diff options
Diffstat (limited to 'sendmail/RELEASE_NOTES')
| -rw-r--r-- | sendmail/RELEASE_NOTES | 10260 |
1 files changed, 10260 insertions, 0 deletions
diff --git a/sendmail/RELEASE_NOTES b/sendmail/RELEASE_NOTES new file mode 100644 index 0000000..8a0b51c --- /dev/null +++ b/sendmail/RELEASE_NOTES @@ -0,0 +1,10260 @@ + SENDMAIL RELEASE NOTES + $Id: RELEASE_NOTES,v 8.1909 2007/10/31 16:04:13 ca Exp $ + + +This listing shows the version of the sendmail binary, the version +of the sendmail configuration files, the date of release, and a +summary of the changes in that release. + +8.14.2/8.14.2 2007/11/01 + If a message was queued and it contained 8 bit characters in + a From: or To: header, then those characters could be + "mistaken" for internal control characters during a queue + run and trigger various consistency checks. Problem + noted by Neil Rickert of Northern Illinois University. + If MaxMimeHeaderLength is set to a value greater than 0 (which + it is by default) then even if the Linelimit parameter + is 0, sendmail corrupted in the non-transfer-encoding + case every MAXLINE-1 characters. Patch from John Gardiner + Myers of Proofpoint. + Setting the suboption DeliveryMode for DaemonPortOptions did not + work in earlier 8.14 versions. + Note: DeliveryMode=interactive is silently converted to + background if a milter can reject or delete a recipient. + Prior to 8.14 this happened only if milter could delete + recipients. + ClientRate should trigger when the limit was exceeded (as + documented), not when it was reached. Patch from + John Beck of Sun Microsystems. + Force a queue run for -qGqueuegroup even if no runners are + specified (R=0) and forking (F=f) is requested. + When multiple results are requested for a DNS map lookup + (-z and -Z), return only those that are relevant for + the query (not also those in the "additional section".) + If the message transfer time to sendmail (when acting as server) + exceeds Timeout.queuewarn or Timeout.queuereturn and + the message is refused (by a milter), sendmail previously + created a delivery status notification (DSN). Patch + from Doug Heath of The Hertz Corporation. + A code change in Cyrus-SASL 2.1.22 for sasl_decode64() requires + the MTA to deal with some input (i.e., "=") itself. + Problem noted by Eliot Lear. + sendmail counted a delivery as successful if PIPELINING is + compiled in but not offered by the server and the + delivery failed temporarily. Patch from Werner Wiethege. + If getting the result of an LDAP query times out then close the + map so it will be reopened on the next lookup. This + should help "failover" configurations that specify more + than one LDAP server. + If check_compat returns $#discard then a "savemail panic" could + be triggered under some circumstances (e.g., requiring + a system which does not have the compile time flag + HASFLOCK set). Based on patch by Motonori Nakamura + of National Institute of Informatics, Japan. + If a milter rejected a recipient, the count for nrcpts= in the + logfile entry might have been wrong. Problem found by + Petra Humann of TU Dresden. + If a milter invoked smfi_chgfrom() where ESMTP arguments are not + NULL, the message body was lost. Patch from Motonori + Nakamura of National Institute of Informatics, Japan. + sendmail(8) had a bogus space in -qGname. Patch from Peng Haitao. + CONTRIB: buildvirtuser: Preserve ownership and permissions when + replacing files. + CONTRIB: buildvirtuser: Skip dot-files (e.g., .cvsignore) when + reading the /etc/mail/virtusers/ directory. + CONTRIB: buildvirtuser: Emit warnings instead of exiting where + appropriate. + LIBMILTER: Fix ABI backwards compatibility so milters compiled + against an older libmilter.so shared library can use an + 8.14 libmilter.so shared library. + LIBMILTER: smfi_version() did not properly extract the patchlevel + from the version number, however, the returned value was + correct for the current libmilter version. + +8.14.1/8.14.1 2007/04/03 + Even though a milter rejects a recipient the MTA will still keep + it in its list of recipients and deliver to it if the + transaction is accepted. This is a regression introduced + in 8.14.0 due to the change for SMFIP_RCPT_REJ. Bug + found by Andy Fiddaman. + The new DaemonPortOptions which begin with a lower case character + could not be set in 8.14.0. + If a server shut down the connection in response to a STARTTLS + command, sendmail would log a misleading error message + due to an internal inconsistency. Problem found by + Werner Wiethege. + Document how some sendmail.cf options change the behavior of mailq. + Noted by Paul Menchini of the North Carolina School of + Science and Mathematics. + CONFIG: Add confSOFT_BOUNCE m4 option for setting SoftBounce. + CONFIG: 8.14.0's RELEASE_NOTES failed to mention the addition + of the confMAX_NOOP_COMMANDS and confSHARED_MEMORY_KEY_FILE + m4 options for setting MaxNOOPCommands and + SharedMemoryKeyFile. + CONFIG: Add confMILTER_MACROS_EOH and confMILTER_MACROS_DATA m4 + options for setting Milter.macros.eoh and Milter.macros.data. + CONTRIB: Use flock() and fcntl() in qtool.pl if necessary. + Patch from Daniel Carroll of Mesa State College. + LIBMILTER: Make sure an unknown command does not affect the + currently available macros. Problem found by Andy Fiddaman. + LIBMILTER: The MTA did not offer SMFIF_SETSYMLIST during option + negotiation. Problem reported by Bryan Costales. + LIBMILTER: Fix several minor errors in the documentation. + Patches from Bryan Costales. + PORTABILITY FIXES: + AIX 5.{1,2}: libsm/util.c failed to compile due to + redefinition of several macros, e.g., SIG_ERR. + Patch from Jim Pirzyk with assistance by Bob + Booth, University of Illinois at Urbana-Champaign. + Add support for QNX.6. Patch from Sean Boudreau of QNX + Software Systems. + New Files: + devtools/M4/depend/QNX6.m4 + devtools/OS/QNX.6.x + include/sm/os/sm_os_qnx.h + + New Files added in 8.14.0, but not shown in the release notes entry: + libmilter/docs/smfi_chgfrom.html + libmilter/docs/smfi_version.html + +8.14.0/8.14.0 2007/01/31 + Header field values are now 8 bit clean. Notes: + - header field names are still restricted to 7 bit. + - RFC 2822 allows only 7 bit (US-ASCII) characters in + headers. + Preserve spaces after the colon in a header. Previously, any + number of spaces after the colon would be changed to + exactly one space. + In some cases of deeply nested aliases/forwarding, mail can + be silently lost. Moreover, the MaxAliasRecursion + limit may be reached too early, e.g., the counter + may be off by a factor of 4 in case of a sequence of + .forward files that refer to others. Patch from + Motonori Nakamura of Kyoto University. + Fix a regression in 8.13.8: if InputMailFilters is set then + "sendmail -bs" can trigger an assertion because the + hostname of the client is undefined. It is now set + to "localhost" for the xxfi_connect() callback. + Avoid referencing a freed variable during cleanup when terminating. + Problem reported and diagnosed by Joe Maimon. + New option HeloName to set the name for the HELO/EHLO command. + Patch from Nik Clayton. + New option SoftBounce to issue temporary errors (4xy) instead of + permanent errors (5xy). This can be useful for testing. + New suboptions for DaemonPortOptions to set them individually + per daemon socket: + DeliveryMode DeliveryMode + refuseLA RefuseLA + delayLA DelayLA + queueLA QueueLA + children MaxDaemonChildren + New option -K for LDAP maps to replace %1 through %9 in the + lookup key with the LDAP escaped contents of the + arguments specified in the map lookup. Loosely based + on patch from Wolfgang Hottgenroth. + Log the time after which a greet_pause delay triggered. Patch + from Nik Clayton. + If a client is rejected via TCP wrapper or some other check + performed by validate_connection() (in conf.c) then do + not also invoke greet_pause. Problem noted by Jim Pirzyk + of the University of Illinois at Urbana-Champaign. + If a client terminates the SMTP connection during a pause + introduced by greet_pause, then a misleading message + was logged previously. Problem noted by Vernon Schryver + et.al., patch from Matej Vela. + New command "mstat" for control socket to provide "machine + readable" status. + New named config file rule check_eom which is called at the end + of a message, its parameter is the size of the message. + If the macro {addr_type} indicates that the current address + is a header address it also distinguishes between + recipient and sender addresses (as it is done for + envelope addresses). + When a macro is set in check_relay, then its value is accessible + by all transactions in the same SMTP session. + Increase size of key for ldap lookups to 1024 (MAXKEY). + New option MaxNOOPCommands to override default of 20 for the + number of "useless" commands before the SMTP server will + slow down responding. + New option SharedMemoryKeyFile: if shared memory support is + enabled, the MTA can be asked to select a shared memory + key itself by setting SharedMemoryKey to -1 and specifying + a file where to store the selected key. + Try to deal with open HTTP proxies that are used to send spam + by recognizing some commands from them. If the first command + from the client is GET, POST, CONNECT, or USER, then the + connection is terminated immediately. + New PrivacyOptions noactualrecipient to avoid putting + X-Actual-Recipient lines in DSNs revealing the actual + account that addresses map to. Patch from Dan Harkless. + New options B, z, and Z for DNS maps: + -B: specify a domain that is always appended to queries. + -z: specify the delimiter at which to cut off the result of + a query if it is too long. + -Z: specify the maximum number of entries to be concatenated + to form the result of a lookup. + New target "check" in the Makefile of libsm: instead of running tests + implicitly while building libsm, they must be explicitly + started by using "make check". + Fixed some inconsistent checks for NULL pointers that have been + reported by the SATURN tool which has been developed by + Isil Dillig and Thomas Dillig of Stanford University. + Fix a potential race condition caused by a signal handler for + terminated child processes. Problem noted by David F. Skoll. + When a milter deleted a recipient, that recipient could cause a + queue group selection. This has been disabled as it was not + intended. + New operator 'r' for the arith map to return a random number. + Patch from Motonori Nakamura of Kyoto University. + New compile time option MILTER_NO_NAGLE to turn off the Nagle + algorithm for communication with libmilter ("cork" on Linux), + which may improve the communication performance on some + operating systems. Patch from John Gardiner Myers of + Proofpoint. + If sendmail received input that contained a CR without subsequent LF + (thus violating RFC 2821 (2.3.7)), it could previously + generate an additional blank line in the output as the last + line. + Restarting persistent queue runners by sending a HUP signal to + the "queue control process" (QCP) works now. + Increase the length of an input line to 12288 to deal with + really long lines during SMTP AUTH negotiations. + Problem noted by Werner Wiethege. + If ARPANET mode (-ba) was selected STARTTLS would fail (due to + a missing initialization call for that case). Problem + noted by Neil Rickert of Northern Illinois University. + If sendmail is linked against a library that initializes Cyrus-SASL + before sendmail did it (such as libnss-ldap), then SMTP AUTH + could fail for the sendmail client. A patch by Moritz Both + works around the API design flaw of Cyrus-SASLv2. + CONFIG: Make it possible to unset the StatusFile option by + undefining STATUS_FILE. By not setting StatusFile, + the MTA will not attempt to open a statistics file on + each delivery. + CONFIG: New FEATURE(`require_rdns') to reject messages from SMTP + clients whose IP address does not have proper reverse DNS. + Contributed by Neil Rickert of Northern Illinois University + and John Beck of Sun Microsystems. + CONFIG: New FEATURE(`block_bad_helo') to reject messages from SMTP + clients which provide a HELO/EHLO argument which is either + unqualified, or is one of our own names (i.e., the server + name instead of the client name). Contributed by Neil + Rickert of Northern Illinois University and John Beck of + Sun Microsystems. + CONFIG: New FEATURE(`badmx') to reject envelope sender addresses + (MAIL) whose domain part resolves to a "bad" MX record. + Based on contribution from William Dell Wisner. + CONFIG: New macros SMTP_MAILER_LL and RELAY_MAILER_LL to override + the maximum line length of the smtp mailers. + CONFIG: New option `relaytofulladdress' for FEATURE(`access_db') + to allow entries in the access map to be of the form + To:user@example.com RELAY + CONFIG: New subsuboptions eoh and data to specify the list of + macros a milter should receive at those stages in the + SMTP dialogue. + CONFIG: New option confHELO_NAME for HeloName to set the name + for the HELO/EHLO command. + CONFIG: dnsbl and enhdnsbl can now also discard or quarantine + messages by using those values as second argument. + Patches from Nelson Fung. + CONTRIB: cidrexpand uses a hash symbol as comment character and + ignores everything after it unless it is in quotes or + preceeded by a backslash. + DEVTOOLS: New macro confMKDIR: if set to a program that creates + directories, then it used for "make install" to create + the required installation directories. + DEVTOOLS: New macro confCCLINK to specify the linker to use for + executables (defaults to confCC). + LIBMILTER: A new version of the milter API has been created that + has several changes which are listed below and documented + in the webpages reachable via libmilter/docs/index.html. + LIBMILTER: The meaning of the version macro SMFI_VERSION has been + changed. It now refers only to the version of libmilter, + not to the protocol version (which is used only internally, + it is not user/milter-programmer visible). Additionally, + a version function smfi_version() has been introduced such + that a milter program can check the libmilter version also + at runtime which is useful if a shared library is used. + LIBMILTER: A new callback xxfi_negotiate() can be used to + dynamically (i.e., at runtime) determine the available + protocol actions and features of the MTA and also to + specify which of these a milter wants to use. This allows + for more flexibility than hardcoding these flags in the + xxfi_flags field of the smfiDesc structure. + LIBMILTER: A new callback xxfi_data() is available so milters + can act on the DATA command. + LIBMILTER: A new callback xxfi_unknown() is available so milters + can receive also unknown SMTP commands. + LIBMILTER: A new return code SMFIS_NOREPLY has been added which + can be used by the xxfi_header() callback provided the + milter requested the SMFIP_NOHREPL protocol action. + LIBMILTER: The new return code SMFIS_SKIP can be used in the + xxfi_body() callback to skip over further body chunks + and directly advance to the xxfi_eom() callback. This + is useful if a milter can make a decision based on the + body chunks it already received without reading the entire + rest of the body and the milter wants to invoke functions + that are only available from the xxfi_eom() callback. + LIBMILTER: A new function smfi_addrcpt_par() can be used to add + new recipients including ESMTP parameters. + LIBMILTER: A new function smfi_chgfrom() can be used to change the + envelope sender including ESMTP parameters. + LIBMILTER: A milter can now request to be informed about rejected + recipients (RCPT) too. This requires to set the protocol + flag SMFIP_RCPT_REJ during option negotiation. Whether + a RCPT has been rejected can be checked by comparing the + value of the macro {rcpt_mailer} with "error". + LIBMILTER: A milter can now override the list of macros that it + wants to receive from the MTA for each protocol step + by invoking the function smfi_setsymlist() during option + negotiation. + LIBMILTER: A milter can receive header field values with all + leading spaces by requesting the SMFIP_HDR_LEADSPC + protocol action. Also, if the flag is set then the MTA + does not add a leading space to headers that are added, + inserted, or replaced. + LIBMILTER: If a milter sets the reply code to "421" for the HELO + callback, the SMTP server will terminate the SMTP session + with that error to match the behavior of all other callbacks. + New Files: + cf/feature/badmx.m4 + cf/feature/block_bad_helo.m4 + cf/feature/require_rdns.m4 + devtools/M4/UNIX/check.m4 + include/sm/misc.h + include/sm/sendmail.h + include/sm/tailq.h + libmilter/docs/smfi_addrcpt_par.html + libmilter/docs/smfi_setsymlist.html + libmilter/docs/xxfi_data.html + libmilter/docs/xxfi_negotiate.html + libmilter/docs/xxfi_unknown.html + libmilter/example.c + libmilter/monitor.c + libmilter/worker.c + libsm/memstat.c + libsm/t-memstat.c + libsm/t-qic.c + libsm/util.c + sendmail/daemon.h + sendmail/map.h + +8.13.8/8.13.8 2006/08/09 + Fix a regression in 8.13.7: if shared memory is activated, then + the server can erroneously report that there is + insufficient disk space. Additionally make sure that + an internal variable is set properly to avoid those + misleading errors. Based on patch from Steve Hubert + of University of Washington. + Fix a regression in 8.13.7: the PidFile could be removed after + the process that forks the daemon exited, i.e., if + sendmail -bd is invoked. Problem reported by Kan Sasaki + of Fusion Communications Corp. and Werner Wiethege. + Avoid opening qf files if QueueSortOrder is "none". Patch from + David F. Skoll. + Avoid a crash when finishing due to referencing a freed variable. + Problem reported and diagnosed by Moritz Jodeit. + CONTRIB: cidrexpand now deals with /0 by issuing the entire IPv4 + range (0..255). + LIBMILTER: The "hostname" argument of the xxfi_connect() callback + previously was the equivalent of {client_ptr}. However, + this did not match the documentation of the function, hence + it has been changed to {client_name}. See doc/op/op.* + about these macros. + +8.13.7/8.13.7 2006/06/14 + A malformed MIME structure with many parts can cause sendmail to + crash while trying to send a mail due to a stack overflow, + e.g., if the stack size is limited (ulimit -s). This + happens because the recursion of the function mime8to7() + was not restricted. The function is called for MIME 8 to + 7 bit conversion and also to enforce MaxMimeHeaderLength. + To work around this problem, recursive calls are limited to + a depth of MAXMIMENESTING (20); message content after this + limit is treated as opaque and is not checked further. + Problem noted by Frank Sheiness. + The changes to the I/O layer in 8.13.6 caused a regression for + SASL mechanisms that use the security layer, e.g., + DIGEST-MD5. Problem noted by Robert Stampfli. + If a timeout occurs while reading a message (during the DATA phase) + a df file might have been left behind in the queue. + This was another side effect of the changes to the I/O + layer made in 8.13.6. + Several minor problems have been fixed that were found by a + Coverity scan of sendmail 8 as part of the NetBSD + distribution. See http://scan.coverity.com/ + Note: the scan generated also a lot of "false positives", + e.g., "error" reports about situations that cannot happen. + Most of those code places are marked with lint(1) comments + like NOTREACHED, but Coverity does not understand those. + Hence an explicit assertion has been added in some cases + to avoid those false positives. + If the start of the sendmail daemon fails due to a configuration + error then in some cases shared memory segments or pid + files were not removed. + If DSN support is disabled via access_db, then related ESMTP + parameters for MAIL and RCPT should be rejected. Problem + reported by Akihiro Sagawa. + Enabling zlib compression in OpenSSL 0.9.8[ab] breaks the padding + bug work-around. Hence if sendmail is linked against + either of these versions and compression is available, + the padding bug work-around is turned off. Based on + patch from Victor Duchovni of Morgan Stanley. + CONFIG: FEATURE(`dnsbl') and FEATURE(`enhdnsbl') used + blackholes.mail-abuse.org as default domain for lookups, + however, that list is no longer available. To avoid + further problems, no default value is available anymore, + but an argument must be specified. + Portability: + Fix compilation on OSF/1 for sfsasl.c. Patch from + Pieter Bowman of the University of Utah. + +8.13.6/8.13.6 2006/03/22 + SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server + and client side of sendmail with timeouts in the libsm I/O + layer and fix problems in that code. Also fix handling of + a buffer in sm_syslog() which could have been used as an + attack vector to exploit the unsafe handling of + setjmp(3)/longjmp(3) in combination with signals. + Problem detected by Mark Dowd of ISS X-Force. + Handle theoretical integer overflows that could triggered if + the server accepted headers larger than the maximum + (signed) integer value. This is prevented in the default + configuration by restricting the size of a header, and on + most machines memory allocations would fail before reaching + those values. Problems found by Phil Brass of ISS. + If a server returns 421 for an RSET command when trying to start + another transaction in a session while sending mail, do + not trigger an internal consistency check. Problem found + by Allan E Johannesen of Worcester Polytechnic Institute. + If a server returns a 5xy error code (other than 501) in response + to a STARTTLS command despite the fact that it advertised + STARTTLS and that the code is not valid according to RFC + 2487 treat it nevertheless as a permanent failure instead + of a protocol error (which has been changed to a + temporary error in 8.13.5). Problem reported by Jeff + A. Earickson of Colby College. + Clear SMTP state after a HELO/EHLO command. Patch from John + Myers of Proofpoint. + Observe MinQueueAge option when gathering entries from the queue + for sorting etc instead of waiting until the entries are + processed. Patch from Brian Fundakowski Feldman. + Set up TLS session cache to properly handle clients that try to + resume a stored TLS session. + Properly count the number of (direct) child processes such that + a configured value (MaxDaemonChildren) is not exceeded. + Based on patch from Attila Bruncsak. + LIBMILTER: Remove superfluous backslash in macro definition + (libmilter.h). Based on patch from Mike Kupfer of + Sun Microsystems. + LIBMILTER: Don't try to set SO_REUSEADDR on UNIX domain sockets. + This generates an error message from libmilter on + Solaris, though other systems appear to just discard the + request silently. + LIBMILTER: Deal with sigwait(2) implementations that return + -1 and set errno instead of returning an error code + directly. Patch from Chris Adams of HiWAAY Informations + Services. + Portability: + Fix compilation checks for closefrom(3) and statvfs(2) + in NetBSD. Problem noted by S. Moonesamy, patch from + Andrew Brown. + +8.13.5/8.13.5 2005/09/16 + Store the filesystem identifier of the df/ subdirectory (if it + exists) in an internal structure instead of the base + directory. This structure is used decide whether there + is enough free disk space when selecting a queue, hence + without this change queue selection could fail if a df/ + subdirectory exists and is on a different filesystem + than the base directory. + Use the queue index of the df file (instead of the qf file) for + checking whether a link(2) operation can be used to split + an envelope across queue groups. Problem found by + Werner Wiethege. + If the list of items in the queue is larger than the maximum + number of items to process, sort the queue first and + then cut the list off instead of the other way around. + Patch from Matej Vela of Rudjer Boskovic Institute. + Fix helpfile to show full entry for ETRN. Problem noted by + Penelope Fudd, patch from Neil Rickert of Northern Illinois + University. + FallbackSmartHost should also be tried on temporary errors. + From John Beck of Sun Microsystems. + When a server responds with 421 to the STARTTLS command then treat + it as a temporary error, not as protocol error. Problem + noted by Andrey J. Melnikoff. + Properly define two functions in libsm as static because their + prototype used static too. Patch from Peter Klein. + Fix syntax errors in helpfile for MAIL and RCPT commands. + LIBMILTER: When smfi_replacebody() is called with bodylen equals + zero then do not silently ignore that call. Patch from + Gurusamy Sarathy of Active State. + LIBMILTER: Recognize "421" also in a multi-line reply to terminate + the SMTP session with that error. Fix from Brian Kantor. + Portability: New option HASSNPRINTF which can be set if the OS + has a properly working snprintf(3) to get rid + of the last two (safe) sprintf(3) calls in the + source code. + Add support for AIX 5.3. + Add support for SunOS 5.11 (aka Solaris 11). + Add support for Darwin 8.x. Patch from Lyndon Nerenberg. + OpenBSD 3.7 has removed support for NETISO. + CONFIG: Add OSTYPE(freebsd6) for FreeBSD 6.X. + Set DontBlameSendmail to AssumeSafeChown and + GroupWritableDirPathSafe for OSTYPE(darwin). + Patch from Lyndon Nerenberg. + Some features still used 4.7.1 as enhanced status code which + was supposed to be eliminated in 8.13.0 because some + broken systems misinterpret it as a permanent error. + Patch from Matej Vela of Rudjer Boskovic Institute. + Some default values in a generated cf file did not match + the defaults in the sendmail binary. Problem noted + by Mike Pechkin. + New Files: + cf/ostype/freebsd6.m4 + devtools/OS/AIX.5.3 + devtools/OS/Darwin.8.x + devtools/OS/SunOS.5.11 + include/sm/time.h + +8.13.4/8.13.4 2005/03/27 + The bug fixes in 8.13.3 for connection handling uncovered a + different error which could result in connections that + stay in CLOSE_WAIT state due to a variable that was not + properly initialized. Problem noted by Michael Sims. + Deal with empty hostnames in hostsignature(). This bug could lead + to an endless loop when doing LMTP deliveries to another + host. Problem first reported by Martin Lathoud and + tracked down by Gael Roualland. + Make sure return parameters are initialized in getmxrr(). Problem + found by Gael Roualland using valgrind. + If shared memory is used and the RunAsUser option is set, then the + owner and group of the shared memory segment is set to + the ids specified RunAsUser and the access mode is set + to 0660 to allow for updates by sendmail processes. + The number of queue entries that is (optionally) kept in shared + memory was wrong in some cases, e.g., envelope splitting + and bounce generation. + Undo a change made in 8.13.0 to silently truncate long strings + in address rewriting because the message can be triggered + for header checks where long strings are legitimate. + Problem reported by Mary Verge DeSisto, and tracked + down with the help of John Beck of Sun Microsystems. + The internal stab map did not obey the -m flag. Patch from + Rob McMahon of Warwick University, England. + The socket map did not obey the -f flag. Problem noted by + Dan Ringdahl, forwarded by Andrzej Filip. + The addition of LDAP recursion in 8.13.0 broke enforcement of + the LDAP map -1 argument which tells the MTA to only + return success if and only if a single LDAP match is found. + Add additional error checks in the MTA for milter communication + to avoid a possible segmentation fault. Based on patch + by Joe Maimon. + Do not trigger an assertion if X509_digest() returns success but + does not assign a value to its output parameter. Based + on patch by Brian Kantor. + Add more checks when resetting internal AUTH data (applies only + to Cyrus SASL version 2). Otherwise an SMTP session might + be dropped after an AUTH failure. + Portability: + Add LA_LONGLONG as valid LA_TYPE type for systems that use + "long long" to read load average data, e.g., + AIX 5.1 in 32 bit mode. Note: this has to be set + "by hand", it is not (yet) automatically detected. + Problem noted by Burak Bilen. + Use socklen_t for accept(), etc. on AIX 5.x. This should + fix problems when compiling in 64 bit mode. + Problem first reported by Harry Meiert of + University of Bremen. + New Files: + include/sm/sem.h + libsm/sem.c + libsm/t-sem.c + +8.13.3/8.13.3 2005/01/11 + Enhance handling of I/O errors, especially EOF, when STARTTLS + is active. + Make sure a connection is not reused after it has been closed + due to a 421 error. Problem found by Allan E Johannesen + of Worcester Polytechnic Institute. + Avoid triggering an assertion when sendmail is interrupted while + closing a connection. Problem found by Allan E Johannesen + of Worcester Polytechnic Institute. + Regression: a change in 8.13.2 caused sendmail not to try the + next MX host (or FallbackMXhost if configured) when, at + connection open, the current server returns a 4xy or 5xy + SMTP reply code. Problem noted by Mark Tranchant. + +8.13.2/8.13.2 2004/12/15 + Do not split the first header even if it exceeds the internal + buffer size. Previously a part of such a header would + end up in the body of the message. Problem noted by + Simple Nomad of BindView. + Do not complain about "cataddr: string too long" when checking + headers that do not contain RFC 2822 addresses. + Problem noted by Rich Graves of Brandeis University. + If a server returns a 421 reply to the RSET command between + message deliveries, do not attempt to deliver any more + messages on that connection. This prevents bogus "Bad + file number" recipient status. Problem noted by + Allan E Johannesen of Worcester Polytechnic Institute. + Allow trailing white space in EHLO command as recommended by RFC + 2821. Problem noted by Ralph Santagato of SBC Services. + Deal with clients which use AUTH but negotiate a smaller buffer size + for data exchanges than the value used by sendmail, e.g., + Cyrus IMAP lmtp server. Based on patch by Jamie Clark. + When passing ESMTP arguments for RCPT to a milter, do not cut + them off at a comma. Problem noted by Krzysztof Oledzki. + Add more logging to milter change header functions to + complement existing logging. Based on patch from + Gurusamy Sarathy of Active State. + Include <lber.h> in include/sm/config.h when LDAPMAP is defined. + Patch from Edgar Hoch of the University of Stuttgart. + Fix DNS lookup if IPv6 is enabled when converting an IP address + to a hostname for use with SASL. Problem noted by Ken Jones; + patch from Hajimu UMEMOTO. + CONFIG: For consistency enable MODIFY_MAILER_FLAGS for the prog + mailer. Patch from John Beck of Sun Microsystems. + LIBMILTER: It was possible that xxfi_abort() was called after + xxfi_eom() for a message if some timeouts were triggered. + Patch from Alexey Kravchuk. + LIBMILTER: Slightly rearrange mutex use in listener.c to allow + different threads to call smfi_opensocket() and smfi_main(). + Patch from Jordan Ritter of Cloudmark. + MAIL.LOCAL: Properly terminate MBDB before exiting. Problem + noted by Nelson Fung. + MAIL.LOCAL: make strip-mail.local used a wrong path to access + mail.local. Problem noted by William Park. + VACATION: Properly terminate MBDB before exiting. Problem noted + by Nelson Fung. + Portability: + Add support for DragonFly BSD. + New Files: + cf/ostype/dragonfly.m4 + devtools/OS/DragonFly + include/sm/os/sm_os_dragonfly.h + Deleted Files: + libsm/vsscanf.c + +8.13.1/8.13.1 2004/07/30 + Using the default AliasFile ldap: specification would cause the + objectClasses of the LDAP response to be included in the + alias expansion. Problem noted by Brenden Conte of + Rensselaer Polytechnic Institute. + Fix support for a fallback smart host for system where DNS is + (partially) available. From John Beck of Sun Microsystems. + Fix SuperSafe=PostMilter behavior when a milter replaces a body + but the data file is not yet stored on disk because it is + smaller than the size of the memory buffer. Problem noted + by David Russell. + Fix certificate revocation list support; if a CRL was specified + but the other side presented a cert that was signed by + a different (trusted) CA than the one which issued the CRL, + verification would always fail. Problem noted by Al Smith. + Run mailer programs as the RunAsUser when RunAsUser is set and + the F=S mailer flag is set without a U= mailer equate. + Problem noted by John Gardiner Myers of Proofpoint. + ${nbadrcpts} was off by one if BadRcptThrottle is zero. + Patch from Sung-hoon Choi of DreamWiz Inc. + CONFIG: Emit a warning if FEATURE(`access_db') is used after + FEATURE(`greet_pause') because then the latter will not + use the access map. Note: if no default value is given + for FEATURE(`greet_pause') then it issues an error if + FEATURE(`access_db') is not specified before it. + Problem noted by Alexander Dalloz of University of + Bielefeld. + CONFIG: Invoke ruleset Local_greet_pause if FEATURE(`greet_pause') + is used to give more flexibility for local changes. + Portability: + Fix a 64 bit problem in the socket map code. Problem + noted by Geoff Adams. + NetBSD 2.0F has closefrom(3). Patch from Andrew Brown. + NetBSD can use sysctl(3) to get the number of CPUs in + a system. Patch from Andrew Brown. + Add a README file in doc/op/ to explain potential + incompatibilities with various *roff related + tools. Problem tracked down by Per Hedeland. + New Files: + doc/op/README + +8.13.0/8.13.0 2004/06/20 + Do not include AUTH data in a bounce to avoid leaking confidential + information. See also cf/README about MSP and the section + "Providing SMTP AUTH Data when sendmail acts as Client". + Problem noted by Neil Rickert of Northern Illinois + University. + Fix compilation error in libsm/clock.c for -D_FFR_SLEEP_USE_SELECT=n + and -DSM_CONF_SETITIMER=0. Problem noted by Juergen Georgi + of RUS University of Stuttgart. + Fix bug in conversion from 8bit to quoted-printable. Problem found + by Christof Haerens, patch from Per Hedeland. + Add support for LDAP recursion based on types given to attribute + specifications in an LDAP map definition. This allows + LDAP queries to return a new query, a DN, or an LDAP + URL which will in turn be queried. See the ``LDAP + Recursion'' section of doc/op/op.me for more information. + Based on patch from Andrew Baucom. + Extend the default LDAP specifications for AliasFile + (O AliasFile=ldap:) and file classes (F{X}@LDAP) to + include support for LDAP recursion via new attributes. + See ``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section + of cf/README for more information. + New option for LDAP maps: the -w option allows you to specify the + LDAP API/protocol version to use. The default depends on + the LDAP library. + New option for LDAP maps: the -H option allows you to specify an + LDAP URI instead of specifying the LDAP server via -h host + and -p port. This also allows for the use of LDAP over + SSL and connections via named sockets if your LDAP + library supports it. + New compile time flag SM_CONF_LDAP_INITIALIZE: set this if + ldap_initialize(3) is available (and LDAPMAP is set). + If MaxDaemonChildren is set and a command is repeated too often + during a SMTP session then terminate it just like it is + done for too many bad SMTP commands. + Basic connection rate control support has been added: the daemon + maintains the number of incoming connections per client + IP address and total in the macros {client_rate} and + {total_rate}, respectively. These macros can be used + in the cf file to impose connection rate limits. + A new option ConnectionRateWindowSize (default: 60s) + determines the length of the interval for which the + number of connections is stored. Based on patch from + Jose Marcio Martins da Cruz, Ecole des Mines de Paris. + Add optional protection from open proxies and SMTP slammers which + send SMTP traffic without waiting for the SMTP greeting. + If enabled by the new ruleset greet_pause (see + FEATURE(`greet_pause')), sendmail will wait the specified + amount of time before sending the initial 220 SMTP + greeting. If any traffic is received before then, a 554 + SMTP response is sent and all SMTP commands are rejected + during that connection. + If 32 NOOP (or unknown/bad) commands are issued by a client the SMTP + server could sleep for a very long time. Fix based on + patch from Tadashi Kobayashi of IIJ. + Fix a potential memory leak in persistent queue runners if the + number of entries in the queue exceeds the limit of jobs. + Problem noted by Steve Hubert of University of Washington. + Do not use 4.7.1 as enhanced status code because some broken systems + misinterpret it as a permanent error. + New value for SuperSafe: PostMilter which will delay fsync() until + all milters accepted the mail. This can increase + performance if many mails are rejected by milters due to + body scans. Based on patch from David F. Skoll. + New macro {msg_id} which contains the value of the Message-Id: + header, whether provided by the client or generated by + sendmail. + New macro {client_connections} which contains the number of open + connections in the SMTP server for the client IP address. + Based on patch from Jose Marcio Martins da Cruz, Ecole des + Mines de Paris. + sendmail will now remove its pidfile when it exits. This was done + to prevent confusion caused by running sendmail stop + scripts two or more times, where the second and subsequent + runs would report misleading error messages about sendmail's + pid no longer existing. See section 1.3.15 of doc/op/op.me + for a discussion of the implications of this, including + how to correct broken scripts which may have depended on + the old behavior. From John Beck of Sun Microsystems. + Support per-daemon input filter lists which override the default + filter list specified in InputMailFilters. The filters + can be listed in the I= equate of DaemonPortOptions. + Do not add all domain prefixes of the hostname to class 'w'. If + your configuration relies on this behavior, you have to + add those names to class 'w' yourself. Problem noted + by Sander Eerkes. + Support message quarantining in the mail queue. Quarantined + messages are not run on normal queue displays or runs + unless specifically requested with -qQ. Quarantined queue + files are named with an hf prefix instead of a qf prefix. + The -q command line option now can specify which queue to display + or run. -qQ operates on quarantined queue items. -qL + operates on lost queue items. + Restricted mail queue runs and displays can be done based on the + quarantined reason using -qQtext to run or display + quarantined items if the quarantine reason contains the + given text. Similarly, -q!Qtext will run or display + quarantined items which do not have the given text in the + quarantine reason. + Items in the queue can be quarantined or unquarantined using the + new -Q option. See doc/op/op.me for more information. + When displaying the quarantine mailq with 'mailq -qQ', the + quarantine reason is shown in a new line prefixed by + "QUARANTINE:". + A new error code for the $#error mailer, $@ quarantine, can be used + to quarantine messages in check_* (except check_compat) and + header check rulesets. The $: of the mailer triplet will + be used for the quarantine reason. + Add a new quarantine count to the mailstats collected. + Add a new macro ${quarantine} which is the quarantine reason for a + message if it is quarantined. + New map type "socket" for a trivial query protocol over UNIX domain + or TCP sockets (requires compile time option SOCKETMAP). + See sendmail/README and doc/op/op.me for details as well as + socketmapServer.pl and socketmapClient.pl in contrib. + Code donated by Bastiaan Bakker of LifeLine Networks. + Define new macro ${client_ptr} which holds the result of the PTR + lookup for the client IP address. Note: this is the same + as ${client_name} if and only if ${client_resolve} is OK. + Add a new macro ${nbadrcpts} which contains the number of bad + recipients received so far in a transaction. + Call check_relay with the value of ${client_name} to deal with bogus + DNS entries. See also FEATURE(`use_client_ptr'). Problem + noted by Kai Schlichting. + Treat Delivery-Receipt-To: headers the same as Return-Receipt-To: + headers (turn them into DSNs). Delivery-Receipt-To: is + apparently used by SIMS (Sun Internet Mail System). + Enable connection caching for LPC mailers. Patch from Christophe + Wolfhugel of France Telecom Oleane. + Do not silently truncate long strings in address rewriting. + Add support for Cyrus SASL version 2. From Kenneth Murchison of + Oceana Matrix Ltd. + Add a new AuthOption=m flag to require the use of mechanisms which + support mutual authentication. From Kenneth Murchison of + Oceana Matrix Ltd. + Fix logging of TLS related problems (introduced in 8.12.11). + The macros {auth_author} and {auth_authen} are stored in xtext + format just like the STARTTLS related macros to avoid + problems with parsing them. Problem noted by Pierangelo + Masarati of SysNet s.n.c. + New option AuthRealm to set the authentication realm that is + passed to the Cyrus SASL library. Patch from Gary Mills + of the University of Manitoba. + Enable AUTH mechanism EXTERNAL if STARTTLS verification was + successful, otherwise relaying would be allowed if + EXTERNAL is listed in TRUST_AUTH_MECH() and STARTTLS + is active. + Add basic support for certificate revocation lists. Note: if a + CRLFile is specified but the file is unusable, STARTTLS + is disabled. Based on patch by Ralf Hornik. + Enable workaround for inconsistent Cyrus SASLv1 API for mechanisms + DIGEST-MD5 and LOGIN. + Write pid to file also if sendmail only acts as persistent queue + runner. Proposed by Gary Mills of the University of Manitoba. + Keep daemon pid file(s) locked so other daemons don't try to + overwrite each other's pid files. + Increase maximum length of logfile fields for {cert_subject} and + {cert_issuer} from 128 to 256. Requested by Christophe + Wolfhugel of France Telecom. + Log the TLS verification message on the STARTTLS= log line at + LogLevel 12 or higher. + If the MSP is invoked with the verbose option (-v) then it will + try to use the SMTP command VERB to propagate this option + to the MTA which in turn will show the delivery just like + it was done before the default 8.12 separation of MSP and + MTA. Based on patch by Per Hedeland. + If a daemon is refusing connections for longer than the time specified + by the new option RejectLogInterval (default: 3 hours) due + to high load, log this information. Patch from John Beck + of Sun Microsystems. + Remove the ability for non-trusted users to raise the value of + CheckpointInterval on the command line. + New mailer flag 'B' to strip leading backslashes, which is a + subset of the functionality of the 's' flag. + New mailer flag 'W' to ignore long term host status information. + Patch from Juergen Georgi of RUS University of Stuttgart. + Enable generic mail filter API (milter) by default. To turn + it off, add -DMILTER=0 to the compile time options. + An internal SMTP session discard flag was lost after an RSET/HELO/EHLO + causing subsequent messages to be sent instead of being + discarded. This also caused milter callbacks to be called + out of order after the SMTP session was reset. + New option RequiresDirfsync to turn off the compile time flag + REQUIRES_DIR_FSYNC at runtime. See sendmail/README for + further information. + New command line option -D logfile to send debug output to + the indicated log file instead of stdout. + Add Timeout.queuereturn.dsn and Timeout.queuewarn.dsn to control + queue return and warning times for delivery status + notifications. + New queue sort order option: 'n'one for not sorting the queue entries + at all. + Several more return values for ruleset srv_features have been added + to enable/disable certain features in the server per + connection. See doc/op/op.me for details. + Support for SMTP over SSL (smtps), activated by Modifier=s + for DaemonPortOptions. + Continue with DNS lookups on ECONNREFUSED and TRY_AGAIN when + trying to canonify hostnames. Suggested by Neil Rickert + of Northern Illinois University. + Add support for a fallback smart host (option FallbackSmartHost) to + be tried as a last resort after all other fallbacks. This + is designed for sites with partial DNS (e.g., an accurate + view of inside the company, but an incomplete view of + outside). From John Beck of Sun Microsystems. + Enable timeout for STARTTLS even if client does not start the TLS + handshake. Based on patch by Andrey J. Melnikoff. + Remove deprecated -v option for PH map, use -k instead. Patch from + Mark Roth of the University of Illinois at Urbana-Champaign. + libphclient is version 1.2.x by default, if version 1.1.x is required + then compile with -DNPH_VERSION=10100. Patch from Mark Roth + of the University of Illinois at Urbana-Champaign. + Add Milter.macros.eom, allowing macros to be sent to milter + applications for use in the xxfi_eom() callback. + New macro {time} which contains the output of the time(3) function, + i.e., the number of seconds since 0 hours, 0 minutes, + 0 seconds, January 1, 1970, Coordinated Universal Time (UTC). + If check_relay sets the reply code to "421" the SMTP server will + terminate the SMTP session with a 421 error message. + Get rid of dead code that tried to access the environment variable + HOSTALIASES. + Deprecate the use of ErrorMode=write. To enable this in 8.13 + compile with -DUSE_TTYPATH=1. + Header check rulesets using $>+ (do not strip comments) will get + the header value passed in without balancing quotes, + parentheses, and angle brackets. Based on patch from + Oleg Bulyzhin. + Do not complain and fix up unbalanced quotes, parentheses, and + angle brackets when reading in rulesets. This allows + rules to be written for header checks to catch strings + that contain quotes, parentheses, and/or angle brackets. + Based on patch from Oleg Bulyzhin. + Do not close socket when accept(2) in the daemon encounters + some temporary errors like ECONNABORTED. + Added list of CA certificates that are used by members of the + sendmail consortium, see CACerts. + Portability: + Two new compile options have been added: + HASCLOSEFROM System has closefrom(3). + HASFDWALK System has fdwalk(3). + Based on patch from John Beck of Sun Microsystems. + The Linux kernel version 2.4 series has a broken flock() so + change to using fcntl() locking until they can fix + it. Be sure to update other sendmail related + programs to match locking techniques. + New compile time option NEEDINTERRNO which should be set + if <errno.h> does not declare errno itself. + Support for UNICOS/mk and UNICOS/mp added, some changes for + UNICOS. Patches contributed by Aaron Davis and + Brian Ginsbach, Cray Inc., and Manu Mahonen of + Center for Scientific Computing. + Add support for Darwin 7.0/Mac OS X 10.3 (a.k.a. Panther). + Extend support to Darwin 7.x/Mac OS X 10.3 (a.k.a. Panther). + Remove path from compiler definition for Interix because + Interix 3.0 and 3.5 put gcc in different locations. + Also use <sys/mkdev.h> to get the correct + major()/minor() definitions. Based on feedback + from Mark Funkenhauser. + CONFIG: Add support for LDAP recursion to the default LDAP searches + for maps via new attributes. See the ``USING LDAP FOR + ALIASES, MAPS, and CLASSES'' section of cf/README and + cf/sendmail.schema for more information. + CONFIG: Make sure confTRUSTED_USER is valid even if confRUN_AS_USER + is of the form "user:group" when used for submit.mc. + Problem noted by Carsten P. Gehrke, patch from Neil Rickert + of Northern Illinois University. + CONFIG: Add a new access DB value of QUARANTINE:reason which + instructs the check_* (except check_compat) to quarantine + the message using the given reason. + CONFIG: Use "dns -R A" as map type for dnsbl (just as for enhdnsbl) + instead of "host" to avoid problem with looking up other + DNS records than just A. + CONFIG: New option confCONNECTION_RATE_WINDOW_SIZE to define the + length of the interval for which the number of incoming + connections is maintained. + CONFIG: New FEATURE(`ratecontrol') to set the limits for connection + rate control for individual hosts or nets. + CONFIG: New FEATURE(`conncontrol') to set the limits for the + number of open SMTP connections for individual hosts or nets. + CONFIG: New FEATURE(`greet_pause') enables open proxy and SMTP + slamming protection described above. The feature can + take an argument specifying the milliseconds to wait and/or + use the access database to look the pause time based on + client hostname, domain, IP address, or subnet. + CONFIG: New FEATURE(`use_client_ptr') to have check_relay use + $&{client_ptr} as its first argument. This is useful for + rejections based on the unverified hostname of client, + which turns on the same behavior as in earlier sendmail + versions when delay_checks was not in use. See also entry + above about check_relay being invoked with ${client_name}. + CONFIG: New option confREJECT_LOG_INTERVAL to specify the log + interval when refusing connections for this long. + CONFIG: Remove quotes around usage of confREJECT_MSG; in some cases + this requires a change in a mc file. Requested by + Ted Roberts of Electronic Data Systems. + CONFIG: New option confAUTH_REALM to set the authentication realm + that is passed to the Cyrus SASL library. Patch from + Gary Mills of the University of Manitoba. + CONFIG: Rename the (internal) classes {tls}/{src} to {Tls}/{Src} + to follow the naming conventions. + CONFIG: Add a third optional argument to local_lmtp to specify + the A= argument. + CONFIG: Remove the f flag from the default mailer flags of + local_lmtp. + CONFIG: New option confREQUIRES_DIR_FSYNC to turn off the compile + time flag REQUIRES_DIR_FSYNC at runtime. + CONFIG: New LOCAL_UUCP macro to insert rules into the generated + cf file at the same place where MAILER(`uucp') inserts + its rules. + CONFIG: New options confTO_QUEUERETURN_DSN and confTO_QUEUEWARN_DSN + to control queue return and warning times for delivery + status notifications. + CONFIG: New option confFALLBACK_SMARTHOST to define FallbackSmartHost. + CONFIG: Add the mc file which has been used to create the cf + file to the end of the cf file when using make in cf/cf/. + Patch from Richard Rognlie. + CONFIG: FEATURE(nodns) has been removed, it was a no-op since 8.9. + Use ServiceSwitchFile to turn off DNS lookups, see + doc/op/op.me. + CONFIG: New option confMILTER_MACROS_EOM (sendmail Milter.macros.eom + option) defines macros to be sent to milter applications for + use in the xxfi_eom() callback. + CONFIG: New option confCRL to specify file which contains + certificate revocations lists. + CONFIG: Add a new value (sendertoo) for the third argument to + FEATURE(`ldap_routing') which will reject the SMTP + MAIL From: command if the sender address doesn't exist + in LDAP. See cf/README for more information. + CONFIG: Add a fifth argument to FEATURE(`ldap_routing') which + instructs the rulesets on whether or not to do a domain + lookup if a full address lookup doesn't match. See cf/README + for more information. + CONFIG: Add a sixth argument to FEATURE(`ldap_routing') which + instructs the rulesets on whether or not to queue the mail + or give an SMTP temporary error if the LDAP server can't be + reached. See cf/README for more information. Based on + patch from Billy Ray Miller of Caterpillar. + CONFIG: Experimental support for MTAMark, see cf/README for details. + CONFIG: New option confMESSAGEID_HEADER to define a different + Message-Id: header format. Patch from Bastiaan Bakker + of LifeLine Networks. + CONTRIB: New version of cidrexpand which uses Net::CIDR. From + Derek J. Balling. + CONTRIB: oldbind.compat.c has been removed due to security problems. + Found by code inspection done by Reasoning, Inc. + DEVTOOLS: Add an example file for devtools/Site/, contributed + by Neil Rickert of Northern Illinois University. + LIBMILTER: Add new function smfi_quarantine() which allows the + filter's EOM routine to quarantine the current message. + Filters which use this function must include the + SMFIF_QUARANTINE flag in the registered smfiDesc structure. + LIBMILTER: If a milter sets the reply code to "421", the SMTP server + will terminate the SMTP session with that error. + LIBMILTER: Upon filter shutdown, libmilter will not remove a + named socket in the file system if it is running as root. + LIBMILTER: Add new function smfi_progress() which allows the filter + to notify the MTA that an EOM operation is still in progress, + resetting the timeout. + LIBMILTER: Add new function smfi_opensocket() which allows the filter + to attempt to establish the interface socket, and detect + failure to do so before calling smfi_main(). + LIBMILTER: Add new function smfi_setmlreply() which allows the + filter to return a multi-line SMTP reply. + LIBMILTER: Deal with more temporary errors in accept() by ignoring + them instead of stopping after too many occurred. + Suggested by James Carlson of Sun Microsystems. + LIBMILTER: Fix a descriptor leak in the sample program found in + docs/sample.html. Reported by Dmitry Adamushko. + LIBMILTER: The sample program also needs to use SMFIF_ADDRCPT. + Reported by Carl Byington of 510 Software Group. + LIBMILTER: Document smfi_stop() and smfi_setdbg(). Patches + from Bryan Costales. + LIBMILTER: New compile time option SM_CONF_POLL; define this if + poll(2) should be used instead of select(2). + LIBMILTER: New function smfi_insheader() and related protocol + amendments to support header insertion operations. + MAIL.LOCAL: Add support for hashed mail directories, see + mail.local/README. Contributed by Chris Adams of HiWAAY + Informations Services. + MAILSTATS: Display quarantine message counts. + MAKEMAP: Add new flag -D to specify the comment character to use + instead of '#'. + VACATION: Add new flag -j to auto-respond to messages regardless of + whether or not the recipient is listed in the To: or Cc: + headers. + VACATION: Add new flag -R to specify the envelope sender address + for the auto-response message. + New Files: + CACerts + cf/feature/conncontrol.m4 + cf/feature/greet_pause.m4 + cf/feature/mtamark.m4 + cf/feature/ratecontrol.m4 + cf/feature/use_client_ptr.m4 + cf/ostype/unicos.m4 + cf/ostype/unicosmk.m4 + cf/ostype/unicosmp.m4 + contrib/socketmapClient.pl + contrib/socketmapServer.pl + devtools/OS/Darwin.7.0 + devtools/OS/UNICOS-mk + devtools/OS/UNICOS-mp + devtools/Site/site.config.m4.sample + include/sm/os/sm_os_unicos.h + include/sm/os/sm_os_unicosmk.h + include/sm/os/sm_os_unicosmp.h + libmilter/docs/smfi_insheader.html + libmilter/docs/smfi_progress.html + libmilter/docs/smfi_quarantine.html + libmilter/docs/smfi_setdbg.html + libmilter/docs/smfi_setmlreply.html + libmilter/docs/smfi_stop.html + sendmail/ratectrl.c + Deleted Files: + cf/feature/nodns.m4 + contrib/oldbind.compat.c + devtools/OS/CRAYT3E.2.0.x + devtools/OS/CRAYTS.10.0.x + libsm/vsprintf.c + Renamed Files: + devtools/OS/Darwin.7.0 => devtools/OS/Darwin.7.x + +8.12.11/8.12.11 2004/01/18 + Use QueueFileMode when opening qf files. This error was a + regression in 8.12.10. Problem detected and diagnosed + Lech Szychowski of the Polish Power Grid Company. + Properly count the number of queue runners in a work group and + make sure the total limit of MaxQueueChildren is not + exceeded. Based on patch from Takayuki Yoshizawa of + Techfirm, Inc. + Take care of systems that can generate time values where the + seconds can exceed the usual range of 0 to 59. + Problem noted by Randy Diffenderfer of EDS. + Avoid regeneration of identical queue identifiers by processes + whose process id is the same as that of the initial + sendmail process that was used to start the daemon. + Problem noted by Randy Diffenderfer of EDS. + When a milter invokes smfi_delrcpt() compare the supplied + recipient address also against the printable addresses + of the current list to deal with rewritten addresses. + Based on patch from Sean Hanson of The Asylum. + BadRcptThrottle now also works for addresses which return the + error mailer, e.g., virtusertable entries with the + right hand side error:. Patch from Per Hedeland. + Fix printing of 8 bit characters as octals in log messages. + Based on patch by Andrey J. Melnikoff. + Undo change of algorithm for MIME 7-bit base64 encoding to 8-bit + text that has been introduced in 8.12.3. There are some + examples where the new code fails, but the old code works. + To get the 8.12.3-8.12.10 version, compile sendmail with + -DMIME7TO8_OLD=0. If you have an example of improper + 7 to 8 bit conversion please send it to us. + Return normal error code for unknown SMTP commands instead of + the one specified by check_relay or a milter for a + connection. Problem noted by Andrzej Filip. + Some ident responses contain data after the terminating CRLF which + causes sendmail to log "POSSIBLE ATTACK...newline in string". + To avoid this everything after LF is ignored. + If the operating system supports O_EXLOCK and HASFLOCK is set + then a possible race condition for creating qf files + can be avoided. Note: the race condition does not + exist within sendmail, but between sendmail and an + external application that accesses qf files. + Log the proper options name for TLS related mising files for + the CACertPath, CACertFile, and DHParameters options. + Do not split an envelope if it will be discarded, otherwise df + files could be left behind. Problem found by Wolfgang + Breyha. + The use of the environment variables HOME and HOSTALIASES has been + deprecated and will be removed in version 8.13. This only + effects configuration which preserve those variable via the + 'E' command in the cf file as sendmail clears out its entire + environment. + Portability: + Add support for Darwin 7.0/Mac OS X 10.3 (a.k.a. Panther). + Solaris 10 has unsetenv(), patch from Craig Mohrman of + Sun Microsystems. + LIBMILTER: Add extra checks in case a broken MTA sends bogus data + to libmilter. Based on code review by Rob Grzywinski. + SMRSH: Properly assemble commands that contain '&&' or '||'. + Problem noted by Eric Lee of Talking Heads. + New Files: + devtools/OS/Darwin.7.0 + +8.12.10/8.12.10 2003/09/24 (Released: 2003/09/17) + SECURITY: Fix a buffer overflow in address parsing. Problem + detected by Michal Zalewski, patch from Todd C. Miller + of Courtesan Consulting. + Fix a potential buffer overflow in ruleset parsing. This problem + is not exploitable in the default sendmail configuration; + only if non-standard rulesets recipient (2), final (4), or + mailer-specific envelope recipients rulesets are used then + a problem may occur. Problem noted by Timo Sirainen. + Accept 0 (and 0/0) as valid input for set MaxMimeHeaderLength. + Problem noted by Thomas Schulz. + Add several checks to avoid (theoretical) buffer over/underflows. + Properly count message size when performing 7->8 or 8->7 bit MIME + conversions. Problem noted by Werner Wiethege. + Properly compute message priority based on size of entire message, + not just header. Problem noted by Axel Holscher. + Reset SevenBitInput to its configured value between SMTP + transactions for broken clients which do not properly + announce 8 bit data. Problem noted by Stefan Roehrich. + Set {addr_type} during queue runs when processing recipients. + Based on patch from Arne Jansen. + Better error handling in case of (very unlikely) queue-id conflicts. + Perform better error recovery for address parsing, e.g., when + encountering a comment that is too long. Problem noted by + Tanel Kokk, Union Bank of Estonia. + Add ':' to the allowed character list for bogus HELO/EHLO + checking. It is used for IPv6 domain literals. Patch from + Iwaizako Takahiro of FreeBit Co., Ltd. + Reset SASL connection context after a failed authentication attempt. + Based on patch from Rob Siemborski of CMU. + Check Berkeley DB compile time version against run time version + to make sure they match. + Do not attempt AAAA (IPv6) DNS lookups if IPv6 is not enabled + in the kernel. + When a milter adds recipients and one of them causes an error, + do not ignore the other recipients. Problem noted by + Bart Duchesne. + CONFIG: Use specified SMTP error code in mailertable entries which + lack a DSN, i.e., "error:### Text". Problem noted by + Craig Hunt. + CONFIG: Call Local_trust_auth with the correct argument. Patch + from Jerome Borsboom. + CONTRIB: Better handling of temporary filenames for doublebounce.pl + and expn.pl to avoid file overwrites, etc. Patches from + Richard A. Nelson of Debian and Paul Szabo. + MAIL.LOCAL: Fix obscure race condition that could lead to an + improper mailbox truncation if close() fails after the + mailbox is fsync()'ed and a new message is delivered + after the close() and before the truncate(). + MAIL.LOCAL: If mail delivery fails, do not leave behind a + stale lockfile (which is ignored after the lock timeout). + Patch from Oleg Bulyzhin of Cronyx Plus LLC. + Portability: + Port for AIX 5.2. Thanks to Steve Hubert of University + of Washington for providing access to a computer + with AIX 5.2. + setreuid(2) works on OpenBSD 3.3. Patch from + Todd C. Miller of Courtesan Consulting. + Allow for custom definition of SMRSH_CMDDIR and SMRSH_PATH + on all operating systems. Patch from Robert Harker + of Harker Systems. + Use strerror(3) on Linux. If this causes a problem on + your Linux distribution, compile with + -DHASSTRERROR=0 and tell sendmail.org about it. + Added Files: + devtools/OS/AIX.5.2 + +8.12.9/8.12.9 2003/03/29 + SECURITY: Fix a buffer overflow in address parsing due to + a char to int conversion problem which is potentially + remotely exploitable. Problem found by Michal Zalewski. + Note: an MTA that is not patched might be vulnerable to + data that it receives from untrusted sources, which + includes DNS. + To provide partial protection to internal, unpatched sendmail MTAs, + 8.12.9 changes by default (char)0xff to (char)0x7f in + headers etc. To turn off this conversion compile with + -DALLOW_255 or use the command line option -d82.101. + To provide partial protection for internal, unpatched MTAs that may be + performing 7->8 or 8->7 bit MIME conversions, the default + for MaxMimeHeaderLength has been changed to 2048/1024. + Note: this does have a performance impact, and it only + protects against frontal attacks from the outside. + To disable the checks and return to pre-8.12.9 defaults, + set MaxMimeHeaderLength to 0/0. + Do not complain about -ba when submitting mail. Problem noted + by Derek Wueppelmann. + Fix compilation with Berkeley DB 1.85 on systems that do not + have flock(2). Problem noted by Andy Harper of Kings + College London. + Properly initialize data structure for dns maps to avoid various + errors, e.g., looping processes. Problem noted by + Maurice Makaay of InterNLnet B.V. + CONFIG: Prevent multiple application of rule to add smart host. + Patch from Andrzej Filip. + CONFIG: Fix queue group declaration in MAILER(`usenet'). + CONTRIB: buildvirtuser: New option -t builds the virtusertable + text file instead of the database map. + Portability: + Revert wrong change made in 8.12.7 and actually use the + builtin getopt() version in sendmail on Linux. + This can be overridden by using -DSM_CONF_GETOPT=0 + in which case the OS supplied version will be used. + +8.12.8/8.12.8 2003/02/11 + SECURITY: Fix a remote buffer overflow in header parsing by + dropping sender and recipient header comments if the + comments are too long. Problem noted by Mark Dowd + of ISS X-Force. + Fix a potential non-exploitable buffer overflow in parsing the + .cf queue settings and potential buffer underflow in + parsing ident responses. Problem noted by Yichen Xie of + Stanford University Compilation Group. + Fix ETRN #queuegroup command: actually start a queue run for + the selected queue group. Problem noted by Jos Vos. + If MaxMimeHeaderLength is set and a malformed MIME header is fixed, + log the fixup as "Fixed MIME header" instead of "Truncated + MIME header". Problem noted by Ian J Hart. + CONFIG: Fix regression bug in proto.m4 that caused a bogus + error message: "FEATURE() should be before MAILER()". + MAIL.LOCAL: Be more explicit in some error cases, i.e., whether + a mailbox has more than one link or whether it is not + a regular file. Patch from John Beck of Sun Microsystems. + +8.12.7/8.12.7 2002/12/29 + Properly clean up macros to avoid persistence of session data + across various connections. This could cause session + oriented restrictions, e.g., STARTTLS requirements, + to erroneously allow a connection. Problem noted + by Tim Maletic of Priority Health. + Do not lookup MX records when sorting the MSP queue. The MSP + only needs to relay all mail to the MTA. Problem found + by Gary Mills of the University of Manitoba. + Do not restrict the length of connection information to 100 + characters in some logging statements. Problem noted by + Erik Parker. + When converting an enhanced status code to an exit status, use + EX_CONFIG if the first digit is not 2, 4, or 5 or if *.1.5 + is used. + Reset macro $x when receiving another MAIL command. Problem + noted by Vlado Potisk of Wigro s.r.o. + Don't bother setting the permissions on the build area statistics + file, the proper permissions will be put on the file at + install time. This fixes installation over NFS for some + users. Problem noted by Martin J. Dellwo of 3-Dimensional + Pharmaceuticals, Inc. + Fix problem of decoding SASLv2 encrypted data. Problem noted by + Alex Deiter of Mobile TeleSystems, Komi Republic. + Log milter socket open errors at MilterLogLevel 1 or higher instead + of 11 or higher. + Print early system errors to the console instead of silently + exiting. Problem noted by James Jong of IBM. + Do not process a queue group if Runners is set to 0, regardless + of whether F=f or sendmail is run in verbose mode (-v). + The use of -qGname will still force queue group "name" + to be run even if Runners=0. + Change the level for logging the fact that a daemon is refusing + connections due to high load from LOG_INFO to LOG_NOTICE. + Patch from John Beck of Sun Microsystems. + Use location information for submit.cf from NetInfo + (/locations/sendmail/submit.cf) if available. + Re-enable ForkEachJob which was lost in 8.12.0. Problem noted by + Neil Rickert of Northern Illinois University. + Make behavior of /canon in debug mode consistent with usage in + rulesets. Patch from Shigeno Kazutaka of IIJ. + Fix a potential memory leak in envelope splitting. Problem noted + by John Majikes of IBM. + Do not try to share an mailbox database LDAP connection across + different processes. Problem noted by Randy Kunkee. + Fix logging for undelivered recipients when the SMTP connection + times out during message collection. Problem noted by Neil + Rickert of Northern Illinois University. + Avoid problems with QueueSortOrder=random due to problems with + qsort() on Solaris (and maybe some other operating systems). + Problem noted by Stephan Schulz of Gruner+Jahr.. + If -f "" is specified, set the sender address to "<>". Problem + noted by Matthias Andree. + Fix formatting problem of footnotes for plain text output on some + versions of tmac. Patch from Per Hedeland. + Portability: + Berkeley DB 4.1 support (requires at least 4.1.25). + Some getopt(3) implementations in GNU/Linux are broken + and pass a NULL pointer to an option which requires + an argument, hence the builtin version of + sendmail is used instead. This can be overridden + by using -DSM_CONF_GETOPT=0. Problem noted by + Vlado Potisk of Wigro s.r.o. + Support for nph-1.2.0 from Mark D. Roth of the University + of Illinois at Urbana-Champaign. + Support for FreeBSD 5.0's MAC labeling from Robert Watson + of the TrustedBSD Project. + Support for reading the number of processors on an IRIX + system from Michel Bourget of SGI. + Support for UnixWare 7.1 based on input from Larry Rosenman. + Interix support from Nedelcho Stanev of Atlantic Sky + Corporation. + Update Mac OS X/Darwin portability from Wilfredo Sanchez. + CONFIG: Enforce tls_client restrictions even if delay_checks + is used. Problem noted by Malte Starostik. + CONFIG: Deal with an empty hostname created via bogus + DNS entries to get around access restrictions. + Problem noted by Kai Schlichting. + CONFIG: Use FEATURE(`msp', `[127.0.0.1]') in submit.mc by default + to avoid problems with hostname resolution for localhost + which on many systems does not resolve to 127.0.0.1 (or + ::1 for IPv6). If you do not use IPv4 but only IPv6 then + you need to change submit.mc accordingly, see the comment + in the file itself. + CONFIG: Set confDONT_INIT_GROUPS to True in submit.mc to avoid + error messages from initgroups(3) on AIX 4.3 when sending + mail to non-existing users. Problem noted by Mark Roth of + the University of Illinois at Urbana-Champaign. + CONFIG: Allow local_procmail to override local_lmtp settings. + CONFIG: Always allow connections from 127.0.0.1 or IPv6:::1 to + relay. + CONTRIB: cidrexpand: Deal with the prefix tags that may be included + in access_db. + CONTRIB: New version of doublebounce.pl contributed by Leo Bicknell. + LIBMILTER: On Solaris libmilter may get into an endless loop if + an error in the communication from/to the MTA occurs. + Patch from Gurusamy Sarathy of Active State. + LIBMILTER: Ignore EINTR from sigwait(3) which may happen on Tru64. + Patch from from Jose Marcio Martins da Cruz of Ecole + Nationale Superieure des Mines de Paris. + MAIL.LOCAL: Fix a truncation race condition if the close() on + the mailbox fails. Problem noted by Tomoko Fukuzawa of + Sun Microsystems. + MAIL.LOCAL: Fix a potential file descriptor leak if mkstemp(3) + fails. Patch from John Beck of Sun Microsystems. + SMRSH: SECURITY: Only allow regular files or symbolic links to be + used for a command. Problem noted by David Endler of + iDEFENSE, Inc. + New Files: + devtools/OS/Interix + include/sm/bdb.h + +8.12.6/8.12.6 2002/08/26 + Do not add the FallbackMXhost (or its MX records) to the list + returned by the bestmx map when -z is used as option. + Otherwise sendmail may act as an open relay if FallbackMXhost + and FEATURE(`relay_based_on_MX') are used together. + Problem noted by Alexander Ignatyev. + Properly split owner- mailing list messages when SuperSafe is set + to interactive. Problem noted by Todd C. Miller of + Courtesan Consulting. + Make sure that an envelope is queued in the selected queue group + even if some recipients are deleted or invalid. Problem + found by Chris Adams of HiWAAY Informations Services. + Do not send a bounce message if a message is completely collected + from the SMTP client. Problem noted by Kari Hurtta of the + Finnish Meteorological Institute. + Provide an 'install-submit-st' target for sendmail/Makefile to + install the MSP statistics file using the file named in the + confMSP_STFILE devtools variable. Requested by Jeff + Earickson of Colby College. + Queue up mail with a temporary error if setusercontext() fails + during a delivery attempt. Patch from Todd C. Miller of + Courtesan Consulting. + Fix handling of base64 encoded client authentication data for + SMTP AUTH. Patch from Elena Slobodnik of life medien GmbH. + Set the OpenLDAP option LDAP_OPT_RESTART so the client libraries + restart interrupted system calls. Problem noted by Luiz + Henrique Duma of BSIOne. + Prevent a segmentation fault if a program passed a NULL envp using + execve(). + Document a problem with the counting of queue runners that may + cause delays if MaxQueueChildren is set too low. Problem + noted by Ian Duplisse of Cable Television Laboratories, Inc. + If discarding a message based on a recipient, don't try to look up + the recipient in the mailbox database if F=w is set. This + allows users to discard bogus recipients when dealing with + spammers without tipping them off. Problem noted by Neil + Rickert of Northern Illinois University. + If applying a header check to a header with unstructured data, + e.g., Subject:, then do not run syntax checks that are + supposed for addresses on the header content. + Count messages rejected/discarded via the check_data ruleset. + Portability: + Fix compilation on systems which do not allow simple + copying of the variable argument va_list. Based on + fix from Scott Walters. + Fix NSD map open bug. From Michel Bourget of SGI. + Add some additional IRIX shells to the default shell + list. From Michel Bourget of SGI. + Fix compilation issues on Mac OS X 10.2 (Darwin 6.0). + NETISO support has been dropped. + CONFIG: There was a seemingly minor change in 8.12.4 with respect + to handling entries of IP nets/addresses with RHS REJECT. + These would be rejected in check_rcpt instead of only + being activated in check_relay. This change has been made to + avoid potential bogus temporary rejection of relay attempts + "450 4.7.1 Relaying temporarily denied. Cannot resolve PTR + record for ..." if delay_checks is enabled. However, this + modification causes a change of behavior if an IP net/address + is listed in the access map with REJECT and a host/domain + name is listed with OK or RELAY, hence it has been reversed + such that the behavior of 8.12.3 is restored. The original + change was made on request of Neil Rickert of Northern + Illinois University, the side effect has been found by + Stefaan Van Hoornick. + CONFIG: Make sure delay_checks works even for sender addresses + using the local hostname ($j) or domains in class {P}. + Based on patch from Neil Rickert of Northern Illinois + University. + CONFIG: Fix temporary error handling for LDAP Routing lookups. + Fix from Andrzej Filip. + CONTRIB: New version of etrn.pl script and external man page + (etrn.0) from John Beck of Sun Microsystems. + LIBMILTER: Protect a free(3) operation from being called with a + NULL pointer. Problem noted by Andrey J. Melnikoff. + LIBMILTER: Protect against more interrupted select() calls. Based + on patch from Jose Marcio Martins da Cruz of Ecole Nationale + Superieure des Mines de Paris. + New Files: + contrib/etrn.0 + +8.12.5/8.12.5 2002/06/25 + SECURITY: The DNS map can cause a buffer overflow if the user + specifies a dns map using TXT records in the configuration + file and a rogue DNS server is queried. None of the + sendmail supplied configuration files use this option hence + they are not vulnerable. Problem noted independently by + Joost Pol of PINE Internet and Anton Rang of Sun Microsystems. + Unprintable characters in responses from DNS servers for the DNS + map type are changed to 'X' to avoid potential problems + with rogue DNS servers. + Require a suboption when setting the Milter option. Problem noted + by Bryan Costales. + Do not silently overwrite command line settings for + DirectSubmissionModifiers. Problem noted by Bryan + Costales. + Prevent a segmentation fault when clearing the event list by + turning off alarms before checking if event list is + empty. Problem noted by Allan E Johannesen of Worcester + Polytechnic Institute. + Close a potential race condition in transitioning a memory buffered + file onto disk. From Janani Devarajan of Sun Microsystems. + Portability: + Include paths.h on Linux systems running glibc 2.0 or later + to get the definition for _PATH_SENDMAIL, used by + rmail and vacation. Problem noted by Kevin + A. McGrail of Peregrine Hardware. + NOTE: Linux appears to have broken flock() again. Unless + the bug is fixed before sendmail 8.13 is shipped, + 8.13 will change the default locking method to + fcntl() for Linux kernel 2.4 and later. You may + want to do this in 8.12 by compiling with + -DHASFLOCK=0. Be sure to update other sendmail + related programs to match locking techniques. + +8.12.4/8.12.4 2002/06/03 + SECURITY: Inherent limitations in the UNIX file locking model + can leave systems open to a local denial of service + attack. Be sure to read the "FILE AND MAP PERMISSIONS" + section of the top level README for more information. + Problem noted by lumpy. + Use TempFileMode (defaults to 0600) for the permissions of PidFile + instead of 0644. + Change the default file permissions for new alias database files + from 0644 to 0640. This can be overridden at compile time + by setting the DBMMODE macro. + Fix a potential core dump problem if the environment variable + NAME is set. Problem noted by Beth A. Chaney of + Purdue University. + Expand macros before passing them to libmilter. Problem noted + by Jose Marcio Martins da Cruz of Ecole Nationale + Superieure des Mines de Paris. + Rewind the df (message body) before truncating it when libmilter + replaces the body of a message. Problem noted by Gisle Aas + of Active State. + Change SMTP reply code for AUTH failure from 500 to 535 and the + initial zero-length response to "=" per RFC 2554. Patches + from Kenneth Murchison of Oceana Matrix Ltd. + Do not try to fix broken message/rfc822 MIME attachments by + inserting a MIME-Version: header when MaxMimeHeaderLength + is set and no 8 to 7 bit conversion is needed. Based on + patch from Rehor Petr of ICZ (Czech Republic). + Do not log "did not issue MAIL/EXPN/VRFY/ETRN" if the connection + is rejected anyway. Noted by Chris Loelke. + Mention the submission mail queue in the mailq man page. Requested + by Bill Fenner of AT&T. + Set ${msg_size} macro when reading a message from the command line + or the queue. + Detach from shared memory before dropping privileges back to + user who started sendmail. + If AllowBogusHELO is set to false (default) then also complain if + the argument to HELO/EHLO contains white space. Suggested + by Seva Gluschenko of Cronyx Plus. + Allow symbolicly linked forward files in writable directory paths + if both ForwardFileInUnsafeDirPath and + LinkedForwardFileInWritableDir DontBlameSendmail options + are set. Problem noted by Werner Spirk of + Leibniz-Rechenzentrum Munich. + Portability: + Operating systems that lack the ftruncate() call will not + be able to use Milter's body replacement feature. + This only affects Altos, Maxion, and MPE/iX. + Digital UNIX 5.0 has changed flock() semantics to be + non-compliant. Problem noted by Martin Mokrejs of + Charles University in Prague. + The sparc64 port of FreeBSD 5.0 now supports shared + memory. + CONFIG: FEATURE(`preserve_luser_host') needs the macro map. + Problem noted by Andrzej Filip. + CONFIG: Using 'local:' as a mailertable value with + FEATURE(`preserve_luser_host') and LUSER_RELAY caused mail + to be misaddressed. Problem noted by Andrzej Filip. + CONFIG: Provide a workaround for DNS based rejection lists that + fail for AAAA queries. Problem noted by Chris Boyd. + CONFIG: Accept the machine's hostname as resolvable when checking + the sender address. This allows locally submitted mail to + be accepted if the machine isn't connected to a nameserver + and doesn't have an /etc/hosts entry for itself. Problem + noted by Robert Watson of the TrustedBSD Project. + CONFIG: Use deferred expansion for checking the ${deliveryMode} + macro in case the SMTP VERB command is used. Problem + noted by Bryan Costales. + CONFIG: Avoid a duplicate '@domain' virtusertable lookup if no + matches are found. Fix from Andrzej Filip. + CONFIG: Fix wording in default dnsbl rejection message. Suggested + by Lou Katz of Metron Computerware, Ltd. + CONFIG: Add mailer cyrusv2 for Cyrus V2. Contributed by + Kenneth Murchison of Oceana Matrix Ltd. + CONTRIB: Fix wording in default dnsblaccess rejection message to + match dnsbl change. + DEVTOOLS: Add new option for access mode of statistics file, + confSTMODE, which specifies the permissions when initially + installing the sendmail statistics file. + LIBMILTER: Mark the listening socket as close-on-exec in case + a user's filter starts other applications. + LIBSM: Allow the MBDB initialize, lookup, and/or terminate + functions in SmMbdbTypes to be set to NULL. + MAKEMAP: Change the default file permissions for new databases from + 0644 to 0640. This can be overridden at compile time + by setting the DBMMODE macro. + SMRSH: Fix man page bug: replace SMRSH_CMDBIN with SMRSH_CMDDIR. + Problem noted by Dave Alden of Ohio State University. + VACATION: When listing the vacation database (-l), don't show + bogus timestamps for excluded (-x) addresses. Problem + noted by Bryan Costales. + New Files: + cf/mailer/cyrusv2.m4 + +8.12.3/8.12.3 2002/04/05 + NOTICE: In general queue files should not be moved if queue groups + are used. In previous versions this could cause mail + not to be delivered if a queue file is repeatedly moved + by an external process whenever sendmail moved it back + into the right place. Some precautions have been taken + to avoid moving queue files if not really necessary. + sendmail may use links to refer to queue files and it + may store the path of data files in queue files. Hence + queue files should not be moved unless those internals + are understood and the integrity of the files is not + compromised. Problem noted by Anne Bennett of Concordia + University. + If an error mail is created, and the mail is split across different + queue directories, and SuperSafe is off, then write the mail + to disk before splitting it, otherwise an assertion is + triggered. Problem tracked down by Henning Schmiedehausen + of INTERMETA. + Fix possible race condition that could cause sendmail to forget + running queues. Problem noted by Jeff Wasilko of smoe.org. + Handle bogus qf files better without triggering assertions. + Problem noted by Guy Feltin. + Protect against interrupted select() call when enforcing Milter + read and write timeouts. Patch from Gurusamy Sarathy of + ActiveState. + Matching queue IDs with -qI should be case sensitive. Problem + noted by Anne Bennett of Concordia University. + If privileges have been dropped, don't try to change group ID to + the RunAsUser group. Problem noted by Neil Rickert of + Northern Illinois University. + Fix SafeFileEnvironment path munging when the specified path + contains a trailing slash. Based on patch from Dirk Meyer + of Dinoex. + Do not limit sendmail command line length to SM_ARG_MAX (usually + 4096). Problem noted by Allan E Johannesen of Worcester + Polytechnic Institute. + Clear full name of sender for each new envelope to avoid bogus data + if several mails are sent in one session and some of them + do not have a From: header. Problem noted by Bas Haakman. + Change timeout check such that cached information about a connection + will be immediately invalid if ConnectionCacheTimeout is zero. + Based on patch from David Burns of Portland State University. + Properly count message size for mailstats during mail collection. + Problem noted by Werner Wiethege. + Log complete response from LMTP delivery agent on failure. Based on + patch from Motonori Nakamura of Kyoto University. + Provide workaround for getopt() implementations that do not catch + missing arguments. + Fix the message size calculation if the message body is replaced by + a milter filter and buffered file I/O is being used. + Problem noted by Sergey Akhapkin of Dr.Web. + Do not honor SIGUSR1 requests if running with extra privileges. + Problem noted by Werner Wiethege. + Prevent a file descriptor leak on mail delivery if the initial + connect fails and DialDelay is set. Patch from Servaas + Vandenberghe of Katholieke Universiteit Leuven. + Properly deal with a case where sendmail is called by root running + a set-user-ID (non-root) program. Problem noted by Jon + Lusky of ISS Atlanta. + Avoid leaving behind stray transcript (xf) files if multiple queue + directories are used and mail is sent to a mailing list + which has an owner- alias. Problem noted by Anne Bennett + of Concordia University. + Fix class map parsing code if optional key is specified. Problem + found by Mario Nigrovic. + The SMTP daemon no longer tries to fix up improperly dot-stuffed + incoming messages. A leading dot is always stripped by the + SMTP receiver regardless of whether or not it is followed by + another dot. Problem noted by Jordan Ritter of darkridge.com. + Fix corruption when doing automatic MIME 7-bit quoted-printable or + base64 encoding to 8-bit text. Problem noted by Mark + Elvers. + Correct the statistics gathered for total number of connections. + Instead of being the exact same number as the total number + of messages (T line in mailstats) it now represents the + total number of TCP connections. + Be more explicit about syntax errors in addresses, especially + non-ASCII characters, and properly create DSNs if necessary. + Problem noted by Leena Heino of the University of Tampere. + Prevent small timeouts from being lost on slow machines if itimers + are used. Problem noted by Suresh Ramasubramanian. + Prevent a race condition on child cleanup for delivery to files. + Problem noted by Fletcher Mattox of the University of + Texas. + Change the SMTP error code for temporary map failures from 421 + to 451. + Do not assume that realloc(NULL, size) works on all OS (this was + only done in one place: queue group creation). Based on + patch by Bryan Costales. + Initialize Timeout.iconnect in the code to prevent randomly short + timeouts. Problem noted by Bradley Watts of AT&T Canada. + Do not try to send a second SMTP QUIT command if the remote + responds to a MAIL command with a 421 reply or on I/O + errors. By doing so, the host was marked as having a + temporary problem and other mail destined for that host was + queued for the next queue run. Problem noted by Fletcher + Mattox of the University of Texas, Allan E Johannesen of + Worcester Polytechnic Institute, Larry Greenfield of CMU, + and Neil Rickert of Northern Illinois University. + Ignore error replies from the SMTP QUIT command (including servers + which drop the connection instead of responding to the + command). + Portability: + Check LDAP_API_VERSION to determine if ldap_memfree() is + available. + Define HPUX10 when building on HP-UX 10.X. That platform + now gets the proper _PATH_SENDMAIL and SMRSH_CMDDIR + settings. Patch from Elias Halldor Agustsson of + Skyrr. + Fix dependency building on Mac OS X and Darwin. Problem + noted by John Beck. + Preliminary support for the sparc64 port of FreeBSD 5.0. + Add /sbin/sh as an acceptable user shell on HP-UX. From + Rajesh Somasund of Hewlett-Packard. + CONFIG: Add FEATURE(`authinfo') to allow a separate database for + SMTP AUTH information. This feature was actually added in + 8.12.0 but a release note was not included. + CONFIG: Do not bounce mail if FEATURE(`ldap_routing')'s bounce + parameter is set and the LDAP lookup returns a temporary + error. + CONFIG: Honor FEATURE(`relay_hosts_only') when using + FEATURE(`relay_mail_from', `domain'). Problem noted by + Krzysztof Oledzki. + CONFIG: FEATURE(`msp') now disables any type of alias + initialization as aliases are not needed for the MSP. + CONFIG: Allow users to override RELAY_MAILER_ARGS when FEATURE(`msp') + is in use. Patch from Andrzej Filip. + CONFIG: FEATURE(`msp') uses `[localhost]' as default instead of + `localhost' and turns on MX lookups for the SMTP mailers. + This will only have an effect if a parameter is specified, + i.e., an MX lookup will be performed on the hostname unless + it is embedded in square brackets. Problem noted by + Theo Van Dinter of Collective Technologies. + CONFIG: Set confTIME_ZONE to USE_TZ in submit.mc (TimeZoneSpec= in + submit.cf) to use $TZ for time stamps. This is a compromise + to allow for the proper time zone on systems where the + default results in misleading time stamps. That is, syslog + time stamps and Date headers on submitted mail will use the + user's $TZ setting. Problem noted by Mark Roth of the + University of Illinois at Urbana-Champaign, solution proposed + by Neil Rickert of Northern Illinois University. + CONFIG: Mac OS X (Darwin) ships with mail.local as non-set-user-ID + binary. Adjust local mailer flags accordingly. Problem + noted by John Beck. + CONTRIB: Add a warning to qtool.pl to not move queue files around + if queue groups are used. + CONTRIB: buildvirtuser: Add -f option to force rebuild. + CONTRIB: smcontrol.pl: Add -f option to specify control socket. + CONTRIB: smcontrol.pl: Add support for 'memdump' command. + Suggested by Bryan Costales. + DEVTOOLS: Add dependency generation for test programs. + LIBMILTER: Remove conversion of port number for the socket + structure that is passed to xxfi_connect(). Notice: + this fix requires that sendmail and libmilter both have + this change; mixing versions may lead to wrong port + values depending on the endianness of the involved systems. + Problem noted by Gisle Aas of ActiveState. + LIBMILTER: If smfi_setreply() sets a custom reply code of '4XX' but + SMFI_REJECT is returned, ignore the custom reply. Do the + same if '5XX' is used and SMFI_TEMPFAIL is returned. + LIBMILTER: Install include files in ${INCLUDEDIR}/libmilter/ as + required by mfapi.h. Problem noted by Jose Marcio Martins + da Cruz of Ecole Nationale Superieure des Mines de Paris. + LIBSM: Add SM_CONF_LDAP_MEMFREE as a configuration define. Set + this to 1 if your LDAP client libraries include + ldap_memfree(). + LIBSMDB: Avoid a file creation race condition for Berkeley DB 1.X + and NDBM on systems with the O_EXLOCK open(2) flag. + SMRSH: Fix compilation problem on some operating systems. Problem + noted by Christian Krackowizer of schuler technodat GmbH. + VACATION: Allow root to operate on user vacation databases. Based + on patch from Greg Couch of the University of California, + San Francisco. + VACATION: Don't ignore -C option. Based on patch by Bryan Costales. + VACATION: Clarify option usage in the man page. Problem noted by + Joe Barbish. + New Files: + libmilter/docs/smfi_setbacklog.html + +8.12.2/8.12.2 2002/01/13 + Don't complain too much if stdin, stdout, or stderr are missing + at startup, only log an error message. + Fix potential problem if an unknown operation mode (character + following -b) has been specified. + Prevent purgestat from looping even if someone changes the + permissions or owner of hoststatus files. Problem noted + by Kari Hurtta of the Finnish Meteorological Institute. + Properly record dropped connections in persistent host status. + Problem noted by Ulrich Windl of the Universitat + Regensburg. + Remove newlines from recipients read via sendmail -t to prevent + SMTP protocol errors when sending the RCPT command. + Problem noted by William D. Colburn of the New Mexico + Institute of Mining and Technology. + Only log milter body replacements once instead of for each body + chunk sent by a filter. Problem noted by Kari Hurtta of + the Finnish Meteorological Institute. + In 8.12.0 and 8.12.1, the headers were mistakenly not included in + the message size calculation. Problem noted by Kari Hurtta + of the Finnish Meteorological Institute. + Since 8.12 no longer forks at the SMTP MAIL command, the daemon + needs to collect children status to avoid zombie processes. + Problem noted by Chris Adams of HiWAAY Informations Services. + Shut down "nullserver" and ETRN-only connections after 25 bad + commands are issued. This makes it consistent with normal + SMTP connections. + Avoid duplicate logging of milter rejections. Problem noted by + William D. Colburn of the New Mexico Institute of Mining + and Technology. + Error and delay DSNs were being sent to postmaster instead of the + message sender if the sender had used a deprecated RFC822 + source route. Problem noted by Kari Hurtta of the Finnish + Meteorological Institute. + Fix FallbackMXhost behavior for temporary errors during address + parsing. Problem noted by Jorg Bielak from Coastal Web + Online. + For systems on which stat(2) does not return a value for st_blksize + that is the "optimal blocksize for I/O" three new compile + time flags are available: SM_IO_MAX_BUF_FILE, SM_IO_MIN_BUF, + and SM_IO_MAX_BUF, which define an upper limit for + regular files, and a lower and upper limit for other file + types, respectively. + Fix a potential deadlock if two events are supposed to occur at + exactly the same time. Problem noted by Valdis Kletnieks + of Virginia Tech. + Perform envelope splitting for aliases listed directly in the + alias file, not just for include/.forward files. + Problem noted by John Beck of Sun Microsystems. + Allow selection of queue group for mailq using -qGgroup. + Based on patch by John Beck of Sun Microsystems. + Make sure cached LDAP connections used my multiple maps in the same + process are closed. Patch from Taso N. Devetzis. + If running as root, allow reading of class files in protected + directories. Patch from Alexander Talos of the University + of Vienna. + Correct a few LDAP related memory leaks. Patch from David Powell + of Sun Microsystems. + Allow specification of an empty realm via the authinfo ruleset. + This is necessary to interoperate as an SMTP AUTH client + with servers that do not support realms when using + CRAM-MD5. Problem noted by Bjoern Voigt of TU Berlin. + Avoid a potential information leak if AUTH PLAIN is used and the + server gets stuck while processing that command. Problem + noted by Chris Adams from HiWAAY Informations Services. + In addition to printing errors when parsing recipients during + command line invocations log them to make it simpler + to understand possible DSNs to postmaster. + Do not use FallbackMXhost on mailers which have the F=0 flag set. + Allow local mailers (F=l) to specify a host for TCP connections + instead of forcing localhost. + Obey ${DESTDIR} for installation of the client mail queue and + submit.cf. Patch from Peter 'Luna' Runestig. + Re-enable support for -M option which was broken in 8.12.1. Problem + noted by Neil Rickert of Northern Illinois University. + If a remote server violates the SMTP standard by unexpectedly + dropping the connection during an SMTP transaction, stop + sending commands. This prevents bogus "Bad file number" + recipient status. Problem noted by Allan E Johannesen of + Worcester Polytechnic Institute. + Do not use a size estimate of 100 for postmaster bounces, it's + almost always too small; do not guess the size at all. + New VENDOR_DEC for Compaq/DEC. Requested by James Seagraves of + Compaq Computer Corp. + Fix DaemonPortOptions IPv6 address parsing such that ::1 works + properly. Problem noted by Valdis Kletnieks of Virginia + Tech. + Portability: + Fix IPv6 network interface probing on HP-UX 11.X. Based on + patch provided by HP. + Mac OS X (aka Darwin) has a broken setreuid() call, but a + working seteuid() call. From Daniel J. Luke. + Use proper type for a 32-bit integer on SINIX. From Ganu + Sachin of Siemens. + Set SM_IO_MIN_BUF (4K) and SM_IO_MAX_BUF (8K) for HP-UX. + Reduce optimization from +O3 to +O2 on HP-UX 11. This + fixes a problem that caused additional bogus + characters to be written to the qf file. Problem + noted by Tapani Tarvainen. + Set LDA_USE_LOCKF by default for UnixWare. Problem noted + by Boyd Lynn Gerber. + Add support for HP MPE/iX. See sendmail/README for port + information. From Mark Bixby of Hewlett-Packard. + New portability defines HASNICE, HASRRESVPORT, USE_ENVIRON, + USE_DOUBLE_FORK, and NEEDLINK. See sendmail/README + for more information. From Mark Bixby of + Hewlett-Packard. + If an OS doesn't have a method of finding free disk space + (SFS_NONE), lie and say there is plenty of space. + From Mark Bixby of Hewlett-Packard. + Add support for AIX 5.1. From Valdis Kletnieks of + Virginia Tech. + Fix man page location for NeXTSTEP. From Hisanori Gogota + of the NTT/InterCommunication Center. + Do not assume that strerror() always returns a string. + Problem noted by John Beck of Sun Microsystems. + CONFIG: Add OSTYPE(freebsd5) for FreeBSD 5.X, which has removed + UUCP from the base operating system. From Mark Murray of + FreeBSD Services, Ltd. + CONFIG: Add OSTYPE(mpeix) and a generic .mc file for HP MPE/iX + systems. From Mark Bixby of Hewlett-Packard. + CONFIG: Add support for selecting a queue group for all mailers. + Based on proposal by Stephen L. Ulmer of the University of + Florida. + CONFIG: Fix error reporting for compat_check.m4. Problem noted by + Altin Waldmann. + CONFIG: Do not override user selections for confRUN_AS_USER and + confTRUSTED_USER in FEATURE(msp). From Mark Bixby of + Hewlett-Packard. + LIBMILTER: Fix bug that prevented the removal of a socket after + libmilter terminated. Problem reported by Andrey V. Pevnev + of MSFU. + LIBMILTER: Fix configuration error that required libsm for linking. + Problem noted by Kari Hurtta of the Finnish Meteorological + Institute. + LIBMILTER: Portability fix for OpenUNIX. Patch from Larry Rosenman. + LIBMILTER: Fix a theoretical memory leak and a possible attempt + to free memory twice. + LIBSM: Fix a potential segmentation violation in the I/O library. + Problem found and analyzed by John Beck and Tim Haley + of Sun Microsystems. + LIBSM: Do not clear the LDAP configuration information when + terminating the mailbox database connection in the LDAP + example code. Problem noted by Nikos Voutsinas of the + University of Athens. + New Files: + cf/cf/generic-mpeix.cf + cf/cf/generic-mpeix.mc + cf/ostype/freebsd5.m4 + cf/ostype/mpeix.m4 + devtools/OS/AIX.5.1 + devtools/OS/MPE-iX + include/sm/os/sm_os_mpeix.h + libsm/mpeix.c + +8.12.1/8.12.1 2001/10/01 + SECURITY: Check whether dropping group privileges actually succeeded + to avoid possible compromises of the mail system by + supplying bogus data. Add configuration options for + different set*gid() calls to reset saved gid. Problem + found by Michal Zalewski. + PRIVACY: Prevent information leakage when sendmail has extra + privileges by disabling debugging (command line -d flag) + during queue runs and disabling ETRN when sendmail -bs is + used. Suggested by Michal Zalewski. + Avoid memory corruption problems resulting from bogus .cf files. + Problem found by Michal Zalewski. + Set the ${server_addr} macro to name of mailer when doing LMTP + delivery. LMTP systems may offer SMTP Authentication or + STARTTLS causing sendmail to use this macro in rulesets. + If debugging is turned on (-d0.10) print not just the default + values for configuration file and pid file but also the + selected values. Problem noted by Brad Chapman. + Continue dealing with broken nameservers by ignoring SERVFAIL + errors returned on T_AAAA (IPv6) lookups at delivery time + if ResolverOptions=WorkAroundBrokenAAAA is set. Previously + this only applied to hostname canonification. Problem + noted by Bill Fenner of AT&T Research. + Ignore comments in NIS host records when trying to find the + canonical name for a host. + When sendmail has extra privileges, limit mail submission command + line flags (i.e., -G, -h, -F, etc.) to mail submission + operating modes (i.e., -bm, -bs, -bv, etc.). Idea based on + suggestion from Michal Zalewski. + Portability: + AIX: Use `oslevel` if available to determine OS version. + `uname` does not given complete information. + Problem noted by Keith Neufeld of the Cessna + Aircraft Company. + OpenUNIX: Use lockf() for LDA delivery (affects mail.local). + Problem noticed by Boyd Lynn Gerber of ZENEX. + Avoid compiler warnings by not using pointers to pass + integers. Problem noted by Todd C. Miller of + Courtesan Consulting. + CONFIG: Add restrictqrun to PrivacyOptions for the MSP to minimize + problems with potential misconfigurations. + CONFIG: Fix comment showing default value of MaxHopCount. Problem + noted by Greg Robinson of the Defence Science and + Technology Organisation of Australia. + CONFIG: dnsbl: If an argument specifies an error message in case + of temporary lookup failures for DNS based blacklists + then use it. + LIBMILTER: Install mfdef.h, required by mfapi.h. Problem noted by + Richard A. Nelson of Debian. + LIBMILTER: Add __P definition for OS that lack it. Problem noted + by Chris Adams from HiWAAY Informations Services. + LIBSMDB: Fix a lock race condition that affects makemap, praliases, + and vacation. + MAKEMAP: Avoid going beyond the end of an input line if it does + not contain a value for a key. Based on patch from + Mark Bixby from Hewlett-Packard. + New Files: + test/Build + test/Makefile + test/Makefile.m4 + test/README + test/t_dropgid.c + test/t_setgid.c + Deleted Files: + include/sm/stdio.h + include/sm/sysstat.h + +8.12.0/8.12.0 2001/09/08 + *NOTICE*: The default installation of sendmail does not use + set-user-ID root anymore. You need to create a new user and + a new group before installing sendmail (both called smmsp by + default). The installation process tries to install + /etc/mail/submit.cf and creates /var/spool/clientmqueue by + default. Please see sendmail/SECURITY for details. + SECURITY: Check for group and world writable forward and :include: + files. These checks can be turned off if absolutely + necessary using the DontBlameSendmail option and the new + flags: + GroupWritableForwardFile + WorldWritableForwardFile + GroupWritableIncludeFile + WorldWritableIncludeFile + Problem noted by Slawek Zak of Politechnika Warszawska, + SECURITY: Drop privileges when using address test mode. Suggested + by Michal Zalewski of the "Internet for Schools" project + (IdS). + Fixed problem of a global variable being used for a timeout jump + point where the variable could become overused for more than + one timeout concurrently. This erroneous behavior resulted in + a corrupted stack causing a core dump. The timeout is now + handled via libsm. Problem noted by Michael Shapiro, + John Beck, and Carl Smith of Sun Microsystems. + If sendmail is set-group-ID then that group ID is used for permission + checks (group ID of RunAsUser). This allows use of a + set-group-ID sendmail binary for initial message submission + and no set-user-ID root sendmail is needed. For details + see sendmail/SECURITY. + Log a warning if a non-trusted user changes the syslog label. + Based on notice from Bryan Costales of SL3D, Inc. + If sendmail is called for initial delivery, try to use submit.cf + with a fallback of sendmail.cf as configuration file. See + sendmail/SECURITY. + New configuration file option UseMSP to allow group writable queue + files if the group is the same as that of a set-group-ID + sendmail binary. See sendmail/SECURITY. + The .cf file is chosen based on the operation mode. For -bm (default), + -bs, and -t it is submit.cf if it exists for all others it + is sendmail.cf (to be backward compatible). This selection + can be changed by the new option -Ac or -Am (alternative .cf + file: client or mta). See sendmail/SECURITY. + The SMTP server no longer forks on each MAIL command. The ONEX + command has been removed. + Implement SMTP PIPELINING per RFC 2920. It can be turned off + at compile time or per host (ruleset). + New option MailboxDatabase specifies the type of mailbox database + used to look up local mail recipients; the default value + is "pw", which means to use getpwnam(). New mailbox database + types can be added by adding custom code to libsm/mbdb.c. + Queue file names are now 15 characters long, rather than 14 characters + long, to accomodate envelope splitting. File systems with + a 14 character file name length limit are no longer + supported. + Recipient list used for delivery now gets internally ordered by + hostsignature (character string version of MX RR). This orders + recipients for the same MX RR's together meaning smaller + portions of the list need to be scanned (instead of the whole + list) each delivery() pass to determine piggybacking. The + significance of the change is better the larger the recipient + list. Hostsignature is now created during recipient list + creation rather than just before delivery. + Enhancements for more opportunistic piggybacking. Previous + piggybacking (called coincidental) extended to coattail + piggybacking. Rather than complete MX RR matching + (coincidental) piggybacking is done if just the lowest value + preference matches (coattail). + If sendmail receives a temporary error on a RCPT TO: command, it will + try other MX hosts if available. + DefaultAuthInfo can contain a list of mechanisms to be used for + outgoing (client-side) SMTP Authentication. + New modifier 'A' for DaemonPortOptions/ClientPortOptions to disable + AUTH (overrides 'a' modifier in DaemonPortOptions). Based + on patch from Lyndon Nerenberg of Messaging Direct. + Enable AUTH mechanism EXTERNAL if STARTTLS is used. + A new ruleset authinfo can be used to return client side + authentication information for AUTH instead of DefaultAuthInfo. + Therefore the DefaultAuthInfo option is deprecated and will be + removed in future versions. + Accept any SMTP continuation code 3xy for AUTH even though RFC 2554 + requires 334. Mercury 1.48 is a known offender. + Add new option AuthMaxBits to limit the overall encryption strength + for the security layer in SMTP AUTH (SASL). See + doc/op/op.me for details. + Introduce new STARTTLS related macros {cn_issuer}, {cn_subject}, + {cert_md5} which hold the CN (common name) of the CA that + signed the presented certificate, the CN and the MD5 hash + of the presented certificate, respectively. + New ruleset try_tls to decide whether to try (as client) STARTTLS. + New ruleset srv_features to enable/disable certain features in the + server per connection. See doc/op/op.me for details. + New ruleset tls_rcpt to decide whether to send e-mail to a particular + recipient; useful to decide whether a conection is secure + enough on a per recipient basis. + New option TLSSrvOptions to modify some aspects of the server + for STARTTLS. + If no certificate has been requested, the macro {verify} has the + value "NOT". + New M=S modifier for ClientPortOptions/DaemonPortOptions to turn off + using/offering STARTTLS when delivering/receiving e-mail. + Macro expand filenames/directories for certs and keys in the .cf file. + Proposed by Neil Rickert of Northern Illinois University. + Generate an ephemeral RSA key for a STARTTLS connection only if + really required. This change results in a noticable + performance gains on most machines. Moreover, if shared + memory is in use, reuse the key several times. + Add queue groups which can be used to group queue directories with + the same behavior together. See doc/op/op.me for details. + If the new option FastSplit (defaults to one) has a value greater + than zero, it suppresses the MX lookups on addresses when they + are initially sorted which may result in faster envelope + splitting. If the mail is submitted directly from the + command line, then the value also limits the number of + processes to deliver the envelopes; if more envelopes are + created they are only queued up and must be taken care of + by a queue run. + The check for 'enough disk space' now pays attention to which file + system each queue directory resides in. + All queue runners can be cleanly terminated via SIGTERM to parent. + New option QueueFileMode for the default permissions of queue files. + Add parallel queue runner code. Allows multiple queue runners per work + group (one or more queues in a multi-queue environment + collected together) to process the same work list at the + same time. + Option MaxQueueChildren added to limit the number of concurrently + active queue runner processes. + New option MaxRunnersPerQueue to specify the maximum number of queue + runners per queue group. + Queue member selection by substring pattern matching now allows + the pattern to be negated. For -qI, -qR and -qS it is + permissible for -q!I, -q!R and -q!S to mean remove members + of the queue that match during processing. + New -qp[time] option is similar to -qtime, except that instead of + periodically forking a child to process the queue, a single + child is forked for each queue that sleeps between queue + runs. A SIGHUP signal can be sent to restart this + persistent queue runner. + The SIGHUP signal now restarts a timed queue run process (i.e., a + sendmail process which only runs the queue at an interval: + sendmail -q15m). + New option NiceQueueRun to set the priority of queue runners. + Proposed by Thom O'Connor. + sendmail will run the queue(s) in the background when invoked with -q + unless the new -qf option or -v is used. + QueueSortOrder=Random sorts the queue randomly, which is useful if + several queue runners are started by hand to avoid contention. + QueueSortOrder=Modification sorts the queue by the modification time + of the qf file (older entries first). + Support Deliver By SMTP Service Extension (RFC 2852) which allows + a client to specify an amount of time within which an e-mail + should be delivered. New option DeliverByMin added to set the + minimum amount of time or disable the extension. + Non-printable characters (ASCII: 0-31, 127) in mailbox addresses are + not allowed unless escaped or quoted. + Add support for a generic DNS map. Based on a patch contributed + by Leif Johansson of Stockholm University, which was based on + work by Assar Westerlund of Swedish Institute of Computer + Science, Kista, and Johan Danielsson of Royal Institute of + Technology, Stockholm, Sweden. + MX records will be looked up for FallBackMXhost. To use the old + behavior (no MX lookups), put the name in square brackets. + Proposed by Thom O'Connor. + Use shared memory to store free space of filesystems that are used + for queues, if shared memory is available and if a key is set + via SharedMemoryKey. This minimizes the number of system + calls to check the available space. See doc/op/op.me for + details. + If shared memory is compiled in the option -bP can be used to print + the number of entries in the queue(s). + Enable generic mail filter API (milter). See libmilter/README + and the usual documentation for details. + Remove AutoRebuildAliases option, deprecated since 8.10. + Remove '-U' (initial user submission) command line option as + announced in 8.10. + Remove support for non-standard SMTP command XUSR. Use an MSA instead. + New macro {addr_type} which contains whether the current address is + an envelope sender or recipient address. Suggested by + Neil Rickert of Northern Illinois University. + Two new options for host maps: -d (retransmission timeout), + -r (number of retries). + New option for LDAP maps: the -V<sep> allows you to specify a + separator such that a lookup can return both an attribute + and value separated by the given separator. + Add new operators '%', '|', '&' (modulo, binary or, binary and) + to map class arith. + If DoubleBounceAddress expands to an empty string, ``double bounces'' + (errors that occur when sending an error message) are dropped. + New DontBlameSendmail options GroupReadableSASLDBFile and + GroupWritableSASLDBFile to relax requirements for sasldb files. + New DontBlameSendmail options GroupReadableKeyFile to relax + requirements for files containing secret keys. This is + necessary for the MSP if client authentification is used. + Properly handle quoted filenames for class files (to allow for + filenames with spaces). + Honor the resolver option RES_NOALIASES when canonifying hostnames. + Add macros to avoid the reuse of {if_addr} etc: + {if_name_out} hostname of interface of outgoing connection. + {if_addr_out} address of interface of outgoing connection. + {if_family_out} family of interface of outgoing connection. + The latter two are only set if the interface does not belong + to the loopback net. + Add macro {nrcpts} which holds the number of (validated) recipients. + DialDelay option applies only to mailers with flag 'Z'. Patch from + Juergen Georgi of RUS University of Stuttgart. + New Timeout.lhlo,auth,starttls options to limit the time waiting for + an answer to the LMTP LHLO, SMTP AUTH or STARTTLS command. + New Timeout.aconnect option to limit the overall waiting time for + all connections for a single delivery attempt to succeed. + Limit the rate recipients in the SMTP envelope are accepted once + a threshold number of recipients has been rejected (option + BadRcptThrottle). From Gregory A Lundberg of the WU-FTPD + Development Group. + New option DelayLA to delay connections if the load averages + exceeds the specified value. The default of 0 does not + change the previous behavior. A value greater than 0 + will cause sendmail to sleep for one second on most + SMTP commands and before accepting connections if that + load average is exceeded. + Use a dynamic (instead of fixed-size) buffer for the list of + recipients that are sent during a connection to a mailer. + This also introduces a new mailer field 'r' which defines + the maximum number of recipients (defaults to 100). + Based on patch by Motonori Nakamura of Kyoto University. + Add new F=1 mailer flag to disable sending of null characters ('\0'). + Add new F=2 mailer flag to disable use of ESMTP, using SMTP instead. + The deprecated [TCP] builtin mailer pathname (P=) is gone. Use [IPC] + instead. + IPC is no longer available as first mailer argument (A=) for [IPC] + builtin mailer pathnames. Use TCP instead. + PH map code updated to use the new libphclient API instead of the + old libqiapi library. Contributed by Mark Roth of the + University of Illinois at Urbana-Champaign. + New option DirectSubmissionModifiers to define {daemon_flags} + for direct (command line) submissions. + New M=O modifier for DaemonPortOptions to ignore the socket in + case of failures. Based on patch by Jun-ichiro itojun + Hagino of the KAME Project. + Add Disposition-Notification-To: (RFC 2298) to the list of headers + whose content is rewritten similar to Reply-To:. + Proposed by Andrzej Filip. + Use STARTTLS/AUTH=server/client for logging incoming/outgoing + STARTTLS/AUTH connections; log incoming connections at level + 9 or higher. Use AUTH/STARTTLS instead of SASL/TLS for SMTP + AUTH/STARTTLS related logfile entries. + Convert unprintable characters (and backslash) into octal or C format + before logging. + Log recipients if no message is transferred but QUIT/RSET is given + (at LogLevel 9/10 or higher). + Log discarded recipients at LogLevel 10 or higher. + Do not log "did not issue MAIL/EXPN/VRFY/ETRN" for connections + in which most commands are rejected due to check_relay or + TCP Wrappers if the host tries one of those commands anyway. + Change logging format for cloned envelopes to be similar to that for + DSNs ("old id: new id: clone"). Suggested by Ulrich Windl + of the Universitat Regensburg. + Added libsm, a C library of general purpose abstractions including + assertions, tracing and debugging with named debug categories, + exception handling, malloc debugging, resource pools, + portability abstractions, and an extensible buffered I/O + package. It will at some point replace libsmutil. + See libsm/index.html for details. + Fixed most memory leaks in sendmail which were previously taken + care of by fork() and exit(). + Use new sm_io*() functions in place of stdio calls. Allows for + more consistent portablity amongst different platforms + new and old (from new libsm). + Common I/O pkg means just one buffering method needed instead of two + ('bf_portable' and 'bf_torek' now just 'bf'). + Sfio no longer needed as SASL/TLS code uses sm_io*() API's. + New possible value 'interactive' for SuperSafe which can be used + together with DeliveryMode=interactive is to avoid some disk + synchronizations calls. + Add per-recipient status information to mailq -v output. + T_ANY queries are no longer used by sendmail. + When compiling with "gcc -O -Wall" specify "-DSM_OMIT_BOGUS_WARNINGS" + too (see include/sm/cdefs.h for more info). + sendmail -d now has general support for named debug categories. + See libsm/debug.html and section 3.4 of doc/op/op.me + for details. + Eliminate the "postmaster warning" DSNs on address parsing errors + such as unbalanced angle brackets or parentheses. The DSNs + generated by this condition were illegal (not RFC conform). + Problem noted by Ulrich Windl of the Universitaet Regensburg. + Do not issue a DSN if the ruleset localaddr resolves to the $#error + mailer and the recipient has hence been rejected during the + SMTP dialogue. Problem reported by Larry Greenfield of CMU. + Deal with a case of multiple deliveries on misconfigured systems + that do not have postmaster defined. If an email was sent + from an address to which a DSN cannot be returned and + in which at least one recipient address is non-deliverable, + then that email had been delivered in each queue run. + Problem reported by Matteo HCE Valsasna of Universita + degli Studi dell'Insubria. + The compilation options SMTP, DAEMON, and QUEUE have been removed, + i.e., the corresponding code is always compiled in now. + Log the command line in daemon/queue-run mode at LogLevel 10 and + higher. Suggested by Robert Harker of Harker Systems. + New ResolverOptions setting: WorkAroundBrokenAAAA. When + attempting to canonify a hostname, some broken nameservers + will return SERVFAIL (a temporary failure) on T_AAAA (IPv6) + lookups. If you want to excuse this behavior, use this new + flag. Suggested by Chris Foote of SE Network Access and + Mark Roth of the University of Illinois at + Urbana-Champaign. + Free the memory allocated by getipnodeby{addr,name}(). Problem + noted by Joy Latten of IBM. + ConnectionRateThrottle limits the number of connections per second + to each daemon individually, not the overall number of + connections. + Specifying only "ldap:" as an AliasFile specification will force + sendmail to use a default alias schema as outlined in the + ``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section of + cf/README. + Add a new syntax for the 'F' (file class) sendmail.cf command. If + the first character after the class name is not a '/' or a + '|' and it contains an '@' (e.g., F{X}key@class:spec), the + rest of the line will be parsed as a map lookup. This + allows classes to be filled via a map lookup. See op.me + for more syntax information. Specifically, this can be + used for commands such as VIRTUSER_DOMAIN_FILE() to read + the list of domains via LDAP (see the ``USING LDAP FOR + ALIASES, MAPS, and CLASSES'' section of cf/README for an + example). + The new macro ${sendmailMTACluster} determines the LDAP cluster for + the default schema used in the above two items. + Unless DontBlameSendmail=RunProgramInUnsafeDirPath is set, log a + warning if a program being run from a mailer or file class + (e.g., F|/path/to/prog) is in an unsafe directory path. + Unless DontBlameSendmail=RunWritableProgram is set, log a warning + if a program being run from a mailer or file class + (e.g., F|/path/to/prog) is group or world writable. + Loopback interfaces (e.g., "lo0") are now probed for class {w} + hostnames. Setting DontProbeInterfaces to "loopback" + (without quotes) will disable this and return to the + pre-8.12 behavior of only probing non-loopback interfaces. + Suggested by Bryan Stansell of GNAC. + In accordance with RFC 2821 section 4.1.4, accept multiple + HELO/EHLO commands. + Multiple ClientPortOptions settings are now allowed, one for each + possible protocol family which may be used for outgoing + connections. Restrictions placed on one family only affect + outgoing connections on that particular family. Because of + this change, the ${client_flags} macro is not set until the + connection is established. Based on patch from Motonori + Nakamura of Kyoto University. + PrivacyOptions=restrictexpand instructs sendmail to drop privileges + when the -bv option is given by users who are neither root + nor the TrustedUser so users can not read private aliases, + forwards, or :include: files. It also will override the -v + (verbose) command line option. + If the M=b modifier is set in DaemonPortOptions and the interface + address can't be used for the outgoing connection, fall + back to the settings in ClientPortOptions (if set). + Problem noted by John Beck of Sun Microsystems. + New named config file rule check_data for DATA command (input: + number of recipients). Based on patch from Mark Roth of + the University of Illinois at Urbana-Champaign. + Add support for ETRN queue selection per RFC 1985. The queue group + can be specified using the '#' option character. For + example, 'ETRN #queuegroup'. + If an LDAP server times out or becomes unavailable, close the + current connection and reopen to get to one of the fallback + servers. Patch from Paul Hilchey of the University of + British Columbia. + Make default error number on $#error messages 550 instead of 501 + because 501 is not allowed on all commands. + The .cf file option UnsafeGroupWrites is deprecated, it should be + replaced with the settings GroupWritableForwardFileSafe + and GroupWritableIncludeFileSafe in DontBlameSendmail + if required. + The deprecated ldapx map class has been removed. Use the ldap map + class instead. + Any IPv6 addresses used in configuration should be prefixed by the + "IPv6:" tag to identify the address properly. For example, + if you want to add the IPv6 address [2002:c0a8:51d2::23f4] to + class {w}, you would need to add [IPv6:2002:c0a8:51d2::23f4]. + Change the $&{opMode} macro if the operation mode changes while the + MTA is running. For example, during a queue run. + Add "use_inet6" as a new ResolverOptions flag to control the + RES_USE_INET6 resolver option. Based on patch from Rick + Nelson of IBM. + The maximum number of commands before the MTA slows down when too + many "light weight" commands have been received are now + configurable during compile time. The current values and + their defaults are: + MAXBADCOMMANDS 25 unknown commands + MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR + MAXHELOCOMMANDS 3 HELO, EHLO + MAXVRFYCOMMANDS 6 VRFY, EXPN + MAXETRNCOMMANDS 8 ETRN + Setting a value to 0 disables the check. Patch from Bryan + Costales of SL3D, Inc. + The header syntax H?${MyMacro}?X-My-Header: now not only checks if + ${MyMacro} is defined but also that it is not empty. + Properly quote usernames with special characters if they are used + in headers. Problem noted by Kari Hurtta of the Finnish + Meteorological Institute. + Be sure to include the proper Final-Recipient: DSN header in bounce + messages for messages for mailing list expanded addresses + which are not delivered on the initial attempt. + Do not treat errors as sticky when doing delivery via LMTP after + the final dot has been sent to avoid affecting future + deliveries. Problem reported by Larry Greenfield of CMU. + New compile time flag REQUIRES_DIR_FSYNC which turns on support for + file systems that require to call fsync() for a directory + if the meta-data in it has been changed. This should be + set at least for ReiserFS; it is enabled by default for Linux. + See sendmail/README for further information. + Avoid file locking deadlock when updating the statistics file if + sendmail is signaled to terminate. Problem noted by + Christophe Wolfhugel of France Telecom. + Set the $c macro (hop count) as it is being set instead of when the + envelope is initialized. Problem noted by Kari Hurtta of + the Finnish Meteorological Institute. + Properly count recipients for DeliveryMode defer and queue. Fix + from Peter A. Friend of EarthLink. + Treat invalid hesiod lookups as permanent errors instead of + temporary errors. Problem noted by Russell McOrmond of + flora.ca. + Portability: + Remove support for AIX 2, which supports only 14 character + filenames and is outdated anyway. Suggested by + Valdis Kletnieks of Virginia Tech. + Change several settings for Irix 6: remove confSBINDIR, + i.e., use default /usr/sbin, change owner/group + of man pages and user-executable to root/sys, set + optimization limit to 0 (unlimited). Based on patch + from Ayamura Kikuchi, M.D, and proposal from Kari + Hurtta of the Finnish Meteorological Institute. + Do not assume LDAP support is installed by default under + Solaris 8 and later. + Add support for OpenUNIX. + CONFIG: Increment version number of config file to 10. + CONFIG: Add an install target and a README file in cf/cf. + CONFIG: Don't accept addresses of the form a@b@, a@b@c, a@[b]c, etc. + CONFIG: Reject empty recipient addresses (in check_rcpt). + CONFIG: The access map uses an option of -T<TMPF> to deal with + temporary lookup failures. + CONFIG: New value for access map: SKIP, which causes the default + action to be taken by aborting the search for domain names + or IP nets. + CONFIG: check_rcpt can deal with TEMPFAIL for either recipient or + relay address as long as the other part allows the email + to get through. + CONFIG: Entries for virtusertable can make use of a third parameter + "%3" which contains "+detail" of a wildcard match, i.e., an + entry like user+*@domain. This allows handling of details by + using %1%3 as the RHS. Additionally, a "+" wildcard has been + introduced to match only non-empty details of addresses. + CONFIG: Numbers for rulesets used by MAILERs have been removed + and hence there is no required order within the MAILER + section anymore except for MAILER(`uucp') which must come + after MAILER(`smtp') if uucp-dom and uucp-uudom are used. + CONFIG: Hosts listed in the generics domain class {G} + (GENERICS_DOMAIN() and GENERICS_DOMAIN_FILE()) are treated + as canonical. Suggested by Per Hedeland of Ericsson. + CONFIG: If FEATURE(`delay_checks') is used, make sure that a lookup + in the access map which returns OK or RELAY actually + terminates check_* ruleset checking. + CONFIG: New tag TLS_Rcpt: for access map to be used by ruleset + tls_rcpt, see cf/README for details. + CONFIG: Change format of Received: header line which reveals whether + STARTTLS has been used to "(version=${tls_version} + cipher=${cipher} bits=${cipher_bits} verify=${verify})". + CONFIG: Use "Spam:" as tag for lookups for FEATURE(`delay_checks') + options friends/haters instead of "To:" and enable + specification of whole domains instead of just users. + Notice: this change is not backward compatible. + Suggested by Chris Adams from HiWAAY Informations Services. + CONFIG: Allow for local extensions for most new rulesets, see + cf/README for details. + CONFIG: New FEATURE(`lookupdotdomain') to lookup also .domain in + the access map. Proposed by Randall Winchester of the + University of Maryland. + CONFIG: New FEATURE(`local_no_masquerade') to avoid masquerading for + the local mailer. Proposed by Ingo Brueckl of Wupper Online. + CONFIG: confRELAY_MSG/confREJECT_MSG can override the default + messages for an unauthorized relaying attempt/for access + map entries with RHS REJECT, respectively. + CONFIG: FEATURE(`always_add_domain') takes an optional argument + to specify another domain to be added instead of the local one. + Suggested by Richard H. Gumpertz of Computer Problem + Solving. + CONFIG: confAUTH_OPTIONS allows setting of Cyrus-SASL specific + options, see doc/op/op.me for details. + CONFIG: confAUTH_MAX_BITS sets the maximum encryption strength for + the security layer in SMTP AUTH (SASL). + CONFIG: If Local_localaddr resolves to $#ok, localaddr is terminated + immediately. + CONFIG: FEATURE(`enhdnsbl') is an enhanced version of dnsbl which + allows checking of the return values of the DNS lookups. + See cf/README for details. + CONFIG: FEATURE(`dnsbl') allows now to specify the behavior for + temporary lookup failures. + CONFIG: New option confDELIVER_BY_MIN to specify minimum time for + Deliver By (RFC 2852) or to turn off the extension. + CONFIG: New option confSHARED_MEMORY_KEY to set the key for shared + memory use. + CONFIG: New FEATURE(`compat_check') to look up a key consisting + of the sender and the recipient address delimited by the + string "<@>", e.g., sender@sdomain<@>recipient@rdomain, + in the access map. Based on code contributed by Mathias + Koerber of Singapore Telecommunications Ltd. + CONFIG: Add EXPOSED_USER_FILE() command to allow an exposed user + file. Suggested by John Beck of Sun Microsystems. + CONFIG: Don't use MAILER-DAEMON for error messages delivered + via LMTP. Problem reported by Larry Greenfield of CMU. + CONFIG: New FEATURE(`preserve_luser_host') to preserve the name of + the recipient host if LUSER_RELAY is used. + CONFIG: New FEATURE(`preserve_local_plus_detail') to preserve the + +detail portion of the address when passing address to + local delivery agent. Disables alias and .forward +detail + stripping. Only use if LDA supports this. + CONFIG: Removed deprecated FEATURE(`rbl'). + CONFIG: Add LDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE() + which allow you to specify 'equivalent' hosts for LDAP + Routing lookups. Equivalent hostnames are replaced by the + masquerade domain name for lookups. See cf/README for + additional details. + CONFIG: Add a fourth argument to FEATURE(`ldap_routing') which + instructs the rulesets on what to do if the address being + looked up has +detail information. See cf/README for more + information. + CONFIG: When chosing a new destination via LDAP Routing, also look + up the new routing address/host in the mailertable. Based + on patch from Don Badrak of the United States Census Bureau. + CONFIG: Do not reject the SMTP Mail from: command if LDAP Routing + is in use and the bounce option is enabled. Only reject + recipients as user unknown. + CONFIG: Provide LDAP support for the remaining database map + features. See the ``USING LDAP FOR ALIASES AND MAPS'' + section of cf/README for more information. + CONFIG: Add confLDAP_CLUSTER which defines the ${sendmailMTACluster} + macro used for LDAP searches as described above in ``USING + LDAP FOR ALIASES, MAPS, AND CLASSES''. + CONFIG: confCLIENT_OPTIONS has been replaced by CLIENT_OPTIONS(), + which takes the options as argument and can be used + multiple times; see cf/README for details. + CONFIG: Add configuration macros for new options: + confBAD_RCPT_THROTTLE BadRcptThrottle + confDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers + confMAILBOX_DATABASE MailboxDatabase + confMAX_QUEUE_CHILDREN MaxQueueChildren + confMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue + confNICE_QUEUE_RUN NiceQueueRun + confQUEUE_FILE_MODE QueueFileMode + confFAST_SPLIT FastSplit + confTLS_SRV_OPTIONS TLSSrvOptions + See above (and related documentation) for further information. + CONFIG: Add configuration variables for new timeout options: + confTO_ACONNECT Timeout.aconnect + confTO_AUTH Timeout.auth + confTO_LHLO Timeout.lhlo + confTO_STARTTLS Timeout.starttls + CONFIG: Add configuration macros for mail filter API: + confINPUT_MAIL_FILTERS InputMailFilters + confMILTER_LOG_LEVEL Milter.LogLevel + confMILTER_MACROS_CONNECT Milter.macros.connect + confMILTER_MACROS_HELO Milter.macros.helo + confMILTER_MACROS_ENVFROM Milter.macros.envfrom + confMILTER_MACROS_ENVRCPT Milter.macros.envrcpt + Mail filters can be defined via INPUT_MAIL_FILTER() and + MAIL_FILTER(). See libmilter/README, cf/README, and + doc/op/op.me for details. + CONFIG: Add support for accepting temporarily unresolvable domains. + See cf/README for details. Based on patch by Motonori + Nakamura of Kyoto University. + CONFIG: confDEQUOTE_OPTS can be used to specify options for the + dequote map. + CONFIG: New macro QUEUE_GROUP() to define queue groups. + CONFIG: New FEATURE(`queuegroup') to select a queue group based + on the full e-mail address or the domain of the recipient. + CONFIG: Any IPv6 addresses used in configuration should be prefixed + by the "IPv6:" tag to identify the address properly. For + example, if you want to use the IPv6 address + 2002:c0a8:51d2::23f4 in the access database, you would need + to use IPv6:2002:c0a8:51d2::23f4 on the left hand side. + This affects the access database as well as the + relay-domains and local-host-names files. + CONFIG: OSTYPE(aux) has been renamed to OSTYPE(a-ux). + CONFIG: Avoid expansion of m4 keywords in SMART_HOST. + CONFIG: Add MASQUERADE_EXCEPTION_FILE() for reading masquerading + exceptions from a file. Suggested by Trey Breckenridge of + Mississippi State University. + CONFIG: Add LOCAL_USER_FILE() for reading local users + (LOCAL_USER() -- $={L}) entries from a file. + CONTRIB: dnsblaccess.m4 is a further enhanced version of enhdnsbl.m4 + which allows to lookup error codes in the access map. + Contributed by Neil Rickert of Northern Illinois University. + DEVTOOLS: Add new options for installation of include and library + files: confINCGRP, confINCMODE, confINCOWN, confLIBGRP, + confLIBMODE, confLIBOWN. + DEVTOOLS: Add new option confDONT_INSTALL_CATMAN to turn off + installation of the the formatted man pages on operating + systems which don't include cat directories. + EDITMAP: New program for editing maps as supplement to makemap. + MAIL.LOCAL: Mail.local now uses the libsm mbdb package to look up + local mail recipients. New option -D mbdb specifies the + mailbox database type. + MAIL.LOCAL: New option "-h filename" which instructs mail.local to + deliver the mail to the named file in the user's home + directory instead of the system mail spool area. Based on + patch from Doug Hardie of the Los Angeles Free-Net. + MAILSTATS: New command line option -P which acts the same as -p but + doesn't truncate the statistics file. + MAKEMAP: Add new option -t to specify a different delimiter + instead of white space. + RMAIL: Invoke sendmail with '-G' to indicate this is a gateway + submission. Problem noted by Kari Hurtta of the Finnish + Meteorological Institute. + SMRSH: Use the vendor supplied directory on FreeBSD 3.3 and later. + VACATION: Change Auto-Submitted: header value from auto-generated to + auto-replied. From Kenneth Murchison of Oceana Matrix Ltd. + VACATION: New option -d to send error/debug messages to stdout + instead of syslog. + VACATION: New option -U which prevents the attempt to lookup login + in the password file. The -f and -m options must be used + to specify the database and message file since there is no + home directory for the default settings for these options. + VACATION: Vacation now uses the libsm mbdb package to look up + local mail recipients; it reads the MailboxDatabase option + from the sendmail.cf file. New option -C cffile which + specifies the path of the sendmail.cf file. + New Directories: + libmilter/docs + New Files: + cf/cf/README + cf/cf/submit.cf + cf/cf/submit.mc + cf/feature/authinfo.m4 + cf/feature/compat_check.m4 + cf/feature/enhdnsbl.m4 + cf/feature/msp.m4 + cf/feature/local_no_masquerade.m4 + cf/feature/lookupdotdomain.m4 + cf/feature/preserve_luser_host.m4 + cf/feature/preserve_local_plus_detail.m4 + cf/feature/queuegroup.m4 + cf/sendmail.schema + contrib/dnsblaccess.m4 + devtools/M4/UNIX/sm-test.m4 + devtools/OS/OpenUNIX.5.i386 + editmap/* + include/sm/* + libsm/* + libsmutil/cf.c + libsmutil/err.c + sendmail/SECURITY + sendmail/TUNING + sendmail/bf.c + sendmail/bf.h + sendmail/sasl.c + sendmail/sm_resolve.c + sendmail/sm_resolve.h + sendmail/tls.c + Deleted Files: + cf/feature/rbl.m4 + cf/ostype/aix2.m4 + devtools/OS/AIX.2 + include/sendmail/cdefs.h + include/sendmail/errstring.h + include/sendmail/useful.h + libsmutil/errstring.c + sendmail/bf_portable.c + sendmail/bf_portable.h + sendmail/bf_torek.c + sendmail/bf_torek.h + sendmail/clock.c + Renamed Files: + cf/cf/generic-solaris2.mc => cf/cf/generic-solaris.mc + cf/cf/generic-solaris2.cf => cf/cf/generic-solaris.cf + cf/ostype/aux.m4 => cf/ostype/a-ux.m4 + +8.11.7/8.11.7 2003/03/29 + SECURITY: Fix a remote buffer overflow in header parsing by + dropping sender and recipient header comments if the + comments are too long. Problem noted by Mark Dowd + of ISS X-Force. + SECURITY: Fix a buffer overflow in address parsing due to + a char to int conversion problem which is potentially + remotely exploitable. Problem found by Michal Zalewski. + Note: an MTA that is not patched might be vulnerable to + data that it receives from untrusted sources, which + includes DNS. + To provide partial protection to internal, unpatched sendmail MTAs, + 8.11.7 changes by default (char)0xff to (char)0x7f in + headers etc. To turn off this conversion compile with + -DALLOW_255 or use the command line option -d82.101. + To provide partial protection for internal, unpatched MTAs that may be + performing 7->8 or 8->7 bit MIME conversions, the default + for MaxMimeHeaderLength has been changed to 2048/1024. + Note: this does have a performance impact, and it only + protects against frontal attacks from the outside. + To disable the checks and return to pre-8.11.7 defaults, + set MaxMimeHeaderLength to 0/0. + Properly clean up macros to avoid persistence of session data + across various connections. This could cause session + oriented restrictions, e.g., STARTTLS requirements, + to erroneously allow a connection. Problem noted + by Tim Maletic of Priority Health. + Ignore comments in NIS host records when trying to find the + canonical name for a host. + Fix a memory leak when closing Hesiod maps. + Set ${msg_size} macro when reading a message from the command line + or the queue. + Prevent a segmentation fault when clearing the event list by + turning off alarms before checking if event list is + empty. Problem noted by Allan E Johannesen of Worcester + Polytechnic Institute. + Fix a potential core dump problem if the environment variable + NAME is set. Problem noted by Beth A. Chaney of + Purdue University. + Prevent a race condition on child cleanup for delivery to files. + Problem noted by Fletcher Mattox of the University of + Texas. + CONFIG: Do not bounce mail if FEATURE(`ldap_routing')'s bounce + parameter is set and the LDAP lookup returns a temporary + error. + CONFIG: Fix a syntax error in the try_tls ruleset if + FEATURE(`access_db') is not enabled. + LIBSMDB: Fix a lock race condition that affects makemap, praliases, + and vacation. + LIBSMDB: Avoid a file creation race condition for Berkeley DB 1.X + and NDBM on systems with the O_EXLOCK open(2) flag. + MAKEMAP: Avoid going beyond the end of an input line if it does + not contain a value for a key. Based on patch from + Mark Bixby from Hewlett-Packard. + MAIL.LOCAL: Fix a truncation race condition if the close() on + the mailbox fails. Problem noted by Tomoko Fukuzawa of + Sun Microsystems. + SMRSH: SECURITY: Only allow regular files or symbolic links to be + used for a command. Problem noted by David Endler of + iDEFENSE, Inc. + +8.11.6/8.11.6 2001/08/20 + SECURITY: Fix a possible memory access violation when specifying + out-of-bounds debug parameters. Problem detected by + Cade Cairns of SecurityFocus. + Avoid leaking recipient information in unrelated DSNs. This could + happen if a connection is aborted, several mails had been + scheduled for delivery via that connection, and the timeout + is reached such that several DSNs are sent next. Problem + noted by Dileepan Moorkanat of Hewlett-Packard. + Fix a possible segmentation violation when specifying too many + wildcard operators in a rule. Problem detected by + Werner Wiethege. + Avoid a segmentation fault on non-matching Hesiod lookups. Problem + noted by Russell McOrmond of flora.ca + +8.11.5/8.11.5 2001/07/31 + Fix a possible race condition when sending a HUP signal to restart + the daemon. This could terminate the current process without + starting a new daemon. Problem reported by Wolfgang Breyha + of SE Netway Communications. + Only apply MaxHeadersLength when receiving a message via SMTP or + the command line. Problem noted by Andrey J. Melnikoff. + When finding the system's local hostname on an IPv6-enabled system + which doesn't have any IPv6 interface addresses, fall back + to looking up only IPv4 addresses. Problem noted by Tim + Bosserman of EarthLink. + When commands were being rejected due to check_relay or TCP + Wrappers, the ETRN command was not giving a response. + Incoming IPv4 connections on a Family=inet6 daemon (using + IPv4-mapped addresses) were incorrectly labeled as "may be + forged". Problem noted by Per Steinar Iversen of Oslo + University College. + Shutdown address test mode cleanly on SIGTERM. Problem noted by + Greg King of the OAO Corporation. + Restore the original real uid (changed in main() to prevent + out of band signals) before invoking a delivery agent. + Some delivery agents use this for the "From " envelope + "header". Problem noted by Leslie Carroll of the + University at Albany. + Mark closed file descriptors properly to avoid reuse. Problem + noted by Jeff Bronson of J.D. Bronson, Inc. + Setting Timeout options on the command line will also override + their sub-suboptions in the .cf file, e.g., -O + Timeout.queuereturn=2d will set all queuereturn timeouts + to 2 days. Problem noted by Roger B.A. Klorese. + Portability: + BSD/OS has a broken setreuid() implementation. Problem + noted by Vernon Schryver of Rhyolite Software. + BSD/OS has /dev/urandom(4) (as of version 4.1/199910 ?). + Noted by Vernon Schryver of Rhyolite Software. + BSD/OS has fchown(2). Noted by Dave Yadallee of Netline + 2000 Internet Solutions Inc. + Solaris 2.X and later have strerror(3). From Sebastian + Hagedorn of Cologne University. + CONFIG: Fix parsing for IPv6 domain literals in addresses + (user@[IPv6:address]). Problem noted by Liyuan Zhou. + +8.11.4/8.11.4 2001/05/28 + Clean up signal handling routines to reduce the chances of heap + corruption and other potential race conditions. + Terminating and restarting the daemon may not be + instantaneous due to this change. Also, non-root users can + no longer send out-of-band signals. Problem reported by + Michal Zalewski of BindView. + If LogLevel is greater than 9 and SASL fails to negotiate an + encryption layer, avoid core dump logging the encryption + strength. Problem noted by Miroslav Zubcic of Crol. + If a server offers "AUTH=" and "AUTH " and the list of mechanisms is + different in those two lines, sendmail might not have + recognized (and used) all of the offered mechanisms. + Fix an IP address lookup problem on Solaris 2.0 - 2.3. Patch + from Kenji Miyake. + This time, really don't use the .. directory when expanding + QueueDirectory wildcards. + If a process is interrupted while closing a map, don't try to close + the same map again while exiting. + Allow local mailers (F=l) to contact remote hosts (e.g., via + LMTP). Problem noted by Norbert Klasen of the University + of Tuebingen. + If Timeout.QueueReturn was set to a value less the time it took + to write a new queue file (e.g., 0 seconds), the bounce + message would be lost. Problem noted by Lorraine L Goff of + Oklahoma State University. + Pass map argument vector into map rewriting engine for the regex + and prog map types. Problem noted by Stephen Gildea of + InTouch Systems, Inc. + When closing an LDAP map due to a temporary error, close all of the + other LDAP maps which share the original map's connection + to the LDAP server. Patch from Victor Duchovni of + Morgan Stanley. + To detect changes of NDBM aliases files check the timestamp of the + .pag file instead of the .dir file. Problem noted by Neil + Rickert of Northern Illinois University. + Don't treat temporary hesiod lookup failures as permanent. Patch + from Werner Wiethege. + If ClientPortOptions is set, make sure to create the outgoing socket + with the family set in that option. Patch from Sean Farley. + Avoid a segmentation fault trying to dereference a NULL pointer + when logging a MaxHopCount exceeded error with an empty + recipient list. Problem noted by Chris Adams of HiWAAY + Internet Services. + Fix DSN for "Too many hops" bounces. Problem noticed by Ulrich + Windl of the Universitaet Regensburg. + Fix DSN for "mail loops back to me" bounces. Problem noticed by + Kari Hurtta of the Finnish Meteorological Institute. + Portability: + OpenBSD has a broken setreuid() implementation. + CONFIG: Undo change from 8.11.1: change 501 SMTP reply code back + to 553 since it is allowed by DRUMS. + CONFIG: Add OSTYPE(freebsd4) for FreeBSD 4.X. + DEVTOOLS: install.sh did not properly handle paths in the source + file name argument. Noted by Kari Hurtta of the Finnish + Meteorological Institute. + DEVTOOLS: Add FAST_PID_RECYCLE to compile time options for OpenBSD + since it generates random process ids. + PRALIASES: Add back adaptive algorithm to deal with different endings + of entries in the database (with/without trailing '\0'). + Patch from John Beck of Sun Microsystems. + New Files: + cf/ostype/freebsd4.m4 + +8.11.3/8.11.3 2001/02/27 + Prevent a segmentation fault when a bogus value was used in the + LDAPDefaultSpec option's -r, -s, or -M flags and if a bogus + option was used. Problem noted by Allan E Johannesen of + Worcester Polytechnic Institute. + Prevent "token too long" message by shortening {currHeader} which + could be too long if the last copied character was a quote. + Problem detected by Jan Krueger of digitalanswers + communications consulting gmbh. + Additional IPv6 check for unspecified addresses. Patch from + Jun-ichiro itojun Hagino of the KAME Project. + Do not ignore the ClientPortOptions setting if DaemonPortOptions + Modifier=b (bind to same interface) is set and the + connection came in from the command line. + Do not bind to the loopback address if DaemonPortOptions + Modifier=b (bind to same interface) is set. Patch from + John Beck of Sun Microsystems. + Properly deal with open failures on non-optional maps used in + check_* rulesets by returning a temporary failure. + Buffered file I/O files were not being properly fsync'ed to disk + when they were committed. + Properly encode '=' for the AUTH= parameter of the MAIL command. + Problem noted by Hadmut Danisch. + Under certain circumstances the macro {server_name} could be set + to the wrong hostname (of a previous connection), which may + cause some rulesets to return wrong results. This would + usually cause mail to be queued up and delivered later on. + Ignore F=z (LMTP) mailer flag if $u is given in the mailer A= + equate. Problem noted by Motonori Nakamura of Kyoto + University. + Work around broken accept() implementations which only partially + fill in the peer address if the socket is closed before + accept() completes. + Return an SMTP "421" temporary failure if the data file can't be + opened where the "354" reply would normally be given. + Prevent a CPU loop in trying to expand a macro which doesn't exist + in a queue run. Problem noted by Gordon Lack of Glaxo + Wellcome. + If delivering via a program and that program exits with EX_TEMPFAIL, + note that fact for the mailq display instead of just showing + "Deferred". Problem noted by Motonori Nakamura of Kyoto + University. + If doing canonification via /etc/hosts, try both the fully + qualified hostname as well as the first portion of the + hostname. Problem noted by David Bremner of the + University of New Brunswick. + Portability: + Fix a compilation problem for mail.local and rmail if SFIO + is in use. Problem noted by Auteria Wally + Winzer Jr. of Champion Nutrition. + IPv6 changes for platforms using KAME. Patch from + Jun-ichiro itojun Hagino of the KAME Project. + OpenBSD 2.7 and higher has srandomdev(3). OpenBSD 2.8 and + higher has BSDI-style login classes. Patch from + Todd C. Miller of Courtesan Consulting. + Unixware 7.1.1 doesn't allow h_errno to be set directly if + sendmail is being compiled with -kthread. Problem + noted by Orion Poplawski of CQG, Inc. + CONTRIB: buildvirtuser: Substitute current domain for $DOMAIN and + current left hand side for $LHS in virtuser files. + DEVTOOLS: Do not pass make targets to recursive Build invocations. + Problem noted by Jeff Bronson of J.D. Bronson, Inc. + MAIL.LOCAL: In LMTP mode, do not return errors regarding problems + storing the temporary message file until after the remote + side has sent the final DATA termination dot. Problem + noted by Allan E Johannesen of Worcester Polytechnic + Institute. + MAIL.LOCAL: If LMTP mode is set, give a temporary error if users + are also specified on the command line. Patch from + Motonori Nakamura of Kyoto University. + PRALIASES: Skip over AliasFile specifications which aren't based on + database files (i.e., only show dbm, hash, and btree). + Renamed Files: + devtools/OS/OSF1.V5.0 => devtools/OS/OSF1.V5.x + +8.11.2/8.11.2 2000/12/29 + Prevent a segmentation fault when trying to set a class in + address test mode due to a negative array index. Audit + other array indexing. This bug is not believed to be + exploitable. Noted by Michal Zalewski of the "Internet for + Schools" project (IdS). + Add an FFR (for future release) to drop privileges when using + address test mode. This will be turned on in 8.12. It can + be enabled by compiling with: + APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_TESTMODE_DROP_PRIVS') + in your devtools/Site/site.config.m4 file. Suggested by + Michal Zalewski of the "Internet for Schools" project (IdS). + Fix potential problem with Cyrus-SASL security layer which may have + caused I/O errors, especially for mechanism DIGEST-MD5. + When QueueSortOrder was set to host, sendmail might not read + enough of the queue file to determine the host, making the + sort sub-optimal. Problem noted by Jeff Earickson of + Colby College. + Don't issue DSNs for addresses which use the NOTIFY parameter (per + RFC 1891) but don't have FAILURE as value. + Initialize Cyrus-SASL library before the SMTP daemon is started. + This implies that every change to SASL related files requires + a restart of the daemon, e.g., Sendmail.conf, new SASL + mechanisms (in form of shared libraries). + Properly set the STARTTLS related macros during a queue run for + a cached connection. Bug reported by Michael Kellen of + NxNetworks, Inc. + Log the server name in relay= for ruleset tls_server instead of the + client name. + Include original length of bad field/header when reporting + MaxMimeHeaderLength problems. Requested by Ulrich Windl of + the Universitat Regensburg. + Fix delivery to set-user-ID files that are expanded from aliases in + DeliveryMode queue. Problem noted by Ric Anderson of the + University of Arizona. + Fix LDAP map -m (match only) flag. Problem noted by Jeff Giuliano + of Collective Technologies. + Avoid using a negative argument for sleep() calls when delaying answers + to EXPN/VRFY commands on systems which respond very slowly. + Problem noted by Mikolaj J. Habryn of Optus Internet + Engineering. + Make sure the F=u flag is set in the default prog mailer + definition. Problem noted by Kari Hurtta of the Finnish + Meteorological Institute. + Fix IPv6 check for unspecified addresses. Patch from + Jun-ichiro itojun Hagino of the KAME Project. + Fix return values for IRIX nsd map. From Kari Hurtta of the Finnish + Meteorological Institute. + Fix parsing of DaemonPortOptions and ClientPortOptions. Read all + of the parameters to find Family= setting before trying to + interpret Addr= and Port=. Problem noted by Valdis + Kletnieks of Virginia Tech. + When delivering to a file directly from an alias, do not call + initgroups(); instead use the DefaultUser group information. + Problem noted by Marc Schaefer of ALPHANET NF. + RunAsUser now overrides the ownership of the control socket, if + created. Otherwise, sendmail can not remove it upon + close. Problem noted by Werner Wiethege. + Fix ConnectionRateThrottle counting as the option is the number of + overall connections, not the number of connections per + socket. A future version may change this to per socket + counting. + Portability: + Clean up libsmdb so it functions properly on platforms + where sizeof(u_int32_t) != sizeof(size_t). Problem + noted by Rein Tollevik of Basefarm AS. + Fix man page formatting for compatibility with Solaris' + whatis. From Stephen Gildea of InTouch Systems, Inc. + UnixWare 7 includes snprintf() support. From Larry + Rosenman. + IPv6 changes for platforms using KAME. Patch from + Jun-ichiro itojun Hagino of the KAME Project. + Avoid a typedef compile conflict with Berkeley DB 3.X and + Solaris 2.5 or earlier. Problem noted by Bob Hughes + of Pacific Access. + Add preliminary support for AIX 5. Contributed by + Valdis Kletnieks of Virginia Tech. + Solaris 9 load average support from Andrew Tucker of Sun + Microsystems. + CONFIG: Reject addresses of the form a!b if FEATURE(`nouucp', `r') + is used. Problem noted by Phil Homewood of Asia Online, + patch from Neil Rickert of Northern Illinois University. + CONFIG: Change the default DNS based blacklist server for + FEATURE(`dnsbl') to blackholes.mail-abuse.org. + CONFIG: Deal correctly with the 'C' flag in {daemon_flags}, i.e., + implicitly assume canonical host names. + CONFIG: Deal with "::" in IPv6 addresses for access_db. Based on + patch by Motonori Nakamura of Kyoto University. + CONFIG: New OSTYPE(`aix5') contributed by Valdis Kletnieks of + Virginia Tech. + CONFIG: Pass the illegal header form <list:;> through untouched + instead of making it worse. Problem noted by Motonori + Nakamura of Kyoto University. + CONTRIB: Added buildvirtuser (see `perldoc contrib/buildvirtuser`). + CONTRIB: qtool.pl: An empty queue is not an error. Problem noted + by Jan Krueger of digitalanswers communications consulting + gmbh. + CONTRIB: domainmap.m4: Handle domains with '-' in them. From Mark + Roth of the University of Illinois at Urbana-Champaign. + DEVTOOLS: Change the internal devtools OS, REL, and ARCH m4 + variables into bldOS, bldREL, and bldARCH to prevent + namespace collisions. Problem noted by Motonori Nakamura + of Kyoto University. + RMAIL: Undo the 8.11.1 change to use -G when calling sendmail. It + causes some changes in behavior and may break rmail for + installations where sendmail is actually a wrapper to + another MTA. The change will re-appear in a future + version. + SMRSH: Use the vendor supplied directory on HPUX 10.X, HPUX 11.X, + and SunOS 5.8. Requested by Jeff A. Earickson of Colby + College and John Beck of Sun Microsystems. + VACATION: Fix pattern matching for addresses to ignore. + VACATION: Don't reply to addresses of the form owner-* + or *-owner. + New Files: + cf/ostype/aix5.m4 + contrib/buildvirtuser + devtools/OS/AIX.5.0 + +8.11.1/8.11.1 2000/09/27 + Fix SMTP EXPN command output if the address expands to a single + name. Fix from John Beck of Sun Microsystems. + Don't try STARTTLS in the client if the PRNG has not been properly + seeded. This problem only occurs on systems without + /dev/urandom. Problem detected by Jan Krueger of + digitalanswers communications consulting gmbh and + Neil Rickert of Northern Illinois University. + Don't use the . and .. directories when expanding QueueDirectory + wildcards. + Do not try to cache LDAP connections across processes as a parent + process may close the connection before the child process + has completed. Problem noted by Lai Yiu Fai of the Hong + Kong University of Science and Technology and Wolfgang + Hottgenroth of UUNET. + Use Timeout.fileopen to limit the amount of time spent trying to + read the LDAP secret from a file. + Prevent SIGTERM from removing a command line submitted item after + the user submits the message and before the first delivery + attempt completes. Problem noted by Max France of AlphaNet. + Fix from Neil Rickert of Northern Illinois University. + Deal correctly with MaxMessageSize restriction if message size is + greater than 2^31. Problem noted by Tim "Darth Dice" Bosserman + of EarthLink. + Turn off queue checkpointing if CheckpointInterval is set to zero. + Treat an empty home directory (from getpw*() or $HOME) as + non-existent instead of treating it as /. Problem noted by + Todd C. Miller of Courtesan Consulting. + Don't drop duplicate headers when reading a queued item. Problem + noted by Motonori Nakamura of Kyoto University. + Avoid bogus error text when logging the savemail panic "cannot + save rejected email anywhere". Problem noted by Marc G. + Fournier of Acadia University. + If an LDAP search fails because the LDAP server went down, close + the map so subsequent searches reopen the map. If there are + multiple LDAP servers, the down server will be skipped and + one of the others may be able to take over. + Set the ${load_avg} macro to the current load average, not the + previous load average query result. + If a non-optional map used in a check_* ruleset can't be opened, + return a temporary failure to the remote SMTP client + instead of ignoring the map. Problem noted by Allan E + Johannesen of Worcester Polytechnic Institute. + Avoid a race condition when queuing up split envelopes by saving + the split envelopes before the original envelope. + Fix a bug in the PH_MAP code which caused mail to bounce instead of + defer if the PH server could not be contacted. From Mark + Roth of the University of Illinois at Urbana-Champaign. + Prevent QueueSortOrder=Filename from interfering with -qR, -qS, and + ETRN. Problem noted by Erik R. Leo of SoVerNet. + Change error code for unrecognized parameters to the SMTP MAIL and + RCPT commands from 501 to 555 per RFC 1869. Problem + reported to Postfix by Robert Norris of Monash University. + Prevent overwriting the argument of -B on certain OS. Problem + noted by Matteo Gelosa of I.NET S.p.A. + Use the proper routine for freeing memory with Netscape's LDAP + client libraries. Patch from Paul Hilchey of the + University of British Columbia. + Portability: + Move the NETINET6 define to devtools/OS/SunOS.5.{8,9} + instead of defining it in conf.h so users can + override the setting. Suggested by + Henrik Nordstrom of Ericsson. + On HP-UX 10.X and 11.X, use /usr/sbin/sendmail instead of + /usr/lib/sendmail for rmail and vacation. From + Jeff A. Earickson of Colby College. + On HP-UX 11.X, use /usr/sbin instead of /usr/libexec (which + does not exist). From Jeff A. Earickson of Colby + College. + Avoid using the UCB subsystem on NCR MP-RAS 3.x. From + Tom Moore of NCR. + NeXT 3.X and 4.X installs man pages in /usr/man. From + Hisanori Gogota of NTT/InterCommunicationCenter. + Solaris 8 and later include /var/run. The default PID file + location is now /var/run/sendmail.pid. From John + Beck of Sun Microsystems. + SFIO includes snprintf() for those operating systems + which do not. From Todd C. Miller of Courtesan + Consulting. + CONFIG: Use the result of _CERT_REGEX_SUBJECT_ not {cert_subject}. + Problem noted by Kaspar Brand of futureLab AG. + CONFIG: Change 553 SMTP reply code to 501 to avoid problems with + errors in the MAIL address. + CONFIG: Fix FEATURE(nouucp) usage in example .mc files. Problem + noted by Ron Jarrell of Virginia Tech. + CONFIG: Add support for Solaris 8 (and later) as OSTYPE(solaris8). + Contributed by John Beck of Sun Microsystems. + CONFIG: Set confFROM_HEADER such that the mail hub can possibly add + GECOS information for an address. This more closely + matches pre-8.10 nullclient behavior. From Per Hedeland of + Ericsson. + CONFIG: Fix MODIFY_MAILER_FLAGS(): apply the flag modifications for + SMTP to all *smtp* mailers and those for RELAY to the relay + mailer as described in cf/README. + MAIL.LOCAL: Open the mailbox as the recipient not root so quotas + are obeyed. Problem noted by Damian Kuczynski of NIK. + MAKEMAP: Do not change a map's owner to the TrustedUser if using + makemap to 'unmake' the map. + RMAIL: Avoid overflowing the list of recipients being passed to + sendmail. + RMAIL: Invoke sendmail with '-G' to indicate this is a gateway + submission. Problem noted by Kari Hurtta of the Finnish + Meteorological Institute. + VACATION: Read the complete message to avoid "broken pipe" signals. + VACATION: Do not cut off vacation.msg files which have a single + dot as the only character on the line. + New Files: + cf/ostype/solaris8.m4 + +8.11.0/8.11.0 2000/07/19 + SECURITY: If sendmail is installed as a non-root set-user-ID binary + (not the normal case), some operating systems will still + keep a saved-uid of the effective-uid when sendmail tries + to drop all of its privileges. If sendmail needs to drop + these privileges and the operating system doesn't set the + saved-uid as well, exit with an error. Problem noted by + Kari Hurtta of the Finnish Meteorological Institute. + SECURITY: sendmail depends on snprintf() NUL terminating the string + it populates. It is possible that some broken + implementations of snprintf() exist that do not do this. + Systems in this category should compile with + -DSNPRINTF_IS_BROKEN=1. Use test/t_snprintf.c to test your + system and report broken implementations to + sendmail-bugs@sendmail.org and your OS vendor. Problem + noted by Slawomir Piotrowski of TELSAT GP. + Support SMTP Service Extension for Secure SMTP (RFC 2487) (STARTTLS). + Implementation influenced by the example programs of + OpenSSL and the work of Lutz Jaenicke of TU Cottbus. + Add new STARTTLS related options CACERTPath, CACERTFile, + ClientCertFile, ClientKeyFile, DHParameters, RandFile, + ServerCertFile, and ServerKeyFile. These are documented in + cf/README and doc/op/op.*. + New STARTTLS related macros: ${cert_issuer}, ${cert_subject}, + ${tls_version}, ${cipher}, ${cipher_bits}, ${verify}, + ${server_name}, and ${server_addr}. These are documented + in cf/README and doc/op/op.*. + Add support for the Entropy Gathering Daemon (EGD) for better + random data. + New DontBlameSendmail option InsufficientEntropy for systems which + don't properly seed the PRNG for OpenSSL but want to + try to use STARTTLS despite the security problems. + Support the security layer in SMTP AUTH for mechanisms which + support encryption. Based on code contributed by Tim + Martin of CMU. + Add new macro ${auth_ssf} to reflect the SMTP AUTH security + strength factor. + LDAP's -1 (single match only) flag was not honored if the -z + (delimiter) flag was not given. Problem noted by ST Wong of + the Chinese University of Hong Kong. Fix from Mark Adamson + of CMU. + Add more protection from accidentally tripping OpenLDAP 1.X's + ld_errno == LDAP_DECODING_ERROR hack on ldap_next_attribute(). + Suggested by Kurt Zeilenga of OpenLDAP. + Fix the default family selection for DaemonPortOptions. As + documented, unless a family is specified in a + DaemonPortOptions option, "inet" is the default. It is + also the default if no DaemonPortOptions value is set. + Therefore, IPv6 users should configure additional sockets + by adding DaemonPortOptions settings with Family=inet6 if + they wish to also listen on IPv6 interfaces. Problem noted + by Jun-ichiro itojun Hagino of the KAME Project. + Set ${if_family} when setting ${if_addr} and ${if_name} to reflect + the interface information for an outgoing connection. + Not doing so was creating a mismatch between the socket + family and address used in subsequent connections if the + M=b modifier was set in DaemonPortOptions. Problem noted + by John Beck of Sun Microsystems. + If DaemonPortOptions modifier M=b is used, determine the socket + family based on the IP address. ${if_family} is no longer + persistent (i.e., saved in qf files). Patch from John Beck + of Sun Microsystems. + sendmail 8.10 and 8.11 reused the ${if_addr} and ${if_family} + macros for both the incoming interface address/family and + the outgoing interface address/family. In order for M=b + modifier in DaemonPortOptions to work properly, preserve + the incoming information in the queue file for later + delivery attempts. + Use SMTP error code and enhanced status code from check_relay in + responses to commands. Problem noted by Jeff Wasilko of + smoe.org. + Add more vigilance in checking for putc() errors on output streams + to protect from a bug in Solaris 2.6's putc(). Problem + noted by Graeme Hewson of Oracle. + The LDAP map -n option (return attribute names only) wasn't working. + Problem noted by Ajay Matia. + Under certain circumstances, an address could be listed as deferred + but would be bounced back to the sender as failed to be + delivered when it really should have been queued. Problem + noted by Allan E Johannesen of Worcester Polytechnic Institute. + Prevent a segmentation fault in a child SMTP process from getting + the SMTP transaction out of sync. Problem noted by Per + Hedeland of Ericsson. + Turn off RES_DEBUG if SFIO is defined unless SFIO_STDIO_COMPAT + is defined to avoid a core dump due to incompatibilities + between sfio and stdio. Problem noted by Neil Rickert + of Northern Illinois University. + Don't log useless envelope ID on initial connection log. Problem + noted by Kari Hurtta of the Finnish Meteorological Institute. + Convert the free disk space shown in a control socket status query + to kilobyte units. + If TryNullMXList is True and there is a temporary DNS failure + looking up the hostname, requeue the message for a later + attempt. Problem noted by Ari Heikkinen of Pohjois-Savo + Polytechnic. + Under the proper circumstances, failed connections would be recorded + as "Bad file number" instead of "Connection failed" in the + queue file and persistent host status. Problem noted by + Graeme Hewson of Oracle. + Avoid getting into an endless loop if a non-hoststat directory exists + within the hoststatus directory (e.g., lost+found). + Patch from Valdis Kletnieks of Virginia Tech. + Make sure Timeout.queuereturn=now returns a bounce message to the + sender. Problem noted by Per Hedeland of Ericsson. + If a message data file can't be opened at delivery time, panic and + abort the attempt instead of delivering a message that + states "<<< No Message Collected >>>". + Fixup the GID checking code from 8.10.2 as it was overly + restrictive. Problem noted by Mark G. Thomas of Mark + G. Thomas Consulting. + Preserve source port number instead of replacing it with the ident + port number (113). + Document the queue status characters in the mailq man page. + Suggested by Ulrich Windl of the Universitat Regensburg. + Process queued items in which none of the recipient addresses have + host portions (or there are no recipients). Problem noted + by Valdis Kletnieks of Virginia Tech. + If a cached LDAP connection is used for multiple maps, make sure + only the first to open the connection is allowed to close + it so a later map close doesn't break the connection for + other maps. Problem noted by Wolfgang Hottgenroth of UUNET. + Netscape's LDAP libraries do not support Kerberos V4 + authentication. Patch from Rainer Schoepf of the + University of Mainz. + Provide workaround for inconsistent handling of data passed + via callbacks to Cyrus SASL prior to version 1.5.23. + Mention ENHANCEDSTATUSCODES in the SMTP HELP helpfile. Omission + noted by Ulrich Windl of the Universitat Regensburg. + Portability: + Add the ability to read IPv6 interface addresses into class + 'w' under FreeBSD (and possibly others). From Jun + Kuriyama of IMG SRC, Inc. and the FreeBSD Project. + Replace code for finding the number of CPUs on HPUX. + NCRUNIX MP-RAS 3.02 SO_REUSEADDR socket option does not + work properly causing problems if the accept() + fails and the socket needs to be reopened. Patch + from Tom Moore of NCR. + NetBSD uses a .0 extension of formatted man pages. From + Andrew Brown of Crossbar Security. + Return to using the IPv6 AI_DEFAULT flag instead of AI_V4MAPPED + for calls to getipnodebyname(). The Linux + implementation is broken so AI_ADDRCONFIG is stripped + under Linux. From John Beck of Sun Microsystems and + John Kennedy of Cal State University, Chico. + CONFIG: Catch invalid addresses containing a ',' at the wrong place. + Patch from Neil Rickert of Northern Illinois University. + CONFIG: New variables for the new sendmail options: + confCACERT_PATH CACERTPath + confCACERT CACERTFile + confCLIENT_CERT ClientCertFile + confCLIENT_KEY ClientKeyFile + confDH_PARAMETERS DHParameters + confRAND_FILE RandFile + confSERVER_CERT ServerCertFile + confSERVER_KEY ServerKeyFile + CONFIG: Provide basic rulesets for TLS policy control and add new + tags to the access database to support these policies. See + cf/README for more information. + CONFIG: Add TLS information to the Received: header. + CONFIG: Call tls_client ruleset from check_mail in case it wasn't + called due to a STARTTLS command. + CONFIG: If TLS_PERM_ERR is defined, TLS related errors are permanent + instead of temporary. + CONFIG: FEATURE(`relay_hosts_only') didn't work in combination with + the access map and relaying to a domain without using a To: + tag. Problem noted by Mark G. Thomas of Mark G. Thomas + Consulting. + CONFIG: Set confEBINDIR to /usr/sbin to match the devtools entry in + OSTYPE(`linux') and OSTYPE(`mklinux'). From Tim Pierce of + RootsWeb.com. + CONFIG: Make sure FEATURE(`nullclient') doesn't use aliasing and + forwarding to make it as close to the old behavior as + possible. Problem noted by George W. Baltz of the + University of Maryland. + CONFIG: Added OSTYPE(`darwin') for Mac OS X and Darwin users. From + Wilfredo Sanchez of Apple Computer, Inc. + CONFIG: Changed the map names used by FEATURE(`ldap_routing') from + ldap_mailhost and ldap_mailroutingaddress to ldapmh and + ldapmra as underscores in map names cause problems if + underscore is in OperatorChars. Problem noted by Bob Zeitz + of the University of Alberta. + CONFIG: Apply blacklist_recipients also to hosts in class {w}. + Patch from Michael Tratz of Esosoft Corporation. + CONFIG: Use A=TCP ... instead of A=IPC ... in SMTP mailers. + CONTRIB: Add link_hash.sh to create symbolic links to the hash + of X.509 certificates. + CONTRIB: passwd-to-alias.pl: More protection from special characters; + treat special shells as root aliases; skip entries where the + GECOS full name and username match. From Ulrich Windl of the + Universitat Regensburg. + CONTRIB: qtool.pl: Add missing last_modified_time method and fix a + typo. Patch from Graeme Hewson of Oracle. + CONTRIB: re-mqueue.pl: Improve handling of a race between re-mqueue + and sendmail. Patch from Graeme Hewson of Oracle. + CONTRIB: re-mqueue.pl: Don't exit(0) at end so can be called as + subroutine Patch from Graeme Hewson of Oracle. + CONTRIB: Add movemail.pl (move old mail messages between queues by + calling re-mqueue.pl) and movemail.conf (configuration + script for movemail.pl). From Graeme Hewson of Oracle. + CONTRIB: Add cidrexpand (expands CIDR blocks as a preprocessor to + makemap). From Derek J. Balling of Yahoo,Inc. + DEVTOOLS: INSTALL_RAWMAN installation option mistakenly applied any + extension modifications (e.g., MAN8EXT) to the installation + target. Patch from James Ralston of Carnegie Mellon + University. + DEVTOOLS: Add support for SunOS 5.9. + DEVTOOLS: New option confLN contains the command used to create + links. + LIBSMDB: Berkeley DB 2.X and 3.X errors might be lost and not + reported. + MAIL.LOCAL: DG/UX portability. Problem noted by Tim Boyer of + Denman Tire Corporation. + MAIL.LOCAL: Prevent a possible DoS attack when compiled with + -DCONTENTLENGTH. Based on patch from 3APA3A@SECURITY.NNOV.RU. + MAILSTATS: Fix usage statement (-p and -o are optional). + MAKEMAP: Change man page layout as workaround for problem with nroff + and -man on Solaris 7. Patch from Larry Williamson. + RMAIL: AIX 4.3 has snprintf(). Problem noted by David Hayes of + Black Diamond Equipment, Limited. + RMAIL: Prevent a segmentation fault if the incoming message does not + have a From line. + VACATION: Read all of the headers before deciding whether or not + to respond instead of stopping after finding recipient. + Added Files: + cf/ostype/darwin.m4 + contrib/cidrexpand + contrib/link_hash.sh + contrib/movemail.conf + contrib/movemail.pl + devtools/OS/SunOS.5.9 + test/t_snprintf.c + +8.10.2/8.10.2 2000/06/07 + SECURITY: Work around broken Linux setuid() implementation. + On Linux, a normal user process has the ability to subvert + the setuid() call such that it is impossible for a root + process to drop its privileges. Problem noted by Wojciech + Purczynski of elzabsoft.pl. + SECURITY: Add more vigilance around set*uid(), setgid(), setgroups(), + initgroups(), and chroot() calls. + Added Files: + test/t_setuid.c + +8.10.1/8.10.1 2000/04/06 + SECURITY: Limit the choice of outgoing (client-side) SMTP + Authentication mechanisms to those specified in + AuthMechanisms to prevent information leakage. We do not + recommend use of PLAIN for outgoing mail as it sends the + password in clear text to possibly untrusted servers. See + cf/README's DefaultAuthInfo section for additional information. + Copy the ident argument for openlog() to avoid problems on some + OSs. Based on patch from Rob Bajorek from Webhelp.com. + Avoid bogus error message when reporting an alias line as too long. + Avoid bogus socket error message if sendmail.cf version level is + greater than sendmail binary supported version. Patch + from John Beck of Sun Microsystems. + Prevent a malformed ruleset (missing right hand side) from causing + a segmentation fault when using address test mode. Based on + patch from John Beck of Sun Microsystems. + Prevent memory leak from use of NIS maps and yp_match(3). Problem + noted by Gil Kloepfer of the University of Texas at Austin. + Fix queue file permission checks to allow for TrustedUser ownership. + Change logging of errors from the trust_auth ruleset to LogLevel 10 + or higher. + Avoid simple password cracking attacks against SMTP AUTH by using + exponential delay after too many tries within one connection. + Encode an initial empty AUTH challenge as '=', not as empty string. + Avoid segmentation fault on EX_SOFTWARE internal error logs. + Problem noted by Allan E Johannesen of Worcester + Polytechnic Institute. + Ensure that a header check which resolves to $#discard actually + discards the message. + Emit missing value warnings for aliases with no right hand side + when newaliases is run instead of only when delivery is + attempted to the alias. + Remove AuthOptions missing value warning for consistency with other + flag options. + Portability: + SECURITY: Specify a run-time shared library search path for + AIX 4.X instead of using the dangerous AIX 4.X + linker semantics. AIX 4.X users should consult + sendmail/README for further information. Problem + noted by Valdis Kletnieks of Virginia Tech. + Avoid use of strerror(3) call. Problem noted by Charles + Levert of Ecole Polytechnique de Montreal. + DGUX requires -lsocket -lnsl and has a non-standard install + program. From Tim Boyer of Denman Tire Corporation. + HPUX 11.0 has a broken res_search() function. + Updates to devtools/OS/NeXT.3.X, NeXT.4.X, and NEXTSTEP.4.X + from J. P. McCann of E I A. + Digital UNIX/Compaq Tru64 5.0 now includes snprintf(3). + Problem noted by Michael Long of Info Avenue Internet + Services, LLC. + Modern (post-199912) OpenBSD versions include working + strlc{at,py}(3) functions. From Todd C. Miller of + Courtesan Consulting. + SINIX doesn't have random(3). From Gerald Rinske of + Siemens Business Services. + CONFIG: Change error message about unresolvable sender domain to + include the sender address. Proposed by Wolfgang Rupprecht + of WSRCC. + CONFIG: Fix usenet mailer calls. + CONFIG: If RELAY_MAILER_FLAGS is not defined, use SMTP_MAILER_FLAGS + to be backward compatible with 8.9. + CONFIG: Change handling of default case @domain for virtusertable + to allow for +*@domain to deal with +detail. + CONTRIB: Remove converting.sun.configs -- it is obsolete. + DEVTOOLS: confUBINMODE was being ignored. Fix from KITAZIMA, Tuneki + of NEC. + DEVTOOLS: Add to NCR platform list and include the architecture + (i486). From Tom J. Moore of NCR. + DEVTOOLS: SECURITY: Change method of linking with sendmail utility + libraries to work around the AIX 4.X and SunOS 4.X linker's + overloaded -L option. Problem noted by Valdis Kletnieks of + Virginia Tech. + DEVTOOLS: configure.sh was overriding the user's choice for + confNROFF. Problem noted by Glenn A. Malling of Syracuse + University. + DEVTOOLS: New variables conf_prog_LIB_POST and confBLDVARIANT added + for other internal projects but included in the open source + release. + LIBSMDB: Check for ".db" instead of simply "db" at the end of the + map name to determine whether or not to add the extension. + This fixes makemap when building the userdb file. Problem + noted by Andrew J Cole of the University of Leeds. + LIBSMDB: Allow a database to be opened for updating and created if + it doesn't already exist. Problem noted by Rand Wacker of + Sendmail. + LIBSMDB: If type is SMDB_TYPE_DEFAULT and both NEWDB and NDBM are + available, fall back to NDBM if NEWDB open fails. This + fixes praliases. Patch from John Beck of Sun Microsystems. + LIBSMUTIL: safefile()'s SFF_NOTEXCL check was being misinterpreted + as SFF_NOWRFILES. + OP.ME: Clarify some issues regarding mailer flags. Suggested by + Martin Mokrejs of The Charles University and Neil Rickert of + Northern Illinois University. + PRALIASES: Restore 8.9.X functionality of being able to search for + particular keys in a database by specifying the keys on the + command line. Man page updated accordingly. Patch from + John Beck of Sun Microsystems. + VACATION: SunOS 4.X portability from Charles Levert of Ecole + Polytechnique de Montreal. + VACATION: Fix -t option which is ignored but available for + compatibility with Sun's version, based on patch from + Volker Dobler of Infratest Burke. + Added Files: + devtools/M4/UNIX/smlib.m4 + devtools/OS/OSF1.V5.0 + Deleted Files: + contrib/converting.sun.configs + Deleted Directories (already done in 8.10.0 but not listed): + doc/intro + doc/usenix + doc/changes + +8.10.0/8.10.0 2000/03/01 + ************************************************************* + * The engineering department at Sendmail, Inc. has suffered * + * the tragic loss of a key member of our engineering team. * + * Julie Van Bourg was the Vice President of Engineering * + * at Sendmail, Inc. during the development and deployment * + * of this release. It was her vision, dedication, and * + * support that has made this release a success. Julie died * + * on October 26, 1999 of cancer. We have lost a leader, a * + * coach, and a friend. * + * * + * This release is dedicated to her memory and to the joy, * + * strength, ideals, and hope that she brought to all of us. * + * Julie, we miss you! * + ************************************************************* + SECURITY: The safe file checks now back track through symbolic + links to make sure the files can't be compromised due + to poor permissions on the parent directories of the + symbolic link target. + SECURITY: Only root, TrustedUser, and users in class t can rebuild + the alias map. Problem noted by Michal Zalewski of the + "Internet for Schools" project (IdS). + SECURITY: There is a potential for a denial of service attack if + the AutoRebuildAliases option is set as a user can kill the + sendmail process while it is rebuilding the aliases file + (leaving it in an inconsistent state). This option and + its use is deprecated and will be removed from a future + version of sendmail. + SECURITY: Make sure all file descriptors (besides stdin, stdout, and + stderr) are closed before restarting sendmail. Problem noted + by Michal Zalewski of the "Internet for Schools" project + (IdS). + Begin using /etc/mail/ for sendmail related files. This affects + a large number of files. See cf/README for more details. + The directory structure of the distribution has changed slightly + for easier code sharing among the programs. + Support SMTP AUTH (see RFC 2554). New macros for this purpose + are ${auth_authen}, ${auth_type}, and ${auth_author} + which hold the client's authentication credentials, + the mechanism used for authentication, and the + authorization identity (i.e., the AUTH= parameter if + supplied). Based on code contributed by Tim Martin of CMU. + On systems which use the Torek stdio library (all of the BSD + distributions), use memory-buffered files to reduce + file system overhead by not creating temporary files on + disk. Contributed by Exactis.com, Inc. + New option DataFileBufferSize to control the maximum size of a + memory-buffered data (df) file before a disk-based file is + used. Contributed by Exactis.com, Inc. + New option XscriptFileBufferSize to control the maximum size of a + memory-buffered transcript (xf) file before a disk-based + file is used. Contributed by Exactis.com, Inc. + sendmail implements RFC 2476 (Message Submission), e.g., it can + now listen on several different ports. Use: + O DaemonPortOptions=Name=MSA, Port=587, M=E + to run a Message Submission Agent (MSA); this is turned + on by default in m4-generated .cf files; it can be turned + off with FEATURE(`no_default_msa'). + The 'XUSR' SMTP command is deprecated. Mail user agents should + begin using RFC 2476 Message Submission for initial user + message submission. XUSR may disappear from a future release. + The new '-G' (relay (gateway) submission) command line option + indicates that the message being submitted from the command + line is for relaying, not initial submission. This means + the message will be rejected if the addresses are not fully + qualified and no canonicalization will be done. Future + releases may even reject improperly formed messages. + The '-U' (initial user submission) command line option is + deprecated and may be removed from a future release. + Mail user agents should begin using '-G' to indicate that + this is a relay submission (the inverse of -U). + The next release of sendmail will assume that any message submitted + from the command line is an initial user submission and act + accordingly. + If sendmail doesn't have enough privileges to run a .forward + program or deliver to file as the owner of that file, the + address is marked as unsafe. This means if RunAsUser is + set, users won't be able to use programs or delivery to + files in their .forward files. Administrators can override + this by setting the DontBlameSendmail option to the new + setting NonRootSafeAddr. + Allow group or world writable directories if the sticky bit is set + on the directory and DontBlameSendmail is set to + TrustStickyBit. Based on patch from Chris Metcalf of + InCert Software. + Prevent logging of unsafe directory paths for non-existent forward + files if the new DontWarnForwardFileInUnsafeDirPath bit is + set in the DontBlameSendmail option. Requested by many. + New Timeout.control option to limit the total time spent satisfying + a control socket request. + New Timeout.resolver options for controlling BIND resolver + settings: + Timeout.resolver.retrans + Sets the resolver's retransmission time interval (in + seconds). Sets both Timeout.resolver.retrans.first + and Timeout.resolver.retrans.normal. + Timeout.resolver.retrans.first + Sets the resolver's retransmission time interval (in + seconds) for the first attempt to deliver a message. + Timeout.resolver.retrans.normal + Sets the resolver's retransmission time interval (in + seconds) for all resolver lookups except the first + delivery attempt. + Timeout.resolver.retry + Sets the number of times to retransmit a resolver + query. Sets both Timeout.resolver.retry.first + and Timeout.resolver.retry.normal. + Timeout.resolver.retry.first + Sets the number of times to retransmit a resolver + query for the first attempt to deliver a message. + Timeout.resolver.retry.normal + Sets the number of times to retransmit a resolver + query for all resolver lookups except the first + delivery attempt. + Contributed by Exactis.com, Inc. + Support multiple queue directories. To use multiple queues, supply + a QueueDirectory option value ending with an asterisk. For + example, /var/spool/mqueue/q* will use all of the + directories or symbolic links to directories beginning with + 'q' in /var/spool/mqueue as queue directories. Keep in + mind, the queue directory structure should not be changed + while sendmail is running. Queue runs create a separate + process for running each queue unless the verbose flag is + given on a non-daemon queue run. New items are randomly + assigned to a queue. Contributed by Exactis.com, Inc. + Support different directories for qf, df, and xf queue files; if + subdirectories or symbolic links to directories of those names + exist in the queue directories, they are used for the + corresponding queue files. Keep in mind, the queue + directory structure should not be changed while sendmail is + running. Proposed by Mathias Koerber of Singapore + Telecommunications Ltd. + New queue file naming system which uses a filename guaranteed to be + unique for 60 years. This allows queue IDs to be assigned + without fancy file system locking. Queued items can be + moved between queues easily. Contributed by Exactis.com, + Inc. + Messages which are undeliverable due to temporary address failures + (e.g., DNS failure) will now go to the FallBackMX host, if + set. Contributed by Exactis.com, Inc. + New command line option '-L tag' which sets the identifier used for + syslog. Contributed by Exactis.com, Inc. + QueueSortOrder=Filename will sort the queue by filename. This + avoids opening and reading each queue file when preparing + to run the queue. Contributed by Exactis.com, Inc. + Shared memory counters and microtimers functionality has been + donated by Exactis.com, Inc. + The SCCS ID tags have been replaced with RCS ID tags. + Allow trusted users (those on a T line or in $=t) to set the + QueueDirectory (Q) option without an X-Authentication-Warning: + being added. Suggested by Michael K. Sanders. + IPv6 support based on patches from John Kennedy of Cal State + University, Chico, Motonori Nakamura of Kyoto University, + and John Beck of Sun Microsystems. + In low-disk space situations, where sendmail would previously refuse + connections, still accept them, but only allow ETRN commands. + Suggested by Mathias Koerber of Singapore Telecommunications + Ltd. + The [IPC] builtin mailer now allows delivery to a UNIX domain socket + on systems which support them. This can be used with LMTP + local delivery agents which listen on a named socket. An + example mailer might be: + Mexecmail, P=[IPC], F=lsDFMmnqSXzA5@/:|, E=\r\n, + S=10, R=20/40, T=DNS/RFC822/X-Unix, + A=FILE /var/run/lmtpd + Code contributed by Lyndon Nerenberg of Messaging Direct. + The [TCP] builtin mailer name is now deprecated. Use [IPC] + instead. + The first mailer argument in the [IPC] mailer is now checked for a + legitimate value. Possible values are TCP (for TCP/IP + connections), IPC (which will be deprecated in a future + version), and FILE (for UNIX domain socket delivery). + PrivacyOptions=goaway no longer includes the noetrn and the noreceipts + flags. + PrivacyOptions=nobodyreturn instructs sendmail not to include the + body of the original message on delivery status + notifications. + Don't announce DSN if PrivacyOptions=noreceipts is set. Problem noted + by Dan Bernstein, fix from Robert Harker of Harker Systems. + Accept the SMTP RSET command even when rejecting commands due to TCP + Wrappers or the check_relay ruleset. Problem noted by + Steve Schweinhart of America Online. + Warn if OperatorChars is set multiple times. OperatorChars should + not be set after rulesets are defined. Suggested by + Mitchell Blank Jr of Exec-PC. + Do not report temporary failure on delivery to files. In + interactive delivery mode, this would result in two SMTP + responses after the DATA command. Problem noted by + Nik Conwell of Boston University. + Check file close when mailing to files. Problem noted by Nik + Conwell of Boston University. + Avoid a segmentation fault when using the LDAP map. Patch from + Curtis W. Hillegas of Princeton University. + Always bind to the LDAP server regardless of whether you are using + ldap_open() or ldap_init(). Fix from Raj Kunjithapadam of + @Home Network. + New ruleset trust_auth to determine whether a given AUTH= + parameter of the MAIL command should be trusted. See SMTP + AUTH, cf/README, and doc/op/op.ps. + Allow new named config file rules check_vrfy, check_expn, and + check_etrn for VRFY, EXPN, and ETRN commands, respectively, + similar to check_rcpt etc. + Introduce new macros ${rcpt_mailer}, ${rcpt_host}, ${rcpt_addr}, + ${mail_mailer}, ${mail_host}, ${mail_addr} that hold + the results of parsing the RCPT and MAIL arguments, i.e. + the resolved triplet from $#mailer $@host $:addr. + From Kari Hurtta of the Finnish Meteorological Institute. + New macro ${client_resolve} which holds the result of the resolve + call for ${client_name}: OK, FAIL, FORGED, TEMP. Proposed + by Kari Hurtta of the Finnish Meteorological Institute. + New macros ${dsn_notify}, ${dsn_envid}, and ${dsn_ret} that hold + the corresponding DSN parameter values. Proposed by + Mathias Herberts. + New macro ${msg_size} which holds the value of the SIZE= parameter, + i.e., usually the size of the message (in an ESMTP dialogue), + before the message has been collected, thereafter it holds + the message size as computed by sendmail (and can be used + in check_compat). + The macro ${deliveryMode} now specifies the current delivery mode + sendmail is using instead of the value of the DeliveryMode + option. + New macro ${ntries} holds the number of delivery attempts. + Drop explicit From: if same as what would be generated only if it is + a local address. From Motonori Nakamura of Kyoto University. + Write pid to file also if sendmail only processes the queue. + Proposed by Roy J. Mongiovi of Georgia Tech. + Log "low on disk space" only when necessary. + New macro ${load_avg} can be used to check the current load average. + Suggested by Scott Gifford of The Internet Ramp. + Return-Receipt-To: header implies DSN request if option RrtImpliesDsn + is set. + Flag -S for maps to specify the character which is substituted + for spaces (instead of the default given by O BlankSub). + Flag -D for maps: perform no lookup in deferred delivery mode. + This flag is set by default for the host map. Based on a + proposal from Ian MacPhedran of the University of Saskatchewan. + Open maps only on demand, not at startup. + Log warning about unsupported IP address families. + New option MaxHeadersLength allows to specify a maximum length + of the sum of all headers. This can be used to prevent + a denial-of-service attack. + New option MaxMimeHeaderLength which limits the size of MIME + headers and parameters within those headers. This option + is intended to protect mail user agents from buffer + overflow attacks. + Added option MaxAliasRecursion to specify the maximum depth of + alias recursion. + New flag F=6 for mailers to strip headers to seven bit. + Map type syslog to log the key via syslogd. + Entries in the alias file can be continued by putting a backslash + directly before the newline. + New option DeadLetterDrop to define the location of the system-wide + dead.letter file, formerly hardcoded to + /usr/tmp/dead.letter. If this option is not set (the + default), sendmail will not attempt to save to a + system-wide dead.letter file if it can not bounce the mail + to the user nor postmaster. Instead, it will rename the qf + file as it has in the past when the dead.letter file + could not be opened. + New option PidFile to define the location of the pid file. The + value of this option is macro expanded. + New option ProcessTitlePrefix specifies a prefix string for the + process title shown in 'ps' listings. + New macros for use with the PidFile and ProcessTitlePrefix options + (along with the already existing macros): + ${daemon_info} Daemon information, e.g. + SMTP+queueing@00:30:00 + ${daemon_addr} Daemon address, e.g., 0.0.0.0 + ${daemon_family} Daemon family, e.g., inet, inet6, etc. + ${daemon_name} Daemon name, e.g., MSA. + ${daemon_port} Daemon port, e.g., 25 + ${queue_interval} Queue run interval, e.g., 00:30:00 + New macros especially for virtual hosting: + ${if_name} hostname of interface of incoming connection. + ${if_addr} address of interface of incoming connection. + The latter is only set if the interface does not belong to the + loopback net. + If a message being accepted via a method other than SMTP and + would be rejected by a header check, do not send the message. + Suggested by Phil Homewood of Mincom Pty Ltd. + Don't strip comments for header checks if $>+ is used instead of $>. + Provide header value as quoted string in the macro + ${currHeader} (possibly truncated to MAXNAME). Suggested by + Jan Krueger of Unix-AG of University of Hannover. + The length of the header value is stored in ${hdrlen}. + H*: allows to specify a default ruleset for header checks. This + ruleset will only be called if the individual header does + not have its own ruleset assigned. Suggested by Jan + Krueger of Unix-AG of University of Hannover. + The name of the header field stored in ${hdr_name}. + Comments (i.e., text within parentheses) in rulesets are not + removed if the config file version is greater than or equal + to 9. For example, "R$+ ( 1 ) $@ 1" matches the + input "token (1)" but does not match "token". + Avoid removing the Content-Transfer-Encoding MIME header on + MIME messages. Problem noted by Sigurbjorn B. Larusson of + Multimedia Consumer Services. Fix from Per Hedeland of + Ericsson. + Avoid duplicate Content-Transfer-Encoding MIME header on + messages with 8-bit text in headers. Problem noted by + Per Steinar Iversen of Oslo College. Fix from Per Hedeland + of Ericsson. + Avoid keeping maps locked longer than necessary when re-opening a + modified database map file. Problem noted by Chris Adams + of Renaissance Internet Services. + Resolving to the $#error mailer with a temporary failure code (e.g., + $#error $@ tempfail $: "400 Temporary failure") will now + queue up the message instead of bouncing it. + Be more liberal in acceptable responses to an SMTP RSET command as + standard does not provide any indication of what to do when + something other than 250 is received. Based on a patch + from Steve Schweinhart of America Online. + New option TrustedUser allows to specify a user who can own + important files instead of root. This requires HASFCHOWN. + Fix USERDB conditional so compiling with NEWDB or HESIOD and + setting USERDB=0 works. Fix from Jorg Zanger of Schock. + Fix another instance (similar to one in 8.9.3) of a network failure + being mis-logged as "Illegal Seek" instead of whatever + really went wrong. From John Beck of Sun Microsystems. + $? tests also whether the macro is non-null. + Print an error message if a mailer definition contains an invalid + equate name. + New mailer equate /= to specify a directory to chroot() into before + executing the mailer program. Suggested by Igor Vinokurov. + New mailer equate W= to specify the maximum time to wait for the + mailer to return after sending all data to it. + Only free memory from the process list when adding a new process + into a previously filled slot. Previously, the memory was + freed at removal time. Since removal can happen in a + signal handler, this may leave the memory map in an + inconsistent state. Problem noted by Jeff A. Earickson and + David Cooley of Colby College. + When using the UserDB @hostname catch-all, do not try to lookup + local users in the passwd file. The UserDB code has + already decided the message will be passed to another host + for processing. Fix from Tony Landells of Burdett + Buckeridge Young Limited. + Support LDAP authorization via either a file containing the + password or Kerberos V4 using the new map options + '-ddistinguished_name', '-Mmethod', and '-Pfilename'. The + distinguished_name is who to login as. The method can be + one of LDAP_AUTH_NONE, LDAP_AUTH_SIMPLE, or + LDAP_AUTH_KRBV4. The filename is the file containing the + secret key for LDAP_AUTH_SIMPLE or the name of the Kerberos + ticket file for LDAP_AUTH_KRBV4. Patch from Booker Bense + of Stanford University. + The ldapx map has been renamed to ldap. The use of ldapx is + deprecated and will be removed in a future version. + If the result of an LDAP search returns a multi-valued attribute + and the map has the column delimiter set, it turns that + response into a delimiter separated string. The LDAP map + will traverse multiple entries as well. LDAP alias maps + automatically set the column delimiter to the comma. + Based on patch from Booker Bense of Stanford University and + idea from Philip A. Prindeville of Mirapoint, Inc. + Support return of multiple values for a single LDAP lookup. The + values to be returned should be in a comma separated string. + For example, `-v "email,emailother"'. Patch from + Curtis W. Hillegas of Princeton University. + Allow the use of LDAP for alias maps. + If no LDAP attributes are specified in an LDAP map declaration, all + attributes found in the match will be returned. + Prevent commas in quoted strings in the AliasFile value from + breaking up a single entry into multiple entries. This is + needed for LDAP alias file specifications to allow for + comma separated key and value strings. + Keep connections to LDAP server open instead of opening and closing + for each lookup. To reduce overhead, sendmail will cache + connections such that multiple maps which use the same + host, port, bind DN, and authentication will only result in + a single connection to that host. + Put timeout in the proper place for USE_LDAP_INIT. + Be more careful about checking for errors and freeing memory on + LDAP lookups. + Use asynchronous LDAP searches to save memory and network + resources. + Do not copy LDAP query results if the map's match only flag is set. + Increase portability to the Netscape LDAP libraries. + Change the parsing of the LDAP filter specification. '%s' is still + replaced with the literal contents of the map lookup key -- + note that this means a lookup can be done using the LDAP + special characters. The new '%0' token can be used instead + of '%s' to encode the key buffer according to RFC 2254. + For example, if the LDAP map specification contains '-k + "(user=%s)"' and a lookup is done on "*", this would be + equivalent to '-k "(user=*)"' -- matching ANY record with a + user attribute. Instead, if the LDAP map specification + contains '-k "(user=%0)"' and a lookup is done on "*", this + would be equivalent to '-k "(user=\2A)"' -- matching a user + with the name "*". + New LDAP map flags: "-1" requires a single match to be returned, if + more than one is returned, it is equivalent to no records + being found; "-r never|always|search|find" sets the LDAP + alias dereference option; "-Z size" limits the number of + matches to return. + New option LDAPDefaultSpec allows a default map specification for + LDAP maps. The value should only contain LDAP specific + settings such as "-h host -p port -d bindDN", etc. The + settings will be used for all LDAP maps unless they are + specified in the individual map specification ('K' + command). This option should be set before any LDAP maps + are defined. + Prevent an NDBM alias file opening loop when the NDBM open + continually fails. Fix from Roy J. Mongiovi of Georgia + Tech. + Reduce memory utilization for smaller symbol table entries. In + particular, class entries get much smaller, which can be + important if you have large classes. + On network-related temporary failures, record the hostname which + gave error in the queued status message. Requested by + Ulrich Windl of the Universitat Regensburg. + Add new F=% mailer flag to allow for a store and forward + configuration. Mailers which have this flag will not attempt + delivery on initial receipt of a message or on queue runs + unless the queued message is selected using one of the + -qI/-qR/-qS queue run modifiers or an ETRN request. Code + provided by Philip Guenther of Gustavus Adolphus College. + New option ControlSocketName which, when set, creates a daemon + control socket. This socket allows an external program to + control and query status from the running sendmail daemon + via a named socket, similar to the ctlinnd interface to the + INN news server. Access to this interface is controlled by + the UNIX file permissions on the named socket on most UNIX + systems (see sendmail/README for more information). An + example control program is provided as contrib/smcontrol.pl. + Change the default values of QueueLA from 8 to (8 * numproc) and + RefuseLA from 12 to (12 * numproc) where numproc is the + number of processors online on the system (if that can be + determined). For single processor machines, this change + has no effect. + Don't return body of message to postmaster on "Too many hops" bounces. + Based on fix from Motonori Nakamura of Kyoto University. + Give more detailed DSN descriptions for some cases. Patch from + Motonori Nakamura of Kyoto University. + Logging of alias, forward file, and UserDB expansion now happens + at LogLevel 11 or higher instead of 10 or higher. + Logging of an envelope's complete delivery (the "done" message) now + happens at LogLevel 10 or higher instead of 11 or higher. + Logging of TCP/IP or UNIX standard input connections now happens at + LogLevel 10 or higher. Previously, only TCP/IP connections + were logged, and on at LogLevel 12 or higher. Setting + LogLevel to 10 will now assist users in tracking frequent + connection-based denial of service attacks. + Log basic information about authenticated connections at LogLevel + 10 or higher. + Log SMTP Authentication mechanism and author when logging the sender + information (from= syslog line). + Log the DSN code for each recipient if one is available as a new + equate (dsn=). + Macro expand PostmasterCopy and DoubleBounceAddress options. + New "ph" map for performing ph queries in rulesets, see + sendmail/README for details. Contributed by Mark Roth + of the University of Illinois at Urbana-Champaign. + Detect temporary lookup failures in the host map if looking up a + bracketed IP address. Problem noted by Kari Hurtta of the + Finnish Meteorological Institute. + Do not report a Remote-MTA on local deliveries. Problem noted by + Kari Hurtta of the Finnish Meteorological Institute. + When a forward file points to an alias which runs a program, run + the program as the default user and the default group, not + the forward file user. This change also assures the + :include: directives in aliases are also processed using + the default user and group. Problem noted by Sergiu + Popovici of DNT Romania. + Prevent attempts to save a dead.letter file for a user with + no home directory (/no/such/directory). Problem noted by + Michael Brown of Finnigan FT/MS. + Include message delay and number of tries when logging that a + message has been completely delivered (LogLevel of 10 or + above). Suggested by Nick Hilliard of Ireland Online. + Log the sender of a message even if none of the recipients were + accepted. If some of the recipients were rejected, it is + helpful to know the sender of the message. + Check the root directory (/) when checking a path for safety. + Problem noted by John Beck of Sun Microsystems. + Prevent multiple responses to the DATA command if DeliveryMode is + interactive and delivering to an alias which resolves to + multiple files. + Macros in the helpfile are expanded if the helpfile version is 2 or + greater (see below); the help function doesn't print the + version of sendmail any longer, instead it is placed in + the helpfile ($v). Suggested by Chuck Foster of UUNET + PIPEX. Additionally, comment lines (starting with #) are + skipped and a version line (#vers) is introduced. The + helpfile version for 8.10.0 is 2, if no version or an older + version is found, a warning is logged. The '#vers' + directive should be placed at the top of the help file. + Use fsync() when delivering to a file to guarantee the delivery to + disk succeeded. Suggested by Nick Christenson. + If delivery to a file is unsuccessful, truncate the file back to its + length before the attempt. + If a forward points to a filename for delivery, change to the + user's uid before checking permissions on the file. This + allows delivery to files on NFS mounted directories where + root is remapped to nobody. Problem noted by Harald + Daeubler of Universitaet Ulm. + purgestat and sendmail -bH purge only expired (Timeout.hoststatus) + host status files, not all files. + Any macros stored in the class $={persistentMacros} will be saved + in the queue file for the message and set when delivery + is attempted on the queued item. Suggested by Kyle Jones of + Wonderworks Inc. + Add support for storing information between rulesets using the new + macro map class. This can be used to store information + between queue runs as well using $={persistentMacros}. + Based on an idea from Jan Krueger of Unix-AG of University + of Hannover. + New map class arith to allow for computations in rules. The + operation (+, -, *, /, l (for less than), and =) is given + as key. The two operands are specified as arguments; the + lookup returns the result of the computation. For example, + "$(arith l $@ 4 $@ 2 $)" will return "FALSE" and + "$(arith + $@ 4 $@ 2 $)" will return "6". + Add new syntax for header declarations which decide whether to + include the header based on a macro rather than a mailer + flag: + H?${MyMacro}?X-My-Header: ${MyMacro} + This should be used along with $={persistentMacros}. + It can be used for adding headers to a message based on + the results of check_* and header check rulesets. + Allow new named config file rule check_eoh which is called after + all of the headers have been collected. The input to the + ruleset the number of headers and the size of all of the + headers in bytes separated by $|. This ruleset along with + the macro storage map can be used to correlate information + gathered between headers and to check for missing headers. + See cf/README or doc/op/op.ps for an example. + Change the default for the MeToo option to True to correspond + to the clarification in the DRUMS SMTP Update spec. This + option is deprecated and will be removed from a future + version. + Change the sendmail binary default for SendMimeErrors to True. + Change the sendmail binary default for SuperSafe to True. + Display ruleset names in debug and address test mode output + if referencing a named ruleset. + New mailer equate m= which will limit the number of messages + delivered per connection on an SMTP or LMTP mailer. + Improve QueueSortOrder=Host by reversing the hostname before + using it to sort. Now all the same domains are really run + through the queue together. If they have the same MX host, + then they will have a much better opportunity to use the + connection cache if available. This should be a reasonable + performance improvement. Patch from Randall Winchester of + the University of Maryland. + If a message is rejected by a header check ruleset, log who would + have received the message if it had not been rejected. + New "now" value for Timeout.queuereturn to bounce entries from the + queue immediately. No delivery attempt is made. + Increase sleeping time exponentially after too many "bad" commands + up to 4 minutes delay (compare MAX{BAD,NOOP,HELO,VRFY,ETRN}- + COMMANDS). + New option ClientPortOptions similar to DaemonPortOptions + but for outgoing connections. + New suboptions for DaemonPortOptions: Name (a name used for + error messages and logging) and Modifiers, i.e. + a require authentication + b bind to interface through which mail has + been received + c perform hostname canonification + f require fully qualified hostname + h use name of interface for outgoing HELO + command + C don't perform hostname canonification + E disallow ETRN (see RFC 2476) + New suboption for ClientPortOptions: Modifiers, i.e. + h use name of interface for HELO command + The version number for queue files (qf) has been incremented to 4. + Log unacceptable HELO/EHLO domain name attempts if LogLevel is set + to 10 or higher. Suggested by Rick Troxel of the National + Institutes of Health. + If a mailer dies, print the status in decimal instead of octal + format. Suggested by Michael Shapiro of Sun Microsystems. + Limit the length of all MX records considered for delivery to 8k. + Move message priority from sender to recipient logging. Suggested by + Ulrich Windl of the Universitat Regensburg. + Add support for Berkeley DB 3.X. + Add fix for Berkeley DB 2.X fcntl() locking race condition. + Requires a post-2.7.5 version of Berkeley DB. + Support writing traffic log (sendmail -X option) to a FIFO. + Patch submitted by Rick Heaton of Network Associates, Inc. + Do not ignore Timeout settings in the .cf file when a Timeout + sub-options is set on the command line. Problem noted by + Graeme Hewson of Oracle. + Randomize equal preference MX records each time delivery is + attempted via a new connection to a host instead of once per + session. Suggested by Scott Salvidio of Compaq. + Implement enhanced status codes as defined by RFC 2034. + Add [hostname] to class w for the names of all interfaces unless + DontProbeInterfaces is set. This is useful for sending mails + to hosts which have dynamically assigned names. + If a message is bounced due to bad MIME conformance, avoid bouncing + the bounce for the same reason. If the body is not 8-bit + clean, and EightBitMode isn't set to pass8, the body will + not be included in the bounce. Problem noted by Valdis + Kletnieks of Virginia Tech. + The timeout for sending a message via SMTP has been changed from + '${msgsize} / 16 + (${nrcpts} * 300)' to a timeout which + simply checks for progress on sending data every 5 minutes. + This will detect the inability to send information quicker + and reduce the number of processes simply waiting to + timeout. + Prevent a segmentation fault on systems which give a partial filled + interface address structure when loading the system network + interface addresses. Fix from Reinier Bezuidenhout of + Nanoteq. + Add a compile-time configuration macro, MAXINTERFACES, which + indicates the number of interfaces to read when probing + for hostnames and IP addresses for class w ($=w). The + default value is 512. Based on idea from Reinier + Bezuidenhout of Nanoteq. + If the RefuseLA option is set to 0, do not reject connections based + on load average. + Allow ruleset 0 to have a name. Problem noted by Neil Rickert of + Northern Illinois University. + Expand the Return-Path: header at delivery time, after "owner-" + envelope splitting has occurred. + Don't try to sort the queue if there are no entries. Patch from + Luke Mewburn from RMIT University. + Add a "/quit" command to address test mode. + Include the proper sender in the UNIX "From " line and Return-Path: + header when undeliverable mail is saved to ~/dead.letter. + Problem noted by Kari Hurtta of the Finnish Meteorological + Institute. + The contents of a class can now be copied to another class using + the syntax: "C{Dest} $={Source}". This would copy all of + the items in class $={Source} into the class $={Dest}. + Include original envelope's error transcript in bounces created for + split (owner-) envelopes to see the original errors when + the recipients were added. Based on fix from Motonori + Nakamura of Kyoto University. + Show reason for permanent delivery errors directly after the + addresses. From Motonori Nakamura of Kyoto University. + Prevent a segmentation fault when bouncing a split-envelope + message. Patch from Motonori Nakamura of Kyoto University. + If the specification for the queue run interval (-q###) has a + syntax error, consider the error fatal and exit. + Pay attention to CheckpointInterval during LMTP delivery. Problem + noted by Motonori Nakamura of Kyoto University. + On operating systems which have setlogin(2), use it to set the + login name to the RunAsUserName when starting as a daemon. + This is for delivery to programs which use getlogin(). + Based on fix from Motonori Nakamura of Kyoto University. + Differentiate between "command not implemented" and "command + unrecognized" in the SMTP dialogue. + Strip returns from forward and include files. Problem noted by + Allan E Johannesen of Worcester Polytechnic Institute. + Prevent a core dump when using 'sendmail -bv' on an address which + resolves to the $#error mailer with a temporary failure. + Based on fix from Neil Rickert of Northern Illinois + University. + Prevent multiple deliveries of a message with a "non-local alias" + pointing to a local user, if canonicalization fails + the message was requeued *and* delivered to the alias. + If an invalid ruleset is declared, the ruleset name could be + ignored and its rules added to S0. Instead, ignore the + ruleset lines as well. + Avoid incorrect Final-Recipient, Action, and X-Actual-Recipient + success DSN fields as well as duplicate entries for a + single address due to S5 and UserDB processing. Problems + noted by Kari Hurtta of the Finnish Meteorological + Institute. + Turn off timeouts when exiting sendmail due to an interrupt signal + to prevent the timeout from firing during the exit process. + Problem noted by Michael Shapiro of Sun Microsystems. + Do not append @MyHostName to non-RFC822 addresses output by the EXPN + command or on Final-Recipient: and X-Actual-Recipient: DSN + headers. Non-RFC822 addresses include deliveries to + programs, file, DECnet, etc. + Fix logic for determining if a local user is using -f or -bs to + spoof their return address. Based on idea from Neil Rickert + of Northern Illinois University and patch from Per Hedeland + of Ericsson. + Report the proper UID in the bounce message if an :include: file is + owned by a uid that doesn't map to a username and the + :include: file contains delivery to a file or program. + Problem noted by John Beck of Sun Microsystems. + Avoid the attempt of trying to send a second SMTP QUIT command if + the remote server responds to the first QUIT with a 4xx + response code and drops the connection. This behavior was + noted by Ulrich Windl of the Universitat Regensburg when + sendmail was talking to the Mercury 1.43 MTA. + If a hostname lookup times out and ServiceSwitchFile is set but the + file is not present, the lookup failure would be marked as + a permanent failure instead of a temporary failure. Fix + from Russell King of the ARM Linux Project. + Handle aliases or forwards which deliver to programs using tabs + instead of spaces between arguments. Problem noted by Randy + Wormser. Fix from Neil Rickert of Northern Illinois + University. + Allow MaxRecipientsPerMessage option to be set on the command line + by normal users (e.g., sendmail won't drop its root + privileges) to allow overrides for message submission via + 'sendmail -bs'. + Set the names for help file and statistics file to "helpfile" and + "statistics", respectively, if no parameters are given for + them in the .cf file. + Avoid bogus 'errbody: I/O Error -7' log messages when sending + success DSN messages for messages relayed to non-DSN aware + systems. Problem noted by Juergen Georgi of RUS University + of Stuttgart and Kyle Tucker of Parexel International. + Prevent +detail information from interfering with local delivery to + multiple users in the same transaction (F=m). + Add H_FORCE flag for the X-Authentication-Warning: header, so it + will be added even if one already exists. Problem noted + by Michal Zalewski of Marchew Industries. + Stop processing SMTP commands if the SMTP connection is dropped. + This prevents a remote system from flooding the connection + with commands and then disconnecting. Previously, the + server would process all of the buffered commands. Problem + noted by Michal Zalewski of Marchew Industries. + Properly process user-supplied headers beginning with '?'. Problem + noted by Michal Zalewski of Marchew Industries. + If multiple header checks resolve to the $#error mailer, use the + last permanent (5XX) failure if any exist. Otherwise, use + the last temporary (4XX) failure. + RFC 1891 requires "hexchar" in a "xtext" to be upper case. Patch + from Ronald F. Guilmette of Infinite Monkeys & Co. + Timeout.ident now defaults to 5 seconds instead of 30 seconds to + prevent the now common delays associated with mailing to a + site which drops IDENT packets. Suggested by many. + Persistent host status data is not reloaded disk when current data + is available in the in-memory cache. Problem noted by Per + Hedeland of Ericsson. + mailq displays unprintable characters in addresses as their octal + representation and a leading backslash. This avoids problems + with "unprintable" characters. Problem noted by Michal + Zalewski of the "Internet for Schools" project (IdS). + The mail line length limit (L= equate) was adding the '!' indicator + one character past the limit. This would cause subsequent + hops to break the line again. The '!' is now placed in + the last column of the limit if the line needs to be broken. + Problem noted by Joe Pruett of Q7 Enterprises. Based on fix + from Per Hedeland of Ericsson. + If a resolver ANY query is larger than the UDP packet size, the + resolver will fall back to TCP. However, some + misconfigured firewalls black 53/TCP so the ANY lookup + fails whereas an MX or A record might succeed. Therefore, + don't fail on ANY queries. + If an SMTP recipient is rejected due to syntax errors in the + address, do not send an empty postmaster notification DSN + to the postmaster. Problem noted by Neil Rickert of + Northern Illinois University. + Allow '_' and '.' in map names when parsing a sequence map + specification. Patch from William Setzer of North Carolina + State University. + Fix hostname in logging of read timeouts for the QUIT command on + cached connections. Problem noted by Neil Rickert of + Northern Illinois University. + Use a more descriptive entry to log "null" connections, i.e., + "host did not issue MAIL/EXPN/VRFY/ETRN during connection". + Fix a file descriptor leak in ONEX mode. + Portability: + Reverse signal handling logic such that sigaction(2) with + the SA_RESTART flag is the preferred method and the + other signal methods are only tried if SA_RESTART + is not available. Problem noted by Allan E + Johannesen of Worcester Polytechnic Institute. + AIX 4.x supports the sa_len member of struct sockaddr. + This allows network interface probing to work + properly. Fix from David Bronder of the + University of Iowa. + AIX 4.3 has snprintf() support. + Use "PPC" as the architecture name when building under + AIX. This will be reflected in the obj.* directory + name. + Apple Darwin support based on Apple Rhapsody port. + Fixed AIX 'make depend' method from Valdis Kletnieks of + Virginia Tech. + Digital UNIX has uname(2). + GNU Hurd updates from Mark Kettenis of the University of + Amsterdam. + Improved HPUX 11.0 portability. + Properly determine the number of CPUs on FreeBSD 2.X, + FreeBSD 3.X, HP/UX 10.X and HP/UX 11.X. + Remove special IRIX ABI cases from Build script and the OS + files. Use the standard 'cc' options used by SGI + in building the operating system. Users can + override the defaults by setting confCC and + confLIBSEARCHPATH appropriately. + IRIX nsd map support from Bob Mende of SGI. + Minor devtools fixes for IRIX from Bob Mende of SGI. + Linux patch for IP_SRCROUTE support from Joerg Dorchain + of MW EDV & ELECTRONIC. + Linux now uses /usr/sbin for confEBINDIR in the build + system. From MATSUURA Takanori of Osaka University. + Remove special treatment for Linux PPC in the build + system. From MATSUURA Takanori of Osaka University. + Motorolla UNIX SYSTEM V/88 Release 4.0 support from + Sergey Rusanov of the Republic of Udmurtia. + NCR MP-RAS 3.x includes regular expression support. From + Tom J. Moore of NCR. + NEC EWS-UX/V series settings for _PATH_VENDOR_CF and + _PATH_SENDMAILPID from Oota Toshiya of + NEC Computers Group Planning Division. + Minor NetBSD owner/group tweaks from Ayamura Kikuchi, M.D. + NEWS-OS 6.X listed SYSLOG_BUFSIZE as 256 in confENVDEF and + 1024 in conf.h. Since confENVDEF would be used, + use that value in conf.h. + Use NeXT's NETINFO to get domain name. From Gerd Knops of + BITart Consulting. + Use NeXT's NETINFO for alias and hostname resolution if + AUTO_NETINFO_ALIASES and AUTO_NETINFO_HOSTS are + defined. Patch from Wilfredo Sanchez of Apple + Computer, Inc. + NeXT portability tweaks. Problems reported by Dragan + Milicic of the University of Utah and J. P. McCann + of E I A. + New compile flag FAST_PID_RECYCLE: set this if your system + can reuse the same PID in the same second. + New compile flag HASFCHOWN: set this if your OS has + fchown(2). + New compile flag HASRANDOM: set this to 0 if your OS does + not have random(3). rand() will be used instead. + New compile flag HASSRANDOMDEV: set this if your OS has + srandomdev(3). + New compile flag HASSETLOGIN: set this if your OS has + setlogin(2). + Replace SINIX and ReliantUNIX support with version + specific SINIX files. From Gerald Rinske of + Siemens Business Services. + Use the 60-second load average instead of the 5 second load + average on Compaq Tru64 UNIX (formerly Digital + UNIX). From Chris Teakle of the University of Qld. + Use ANSI C by default for Compaq Tru64 UNIX. Suggested by + Randall Winchester of Swales Aerospace. + Correct setgroups() prototype for Compaq Tru64 UNIX. + Problem noted by Randall Winchester of Swales + Aerospace. + Hitachi 3050R/3050RX and 3500 Workstations running + HI-UX/WE2 4.02, 6.10 and 7.10 from Motonori + NAKAMURA of Kyoto University. + New compile flag NO_GETSERVBYNAME: set this to disable + use of getservbyname() on systems which can + not lookup a service by name over NIS, such as + HI-UX. Patch from Motonori NAKAMURA of Kyoto + University. + Use devtools/bin/install.sh on SCO 5.x. Problem noted + by Sun Wenbing of the China Engineering and + Technology Information Network. + make depend didn't work properly on UNIXWARE 4.2. Problem + noted by Ariel Malik of Netology, Ltd. + Use /usr/lbin as confEBINDIR for Compaq Tru64 (Digital UNIX). + Set confSTDIO_TYPE to torek for BSD-OS, FreeBSD, NetBSD, + and OpenBSD. + A recent Compaq Ultrix 4.5 Y2K patch has broken detection + of local_hostname_length(). See sendmail/README + for more details. Problem noted by Allan E + Johannesen of Worcester Polytechnic Institute. + CONFIG: Begin using /etc/mail/ for sendmail related files. This + affects a large number of files. See cf/README for more + details. + CONFIG: New macro MAIL_SETTINGS_DIR contains the path (including + trailing slash) for the mail settings directory. + CONFIG: Increment version number of config file to 9. + CONFIG: OSTYPE(`bsdi1.0') and OSTYPE(`bsdi2.0') have been + deprecated and may be removed from a future release. + BSD/OS users should begin using OSTYPE(`bsdi'). + CONFIG: OpenBSD 2.4 installs mail.local non-set-user-ID root. This + requires a new OSTYPE(`openbsd'). From Todd C. Miller of + Courtesan Consulting. + CONFIG: New OSTYPE(`hpux11') for HP/UX 11.X. + CONFIG: A syntax error in check_mail would cause fake top-level + domains (.BITNET, .DECNET, .FAX, .USENET, and .UUCP) to + be improperly rejected as unresolvable. + CONFIG: New FEATURE(`dnsbl') takes up to two arguments (name of + DNS server, rejection message) and can be included + multiple times. + CONFIG: New FEATURE(`relay_mail_from') allows relaying if the + mail sender is listed as RELAY in the access map (and tagged + with From:). + CONFIG: Optional tagging of LHS in the access map (Connect:, + From:, To:) to enable finer control. + CONFIG: New FEATURE(`ldap_routing') implements LDAP address + routing. See cf/README for a complete description of the + new functionality. + CONFIG: New variables for the new sendmail options: + confAUTH_MECHANISMS AuthMechanisms + confAUTH_OPTIONS AuthOptions + confCLIENT_OPTIONS ClientPortOptions + confCONTROL_SOCKET_NAME ControlSocketName + confDEAD_LETTER_DROP DeadLetterDrop + confDEF_AUTH_INFO DefaultAuthInfo + confDF_BUFFER_SIZE DataFileBufferSize + confLDAP_DEFAULT_SPEC LDAPDefaultSpec + confMAX_ALIAS_RECURSION MaxAliasRecursion + confMAX_HEADERS_LENGTH MaxHeadersLength + confMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength + confPID_FILE PidFile + confPROCESS_TITLE_PREFIX ProcessTitlePrefix + confRRT_IMPLIES_DSN RrtImpliesDsn + confTO_CONTROL Timeout.control + confTO_RESOLVER_RETRANS Timeout.resolver.retrans + confTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first + confTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal + confTO_RESOLVER_RETRY Timeout.resolver.retry + confTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first + confTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal + confTRUSTED_USER TrustedUser + confXF_BUFFER_SIZE XscriptFileBufferSize + CONFIG: confDAEMON_OPTIONS has been replaced by DAEMON_OPTIONS(), + which takes the options as argument and can be used + multiple times; see cf/README for details. + CONFIG: Add a fifth mailer definition to MAILER(`smtp') called + "dsmtp". This mail provides on-demand delivery using the + F=% mailer flag described above. The "dsmtp" mailer + definition uses the new DSMTP_MAILER_ARGS which defaults + to "IPC $h". + CONFIG: New variables LOCAL_MAILER_MAXMSGS, SMTP_MAILER_MAXMSGS, + and RELAY_MAILER_MAXMSGS for setting the m= equate for the + local, smtp, and relay mailers respectively. + CONFIG: New variable LOCAL_MAILER_DSN_DIAGNOSTIC_CODE for setting + the DSN Diagnostic-Code type for the local mailer. The + value should be changed with care. + CONFIG: FEATURE(`local_lmtp') now sets the DSN Diagnostic-Code type + for the local mailer to the proper value of "SMTP". + CONFIG: All included maps are no longer optional by default; if + there there is a problem with a map, sendmail will + complain. + CONFIG: Removed root from class E; use EXPOSED_USER(`root') + to get the old behavior. Suggested by Joe Pruett + of Q7 Enterprises. + CONFIG: MASQUERADE_EXCEPTION() defines hosts/subdomains which + will not be masqueraded. Proposed by Arne Wichmann + of MPI Saarbruecken, Griff Miller of PGS Tensor, + Jayme Cox of Broderbund Software Inc. + CONFIG: A list of exceptions for FEATURE(`nocanonify') can be + specified by CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, + i.e., a list of domains which are passed to $[ ... $] + for canonification. Based on an idea from Neil Rickert + of Northern Illinois University. + CONFIG: If `canonify_hosts' is specified as parameter for + FEATURE(`nocanonify') then addresses which have only + a hostname, e.g., <user@host>, will be canonified. + CONFIG: If FEATURE(`nocanonify') is turned on, a trailing dot is + nevertheless added to addresses with more than one component + in it. + CONFIG: Canonification is no longer attempted for any host or domain + in class 'P' ($=P). + CONFIG: New class for matching virtusertable entries $={VirtHost} that + can be populated by VIRTUSER_DOMAIN or VIRTUSER_DOMAIN_FILE. + FEATURE(`virtuser_entire_domain') can be used to apply this + class also to entire subdomains. Hosts in this class are + treated as canonical in SCanonify2, i.e., a trailing dot + is added. + CONFIG: If VIRTUSER_DOMAIN() or VIRTUSER_DOMAIN_FILE() are used, + include $={VirtHost} in $=R (hosts allowed to relay). + CONFIG: FEATURE(`generics_entire_domain') can be used to apply the + genericstable also to subdomains of $=G. + CONFIG: Pass "+detail" as %2 for virtusertable lookups. + Patch from Noam Freedman from University of Chicago. + CONFIG: Pass "+detail" as %1 for genericstable lookups. Suggested + by Raymond S Brand of rsbx.net. + CONFIG: Allow @domain in genericstable to override masquerading. + Suggested by Owen Duffy from Owen Duffy & Associates. + CONFIG: LOCAL_DOMAIN() adds entries to class w. Suggested by Steve + Hubert of University of Washington. + CONFIG: OSTYPE(`gnuhurd') has been replaced by OSTYPE(`gnu') as + GNU is now the canonical system name. From Mark + Kettenis of the University of Amsterdam. + CONFIG: OSTYPE(`unixware7') updates from Larry Rosenman. + CONFIG: Do not include '=' in option expansion if there is no value + associated with the option. From Andrew Brown of + Graffiti World Wide, Inc. + CONFIG: Add MAILER(`qpage') to define a new pager mailer. Contributed + by Philip A. Prindeville of Enteka Enterprise Technology + Services. + CONFIG: MAILER(`cyrus') was not preserving case for mail folder + names. Problem noted by Randall Winchester of Swales + Aerospace. + CONFIG: RELAY_MAILER_FLAGS can be used to define additional flags + for the relay mailer. Suggested by Doug Hughes of Auburn + University and Brian Candler. + CONFIG: LOCAL_MAILER_FLAGS now includes 'P' (Add Return-Path: + header) by default. Suggested by Per Hedeland of Ericsson. + CONFIG: Use SMART_HOST for bracketed addresses, e.g., user@[host]. + Suggested by Kari Hurtta of the Finnish Meteorological + Institute. + CONFIG: New macro MODIFY_MAILER_FLAGS to tweak *_MAILER_FLAGS; + i.e., to set, add, or delete flags. + CONFIG: If SMTP AUTH is used then relaying is allowed for any user + who authenticated via a "trusted" mechanism, i.e., one that + is defined via TRUST_AUTH_MECH(`list of mechanisms'). + CONFIG: FEATURE(`delay_checks') delays check_mail and check_relay + after check_rcpt and allows for exceptions from the checks. + CONFIG: Map declarations have been moved into their associated + feature files to allow greater flexibility in use of + sequence maps. Suggested by Per Hedeland of Ericsson. + CONFIG: New macro LOCAL_MAILER_EOL to override the default end of + line string for the local mailer. Requested by Il Oh of + Willamette Industries, Inc. + CONFIG: Route addresses are stripped, i.e., <@a,@b,@c:user@d> is + converted to <user@d> + CONFIG: Reject bogus return address of <@@hostname>, generated by + Sun's older, broken configuration files. + CONFIG: FEATURE(`nullclient') now provides the full rulesets of a + normal configuration, allowing anti-spam checks to be + performed. + CONFIG: Don't return a permanent error (Relaying denied) if + ${client_name} can't be resolved just temporarily. + Suggested by Kari Hurtta of the Finnish Meteorological + Institute. + CONFIG: Change numbered rulesets into named (which still can + be accessed by their numbers). + CONFIG: FEATURE(`nouucp') takes one parameter: reject or nospecial + which describes whether to disallow "!" in the local part + of an address. + CONFIG: Call Local_localaddr from localaddr (S5) which can be used + to rewrite an address from a mailer which has the F=5 flag + set. If the ruleset returns a mailer, the appropriate + action is taken, otherwise the returned tokens are ignored. + CONFIG: cf/ostype/solaris.m4 has been renamed to solaris2.pre5.m4 + and cf/ostype/solaris2.m4 is now a copy of solaris2.ml.m4. + The latter is kept around for backward compatibility. + CONFIG: Allow ":D.S.N:" for mailer/virtusertable "error:" entries, + where "D.S.N" is an RFC 1893 compliant error code. + CONFIG: Use /usr/lbin as confEBINDIR for Compaq Tru64 (Digital UNIX). + CONFIG: Remove second space between username and date in UNIX From_ + line. Noted by Allan E Johannesen of Worcester Polytechnic + Institute. + CONFIG: Make sure all of the mailers have complete T= equates. + CONFIG: Extend FEATURE(`local_procmail') so it can now take + arguments overriding the mailer program, arguments, and + mailer definition flags. This makes it possible to use + other programs such as maildrop for local delivery. + CONFIG: Emit warning if FEATURE(`local_lmtp') or + FEATURE(`local_procmail') is given after MAILER(`local'). + Patch from Richard A. Nelson of IBM. + CONFIG: Add SMTP Authentication information to Received: header + default value (confRECEIVED_HEADER). + CONFIG: Remove `l' flag from USENET_MAILER_FLAGS as it is not a + local mailer. Problem noted by Per Hedeland of Ericsson. + CONTRIB: Added bounce-resender.pl from Brian R. Gaeke of the + University of California at Berkeley. + CONTRIB: Added domainmap.m4 from Mark D. Roth of the University of + Illinois at Urbana-Champaign. + CONTRIB: etrn.pl now recognizes bogus host names. Patch from + Bruce Barnett of GE's R&D Lab. + CONTRIB: Patches for re-mqueue.pl by Graeme Hewson of Oracle + Corporation UK. + CONTRIB: Added qtool.pl to assist in managing the queues. + DEVTOOLS: Prevent user environment variables from interfering with + the Build scripts. Problem noted by Ezequiel H. Panepucci of + Yale University. + DEVTOOLS: 'Build -M' will display the obj.* directory which will + be used for building. + DEVTOOLS: 'Build -A' will display the architecture that would be + used for a fresh build. + DEVTOOLS: New variable confRANLIB, set automatically by configure.sh. + DEVTOOLS: New variable confRANLIBOPTS for the options to send to + ranlib. + DEVTOOLS: 'Build -O <path>' will have the object files build in + <path>/obj.*. Suggested by Bryan Costales of Exactis. + DEVTOOLS: New variable confNO_MAN_BUILD which will prevent the + building of the man pages when defined. Suggested by Bryan + Costales. + DEVTOOLS: New variables confNO_HELPFILE_INSTALL and + confNO_STATISTICS_INSTALL which will prevent the + installation of the sendmail helpfile and statistics file + respectively. Suggested by Bryan Costales. + DEVTOOLS: Recognize ReliantUNIX as SINIX. Patch from Gerald Rinske + of Siemens Business Services. + DEVTOOLS: New variable confSTDIO_TYPE which defines the type of + stdio library. The new buffered file I/O depends on the + Torek stdio library. This option can be either portable or + torek. + DEVTOOLS: New variables confSRCADD and confSMSRCADD which + correspond to confOBJADD and confSMOBJADD respectively. + They should contain the C source files for the object files + listed in confOBJADD and confSMOBJADD. These file names + will be passed to the 'make depend' stage of compilation. + DEVTOOLS: New program specific variables for each of the programs + in the sendmail distribution. Each has the form + `conf_prog_ENVDEF', for example, `conf_sendmail_ENVDEF'. + The new variables are conf_prog_ENVDEF, conf_prog_LIBS, + conf_prog_SRCADD, and conf_prog_OBJADD. + DEVTOOLS: Build system redesign. This should have little affect on + building the distribution, but documentation on the changes + are in devtools/README. + DEVTOOLS: Don't allow 'Build -f file' if an object directory already + exists. Suggested by Valdis Kletnieks of Virginia Tech. + DEVTOOLS: Rename confSRCDIR to confSMSRCDIR since it only identifies + the path to the sendmail source directory. confSRCDIR is a + new variable which identifies the root of the source + directories for all of the programs in the distribution. + DEVTOOLS: confSRCDIR and confSMSRCDIR are now determined at Build + time. They can both still be overridden by setting the m4 + macro. + DEVTOOLS: confSBINGRP now defaults to bin instead of kmem. + DEVTOOLS: 'Build -Q prefix' uses devtools/Site/prefix.*.m4 for + build configurations, and places objects in obj.prefix.*/. + Complains as 'Build -f file' does for existing object + directories. Suggested by Tom Smith of Digital Equipment + Corporation. + DEVTOOLS: Setting confINSTALL_RAWMAN will install unformatted + manual pages in the directory tree specified by + confMANROOTMAN. + DEVTOOLS: If formatting the manual pages fails, copy in the + preformatted pages from the distribution. The new variable + confCOPY specifies the copying program. + DEVTOOLS: Defining confFORCE_RMAIL will install rmail without + question. Suggested by Terry Lambert of Whistle + Communications. + DEVTOOLS: confSTFILE and confHFFILE can be used to change the names + of the installed statistics and help files, respectively. + DEVTOOLS: Remove spaces in `uname -r` output when determining + operating system identity. Problem noted by Erik + Wachtenheim of Dartmouth College. + DEVTOOLS: New variable confLIBSEARCHPATH to specify the paths that + will be search for the libraries specified in confLIBSEARCH. + Defaults to "/lib /usr/lib /usr/shlib". + DEVTOOLS: New variables confSTRIP and confSTRIPOPTS for specifying + how to strip binaries. These are used by the new + install-strip target. + DEVTOOLS: New config file site.post.m4 which is included after + the others (if it exists). + DEVTOOLS: Change order of LIBS: first product specific libraries + then the default ones. + MAIL.LOCAL: Will not be installed set-user-ID root. To use mail.local + as local delivery agent without LMTP mode, use + MODIFY_MAILER_FLAGS(`LOCAL', `+S') + to set the S flag. + MAIL.LOCAL: Do not reject addresses which would otherwise be + accepted by sendmail. Suggested by Neil Rickert of + Northern Illinois University. + MAIL.LOCAL: New -7 option which causes LMTP mode not to advertise + 8BITMIME in the LHLO response. Suggested by Kari Hurtta of + the Finnish Meteorological Institute. + MAIL.LOCAL: Add support for the maillock() routines by defining + MAILLOCK when compiling. Also requires linking with + -lmail. Patch from Neil Rickert of Northern Illinois + University. + MAIL.LOCAL: Create a Content-Length: header if CONTENTLENGTH is + defined when compiling. Automatically set for Solaris 2.3 + and later. Patch from Neil Rickert of Northern Illinois + University. + MAIL.LOCAL: Move the initialization of the 'notifybiff' address + structure to the beginning of the program. This ensures that + the getservbyname() is done before any seteuid to a possibly + unauthenticated user. If you are using NIS+ and secure RPC + on a Solaris system, this avoids syslog messages such as, + "authdes_refresh: keyserv(1m) is unable to encrypt session + key." Patch from Neil Rickert of Northern Illinois + University. + MAIL.LOCAL: Support group writable mail spool files when MAILGID is + set to the gid to use (-DMAILGID=6) when compiling. + Patch from Neil Rickert of Northern Illinois University. + MAIL.LOCAL: When a mail message included lines longer than 2046 + characters (in LMTP mode), mail.local split the incoming + line up into 2046-character output lines (excluding the + newline). If an input line was 2047 characters long + (excluding CR-LF) and the last character was a '.', + mail.local saw it as the end of input, transfered it to the + user mailbox and tried to write an `ok' back to sendmail. + If the message was much longer, both sendmail and + mail.local would deadlock waiting for each other to read + what they have written. Problem noted by Peter Jeremy of + Alcatel Australia Limited. + MAIL.LOCAL: New option -b to return a permanent error instead of a + temporary error if a mailbox exceeds quota. Suggested by + Neil Rickert of Northern Illinois University. + MAIL.LOCAL: The creation of a lockfile is subject to a global + timeout to avoid starvation. + MAIL.LOCAL: Properly parse addresses with multiple quoted + local-parts. Problem noted by Ronald F. Guilmette of + Infinite Monkeys & Co. + MAIL.LOCAL: NCR MP/RAS 3.X portability from Tom J. Moore of NCR. + MAILSTATS: New -p option to invoke program mode in which stats are + printed in a machine readable fashion and the stats file + is reset. Patch from Kevin Hildebrand of the University + of Maryland. + MAKEMAP: If running as root, automatically change the ownership of + generated maps to the TrustedUser as specified in the + sendmail configuration file. + MAKEMAP: New -C option to accept an alternate sendmail + configuration file to use for finding the TrustedUser + option. + MAKEMAP: New -u option to dump (unmap) a database. Based on + code contributed by Roy Mongiovi of Georgia Tech. + MAKEMAP: New -e option to allow empty values. Suggested by Philip + A. Prindeville of Enteka Enterprise Technology Services. + MAKEMAP: Compile cleanly on 64-bit operating systems. Problem + noted by Gerald Rinske of Siemens Business Services. + OP.ME: Correctly document interaction between F=S and U= mailer + equates. Problem noted by Bob Halley of Internet Engines. + OP.ME: Fixup Timeout documentation. From Graeme Hewson of Oracle + Corporation UK. + OP.ME: The Timeout [r] option was incorrectly listed as "safe" + (e.g., sendmail would not drop root privileges if the + option was specified on the command line). Problem noted + by Todd C. Miller of Courtesan Consulting. + PRALIASES: Handle the hash and btree map specifications for + Berkeley DB. Patch from Brian J. Coan of the + Institute for Global Communications. + PRALIASES: Read the sendmail.cf file for the location(s) of the + alias file(s) if the -f option is not used. Patch from + John Beck of Sun Microsystems. + PRALIASES: New -C option to specify an alternate sendmail + configuration file to use for finding alias file(s). Patch + from John Beck of Sun Microsystems. + SMRSH: allow shell commands echo, exec, and exit. Allow command + lists using || and &&. Based on patch from Brian J. Coan + of the Institute for Global Communications. + SMRSH: Update README for the new Build system. From Tim Pierce + of RootsWeb Genealogical Data Cooperative. + VACATION: Added vacation auto-responder to sendmail distribution. + LIBSMDB: Added abstracted database library. Works with Berkeley + DB 1.85, Berkeley DB 2.X, Berkeley DB 3.X, and NDBM. + Changed Files: + The Build script in the various program subdirectories are + no longer symbolic links. They are now scripts + which execute the actual Build script in + devtools/bin. + All the manual pages are now written against -man and not + -mandoc as they were previously. + Add a simple Makefile to every directory so make instead + of Build will work (unless parameters are + required for Build). + New Directories: + devtools/M4/UNIX + include + libmilter + libsmdb + libsmutil + vacation + Renamed Directories: + BuildTools => devtools + src => sendmail + Deleted Files: + cf/m4/nullrelay.m4 + devtools/OS/Linux.ppc + devtools/OS/ReliantUNIX + devtools/OS/SINIX + sendmail/ldap_map.h + New Files: + INSTALL + PGPKEYS + cf/cf/generic-linux.cf + cf/cf/generic-linux.mc + cf/feature/delay_checks.m4 + cf/feature/dnsbl.m4 + cf/feature/generics_entire_domain.m4 + cf/feature/no_default_msa.m4 + cf/feature/relay_mail_from.m4 + cf/feature/virtuser_entire_domain.m4 + cf/mailer/qpage.m4 + cf/ostype/bsdi.m4 + cf/ostype/hpux11.m4 + cf/ostype/openbsd.m4 + contrib/bounce-resender.pl + contrib/domainmap.m4 + contrib/qtool.8 + contrib/qtool.pl + devtools/M4/depend/AIX.m4 + devtools/M4/list.m4 + devtools/M4/string.m4 + devtools/M4/subst_ext.m4 + devtools/M4/switch.m4 + devtools/OS/Darwin + devtools/OS/GNU + devtools/OS/SINIX.5.43 + devtools/OS/SINIX.5.44 + devtools/OS/m88k + devtools/bin/find_in_path.sh + mail.local/Makefile + mailstats/Makefile + makemap/Makefile + praliases/Makefile + rmail/Makefile + sendmail/Makefile + sendmail/bf.h + sendmail/bf_portable.c + sendmail/bf_portable.h + sendmail/bf_torek.c + sendmail/bf_torek.h + sendmail/shmticklib.c + sendmail/statusd_shm.h + sendmail/timers.c + sendmail/timers.h + smrsh/Makefile + vacation/Makefile + Renamed Files: + cf/ostype/gnuhurd.m4 => cf/ostype/gnu.m4 + sendmail/cdefs.h => include/sendmail/cdefs.h + sendmail/sendmail.hf => sendmail/helpfile + sendmail/mailstats.h => include/sendmail/mailstats.h + sendmail/pathnames.h => include/sendmail/pathnames.h + sendmail/safefile.c => libsmutil/safefile.c + sendmail/snprintf.c => libsmutil/snprintf.c + sendmail/useful.h => include/sendmail/useful.h + cf/ostype/solaris2.m4 => cf/ostype/solaris2.pre5.m4 + Copied Files: + cf/ostype/solaris2.ml.m4 => cf/ostype/solaris2.m4 + +8.9.3/8.9.3 1999/02/04 + SECURITY: Limit message headers to a maximum of 32K bytes (total + of all headers in a single message) to prevent a denial of + service attack. This limit will be configurable in 8.10. + Problem noted by Michal Zalewski of the "Internet for + Schools" project (IdS). + Prevent segmentation fault on an LDAP lookup if the LDAP map + was closed due to an earlier failure. Problem noted by + Jeff Wasilko of smoe.org. Fix from Booker Bense of + Stanford University and Per Hedeland of Ericsson. + Preserve the order of the MIME headers in multipart messages + when performing the MIME header length check. This + will allow PGP signatures to function properly. Problem + noted by Lars Hecking of University College, Cork, Ireland. + If ruleset 5 rewrote the local address to an :include: directive, + the delivery would fail with an "aliasing/forwarding loop + broken" error. Problem noted by Eric C Hagberg of Morgan + Stanley. Fix from Per Hedeland of Ericsson. + Allow -T to work for bestmx maps. Fix from Aaron Schrab of + ExecPC Internet Systems. + During the transfer of a message in an SMTP transaction, if a + TCP timeout occurs, the message would be properly queued + for later retry but the failure would be logged as + "Illegal Seek" instead of a timeout. Problem noted by + Piotr Kucharski of the Warsaw School of Economics (SGH) + and Carles Xavier Munyoz Baldo of CTV Internet. + Prevent multiple deliveries on a self-referencing alias if the + F=w mailer flag is not set. Problem noted by Murray S. + Kucherawy of Concentric Network Corporation and Per + Hedeland of Ericsson. + Do not strip empty headers but if there is no value and a + default is defined in sendmail.cf, use the default. + Problem noted by Philip Guenther of Gustavus Adolphus + College and Christopher McCrory of Netus, Inc. + Don't inherit information about the sender (notably the full name) + in SMTP (-bs) mode, since this might be called from inetd. + Accept any 3xx reply code in response to DATA command instead of + requiring 354. This change will match the wording to be + published in the updated SMTP specification from the DRUMS + group of the IETF. + Portability: + AIX 4.2.0 or 4.2.1 may become updated by the fileset + bos.rte.net level 4.2.0.2. This introduces the + softlink /usr/lib/libbind.a which should + not be used. It conflicts with the resolver + built into libc.a. "bind" has been removed + from the confLIBSEARCH BuildTools variable. + Users who have installed BIND 8.X will have + to add it back in their site.config.m4 file. + Problem noted by Ole Holm Nielsen of the + Technical University of Denmark. + CRAY TS 10.0.x from Sven Nielsen of San Diego + Supercomputer Center. + Improved LDAP version 3 integration based on input + from Kurt D. Zeilenga of the OpenLDAP Foundation, + John Beck of Sun Microsystems, and Booker Bense + of Stanford University. + Linux doesn't have a standard way to get the timezone + between different releases. Back out the + change in 8.9.2 and don't attempt to derive + a timezone. Problem reported by Igor S. Livshits + of the University of Illinois at Urbana-Champaign + and Michael Dickens of Tetranet Communications. + Reliant UNIX, the new name for SINIX, from Gert-Jan Looy + of Siemens/SNI. + SunOS 5.8 from John Beck of Sun Microsystems. + CONFIG: SCO UnixWare 2.1 and 7.0 need TZ to get the proper + timezone. Problem noted by Petr Lampa of Technical + University of Brno. + CONFIG: Handle <@bestmx-host:user@otherhost> addressing properly + when using FEATURE(bestmx_is_local). Patch from Neil W. + Rickert of Northern Illinois University. + CONFIG: Properly handle source routed and %-hack addresses on + hosts which the mailertable remaps to local:. Patch from + Neil W. Rickert of Northern Illinois University. + CONFIG: Internal fixup of mailertable local: map value. Patch from + Larry Parmelee of Cornell University. + CONFIG: Only add back +detail from host portion of mailer triplet + on local mailer triplets if it was originally +detail. + Patch from Neil W. Rickert of Northern Illinois University. + CONFIG: The bestmx_is_local checking done in check_rcpt would + cause later checks to fail. Patch from Paul J Murphy of + MIDS Europe. + New Files: + BuildTools/OS/CRAYTS.10.0.x + BuildTools/OS/ReliantUNIX + BuildTools/OS/SunOS.5.8 + +8.9.2/8.9.2 1998/12/30 + SECURITY: Remove five second sleep on accepting daemon connections + due to an accept() failure. This sleep could be used + for a denial of service attack. + Do not silently ignore queue files with names which are too long. + Patch from Bryan Costales of InfoBeat, Inc. + Do not store failures closing an SMTP session in persistent + host status. Reported by Graeme Hewson of Oracle + Corporation UK. + Allow symbolic link forward files if they are in safe directories. + Problem noted by Andreas Schott of the Max Planck Society. + Missing columns in a text map could cause a segmentation fault. + Fix from David Lee of the University of Durham. + Note that for 8.9.X, PrivacyOptions=goaway also includes the + noetrn flag. This is scheduled to change in a future + version of sendmail. Problem noted by Theo Van Dinter of + Chrysalis Symbolic Designa and Alan Brown of Manawatu + Internet Services. + When trying to do host canonification in a Wildcard MX + environment, try an MX lookup of the hostname without the + default domain appended. Problem noted by Olaf Seibert of + Polderland Language & Speech Technology. + Reject SMTP RCPT To: commands with only comments (i.e. + 'RCPT TO: (comment)'. Problem noted by Earle Ake of + Hassler Communication Systems Technology, Inc. + Handle any number of %s in the LDAP filter spec. Patch from + Per Hedeland of Ericsson. + Clear ldapx open timeouts even if the map open failed to prevent + a segmentation fault. Patch from Wayne Knowles of the + National Institute of Water & Atmospheric Research Ltd. + Do not syslog envelope clone messages when using address + verification (-bv). Problem noted by Kari Hurtta of the + Finnish Meteorological Institute. + Continue to perform queue runs while in daemon mode even if the + daemon is rejecting connections due to a disk full + condition. Problem noted by JR Oldroyd of TerraNet + Internet Services. + Include full filename on installation of the sendmail.hf file + in case the $HFDIR directory does not exist. Problem + noted by Josef Svitak of Montana State University. + Close all maps when exiting the process with one exception. + Berkeley DB can use internal shared memory locking for + its memory pool. Closing a map opened by another process + will interfere with the shared memory and locks of the + parent process leaving things in a bad state. For + Berkeley DB, only close the map if the current process + is also the one that opened the map, otherwise only close + the map file descriptor. Thanks to Yoseff Francus of + Collective Technologies for volunteering his system for + extended testing. + Avoid null pointer dereference on XDEBUG output for SMTP reply + failures. Problem noted by Carlos Canau of EUnet Portugal. + On mailq and hoststat listings being piped to another program, such + as more, if the pipe closes (i.e., the user quits more), + stop sending output and exit. Patch from Allan E Johannesen + of Worcester Polytechnic Institute. + In accordance with the documentation, LDAP map lookup failures + are now considered temporary failures instead of permanent + failures unless the -t flag is used in the map definition. + Problem noted by Booker Bense of Stanford University and + Eric C. Hagberg of Morgan Stanley. + Fix by one error reporting on long alias names. Problem noted by + H. Paul Hammann of the Missouri Research and Education + Network. + Fix DontBlameSendmail=IncludeFileInUnsafeDirPath behavior. Problem + noted by Barry S. Finkel of Argonne National Laboratory. + When automatically converting from 8 bit to quoted printable MIME, + be careful not to miss a multi-part boundary if that + boundary is preceded by a boundary-like line. Problem + noted by Andreas Raschle of Ansid Inc. Fix from + Kari Hurtta of the Finnish Meteorological Institute. + Avoid bogus reporting of "LMTP tobuf overflow" when the buffer + has enough space for the additional address. Problem + noted by Steve Cliffe of the University of Wollongong. + Fix DontBlameSendmail=FileDeliveryToSymlink behavior. Problem + noted by Alex Vorobiev of Swarthmore College. + If the check_compat ruleset resolves to the $#discard mailer, + discard the current recipient. Unlike check_relay, + check_mail, and check_rcpt, the entire envelope is not + discarded. Problem noted by RZ D. Rahlfs. Fix from + Claus Assmann of Christian-Albrechts-University of Kiel. + Avoid segmentation fault when reading ServiceSwitchFile files with + bogus formatting. Patch from Kari Hurtta of the Finnish + Meteorological Institute. + Support Berkeley DB 2.6.4 API change. + OP.ME: Pages weren't properly output on duplexed printers. Fix + from Matthew Black of CSU Long Beach. + Portability: + Apple Rhapsody from Wilfredo Sanchez of Apple Computer, Inc. + Avoid a clash with IRIX 6.2 getopt.h and the UserDatabase + option structure. Problem noted by Ashley M. + Kirchner of Photo Craft Laboratories, Inc. + Break out IP address to hostname translation for + reading network interface addresses into + class 'w'. Patch from John Kennedy of + Cal State University, Chico. + AIX 4.x use -qstrict with -O3 to prevent the optimized + from changing the semantics of the compiled + program. From Simon Travaglia of the + University of Waikato, New Zealand. + FreeBSD 2.2.2 and later support setusercontext(). From + Peter Wemm of DIALix. + FreeBSD 3.x fix from Peter Wemm of DIALix. + IRIX 5.x has a syslog buffer size of 512 bytes. From + Nao NINOMIYA of Utsunomiya University. + IRIX 6.5 64-bit Build support. + LDAP Version 3 support from John Beck and Ravi Iyer + of Sun Microsystems. + Linux does not implement seteuid() properly. From + John Kennedy of Cal State University, Chico. + Linux timezone type was set improperly. From Takeshi Itoh + of Bits Co., Ltd. + NCR MP-RAS 3.x needs -lresolv for confLIBS. From + Tom J. Moore of NCR. + NeXT 4.x correction to man page path. From J. P. McCann + of E I A. + System V Rel 5.x (a.k.a UnixWare7 w/o BSD-Compatibility Libs) + from Paul Gampe of the Asia Pacific Network + Information Center. + ULTRIX now requires an optimization limit of 970 from + Allan E Johannesen of Worcester Polytechnic + Institute. + Fix extern declaration for sm_dopr(). Fix from Henk + van Oers of Algemeen Nederlands Persbureau. + CONFIG: Catch @hostname,user@anotherhost.domain as relaying. + Problem noted by Mark Rogov of AirMedia, Inc. Fix from + Claus Assmann of Christian-Albrechts-University of Kiel. + CONFIG: Do not refer to http://maps.vix.com/ on RBL rejections as + there are multiple RBL's available and the MAPS RBL may + not be the one in use. Suggested by Alan Brown of + Manawatu Internet Services. + CONFIG: Properly strip route addresses (i.e., @host1:user@host2) + when stripping down a recipient address to check for + relaying. Patch from Claus Assmann of + Christian-Albrechts-University of Kiel and Neil W Rickert + of Northern Illinois University. + CONFIG: Allow the access database to override RBL lookups. Patch + from Claus Assmann of Christian-Albrechts-University of + Kiel. + CONFIG: UnixWare 7 support from Phillip P. Porch of The Porch + Dot Com. + CONFIG: Fixed check for deferred delivery mode warning. Patch + from Claus Assmann of Christian-Albrechts-University of + Kiel and Per Hedeland of Ericsson. + CONFIG: If a recipient using % addressing is used, e.g. + user%site@othersite, and othersite's MX records are now + checked for local hosts if FEATURE(relay_based_on_MX) is + used. Problem noted by Alexander Litvin of Lucky Net Ltd. + Patch from Alexander Litvin of Lucky Net Ltd and + Claus Assmann of Christian-Albrechts-University of Kiel. + MAIL.LOCAL: Prevent warning messages from appearing in the LMTP + stream. Do not allow more than one response per recipient. + MAIL.LOCAL: Handle routed addresses properly when using LMTP. Fix + from John Beck of Sun Microsystems. + MAIL.LOCAL: Properly check for CRLF when using LMTP. Fix from + John Beck of Sun Microsystems. + MAIL.LOCAL: Substitute MAILER-DAEMON for the LMTP empty sender in + the envelope From header. + MAIL.LOCAL: Accept underscores in hostnames in LMTP mode. + Problem noted by Glenn A. Malling of Syracuse University. + MAILSTATS: Document msgsrej and msgsdis fields in the man page. + Problem noted by Richard Wong of Princeton University. + MAKEMAP: Build group list so group writable files are allowed with + the -s flag. Problem noted by Curt Sampson of Internet + Portal Services, Inc. + PRALIASES: Automatically handle alias files created without the + NULL byte at the end of the key. Patch from John Beck of + Sun Microsystems. + PRALIASES: Support Berkeley DB 2.6.4 API change. + New Files: + BuildTools/OS/IRIX64.6.5 + BuildTools/OS/UnixWare.5.i386 + cf/ostype/unixware7.m4 + contrib/smcontrol.pl + src/control.c + +8.9.1/8.9.1 1998/07/02 + If both an OS specific site configuration file and a generic + site.config.m4 file existed, only the latter was used + instead of both. Problem noted by Geir Johannessen of + the Norwegian University of Science and Technology. + Fix segmentation fault while converting 8 bit to 7 bit MIME + multipart messages by trying to write to an unopened + file descriptor. Fix from Kari Hurtta of the Finnish + Meteorological Institute. + Do not assume Message: and Text: headers indicate the end of + the header area when parsing MIME headers. Problem noted + by Kari Hurtta of the Finnish Meteorological Institute. + Setting the confMAN#SRC Build variable would only effect the + installation commands. The man pages would still be + built with .0 extensions. Problem noted by Bryan + Costales of InfoBeat, Inc. + Installation of manual pages didn't honor the DESTDIR environment + variable. Problem noted by Bryan Costales of InfoBeat, Inc. + If the check_relay ruleset resolved to the discard mailer, messages + were still delivered. Problem noted by Mirek Luc of NASK. + Mail delivery to files would fail with an Operating System Error + if sendmail was not running as root, i.e., RunAsUser was set. + Problem noted by Leonard N. Zubkoff of Dandelion Digital. + Prevent MinQueueAge from interfering from queued items created + in the future, i.e., if the system clock was set ahead + and then back. Problem noted by Michael Miller of the + University of Natal, Pietermaritzburg. + Do not advertise ETRN support in ESTMP EHLO reply if noetrn is + set in the PrivacyOptions option. Fix from Ted Rule of + Flextech TV. + Log invalid persistent host status file lines instead of + bouncing the message. Problem noted by David Lindes of + DaveLtd Enterprises. + Move creation of empty sendmail.st file from installation to + compilation. Installation may be done from a read-only + mount. Fix from Bryan Costales of InfoBeat, Inc. and Ric + Anderson of the Oasis Research Center, Inc. + Enforce the maximum number of User Database entries limit. Problem + noted by Gary Buchanan of Credence Systems Inc. + Allow dead.letter files in root's home directory. Problem noted + by Anna Ullman of Sun Microsystems. + Program deliveries in forward files could be marked unsafe if + any directory listed in the ForwardPath option did not + exist. Problem noted by Jorg Bielak of Coastal Web Online. + Do not trust the length of the address structure returned by + gethostbyname(). Problem noted by Chris Evans of Oxford + University. + If the SIZE= MAIL From: ESMTP parameter is too large, use the + 5.3.4 DSN status code instead of 5.2.2. Similarly, for + non-local deliveries, if the message is larger than the + mailer maximum message size, use 5.3.4 instead of 5.2.3. + Suggested by Antony Bowesman of + Fujitsu/TeaWARE Mail/MIME System. + Portability: + Fix the check for an IP address reverse lookup for + use in $&{client_name} on 64 bit platforms. + From Gilles Gallot of Institut for Development + and Resources in Intensive Scientific computing. + BSD-OS uses .0 for man page extensions. From Jeff Polk + of BSDI. + DomainOS detection for Build. Also, version 10.4 and later + ship a unistd.h. Fixes from Takanobu Ishimura of + PICT Inc. + NeXT 4.x uses /usr/lib/man/cat for its man pages. From + J. P. McCann of E I A. + SCO 4.X and 5.X include NDBM support. From Vlado Potisk + of TEMPEST, Ltd. + CONFIG: Do not pass spoofed PTR results through resolver for + qualification. Problem noted by Michiel Boland of + Digital Valley Internet Professionals; fix from + Kari Hurtta of the Finnish Meteorological Institute. + CONFIG: Do not try to resolve non-DNS hostnames such as UUCP, + BITNET, and DECNET addresses for resolvable senders. + Problem noted by Alexander Litvin of Lucky Net Ltd. + CONFIG: Work around Sun's broken configuration which sends bounce + messages as coming from @@hostname instead of <>. LMTP + would not accept @@hostname. + OP.ME: Corrections to complex sendmail startup script from Rick + Troxel of the National Institutes of Health. + RMAIL: Do not install rmail by default, require 'make force-install' + as this rmail isn't the same as others. Suggested by + Kari Hurtta of the Finnish Meteorological Institute. + New Files: + BuildTools/OS/DomainOS.10.4 + +8.9.0/8.9.0 1998/05/19 + SECURITY: To prevent users from reading files not normally + readable, sendmail will no longer open forward, :include:, + class, ErrorHeader, or HelpFile files located in unsafe + (i.e., group or world writable) directory paths. Sites + which need the ability to override security can use the + DontBlameSendmail option. See the README file for more + information. + SECURITY: Problems can occur on poorly managed systems, specifically, + if maps or alias files are in world writable directories. + This fixes the change added to 8.8.6 to prevent links in these + world writable directories. + SECURITY: Make sure ServiceSwitchFile option file is not a link if + it is in a world writable directory. + SECURITY: Never pass a tty to a mailer -- if a mailer can get at the + tty it may be able to push bytes back to the senders input. + Unfortunately this breaks -v mode. Problem noted by + Wietse Venema of the Global Security Analysis Lab at + IBM T.J. Watson Research. + SECURITY: Empty group list if DontInitGroups is set to true to + prevent program deliveries from picking up extra group + privileges. Problem reported by Wolfgang Ley of DFN-CERT. + SECURITY: The default value for DefaultUser is now set to the uid and + gid of the first existing user mailnull, sendmail, or daemon + that has a non-zero uid. If none of these exist, sendmail + reverts back to the old behavior of using uid 1 and gid 1. + This is a security problem for Linux which has chosen that + uid and gid for user bin instead of daemon. If DefaultUser + is set in the configuration file, that value overrides this + default. + SECURITY: Since 8.8.7, the check for non-set-user-ID binaries + interfered with setting an alternate group id for the + RunAsUser option. Problem noted by Randall Winchester of + the University of Maryland. + Add support for Berkeley DB 2.X. Based on patch from John Kennedy + of Cal State University, Chico. + Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB). Users + which previously defined OLD_NEWDB=1 must now upgrade to the + current version of Berkeley DB. + Added support for regular expressions using the new map class regex. + From Jan Krueger of Unix-AG of University of Hannover. + Support for BIND 8.1.1's hesiod for hesiod maps and hesiod + UserDatabases from Randall Winchester of the University + of Maryland. + Allow any shell for user shell on program deliveries on V1 + configurations for backwards compatibility on machines which + do not have getusershell(). Fix from John Beck of Sun + Microsystems. + On operating systems which change the process title by reusing the + argument vector memory, sendmail could corrupt memory if the + last argument was either "-q" or "-d". Problem noted by + Frank Langbein of the University of Stuttgart. + Support Local Mail Transfer Protocol (LMTP) between sendmail and + mail.local on the F=z flag. + Macro-expand the contents of the ErrMsgFile. Previously this was + only done if you had magic characters (0x81) to indicate + macro expansion. Now $x will be expanded. This means that + real dollar signs have to be backslash escaped. + TCP Wrappers expects "unknown" in the hostname argument if the + reverse DNS lookup for the incoming connection fails. + Problem noted by Randy Grimshaw of Syracuse University and + Wietse Venema of the Global Security Analysis Lab at + IBM T.J. Watson Research. + DSN success bounces generated from an invocation of sendmail -t + would be sent to both the sender and MAILER-DAEMON. + Problem noted by Claus Assmann of + Christian-Albrechts-University of Kiel. + Avoid "Error 0" messages on delivery mailers which exit with a + valid exit value such as EX_NOPERM. Fix from Andreas Luik + of ISA Informationssysteme GmbH. + Tokenize $&x expansions on right hand side of rules. This eliminates + the need to use tricks like $(dequote "" $&{client_name} $) + to cause the ${client_name} macro to be properly tokenized. + Add the MaxRecipientsPerMessage option: this limits the number of + recipients that will be accepted in a single SMTP + transaction. After this number is reached, sendmail + starts returning "452 Too many recipients" to all RCPT + commands. This can be used to limit the number of recipients + per envelope (in particular, to discourage use of the server + for spamming). Note: a better approach is to restrict + relaying entirely. + Fixed pointer initialization for LDAP lmap struct, fixed -s option + to ldapx map and added timeout for ldap_open call to + avoid hanging sendmail in the event of hung LDAP servers. + Patch from Booker Bense of Stanford University. + Allow multiple -qI, -qR, or -qS queue run limiters. For example, + '-qRfoo -qRbar' would deliver mail to recipients with foo or + bar in their address. Patch from Allan E Johannesen of + Worcester Polytechnic Institute. + The bestmx map will now return a list of the MX servers for a host if + passed a column delimiter via the -z map flag. This can be + used to check if the server is an MX server for the recipient + of a message. This can be used to help prevent relaying. + Patch from Mitchell Blank Jr of Exec-PC. + Mark failures for the *file* mailer and return bounce messages to the + sender for those failures. + Prevent bogus syslog timestamps on errors in sendmail.cf by + preserving the TZ environment variable until TimeZoneSpec + has been determined. Problem noted by Ralf Hildebrandt of + Technical University of Braunschweig. Patch from Per Hedeland + of Ericsson. + Print test input in address test mode when input is not from the tty + when the -v flag is given (i.e., sendmail -bt -v) to make + output easier to decipher. Problem noted by Aidan Nichol + of Procter & Gamble. + The LDAP map -s flag was not properly parsed and the error message + given included the remainder of the arguments instead of + solely the argument in error. Problem noted by Aidan Nichol + of Procter & Gamble. + New DontBlameSendmail option. This option allows administrators to + bypass some of sendmail's file security checks at the expense + of system security. This should only be used if you are + absolutely sure you know the consequences. The available + DontBlameSendmail options are: + Safe + AssumeSafeChown + ClassFileInUnsafeDirPath + ErrorHeaderInUnsafeDirPath + GroupWritableDirPathSafe + GroupWritableForwardFileSafe + GroupWritableIncludeFileSafe + GroupWritableAliasFile + HelpFileinUnsafeDirPath + WorldWritableAliasFile + ForwardFileInGroupWritableDirPath + IncludeFileInGroupWritableDirPath + ForwardFileInUnsafeDirPath + IncludeFileInUnsafeDirPath + ForwardFileInUnsafeDirPathSafe + IncludeFileInUnsafeDirPathSafe + MapInUnsafeDirPath + LinkedAliasFileInWritableDir + LinkedClassFileInWritableDir + LinkedForwardFileInWritableDir + LinkedIncludeFileInWritableDir + LinkedMapInWritableDir + LinkedServiceSwitchFileInWritableDir + FileDeliveryToHardLink + FileDeliveryToSymLink + WriteMapToHardLink + WriteMapToSymLink + WriteStatsToHardLink + WriteStatsToSymLink + RunProgramInUnsafeDirPath + RunWritableProgram + New DontProbeInterfaces option to turn off the inclusion of all the + interface names in $=w on startup. In particular, if you + have lots of virtual interfaces, this option will speed up + startup. However, unless you make other arrangements, mail + sent to those addresses will be bounced. + Automatically create alias databases if they don't exist and + AutoRebuildAliases is set. + Add PrivacyOptions=noetrn flag to disable the SMTP ETRN command. + Suggested by Christophe Wolfhugel of the Institut Pasteur. + Add PrivacyOptions=noverb flag to disable the SMTP VERB command. + When determining the client host name ($&{client_name} macro), do + a forward (A) DNS lookup on the result of the PTR lookup + and compare results. If they differ or if the PTR lookup + fails, &{client_name} will contain the IP address + surrounded by square brackets (e.g., [127.0.0.1]). + New map flag: -Tx appends "x" to lookups that return temporary failure + (i.e, it is like -ax for the temporary failure case, in + contrast to the success case). + New syntax to do limited checking of header syntax. A config line + of the form: + HHeader: $>Ruleset + causes the indicated Ruleset to be invoked on the Header + when read. This ruleset works like the check_* rulesets -- + that is, it can reject mail on the basis of the contents. + Limit the size of the HELO/EHLO parameter to prevent spammers + from hiding their connection information in Received: + headers. + When SingleThreadDelivery is active, deliveries to locked hosts + are skipped. This will cause the delivering process to + try the next MX host or queue the message if no other MX + hosts are available. Suggested by Alexander Litvin. + The [FILE] mailer type now delivers to the file specified in the + A= equate of the mailer definition instead of $u. It also + obeys all of the F= mailer flags such as the MIME + 7/8 bit conversion flags. This is useful for defining + a mailer which delivers to the same file regardless of the + recipient (e.g., 'A=FILE /dev/null' to discard unwanted mail). + Do not assume the identity of a remote connection is root@localhost + if the remote connection closes the socket before the + remote identity can be queried. + Change semantics of the F=S mailer flag back to 8.7.5 behavior. + Some mailers, including procmail, require that the real + uid is left unchanged by sendmail. Problem noted by Per + Hedeland of Ericsson. + No longer is the src/obj*/Makefile selected from a large list -- it + is now generated using the information in BuildTools/OS/ -- + some of the details are determined dynamically via + BuildTools/bin/configure.sh. + The other programs in the sendmail distribution -- mail.local, + mailstats, makemap, praliases, rmail, and smrsh -- now use + the new Build method which creates an operating system + specific Makefile using the information in BuildTools. + Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e., + a failure on one message won't affect future messages to the + same host). This is necessary if the remote host sends + a 451 error if the domain of the sender does not resolve + as is common in anti-spam configurations. Problem noted + by Mitchell Blank Jr of Exec-PC. + New "discard" mailer for check_* rulesets and header checking + rulesets. If one of the above rulesets resolves to the + $#discard mailer, the commands will be accepted but the + message will be completely discarded after it is accepting. + This means that even if only one of the recipients + resolves to the $#discard mailer, none of the recipients + will receive the mail. Suggested by Brian Kantor. + All but the last cloned envelope of a split envelope were queued + instead of being delivered. Problem noted by John Caruso + of CNET: The Computer Network. + Fix deadlock situation in persistent host status file locking. + Syslog an error if a user forward file could not be read due to + an error. Patch from John Beck of Sun Microsystems. + Use the first name returned on machine lookups when canonifying a + hostname via NetInfo. Patch from Timm Wetzel of GWDG. + Clear the $&{client_addr}, $&{client_name}, and $&{client_port} + macros when delivering a bounce message to prevent + rejection by a check_compat ruleset which uses these macros. + Problem noted by Jens Hamisch of AgiX Internetservices GmbH. + If the check_relay ruleset resolves to the the error mailer, the + error in the $: portion of the resolved triplet is used + in the rejection message given to the remote machine. + Suggested by Scott Gifford of The Internet Ramp. + Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros + before calling the check_relay ruleset. Suggested by Scott + Gifford of The Internet Ramp. + Sendmail would get a segmentation fault if a mailer exited with an + exit code of 79. Problem noted by Aaron Schrab of ExecPC + Internet. Fix from Christophe Wolfhugel of the Pasteur + Institute. + Separate snprintf/vsnprintf routines into separate file for use by + mail.local. + Allow multiple map lookups on right hand side, e.g., + R$* $( host $1 $) $| $( passwd $1 $). Patch from + Christophe Wolfhugel of the Pasteur Institute. + Properly generate success DSN messages if requested for aliases + which have owner- aliases. Problem noted by Kari Hurtta + of the Finnish Meteorological Institute. + Properly display delayed-expansion macros ($&{macroname}) in + address test mode (-bt). Problem noted by Bryan Costales + of InfoBeat, Inc. + -qR could sometimes match names incorrectly. Problem noted by + Lutz Euler of Lavielle EDV Systemberatung GmbH & Co. + Include a magic number and version in the StatusFile for the + mailstats command. + Record the number of rejected and discarded messages in the + StatusFile for display by the mailstats command. Patch + from Randall Winchester of the University of Maryland. + IDENT returns where the OSTYPE field equals "OTHER" now list the + user portion as IDENT:username@site instead of + username@site to differentiate the two. Suggested by + Kari Hurtta of the Finnish Meteorological Institute. + Enforce timeout for LDAP queries. Patch from Per Hedeland of + Ericsson. + Change persistent host status filename substitution so '/' is + replaced by ':' instead of '|' to avoid clashes. Also + avoid clashes with hostnames with leading dots. Fix from + Mitchell Blank Jr. of Exec-PC. + If the system lock table is full, only attempt to create a new + queue entry five times before giving up. Previously, it + was attempted indefinitely which could cause the partition + to run out of inodes. Problem noted by Suzie Weigand of + Stratus Computer, Inc. + In verbose mode, warn if the sendmail.cf version is less than the + currently supported version. + Sorting for QueueSortOrder=host is now case insensitive. Patch + from Randall S. Winchester of the University of Maryland. + Properly quote a full name passed via the -F command line option, + the Full-Name: header, or the NAME environment variable if + it contains characters which must be quoted. Problem noted + by Kari Hurtta of the Finnish Meteorological Institute. + Avoid possible race condition that unlocked a mail job before + releasing the transcript file on systems that use flock(2). + In some cases, this might result in a "Transcript Unavailable" + message in error bounces. + Accept SMTP replies which contain only a reply code and no + accompanying text. Problem noted by Fernando Fraticelli of + Digital Equipment Corporation. + Portability: + AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura + of Kyoto University. + AIX 4.2 requires <userpw.h> before <usersec.h>. Patch from + Randall S. Winchester of the University of + Maryland. + AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS. + CRAY T3E from Manu Mahonen of Center for Scientific Computing + in Finland. + Digital UNIX now uses statvfs for determining free + disk space. Patch from Randall S. Winchester of + the University of Maryland. + HP-UX 11.x from Richard Allen of Opin Kerfi HF and + Regis McEwen of Progress Software Corporation. + IRIX 64 bit fixes from Kari Hurtta of the Finnish + Meteorological Institute. + IRIX 6.2 configuration fix for mail.local from Michael Kyle + of CIC/Advanced Computing Laboratory. + IRIX 6.5 from Thomas H Jones II of SGI. + IRIX 6.X load average code from Bob Mende of SGI. + QNX from Glen McCready <glen@qnx.com>. + SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links + to sendmail. Install with group bin instead of kmem + as kmem does not exist. From Guillermo Freige of + Gobernacion de la Pcia de Buenos Aires and Paul + Fischer of BTG, Inc. + SunOS 4.X does not include memmove(). Patch from + Per Hedeland of Ericsson. + SunOS 5.7 includes getloadavg() function for determining + load average. Patch from John Beck of Sun + Microsystems. + CONFIG: Increment version number of config file. + CONFIG: add DATABASE_MAP_TYPE to set the default type of database + map for the various maps. The default is hash. Patch from + Robert Harker of Harker Systems. + CONFIG: new confEBINDIR m4 variable for defining the executable + directory for certain programs. + CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for + local mail delivery. By the default, /usr/libexec/mail.local + is used. This is expected to be the mail.local shipped + with 8.9 which is LMTP capable. The path is based on the + new confEBINDIR m4 variable. + CONFIG: Use confEBINDIR in determining path to smrsh for + FEATURE(smrsh). Note that this changes the default from + /usr/local/etc/smrsh to /usr/libexec/smrsh. To obtain the + old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh). + CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to + include $z/.forward.$w+$h and $z/.forward+$h which allow + the user to setup different .forward files for + user+detail addressing. + CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES, + and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage, + DontProbeInterfaces, and DontBlameSendmail options. + CONFIG: by default do not allow relaying (that is, accepting mail + from outside your domain and sending it to another host + outside your domain). + CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from + any site to any site. + CONFIG: new FEATURE(relay_entire_domain) allows any host in your + domain as defined by the 'm' class ($=m) to relay. + CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on + the MX records of the host portion of an incoming recipient. + CONFIG: new FEATURE(access_db) which turns on the access database + feature. This database gives you the ability to allow + or refuse to accept mail from specified domains for + administrative reasons. By default, names that are listed + as "OK" in the access db are domain names, not host names. + CONFIG: new confCR_FILE m4 variable for defining the name of the file + used for class 'R'. Defaults to /etc/mail/relay-domains. + CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file) + to add items to class 'R' ($=R) for hosts allowed to relay. + CONFIG: new FEATURE(relay_hosts_only) to change the behavior + of FEATURE(access_db) and class 'R' to lookup individual + host names only. + CONFIG: new FEATURE(loose_relay_check). Normally, if a recipient + using % addressing is used, e.g. user%site@othersite, + and othersite is in class 'R', the check_rcpt ruleset + will strip @othersite and recheck user@site for relaying. + This feature changes that behavior. It should not be + needed for most installations. + CONFIG: new FEATURE(relay_local_from) to allow relaying if the + domain portion of the mail sender is a local host. This + should only be used if absolutely necessary as it opens + a window for spammers. Patch from Randall S. Winchester of + the University of Maryland. + CONFIG: new FEATURE(blacklist_recipients) turns on the ability to + block incoming mail destined for certain recipient + usernames, hostnames, or addresses. + CONFIG: By default, MAIL FROM: commands in the SMTP session will be + refused if the host part of the argument to MAIL FROM: cannot + be located in the host name service (e.g., DNS). + CONFIG: new FEATURE(accept_unresolvable_domains) accepts + unresolvable hostnames in MAIL FROM: SMTP commands. + CONFIG: new FEATURE(accept_unqualified_senders) accepts + MAIL FROM: senders which do not include a domain. + CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the + Realtime Blackhole List. You can specify the RBL name + server to contact by specifying it as an optional argument. + The default is rbl.maps.vix.com. For details, see + http://maps.vix.com/rbl/. + CONFIG: Call Local_check_relay, Local_check_mail, and + Local_check_rcpt from check_relay, check_mail, and + check_rcpt. Users with local rulesets should place the + rules using LOCAL_RULESETS. If a Local_check_* ruleset + returns $#OK, the message is accepted. If the ruleset + returns a mailer, the appropriate action is taken, else + the return of the ruleset is ignored. + CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by + default to support file, :include:, and program deliveries. + CONFIG: Remove the default for confDEF_USER_ID so the binary can + pick the proper default value. See the SECURITY note + above for more information. + CONFIG: FEATURE(nodns) now warns the user that the feature is a + no-op. Patch from Kari Hurtta of the Finnish + Meteorological Institute. + CONFIG: OSTYPE(osf1) now sets DefaultUserID (confDEF_USER_ID) to + daemon since DEC's /bin/mail will drop the envelope + sender if run as mailnull. See the Digital UNIX section + of src/README for more information. Problem noted by + Kari Hurtta of the Finnish Meteorological Institute. + CONFIG: .cf files are now stored in the same directory with the + .mc files instead of in the obj directory. + CONFIG: New options confSINGLE_LINE_FROM_HEADER, + confALLOW_BOGUS_HELO, and confMUST_QUOTE_CHARS for + setting SingleLineFromHeader, AllowBogusHELO, and + MustQuoteChars respectively. + MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout. This + SMTP-like protocol allows detailed reporting of delivery + status on a per-user basis. Code donated by John Myers of + CMU (now of Netscape). + MAIL.LOCAL: HP-UX support from Randall S. Winchester of the + University of Maryland. NOTE: mail.local is not + compatible with the stock HP-UX mail format. Be sure to + read mail.local/README. + MAIL.LOCAL: Prevent other mail delivery agents from stealing a + mailbox lock. Patch from Randall S. Winchester of the + University of Maryland. + MAIL.LOCAL: glibc portability from John Kennedy of Cal State + University, Chico. + MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish + Meteorological Institute. + MAILSTATS: Display the number of rejected and discarded messages + in the StatusFile. Patch from Randall Winchester of the + University of Maryland. + MAKEMAP: New -s flag to ignore safety checks on database map files + such as linked files in world writable directories. + MAKEMAP: Add support for Berkeley DB 2.X. Remove OLD_NEWDB support. + PRALIASES: Add support for Berkeley DB 2.X. + PRALIASES: Do not automatically include NDBM support. Problem + noted by Ralf Hildebrandt of the Technical University of + Braunschweig. + RMAIL: Improve portability for other platforms. Patches from + Randall S. Winchester of the University of Maryland and + Kari Hurtta of the Finnish Meteorological Institute. + Changed Files: + src/Makefiles/Makefile.* files have been modified to use + the new build mechanism and are now BuildTools/OS/*. + src/makesendmail changed to symbolic link to src/Build. + New Files: + BuildTools/M4/header.m4 + BuildTools/M4/depend/BSD.m4 + BuildTools/M4/depend/CC-M.m4 + BuildTools/M4/depend/NCR.m4 + BuildTools/M4/depend/Solaris.m4 + BuildTools/M4/depend/X11.m4 + BuildTools/M4/depend/generic.m4 + BuildTools/OS/AIX.4.2 + BuildTools/OS/AIX.4.x + BuildTools/OS/CRAYT3E.2.0.x + BuildTools/OS/HP-UX.11.x + BuildTools/OS/IRIX.6.5 + BuildTools/OS/NEXTSTEP.4.x + BuildTools/OS/NeXT.4.x + BuildTools/OS/NetBSD.8.3 + BuildTools/OS/QNX + BuildTools/OS/SunOS.5.7 + BuildTools/OS/dcosx.1.x.NILE + BuildTools/README + BuildTools/Site/README + BuildTools/bin/Build + BuildTools/bin/configure.sh + BuildTools/bin/find_m4.sh + BuildTools/bin/install.sh + Makefile + cf/cf/Build + cf/cf/generic-hpux10.cf + cf/feature/accept_unqualified_senders.m4 + cf/feature/accept_unresolvable_domains.m4 + cf/feature/access_db.m4 + cf/feature/blacklist_recipients.m4 + cf/feature/loose_relay_check.m4 + cf/feature/local_lmtp.m4 + cf/feature/promiscuous_relay.m4 + cf/feature/rbl.m4 + cf/feature/relay_based_on_MX.m4 + cf/feature/relay_entire_domain.m4 + cf/feature/relay_hosts_only.m4 + cf/feature/relay_local_from.m4 + cf/ostype/qnx.m4 + contrib/doublebounce.pl + mail.local/Build + mail.local/Makefile.m4 + mail.local/README + mailstats/Build + mailstats/Makefile.m4 + makemap/Build + makemap/Makefile.m4 + praliases/Build + praliases/Makefile.m4 + rmail/Build + rmail/Makefile.m4 + rmail/rmail.0 + smrsh/Build + smrsh/Makefile.m4 + src/Build + src/Makefile.m4 + src/snprintf.c + Deleted Files: + cf/cf/Makefile (replaced by Makefile.dist) + mail.local/Makefile + mail.local/Makefile.dist + mailstats/Makefile + mailstats/Makefile.dist + makemap/Makefile + makemap/Makefile.dist + praliases/Makefile + praliases/Makefile.dist + rmail/Makefile + smrsh/Makefile + smrsh/Makefile.dist + src/Makefile + src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2) + src/Makefiles/Makefile.SMP_DC.OSx.NILE + (renamed BuildTools/OS/dcosx.1.x.NILE) + src/Makefiles/Makefile.Utah (obsolete platform) + Renamed Files: + READ_ME => README + cf/cf/Makefile.dist => Makefile + cf/cf/obj/* => cf/cf/* + src/READ_ME => src/README + +8.8.8/8.8.8 1997/10/24 + If the check_relay ruleset failed, the relay= field was logged + incorrectly. Problem noted by Kari Hurtta of the Finnish + Meteorological Institute. + If /usr/tmp/dead.letter already existed, sendmail could not + add additional bounces to it. Problem noted by Thomas J. + Arseneault of SRI International. + If an SMTP mailer used a non-standard port number for the outgoing + connection, it would be displayed incorrectly in verbose mode. + Problem noted by John Kennedy of Cal State University, Chico. + Log the ETRN parameter specified by the client before altering them + to internal form. Suggested by Bob Kupiec of GES-Verio. + EXPN and VRFY SMTP commands on malformed addresses were logging as + User unknown with bogus delay= values. Change them to log + the same as compliant addresses. Problem noted by Kari E. + Hurtta of the Finnish Meteorological Institute. + Ignore the debug resolver option unless using sendmail debug trace + option for resolver. Problem noted by Greg Nichols of Wind + River Systems. + If SingleThreadDelivery was enabled and the remote server returned a + protocol error on the DATA command, the connection would be + closed but the persistent host status file would not be + unlocked so other sendmail processes could not deliver to + that host. Problem noted by Peter Wemm of DIALix. + If queueing up a message due to an expensive mailer, don't increment + the number of delivery attempts or set the last delivery + attempt time so the message will be delivered on the next + queue run regardless of MinQueueAge. Problem noted by + Brian J. Coan of the Institute for Global Communications. + Authentication warnings of "Processed from queue _directory_" and + "Processed by _username_ with -C _filename_" would be logged + with the incorrect timestamp. Problem noted by Kari E. Hurtta + of the Finnish Meteorological Institute. + Use a better heuristic for detecting GDBM. + Log null connections on dropped connections. Problem noted by + Jon Lewis of Florida Digital Turnpike. + If class dbm maps are rebuilt, sendmail will now detect this and + reopen the map. Previously, they could give stale + results during a single message processing (but would + recover when the next message was received). Fix from + Joe Pruett of Q7 Enterprises. + Do not log failures such as "User unknown" on -bv or SMTP VRFY + requests. Problem noted by Kari E. Hurtta of the + Finnish Meteorological Institute. + Do not send a bounce message back to the sender regarding bad + recipients if the SMTP connection is dropped before the + message is accepted. Problem noted by Kari E. Hurtta of the + Finnish Meteorological Institute. + Use "localhost" instead of "[UNIX: localhost]" when connecting to + sendmail via a UNIX pipe. This will allow rulesets using + $&{client_name} to process without sending the string through + dequote. Problem noted by Alan Barrett of Internet Africa. + A combination of deferred delivery mode, a double bounce situation, + and the inability to save a bounce message to + /var/tmp/dead.letter would cause sendmail to send a bounce + to postmaster but not remove the offending envelope from the + queue causing it to create a new bounce message each time the + queue was run. Problem noted by Brad Doctor of Net Daemons + Associates. + Remove newlines from hostname information returned via DNS. There are + no known security implications of newlines in hostnames as + sendmail filters newlines in all vital areas; however, this + could cause confusing error messages. + Starting with sendmail 8.8.6, mail sent with the '-t' option would be + rejected if any of the specified addresses were bad. This + behavior was modified to only reject the bad addresses and not + the entire message. Problem noted by Jozsef Hollosi of + SuperNet, Inc. + Use Timeout.fileopen when delivering mail to a file. Suggested by + Bryan Costales of InfoBeat, Inc. + Display the proper Final-Recipient on DSN messages for non-SMTP + mailers. Problem noted by Kari E. Hurtta of the + Finnish Meteorological Institute. + An error in calculating the available space in the list of addresses + for logging deliveries could cause an address to be silently + dropped. + Include the initial user environment if sendmail is restarted via + a HUP signal. This will give room for the process title. + Problem noted by Jon Lewis of Florida Digital Turnpike. + Mail could be delivered without a body if the machine does not + support flock locking and runs out of processes during + delivery. Fix from Chuck Lever of the University of Michigan. + Drop recipient address from 251 and 551 SMTP responses per RFC 821. + Problem noted by Kari E. Hurtta of the Finnish Meteorological + Institute. + Make sure non-rebuildable database maps are opened before the + rebuildable maps (i.e., alias files) in case the database maps + are needed for verifying the left hand side of the aliases. + Problem noted by Lloyd Parkes of Victoria University. + Make sure sender RFC822 source route addresses are alias expanded for + bounce messages. Problem noted by Juergen Georgi of + RUS University of Stuttgart. + Minor lint fixes. + Return a temporary error instead of a permanent error if an LDAP map + search returns an error. This will allow sequenced maps which + use other LDAP servers to be checked. Fix from Booker Bense + of Stanford University. + When automatically converting from quoted printable to 8bit text do + not pad bare linefeeds with a space. Problem noted by Theo + Nolte of the University of Technology Aachen, Germany. + Portability: + Non-standard C compilers may have had a problem compiling + conf.c due to a standard C external declaration of + setproctitle(). Problem noted by Ted Roberts of + Electronic Data Systems. + AUX: has a broken O_EXCL implementation. Reported by Jim + Jagielski of jaguNET Access Services. + BSD/OS: didn't compile if HASSETUSERCONTEXT was defined. + Digital UNIX: Digital UNIX (and possibly others) moves + loader environment variables into the loader memory + area. If one of these environment variables (such as + LD_LIBRARY_PATH) was the last environment variable, + an invalid memory address would be used by the process + title routine causing memory corruption. Problem + noted by Sam Hartman of Mesa Internet Systems. + GNU libc: uses an enum for _PC_CHOWN_RESTRICTED which caused + chownsafe() to always return 0 even if the OS does + not permit file giveaways. Problem noted by + Yasutaka Sumi of The University of Tokyo. + IRIX6: Syslog buffer size set to 512 bytes. Reported by + Gerald Rinske of Siemens Business Services VAS. + Linux: Pad process title with NULLs. Problem noted by + Jon Lewis of Florida Digital Turnpike. + SCO OpenServer 5.0: SIOCGIFCONF ioctl call returns an + incorrect value for the number of interfaces. + Problem noted by Chris Loelke of JetStream Internet + Services. + SINIX: Update for Makefile and syslog buffer size from Gerald + Rinske of Siemens Business Services VAS. + Solaris: Make sure HASGETUSERSHELL setting for SunOS is not + used on a Solaris machine. Problem noted by + Stephen Ma of Jtec Pty Limited. + CONFIG: SINIX: Update from Gerald Rinske of Siemens Business + Services VAS. + MAKEMAP: Use a better heuristic for detecting GDBM. + CONTRIB: expn.pl: Updated version from the author, David Muir Sharnoff. + OP.ME: Document the F=i mailer flag. Problem noted by Per Hedeland of + Ericsson. + +8.8.7/8.8.7 1997/08/03 + If using Berkeley DB on systems without O_EXLOCK (open a file with + an exclusive lock already set -- i.e., almost all systems + except 4.4-BSD derived systems), the initial attempt at + rebuilding aliases file if the database didn't already + exist would fail. Patch from Raymund Will of LST Software + GmbH. + Bogus incoming SMTP commands would reset the SMTP conversation. + Problem noted by Fredrik Jönsson of the Royal Institute + of Technology, Stockholm. + Since TCP Wrappers includes setenv(), unsetenv(), and putenv(), + some environments could give "multiple definitions" for these + routines during compilation. If using TCP Wrappers, assume + that these routines are included as though they were in the + C library. Patch from Robert La Ferla. + When a NEWDB database map was rebuilt at the same time it was being + used by a queue run, the maps could be left locked for the + duration of the queue run, causing other processes to hang. + Problem noted by Kendall Libby of Shore.NET. + In some cases, NoRecipientAction=add-bcc was being ignored, so the + mail was passed on without any recipient header. This could + cause problems downstream. Problem noted by Xander Jansen + of SURFnet ExpertiseCentrum. + Give error when GDBM is used with sendmail. GDBM's locking and + linking of the .dir and .pag files interferes with sendmail's + locking and security checks. Problems noted by Fyodor + Yarochkin of the Kyrgyz Republic FreeNet. + Don't fsync qf files if SuperSafe option is not set. + Avoid extra calls to gethostbyname for addresses for which a + gethostbyaddr found no value. Also, ignore any returns + from gethostbyaddr that look like a dotted quad. + If PTR lookup fails when looking up an SMTP peer, don't tag it as + "may be forged", since at the network level we pretty much + have to assume that the information is good. + In some cases, errors during an SMTP session could leave files + open or locked. + Better handling of missing file descriptors (0, 1, 2) on startup. + Better handling of non-set-user-ID binaries -- avoids certain obnoxious + errors during testing. + Errors in file locking of NEWDB maps had the incorrect file name + printed in the error message. + If the AllowBogusHELO option were set and an EHLO with a bad or + missing parameter were issued, the EHLO behaved like a HELO. + Load limiting never kicked in for incoming SMTP transactions if the + DeliveryMode=background and any recipient was an alias or + had a .forward file. From Nik Conwell of Boston University. + On some non-Posix systems, the decision of whether chown(2) permits + file giveaway was undefined. From Tetsu Ushijima of the + Tokyo Institute of Technology. + Fix race condition that could cause the body of a message to be + lost (so only the header was delivered). This only occurs + on systems that do not use flock(2), and only when a queue + runner runs during a critical section in another message + delivery. Based on a patch from Steve Schweinhart of + Results Computing. + If a qf file was found in a mail queue directory that had a problem + (wrong ownership, bad format, etc.) and the file name was + exactly MAXQFNAME bytes long, then instead of being tried + once, it would be tried on every queue run. Problem noted + by Bryan Costales of Mercury Mail. + If the system supports an st_gen field in the status structure, + include it when reporting that a file has changed after open. + This adds a new compile flag, HAS_ST_GEN (0/1 option). + This out to be checked as well as reported, since it is + theoretically possible for an attacker to remove a file after + it is opened and replace it with another file that has the + same i-number, but some filesystems (notably AFS) return + garbage in this field, and hence always look like the file + has changed. As a practical matter this is not a security + problem, since the files can be neither hard nor soft links, + and on no filesystem (that I am aware of) is it possible to + have two files on the same filesystem with the same i-number + simultaneously. + Delete the root Makefile from the distribution -- it is only for + use internally, and does not work at customer sites. + Fix botch that caused the second MAIL FROM: command in a single + transaction to clear the entire transaction. Problem + noted by John Kennedy of Cal State University, Chico. + Work properly on machines that have _PATH_VARTMP defined without + a trailing slash. (And a pox on vendors that decide to + ignore the established conventions!) Problem noted by + Gregory Neil Shapiro of WPI. + Internal changes to make it easier to add another protocol family + (intended for IPv6). Patches are from John Kennedy of + CSU Chico. + In certain cases, 7->8 bit MIME decoding of Base64 text could leave + an extra space at the beginning of some lines. Problem + noted by Charles Karney of Princeton University; fix based + on a patch from Christophe Wolfhugel. + Portability: + Allow _PATH_VENDOR_CF to be set in Makefile for consistency + with the _Sendmail_ book, 2nd edition. Note that + the book is actually wrong: _PATH_SENDMAILCF should + be used instead. + AIX 3.x: Include <sys/select.h>. Patch from Gene Rackow + of Argonne National Laboratory. + OpenBSD from from Paul DuBois of the University of Wisconsin. + RISC/os 4.0 from Paul DuBois of the University of Wisconsin. + SunOS: Include <memory.h> to fix warning from util.c. From + James Aldridge of EUnet Ltd. + Solaris: Change STDIR (location of status file) to /etc/mail + in Makefiles. + Linux, Dynix, UNICOS: Remove -DNDBM and -lgdbm from + Makefiles. Use NEWDB on Linux instead. + NCR MP-RAS 3.x with STREAMware TCP/IP: SIOCGIFNUM ioctl + exists but behaves differently than other OSes. + Add SIOCGIFNUM_IS_BROKEN compile flag to get + around the problem. Problem noted by Tom Moore of + NCR Corp. + HP-UX 9.x: fix compile warnings for old select API. Problem + noted by Tom Smith of Digital Equipment Corp. + UnixWare 2.x: compile warnings on offsetof macro. Problem + noted by Tom Good of the Community Access Information + Resource Network + SCO 4.2: compile problems caused by a change in the type of + the "length" parameters passed to accept, getpeername, + getsockname, and getsockopt. Adds new compile flags + SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Problem reported + by Tom Good of St. Vincent's North Richmond Community + Mental Health Center Residential Services. + AIX 4: Use size_t for SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. + Suggested by Brett Hogden of Rochester Gas & Electric + Corp. + Linux: avoid compile problem for versions of <setjmp.h> that + #define both setjmp and longjmp. Problem pointed out + by J.R. Oldroyd of TerraNet. + CONFIG: SCO UnixWare 2.1: Support for OSTYPE(sco-uw-2.1) + from Christopher Durham of SCO. + CONFIG: NEXTSTEP: define confCW_FILE to + /etc/sendmail/sendmail.cw to match the usual + configuration. Patch from Dennis Glatting of + PlainTalk. + CONFIG: MAILER(fax) called a program that hasn't existed for a long + time. Convert to use the HylaFAX 4.0 conventions. Suggested + by Harry Styron. + CONFIG: Improve sample anti-spam rulesets in cf/cf/knecht.mc. These + are the rulesets in use on sendmail.org. + MAKEMAP: give error on GDBM files. + MAIL.LOCAL: Make error messages a bit more explicit, for example, + telling more details on what actually changed when "file + changed after open". + CONTRIB: etrn.pl: Ignore comments in Fw files. Support multiple Fw + files. + CONTRIB: passwd-to-alias.pl: Handle 8 bit characters and '-'. + NEW FILES: + src/Makefiles/Makefile.OpenBSD + src/Makefiles/Makefile.RISCos.4_0 + test/t_exclopen.c + cf/ostype/sco-uw-2.1.m4 + DELETED FILES: + Makefile + +8.8.6/8.8.6 1997/06/14 + ************************************************************* + * The extensive assistance of Gregory Neil Shapiro of WPI * + * in preparing this release is gratefully appreciated. * + * Sun Microsystems has also provided resources toward * + * continued sendmail development. * + ************************************************************* + SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open + mode bits set to create a file that is a symbolic link that + points nowhere. This makes it possible to create a root + owned file in an arbitrary directory by inserting the symlink + into a writable directory after the initial lstat(2) check + determined that the file did not exist. The only verified + example of a system having these odd semantics for O_EXCL + and symbolic links was HP-UX prior to version 9.07. Most + systems do not have the problem, since a exclusive create + of a file disallows symbolic links. Systems that have been + verified to NOT have the problem include AIX 3.x, *BSD, + DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris, + and Ultrix. This is a potential exposure on systems that + have this bug and which do not have a MAILER-DAEMON alias + pointing at a legitimate account, since this will cause old + mail to be dropped in /var/tmp/dead.letter. + SECURITY: Problems can occur on poorly managed systems, specifically, + if maps or alias files are in world writable directories. + If your system has alias maps in writable directories, it + is potentially possible for an attacker to replace the .db + (or .dir and .pag) files by symbolic links pointing at + another database; this can be used either to expose + information (e.g., by pointing an alias file at /etc/spwd.db + and probing for accounts), or as a denial-of-service attack + (by trashing the password database). The fix disallows + symbolic links entirely when rebuilding alias files or on + maps that are in writable directories, and always warns on + writable directories; 8.9 will probably consider writable + directories to be fatal errors. This does not represent an + exposure on systems that have alias files in unwritable + system directories. + SECURITY: disallow .forward or :include: files that are links (hard + or soft) if the parent directory (or any directory in the + path) is writable by anyone other than the owner. This is + similar to the previous case for user files. This change + should not affect most systems, but is necessary to prevent + an attacker who can write the directory from pointing such + files at other files that are readable only by the owner. + SECURITY: Tighten safechown rules: many systems will say that they + have a safe (restricted to root) chown even on files that + are mounted from another system that allows owners to give + away files. The new rules are very strict, trusting file + ownership only in those few cases where the system has + been verified to be at least as paranoid as necessary. + However, it is possible to relax the rules to partially + trust the ownership if the directory path is not world or + group writable. This might allow someone who has a legitimate + :include: file (referenced directly from /etc/aliases) to + become another non-root user if the :include: file is in a + non-writable directory on an NFS-mounted filesystem where + the local system says that giveaway is denied but it is + actually permitted. I believe this to be a very small set + of cases. If in doubt, do not point :include: aliases at + NFS-mounted filesystems. + SECURITY: When setting a numeric group id using the RunAsUser option + (e.g., "O RunAsUser=10:20", the group id would not be set. + Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha + group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine. + The user id was still set properly. Problem noted by Uli + Pralle of the Technical University of Berlin. + Save the initial gid set for use when checking for if the + PrivacyOptions=restrictmailq option is set. Problem reported + by Wolfgang Ley of DFN-CERT. + Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a + failure on one message won't affect future messages to the + same host). + IP source route printing had an "off by one" error that would + affect any options that came after the route option. Patch + from Theo de Raadt. + The "Message is too large" error didn't successfully bounce the error + back to the sender. Problem reported by Stephen More of + PSI; patch from Gregory Neil Shapiro of WPI. + Change SMTP status code 553 to map into Extended code 5.1.0 (instead + of 5.1.3); it apparently gets used in multiple ways. + Suggested by John Myers of Portola Communications. + Fix possible extra null byte generated during collection if errors + occur at the beginning of the stream. Patch contributed by + Andrey A. Chernov and Gregory Neil Shapiro. + Code changes to avoid possible reentrant call of malloc/free within + a signal handler. Problem noted by John Beck of Sun + Microsystems. + Move map initialization to be earlier so that check_relay ruleset + will have the latest version of the map data. Problem noted + by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro. + If there are fatal errors during the collection phase (e.g., message + too large) don't send the bogus message. + Avoid "cannot open xfAAA00000" messages when sending to aliases that + have errors and have owner- aliases. Problem noted by Michael + Barber of MTU; fix from Gregory Neil Shapiro of WPI. + Avoid null pointer dereference on illegal Boundary= parameters in + multipart/mixed Content-Type: header. Problem noted by + Richard Muirden of RMIT University. + Always print error messages during newaliases (-bi) even if the + ErrorMode is not set to "print". Fix from Gregory Neil + Shapiro. + Test mode could core dump if you did a /map lookup in an optional map + that could not be opened. Based on a fix from John Beck of + Sun Microsystems. + If DNS is misconfigured so that the last MX record tried points to + a host that does not have an A record, but other MX records + pointed to something reasonable, don't bounce the message + with a "host unknown" error. Note that this should really + be fixed in the zone file for the domain. Problem noted by + Joe Rhett of Navigist, Inc. + If a map fails (e.g., DNS times out) on all recipient addresses, mark + the message as having been tried; otherwise the next queue + run will not realize that this is a second attempt and will + retry immediately. Problem noted by Bryan Costales of + Mercury Mail. + If the clock is set backwards, and a MinQueueAge is set, no jobs + will be run until the later setting of the clock is reached. + "Problem" (I use the term loosely) noted by Eric Hagberg of + Morgan Stanley. + If the load average rises above the cutoff threshold (above which + sendmail will not process the queue at all) during a queue + run, abort the queue run immediately. Problem noted by + Bryan Costales of Mercury Mail. + The variable queue processing algorithm (based on the message size, + number of recipients, message precedence, and job age) was + non-functional -- either the entire queue was processed or + none of the queue was processed. The updated algorithm + does no queue run if a single recipient zero size job will + not be run. + If there is a fatal ("panic") message that will cause sendmail to + die immediately, never hold the error message for future + printing. + Force ErrorMode=print in -bt mode so that all errors are printed + regardless of the setting of the ErrorMode option in the + configuration file. Patch from Gregory Neil Shapiro. + New compile flag HASSTRERROR says that this OS has the strerror(3) + routine available in one of the libraries. Use it in conf.h. + The -m (match only) flag now works on host class maps. + If class hash or btree maps are rebuilt, sendmail will now detect + this and reopen the map. Previously, they could give + erroneous results during a single message processing + (but would recover when the next message was received). + Don't delete zero length queue files when doing queue runs until the + files are at least ten minutes old. This avoids a potential + race condition: the creator creates the qf file, getting back + a file descriptor. The queue runner locks it and deletes it + because it is zero length. The creator then writes the + descriptor that is now for a disconnected file, and the + job goes away. Based on a suggestion by Bryan Costales. + When determining the "validated" host name ($_ macro), do a forward + (A) DNS lookup on the result of the PTR lookup and compare + results. If they differ or if the PTR lookup fails, tag the + address as "may be forged". + Log null connections (i.e., hosts that connect but do not do any + substantive activity on the connection before disconnecting; + "substantive" is defined to be MAIL, EXPN, VRFY, or ETRN. + Always permit "writes" to /dev/null regardless of the link count. + This is safe because /dev/null is special cased, and no open + or write is ever actually attempted. Patch from Villy Kruse + of TwinCom. + If a message cannot be sent because of a 552 (exceeded storage + allocation) response to the MAIL FROM:<>, and a SIZE= parameter + was given, don't return the body in the bounce, since there + is a very good chance that the message will double-bounce. + Fix possible line truncation if a quoted-printable had an =00 escape + in the body. Problem noted by Charles Karney of the Princeton + Plasma Physics Laboratory. + Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses. + Problem noted by Kari Hurtta of the Finnish Meteorological + Institute. + The MaxDaemonChildren option wasn't applying to queue runs as + documented. Note that this increases the potential denial + of service problems with this option: an attacker can + connect many times, and thereby lock out queue runs as well + as incoming connections. If you use this option, you should + run the "sendmail -bd" and "sendmail -q30m" jobs separately + to avoid this attack. Failure to limit noted by Matthew + Dillon of BEST Internet Communications. + Always give a message in newaliases if alias files cannot be + opened instead of failing silently. Suggested by Gregory + Neil Shapiro. This change makes the code match the O'Reilly + book (2nd edition). + Some older versions of the resolver could return with h_errno == -1 + if no name server could be reached, causing mail to bounce + instead of queueing. Treat this like TRY_AGAIN. Fix from + John Beck of SunSoft. + If a :include: file is owned by a user that does not have an entry + in the passwd file, sendmail could dereference a null pointer. + Problem noted by Satish Mynam of Sun Microsystems. + Take precautions to make sure that the SMTP protocol cannot get out + of sync if (for example) an alias file cannot be opened. + Fix a possible race condition that can cause a SIGALRM to come in + immediately after a SIGHUP, causing the new sendmail to die. + Avoid possible hang on SVr3 systems when doing child reaping. Patch + from Villy Kruse of TwinCom. + Ignore improperly formatted SMTP reply codes. Previously these were + partially processed, which could cause confusing error + returns. + Fix possible bogus pointer dereference when doing ldapx map lookups + on some architectures. + Portability: + A/UX: from Jim Jagielski of NASA/GSFC. + glibc: SOCK_STREAM was changed from a #define to an enum, + thus breaking #ifdef SOCK_STREAM. Only option seems + to be to assume SOCK_STREAM if __GNU_LIBRARY__ is + defined. Problem reported by A Sun of the University + of Washington. + Solaris: use SIOCGIFNUM to get the number of interfaces on + the system rather than guessing at compile time. + Patch contributed by John Beck of Sun Microsystems. + Intel Paragon: from Wendy Lin of Purdue University. + GNU Hurd: from Miles Bader of the GNU project. + RISC/os 4.50 from Harlan Stenn of PFCS Corporation. + ISC Unix: wait never returns if SIGCLD signals are blocked. + Unfortunately releasing them opens a race condition, + but there appears to be no fix for this. Patch from + Gregory Neil Shapiro. + BIND 8.1 for IPv6 compatibility from John Kennedy. + Solaris: a bug in strcasecmp caused characters with the + high order bit set to apparently randomly match + letters -- for example, $| (0233) matches "i" and "I". + Problem noted by John Gregson of the University of + Cambridge. + IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From + Kari Hurtta. + IRIX 6.x: Create Makefiles for systems that claim to be + IRIX64 but are 6.2 or higher (so use the regular + IRIX Makefile). + IRIX 6.x: Fix load average computation on 64 bit kernels. + Problem noted by Eric Hagberg of Morgan Stanley. + CONFIG: Some canonification was still done for UUCP-like addresses + even if FEATURE(nocanonify) was set. Problem pointed out by + Brian Candler. + CONFIG: In some cases UUCP mailers wouldn't properly recognize all + local names as local. Problem noted by Jeff Polk of BSDI; + fix provided by Gregory Neil Shapiro. + CONFIG: The "local:user" syntax entries in mailertables and other + "mailer:user" syntax locations returned an incorrect value + for the $h macro. Problem noted by Gregory Neil Shapiro. + CONFIG: Retain "+detail" information when forwarding mail to a + MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip + Guenther of Gustavus Adolphus College. + CONFIG: Make sure user+detail works for FEATURE(virtusertable); + rules are the same as for aliasing. Based on a patch from + Gregory Neil Shapiro. + CONFIG: Break up parsing rules into several pieces; this should + have no functional change in this release, but makes it + possible to have better anti-spam rulesets in the future. + CONFIG: Disallow double dots in host names to avoid having the + HostStatusDirectory store status under the wrong name. + In some cases this can be used as a denial-of-service attack. + Problem noted by Ron Jarrell of Virginia Tech, patch from + Gregory Neil Shapiro. + CONFIG: Don't use F=m (multiple recipients per invocation) for + MAILER(procmail), but do pass F=Pn9 (include Return-Path:, + don't include From_, and convert to 8-bit). Suggestions + from Kimmo Suominen and Roderick Schertler. + CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) were + being masqueraded as though FEATURE(masquerade_entire_domain) + was specified, even when it wasn't. + MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft. + MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't + "slip in" a symbolic link between the lstat(2) call and the + exclusive open. This is only a problem on System V derived + systems that allow an exclusive create on files that are + symbolic links pointing nowhere. + MAIL.LOCAL: If the final mailbox close() failed, the user id was + not reset back to root, which on some systems would cause + later mailboxes to fail. Also, any partial message would + not be truncated, which could result in repeated deliveries. + Problem noted by Bruce Evans via Peter Wemm (FreeBSD + developers). + MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar + change to the sendmail map code was made in 8.8.3. Problem + noted by Gregory Neil Shapiro. + MAKEMAP: Give warnings on file problems such as map files that are + symbolic links; although makemap is not set-user-ID root, it is + often run as root and hence has the potential for the same + sorts of problems as alias rebuilds. + MAKEMAP: Change compilation so that it will link properly on + NEXTSTEP. + CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf. + Accept an optional list of arguments following the server + name for the ETRN arguments to use (instead of $=w). Other + miscellaneous bug fixes. From Christian von Roques via + John Beck of Sun Microsystems. + CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta. This + Perl script converts GECOS information in the /etc/passwd + file into aliases, allowing for faster access to full name + lookups; it is also clever about adding aliases (to root) + for system accounts. + NEW FILES: + src/safefile.c + cf/ostype/gnuhurd.m4 + cf/ostype/irix6.m4 + contrib/passwd-to-alias.pl + src/Makefiles/Makefile.IRIX64.6.1 + src/Makefiles/Makefile.IRIX64.6.x + RENAMED FILES: + src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x + src/Makefiles/Makefile.IRIX64 => Makefile.IRIX64.6.0 + +8.8.5/8.8.5 1997/01/21 + SECURITY: Clear out group list during startup. Without this, sendmail + will continue to run with the group permissions of the caller, + even if RunAsUser is specified. + SECURITY: Make purgestat (-bH) be root-only. This is not in response + to any known attack, but it's best to be conservative. + Suggested by Peter Wemm of DIALix. + SECURITY: Fix buffer overrun problem in MIME code that has possible + security implications. Patch from Alex Garthwaite of the + University of Pennsylvania. + Use of a -f flag with a phrase attached (e.g., "-f 'Full Name <addr>'") + would truncate the address after "Full". Although the -f + syntax is incorrect (since it is in the envelope, it + shouldn't have comments and full names), the failure mode + was unnecessarily awful. + Fix a possible null pointer dereference when converting 8-bit data + to a 7-bit format. Problem noted by Jim Hutchins of + Sandia National Labs and David James of British Telecom. + Clear out stale state that affected F=9 on SMTP mailers in queue + runs. Although this really shouldn't be used (F=9 is for + final delivery only, and using it on an SMTP mailer makes + it possible for a message to be converted from 8->7->8->7 + bits several times), it shouldn't have failed with a syserr. + Problem noted by Eric Hagberg of Morgan Stanley. + _Really_ fix the multiple :maildrop code in the user database + module. Patch from Roy Mongiovi of Georgia Tech. + Let F lines in the configuration file actually read root-only + files if the configuration file is safe. Based on a + patch from Keith Reynolds of SCO. + ETRN followed by QUIT would hold the connection open until the queue + run completed. Problem noted by Truck Lewis of TDK + Semiconductor Corp. + It turns out that despite the documentation, the TCP wrappers library + does _not_ log rejected connections. Do the logging ourselves. + Problem noted by Fletcher Mattox of the University of Texas + at Austin. + If sendmail finds a qf file in its queue directory that is an unknown + version (e.g., when backing out to an old version), the + error is reported on every queue run. Change it to only + give the error once (and rename the qf => Qf). Patch from + William A. Gianopoulos of Raytheon Company. + Start a new session when doing background delivery; currently it + ignored signals but didn't start a new signal, that caused + some problems if a background process tried to send mail + under certain circumstances. Problem noted by Eric Hagberg + of Morgan Stanley; fix from Kari Hurtta. + Simplify test for skipping a queue run to just check if the current + load average is >= the queueing load average. Previously + the check factored in some other parameters that caused it + to essentially never skip the queue run. Patch from Bryan + Costales. + If the SMTP server is running in "nullserver" mode (that is, it is + rejecting all commands), start sleeping after MAXBADCOMMAND + (25) commands; this helps prevent a bad guy from putting + you into a tight loop as a denial-of-service attack. Based + on an e-mail conversation with Brad Knowles of AOL. + Slow down when too many "light weight" commands have been issued; + this helps prevent a class of denial-of-service attacks. + The current values and defaults are: + MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR + MAXHELOCOMMANDS 3 HELO, EHLO + MAXVRFYCOMMANDS 6 VRFY, EXPN + MAXETRNCOMMANDS 8 ETRN + These will probably be configurable in a future release. + On systems that have uid_t typedefed to be an unsigned short, programs + that had the F=S flag and no U= equate would be invoked with + the real uid set to 65535 rather than being left unchanged. + In some cases, NOTIFY=NEVER was not being honored. Problem noted + by Steve Hubert of the University of Washington, Seattle. + Mail that was Quoted-Printable encoded and had a soft line break on + the last line (i.e., an incomplete continuation) had the last + line dropped. Since this appears to be illegal it isn't + clear what to do with it, but flushing the last line seems + to be a better "fail soft" approach. Based on a patch from + Eric Hagberg. + If AllowBogusHELO and PrivacyOptions=needmailhelo are both set, a + bogus HELO command still causes the "Polite people say HELO + first" error message. Problem pointed out by Chris Thomas + of UCLA; patch from John Beck of SunSoft. + Handle "sendmail -bp -qSfoobar" properly if restrictqrun is set + in PrivacyOptions. The -q shouldn't turn this command off. + Problem noted by Murray Kucherawy of Pacific Bell Internet; + based on a patch from Gregory Neil Shapiro of WPI. + Don't consider SMTP reply codes 452 or 552 (exceeded storage allocation) + in a DATA transaction to be sticky; these can occur because + a message is too large, and smaller messages should still go + through. Problem noted by Matt Dillon of Best Internet + Communications. + In some cases bounces were saved in /var/tmp/dead.letter even if they + had been successfully delivered to the envelope sender. + Problem noted Eric Hagberg of Morgan Stanley; solution from + Gregory Neil Shapiro of WPI. + Give better diagnostics on long alias lines. Based on code contributed + by Patrick Gosling of the University of Cambridge. + Increase the number of virtual interfaces that will be probed for + alternate names. Problem noted by Amy Rich of Shore.Net. + PORTABILITY: + UXP/DS V20L10 for Fujitsu DS/90: Makefile patches from + Toshiaki Nomura of Fujitsu Limited. + SunOS with LDAP support: compile problems with struct timeval. + Patch from Nick Cuccia of TCSI Corporation. + SCO: from Keith Reynolds of SCO. + Solaris: kstat load average computation wasn't being used. + Fixes from Michael Ju. Tokarev of Telecom Service, JSC + (Moscow). + OpenBSD: from Jason Downs of teeny.org. + Altos System V: from Tim Rice. + Solaris 2.5: from Alan Perry of SunSoft. + Solaris 2.6: from John Beck of SunSoft. + Harris Nighthawk PowerUX (mh6000 box): from Bob Miorelli + of Pratt & Whitney <miorelli@pweh.com>. + CONFIG: It seems that I hadn't gotten the Received: line syntax + _just_right_ yet. Tweak it again. I'll omit the names + of the "contributors" (quantity two) in this one case. + As of now, NO MORE DISCUSSION about the syntax of the + Received: line. + CONFIG: Although FEATURE(nullclient) uses EXPOSED_USER (class $=E), + it never inserts that class into the output file. Fix it + so it will honor EXPOSED_USER but will _not_ include root + automatically in this class. Problem noted by Ronan KERYELL + of Centre de Recherche en Informatique de l'École Nationale + Supérieure des Mines de Paris (CRI-ENSMP). + CONFIG: Clean up handling of "local:" syntax in relay specifications + such as LUSER_RELAY. This change permits the following + syntaxes: ``local:'' will send to the same user on the + local machine (e.g., in a mailertable entry for "host", + ``local:'' will cause an address addressed to user@host to + go to user on the local machone). ``local:user'' will send + to the named user on the local machine. ``local:user@host'' + is equivalent to ``local:user'' (the host is ignored). In + all cases, the original user@host is passed in $@ (i.e., the + detail information). Inspired by a report from Michael Fuhr. + CONFIG: Strip quotes from the first word of an "error:" host + indication. This lets you set (for example) the LUSER_RELAY + to be ``error:\"5.1.1\" Your Message Here''. Note the use + of the \" so that the resulting string is properly quoted. + Problem noted by Gregory Neil Shapiro of WPI. + OP.ME: documentation was inconsistent about whether sendmail did a + NOOP or a RSET to probe the connection (it does a RSET). + Inconsistency noted by Deeran Peethamparam. + OP.ME: insert additional blank pages so it will print properly on + a duplex printer. From Matthew Black of Cal State University, + Long Beach. + +8.8.4/8.8.4 1996/12/02 + SECURITY: under some circumstances, an attacker could get additional + permissions by hard linking to files that were group + writable by the attacker. The solution is to disallow any + files that have hard links -- this will affect .forward, + :include:, and output files. Problem noted by Terry + Kyriacopoulos of Interlog Internet Services. As a + workaround, set UnsafeGroupWrites -- always a good idea. + SECURITY: the TryNullMXList (w) option should not be safe -- if it + is, it is possible to do a denial-of-service attack on + MX hosts that rely on the use of the null MX list. There + is no danger if you have this option turned off (the default). + Problem noted by Dan Bernstein. Also, make the DontInitGroups + unsafe. I know of no specific attack against this, although + a denial-of-service attack is probably possible, but in theory + you should not be able to safely tweak anything that affects + the permissions that are used when mail is delivered. + Purgestat could go into an infinite loop if one of the host status + directories somehow became empty. Problem noted by Roy + Mongiovi of Georgia Tech. + Processes got "lost" when counting children due to a race condition. + This caused "proc_list_probe: lost pid" messages to be logged. + Problem noted by several people. + On systems with System V SIGCLD child signal semantics (notably AIX + and HP-UX), mail transactions would print the message "451 + SMTP-MAIL: lost child: No child processes". Problem noted + by several people. + Miscellaneous compiler warnings on picky compilers (or when setting + gcc to high warning levels). From Tom Moore of NCR Corp. + SMTP protocol errors, and most errors on MAIL FROM: lines should + not be persistent between runs, since they are based on the + message rather than the host. Problem noted by Matt Dillon + of Best Internet Communications. + The F=7 flag was ignored on SMTP mailers. Problem noted by Tom Moore + of NCR (a.k.a., AT&T Global Information Solutions). + Avoid the possibility of having a child daemon run to completion + (including closing the SMTP socket) before the parent has + had a chance to close the socket; this can cause the parent + to hang for a long time waiting for the socket to drain. + Patch from Don Lewis of TDK Semiconductor. + If the fork() failed in a queue run, the queue runners would not be + rescheduled (so queue runs would stop). Patch from Don Lewis. + Some error conditions in ETRN could cause output without an SMTP + status code. Problem noted by Don Lewis. + Multiple :maildrop addresses in the user database didn't work properly. + Patch from Roy Mongiovi of Georgia Tech. + Add ".db" automatically onto any user database spec that does not + already have it; this is for consistency with makemap, the + K line, and the documentation. Inconsistency pointed out + by Roy Mongiovi. + Allow sendmail to be properly called in nohup mode. Patch from + Kyle Jones of UUNET. + Change ETRN to ignore but still update host status files; previously + it would ignore them and not save the updated status, which + caused stale information to be maintained. Based on a patch + from Christopher Davis of Kapor Enterprises Inc. Also, have + ETRN ignore the MinQueueAge option. + Patch long term host status to recover more gracefully from an empty + host status file condition. Patch from NAKAMURA Motonori + of Kyoto University. + Several patches to signal handling code to fix potential race + conditions from Don Lewis. + Make it possible to compile with -DDAEMON=0 (previously it had some + compile errors). This turns DAEMON, QUEUE, and SMTP into + 0/1 compilation flags. Note that DAEMON is an obsolete + compile flag; use NETINET instead. Solution based on a + patch from Bryan Costales. + PORTABILITY FIXES: + AIX4: getpwnam() and getpwuid() do a sequential scan of the + /etc/security/passwd file when called as root. This + is very slow on some systems. To speed it up, use the + (undocumented) _getpw{nam,uid}_shadow() routines. + Patch from Chris Thomas of UCLA/OAC Systems Group. + SCO 5.x: include -lprot in the Makefile. Patch from Bill + Glicker of Burrelle's Information Service. + NEWS-OS 4.x: need a definition for MODE_T to compile. Patch + from Makoto MATSUSHITA of Osaka University. + SunOS 4.0.3: compile problems. Patches from Andrew Cole of + Leeds University and SASABE Tetsuro of the University + of Tokyo. + DG/UX 5.4.4.11 from Brian J. Murrell of InterLinx Support + Services, Inc. + Domain/OS from Don (Truck) Lewis of TDK Semiconductor Corp. + I believe this to have only been a problem if you + compiled with -DUSE_VENDOR_CF_PATH -- another reason + to stick with /etc/sendmail.cf as your One True Path. + Digital UNIX (OSF/1 on Alpha) load average computation from + Martin Laubach of the Technischen Universität Wien. + CONFIG: change default Received: line to be multiple lines rather + than one long one. By popular demand. + MAIL.LOCAL: warnings weren't being logged on some systems. Patch + from Jerome Berkman of U.C. Berkeley. + MAKEMAP: be sure to zero hinfo to avoid cruft that can cause runs + to take a very long time. Problem noted by Yoshiro YONEYA + of NTT Software Corporation. + CONTRIB: add etrn.pl, contributed by John Beck. + NEW FILES: + contrib/etrn.pl + +8.8.3/8.8.3 1996/11/17 + SECURITY: it was possible to get a root shell by lying to sendmail + about argv[0] and then sending it a signal. Problem noted + by Leshka Zakharoff <leshka@leshka.chuvashia.su> on the + best-of-security list. + Log sendmail binary version number in "Warning: .cf version level + (%d) exceeds program functionality (%d) message" -- this + should make it clearer to people that they are running + the wrong binary. + Fix a problem that occurs when you open an SMTP connection and then + do one or more ETRN commands followed by a MAIL command; at + the end of the DATA phase sendmail would incorrectly report + "451 SMTP-MAIL: lost child: No child processes". Problem + noted by Eric Bishop of Virginia Tech. + When doing text-based host canonification (typically /etc/hosts + lookup), a null host name would match any /etc/hosts entry + with space at the end of the line. Problem noted by Steve + Hubert of the University of Washington, Seattle. + 7 to 8 bit BASE64 MIME conversions could duplicate bits of text. + Problem reported by Tom Smith of Digital Equipment Corp. + Increase the size of the DNS answer buffer -- the standard UDP packet + size PACKETSZ (512) is not sufficient for some nameserver + answers containing very many resource records. The resolver + may also switch to TCP and retry if it detects UDP packet + overflow. Also, allow for the fact that the resolver + routines res_query and res_search return the size of the + *un*truncated answer in case the supplied answer buffer it + not big enough to accommodate the entire answer. Patch from + Eric Wassenaar. + Improvements to MaxDaemonChildren code. If you think you have too + many children, probe the ones you have to verify that they + are still around. Suggested by Jared Mauch of CICnet, Inc. + Also, do this probe before growing the vector of children + pids; this previously caused the vector to grow indefinitely + due to a race condition. Problem reported by Kyle Jones of + UUNET. + On some architectures, <db.h> (from the Berkeley DB library) defines + O_EXLOCK to zero; this fools the map compilation code into + thinking that it can avoid race conditions by locking on open. + Change it to check for O_EXLOCK non-zero. Problem noted by + Leif Erlingsson of Data Lege. + Always call res_init() on startup (if compiled in, of course) to + allow the sendmail.cf file to tweak resolver flags; without + it, flag tweaks in ResolverOptions are ignored. Patch from + Andrew Sun of Merrill Lynch. + Improvements to host status printing code. Suggested by Steve Hubert + of the University of Washington, Seattle. + Change MinQueueAge option processing to do the check for the job age + when reading the queue file, rather than at the end; this + avoids parsing the addresses, which can do DNS lookups. + Problem noted by John Beck of InReference, Inc. + When MIME was being 7->8 bit decoded, "From " lines weren't being + properly escaped. Problem noted by Peter Nilsson of the + University of Linkoping. + In some cases, sendmail would retain root permissions during queue + runs even if RunAsUser was set. Problem noted by Mark + Thomas of Mark G. Thomas Consulting. + If the F=l flag was set on an SMTP mailer to indicate that it is + actually local delivery, and NOTIFY=SUCCESS is specified in + the envelope, and the receiving SMTP server speaks DSN, then + the DSN would be both generated locally and propagated to the + other end. + The U= mailer field didn't correctly extract the group id if the + user id was numeric. Problem noted by Kenneth Herron of + MCI Telecommunications Communications. + If a message exceeded the fixed maximum size on input, the body of + the message was included in the bounce. Note that this did + not occur if it exceeded the maximum _output_ size. Problem + reported by Kyle Jones of UUNET. + PORTABILITY FIXES: + AIX4: 4.1 doesn't have a working setreuid(2); change the + AIX4 defines to use seteuid(2) instead, which + works on 4.1 as well as 4.2. Problem noted by + Håkan Lindholm of interAF, Sweden. + AIX4: use tzname[] vector to determine time zone name. + Patch from NAKAMURA Motonori of Kyoto University. + MkLinux: add Makefile.Linux.ppc and OSTYPE(mklinux) support. + Contributed by Paul DuBois <dubois@primate.wisc.edu>. + Solaris: kstat(3k) support for retrieving the load average. + This adds the LA_KSTAT definition for LA_TYPE. + The outline of the implementation was contributed + by Michael Tokarev of Telecom Service, JSC, Moscow. + HP-UX 10.0 gripes about the (perfectly legal!) forward + declaration of struct rusage at the top of conf.h; + change it to only be included if you are using gcc, + which is apparently the only compiler that requires + it in the first place. Problem noted by Jeff + Earickson of Colby College. + IRIX: don't default to using gcc. IRIX is a civilized + operating system that comes with a decent compiler + by default. Problem noted by Barry Bouwsma and + Kari Hurtta. + CONFIG: specify F=9 as default in FEATURE(local_procmail) for + consistency with other local mailers. Inconsistency + pointed out by Teddy Hogeborn <teddy@fukt.hk-r.se>. + CONFIG: if the "limited best mx" feature is used (to reduce DNS + overhead) as part of the bestmx_is_local feature, the + domain part was dropped from the name. Patch from Steve + Hubert of the University of Washington, Seattle. + CONFIG: catch addresses of the form "user@.dom.ain"; these could + end up being translated to the null host name, which would + return any entry in /etc/hosts that had a space at the end + of the line. Problem noted by Steve Hubert of the + University of Washington, Seattle. + CONFIG: add OSTYPE(aix4). From Michael Sofka of Rensselaer + Polytechnic Institute. + MAKEMAP: tweak hash and btree parameters for better performance. + Patch from Matt Dillon of Best Internet Communications. + NEW FILES: + src/Makefiles/Makefile.Linux.ppc + cf/ostype/aix4.m4 + cf/ostype/mklinux.m4 + +8.8.2/8.8.2 1996/10/18 + SECURITY: fix a botch in the 7-bit MIME patch; the previous patch + changed the code but didn't fix the problem. + PORTABILITY FIXES: + Solaris: Don't use the system getusershell(3); it can + apparently corrupt the heap in some circumstances. + Problem found by Ken Pizzini of Spry, Inc. + OP.ME: document several mailer flags that were accidentally omitted + from this document. These flags were F=d, F=j, F=R, and F=9. + CONFIG: no changes. + +8.8.1/8.8.1 1996/10/17 + SECURITY: unset all environment variables that the resolver will + examine during queue runs and daemon mode. Problem noted + by Dan Bernstein of the University of Illinois at Chicago. + SECURITY: in some cases an illegal 7-bit MIME-encoded text/plain + message could overflow a buffer if it was converted back + to 8 bits. This caused core dumps and has the potential + for a remote attack. Problem first noted by Gregory Shapiro + of WPI. + Avoid duplicate deliveries of error messages on systems that don't + have flock(2) support. Patch from Motonori Nakamura of + Kyoto University. + Ignore null FallBackMX (V) options. If this option is null (as + opposed to undefined) it can cause "null signature" syserrs + on illegal host names. + If a Base64 encoded text/plain message has no trailing newline in + the encoded text, conversion back to 8 bits will drop the + final line. Problem noted by Pierre David. + If running with a RunAsUser, sendmail would give bogus "cannot + setuid" (or seteuid, or setreuid) messages on some systems. + Problem pointed out by Jordan Mendelson of Web Services, Inc. + Always print error messages in -bv mode -- previously, -bv would + be absolutely silent on errors if the error mode was sent + to (say) mail-back. Problem noted by Kyle Jones of UUNET. + If -qI/R/S is set (or the ETRN command is used), ignore all long + term host status. This is necessary because it is common + to do this when you know a host has just come back up. + Disallow duplicate HELO/EHLO commands as required by RFC 1651 section + 4.2. Excessive permissiveness noted by Lee Flight of the + University of Leicester. + If a service (such as NIS) is specified as the last entry in the + service switch, but that service is not compiled in, sendmail + would return a temporary failure when an entry was not found + in the map. This caused the message to be queued instead of + bouncing immediately. Problem noted by Harry Edmon of the + University of Washington. + PORTABILITY FIXES: + Solaris 2.3 had compilation problems in conf.c. Several + people pointed this out. + NetBSD from Charles Hannum of MIT. + AIX4 improvements based on info from Steve Bauer of South + Dakota School of Mines & Technology. + CONFIG: ``error:code message'' syntax was broken in virtusertable. + Patch from Gil Kloepfer Jr. + CONFIG: if FEATURE(nocanonify) was specified, hosts in $=M (set + using MASQUERADE_DOMAIN) were not masqueraded unless they + were also in $=w. Problem noted by Zoltan Basti of + Softec. + MAIL.LOCAL: patches to compile and link cleanly on AIX. Based + on a patch from Eric Hagberg of Morgan Stanley. + MAIL.LOCAL: patches to compile on NEXTSTEP. From Patrick Nolan + of Stanford via Robert La Ferla. + +8.8.0/8.8.0 1996/09/26 + Under some circumstances, Bcc: headers would not be properly + deleted. Pointed out by Jonathan Kamens of OpenVision. + Log a warning if the sendmail daemon is invoked without a full + pathname, which prevents "kill -1" from working. I was + urged to put this in by Andrey A. Chernov of DEMOS (Russia). + Fix small buffer overflow. Since the data in this buffer was not + read externally, there was no security problem (and in fact + probably wouldn't really overflow on most compilers). Pointed + out by KIZU takashi of Osaka University. + Fix problem causing domain literals such as [1.2.3.4] to be ignored + if a FallbackMXHost was specified in the configuration file + -- all mail would be sent to the fallback even if the original + host was accessible. Pointed out by Munenari Hirayama of + NSC (Japan). + A message that didn't terminate with a newline would (sometimes) not + have the trailing "." added properly in the SMTP dialogue, + causing SMTP to hang. Patch from Per Hedeland of Ericsson. + The DaemonPortOptions suboption to bind to a particular address was + incorrect and nonfunctional due to a misunderstanding of the + semantics of binding on a passive socket. Patch from + NIIBE Yutaka of Mitsubishi Research Institute. + Increase the number of MX hosts for a single name to 100 to better + handle the truly huge service providers such as AOL, which + has 13 at the moment (and climbing). In order to avoid + trashing memory, the buffer for all names has only been + slightly increased in size, to 12.8K from 10.2K -- this means + that if a single name had 100 MX records, the average size + of those records could not exceed 128 bytes. Requested by + Brad Knowles of America On Line. + Restore use of IDENT returns where the OSTYPE field equals "OTHER". + Urged by Dan Bernstein of U.C. Berkeley. + Print q_statdate and q_specificity in address structure debugging + printout. + Expand MCI structure flag bits for debugging output. + Support IPv6-style domain literals, which can have colons between + square braces. + Log open file descriptors for the "cannot dup" messages in deliver(); + this is an attempt to track down a bug that one person seems + to be having (it may be a Solaris bug!). + DSN NOTIFY parameters were not properly propagated across queue runs; + this caused the NOTIFY info to sometimes be lost. Problem + pointed out by Claus Assmann of the + Christian-Albrechts-University of Kiel. + The statistics gathered in the sendmail.st file were too high; in + some cases failures (e.g., user unknown or temporary failure) + would count as a delivery as far as the statistics were + concerned. Problem noted by Tom Moore of AT&T GIS. + Systems that don't have flock() would not send split envelopes in + the initial run. Problem pointed out by Leonard Zubkoff of + Dandelion Digital. + Move buffer overflow checking -- these primarily involve distrusting + results that may come from NIS and DNS. + 4.4-BSD-derived systems, including FreeBSD, NetBSD, and BSD/OS didn't + include <paths.h> and hence had the wrong pathnames for a few + things like /var/tmp. Reported by Matthew Green. + Conditions were reversed for the Priority: header, resulting in all + values being interpreted as non-urgent except for non-urgent, + which was interpreted as normal. Patch from Bryan Costales. + The -o (optional) flag was being ignored on hash and btree maps + since 8.7.2. Fix from Bryan Costales. + Content-Types listed in class "q" will always be encoded as + Quoted-Printable (or more accurately, will never be encoded + as base64). The class can have primary types (e.g., "text") + or full types (e.g., "text/plain"). Based on a suggestion by + Marius Olafsson of the University of Iceland. + Define ${envid} to be the original envelope id (from the ESMTP DSN + dialogue) so it can be passed to programs in mailers. + Define ${bodytype} to be the body type (from the -B flag or the + BODY= ESMTP parameter) so it can be passed to programs in + mailers. + Cause the VRFY command to return 252 instead of 250 unless the F=q + flag is set in the mailer descriptor. Suggested by John + Myers of CMU. + Implement ESMTP ETRN command to flush the queue for a specific host. + The command takes a host name; data for that host is + immediately (and asynchronously) flushed. Because this shares + the -qR implementation, other hosts may be attempted, but + there should be no security implications. Implementation + from John Beck of InReference, Inc. See RFC 1985 for details. + Add three new command line flags to pass in DSN parameters: -V envid + (equivalent to ENVID=envid on the MAIL command), -R ret + (equivalent to RET=ret on the MAIL command), and -Nnotify + (equivalent to NOTIFY=notify on the RCPT command). Note + that the -N flag applies to all recipients; there is no way + to specify per-address notifications on the command line, + nor is there an equivalent for the ORCPT= per-address + parameter. + Restore LogLevel option to be safe (it can only be increased); + apparently I went into paranoid mode between 8.6 and 8.7 + and made it unsafe. Pointed out by Dabe Murphy of the + University of Maryland. + New logging on log level 15: all SMTP traffic. Patches from + Andrew Gross of San Diego Supercomputer Center. + NetInfo property value searching code wasn't stopping when it found + a match. This was causing the wrong values to be found (and + had a memory leak). Found by Bastian Schleuter of TU-Berlin. + Add new F=0 (zero) mailer flag to turn off MX lookups. It was pointed + out by Bill Wisner of Electronics for Imaging that you can't + use the bracket address form for the MAIL_HUB macro, since + that causes the brackets to remain in the envelope recipient + address used for delivery. The simple fix (stripping off the + brackets in the config file) breaks the use of IP literal + addresses. This flag will solve that problem. + Add MustQuoteChars option. This is a list of characters that must + be quoted if they are found in the phrase part of an address + (that is, the full name part). The characters @,;:\()[] are + always in this list and cannot be removed. The default is + this list plus . and ' to match RFC 822. + Add AllowBogusHELO option; if set, sendmail will allow HELO commands + that do not include a host name for back compatibility with + some stupid SMTP clients. Setting this violates RFC 1123 + section 5.2.5. + Add MaxDaemonChildren option; if this is set, sendmail will start + rejecting connections if it has more than this many + outstanding children accepting mail. Note that you may + see more processes than this because of outgoing mail; this + is for incoming connections only. + Add ConnectionRateThrottle option. If set to a positive value, the + number of incoming SMTP connections that will be permitted + in a single second is limited to this number. Connections are + not refused during this time, just deferred. The intent is to + flatten out demand so that load average limiting can kick in. + It is less radical than MaxDaemonChildren, which will stop + accepting connections even if all the connections are idle + (e.g., due to connection caching). + Add Timeout.hoststatus option. This interval (defaulting to 30m) + specifies how long cached information about the state of a + host will be kept before they are considered stale and the + host is retried. If you are using persistent host status + (i.e., the HostStatusDirectory option is set) this will apply + between runs; otherwise, it applies only within a single queue + run and hence is useful only for hosts that have large queues + that take a very long time to run. + Add SingleLineFromHeader option. If set, From: headers are coerced + into being a single line even if they had newlines in them + when read. This is to get around a botch in Lotus Notes. + Text class maps were totally broken -- if you ever retrieved the last + item in a table it would be truncated. Problem noted by + Gregory Neil Shapiro of WPI. + Extend the lines printed by the mailq command (== the -bp flag) when + -v is given to 120 characters; this allows more information + to be displayed. Suggested by Gregory Neil Shapiro of WPI. + Allow macro definitions (`D' lines) with unquoted commas; previously + this was treated as end-of-input. Problem noted by Bryan + Costales. + The RET= envelope parameter (used for DSNs) wasn't properly written + to the queue file. Fix from John Hughes of Atlantic + Technologies, Inc. + Close /var/tmp/dead.letter after a successful write -- otherwise + if this happens in a queue run it can cause nasty delays. + Problem noted by Mark Horton of AT&T. + If userdb entries pointed to userdb entries, and there were multiple + values for a given key, the database cursor would get + trashed by the recursive call. Problem noted by Roy Mongiovi + of Georgia Tech. Fixed by reading all the values and creating + a comma-separated list; thus, the -v output will be somewhat + different for this case. + Fix buffer allocation problem with Hesiod-based userdb maps when + HES_GETMAILHOST is defined. Based on a patch by Betty Lee + of Stanford University. + When envelopes were split due to aliases with owner- aliases, and + there was some error on one of the lists, more than one of + the owners would get the message. Problem pointed out by + Roy Mongiovi of Georgia Tech. + Detect excessive recursion in macro expansions, e.g., $X defined + in terms of $Y which is defined in terms of $X. Problem + noted by Bryan Costales; patch from Eric Wassenaar. + When using F=U to get "ugly UUCP" From_ lines, a buffer could in + some cases get trashed causing bogus From_ lines. Fix from + Kyle Jones of UUNET. + When doing load average initialization, if the nlist call for avenrun + failed, the second and subsequent lookups wouldn't notice + that fact causing bogus load averages to be returned. Noted + by Casper Dik of Sun Holland. + Fix problem with incompatibility with some versions of inet_aton that + have changed the return value to unsigned, so a check for an + error return of -1 doesn't work. Use INADDR_NONE instead. + This could cause mail to addresses such as [foo.com] to bounce + or get dropped. Problem noted by Christophe Wolfhugel of the + Pasteur Institute. + DSNs were inconsistent if a failure occurred during the DATA phase + rather than the RCPT phase: the Action: would be correct, but + the detailed status information would be wrong. Problem noted + by Bob Snyder of General Electric Company. + Add -U command line flag and the XUSR ESMTP extension, both indicating + that this is the initial MUA->MTA submission. The flag current + does nothing, but in future releases (when MUAs start using + these flags) it will probably turn on things like DNS + canonification. + Default end-of-line string (E= specification on mailer [M] lines) + to \r\n on SMTP mailers. Default remains \n on non-SMTP + mailers. + Change the internal definition for the *file* and *include* mailers + to have $u in the argument vectors so that they aren't + misinterpreted as SMTP mailers and thus use \r\n line + termination. This will affect anyone who has redefined + either of these in their configuration file. + Don't assume that IDENT servers close the connection after a query; + responses can be newline terminated. From Terry Kennedy of + St. Peter's College. + Avoid core dumps on erroneous configuration files that have + $#mailer with nothing following. From Bryan Costales. + Avoid null pointer dereference with high debug values in unlockqueue. + Fix from Randy Martin of Clemson University. + Fix possible buffer overrun when expanding very large macros. Fix + from Kyle Jones of UUNET. + After 25 EXPN or VRFY commands, start pausing for a second before + processing each one. This avoids a certain form of denial + of service attack. Potential attack pointed out by Bryan + Costales. + Allow new named (not numbered!) config file rules to do validity + checking on SMTP arguments: check_mail for MAIL commands and + check_rcpt for RCPT commands. These rulesets can do anything + they want; their result is ignored unless they resolve to the + $#error mailer, in which case the indicated message is printed + and the command is rejected. Similarly, the check_compat + ruleset is called before delivery with "from_addr $| to_addr" + (the $| is a meta-symbol used to separate the two addresses); + it can give a "this sender can't send to this recipient" + notification. Note that this patch allows $| to stand alone + in rulesets. + Define new macros ${client_name}, ${client_addr}, and ${client_port} + that have the name, IP address, and port number (respectively) + of the SMTP client (that is, the entity at the other end of + the connection. These can be used in (e.g.) check_rcpt to + verify that someone isn't trying to relay mail through your + host inappropriately. Be sure to use the deferred evaluation + form, for example $&{client_name}, to avoid having these bound + when sendmail reads the configuration file. + Add new config file rule check_relay to check the incoming connection + information. Like check_compat, it is passed the host name + and host address separated by $| and can reject connections + on that basis. + Allow IDA-style recursive function calls. Code contributed by Mark + Lovell and Paul Vixie. + Eliminate the "No ! in UUCP From address!" message" -- instead, create + a virtual UUCP address using either a domain address or the $k + macro. Based on code contributed by Mark Lovell and Paul + Vixie. + Add Stanford LDAP map. Requires special libraries that are not + included with sendmail. Contributed by Booker C. Bense + <bbense@networking.stanford.edu>; contact him for support. + See also the src/READ_ME file. + Allow -dANSI to turn on ANSI escape sequences in debug output; this + puts metasymbols (e.g., $+) in reverse video. Really useful + only for debugging deep bits of code where it is important to + distinguish between the single-character metasymbol $+ and the + two characters $, +. + Changed ruleset 89 (executed in dumpstate()) to a named ruleset, + debug_dumpstate. + Add new UnsafeGroupWrites option; if set, .forward and :include: + files that are group writable are considered "unsafe" -- that + is, programs and files referenced from such files are not + valid recipients. + Delete bogosity test for FallBackMX host; this prevented it to be a + name that was not in DNS or was a domain-literal. Problem + noted by Tom May. + Change the introduction to error messages to more clearly delineate + permanent from temporary failures; if both existed in a + single message it could be confusing. Suggested by John + Beck of InReference, Inc. + The IngoreDot (i) option didn't work for lines that were terminated + with CRLF. Problem noted by Ted Stockwell of Secure + Computing Corporation. + Add a heuristic to improve the handling of unbalanced `<' signs in + message headers. Problem reported by Matt Dillon of Best + Internet Communications. + Check for bogus characters in the 0200-0237 range; since these are + used internally, very strange errors can occur if those + characters appear in headers. Problem noted by Anders Gertz + of Lysator. + Implement 7 -> 8 bit MIME conversions. This only takes place if the + recipient mailer has the F=9 flag set, and only works on + text/plain body types. Code contributed by Marius Olafsson + of the University of Iceland. + Special case "postmaster" name so that it is always treated as lower + case in alias files regardless of configuration settings; + this prevents some potential problems where "Postmaster" or + "POSTMASTER" might not match "postmaster". In most cases + this change is a no-op. + The -o map flag was ignored for text maps. Problem noted by Bryan + Costales. + The -a map flag was ignored for dequote maps. Problem noted by + Bryan Costales. + Fix core dump when a lookup of a class "prog" map returns no + response. Patch from Bryan Costales. + Log instances where sendmail is deferring or rejecting connections + on LogLevel 14. Suggested by Kyle Jones of UUNET. + Include port number in process title for network daemons. Suggested + by Kyle Jones of UUNET. + Send ``double bounces'' (errors that occur when sending an error + message) to the address indicated in the DoubleBounceAddress + option (default: postmaster). Previously they were always + sent to postmaster. Suggested by Kyle Jones of UUNET. + Add new mode, -bD, that acts like -bd in all respects except that + it runs in foreground. This is useful for using with a + wrapper that "watches" system services. Suggested by Kyle + Jones of UUNET. + Fix botch in spacing around (parenthesized) comments in addresses + when the comment comes before the address. Patch from + Motonori Nakamura of Kyoto University. + Use the prefix "Postmaster notify" on the Subject: lines of messages + that are being bounced to postmaster, rather than "Returned + mail". This permits the person who is postmaster more + easily determine what messages are to their role as + postmaster versus bounces to mail they actually sent. Based + on a suggestion by Motonori Nakamura. + Add new value "time" for QueueSortOrder option; this causes the queue + to be sorted strictly by the time of submission. Note that + this can cause very bad behavior over slow lines (because + large jobs will tend to delay small jobs) and on nodes with + heavy traffic (because old things in the queue for hosts that + are down delay processing of new jobs). Also, this does not + guarantee that jobs will be delivered in submission order + unless you also set DeliveryMode=queue. In general, it should + probably only be used on the command line, and only in + conjunction with -qRhost.domain. In fact, there are very few + cases where it should be used at all. Based on an + implementation by Motonori Nakamura. + If a map lookup in ruleset 5 returns tempfail, queue the message in + the same manner as other rulesets. Previously a temporary + failure in ruleset 5 was ignored. Patch from Booker Bense + of Stanford University. + Don't proceed to the next MX host if an SMTP MAIL command returns a + 5yz (permanent failure) code. The next MX host will still be + tried if the connection cannot be opened in the first place + or if the MAIL command returns a 4yz (temporary failure) code. + (It's hard to know what to do here, since neither RFC 974 nor + RFC 1123 specify when to proceed to the next MX host.) + Suggested by Jonathan Kamens of OpenVision, Inc. + Add new "-t" flag for map definitions (the "K" line in the .cf file). + This causes map lookups that get a temporary failure (e.g., + name server failure) to _not_ defer the delivery of the + message. This should only be used if your configuration file + is prepared to do something sensible in this case. Based on + an idea by Gregory Shapiro of WPI. + Fix problem finding network interface addresses. Patch from + Motonori Nakamura. + Don't reject qf entries that are not owned by your effective uid if + you are not running set-user-ID; this makes management of + certain kinds of firewall setups difficult. Patch + suggested by Eamonn Coleman of Qualcomm. + Add persistent host status. This keeps the information normally + maintained within a single queue run in disk files that are + shared between sendmail instances. The HostStatusDirectory + is the directory in which the information is maintained. If + not set, persistent host status is turned off. If not a full + pathname, it is relative to the queue directory. A common + value is ".hoststat". + There are also two new operation modes: + * -bh prints the status of hosts that have had recent + connections. + * -bH purges the host statuses. No attempt is made to save + recent status information. + This feature was originally written by Paul Vixie of Vixie + Enterprises for KJS and adapted for V8 by Mark Lovell of + Bigrock Consulting. Paul's funding of Mark and Mark's patience + with my insistence that things fit cleanly into the V8 + framework is gratefully appreciated. + New SingleThreadDelivery option (requires HostStatusDirectory to + operate). Avoids letting two sendmails on the local machine + open connections to the same remote host at the same time. + This reduces load on the other machine, but can cause mail to + be delayed (for example, if one sendmail is delivering a huge + message, other sendmails won't be able to send even small + messages). Also, it requires another file descriptor (for the + lock file) per connection, so you may have to reduce + ConnectionCacheSize to avoid running out of per-process + file descriptors. Based on the persistent host status code + contributed by Paul Vixie and Mark Lovell. + Allow sending to non-simple files (e.g., /dev/null) even if the + SafeFileEnvironment option is set. Problem noted by Bryan + Costales. + The -qR flag mistakenly matched flags in the "R" line of the queue + file. Problem noted by Bryan Costales. + If a job was aborted using the interrupt signal (e.g., control-C from + the keyboard), on some occasions an empty df file would be + left around; these would collect in the queue directory. + Problem noted by Bryan Costales. + Change the makesendmail script to enhance the search for Makefiles + based on release number. For example, on SunOS 5.5.1, it will + search for Makefile.SunOS.5.5.1, Makefile.SunOS.5.5, and then + Makefile.SunOS.5.x (in addition to the other rules, e.g., + adding $arch). Problem noted by Jason Mastaler of Atlanta + Webmasters. + When creating maps using "newaliases", always map the keys to lower + case when creating the map unless the -f flag is specified on + the map itself. Previously this was done based on the F=u + flag in the local mailer, which meant you could create aliases + that you could never access. Problem noted by Bob Wu of DEC. + When a job was read from the queue, the bits causing notification on + failure or delay were always set. This caused those + notifications to be sent even if NOTIFY=NEVER had been + specified. Problem noted by Steve Hubert of the University + of Washington, Seattle. + Add new configurable routine validate_connection (in conf.c). This + lets you decide if you are willing to accept traffic from + this host. If it returns FALSE, all SMTP commands will return + "550 Access denied". -DTCPWRAPPERS will include support for + TCP wrappers; you will need to add -lwrap to the link line. + (See src/READ_ME for details.) + Don't include the "THIS IS A WARNING MESSAGE ONLY" banner on postmaster + bounces. Some people seemed to think that this could be + confusing (even though it is true). Suggested by Motonori + Nakamura. + Add new RunAsUser option; this causes sendmail to do a setuid to that + user early in processing to avoid potential security problems. + However, this means that all .forward and :include: files must + be readable by that user, and all files to be written must be + writable by that user and all programs will be executed by that + user. It is also incompatible with the SafeFileEnvironment + option. In other words, it may not actually add much to + security. However, it should be useful on firewalls and other + places where users don't have accounts and the aliases file is + well constrained. + Add Timeout.iconnect. This is like Timeout.connect except it is used + only on the first attempt to delivery to an address. It could + be set to be lower than Timeout.connect on the principle that + the mail should go through quickly to responsive hosts; less + responsive hosts get to wait for the next queue run. + Fix a problem on Solaris that occasionally causes programs + (such as vacation) to hang with their standard input connected + to a UDP port. It also created some signal handling problems. + The problems turned out to be an interaction between vfork(2) + and some of the libraries, particularly NIS/NIS+. I am + indebted to Tor Egge <tegge@idt.ntnu.no> for this fix. + Change user class map to do the same matching that actual delivery + will do instead of just a /etc/passwd lookup. This adds + fuzzy matching to the user map. Patch from Dan Oscarsson. + The Timeout.* options are not safe -- they can be used to create a + denial-of-service attack. Problem noted by Christophe + Wolfhugel. + Don't send PostmasterCopy messages in the event of a "delayed" + notification. Suggested by Barry Bouwsma. + Don't advertise "VERB" ESMTP extension if the "noexpn" privacy + option is set, since this disables VERB mode. Suggested + by John Hawkinson of MIT. + Complain if the QueueDirectory (Q) option is not set. Problem noted + by Motonori Nakamura of Kyoto University. + Only queue messages on transient .forward open failures if there + were no successful opens. The previous behavior caused it + to queue even if a "fall back" .forward was found. Problem + noted by Ann-Kian Yeo of the Dept. of Information Systems + and Computer Science (DISCS), NUS, Singapore. + Don't do 8->7 bit conversions when bouncing a MIME message that + is bouncing because of a MIME error during 8->7 bit conversion; + the encapsulated message will bounce again, causing a loop. + Problem noted by Steve Hubert of the University of Washington. + Create xf (transcript) files using the TempFileMode option value + instead of 0644. Suggested by Ann-Kian Yeo of the + National University of Singapore. + Print errors if setgid/setuid/etc. fail during delivery. This helps + detect cases where DefaultUid is set to something that the + system can't cope with. + PORTABILITY FIXES: + Support for AIX/RS 2.2.1 from Mark Whetzel of Western + Atlas International. + Patches for Intel Paragon OSF/1 1.3 from Leo Bicknell + <bicknell@ufp.org>. + On DEC OSF/1 3.2 and earlier, the MatchGECOS code would only + work on the first recipient of a message due to a + bug in the getpwent family. If this is something you + use, you can define DEC_OSF_BROKEN_GETPWENT=1 for a + workaround. From Maximum Entropy of Sanford C. + Bernstein and Associates. + FreeBSD 1.1.5.1 uname -r returns a string containing + parentheses, which breaks makesendmail. Reported + by Piero Serini <piero@strider.ibenet.it>. + Sequent DYNIX/ptx 4.0.2 patches from Jack Woolley of + Systems and Computer Technology Corporation. + Solaris 2.x: omit the UUCP grade parameter (-g flag) because + it is system-dependent. Problem noted by J.J. Bailey + of Bailey Computer Consulting. + Pyramid NILE running DC/OSx support from Earle F. Ake of + Hassler Communication Systems Technology, Inc. + HP-UX 10.x compile glitches, reported by Anne Brink of the + U.S. Army and James Byrne of Harte & Lyne Limited. + NetBSD from Matthew Green of the NetBSD crew. + SCO 5.x from Keith Reynolds of SCO. + IRIX 6.2 from Robert Tarrall of the University of + Colorado and Kari Hurtta of the Finnish Meteorological + Institute. + UXP/DS (Fujitsu/ICL DS/90 series) support from Diego R. + Lopez, CICA (Seville). + NCR SVR4 MP-RAS 3.x support from Tom Moore of NCR. + PTX 3.2.0 from Kenneth Stailey of the US Department of Labor + Employment Standards Administration. + Altos System V (5.3.1) from Tim Rice of Multitalents. + Concurrent Systems Corporation Maxion from Donald R. Laster + Jr. + NetInfo maps (improved debugging and multi-valued aliases) + from Adrian Steinmann of Steinmann Consulting. + ConvexOS 11.5 (including SecureWare C2 and the Share Scheduler) + from Eric Schnoebelen of Convex. + Linux 2.0 mail.local patches from Horst von Brand. + NEXTSTEP 3.x compilation from Robert La Ferla. + NEXTSTEP 3.x code changes from Allan J. Nathanson of NeXT. + Solaris 2.5 configuration fixes for mail.local by Jim Davis + of the University of Arizona. + Solaris 2.5 has a working setreuid. Noted by David Linn of + Vanderbilt University. + Solaris changes for praliases, makemap, mailstats, and smrsh. + Previously you had to add -DSOLARIS in Makefile.dist; + this auto-detects. Based on a patch from Randall + Winchester of the University of Maryland. + CONFIG: add generic-nextstep3.3.mc file. Contributed by + Robert La Ferla of Hot Software. + CONFIG: allow mailertables to resolve to ``error:code message'' + (where "code" is an exit status) on domains (previously + worked only on hosts). Patch from Cor Bosman of Xs4all + Foundation. + CONFIG: hooks for IPv6-style domain literals. + CONFIG: predefine ALIAS_FILE and change the prototype file so that + if it is undefined the AliasFile option is never set; this + should be transparent for most everyone. Suggested by John + Myers of CMU. + CONFIG: add FEATURE(limited_masquerade). Without this feature, any + domain listed in $=w is masqueraded. With it, only those + domains listed in a MASQUERADE_DOMAIN macro are masqueraded. + CONFIG: add FEATURE(masquerade_entire_domain). This causes + masquerading specified by MASQUERADE_DOMAIN to apply to all + hosts under those domains as well as the domain headers + themselves. For example, if a configuration had + MASQUERADE_DOMAIN(foo.com), then without this feature only + foo.com would be masqueraded; with it, *.foo.com would be + masqueraded as well. Based on an implementation by Richard + (Pug) Bainter of U. Texas. + CONFIG: add FEATURE(genericstable) to do a more general rewriting of + outgoing addresses. Defaults to ``hash -o /etc/genericstable''. + Keys are user names; values are outgoing mail addresses. Yes, + this does overlap with the user database, and figuring out + just when to use which one may be tricky. Based on code + contributed by Richard (Pug) Bainter of U. Texas with updates + from Per Hedeland of Ericsson. + CONFIG: add FEATURE(virtusertable) to do generalized rewriting of + incoming addresses. Defaults to ``hash -o /etc/virtusertable''. + Keys are either fully qualified addresses or just the host + part (with the @ sign). For example, a table containing: + info@foo.com foo-info + info@bar.com bar-info + @baz.org jane@elsewhere.net + would send all mail destined for info@foo.com to foo-info + (which is presumably an alias), mail addressed to info@bar.com + to bar-info, and anything addressed to anyone at baz.org will + be sent to jane@elsewhere.net. The names foo.com, bar.com, + and baz.org must all be in $=w. Based on discussions with + a great many people. + CONFIG: add nullclient configurations to define SMTP_MAILER_FLAGS. + Suggested by Richard Bainter. + CONFIG: add FAX_MAILER_ARGS to tweak the arguments passed to the + "fax" mailer. + CONFIG: allow mailertable entries to resolve to local:user; this + passes the original user@host in to procmail-style local + mailers as the "detail" information to allow them to do + additional clever processing. From Joe Pruett of + Teleport Corporation. Delivery to the original user can + be done by specifying "local:" (with nothing after the colon). + CONFIG: allow any context that takes "mailer:domain" to also take + "mailer:user@domain" to force mailing to the given user; + "local:user" can also be used to do local delivery. This + applies on *_RELAY and in the mailertable entries. Based + on a suggestion by Ribert Kiessling of Easynet. + CONFIG: Allow FEATURE(bestmx_is_local) to take an argument that + limits the possible domains; this reduces the number of DNS + lookups required to support this feature. For example, + FEATURE(bestmx_is_local, my.site.com) limits the lookups + to domains under my.site.com. Code contributed by Anthony + Thyssen <anthony@cit.gu.edu.au>. + CONFIG: LOCAL_RULESETS introduces any locally defined rulesets, + such as the check_rcpt ruleset. Suggested by Gregory Shapiro + of WPI. + CONFIG: MAILER_DEFINITIONS introduces any mailer definitions, in the + event you have to define local mailers. Suggested by + Gregory Shapiro of WPI. + CONFIG: fix cases where a three- (or more-) stage route-addr could + be misinterpreted as a list:...; syntax. Based on a patch by + Vlado Potisk <Vlado_Potisk@tempest.sk>. + CONFIG: Fix masquerading of UUCP addresses when the UUCP relay is + remotely connected. The address host!user was being + converted to host!user@thishost instead of host!user@uurelay. + Problem noted by William Gianopoulos of Raytheon Company. + CONFIG: add confTO_ICONNECT to set Timeout.iconnect. + CONFIG: change FEATURE(redirect) message from "User not local" to + "User has moved"; the former wording was confusing if the + new address is still on the local host. Based on a suggestion + by Andreas Luik. + CONFIG: add support in FEATURE(nullclient) for $=E (exposed users). + However, the class is not pre-initialized to contain root. + Suggested by Gregory Neil Shapiro. + CONTRIB: Remove XLA code at the request of the author, Christophe + Wolfhugel. + CONTRIB: Add re-mqueue.pl, contributed by Paul Pomes of Qualcomm. + MAIL.LOCAL: make it possible to compile mail.local on Solaris. Note + well: this produces a slightly different mailbox format (no + Content-Length: headers), file ownerships and modes are + different (not owned by group mail; mode 600 instead of 660), + and the local mailer flags will have to be tweaked (make them + match bsd4.4) in order to use this mailer. Patches from Paul + Hammann of the Missouri Research and Education Network. + MAIL.LOCAL: in some cases it could return EX_OK even though there + was a delivery error, such as if the ownership on the file + was wrong or the mode changed between the initial stat and + the open. Problem reported by William Colburn of the New + Mexico Institute of Mining and Technology. + MAILSTATS: handle zero length files more reliably. Patch from Bryan + Costales. + MAILSTATS: add man page contributed by Keith Bostic of BSDI. + MAKEMAP: The -d flag (to allow duplicate keys) to a btree map wasn't + honored. Fix from Michael Scott Shappe. + PRALIASES: add man page contributed by Keith Bostic of BSDI. + NEW FILES: + src/Makefiles/Makefile.AIX.2 + src/Makefiles/Makefile.IRIX.6.2 + src/Makefiles/Makefile.maxion + src/Makefiles/Makefile.NCR.MP-RAS.3.x + src/Makefiles/Makefile.SCO.5.x + src/Makefiles/Makefile.UXPDSV20 + mailstats/mailstats.8 + praliases/praliases.8 + cf/cf/generic-nextstep3.3.mc + cf/feature/genericstable.m4 + cf/feature/limited_masquerade.m4 + cf/feature/masquerade_entire_domain.m4 + cf/feature/virtusertable.m4 + cf/ostype/aix2.m4 + cf/ostype/altos.m4 + cf/ostype/maxion.m4 + cf/ostype/solaris2.ml.m4 + cf/ostype/uxpds.m4 + contrib/re-mqueue.pl + DELETED FILES: + src/Makefiles/Makefile.Solaris + contrib/xla/README + contrib/xla/xla.c + RENAMED FILES: + src/Makefiles/Makefile.NCR3000 => Makefile.NCR.MP-RAS.2.x + src/Makefiles/Makefile.SCO.3.2v4.2 => Makefile.SCO.4.2 + src/Makefiles/Makefile.UXPDS => Makefile.UXPDSV10 + src/Makefiles/Makefile.NeXT => Makefile.NeXT.2.x + src/Makefiles/Makefile.NEXTSTEP => Makefile.NeXT.3.x + +8.7.6/8.7.3 1996/09/17 + SECURITY: It is possible to force getpwuid to fail when writing the + queue file, causing sendmail to fall back to running programs + as the default user. This is not exploitable from off-site. + Workarounds include using a unique user for the DefaultUser + (old u & g options) and using smrsh as the local shell. + SECURITY: fix some buffer overruns; in at least one case this allows + a local user to get root. This is not known to be exploitable + from off-site. The workaround is to disable chfn(1) commands. + +8.7.5/8.7.3 1996/03/04 + Fix glitch in 8.7.4 when putting certain internal lines; this can + in some case cause connections to hang or messages to have + extra spaces in odd places. Patch from Eric Wassenaar; + reports from Eric Hall of Chiron Corporation, Stephen + Hansen of Stanford University, Dean Gaudet of HotWired, + and others. + +8.7.4/8.7.3 1996/02/18 + SECURITY: In some cases it was still possible for an attacker to + insert newlines into a queue file, thus allowing access to + any user (except root). + CONFIG: no changes -- it is not a bug that the configuration + version number is unchanged. + +8.7.3/8.7.3 1995/12/03 + Fix botch in name server timeout in RCPT code; this problem caused + two responses in SMTP, which breaks things horribly. Fix + from Gregory Neil Shapiro of WPI. + Verify that L= value on M lines cannot be negative, which could cause + negative array subscripting. Not a security problem since + this has to be in the config file, but it could have caused + core dumps. Pointed out by Bryan Costales. + Fix -d21 debug output for long macro names. Pointed out by Bryan + Costales. + PORTABILITY FIXES: + SCO doesn't have ftruncate. From Bill Aten of Computerizers. + IBM's version of arpa/nameser.h defaults to the wrong byte + order. Tweak it to work properly. Based on fixes + from Fletcher Mattox of UTexas and Betty Lee of + Stanford University. + CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option. + Deficiency pointed out by Bryan Costales of ICSI. + +8.7.2/8.7.2 1995/11/19 + REALLY fix the backslash escapes in SmtpGreetingMessage, + OperatorChars, and UnixFromLine options. They were not + properly repaired in 8.7.1. + Completely delete the Bcc: header if and only if there are other + valid recipient headers (To:, Cc: or Apparently-To:, the + last being a historic botch, of course). If Bcc: is the + only recipient header in the message, its value is tossed, + but the header name is kept. The old behavior (always keep + the header name and toss the value) allowed primary recipients + to see that a Bcc: went to _someone_. + Include queue id on ``Authentication-Warning: <host>: <user> set + sender to <address> using -f'' syslog messages. Suggested + by Kari Hurtta. + If a sequence or switch map lookup entry gets a tempfail but then + continues on to another map type, but the name is not found, + return a temporary failure from the sequence or switch map. + For example, if hosts search ``dns files'' and DNS fails + with a tempfail, the hosts map will go on and search files, + but if it fails the whole thing should be a tempfail, not + a permanent (host unknown) failure, even though that is the + failure in the hosts.files map. This error caused hard + bounces when it should have requeued. + Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo + owned by bar mode 700 and inbox being set-user-ID bar stopped + working properly due to excessive paranoia. Pointed out by + John Hawkinson of Panix. + An SMTP RCPT command referencing a host that gave a nameserver + timeout would return a 451 command (8.6 accepted it and + queued it locally). Revert to the 8.6 behavior in order + to simplify queue management for clustered systems. Suggested + by Gregory Neil Shapiro of WPI. The same problem could break + MH, which assumes that the SMTP session will succeed (tsk, tsk + -- mail gets lost!); this was pointed out by Stuart Pook of + Infobiogen. + Fix possible buffer overflow in munchstring(). This was not a security + problem because you couldn't specify any argument to this + without first giving up root privileges, but it is still a + good idea to avoid future problems. Problem noted by John + Hawkinson and Sam Hartman of MIT. + ``452 Out of disk space for temp file'' messages weren't being + printed. Fix from David Perlin of Nanosoft. + Don't advertise the ESMTP DSN extension if the SendMimeErrors option + is not set, since this is required to get the actual DSNs + created. Problem pointed out by John Gardiner Myers of CMU. + Log permission problems that cause .forward and :include: files to + be untrusted or ignored on log level 12 and higher. Suggested + by Randy Martin of Clemson University. + Allow user ids in U= clauses of M lines to have hyphens and + underscores. + Fix overcounting of recipients -- only happened when sending to an + alias. Pointed out by Mark Andrews of SGI and Jack Woolley + of Systems and Computer Technology Corporation. + If a message is sent to an address that fails, the error message that + is returned could show some extraneous "success" information + included even if the user did not request success notification, + which was confusing. Pointed out by Allan Johannesen of WPI. + Config files that had no AliasFile definition were defaulting to + using /etc/aliases; this caused problems with nullclient + configurations. Change it back to the 8.6 semantics of + having no local alias file unless it is declared. Problem + noted by Charles Karney of Princeton University. + Fix compile problem if NOTUNIX is defined. Pointed out by Bryan + Costales of ICSI. + Map lookups of class "userdb" maps were always case sensitive; they + should be controlled by the -f flag like other maps. Pointed + out by Bjart Kvarme <bjart.kvarme@usit.uio.no>. + Fix problem that caused some addresses to be passed through ruleset 5 + even when they were tagged as "sticky" by prefixing the + address with an "@". Patch from Thomas Dwyer III of Michigan + Technological University. + When converting a message to Quoted-Printable, prevent any lines with + dots alone on a line by themselves. This is because of the + preponderance of broken mailers that still get this wrong. + Code contributed by Per Hedeland of Ericsson. + Fix F{macro}/file construct -- it previously did nothing. Pointed + out by Bjart Kvarme of USIT/UiO (Norway). + Announce whether a cached connection is SMTP or ESMTP (in -v mode). + Requested by Allan Johannesen. + Delete check for text format of alias files -- it should be legal + to have the database format of the alias files without the + text version. Problem pointed out by Joe Rhett of Navigist, + Inc. + If "Ot" was specified with no value, the TZ variable was not properly + imported from the environment. Pointed out by Frank Crawford + <frank@ansto.gov.au>. + Some architectures core dumped on "program" maps that didn't have + extra arguments. Patch from Booker C. Bense of Stanford + University. + Queue run processes would re-spawn daemons when given a SIGHUP; only + the parent should do this. Fix from Brian Coan of the + Association for Progressive Communications. + If MinQueueAge was set and a message was considered but not run + during a queue run and the Timeout.queuereturn interval was + reached, a "timed out" error message would be returned that + didn't include the failed address (and claimed to be a warning + even though it was fatal). The fix is to not return such + messages until they are actually tried, i.e., in the next + MinQueueAge interval. Problem noted by Rein Tollevik of + SINTEF RUNIT, Oslo. + Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions + that have the hes_getmailhost() routine. DEC Hesiod + distributions do not have this routine. Based on a patch + from Betty Lee of Stanford University. + Extensive cleanups to map open code to handle a locking race condition + in ndbm, hash, and btree format database files on some (most + non-4.4-BSD based) OS architectures. This should solve the + occasional "user unknown" problem during alias rebuilds that + has plagued me for quite some time. Based on a patch from + Thomas Dwyer III of Michigan Technological University. + PORTABILITY FIXES: + Solaris: Change location of newaliases and mailq from + /usr/ucb to /usr/bin to match Sun settings. From + James B. Davis of TCI. + DomainOS: Makefile.DomainOS doesn't require -ldbm. From + Don Lewis of Silicon Systems. + HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x + so that the makesendmail script will find it. Pointed + out by Richard Allen of the University of Iceland. + Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which + isn't supported on all compilers. + UXPDS: compilation fixes from Diego R. Lopez. + CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless + you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE. + CONFIG: Minor glitch in S21 -- attachment of local domain name + didn't have trailing dot. From Jim Hickstein of Teradyne. + CONFIG: Fix best_mx_is_local feature to allow nested addresses such as + user%host@thishost. From Claude Scarpelli of Infobiogen + (France). + CONFIG: OSTYPE(hpux10) failed to define the location of the help file. + Pointed out by Hannu Martikka of Nokia Telecommunications. + CONFIG: Diagnose some inappropriate ordering in configuration files, + such as FEATURE(smrsh) listed after MAILER(local). Based on + a bug report submitted by Paul Hoffman of Proper Publishing. + CONFIG: Make OSTYPE files consistently not override settings that + have already been set. Previously it worked differently + for different files. + CONFIG: Change relay mailer to do masquerading like 8.6 did. My take + is that this is wrong, but the change was causing problems + for some people. From Per Hedeland of Ericsson. + CONTRIB: bitdomain.c patch from John Gardiner Myers <jgm+@CMU.EDU>; + portability changes for Posix environments (no functional + changes). + +8.7.1/8.7.1 1995/10/01 + Old macros that have become options (SmtpGreetingMessage, + OperatorChars, and UnixFromLine) didn't allow backslash + escapes in the options, where they previously had. Bug + pointed out by John Hawkinson of MIT. + Fix strange case of an executable called by a program map that + returns a value but also a non-zero exit status; this + would give contradictory results in the higher level; in + particular, the default clause in the map lookup would be + ignored. Change to ignore the value if the program returns + non-zero exit status. From Tom Moore of AT&T GIS. + Shorten parameters passed to syslog() in some contexts to avoid a + bug in many vendors' implementations of that routine. Although + this isn't really a bug in sendmail per se, and my solution + has to assume that syslog() has at least a 1K buffer size + internally (I know some vendors have shortened this + dramatically -- they're on their own), sendmail is a popular + target. Also, limit the size of %s arguments in sprintf. + These both have possible security implications. Solutions + suggested by Casper Dik of Sun's Network Security Group + (Holland), Mark Seiden, and others. + Fix a problem that might cause a non-standard -B (body type) + parameter to be passed to the next server with undefined + results. This could have security implications. + If a filesystem was at > 100% utilization, the freediskspace() + routine incorrectly returned an error rather than zero. + Problem noted by G. Paul Ziemba of Alantec. + Change MX sort order so that local hostnames (those in $=w) always + sort first within a given preference. This forces the bestmx + map to always return the local host first, if it is included + in the list of highest priority MX records. From K. Robert + Elz. + Avoid some possible null pointer dereferences. Fixes from Randy + Martin <WOLF@CLEMSON.EDU> + When sendmail starts up on systems that have no fully qualified + domain name (FQDN) anywhere in the first matching host map + (e.g., /etc/hosts if the hosts service searches "files dns"), + sendmail would sleep to try to find a FQDN, which it really + really needs. This has been changed to fall through to the + next map type if it can't find a FQDN -- i.e., if the hosts + file doesn't have a FQDN, it will try dns even though the + short name was found in /etc/hosts. This is probably a crock, + but many people have hosts files without FQDNs. Remember: + domain names are your friends. + Log a high-priority message if you can't find your FQDN during startup. + Suggested by Simon Barnes of Schlumberger Limited. + When using Hesiod, initialize it early to improve error reporting. + Patch from Don Lewis of Silicon Systems, Inc. + Apparently at least some versions of Linux have a 90 !minute! TCP + connection timeout in the kernel. Add a new "connect" timeout + to limit this time. Defaults to zero (use whatever the + kernel provides). Based on code contributed by J.R. Oldroyd + of TerraNet. + Under some circumstances, a failed message would not be properly + removed from the queue, causing tons of bogus error messages. + (This fix eliminates the problematic EF_KEEPQUEUE flag.) + Problem noted by Allan E Johannesen and Gregory Neil Shapiro + of WPI. + PORTABILITY FIXES: + On IRIX 5.x, there was an inconsistency in the setting + of sendmail.st location. Change the Makefile to + install it in /var/sendmail.st to match the OSTYPE + file and SGI standards. From Andre + <andre@curry.zfe.siemens.de>. + Support for Fujitsu/ICL UXP/DS (For the DS/90 Series) + from Diego R. Lopez <drlopez@cica.es>. + Linux compilation patches from J.R. Oldroyd of TerraNet, Inc. + LUNA 2 Mach patches from Motonori Nakamura. + SunOS Makefile was including -ldbm, which is for the old + dbm library. The ndbm library is part of libc. + CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with + ``local configuration error'' in nullclient configuration. + Patch from Gregory Neil Shapiro of WPI. + CONFIG: don't allow an alias file in nullclient configurations -- + since all addresses are relayed, they give errors during + rebuild. Suggested by Per Hedeland of Ericsson. + CONFIG: local mailer on Solaris 2 should always get a -f flag because + otherwise the F=S causes the From_ line to imply that root is + the sender. Problem pointed out by Claude Scarpelli of + Infobiogen (France). + NEW FILES: + cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake) + src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake) + src/Makefiles/Makefile.UXPDS + +8.7/8.7 1995/09/16 + Fix a problem that could cause sendmail to run out of file + descriptors due to a trashed data structure after a + vfork. Fix from Brian Coan of the Institute for + Global Communications. + Change the VRFY response if you have disabled VRFY -- some + people seemed to think that it was too rude. + Avoid reference to uninitialized file descriptor if HASFLOCK + was not defined. This was used "safely" in the sense + that it only did a stat, but it would have set the + map modification time improperly. Problem pointed out + by Roy Mongiovi of Georgia Tech. + Clean up the Subject: line on warning messages and return + receipts so that they don't say "Returned mail:"; this + can be confusing. + Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is + useful enough to make it worthwhile printing on "-d". + Avoid logging alias statistics every time you read the alias + file on systems with no database method compiled in. + If you have a name with a trailing dot, and you try looking it + up using gethostbyname without the dot (for /etc/hosts + compatibility), be sure to turn off RES_DEFNAMES and + RES_DNSRCH to avoid finding the wrong name accidentally. + Problem noted by Charles Amos of the University of + Maryland. + Don't do timeouts in collect if you are not running SMTP. + There is nothing that says you can't have a long + running program piped into sendmail (possibly via + /bin/mail, which just execs sendmail). Problem reported + by Don "Truck" Lewis of Silicon Systems. + Try gethostbyname() even if the DNS lookup fails iff option I + is not set. This allows you to have hosts listed in + NIS or /etc/hosts that are not known to DNS. It's normally + a bad idea, but can be useful on firewall machines. This + should really be broken out on a separate flag, I suppose. + Avoid compile warnings against BIND 4.9.3, which uses function + prototypes. From Don Lewis of Silicon Systems. + Avoid possible incorrect diagnosis of DNS-related errors caused + by things like attempts to resolve uucp names using + $[ ... $] -- the fix is to clear h_errno at appropriate + times. From Kyle Jones of UUNET. + SECURITY: avoid denial-of-service attacks possible by destroying + the alias database file by setting resource limits low. + This involves adding two new compile-time options: + HASSETRLIMIT (indicating that setrlimit(2) support is + available) and HASULIMIT (indicating that ulimit(2) support + is available -- the Release 3 form is used). The former + is assumed on BSD-based systems, the latter on System + V-based systems. Attack noted by Phil Brandenberger of + Swarthmore University. + New syntaxes in test (-bt) mode: + ``.Dmvalue'' will define macro "m" to "value". + ``.Ccvalue'' will add "value" to class "c". + ``=Sruleset'' will dump the contents of the indicated + ruleset. + ``=M'' will display the known mailers. + ``-ddebug-spec'' is equivalent to the command-line + -d debug flag. + ``$m'' will print the value of macro $m. + ``$=c'' will print the contents of class $=c. + ``/mx host'' returns the MX records for ``host''. + ``/parse address'' will parse address, returning the value of + crackaddr (essentially, the comment information) + and the parsed address. + ``/try mailer address'' will rewrite address into the form + it will have when presented to the indicated mailer. + ``/tryflags flags'' will set flags used by parsing. The + flags can be `H' for header or `E' for envelope, + and `S' for sender or `R' for recipient. These + can be combined, so `HR' sets flags for header + recipients. + ``/canon hostname'' will try to canonify hostname and + return the result. + ``/map mapname key'' will look up `key' in the indicated + `mapname' and return the result. + Somewhat better handling of UNIX-domain socket addresses -- it + should show the pathname rather than hex bytes. + Restore ``-ba'' mode -- this reads a file from stdin and parses + the header for envelope sender information and uses + CR-LF as message terminators. It was thought to be + obsolete (used only for Arpanet NCP protocols), but it + turns out that the UK ``Grey Book'' protocols require + that functionality. + Fix a fix in previous release -- if gethostname and gethostbyname + return a name without dots, and if an attempt to canonify + that name fails, wait one minute and try again. This can + result in an extra 60 second delay on startup if your system + hostname (as returned by hostname(1)) has no dot and no names + listed in /etc/hosts or your NIS map have a dot. + Check for proper domain name on HELO and EHLO commands per + RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III + of Michigan Technological University. + Relax chownsafe rules slightly -- old version said that if you + can't tell if _POSIX_CHOWN_RESTRICTED is set (that is, + if fpathconf returned EINVAL or ENOSYS), assume that + chown is not safe. The new version falls back to whether + you are on a BSD system or not. This is important for + SunOS, which apparently always returns one of those + error codes. This impacts whether you can mail to files + or not. + Syntax errors such as unbalanced parentheses in the configuration + file could be omitted if you had "Oem" prior to the + syntax error in the config file. Change to always print + the error message. It was especially weird because it + would cause a "warning" message to be sent to the Postmaster + for every message sent (but with no transcript). Problem + noted by Gregory Paris of Motorola. + Rewrite collect and putbody to handle full 8-bit data, including + zero bytes. These changes are internally extensive, but + should have minimal impact on external function. + Allow full words for option names -- if the option letter is + (apparently) a space, then take the word following -- e.g., + O MatchGECOS=TRUE + The full list of old and new names is as follows: + 7 SevenBitInput + 8 EightBitMode + A AliasFile + a AliasWait + B BlankSub + b MinFreeBlocks/MaxMessageSize + C CheckpointInterval + c HoldExpensive + D AutoRebuildAliases + d DeliveryMode + E ErrorHeader + e ErrorMode + f SaveFromLine + F TempFileMode + G MatchGECOS + H HelpFile + h MaxHopCount + i IgnoreDots + I ResolverOptions + J ForwardPath + j SendMimeErrors + k ConnectionCacheSize + K ConnectionCacheTimeout + L LogLevel + l UseErrorsTo + m MeToo + n CheckAliases + O DaemonPortOptions + o OldStyleHeaders + P PostmasterCopy + p PrivacyOptions + Q QueueDirectory + q QueueFactor + R DontPruneRoutes + r, T Timeout + S StatusFile + s SuperSafe + t TimeZoneSpec + u DefaultUser + U UserDatabaseSpec + V FallbackMXHost + v Verbose + w TryNullMXList + x QueueLA + X RefuseLA + Y ForkEachJob + y RecipientFactor + z ClassFactor + Z RetryFactor + The old macros that passed information into sendmail have + been changed to options; those correspondences are: + $e SmtpGreetingMessage + $l UnixFromLine + $o OperatorChars + $q (deleted -- not necessary) + To avoid possible problems with an older sendmail, + configuration level 6 is accepted by this version of + sendmail; any config file using the new names should + specify "V6" in the configuration. + Change address parsing to properly note that a phrase before a + colon and a trailing semicolon are essentially the same + as text outside of angle brackets (i.e., sendmail should + treat them as comments). This is to handle the + ``group name: addr1, addr2, ..., addrN;'' syntax (it will + assume that ``group name:'' is a comment on the first + address and the ``;'' is a comment on the last address). + This requires config file support to get right. It does + understand that :: is NOT this syntax, and can be turned + off completely by setting the ColonOkInAddresses option. + Level 6 config files added with new mailer flags: + A Addresses are aliasable. + i Do udb rewriting on envelope as well as header + sender lines. Applies to the from address mailer + flags rather than the recipient mailer flags. + j Do udb rewriting on header recipient addresses. + Applies to the sender mailer flags rather than the + recipient mailer flags. + k Disable check for loops when doing HELO command. + o Always run as the mail recipient, even on local + delivery. + w Check for an /etc/passwd entry for this user. + 5 Pass addresses through ruleset 5. + : Check for :include: on this address. + | Check for |program on this address. + / Check for /file on this address. + @ Look up sender header addresses in the user + database. Applies to the mailer flags for the + mailer corresponding to the envelope sender + address, rather than to recipient mailer flags. + Pre-level 6 configuration files set A, w, 5, :, |, /, and @ + on the "local" mailer, the o flag on the "prog" and "*file*" + mailers, and the ColonOkInAddresses option. + Eight-to-seven bit MIME conversions. This borrows ideas from + John Beck of Hewlett-Packard, who generously contributed + their implementation to me, which I then didn't use (see + mime.c for an explanation of why). This adds the + EightBitMode option (a.k.a. `8') and an F=8 mailer flag + to control handling of 8-bit data. These have to cope with + two types of 8-bit data: unlabelled 8-bit data (that is, + 8-bit data that is entered without declaring it as 8-bit + MIME -- technically this is illegal according to the + specs) and labelled 8-bit data (that is, it was declared + as 8BITMIME in the ESMTP session or by using the + -B8BITMIME command line flag). If the F=8 mailer flag is + set then 8-bit data is sent to non-8BITMIME machines + instead of converting to 7 bit (essentially using + just-send-8 semantics). The values for EightBitMode are: + m convert unlabelled 8-bit input to 8BITMIME, and do + any necessary conversion of 8BITMIME to 7BIT + (essentially, the full MIME option). + p pass unlabelled 8-bit input, but convert labelled + 8BITMIME input to 7BIT as required (default). + s strict adherence: reject unlabelled 8-bit input, + convert 8BITMIME to 7BIT as required. The F=8 + flag is ignored. + Unlabelled 8-bit data is rejected in mode `s' regardless of + the setting of F=8. + Add new internal class 'n', which is the set of MIME Content-Types + which can not be 8 to 7 bit encoded because of other + considerations. Types "multipart/*" and "message/*" are + never directly encoded (although their components can be). + Add new internal class 's', which is the set of subtypes of the + MIME message/* content type that can be treated as though + they are an RFC822 message. It is predefined to have + "rfc822". Suggested By Kari Hurtta. + Add new internal class 'e'. This is the set of MIME + Content-Transfer-Encodings that can be converted to + a seven bit format (Quoted-Printable or Base64). It is + preinitialized to contain "7bit", "8bit", and "binary". + Add C=charset mailer parameter and the the DefaultCharSet option (no + short name) to set the default character set to use in the + Content-Type: header when doing encoding of an 8-bit message + which isn't marked as MIME into MIME format. If the C= + parameter is set on the Envelope From address, use that as + the default encoding; else use the DefaultCharSet option. + If neither is set, it defaults to "unknown-8bit" as + suggested by RFC 1428 section 3. + Allow ``U=user:group'' field in mailer definition to set a default + user and group that a mailer will be executed as. This + overrides the 'u' and 'g' options, and if the `F=S' flag is + also set, it is the uid/gid that will always be used (that + is, the controlling address is ignored). The values may be + numeric or symbolic; if only a symbolic user is given (no + group) that user's default group in the passwd file is used + as the group. Based on code donated by Chip Rosenthal of + Unicom. + Allow `u' option to also accept user:group as a value, in the same + fashion as the U= mailer option. + Add the symbolic time zone name in the Arpanet format dates (as + a comment). This adds a new compile-time configuration + flag: TZ_TYPE can be set to TZ_TM_NAME (use the value + of (struct tm *)->tm_name), TZ_TM_ZONE (use the value + of (struct tm *)->tm_zone), TZ_TZNAME (use extern char + *tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use + timezone()), or TZ_NONE (don't include the comment). Code + from Chip Rosenthal. + The "Timeout" option (formerly "r") is extended to allow suboptions. + For example, + O Timeout.helo = 2m + There are also two new suboptions "queuereturn" and + "queuewarn"; these subsume the old T option. Thus, to + set them both the preferred new syntax is + O Timeout.queuereturn = 5d + O Timeout.queuewarn = 4h + Sort queue by host name instead of by message priority if the + QueueSortOrder option (no short name) is set is set to + ``host''. This makes better use of the connection cache, + but may delay more ``interactive'' messages behind large + backlogs under some circumstances. This is probably a + good option if you have high speed links or don't do lots + of ``batch'' messages, but less good if you are using + something like PPP on a 14.4 modem. Based on code + contributed by Roy Mongiovi of Georgia Tech (my main + contribution was to make it configurable). + Save i-number of df file in qf file to simplify rebuilding of queue + after disastrous disk crash. Suggested by Kyle Jones of + UUNET; closely based on code from KJS DECWRL code written + by Paul Vixie. NOTA BENE: The qf files produced by 8.7 + are NOT back compatible with 8.6 -- that is, you can convert + from 8.6 to 8.7, but not the other direction. + Add ``F=d'' mailer flag to disable all use of angle brackets in + route-addrs in envelopes; this is because in some cases + they can be sent to the shell, which interprets them as + I/O redirection. + Don't include error file (option E) with return-receipts; this + can be confusing. + Don't send "Warning: cannot send" messages to owner-* or + *-request addresses. Suggested by Christophe Wolfhugel + of the Institut Pasteur, Paris. + Allow -O command line flag to set long form options. + Add "MinQueueAge" option to set the minimum time between attempts + to run the queue. For example, if the queue interval + (-q value) is five minutes, but the minimum queue age + is fifteen minutes, jobs won't be tried more often than + once every fifteen minutes. This can be used to give + you more responsiveness if your delivery mode is set to + queue-only. + Allow "fileopen" timeout (default: 60 seconds) for opening + :include: and .forward files. + Add "-k", "-v", and "-z" flags to map definitions; these set the + key field name, the value field name, and the field + delimiter. The field delimiter can be a single character + or the sequence "\t" or "\n" for tab or newline. + These are for use by NIS+ and similar access methods. + Change maps to always strip quotes before lookups; the -q flag + turns off this behavior. Suggested by Motonori Nakamura. + Add "nisplus" map class. Takes -k and -v flags to choose the + key and value field names respectively. Code donated by + Sun Microsystems. + Add "hesiod" map class. The "file name" is used as the + "HesiodNameType" parameter to hes_resolve(3). Returns the + first value found for the match. Code donated by Scott + Hutton of Indiana University. + Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to + specify the name of the property that is searched as the + key and a -v flag to specify the name of the property that + is returned as the value (defaults to "members"). The + default map is "/aliases". Some code based on code + contributed by Robert La Ferla of Hot Software. + Add "text" map class. This does slow, linear searches through + text files. The -z flag specifies a column delimiter + (defaults to any sequence of white space), the -k flag + sets the key column number, and the -v flag sets the + value column number. Lines beginning with `#' are treated + as comments. + Add "program" map class to execute arbitrary programs. The search + key is presented as the last argument; the output is one + line read from the programs standard output. Exit statuses + are from sysexits.h. + Add "sequence" map class -- searches maps in sequence until it + finds a match. For example, the declarations: + Kmap1 ... + Kmap2 ... + Kmapseq sequence map1 map2 + defines a map "mapseq" that first searches map1; if the + value is found it is returned immediately, otherwise + map2 is searched and the value returned. + Add "switch" map class. This is much like "sequence" except that + the ordering is fetched from an external file, usually + the system service switch. The parameter is the name of + the service to switch on, and the maps that it will use + are the name of the switch map followed by ".service_type". + For example, if the declaration of the map is + Ksample switch hosts + and the system service switch specifies that hosts are + looked up using dns and nis in that order, then this is + equivalent to + Ksample sequence sample.dns sample.nis + The subordinate maps (sample.*) must already be defined. + Add "user" map class -- looks up users using getpwnam. Takes a + "-v field" flag on the definition that tells what passwd + entry to return -- legal values are name, passwd, uid, gid, + gecos, dir, and shell. Generally expected to be used with + the -m (matchonly) flag. + Add "bestmx" map class -- returns the best MX value for the host + listed as the value. If there are several "best" MX records + for this host, one will be chosen at random. + Add "userdb" map class -- looks up entries in the user database. + The "file name" is actually the tag that will be used, + typically "mailname". If there are multiple entries + matching the name, the one chosen is undefined. + Add multiple queue timeouts (both return and warning). These are + set by the Precedence: or Priority: header fields to one of + three values. If a Priority: is set and has value "normal", + "urgent", or "non-urgent" the corresponding timeouts are + used. If no priority is set, the Precedence: is consulted; + if negative, non-urgent timeouts are used; if greater than + zero, urgent timeouts are used. Otherwise, normal timeouts + are used. The timeouts are set by setting the six timeouts + queue{warn,return}.{urgent,normal,non-urgent}. + Fix problem when a mail address is resolved to a $#error mailer + with a temporary failure indication; it works in SMTP, + but when delivering locally the mail is silently discarded. + This patch, from Kyle Jones of UUNET, bounces it instead + of queueing it (queueing is very hard). + When using /etc/hosts or NIS-style lookups, don't assume that + the first name in the list is the best one -- instead, + search for the first one with a dot. For example, if + an /etc/hosts entry reads + 128.32.149.68 mammoth mammoth.CS.Berkeley.EDU + this change will use the second name as the canonical + machine name instead of the initial, unqualified name. + Change dequote map to replace spaces in quoted text with a value + indicated by the -s flag on the dequote map definition. + For example, ``Mdequote dequote -s_'' will change + "Foo Bar" into an unquoted Foo_Bar instead of leaving it + quoted (because of the space character). Suggested by Dan + Oscarsson for use in X.400 addresses. + Implement long macro names as ${name}; long class names can + be similarly referenced as $={name} and $~{name}. + Definitions are (e.g.) ``D{name}value''. Names that have + a leading lower case letter or punctuation characters are + reserved for internal use by sendmail; i.e., config files + should use names that begin with a capital letter. Based + on code contributed by Dan Oscarsson. + Fix core dump if getgrgid returns a null group list (as opposed + to an empty group list, that is, a pointer to a list + with no members). Fix from Andrew Chang of Sun Microsystems. + Fix possible core dump if malloc fails -- if the malloc in xalloc + failed, it called syserr which called newstr which called + xalloc.... The newstr is now avoided for "panic" messages. + Reported by Stuart Kemp of James Cook University. + Improve connection cache timeouts; previously, they were not even + checked if you were delivering to anything other than an + IPC-connected host, so a series of (say) local mail + deliveries could cause cached connections to be open + much longer than the specified timeout. + If an incoming message exceeds the maximum message size, stop + writing the incoming bytes to the queue data file, since + this can fill your mqueue partition -- this is a possible + denial-of-service attack. + Don't reject all numeric local user names unless HESIOD is + defined. It turns out that Posix allows all-numeric + user names. Fix from Tony Sanders of BSDI. + Add service switch support. If the local OS has a service + switch (e.g., /etc/nsswitch.conf on Solaris or /etc/svc.conf + on DEC systems) that will be used; otherwise, it falls back + to using a local mechanism based on the ServiceSwitchFile + option (default: /etc/service.switch). For example, if the + service switch lists "files" and "nis" for the aliases + service, that will be the default lookup order. the "files" + ("local" on DEC) service type expands to any alias files + you listed in the configuration file, even if they aren't + actually file lookups. + Option I (NameServerOptions) no longer sets the "UseNameServer" + variable which tells whether or not DNS should be considered + canonical. This is now determined based on whether or not + "dns" is in the service list for "hosts". + Add preliminary support for the ESMTP "DSN" extension (Delivery + Status Notifications). DSN notifications override + Return-Receipt-To: headers, which are bogus anyhow -- + support for them has been removed. + Add T=mts-name-type/address-type/diagnostic-type keyletter to mailer + definitions to define the types used in DSN returns for + MTA names, addresses, and diagnostics respectively. + Extend heuristic to force running in ESMTP mode to look for the + five-character string "ESMTP" anywhere in the 220 greeting + message (not just the second line). This is to provide + better compatibility with other ESMTP servers. + Print sequence number of job when running the queue so you can + easily see how much progress you have made. Suggested + by Peter Wemm of DIALix. + Map newlines to spaces in logged message-ids; some versions of + syslog truncate the rest of the line after newlines. + Suggested by Fletcher Mattox of U. Texas. + Move up forking for job runs so that if a message is split into + multiple envelopes you don't get "fork storms" -- this + also improves the connection cache utilization. + Accept "<<>>", "<<<>>>", and so forth as equivalent to "<>" for + the purposes of refusing to send error returns. Suggested + by Motonori Nakamura of Ritsumeikan University. + Relax rules on when a file can be written when referenced from + the aliases file: use the default uid/gid instead of the + real uid/gid. This allows you to create a file owned by + and writable only by the default uid/gid that will work + all the time (without having the set-user-ID bit set). Change + suggested by Shau-Ping Lo and Andrew Cheng of Sun + Microsystems. + Add "DialDelay" option (no short name) to provide an "extra" + delay for dial on demand systems. If this is non-zero + and a connect fails, sendmail will wait this long and + then try again. If it takes longer than the kernel + timeout interval to establish the connection, this + option can give the network software time to establish + the link. The default units are seconds. + Move logging of sender information to be as early as possible; + previously, it could be delayed a while for SMTP mail + sent to aliases. Suggested by Brad Knowles of the + Defense Information Systems Agency. + Call res_init() before setting RES_DEBUG; this is required by + BIND 4.9.3, or so I'm told. From Douglas Anderson of + the National Computer Security Center. + Add xdelay= field in logs -- this is a transaction delay, telling + you how long it took to deliver to this address on the + last try. It is intended to be used for sorting mailing + lists to favor "quick" addresses. Provided for use by + the mailprio scripts (see below). + If a map cannot be opened, and that map is non-optional, and + an address requires that map for resolution, queue the + map instead of bouncing it. This involves creating a + pseudo-class of maps called "bogus-map" -- if a required + map cannot be opened, the class is changed to bogus-map; + all queries against bogus-map return "tempfail". The + bogus-map class is not directly accessible. A sample + implementation was donated by Jem Taylor of Glasgow + University Computing Service. + Fix a possible core dump when mailing to a program that talks + SMTP on its standard input. Fix from Keith Moore of + the University of Kentucky. + Make it possible to resolve filenames to $#local $: @ /filename; + previously, the "@" would cause it to not be recognized + as a file. Problem noted by Brian Hill of U.C. Davis. + Accept a -1 signal to re-exec the daemon. This only works if + argv[0] is a full path to sendmail. + Fix bug in "addr=..." field in O option on little-endian machines + -- the network number wasn't being converted to network + byte order. Patch from Kurt Lidl of Pix Technologies + Corporation. + Pre-initialize the resolver early on; this is to avoid a bug with + BIND 4.9.3 that can cause the _res.retry field to get + reset to zero, causing all name server lookups to time + out. Fix from Matt Day of Artisoft. + Restore T line (trusted users) in config file -- but instead of + locking out the -f flag, they just tell whether or not + an X-Authentication-Warning: will be added. This really + just creates new entries in class 't', so "Ft/file/name" + can be used to read trusted user names from a file. + Trusted users are also allowed to execute programs even + if they have a shell that isn't in /etc/shells. + Improve NEWDB alias file rebuilding so it will create them + properly if they do not already exist. This had been + a MAYBENEXTRELEASE feature in 8.6.9. + Check for @:@ entry in NIS maps before starting up to avoid + (but not prevent, sigh) race conditions. This ought to + be handled properly in ypserv, but isn't. Suggested by + Michael Beirne of Motorola. + Refuse connections if there isn't enough space on the filesystem + holding the queue. Contributed by Robert Dana of Wolf + Communications. + Skip checking for directory permissions in the path to a file + when checking for file permissions iff setreuid() + succeeded -- it is unnecessary in that case. This avoids + significant performance problems when looking for .forward + files. Based on a suggestion by Win Bent of USC. + Allow symbolic ruleset names. Syntax can be "Sname" to get an + arbitrary ruleset number assigned or "Sname = integer" + to assign a specific ruleset number. Reference is + $>name_or_number. Names can be composed of alphas, digits, + underscore, or hyphen (first character must be non-numeric). + Allow -o flag on AliasFile lines to make the alias file optional. + From Bryan Costales of ICSI. + Add NoRecipientAction option to handle the case where there is + no legal recipient header in the message. It can take + on values: + None Leave the message as is. The + message will be passed on even + though it is in technically + illegal syntax. + Add-To Add a To: header with any + recipients that it can find from + the envelope. This risks exposing + Bcc: recipients. + Add-Apparently-To Add an Apparently-To: header. This + has almost no redeeming social value, + and is provided only for back + compatibility. + Add-To-Undisclosed Add a header reading + To: undisclosed-recipients:; + which will have the effect of + making the message legal without + exposing Bcc: recipients. + Add-Bcc To add an empty Bcc: header. + There is a chance that mailers down + the line will delete this header, + which could cause exposure of Bcc: + recipients. + The default is NoRecipientAction=None. + Truncate (rather than delete) Bcc: lines in the header. This + should prevent later sendmails (at least, those that don't + themselves delete Bcc:) from considering this message to + be non-conforming -- although it does imply that non-blind + recipients can see that a Bcc: was sent, albeit not to whom. + Add SafeFileEnvironment option. If declared, files named as delivery + targets must be regular files in addition to the regular + checks. Also, if the option is non-null then it is used as + the name of a directory that is used as a chroot(2) + environment for the delivery; the file names listed in an + alias or forward should include the name of this root. + For example, if you run with + O SafeFileEnvironment=/arch + then aliases should reference "/arch/rest/of/path". If a + value is given, sendmail also won't try to save to + /usr/tmp/dead.letter (instead it just leaves the job in the + queue as Qfxxxxxx). Inspired by *Hobbit*'s sendmail patch kit. + Support -A flag for alias files; this will comma concatenate like + entries. For example, given the aliases: + list: member1 + list: member2 + and an alias file declared as: + OAhash:-A /etc/aliases + the final alias inserted will be "list: member1,member2"; + without -A you will get an error on the second and subsequent + alias for "list". Contributed by Bryan Costales of ICSI. + Line-buffer transcript file. Suggested by Liudvikas Bukys. + Fix a problem that could cause very long addresses to core dump in + some special circumstances. Problem pointed out by Allan + Johannesen. + (Internal change.) Change interface to expand() (macro expansion) + to be simpler and more consistent. + Delete check for funny qf file names. This didn't really give + any extra security and caused some people some problems. + (If you -really- want this, define PICKY_QF_NAME_CHECK + at compile time.) Suggested by Kyle Jones of UUNET. + (Internal change.) Change EF_NORETURN to EF_NO_BODY_RETN and + merge with DSN code; this is simpler and more consistent. + This may affect some people who have written their own + checkcompat() routine. + (Internal change.) Eliminate `D' line in qf file. The df file + is now assumed to be the same name as the qf file (with + the `q' changed to a `d', of course). + Avoid forking for delivery if all recipient mailers are marked as + "expensive" -- this can be a major cost on some systems. + Essentially, this forces sendmail into "queue only" mode + if all it is going to do is queue anyway. + Avoid sending a null message in some rather unusual circumstances + (specifically, the RCPT command returns a temporary + failure but the connection is lost before the DATA + command). Fix from Scott Hammond of Secure Computing + Corporation. + Change makesendmail to use a somewhat more rational naming scheme: + Makefiles and obj directories are named $os.$rel.$arch, + where $os is the operating system (e.g., SunOS), $rel is + the release number (e.g., 5.3), and $arch is the machine + architecture (e.g., sun4). Any of these can be omitted, + and anything after the first dot in a release number can + be replaced with "x" (e.g., SunOS.4.x.sun4). The previous + version used $os.$arch.$rel and was rather less general. + Change makesendmail to do a "make depend" in the target directory + when it is being created. This involves adding an empty + "depend:" entry in most Makefiles. + Ignore IDENT return value if the OSTYPE field returns "OTHER", + as indicated by RFC 1413. Pointed out by Kari Hurtta + of the Finnish Meteorological Institute. + Fix problem that could cause multiple responses to DATA command + on header syntax errors (e.g., lines beginning with colons). + Problem noted by Jens Thomassen of the University of Oslo. + Don't let null bytes in headers cause truncation of the rest of + the header. + Log Authentication-Warning:s. Suggested by Motonori Nakamura. + Increase timeouts on message data puts to allow time for receivers + to canonify addresses in headers on the fly. This is still + a rather ugly heuristic. From Motonori Nakamura. + Add "HasWildcardMX" suboption to ResolverOptions; if set, MX + records are not used when canonifying names, and when MX + lookups are done for addressing they must be fully + qualified. This is useful if you have a wildcard MX record, + although it may cause other problems. In general, don't use + wildcard MX records. Patch from Motonori Nakamura. + Eliminate default two-line SMTP greeting message. Instead of + adding an extra "ESMTP spoken here" line, the word "ESMTP" + is added between the first and second word of the first + line of the greeting message (i.e., immediately after the + host name). This eliminates the need for the BROKEN_SMTP_PEERS + compile flag. Old sendmails won't see the ESMTP, but that's + acceptable because SIZE was the only useful extension that + old sendmails understand. + Avoid gethostbyname calls on UNIX domain sockets during SIGUSR1 + invoked state dumps. From Masaharu Onishi. + Allow on-line comments in .forward and :include: files; they are + introduced by the string "<LWSP>#@#<LWSP>", where <LWSP> + is a space or a tab. This is intended for native + representation of non-ASCII sets such as Japanese, where + existing encodings would be unreadable or would lose + data -- for example, + <motonori@cs.ritsumei.ac.jp> NAKAMURA Motonori + (romanized/less information) + <motonori@cs.ritsumei.ac.jp> =?ISO-2022-JP?B?GyRCQ2ZCPBsoQg==?= + =?ISO-2022-JP?B?GyRCQUdFNRsoQg==?= + (with MIME encoding, not human readable) + <motonori@cs.ritsumei.ac.jp> #@# ^[$BCfB<^[(B ^[$BAGE5^[(B + (native encoding with ISO-2022-JP) + The last form is human readable in the Japanese environment. + Based on a fix from (surprise!) Motonori Nakamura. + Don't make SMTP error returns on MAIL FROM: line be "sticky" for all + messages to that host; these are most frequently associated + with addresses rather than the host, with the exception of + 421 (service shutting down). The effect was to cause queues + to sometimes take an excessive time to flush. Reported by + Robert Sargent of Southern Geographics Technologies and + Eric Prestemon of American University. + Add Nice=N mailer option to set the niceness at which a mailer will + run. This is actually a relative niceness (that is, an + increment on the background value). + Log queue runs that are skipped due to high loads. They are logged + at LOG_INFO priority iff the log level is > 8. Contributed + by Bruce Nagel of Data General. + Allow the error mailer to accept a DSN-style error status code + instead of an sysexits status code in the host part. + Anything with a dot will be interpreted as a DSN-style code. + Add new mailer flag: F=3 will tell translations to Quoted-Printable + to encode characters that might be munged by an EBCDIC system + in addition to the set required by RFC 1521. The additional + characters are !, ", #, $, @, [, \, ], ^, `, {, |, }, and ~. + (Think of "IBM 360" as the mnemonic for this flag.) + Change check for mailing to files to look for a pathname of [FILE] + rather than looking for the mailer named *file*. The mapping + of leading slashes still goes to the *file* mailer. This + allows you to implement the *file* mailer as a separate + program, for example, to insert a Content-Length: header + or do special security policy. However, note that the usual + initial checking for the file permissions is still done, and + the program in question needs to be very careful about how + it does the file write to avoid security problems. + Be able to read ~root/.forward even if the path isn't accessible to + regular users. This is disrecommended because sendmail + sometimes does not run as root (e.g., when an unsafe option + is specified on the command line), but should otherwise be + safe because .forward files must be owned by the user for + whom mail is being forwarded, and cannot be a symbolic link. + Suggested by Forrest Aldrich of Wang Laboratories. + Add new "HostsFile" option that is the pathname to the /etc/hosts + file. This is used for canonifying hostnames when the + service type is "files". + Implement programs on F (read class from file) line. The syntax is + Fc|/path/to/program to read the output from the program + into class "c". + Probe the network interfaces to find alternate names for this + host. Requires the SIOCGIFCONF ioctl call. Code + contributed by SunSoft. + Add "E" configuration line to set or propagate environment + variables into children. "E<envar>" will propagate + the named variable from the environment when sendmail + was invoked into any children it calls; "E<envar>=<value>" + sets the named variable to the indicated value. Any + variables not explicitly named will not be in the child + environment. However, sendmail still forces an + "AGENT=sendmail" environment variable, in part to enforce + at least one environment variable, since many programs and + libraries die horribly if this is not guaranteed. + Change heuristic for rebuilding both NEWDB and NDBM versions of + alias databases -- new algorithm looks for the substring + "/yp/" in the file name. This is more portable and involves + less overhead. Suggested by Motonori Nakamura. + Dynamically allocate the queue work list so that you don't lose + jobs in large queue runs. The old QUEUESIZE compile parameter + is replaced by QUEUESEGSIZE (the unit of allocation, which + should not need to be changed) and the MaxQueueRunSize option, + which is the absolute maximum number of jobs that will ever + be handled in a single queue run. Based on code contributed + by Brian Coan of the Institute for Global Communications. + Log message when a message is dropped because it exceeds the maximum + message size. Suggested by Leo Bicknell of Virginia Tech. + Allow trusted users (those on a T line or in $=t) to use -bs without + an X-Authentication-Warning: added. Suggested by Mark Thomas + of Mark G. Thomas Consulting. + Announce state of compile flags on -d0.1 (-d0.10 throws in the + OS-dependent defines). The old semantic of -d0.1 to not + run the daemon in background has been moved to -d99.100, + and the old 52.5 flag (to avoid disconnect() from closing + all output files) has been moved to 52.100. This makes + things more consistent (flags below .100 don't change + semantics) and separates out the backgrounding so that + it doesn't happen automatically on other unrelated debugging + flags. + If -t is used but no addresses are found in the header, give an + error message rather than just doing nothing. Fix from + Motonori Nakamura. + On systems (like SunOS) where the effective gid is not necessarily + included in the group list returned by getgroups(), the + `restrictmailq' option could sometimes cause an authorized + user to not be able to use `mailq'. Fix from Charles Hannum + of MIT. + Allow symbolic service names for [IPC] mailers. Suggested by + Gerry Magennis of Logica International. + Add DontExpandCnames option to prevent $[ ... $] from expanding CNAMEs + when running DNS. For example, if the name FTP.Foo.ORG is + a CNAME for Cruft.Foo.ORG, then when sitting on a machine in + the Foo.ORG domain a lookup of "FTP" returns "Cruft.Foo.ORG" + if this option is not set, or "FTP.Foo.ORG" if it is set. + This is technically illegal under RFC 822 and 1123, but the + IETF is moving toward legalizing it. Note that turning on + this option is not sufficient to guarantee that a downstream + neighbor won't rewrite the address for you. + Add "-m" flag to makesendmail script -- this tells you what object + directory and Makefile it will use, but doesn't actually do + the make. + Do some additional checking on the contents of the qf file to try + to detect attacks against the qf file. In particular, + abort on any line beginning "From ", and add an "end of + file" line -- any data after that line is prohibited. + Always use /etc/sendmail.cf, regardless of the arbitrary vendor + choices. This can be overridden in the Makefile by using + either -DUSE_VENDOR_CF_PATH to get the vendor location + (to the extent that we know it) or by defining + _PATH_SENDMAILCF (which is a "hard override"). This allows + sendmail 8 to have more consistent installation instructions. + Allow macros on `K' line in config file. Suggested by Andrew Chang + of Sun Microsystems. + Improved symbol table hash function from Eric Wassenaar. This one + is at least 50% faster. + Fix problem that didn't notice that timeout on file open was a + transient error. Fix from Larry Parmelee of Cornell + University. + Allow comments (lines beginning with a `#') in files read for + classes. Suggested by Motonori Nakamura. + Make SIGINT (usually ^C) in test mode return to the prompt instead + of dropping out entirely. This makes testing some of the + name server lookups easier to deal with when there are + hung servers. From Motonori Nakamura. + Add new ${opMode} macro that is set to the current operation mode + (e.g., `s' for -bs, `t' for -bt, etc.). Suggested by + Claude Marinier <MARINIER@emp.ewd.dreo.dnd.ca>. + Add new delivery mode (Odd) that defers all map lookups to queue runs. + Kind of like queue-only mode (Odq) except it tries to avoid + any external service requests; for dial-on-demand hosts that + want to minimize DNS lookups when mail is being queued. For + this to work you will also have to make sure that gethostbyname + of your local host name does not do a DNS lookup. + Improved handling of "out of space" conditions from John Myers of + Carnegie Mellon. + Improved security for mailing to files on systems that have fchmod(2) + support. + Improve "cannot send message for N days" message -- now says "could + not send for past N days". Suggested by Tom Moore of AT&T + Global Information Solutions. + Less misleading Subject: line on messages sent to postmaster only. + From Motonori Nakamura. + Avoid duplicate error messages on bad command line flags. From + Motonori Nakamura. + Better error message for case where ruleset 0 falls off the end + or otherwise does not resolve to a canonical triple. + Fix a problem that could cause multiple bounce messages if a bad + address was sent along with a good address to an SMTP + site where that SMTP site returned a 4yz code in response + to the final dot of the data. Problem reported by David + James of British Telecom. + Add "volatile" declarations so that gcc -O2 will work. Patches + from Alexander Dupuy of System Management ARTS. + Delete duplicates in MX lists -- believe it or not, there are sites + that list the same host twice in an MX list. This deletion + only works on adjacent preferences, so an MX list that + had A=5, B=10, A=15 would leave both As, but one that had + A=5, A=10, B=15 would reduce to A, B. This is intentional, + just in case there is something weird I haven't thought of. + Suggested by Barry Shein of Software Tool & Die. + SECURITY: .forward files cannot be symbolic links. If they are, + a bad guy can read your private files. + PORTABILITY FIXES: + Solaris 2 from Rob McMahon <cudcv@csv.warwick.ac.uk>. + System V Release 4 from Motonori Nakamura of Ritsumeikan + University. This expands the disk size + checking to include all (?) SVR4 configurations. + System V Release 4 from Kimmo Suominen -- initgroups(3) + and setrlimit(2) are both available. + System V Release 4 from sob@sculley.ffg.com -- some versions + apparently "have EX_OK defined in other headerfiles." + Linux Makefile typo. + Linux getusershell(3) is broken in Slackware 2.0 -- + from Andrew Pam of Xanadu Australia. + More Linux tweaking from John Kennedy of California State + University, Chico. + Cray changes from Eric Wassenaar: ``On Cray, shorts, + ints, and longs are all 64 bits, and all structs + are multiples of 64 bits. This means that the + sizeof operator returns only multiples of 8. + This requires adaptation of code that really + deals with 32 bit or 16 bit fields, such as IP + addresses or nameserver fields.'' + DG/UX 5.4.3 from Mark T. Robinson <mtr@ornl.gov>. To + get the old behavior, use -DDGUX_5_4_2. + DG/UX hack: add _FORCE_MAIL_LOCAL_=yes environment + variable to fix bogus /bin/mail behavior. + Tandem NonStop-UX from Rick McCarty <mccarty@mpd.tandem.com>. + This also cleans up some System V Release 4 compile + problems. + Solaris 2: sendmail.cw file should be in /etc/mail to + match all the other configuration files. Fix + from Glenn Barry of Emory University. + Solaris 2.3: compile problem in conf.c. Fix from Alain + Nissen of the University of Liege, Belgium. + Ultrix: freespace calculation was incorrect. Fix from + Takashi Kizu of Osaka University. + SVR4: running in background gets a SIGTTOU because the + emulation code doesn't realize that "getpeername" + doesn't require reading the file. Fix from Peter + Wemm of DIALix. + Solaris 2.3: due to an apparent bug in the socket emulation + library, sockets can get into a "wedged" state where + they just return EPROTO; closing and re-opening the + socket clears the problem. Fix from Bob Manson + of Ohio State University. + Hitachi 3050R & 3050RX running HI-UX/WE2: portability + fixes from Akihiro Hashimoto ("Hash") of Chiba + University. + AIX changes to allow setproctitle to work from Rainer Schöpf + of Zentrum für Datenverarbeitung der Universität + Mainz. + AIX changes for load average from Ed Ravin of NASA/Goddard. + SCO Unix from Chip Rosenthal of Unicom (code was using the + wrong statfs call). + ANSI C fixes from Adam Glass (NetBSD project). + Stardent Titan/ANSI C fixes from Kate Hedstrom of Rutgers + University. + DG-UX fixes from Bruce Nagel of Data General. + IRIX64 updates from Mark Levinson of the University of + Rochester Medical Center. + Altos System V (``the first UNIX/XENIX merge the Altos + did for their Series 1000 & Series 2000 line; + their merged code was licensed back to AT&T and + Microsoft and became System V release 3.2'') from + Tim Rice <timr@crl.com>. + OSF/1 running on Intel Paragon from Jeff A. Earickson + <jeff@ssd.intel.com> of Intel Scalable Systems + Division. + Amdahl UTS System V 2.1.5 (SVr3-based) from Janet Jackson + <janet@dialix.oz.au>. + System V Release 4 (statvfs semantic fix) from Alain + Durand of I.M.A.G. + HP-UX 10.x multiprocessor load average changes from + Scott Hutton and Jeff Sumler of Indiana University. + Cray CSOS from Scott Bolte of Cray Computer Corporation. + Unicos 8.0 from Douglas K. Rand of the University of North + Dakota, Scientific Computing Center. + Solaris 2.4 fixes from Sanjay Dani of Dani Communications. + ConvexOS 11.0 from Christophe Wolfhugel. + IRIX 4.0.5 from David Ashton-Reader of CADcentre. + ISC UNIX from J. J. Bailey. + HP-UX 9.xx on the 8xx series machines from Remy Giraud + of Meteo France. + HP-UX configuration from Tom Lane <tgl@sss.pgh.pa.us>. + IRIX 5.2 and 5.3 from Kari E. Hurtta. + FreeBSD 2.0 from Mike Hickey of Federal Data Corporation. + Sony NEWS-OS 4.2.1R and 6.0.3 from Motonori Nakamura. + Omron LUNA unios-b, mach from Motonori Nakamura. + NEC EWS-UX/V 4.2 from Motonori Nakamura. + NeXT 2.1 from Bryan Costales. + AUX patch thanks to Mike Erwin of Apple Computer. + HP-UX 10.0 from John Beck of Hewlett-Packard. + Ultrix: allow -DBROKEN_RES_SEARCH=0 if you are using a + non-DEC resolver. Suggested by Allan Johannesen. + UnixWare 2.0 fixes from Petr Lampa of the Technical + University of Brno (Czech Republic). + KSR OS 1.2.2 support from Todd Miller of the University + of Colorado. + UX4800 support from Kazuhisa Shimizu of NEC. + MAKEMAP: allow -d flag to allow insertion of duplicate aliases + in type ``btree'' maps. The semantics of this are undefined + for regular maps, but it can be useful for the user database. + MAKEMAP: lock database file while rebuilding to avoid sendmail + lookups while the rebuild is going on. There is a race + condition between the open(... O_TRUNC ...) and the lock + on the file, but it should be quite small. + SMRSH: sendmail restricted shell added to the release. This can + be used as an alternative to /bin/sh for the "prog" mailer, + giving the local administrator more control over what + programs can be run from sendmail. + MAIL.LOCAL: add this local mailer to the tape. It is not really + part of the release proper, and isn't fully supported; in + particular, it does not run on System V based systems and + never will. + CONTRIB: a patch to rmail.c from Bill Gianopoulos of Raytheon + to allow rmail to compile on systems that don't have + function prototypes and systems that don't have snprintf. + CONTRIB: add the "mailprio" scripts that will help you sort mailing + lists by transaction delay times so that addresses that + respond quickly get sent first. This is to prevent very + sluggish servers from delaying other peoples' mail. + Contributed by Tony Sanders of BSDI. + CONTRIB: add the "bsdi.mc" file as contributed by Tony Sanders + of BSDI. This has a lot of comments to help people out. + CONFIG: Don't have .mc files include(../m4/cf.m4) -- instead, + put this on the m4 command line. On GNU m4 (which + supports the __file__ primitive) you can run m4 in an + arbitrary directory -- use either: + m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf + or + m4 -I${CFDIR} m4/cf.m4 config.mc > config.cf + On other versions of m4 that don't support __file__, you + can use: + m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ... + (Note the trailing slash on the _CF_DIR_ definition.) + Old versions of m4 will default to _CF_DIR_=.. for back + compatibility. + CONFIG: fix mail from <> so it will properly convert to + MAILER-DAEMON on local addresses. + CONFIG: fix code that was supposed to catch colons in host + names. Problem noted by John Gardiner Myers of CMU. + CONFIG: allow use of SMTP_MAILER_MAX in nullclient configuration. + From Paul Riddle of the University of Maryland, Baltimore + County. + CONFIG: Catch and reject "." as a host address. + CONFIG: Generalize domaintable to look up all domains, not + just unqualified ones. + CONFIG: Delete OLD_SENDMAIL support -- as near as I can tell, it + was never used and didn't work anyway. + CONFIG: Set flags A, w, 5, :, /, |, and @ on the "local" mailer + and d on all mailers in the UUCP class. + CONFIG: Allow "user+detail" to be aliased specially: it will first + look for an alias for "user+detail", then for "user+*", and + finally for "user". This is intended for forwarding mail + for system aliases such as root and postmaster to a + centralized hub. + CONFIG: add confEIGHT_BIT_HANDLING to set option 8 (see above). + CONFIG: add smtp8 mailer; this has the F=8 (just-send-8) flag set. + The F=8 flag is also set on the "relay" mailer, since + this is expected to be another sendmail. + CONFIG: avoid qualifying all UUCP addresses sent via SMTP with + the name of the UUCP_RELAY -- in some cases, this is the + wrong value (e.g., when we have local UUCP connections), + and this can create unreplyable addresses. From Chip + Rosenthal of Unicom. + CONFIG: add confRECEIVED_HEADER to change the format of the + Received: header inserted into all messages. Suggested by + Gary Mills of the University of Manitoba. + CONFIG: Make "notsticky" the default; use FEATURE(stickyhost) + to get the old behavior. I did this upon observing + that almost everyone needed this feature, and that the + concept I was trying to make happen didn't work with + some user agents anyway. FEATURE(notsticky) still works, + but it is a no-op. + CONFIG: Add LUSER_RELAY -- the host to which unrecognized user + names are sent, rather than immediately diagnosing them + as User Unknown. + CONFIG: Add SMTP_MAILER_ARGS, ESMTP_MAILER_ARGS, SMTP8_MAILER_ARGS, + and RELAY_MAILER_ARGS to set the arguments for the + indicated mailers. All default to "IPC $h". Patch from + Larry Parmelee of Cornell University. + CONFIG: pop mailer needs F=n flag to avoid "annoying side effects + on the client side" and F=P to get an appropriate + return-path. From Kimmo Suominen. + CONFIG: add FEATURE(local_procmail) to use the procmail program + as the local mailer. For addresses of the form "user+detail" + the "detail" part is passed to procmail via the -a flag. + Contributed by Kimmo Suominen. + CONFIG: add MAILER(procmail) to add an interface to procmail for + use from mailertables. This lets you execute arbitrary + procmail scripts. Contributed by Kimmo Suominen. + CONFIG: add T= fields (MTS type) to local, smtp, and uucp mailers. + CONFIG: add OSTYPE(ptx2) for DYNIX/ptx 2.x from Sequent. From + Paul Southworth of CICNet Systems Support. + CONFIG: use -a$g as default to UUCP mailers, instead of -a$f. + This causes the null return path to be rewritten as + MAILER-DAEMON; otherwise UUCP gets horribly confused. + From Michael Hohmuth of Technische Universitat Dresden. + CONFIG: Add FEATURE(bestmx_is_local) to cause any hosts that + list us as the best possible MX record to be treated as + though they were local (essentially, assume that they + are included in $=w). This can cause additional DNS + traffic, but is easier to administer if this fits your + local model. It does not work reliably if there are + multiple hosts that share the best MX preference. + Code contributed by John Oleynick of Rutgers. + CONFIG: Add FEATURE(smrsh) to use smrsh (the SendMail Restricted + SHell) instead of /bin/sh as the program used for delivery + to programs. If an argument is included, it is used as + the path to smrsh; otherwise, /usr/local/etc/smrsh is + assumed. + CONFIG: Add LOCAL_MAILER_MAX and PROCMAILER_MAILER_MAX to limit the + size of messages to the local and procmail mailers + respectively. Contributed by Brad Knowles of the Defense + Information Systems Agency. + CONFIG: Handle leading ``phrase:'' and trailing ``;'' as comments + (just like text outside of angle brackets) in order to + properly deal with ``group: addr1, ... addrN;'' syntax. + CONFIG: Require OSTYPE macro (the defaults really don't apply to + any real systems any more) and tweak the DOMAIN macro + so that it is less likely that users will accidentally use + the Berkeley defaults. Also, create some generic files + that really can be used in the real world. + CONFIG: Add new configuration macros to set character sets for + messages _arriving from_ various mailers: LOCAL_MAILER_CHARSET, + SMTP_MAILER_CHARSET, and UUCP_MAILER_CHARSET. + CONFIG: Change UUCP_MAX_SIZE to UUCP_MAILER_MAX for consistency. + The old name will still be accepted for a while at least. + CONFIG: Implement DECNET_RELAY as spec for host to which DECNET + mail (.DECNET pseudo-domain or node::user) will be sent. + As with all relays, it can be ``mailer:hostname''. Suggested + by Scott Hutton. + CONFIG: Add MAILER(mail11) to get DECnet support. Code contributed + by Barb Dijker of Labyrinth Computer Services. + CONFIG: change confCHECK_ALIASES to default to False -- it has poor + performance for large alias files, and this confused many + people. + CONFIG: Add confCF_VERSION to append local information to the + configuration version number displayed during SMTP startup. + CONFIG: fix some.newsgroup.usenet@local.host syntax (previously it + would only work when locally addressed. Fix from + Edvard Tuinder of Cistron Internet Services. + CONFIG: use ${opMode} to avoid error on .REDIRECT addresses if option + "n" (CheckAliases) is set when rebuilding alias database. + Based on code contributed by Claude Marinier. + CONFIG: Allow mailertable to have values of the form + ``error:code message''. The ``code'' is a status code + derived from the sysexits codes -- e.g., NOHOST or UNAVAILABLE. + Contributed by David James <dwj@agw.bt.co.uk>. + CONFIG: add MASQUERADE_DOMAIN(domain list) to extend the list of + sender domains that will be replaced with the masquerade name. + These domains will not be treated as local, but if mail passes + through with sender addresses in those domains they will be + replaced by the masquerade name. These can also be specified + in a file using MASQUERADE_DOMAIN_FILE(filename). + CONFIG: add FEATURE(masquerade_envelope) to masquerade the envelope + as well as the header. Substantial improvements to this + code were contributed by Per Hedeland. + CONFIG: add MAILER(phquery) to define a new "ph" mailer; this can be + accessed from a mailertable to do CCSO ph lookups. Contributed + by Kimmo Suominen. + CONFIG: add MAILER(cyrus) to define a new Cyrus mailer; this can be + used to define cyrus and cyrusbb mailers (for IMAP support). + Contributed by John Gardiner Myers of Carnegie Mellon. + CONFIG: add confUUCP_MAILER to select default mailer to use for + UUCP addressing. Suggested by Tom Moore of AT&T GIS. + NEW FILES: + cf/cf/cs-hpux10.mc + cf/cf/cs-solaris2.mc + cf/cf/cyrusproto.mc + cf/cf/generic-bsd4.4.mc + cf/cf/generic-hpux10.mc + cf/cf/generic-hpux9.mc + cf/cf/generic-osf1.mc + cf/cf/generic-solaris2.mc + cf/cf/generic-sunos4.1.mc + cf/cf/generic-ultrix4.mc + cf/cf/huginn.cs.mc + cf/domain/berkeley-only.m4 + cf/domain/generic.m4 + cf/feature/bestmx_is_local.m4 + cf/feature/local_procmail.m4 + cf/feature/masquerade_envelope.m4 + cf/feature/smrsh.m4 + cf/feature/stickyhost.m4 + cf/feature/use_ct_file.m4 + cf/m4/cfhead.m4 + cf/mailer/cyrus.m4 + cf/mailer/mail11.m4 + cf/mailer/phquery.m4 + cf/mailer/procmail.m4 + cf/ostype/amdahl-uts.m4 + cf/ostype/bsdi2.0.m4 + cf/ostype/hpux10.m4 + cf/ostype/irix5.m4 + cf/ostype/isc4.1.m4 + cf/ostype/ptx2.m4 + cf/ostype/unknown.m4 + contrib/bsdi.mc + contrib/mailprio + contrib/rmail.oldsys.patch + mail.local/mail.local.0 + makemap/makemap.0 + smrsh/README + smrsh/smrsh.0 + smrsh/smrsh.8 + smrsh/smrsh.c + src/Makefiles/Makefile.CSOS + src/Makefiles/Makefile.EWS-UX_V + src/Makefiles/Makefile.HP-UX.10 + src/Makefiles/Makefile.IRIX.5.x + src/Makefiles/Makefile.IRIX64 + src/Makefiles/Makefile.ISC + src/Makefiles/Makefile.KSR + src/Makefiles/Makefile.NEWS-OS.4.x + src/Makefiles/Makefile.NEWS-OS.6.x + src/Makefiles/Makefile.NEXTSTEP + src/Makefiles/Makefile.NonStop-UX + src/Makefiles/Makefile.Paragon + src/Makefiles/Makefile.SCO.3.2v4.2 + src/Makefiles/Makefile.SunOS.5.3 + src/Makefiles/Makefile.SunOS.5.4 + src/Makefiles/Makefile.SunOS.5.5 + src/Makefiles/Makefile.UNIX_SV.4.x.i386 + src/Makefiles/Makefile.uts.systemV + src/Makefiles/Makefile.UX4800 + src/aliases.0 + src/mailq.0 + src/mime.c + src/newaliases.0 + src/sendmail.0 + test/t_seteuid.c + RENAMED FILES: + cf/cf/alpha.mc => cf/cf/s2k-osf1.mc + cf/cf/chez.mc => cf/cf/chez.cs.mc + cf/cf/hpux-cs-exposed.mc => cf/cf/cs-hpux9.mc + cf/cf/osf1-cs-exposed.mc => cf/cf/cs-osf1.mc + cf/cf/s2k.mc => cf/cf/s2k-ultrix4.mc + cf/cf/sunos4.1-cs-exposed.mc => cf/cf/cs-sunos4.1.mc + cf/cf/ultrix4.1-cs-exposed.mc => cf/cf/cs-ultrix4.mc + cf/cf/vangogh.mc => cf/cf/vangogh.cs.mc + cf/domain/Berkeley.m4 => cf/domain/Berkeley.EDU.m4 + cf/domain/cs-exposed.m4 => cf/domain/CS.Berkeley.EDU.m4 + cf/domain/eecs-hidden.m4 => cf/domain/EECS.Berkeley.EDU.m4 + cf/domain/s2k.m4 => cf/domain/S2K.Berkeley.EDU.m4 + cf/ostype/hpux.m4 => cf/ostype/hpux9.m4 + cf/ostype/irix.m4 => cf/ostype/irix4.m4 + cf/ostype/ultrix4.1.m4 => cf/ostype/ultrix4.m4 + src/Makefile.* => src/Makefiles/Makefile.* + src/Makefile.AUX => src/Makefiles/Makefile.A-UX + src/Makefile.BSDI => src/Makefiles/Makefile.BSD-OS + src/Makefile.DGUX => src/Makefiles/Makefile.dgux + src/Makefile.RISCos => src/Makefiles/Makefile.UMIPS + src/Makefile.SunOS.4.0.3 => src/Makefiles/Makefile.SunOS.4.0 + OBSOLETED FILES: + cf/cf/cogsci.mc + cf/cf/cs-exposed.mc + cf/cf/cs-hidden.mc + cf/cf/hpux-cs-hidden.mc + cf/cf/knecht.mc + cf/cf/osf1-cs-hidden.mc + cf/cf/sunos3.5-cs-exposed.mc + cf/cf/sunos3.5-cs-hidden.mc + cf/cf/sunos4.1-cs-hidden.mc + cf/cf/ultrix4.1-cs-hidden.mc + cf/domain/cs-hidden.m4 + contrib/rcpt-streaming + src/Makefiles/Makefile.SunOS.5.x + +8.6.13/8.6.12 1996/01/25 + SECURITY: In some cases it was still possible for an attacker to + insert newlines into a queue file, thus allowing access to + any user (except root). + CONFIG: no changes -- it is not a bug that the configuration + version number is unchanged. + +8.6.12/8.6.12 1995/03/28 + Fix to IDENT code (it was getting the size of the reply buffer + too small, so nothing was ever accepted). Fix from several + people, including Allan Johannesen, Shane Castle of the + Boulder County Information Services, and Jeff Smith of + Warwick University (all arrived within a few hours of + each other!). + Fix a problem that could cause large jobs to run out of + file descriptors on systems that use vfork() rather + than fork(). + +8.6.11/8.6.11 1995/03/08 + The ``possible attack'' message would be logged more often + than necessary if you are using Pine as a user agent. + The wrong host would be reported in the ``possible attack'' + message when attempted from IDENT. + In some cases the syslog buffer could be overflowed when + reporting the ``possible attack'' message. This can + cause denial of service attacks. Truncate the message + to 80 characters to prevent this problem. + When reading the IDENT response a loop is needed around the + read from the network to ensure that you don't get + partial lines. + Password entries without any shell listed (that is, a null + shell) wouldn't match as "ok". Problem noted by + Rob McMahon. + When running BIND 4.9.x a problem could occur because the + _res.options field is initialized differently than it + was historically -- this requires that sendmail call + res_init before it tweaks any bits. + Fix an incompatibility in openxscript() between the file open mode + and the stdio mode passed to fdopen. This caused UnixWare + 2.0 to have conniptions. Fix from Martin Sohnius of + Novell Labs Europe. + Fix problem with static linking of local getopt routine when + using GNU's ld command. Fix from John Kennedy of + Cal State Chico. + It was possible to turn off privacy flags. Problem noted by + *Hobbit*. + Be more paranoid about writing files. Suggestions by *Hobbit* + and Liudvikas Bukys. + MAKEMAP: fixes for 64 bit machines (DEC Alphas in particular) + from Spider Boardman. + CONFIG: No changes (version number only, to keep it in sync + with the binaries). + +8.6.10/8.6.10 1995/02/10 + SECURITY: Diagnose bogus values to some command line flags that + could allow trash to get into headers and qf files. + Validate the name of the user returned by the IDENT protocol. + Some systems that really dislike IDENT send intentionally + bogus information. Problem pointed out by Michael Bushnell + of the Free Software Foundation. Has some security + implications. + Fix a problem causing error messages about DNS problems when + the host name contained a percent sign to act oddly + because it was passed as a printf-style format string. + In some cases this could cause core dumps. + Avoid possible buffer overrun in returntosender() if error + message is quite long. From Fletcher Mattox of the + University of Texas. + Fix a problem that would silently drop "too many hops" error + messages if and only if you were sending to an alias. + From Jon Giltner of the University of Colorado and + Dan Harton of Oak Ridge National Laboratory. + Fix a bug that caused core dumps on some systems if -d11.2 was + set and e->e_message was null. Fix from Bruce Nagel of + Data General. + Fix problem that can still cause df files to be left around + after "hop count exceeded" messages. Fix from Andrew + Chang and Shau-Ping Lo of SunSoft. + Fix a problem that can cause buffer overflows on very long + user names (as might occur if you piped to a program + with a lot of arguments). + Avoid returning an error and re-queueing if the host signature + is null; this can occur on addresses like ``user@.''. + Problem noted by Wesley Craig and the University of + Michigan. + Avoid possible calls to malloc(0) if MCI caching is turned + off. Bug fix from Pierre David of the Laboratoire + Parallelisme, Reseaux, Systemes et Modelisation (PRiSM), + Universite de Versailles - St Quentin, and Jacky + Thibault. + Make a local copy of the line being sent via senttolist() -- in + some cases, buffers could get trashed by map lookups + causing it to do unexpected things. This also simplifies + some of the map code. + CONFIG: No changes (version number only, to keep it in sync + with the binaries). + +8.6.9/8.6.9 1994/04/19 + Do all mail delivery completely disconnected from any terminal. + This provides consistency with daemon delivery and + may have some security implications. + Make sure that malloc doesn't get called with zero size, + since that fails on some systems. Reported by Ed + Hill of the University of Iowa. + Fix multi-line values for $e (SMTP greeting message). Reported + by Mike O'Connor of Ford Motor Company. + Avoid syserr if no NIS domain name is defined, but the map it + is trying to open is optional. From Win Bent of USC. + Changes for picky compilers from Ed Gould of Digital Equipment. + Hesiod support for UDB from Todd Miller of the University of + Colorado. Use "hesiod" as the service name in the U + option. + Fix a problem that failed to set the "authentic" host name (that + is, the one derived from the socket info) if you called + sendmail -bs from inetd. Based on code contributed by + Todd Miller (this problem was also reported by Guy Helmer + of Dakota State University). This also fixes a related + problem reported by Liudvikas Bukys of the University of + Rochester. + Parameterize "nroff -h" in all the Makefiles so people with + variant versions can use them easily. Suggested by + Peter Collinson of Hillside Systems. + SMTP "MAIL" commands with multiple ESMTP parameters required two + spaces between parameters instead of one. Reported by + Valdis Kletnieks of Virginia Tech. + Reduce the number of system calls during message collection by + using global timeouts around the collect() loop. This + code was contributed by Eric Wassenaar. + If the initial hostname name gathering results in a name + without a dot (usually caused by NIS misconfiguration) + and BIND is compiled in, directly access DNS to get + the canonical name. This should make life easier for + Solaris systems. If it still can't be resolved, and + if the name server is listed as "required", try again + in 30 seconds. If that also fails, exit immediately to + avoid bogus "config error: mail loops back to myself" + messages. + Improve the "MAIL DELETED BECAUSE OF LACK OF DISK SPACE" error + message to explain how much space was available and + sound a bit less threatening. Suggested by Stan Janet + of the National Institute of Standards and Technology. + If mail is delivered to an alias that has an owner, deliver any + requested return-receipt immediately, and strip the + Return-Receipt-To: header from the subsequent message. + This prevents a certain class of denial of service + attack, arguably gives more reasonable semantics, and + moves things more towards what will probably become a + network standard. Suggested by Christopher Davis of + Kapor Enterprises. + Add a "noreceipts" privacy flag to turn off all return receipts + without recompiling. + Avoid printing ESMTP parameters as part of the error message + if there are errors during parsing. This change is + purely cosmetic. + Avoid sending out error messages during the collect phase of + SMTP; there is an MVS mailer from UCLA that gets + confused by this. Of course, I think it's their bug.... + Check for the $j macro getting undefined, losing a dot, or getting + lost from $=w in the daemon before accepting a connection; + if it is, it dumps state, prints a LOG_ALERT message, + and drops core for debugging. This is an attempt to + track down a bug that I thought was long since gone. + If you see this, please forward the log fragment to + sendmail@sendmail.ORG. + Change OLD_NEWDB from a #ifdef to a #if so it can be turned off + with -DOLD_NEWDB=0 on the command line. From Christophe + Wolfhugel. + Instead of trying to truncate the listen queue for the server + SMTP port when the load average is too high, just close + the port completely and reopen it later as needed. + This ensures that the other end gets a quick "connection + refused" response, and that the connection can be + recovered later. In particular, some socket emulations + seem to get confused if you tweak the listen queue + size around and can never start listening to connections + again. The down side is that someone could start up + another daemon process in the interim, so you could + have multiple daemons all not listening to connections; + this could in turn cause the sendmail.pid file to be + incorrect. A better approach might be to accept the + connection and give a 421 code, but that could break + other mailers in mysterious ways and have paging behavior + implications. + Fix a glitch in TCP-level debugging that caused flag 16.101 to + set debugging on the wrong socket. From Eric Wassenaar. + When creating a df* temporary file, be sure you truncate any + existing data in the file -- otherwise system crashes + and the like could result in extra data being sent. + DOC: Replace the CHANGES-R5-R8 readme file with a paper in the + doc directory. This includes some additional + information. + CONFIG: change UUCP rules to never add $U! or $k! on the front + of recipient envelope addresses. This should have been + handled by the $&h trick, but broke if people were + mixing domainized and UUCP addresses. They should + probably have converted all the way over to uucp-uudom + instead of uucp-{new,old}, but the failure mode was to + loop the mail, which was bad news. + Portability fixes: + Newer BSDI systems (several people). + Older BSDI systems from Christophe Wolfhugel. + Intergraph CLIX, from Paul Southworth of CICNet. + UnixWare, from Evan Champion. + NetBSD from Adam Glass. + Solaris from Quentin Campbell of the University of + Newcastle upon Tyne. + IRIX from Dean Cookson and Bill Driscoll of Mitre + Corporation. + NCR 3000 from Kevin Darcy of Chrysler Financial Corporation. + SunOS (it has setsid() and setvbuf() calls) from + Jonathan Kamens of OpenVision Technologies. + HP-UX from Tor Lillqvist. + New Files: + src/Makefile.CLIX + src/Makefile.NCR3000 + doc/changes/Makefile + doc/changes/changes.me + doc/changes/changes.ps + +8.6.8/8.6.6 1994/03/21 + SECURITY: it was possible to read any file as root using the + E (error message) option. Reported by Richard Jones; + fixed by Michael Corrigan and Christophe Wolfhugel. + +8.6.7/8.6.6 1994/03/14 + SECURITY: it was possible to get root access by using weird + values to the -d flag. Thanks to Alain Durand of + INRIA for forwarding me the notice from the bugtraq + list. + +8.6.6/8.6.6 1994/03/13 + SECURITY: the ability to give files away on System V-based + systems proved dangerous -- don't run as the owner + of a :include: file on a system that allows giveaways. + Unfortunately, this also applies to determining a + valid shell. + IMPORTANT: Previous versions weren't expiring old connections + in the connection cache for a long time under some + circumstances. This could result in resource exhaustion, + both at your end and at the other end. This checks the + connections for timeouts much more frequently. From + Doug Anderson of NCSC. + Fix a glitch that snuck in that caused programs to be run as + the sender instead of the recipient if the mail was + from a local user to another local user. From + Motonori Nakamura of Kyoto University. + Fix "wildcard" on /etc/shells matching -- instead of looking + for "*", look for "/SENDMAIL/ANY/SHELL/". From + Bryan Costales of ICSI. + Change the method used to declare the "statfs" availability; + instead of HASSTATFS and/or HASUSTAT with a ton of + tweaking in conf.c, there is a single #define called + SFS_TYPE which takes on one of six values (SFS_NONE + for no statfs availability, SFS_USTAT for the ustat(2) + syscall, SFS_4ARGS for a four argument statfs(2) call, + and SFS_VFS, SFS_MOUNT, or SFS_STATFS for a two argument + statfs(2) call with the declarations in <sys/vfs.h>, + <sys/mount.h>, or <sys/statfs.h> respectively). + Fix glitch in NetInfo support that could return garbage if + there was no "/locations/sendmail" property. From + David Meyer of the University of Virginia. + Change HASFLOCK from defined/not-defined to a 0/1 definition + to allow Linux to turn it off even though it is a + BSD-like system. + Allow setting of "ident" timeout to zero to turn off the ident + protocol entirely. + Make 7-bit stripping local to a connection (instead of to a + mailer); this allows you to specify that SMTP is a + 7-bit channel, but revert to 8-bit should it advertise + that it supports 8BITMIME. You still have to specify + mailer flag 7 to get this stripping at all. + Improve makesendmail script so it handles more cases automatically. + Tighten up restrictions on taking ownership of :include: files + to avoid problems on systems that allow you to give away + files. + Fix a problem that made it impossible to rebuild the alias + file if it was on a read-only file system. From + Harry Edmon of the University of Washington. + Improve MX randomization function. From John Gardiner Myers + of CMU. + Fix a minor glitch causing a bogus message to be printed (used + %s instead of %d in a printf string for the line number) + when a bad queue file was read. From Harry Edmon. + Allow $s to remain NULL on locally generated mail. I'm not + sure this is necessary, but a lot of people have complained + about it, and there is a legitimate question as to whether + "localhost" is legal as an 822-style domain. + Fix a problem with very short line lengths (mailer L= flag) in + headers. This causes a leading space to be added onto + continuation lines (including in the body!), and also + tries to wrap headers containing addresses (From:, To:, + etc) intelligently at the shorter line lengths. Problem + Reported by Lars-Johan Liman of SUNET Operations Center. + Log the real user name when logging syserrs, since these can have + security implications. Suggested by several people. + Fix address logging of cached connections -- it used to always + log the numeric address as zero. This is a somewhat + bogus implementation in that it does an extra system + call, but it should be an inexpensive one. Fix from + Motonori Nakamura. + Tighten up handling of short syslog buffers even more -- there + were cases where the outgoing relay= name was too long + to share a line with delay= and mailer= logging. + Limit the overhead on split envelopes to one open file descriptor + per envelope -- previously the overhead was three + descriptors. This was in response to a problem reported + by P{r (Pell) Emanuelsson. + Fixes to better handle the case of unexpected connection closes; + this redirects the output to the transcript so the info + is not lost. From Eric Wassenaar. + Fix potential string overrun if you macro evaluate a string that + has a naked $ at the end. Problem noted by James Matheson + <jmrm@eng.cam.ac.uk>. + Make default error number on $#error messages 553 (``Requested + action not taken: mailbox name not allowed'') instead of + 501 (``Syntax error in parameters or arguments'') to + avoid bogus "protocol error" messages. + Strip off any existing trailing dot on names during $[ ... $] + lookup. This prevents it from ending up with two dots + on the end of dot terminated names. From Wesley Craig + of the University of Michigan and Bryan Costales of ICSI. + Clean up file class reading so that the debugging information is + more informative. It hadn't been using setclass, so you + didn't see the class items being added. + Avoid core dump if you are running a version of sendmail where + NIS is compiled in, and you specify an NIS map, but + NIS is not running. Fix from John Oleynick of + Rutgers. + Diagnose bizarre case where res_search returns a failure value, + but sets h_errno to a success value. + Make sure that "too many hops" messages are considered important + enough to send an error to the Postmaster (that is, the + address specified in the P option). This fix should + help problems that cause the df file to be left around + sometimes -- unfortunately, I can't seem to reproduce + the problem myself. + Avoid core dump (null pointer reference) on EXPN command; this + only occurred if your log level was set to 10 or higher + and the target account was an alias or had a .forward file. + Problem noted by Janne Himanka. + Avoid "denial of service" attacks by someone who is flooding your + SMTP port with bad commands by shutting the connection + after 25 bad commands are issued. From Kyle Jones of + UUNET. + Fix core dump on error messages with very long "to" buffers; + fmtmsg overflows the message buffer. Fixed by trimming + the to address to 203 characters. Problem reported by + John Oleynick. + Fix configuration for HASFLOCK -- there were some spots where + a #ifndef was incorrectly #ifdef. Pointed out by + George Baltz of the University of Maryland. + Fix a typo in savemail() that could cause the error message To: + lists to be incorrect in some places. From Motonori + Nakamura. + Fix a glitch that can cause duplicate error messages on split + envelopes where an address on one of the lists has a + name server failure. Fix from Voradesh Yenbut of the + University of Washington. + Fix possible bogus pointer reference on ESMTP parameters that + don't have an ``=value'' part. + CNAME loops caused an error message to be generated, but also + re-queued the message. Changed to just re-queue the + message (it's really hard to just bounce it because + of the weird way the name server works in the presence + of CNAME loops). Problem noted by James M.R.Matheson + of Cambridge University. + Avoid giving ``warning: foo owned process doing -bs'' messages + if they use ``MAIL FROM:<foo>'' where foo is their true + user name. Suggested by Andreas Stolcke of ICSI. + Change the NAMED_BIND compile flag to be a 0/1 flag so you can + override it easily in the Makefile -- that is, you can + turn it off using -DNAMED_BIND=0. + If a gethostbyname(...) of an address with a trailing dot fails, + try it without the trailing dot. This is because if + you have a version of gethostbyname() that falls back + to NIS or the /etc/hosts file it will fail to find + perfectly reasonable names that just don't happen to + be dot terminated in the hosts file. You don't want to + strip the dot first though because we're trying to ensure + that country names that match one of your subdomains get + a chance. + PRALIASES: fix bogus output on non-null-terminated strings. + From Bill Gianopoulos of Raytheon. + CONFIG: Avoid rewriting anything that matches $w to be $j. + This was in code intended to only catch the self-literal + address (that is, [1.2.3.4], where 1.2.3.4 is your + IP address), but the code was broken. However, it will + still do this if $M is defined; this is necessary to + get client configurations to work (sigh). Note that this + means that $M overrides :mailname entries in the user + database! Problem noted by Paul Southworth. + CONFIG: Fix definition of Solaris help file location. From + Steve Cliffe <steve@gorgon.cs.uow.edu.au>. + CONFIG: Fix bug that broke news.group.USENET mappings. + CONFIG: Allow declaration of SMTP_MAILER_MAX, FAX_MAILER_MAX, + and USENET_MAILER_MAX to tweak the maximum message + size for various mailers. + CONFIG: Change definition of USENET_MAILER_ARGS to include argv[0] + instead of assuming that it is "inews" for consistency + with other mailers. From Michael Corrigan of UC San Diego. + CONFIG: When mail is forwarded to a LOCAL_RELAY or a MAIL_HUB, + qualify the address in the SMTP envelope as user@{relay|hub} + instead of user@$j. From Bill Wisner of The Well. + CONFIG: Fix route-addr syntax in nullrelay configuration set. + CONFIG: Don't turn off case mapping of user names in the local + mailer for IRIX. This was different than most every other + system. + CONFIG: Avoid infinite loops on certainly list:; syntaxes in + envelope. Noted by Thierry Besancon + <besancon@excalibur.ens.fr>. + CONFIG: Don't include -z by default on uux line -- most systems + don't want it set by default. Pointed out by Philippe + Michel of Thomson CSF. + CONFIG: Fix some bugs with mailertables -- for example, if your + host name was foo.bar.ray.com and you matched against + ".ray.com", the old implementation bound %1 to "bar" + instead of "foo.bar". Also, allow "." in the mailertable + to match anything -- essentially, take over SMART_HOST. + This also moves matching of explicit local host names + before the mailertable so they don't have to be special + cased in the mailertable data. Reported by Bill + Gianopoulos of Raytheon; the fix for the %1 binding + problem was contributed by Nicholas Comanos of the + University of Sydney. + CONFIG: Don't include "root" in class $=L (users to deliver + locally, even if a hub or relay exists) by default. + This is because of the known bug where definition of + both a LOCAL_RELAY and a MAIL_HUB causes $=L to ignore + both and deliver into the local mailbox. + CONFIG: Move up bitdomain and uudomain handling so that they + are done before .UUCP class matching; uudomain was + reported as ineffective before. This also frees up + diversion 8 for future use. Problem reported by Kimmo + Suominen. + CONFIG: Don't try to convert dotted IP address (e.g., [1.2.3.4]) + into host names. As pointed out by Jonathan Kamens, + these are often used because either the forward or reverse + mapping is broken; this translation makes it broken again. + DOC: Clarify $@ and $: in the Install & Op Guide. From Kimmo + Suominen. + Portability fixes: + Unicos from David L. Kensiski of Sterling Software. + DomainOS from Don Lewis of Silicon Systems. + GNU m4 1.0.3 from Karst Koymans of Utrecht University. + Convex from Kimmo Suominen <kim@tac.nyc.ny.us>. + NetBSD from Adam Glass <glass@sun-lamp.cs.berkeley.edu>. + BSD/386 from Tony Sanders of BSDI. + Apollo from Eric Wassenaar. + DGUX from Doug Anderson. + Sequent DYNIX/ptx 2.0 from Tim Wright of Sequent. + NEW FILES: + src/Makefile.DomainOS + src/Makefile.PTX + src/Makefile.SunOS.5.1 + src/Makefile.SunOS.5.2 + src/Makefile.SunOS.5.x + src/mailq.1 + cf/ostype/domainos.m4 + doc/op/Makefile + doc/intro/Makefile + doc/usenix/Makefile + +8.6.5/8.6.5 1994/01/13 + Security fix: /.forward could be owned by anyone (the test + to allow root to own any file was backwards). From + Bob Campbell at U.C. Berkeley. + Security fix: group ids were not completely set when programs + were invoked. This caused programs to have group + permissions they should not have had (usually group + daemon instead of their own group). In particular, + Perl scripts would refuse to run. + Security: check to make sure files that are written are not + symbolic links (at least under some circumstances). + Although this does not respond to a specific known + attack, it's just a good idea. Suggested by + Christian Wettergren. + Security fix: if a user had an NFS mounted home directory on + a system with a restricted shell listed in their + /etc/passwd entry, they could still execute any + program by putting that in their .forward file. + This fix prevents that by insisting that their shell + appear in /etc/shells before allowing a .forward to + execute a program or write a file. You can disable + this by putting "*" in /etc/shells. It also won't + permit world-writable :include: files to reference + programs or files (there's no way to disable this). + These behaviors are only one level deep -- for + example, it is legal for a world-writable :include: + file to reference an alias that writes a file, on + the assumption that the alias file is well controlled. + Security fix: root was not treated suspiciously enough when + looking into subdirectories. This would potentially + allow a cracker to examine files that were publicly + readable but in a non-publicly searchable directory. + Fix a problem that causes an error on QUIT on a cached + connection to create problems on the current job. + These are typically unrelated, so errors occur in + the wrong place. + Reset CurrentLA in sendall() -- this makes sendmail queue + runs more responsive to load average, and fixes a + problem that ignored the load average in locally + generated mail. From Eric Wassenaar. + Fix possible core dump on aliases with null LHS. From + John Orthoefer of BB&N. + Revert to using flock() whenever possible -- there are just + too many bugs in fcntl() locking, particularly over + NFS, that cause sendmail to fail in perverse ways. + Fix a bug that causes the connection cache to get confused + when sending error messages. This resulted in + "unexpected close" messages. It should fix itself + on the following queue run. Problem noted by + Liudvikas Bukys of the University of Rochester. + Include $k in $=k as documented in the Install & Op Guide. + This seems odd, but it was documented.... From + Michael Corrigan of UCSD. + Fix problem that caused :include:s from alias files to be + forced to be owned by root instead of daemon + (actually DefUid). From Tim Irvin. + Diagnose unrecognized I option values -- from Mortin Forssen + of the Chalmers University of Technology. + Make "error" mailer work consistently when there is no error + code associated with it -- previously it returned OK + even though there was a real problem. Now it assumes + EX_UNAVAILABLE. + Fix bug that caused the last header line of messages that had + no body and which were terminated with EOF instead of + "." to be discarded. Problem noted by Liudvikas Bukys. + Fix core dump on SMTP mail to programs that failed -- it tried + to go to a "next MX host" when none existed, causing + a core dump. From der Mouse at McGill University. + Change IDENTPROTO from a defined/not defined to a 0/1 switch; + this makes it easier to turn it off (using + -DIDENTPROTO=0 in the Makefile). From der Mouse. + Fix YP_MASTER_NAME store to use the unupdated result of + gethostname() (instead of myhostname(), which tries + to fully qualify the name) to be consistent with + SunOS. If your hostname is unqualified, this fixes + transfers to slave servers. Bug noted by Keith + McMillan of Ameritech Services, Inc. + Fix Ultrix problem: gethostbyname() can return a very large + (> 500) h_length field, which causes the sockaddr + to be trashed. Use the size of the sockaddr instead. + Fix from Bob Manson of Ohio State. + Don't assume "-a." on host lookups if NAMED_BIND is not + defined -- this confuses gethostbyname on hosts + file lookups, which doesn't understand the trailing + dot convention. + Log SMTP server subprocesses that die with a signal instead + of from a clean exit. + If you don't have option "I" set, don't assume that a DNS + "host unknown" message is authoritative -- it + might still be found in /etc/hosts. + Fix a problem that would cause Deferred: messages to be sent + as the subject of an error message, even though the + actual cause of a message was more severe than that. + Problem noted by Chris Seabrook of OSSI. + Fix race condition in DBM alias file locking. From Kyle + Jones of UUNET. + Limit delivery syslog line length to avoid bugs in some + versions of syslog(3). This adds a new compile time + variable SYSLOG_BUFSIZE. From Jay Plett of Princeton + University, which is in turn derived from IDA. + Fix quotes inside of comments in addresses -- previously + it insisted that they be balanced, but the 822 spec + says that they should be ignored. + Dump open file state to syslog upon receiving SIGUSR1 (for + debugging). This also evaluates ruleset 89, if set + (with the null input), and logs the result. This + should be used sparingly, since the rewrite process + is not reentrant. + Change -qI, -qR, and -qS flags to be case-insensitive as + documented in the Bat Book. + If the mailer returned EX_IOERR or EX_OSERR, sendmail did not + return an error message and did not requeue the message. + Fix based on code from Roland Dirlewanger of + Reseau Regional Aquarel, Bordeaux, France. + Fix a problem that caused a seg fault if you got a 421 error + code during some parts of connection initialization. + I've only seen this when talking to buggy mailers on + the other end, but it shouldn't give a seg fault in + any case. From Amir Plivatsky. + Fix core dump caused by a ruleset call that returns null. + Fix from Bryan Costales of ICSI. + Full-Name: field was being ignored. Fix from Motonori Nakamura + of Kyoto University. + Fix a possible problem with very long input lines in setproctitle. + From P{r Emanuelsson. + Avoid putting "This is a warning message" out on return receipts. + Suggested by Douglas Anderson. + Detect loops caused by recursive ruleset calls. Suggested by + Bryan Costales. + Initialize non-alias maps during alias rebuilds -- they may be + needed for parsing. Problem noted by Douglas Anderson. + Log sender address even if no message was collected in SMTP + (e.g., if all RCPTs failed). Suggested by Motonori + Nakamura. + Don't reflect the owner-list contents into the envelope sender + address if the value contains ", :, /, or | (to avoid + illegal addresses appearing there). + Efficiency hack for toktype macro -- from Craig Partridge of + BB&N. + Clean up DNS error printing so that a host name is always + included. + Remember to set $i during queue runs. Reported by Stephen + Campbell of Dartmouth University. + If the environment variable HOSTALIASES is set, use it during + canonification as the name of a file with per-user host + translations so that headers are properly mapped. Reported + by Anne Bennett of Concordia University. + Avoid printing misleading error message if SMTP mailer (not + using [IPC]) should die on a core dump. + Avoid incorrect diagnosis of "file 1 closed" when it is caused + by the other end closing the connection. From + Dave Morrison of Oracle. + Improve several of the error messages printed by "mailq" + to include a host name or other useful information. + Add NetInfo preliminary support for NeXT systems. From Vince + DeMarco. + Fix a glitch that sometimes caused :include:s that pointed to + NFS filesystems that were down to give an "aliasing/ + forwarding loop broken" message instead of queueing + the message for retry. Noted by William C Fenner of + the NRL Connection Machine Facility. + Fix a problem that could cause a core dump if the input sequence + had (or somehow acquired) a \231 character. + Make sure that route-addrs always have <angle brackets> around + them in non-SMTP envelopes (SMTP envelopes already do + this properly). + Avoid weird headers on unbalanced punctuation of the form: + ``Joe User <user)'' -- this caused reference to the + null macro. Fix from Rick McCarty of IO.COM. + Fix a problem that caused an alias "user: user@local.host" to + not have the QNOTREMOTE bit set; this caused configs + to act as if FEATURE(notsticky) was defined even when + it was not. The effect of the problem was to make it + very hard to to set up satellite sites that had a few + local accounts, with everything else forwarded to a + corporate hub. Reported by Detlef Drewanz of the + University of Rostock and Mark Frost of NCD. + Change queuing to not call rulesets 3, {1 or 2}, 4 on header + addresses. This is more efficient (fewer name server + calls) and fixes certain unusual configurations, such + as those that have ruleset 4 do something that is + non-idempotent unless a mailer-specific ruleset did + something else. Problem reported by Brian J. Coan + of the Institute for Global Communications. + Fix the "obsolete argument" routine in main to better understand + new arguments. For example, if you used ``sendmail + -C config -v -q'' it would choke on the -q because + the -C would stop looking for old-format arguments. + Fix the code that was intended to allow two users to forward their + mail to the same program and have them appear unique. + Portability fixes for: + SCO UNIX from Murray Kucherawy. + SCO Open Server 3.2v4 from Philippe Brand. + System V Release 4 from Rick Ellis and others. + OSF/1 from Steve Campbell. + DG/UX from Ben Mesander of the USGS and Bryan Curnutt + of Stoner Associates. + Motorola SysV88 from Kevin Johnson of Motorola. + Solaris 2.3 from Casper H.S. Dik of the University + of Amsterdam and John Caruso of University + of Maryland. + FreeBSD from Ollivier Robert. + NetBSD from Adam Glass. + TitanOS from Kate Hedstrom of Rutgers University. + Irix from Bryan Curnutt. + Dynix from Jim Davis of the University of Arizona. + RISC/os. + Linux from John Kennedy of California State University + at Chico. + Solaris 2.x from Tony Boner of the U.S. Air Force. + NEXTSTEP 3.x from Vince DeMarco. + HP-UX from various people. NOTA BENE: the location + of the config file has moved to /usr/lib + to match the HP-UX version of sendmail. + CONFIG: Don't do any recipient rewriting on relay mailer; + since this is intended only for internal use, the + usual RFC 821/822/1123 rules can be relaxed. The + main point of this is to avoid munging (ugh) UUCP + addresses when relaying internally. + CONFIG: fix typo in mailer/uucp.m4 that mutilates list:; + syntax addresses delivered via UUCP. Solution + provided by Peter Wemm. + CONFIG: fix thumb-fumble in default UUCP relaying in ruleset + zero; it caused double @ signs in addresses. From + Irving Reid of the University of Toronto. + CONFIG: Portability fixes for SCO Unix 3.2 with TCP/IP 1.2.1 + from Markku Toijala of ICL Personal Systems Oy. + CONFIG: Add trailing "." on pseudo-domains for consistency; + this fixes a problem (noted by Al Whaley of Sunnyside) + that made it hard to recognize your own pseudodomain + names. + CONFIG: catch "@host" syntax errors (i.e., null local-parts) + rather than letting them get "local configuration + error"s. Problem noted by John Gardiner Myers. + CONFIG: add uucp-uudom mailer variant, based on code posted + by Spider Boardman <spider@Orb.Nashua.NH.US>; this + has uucp-dom semantics but old UUCP syntax. This + also permits "uucp-old" as an alias for "uucp" and + "uucp-new" as a synonym for "suucp" for consistency. + CONFIG: add POP mailer support (from Kimmo Suominen + <kim@grendel.lut.fi>). + CONFIG: drop CSNET_RELAY support -- CSNET is long gone. + CONFIG: fix bug caused with domain literal addresses (e.g., + ``[128.32.131.12]'') when FEATURE(allmasquerade) + was set; it would get an additional @masquerade.host + added to the address. Problem noted by Peter Wan + of Georgia Tech. + CONFIG: make sure that the local UUCP name is in $=w. From + Jim Murray of Stratus. + CONFIG: changes to UUCP rewriting to simulate IDA-style "V" + mailer flag. Briefly, if you are sending to host + "foo", then it rewrites "foo!...!baz" to "...!baz", + "foo!baz" remains "foo!baz", and anything else has + the local name prepended. + CONFIG: portability fixes for HP-UX. + DOC: several minor problems fixed in the Install & Op Guide. + MAKEMAP: fix core dump problem on lines that are too long or + which lack newline. From Mark Delany. + MAILSTATS: print sums of columns (total messages & kbytes + in and out of the system). From Tom Ferrin of UC + San Francisco Computer Graphics Lab. + SIGNIFICANT USER- OR SYSAD-VISIBLE CHANGES: + On HP-UX, /etc/sendmail.cf has been moved to + /usr/lib/sendmail.cf to match HP sendmail. + Permissions have been tightened up on world-writable + :include: files and accounts that have shells + that are not listed in /etc/shells. This may + cause some .forward files that have worked + before to start failing. + SIGUSR1 dumps some state to the log. + NEW FILES: + src/Makefile.DGUX + src/Makefile.Dynix + src/Makefile.FreeBSD + src/Makefile.Mach386 + src/Makefile.NetBSD + src/Makefile.RISCos + src/Makefile.SCO + src/Makefile.SVR4 + src/Makefile.Titan + cf/mailer/pop.m4 + cf/ostype/bsdi1.0.m4 + cf/ostype/dgux.m4 + cf/ostype/dynix3.2.m4 + cf/ostype/sco3.2.m4 + makemap/Makefile.dist + praliases/Makefile.dist + +8.6.4/8.6.4 1993/10/31 + Repair core-dump problem (write to read-only memory segment) + if you fall back to the return-to-Postmaster case in + savemail. Problem reported by Richard Liu. + Immediately diagnose bogus sender addresses in SMTP. This + makes quite certain that crackers can't use this + class of attack. + Reliability Fix: check return value from fclose() and fsync() + in a few critical places. + Minor problem in initsys() that reversed a condition for + redirecting the output channel on queue runs. It's + not clear this code even does anything. From Eric + Wassenaar of the Dutch National Institute for Nuclear + and High-Energy Physics. + Fix some problems that caused queue runs to do "too much work", + such as double-reading the Errors-To: header. From + Eric Wassenaar. + Error messages on writing the temporary file (including the + data file) were getting suppressed in SMTP -- this + fix causes them to be properly reported. From Eric + Wassenaar. + Some changes to support AF_UNIX sockets -- this will only + really become relevant in the next release, but some + people need it for local patches. From Michael + Corrigan of UC San Diego. + Use dynamically allocated memory (instead of static buffers) + for macros defined in initsys() and settime(); since + these can have different values depending on which + envelope they are in. From Eric Wassenaar. + Improve logging to show ctladdr on to= logging; this tells you + what uid/gid processes ran as. + Fix a problem that caused error messages to be discarded if + the sender address was unparseable for some reason; + this was supposed to fall back to the "return to + postmaster" case. + Improve aliaswait backoff algorithm. + Portability patches for Linux (8.6.3 required another header + file) (from Karl London) and SCO UNIX. + CONFIG: patch prog mailer to not strip host name off of envelope + addresses (so that it matches local again). From + Christopher Davis. + CONFIG: change uucp-dom mailer so that "<>" translates to $n; + this prevents uux from seeing lines with null names like + ``From Sat Oct 30 14:55:31 1993''. From Motonori + Nakamura of Kyoto University. + CONFIG: handle <list:;> syntax correctly. This isn't legal, but + it shouldn't fail miserably. From Motonori Nakamura. + +8.6.2/8.6.2 1993/10/15 + Put a "successful delivery" message in the transcript for + addresses that get return-receipts. + Put a prominent "this is only a warning" message in warning + messages -- some people don't read carefully enough + and end up sending the message several times. + Include reason for temporary failure in the "warning" return + message. Currently, it just says "cannot send for + four hours". + Fix the "Original message received" time generated for + returntosender messages. It was previously listed as + the current time. Bug reported by Eric Hagberg of + Cornell University Medical College. + If there is an error when writing the body of a message, + don't send the trailing dot and wait for a response + in sender SMTP, as this could cause the connection to + hang up under some bizarre circumstances. From Eric + Wassenaar. + Fix some server SMTP synchronization problems caused when + connections fail during message collection. From + Eric Wassenaar. + Fix a problem that can cause srvrsmtp to reject mail if the + name server is down -- it accepts the RCPT but rejects + the DATA command. Problem reported by Jim Murray of + Stratus. + Fix a problem that can cause core dumps if the config file + incorrectly resolves to a null hostname. Reported by + Allan Johannesen of WPI. + Non-root use of -C flag, dangerous -f flags, and use of -oQ + by non-root users were not put into + X-Authentication-Warning:s as intended because the + config file hadn't set the PrivacyOptions yet. Fix + from Sven-Ove Westberg of the University of Lulea. + Under very odd circumstances, the alias file rebuild code + could get confused as to whether a database was + open or not. + Check "vendor code" on the end of V lines -- this is + intended to provide a hook for vendor-specific + configuration syntax. (This is a "new feature", + but I've made an exception to my rule in a belief + that this is a highly exceptional case.) + Portability fixes for DG/UX (from Douglas Anderson of NCSC), + SCO Unix (from Murray Kucherawy), A/UX, and OSF/1 + (from Jon Forrest of UC Berkeley) + CONFIG: fix ``mailer:host'' form of UUCP relay naming. + +8.6.1/8.6 1993/10/08 + Portability fixes for A/UX and Encore UMAX V. + Fix error message handling -- if you had a name server down + causing an error during parsing, that message was never + propagated to the queue file. + +8.6/8.6 1993/10/05 + Configuration cleanup: make it easier to undo IDENTPROTO in + conf.h (other systems have the same bug). + If HASGETDTABLESIZE and _SC_OPEN_MAX are both defined, assume + getdtablesize() instead of sysconf(); a disturbingly + large number of systems defined _SC_OPEN_MAX in the + header files but don't have the syscall. + Another patch to really truly ignore MX records in getcanonname + if trymx == FALSE. + Fix problem that caused the "250 IAA25499 Message accepted for + delivery" message to be omitted if there was an error + in the header of the message (e.g., a bad Errors-To: + line). Pointed out by Michael Corrigan of UCSD. + Announce name of host we are chatting when we get errors; this + is an IDA-ism suggested by Christophe Wolfhugel. + Portability fixes for Alpha OSF/1 (from Anthony Baxter of the + Australian Artificial Intelligence Institute), SCO Unix + (from Murray Kucherawy of Hookup Communication Corp.), + NeXT (from Vince DeMarco and myself), Linux (from + Karl London <karl@borg.demon.co.uk>), BSDI (from + Christophe Wolfhugel, and SVR4 on Dell (from Kimmo + Suominen), AUX 3.0 on Macintosh, and ANSI C compilers. + Some changes to get around gcc optimizer bugs. From Takahiro + Kanbe. + Fix error recovery in queueup if another tf file of the same + name already exists. Problem stumbled over by Bill + Wisner of The Well. + Output YP_MASTER_NAME and YP_LAST_MODIFIED without null bytes. + Problem noted by Keith McMillan of Ameritech Services. + Deal with group permissions properly when opening .forward and + :include: files. This relaxes the 8.1C restrictions + slightly more. This includes proper setting of groups + when reading :include: files, allowing you to read some + files that you should be able to read but have previously + been denied unless you owned them or they had "other" + read permission. + Make certain that $j is in $=w (after the .cf is read) so that + if the user is forced to override some silly system, + MX suppression will still work. + Fix a couple of efficiency problems where newstr was double- + calling expensive routines. In at least one case, it + wasn't guaranteed that they would always return the + same result. Problem noted by Christophe Wolfhugel. + Fix null pointer dereference in putoutmsg -- only on an error + condition from a non-SMTP mailer. From Motonori + Nakamura. + Macro expand "C" line class definitions before scanning so that + "CX $Z" works. + Fix problem that caused error message to be sent while still + trying to send the original message if the connection + is closed during a DATA command after getting an error + on an RCPT command (pretty obscure). Problem reported + by John Myers of CMU. + Fix reply to NOOP to be 250 instead of 200 -- this is a long + term bug. + Fix a nasty bug causing core dumps when returning the "warning: + cannot deliver for N hours -- will keep trying" message; + it only occurred if you had PostmasterCopy set and + only on some architectures. Although sendmail would + keep trying, it would send error messages on each + queue interval. This is an important fix. + Allow u and g options to take user and group names respectively. + Don't do a chdir into the queue directory in -bt mode to make + ruleset testing a bit easier. + Don't allow users to turn off logging (using -oL) on the command + line -- command line can only raise, not lower, logging + level. + Set $u to the original recipient on the SMTP transaction or on + the command line. This is only done if there is exactly + one recipient. Technically, this does not meet the + specs, because it does not guarantee a domain on the + address. + Fix a problem that dumped error messages on bad addresses if + you used the -t flag. Problem noted by Josh Smith of + Harvey Mudd College. + Given an address such as ``<foo> <bar>'', auto-quote the first + ``<foo>'' part, giving ``"<foo>" <bar>''. This is to + avoid the problem of people who use angle brackets in + their full name information. + Fix a null pointer dereference if you set option "l", have + an Errors-To: header in the message, and have Errors-To: + defined in the config file H lines. From J.R. Oldroyd. + Put YPCOMPAT on #ifdef NIS instead -- it's one less thing to get + wrong when compiling. Suggested by Rick McCarty of TI. + Fix a problem that could pass negative SIZE parameter if the + df file got lost; this would cause servers to always + give a temporary failure, making the problem even worse. + Problem noted by Allan Johannesen of WPI. + Add "ident" timeout (one of the "r" option selectors) for IDENT + protocol timeouts (30s default). Requested by Murray + Kucherawy of HookUp Communication Corp. to handle bogus + PC TCP/IP implementations. + Change $w default definition to be just the first component of + the domain name on config level 5. The $j macro defaults + to the FQDN; $m remains as before. This lets well-behaved + config files use any of the short, long, or subdomain + names. + Add makesendmail script in src to try to automate multi-architecture + builds. I know, this is sub-optimal, but it is still + helpful. + Fix very obscure race condition that can cause a queue run to + get a queue file for an already completed job. This + problem has existed for years. Problem noted by the + long suffering Allan Johannesen of WPI. + Fix a problem that caused the raw sender name to be passed to + udbsender instead of the canonified name -- this caused + it to sometimes miss records that it should have found. + Relax check of name on HELO packet so that a program using -bs + that claims to be itself works properly. + Restore rewriting of $: part of address through 2, R, 4 in + buildaddr -- this requires passing a lot of flags to get + it right. Unlike old versions, this ONLY rewrites + recipient addresses, not sender addresses. + Fix a bug that caused core dumps in config files that cannot + resolve /file/name style addresses. Fix from Jonathan + Kamens of OpenVision Technologies. + Fix problem with fcntl locking that can cause error returns to + be lost if the lock is lost; this required fully + queueing everything, dropping the envelope (so errors + would get returned), and then re-reading the queue from + scratch. + Fix a problem that caused aliases that redefine an otherwise + true address to still send to the original address + if and only if the alias failed in certain bizarre + ways (e.g, if they pointed at a list:; syntax address). + Problem pointed out by Jonathan Kamens. + Remove support for frozen configuration files. They caused + more trouble than it was worth. + Fix problem that can cause error messages to get ignored when + using both -odb and -t flags. Problem noted by Rob + McNicholas at U.C. Berkeley. + Include all "normal" variations on hostname in $=w. For example, + if the host name is vangogh.cs.berkeley.edu, $=w will + contain vangogh, vangogh.cs, and vangogh.cs.berkeley.edu. + Add "restrictqrun" privacy flag -- without this, anyone can run + the queue. + Reset SmtpPhase global on initial connection creation so that + messages don't come out with stale information. + Pass an "ext" argument to lockfile so that error/log messages + will properly reflect the true filename being locked. + Put all [...] address forms into $=w -- this eliminates the need + for MAXIPADDR in conf.h. Suggested by John Gardiner + Myers of CMU. + Fix a bug that can cause qf files to be left around even after + an SMTP RSET command. Problem and fix from Michael + Corrigan. + Don't send a PostmasterCopy to errors when the Precedence: is + negative. Error reports still go to the envelope + sender address. + Add LA_SHORT for load averages. + Lock sendmail.st file when posting statistics. + Add "SendBufSize" and "RcvBufSize" suboptions to "O" option to + set the size of the TCP send and receive buffers; if you + run over a slow slip line you may need to set these down + (although it would be better to fix the SLIP implementation + so that it's not necessary to recompile every program + that does bulk data transfer). + Allow null defaults on $( ... $) lookups. Problem reported by + Amir Plivatsky. + Diagnose crufty S and V config lines. This resulted from an + observation that some people were using the SITE macro + without the SITECONFIG macro first, which was causing + bogus config files that were not caught. + Fix makemap -f flag to turn off case folding (it was turning it + on instead). THIS IS A USER VISIBLE CHANGE!!! + Fix a problem that caused multiple error messages to be sent if + you used "sendmail -t -oem -odb", your system uses fcntl + locking, and one of the recipient addresses is unknown. + Reset uid earlier in include() so that recursive .forwards or + :include:s don't use the wrong uid. + If file descriptor 0, 1, or 2 was closed when sendmail was + called, the code to recover the descriptor was broken. + This sometimes (only sometimes) caused problems with the + alias file. Fix from Motonori Nakamura. + Fix a problem that caused aliaswait to go into infinite recursion + if the @:@ metasymbol wasn't found in the alias file. + Improve error message on newaliases if database files cannot be + opened or if running with no database format defined. + Do a better estimation of the size of error messages when NoReturn + is set. Problem noted by P{r (Pell) Emanuelsson. + Fix a problem causing the "c" option (don't connect to expensive + mailers) to be ignored in SMTP. Problem noted and the + solution suggested by Robert Elz of The University of + Melbourne. + Improve connection caching algorithm by passing "[host]" to + hostsignature, which strips the square brackets and + returns the real name. This allows mailertable entries + to match regular entries. + Re-enable Return-Receipt-To: -- people seem to want this stupid + feature, even if it doesn't work right. + Catch and log attempts to try the "wiz" command in server SMTP. + This also ups the log level from LOG_NOTICE to LOG_CRIT. + Be more generous at assigning $z to the home directory -- do this + for programs that are specified through a .forward file. + Fix from Andrew Chang of Sun Microsystems. + Always save a fatal error message in preference to a non-fatal + error message so that the "subject" line of return + messages is the best possible. + CONFIG: reduce the number of quotes needed to quote configuration + parameters with commas: two quotes should work now, e.g., + define(ALIAS_FILE, ``/etc/aliases,/etc/aliases.local''). + CONFIG: class $=Z is a set of UUCP hosts that use uucp-dom + connections (domain-ized UUCP). + CONFIG: fix bug in default maps (-o must be before database file + name). Pointed out by Christophe Wolfhugel. + CONFIG: add FEATURE(nodns) to state that we are not relying on + DNS. This would presumably be used in UUCP islands. + CONFIG: add OSTYPE(nextstep) and OSTYPE(linux). + CONFIG: log $u in Received: line. This is in technical violation + of the standards, since it doesn't guarantee a domain + on the address. + CONFIG: don't assume "m" in local mailer flags -- this means that + if you redefine LOCAL_MAILER_FLAGS you will have to include + the "m" flag should you want it. Apparently some Solaris 2.2 + installations can't handle multiple local recipients. + Problem noted by Josh Smith. + CONFIG: add confDOMAIN_NAME to set $j (if undefined, $j defaults). + CONFIG: change default version level from 4 to 5. + CONFIG: add FEATURE(nullclient) to create a config file that + forwards all mail to a hub without ever looking at the + addresses in any detail. + CONFIG: properly strip mailer: information off of relays when + used to change .BITNET form into %-hack form. + CONFIG: fix a problem that caused infinite loops if presented + with an address such as "!foo". + CONFIG: check for self literal (e.g., [128.32.131.12]) even if + the reverse "PTR" mapping is broken. There's a better + way to do this, but the change is fairly major and I + want to hold it for another release. Problem noted by + Bret Marquis. + +8.5/8.5 1993/07/23 + Serious bug: if you used a command line recipient that was unknown + sendmail would not send a return message (it was treating + everything as though it had an SMTP-style client that + would do the return itself). Problem noted by Josh Smith. + Change "trymx" option in getcanonname() to ignore all MX data, + even during a T_ANY query. This actually didn't break + anything, because the only time you called getcanonname + with !trymx was if you already knew there were no MX + records, but it is somewhat cleaner. From Motonori + Nakamura. + Don't call getcanonname from getmxrr if you already know there + are no DNS records matching the name. + Fix a problem causing error messages to always include "The + original message was received ... from localhost". + The correct original host information is now included. + Previous change to cf/sh/makeinfo.sh doesn't port to Ultrix (their + version of "test" doesn't have the -x flag). Change it + to use -f instead. From John Myers. + CONFIG: 8.4 mistakenly set the default SMTP-style mailer to + esmtp -- it should be smtp. + CONFIG: send all relayed mail using confRELAY_MAILER (defaults + to "relay" (a variant of "smtp") if MAILER(smtp) is used, + else "suucp" if MAILER(uucp) is used, else "unknown"); + this cleans up the configs somewhat. This fixes a serious + problem that caused route-addrs to get mistaken as relays, + pointed out by John Myers. WARNING: this also causes + the default on SMART_HOST to change from "suucp" to + "relay" if you have MAILER(smtp) specified. + +8.4/8.4 1993/07/22 + Add option `w'. If you receive a message that comes to you because + you are the best (lowest preference) target of an MX, and + you haven't explicitly recognized the source MX host in + your .cf file, this option will cause you to try the target + host directly (as if there were no MX for it at all). If + `w' is not set, this case is a configuration error. + Beware: if `w' is set, senders may get bogus errors like + "message timed out" or "host unknown" for problems that + are really configuration errors. This option is + disrecommended, provided only for compatibility with + UIUC sendmail. + Fix a problem that caused the incoming socket to be left open + when sendmail forks after the DATA command. This caused + calling systems to wait in FIN_WAIT_2 state until the + entire list was processed and the child closed -- a + potentially prodigious amount of time. Problem noted + by Neil Rickert. + Fix problem (created in 6.64) that caused mail sent to multiple + addresses, one of which was a bad address, to completely + suppress the sending of the message. This changes + handling of EF_FATALERRS somewhat, and adds an + EF_GLOBALERRS flag. This also fixes a potential problem + with duplicate error messages if there is a syntax error + in the header of a message that isn't noticed until late + in processing. Original problem pointed out by Josh Smith + of Harvey Mudd College. This release includes quite a bit + of dickering with error handling (see below). + Back out SMTP transaction if MAIL gets nested 501 error. This + will only hurt already-broken software and should help + humans. + Fix a problem that broke aliases when neither NDBM nor NEWDB were + compiled in. It would never read the alias file. + Repair unbalanced `)' and `>' (the "open" versions are already + repaired). + Logging of "done" in dropenvelope() was incorrect: it would + log this even when the queue file still existed. Change + this to only log "done" (at log level 11) when the + queue file is actually removed. From John Myers. + Log "lost connection" in server SMTP at log level 20 if there + is no pending transaction. Some senders just close the + connection rather than sending QUIT. + Fix a bug causing getmxrr to add a dot to the end of unqualified + domains that do not have MX records -- this would cause + the subsequent host name lookup to fail. The problem + only occurred if you had FEATURE(nocanonify) set. + Problem noted by Rick McCarty of Texas Instruments. + Fix invocation of setvbuf when passed a -X flag -- I had + unwittingly used an ANSI C extension, and this caused + core dumps on some machines. + Diagnose self-destructive alias loops on RCPT as well as EXPN. + Previously it just gave an empty send queue, which + then gave either "Need RCPT (recipient)" at the DATA + (confusing, since you had given an RCPT command which + returned 250) or just dropped the email, depending on + whether you were running VERBose mode. Now it usually + diagnoses this case as "aliasing/forwarding loop broken". + Unfortunately, it still doesn't adequately diagnose + some true error conditions. + Add internal concept of "warning messages" using 6xx codes. + These are not reported only to Postmaster. Unbalanced + parens, brackets, and quotes are printed as 653 codes. + They are always mapped to 5xx codes before use in SMTP. + Clean up error messages to tell both the actual address that + failed and the alias they arose from. This makes it + somewhat easier to diagnose problems. Difficulty noted + by Motonori Nakamura. + Fix a problem that inappropriately added a ctladdr to addresses + that shouldn't have had one during a queue run. This + caused error messages to be handled differently during + a queue run than a direct run. + Don't print the qf name and line number if you get errors during + the direct run of the queue from srvrsmtp -- this was + just extra stuff for users to crawl through. + Put command line flags on second line of pid file so you can + auto-restart the daemon with all appropriate arguments. + Use "kill `head -1 /etc/sendmail.pid`" to stop the + daemon, and "eval `tail -1 /etc/sendmail.pid`" to + restart it. + Remove the ``setuid(getuid())'' in main -- this caused the + IDENT daemon to screw up. This required that I change + HASSETEUID to HASSETREUID and complicate the mode + changing somewhat because both Ultrix and SunOS seem + to have a bug causing seteuid() to set the saved uid + as well as the effective. The program test/t_setreuid.c + will test to see if your implementation of setreuid(2) + is appropriately functional. + The FallBackMX (option V) handling failed to properly identify + fallback to yourself -- most of the code was there, + but it wasn't being enabled. Problem noted by Murray + Kucherawy of the University of Waterloo. + Change :include: open timeout from ETIMEDOUT to an internal + code EOPENTIMEOUT; this avoids adding "during SmtpPhase + with CurHostName" in error messages, which can be + confusing. Reported by Jonathan Kamens of OpenVision + Technologies. + Back out setpgrp (setpgid on POSIX systems) call to reset the + process group id. The original fix was to get around + some problems with recalcitrant MUAs, but it breaks + any call from a shell that creates a process group id + different from the process id. I could try to fix + this by diddling the tty owner (using tcsetpgrp or + equivalent) but this is too likely to break other + things. + Portability changes: + Support -M as equivalent to -oM on Ultrix -- apparently + DECnet calls sendmail with -MrDECnet -Ms<HOST> -bs + instead of using standard flags. Oh joy. This + behavior reported by Jon Giltner of University + of Colorado. + SGI IRIX -- this includes several changes that should + help other strict ANSI compilers. + SCO Unix -- from Murray Kucherawy of HookUp Communication + Corporation. + Solaris running the Sun C compiler (which despite the + documentation apparently doesn't define + __STDC__ by default). + ConvexOS from Eric Schnoebelen of Convex. + Sony NEWS workstations and Omron LUNA workstations from + Motonori Nakamura. + CONFIG: add confTRY_NULL_MX_LIST to set option `w'. + CONFIG: delete `C' and `e' from default SMTP mailers flags; + several people have made a good argument that this + creates more problems than it solves (although this + may prove painful in the short run). + CONFIG: generalize all the relays to accept a "mailer:host" + format. + CONFIG: move local processing in ruleset 0 into a new ruleset + 98 (8 on old sendmail). Domain literal [a.b.c.d] + addresses are also passed through this ruleset. + CONFIG: if neither SMART_HOST nor MAILER(smtp) were defined, + internet-style addresses would "fall off the end" of + ruleset zero and be interpreted as local -- however, + the angle brackets confused the recursive call. + These are now diagnosed as "Unrecognized host name". + CONFIG: USENET rules weren't included in S0 because of a mistaken + ifdef(`_MAILER_USENET_') instead of + ifdef(`_MAILER_usenet_'). Problem found by Rein Tollevik + of SINTEF RUNIT, Oslo. + CONFIG: move up LOCAL_RULE_0 processing so that it happens very + early in ruleset 0; this allows .mc authors to bypass + things like the "short circuit" code for local addresses. + Prompted by a comment by Bill Wisner of The Well. + CONFIG: add confSMTP_MAILER to define the mailer used (smtp or + esmtp) to send SMTP mail. This allows you to default + to esmtp but use a mailertable or other override to + deal with broken servers. This logic was pointed out + to me by Bill Wisner. Ditto for confLOCAL_MAILER. + Changes to cf/sh/makeinfo.sh to make it portable to SVR4 + environments. Ugly as sin. + +8.3/8.3 1993/07/13 + Fix setuid problems introduced in 8.2 that caused messages + like "Cannot create qfXXXXXX: Invalid argument" + or "Cannot reopen dfXXXXXX: Permission denied". This + involved a new compile flag "HASSETEUID" that takes + the place of the old _POSIX_SAVED_IDS -- it turns out + that the POSIX interface is broken enough to break + some systems badly. This includes some fixes for + HP-UX. Also fixes problems where the real uid is + not reset properly on startup (from Neil Rickert). + Fix a problem that caused timed out messages to not report the + addresses that timed out. Error messages are also more + "user friendly". + Drop required bandwidth on connections from 64 bytes/sec to + 16 bytes/sec. + Further Solaris portability changes -- doesn't require the BSD + compatibility library. This also adds a new + "HASGETDTABLESIZE" compile flag which can be used if + you want to use getdtablesize(2) instead of sysconf(2). + These are loosely based on changes from David Meyer at + University of Oregon. This now seems to work, at least + for quick test cases. + Fix a problem that can cause duplicate error messages to be + sent if you are in SMTP, you send to multiple addresses, + and at least one of those addresses is good and points + to an account that has a .forward file (whew!). + Fix a problem causing messages to be discarded if checkcompat() + returned EX_TEMPFAIL (because it didn't properly mark + the "to" address). Problem noted by John Myers. + Fix dfopen to return NULL if the open failed; I was depending + on fdopen(-1) returning NULL, which isn't the case. This + isn't serious, but does result in weird error diagnoses. + From Michael Corrigan. + CONFIG: add UUCP_MAX_SIZE M4 macro to set the maximum size of + messages sent through UUCP-family mailers. Suggested + by Bill Wisner of The Well. + CONFIG: if both MAILER(uucp) and MAILER(smtp) are specified, + include a "uucp-dom" mailer that uses domain-style + addressing. Suggested by Bill Wisner. + CONFIG: Add LOCAL_SHELL_FLAGS and LOCAL_SHELL_ARGS to match + LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS. Suggested by + Christophe Wolfhugel. + CONFIG: Add OSTYPE(aix3). From Christophe Wolfhugel. + +8.2/8.2 1993/07/11 + Don't drop out on config file parse errors in -bt mode. + On older configuration files, assume option "l" (use Errors-To + header) for back compatibility. NOTE: this DOES NOT + imply an endorsement of the Errors-To: header in any way. + Accept -x flag on AIX-3 as well as OSF/1. Why, why, why??? + Don't log errors on EHLO -- it isn't a "real" error for an old + SMTP server to give an error on this command, and + logging it in the transcript can be confusing. Fix + from Bill Wisner. + IRIX compatibility changes provided by Dan Rich + <drich@sandman.lerc.nasa.gov>. + Solaris 2 compatibility changes. Provided by Bob Cunningham + <bob@kahala.soest.hawaii.edu>, John Oleynick + <juo@klinzhai.rutgers.edu> + Debugging: -d17 was overloaded (hostsignature and usersmtp.c); + move usersmtp (smtpinit and smtpmailfrom) to -d18 to + match the other flags in that file. + Flush transcript before fork in mailfile(). From Eric Wassenaar. + Save h_errno in mci struct and improve error message display. + Changes from Eric Wassenaar. + Open /dev/null for the transcript if the create of the xf file + failed; this avoids at least one possible null pointer + reference in very weird cases. From Eric Wassenaar. + Clean up statistics gathering; it was over-reporting because of + forks. From Eric Wassenaar. + Fix problem that causes old Return-Path: line to override new + Return-Path: line (conf.c needs H_FORCE to avoid + re-using old value). From Motonori Nakamura. + Fix broken -m flag in K definition -- even if -m (match only) + was specified, it would still replace the key with the + value. Noted by Rick McCarty of Texas Instruments. + If the name server timed out over several days, no "timed out" + message would ever be sent back. The timeout code + has been moved from markfailure() to dropenvelope() + so that all such failures should be diagnosed. Pointed + out by Christophe Wolfhugel and others. + Relax safefile() constraints: directories in an include or + forward path must be readable by self if the controlling + user owns the entry, readable by all otherwise (e.g., + when reading your .forward file, you have to own and + have X permission in it; everyone needs X permission in + the root and directories leading up to your home); + include files must be readable by anyone, but need not + be owned by you. + If _POSIX_SAVED_IDS is defined, setuid to the owner before + reading a .forward file; this gets around some problems + on NFS mounts if root permission is not exported and + the user's home directory isn't x'able. + Additional NeXT portability enhancements from Axel Zinser. + Additional HP-UX portability enhancements from Brian Bullen. + Add a timeout around SMTP message writes; this assumes you can + get throughput of at least 64 bytes/second. Note that + this does not impact the "datafinal" default, which + is separate; this is just intended to work around + network clogs that will occur before the final dot + is sent. From Eric Wassenaar. + Change map code to set the "include null" flag adaptively -- + it initially tries both, but if it finds anything + matching without a null it never tries again with a + null and vice versa. If -N is specified, it never + tries without the null and creates new maps with a + null byte. If -O is specified, it never tries with + the null (for efficiency). If -N and -O are specified, + you get -NO (get it?) lookup at all, so this would + be a bad idea. If you don't specify either -N or -O, + it adapts. + Fix recognition of "same from address" so that MH submissions + will insert the appropriate full name information; + this used to work and got broken somewhere along the + way. + Some changes to eliminate some unnecessary SYSERRs in the + log. For example, if you lost a connection, don't + bother reporting that fact on the connection you lost. + Add some "extended debugging" flags to try to track down + why we get occasional problems with file descriptor + one being closed when execing a mailer; it seems to + only happen when there has been another error in the + same transaction. This requires XDEBUG, defined + by default in conf.h. + Add "-X filename" command line flag, which logs both sides of + all SMTP transactions. This is intended ONLY for + debugging bad implementations of other mailers; start + it up, send a message from a mailer that is failing, + and then kill it off and examine the indicated log. + This output is not intended to be particularly human + readable. This also adds the HASSETVBUF compile + flag, defaulted on if your compiler defines __STDC__. + CONFIG: change SMART_HOST to override an SMTP mailer. If you + have a local net that should get direct connects, you + will need to use LOCAL_NET_CONFIG to catch these hosts. + See cf/README for an example. + CONFIG: add LOCAL_MAILER_ARGS (default: `mail -d $u') to handle + sites that don't use the -d flag. + CONFIG: hide recipient addresses as well as sender addresses + behind $M if FEATURE(allmasquerade) is specified; this + has been requested by several people, but can break + local aliases. For example, if you mail to "localalias" + this will be rewritten as "localalias@masqueradehost"; + although initial delivery will work, replies will be + broken. Use it sparingly. + CONFIG: add FEATURE(domaintable). This maps unqualified domains + to qualified domains in headers. I believe this is + largely equivalent to the IDA feature of the same name. + CONFIG: use $U as UUCP name instead of $k. This permits you + to override the "system name" as your UUCP name -- + in particular, to use domain-ized UUCP names. From + Bill Wisner of The Well. + CONFIG: create new mailer "esmtp" that always tries EHLO + first. This is currently unused in the config files, + but could be used in a mailertable entry. + +8.1C/8.1B 1993/06/27 + Serious security bug fix: it was possible to read any file on + the system, regardless of ownership and permissions. + If a subroutine returns a fully qualified address, return it + immediately instead of feeding it back into rewriting. + This fixes a problem with mailertable lookups. + CONFIG: fix some M4 frotz (concat => CONCAT) + +8.1B/8.1A 1993/06/12 + Serious bug fix: pattern matching backup algorithm stepped by + two tokens in classes instead of one. Found by Claus + Assmann at University of Kiel, Germany. + +8.1A/8.1A 1993/06/08 + Another mailertable fix.... + +8.1/8.1 1993/06/07 + 4.4BSD freeze. No semantic changes. |
