN does full expansion. RCPT in queue-only mode also
+ doesn't chase aliases and .forward.
+
+6.24/6.7 93/02/19
+ Increase the number of domain search entries in domain.c to allow
+ for the extra "" entry indicating the root domain.
+ Reported by Motonori Nakamura of Kyoto U.
+ Add a "SMART_HOST" in the configs for UUCP-connected sites that
+ want to forward all mail with extra "@"s to that site.
+ Also allows SMART_HOST, LOCAL_RELAY, and MAIL_HUB to
+ be specified as ``mailer:hostname'' to use an alternate
+ mailer.
+ Clarified and updated some wording in the Operations Guide.
+ Add the "c" mailer flag -- this suppresses all comment parts of
+ addresses (requested by John Curran of NEARnet).
+ Have -v print prompts in -bt mode even if stdin is not a terminal
+ (default behaviour is to be silent if not reading from
+ a terminal). Suggested by Bryan Costales, ICSI.
+ Move the metacharacters from C0 space (\001-\037) into C1 space
+ (\201-\237). This also fixes a bunch of potential bugs
+ with G1 characters (\240-\276) in headers relating to
+ negative numbers passed to isspace() et al.
+ Add YP_LAST_MODIFIED and YP_MASTER_NAME to DBM version of alias
+ database if YPCOMPAT is #defined. Enhancement from
+ Takahiro Kanbe of Fuji Xerox Information Systems Co., Ltd.
+ Add "list" Precedence (-30); this can be used with old sendmails
+ which will map to precedence 0 (which will return error
+ messages). Suggested by Stephen R. van den Berg.
+ Many bug fixes from Eric Wassenaar of the National Institute for
+ Nuclear and High-Energy Physics, Amsterdam:
+ Clear timeouts properly on open failures in include().
+ Don't dereference through NULL if no home directory found.
+ Re-establish SIGCHLD signal on System 5 in reapchild().
+ Avoid NULL pointer reference on -pFOO flag.
+ Properly handle backslash escapes in comments.
+ Correctly check reply status on SMTP NOOP command.
+ Properly save SMTP error message if peer gives
+ "Service Shutting Down" message.
+ Avoid writing to the transcript if it couldn't be opened.
+ Signal errors in SMTP children to parent properly.
+ Handle self references in a list more globally (include a
+ QSELFREF bit in the address flags). This enhancement
+ was suggested by Eric Wassenaar.
+ Use initgroups() in hpux, even though it's System-V based. The
+ HASINITGROUPS compile flag can set this on other systems.
+ This HPUX behaviour was pointed out by Eric Wassenaar.
+
+6.23/6.6 93/02/16
+ Clean up handling of LogLevel to make it easier to figure out
+ what's on what level.
+ Change log levels to have some consistency:
+ 1 serious system failures, security problems
+ 2 lost communications, protocol failures
+ 3 other serious failures
+ 4 minor errors
+ 5 message collection
+ 6 vrfy logging, creation of return-to-sender
+ 7 delivery failures
+ 8 delivery successes
+ 9 delivery tempfails (queue ups)
+ 10 database expansion
+ >64 debugging
+ Allow IDA-style separated processing on S= and R= in Mailer
+ definition lines. Note that rulesets 1 and 2 are
+ still used for both addresses as before. Bruce Lilly
+ gave a convincing argument that RFC976 insists on
+ this behaviour.
+ Added some time zones to arpatounix -- they may not be in the
+ standards, but they are in use. However, I may delete
+ arpatounix entirely -- there appears to be no reason
+ for it to exist.
+ Change to UUCP mailer (in cf directory) to try to do a saner job.
+ I'm still not certain about this mailer in general.
+
+6.22/6.5 93/02/15
+ Fix bug that prevents saving letters in ~/dead.letter.
+ Don't add angle brackets in VRFY command if angle brackets already
+ exist in the address.
+ Fix bogus error message in udbexpand.
+ Null terminate host buffers in buildaddr (broken in 6.21) --
+ IMPORTANT FIX!!
+
+6.21/6.5 93/02/15
+ Fix another incorrect error message in alias.c, found by Azuma
+ Okamoto.
+ Fix a couple of problems in the more-configurable config files,
+ found by Tom Ivar Helbekkmo.
+ Fix problem with quoted :include: entries.
+ Don't duplicate the filename on verbose printing of .forward and
+ :include: contents.
+ Extend size of prescan buffer (to allow bigger addresses). Also,
+ detect some buffer overflows.
+ Log user SMTP protocol errors (log level 4).
+
+6.20/6.4 93/02/14
+ Fix another problem in the MCI state machine caused when there
+ were errors generated from the other end to commands
+ other than RCPT.
+
+6.19/6.4 93/02/14
+ Include load average support for DEC Alpha running OSF/1.
+ Fix multiple-response problem with errors in MAIL From: line.
+ Fix SMTP reply codes for invalid address syntaxes (give 501;
+ never give multiple error messages for a single message).
+ Fix problem where a cached connection timeout rejects all
+ later connects to that host.
+ Fix incorrect error message if alias.c is compiled with DBM only.
+ Additional changes to fix nested conditionals (from Bruce Lilly).
+ Recover more gracefully from operating system failures, particularly
+ NULL returns from openmailer (from Noritoshi Demizu,
+ OMRON Corporation).
+ Log forward, alias, and userdb expand operations on log level 10;
+ concept suggested by P{r (Pell) Emanuelsson.
+ Changes for HPUX 8.07 compatibility.
+
+6.18/6.4 93/02/12
+ Allow any config option to be set using an M4 define.
+ Change UNAME compile flag to HASUNAME for IDA compatibility
+ (besides, it's a better name).
+ Note in README that on SunOS it must be linked -Bstatic.
+ Fairly major change in domain.c to handle wildcard MX records
+ more rationally. NOTE: the "w" option (no wildcard MX
+ records match local domain) has been eliminated.
+ Fix some unset variable references pointed out by Bruce Lilly.
+ Fix host name in process titles when using cached connection.
+
+6.17/6.3 93/01/28
+ Fix System 5 compatibility changes to be compatible with the rest
+ of the world.
+
+6.16/6.3 93/01/28
+ Experimental fix for problem handling errors in the SMTP
+ protocol in conjunction with connection caching.
+ System 5 compatibility changes.
+
+6.15/6.3 93/01/26
+ Fix a bug that causes local mail delivered using -odq to be
+ eliminated as a duplicate (because it matched the
+ ctladdr, now passed in as a C line). These changes
+ are pretty tricky......
+
+6.14/6.3 93/01/25
+ Add debugging for some MCI errors.
+
+6.13/6.3 93/01/22
+ Fix -e compatibility flag to take a value.
+ Fix a couple of minor compilation warnings on Sun cc.
+ Improve error messages in a few cases to be more self-explanatory.
+
+6.12/6.3 93/01/21
+ Fix yet-another problem with environment handling, pointed out
+ by Yoshitaka Tokugawa and Tom Ivar Helbekkmo.
+ Some heuristics to try to limit resource exhaustion problems
+ if a downstream host has been down for a long time.
+ Fix problem with incorrect host name being logged in "Connection
+ timed out" messages (from Tom Ivar Helbekkmo).
+ Fix some ANSI C problems (from Takahiro Kanbe).
+ Properly log message sender on returned mail during queue run.
+ Count number of recipients properly.
+ Fix a problem in yp map code.
+ Diagnose "message timed out" (from Motonori Nakamura).
+
+6.11/6.3 93/01/20
+ Fix problem with address delimitor inside quotes.
+ Define $k and $=k to be the UUCP name (from the uname call)
+ based on code from Bruce Lilly.
+
+6.10/6.2 93/01/18
+ Implement arpatounix (largely code from Bruce Lilly).
+ Log more info (suggested by John Myers).
+ Allow nested $?...$|...$. (inspired by code from Bruce Lilly of
+ Sony US).
+ POSIX compatibility (noted by Keith Bostic).
+ Handle SMTP MAIL command errors properly (urged by several people,
+ notably John Myers of CMU).
+ Do early diagnosis of .cf errors (notably referencing a RHS
+ substitution that isn't on the LHS).
+ Adjust checkpointing to better handle batched recipients, suggested
+ by John Myers.
+ Fix miscellaneous bugs.
+ (config files:) Implement MAIL_HUB for all local mail (to handle
+ NFS-mounted directories) as urged by Tom Ivar Helbekkmo
+ of the Norwegian School of Economics.
+
+6.9/6.1 93/01/13
+ Environment handling simplification/bug fix -- child processes
+ get a minimal, fixed environment. This avoids different
+ behaviour in queue runs.
+ Handle commas inside comments properly.
+ Properly limit large messages submitted in -obq mode.
+
+6.8/6.1 93/01/10
+ Check mtime of thaw file against .cf and sendmail binary, based on
+ code from John Myers.
+
+6.7/6.1 93/01/10
+ MX piggybacking, based on code from John Myers@CMU.
+ Allow checkcompat to return -1 to mean tempfail.
+ Bug fix in m_mno computation.
+
+6.6/6.1 93/01/09
+ Tuning of queueing functions as recommended by John Gardiner Myers.
+ Return mail headers (no body) on messages with negative precedence.
+ Minor other bug fixes.
+
+6.5/6.1 93/01/03
+ Fix botch causing queued headers to have ?XX? prefixes.
+
+6.4/6.1 93/01/02
+ Changes to recognize special mailer types (e.g., file) early.
+
+6.3/6.1 93/01/01
+ Pass timeouts to sfgets.
+ Check for control characters in addresses.
+ Fixed deferred error reporting.
+ Report duplicate aliases.
+ Handle mixed case recursive aliases.
+ Misc bug fixes.
+
+6.2/6.1 92/12/30
+ Put return-receipt-to on a conf.c flag (but don't set it).
+ Fix minor syslog problem.
OpenPOWER on IntegriCloud