SENDMAIL RELEASE NOTES This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release. 8.18.1/8.18.1 2024/01/31 sendmail is now stricter in following the RFCs and rejects some invalid input with respect to line endings and pipelining: - Prevent transaction stuffing by ensuring SMTP clients wait for the HELO/EHLO and DATA response before sending further SMTP commands. This can be disabled using the new srv_features option 'F'. Issue reported by Yepeng Pan and Christian Rossow from CISPA Helmholtz Center for Information Security. - Accept only CRLF . CRLF as end of an SMTP message as required by the RFCs, which can disabled by the new srv_features option 'O'. - Do not accept a CR or LF except in the combination CRLF (as required by the RFCs). These checks can be disabled by the new srv_features options 'U' and 'G', respectively. In this case it is suggested to use 'u2' and 'g2' instead so the server replaces offending bare CR or bare LF with a space. It is recommended to only turn these protections off for trusted networks due to the potential for abuse. Full DANE support is available if OpenSSL versions 1.1.1 or 3.x are used, i.e., TLSA RR 2-x-y and 3-x-y are supported as required by RFC 7672. OpenSSL version 3.0.x is supported. Note: OpenSSL 3 loads by default an openssl.cnf file from a location specified in the library which may cause unwanted behaviour in sendmail. Hence sendmail sets the environment variable OPENSSL_CONF to /etc/mail/sendmail.ossl to override the default. The file name can be changed by defining confOPENSSL_CNF in the mc file; using an empty value prevents setting OPENSSL_CONF. Note: referring to a file which does not exist does not cause an an error. Two new values have been added for {verify}: "DANE_TEMP": DANE verification failed temporarily. "DANE_NOTLS": DANE was required but STARTTLS was not offered by the server. The default rules return a temporary error for these cases, so delivery is not attempted. If the TLS setup code in the client fails and DANE requirements exist then {verify} will be set to "DANE_TEMP" thus preventing delivery by default. DANE related logging has been slightly changed for clarification: "DANE configured in DNS but no STARTTLS available" changed to "DANE configured in DNS but STARTTLS not offered" When the compile time option USE_EAI is enabled, vacation could fail to respond when it should (the code change in 8.17.2 was incomplete). Problem reported by Alex Hautequest. If SMTPUTF8 BODY=7BIT are used as parameters for the MAIL command the parsing of UTF8 addresses could fail (USE_EAI). If a reply to a previous RCPT was received while sending another RCPT in pipelining mode then parts of the reply could have been assigned to the wrong RCPT. New DontBlameSendmail option CertOwner to relax requirement for certificate public and private key ownership. Based on suggestion from Marius Strobl of the FreeBSD project. clt_features was not checked for connections via Unix domain sockets. CONFIG: FEATURE(`enhdnsbl') did not handle multiple replies from DNS lookups thus potentially causing random "false negatives". Note: the fix creates an incompatibility: the arguments must not have a trailing dot anymore because the -a. option has been removed (as it only applies to the entire result, not individual values). CONFIG: New FEATURE(`fips3') for basic FIPS support in OpenSSL 3. VACATION: Add support for Return-Path header to set sender to match OpenBSD and NetBSD functionality. VACATION: Honor RFC3834 and avoid an auto-reply if 'Auto-Submitted: no' is found in the headers to match OpenBSD and NetBSD functionality. VACATION: Avoid an auto-reply if a 'List-Id:' is found in the headers to match OpenBSD functionality. VACATION: Add support for $SUBJECT in .vacation.msg which is replaced with the first line of the subject of the original message to match OpenBSD and NetBSD functionality. Portability: Add support for Darwin 23. New Files: cf/feature/fips3.m4 devtools/OS/Darwin.23.x 8.17.2/8.17.2 2023/06/03 Make sure DANE checks (if enabled) are performed even if CACertPath or CACertFile are not set or unusable. Note: if the code to set up TLS in the client fails, then {verify} will be set to TEMP but DANE requirements will be ignored, i.e., by default mail will be sent without STARTTLS. This can be changed via a LOCAL_TLS_SERVER ruleset. Pass server name to clt_features ruleset instead of client name to account for limitations in macro availability described below in CONFIG section. This may break custom clt_features rulesets which expect to receive the client name as input. Fix a regression introduced in 8.17.1: aliases file which contain continuation lines caused parsing errors. Add an FFR (for future release) compile time option _FFR_LOG_STAGE to log the protocol stage as stage= for some errors during delivery attempts to make troubleshooting simpler. This new logging may be enabled in a future release. When EAI is enabled, milters also got the arguments of MAIL/RCPT commands in argv[0] for xxfi_envfrom()/xxfi_envrcpt() callbacks instead of just the mail address. Problem reported by Dilyan Palauzo. When EAI is enabled, mailq prints UTF-8 addresses as such if SMTPUTF8 was used. When EAI is enabled, the $h macro is now in the correct format. Previously this could cause wrong values for relay= in log entries and the mailer argument vector. When the compile time option USE_EAI is enabled, vacation could fail to respond when it should. Problem reported by Alex Hautequest. When EAI was enabled, header truncation might not have been logged even when it happened. Problem reported by Werner Wiethege. Handle a possible change in an upcoming release of Cyrus-SASL (2.1.28) by changing the definition of an internal flag. Patch from Dilyan Palauzo. Avoid an assertion failure when an smtps connection is made to the server and a milter is unavailable. Problem reported by Dilyan Palauzo. Fixed some spelling errors in documentation and comments, based on a codespell report by Jens Schleusener of fossies.org. The result of try_tls is now logged using status= instead of reject=. If tls_rcpt rejected the delivery of a recipient then a bogus dsn= entry might have been logged under some circumstances. If a server replied with 421 to a RCPT command then a bogus reply= might have been logged. When quoting the value for ${currHeader} avoid causing a syntax error (Unbalanced '"') when truncating a header value which is too long. Problem reported by Werner Wiethege. Reduce the performance impact of a change introduced in 8.12.9: the default for MaxMimeHeaderLength was set to 2048/1024. Problem reported by Tabata Shintaro of Internet Initiative Japan Inc. CONFIG: The default clt_features ruleset tried to access ${server_name} and ${server_addr} which are not set when the ruleset is invoked. Only the server name is available which is passed as an argument. CONFIG: Properly quote host variable to prevent cf build breakage when a hostname contains 'dnl'. Problem reported by Maxim Shalomikhin of Kaspersky. DEVTOOLS: Add configure.sh support for BSD's mandoc as an alternative man page formatting tool. DOC: Document that USAGE is a possible value for {verify}. LIBMILTER: The macros for the EOH and EOM callbacks are sent in reverse order which means accessing macros in the EOM callback got the macro for the EOH callback. Store those macros in the expected order in libmilter. Note: this does not affect sendmail because the macros for both callbacks are the same because the message is sent to libmilter after it is completely read by sendmail. Fix and problem report from David Buergin. Portability: Make use of IN_LOOPBACK, if defined, to determine if using a loopback address. Patch from Mike Karels of FreeBSD. On Linux use gethostbyname2(3) if glibc 2.19 or newer is used to avoid potential problems with IPv6 lookups. Patch from Werner Wiethege. Add support for Darwin 21 and Darwin 22. Solaris 12 has been renamed to Solaris 11.4, hence adapt a condition for sigwait(2) taking one argument. Patch from John Beck. New Files: devtools/M4/UNIX/sharedlib.m4 devtools/OS/Darwin.21.x devtools/OS/Darwin.22.x sendmail/sched.c libsm/notify.h 8.17.1/8.17.1 2021/08/17 Deprecation notice: due to compatibility problems with some third party code, we plan to finally switch from K&R to ANSI C. If you are using sendmail on a system which does not have a compiler for ANSI C contact us with details as soon as possible so we can determine how to proceed. Experimental support for SMTPUTF8 (EAI, see RFC 6530-6533) is available when using the compile time option USE_EAI (see also devtools/Site/site.config.m4.sample for other required settings) and the cf option SMTPUTF8. If a mail submission via the command line requires the use of SMTPUTF8, e.g., because a header uses UTF-8 encoding, but the addresses on the command line are all ASCII, then the new option -U must be used, and the cf option SMTPUTF8 must be set in submit.cf. Please test and provide feedback. Experimental support for SMTP MTA Strict Transport Security (MTA-STS, see RFC 8461) is available when using - the compile time option _FFR_MTA_STS (which requires STARTTLS, MAP_REGEX, SOCKETMAP, and _FFR_TLS_ALTNAMES), - FEATURE(sts), which implicitly sets the cf option StrictTransportSecurity, - postfix-mta-sts-resolver, see https://github.com/Snawoot/postfix-mta-sts-resolver.git New ruleset check_other which is called for all unknown SMTP commands in the server and for commands which do not have specific rulesets, e.g., NOOP and VERB. New ruleset clt_features which can be used to select features in the SMTP client per server. Currently only two flags are available: D/M to disable DANE/MTA-STS, respectively. New compile time option NO_EOH_FIELDS to disable the special meaning of the headers Message: and Text: to denote the end of the message header. Avoid leaking session macros for an envelope between delivery attempts to different servers. This problem could have affected check_compat. Avoid leaking actual SMTP replies between delivery attempts to different servers which could cause bogus logging of reply= entries. Change default SMTP reply code for STARTTLS related problems from 403 to 454 to better match the RFCs. Fix a theoretical buffer overflow when encountering an unknown/unsupported socket address family on an operating system where sa_data is larger than 30 (the standard is 14). Based on patch by Toomas Soome. Several potential memory leaks and other similar problems (mostly in error handling code) have been fixed. Problems reported by Tomas Korbar of RedHat. Previously the commands GET, POST, CONNECT, or USER terminate a connection immediately only if sent as first command. Now this is also done if any of these is sent directly after STARTTLS or if the 'h' option is set via srv_features. CDB map locking has been changed so a sendmail process which does have a CDB map open does not block an in-place update of the map by makemap. The simple workaround for that problem in earlier versions is to create the map under a different name and then move it into place. On some systems the rejection of a RCPT by a milter could silently fail. CONFIG: New FEATURE(`check_other') to provide a default check_other ruleset. CONFIG: FEATURE(`tls_failures') is deprecated and will be removed in future versions because it has a fundamental problem: it is message oriented but STARTTLS is session oriented. For example, having multiple RCPTs in one envelope for different destinations, with different temporary errors, does not work properly, as the persistent macro applies to all RCPTs and hence implicitly to all destinations (servers). The option TLSFallbacktoClear should be used if needed. CONTRIB: AuthRealm.p0 has been modified for 8.16.1 by Anne Bennett. CONTRIB: Added cidrexpand -O option for suppressing duplicates from a CIDR expansion that overlaps a later entry and -S option for skipping comments exactly like makemap does. MAIL.LOCAL: Enhance some error messages to simplify troubleshooting. Portability: Add support for Darwin 19 & 20. Use proper FreeBSD version define to allow for cross compiling. Fix from Brooks Davis of the FreeBSD project. NOTE: File locking using fcntl() does not interoperate with Berkeley DB 5.x (and probably later). Use CDB, flock() (-DHASFLOCK), or an earlier Berkeley DB version. Problem noted by Harald Hannelius. New Files: cf/feature/check_other.m4 cf/feature/sts.m4 devtools/OS/Darwin.19.x devtools/OS/Darwin.20.x include/sm/ixlen.h libsm/ilenx.c libsm/lowercase.c libsm/strcaseeq.c libsm/t-ixlen.c libsm/t-ixlen.sh libsm/t-streq.c libsm/t-streq.sh libsm/utf8_valid.c libsm/uxtext_unquote.c libsm/xleni.c libsmutil/t-lockfile.c libsmutil/t-lockfile-0.sh libsmutil/t-maplock-0.sh 8.16.1/8.16.1 2020/07/05 SECURITY: If sendmail tried to reuse an SMTP session which had already been closed by the server, then the connection cache could have invalid information about the session. One possible consequence was that STARTTLS was not used even if offered. This problem has been fixed by clearing out all relevant status information when a closed session is encountered. OpenSSL versions before 0.9.8 are no longer supported. OpenSSL version 1.1.0 and 1.1.1 are supported. Initial support for DANE (see RFC 7672 et.al.) is available if the compile time option DANE is set. Only TLSA RR 3-1-x is currently implemented. New options SSLEngine and SSLEnginePath to support OpenSSL engines. Note: this feature has so far only been tested with the "chil" engine; please report problems with other engines if you encounter any. New option CRLPath to specify a directory which contains hashes pointing to certificate revocations files. Based on patch from Al Smith. New rulesets tls_srv_features and tls_clt_features which can return a (semicolon separated) list of TLS related options, e.g., CipherList, CertFile, KeyFile, see doc/op/op.me for details. To automatically handle TLS interoperability problems for outgoing mail, sendmail can now immediately try a connection again without STARTTLS after a TLS handshake failure. This can be configured globally via the option TLSFallbacktoClear or per session via the 'C' flag of tls_clt_features. This also adds the new value "CLEAR" for the macro {verify}: STARTTLS has been disabled internally for a clear text delivery attempt. Apply Timeout.starttls also to the server waiting for the TLS handshake to begin. Based on patch from Simon Hradecky. New compile time option TLS_EC to enable the use of elliptic curve cryptography in STARTTLS (previously available as _FFR_TLS_EC). Handle MIME boundaries specified in headers which contain CRLF. Fix detection of loopback net (it was broken when compiled with NETINET6) and only set the macros {if_addr_out} and {if_family_out} if the interface of the outgoing connection does not belong to the loopback net. Fix logic to enable a milter to delete a recipient in DeliveryMode=interactive even if it might be subject to alias expansion. Log name of a milter making changes (this was missing for some functions). Log the actual reply of a server when an SMTP delivery problem occurs in a "reply=" field if possible. Log user= for failed AUTH attempts if possible. Based on patch from Packet Hack, Jim Hranicky, Kevin A. McGrail, and Joe Quinn. Add CDB as map type. Note: CDB is a "Constant DataBase", i.e., no changes can be made after it is created, hence it does not work with vacation(1) nor editmap(8) (except for query mode). Fix some memory leaks (mostly in error cases) and properly handle copied varargs in sm_io_vfprintf(). The issues were found using Coverity Scan and reported (including patches) by OndÅ™ej LysonÄ›k of Red Hat. Do not override ServerSSLOptions and ClientSSLOptions when they are specified on the command line. Based on patch from Hiroki Sato. Add RFC7505 Null MX support for domains that declare they do not accept mail. New compile time option LDAP_NETWORK_TIMEOUT which is set automatically when LDAPMAP is used and LDAP_OPT_NETWORK_TIMEOUT is available to enable the new -c option for LDAP maps to specify the network timeout. CONFIG: New FEATURE(`tls_session_features') to enable standard rules for tls_srv_features and tls_clt_features; for details see cf/README. CONFIG: New options confSSL_ENGINE and confSSL_ENGINE_PATH for SSLEngine and SSLEnginePath, respectively. CONFIG: New options confDANE to enable DANE support. CONFIG: New option confTLS_FALLBACK_TO_CLEAR for TLSFallbacktoClear. CONFIG: New extension CITag: for TLS restrictions, see cf/README for details. CONFIG: FEATURE(`blacklist_recipients') renamed to FEATURE(`blocklist_recipients'). CONTRIB: cidrexpand updated to support IPv6 CIDR ranges and to canonicalize IPv6 addresses; if cidrexpand is used with IPv6 addresses then UseCompressedIPv6Addresses must be disabled. DOC: The dns map can return multiple values in a single result if the -z option is used. DOC: Note to set MustQuoteChars=. due to DKIM signatures. LIBMILTER: Fix typo in a macro. Patch from Ignacio Goyret of Alcatel-Lucent. LIBMILTER: Fix reference in xxfi_negotiate documentation. Patch from Sven Neuhaus. LIBMILTER: Fix function name in smfi_addrcpt_par documentation. Patch from G.W. Haywood. LIBMILTER: Fix a potential memory leak in smfi_setsymlist(). Patch from Martin Svec. MAKEMAP: New map type "implicit" refers to the first available type, i.e., it depends on the compile time options NEWDB, DBM, and CDB. This can be used in conjunction with the "implicit" map type in sendmail.cf. Note: makemap, libsmdb, and sendmail must be compiled with the same options (and library versions of course). Portability: Add support for Darwin 14-18 (Mac OS X 10.x). New option HAS_GETHOSTBYNAME2: set if your system supports gethostbyname2(2). Set SM_CONF_SEM=2 for FreeBSD 12 and later due to changes in sys/sem.h On Linux set MAXHOSTNAMELEN (the maximum length of a FQHN) to 256 if it is less than that value. New Files: cf/feature/blocklist_recipients.m4 cf/feature/check_cert_altnames.m4 cf/feature/tls_failures.m4 devtools/OS/Darwin.14.x devtools/OS/Darwin.15.x devtools/OS/Darwin.16.x devtools/OS/Darwin.17.x devtools/OS/Darwin.18.x include/sm/notify.h libsm/notify.c libsm/t-notify.c libsmdb/smcdb.c sendmail/ratectrl.h sendmail/tls.h sendmail/tlsh.c 8.15.2/8.15.2 2015/07/03 If FEATURE(`nopercenthack') is used then some bogus input triggered a recursion which was caught and logged as SYSERR: rewrite: excessive recursion (max 50) ... Fix based on patch from Ondrej Holas. DHParameters now by default uses an included 2048 bit prime. The value 'none' previously caused a log entry claiming there was an error "cannot read or set DH parameters". Also note that this option applies to the server side only. The U= mailer field didn't accept group names containing hyphens, underbars, or periods. Based on patch from David Gwynne of the University of Queensland. CONFIG: Allow connections from IPv6:0:0:0:0:0:0:0:1 to relay again. Patch from Lars-Johan Liman of Netnod Internet Exchange. CONFIG: New option UseCompressedIPv6Addresses to select between compressed and uncompressed IPv6 addresses. The default value depends on the compile-time option IPV6_FULL: For 1 the default is False, for 0 it is True, thus preserving the current behaviour. Based on patch from John Beck of Oracle. CONFIG: Account for IPv6 localhost addresses in FEATURE(`block_bad_helo'). Suggested by Andrey Chernov from FreeBSD and Robert Scheck from the Fedora Project. CONFIG: Account for IPv6 localhost addresses in check_mail ruleset. LIBMILTER: Deal with more invalid protocol data to avoid potential crashes. Problem noted by Dimitri Kirchner. LIBMILTER: Allow a milter to specify an empty macro list ("", not NULL) in smfi_setsymlist() so no macro is sent for the selected stage. MAKEMAP: A change to check TrustedUser in fewer cases which was made in 2013 caused a potential regression when makemap was run as root (which should not be done anyway). Note: sendmail often contains options "For Future Releases" (prefix _FFR_) which might be enabled in a subsequent version or might simply be removed as they turned out not to be really useful. These features are usually not documented but if they are, then the required (FFR) options are listed in - doc/op/op.* for rulesets and macros, - cf/README for mc/cf options. 8.15.1/8.15.1 2014/12/06 SECURITY: Properly set the close-on-exec flag for file descriptors (except stdin, stdout, and stderr) before executing mailers. If header rewriting fails due to a temporary map lookup failure, queue the mail for later retry instead of sending it without rewriting the header. Note: this is done while the mail is being sent and hence the transaction is aborted, which only works for SMTP/LMTP mailers hence the handling of temporary map failures is suppressed for other mailers. SMTP/LMTP servers may complain about aborted transactions when this problem occurs. See also "DNS Lookups" in sendmail/TUNING. Incompatible Change: Use uncompressed IPv6 addresses by default, i.e., they will not contain "::". For example, instead of ::1 it will be 0:0:0:0:0:0:0:1. This permits a zero subnet to have a more specific match, such as different map entries for IPv6:0:0 vs IPv6:0. This change requires that configuration data (including maps, files, classes, custom ruleset, etc) must use the same format, so make certain such configuration data is updated before using 8.15. As a very simple check search for patterns like 'IPv6:[0-9a-fA-F:]*::' and 'IPv6::'. If necessary, the prior format can be retained by compiling with: APPENDDEF(`conf_sendmail_ENVDEF', `-DIPV6_FULL=0') in your devtools/Site/site.config.m4 file. If debugging is turned on (-d0.14) also print the OpenSSL versions, both build time and run time (provided STARTTLS is compiled in). If a connection to the MTA is dropped by the client before its hostname can be validated, treat it as "may be forged", so that the unvalidated hostname is not passed to a milter in xxfi_connect(). Add a timeout for communication with socket map servers which can be specified using the -d option. Add a compile time option HESIOD_ALLOW_NUMERIC_LOGIN to allow numeric logins even if HESIOD is enabled. The new option CertFingerprintAlgorithm specifies the finger- print algorithm (digest) to use for the presented cert. If the option is not set, md5 is used and the macro {cert_md5} contains the cert fingerprint. However, if the option is set, the specified algorithm (e.g., sha1) is used and the macro {cert_fp} contains the cert fingerprint. That is, as long as the option is not set, the behaviour does not change, but otherwise, {cert_md5} is superseded by {cert_fp} even if you set CertFingerprintAlgorithm to md5. The options ServerSSLOptions and ClientSSLOptions can be used to set SSL options for the server and client side respectively. See SSL_CTX_set_options(3) for a list. Note: this change turns on SSL_OP_NO_SSLv2 and SSL_OP_NO_TICKET for the client. See doc/op/op.me for details. The option CipherList sets the list of ciphers for STARTTLS. See ciphers(1) for possible values. Do not log "STARTTLS: internal error: tls_verify_cb: ssl == NULL" if a CRLFile is in use (and LogLevel is 14 or higher.) Store a more specific TLS protocol version in ${tls_version} instead of a generic one, e.g., TLSv1 instead of TLSv1/SSLv3. Properly set {client_port} value on little endian machines. Patch from Kelsey Cummings of Sonic.net. Per RFC 3848, indicate in the Received: header whether SSL or SMTP AUTH was negotiated by setting the protocol clause to ESMTPS, ESMTPA, or ESMTPSA instead of ESMTP. If the 'C' flag is listed as TLSSrvOptions the requirement for the TLS server to have a cert is removed. This only works under very specific circumstances and should only be used if the consequences are understood, e.g., clients may not work with a server using this. The options ClientCertFile, ClientKeyFile, ServerCertFile, and ServerKeyFile can take a second file name, which must be separated from the first with a comma (note: do not use any spaces) to set up a second cert/key pair. This can be used to have certs of different types, e.g., RSA and DSA. A new map type "arpa" is available to reverse an IP (IPv4 or IPv6) address. It returns the string for the PTR lookup, but without trailing {ip6,in-addr}.arpa. New operation mode 'C' just checks the configuration file, e.g., sendmail -C new.cf -bC will perform a basic syntax/consistency check of new.cf. The mailer flag 'I' is deprecated and will be removed in a future version. Allow local (not just TCP) socket connections to the server, e.g., O DaemonPortOptions=Family=local, Addr=/var/mta/server.sock can be used. If the new option MaxQueueAge is set to a value greater than zero, entries in the queue will be retried during a queue run only if the individual retry time has been reached which is doubled for each attempt. The maximum retry time is limited by the specified value. New DontBlameSendmail option GroupReadableDefaultAuthInfoFile to relax requirement for DefaultAuthInfo file. Reset timeout after receiving a message to appropriate value if STARTTLS is in use. Based on patch by Kelsey Cummings of Sonic.net. Report correct error messages from the LDAP library for a range of small negative return values covering those used by OpenLDAP. Fix compilation with Berkeley DB 5.0 and 6.0. Patch from Allan E Johannesen of Worcester Polytechnic Institute. CONFIG: FEATURE(`nopercenthack') takes one parameter: reject or nospecial which describes whether to disallow "%" in the local part of an address. DEVTOOLS: Fix regression in auto-detection of libraries when only shared libraries are available. Problem reported by Bryan Costales. LIBMILTER: Mark communication socket as close-on-exec in case a user's filter starts other applications. Based on patch from Paul Howarth. Portability: SunOS 5.12 has changed the API for sigwait(2) to conform with XPG7. Based on patch from Roger Faulkner of Oracle. Deleted Files: libsm/path.c 8.14.9/8.14.9 2014/05/21 SECURITY: Properly set the close-on-exec flag for file descriptors (except stdin, stdout, and stderr) before executing mailers. Fix a misformed comment in conf.c: "/*" within comment which may cause a compilation error on some systems. Problem reported by John Beck of Oracle. DEVTOOLS: Fix regression in auto-detection of libraries when only shared libraries are available. Problem reported by Bryan Costales. 8.14.8/8.14.8 2014/01/26 Properly initialize all OpenSSL algorithms for versions before OpenSSL 0.9.8o. Without this SHA2 algorithms may not work properly, causing for example failures for certs that use sha256WithRSAEncryption as signature algorithm. When looking up hostnames, ensure only to return those records for the requested family (AF_INET or AF_INET6). On system that have NEEDSGETIPNODE and NETINET6 this may have failed and cause delivery problems. Problem noted by Kees Cook. A new mailer flag '!' is available to suppress an MH hack that drops an explicit From: header if it is the same as what sendmail would generate. Add an FFR (for future release) to use uncompressed IPv6 addresses, i.e., they will not contain "::". For example, instead of ::1 it will be 0:0:0:0:0:0:0:1. This means that configuration data (including maps, files, classes, custom ruleset, etc) have to use the same format. This will be turned on in 8.15. It can be enabled in 8.14 by compiling with: APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_IPV6_FULL') in your devtools/Site/site.config.m4 file. Add an additional case for the WorkAroundBrokenAAAA check when dealing with broken nameservers by ignoring SERVFAIL errors returned on T_AAAA (IPv6) lookups at delivery time. Problem noted by Pavel Timofeev of OCS. If available, pass LOGIN_SETCPUMASK and LOGIN_SETLOGINCLASS to setusercontext() on deliveries as a different user. Patch from Edward Tomasz Napierala from FreeBSD. Avoid compiler warnings from a change in Cyrus-SASL 2.1.25. Patch from Hajimu UMEMOTO from FreeBSD. Add support for DHParameters 2048-bit primes. CONFIG: Accept IPv6 literals when evaluating the HELO/EHLO argument in FEATURE(`block_bad_helo'). Suggested by Andrey Chernov. LIBSMDB: Add a missing check for malloc() in libsmdb/smndbm.c. Patch from Bill Parker. LIBSMDB: Fix minor memory leaks in libsmdb/ if allocations fail. Patch from John Beck of Oracle. Portability: Add support for Darwin 12.x and 13.x (Mac OS X 10.8 and 10.9). On Linux use socklen_t as the type for the 3rd argument for getsockname/getpeername if the glibc version is at least 2.1. New Files: devtools/OS/Darwin.12.x devtools/OS/Darwin.13.x 8.14.7/8.14.7 2013/04/21 Drop support for IPv4-mapped IPv6 addresses to prevent the MTA from using a mapped address over a legitimate IPv6 address and to enforce the proper semantics over the IPv6 connection. Problem noted by Ulrich Sporlein. Fix a regression introduced in 8.14.6: the wrong list of macros was sent to a milter in the EHLO stage. Problem found by Fabrice Bellet, reported via RedHat (Jaroslav Skarvada). Fix handling of ORCPT parameter for DSNs: xtext decoding was not performed and a wrong syntax check was applied to the "addr-type" field. Problem noted by Dan Lukes of Obludarium. Fix handling of NUL characters in the MIME conversion functions so that message bodies containing them will be sent on properly. Note: this usually also affects mails that are not converted as those functions are used for other purposes too. Problem noted by Elchonon Edelson of Lockheed Martin. Do not perform "duplicate" elimination of recipients if they resolve to the error mailer using a temporary failure (4xy) via ruleset 0. Problem noted by Akira Takahashi of IIJ. CONTRIB: Updated version of etrn.pl script from John Beck of Oracle. Portability: Unlike gcc, clang doesn't apply full prototypes to K&R definitions. 8.14.6/8.14.6 2012/12/23 Fix a regression introduced in 8.14.5: if a server offers two AUTH lines, the MTA would not read them after STARTTLS has been used and hence SMTP AUTH for the client side would fail. Problem noted by Lena. Do not cache hostnames internally in a non case sensitive way as that may cause addresses to change from lower case to upper case or vice versa. These header modifications can cause problems with milters that rely on receiving headers in the same way as they are being sent out such as a DKIM signing milter. If MaxQueueChildren is set then it was possible that new queue runners could not be started anymore because an internal counter was subject to a race condition. If a milter decreases the timeout it waits for a communication with the MTA, the MTA might experience a write() timeout. In some situations, the resulting error might have been ignored. Problem noted by Werner Wiethege. Note: decreasing the communication timeout in a milter should not be done without considering the potential problems. smfi_setsymlist() now properly sets the list of macros for the milter which invoked it, instead of a global list for all milters. Problem reported by David Shrimpton of the University of Queensland. If Timeout.resolver.retrans is set to a value larger than 20, then resolver.retry was temporarily set to 0 for gethostbyaddr() lookups. Now it is set to 1 instead. Patch from Peter. If sendmail could not lock the statistics file due to a system error, and sendmail later sends a DSN for a mail that triggered such an error, then sendmail tried to access memory that was freed before (causing a crash on some systems). Problem reported by Ryan Stone. Do not log negative values for size= nor pri= to avoid confusing log parsers, instead limit the values to LONG_MAX. Account for an API change in newer versions of Cyrus-SASL. Patch from Hajimu UMEMOTO from FreeBSD. Do not try to resolve link-local addresses for IPv4 (just as it is done for IPv6). Patch from John Beck of Oracle. Improve logging of client and server STARTTLS connection failures that may be due to incompatible cipher lists by including the reason for the failure in a single log line. Suggested by James Carey of Boeing. Portability: Add support for Darwin 11.x (Mac OS X 10.7). Add support for SunOS 5.12 (aka Solaris 12). Patch from John Beck of Oracle. New Files: devtools/OS/Darwin.11.x devtools/OS/SunOS.5.12 8.14.5/8.14.5 2011/05/17 Do not cache SMTP extensions across connections as the cache is based on hostname which may not be a unique identifier for a server, i.e., different machines may have the same hostname but provide different SMTP extensions. Problem noted by Jim Hermann. Avoid an out-of-bounds access in case a resolver reply for a DNS map lookup returns a size larger than 1K. Based on a patch from Dr. Werner Fink of SuSE. If a job is aborted using the interrupt signal (e.g., control-C from the keyboard), perform minimal cleanup to avoid invoking functions that are not signal-safe. Note: in previous versions the mail might have been queued up already and would be delivered subsequently, now an interrupt will always remove the queue files and thus prevent delivery. Per RFC 6176, when operating as a TLS client, do not offer SSLv2. Since TLS session resumption is never used as a client, disable use of RFC 4507-style session tickets. Work around gcc4 versions which reverse 25 years of history and no longer align char buffers on the stack, breaking calls to resolver functions on strict alignment platforms. Found by Stuart Henderson of OpenBSD. Read at most two AUTH lines from a server greeting (up to two lines are read because servers may use "AUTH mechs" and "AUTH=mechs"). Otherwise a malicious server may exhaust the memory of the client. Bug report by Nils of MWR InfoSecurity. Avoid triggering an assertion in the OpenLDAP code when the connection to an LDAP server is lost while making a query. Problem noted and patch provided by Andy Fiddaman. If ConnectOnlyTo is set and sendmail is compiled with NETINET6 it would try to use an IPv6 address if an IPv4 (or unparseable) address is specified. If SASLv2 is used, make sure that the macro {auth_authen} is stored in xtext format to avoid problems with parsing it. Problem noted by Christophe Wolfhugel. CONFIG: FEATURE(`ldap_routing') in 8.14.4 tried to add a missing -T that is required, but failed for some cases that did not use LDAP. This change has been undone until a better solution can be implemented. Problem found by Andy Fiddaman. CONFIG: Add cf/ostype/solaris11.m4 for Solaris11 support. Contributed by Casper Dik of Oracle. CONTRIB: qtool.pl: Deal with H entries that do not have a letter between the question marks. Patch from Stefan Christensen. DOC: Use a better description for the -i option in sendmail. Patch from Mitchell Berger. Portability: Add support for Darwin 10.x (Mac OS X 10.6). Enable HAVE_NANOSLEEP for FreeBSD 3 and later. Patch from John Marshall. Enable HAVE_NANOSLEEP for OpenBSD 4.3 and later. Use new directory "/system/volatile" for PidFile on Solaris 11. Patch from Casper Dik of Oracle. Fix compilation on Solaris 11 (and maybe some other OSs) when using OpenSSL 1.0. Based on patch from Jan Pechanec of Oracle. Set SOCKADDR_LEN_T and SOCKOPT_LEN_T to socklen_t for Solaris 11. Patch from Roger Faulkner of Oracle. New Files: cf/ostype/solaris11.m4 8.14.4/8.14.4 2009/12/30 SECURITY: Handle bogus certificates containing NUL characters in CNs by placing a string indicating a bad certificate in the {cn_subject} or {cn_issuer} macro. Patch inspired by Matthias Andree's changes for fetchmail. During the generation of a queue identifier an integer overflow could occur which might result in bogus characters being used. Based on patch from John Vannoy of Pepperdine University. The value of headers, e.g., Precedence, Content-Type, et.al., was not processed correctly. Patch from Per Hedeland. Between 8.11.7 and 8.12.0 the length limitation on a return path was erroneously reduced from MAXNAME (256) to MAXSHORTSTR (203). Patch from John Gardiner Myers of Proofpoint; the problem was also noted by Steve Hubert of University of Washington. Prevent a crash when a hostname lookup returns a seemingly valid result which contains a NULL pointer (this seems to be happening on some Linux versions). The process title was missing the current load average when the MTA was delaying connections due to DelayLA. Patch from Dick St.Peters of NetHeaven. Do not reset the number of queue entries in shared memory if only some of them are processed. Fix overflow of an internal array when parsing some replies from a milter. Problem found by Scott Rotondo of Sun Microsystems. If STARTTLS is turned off in the server (via M=S) then it would not be initialized for use in the client either. Patch from Kazuteru Okahashi of IIJ. If a Diffie-Hellman cipher is selected for STARTTLS, the handshake could fail with some TLS implementations because the prime used by the server is not long enough. Note: the initialization of the DSA/DH parameters for the server can take a significant amount of time on slow machines. This can be turned off by setting DHParameters to none or a file (see doc/op/op.me). Patch from Petr Lampa of the Brno University of Technology. Fix handling of `b' modifier for DaemonPortOptions on little endian machines for loopback address. Patch from John Beck of Sun Microsystems. Fix a potential memory leak in libsmdb/smdb1.c found by parfait. Based on patch from Jonathan Gray of OpenBSD. If a milter sets the reply code to "421" during the transfer of the body, the SMTP server will terminate the SMTP session with that error to match the behavior of the other callbacks. Return EX_IOERR (instead of 0) if a mail submission fails due to missing disk space in the mail queue. Based on patch from Martin Poole of RedHat. CONFIG: Using FEATURE(`ldap_routing')'s `nodomain' argument would cause addresses not found in LDAP to be misparsed. CONFIG: Using a CN restriction did not work for TLS_Clt as it referred to a wrong macro. Patch from John Gardiner Myers of Proofpoint. CONFIG: The option relaytofulladdress of FEATURE(`access_db') did not work if FEATURE(`relay_hosts_only') is used too. Problem noted by Kristian Shaw. CONFIG: The internal function lower() was broken and hence strcasecmp() did not work either, which could cause problems for some FEATURE()s if upper case arguments were used. Patch from Vesa-Matti J Kari of the University of Helsinki. LIBMILTER: Fix internal check whether a milter application is compiled against the same version of libmilter as it is linked against (especially useful for dynamic libraries). LIBMILTER: Fix memory leak that occurred when smfi_setsymlist() was used. Based on patch by Dan Lukes. LIBMILTER: Document the effect of SMFIP_HDR_LEADSPC for filters which add, insert, or replace headers. From Benjamin Pineau. LIBMILTER: Fix error messages which refer to "select()" to be correct if SM_CONF_POLL is used. Based on patch from John Nemeth. LIBSM: Fix handling of LDAP search failures where the error is carried in the search result itself, such as seen with OpenLDAP proxy servers. VACATION: Do not refer to a local variable outside its scope. Based on patch from Mark Costlow of Southwest Cyberport. Portability: Enable HAVE_NANOSLEEP for SunOS 5.11. Patch from John Beck of Sun Microsystems. Drop NISPLUS from default SunOS 5.11 map definitions. Patch from John Beck of Sun Microsystems. 8.14.3/8.14.3 2008/05/03 During ruleset processing the generation of a key for a map lookup and the parsing of the default value was broken for some macros, e.g., $|, which caused the BlankSub character to be inserted into the workspace and thus failures, e.g., rules that should have matched did not. 8.14.2 caused a regression: it accessed (macro) storage which was freed before. First instance of the problem reported by Matthew Dillon of DragonFlyBSD; variations of the same bug reported by Todd C. Miller of OpenBSD, Moritz Jodeit, and Dave Hayes. Improve pathname length checks for persistent host status. Patch from Joerg Sonnenberger of DragonFlyBSD. Reword misleading SMTP reply text for FEATURE(`badmx'). Problem noted by Beth Halsema. The read timeout was fixed to be Timeout.datablock if STARTTLS was activated. This may cause problems if that value is lowered from its default. Problem noted by Jens Elkner. CONFIG: Using LOCAL_TLS_CLIENT caused the tls_client ruleset to operate incorrectly. Problem found by Werner Wiethege. LIBMILTER: Omitting some protocol steps via the xxfi_negotiate() callback did not work properly. The patchlevel of libmilter has been set to 1 so a milter can determine whether libmilter contains this fix. MAKEMAP: If a delimiter is specified (-t) use that also when dumping a map. Patch from Todd C. Miller of OpenBSD. Portability: Add support for Darwin 9.x (Mac OS X 10.5). Support shared libraries in Darwin 8 and 9. Patch from Chris Behrens of Concentric. Add support for SCO OpenServer 6, patch from Boyd Gerber. DEVTOOLS: Clarify that confSHAREDLIBDIR requires a trailing slash. New Files: devtools/OS/Darwin.9.x devtools/OS/OSR.i386 8.14.2/8.14.2 2007/11/01 If a message was queued and it contained 8 bit characters in a From: or To: header, then those characters could be "mistaken" for internal control characters during a queue run and trigger various consistency checks. Problem noted by Neil Rickert of Northern Illinois University. If MaxMimeHeaderLength is set to a value greater than 0 (which it is by default) then even if the Linelimit parameter is 0, sendmail corrupted in the non-transfer-encoding case every MAXLINE-1 characters. Patch from John Gardiner Myers of Proofpoint. Setting the suboption DeliveryMode for DaemonPortOptions did not work in earlier 8.14 versions. Note: DeliveryMode=interactive is silently converted to background if a milter can reject or delete a recipient. Prior to 8.14 this happened only if milter could delete recipients. ClientRate should trigger when the limit was exceeded (as documented), not when it was reached. Patch from John Beck of Sun Microsystems. Force a queue run for -qGqueuegroup even if no runners are specified (R=0) and forking (F=f) is requested. When multiple results are requested for a DNS map lookup (-z and -Z), return only those that are relevant for the query (not also those in the "additional section".) If the message transfer time to sendmail (when acting as server) exceeds Timeout.queuewarn or Timeout.queuereturn and the message is refused (by a milter), sendmail previously created a delivery status notification (DSN). Patch from Doug Heath of The Hertz Corporation. A code change in Cyrus-SASL 2.1.22 for sasl_decode64() requires the MTA to deal with some input (i.e., "=") itself. Problem noted by Eliot Lear. sendmail counted a delivery as successful if PIPELINING is compiled in but not offered by the server and the delivery failed temporarily. Patch from Werner Wiethege. If getting the result of an LDAP query times out then close the map so it will be reopened on the next lookup. This should help "failover" configurations that specify more than one LDAP server. If check_compat returns $#discard then a "savemail panic" could be triggered under some circumstances (e.g., requiring a system which does not have the compile time flag HASFLOCK set). Based on patch by Motonori Nakamura of National Institute of Informatics, Japan. If a milter rejected a recipient, the count for nrcpts= in the logfile entry might have been wrong. Problem found by Petra Humann of TU Dresden. If a milter invoked smfi_chgfrom() where ESMTP arguments are not NULL, the message body was lost. Patch from Motonori Nakamura of National Institute of Informatics, Japan. sendmail(8) had a bogus space in -qGname. Patch from Peng Haitao. CONTRIB: buildvirtuser: Preserve ownership and permissions when replacing files. CONTRIB: buildvirtuser: Skip dot-files (e.g., .cvsignore) when reading the /etc/mail/virtusers/ directory. CONTRIB: buildvirtuser: Emit warnings instead of exiting where appropriate. LIBMILTER: Fix ABI backwards compatibility so milters compiled against an older libmilter.so shared library can use an 8.14 libmilter.so shared library. LIBMILTER: smfi_version() did not properly extract the patchlevel from the version number, however, the returned value was correct for the current libmilter version. 8.14.1/8.14.1 2007/04/03 Even though a milter rejects a recipient the MTA will still keep it in its list of recipients and deliver to it if the transaction is accepted. This is a regression introduced in 8.14.0 due to the change for SMFIP_RCPT_REJ. Bug found by Andy Fiddaman. The new DaemonPortOptions which begin with a lower case character could not be set in 8.14.0. If a server shut down the connection in response to a STARTTLS command, sendmail would log a misleading error message due to an internal inconsistency. Problem found by Werner Wiethege. Document how some sendmail.cf options change the behavior of mailq. Noted by Paul Menchini of the North Carolina School of Science and Mathematics. CONFIG: Add confSOFT_BOUNCE m4 option for setting SoftBounce. CONFIG: 8.14.0's RELEASE_NOTES failed to mention the addition of the confMAX_NOOP_COMMANDS and confSHARED_MEMORY_KEY_FILE m4 options for setting MaxNOOPCommands and SharedMemoryKeyFile. CONFIG: Add confMILTER_MACROS_EOH and confMILTER_MACROS_DATA m4 options for setting Milter.macros.eoh and Milter.macros.data. CONTRIB: Use flock() and fcntl() in qtool.pl if necessary. Patch from Daniel Carroll of Mesa State College. LIBMILTER: Make sure an unknown command does not affect the currently available macros. Problem found by Andy Fiddaman. LIBMILTER: The MTA did not offer SMFIF_SETSYMLIST during option negotiation. Problem reported by Bryan Costales. LIBMILTER: Fix several minor errors in the documentation. Patches from Bryan Costales. PORTABILITY FIXES: AIX 5.{1,2}: libsm/util.c failed to compile due to redefinition of several macros, e.g., SIG_ERR. Patch from Jim Pirzyk with assistance by Bob Booth, University of Illinois at Urbana-Champaign. Add support for QNX.6. Patch from Sean Boudreau of QNX Software Systems. New Files: devtools/M4/depend/QNX6.m4 devtools/OS/QNX.6.x include/sm/os/sm_os_qnx.h New Files added in 8.14.0, but not shown in the release notes entry: libmilter/docs/smfi_chgfrom.html libmilter/docs/smfi_version.html 8.14.0/8.14.0 2007/01/31 Header field values are now 8 bit clean. Notes: - header field names are still restricted to 7 bit. - RFC 2822 allows only 7 bit (US-ASCII) characters in headers. Preserve spaces after the colon in a header. Previously, any number of spaces after the colon would be changed to exactly one space. In some cases of deeply nested aliases/forwarding, mail can be silently lost. Moreover, the MaxAliasRecursion limit may be reached too early, e.g., the counter may be off by a factor of 4 in case of a sequence of .forward files that refer to others. Patch from Motonori Nakamura of Kyoto University. Fix a regression in 8.13.8: if InputMailFilters is set then "sendmail -bs" can trigger an assertion because the hostname of the client is undefined. It is now set to "localhost" for the xxfi_connect() callback. Avoid referencing a freed variable during cleanup when terminating. Problem reported and diagnosed by Joe Maimon. New option HeloName to set the name for the HELO/EHLO command. Patch from Nik Clayton. New option SoftBounce to issue temporary errors (4xy) instead of permanent errors (5xy). This can be useful for testing. New suboptions for DaemonPortOptions to set them individually per daemon socket: DeliveryMode DeliveryMode refuseLA RefuseLA delayLA DelayLA queueLA QueueLA children MaxDaemonChildren New option -K for LDAP maps to replace %1 through %9 in the lookup key with the LDAP escaped contents of the arguments specified in the map lookup. Loosely based on patch from Wolfgang Hottgenroth. Log the time after which a greet_pause delay triggered. Patch from Nik Clayton. If a client is rejected via TCP wrapper or some other check performed by validate_connection() (in conf.c) then do not also invoke greet_pause. Problem noted by Jim Pirzyk of the University of Illinois at Urbana-Champaign. If a client terminates the SMTP connection during a pause introduced by greet_pause, then a misleading message was logged previously. Problem noted by Vernon Schryver et.al., patch from Matej Vela. New command "mstat" for control socket to provide "machine readable" status. New named config file rule check_eom which is called at the end of a message, its parameter is the size of the message. If the macro {addr_type} indicates that the current address is a header address it also distinguishes between recipient and sender addresses (as it is done for envelope addresses). When a macro is set in check_relay, then its value is accessible by all transactions in the same SMTP session. Increase size of key for ldap lookups to 1024 (MAXKEY). New option MaxNOOPCommands to override default of 20 for the number of "useless" commands before the SMTP server will slow down responding. New option SharedMemoryKeyFile: if shared memory support is enabled, the MTA can be asked to select a shared memory key itself by setting SharedMemoryKey to -1 and specifying a file where to store the selected key. Try to deal with open HTTP proxies that are used to send spam by recognizing some commands from them. If the first command from the client is GET, POST, CONNECT, or USER, then the connection is terminated immediately. New PrivacyOptions noactualrecipient to avoid putting X-Actual-Recipient lines in DSNs revealing the actual account that addresses map to. Patch from Dan Harkless. New options B, z, and Z for DNS maps: -B: specify a domain that is always appended to queries. -z: specify the delimiter at which to cut off the result of a query if it is too long. -Z: specify the maximum number of entries to be concatenated to form the result of a lookup. New target "check" in the Makefile of libsm: instead of running tests implicitly while building libsm, they must be explicitly started by using "make check". Fixed some inconsistent checks for NULL pointers that have been reported by the SATURN tool which has been developed by Isil Dillig and Thomas Dillig of Stanford University. Fix a potential race condition caused by a signal handler for terminated child processes. Problem noted by David F. Skoll. When a milter deleted a recipient, that recipient could cause a queue group selection. This has been disabled as it was not intended. New operator 'r' for the arith map to return a random number. Patch from Motonori Nakamura of Kyoto University. New compile time option MILTER_NO_NAGLE to turn off the Nagle algorithm for communication with libmilter ("cork" on Linux), which may improve the communication performance on some operating systems. Patch from John Gardiner Myers of Proofpoint. If sendmail received input that contained a CR without subsequent LF (thus violating RFC 2821 (2.3.7)), it could previously generate an additional blank line in the output as the last line. Restarting persistent queue runners by sending a HUP signal to the "queue control process" (QCP) works now. Increase the length of an input line to 12288 to deal with really long lines during SMTP AUTH negotiations. Problem noted by Werner Wiethege. If ARPANET mode (-ba) was selected STARTTLS would fail (due to a missing initialization call for that case). Problem noted by Neil Rickert of Northern Illinois University. If sendmail is linked against a library that initializes Cyrus-SASL before sendmail did it (such as libnss-ldap), then SMTP AUTH could fail for the sendmail client. A patch by Moritz Both works around the API design flaw of Cyrus-SASLv2. CONFIG: Make it possible to unset the StatusFile option by undefining STATUS_FILE. By not setting StatusFile, the MTA will not attempt to open a statistics file on each delivery. CONFIG: New FEATURE(`require_rdns') to reject messages from SMTP clients whose IP address does not have proper reverse DNS. Contributed by Neil Rickert of Northern Illinois University and John Beck of Sun Microsystems. CONFIG: New FEATURE(`block_bad_helo') to reject messages from SMTP clients which provide a HELO/EHLO argument which is either unqualified, or is one of our own names (i.e., the server name instead of the client name). Contributed by Neil Rickert of Northern Illinois University and John Beck of Sun Microsystems. CONFIG: New FEATURE(`badmx') to reject envelope sender addresses (MAIL) whose domain part resolves to a "bad" MX record. Based on contribution from William Dell Wisner. CONFIG: New macros SMTP_MAILER_LL and RELAY_MAILER_LL to override the maximum line length of the smtp mailers. CONFIG: New option `relaytofulladdress' for FEATURE(`access_db') to allow entries in the access map to be of the form To:user@example.com RELAY CONFIG: New subsuboptions eoh and data to specify the list of macros a milter should receive at those stages in the SMTP dialogue. CONFIG: New option confHELO_NAME for HeloName to set the name for the HELO/EHLO command. CONFIG: dnsbl and enhdnsbl can now also discard or quarantine messages by using those values as second argument. Patches from Nelson Fung. CONTRIB: cidrexpand uses a hash symbol as comment character and ignores everything after it unless it is in quotes or preceded by a backslash. DEVTOOLS: New macro confMKDIR: if set to a program that creates directories, then it used for "make install" to create the required installation directories. DEVTOOLS: New macro confCCLINK to specify the linker to use for executables (defaults to confCC). LIBMILTER: A new version of the milter API has been created that has several changes which are listed below and documented in the webpages reachable via libmilter/docs/index.html. LIBMILTER: The meaning of the version macro SMFI_VERSION has been changed. It now refers only to the version of libmilter, not to the protocol version (which is used only internally, it is not user/milter-programmer visible). Additionally, a version function smfi_version() has been introduced such that a milter program can check the libmilter version also at runtime which is useful if a shared library is used. LIBMILTER: A new callback xxfi_negotiate() can be used to dynamically (i.e., at runtime) determine the available protocol actions and features of the MTA and also to specify which of these a milter wants to use. This allows for more flexibility than hardcoding these flags in the xxfi_flags field of the smfiDesc structure. LIBMILTER: A new callback xxfi_data() is available so milters can act on the DATA command. LIBMILTER: A new callback xxfi_unknown() is available so milters can receive also unknown SMTP commands. LIBMILTER: A new return code SMFIS_NOREPLY has been added which can be used by the xxfi_header() callback provided the milter requested the SMFIP_NOHREPL protocol action. LIBMILTER: The new return code SMFIS_SKIP can be used in the xxfi_body() callback to skip over further body chunks and directly advance to the xxfi_eom() callback. This is useful if a milter can make a decision based on the body chunks it already received without reading the entire rest of the body and the milter wants to invoke functions that are only available from the xxfi_eom() callback. LIBMILTER: A new function smfi_addrcpt_par() can be used to add new recipients including ESMTP parameters. LIBMILTER: A new function smfi_chgfrom() can be used to change the envelope sender including ESMTP parameters. LIBMILTER: A milter can now request to be informed about rejected recipients (RCPT) too. This requires to set the protocol flag SMFIP_RCPT_REJ during option negotiation. Whether a RCPT has been rejected can be checked by comparing the value of the macro {rcpt_mailer} with "error". LIBMILTER: A milter can now override the list of macros that it wants to receive from the MTA for each protocol step by invoking the function smfi_setsymlist() during option negotiation. LIBMILTER: A milter can receive header field values with all leading spaces by requesting the SMFIP_HDR_LEADSPC protocol action. Also, if the flag is set then the MTA does not add a leading space to headers that are added, inserted, or replaced. LIBMILTER: If a milter sets the reply code to "421" for the HELO callback, the SMTP server will terminate the SMTP session with that error to match the behavior of all other callbacks. New Files: cf/feature/badmx.m4 cf/feature/block_bad_helo.m4 cf/feature/require_rdns.m4 devtools/M4/UNIX/check.m4 include/sm/misc.h include/sm/sendmail.h include/sm/tailq.h libmilter/docs/smfi_addrcpt_par.html libmilter/docs/smfi_setsymlist.html libmilter/docs/xxfi_data.html libmilter/docs/xxfi_negotiate.html libmilter/docs/xxfi_unknown.html libmilter/example.c libmilter/monitor.c libmilter/worker.c libsm/memstat.c libsm/t-memstat.c libsm/t-qic.c libsm/util.c sendmail/daemon.h sendmail/map.h 8.13.8/8.13.8 2006/08/09 Fix a regression in 8.13.7: if shared memory is activated, then the server can erroneously report that there is insufficient disk space. Additionally make sure that an internal variable is set properly to avoid those misleading errors. Based on patch from Steve Hubert of University of Washington. Fix a regression in 8.13.7: the PidFile could be removed after the process that forks the daemon exited, i.e., if sendmail -bd is invoked. Problem reported by Kan Sasaki of Fusion Communications Corp. and Werner Wiethege. Avoid opening qf files if QueueSortOrder is "none". Patch from David F. Skoll. Avoid a crash when finishing due to referencing a freed variable. Problem reported and diagnosed by Moritz Jodeit. CONTRIB: cidrexpand now deals with /0 by issuing the entire IPv4 range (0..255). LIBMILTER: The "hostname" argument of the xxfi_connect() callback previously was the equivalent of {client_ptr}. However, this did not match the documentation of the function, hence it has been changed to {client_name}. See doc/op/op.me about these macros. 8.13.7/8.13.7 2006/06/14 A malformed MIME structure with many parts can cause sendmail to crash while trying to send a mail due to a stack overflow, e.g., if the stack size is limited (ulimit -s). This happens because the recursion of the function mime8to7() was not restricted. The function is called for MIME 8 to 7 bit conversion and also to enforce MaxMimeHeaderLength. To work around this problem, recursive calls are limited to a depth of MAXMIMENESTING (20); message content after this limit is treated as opaque and is not checked further. Problem noted by Frank Sheiness. The changes to the I/O layer in 8.13.6 caused a regression for SASL mechanisms that use the security layer, e.g., DIGEST-MD5. Problem noted by Robert Stampfli. If a timeout occurs while reading a message (during the DATA phase) a df file might have been left behind in the queue. This was another side effect of the changes to the I/O layer made in 8.13.6. Several minor problems have been fixed that were found by a Coverity scan of sendmail 8 as part of the NetBSD distribution. See http://scan.coverity.com/ Note: the scan generated also a lot of "false positives", e.g., "error" reports about situations that cannot happen. Most of those code places are marked with lint(1) comments like NOTREACHED, but Coverity does not understand those. Hence an explicit assertion has been added in some cases to avoid those false positives. If the start of the sendmail daemon fails due to a configuration error then in some cases shared memory segments or pid files were not removed. If DSN support is disabled via access_db, then related ESMTP parameters for MAIL and RCPT should be rejected. Problem reported by Akihiro Sagawa. Enabling zlib compression in OpenSSL 0.9.8[ab] breaks the padding bug work-around. Hence if sendmail is linked against either of these versions and compression is available, the padding bug work-around is turned off. Based on patch from Victor Duchovni of Morgan Stanley. CONFIG: FEATURE(`dnsbl') and FEATURE(`enhdnsbl') used blackholes.mail-abuse.org as default domain for lookups, however, that list is no longer available. To avoid further problems, no default value is available anymore, but an argument must be specified. Portability: Fix compilation on OSF/1 for sfsasl.c. Patch from Pieter Bowman of the University of Utah. 8.13.6/8.13.6 2006/03/22 SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server and client side of sendmail with timeouts in the libsm I/O layer and fix problems in that code. Also fix handling of a buffer in sm_syslog() which could have been used as an attack vector to exploit the unsafe handling of setjmp(3)/longjmp(3) in combination with signals. Problem detected by Mark Dowd of ISS X-Force. Handle theoretical integer overflows that could triggered if the server accepted headers larger than the maximum (signed) integer value. This is prevented in the default configuration by restricting the size of a header, and on most machines memory allocations would fail before reaching those values. Problems found by Phil Brass of ISS. If a server returns 421 for an RSET command when trying to start another transaction in a session while sending mail, do not trigger an internal consistency check. Problem found by Allan E Johannesen of Worcester Polytechnic Institute. If a server returns a 5xy error code (other than 501) in response to a STARTTLS command despite the fact that it advertised STARTTLS and that the code is not valid according to RFC 2487 treat it nevertheless as a permanent failure instead of a protocol error (which has been changed to a temporary error in 8.13.5). Problem reported by Jeff A. Earickson of Colby College. Clear SMTP state after a HELO/EHLO command. Patch from John Myers of Proofpoint. Observe MinQueueAge option when gathering entries from the queue for sorting etc instead of waiting until the entries are processed. Patch from Brian Fundakowski Feldman. Set up TLS session cache to properly handle clients that try to resume a stored TLS session. Properly count the number of (direct) child processes such that a configured value (MaxDaemonChildren) is not exceeded. Based on patch from Attila Bruncsak. LIBMILTER: Remove superfluous backslash in macro definition (libmilter.h). Based on patch from Mike Kupfer of Sun Microsystems. LIBMILTER: Don't try to set SO_REUSEADDR on UNIX domain sockets. This generates an error message from libmilter on Solaris, though other systems appear to just discard the request silently. LIBMILTER: Deal with sigwait(2) implementations that return -1 and set errno instead of returning an error code directly. Patch from Chris Adams of HiWAAY Informations Services. Portability: Fix compilation checks for closefrom(3) and statvfs(2) in NetBSD. Problem noted by S. Moonesamy, patch from Andrew Brown. 8.13.5/8.13.5 2005/09/16 Store the filesystem identifier of the df/ subdirectory (if it exists) in an internal structure instead of the base directory. This structure is used decide whether there is enough free disk space when selecting a queue, hence without this change queue selection could fail if a df/ subdirectory exists and is on a different filesystem than the base directory. Use the queue index of the df file (instead of the qf file) for checking whether a link(2) operation can be used to split an envelope across queue groups. Problem found by Werner Wiethege. If the list of items in the queue is larger than the maximum number of items to process, sort the queue first and then cut the list off instead of the other way around. Patch from Matej Vela of Rudjer Boskovic Institute. Fix helpfile to show full entry for ETRN. Problem noted by Penelope Fudd, patch from Neil Rickert of Northern Illinois University. FallbackSmartHost should also be tried on temporary errors. From John Beck of Sun Microsystems. When a server responds with 421 to the STARTTLS command then treat it as a temporary error, not as protocol error. Problem noted by Andrey J. Melnikoff. Properly define two functions in libsm as static because their prototype used static too. Patch from Peter Klein. Fix syntax errors in helpfile for MAIL and RCPT commands. LIBMILTER: When smfi_replacebody() is called with bodylen equals zero then do not silently ignore that call. Patch from Gurusamy Sarathy of Active State. LIBMILTER: Recognize "421" also in a multi-line reply to terminate the SMTP session with that error. Fix from Brian Kantor. Portability: New option HASSNPRINTF which can be set if the OS has a properly working snprintf(3) to get rid of the last two (safe) sprintf(3) calls in the source code. Add support for AIX 5.3. Add support for SunOS 5.11 (aka Solaris 11). Add support for Darwin 8.x. Patch from Lyndon Nerenberg. OpenBSD 3.7 has removed support for NETISO. CONFIG: Add OSTYPE(freebsd6) for FreeBSD 6.X. Set DontBlameSendmail to AssumeSafeChown and GroupWritableDirPathSafe for OSTYPE(darwin). Patch from Lyndon Nerenberg. Some features still used 4.7.1 as enhanced status code which was supposed to be eliminated in 8.13.0 because some broken systems misinterpret it as a permanent error. Patch from Matej Vela of Rudjer Boskovic Institute. Some default values in a generated cf file did not match the defaults in the sendmail binary. Problem noted by Mike Pechkin. New Files: cf/ostype/freebsd6.m4 devtools/OS/AIX.5.3 devtools/OS/Darwin.8.x devtools/OS/SunOS.5.11 include/sm/time.h 8.13.4/8.13.4 2005/03/27 The bug fixes in 8.13.3 for connection handling uncovered a different error which could result in connections that stay in CLOSE_WAIT state due to a variable that was not properly initialized. Problem noted by Michael Sims. Deal with empty hostnames in hostsignature(). This bug could lead to an endless loop when doing LMTP deliveries to another host. Problem first reported by Martin Lathoud and tracked down by Gael Roualland. Make sure return parameters are initialized in getmxrr(). Problem found by Gael Roualland using valgrind. If shared memory is used and the RunAsUser option is set, then the owner and group of the shared memory segment is set to the ids specified RunAsUser and the access mode is set to 0660 to allow for updates by sendmail processes. The number of queue entries that is (optionally) kept in shared memory was wrong in some cases, e.g., envelope splitting and bounce generation. Undo a change made in 8.13.0 to silently truncate long strings in address rewriting because the message can be triggered for header checks where long strings are legitimate. Problem reported by Mary Verge DeSisto, and tracked down with the help of John Beck of Sun Microsystems. The internal stab map did not obey the -m flag. Patch from Rob McMahon of Warwick University, England. The socket map did not obey the -f flag. Problem noted by Dan Ringdahl, forwarded by Andrzej Filip. The addition of LDAP recursion in 8.13.0 broke enforcement of the LDAP map -1 argument which tells the MTA to only return success if and only if a single LDAP match is found. Add additional error checks in the MTA for milter communication to avoid a possible segmentation fault. Based on patch by Joe Maimon. Do not trigger an assertion if X509_digest() returns success but does not assign a value to its output parameter. Based on patch by Brian Kantor. Add more checks when resetting internal AUTH data (applies only to Cyrus SASL version 2). Otherwise an SMTP session might be dropped after an AUTH failure. Portability: Add LA_LONGLONG as valid LA_TYPE type for systems that use "long long" to read load average data, e.g., AIX 5.1 in 32 bit mode. Note: this has to be set "by hand", it is not (yet) automatically detected. Problem noted by Burak Bilen. Use socklen_t for accept(), etc. on AIX 5.x. This should fix problems when compiling in 64 bit mode. Problem first reported by Harry Meiert of University of Bremen. New Files: include/sm/sem.h libsm/sem.c libsm/t-sem.c 8.13.3/8.13.3 2005/01/11 Enhance handling of I/O errors, especially EOF, when STARTTLS is active. Make sure a connection is not reused after it has been closed due to a 421 error. Problem found by Allan E Johannesen of Worcester Polytechnic Institute. Avoid triggering an assertion when sendmail is interrupted while closing a connection. Problem found by Allan E Johannesen of Worcester Polytechnic Institute. Regression: a change in 8.13.2 caused sendmail not to try the next MX host (or FallbackMXhost if configured) when, at connection open, the current server returns a 4xy or 5xy SMTP reply code. Problem noted by Mark Tranchant. 8.13.2/8.13.2 2004/12/15 Do not split the first header even if it exceeds the internal buffer size. Previously a part of such a header would end up in the body of the message. Problem noted by Simple Nomad of BindView. Do not complain about "cataddr: string too long" when checking headers that do not contain RFC 2822 addresses. Problem noted by Rich Graves of Brandeis University. If a server returns a 421 reply to the RSET command between message deliveries, do not attempt to deliver any more messages on that connection. This prevents bogus "Bad file number" recipient status. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Allow trailing white space in EHLO command as recommended by RFC 2821. Problem noted by Ralph Santagato of SBC Services. Deal with clients which use AUTH but negotiate a smaller buffer size for data exchanges than the value used by sendmail, e.g., Cyrus IMAP lmtp server. Based on patch by Jamie Clark. When passing ESMTP arguments for RCPT to a milter, do not cut them off at a comma. Problem noted by Krzysztof Oledzki. Add more logging to milter change header functions to complement existing logging. Based on patch from Gurusamy Sarathy of Active State. Include in include/sm/config.h when LDAPMAP is defined. Patch from Edgar Hoch of the University of Stuttgart. Fix DNS lookup if IPv6 is enabled when converting an IP address to a hostname for use with SASL. Problem noted by Ken Jones; patch from Hajimu UMEMOTO. CONFIG: For consistency enable MODIFY_MAILER_FLAGS for the prog mailer. Patch from John Beck of Sun Microsystems. LIBMILTER: It was possible that xxfi_abort() was called after xxfi_eom() for a message if some timeouts were triggered. Patch from Alexey Kravchuk. LIBMILTER: Slightly rearrange mutex use in listener.c to allow different threads to call smfi_opensocket() and smfi_main(). Patch from Jordan Ritter of Cloudmark. MAIL.LOCAL: Properly terminate MBDB before exiting. Problem noted by Nelson Fung. MAIL.LOCAL: make strip-mail.local used a wrong path to access mail.local. Problem noted by William Park. VACATION: Properly terminate MBDB before exiting. Problem noted by Nelson Fung. Portability: Add support for DragonFly BSD. New Files: cf/ostype/dragonfly.m4 devtools/OS/DragonFly include/sm/os/sm_os_dragonfly.h Deleted Files: libsm/vsscanf.c 8.13.1/8.13.1 2004/07/30 Using the default AliasFile ldap: specification would cause the objectClasses of the LDAP response to be included in the alias expansion. Problem noted by Brenden Conte of Rensselaer Polytechnic Institute. Fix support for a fallback smart host for system where DNS is (partially) available. From John Beck of Sun Microsystems. Fix SuperSafe=PostMilter behavior when a milter replaces a body but the data file is not yet stored on disk because it is smaller than the size of the memory buffer. Problem noted by David Russell. Fix certificate revocation list support; if a CRL was specified but the other side presented a cert that was signed by a different (trusted) CA than the one which issued the CRL, verification would always fail. Problem noted by Al Smith. Run mailer programs as the RunAsUser when RunAsUser is set and the F=S mailer flag is set without a U= mailer equate. Problem noted by John Gardiner Myers of Proofpoint. ${nbadrcpts} was off by one if BadRcptThrottle is zero. Patch from Sung-hoon Choi of DreamWiz Inc. CONFIG: Emit a warning if FEATURE(`access_db') is used after FEATURE(`greet_pause') because then the latter will not use the access map. Note: if no default value is given for FEATURE(`greet_pause') then it issues an error if FEATURE(`access_db') is not specified before it. Problem noted by Alexander Dalloz of University of Bielefeld. CONFIG: Invoke ruleset Local_greet_pause if FEATURE(`greet_pause') is used to give more flexibility for local changes. Portability: Fix a 64 bit problem in the socket map code. Problem noted by Geoff Adams. NetBSD 2.0F has closefrom(3). Patch from Andrew Brown. NetBSD can use sysctl(3) to get the number of CPUs in a system. Patch from Andrew Brown. Add a README file in doc/op/ to explain potential incompatibilities with various *roff related tools. Problem tracked down by Per Hedeland. New Files: doc/op/README 8.13.0/8.13.0 2004/06/20 Do not include AUTH data in a bounce to avoid leaking confidential information. See also cf/README about MSP and the section "Providing SMTP AUTH Data when sendmail acts as Client". Problem noted by Neil Rickert of Northern Illinois University. Fix compilation error in libsm/clock.c for -D_FFR_SLEEP_USE_SELECT=n and -DSM_CONF_SETITIMER=0. Problem noted by Juergen Georgi of RUS University of Stuttgart. Fix bug in conversion from 8bit to quoted-printable. Problem found by Christof Haerens, patch from Per Hedeland. Add support for LDAP recursion based on types given to attribute specifications in an LDAP map definition. This allows LDAP queries to return a new query, a DN, or an LDAP URL which will in turn be queried. See the ``LDAP Recursion'' section of doc/op/op.me for more information. Based on patch from Andrew Baucom. Extend the default LDAP specifications for AliasFile (O AliasFile=ldap:) and file classes (F{X}@LDAP) to include support for LDAP recursion via new attributes. See ``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section of cf/README for more information. New option for LDAP maps: the -w option allows you to specify the LDAP API/protocol version to use. The default depends on the LDAP library. New option for LDAP maps: the -H option allows you to specify an LDAP URI instead of specifying the LDAP server via -h host and -p port. This also allows for the use of LDAP over SSL and connections via named sockets if your LDAP library supports it. New compile time flag SM_CONF_LDAP_INITIALIZE: set this if ldap_initialize(3) is available (and LDAPMAP is set). If MaxDaemonChildren is set and a command is repeated too often during a SMTP session then terminate it just like it is done for too many bad SMTP commands. Basic connection rate control support has been added: the daemon maintains the number of incoming connections per client IP address and total in the macros {client_rate} and {total_rate}, respectively. These macros can be used in the cf file to impose connection rate limits. A new option ConnectionRateWindowSize (default: 60s) determines the length of the interval for which the number of connections is stored. Based on patch from Jose Marcio Martins da Cruz, Ecole des Mines de Paris. Add optional protection from open proxies and SMTP slammers which send SMTP traffic without waiting for the SMTP greeting. If enabled by the new ruleset greet_pause (see FEATURE(`greet_pause')), sendmail will wait the specified amount of time before sending the initial 220 SMTP greeting. If any traffic is received before then, a 554 SMTP response is sent and all SMTP commands are rejected during that connection. If 32 NOOP (or unknown/bad) commands are issued by a client the SMTP server could sleep for a very long time. Fix based on patch from Tadashi Kobayashi of IIJ. Fix a potential memory leak in persistent queue runners if the number of entries in the queue exceeds the limit of jobs. Problem noted by Steve Hubert of University of Washington. Do not use 4.7.1 as enhanced status code because some broken systems misinterpret it as a permanent error. New value for SuperSafe: PostMilter which will delay fsync() until all milters accepted the mail. This can increase performance if many mails are rejected by milters due to body scans. Based on patch from David F. Skoll. New macro {msg_id} which contains the value of the Message-Id: header, whether provided by the client or generated by sendmail. New macro {client_connections} which contains the number of open connections in the SMTP server for the client IP address. Based on patch from Jose Marcio Martins da Cruz, Ecole des Mines de Paris. sendmail will now remove its pidfile when it exits. This was done to prevent confusion caused by running sendmail stop scripts two or more times, where the second and subsequent runs would report misleading error messages about sendmail's pid no longer existing. See section 1.3.15 of doc/op/op.me for a discussion of the implications of this, including how to correct broken scripts which may have depended on the old behavior. From John Beck of Sun Microsystems. Support per-daemon input filter lists which override the default filter list specified in InputMailFilters. The filters can be listed in the I= equate of DaemonPortOptions. Do not add all domain prefixes of the hostname to class 'w'. If your configuration relies on this behavior, you have to add those names to class 'w' yourself. Problem noted by Sander Eerkes. Support message quarantining in the mail queue. Quarantined messages are not run on normal queue displays or runs unless specifically requested with -qQ. Quarantined queue files are named with an hf prefix instead of a qf prefix. The -q command line option now can specify which queue to display or run. -qQ operates on quarantined queue items. -qL operates on lost queue items. Restricted mail queue runs and displays can be done based on the quarantined reason using -qQtext to run or display quarantined items if the quarantine reason contains the given text. Similarly, -q!Qtext will run or display quarantined items which do not have the given text in the quarantine reason. Items in the queue can be quarantined or unquarantined using the new -Q option. See doc/op/op.me for more information. When displaying the quarantine mailq with 'mailq -qQ', the quarantine reason is shown in a new line prefixed by "QUARANTINE:". A new error code for the $#error mailer, $@ quarantine, can be used to quarantine messages in check_* (except check_compat) and header check rulesets. The $: of the mailer triplet will be used for the quarantine reason. Add a new quarantine count to the mailstats collected. Add a new macro ${quarantine} which is the quarantine reason for a message if it is quarantined. New map type "socket" for a trivial query protocol over UNIX domain or TCP sockets (requires compile time option SOCKETMAP). See sendmail/README and doc/op/op.me for details as well as socketmapServer.pl and socketmapClient.pl in contrib. Code donated by Bastiaan Bakker of LifeLine Networks. Define new macro ${client_ptr} which holds the result of the PTR lookup for the client IP address. Note: this is the same as ${client_name} if and only if ${client_resolve} is OK. Add a new macro ${nbadrcpts} which contains the number of bad recipients received so far in a transaction. Call check_relay with the value of ${client_name} to deal with bogus DNS entries. See also FEATURE(`use_client_ptr'). Problem noted by Kai Schlichting. Treat Delivery-Receipt-To: headers the same as Return-Receipt-To: headers (turn them into DSNs). Delivery-Receipt-To: is apparently used by SIMS (Sun Internet Mail System). Enable connection caching for LPC mailers. Patch from Christophe Wolfhugel of France Telecom Oleane. Do not silently truncate long strings in address rewriting. Add support for Cyrus SASL version 2. From Kenneth Murchison of Oceana Matrix Ltd. Add a new AuthOption=m flag to require the use of mechanisms which support mutual authentication. From Kenneth Murchison of Oceana Matrix Ltd. Fix logging of TLS related problems (introduced in 8.12.11). The macros {auth_author} and {auth_authen} are stored in xtext format just like the STARTTLS related macros to avoid problems with parsing them. Problem noted by Pierangelo Masarati of SysNet s.n.c. New option AuthRealm to set the authentication realm that is passed to the Cyrus SASL library. Patch from Gary Mills of the University of Manitoba. Enable AUTH mechanism EXTERNAL if STARTTLS verification was successful, otherwise relaying would be allowed if EXTERNAL is listed in TRUST_AUTH_MECH() and STARTTLS is active. Add basic support for certificate revocation lists. Note: if a CRLFile is specified but the file is unusable, STARTTLS is disabled. Based on patch by Ralf Hornik. Enable workaround for inconsistent Cyrus SASLv1 API for mechanisms DIGEST-MD5 and LOGIN. Write pid to file also if sendmail only acts as persistent queue runner. Proposed by Gary Mills of the University of Manitoba. Keep daemon pid file(s) locked so other daemons don't try to overwrite each other's pid files. Increase maximum length of logfile fields for {cert_subject} and {cert_issuer} from 128 to 256. Requested by Christophe Wolfhugel of France Telecom. Log the TLS verification message on the STARTTLS= log line at LogLevel 12 or higher. If the MSP is invoked with the verbose option (-v) then it will try to use the SMTP command VERB to propagate this option to the MTA which in turn will show the delivery just like it was done before the default 8.12 separation of MSP and MTA. Based on patch by Per Hedeland. If a daemon is refusing connections for longer than the time specified by the new option RejectLogInterval (default: 3 hours) due to high load, log this information. Patch from John Beck of Sun Microsystems. Remove the ability for non-trusted users to raise the value of CheckpointInterval on the command line. New mailer flag 'B' to strip leading backslashes, which is a subset of the functionality of the 's' flag. New mailer flag 'W' to ignore long term host status information. Patch from Juergen Georgi of RUS University of Stuttgart. Enable generic mail filter API (milter) by default. To turn it off, add -DMILTER=0 to the compile time options. An internal SMTP session discard flag was lost after an RSET/HELO/EHLO causing subsequent messages to be sent instead of being discarded. This also caused milter callbacks to be called out of order after the SMTP session was reset. New option RequiresDirfsync to turn off the compile time flag REQUIRES_DIR_FSYNC at runtime. See sendmail/README for further information. New command line option -D logfile to send debug output to the indicated log file instead of stdout. Add Timeout.queuereturn.dsn and Timeout.queuewarn.dsn to control queue return and warning times for delivery status notifications. New queue sort order option: 'n'one for not sorting the queue entries at all. Several more return values for ruleset srv_features have been added to enable/disable certain features in the server per connection. See doc/op/op.me for details. Support for SMTP over SSL (smtps), activated by Modifier=s for DaemonPortOptions. Continue with DNS lookups on ECONNREFUSED and TRY_AGAIN when trying to canonify hostnames. Suggested by Neil Rickert of Northern Illinois University. Add support for a fallback smart host (option FallbackSmartHost) to be tried as a last resort after all other fallbacks. This is designed for sites with partial DNS (e.g., an accurate view of inside the company, but an incomplete view of outside). From John Beck of Sun Microsystems. Enable timeout for STARTTLS even if client does not start the TLS handshake. Based on patch by Andrey J. Melnikoff. Remove deprecated -v option for PH map, use -k instead. Patch from Mark Roth of the University of Illinois at Urbana-Champaign. libphclient is version 1.2.x by default, if version 1.1.x is required then compile with -DNPH_VERSION=10100. Patch from Mark Roth of the University of Illinois at Urbana-Champaign. Add Milter.macros.eom, allowing macros to be sent to milter applications for use in the xxfi_eom() callback. New macro {time} which contains the output of the time(3) function, i.e., the number of seconds since 0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated Universal Time (UTC). If check_relay sets the reply code to "421" the SMTP server will terminate the SMTP session with a 421 error message. Get rid of dead code that tried to access the environment variable HOSTALIASES. Deprecate the use of ErrorMode=write. To enable this in 8.13 compile with -DUSE_TTYPATH=1. Header check rulesets using $>+ (do not strip comments) will get the header value passed in without balancing quotes, parentheses, and angle brackets. Based on patch from Oleg Bulyzhin. Do not complain and fix up unbalanced quotes, parentheses, and angle brackets when reading in rulesets. This allows rules to be written for header checks to catch strings that contain quotes, parentheses, and/or angle brackets. Based on patch from Oleg Bulyzhin. Do not close socket when accept(2) in the daemon encounters some temporary errors like ECONNABORTED. Added list of CA certificates that are used by members of the sendmail consortium, see CACerts. Portability: Two new compile options have been added: HASCLOSEFROM System has closefrom(3). HASFDWALK System has fdwalk(3). Based on patch from John Beck of Sun Microsystems. The Linux kernel version 2.4 series has a broken flock() so change to using fcntl() locking until they can fix it. Be sure to update other sendmail related programs to match locking techniques. New compile time option NEEDINTERRNO which should be set if does not declare errno itself. Support for UNICOS/mk and UNICOS/mp added, some changes for UNICOS. Patches contributed by Aaron Davis and Brian Ginsbach, Cray Inc., and Manu Mahonen of Center for Scientific Computing. Add support for Darwin 7.0/Mac OS X 10.3 (a.k.a. Panther). Extend support to Darwin 7.x/Mac OS X 10.3 (a.k.a. Panther). Remove path from compiler definition for Interix because Interix 3.0 and 3.5 put gcc in different locations. Also use to get the correct major()/minor() definitions. Based on feedback from Mark Funkenhauser. CONFIG: Add support for LDAP recursion to the default LDAP searches for maps via new attributes. See the ``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section of cf/README and cf/sendmail.schema for more information. CONFIG: Make sure confTRUSTED_USER is valid even if confRUN_AS_USER is of the form "user:group" when used for submit.mc. Problem noted by Carsten P. Gehrke, patch from Neil Rickert of Northern Illinois University. CONFIG: Add a new access DB value of QUARANTINE:reason which instructs the check_* (except check_compat) to quarantine the message using the given reason. CONFIG: Use "dns -R A" as map type for dnsbl (just as for enhdnsbl) instead of "host" to avoid problem with looking up other DNS records than just A. CONFIG: New option confCONNECTION_RATE_WINDOW_SIZE to define the length of the interval for which the number of incoming connections is maintained. CONFIG: New FEATURE(`ratecontrol') to set the limits for connection rate control for individual hosts or nets. CONFIG: New FEATURE(`conncontrol') to set the limits for the number of open SMTP connections for individual hosts or nets. CONFIG: New FEATURE(`greet_pause') enables open proxy and SMTP slamming protection described above. The feature can take an argument specifying the milliseconds to wait and/or use the access database to look the pause time based on client hostname, domain, IP address, or subnet. CONFIG: New FEATURE(`use_client_ptr') to have check_relay use $&{client_ptr} as its first argument. This is useful for rejections based on the unverified hostname of client, which turns on the same behavior as in earlier sendmail versions when delay_checks was not in use. See also entry above about check_relay being invoked with ${client_name}. CONFIG: New option confREJECT_LOG_INTERVAL to specify the log interval when refusing connections for this long. CONFIG: Remove quotes around usage of confREJECT_MSG; in some cases this requires a change in a mc file. Requested by Ted Roberts of Electronic Data Systems. CONFIG: New option confAUTH_REALM to set the authentication realm that is passed to the Cyrus SASL library. Patch from Gary Mills of the University of Manitoba. CONFIG: Rename the (internal) classes {tls}/{src} to {Tls}/{Src} to follow the naming conventions. CONFIG: Add a third optional argument to local_lmtp to specify the A= argument. CONFIG: Remove the f flag from the default mailer flags of local_lmtp. CONFIG: New option confREQUIRES_DIR_FSYNC to turn off the compile time flag REQUIRES_DIR_FSYNC at runtime. CONFIG: New LOCAL_UUCP macro to insert rules into the generated cf file at the same place where MAILER(`uucp') inserts its rules. CONFIG: New options confTO_QUEUERETURN_DSN and confTO_QUEUEWARN_DSN to control queue return and warning times for delivery status notifications. CONFIG: New option confFALLBACK_SMARTHOST to define FallbackSmartHost. CONFIG: Add the mc file which has been used to create the cf file to the end of the cf file when using make in cf/cf/. Patch from Richard Rognlie. CONFIG: FEATURE(nodns) has been removed, it was a no-op since 8.9. Use ServiceSwitchFile to turn off DNS lookups, see doc/op/op.me. CONFIG: New option confMILTER_MACROS_EOM (sendmail Milter.macros.eom option) defines macros to be sent to milter applications for use in the xxfi_eom() callback. CONFIG: New option confCRL to specify file which contains certificate revocations lists. CONFIG: Add a new value (sendertoo) for the third argument to FEATURE(`ldap_routing') which will reject the SMTP MAIL From: command if the sender address doesn't exist in LDAP. See cf/README for more information. CONFIG: Add a fifth argument to FEATURE(`ldap_routing') which instructs the rulesets on whether or not to do a domain lookup if a full address lookup doesn't match. See cf/README for more information. CONFIG: Add a sixth argument to FEATURE(`ldap_routing') which instructs the rulesets on whether or not to queue the mail or give an SMTP temporary error if the LDAP server can't be reached. See cf/README for more information. Based on patch from Billy Ray Miller of Caterpillar. CONFIG: Experimental support for MTAMark, see cf/README for details. CONFIG: New option confMESSAGEID_HEADER to define a different Message-Id: header format. Patch from Bastiaan Bakker of LifeLine Networks. CONTRIB: New version of cidrexpand which uses Net::CIDR. From Derek J. Balling. CONTRIB: oldbind.compat.c has been removed due to security problems. Found by code inspection done by Reasoning, Inc. DEVTOOLS: Add an example file for devtools/Site/, contributed by Neil Rickert of Northern Illinois University. LIBMILTER: Add new function smfi_quarantine() which allows the filter's EOM routine to quarantine the current message. Filters which use this function must include the SMFIF_QUARANTINE flag in the registered smfiDesc structure. LIBMILTER: If a milter sets the reply code to "421", the SMTP server will terminate the SMTP session with that error. LIBMILTER: Upon filter shutdown, libmilter will not remove a named socket in the file system if it is running as root. LIBMILTER: Add new function smfi_progress() which allows the filter to notify the MTA that an EOM operation is still in progress, resetting the timeout. LIBMILTER: Add new function smfi_opensocket() which allows the filter to attempt to establish the interface socket, and detect failure to do so before calling smfi_main(). LIBMILTER: Add new function smfi_setmlreply() which allows the filter to return a multi-line SMTP reply. LIBMILTER: Deal with more temporary errors in accept() by ignoring them instead of stopping after too many occurred. Suggested by James Carlson of Sun Microsystems. LIBMILTER: Fix a descriptor leak in the sample program found in docs/sample.html. Reported by Dmitry Adamushko. LIBMILTER: The sample program also needs to use SMFIF_ADDRCPT. Reported by Carl Byington of 510 Software Group. LIBMILTER: Document smfi_stop() and smfi_setdbg(). Patches from Bryan Costales. LIBMILTER: New compile time option SM_CONF_POLL; define this if poll(2) should be used instead of select(2). LIBMILTER: New function smfi_insheader() and related protocol amendments to support header insertion operations. MAIL.LOCAL: Add support for hashed mail directories, see mail.local/README. Contributed by Chris Adams of HiWAAY Informations Services. MAILSTATS: Display quarantine message counts. MAKEMAP: Add new flag -D to specify the comment character to use instead of '#'. VACATION: Add new flag -j to auto-respond to messages regardless of whether or not the recipient is listed in the To: or Cc: headers. VACATION: Add new flag -R to specify the envelope sender address for the auto-response message. New Files: CACerts cf/feature/conncontrol.m4 cf/feature/greet_pause.m4 cf/feature/mtamark.m4 cf/feature/ratecontrol.m4 cf/feature/use_client_ptr.m4 cf/ostype/unicos.m4 cf/ostype/unicosmk.m4 cf/ostype/unicosmp.m4 contrib/socketmapClient.pl contrib/socketmapServer.pl devtools/OS/Darwin.7.0 devtools/OS/UNICOS-mk devtools/OS/UNICOS-mp devtools/Site/site.config.m4.sample include/sm/os/sm_os_unicos.h include/sm/os/sm_os_unicosmk.h include/sm/os/sm_os_unicosmp.h libmilter/docs/smfi_insheader.html libmilter/docs/smfi_progress.html libmilter/docs/smfi_quarantine.html libmilter/docs/smfi_setdbg.html libmilter/docs/smfi_setmlreply.html libmilter/docs/smfi_stop.html sendmail/ratectrl.c Deleted Files: cf/feature/nodns.m4 contrib/oldbind.compat.c devtools/OS/CRAYT3E.2.0.x devtools/OS/CRAYTS.10.0.x libsm/vsprintf.c Renamed Files: devtools/OS/Darwin.7.0 => devtools/OS/Darwin.7.x 8.12.11/8.12.11 2004/01/18 Use QueueFileMode when opening qf files. This error was a regression in 8.12.10. Problem detected and diagnosed Lech Szychowski of the Polish Power Grid Company. Properly count the number of queue runners in a work group and make sure the total limit of MaxQueueChildren is not exceeded. Based on patch from Takayuki Yoshizawa of Techfirm, Inc. Take care of systems that can generate time values where the seconds can exceed the usual range of 0 to 59. Problem noted by Randy Diffenderfer of EDS. Avoid regeneration of identical queue identifiers by processes whose process id is the same as that of the initial sendmail process that was used to start the daemon. Problem noted by Randy Diffenderfer of EDS. When a milter invokes smfi_delrcpt() compare the supplied recipient address also against the printable addresses of the current list to deal with rewritten addresses. Based on patch from Sean Hanson of The Asylum. BadRcptThrottle now also works for addresses which return the error mailer, e.g., virtusertable entries with the right hand side error:. Patch from Per Hedeland. Fix printing of 8 bit characters as octals in log messages. Based on patch by Andrey J. Melnikoff. Undo change of algorithm for MIME 7-bit base64 encoding to 8-bit text that has been introduced in 8.12.3. There are some examples where the new code fails, but the old code works. To get the 8.12.3-8.12.10 version, compile sendmail with -DMIME7TO8_OLD=0. If you have an example of improper 7 to 8 bit conversion please send it to us. Return normal error code for unknown SMTP commands instead of the one specified by check_relay or a milter for a connection. Problem noted by Andrzej Filip. Some ident responses contain data after the terminating CRLF which causes sendmail to log "POSSIBLE ATTACK...newline in string". To avoid this everything after LF is ignored. If the operating system supports O_EXLOCK and HASFLOCK is set then a possible race condition for creating qf files can be avoided. Note: the race condition does not exist within sendmail, but between sendmail and an external application that accesses qf files. Log the proper options name for TLS related mising files for the CACertPath, CACertFile, and DHParameters options. Do not split an envelope if it will be discarded, otherwise df files could be left behind. Problem found by Wolfgang Breyha. The use of the environment variables HOME and HOSTALIASES has been deprecated and will be removed in version 8.13. This only effects configuration which preserve those variable via the 'E' command in the cf file as sendmail clears out its entire environment. Portability: Add support for Darwin 7.0/Mac OS X 10.3 (a.k.a. Panther). Solaris 10 has unsetenv(), patch from Craig Mohrman of Sun Microsystems. LIBMILTER: Add extra checks in case a broken MTA sends bogus data to libmilter. Based on code review by Rob Grzywinski. SMRSH: Properly assemble commands that contain '&&' or '||'. Problem noted by Eric Lee of Talking Heads. New Files: devtools/OS/Darwin.7.0 8.12.10/8.12.10 2003/09/24 (Released: 2003/09/17) SECURITY: Fix a buffer overflow in address parsing. Problem detected by Michal Zalewski, patch from Todd C. Miller of Courtesan Consulting. Fix a potential buffer overflow in ruleset parsing. This problem is not exploitable in the default sendmail configuration; only if non-standard rulesets recipient (2), final (4), or mailer-specific envelope recipients rulesets are used then a problem may occur. Problem noted by Timo Sirainen. Accept 0 (and 0/0) as valid input for set MaxMimeHeaderLength. Problem noted by Thomas Schulz. Add several checks to avoid (theoretical) buffer over/underflows. Properly count message size when performing 7->8 or 8->7 bit MIME conversions. Problem noted by Werner Wiethege. Properly compute message priority based on size of entire message, not just header. Problem noted by Axel Holscher. Reset SevenBitInput to its configured value between SMTP transactions for broken clients which do not properly announce 8 bit data. Problem noted by Stefan Roehrich. Set {addr_type} during queue runs when processing recipients. Based on patch from Arne Jansen. Better error handling in case of (very unlikely) queue-id conflicts. Perform better error recovery for address parsing, e.g., when encountering a comment that is too long. Problem noted by Tanel Kokk, Union Bank of Estonia. Add ':' to the allowed character list for bogus HELO/EHLO checking. It is used for IPv6 domain literals. Patch from Iwaizako Takahiro of FreeBit Co., Ltd. Reset SASL connection context after a failed authentication attempt. Based on patch from Rob Siemborski of CMU. Check Berkeley DB compile time version against run time version to make sure they match. Do not attempt AAAA (IPv6) DNS lookups if IPv6 is not enabled in the kernel. When a milter adds recipients and one of them causes an error, do not ignore the other recipients. Problem noted by Bart Duchesne. CONFIG: Use specified SMTP error code in mailertable entries which lack a DSN, i.e., "error:### Text". Problem noted by Craig Hunt. CONFIG: Call Local_trust_auth with the correct argument. Patch from Jerome Borsboom. CONTRIB: Better handling of temporary filenames for doublebounce.pl and expn.pl to avoid file overwrites, etc. Patches from Richard A. Nelson of Debian and Paul Szabo. MAIL.LOCAL: Fix obscure race condition that could lead to an improper mailbox truncation if close() fails after the mailbox is fsync()'ed and a new message is delivered after the close() and before the truncate(). MAIL.LOCAL: If mail delivery fails, do not leave behind a stale lockfile (which is ignored after the lock timeout). Patch from Oleg Bulyzhin of Cronyx Plus LLC. Portability: Port for AIX 5.2. Thanks to Steve Hubert of University of Washington for providing access to a computer with AIX 5.2. setreuid(2) works on OpenBSD 3.3. Patch from Todd C. Miller of Courtesan Consulting. Allow for custom definition of SMRSH_CMDDIR and SMRSH_PATH on all operating systems. Patch from Robert Harker of Harker Systems. Use strerror(3) on Linux. If this causes a problem on your Linux distribution, compile with -DHASSTRERROR=0 and tell sendmail.org about it. New Files: devtools/OS/AIX.5.2 8.12.9/8.12.9 2003/03/29 SECURITY: Fix a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable. Problem found by Michal Zalewski. Note: an MTA that is not patched might be vulnerable to data that it receives from untrusted sources, which includes DNS. To provide partial protection to internal, unpatched sendmail MTAs, 8.12.9 changes by default (char)0xff to (char)0x7f in headers etc. To turn off this conversion compile with -DALLOW_255 or use the command line option -d82.101. To provide partial protection for internal, unpatched MTAs that may be performing 7->8 or 8->7 bit MIME conversions, the default for MaxMimeHeaderLength has been changed to 2048/1024. Note: this does have a performance impact, and it only protects against frontal attacks from the outside. To disable the checks and return to pre-8.12.9 defaults, set MaxMimeHeaderLength to 0/0. Do not complain about -ba when submitting mail. Problem noted by Derek Wueppelmann. Fix compilation with Berkeley DB 1.85 on systems that do not have flock(2). Problem noted by Andy Harper of Kings College London. Properly initialize data structure for dns maps to avoid various errors, e.g., looping processes. Problem noted by Maurice Makaay of InterNLnet B.V. CONFIG: Prevent multiple application of rule to add smart host. Patch from Andrzej Filip. CONFIG: Fix queue group declaration in MAILER(`usenet'). CONTRIB: buildvirtuser: New option -t builds the virtusertable text file instead of the database map. Portability: Revert wrong change made in 8.12.7 and actually use the builtin getopt() version in sendmail on Linux. This can be overridden by using -DSM_CONF_GETOPT=0 in which case the OS supplied version will be used. 8.12.8/8.12.8 2003/02/11 SECURITY: Fix a remote buffer overflow in header parsing by dropping sender and recipient header comments if the comments are too long. Problem noted by Mark Dowd of ISS X-Force. Fix a potential non-exploitable buffer overflow in parsing the .cf queue settings and potential buffer underflow in parsing ident responses. Problem noted by Yichen Xie of Stanford University Compilation Group. Fix ETRN #queuegroup command: actually start a queue run for the selected queue group. Problem noted by Jos Vos. If MaxMimeHeaderLength is set and a malformed MIME header is fixed, log the fixup as "Fixed MIME header" instead of "Truncated MIME header". Problem noted by Ian J Hart. CONFIG: Fix regression bug in proto.m4 that caused a bogus error message: "FEATURE() should be before MAILER()". MAIL.LOCAL: Be more explicit in some error cases, i.e., whether a mailbox has more than one link or whether it is not a regular file. Patch from John Beck of Sun Microsystems. 8.12.7/8.12.7 2002/12/29 Properly clean up macros to avoid persistence of session data across various connections. This could cause session oriented restrictions, e.g., STARTTLS requirements, to erroneously allow a connection. Problem noted by Tim Maletic of Priority Health. Do not lookup MX records when sorting the MSP queue. The MSP only needs to relay all mail to the MTA. Problem found by Gary Mills of the University of Manitoba. Do not restrict the length of connection information to 100 characters in some logging statements. Problem noted by Erik Parker. When converting an enhanced status code to an exit status, use EX_CONFIG if the first digit is not 2, 4, or 5 or if *.1.5 is used. Reset macro $x when receiving another MAIL command. Problem noted by Vlado Potisk of Wigro s.r.o. Don't bother setting the permissions on the build area statistics file, the proper permissions will be put on the file at install time. This fixes installation over NFS for some users. Problem noted by Martin J. Dellwo of 3-Dimensional Pharmaceuticals, Inc. Fix problem of decoding SASLv2 encrypted data. Problem noted by Alex Deiter of Mobile TeleSystems, Komi Republic. Log milter socket open errors at MilterLogLevel 1 or higher instead of 11 or higher. Print early system errors to the console instead of silently exiting. Problem noted by James Jong of IBM. Do not process a queue group if Runners is set to 0, regardless of whether F=f or sendmail is run in verbose mode (-v). The use of -qGname will still force queue group "name" to be run even if Runners=0. Change the level for logging the fact that a daemon is refusing connections due to high load from LOG_INFO to LOG_NOTICE. Patch from John Beck of Sun Microsystems. Use location information for submit.cf from NetInfo (/locations/sendmail/submit.cf) if available. Re-enable ForkEachJob which was lost in 8.12.0. Problem noted by Neil Rickert of Northern Illinois University. Make behavior of /canon in debug mode consistent with usage in rulesets. Patch from Shigeno Kazutaka of IIJ. Fix a potential memory leak in envelope splitting. Problem noted by John Majikes of IBM. Do not try to share an mailbox database LDAP connection across different processes. Problem noted by Randy Kunkee. Fix logging for undelivered recipients when the SMTP connection times out during message collection. Problem noted by Neil Rickert of Northern Illinois University. Avoid problems with QueueSortOrder=random due to problems with qsort() on Solaris (and maybe some other operating systems). Problem noted by Stephan Schulz of Gruner+Jahr.. If -f "" is specified, set the sender address to "<>". Problem noted by Matthias Andree. Fix formatting problem of footnotes for plain text output on some versions of tmac. Patch from Per Hedeland. Portability: Berkeley DB 4.1 support (requires at least 4.1.25). Some getopt(3) implementations in GNU/Linux are broken and pass a NULL pointer to an option which requires an argument, hence the builtin version of sendmail is used instead. This can be overridden by using -DSM_CONF_GETOPT=0. Problem noted by Vlado Potisk of Wigro s.r.o. Support for nph-1.2.0 from Mark D. Roth of the University of Illinois at Urbana-Champaign. Support for FreeBSD 5.0's MAC labeling from Robert Watson of the TrustedBSD Project. Support for reading the number of processors on an IRIX system from Michel Bourget of SGI. Support for UnixWare 7.1 based on input from Larry Rosenman. Interix support from Nedelcho Stanev of Atlantic Sky Corporation. Update Mac OS X/Darwin portability from Wilfredo Sanchez. CONFIG: Enforce tls_client restrictions even if delay_checks is used. Problem noted by Malte Starostik. CONFIG: Deal with an empty hostname created via bogus DNS entries to get around access restrictions. Problem noted by Kai Schlichting. CONFIG: Use FEATURE(`msp', `[127.0.0.1]') in submit.mc by default to avoid problems with hostname resolution for localhost which on many systems does not resolve to 127.0.0.1 (or ::1 for IPv6). If you do not use IPv4 but only IPv6 then you need to change submit.mc accordingly, see the comment in the file itself. CONFIG: Set confDONT_INIT_GROUPS to True in submit.mc to avoid error messages from initgroups(3) on AIX 4.3 when sending mail to non-existing users. Problem noted by Mark Roth of the University of Illinois at Urbana-Champaign. CONFIG: Allow local_procmail to override local_lmtp settings. CONFIG: Always allow connections from 127.0.0.1 or IPv6:::1 to relay. CONTRIB: cidrexpand: Deal with the prefix tags that may be included in access_db. CONTRIB: New version of doublebounce.pl contributed by Leo Bicknell. LIBMILTER: On Solaris libmilter may get into an endless loop if an error in the communication from/to the MTA occurs. Patch from Gurusamy Sarathy of Active State. LIBMILTER: Ignore EINTR from sigwait(3) which may happen on Tru64. Patch from from Jose Marcio Martins da Cruz of Ecole Nationale Superieure des Mines de Paris. MAIL.LOCAL: Fix a truncation race condition if the close() on the mailbox fails. Problem noted by Tomoko Fukuzawa of Sun Microsystems. MAIL.LOCAL: Fix a potential file descriptor leak if mkstemp(3) fails. Patch from John Beck of Sun Microsystems. SMRSH: SECURITY: Only allow regular files or symbolic links to be used for a command. Problem noted by David Endler of iDEFENSE, Inc. New Files: devtools/OS/Interix include/sm/bdb.h 8.12.6/8.12.6 2002/08/26 Do not add the FallbackMXhost (or its MX records) to the list returned by the bestmx map when -z is used as option. Otherwise sendmail may act as an open relay if FallbackMXhost and FEATURE(`relay_based_on_MX') are used together. Problem noted by Alexander Ignatyev. Properly split owner- mailing list messages when SuperSafe is set to interactive. Problem noted by Todd C. Miller of Courtesan Consulting. Make sure that an envelope is queued in the selected queue group even if some recipients are deleted or invalid. Problem found by Chris Adams of HiWAAY Informations Services. Do not send a bounce message if a message is completely collected from the SMTP client. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Provide an 'install-submit-st' target for sendmail/Makefile to install the MSP statistics file using the file named in the confMSP_STFILE devtools variable. Requested by Jeff Earickson of Colby College. Queue up mail with a temporary error if setusercontext() fails during a delivery attempt. Patch from Todd C. Miller of Courtesan Consulting. Fix handling of base64 encoded client authentication data for SMTP AUTH. Patch from Elena Slobodnik of life medien GmbH. Set the OpenLDAP option LDAP_OPT_RESTART so the client libraries restart interrupted system calls. Problem noted by Luiz Henrique Duma of BSIOne. Prevent a segmentation fault if a program passed a NULL envp using execve(). Document a problem with the counting of queue runners that may cause delays if MaxQueueChildren is set too low. Problem noted by Ian Duplisse of Cable Television Laboratories, Inc. If discarding a message based on a recipient, don't try to look up the recipient in the mailbox database if F=w is set. This allows users to discard bogus recipients when dealing with spammers without tipping them off. Problem noted by Neil Rickert of Northern Illinois University. If applying a header check to a header with unstructured data, e.g., Subject:, then do not run syntax checks that are supposed for addresses on the header content. Count messages rejected/discarded via the check_data ruleset. Portability: Fix compilation on systems which do not allow simple copying of the variable argument va_list. Based on fix from Scott Walters. Fix NSD map open bug. From Michel Bourget of SGI. Add some additional IRIX shells to the default shell list. From Michel Bourget of SGI. Fix compilation issues on Mac OS X 10.2 (Darwin 6.0). NETISO support has been dropped. CONFIG: There was a seemingly minor change in 8.12.4 with respect to handling entries of IP nets/addresses with RHS REJECT. These would be rejected in check_rcpt instead of only being activated in check_relay. This change has been made to avoid potential bogus temporary rejection of relay attempts "450 4.7.1 Relaying temporarily denied. Cannot resolve PTR record for ..." if delay_checks is enabled. However, this modification causes a change of behavior if an IP net/address is listed in the access map with REJECT and a host/domain name is listed with OK or RELAY, hence it has been reversed such that the behavior of 8.12.3 is restored. The original change was made on request of Neil Rickert of Northern Illinois University, the side effect has been found by Stefaan Van Hoornick. CONFIG: Make sure delay_checks works even for sender addresses using the local hostname ($j) or domains in class {P}. Based on patch from Neil Rickert of Northern Illinois University. CONFIG: Fix temporary error handling for LDAP Routing lookups. Fix from Andrzej Filip. CONTRIB: New version of etrn.pl script and external man page (etrn.0) from John Beck of Sun Microsystems. LIBMILTER: Protect a free(3) operation from being called with a NULL pointer. Problem noted by Andrey J. Melnikoff. LIBMILTER: Protect against more interrupted select() calls. Based on patch from Jose Marcio Martins da Cruz of Ecole Nationale Superieure des Mines de Paris. New Files: contrib/etrn.0 8.12.5/8.12.5 2002/06/25 SECURITY: The DNS map can cause a buffer overflow if the user specifies a dns map using TXT records in the configuration file and a rogue DNS server is queried. None of the sendmail supplied configuration files use this option hence they are not vulnerable. Problem noted independently by Joost Pol of PINE Internet and Anton Rang of Sun Microsystems. Unprintable characters in responses from DNS servers for the DNS map type are changed to 'X' to avoid potential problems with rogue DNS servers. Require a suboption when setting the Milter option. Problem noted by Bryan Costales. Do not silently overwrite command line settings for DirectSubmissionModifiers. Problem noted by Bryan Costales. Prevent a segmentation fault when clearing the event list by turning off alarms before checking if event list is empty. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Close a potential race condition in transitioning a memory buffered file onto disk. From Janani Devarajan of Sun Microsystems. Portability: Include paths.h on Linux systems running glibc 2.0 or later to get the definition for _PATH_SENDMAIL, used by rmail and vacation. Problem noted by Kevin A. McGrail of Peregrine Hardware. NOTE: Linux appears to have broken flock() again. Unless the bug is fixed before sendmail 8.13 is shipped, 8.13 will change the default locking method to fcntl() for Linux kernel 2.4 and later. You may want to do this in 8.12 by compiling with -DHASFLOCK=0. Be sure to update other sendmail related programs to match locking techniques. 8.12.4/8.12.4 2002/06/03 SECURITY: Inherent limitations in the UNIX file locking model can leave systems open to a local denial of service attack. Be sure to read the "FILE AND MAP PERMISSIONS" section of the top level README for more information. Problem noted by lumpy. Use TempFileMode (defaults to 0600) for the permissions of PidFile instead of 0644. Change the default file permissions for new alias database files from 0644 to 0640. This can be overridden at compile time by setting the DBMMODE macro. Fix a potential core dump problem if the environment variable NAME is set. Problem noted by Beth A. Chaney of Purdue University. Expand macros before passing them to libmilter. Problem noted by Jose Marcio Martins da Cruz of Ecole Nationale Superieure des Mines de Paris. Rewind the df (message body) before truncating it when libmilter replaces the body of a message. Problem noted by Gisle Aas of Active State. Change SMTP reply code for AUTH failure from 500 to 535 and the initial zero-length response to "=" per RFC 2554. Patches from Kenneth Murchison of Oceana Matrix Ltd. Do not try to fix broken message/rfc822 MIME attachments by inserting a MIME-Version: header when MaxMimeHeaderLength is set and no 8 to 7 bit conversion is needed. Based on patch from Rehor Petr of ICZ (Czech Republic). Do not log "did not issue MAIL/EXPN/VRFY/ETRN" if the connection is rejected anyway. Noted by Chris Loelke. Mention the submission mail queue in the mailq man page. Requested by Bill Fenner of AT&T. Set ${msg_size} macro when reading a message from the command line or the queue. Detach from shared memory before dropping privileges back to user who started sendmail. If AllowBogusHELO is set to false (default) then also complain if the argument to HELO/EHLO contains white space. Suggested by Seva Gluschenko of Cronyx Plus. Allow symbolicly linked forward files in writable directory paths if both ForwardFileInUnsafeDirPath and LinkedForwardFileInWritableDir DontBlameSendmail options are set. Problem noted by Werner Spirk of Leibniz-Rechenzentrum Munich. Portability: Operating systems that lack the ftruncate() call will not be able to use Milter's body replacement feature. This only affects Altos, Maxion, and MPE/iX. Digital UNIX 5.0 has changed flock() semantics to be non-compliant. Problem noted by Martin Mokrejs of Charles University in Prague. The sparc64 port of FreeBSD 5.0 now supports shared memory. CONFIG: FEATURE(`preserve_luser_host') needs the macro map. Problem noted by Andrzej Filip. CONFIG: Using 'local:' as a mailertable value with FEATURE(`preserve_luser_host') and LUSER_RELAY caused mail to be misaddressed. Problem noted by Andrzej Filip. CONFIG: Provide a workaround for DNS based rejection lists that fail for AAAA queries. Problem noted by Chris Boyd. CONFIG: Accept the machine's hostname as resolvable when checking the sender address. This allows locally submitted mail to be accepted if the machine isn't connected to a nameserver and doesn't have an /etc/hosts entry for itself. Problem noted by Robert Watson of the TrustedBSD Project. CONFIG: Use deferred expansion for checking the ${deliveryMode} macro in case the SMTP VERB command is used. Problem noted by Bryan Costales. CONFIG: Avoid a duplicate '@domain' virtusertable lookup if no matches are found. Fix from Andrzej Filip. CONFIG: Fix wording in default dnsbl rejection message. Suggested by Lou Katz of Metron Computerware, Ltd. CONFIG: Add mailer cyrusv2 for Cyrus V2. Contributed by Kenneth Murchison of Oceana Matrix Ltd. CONTRIB: Fix wording in default dnsblaccess rejection message to match dnsbl change. DEVTOOLS: Add new option for access mode of statistics file, confSTMODE, which specifies the permissions when initially installing the sendmail statistics file. LIBMILTER: Mark the listening socket as close-on-exec in case a user's filter starts other applications. LIBSM: Allow the MBDB initialize, lookup, and/or terminate functions in SmMbdbTypes to be set to NULL. MAKEMAP: Change the default file permissions for new databases from 0644 to 0640. This can be overridden at compile time by setting the DBMMODE macro. SMRSH: Fix man page bug: replace SMRSH_CMDBIN with SMRSH_CMDDIR. Problem noted by Dave Alden of Ohio State University. VACATION: When listing the vacation database (-l), don't show bogus timestamps for excluded (-x) addresses. Problem noted by Bryan Costales. New Files: cf/mailer/cyrusv2.m4 8.12.3/8.12.3 2002/04/05 NOTICE: In general queue files should not be moved if queue groups are used. In previous versions this could cause mail not to be delivered if a queue file is repeatedly moved by an external process whenever sendmail moved it back into the right place. Some precautions have been taken to avoid moving queue files if not really necessary. sendmail may use links to refer to queue files and it may store the path of data files in queue files. Hence queue files should not be moved unless those internals are understood and the integrity of the files is not compromised. Problem noted by Anne Bennett of Concordia University. If an error mail is created, and the mail is split across different queue directories, and SuperSafe is off, then write the mail to disk before splitting it, otherwise an assertion is triggered. Problem tracked down by Henning Schmiedehausen of INTERMETA. Fix possible race condition that could cause sendmail to forget running queues. Problem noted by Jeff Wasilko of smoe.org. Handle bogus qf files better without triggering assertions. Problem noted by Guy Feltin. Protect against interrupted select() call when enforcing Milter read and write timeouts. Patch from Gurusamy Sarathy of ActiveState. Matching queue IDs with -qI should be case sensitive. Problem noted by Anne Bennett of Concordia University. If privileges have been dropped, don't try to change group ID to the RunAsUser group. Problem noted by Neil Rickert of Northern Illinois University. Fix SafeFileEnvironment path munging when the specified path contains a trailing slash. Based on patch from Dirk Meyer of Dinoex. Do not limit sendmail command line length to SM_ARG_MAX (usually 4096). Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Clear full name of sender for each new envelope to avoid bogus data if several mails are sent in one session and some of them do not have a From: header. Problem noted by Bas Haakman. Change timeout check such that cached information about a connection will be immediately invalid if ConnectionCacheTimeout is zero. Based on patch from David Burns of Portland State University. Properly count message size for mailstats during mail collection. Problem noted by Werner Wiethege. Log complete response from LMTP delivery agent on failure. Based on patch from Motonori Nakamura of Kyoto University. Provide workaround for getopt() implementations that do not catch missing arguments. Fix the message size calculation if the message body is replaced by a milter filter and buffered file I/O is being used. Problem noted by Sergey Akhapkin of Dr.Web. Do not honor SIGUSR1 requests if running with extra privileges. Problem noted by Werner Wiethege. Prevent a file descriptor leak on mail delivery if the initial connect fails and DialDelay is set. Patch from Servaas Vandenberghe of Katholieke Universiteit Leuven. Properly deal with a case where sendmail is called by root running a set-user-ID (non-root) program. Problem noted by Jon Lusky of ISS Atlanta. Avoid leaving behind stray transcript (xf) files if multiple queue directories are used and mail is sent to a mailing list which has an owner- alias. Problem noted by Anne Bennett of Concordia University. Fix class map parsing code if optional key is specified. Problem found by Mario Nigrovic. The SMTP daemon no longer tries to fix up improperly dot-stuffed incoming messages. A leading dot is always stripped by the SMTP receiver regardless of whether or not it is followed by another dot. Problem noted by Jordan Ritter of darkridge.com. Fix corruption when doing automatic MIME 7-bit quoted-printable or base64 encoding to 8-bit text. Problem noted by Mark Elvers. Correct the statistics gathered for total number of connections. Instead of being the exact same number as the total number of messages (T line in mailstats) it now represents the total number of TCP connections. Be more explicit about syntax errors in addresses, especially non-ASCII characters, and properly create DSNs if necessary. Problem noted by Leena Heino of the University of Tampere. Prevent small timeouts from being lost on slow machines if itimers are used. Problem noted by Suresh Ramasubramanian. Prevent a race condition on child cleanup for delivery to files. Problem noted by Fletcher Mattox of the University of Texas. Change the SMTP error code for temporary map failures from 421 to 451. Do not assume that realloc(NULL, size) works on all OS (this was only done in one place: queue group creation). Based on patch by Bryan Costales. Initialize Timeout.iconnect in the code to prevent randomly short timeouts. Problem noted by Bradley Watts of AT&T Canada. Do not try to send a second SMTP QUIT command if the remote responds to a MAIL command with a 421 reply or on I/O errors. By doing so, the host was marked as having a temporary problem and other mail destined for that host was queued for the next queue run. Problem noted by Fletcher Mattox of the University of Texas, Allan E Johannesen of Worcester Polytechnic Institute, Larry Greenfield of CMU, and Neil Rickert of Northern Illinois University. Ignore error replies from the SMTP QUIT command (including servers which drop the connection instead of responding to the command). Portability: Check LDAP_API_VERSION to determine if ldap_memfree() is available. Define HPUX10 when building on HP-UX 10.X. That platform now gets the proper _PATH_SENDMAIL and SMRSH_CMDDIR settings. Patch from Elias Halldor Agustsson of Skyrr. Fix dependency building on Mac OS X and Darwin. Problem noted by John Beck. Preliminary support for the sparc64 port of FreeBSD 5.0. Add /sbin/sh as an acceptable user shell on HP-UX. From Rajesh Somasund of Hewlett-Packard. CONFIG: Add FEATURE(`authinfo') to allow a separate database for SMTP AUTH information. This feature was actually added in 8.12.0 but a release note was not included. CONFIG: Do not bounce mail if FEATURE(`ldap_routing')'s bounce parameter is set and the LDAP lookup returns a temporary error. CONFIG: Honor FEATURE(`relay_hosts_only') when using FEATURE(`relay_mail_from', `domain'). Problem noted by Krzysztof Oledzki. CONFIG: FEATURE(`msp') now disables any type of alias initialization as aliases are not needed for the MSP. CONFIG: Allow users to override RELAY_MAILER_ARGS when FEATURE(`msp') is in use. Patch from Andrzej Filip. CONFIG: FEATURE(`msp') uses `[localhost]' as default instead of `localhost' and turns on MX lookups for the SMTP mailers. This will only have an effect if a parameter is specified, i.e., an MX lookup will be performed on the hostname unless it is embedded in square brackets. Problem noted by Theo Van Dinter of Collective Technologies. CONFIG: Set confTIME_ZONE to USE_TZ in submit.mc (TimeZoneSpec= in submit.cf) to use $TZ for time stamps. This is a compromise to allow for the proper time zone on systems where the default results in misleading time stamps. That is, syslog time stamps and Date headers on submitted mail will use the user's $TZ setting. Problem noted by Mark Roth of the University of Illinois at Urbana-Champaign, solution proposed by Neil Rickert of Northern Illinois University. CONFIG: Mac OS X (Darwin) ships with mail.local as non-set-user-ID binary. Adjust local mailer flags accordingly. Problem noted by John Beck. CONTRIB: Add a warning to qtool.pl to not move queue files around if queue groups are used. CONTRIB: buildvirtuser: Add -f option to force rebuild. CONTRIB: smcontrol.pl: Add -f option to specify control socket. CONTRIB: smcontrol.pl: Add support for 'memdump' command. Suggested by Bryan Costales. DEVTOOLS: Add dependency generation for test programs. LIBMILTER: Remove conversion of port number for the socket structure that is passed to xxfi_connect(). Notice: this fix requires that sendmail and libmilter both have this change; mixing versions may lead to wrong port values depending on the endianness of the involved systems. Problem noted by Gisle Aas of ActiveState. LIBMILTER: If smfi_setreply() sets a custom reply code of '4XX' but SMFI_REJECT is returned, ignore the custom reply. Do the same if '5XX' is used and SMFI_TEMPFAIL is returned. LIBMILTER: Install include files in ${INCLUDEDIR}/libmilter/ as required by mfapi.h. Problem noted by Jose Marcio Martins da Cruz of Ecole Nationale Superieure des Mines de Paris. LIBSM: Add SM_CONF_LDAP_MEMFREE as a configuration define. Set this to 1 if your LDAP client libraries include ldap_memfree(). LIBSMDB: Avoid a file creation race condition for Berkeley DB 1.X and NDBM on systems with the O_EXLOCK open(2) flag. SMRSH: Fix compilation problem on some operating systems. Problem noted by Christian Krackowizer of schuler technodat GmbH. VACATION: Allow root to operate on user vacation databases. Based on patch from Greg Couch of the University of California, San Francisco. VACATION: Don't ignore -C option. Based on patch by Bryan Costales. VACATION: Clarify option usage in the man page. Problem noted by Joe Barbish. New Files: libmilter/docs/smfi_setbacklog.html 8.12.2/8.12.2 2002/01/13 Don't complain too much if stdin, stdout, or stderr are missing at startup, only log an error message. Fix potential problem if an unknown operation mode (character following -b) has been specified. Prevent purgestat from looping even if someone changes the permissions or owner of hoststatus files. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Properly record dropped connections in persistent host status. Problem noted by Ulrich Windl of the Universitat Regensburg. Remove newlines from recipients read via sendmail -t to prevent SMTP protocol errors when sending the RCPT command. Problem noted by William D. Colburn of the New Mexico Institute of Mining and Technology. Only log milter body replacements once instead of for each body chunk sent by a filter. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. In 8.12.0 and 8.12.1, the headers were mistakenly not included in the message size calculation. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Since 8.12 no longer forks at the SMTP MAIL command, the daemon needs to collect children status to avoid zombie processes. Problem noted by Chris Adams of HiWAAY Informations Services. Shut down "nullserver" and ETRN-only connections after 25 bad commands are issued. This makes it consistent with normal SMTP connections. Avoid duplicate logging of milter rejections. Problem noted by William D. Colburn of the New Mexico Institute of Mining and Technology. Error and delay DSNs were being sent to postmaster instead of the message sender if the sender had used a deprecated RFC822 source route. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Fix FallbackMXhost behavior for temporary errors during address parsing. Problem noted by Jorg Bielak from Coastal Web Online. For systems on which stat(2) does not return a value for st_blksize that is the "optimal blocksize for I/O" three new compile time flags are available: SM_IO_MAX_BUF_FILE, SM_IO_MIN_BUF, and SM_IO_MAX_BUF, which define an upper limit for regular files, and a lower and upper limit for other file types, respectively. Fix a potential deadlock if two events are supposed to occur at exactly the same time. Problem noted by Valdis Kletnieks of Virginia Tech. Perform envelope splitting for aliases listed directly in the alias file, not just for include/.forward files. Problem noted by John Beck of Sun Microsystems. Allow selection of queue group for mailq using -qGgroup. Based on patch by John Beck of Sun Microsystems. Make sure cached LDAP connections used my multiple maps in the same process are closed. Patch from Taso N. Devetzis. If running as root, allow reading of class files in protected directories. Patch from Alexander Talos of the University of Vienna. Correct a few LDAP related memory leaks. Patch from David Powell of Sun Microsystems. Allow specification of an empty realm via the authinfo ruleset. This is necessary to interoperate as an SMTP AUTH client with servers that do not support realms when using CRAM-MD5. Problem noted by Bjoern Voigt of TU Berlin. Avoid a potential information leak if AUTH PLAIN is used and the server gets stuck while processing that command. Problem noted by Chris Adams from HiWAAY Informations Services. In addition to printing errors when parsing recipients during command line invocations log them to make it simpler to understand possible DSNs to postmaster. Do not use FallbackMXhost on mailers which have the F=0 flag set. Allow local mailers (F=l) to specify a host for TCP connections instead of forcing localhost. Obey ${DESTDIR} for installation of the client mail queue and submit.cf. Patch from Peter 'Luna' Runestig. Re-enable support for -M option which was broken in 8.12.1. Problem noted by Neil Rickert of Northern Illinois University. If a remote server violates the SMTP standard by unexpectedly dropping the connection during an SMTP transaction, stop sending commands. This prevents bogus "Bad file number" recipient status. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Do not use a size estimate of 100 for postmaster bounces, it's almost always too small; do not guess the size at all. New VENDOR_DEC for Compaq/DEC. Requested by James Seagraves of Compaq Computer Corp. Fix DaemonPortOptions IPv6 address parsing such that ::1 works properly. Problem noted by Valdis Kletnieks of Virginia Tech. Portability: Fix IPv6 network interface probing on HP-UX 11.X. Based on patch provided by HP. Mac OS X (aka Darwin) has a broken setreuid() call, but a working seteuid() call. From Daniel J. Luke. Use proper type for a 32-bit integer on SINIX. From Ganu Sachin of Siemens. Set SM_IO_MIN_BUF (4K) and SM_IO_MAX_BUF (8K) for HP-UX. Reduce optimization from +O3 to +O2 on HP-UX 11. This fixes a problem that caused additional bogus characters to be written to the qf file. Problem noted by Tapani Tarvainen. Set LDA_USE_LOCKF by default for UnixWare. Problem noted by Boyd Lynn Gerber. Add support for HP MPE/iX. See sendmail/README for port information. From Mark Bixby of Hewlett-Packard. New portability defines HASNICE, HASRRESVPORT, USE_ENVIRON, USE_DOUBLE_FORK, and NEEDLINK. See sendmail/README for more information. From Mark Bixby of Hewlett-Packard. If an OS doesn't have a method of finding free disk space (SFS_NONE), lie and say there is plenty of space. From Mark Bixby of Hewlett-Packard. Add support for AIX 5.1. From Valdis Kletnieks of Virginia Tech. Fix man page location for NeXTSTEP. From Hisanori Gogota of the NTT/InterCommunication Center. Do not assume that strerror() always returns a string. Problem noted by John Beck of Sun Microsystems. CONFIG: Add OSTYPE(freebsd5) for FreeBSD 5.X, which has removed UUCP from the base operating system. From Mark Murray of FreeBSD Services, Ltd. CONFIG: Add OSTYPE(mpeix) and a generic .mc file for HP MPE/iX systems. From Mark Bixby of Hewlett-Packard. CONFIG: Add support for selecting a queue group for all mailers. Based on proposal by Stephen L. Ulmer of the University of Florida. CONFIG: Fix error reporting for compat_check.m4. Problem noted by Altin Waldmann. CONFIG: Do not override user selections for confRUN_AS_USER and confTRUSTED_USER in FEATURE(msp). From Mark Bixby of Hewlett-Packard. LIBMILTER: Fix bug that prevented the removal of a socket after libmilter terminated. Problem reported by Andrey V. Pevnev of MSFU. LIBMILTER: Fix configuration error that required libsm for linking. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. LIBMILTER: Portability fix for OpenUNIX. Patch from Larry Rosenman. LIBMILTER: Fix a theoretical memory leak and a possible attempt to free memory twice. LIBSM: Fix a potential segmentation violation in the I/O library. Problem found and analyzed by John Beck and Tim Haley of Sun Microsystems. LIBSM: Do not clear the LDAP configuration information when terminating the mailbox database connection in the LDAP example code. Problem noted by Nikos Voutsinas of the University of Athens. New Files: cf/cf/generic-mpeix.cf cf/cf/generic-mpeix.mc cf/ostype/freebsd5.m4 cf/ostype/mpeix.m4 devtools/OS/AIX.5.1 devtools/OS/MPE-iX include/sm/os/sm_os_mpeix.h libsm/mpeix.c 8.12.1/8.12.1 2001/10/01 SECURITY: Check whether dropping group privileges actually succeeded to avoid possible compromises of the mail system by supplying bogus data. Add configuration options for different set*gid() calls to reset saved gid. Problem found by Michal Zalewski. PRIVACY: Prevent information leakage when sendmail has extra privileges by disabling debugging (command line -d flag) during queue runs and disabling ETRN when sendmail -bs is used. Suggested by Michal Zalewski. Avoid memory corruption problems resulting from bogus .cf files. Problem found by Michal Zalewski. Set the ${server_addr} macro to name of mailer when doing LMTP delivery. LMTP systems may offer SMTP Authentication or STARTTLS causing sendmail to use this macro in rulesets. If debugging is turned on (-d0.10) print not just the default values for configuration file and pid file but also the selected values. Problem noted by Brad Chapman. Continue dealing with broken nameservers by ignoring SERVFAIL errors returned on T_AAAA (IPv6) lookups at delivery time if ResolverOptions=WorkAroundBrokenAAAA is set. Previously this only applied to hostname canonification. Problem noted by Bill Fenner of AT&T Research. Ignore comments in NIS host records when trying to find the canonical name for a host. When sendmail has extra privileges, limit mail submission command line flags (i.e., -G, -h, -F, etc.) to mail submission operating modes (i.e., -bm, -bs, -bv, etc.). Idea based on suggestion from Michal Zalewski. Portability: AIX: Use `oslevel` if available to determine OS version. `uname` does not given complete information. Problem noted by Keith Neufeld of the Cessna Aircraft Company. OpenUNIX: Use lockf() for LDA delivery (affects mail.local). Problem noticed by Boyd Lynn Gerber of ZENEX. Avoid compiler warnings by not using pointers to pass integers. Problem noted by Todd C. Miller of Courtesan Consulting. CONFIG: Add restrictqrun to PrivacyOptions for the MSP to minimize problems with potential misconfigurations. CONFIG: Fix comment showing default value of MaxHopCount. Problem noted by Greg Robinson of the Defence Science and Technology Organisation of Australia. CONFIG: dnsbl: If an argument specifies an error message in case of temporary lookup failures for DNS based blocklists then use it. LIBMILTER: Install mfdef.h, required by mfapi.h. Problem noted by Richard A. Nelson of Debian. LIBMILTER: Add __P definition for OS that lack it. Problem noted by Chris Adams from HiWAAY Informations Services. LIBSMDB: Fix a lock race condition that affects makemap, praliases, and vacation. MAKEMAP: Avoid going beyond the end of an input line if it does not contain a value for a key. Based on patch from Mark Bixby from Hewlett-Packard. New Files: test/Build test/Makefile test/Makefile.m4 test/README test/t_dropgid.c test/t_setgid.c Deleted Files: include/sm/stdio.h include/sm/sysstat.h 8.12.0/8.12.0 2001/09/08 *NOTICE*: The default installation of sendmail does not use set-user-ID root anymore. You need to create a new user and a new group before installing sendmail (both called smmsp by default). The installation process tries to install /etc/mail/submit.cf and creates /var/spool/clientmqueue by default. Please see sendmail/SECURITY for details. SECURITY: Check for group and world writable forward and :include: files. These checks can be turned off if absolutely necessary using the DontBlameSendmail option and the new flags: GroupWritableForwardFile WorldWritableForwardFile GroupWritableIncludeFile WorldWritableIncludeFile Problem noted by Slawek Zak of Politechnika Warszawska, SECURITY: Drop privileges when using address test mode. Suggested by Michal Zalewski of the "Internet for Schools" project (IdS). Fixed problem of a global variable being used for a timeout jump point where the variable could become overused for more than one timeout concurrently. This erroneous behavior resulted in a corrupted stack causing a core dump. The timeout is now handled via libsm. Problem noted by Michael Shapiro, John Beck, and Carl Smith of Sun Microsystems. If sendmail is set-group-ID then that group ID is used for permission checks (group ID of RunAsUser). This allows use of a set-group-ID sendmail binary for initial message submission and no set-user-ID root sendmail is needed. For details see sendmail/SECURITY. Log a warning if a non-trusted user changes the syslog label. Based on notice from Bryan Costales of SL3D, Inc. If sendmail is called for initial delivery, try to use submit.cf with a fallback of sendmail.cf as configuration file. See sendmail/SECURITY. New configuration file option UseMSP to allow group writable queue files if the group is the same as that of a set-group-ID sendmail binary. See sendmail/SECURITY. The .cf file is chosen based on the operation mode. For -bm (default), -bs, and -t it is submit.cf if it exists for all others it is sendmail.cf (to be backward compatible). This selection can be changed by the new option -Ac or -Am (alternative .cf file: client or mta). See sendmail/SECURITY. The SMTP server no longer forks on each MAIL command. The ONEX command has been removed. Implement SMTP PIPELINING per RFC 2920. It can be turned off at compile time or per host (ruleset). New option MailboxDatabase specifies the type of mailbox database used to look up local mail recipients; the default value is "pw", which means to use getpwnam(). New mailbox database types can be added by adding custom code to libsm/mbdb.c. Queue file names are now 15 characters long, rather than 14 characters long, to accommodate envelope splitting. File systems with a 14 character file name length limit are no longer supported. Recipient list used for delivery now gets internally ordered by hostsignature (character string version of MX RR). This orders recipients for the same MX RR's together meaning smaller portions of the list need to be scanned (instead of the whole list) each delivery() pass to determine piggybacking. The significance of the change is better the larger the recipient list. Hostsignature is now created during recipient list creation rather than just before delivery. Enhancements for more opportunistic piggybacking. Previous piggybacking (called coincidental) extended to coattail piggybacking. Rather than complete MX RR matching (coincidental) piggybacking is done if just the lowest value preference matches (coattail). If sendmail receives a temporary error on a RCPT TO: command, it will try other MX hosts if available. DefaultAuthInfo can contain a list of mechanisms to be used for outgoing (client-side) SMTP Authentication. New modifier 'A' for DaemonPortOptions/ClientPortOptions to disable AUTH (overrides 'a' modifier in DaemonPortOptions). Based on patch from Lyndon Nerenberg of Messaging Direct. Enable AUTH mechanism EXTERNAL if STARTTLS is used. A new ruleset authinfo can be used to return client side authentication information for AUTH instead of DefaultAuthInfo. Therefore the DefaultAuthInfo option is deprecated and will be removed in future versions. Accept any SMTP continuation code 3xy for AUTH even though RFC 2554 requires 334. Mercury 1.48 is a known offender. Add new option AuthMaxBits to limit the overall encryption strength for the security layer in SMTP AUTH (SASL). See doc/op/op.me for details. Introduce new STARTTLS related macros {cn_issuer}, {cn_subject}, {cert_md5} which hold the CN (common name) of the CA that signed the presented certificate, the CN and the MD5 hash of the presented certificate, respectively. New ruleset try_tls to decide whether to try (as client) STARTTLS. New ruleset srv_features to enable/disable certain features in the server per connection. See doc/op/op.me for details. New ruleset tls_rcpt to decide whether to send e-mail to a particular recipient; useful to decide whether a connection is secure enough on a per recipient basis. New option TLSSrvOptions to modify some aspects of the server for STARTTLS. If no certificate has been requested, the macro {verify} has the value "NOT". New M=S modifier for ClientPortOptions/DaemonPortOptions to turn off using/offering STARTTLS when delivering/receiving e-mail. Macro expand filenames/directories for certs and keys in the .cf file. Proposed by Neil Rickert of Northern Illinois University. Generate an ephemeral RSA key for a STARTTLS connection only if really required. This change results in a noticeable performance gains on most machines. Moreover, if shared memory is in use, reuse the key several times. Add queue groups which can be used to group queue directories with the same behavior together. See doc/op/op.me for details. If the new option FastSplit (defaults to one) has a value greater than zero, it suppresses the MX lookups on addresses when they are initially sorted which may result in faster envelope splitting. If the mail is submitted directly from the command line, then the value also limits the number of processes to deliver the envelopes; if more envelopes are created they are only queued up and must be taken care of by a queue run. The check for 'enough disk space' now pays attention to which file system each queue directory resides in. All queue runners can be cleanly terminated via SIGTERM to parent. New option QueueFileMode for the default permissions of queue files. Add parallel queue runner code. Allows multiple queue runners per work group (one or more queues in a multi-queue environment collected together) to process the same work list at the same time. Option MaxQueueChildren added to limit the number of concurrently active queue runner processes. New option MaxRunnersPerQueue to specify the maximum number of queue runners per queue group. Queue member selection by substring pattern matching now allows the pattern to be negated. For -qI, -qR and -qS it is permissible for -q!I, -q!R and -q!S to mean remove members of the queue that match during processing. New -qp[time] option is similar to -qtime, except that instead of periodically forking a child to process the queue, a single child is forked for each queue that sleeps between queue runs. A SIGHUP signal can be sent to restart this persistent queue runner. The SIGHUP signal now restarts a timed queue run process (i.e., a sendmail process which only runs the queue at an interval: sendmail -q15m). New option NiceQueueRun to set the priority of queue runners. Proposed by Thom O'Connor. sendmail will run the queue(s) in the background when invoked with -q unless the new -qf option or -v is used. QueueSortOrder=Random sorts the queue randomly, which is useful if several queue runners are started by hand to avoid contention. QueueSortOrder=Modification sorts the queue by the modification time of the qf file (older entries first). Support Deliver By SMTP Service Extension (RFC 2852) which allows a client to specify an amount of time within which an e-mail should be delivered. New option DeliverByMin added to set the minimum amount of time or disable the extension. Non-printable characters (ASCII: 0-31, 127) in mailbox addresses are not allowed unless escaped or quoted. Add support for a generic DNS map. Based on a patch contributed by Leif Johansson of Stockholm University, which was based on work by Assar Westerlund of Swedish Institute of Computer Science, Kista, and Johan Danielsson of Royal Institute of Technology, Stockholm, Sweden. MX records will be looked up for FallBackMXhost. To use the old behavior (no MX lookups), put the name in square brackets. Proposed by Thom O'Connor. Use shared memory to store free space of filesystems that are used for queues, if shared memory is available and if a key is set via SharedMemoryKey. This minimizes the number of system calls to check the available space. See doc/op/op.me for details. If shared memory is compiled in the option -bP can be used to print the number of entries in the queue(s). Enable generic mail filter API (milter). See libmilter/README and the usual documentation for details. Remove AutoRebuildAliases option, deprecated since 8.10. Remove '-U' (initial user submission) command line option as announced in 8.10. Remove support for non-standard SMTP command XUSR. Use an MSA instead. New macro {addr_type} which contains whether the current address is an envelope sender or recipient address. Suggested by Neil Rickert of Northern Illinois University. Two new options for host maps: -d (retransmission timeout), -r (number of retries). New option for LDAP maps: the -V allows you to specify a separator such that a lookup can return both an attribute and value separated by the given separator. Add new operators '%', '|', '&' (modulo, binary or, binary and) to map class arith. If DoubleBounceAddress expands to an empty string, ``double bounces'' (errors that occur when sending an error message) are dropped. New DontBlameSendmail options GroupReadableSASLDBFile and GroupWritableSASLDBFile to relax requirements for sasldb files. New DontBlameSendmail options GroupReadableKeyFile to relax requirements for files containing secret keys. This is necessary for the MSP if client authentification is used. Properly handle quoted filenames for class files (to allow for filenames with spaces). Honor the resolver option RES_NOALIASES when canonifying hostnames. Add macros to avoid the reuse of {if_addr} etc: {if_name_out} hostname of interface of outgoing connection. {if_addr_out} address of interface of outgoing connection. {if_family_out} family of interface of outgoing connection. The latter two are only set if the interface does not belong to the loopback net. Add macro {nrcpts} which holds the number of (validated) recipients. DialDelay option applies only to mailers with flag 'Z'. Patch from Juergen Georgi of RUS University of Stuttgart. New Timeout.lhlo,auth,starttls options to limit the time waiting for an answer to the LMTP LHLO, SMTP AUTH or STARTTLS command. New Timeout.aconnect option to limit the overall waiting time for all connections for a single delivery attempt to succeed. Limit the rate recipients in the SMTP envelope are accepted once a threshold number of recipients has been rejected (option BadRcptThrottle). From Gregory A Lundberg of the WU-FTPD Development Group. New option DelayLA to delay connections if the load averages exceeds the specified value. The default of 0 does not change the previous behavior. A value greater than 0 will cause sendmail to sleep for one second on most SMTP commands and before accepting connections if that load average is exceeded. Use a dynamic (instead of fixed-size) buffer for the list of recipients that are sent during a connection to a mailer. This also introduces a new mailer field 'r' which defines the maximum number of recipients (defaults to 100). Based on patch by Motonori Nakamura of Kyoto University. Add new F=1 mailer flag to disable sending of null characters ('\0'). Add new F=2 mailer flag to disable use of ESMTP, using SMTP instead. The deprecated [TCP] builtin mailer pathname (P=) is gone. Use [IPC] instead. IPC is no longer available as first mailer argument (A=) for [IPC] builtin mailer pathnames. Use TCP instead. PH map code updated to use the new libphclient API instead of the old libqiapi library. Contributed by Mark Roth of the University of Illinois at Urbana-Champaign. New option DirectSubmissionModifiers to define {daemon_flags} for direct (command line) submissions. New M=O modifier for DaemonPortOptions to ignore the socket in case of failures. Based on patch by Jun-ichiro itojun Hagino of the KAME Project. Add Disposition-Notification-To: (RFC 2298) to the list of headers whose content is rewritten similar to Reply-To:. Proposed by Andrzej Filip. Use STARTTLS/AUTH=server/client for logging incoming/outgoing STARTTLS/AUTH connections; log incoming connections at level 9 or higher. Use AUTH/STARTTLS instead of SASL/TLS for SMTP AUTH/STARTTLS related logfile entries. Convert unprintable characters (and backslash) into octal or C format before logging. Log recipients if no message is transferred but QUIT/RSET is given (at LogLevel 9/10 or higher). Log discarded recipients at LogLevel 10 or higher. Do not log "did not issue MAIL/EXPN/VRFY/ETRN" for connections in which most commands are rejected due to check_relay or TCP Wrappers if the host tries one of those commands anyway. Change logging format for cloned envelopes to be similar to that for DSNs ("old id: new id: clone"). Suggested by Ulrich Windl of the Universitat Regensburg. Added libsm, a C library of general purpose abstractions including assertions, tracing and debugging with named debug categories, exception handling, malloc debugging, resource pools, portability abstractions, and an extensible buffered I/O package. It will at some point replace libsmutil. See libsm/index.html for details. Fixed most memory leaks in sendmail which were previously taken care of by fork() and exit(). Use new sm_io*() functions in place of stdio calls. Allows for more consistent portablity amongst different platforms new and old (from new libsm). Common I/O pkg means just one buffering method needed instead of two ('bf_portable' and 'bf_torek' now just 'bf'). Sfio no longer needed as SASL/TLS code uses sm_io*() API's. New possible value 'interactive' for SuperSafe which can be used together with DeliveryMode=interactive is to avoid some disk synchronizations calls. Add per-recipient status information to mailq -v output. T_ANY queries are no longer used by sendmail. When compiling with "gcc -O -Wall" specify "-DSM_OMIT_BOGUS_WARNINGS" too (see include/sm/cdefs.h for more info). sendmail -d now has general support for named debug categories. See libsm/debug.html and section 3.4 of doc/op/op.me for details. Eliminate the "postmaster warning" DSNs on address parsing errors such as unbalanced angle brackets or parentheses. The DSNs generated by this condition were illegal (not RFC conform). Problem noted by Ulrich Windl of the Universitaet Regensburg. Do not issue a DSN if the ruleset localaddr resolves to the $#error mailer and the recipient has hence been rejected during the SMTP dialogue. Problem reported by Larry Greenfield of CMU. Deal with a case of multiple deliveries on misconfigured systems that do not have postmaster defined. If an email was sent from an address to which a DSN cannot be returned and in which at least one recipient address is non-deliverable, then that email had been delivered in each queue run. Problem reported by Matteo HCE Valsasna of Universita degli Studi dell'Insubria. The compilation options SMTP, DAEMON, and QUEUE have been removed, i.e., the corresponding code is always compiled in now. Log the command line in daemon/queue-run mode at LogLevel 10 and higher. Suggested by Robert Harker of Harker Systems. New ResolverOptions setting: WorkAroundBrokenAAAA. When attempting to canonify a hostname, some broken nameservers will return SERVFAIL (a temporary failure) on T_AAAA (IPv6) lookups. If you want to excuse this behavior, use this new flag. Suggested by Chris Foote of SE Network Access and Mark Roth of the University of Illinois at Urbana-Champaign. Free the memory allocated by getipnodeby{addr,name}(). Problem noted by Joy Latten of IBM. ConnectionRateThrottle limits the number of connections per second to each daemon individually, not the overall number of connections. Specifying only "ldap:" as an AliasFile specification will force sendmail to use a default alias schema as outlined in the ``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section of cf/README. Add a new syntax for the 'F' (file class) sendmail.cf command. If the first character after the class name is not a '/' or a '|' and it contains an '@' (e.g., F{X}key@class:spec), the rest of the line will be parsed as a map lookup. This allows classes to be filled via a map lookup. See op.me for more syntax information. Specifically, this can be used for commands such as VIRTUSER_DOMAIN_FILE() to read the list of domains via LDAP (see the ``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section of cf/README for an example). The new macro ${sendmailMTACluster} determines the LDAP cluster for the default schema used in the above two items. Unless DontBlameSendmail=RunProgramInUnsafeDirPath is set, log a warning if a program being run from a mailer or file class (e.g., F|/path/to/prog) is in an unsafe directory path. Unless DontBlameSendmail=RunWritableProgram is set, log a warning if a program being run from a mailer or file class (e.g., F|/path/to/prog) is group or world writable. Loopback interfaces (e.g., "lo0") are now probed for class {w} hostnames. Setting DontProbeInterfaces to "loopback" (without quotes) will disable this and return to the pre-8.12 behavior of only probing non-loopback interfaces. Suggested by Bryan Stansell of GNAC. In accordance with RFC 2821 section 4.1.4, accept multiple HELO/EHLO commands. Multiple ClientPortOptions settings are now allowed, one for each possible protocol family which may be used for outgoing connections. Restrictions placed on one family only affect outgoing connections on that particular family. Because of this change, the ${client_flags} macro is not set until the connection is established. Based on patch from Motonori Nakamura of Kyoto University. PrivacyOptions=restrictexpand instructs sendmail to drop privileges when the -bv option is given by users who are neither root nor the TrustedUser so users can not read private aliases, forwards, or :include: files. It also will override the -v (verbose) command line option. If the M=b modifier is set in DaemonPortOptions and the interface address can't be used for the outgoing connection, fall back to the settings in ClientPortOptions (if set). Problem noted by John Beck of Sun Microsystems. New named config file rule check_data for DATA command (input: number of recipients). Based on patch from Mark Roth of the University of Illinois at Urbana-Champaign. Add support for ETRN queue selection per RFC 1985. The queue group can be specified using the '#' option character. For example, 'ETRN #queuegroup'. If an LDAP server times out or becomes unavailable, close the current connection and reopen to get to one of the fallback servers. Patch from Paul Hilchey of the University of British Columbia. Make default error number on $#error messages 550 instead of 501 because 501 is not allowed on all commands. The .cf file option UnsafeGroupWrites is deprecated, it should be replaced with the settings GroupWritableForwardFileSafe and GroupWritableIncludeFileSafe in DontBlameSendmail if required. The deprecated ldapx map class has been removed. Use the ldap map class instead. Any IPv6 addresses used in configuration should be prefixed by the "IPv6:" tag to identify the address properly. For example, if you want to add the IPv6 address [2002:c0a8:51d2::23f4] to class {w}, you would need to add [IPv6:2002:c0a8:51d2::23f4]. Change the $&{opMode} macro if the operation mode changes while the MTA is running. For example, during a queue run. Add "use_inet6" as a new ResolverOptions flag to control the RES_USE_INET6 resolver option. Based on patch from Rick Nelson of IBM. The maximum number of commands before the MTA slows down when too many "light weight" commands have been received are now configurable during compile time. The current values and their defaults are: MAXBADCOMMANDS 25 unknown commands MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR MAXHELOCOMMANDS 3 HELO, EHLO MAXVRFYCOMMANDS 6 VRFY, EXPN MAXETRNCOMMANDS 8 ETRN Setting a value to 0 disables the check. Patch from Bryan Costales of SL3D, Inc. The header syntax H?${MyMacro}?X-My-Header: now not only checks if ${MyMacro} is defined but also that it is not empty. Properly quote usernames with special characters if they are used in headers. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Be sure to include the proper Final-Recipient: DSN header in bounce messages for messages for mailing list expanded addresses which are not delivered on the initial attempt. Do not treat errors as sticky when doing delivery via LMTP after the final dot has been sent to avoid affecting future deliveries. Problem reported by Larry Greenfield of CMU. New compile time flag REQUIRES_DIR_FSYNC which turns on support for file systems that require to call fsync() for a directory if the meta-data in it has been changed. This should be set at least for ReiserFS; it is enabled by default for Linux. See sendmail/README for further information. Avoid file locking deadlock when updating the statistics file if sendmail is signaled to terminate. Problem noted by Christophe Wolfhugel of France Telecom. Set the $c macro (hop count) as it is being set instead of when the envelope is initialized. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Properly count recipients for DeliveryMode defer and queue. Fix from Peter A. Friend of EarthLink. Treat invalid hesiod lookups as permanent errors instead of temporary errors. Problem noted by Russell McOrmond of flora.ca. Portability: Remove support for AIX 2, which supports only 14 character filenames and is outdated anyway. Suggested by Valdis Kletnieks of Virginia Tech. Change several settings for Irix 6: remove confSBINDIR, i.e., use default /usr/sbin, change owner/group of man pages and user-executable to root/sys, set optimization limit to 0 (unlimited). Based on patch from Ayamura Kikuchi, M.D, and proposal from Kari Hurtta of the Finnish Meteorological Institute. Do not assume LDAP support is installed by default under Solaris 8 and later. Add support for OpenUNIX. CONFIG: Increment version number of config file to 10. CONFIG: Add an install target and a README file in cf/cf. CONFIG: Don't accept addresses of the form a@b@, a@b@c, a@[b]c, etc. CONFIG: Reject empty recipient addresses (in check_rcpt). CONFIG: The access map uses an option of -T to deal with temporary lookup failures. CONFIG: New value for access map: SKIP, which causes the default action to be taken by aborting the search for domain names or IP nets. CONFIG: check_rcpt can deal with TEMPFAIL for either recipient or relay address as long as the other part allows the email to get through. CONFIG: Entries for virtusertable can make use of a third parameter "%3" which contains "+detail" of a wildcard match, i.e., an entry like user+*@domain. This allows handling of details by using %1%3 as the RHS. Additionally, a "+" wildcard has been introduced to match only non-empty details of addresses. CONFIG: Numbers for rulesets used by MAILERs have been removed and hence there is no required order within the MAILER section anymore except for MAILER(`uucp') which must come after MAILER(`smtp') if uucp-dom and uucp-uudom are used. CONFIG: Hosts listed in the generics domain class {G} (GENERICS_DOMAIN() and GENERICS_DOMAIN_FILE()) are treated as canonical. Suggested by Per Hedeland of Ericsson. CONFIG: If FEATURE(`delay_checks') is used, make sure that a lookup in the access map which returns OK or RELAY actually terminates check_* ruleset checking. CONFIG: New tag TLS_Rcpt: for access map to be used by ruleset tls_rcpt, see cf/README for details. CONFIG: Change format of Received: header line which reveals whether STARTTLS has been used to "(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})". CONFIG: Use "Spam:" as tag for lookups for FEATURE(`delay_checks') options friends/haters instead of "To:" and enable specification of whole domains instead of just users. Notice: this change is not backward compatible. Suggested by Chris Adams from HiWAAY Informations Services. CONFIG: Allow for local extensions for most new rulesets, see cf/README for details. CONFIG: New FEATURE(`lookupdotdomain') to lookup also .domain in the access map. Proposed by Randall Winchester of the University of Maryland. CONFIG: New FEATURE(`local_no_masquerade') to avoid masquerading for the local mailer. Proposed by Ingo Brueckl of Wupper Online. CONFIG: confRELAY_MSG/confREJECT_MSG can override the default messages for an unauthorized relaying attempt/for access map entries with RHS REJECT, respectively. CONFIG: FEATURE(`always_add_domain') takes an optional argument to specify another domain to be added instead of the local one. Suggested by Richard H. Gumpertz of Computer Problem Solving. CONFIG: confAUTH_OPTIONS allows setting of Cyrus-SASL specific options, see doc/op/op.me for details. CONFIG: confAUTH_MAX_BITS sets the maximum encryption strength for the security layer in SMTP AUTH (SASL). CONFIG: If Local_localaddr resolves to $#ok, localaddr is terminated immediately. CONFIG: FEATURE(`enhdnsbl') is an enhanced version of dnsbl which allows checking of the return values of the DNS lookups. See cf/README for details. CONFIG: FEATURE(`dnsbl') allows now to specify the behavior for temporary lookup failures. CONFIG: New option confDELIVER_BY_MIN to specify minimum time for Deliver By (RFC 2852) or to turn off the extension. CONFIG: New option confSHARED_MEMORY_KEY to set the key for shared memory use. CONFIG: New FEATURE(`compat_check') to look up a key consisting of the sender and the recipient address delimited by the string "<@>", e.g., sender@sdomain<@>recipient@rdomain, in the access map. Based on code contributed by Mathias Koerber of Singapore Telecommunications Ltd. CONFIG: Add EXPOSED_USER_FILE() command to allow an exposed user file. Suggested by John Beck of Sun Microsystems. CONFIG: Don't use MAILER-DAEMON for error messages delivered via LMTP. Problem reported by Larry Greenfield of CMU. CONFIG: New FEATURE(`preserve_luser_host') to preserve the name of the recipient host if LUSER_RELAY is used. CONFIG: New FEATURE(`preserve_local_plus_detail') to preserve the +detail portion of the address when passing address to local delivery agent. Disables alias and .forward +detail stripping. Only use if LDA supports this. CONFIG: Removed deprecated FEATURE(`rbl'). CONFIG: Add LDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE() which allow you to specify 'equivalent' hosts for LDAP Routing lookups. Equivalent hostnames are replaced by the masquerade domain name for lookups. See cf/README for additional details. CONFIG: Add a fourth argument to FEATURE(`ldap_routing') which instructs the rulesets on what to do if the address being looked up has +detail information. See cf/README for more information. CONFIG: When chosing a new destination via LDAP Routing, also look up the new routing address/host in the mailertable. Based on patch from Don Badrak of the United States Census Bureau. CONFIG: Do not reject the SMTP Mail from: command if LDAP Routing is in use and the bounce option is enabled. Only reject recipients as user unknown. CONFIG: Provide LDAP support for the remaining database map features. See the ``USING LDAP FOR ALIASES AND MAPS'' section of cf/README for more information. CONFIG: Add confLDAP_CLUSTER which defines the ${sendmailMTACluster} macro used for LDAP searches as described above in ``USING LDAP FOR ALIASES, MAPS, AND CLASSES''. CONFIG: confCLIENT_OPTIONS has been replaced by CLIENT_OPTIONS(), which takes the options as argument and can be used multiple times; see cf/README for details. CONFIG: Add configuration macros for new options: confBAD_RCPT_THROTTLE BadRcptThrottle confDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers confMAILBOX_DATABASE MailboxDatabase confMAX_QUEUE_CHILDREN MaxQueueChildren confMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue confNICE_QUEUE_RUN NiceQueueRun confQUEUE_FILE_MODE QueueFileMode confFAST_SPLIT FastSplit confTLS_SRV_OPTIONS TLSSrvOptions See above (and related documentation) for further information. CONFIG: Add configuration variables for new timeout options: confTO_ACONNECT Timeout.aconnect confTO_AUTH Timeout.auth confTO_LHLO Timeout.lhlo confTO_STARTTLS Timeout.starttls CONFIG: Add configuration macros for mail filter API: confINPUT_MAIL_FILTERS InputMailFilters confMILTER_LOG_LEVEL Milter.LogLevel confMILTER_MACROS_CONNECT Milter.macros.connect confMILTER_MACROS_HELO Milter.macros.helo confMILTER_MACROS_ENVFROM Milter.macros.envfrom confMILTER_MACROS_ENVRCPT Milter.macros.envrcpt Mail filters can be defined via INPUT_MAIL_FILTER() and MAIL_FILTER(). See libmilter/README, cf/README, and doc/op/op.me for details. CONFIG: Add support for accepting temporarily unresolvable domains. See cf/README for details. Based on patch by Motonori Nakamura of Kyoto University. CONFIG: confDEQUOTE_OPTS can be used to specify options for the dequote map. CONFIG: New macro QUEUE_GROUP() to define queue groups. CONFIG: New FEATURE(`queuegroup') to select a queue group based on the full e-mail address or the domain of the recipient. CONFIG: Any IPv6 addresses used in configuration should be prefixed by the "IPv6:" tag to identify the address properly. For example, if you want to use the IPv6 address 2002:c0a8:51d2::23f4 in the access database, you would need to use IPv6:2002:c0a8:51d2::23f4 on the left hand side. This affects the access database as well as the relay-domains and local-host-names files. CONFIG: OSTYPE(aux) has been renamed to OSTYPE(a-ux). CONFIG: Avoid expansion of m4 keywords in SMART_HOST. CONFIG: Add MASQUERADE_EXCEPTION_FILE() for reading masquerading exceptions from a file. Suggested by Trey Breckenridge of Mississippi State University. CONFIG: Add LOCAL_USER_FILE() for reading local users (LOCAL_USER() -- $={L}) entries from a file. CONTRIB: dnsblaccess.m4 is a further enhanced version of enhdnsbl.m4 which allows to lookup error codes in the access map. Contributed by Neil Rickert of Northern Illinois University. DEVTOOLS: Add new options for installation of include and library files: confINCGRP, confINCMODE, confINCOWN, confLIBGRP, confLIBMODE, confLIBOWN. DEVTOOLS: Add new option confDONT_INSTALL_CATMAN to turn off installation of the the formatted man pages on operating systems which don't include cat directories. EDITMAP: New program for editing maps as supplement to makemap. MAIL.LOCAL: Mail.local now uses the libsm mbdb package to look up local mail recipients. New option -D mbdb specifies the mailbox database type. MAIL.LOCAL: New option "-h filename" which instructs mail.local to deliver the mail to the named file in the user's home directory instead of the system mail spool area. Based on patch from Doug Hardie of the Los Angeles Free-Net. MAILSTATS: New command line option -P which acts the same as -p but doesn't truncate the statistics file. MAKEMAP: Add new option -t to specify a different delimiter instead of white space. RMAIL: Invoke sendmail with '-G' to indicate this is a gateway submission. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. SMRSH: Use the vendor supplied directory on FreeBSD 3.3 and later. VACATION: Change Auto-Submitted: header value from auto-generated to auto-replied. From Kenneth Murchison of Oceana Matrix Ltd. VACATION: New option -d to send error/debug messages to stdout instead of syslog. VACATION: New option -U which prevents the attempt to lookup login in the password file. The -f and -m options must be used to specify the database and message file since there is no home directory for the default settings for these options. VACATION: Vacation now uses the libsm mbdb package to look up local mail recipients; it reads the MailboxDatabase option from the sendmail.cf file. New option -C cffile which specifies the path of the sendmail.cf file. New Directories: libmilter/docs New Files: cf/cf/README cf/cf/submit.cf cf/cf/submit.mc cf/feature/authinfo.m4 cf/feature/compat_check.m4 cf/feature/enhdnsbl.m4 cf/feature/msp.m4 cf/feature/local_no_masquerade.m4 cf/feature/lookupdotdomain.m4 cf/feature/preserve_luser_host.m4 cf/feature/preserve_local_plus_detail.m4 cf/feature/queuegroup.m4 cf/sendmail.schema contrib/dnsblaccess.m4 devtools/M4/UNIX/sm-test.m4 devtools/OS/OpenUNIX.5.i386 editmap/* include/sm/* libsm/* libsmutil/cf.c libsmutil/err.c sendmail/SECURITY sendmail/TUNING sendmail/bf.c sendmail/bf.h sendmail/sasl.c sendmail/sm_resolve.c sendmail/sm_resolve.h sendmail/tls.c Deleted Files: cf/feature/rbl.m4 cf/ostype/aix2.m4 devtools/OS/AIX.2 include/sendmail/cdefs.h include/sendmail/errstring.h include/sendmail/useful.h libsmutil/errstring.c sendmail/bf_portable.c sendmail/bf_portable.h sendmail/bf_torek.c sendmail/bf_torek.h sendmail/clock.c Renamed Files: cf/cf/generic-solaris2.mc => cf/cf/generic-solaris.mc cf/cf/generic-solaris2.cf => cf/cf/generic-solaris.cf cf/ostype/aux.m4 => cf/ostype/a-ux.m4 8.11.7/8.11.7 2003/03/29 SECURITY: Fix a remote buffer overflow in header parsing by dropping sender and recipient header comments if the comments are too long. Problem noted by Mark Dowd of ISS X-Force. SECURITY: Fix a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable. Problem found by Michal Zalewski. Note: an MTA that is not patched might be vulnerable to data that it receives from untrusted sources, which includes DNS. To provide partial protection to internal, unpatched sendmail MTAs, 8.11.7 changes by default (char)0xff to (char)0x7f in headers etc. To turn off this conversion compile with -DALLOW_255 or use the command line option -d82.101. To provide partial protection for internal, unpatched MTAs that may be performing 7->8 or 8->7 bit MIME conversions, the default for MaxMimeHeaderLength has been changed to 2048/1024. Note: this does have a performance impact, and it only protects against frontal attacks from the outside. To disable the checks and return to pre-8.11.7 defaults, set MaxMimeHeaderLength to 0/0. Properly clean up macros to avoid persistence of session data across various connections. This could cause session oriented restrictions, e.g., STARTTLS requirements, to erroneously allow a connection. Problem noted by Tim Maletic of Priority Health. Ignore comments in NIS host records when trying to find the canonical name for a host. Fix a memory leak when closing Hesiod maps. Set ${msg_size} macro when reading a message from the command line or the queue. Prevent a segmentation fault when clearing the event list by turning off alarms before checking if event list is empty. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Fix a potential core dump problem if the environment variable NAME is set. Problem noted by Beth A. Chaney of Purdue University. Prevent a race condition on child cleanup for delivery to files. Problem noted by Fletcher Mattox of the University of Texas. CONFIG: Do not bounce mail if FEATURE(`ldap_routing')'s bounce parameter is set and the LDAP lookup returns a temporary error. CONFIG: Fix a syntax error in the try_tls ruleset if FEATURE(`access_db') is not enabled. LIBSMDB: Fix a lock race condition that affects makemap, praliases, and vacation. LIBSMDB: Avoid a file creation race condition for Berkeley DB 1.X and NDBM on systems with the O_EXLOCK open(2) flag. MAKEMAP: Avoid going beyond the end of an input line if it does not contain a value for a key. Based on patch from Mark Bixby from Hewlett-Packard. MAIL.LOCAL: Fix a truncation race condition if the close() on the mailbox fails. Problem noted by Tomoko Fukuzawa of Sun Microsystems. SMRSH: SECURITY: Only allow regular files or symbolic links to be used for a command. Problem noted by David Endler of iDEFENSE, Inc. 8.11.6/8.11.6 2001/08/20 SECURITY: Fix a possible memory access violation when specifying out-of-bounds debug parameters. Problem detected by Cade Cairns of SecurityFocus. Avoid leaking recipient information in unrelated DSNs. This could happen if a connection is aborted, several mails had been scheduled for delivery via that connection, and the timeout is reached such that several DSNs are sent next. Problem noted by Dileepan Moorkanat of Hewlett-Packard. Fix a possible segmentation violation when specifying too many wildcard operators in a rule. Problem detected by Werner Wiethege. Avoid a segmentation fault on non-matching Hesiod lookups. Problem noted by Russell McOrmond of flora.ca 8.11.5/8.11.5 2001/07/31 Fix a possible race condition when sending a HUP signal to restart the daemon. This could terminate the current process without starting a new daemon. Problem reported by Wolfgang Breyha of SE Netway Communications. Only apply MaxHeadersLength when receiving a message via SMTP or the command line. Problem noted by Andrey J. Melnikoff. When finding the system's local hostname on an IPv6-enabled system which doesn't have any IPv6 interface addresses, fall back to looking up only IPv4 addresses. Problem noted by Tim Bosserman of EarthLink. When commands were being rejected due to check_relay or TCP Wrappers, the ETRN command was not giving a response. Incoming IPv4 connections on a Family=inet6 daemon (using IPv4-mapped addresses) were incorrectly labeled as "may be forged". Problem noted by Per Steinar Iversen of Oslo University College. Shutdown address test mode cleanly on SIGTERM. Problem noted by Greg King of the OAO Corporation. Restore the original real uid (changed in main() to prevent out of band signals) before invoking a delivery agent. Some delivery agents use this for the "From " envelope "header". Problem noted by Leslie Carroll of the University at Albany. Mark closed file descriptors properly to avoid reuse. Problem noted by Jeff Bronson of J.D. Bronson, Inc. Setting Timeout options on the command line will also override their sub-suboptions in the .cf file, e.g., -O Timeout.queuereturn=2d will set all queuereturn timeouts to 2 days. Problem noted by Roger B.A. Klorese. Portability: BSD/OS has a broken setreuid() implementation. Problem noted by Vernon Schryver of Rhyolite Software. BSD/OS has /dev/urandom(4) (as of version 4.1/199910 ?). Noted by Vernon Schryver of Rhyolite Software. BSD/OS has fchown(2). Noted by Dave Yadallee of Netline 2000 Internet Solutions Inc. Solaris 2.X and later have strerror(3). From Sebastian Hagedorn of Cologne University. CONFIG: Fix parsing for IPv6 domain literals in addresses (user@[IPv6:address]). Problem noted by Liyuan Zhou. 8.11.4/8.11.4 2001/05/28 Clean up signal handling routines to reduce the chances of heap corruption and other potential race conditions. Terminating and restarting the daemon may not be instantaneous due to this change. Also, non-root users can no longer send out-of-band signals. Problem reported by Michal Zalewski of BindView. If LogLevel is greater than 9 and SASL fails to negotiate an encryption layer, avoid core dump logging the encryption strength. Problem noted by Miroslav Zubcic of Crol. If a server offers "AUTH=" and "AUTH " and the list of mechanisms is different in those two lines, sendmail might not have recognized (and used) all of the offered mechanisms. Fix an IP address lookup problem on Solaris 2.0 - 2.3. Patch from Kenji Miyake. This time, really don't use the .. directory when expanding QueueDirectory wildcards. If a process is interrupted while closing a map, don't try to close the same map again while exiting. Allow local mailers (F=l) to contact remote hosts (e.g., via LMTP). Problem noted by Norbert Klasen of the University of Tuebingen. If Timeout.QueueReturn was set to a value less the time it took to write a new queue file (e.g., 0 seconds), the bounce message would be lost. Problem noted by Lorraine L Goff of Oklahoma State University. Pass map argument vector into map rewriting engine for the regex and prog map types. Problem noted by Stephen Gildea of InTouch Systems, Inc. When closing an LDAP map due to a temporary error, close all of the other LDAP maps which share the original map's connection to the LDAP server. Patch from Victor Duchovni of Morgan Stanley. To detect changes of NDBM aliases files check the timestamp of the .pag file instead of the .dir file. Problem noted by Neil Rickert of Northern Illinois University. Don't treat temporary hesiod lookup failures as permanent. Patch from Werner Wiethege. If ClientPortOptions is set, make sure to create the outgoing socket with the family set in that option. Patch from Sean Farley. Avoid a segmentation fault trying to dereference a NULL pointer when logging a MaxHopCount exceeded error with an empty recipient list. Problem noted by Chris Adams of HiWAAY Internet Services. Fix DSN for "Too many hops" bounces. Problem noticed by Ulrich Windl of the Universitaet Regensburg. Fix DSN for "mail loops back to me" bounces. Problem noticed by Kari Hurtta of the Finnish Meteorological Institute. Portability: OpenBSD has a broken setreuid() implementation. CONFIG: Undo change from 8.11.1: change 501 SMTP reply code back to 553 since it is allowed by DRUMS. CONFIG: Add OSTYPE(freebsd4) for FreeBSD 4.X. DEVTOOLS: install.sh did not properly handle paths in the source file name argument. Noted by Kari Hurtta of the Finnish Meteorological Institute. DEVTOOLS: Add FAST_PID_RECYCLE to compile time options for OpenBSD since it generates random process ids. PRALIASES: Add back adaptive algorithm to deal with different endings of entries in the database (with/without trailing '\0'). Patch from John Beck of Sun Microsystems. New Files: cf/ostype/freebsd4.m4 8.11.3/8.11.3 2001/02/27 Prevent a segmentation fault when a bogus value was used in the LDAPDefaultSpec option's -r, -s, or -M flags and if a bogus option was used. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Prevent "token too long" message by shortening {currHeader} which could be too long if the last copied character was a quote. Problem detected by Jan Krueger of digitalanswers communications consulting gmbh. Additional IPv6 check for unspecified addresses. Patch from Jun-ichiro itojun Hagino of the KAME Project. Do not ignore the ClientPortOptions setting if DaemonPortOptions Modifier=b (bind to same interface) is set and the connection came in from the command line. Do not bind to the loopback address if DaemonPortOptions Modifier=b (bind to same interface) is set. Patch from John Beck of Sun Microsystems. Properly deal with open failures on non-optional maps used in check_* rulesets by returning a temporary failure. Buffered file I/O files were not being properly fsync'ed to disk when they were committed. Properly encode '=' for the AUTH= parameter of the MAIL command. Problem noted by Hadmut Danisch. Under certain circumstances the macro {server_name} could be set to the wrong hostname (of a previous connection), which may cause some rulesets to return wrong results. This would usually cause mail to be queued up and delivered later on. Ignore F=z (LMTP) mailer flag if $u is given in the mailer A= equate. Problem noted by Motonori Nakamura of Kyoto University. Work around broken accept() implementations which only partially fill in the peer address if the socket is closed before accept() completes. Return an SMTP "421" temporary failure if the data file can't be opened where the "354" reply would normally be given. Prevent a CPU loop in trying to expand a macro which doesn't exist in a queue run. Problem noted by Gordon Lack of Glaxo Wellcome. If delivering via a program and that program exits with EX_TEMPFAIL, note that fact for the mailq display instead of just showing "Deferred". Problem noted by Motonori Nakamura of Kyoto University. If doing canonification via /etc/hosts, try both the fully qualified hostname as well as the first portion of the hostname. Problem noted by David Bremner of the University of New Brunswick. Portability: Fix a compilation problem for mail.local and rmail if SFIO is in use. Problem noted by Auteria Wally Winzer Jr. of Champion Nutrition. IPv6 changes for platforms using KAME. Patch from Jun-ichiro itojun Hagino of the KAME Project. OpenBSD 2.7 and higher has srandomdev(3). OpenBSD 2.8 and higher has BSDI-style login classes. Patch from Todd C. Miller of Courtesan Consulting. Unixware 7.1.1 doesn't allow h_errno to be set directly if sendmail is being compiled with -kthread. Problem noted by Orion Poplawski of CQG, Inc. CONTRIB: buildvirtuser: Substitute current domain for $DOMAIN and current left hand side for $LHS in virtuser files. DEVTOOLS: Do not pass make targets to recursive Build invocations. Problem noted by Jeff Bronson of J.D. Bronson, Inc. MAIL.LOCAL: In LMTP mode, do not return errors regarding problems storing the temporary message file until after the remote side has sent the final DATA termination dot. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. MAIL.LOCAL: If LMTP mode is set, give a temporary error if users are also specified on the command line. Patch from Motonori Nakamura of Kyoto University. PRALIASES: Skip over AliasFile specifications which aren't based on database files (i.e., only show dbm, hash, and btree). Renamed Files: devtools/OS/OSF1.V5.0 => devtools/OS/OSF1.V5.x 8.11.2/8.11.2 2000/12/29 Prevent a segmentation fault when trying to set a class in address test mode due to a negative array index. Audit other array indexing. This bug is not believed to be exploitable. Noted by Michal Zalewski of the "Internet for Schools" project (IdS). Add an FFR (for future release) to drop privileges when using address test mode. This will be turned on in 8.12. It can be enabled by compiling with: APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_TESTMODE_DROP_PRIVS') in your devtools/Site/site.config.m4 file. Suggested by Michal Zalewski of the "Internet for Schools" project (IdS). Fix potential problem with Cyrus-SASL security layer which may have caused I/O errors, especially for mechanism DIGEST-MD5. When QueueSortOrder was set to host, sendmail might not read enough of the queue file to determine the host, making the sort sub-optimal. Problem noted by Jeff Earickson of Colby College. Don't issue DSNs for addresses which use the NOTIFY parameter (per RFC 1891) but don't have FAILURE as value. Initialize Cyrus-SASL library before the SMTP daemon is started. This implies that every change to SASL related files requires a restart of the daemon, e.g., Sendmail.conf, new SASL mechanisms (in form of shared libraries). Properly set the STARTTLS related macros during a queue run for a cached connection. Bug reported by Michael Kellen of NxNetworks, Inc. Log the server name in relay= for ruleset tls_server instead of the client name. Include original length of bad field/header when reporting MaxMimeHeaderLength problems. Requested by Ulrich Windl of the Universitat Regensburg. Fix delivery to set-user-ID files that are expanded from aliases in DeliveryMode queue. Problem noted by Ric Anderson of the University of Arizona. Fix LDAP map -m (match only) flag. Problem noted by Jeff Giuliano of Collective Technologies. Avoid using a negative argument for sleep() calls when delaying answers to EXPN/VRFY commands on systems which respond very slowly. Problem noted by Mikolaj J. Habryn of Optus Internet Engineering. Make sure the F=u flag is set in the default prog mailer definition. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Fix IPv6 check for unspecified addresses. Patch from Jun-ichiro itojun Hagino of the KAME Project. Fix return values for IRIX nsd map. From Kari Hurtta of the Finnish Meteorological Institute. Fix parsing of DaemonPortOptions and ClientPortOptions. Read all of the parameters to find Family= setting before trying to interpret Addr= and Port=. Problem noted by Valdis Kletnieks of Virginia Tech. When delivering to a file directly from an alias, do not call initgroups(); instead use the DefaultUser group information. Problem noted by Marc Schaefer of ALPHANET NF. RunAsUser now overrides the ownership of the control socket, if created. Otherwise, sendmail can not remove it upon close. Problem noted by Werner Wiethege. Fix ConnectionRateThrottle counting as the option is the number of overall connections, not the number of connections per socket. A future version may change this to per socket counting. Portability: Clean up libsmdb so it functions properly on platforms where sizeof(u_int32_t) != sizeof(size_t). Problem noted by Rein Tollevik of Basefarm AS. Fix man page formatting for compatibility with Solaris' whatis. From Stephen Gildea of InTouch Systems, Inc. UnixWare 7 includes snprintf() support. From Larry Rosenman. IPv6 changes for platforms using KAME. Patch from Jun-ichiro itojun Hagino of the KAME Project. Avoid a typedef compile conflict with Berkeley DB 3.X and Solaris 2.5 or earlier. Problem noted by Bob Hughes of Pacific Access. Add preliminary support for AIX 5. Contributed by Valdis Kletnieks of Virginia Tech. Solaris 9 load average support from Andrew Tucker of Sun Microsystems. CONFIG: Reject addresses of the form a!b if FEATURE(`nouucp', `r') is used. Problem noted by Phil Homewood of Asia Online, patch from Neil Rickert of Northern Illinois University. CONFIG: Change the default DNS based blocklist server for FEATURE(`dnsbl') to blackholes.mail-abuse.org. CONFIG: Deal correctly with the 'C' flag in {daemon_flags}, i.e., implicitly assume canonical host names. CONFIG: Deal with "::" in IPv6 addresses for access_db. Based on patch by Motonori Nakamura of Kyoto University. CONFIG: New OSTYPE(`aix5') contributed by Valdis Kletnieks of Virginia Tech. CONFIG: Pass the illegal header form through untouched instead of making it worse. Problem noted by Motonori Nakamura of Kyoto University. CONTRIB: Added buildvirtuser (see `perldoc contrib/buildvirtuser`). CONTRIB: qtool.pl: An empty queue is not an error. Problem noted by Jan Krueger of digitalanswers communications consulting gmbh. CONTRIB: domainmap.m4: Handle domains with '-' in them. From Mark Roth of the University of Illinois at Urbana-Champaign. DEVTOOLS: Change the internal devtools OS, REL, and ARCH m4 variables into bldOS, bldREL, and bldARCH to prevent namespace collisions. Problem noted by Motonori Nakamura of Kyoto University. RMAIL: Undo the 8.11.1 change to use -G when calling sendmail. It causes some changes in behavior and may break rmail for installations where sendmail is actually a wrapper to another MTA. The change will re-appear in a future version. SMRSH: Use the vendor supplied directory on HPUX 10.X, HPUX 11.X, and SunOS 5.8. Requested by Jeff A. Earickson of Colby College and John Beck of Sun Microsystems. VACATION: Fix pattern matching for addresses to ignore. VACATION: Don't reply to addresses of the form owner-* or *-owner. New Files: cf/ostype/aix5.m4 contrib/buildvirtuser devtools/OS/AIX.5.0 8.11.1/8.11.1 2000/09/27 Fix SMTP EXPN command output if the address expands to a single name. Fix from John Beck of Sun Microsystems. Don't try STARTTLS in the client if the PRNG has not been properly seeded. This problem only occurs on systems without /dev/urandom. Problem detected by Jan Krueger of digitalanswers communications consulting gmbh and Neil Rickert of Northern Illinois University. Don't use the . and .. directories when expanding QueueDirectory wildcards. Do not try to cache LDAP connections across processes as a parent process may close the connection before the child process has completed. Problem noted by Lai Yiu Fai of the Hong Kong University of Science and Technology and Wolfgang Hottgenroth of UUNET. Use Timeout.fileopen to limit the amount of time spent trying to read the LDAP secret from a file. Prevent SIGTERM from removing a command line submitted item after the user submits the message and before the first delivery attempt completes. Problem noted by Max France of AlphaNet. Fix from Neil Rickert of Northern Illinois University. Deal correctly with MaxMessageSize restriction if message size is greater than 2^31. Problem noted by Tim "Darth Dice" Bosserman of EarthLink. Turn off queue checkpointing if CheckpointInterval is set to zero. Treat an empty home directory (from getpw*() or $HOME) as non-existent instead of treating it as /. Problem noted by Todd C. Miller of Courtesan Consulting. Don't drop duplicate headers when reading a queued item. Problem noted by Motonori Nakamura of Kyoto University. Avoid bogus error text when logging the savemail panic "cannot save rejected email anywhere". Problem noted by Marc G. Fournier of Acadia University. If an LDAP search fails because the LDAP server went down, close the map so subsequent searches reopen the map. If there are multiple LDAP servers, the down server will be skipped and one of the others may be able to take over. Set the ${load_avg} macro to the current load average, not the previous load average query result. If a non-optional map used in a check_* ruleset can't be opened, return a temporary failure to the remote SMTP client instead of ignoring the map. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Avoid a race condition when queuing up split envelopes by saving the split envelopes before the original envelope. Fix a bug in the PH_MAP code which caused mail to bounce instead of defer if the PH server could not be contacted. From Mark Roth of the University of Illinois at Urbana-Champaign. Prevent QueueSortOrder=Filename from interfering with -qR, -qS, and ETRN. Problem noted by Erik R. Leo of SoVerNet. Change error code for unrecognized parameters to the SMTP MAIL and RCPT commands from 501 to 555 per RFC 1869. Problem reported to Postfix by Robert Norris of Monash University. Prevent overwriting the argument of -B on certain OS. Problem noted by Matteo Gelosa of I.NET S.p.A. Use the proper routine for freeing memory with Netscape's LDAP client libraries. Patch from Paul Hilchey of the University of British Columbia. Portability: Move the NETINET6 define to devtools/OS/SunOS.5.{8,9} instead of defining it in conf.h so users can override the setting. Suggested by Henrik Nordstrom of Ericsson. On HP-UX 10.X and 11.X, use /usr/sbin/sendmail instead of /usr/lib/sendmail for rmail and vacation. From Jeff A. Earickson of Colby College. On HP-UX 11.X, use /usr/sbin instead of /usr/libexec (which does not exist). From Jeff A. Earickson of Colby College. Avoid using the UCB subsystem on NCR MP-RAS 3.x. From Tom Moore of NCR. NeXT 3.X and 4.X installs man pages in /usr/man. From Hisanori Gogota of NTT/InterCommunicationCenter. Solaris 8 and later include /var/run. The default PID file location is now /var/run/sendmail.pid. From John Beck of Sun Microsystems. SFIO includes snprintf() for those operating systems which do not. From Todd C. Miller of Courtesan Consulting. CONFIG: Use the result of _CERT_REGEX_SUBJECT_ not {cert_subject}. Problem noted by Kaspar Brand of futureLab AG. CONFIG: Change 553 SMTP reply code to 501 to avoid problems with errors in the MAIL address. CONFIG: Fix FEATURE(nouucp) usage in example .mc files. Problem noted by Ron Jarrell of Virginia Tech. CONFIG: Add support for Solaris 8 (and later) as OSTYPE(solaris8). Contributed by John Beck of Sun Microsystems. CONFIG: Set confFROM_HEADER such that the mail hub can possibly add GECOS information for an address. This more closely matches pre-8.10 nullclient behavior. From Per Hedeland of Ericsson. CONFIG: Fix MODIFY_MAILER_FLAGS(): apply the flag modifications for SMTP to all *smtp* mailers and those for RELAY to the relay mailer as described in cf/README. MAIL.LOCAL: Open the mailbox as the recipient not root so quotas are obeyed. Problem noted by Damian Kuczynski of NIK. MAKEMAP: Do not change a map's owner to the TrustedUser if using makemap to 'unmake' the map. RMAIL: Avoid overflowing the list of recipients being passed to sendmail. RMAIL: Invoke sendmail with '-G' to indicate this is a gateway submission. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. VACATION: Read the complete message to avoid "broken pipe" signals. VACATION: Do not cut off vacation.msg files which have a single dot as the only character on the line. New Files: cf/ostype/solaris8.m4 8.11.0/8.11.0 2000/07/19 SECURITY: If sendmail is installed as a non-root set-user-ID binary (not the normal case), some operating systems will still keep a saved-uid of the effective-uid when sendmail tries to drop all of its privileges. If sendmail needs to drop these privileges and the operating system doesn't set the saved-uid as well, exit with an error. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. SECURITY: sendmail depends on snprintf() NUL terminating the string it populates. It is possible that some broken implementations of snprintf() exist that do not do this. Systems in this category should compile with -DSNPRINTF_IS_BROKEN=1. Use test/t_snprintf.c to test your system and report broken implementations to sendmail-bugs@sendmail.org and your OS vendor. Problem noted by Slawomir Piotrowski of TELSAT GP. Support SMTP Service Extension for Secure SMTP (RFC 2487) (STARTTLS). Implementation influenced by the example programs of OpenSSL and the work of Lutz Jaenicke of TU Cottbus. Add new STARTTLS related options CACERTPath, CACERTFile, ClientCertFile, ClientKeyFile, DHParameters, RandFile, ServerCertFile, and ServerKeyFile. These are documented in cf/README and doc/op/op.me. New STARTTLS related macros: ${cert_issuer}, ${cert_subject}, ${tls_version}, ${cipher}, ${cipher_bits}, ${verify}, ${server_name}, and ${server_addr}. These are documented in cf/README and doc/op/op.me. Add support for the Entropy Gathering Daemon (EGD) for better random data. New DontBlameSendmail option InsufficientEntropy for systems which don't properly seed the PRNG for OpenSSL but want to try to use STARTTLS despite the security problems. Support the security layer in SMTP AUTH for mechanisms which support encryption. Based on code contributed by Tim Martin of CMU. Add new macro ${auth_ssf} to reflect the SMTP AUTH security strength factor. LDAP's -1 (single match only) flag was not honored if the -z (delimiter) flag was not given. Problem noted by ST Wong of the Chinese University of Hong Kong. Fix from Mark Adamson of CMU. Add more protection from accidentally tripping OpenLDAP 1.X's ld_errno == LDAP_DECODING_ERROR hack on ldap_next_attribute(). Suggested by Kurt Zeilenga of OpenLDAP. Fix the default family selection for DaemonPortOptions. As documented, unless a family is specified in a DaemonPortOptions option, "inet" is the default. It is also the default if no DaemonPortOptions value is set. Therefore, IPv6 users should configure additional sockets by adding DaemonPortOptions settings with Family=inet6 if they wish to also listen on IPv6 interfaces. Problem noted by Jun-ichiro itojun Hagino of the KAME Project. Set ${if_family} when setting ${if_addr} and ${if_name} to reflect the interface information for an outgoing connection. Not doing so was creating a mismatch between the socket family and address used in subsequent connections if the M=b modifier was set in DaemonPortOptions. Problem noted by John Beck of Sun Microsystems. If DaemonPortOptions modifier M=b is used, determine the socket family based on the IP address. ${if_family} is no longer persistent (i.e., saved in qf files). Patch from John Beck of Sun Microsystems. sendmail 8.10 and 8.11 reused the ${if_addr} and ${if_family} macros for both the incoming interface address/family and the outgoing interface address/family. In order for M=b modifier in DaemonPortOptions to work properly, preserve the incoming information in the queue file for later delivery attempts. Use SMTP error code and enhanced status code from check_relay in responses to commands. Problem noted by Jeff Wasilko of smoe.org. Add more vigilance in checking for putc() errors on output streams to protect from a bug in Solaris 2.6's putc(). Problem noted by Graeme Hewson of Oracle. The LDAP map -n option (return attribute names only) wasn't working. Problem noted by Ajay Matia. Under certain circumstances, an address could be listed as deferred but would be bounced back to the sender as failed to be delivered when it really should have been queued. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Prevent a segmentation fault in a child SMTP process from getting the SMTP transaction out of sync. Problem noted by Per Hedeland of Ericsson. Turn off RES_DEBUG if SFIO is defined unless SFIO_STDIO_COMPAT is defined to avoid a core dump due to incompatibilities between sfio and stdio. Problem noted by Neil Rickert of Northern Illinois University. Don't log useless envelope ID on initial connection log. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Convert the free disk space shown in a control socket status query to kilobyte units. If TryNullMXList is True and there is a temporary DNS failure looking up the hostname, requeue the message for a later attempt. Problem noted by Ari Heikkinen of Pohjois-Savo Polytechnic. Under the proper circumstances, failed connections would be recorded as "Bad file number" instead of "Connection failed" in the queue file and persistent host status. Problem noted by Graeme Hewson of Oracle. Avoid getting into an endless loop if a non-hoststat directory exists within the hoststatus directory (e.g., lost+found). Patch from Valdis Kletnieks of Virginia Tech. Make sure Timeout.queuereturn=now returns a bounce message to the sender. Problem noted by Per Hedeland of Ericsson. If a message data file can't be opened at delivery time, panic and abort the attempt instead of delivering a message that states "<<< No Message Collected >>>". Fixup the GID checking code from 8.10.2 as it was overly restrictive. Problem noted by Mark G. Thomas of Mark G. Thomas Consulting. Preserve source port number instead of replacing it with the ident port number (113). Document the queue status characters in the mailq man page. Suggested by Ulrich Windl of the Universitat Regensburg. Process queued items in which none of the recipient addresses have host portions (or there are no recipients). Problem noted by Valdis Kletnieks of Virginia Tech. If a cached LDAP connection is used for multiple maps, make sure only the first to open the connection is allowed to close it so a later map close doesn't break the connection for other maps. Problem noted by Wolfgang Hottgenroth of UUNET. Netscape's LDAP libraries do not support Kerberos V4 authentication. Patch from Rainer Schoepf of the University of Mainz. Provide workaround for inconsistent handling of data passed via callbacks to Cyrus SASL prior to version 1.5.23. Mention ENHANCEDSTATUSCODES in the SMTP HELP helpfile. Omission noted by Ulrich Windl of the Universitat Regensburg. Portability: Add the ability to read IPv6 interface addresses into class 'w' under FreeBSD (and possibly others). From Jun Kuriyama of IMG SRC, Inc. and the FreeBSD Project. Replace code for finding the number of CPUs on HPUX. NCRUNIX MP-RAS 3.02 SO_REUSEADDR socket option does not work properly causing problems if the accept() fails and the socket needs to be reopened. Patch from Tom Moore of NCR. NetBSD uses a .0 extension of formatted man pages. From Andrew Brown of Crossbar Security. Return to using the IPv6 AI_DEFAULT flag instead of AI_V4MAPPED for calls to getipnodebyname(). The Linux implementation is broken so AI_ADDRCONFIG is stripped under Linux. From John Beck of Sun Microsystems and John Kennedy of Cal State University, Chico. CONFIG: Catch invalid addresses containing a ',' at the wrong place. Patch from Neil Rickert of Northern Illinois University. CONFIG: New variables for the new sendmail options: confCACERT_PATH CACERTPath confCACERT CACERTFile confCLIENT_CERT ClientCertFile confCLIENT_KEY ClientKeyFile confDH_PARAMETERS DHParameters confRAND_FILE RandFile confSERVER_CERT ServerCertFile confSERVER_KEY ServerKeyFile CONFIG: Provide basic rulesets for TLS policy control and add new tags to the access database to support these policies. See cf/README for more information. CONFIG: Add TLS information to the Received: header. CONFIG: Call tls_client ruleset from check_mail in case it wasn't called due to a STARTTLS command. CONFIG: If TLS_PERM_ERR is defined, TLS related errors are permanent instead of temporary. CONFIG: FEATURE(`relay_hosts_only') didn't work in combination with the access map and relaying to a domain without using a To: tag. Problem noted by Mark G. Thomas of Mark G. Thomas Consulting. CONFIG: Set confEBINDIR to /usr/sbin to match the devtools entry in OSTYPE(`linux') and OSTYPE(`mklinux'). From Tim Pierce of RootsWeb.com. CONFIG: Make sure FEATURE(`nullclient') doesn't use aliasing and forwarding to make it as close to the old behavior as possible. Problem noted by George W. Baltz of the University of Maryland. CONFIG: Added OSTYPE(`darwin') for Mac OS X and Darwin users. From Wilfredo Sanchez of Apple Computer, Inc. CONFIG: Changed the map names used by FEATURE(`ldap_routing') from ldap_mailhost and ldap_mailroutingaddress to ldapmh and ldapmra as underscores in map names cause problems if underscore is in OperatorChars. Problem noted by Bob Zeitz of the University of Alberta. CONFIG: Apply blacklist_recipients also to hosts in class {w}. Patch from Michael Tratz of Esosoft Corporation. CONFIG: Use A=TCP ... instead of A=IPC ... in SMTP mailers. CONTRIB: Add link_hash.sh to create symbolic links to the hash of X.509 certificates. CONTRIB: passwd-to-alias.pl: More protection from special characters; treat special shells as root aliases; skip entries where the GECOS full name and username match. From Ulrich Windl of the Universitat Regensburg. CONTRIB: qtool.pl: Add missing last_modified_time method and fix a typo. Patch from Graeme Hewson of Oracle. CONTRIB: re-mqueue.pl: Improve handling of a race between re-mqueue and sendmail. Patch from Graeme Hewson of Oracle. CONTRIB: re-mqueue.pl: Don't exit(0) at end so can be called as subroutine Patch from Graeme Hewson of Oracle. CONTRIB: Add movemail.pl (move old mail messages between queues by calling re-mqueue.pl) and movemail.conf (configuration script for movemail.pl). From Graeme Hewson of Oracle. CONTRIB: Add cidrexpand (expands CIDR blocks as a preprocessor to makemap). From Derek J. Balling of Yahoo,Inc. DEVTOOLS: INSTALL_RAWMAN installation option mistakenly applied any extension modifications (e.g., MAN8EXT) to the installation target. Patch from James Ralston of Carnegie Mellon University. DEVTOOLS: Add support for SunOS 5.9. DEVTOOLS: New option confLN contains the command used to create links. LIBSMDB: Berkeley DB 2.X and 3.X errors might be lost and not reported. MAIL.LOCAL: DG/UX portability. Problem noted by Tim Boyer of Denman Tire Corporation. MAIL.LOCAL: Prevent a possible DoS attack when compiled with -DCONTENTLENGTH. Based on patch from 3APA3A@SECURITY.NNOV.RU. MAILSTATS: Fix usage statement (-p and -o are optional). MAKEMAP: Change man page layout as workaround for problem with nroff and -man on Solaris 7. Patch from Larry Williamson. RMAIL: AIX 4.3 has snprintf(). Problem noted by David Hayes of Black Diamond Equipment, Limited. RMAIL: Prevent a segmentation fault if the incoming message does not have a From line. VACATION: Read all of the headers before deciding whether or not to respond instead of stopping after finding recipient. New Files: cf/ostype/darwin.m4 contrib/cidrexpand contrib/link_hash.sh contrib/movemail.conf contrib/movemail.pl devtools/OS/SunOS.5.9 test/t_snprintf.c 8.10.2/8.10.2 2000/06/07 SECURITY: Work around broken Linux setuid() implementation. On Linux, a normal user process has the ability to subvert the setuid() call such that it is impossible for a root process to drop its privileges. Problem noted by Wojciech Purczynski of elzabsoft.pl. SECURITY: Add more vigilance around set*uid(), setgid(), setgroups(), initgroups(), and chroot() calls. New Files: test/t_setuid.c 8.10.1/8.10.1 2000/04/06 SECURITY: Limit the choice of outgoing (client-side) SMTP Authentication mechanisms to those specified in AuthMechanisms to prevent information leakage. We do not recommend use of PLAIN for outgoing mail as it sends the password in clear text to possibly untrusted servers. See cf/README's DefaultAuthInfo section for additional information. Copy the ident argument for openlog() to avoid problems on some OSs. Based on patch from Rob Bajorek from Webhelp.com. Avoid bogus error message when reporting an alias line as too long. Avoid bogus socket error message if sendmail.cf version level is greater than sendmail binary supported version. Patch from John Beck of Sun Microsystems. Prevent a malformed ruleset (missing right hand side) from causing a segmentation fault when using address test mode. Based on patch from John Beck of Sun Microsystems. Prevent memory leak from use of NIS maps and yp_match(3). Problem noted by Gil Kloepfer of the University of Texas at Austin. Fix queue file permission checks to allow for TrustedUser ownership. Change logging of errors from the trust_auth ruleset to LogLevel 10 or higher. Avoid simple password cracking attacks against SMTP AUTH by using exponential delay after too many tries within one connection. Encode an initial empty AUTH challenge as '=', not as empty string. Avoid segmentation fault on EX_SOFTWARE internal error logs. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Ensure that a header check which resolves to $#discard actually discards the message. Emit missing value warnings for aliases with no right hand side when newaliases is run instead of only when delivery is attempted to the alias. Remove AuthOptions missing value warning for consistency with other flag options. Portability: SECURITY: Specify a run-time shared library search path for AIX 4.X instead of using the dangerous AIX 4.X linker semantics. AIX 4.X users should consult sendmail/README for further information. Problem noted by Valdis Kletnieks of Virginia Tech. Avoid use of strerror(3) call. Problem noted by Charles Levert of Ecole Polytechnique de Montreal. DGUX requires -lsocket -lnsl and has a non-standard install program. From Tim Boyer of Denman Tire Corporation. HPUX 11.0 has a broken res_search() function. Updates to devtools/OS/NeXT.3.X, NeXT.4.X, and NEXTSTEP.4.X from J. P. McCann of E I A. Digital UNIX/Compaq Tru64 5.0 now includes snprintf(3). Problem noted by Michael Long of Info Avenue Internet Services, LLC. Modern (post-199912) OpenBSD versions include working strlc{at,py}(3) functions. From Todd C. Miller of Courtesan Consulting. SINIX doesn't have random(3). From Gerald Rinske of Siemens Business Services. CONFIG: Change error message about unresolvable sender domain to include the sender address. Proposed by Wolfgang Rupprecht of WSRCC. CONFIG: Fix usenet mailer calls. CONFIG: If RELAY_MAILER_FLAGS is not defined, use SMTP_MAILER_FLAGS to be backward compatible with 8.9. CONFIG: Change handling of default case @domain for virtusertable to allow for +*@domain to deal with +detail. CONTRIB: Remove converting.sun.configs -- it is obsolete. DEVTOOLS: confUBINMODE was being ignored. Fix from KITAZIMA, Tuneki of NEC. DEVTOOLS: Add to NCR platform list and include the architecture (i486). From Tom J. Moore of NCR. DEVTOOLS: SECURITY: Change method of linking with sendmail utility libraries to work around the AIX 4.X and SunOS 4.X linker's overloaded -L option. Problem noted by Valdis Kletnieks of Virginia Tech. DEVTOOLS: configure.sh was overriding the user's choice for confNROFF. Problem noted by Glenn A. Malling of Syracuse University. DEVTOOLS: New variables conf_prog_LIB_POST and confBLDVARIANT added for other internal projects but included in the open source release. LIBSMDB: Check for ".db" instead of simply "db" at the end of the map name to determine whether or not to add the extension. This fixes makemap when building the userdb file. Problem noted by Andrew J Cole of the University of Leeds. LIBSMDB: Allow a database to be opened for updating and created if it doesn't already exist. Problem noted by Rand Wacker of Sendmail. LIBSMDB: If type is SMDB_TYPE_DEFAULT and both NEWDB and NDBM are available, fall back to NDBM if NEWDB open fails. This fixes praliases. Patch from John Beck of Sun Microsystems. LIBSMUTIL: safefile()'s SFF_NOTEXCL check was being misinterpreted as SFF_NOWRFILES. OP.ME: Clarify some issues regarding mailer flags. Suggested by Martin Mokrejs of The Charles University and Neil Rickert of Northern Illinois University. PRALIASES: Restore 8.9.X functionality of being able to search for particular keys in a database by specifying the keys on the command line. Man page updated accordingly. Patch from John Beck of Sun Microsystems. VACATION: SunOS 4.X portability from Charles Levert of Ecole Polytechnique de Montreal. VACATION: Fix -t option which is ignored but available for compatibility with Sun's version, based on patch from Volker Dobler of Infratest Burke. New Files: devtools/M4/UNIX/smlib.m4 devtools/OS/OSF1.V5.0 Deleted Files: contrib/converting.sun.configs Deleted Directories (already done in 8.10.0 but not listed): doc/intro doc/usenix doc/changes 8.10.0/8.10.0 2000/03/01 ************************************************************* * The engineering department at Sendmail, Inc. has suffered * * the tragic loss of a key member of our engineering team. * * Julie Van Bourg was the Vice President of Engineering * * at Sendmail, Inc. during the development and deployment * * of this release. It was her vision, dedication, and * * support that has made this release a success. Julie died * * on October 26, 1999 of cancer. We have lost a leader, a * * coach, and a friend. * * * * This release is dedicated to her memory and to the joy, * * strength, ideals, and hope that she brought to all of us. * * Julie, we miss you! * ************************************************************* SECURITY: The safe file checks now back track through symbolic links to make sure the files can't be compromised due to poor permissions on the parent directories of the symbolic link target. SECURITY: Only root, TrustedUser, and users in class t can rebuild the alias map. Problem noted by Michal Zalewski of the "Internet for Schools" project (IdS). SECURITY: There is a potential for a denial of service attack if the AutoRebuildAliases option is set as a user can kill the sendmail process while it is rebuilding the aliases file (leaving it in an inconsistent state). This option and its use is deprecated and will be removed from a future version of sendmail. SECURITY: Make sure all file descriptors (besides stdin, stdout, and stderr) are closed before restarting sendmail. Problem noted by Michal Zalewski of the "Internet for Schools" project (IdS). Begin using /etc/mail/ for sendmail related files. This affects a large number of files. See cf/README for more details. The directory structure of the distribution has changed slightly for easier code sharing among the programs. Support SMTP AUTH (see RFC 2554). New macros for this purpose are ${auth_authen}, ${auth_type}, and ${auth_author} which hold the client's authentication credentials, the mechanism used for authentication, and the authorization identity (i.e., the AUTH= parameter if supplied). Based on code contributed by Tim Martin of CMU. On systems which use the Torek stdio library (all of the BSD distributions), use memory-buffered files to reduce file system overhead by not creating temporary files on disk. Contributed by Exactis.com, Inc. New option DataFileBufferSize to control the maximum size of a memory-buffered data (df) file before a disk-based file is used. Contributed by Exactis.com, Inc. New option XscriptFileBufferSize to control the maximum size of a memory-buffered transcript (xf) file before a disk-based file is used. Contributed by Exactis.com, Inc. sendmail implements RFC 2476 (Message Submission), e.g., it can now listen on several different ports. Use: O DaemonPortOptions=Name=MSA, Port=587, M=E to run a Message Submission Agent (MSA); this is turned on by default in m4-generated .cf files; it can be turned off with FEATURE(`no_default_msa'). The 'XUSR' SMTP command is deprecated. Mail user agents should begin using RFC 2476 Message Submission for initial user message submission. XUSR may disappear from a future release. The new '-G' (relay (gateway) submission) command line option indicates that the message being submitted from the command line is for relaying, not initial submission. This means the message will be rejected if the addresses are not fully qualified and no canonicalization will be done. Future releases may even reject improperly formed messages. The '-U' (initial user submission) command line option is deprecated and may be removed from a future release. Mail user agents should begin using '-G' to indicate that this is a relay submission (the inverse of -U). The next release of sendmail will assume that any message submitted from the command line is an initial user submission and act accordingly. If sendmail doesn't have enough privileges to run a .forward program or deliver to file as the owner of that file, the address is marked as unsafe. This means if RunAsUser is set, users won't be able to use programs or delivery to files in their .forward files. Administrators can override this by setting the DontBlameSendmail option to the new setting NonRootSafeAddr. Allow group or world writable directories if the sticky bit is set on the directory and DontBlameSendmail is set to TrustStickyBit. Based on patch from Chris Metcalf of InCert Software. Prevent logging of unsafe directory paths for non-existent forward files if the new DontWarnForwardFileInUnsafeDirPath bit is set in the DontBlameSendmail option. Requested by many. New Timeout.control option to limit the total time spent satisfying a control socket request. New Timeout.resolver options for controlling BIND resolver settings: Timeout.resolver.retrans Sets the resolver's retransmission time interval (in seconds). Sets both Timeout.resolver.retrans.first and Timeout.resolver.retrans.normal. Timeout.resolver.retrans.first Sets the resolver's retransmission time interval (in seconds) for the first attempt to deliver a message. Timeout.resolver.retrans.normal Sets the resolver's retransmission time interval (in seconds) for all resolver lookups except the first delivery attempt. Timeout.resolver.retry Sets the number of times to retransmit a resolver query. Sets both Timeout.resolver.retry.first and Timeout.resolver.retry.normal. Timeout.resolver.retry.first Sets the number of times to retransmit a resolver query for the first attempt to deliver a message. Timeout.resolver.retry.normal Sets the number of times to retransmit a resolver query for all resolver lookups except the first delivery attempt. Contributed by Exactis.com, Inc. Support multiple queue directories. To use multiple queues, supply a QueueDirectory option value ending with an asterisk. For example, /var/spool/mqueue/q* will use all of the directories or symbolic links to directories beginning with 'q' in /var/spool/mqueue as queue directories. Keep in mind, the queue directory structure should not be changed while sendmail is running. Queue runs create a separate process for running each queue unless the verbose flag is given on a non-daemon queue run. New items are randomly assigned to a queue. Contributed by Exactis.com, Inc. Support different directories for qf, df, and xf queue files; if subdirectories or symbolic links to directories of those names exist in the queue directories, they are used for the corresponding queue files. Keep in mind, the queue directory structure should not be changed while sendmail is running. Proposed by Mathias Koerber of Singapore Telecommunications Ltd. New queue file naming system which uses a filename guaranteed to be unique for 60 years. This allows queue IDs to be assigned without fancy file system locking. Queued items can be moved between queues easily. Contributed by Exactis.com, Inc. Messages which are undeliverable due to temporary address failures (e.g., DNS failure) will now go to the FallBackMX host, if set. Contributed by Exactis.com, Inc. New command line option '-L tag' which sets the identifier used for syslog. Contributed by Exactis.com, Inc. QueueSortOrder=Filename will sort the queue by filename. This avoids opening and reading each queue file when preparing to run the queue. Contributed by Exactis.com, Inc. Shared memory counters and microtimers functionality has been donated by Exactis.com, Inc. The SCCS ID tags have been replaced with RCS ID tags. Allow trusted users (those on a T line or in $=t) to set the QueueDirectory (Q) option without an X-Authentication-Warning: being added. Suggested by Michael K. Sanders. IPv6 support based on patches from John Kennedy of Cal State University, Chico, Motonori Nakamura of Kyoto University, and John Beck of Sun Microsystems. In low-disk space situations, where sendmail would previously refuse connections, still accept them, but only allow ETRN commands. Suggested by Mathias Koerber of Singapore Telecommunications Ltd. The [IPC] builtin mailer now allows delivery to a UNIX domain socket on systems which support them. This can be used with LMTP local delivery agents which listen on a named socket. An example mailer might be: Mexecmail, P=[IPC], F=lsDFMmnqSXzA5@/:|, E=\r\n, S=10, R=20/40, T=DNS/RFC822/X-Unix, A=FILE /var/run/lmtpd Code contributed by Lyndon Nerenberg of Messaging Direct. The [TCP] builtin mailer name is now deprecated. Use [IPC] instead. The first mailer argument in the [IPC] mailer is now checked for a legitimate value. Possible values are TCP (for TCP/IP connections), IPC (which will be deprecated in a future version), and FILE (for UNIX domain socket delivery). PrivacyOptions=goaway no longer includes the noetrn and the noreceipts flags. PrivacyOptions=nobodyreturn instructs sendmail not to include the body of the original message on delivery status notifications. Don't announce DSN if PrivacyOptions=noreceipts is set. Problem noted by Dan Bernstein, fix from Robert Harker of Harker Systems. Accept the SMTP RSET command even when rejecting commands due to TCP Wrappers or the check_relay ruleset. Problem noted by Steve Schweinhart of America Online. Warn if OperatorChars is set multiple times. OperatorChars should not be set after rulesets are defined. Suggested by Mitchell Blank Jr of Exec-PC. Do not report temporary failure on delivery to files. In interactive delivery mode, this would result in two SMTP responses after the DATA command. Problem noted by Nik Conwell of Boston University. Check file close when mailing to files. Problem noted by Nik Conwell of Boston University. Avoid a segmentation fault when using the LDAP map. Patch from Curtis W. Hillegas of Princeton University. Always bind to the LDAP server regardless of whether you are using ldap_open() or ldap_init(). Fix from Raj Kunjithapadam of @Home Network. New ruleset trust_auth to determine whether a given AUTH= parameter of the MAIL command should be trusted. See SMTP AUTH, cf/README, and doc/op/op.ps. Allow new named config file rules check_vrfy, check_expn, and check_etrn for VRFY, EXPN, and ETRN commands, respectively, similar to check_rcpt etc. Introduce new macros ${rcpt_mailer}, ${rcpt_host}, ${rcpt_addr}, ${mail_mailer}, ${mail_host}, ${mail_addr} that hold the results of parsing the RCPT and MAIL arguments, i.e. the resolved triplet from $#mailer $@host $:addr. From Kari Hurtta of the Finnish Meteorological Institute. New macro ${client_resolve} which holds the result of the resolve call for ${client_name}: OK, FAIL, FORGED, TEMP. Proposed by Kari Hurtta of the Finnish Meteorological Institute. New macros ${dsn_notify}, ${dsn_envid}, and ${dsn_ret} that hold the corresponding DSN parameter values. Proposed by Mathias Herberts. New macro ${msg_size} which holds the value of the SIZE= parameter, i.e., usually the size of the message (in an ESMTP dialogue), before the message has been collected, thereafter it holds the message size as computed by sendmail (and can be used in check_compat). The macro ${deliveryMode} now specifies the current delivery mode sendmail is using instead of the value of the DeliveryMode option. New macro ${ntries} holds the number of delivery attempts. Drop explicit From: if same as what would be generated only if it is a local address. From Motonori Nakamura of Kyoto University. Write pid to file also if sendmail only processes the queue. Proposed by Roy J. Mongiovi of Georgia Tech. Log "low on disk space" only when necessary. New macro ${load_avg} can be used to check the current load average. Suggested by Scott Gifford of The Internet Ramp. Return-Receipt-To: header implies DSN request if option RrtImpliesDsn is set. Flag -S for maps to specify the character which is substituted for spaces (instead of the default given by O BlankSub). Flag -D for maps: perform no lookup in deferred delivery mode. This flag is set by default for the host map. Based on a proposal from Ian MacPhedran of the University of Saskatchewan. Open maps only on demand, not at startup. Log warning about unsupported IP address families. New option MaxHeadersLength allows to specify a maximum length of the sum of all headers. This can be used to prevent a denial-of-service attack. New option MaxMimeHeaderLength which limits the size of MIME headers and parameters within those headers. This option is intended to protect mail user agents from buffer overflow attacks. Added option MaxAliasRecursion to specify the maximum depth of alias recursion. New flag F=6 for mailers to strip headers to seven bit. Map type syslog to log the key via syslogd. Entries in the alias file can be continued by putting a backslash directly before the newline. New option DeadLetterDrop to define the location of the system-wide dead.letter file, formerly hardcoded to /usr/tmp/dead.letter. If this option is not set (the default), sendmail will not attempt to save to a system-wide dead.letter file if it can not bounce the mail to the user nor postmaster. Instead, it will rename the qf file as it has in the past when the dead.letter file could not be opened. New option PidFile to define the location of the pid file. The value of this option is macro expanded. New option ProcessTitlePrefix specifies a prefix string for the process title shown in 'ps' listings. New macros for use with the PidFile and ProcessTitlePrefix options (along with the already existing macros): ${daemon_info} Daemon information, e.g. SMTP+queueing@00:30:00 ${daemon_addr} Daemon address, e.g., 0.0.0.0 ${daemon_family} Daemon family, e.g., inet, inet6, etc. ${daemon_name} Daemon name, e.g., MSA. ${daemon_port} Daemon port, e.g., 25 ${queue_interval} Queue run interval, e.g., 00:30:00 New macros especially for virtual hosting: ${if_name} hostname of interface of incoming connection. ${if_addr} address of interface of incoming connection. The latter is only set if the interface does not belong to the loopback net. If a message being accepted via a method other than SMTP and would be rejected by a header check, do not send the message. Suggested by Phil Homewood of Mincom Pty Ltd. Don't strip comments for header checks if $>+ is used instead of $>. Provide header value as quoted string in the macro ${currHeader} (possibly truncated to MAXNAME). Suggested by Jan Krueger of Unix-AG of University of Hannover. The length of the header value is stored in ${hdrlen}. H*: allows to specify a default ruleset for header checks. This ruleset will only be called if the individual header does not have its own ruleset assigned. Suggested by Jan Krueger of Unix-AG of University of Hannover. The name of the header field stored in ${hdr_name}. Comments (i.e., text within parentheses) in rulesets are not removed if the config file version is greater than or equal to 9. For example, "R$+ ( 1 ) $@ 1" matches the input "token (1)" but does not match "token". Avoid removing the Content-Transfer-Encoding MIME header on MIME messages. Problem noted by Sigurbjorn B. Larusson of Multimedia Consumer Services. Fix from Per Hedeland of Ericsson. Avoid duplicate Content-Transfer-Encoding MIME header on messages with 8-bit text in headers. Problem noted by Per Steinar Iversen of Oslo College. Fix from Per Hedeland of Ericsson. Avoid keeping maps locked longer than necessary when re-opening a modified database map file. Problem noted by Chris Adams of Renaissance Internet Services. Resolving to the $#error mailer with a temporary failure code (e.g., $#error $@ tempfail $: "400 Temporary failure") will now queue up the message instead of bouncing it. Be more liberal in acceptable responses to an SMTP RSET command as standard does not provide any indication of what to do when something other than 250 is received. Based on a patch from Steve Schweinhart of America Online. New option TrustedUser allows to specify a user who can own important files instead of root. This requires HASFCHOWN. Fix USERDB conditional so compiling with NEWDB or HESIOD and setting USERDB=0 works. Fix from Jorg Zanger of Schock. Fix another instance (similar to one in 8.9.3) of a network failure being mis-logged as "Illegal Seek" instead of whatever really went wrong. From John Beck of Sun Microsystems. $? tests also whether the macro is non-null. Print an error message if a mailer definition contains an invalid equate name. New mailer equate /= to specify a directory to chroot() into before executing the mailer program. Suggested by Igor Vinokurov. New mailer equate W= to specify the maximum time to wait for the mailer to return after sending all data to it. Only free memory from the process list when adding a new process into a previously filled slot. Previously, the memory was freed at removal time. Since removal can happen in a signal handler, this may leave the memory map in an inconsistent state. Problem noted by Jeff A. Earickson and David Cooley of Colby College. When using the UserDB @hostname catch-all, do not try to lookup local users in the passwd file. The UserDB code has already decided the message will be passed to another host for processing. Fix from Tony Landells of Burdett Buckeridge Young Limited. Support LDAP authorization via either a file containing the password or Kerberos V4 using the new map options '-ddistinguished_name', '-Mmethod', and '-Pfilename'. The distinguished_name is who to login as. The method can be one of LDAP_AUTH_NONE, LDAP_AUTH_SIMPLE, or LDAP_AUTH_KRBV4. The filename is the file containing the secret key for LDAP_AUTH_SIMPLE or the name of the Kerberos ticket file for LDAP_AUTH_KRBV4. Patch from Booker Bense of Stanford University. The ldapx map has been renamed to ldap. The use of ldapx is deprecated and will be removed in a future version. If the result of an LDAP search returns a multi-valued attribute and the map has the column delimiter set, it turns that response into a delimiter separated string. The LDAP map will traverse multiple entries as well. LDAP alias maps automatically set the column delimiter to the comma. Based on patch from Booker Bense of Stanford University and idea from Philip A. Prindeville of Mirapoint, Inc. Support return of multiple values for a single LDAP lookup. The values to be returned should be in a comma separated string. For example, `-v "email,emailother"'. Patch from Curtis W. Hillegas of Princeton University. Allow the use of LDAP for alias maps. If no LDAP attributes are specified in an LDAP map declaration, all attributes found in the match will be returned. Prevent commas in quoted strings in the AliasFile value from breaking up a single entry into multiple entries. This is needed for LDAP alias file specifications to allow for comma separated key and value strings. Keep connections to LDAP server open instead of opening and closing for each lookup. To reduce overhead, sendmail will cache connections such that multiple maps which use the same host, port, bind DN, and authentication will only result in a single connection to that host. Put timeout in the proper place for USE_LDAP_INIT. Be more careful about checking for errors and freeing memory on LDAP lookups. Use asynchronous LDAP searches to save memory and network resources. Do not copy LDAP query results if the map's match only flag is set. Increase portability to the Netscape LDAP libraries. Change the parsing of the LDAP filter specification. '%s' is still replaced with the literal contents of the map lookup key -- note that this means a lookup can be done using the LDAP special characters. The new '%0' token can be used instead of '%s' to encode the key buffer according to RFC 2254. For example, if the LDAP map specification contains '-k "(user=%s)"' and a lookup is done on "*", this would be equivalent to '-k "(user=*)"' -- matching ANY record with a user attribute. Instead, if the LDAP map specification contains '-k "(user=%0)"' and a lookup is done on "*", this would be equivalent to '-k "(user=\2A)"' -- matching a user with the name "*". New LDAP map flags: "-1" requires a single match to be returned, if more than one is returned, it is equivalent to no records being found; "-r never|always|search|find" sets the LDAP alias dereference option; "-Z size" limits the number of matches to return. New option LDAPDefaultSpec allows a default map specification for LDAP maps. The value should only contain LDAP specific settings such as "-h host -p port -d bindDN", etc. The settings will be used for all LDAP maps unless they are specified in the individual map specification ('K' command). This option should be set before any LDAP maps are defined. Prevent an NDBM alias file opening loop when the NDBM open continually fails. Fix from Roy J. Mongiovi of Georgia Tech. Reduce memory utilization for smaller symbol table entries. In particular, class entries get much smaller, which can be important if you have large classes. On network-related temporary failures, record the hostname which gave error in the queued status message. Requested by Ulrich Windl of the Universitat Regensburg. Add new F=% mailer flag to allow for a store and forward configuration. Mailers which have this flag will not attempt delivery on initial receipt of a message or on queue runs unless the queued message is selected using one of the -qI/-qR/-qS queue run modifiers or an ETRN request. Code provided by Philip Guenther of Gustavus Adolphus College. New option ControlSocketName which, when set, creates a daemon control socket. This socket allows an external program to control and query status from the running sendmail daemon via a named socket, similar to the ctlinnd interface to the INN news server. Access to this interface is controlled by the UNIX file permissions on the named socket on most UNIX systems (see sendmail/README for more information). An example control program is provided as contrib/smcontrol.pl. Change the default values of QueueLA from 8 to (8 * numproc) and RefuseLA from 12 to (12 * numproc) where numproc is the number of processors online on the system (if that can be determined). For single processor machines, this change has no effect. Don't return body of message to postmaster on "Too many hops" bounces. Based on fix from Motonori Nakamura of Kyoto University. Give more detailed DSN descriptions for some cases. Patch from Motonori Nakamura of Kyoto University. Logging of alias, forward file, and UserDB expansion now happens at LogLevel 11 or higher instead of 10 or higher. Logging of an envelope's complete delivery (the "done" message) now happens at LogLevel 10 or higher instead of 11 or higher. Logging of TCP/IP or UNIX standard input connections now happens at LogLevel 10 or higher. Previously, only TCP/IP connections were logged, and on at LogLevel 12 or higher. Setting LogLevel to 10 will now assist users in tracking frequent connection-based denial of service attacks. Log basic information about authenticated connections at LogLevel 10 or higher. Log SMTP Authentication mechanism and author when logging the sender information (from= syslog line). Log the DSN code for each recipient if one is available as a new equate (dsn=). Macro expand PostmasterCopy and DoubleBounceAddress options. New "ph" map for performing ph queries in rulesets, see sendmail/README for details. Contributed by Mark Roth of the University of Illinois at Urbana-Champaign. Detect temporary lookup failures in the host map if looking up a bracketed IP address. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Do not report a Remote-MTA on local deliveries. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. When a forward file points to an alias which runs a program, run the program as the default user and the default group, not the forward file user. This change also assures the :include: directives in aliases are also processed using the default user and group. Problem noted by Sergiu Popovici of DNT Romania. Prevent attempts to save a dead.letter file for a user with no home directory (/no/such/directory). Problem noted by Michael Brown of Finnigan FT/MS. Include message delay and number of tries when logging that a message has been completely delivered (LogLevel of 10 or above). Suggested by Nick Hilliard of Ireland Online. Log the sender of a message even if none of the recipients were accepted. If some of the recipients were rejected, it is helpful to know the sender of the message. Check the root directory (/) when checking a path for safety. Problem noted by John Beck of Sun Microsystems. Prevent multiple responses to the DATA command if DeliveryMode is interactive and delivering to an alias which resolves to multiple files. Macros in the helpfile are expanded if the helpfile version is 2 or greater (see below); the help function doesn't print the version of sendmail any longer, instead it is placed in the helpfile ($v). Suggested by Chuck Foster of UUNET PIPEX. Additionally, comment lines (starting with #) are skipped and a version line (#vers) is introduced. The helpfile version for 8.10.0 is 2, if no version or an older version is found, a warning is logged. The '#vers' directive should be placed at the top of the help file. Use fsync() when delivering to a file to guarantee the delivery to disk succeeded. Suggested by Nick Christenson. If delivery to a file is unsuccessful, truncate the file back to its length before the attempt. If a forward points to a filename for delivery, change to the user's uid before checking permissions on the file. This allows delivery to files on NFS mounted directories where root is remapped to nobody. Problem noted by Harald Daeubler of Universitaet Ulm. purgestat and sendmail -bH purge only expired (Timeout.hoststatus) host status files, not all files. Any macros stored in the class $={persistentMacros} will be saved in the queue file for the message and set when delivery is attempted on the queued item. Suggested by Kyle Jones of Wonderworks Inc. Add support for storing information between rulesets using the new macro map class. This can be used to store information between queue runs as well using $={persistentMacros}. Based on an idea from Jan Krueger of Unix-AG of University of Hannover. New map class arith to allow for computations in rules. The operation (+, -, *, /, l (for less than), and =) is given as key. The two operands are specified as arguments; the lookup returns the result of the computation. For example, "$(arith l $@ 4 $@ 2 $)" will return "FALSE" and "$(arith + $@ 4 $@ 2 $)" will return "6". Add new syntax for header declarations which decide whether to include the header based on a macro rather than a mailer flag: H?${MyMacro}?X-My-Header: ${MyMacro} This should be used along with $={persistentMacros}. It can be used for adding headers to a message based on the results of check_* and header check rulesets. Allow new named config file rule check_eoh which is called after all of the headers have been collected. The input to the ruleset the number of headers and the size of all of the headers in bytes separated by $|. This ruleset along with the macro storage map can be used to correlate information gathered between headers and to check for missing headers. See cf/README or doc/op/op.ps for an example. Change the default for the MeToo option to True to correspond to the clarification in the DRUMS SMTP Update spec. This option is deprecated and will be removed from a future version. Change the sendmail binary default for SendMimeErrors to True. Change the sendmail binary default for SuperSafe to True. Display ruleset names in debug and address test mode output if referencing a named ruleset. New mailer equate m= which will limit the number of messages delivered per connection on an SMTP or LMTP mailer. Improve QueueSortOrder=Host by reversing the hostname before using it to sort. Now all the same domains are really run through the queue together. If they have the same MX host, then they will have a much better opportunity to use the connection cache if available. This should be a reasonable performance improvement. Patch from Randall Winchester of the University of Maryland. If a message is rejected by a header check ruleset, log who would have received the message if it had not been rejected. New "now" value for Timeout.queuereturn to bounce entries from the queue immediately. No delivery attempt is made. Increase sleeping time exponentially after too many "bad" commands up to 4 minutes delay (compare MAX{BAD,NOOP,HELO,VRFY,ETRN}- COMMANDS). New option ClientPortOptions similar to DaemonPortOptions but for outgoing connections. New suboptions for DaemonPortOptions: Name (a name used for error messages and logging) and Modifiers, i.e. a require authentication b bind to interface through which mail has been received c perform hostname canonification f require fully qualified hostname h use name of interface for outgoing HELO command C don't perform hostname canonification E disallow ETRN (see RFC 2476) New suboption for ClientPortOptions: Modifiers, i.e. h use name of interface for HELO command The version number for queue files (qf) has been incremented to 4. Log unacceptable HELO/EHLO domain name attempts if LogLevel is set to 10 or higher. Suggested by Rick Troxel of the National Institutes of Health. If a mailer dies, print the status in decimal instead of octal format. Suggested by Michael Shapiro of Sun Microsystems. Limit the length of all MX records considered for delivery to 8k. Move message priority from sender to recipient logging. Suggested by Ulrich Windl of the Universitat Regensburg. Add support for Berkeley DB 3.X. Add fix for Berkeley DB 2.X fcntl() locking race condition. Requires a post-2.7.5 version of Berkeley DB. Support writing traffic log (sendmail -X option) to a FIFO. Patch submitted by Rick Heaton of Network Associates, Inc. Do not ignore Timeout settings in the .cf file when a Timeout sub-options is set on the command line. Problem noted by Graeme Hewson of Oracle. Randomize equal preference MX records each time delivery is attempted via a new connection to a host instead of once per session. Suggested by Scott Salvidio of Compaq. Implement enhanced status codes as defined by RFC 2034. Add [hostname] to class w for the names of all interfaces unless DontProbeInterfaces is set. This is useful for sending mails to hosts which have dynamically assigned names. If a message is bounced due to bad MIME conformance, avoid bouncing the bounce for the same reason. If the body is not 8-bit clean, and EightBitMode isn't set to pass8, the body will not be included in the bounce. Problem noted by Valdis Kletnieks of Virginia Tech. The timeout for sending a message via SMTP has been changed from '${msgsize} / 16 + (${nrcpts} * 300)' to a timeout which simply checks for progress on sending data every 5 minutes. This will detect the inability to send information quicker and reduce the number of processes simply waiting to timeout. Prevent a segmentation fault on systems which give a partial filled interface address structure when loading the system network interface addresses. Fix from Reinier Bezuidenhout of Nanoteq. Add a compile-time configuration macro, MAXINTERFACES, which indicates the number of interfaces to read when probing for hostnames and IP addresses for class w ($=w). The default value is 512. Based on idea from Reinier Bezuidenhout of Nanoteq. If the RefuseLA option is set to 0, do not reject connections based on load average. Allow ruleset 0 to have a name. Problem noted by Neil Rickert of Northern Illinois University. Expand the Return-Path: header at delivery time, after "owner-" envelope splitting has occurred. Don't try to sort the queue if there are no entries. Patch from Luke Mewburn from RMIT University. Add a "/quit" command to address test mode. Include the proper sender in the UNIX "From " line and Return-Path: header when undeliverable mail is saved to ~/dead.letter. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. The contents of a class can now be copied to another class using the syntax: "C{Dest} $={Source}". This would copy all of the items in class $={Source} into the class $={Dest}. Include original envelope's error transcript in bounces created for split (owner-) envelopes to see the original errors when the recipients were added. Based on fix from Motonori Nakamura of Kyoto University. Show reason for permanent delivery errors directly after the addresses. From Motonori Nakamura of Kyoto University. Prevent a segmentation fault when bouncing a split-envelope message. Patch from Motonori Nakamura of Kyoto University. If the specification for the queue run interval (-q###) has a syntax error, consider the error fatal and exit. Pay attention to CheckpointInterval during LMTP delivery. Problem noted by Motonori Nakamura of Kyoto University. On operating systems which have setlogin(2), use it to set the login name to the RunAsUserName when starting as a daemon. This is for delivery to programs which use getlogin(). Based on fix from Motonori Nakamura of Kyoto University. Differentiate between "command not implemented" and "command unrecognized" in the SMTP dialogue. Strip returns from forward and include files. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Prevent a core dump when using 'sendmail -bv' on an address which resolves to the $#error mailer with a temporary failure. Based on fix from Neil Rickert of Northern Illinois University. Prevent multiple deliveries of a message with a "non-local alias" pointing to a local user, if canonicalization fails the message was requeued *and* delivered to the alias. If an invalid ruleset is declared, the ruleset name could be ignored and its rules added to S0. Instead, ignore the ruleset lines as well. Avoid incorrect Final-Recipient, Action, and X-Actual-Recipient success DSN fields as well as duplicate entries for a single address due to S5 and UserDB processing. Problems noted by Kari Hurtta of the Finnish Meteorological Institute. Turn off timeouts when exiting sendmail due to an interrupt signal to prevent the timeout from firing during the exit process. Problem noted by Michael Shapiro of Sun Microsystems. Do not append @MyHostName to non-RFC822 addresses output by the EXPN command or on Final-Recipient: and X-Actual-Recipient: DSN headers. Non-RFC822 addresses include deliveries to programs, file, DECnet, etc. Fix logic for determining if a local user is using -f or -bs to spoof their return address. Based on idea from Neil Rickert of Northern Illinois University and patch from Per Hedeland of Ericsson. Report the proper UID in the bounce message if an :include: file is owned by a uid that doesn't map to a username and the :include: file contains delivery to a file or program. Problem noted by John Beck of Sun Microsystems. Avoid the attempt of trying to send a second SMTP QUIT command if the remote server responds to the first QUIT with a 4xx response code and drops the connection. This behavior was noted by Ulrich Windl of the Universitat Regensburg when sendmail was talking to the Mercury 1.43 MTA. If a hostname lookup times out and ServiceSwitchFile is set but the file is not present, the lookup failure would be marked as a permanent failure instead of a temporary failure. Fix from Russell King of the ARM Linux Project. Handle aliases or forwards which deliver to programs using tabs instead of spaces between arguments. Problem noted by Randy Wormser. Fix from Neil Rickert of Northern Illinois University. Allow MaxRecipientsPerMessage option to be set on the command line by normal users (e.g., sendmail won't drop its root privileges) to allow overrides for message submission via 'sendmail -bs'. Set the names for help file and statistics file to "helpfile" and "statistics", respectively, if no parameters are given for them in the .cf file. Avoid bogus 'errbody: I/O Error -7' log messages when sending success DSN messages for messages relayed to non-DSN aware systems. Problem noted by Juergen Georgi of RUS University of Stuttgart and Kyle Tucker of Parexel International. Prevent +detail information from interfering with local delivery to multiple users in the same transaction (F=m). Add H_FORCE flag for the X-Authentication-Warning: header, so it will be added even if one already exists. Problem noted by Michal Zalewski of Marchew Industries. Stop processing SMTP commands if the SMTP connection is dropped. This prevents a remote system from flooding the connection with commands and then disconnecting. Previously, the server would process all of the buffered commands. Problem noted by Michal Zalewski of Marchew Industries. Properly process user-supplied headers beginning with '?'. Problem noted by Michal Zalewski of Marchew Industries. If multiple header checks resolve to the $#error mailer, use the last permanent (5XX) failure if any exist. Otherwise, use the last temporary (4XX) failure. RFC 1891 requires "hexchar" in a "xtext" to be upper case. Patch from Ronald F. Guilmette of Infinite Monkeys & Co. Timeout.ident now defaults to 5 seconds instead of 30 seconds to prevent the now common delays associated with mailing to a site which drops IDENT packets. Suggested by many. Persistent host status data is not reloaded disk when current data is available in the in-memory cache. Problem noted by Per Hedeland of Ericsson. mailq displays unprintable characters in addresses as their octal representation and a leading backslash. This avoids problems with "unprintable" characters. Problem noted by Michal Zalewski of the "Internet for Schools" project (IdS). The mail line length limit (L= equate) was adding the '!' indicator one character past the limit. This would cause subsequent hops to break the line again. The '!' is now placed in the last column of the limit if the line needs to be broken. Problem noted by Joe Pruett of Q7 Enterprises. Based on fix from Per Hedeland of Ericsson. If a resolver ANY query is larger than the UDP packet size, the resolver will fall back to TCP. However, some misconfigured firewalls block 53/TCP so the ANY lookup fails whereas an MX or A record might succeed. Therefore, don't fail on ANY queries. If an SMTP recipient is rejected due to syntax errors in the address, do not send an empty postmaster notification DSN to the postmaster. Problem noted by Neil Rickert of Northern Illinois University. Allow '_' and '.' in map names when parsing a sequence map specification. Patch from William Setzer of North Carolina State University. Fix hostname in logging of read timeouts for the QUIT command on cached connections. Problem noted by Neil Rickert of Northern Illinois University. Use a more descriptive entry to log "null" connections, i.e., "host did not issue MAIL/EXPN/VRFY/ETRN during connection". Fix a file descriptor leak in ONEX mode. Portability: Reverse signal handling logic such that sigaction(2) with the SA_RESTART flag is the preferred method and the other signal methods are only tried if SA_RESTART is not available. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. AIX 4.x supports the sa_len member of struct sockaddr. This allows network interface probing to work properly. Fix from David Bronder of the University of Iowa. AIX 4.3 has snprintf() support. Use "PPC" as the architecture name when building under AIX. This will be reflected in the obj.* directory name. Apple Darwin support based on Apple Rhapsody port. Fixed AIX 'make depend' method from Valdis Kletnieks of Virginia Tech. Digital UNIX has uname(2). GNU Hurd updates from Mark Kettenis of the University of Amsterdam. Improved HPUX 11.0 portability. Properly determine the number of CPUs on FreeBSD 2.X, FreeBSD 3.X, HP/UX 10.X and HP/UX 11.X. Remove special IRIX ABI cases from Build script and the OS files. Use the standard 'cc' options used by SGI in building the operating system. Users can override the defaults by setting confCC and confLIBSEARCHPATH appropriately. IRIX nsd map support from Bob Mende of SGI. Minor devtools fixes for IRIX from Bob Mende of SGI. Linux patch for IP_SRCROUTE support from Joerg Dorchain of MW EDV & ELECTRONIC. Linux now uses /usr/sbin for confEBINDIR in the build system. From MATSUURA Takanori of Osaka University. Remove special treatment for Linux PPC in the build system. From MATSUURA Takanori of Osaka University. Motorolla UNIX SYSTEM V/88 Release 4.0 support from Sergey Rusanov of the Republic of Udmurtia. NCR MP-RAS 3.x includes regular expression support. From Tom J. Moore of NCR. NEC EWS-UX/V series settings for _PATH_VENDOR_CF and _PATH_SENDMAILPID from Oota Toshiya of NEC Computers Group Planning Division. Minor NetBSD owner/group tweaks from Ayamura Kikuchi, M.D. NEWS-OS 6.X listed SYSLOG_BUFSIZE as 256 in confENVDEF and 1024 in conf.h. Since confENVDEF would be used, use that value in conf.h. Use NeXT's NETINFO to get domain name. From Gerd Knops of BITart Consulting. Use NeXT's NETINFO for alias and hostname resolution if AUTO_NETINFO_ALIASES and AUTO_NETINFO_HOSTS are defined. Patch from Wilfredo Sanchez of Apple Computer, Inc. NeXT portability tweaks. Problems reported by Dragan Milicic of the University of Utah and J. P. McCann of E I A. New compile flag FAST_PID_RECYCLE: set this if your system can reuse the same PID in the same second. New compile flag HASFCHOWN: set this if your OS has fchown(2). New compile flag HASRANDOM: set this to 0 if your OS does not have random(3). rand() will be used instead. New compile flag HASSRANDOMDEV: set this if your OS has srandomdev(3). New compile flag HASSETLOGIN: set this if your OS has setlogin(2). Replace SINIX and ReliantUNIX support with version specific SINIX files. From Gerald Rinske of Siemens Business Services. Use the 60-second load average instead of the 5 second load average on Compaq Tru64 UNIX (formerly Digital UNIX). From Chris Teakle of the University of Qld. Use ANSI C by default for Compaq Tru64 UNIX. Suggested by Randall Winchester of Swales Aerospace. Correct setgroups() prototype for Compaq Tru64 UNIX. Problem noted by Randall Winchester of Swales Aerospace. Hitachi 3050R/3050RX and 3500 Workstations running HI-UX/WE2 4.02, 6.10 and 7.10 from Motonori NAKAMURA of Kyoto University. New compile flag NO_GETSERVBYNAME: set this to disable use of getservbyname() on systems which can not lookup a service by name over NIS, such as HI-UX. Patch from Motonori NAKAMURA of Kyoto University. Use devtools/bin/install.sh on SCO 5.x. Problem noted by Sun Wenbing of the China Engineering and Technology Information Network. make depend didn't work properly on UNIXWARE 4.2. Problem noted by Ariel Malik of Netology, Ltd. Use /usr/lbin as confEBINDIR for Compaq Tru64 (Digital UNIX). Set confSTDIO_TYPE to torek for BSD-OS, FreeBSD, NetBSD, and OpenBSD. A recent Compaq Ultrix 4.5 Y2K patch has broken detection of local_hostname_length(). See sendmail/README for more details. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. CONFIG: Begin using /etc/mail/ for sendmail related files. This affects a large number of files. See cf/README for more details. CONFIG: New macro MAIL_SETTINGS_DIR contains the path (including trailing slash) for the mail settings directory. CONFIG: Increment version number of config file to 9. CONFIG: OSTYPE(`bsdi1.0') and OSTYPE(`bsdi2.0') have been deprecated and may be removed from a future release. BSD/OS users should begin using OSTYPE(`bsdi'). CONFIG: OpenBSD 2.4 installs mail.local non-set-user-ID root. This requires a new OSTYPE(`openbsd'). From Todd C. Miller of Courtesan Consulting. CONFIG: New OSTYPE(`hpux11') for HP/UX 11.X. CONFIG: A syntax error in check_mail would cause fake top-level domains (.BITNET, .DECNET, .FAX, .USENET, and .UUCP) to be improperly rejected as unresolvable. CONFIG: New FEATURE(`dnsbl') takes up to two arguments (name of DNS server, rejection message) and can be included multiple times. CONFIG: New FEATURE(`relay_mail_from') allows relaying if the mail sender is listed as RELAY in the access map (and tagged with From:). CONFIG: Optional tagging of LHS in the access map (Connect:, From:, To:) to enable finer control. CONFIG: New FEATURE(`ldap_routing') implements LDAP address routing. See cf/README for a complete description of the new functionality. CONFIG: New variables for the new sendmail options: confAUTH_MECHANISMS AuthMechanisms confAUTH_OPTIONS AuthOptions confCLIENT_OPTIONS ClientPortOptions confCONTROL_SOCKET_NAME ControlSocketName confDEAD_LETTER_DROP DeadLetterDrop confDEF_AUTH_INFO DefaultAuthInfo confDF_BUFFER_SIZE DataFileBufferSize confLDAP_DEFAULT_SPEC LDAPDefaultSpec confMAX_ALIAS_RECURSION MaxAliasRecursion confMAX_HEADERS_LENGTH MaxHeadersLength confMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength confPID_FILE PidFile confPROCESS_TITLE_PREFIX ProcessTitlePrefix confRRT_IMPLIES_DSN RrtImpliesDsn confTO_CONTROL Timeout.control confTO_RESOLVER_RETRANS Timeout.resolver.retrans confTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first confTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal confTO_RESOLVER_RETRY Timeout.resolver.retry confTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first confTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal confTRUSTED_USER TrustedUser confXF_BUFFER_SIZE XscriptFileBufferSize CONFIG: confDAEMON_OPTIONS has been replaced by DAEMON_OPTIONS(), which takes the options as argument and can be used multiple times; see cf/README for details. CONFIG: Add a fifth mailer definition to MAILER(`smtp') called "dsmtp". This mail provides on-demand delivery using the F=% mailer flag described above. The "dsmtp" mailer definition uses the new DSMTP_MAILER_ARGS which defaults to "IPC $h". CONFIG: New variables LOCAL_MAILER_MAXMSGS, SMTP_MAILER_MAXMSGS, and RELAY_MAILER_MAXMSGS for setting the m= equate for the local, smtp, and relay mailers respectively. CONFIG: New variable LOCAL_MAILER_DSN_DIAGNOSTIC_CODE for setting the DSN Diagnostic-Code type for the local mailer. The value should be changed with care. CONFIG: FEATURE(`local_lmtp') now sets the DSN Diagnostic-Code type for the local mailer to the proper value of "SMTP". CONFIG: All included maps are no longer optional by default; if there there is a problem with a map, sendmail will complain. CONFIG: Removed root from class E; use EXPOSED_USER(`root') to get the old behavior. Suggested by Joe Pruett of Q7 Enterprises. CONFIG: MASQUERADE_EXCEPTION() defines hosts/subdomains which will not be masqueraded. Proposed by Arne Wichmann of MPI Saarbruecken, Griff Miller of PGS Tensor, Jayme Cox of Broderbund Software Inc. CONFIG: A list of exceptions for FEATURE(`nocanonify') can be specified by CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, i.e., a list of domains which are passed to $[ ... $] for canonification. Based on an idea from Neil Rickert of Northern Illinois University. CONFIG: If `canonify_hosts' is specified as parameter for FEATURE(`nocanonify') then addresses which have only a hostname, e.g., , will be canonified. CONFIG: If FEATURE(`nocanonify') is turned on, a trailing dot is nevertheless added to addresses with more than one component in it. CONFIG: Canonification is no longer attempted for any host or domain in class 'P' ($=P). CONFIG: New class for matching virtusertable entries $={VirtHost} that can be populated by VIRTUSER_DOMAIN or VIRTUSER_DOMAIN_FILE. FEATURE(`virtuser_entire_domain') can be used to apply this class also to entire subdomains. Hosts in this class are treated as canonical in SCanonify2, i.e., a trailing dot is added. CONFIG: If VIRTUSER_DOMAIN() or VIRTUSER_DOMAIN_FILE() are used, include $={VirtHost} in $=R (hosts allowed to relay). CONFIG: FEATURE(`generics_entire_domain') can be used to apply the genericstable also to subdomains of $=G. CONFIG: Pass "+detail" as %2 for virtusertable lookups. Patch from Noam Freedman from University of Chicago. CONFIG: Pass "+detail" as %1 for genericstable lookups. Suggested by Raymond S Brand of rsbx.net. CONFIG: Allow @domain in genericstable to override masquerading. Suggested by Owen Duffy from Owen Duffy & Associates. CONFIG: LOCAL_DOMAIN() adds entries to class w. Suggested by Steve Hubert of University of Washington. CONFIG: OSTYPE(`gnuhurd') has been replaced by OSTYPE(`gnu') as GNU is now the canonical system name. From Mark Kettenis of the University of Amsterdam. CONFIG: OSTYPE(`unixware7') updates from Larry Rosenman. CONFIG: Do not include '=' in option expansion if there is no value associated with the option. From Andrew Brown of Graffiti World Wide, Inc. CONFIG: Add MAILER(`qpage') to define a new pager mailer. Contributed by Philip A. Prindeville of Enteka Enterprise Technology Services. CONFIG: MAILER(`cyrus') was not preserving case for mail folder names. Problem noted by Randall Winchester of Swales Aerospace. CONFIG: RELAY_MAILER_FLAGS can be used to define additional flags for the relay mailer. Suggested by Doug Hughes of Auburn University and Brian Candler. CONFIG: LOCAL_MAILER_FLAGS now includes 'P' (Add Return-Path: header) by default. Suggested by Per Hedeland of Ericsson. CONFIG: Use SMART_HOST for bracketed addresses, e.g., user@[host]. Suggested by Kari Hurtta of the Finnish Meteorological Institute. CONFIG: New macro MODIFY_MAILER_FLAGS to tweak *_MAILER_FLAGS; i.e., to set, add, or delete flags. CONFIG: If SMTP AUTH is used then relaying is allowed for any user who authenticated via a "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(`list of mechanisms'). CONFIG: FEATURE(`delay_checks') delays check_mail and check_relay after check_rcpt and allows for exceptions from the checks. CONFIG: Map declarations have been moved into their associated feature files to allow greater flexibility in use of sequence maps. Suggested by Per Hedeland of Ericsson. CONFIG: New macro LOCAL_MAILER_EOL to override the default end of line string for the local mailer. Requested by Il Oh of Willamette Industries, Inc. CONFIG: Route addresses are stripped, i.e., <@a,@b,@c:user@d> is converted to CONFIG: Reject bogus return address of <@@hostname>, generated by Sun's older, broken configuration files. CONFIG: FEATURE(`nullclient') now provides the full rulesets of a normal configuration, allowing anti-spam checks to be performed. CONFIG: Don't return a permanent error (Relaying denied) if ${client_name} can't be resolved just temporarily. Suggested by Kari Hurtta of the Finnish Meteorological Institute. CONFIG: Change numbered rulesets into named (which still can be accessed by their numbers). CONFIG: FEATURE(`nouucp') takes one parameter: reject or nospecial which describes whether to disallow "!" in the local part of an address. CONFIG: Call Local_localaddr from localaddr (S5) which can be used to rewrite an address from a mailer which has the F=5 flag set. If the ruleset returns a mailer, the appropriate action is taken, otherwise the returned tokens are ignored. CONFIG: cf/ostype/solaris.m4 has been renamed to solaris2.pre5.m4 and cf/ostype/solaris2.m4 is now a copy of solaris2.ml.m4. The latter is kept around for backward compatibility. CONFIG: Allow ":D.S.N:" for mailer/virtusertable "error:" entries, where "D.S.N" is an RFC 1893 compliant error code. CONFIG: Use /usr/lbin as confEBINDIR for Compaq Tru64 (Digital UNIX). CONFIG: Remove second space between username and date in UNIX From_ line. Noted by Allan E Johannesen of Worcester Polytechnic Institute. CONFIG: Make sure all of the mailers have complete T= equates. CONFIG: Extend FEATURE(`local_procmail') so it can now take arguments overriding the mailer program, arguments, and mailer definition flags. This makes it possible to use other programs such as maildrop for local delivery. CONFIG: Emit warning if FEATURE(`local_lmtp') or FEATURE(`local_procmail') is given after MAILER(`local'). Patch from Richard A. Nelson of IBM. CONFIG: Add SMTP Authentication information to Received: header default value (confRECEIVED_HEADER). CONFIG: Remove `l' flag from USENET_MAILER_FLAGS as it is not a local mailer. Problem noted by Per Hedeland of Ericsson. CONTRIB: Added bounce-resender.pl from Brian R. Gaeke of the University of California at Berkeley. CONTRIB: Added domainmap.m4 from Mark D. Roth of the University of Illinois at Urbana-Champaign. CONTRIB: etrn.pl now recognizes bogus host names. Patch from Bruce Barnett of GE's R&D Lab. CONTRIB: Patches for re-mqueue.pl by Graeme Hewson of Oracle Corporation UK. CONTRIB: Added qtool.pl to assist in managing the queues. DEVTOOLS: Prevent user environment variables from interfering with the Build scripts. Problem noted by Ezequiel H. Panepucci of Yale University. DEVTOOLS: 'Build -M' will display the obj.* directory which will be used for building. DEVTOOLS: 'Build -A' will display the architecture that would be used for a fresh build. DEVTOOLS: New variable confRANLIB, set automatically by configure.sh. DEVTOOLS: New variable confRANLIBOPTS for the options to send to ranlib. DEVTOOLS: 'Build -O ' will have the object files build in /obj.*. Suggested by Bryan Costales of Exactis. DEVTOOLS: New variable confNO_MAN_BUILD which will prevent the building of the man pages when defined. Suggested by Bryan Costales. DEVTOOLS: New variables confNO_HELPFILE_INSTALL and confNO_STATISTICS_INSTALL which will prevent the installation of the sendmail helpfile and statistics file respectively. Suggested by Bryan Costales. DEVTOOLS: Recognize ReliantUNIX as SINIX. Patch from Gerald Rinske of Siemens Business Services. DEVTOOLS: New variable confSTDIO_TYPE which defines the type of stdio library. The new buffered file I/O depends on the Torek stdio library. This option can be either portable or torek. DEVTOOLS: New variables confSRCADD and confSMSRCADD which correspond to confOBJADD and confSMOBJADD respectively. They should contain the C source files for the object files listed in confOBJADD and confSMOBJADD. These file names will be passed to the 'make depend' stage of compilation. DEVTOOLS: New program specific variables for each of the programs in the sendmail distribution. Each has the form `conf_prog_ENVDEF', for example, `conf_sendmail_ENVDEF'. The new variables are conf_prog_ENVDEF, conf_prog_LIBS, conf_prog_SRCADD, and conf_prog_OBJADD. DEVTOOLS: Build system redesign. This should have little affect on building the distribution, but documentation on the changes are in devtools/README. DEVTOOLS: Don't allow 'Build -f file' if an object directory already exists. Suggested by Valdis Kletnieks of Virginia Tech. DEVTOOLS: Rename confSRCDIR to confSMSRCDIR since it only identifies the path to the sendmail source directory. confSRCDIR is a new variable which identifies the root of the source directories for all of the programs in the distribution. DEVTOOLS: confSRCDIR and confSMSRCDIR are now determined at Build time. They can both still be overridden by setting the m4 macro. DEVTOOLS: confSBINGRP now defaults to bin instead of kmem. DEVTOOLS: 'Build -Q prefix' uses devtools/Site/prefix.*.m4 for build configurations, and places objects in obj.prefix.*/. Complains as 'Build -f file' does for existing object directories. Suggested by Tom Smith of Digital Equipment Corporation. DEVTOOLS: Setting confINSTALL_RAWMAN will install unformatted manual pages in the directory tree specified by confMANROOTMAN. DEVTOOLS: If formatting the manual pages fails, copy in the preformatted pages from the distribution. The new variable confCOPY specifies the copying program. DEVTOOLS: Defining confFORCE_RMAIL will install rmail without question. Suggested by Terry Lambert of Whistle Communications. DEVTOOLS: confSTFILE and confHFFILE can be used to change the names of the installed statistics and help files, respectively. DEVTOOLS: Remove spaces in `uname -r` output when determining operating system identity. Problem noted by Erik Wachtenheim of Dartmouth College. DEVTOOLS: New variable confLIBSEARCHPATH to specify the paths that will be search for the libraries specified in confLIBSEARCH. Defaults to "/lib /usr/lib /usr/shlib". DEVTOOLS: New variables confSTRIP and confSTRIPOPTS for specifying how to strip binaries. These are used by the new install-strip target. DEVTOOLS: New config file site.post.m4 which is included after the others (if it exists). DEVTOOLS: Change order of LIBS: first product specific libraries then the default ones. MAIL.LOCAL: Will not be installed set-user-ID root. To use mail.local as local delivery agent without LMTP mode, use MODIFY_MAILER_FLAGS(`LOCAL', `+S') to set the S flag. MAIL.LOCAL: Do not reject addresses which would otherwise be accepted by sendmail. Suggested by Neil Rickert of Northern Illinois University. MAIL.LOCAL: New -7 option which causes LMTP mode not to advertise 8BITMIME in the LHLO response. Suggested by Kari Hurtta of the Finnish Meteorological Institute. MAIL.LOCAL: Add support for the maillock() routines by defining MAILLOCK when compiling. Also requires linking with -lmail. Patch from Neil Rickert of Northern Illinois University. MAIL.LOCAL: Create a Content-Length: header if CONTENTLENGTH is defined when compiling. Automatically set for Solaris 2.3 and later. Patch from Neil Rickert of Northern Illinois University. MAIL.LOCAL: Move the initialization of the 'notifybiff' address structure to the beginning of the program. This ensures that the getservbyname() is done before any seteuid to a possibly unauthenticated user. If you are using NIS+ and secure RPC on a Solaris system, this avoids syslog messages such as, "authdes_refresh: keyserv(1m) is unable to encrypt session key." Patch from Neil Rickert of Northern Illinois University. MAIL.LOCAL: Support group writable mail spool files when MAILGID is set to the gid to use (-DMAILGID=6) when compiling. Patch from Neil Rickert of Northern Illinois University. MAIL.LOCAL: When a mail message included lines longer than 2046 characters (in LMTP mode), mail.local split the incoming line up into 2046-character output lines (excluding the newline). If an input line was 2047 characters long (excluding CRLF) and the last character was a '.', mail.local saw it as the end of input, transferred it to the user mailbox and tried to write an `ok' back to sendmail. If the message was much longer, both sendmail and mail.local would deadlock waiting for each other to read what they have written. Problem noted by Peter Jeremy of Alcatel Australia Limited. MAIL.LOCAL: New option -b to return a permanent error instead of a temporary error if a mailbox exceeds quota. Suggested by Neil Rickert of Northern Illinois University. MAIL.LOCAL: The creation of a lockfile is subject to a global timeout to avoid starvation. MAIL.LOCAL: Properly parse addresses with multiple quoted local-parts. Problem noted by Ronald F. Guilmette of Infinite Monkeys & Co. MAIL.LOCAL: NCR MP/RAS 3.X portability from Tom J. Moore of NCR. MAILSTATS: New -p option to invoke program mode in which stats are printed in a machine readable fashion and the stats file is reset. Patch from Kevin Hildebrand of the University of Maryland. MAKEMAP: If running as root, automatically change the ownership of generated maps to the TrustedUser as specified in the sendmail configuration file. MAKEMAP: New -C option to accept an alternate sendmail configuration file to use for finding the TrustedUser option. MAKEMAP: New -u option to dump (unmap) a database. Based on code contributed by Roy Mongiovi of Georgia Tech. MAKEMAP: New -e option to allow empty values. Suggested by Philip A. Prindeville of Enteka Enterprise Technology Services. MAKEMAP: Compile cleanly on 64-bit operating systems. Problem noted by Gerald Rinske of Siemens Business Services. OP.ME: Correctly document interaction between F=S and U= mailer equates. Problem noted by Bob Halley of Internet Engines. OP.ME: Fixup Timeout documentation. From Graeme Hewson of Oracle Corporation UK. OP.ME: The Timeout [r] option was incorrectly listed as "safe" (e.g., sendmail would not drop root privileges if the option was specified on the command line). Problem noted by Todd C. Miller of Courtesan Consulting. PRALIASES: Handle the hash and btree map specifications for Berkeley DB. Patch from Brian J. Coan of the Institute for Global Communications. PRALIASES: Read the sendmail.cf file for the location(s) of the alias file(s) if the -f option is not used. Patch from John Beck of Sun Microsystems. PRALIASES: New -C option to specify an alternate sendmail configuration file to use for finding alias file(s). Patch from John Beck of Sun Microsystems. SMRSH: allow shell commands echo, exec, and exit. Allow command lists using || and &&. Based on patch from Brian J. Coan of the Institute for Global Communications. SMRSH: Update README for the new Build system. From Tim Pierce of RootsWeb Genealogical Data Cooperative. VACATION: Added vacation auto-responder to sendmail distribution. LIBSMDB: Added abstracted database library. Works with Berkeley DB 1.85, Berkeley DB 2.X, Berkeley DB 3.X, and NDBM. Changed Files: The Build script in the various program subdirectories are no longer symbolic links. They are now scripts which execute the actual Build script in devtools/bin. All the manual pages are now written against -man and not -mandoc as they were previously. Add a simple Makefile to every directory so make instead of Build will work (unless parameters are required for Build). New Directories: devtools/M4/UNIX include libmilter libsmdb libsmutil vacation Renamed Directories: BuildTools => devtools src => sendmail Deleted Files: cf/m4/nullrelay.m4 devtools/OS/Linux.ppc devtools/OS/ReliantUNIX devtools/OS/SINIX sendmail/ldap_map.h New Files: INSTALL PGPKEYS cf/cf/generic-linux.cf cf/cf/generic-linux.mc cf/feature/delay_checks.m4 cf/feature/dnsbl.m4 cf/feature/generics_entire_domain.m4 cf/feature/no_default_msa.m4 cf/feature/relay_mail_from.m4 cf/feature/virtuser_entire_domain.m4 cf/mailer/qpage.m4 cf/ostype/bsdi.m4 cf/ostype/hpux11.m4 cf/ostype/openbsd.m4 contrib/bounce-resender.pl contrib/domainmap.m4 contrib/qtool.8 contrib/qtool.pl devtools/M4/depend/AIX.m4 devtools/M4/list.m4 devtools/M4/string.m4 devtools/M4/subst_ext.m4 devtools/M4/switch.m4 devtools/OS/Darwin devtools/OS/GNU devtools/OS/SINIX.5.43 devtools/OS/SINIX.5.44 devtools/OS/m88k devtools/bin/find_in_path.sh mail.local/Makefile mailstats/Makefile makemap/Makefile praliases/Makefile rmail/Makefile sendmail/Makefile sendmail/bf.h sendmail/bf_portable.c sendmail/bf_portable.h sendmail/bf_torek.c sendmail/bf_torek.h sendmail/shmticklib.c sendmail/statusd_shm.h sendmail/timers.c sendmail/timers.h smrsh/Makefile vacation/Makefile Renamed Files: cf/ostype/gnuhurd.m4 => cf/ostype/gnu.m4 sendmail/cdefs.h => include/sendmail/cdefs.h sendmail/sendmail.hf => sendmail/helpfile sendmail/mailstats.h => include/sendmail/mailstats.h sendmail/pathnames.h => include/sendmail/pathnames.h sendmail/safefile.c => libsmutil/safefile.c sendmail/snprintf.c => libsmutil/snprintf.c sendmail/useful.h => include/sendmail/useful.h cf/ostype/solaris2.m4 => cf/ostype/solaris2.pre5.m4 Copied Files: cf/ostype/solaris2.ml.m4 => cf/ostype/solaris2.m4 8.9.3/8.9.3 1999/02/04 SECURITY: Limit message headers to a maximum of 32K bytes (total of all headers in a single message) to prevent a denial of service attack. This limit will be configurable in 8.10. Problem noted by Michal Zalewski of the "Internet for Schools" project (IdS). Prevent segmentation fault on an LDAP lookup if the LDAP map was closed due to an earlier failure. Problem noted by Jeff Wasilko of smoe.org. Fix from Booker Bense of Stanford University and Per Hedeland of Ericsson. Preserve the order of the MIME headers in multipart messages when performing the MIME header length check. This will allow PGP signatures to function properly. Problem noted by Lars Hecking of University College, Cork, Ireland. If ruleset 5 rewrote the local address to an :include: directive, the delivery would fail with an "aliasing/forwarding loop broken" error. Problem noted by Eric C Hagberg of Morgan Stanley. Fix from Per Hedeland of Ericsson. Allow -T to work for bestmx maps. Fix from Aaron Schrab of ExecPC Internet Systems. During the transfer of a message in an SMTP transaction, if a TCP timeout occurs, the message would be properly queued for later retry but the failure would be logged as "Illegal Seek" instead of a timeout. Problem noted by Piotr Kucharski of the Warsaw School of Economics (SGH) and Carles Xavier Munyoz Baldo of CTV Internet. Prevent multiple deliveries on a self-referencing alias if the F=w mailer flag is not set. Problem noted by Murray S. Kucherawy of Concentric Network Corporation and Per Hedeland of Ericsson. Do not strip empty headers but if there is no value and a default is defined in sendmail.cf, use the default. Problem noted by Philip Guenther of Gustavus Adolphus College and Christopher McCrory of Netus, Inc. Don't inherit information about the sender (notably the full name) in SMTP (-bs) mode, since this might be called from inetd. Accept any 3xx reply code in response to DATA command instead of requiring 354. This change will match the wording to be published in the updated SMTP specification from the DRUMS group of the IETF. Portability: AIX 4.2.0 or 4.2.1 may become updated by the fileset bos.rte.net level 4.2.0.2. This introduces the softlink /usr/lib/libbind.a which should not be used. It conflicts with the resolver built into libc.a. "bind" has been removed from the confLIBSEARCH BuildTools variable. Users who have installed BIND 8.X will have to add it back in their site.config.m4 file. Problem noted by Ole Holm Nielsen of the Technical University of Denmark. CRAY TS 10.0.x from Sven Nielsen of San Diego Supercomputer Center. Improved LDAP version 3 integration based on input from Kurt D. Zeilenga of the OpenLDAP Foundation, John Beck of Sun Microsystems, and Booker Bense of Stanford University. Linux doesn't have a standard way to get the timezone between different releases. Back out the change in 8.9.2 and don't attempt to derive a timezone. Problem reported by Igor S. Livshits of the University of Illinois at Urbana-Champaign and Michael Dickens of Tetranet Communications. Reliant UNIX, the new name for SINIX, from Gert-Jan Looy of Siemens/SNI. SunOS 5.8 from John Beck of Sun Microsystems. CONFIG: SCO UnixWare 2.1 and 7.0 need TZ to get the proper timezone. Problem noted by Petr Lampa of Technical University of Brno. CONFIG: Handle <@bestmx-host:user@otherhost> addressing properly when using FEATURE(bestmx_is_local). Patch from Neil W. Rickert of Northern Illinois University. CONFIG: Properly handle source routed and %-hack addresses on hosts which the mailertable remaps to local:. Patch from Neil W. Rickert of Northern Illinois University. CONFIG: Internal fixup of mailertable local: map value. Patch from Larry Parmelee of Cornell University. CONFIG: Only add back +detail from host portion of mailer triplet on local mailer triplets if it was originally +detail. Patch from Neil W. Rickert of Northern Illinois University. CONFIG: The bestmx_is_local checking done in check_rcpt would cause later checks to fail. Patch from Paul J Murphy of MIDS Europe. New Files: BuildTools/OS/CRAYTS.10.0.x BuildTools/OS/ReliantUNIX BuildTools/OS/SunOS.5.8 8.9.2/8.9.2 1998/12/30 SECURITY: Remove five second sleep on accepting daemon connections due to an accept() failure. This sleep could be used for a denial of service attack. Do not silently ignore queue files with names which are too long. Patch from Bryan Costales of InfoBeat, Inc. Do not store failures closing an SMTP session in persistent host status. Reported by Graeme Hewson of Oracle Corporation UK. Allow symbolic link forward files if they are in safe directories. Problem noted by Andreas Schott of the Max Planck Society. Missing columns in a text map could cause a segmentation fault. Fix from David Lee of the University of Durham. Note that for 8.9.X, PrivacyOptions=goaway also includes the noetrn flag. This is scheduled to change in a future version of sendmail. Problem noted by Theo Van Dinter of Chrysalis Symbolic Designa and Alan Brown of Manawatu Internet Services. When trying to do host canonification in a Wildcard MX environment, try an MX lookup of the hostname without the default domain appended. Problem noted by Olaf Seibert of Polderland Language & Speech Technology. Reject SMTP RCPT To: commands with only comments (i.e. 'RCPT TO: (comment)'. Problem noted by Earle Ake of Hassler Communication Systems Technology, Inc. Handle any number of %s in the LDAP filter spec. Patch from Per Hedeland of Ericsson. Clear ldapx open timeouts even if the map open failed to prevent a segmentation fault. Patch from Wayne Knowles of the National Institute of Water & Atmospheric Research Ltd. Do not syslog envelope clone messages when using address verification (-bv). Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Continue to perform queue runs while in daemon mode even if the daemon is rejecting connections due to a disk full condition. Problem noted by JR Oldroyd of TerraNet Internet Services. Include full filename on installation of the sendmail.hf file in case the $HFDIR directory does not exist. Problem noted by Josef Svitak of Montana State University. Close all maps when exiting the process with one exception. Berkeley DB can use internal shared memory locking for its memory pool. Closing a map opened by another process will interfere with the shared memory and locks of the parent process leaving things in a bad state. For Berkeley DB, only close the map if the current process is also the one that opened the map, otherwise only close the map file descriptor. Thanks to Yoseff Francus of Collective Technologies for volunteering his system for extended testing. Avoid null pointer dereference on XDEBUG output for SMTP reply failures. Problem noted by Carlos Canau of EUnet Portugal. On mailq and hoststat listings being piped to another program, such as more, if the pipe closes (i.e., the user quits more), stop sending output and exit. Patch from Allan E Johannesen of Worcester Polytechnic Institute. In accordance with the documentation, LDAP map lookup failures are now considered temporary failures instead of permanent failures unless the -t flag is used in the map definition. Problem noted by Booker Bense of Stanford University and Eric C. Hagberg of Morgan Stanley. Fix by one error reporting on long alias names. Problem noted by H. Paul Hammann of the Missouri Research and Education Network. Fix DontBlameSendmail=IncludeFileInUnsafeDirPath behavior. Problem noted by Barry S. Finkel of Argonne National Laboratory. When automatically converting from 8 bit to quoted printable MIME, be careful not to miss a multi-part boundary if that boundary is preceded by a boundary-like line. Problem noted by Andreas Raschle of Ansid Inc. Fix from Kari Hurtta of the Finnish Meteorological Institute. Avoid bogus reporting of "LMTP tobuf overflow" when the buffer has enough space for the additional address. Problem noted by Steve Cliffe of the University of Wollongong. Fix DontBlameSendmail=FileDeliveryToSymlink behavior. Problem noted by Alex Vorobiev of Swarthmore College. If the check_compat ruleset resolves to the $#discard mailer, discard the current recipient. Unlike check_relay, check_mail, and check_rcpt, the entire envelope is not discarded. Problem noted by RZ D. Rahlfs. Fix from Claus Assmann of Christian-Albrechts-University of Kiel. Avoid segmentation fault when reading ServiceSwitchFile files with bogus formatting. Patch from Kari Hurtta of the Finnish Meteorological Institute. Support Berkeley DB 2.6.4 API change. OP.ME: Pages weren't properly output on duplexed printers. Fix from Matthew Black of CSU Long Beach. Portability: Apple Rhapsody from Wilfredo Sanchez of Apple Computer, Inc. Avoid a clash with IRIX 6.2 getopt.h and the UserDatabase option structure. Problem noted by Ashley M. Kirchner of Photo Craft Laboratories, Inc. Break out IP address to hostname translation for reading network interface addresses into class 'w'. Patch from John Kennedy of Cal State University, Chico. AIX 4.x use -qstrict with -O3 to prevent the optimized from changing the semantics of the compiled program. From Simon Travaglia of the University of Waikato, New Zealand. FreeBSD 2.2.2 and later support setusercontext(). From Peter Wemm of DIALix. FreeBSD 3.x fix from Peter Wemm of DIALix. IRIX 5.x has a syslog buffer size of 512 bytes. From Nao NINOMIYA of Utsunomiya University. IRIX 6.5 64-bit Build support. LDAP Version 3 support from John Beck and Ravi Iyer of Sun Microsystems. Linux does not implement seteuid() properly. From John Kennedy of Cal State University, Chico. Linux timezone type was set improperly. From Takeshi Itoh of Bits Co., Ltd. NCR MP-RAS 3.x needs -lresolv for confLIBS. From Tom J. Moore of NCR. NeXT 4.x correction to man page path. From J. P. McCann of E I A. System V Rel 5.x (a.k.a UnixWare7 w/o BSD-Compatibility Libs) from Paul Gampe of the Asia Pacific Network Information Center. ULTRIX now requires an optimization limit of 970 from Allan E Johannesen of Worcester Polytechnic Institute. Fix extern declaration for sm_dopr(). Fix from Henk van Oers of Algemeen Nederlands Persbureau. CONFIG: Catch @hostname,user@anotherhost.domain as relaying. Problem noted by Mark Rogov of AirMedia, Inc. Fix from Claus Assmann of Christian-Albrechts-University of Kiel. CONFIG: Do not refer to http://maps.vix.com/ on RBL rejections as there are multiple RBL's available and the MAPS RBL may not be the one in use. Suggested by Alan Brown of Manawatu Internet Services. CONFIG: Properly strip route addresses (i.e., @host1:user@host2) when stripping down a recipient address to check for relaying. Patch from Claus Assmann of Christian-Albrechts-University of Kiel and Neil W Rickert of Northern Illinois University. CONFIG: Allow the access database to override RBL lookups. Patch from Claus Assmann of Christian-Albrechts-University of Kiel. CONFIG: UnixWare 7 support from Phillip P. Porch of The Porch Dot Com. CONFIG: Fixed check for deferred delivery mode warning. Patch from Claus Assmann of Christian-Albrechts-University of Kiel and Per Hedeland of Ericsson. CONFIG: If a recipient using % addressing is used, e.g. user%site@othersite, and othersite's MX records are now checked for local hosts if FEATURE(relay_based_on_MX) is used. Problem noted by Alexander Litvin of Lucky Net Ltd. Patch from Alexander Litvin of Lucky Net Ltd and Claus Assmann of Christian-Albrechts-University of Kiel. MAIL.LOCAL: Prevent warning messages from appearing in the LMTP stream. Do not allow more than one response per recipient. MAIL.LOCAL: Handle routed addresses properly when using LMTP. Fix from John Beck of Sun Microsystems. MAIL.LOCAL: Properly check for CRLF when using LMTP. Fix from John Beck of Sun Microsystems. MAIL.LOCAL: Substitute MAILER-DAEMON for the LMTP empty sender in the envelope From header. MAIL.LOCAL: Accept underscores in hostnames in LMTP mode. Problem noted by Glenn A. Malling of Syracuse University. MAILSTATS: Document msgsrej and msgsdis fields in the man page. Problem noted by Richard Wong of Princeton University. MAKEMAP: Build group list so group writable files are allowed with the -s flag. Problem noted by Curt Sampson of Internet Portal Services, Inc. PRALIASES: Automatically handle alias files created without the NULL byte at the end of the key. Patch from John Beck of Sun Microsystems. PRALIASES: Support Berkeley DB 2.6.4 API change. New Files: BuildTools/OS/IRIX64.6.5 BuildTools/OS/UnixWare.5.i386 cf/ostype/unixware7.m4 contrib/smcontrol.pl src/control.c 8.9.1/8.9.1 1998/07/02 If both an OS specific site configuration file and a generic site.config.m4 file existed, only the latter was used instead of both. Problem noted by Geir Johannessen of the Norwegian University of Science and Technology. Fix segmentation fault while converting 8 bit to 7 bit MIME multipart messages by trying to write to an unopened file descriptor. Fix from Kari Hurtta of the Finnish Meteorological Institute. Do not assume Message: and Text: headers indicate the end of the header area when parsing MIME headers. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Setting the confMAN#SRC Build variable would only effect the installation commands. The man pages would still be built with .0 extensions. Problem noted by Bryan Costales of InfoBeat, Inc. Installation of manual pages didn't honor the DESTDIR environment variable. Problem noted by Bryan Costales of InfoBeat, Inc. If the check_relay ruleset resolved to the discard mailer, messages were still delivered. Problem noted by Mirek Luc of NASK. Mail delivery to files would fail with an Operating System Error if sendmail was not running as root, i.e., RunAsUser was set. Problem noted by Leonard N. Zubkoff of Dandelion Digital. Prevent MinQueueAge from interfering from queued items created in the future, i.e., if the system clock was set ahead and then back. Problem noted by Michael Miller of the University of Natal, Pietermaritzburg. Do not advertise ETRN support in ESTMP EHLO reply if noetrn is set in the PrivacyOptions option. Fix from Ted Rule of Flextech TV. Log invalid persistent host status file lines instead of bouncing the message. Problem noted by David Lindes of DaveLtd Enterprises. Move creation of empty sendmail.st file from installation to compilation. Installation may be done from a read-only mount. Fix from Bryan Costales of InfoBeat, Inc. and Ric Anderson of the Oasis Research Center, Inc. Enforce the maximum number of User Database entries limit. Problem noted by Gary Buchanan of Credence Systems Inc. Allow dead.letter files in root's home directory. Problem noted by Anna Ullman of Sun Microsystems. Program deliveries in forward files could be marked unsafe if any directory listed in the ForwardPath option did not exist. Problem noted by Jorg Bielak of Coastal Web Online. Do not trust the length of the address structure returned by gethostbyname(). Problem noted by Chris Evans of Oxford University. If the SIZE= MAIL From: ESMTP parameter is too large, use the 5.3.4 DSN status code instead of 5.2.2. Similarly, for non-local deliveries, if the message is larger than the mailer maximum message size, use 5.3.4 instead of 5.2.3. Suggested by Antony Bowesman of Fujitsu/TeaWARE Mail/MIME System. Portability: Fix the check for an IP address reverse lookup for use in $&{client_name} on 64 bit platforms. From Gilles Gallot of Institut for Development and Resources in Intensive Scientific computing. BSD-OS uses .0 for man page extensions. From Jeff Polk of BSDI. DomainOS detection for Build. Also, version 10.4 and later ship a unistd.h. Fixes from Takanobu Ishimura of PICT Inc. NeXT 4.x uses /usr/lib/man/cat for its man pages. From J. P. McCann of E I A. SCO 4.X and 5.X include NDBM support. From Vlado Potisk of TEMPEST, Ltd. CONFIG: Do not pass spoofed PTR results through resolver for qualification. Problem noted by Michiel Boland of Digital Valley Internet Professionals; fix from Kari Hurtta of the Finnish Meteorological Institute. CONFIG: Do not try to resolve non-DNS hostnames such as UUCP, BITNET, and DECNET addresses for resolvable senders. Problem noted by Alexander Litvin of Lucky Net Ltd. CONFIG: Work around Sun's broken configuration which sends bounce messages as coming from @@hostname instead of <>. LMTP would not accept @@hostname. OP.ME: Corrections to complex sendmail startup script from Rick Troxel of the National Institutes of Health. RMAIL: Do not install rmail by default, require 'make force-install' as this rmail isn't the same as others. Suggested by Kari Hurtta of the Finnish Meteorological Institute. New Files: BuildTools/OS/DomainOS.10.4 8.9.0/8.9.0 1998/05/19 SECURITY: To prevent users from reading files not normally readable, sendmail will no longer open forward, :include:, class, ErrorHeader, or HelpFile files located in unsafe (i.e., group or world writable) directory paths. Sites which need the ability to override security can use the DontBlameSendmail option. See the README file for more information. SECURITY: Problems can occur on poorly managed systems, specifically, if maps or alias files are in world writable directories. This fixes the change added to 8.8.6 to prevent links in these world writable directories. SECURITY: Make sure ServiceSwitchFile option file is not a link if it is in a world writable directory. SECURITY: Never pass a tty to a mailer -- if a mailer can get at the tty it may be able to push bytes back to the senders input. Unfortunately this breaks -v mode. Problem noted by Wietse Venema of the Global Security Analysis Lab at IBM T.J. Watson Research. SECURITY: Empty group list if DontInitGroups is set to true to prevent program deliveries from picking up extra group privileges. Problem reported by Wolfgang Ley of DFN-CERT. SECURITY: The default value for DefaultUser is now set to the uid and gid of the first existing user mailnull, sendmail, or daemon that has a non-zero uid. If none of these exist, sendmail reverts back to the old behavior of using uid 1 and gid 1. This is a security problem for Linux which has chosen that uid and gid for user bin instead of daemon. If DefaultUser is set in the configuration file, that value overrides this default. SECURITY: Since 8.8.7, the check for non-set-user-ID binaries interfered with setting an alternate group id for the RunAsUser option. Problem noted by Randall Winchester of the University of Maryland. Add support for Berkeley DB 2.X. Based on patch from John Kennedy of Cal State University, Chico. Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB). Users which previously defined OLD_NEWDB=1 must now upgrade to the current version of Berkeley DB. Added support for regular expressions using the new map class regex. From Jan Krueger of Unix-AG of University of Hannover. Support for BIND 8.1.1's hesiod for hesiod maps and hesiod UserDatabases from Randall Winchester of the University of Maryland. Allow any shell for user shell on program deliveries on V1 configurations for backwards compatibility on machines which do not have getusershell(). Fix from John Beck of Sun Microsystems. On operating systems which change the process title by reusing the argument vector memory, sendmail could corrupt memory if the last argument was either "-q" or "-d". Problem noted by Frank Langbein of the University of Stuttgart. Support Local Mail Transfer Protocol (LMTP) between sendmail and mail.local on the F=z flag. Macro-expand the contents of the ErrMsgFile. Previously this was only done if you had magic characters (0x81) to indicate macro expansion. Now $x will be expanded. This means that real dollar signs have to be backslash escaped. TCP Wrappers expects "unknown" in the hostname argument if the reverse DNS lookup for the incoming connection fails. Problem noted by Randy Grimshaw of Syracuse University and Wietse Venema of the Global Security Analysis Lab at IBM T.J. Watson Research. DSN success bounces generated from an invocation of sendmail -t would be sent to both the sender and MAILER-DAEMON. Problem noted by Claus Assmann of Christian-Albrechts-University of Kiel. Avoid "Error 0" messages on delivery mailers which exit with a valid exit value such as EX_NOPERM. Fix from Andreas Luik of ISA Informationssysteme GmbH. Tokenize $&x expansions on right hand side of rules. This eliminates the need to use tricks like $(dequote "" $&{client_name} $) to cause the ${client_name} macro to be properly tokenized. Add the MaxRecipientsPerMessage option: this limits the number of recipients that will be accepted in a single SMTP transaction. After this number is reached, sendmail starts returning "452 Too many recipients" to all RCPT commands. This can be used to limit the number of recipients per envelope (in particular, to discourage use of the server for spamming). Note: a better approach is to restrict relaying entirely. Fixed pointer initialization for LDAP lmap struct, fixed -s option to ldapx map and added timeout for ldap_open call to avoid hanging sendmail in the event of hung LDAP servers. Patch from Booker Bense of Stanford University. Allow multiple -qI, -qR, or -qS queue run limiters. For example, '-qRfoo -qRbar' would deliver mail to recipients with foo or bar in their address. Patch from Allan E Johannesen of Worcester Polytechnic Institute. The bestmx map will now return a list of the MX servers for a host if passed a column delimiter via the -z map flag. This can be used to check if the server is an MX server for the recipient of a message. This can be used to help prevent relaying. Patch from Mitchell Blank Jr of Exec-PC. Mark failures for the *file* mailer and return bounce messages to the sender for those failures. Prevent bogus syslog timestamps on errors in sendmail.cf by preserving the TZ environment variable until TimeZoneSpec has been determined. Problem noted by Ralf Hildebrandt of Technical University of Braunschweig. Patch from Per Hedeland of Ericsson. Print test input in address test mode when input is not from the tty when the -v flag is given (i.e., sendmail -bt -v) to make output easier to decipher. Problem noted by Aidan Nichol of Procter & Gamble. The LDAP map -s flag was not properly parsed and the error message given included the remainder of the arguments instead of solely the argument in error. Problem noted by Aidan Nichol of Procter & Gamble. New DontBlameSendmail option. This option allows administrators to bypass some of sendmail's file security checks at the expense of system security. This should only be used if you are absolutely sure you know the consequences. The available DontBlameSendmail options are: Safe AssumeSafeChown ClassFileInUnsafeDirPath ErrorHeaderInUnsafeDirPath GroupWritableDirPathSafe GroupWritableForwardFileSafe GroupWritableIncludeFileSafe GroupWritableAliasFile HelpFileinUnsafeDirPath WorldWritableAliasFile ForwardFileInGroupWritableDirPath IncludeFileInGroupWritableDirPath ForwardFileInUnsafeDirPath IncludeFileInUnsafeDirPath ForwardFileInUnsafeDirPathSafe IncludeFileInUnsafeDirPathSafe MapInUnsafeDirPath LinkedAliasFileInWritableDir LinkedClassFileInWritableDir LinkedForwardFileInWritableDir LinkedIncludeFileInWritableDir LinkedMapInWritableDir LinkedServiceSwitchFileInWritableDir FileDeliveryToHardLink FileDeliveryToSymLink WriteMapToHardLink WriteMapToSymLink WriteStatsToHardLink WriteStatsToSymLink RunProgramInUnsafeDirPath RunWritableProgram New DontProbeInterfaces option to turn off the inclusion of all the interface names in $=w on startup. In particular, if you have lots of virtual interfaces, this option will speed up startup. However, unless you make other arrangements, mail sent to those addresses will be bounced. Automatically create alias databases if they don't exist and AutoRebuildAliases is set. Add PrivacyOptions=noetrn flag to disable the SMTP ETRN command. Suggested by Christophe Wolfhugel of the Institut Pasteur. Add PrivacyOptions=noverb flag to disable the SMTP VERB command. When determining the client host name ($&{client_name} macro), do a forward (A) DNS lookup on the result of the PTR lookup and compare results. If they differ or if the PTR lookup fails, &{client_name} will contain the IP address surrounded by square brackets (e.g., [127.0.0.1]). New map flag: -Tx appends "x" to lookups that return temporary failure (i.e, it is like -ax for the temporary failure case, in contrast to the success case). New syntax to do limited checking of header syntax. A config line of the form: HHeader: $>Ruleset causes the indicated Ruleset to be invoked on the Header when read. This ruleset works like the check_* rulesets -- that is, it can reject mail on the basis of the contents. Limit the size of the HELO/EHLO parameter to prevent spammers from hiding their connection information in Received: headers. When SingleThreadDelivery is active, deliveries to locked hosts are skipped. This will cause the delivering process to try the next MX host or queue the message if no other MX hosts are available. Suggested by Alexander Litvin. The [FILE] mailer type now delivers to the file specified in the A= equate of the mailer definition instead of $u. It also obeys all of the F= mailer flags such as the MIME 7/8 bit conversion flags. This is useful for defining a mailer which delivers to the same file regardless of the recipient (e.g., 'A=FILE /dev/null' to discard unwanted mail). Do not assume the identity of a remote connection is root@localhost if the remote connection closes the socket before the remote identity can be queried. Change semantics of the F=S mailer flag back to 8.7.5 behavior. Some mailers, including procmail, require that the real uid is left unchanged by sendmail. Problem noted by Per Hedeland of Ericsson. No longer is the src/obj*/Makefile selected from a large list -- it is now generated using the information in BuildTools/OS/ -- some of the details are determined dynamically via BuildTools/bin/configure.sh. The other programs in the sendmail distribution -- mail.local, mailstats, makemap, praliases, rmail, and smrsh -- now use the new Build method which creates an operating system specific Makefile using the information in BuildTools. Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e., a failure on one message won't affect future messages to the same host). This is necessary if the remote host sends a 451 error if the domain of the sender does not resolve as is common in anti-spam configurations. Problem noted by Mitchell Blank Jr of Exec-PC. New "discard" mailer for check_* rulesets and header checking rulesets. If one of the above rulesets resolves to the $#discard mailer, the commands will be accepted but the message will be completely discarded after it is accepting. This means that even if only one of the recipients resolves to the $#discard mailer, none of the recipients will receive the mail. Suggested by Brian Kantor. All but the last cloned envelope of a split envelope were queued instead of being delivered. Problem noted by John Caruso of CNET: The Computer Network. Fix deadlock situation in persistent host status file locking. Syslog an error if a user forward file could not be read due to an error. Patch from John Beck of Sun Microsystems. Use the first name returned on machine lookups when canonifying a hostname via NetInfo. Patch from Timm Wetzel of GWDG. Clear the $&{client_addr}, $&{client_name}, and $&{client_port} macros when delivering a bounce message to prevent rejection by a check_compat ruleset which uses these macros. Problem noted by Jens Hamisch of AgiX Internetservices GmbH. If the check_relay ruleset resolves to the the error mailer, the error in the $: portion of the resolved triplet is used in the rejection message given to the remote machine. Suggested by Scott Gifford of The Internet Ramp. Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros before calling the check_relay ruleset. Suggested by Scott Gifford of The Internet Ramp. Sendmail would get a segmentation fault if a mailer exited with an exit code of 79. Problem noted by Aaron Schrab of ExecPC Internet. Fix from Christophe Wolfhugel of the Pasteur Institute. Separate snprintf/vsnprintf routines into separate file for use by mail.local. Allow multiple map lookups on right hand side, e.g., R$* $( host $1 $) $| $( passwd $1 $). Patch from Christophe Wolfhugel of the Pasteur Institute. Properly generate success DSN messages if requested for aliases which have owner- aliases. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Properly display delayed-expansion macros ($&{macroname}) in address test mode (-bt). Problem noted by Bryan Costales of InfoBeat, Inc. -qR could sometimes match names incorrectly. Problem noted by Lutz Euler of Lavielle EDV Systemberatung GmbH & Co. Include a magic number and version in the StatusFile for the mailstats command. Record the number of rejected and discarded messages in the StatusFile for display by the mailstats command. Patch from Randall Winchester of the University of Maryland. IDENT returns where the OSTYPE field equals "OTHER" now list the user portion as IDENT:username@site instead of username@site to differentiate the two. Suggested by Kari Hurtta of the Finnish Meteorological Institute. Enforce timeout for LDAP queries. Patch from Per Hedeland of Ericsson. Change persistent host status filename substitution so '/' is replaced by ':' instead of '|' to avoid clashes. Also avoid clashes with hostnames with leading dots. Fix from Mitchell Blank Jr. of Exec-PC. If the system lock table is full, only attempt to create a new queue entry five times before giving up. Previously, it was attempted indefinitely which could cause the partition to run out of inodes. Problem noted by Suzie Weigand of Stratus Computer, Inc. In verbose mode, warn if the sendmail.cf version is less than the currently supported version. Sorting for QueueSortOrder=host is now case insensitive. Patch from Randall S. Winchester of the University of Maryland. Properly quote a full name passed via the -F command line option, the Full-Name: header, or the NAME environment variable if it contains characters which must be quoted. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Avoid possible race condition that unlocked a mail job before releasing the transcript file on systems that use flock(2). In some cases, this might result in a "Transcript Unavailable" message in error bounces. Accept SMTP replies which contain only a reply code and no accompanying text. Problem noted by Fernando Fraticelli of Digital Equipment Corporation. Portability: AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura of Kyoto University. AIX 4.2 requires before . Patch from Randall S. Winchester of the University of Maryland. AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS. CRAY T3E from Manu Mahonen of Center for Scientific Computing in Finland. Digital UNIX now uses statvfs for determining free disk space. Patch from Randall S. Winchester of the University of Maryland. HP-UX 11.x from Richard Allen of Opin Kerfi HF and Regis McEwen of Progress Software Corporation. IRIX 64 bit fixes from Kari Hurtta of the Finnish Meteorological Institute. IRIX 6.2 configuration fix for mail.local from Michael Kyle of CIC/Advanced Computing Laboratory. IRIX 6.5 from Thomas H Jones II of SGI. IRIX 6.X load average code from Bob Mende of SGI. QNX from Glen McCready . SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links to sendmail. Install with group bin instead of kmem as kmem does not exist. From Guillermo Freige of Gobernacion de la Pcia de Buenos Aires and Paul Fischer of BTG, Inc. SunOS 4.X does not include memmove(). Patch from Per Hedeland of Ericsson. SunOS 5.7 includes getloadavg() function for determining load average. Patch from John Beck of Sun Microsystems. CONFIG: Increment version number of config file. CONFIG: add DATABASE_MAP_TYPE to set the default type of database map for the various maps. The default is hash. Patch from Robert Harker of Harker Systems. CONFIG: new confEBINDIR m4 variable for defining the executable directory for certain programs. CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for local mail delivery. By the default, /usr/libexec/mail.local is used. This is expected to be the mail.local shipped with 8.9 which is LMTP capable. The path is based on the new confEBINDIR m4 variable. CONFIG: Use confEBINDIR in determining path to smrsh for FEATURE(smrsh). Note that this changes the default from /usr/local/etc/smrsh to /usr/libexec/smrsh. To obtain the old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh). CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to include $z/.forward.$w+$h and $z/.forward+$h which allow the user to setup different .forward files for user+detail addressing. CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES, and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage, DontProbeInterfaces, and DontBlameSendmail options. CONFIG: by default do not allow relaying (that is, accepting mail from outside your domain and sending it to another host outside your domain). CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from any site to any site. CONFIG: new FEATURE(relay_entire_domain) allows any host in your domain as defined by the 'm' class ($=m) to relay. CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on the MX records of the host portion of an incoming recipient. CONFIG: new FEATURE(access_db) which turns on the access database feature. This database gives you the ability to allow or refuse to accept mail from specified domains for administrative reasons. By default, names that are listed as "OK" in the access db are domain names, not host names. CONFIG: new confCR_FILE m4 variable for defining the name of the file used for class 'R'. Defaults to /etc/mail/relay-domains. CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file) to add items to class 'R' ($=R) for hosts allowed to relay. CONFIG: new FEATURE(relay_hosts_only) to change the behavior of FEATURE(access_db) and class 'R' to lookup individual host names only. CONFIG: new FEATURE(loose_relay_check). Normally, if a recipient using % addressing is used, e.g. user%site@othersite, and othersite is in class 'R', the check_rcpt ruleset will strip @othersite and recheck user@site for relaying. This feature changes that behavior. It should not be needed for most installations. CONFIG: new FEATURE(relay_local_from) to allow relaying if the domain portion of the mail sender is a local host. This should only be used if absolutely necessary as it opens a window for spammers. Patch from Randall S. Winchester of the University of Maryland. CONFIG: new FEATURE(blacklist_recipients) turns on the ability to block incoming mail destined for certain recipient usernames, hostnames, or addresses. CONFIG: By default, MAIL FROM: commands in the SMTP session will be refused if the host part of the argument to MAIL FROM: cannot be located in the host name service (e.g., DNS). CONFIG: new FEATURE(accept_unresolvable_domains) accepts unresolvable hostnames in MAIL FROM: SMTP commands. CONFIG: new FEATURE(accept_unqualified_senders) accepts MAIL FROM: senders which do not include a domain. CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the Realtime Blackhole List. You can specify the RBL name server to contact by specifying it as an optional argument. The default is rbl.maps.vix.com. For details, see http://maps.vix.com/rbl/. CONFIG: Call Local_check_relay, Local_check_mail, and Local_check_rcpt from check_relay, check_mail, and check_rcpt. Users with local rulesets should place the rules using LOCAL_RULESETS. If a Local_check_* ruleset returns $#OK, the message is accepted. If the ruleset returns a mailer, the appropriate action is taken, else the return of the ruleset is ignored. CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by default to support file, :include:, and program deliveries. CONFIG: Remove the default for confDEF_USER_ID so the binary can pick the proper default value. See the SECURITY note above for more information. CONFIG: FEATURE(nodns) now warns the user that the feature is a no-op. Patch from Kari Hurtta of the Finnish Meteorological Institute. CONFIG: OSTYPE(osf1) now sets DefaultUser (confDEF_USER_ID) to daemon since DEC's /bin/mail will drop the envelope sender if run as mailnull. See the Digital UNIX section of src/README for more information. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. CONFIG: .cf files are now stored in the same directory with the .mc files instead of in the obj directory. CONFIG: New options confSINGLE_LINE_FROM_HEADER, confALLOW_BOGUS_HELO, and confMUST_QUOTE_CHARS for setting SingleLineFromHeader, AllowBogusHELO, and MustQuoteChars respectively. MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout. This SMTP-like protocol allows detailed reporting of delivery status on a per-user basis. Code donated by John Myers of CMU (now of Netscape). MAIL.LOCAL: HP-UX support from Randall S. Winchester of the University of Maryland. NOTE: mail.local is not compatible with the stock HP-UX mail format. Be sure to read mail.local/README. MAIL.LOCAL: Prevent other mail delivery agents from stealing a mailbox lock. Patch from Randall S. Winchester of the University of Maryland. MAIL.LOCAL: glibc portability from John Kennedy of Cal State University, Chico. MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish Meteorological Institute. MAILSTATS: Display the number of rejected and discarded messages in the StatusFile. Patch from Randall Winchester of the University of Maryland. MAKEMAP: New -s flag to ignore safety checks on database map files such as linked files in world writable directories. MAKEMAP: Add support for Berkeley DB 2.X. Remove OLD_NEWDB support. PRALIASES: Add support for Berkeley DB 2.X. PRALIASES: Do not automatically include NDBM support. Problem noted by Ralf Hildebrandt of the Technical University of Braunschweig. RMAIL: Improve portability for other platforms. Patches from Randall S. Winchester of the University of Maryland and Kari Hurtta of the Finnish Meteorological Institute. Changed Files: src/Makefiles/Makefile.* files have been modified to use the new build mechanism and are now BuildTools/OS/*. src/makesendmail changed to symbolic link to src/Build. New Files: BuildTools/M4/header.m4 BuildTools/M4/depend/BSD.m4 BuildTools/M4/depend/CC-M.m4 BuildTools/M4/depend/NCR.m4 BuildTools/M4/depend/Solaris.m4 BuildTools/M4/depend/X11.m4 BuildTools/M4/depend/generic.m4 BuildTools/OS/AIX.4.2 BuildTools/OS/AIX.4.x BuildTools/OS/CRAYT3E.2.0.x BuildTools/OS/HP-UX.11.x BuildTools/OS/IRIX.6.5 BuildTools/OS/NEXTSTEP.4.x BuildTools/OS/NeXT.4.x BuildTools/OS/NetBSD.8.3 BuildTools/OS/QNX BuildTools/OS/SunOS.5.7 BuildTools/OS/dcosx.1.x.NILE BuildTools/README BuildTools/Site/README BuildTools/bin/Build BuildTools/bin/configure.sh BuildTools/bin/find_m4.sh BuildTools/bin/install.sh Makefile cf/cf/Build cf/cf/generic-hpux10.cf cf/feature/accept_unqualified_senders.m4 cf/feature/accept_unresolvable_domains.m4 cf/feature/access_db.m4 cf/feature/blacklist_recipients.m4 cf/feature/loose_relay_check.m4 cf/feature/local_lmtp.m4 cf/feature/promiscuous_relay.m4 cf/feature/rbl.m4 cf/feature/relay_based_on_MX.m4 cf/feature/relay_entire_domain.m4 cf/feature/relay_hosts_only.m4 cf/feature/relay_local_from.m4 cf/ostype/qnx.m4 contrib/doublebounce.pl mail.local/Build mail.local/Makefile.m4 mail.local/README mailstats/Build mailstats/Makefile.m4 makemap/Build makemap/Makefile.m4 praliases/Build praliases/Makefile.m4 rmail/Build rmail/Makefile.m4 rmail/rmail.0 smrsh/Build smrsh/Makefile.m4 src/Build src/Makefile.m4 src/snprintf.c Deleted Files: cf/cf/Makefile (replaced by Makefile.dist) mail.local/Makefile mail.local/Makefile.dist mailstats/Makefile mailstats/Makefile.dist makemap/Makefile makemap/Makefile.dist praliases/Makefile praliases/Makefile.dist rmail/Makefile smrsh/Makefile smrsh/Makefile.dist src/Makefile src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2) src/Makefiles/Makefile.SMP_DC.OSx.NILE (renamed BuildTools/OS/dcosx.1.x.NILE) src/Makefiles/Makefile.Utah (obsolete platform) Renamed Files: READ_ME => README cf/cf/Makefile.dist => Makefile cf/cf/obj/* => cf/cf/* src/READ_ME => src/README 8.8.8/8.8.8 1997/10/24 If the check_relay ruleset failed, the relay= field was logged incorrectly. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. If /usr/tmp/dead.letter already existed, sendmail could not add additional bounces to it. Problem noted by Thomas J. Arseneault of SRI International. If an SMTP mailer used a non-standard port number for the outgoing connection, it would be displayed incorrectly in verbose mode. Problem noted by John Kennedy of Cal State University, Chico. Log the ETRN parameter specified by the client before altering them to internal form. Suggested by Bob Kupiec of GES-Verio. EXPN and VRFY SMTP commands on malformed addresses were logging as User unknown with bogus delay= values. Change them to log the same as compliant addresses. Problem noted by Kari E. Hurtta of the Finnish Meteorological Institute. Ignore the debug resolver option unless using sendmail debug trace option for resolver. Problem noted by Greg Nichols of Wind River Systems. If SingleThreadDelivery was enabled and the remote server returned a protocol error on the DATA command, the connection would be closed but the persistent host status file would not be unlocked so other sendmail processes could not deliver to that host. Problem noted by Peter Wemm of DIALix. If queueing up a message due to an expensive mailer, don't increment the number of delivery attempts or set the last delivery attempt time so the message will be delivered on the next queue run regardless of MinQueueAge. Problem noted by Brian J. Coan of the Institute for Global Communications. Authentication warnings of "Processed from queue _directory_" and "Processed by _username_ with -C _filename_" would be logged with the incorrect timestamp. Problem noted by Kari E. Hurtta of the Finnish Meteorological Institute. Use a better heuristic for detecting GDBM. Log null connections on dropped connections. Problem noted by Jon Lewis of Florida Digital Turnpike. If class dbm maps are rebuilt, sendmail will now detect this and reopen the map. Previously, they could give stale results during a single message processing (but would recover when the next message was received). Fix from Joe Pruett of Q7 Enterprises. Do not log failures such as "User unknown" on -bv or SMTP VRFY requests. Problem noted by Kari E. Hurtta of the Finnish Meteorological Institute. Do not send a bounce message back to the sender regarding bad recipients if the SMTP connection is dropped before the message is accepted. Problem noted by Kari E. Hurtta of the Finnish Meteorological Institute. Use "localhost" instead of "[UNIX: localhost]" when connecting to sendmail via a UNIX pipe. This will allow rulesets using $&{client_name} to process without sending the string through dequote. Problem noted by Alan Barrett of Internet Africa. A combination of deferred delivery mode, a double bounce situation, and the inability to save a bounce message to /var/tmp/dead.letter would cause sendmail to send a bounce to postmaster but not remove the offending envelope from the queue causing it to create a new bounce message each time the queue was run. Problem noted by Brad Doctor of Net Daemons Associates. Remove newlines from hostname information returned via DNS. There are no known security implications of newlines in hostnames as sendmail filters newlines in all vital areas; however, this could cause confusing error messages. Starting with sendmail 8.8.6, mail sent with the '-t' option would be rejected if any of the specified addresses were bad. This behavior was modified to only reject the bad addresses and not the entire message. Problem noted by Jozsef Hollosi of SuperNet, Inc. Use Timeout.fileopen when delivering mail to a file. Suggested by Bryan Costales of InfoBeat, Inc. Display the proper Final-Recipient on DSN messages for non-SMTP mailers. Problem noted by Kari E. Hurtta of the Finnish Meteorological Institute. An error in calculating the available space in the list of addresses for logging deliveries could cause an address to be silently dropped. Include the initial user environment if sendmail is restarted via a HUP signal. This will give room for the process title. Problem noted by Jon Lewis of Florida Digital Turnpike. Mail could be delivered without a body if the machine does not support flock locking and runs out of processes during delivery. Fix from Chuck Lever of the University of Michigan. Drop recipient address from 251 and 551 SMTP responses per RFC 821. Problem noted by Kari E. Hurtta of the Finnish Meteorological Institute. Make sure non-rebuildable database maps are opened before the rebuildable maps (i.e., alias files) in case the database maps are needed for verifying the left hand side of the aliases. Problem noted by Lloyd Parkes of Victoria University. Make sure sender RFC822 source route addresses are alias expanded for bounce messages. Problem noted by Juergen Georgi of RUS University of Stuttgart. Minor lint fixes. Return a temporary error instead of a permanent error if an LDAP map search returns an error. This will allow sequenced maps which use other LDAP servers to be checked. Fix from Booker Bense of Stanford University. When automatically converting from quoted printable to 8bit text do not pad bare linefeeds with a space. Problem noted by Theo Nolte of the University of Technology Aachen, Germany. Portability: Non-standard C compilers may have had a problem compiling conf.c due to a standard C external declaration of setproctitle(). Problem noted by Ted Roberts of Electronic Data Systems. AUX: has a broken O_EXCL implementation. Reported by Jim Jagielski of jaguNET Access Services. BSD/OS: didn't compile if HASSETUSERCONTEXT was defined. Digital UNIX: Digital UNIX (and possibly others) moves loader environment variables into the loader memory area. If one of these environment variables (such as LD_LIBRARY_PATH) was the last environment variable, an invalid memory address would be used by the process title routine causing memory corruption. Problem noted by Sam Hartman of Mesa Internet Systems. GNU libc: uses an enum for _PC_CHOWN_RESTRICTED which caused chownsafe() to always return 0 even if the OS does not permit file giveaways. Problem noted by Yasutaka Sumi of The University of Tokyo. IRIX6: Syslog buffer size set to 512 bytes. Reported by Gerald Rinske of Siemens Business Services VAS. Linux: Pad process title with NULLs. Problem noted by Jon Lewis of Florida Digital Turnpike. SCO OpenServer 5.0: SIOCGIFCONF ioctl call returns an incorrect value for the number of interfaces. Problem noted by Chris Loelke of JetStream Internet Services. SINIX: Update for Makefile and syslog buffer size from Gerald Rinske of Siemens Business Services VAS. Solaris: Make sure HASGETUSERSHELL setting for SunOS is not used on a Solaris machine. Problem noted by Stephen Ma of Jtec Pty Limited. CONFIG: SINIX: Update from Gerald Rinske of Siemens Business Services VAS. MAKEMAP: Use a better heuristic for detecting GDBM. CONTRIB: expn.pl: Updated version from the author, David Muir Sharnoff. OP.ME: Document the F=i mailer flag. Problem noted by Per Hedeland of Ericsson. 8.8.7/8.8.7 1997/08/03 If using Berkeley DB on systems without O_EXLOCK (open a file with an exclusive lock already set -- i.e., almost all systems except 4.4-BSD derived systems), the initial attempt at rebuilding aliases file if the database didn't already exist would fail. Patch from Raymund Will of LST Software GmbH. Bogus incoming SMTP commands would reset the SMTP conversation. Problem noted by Fredrik Jönsson of the Royal Institute of Technology, Stockholm. Since TCP Wrappers includes setenv(), unsetenv(), and putenv(), some environments could give "multiple definitions" for these routines during compilation. If using TCP Wrappers, assume that these routines are included as though they were in the C library. Patch from Robert La Ferla. When a NEWDB database map was rebuilt at the same time it was being used by a queue run, the maps could be left locked for the duration of the queue run, causing other processes to hang. Problem noted by Kendall Libby of Shore.NET. In some cases, NoRecipientAction=add-bcc was being ignored, so the mail was passed on without any recipient header. This could cause problems downstream. Problem noted by Xander Jansen of SURFnet ExpertiseCentrum. Give error when GDBM is used with sendmail. GDBM's locking and linking of the .dir and .pag files interferes with sendmail's locking and security checks. Problems noted by Fyodor Yarochkin of the Kyrgyz Republic FreeNet. Don't fsync qf files if SuperSafe option is not set. Avoid extra calls to gethostbyname for addresses for which a gethostbyaddr found no value. Also, ignore any returns from gethostbyaddr that look like a dotted quad. If PTR lookup fails when looking up an SMTP peer, don't tag it as "may be forged", since at the network level we pretty much have to assume that the information is good. In some cases, errors during an SMTP session could leave files open or locked. Better handling of missing file descriptors (0, 1, 2) on startup. Better handling of non-set-user-ID binaries -- avoids certain obnoxious errors during testing. Errors in file locking of NEWDB maps had the incorrect file name printed in the error message. If the AllowBogusHELO option were set and an EHLO with a bad or missing parameter were issued, the EHLO behaved like a HELO. Load limiting never kicked in for incoming SMTP transactions if the DeliveryMode=background and any recipient was an alias or had a .forward file. From Nik Conwell of Boston University. On some non-Posix systems, the decision of whether chown(2) permits file giveaway was undefined. From Tetsu Ushijima of the Tokyo Institute of Technology. Fix race condition that could cause the body of a message to be lost (so only the header was delivered). This only occurs on systems that do not use flock(2), and only when a queue runner runs during a critical section in another message delivery. Based on a patch from Steve Schweinhart of Results Computing. If a qf file was found in a mail queue directory that had a problem (wrong ownership, bad format, etc.) and the file name was exactly MAXQFNAME bytes long, then instead of being tried once, it would be tried on every queue run. Problem noted by Bryan Costales of Mercury Mail. If the system supports an st_gen field in the status structure, include it when reporting that a file has changed after open. This adds a new compile flag, HAS_ST_GEN (0/1 option). This out to be checked as well as reported, since it is theoretically possible for an attacker to remove a file after it is opened and replace it with another file that has the same i-number, but some filesystems (notably AFS) return garbage in this field, and hence always look like the file has changed. As a practical matter this is not a security problem, since the files can be neither hard nor soft links, and on no filesystem (that I am aware of) is it possible to have two files on the same filesystem with the same i-number simultaneously. Delete the root Makefile from the distribution -- it is only for use internally, and does not work at customer sites. Fix botch that caused the second MAIL FROM: command in a single transaction to clear the entire transaction. Problem noted by John Kennedy of Cal State University, Chico. Work properly on machines that have _PATH_VARTMP defined without a trailing slash. (And a pox on vendors that decide to ignore the established conventions!) Problem noted by Gregory Neil Shapiro of WPI. Internal changes to make it easier to add another protocol family (intended for IPv6). Patches are from John Kennedy of CSU Chico. In certain cases, 7->8 bit MIME decoding of Base64 text could leave an extra space at the beginning of some lines. Problem noted by Charles Karney of Princeton University; fix based on a patch from Christophe Wolfhugel. Portability: Allow _PATH_VENDOR_CF to be set in Makefile for consistency with the _Sendmail_ book, 2nd edition. Note that the book is actually wrong: _PATH_SENDMAILCF should be used instead. AIX 3.x: Include . Patch from Gene Rackow of Argonne National Laboratory. OpenBSD from from Paul DuBois of the University of Wisconsin. RISC/os 4.0 from Paul DuBois of the University of Wisconsin. SunOS: Include to fix warning from util.c. From James Aldridge of EUnet Ltd. Solaris: Change STDIR (location of status file) to /etc/mail in Makefiles. Linux, Dynix, UNICOS: Remove -DNDBM and -lgdbm from Makefiles. Use NEWDB on Linux instead. NCR MP-RAS 3.x with STREAMware TCP/IP: SIOCGIFNUM ioctl exists but behaves differently than other OSes. Add SIOCGIFNUM_IS_BROKEN compile flag to get around the problem. Problem noted by Tom Moore of NCR Corp. HP-UX 9.x: fix compile warnings for old select API. Problem noted by Tom Smith of Digital Equipment Corp. UnixWare 2.x: compile warnings on offsetof macro. Problem noted by Tom Good of the Community Access Information Resource Network SCO 4.2: compile problems caused by a change in the type of the "length" parameters passed to accept, getpeername, getsockname, and getsockopt. Adds new compile flags SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Problem reported by Tom Good of St. Vincent's North Richmond Community Mental Health Center Residential Services. AIX 4: Use size_t for SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Suggested by Brett Hogden of Rochester Gas & Electric Corp. Linux: avoid compile problem for versions of that #define both setjmp and longjmp. Problem pointed out by J.R. Oldroyd of TerraNet. CONFIG: SCO UnixWare 2.1: Support for OSTYPE(sco-uw-2.1) from Christopher Durham of SCO. CONFIG: NEXTSTEP: define confCW_FILE to /etc/sendmail/sendmail.cw to match the usual configuration. Patch from Dennis Glatting of PlainTalk. CONFIG: MAILER(fax) called a program that hasn't existed for a long time. Convert to use the HylaFAX 4.0 conventions. Suggested by Harry Styron. CONFIG: Improve sample anti-spam rulesets in cf/cf/knecht.mc. These are the rulesets in use on sendmail.org. MAKEMAP: give error on GDBM files. MAIL.LOCAL: Make error messages a bit more explicit, for example, telling more details on what actually changed when "file changed after open". CONTRIB: etrn.pl: Ignore comments in Fw files. Support multiple Fw files. CONTRIB: passwd-to-alias.pl: Handle 8 bit characters and '-'. NEW FILES: src/Makefiles/Makefile.OpenBSD src/Makefiles/Makefile.RISCos.4_0 test/t_exclopen.c cf/ostype/sco-uw-2.1.m4 DELETED FILES: Makefile 8.8.6/8.8.6 1997/06/14 ************************************************************* * The extensive assistance of Gregory Neil Shapiro of WPI * * in preparing this release is gratefully appreciated. * * Sun Microsystems has also provided resources toward * * continued sendmail development. * ************************************************************* SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open mode bits set to create a file that is a symbolic link that points nowhere. This makes it possible to create a root owned file in an arbitrary directory by inserting the symlink into a writable directory after the initial lstat(2) check determined that the file did not exist. The only verified example of a system having these odd semantics for O_EXCL and symbolic links was HP-UX prior to version 9.07. Most systems do not have the problem, since a exclusive create of a file disallows symbolic links. Systems that have been verified to NOT have the problem include AIX 3.x, *BSD, DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris, and Ultrix. This is a potential exposure on systems that have this bug and which do not have a MAILER-DAEMON alias pointing at a legitimate account, since this will cause old mail to be dropped in /var/tmp/dead.letter. SECURITY: Problems can occur on poorly managed systems, specifically, if maps or alias files are in world writable directories. If your system has alias maps in writable directories, it is potentially possible for an attacker to replace the .db (or .dir and .pag) files by symbolic links pointing at another database; this can be used either to expose information (e.g., by pointing an alias file at /etc/spwd.db and probing for accounts), or as a denial-of-service attack (by trashing the password database). The fix disallows symbolic links entirely when rebuilding alias files or on maps that are in writable directories, and always warns on writable directories; 8.9 will probably consider writable directories to be fatal errors. This does not represent an exposure on systems that have alias files in unwritable system directories. SECURITY: disallow .forward or :include: files that are links (hard or soft) if the parent directory (or any directory in the path) is writable by anyone other than the owner. This is similar to the previous case for user files. This change should not affect most systems, but is necessary to prevent an attacker who can write the directory from pointing such files at other files that are readable only by the owner. SECURITY: Tighten safechown rules: many systems will say that they have a safe (restricted to root) chown even on files that are mounted from another system that allows owners to give away files. The new rules are very strict, trusting file ownership only in those few cases where the system has been verified to be at least as paranoid as necessary. However, it is possible to relax the rules to partially trust the ownership if the directory path is not world or group writable. This might allow someone who has a legitimate :include: file (referenced directly from /etc/aliases) to become another non-root user if the :include: file is in a non-writable directory on an NFS-mounted filesystem where the local system says that giveaway is denied but it is actually permitted. I believe this to be a very small set of cases. If in doubt, do not point :include: aliases at NFS-mounted filesystems. SECURITY: When setting a numeric group id using the RunAsUser option (e.g., "O RunAsUser=10:20", the group id would not be set. Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine. The user id was still set properly. Problem noted by Uli Pralle of the Technical University of Berlin. Save the initial gid set for use when checking for if the PrivacyOptions=restrictmailq option is set. Problem reported by Wolfgang Ley of DFN-CERT. Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a failure on one message won't affect future messages to the same host). IP source route printing had an "off by one" error that would affect any options that came after the route option. Patch from Theo de Raadt. The "Message is too large" error didn't successfully bounce the error back to the sender. Problem reported by Stephen More of PSI; patch from Gregory Neil Shapiro of WPI. Change SMTP status code 553 to map into Extended code 5.1.0 (instead of 5.1.3); it apparently gets used in multiple ways. Suggested by John Myers of Portola Communications. Fix possible extra null byte generated during collection if errors occur at the beginning of the stream. Patch contributed by Andrey A. Chernov and Gregory Neil Shapiro. Code changes to avoid possible reentrant call of malloc/free within a signal handler. Problem noted by John Beck of Sun Microsystems. Move map initialization to be earlier so that check_relay ruleset will have the latest version of the map data. Problem noted by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro. If there are fatal errors during the collection phase (e.g., message too large) don't send the bogus message. Avoid "cannot open xfAAA00000" messages when sending to aliases that have errors and have owner- aliases. Problem noted by Michael Barber of MTU; fix from Gregory Neil Shapiro of WPI. Avoid null pointer dereference on illegal Boundary= parameters in multipart/mixed Content-Type: header. Problem noted by Richard Muirden of RMIT University. Always print error messages during newaliases (-bi) even if the ErrorMode is not set to "print". Fix from Gregory Neil Shapiro. Test mode could core dump if you did a /map lookup in an optional map that could not be opened. Based on a fix from John Beck of Sun Microsystems. If DNS is misconfigured so that the last MX record tried points to a host that does not have an A record, but other MX records pointed to something reasonable, don't bounce the message with a "host unknown" error. Note that this should really be fixed in the zone file for the domain. Problem noted by Joe Rhett of Navigist, Inc. If a map fails (e.g., DNS times out) on all recipient addresses, mark the message as having been tried; otherwise the next queue run will not realize that this is a second attempt and will retry immediately. Problem noted by Bryan Costales of Mercury Mail. If the clock is set backwards, and a MinQueueAge is set, no jobs will be run until the later setting of the clock is reached. "Problem" (I use the term loosely) noted by Eric Hagberg of Morgan Stanley. If the load average rises above the cutoff threshold (above which sendmail will not process the queue at all) during a queue run, abort the queue run immediately. Problem noted by Bryan Costales of Mercury Mail. The variable queue processing algorithm (based on the message size, number of recipients, message precedence, and job age) was non-functional -- either the entire queue was processed or none of the queue was processed. The updated algorithm does no queue run if a single recipient zero size job will not be run. If there is a fatal ("panic") message that will cause sendmail to die immediately, never hold the error message for future printing. Force ErrorMode=print in -bt mode so that all errors are printed regardless of the setting of the ErrorMode option in the configuration file. Patch from Gregory Neil Shapiro. New compile flag HASSTRERROR says that this OS has the strerror(3) routine available in one of the libraries. Use it in conf.h. The -m (match only) flag now works on host class maps. If class hash or btree maps are rebuilt, sendmail will now detect this and reopen the map. Previously, they could give erroneous results during a single message processing (but would recover when the next message was received). Don't delete zero length queue files when doing queue runs until the files are at least ten minutes old. This avoids a potential race condition: the creator creates the qf file, getting back a file descriptor. The queue runner locks it and deletes it because it is zero length. The creator then writes the descriptor that is now for a disconnected file, and the job goes away. Based on a suggestion by Bryan Costales. When determining the "validated" host name ($_ macro), do a forward (A) DNS lookup on the result of the PTR lookup and compare results. If they differ or if the PTR lookup fails, tag the address as "may be forged". Log null connections (i.e., hosts that connect but do not do any substantive activity on the connection before disconnecting; "substantive" is defined to be MAIL, EXPN, VRFY, or ETRN. Always permit "writes" to /dev/null regardless of the link count. This is safe because /dev/null is special cased, and no open or write is ever actually attempted. Patch from Villy Kruse of TwinCom. If a message cannot be sent because of a 552 (exceeded storage allocation) response to the MAIL FROM:<>, and a SIZE= parameter was given, don't return the body in the bounce, since there is a very good chance that the message will double-bounce. Fix possible line truncation if a quoted-printable had an =00 escape in the body. Problem noted by Charles Karney of the Princeton Plasma Physics Laboratory. Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. The MaxDaemonChildren option wasn't applying to queue runs as documented. Note that this increases the potential denial of service problems with this option: an attacker can connect many times, and thereby lock out queue runs as well as incoming connections. If you use this option, you should run the "sendmail -bd" and "sendmail -q30m" jobs separately to avoid this attack. Failure to limit noted by Matthew Dillon of BEST Internet Communications. Always give a message in newaliases if alias files cannot be opened instead of failing silently. Suggested by Gregory Neil Shapiro. This change makes the code match the O'Reilly book (2nd edition). Some older versions of the resolver could return with h_errno == -1 if no name server could be reached, causing mail to bounce instead of queueing. Treat this like TRY_AGAIN. Fix from John Beck of SunSoft. If a :include: file is owned by a user that does not have an entry in the passwd file, sendmail could dereference a null pointer. Problem noted by Satish Mynam of Sun Microsystems. Take precautions to make sure that the SMTP protocol cannot get out of sync if (for example) an alias file cannot be opened. Fix a possible race condition that can cause a SIGALRM to come in immediately after a SIGHUP, causing the new sendmail to die. Avoid possible hang on SVr3 systems when doing child reaping. Patch from Villy Kruse of TwinCom. Ignore improperly formatted SMTP reply codes. Previously these were partially processed, which could cause confusing error returns. Fix possible bogus pointer dereference when doing ldapx map lookups on some architectures. Portability: A/UX: from Jim Jagielski of NASA/GSFC. glibc: SOCK_STREAM was changed from a #define to an enum, thus breaking #ifdef SOCK_STREAM. Only option seems to be to assume SOCK_STREAM if __GNU_LIBRARY__ is defined. Problem reported by A Sun of the University of Washington. Solaris: use SIOCGIFNUM to get the number of interfaces on the system rather than guessing at compile time. Patch contributed by John Beck of Sun Microsystems. Intel Paragon: from Wendy Lin of Purdue University. GNU Hurd: from Miles Bader of the GNU project. RISC/os 4.50 from Harlan Stenn of PFCS Corporation. ISC Unix: wait never returns if SIGCLD signals are blocked. Unfortunately releasing them opens a race condition, but there appears to be no fix for this. Patch from Gregory Neil Shapiro. BIND 8.1 for IPv6 compatibility from John Kennedy. Solaris: a bug in strcasecmp caused characters with the high order bit set to apparently randomly match letters -- for example, $| (0233) matches "i" and "I". Problem noted by John Gregson of the University of Cambridge. IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From Kari Hurtta. IRIX 6.x: Create Makefiles for systems that claim to be IRIX64 but are 6.2 or higher (so use the regular IRIX Makefile). IRIX 6.x: Fix load average computation on 64 bit kernels. Problem noted by Eric Hagberg of Morgan Stanley. CONFIG: Some canonification was still done for UUCP-like addresses even if FEATURE(nocanonify) was set. Problem pointed out by Brian Candler. CONFIG: In some cases UUCP mailers wouldn't properly recognize all local names as local. Problem noted by Jeff Polk of BSDI; fix provided by Gregory Neil Shapiro. CONFIG: The "local:user" syntax entries in mailertables and other "mailer:user" syntax locations returned an incorrect value for the $h macro. Problem noted by Gregory Neil Shapiro. CONFIG: Retain "+detail" information when forwarding mail to a MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip Guenther of Gustavus Adolphus College. CONFIG: Make sure user+detail works for FEATURE(virtusertable); rules are the same as for aliasing. Based on a patch from Gregory Neil Shapiro. CONFIG: Break up parsing rules into several pieces; this should have no functional change in this release, but makes it possible to have better anti-spam rulesets in the future. CONFIG: Disallow double dots in host names to avoid having the HostStatusDirectory store status under the wrong name. In some cases this can be used as a denial-of-service attack. Problem noted by Ron Jarrell of Virginia Tech, patch from Gregory Neil Shapiro. CONFIG: Don't use F=m (multiple recipients per invocation) for MAILER(procmail), but do pass F=Pn9 (include Return-Path:, don't include From_, and convert to 8-bit). Suggestions from Kimmo Suominen and Roderick Schertler. CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) were being masqueraded as though FEATURE(masquerade_entire_domain) was specified, even when it wasn't. MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft. MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't "slip in" a symbolic link between the lstat(2) call and the exclusive open. This is only a problem on System V derived systems that allow an exclusive create on files that are symbolic links pointing nowhere. MAIL.LOCAL: If the final mailbox close() failed, the user id was not reset back to root, which on some systems would cause later mailboxes to fail. Also, any partial message would not be truncated, which could result in repeated deliveries. Problem noted by Bruce Evans via Peter Wemm (FreeBSD developers). MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar change to the sendmail map code was made in 8.8.3. Problem noted by Gregory Neil Shapiro. MAKEMAP: Give warnings on file problems such as map files that are symbolic links; although makemap is not set-user-ID root, it is often run as root and hence has the potential for the same sorts of problems as alias rebuilds. MAKEMAP: Change compilation so that it will link properly on NEXTSTEP. CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf. Accept an optional list of arguments following the server name for the ETRN arguments to use (instead of $=w). Other miscellaneous bug fixes. From Christian von Roques via John Beck of Sun Microsystems. CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta. This Perl script converts GECOS information in the /etc/passwd file into aliases, allowing for faster access to full name lookups; it is also clever about adding aliases (to root) for system accounts. NEW FILES: src/safefile.c cf/ostype/gnuhurd.m4 cf/ostype/irix6.m4 contrib/passwd-to-alias.pl src/Makefiles/Makefile.IRIX64.6.1 src/Makefiles/Makefile.IRIX64.6.x RENAMED FILES: src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x src/Makefiles/Makefile.IRIX64 => Makefile.IRIX64.6.0 8.8.5/8.8.5 1997/01/21 SECURITY: Clear out group list during startup. Without this, sendmail will continue to run with the group permissions of the caller, even if RunAsUser is specified. SECURITY: Make purgestat (-bH) be root-only. This is not in response to any known attack, but it's best to be conservative. Suggested by Peter Wemm of DIALix. SECURITY: Fix buffer overrun problem in MIME code that has possible security implications. Patch from Alex Garthwaite of the University of Pennsylvania. Use of a -f flag with a phrase attached (e.g., "-f 'Full Name '") would truncate the address after "Full". Although the -f syntax is incorrect (since it is in the envelope, it shouldn't have comments and full names), the failure mode was unnecessarily awful. Fix a possible null pointer dereference when converting 8-bit data to a 7-bit format. Problem noted by Jim Hutchins of Sandia National Labs and David James of British Telecom. Clear out stale state that affected F=9 on SMTP mailers in queue runs. Although this really shouldn't be used (F=9 is for final delivery only, and using it on an SMTP mailer makes it possible for a message to be converted from 8->7->8->7 bits several times), it shouldn't have failed with a syserr. Problem noted by Eric Hagberg of Morgan Stanley. _Really_ fix the multiple :maildrop code in the user database module. Patch from Roy Mongiovi of Georgia Tech. Let F lines in the configuration file actually read root-only files if the configuration file is safe. Based on a patch from Keith Reynolds of SCO. ETRN followed by QUIT would hold the connection open until the queue run completed. Problem noted by Truck Lewis of TDK Semiconductor Corp. It turns out that despite the documentation, the TCP wrappers library does _not_ log rejected connections. Do the logging ourselves. Problem noted by Fletcher Mattox of the University of Texas at Austin. If sendmail finds a qf file in its queue directory that is an unknown version (e.g., when backing out to an old version), the error is reported on every queue run. Change it to only give the error once (and rename the qf => Qf). Patch from William A. Gianopoulos of Raytheon Company. Start a new session when doing background delivery; currently it ignored signals but didn't start a new signal, that caused some problems if a background process tried to send mail under certain circumstances. Problem noted by Eric Hagberg of Morgan Stanley; fix from Kari Hurtta. Simplify test for skipping a queue run to just check if the current load average is >= the queueing load average. Previously the check factored in some other parameters that caused it to essentially never skip the queue run. Patch from Bryan Costales. If the SMTP server is running in "nullserver" mode (that is, it is rejecting all commands), start sleeping after MAXBADCOMMAND (25) commands; this helps prevent a bad guy from putting you into a tight loop as a denial-of-service attack. Based on an e-mail conversation with Brad Knowles of AOL. Slow down when too many "light weight" commands have been issued; this helps prevent a class of denial-of-service attacks. The current values and defaults are: MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR MAXHELOCOMMANDS 3 HELO, EHLO MAXVRFYCOMMANDS 6 VRFY, EXPN MAXETRNCOMMANDS 8 ETRN These will probably be configurable in a future release. On systems that have uid_t typedefed to be an unsigned short, programs that had the F=S flag and no U= equate would be invoked with the real uid set to 65535 rather than being left unchanged. In some cases, NOTIFY=NEVER was not being honored. Problem noted by Steve Hubert of the University of Washington, Seattle. Mail that was Quoted-Printable encoded and had a soft line break on the last line (i.e., an incomplete continuation) had the last line dropped. Since this appears to be illegal it isn't clear what to do with it, but flushing the last line seems to be a better "fail soft" approach. Based on a patch from Eric Hagberg. If AllowBogusHELO and PrivacyOptions=needmailhelo are both set, a bogus HELO command still causes the "Polite people say HELO first" error message. Problem pointed out by Chris Thomas of UCLA; patch from John Beck of SunSoft. Handle "sendmail -bp -qSfoobar" properly if restrictqrun is set in PrivacyOptions. The -q shouldn't turn this command off. Problem noted by Murray Kucherawy of Pacific Bell Internet; based on a patch from Gregory Neil Shapiro of WPI. Don't consider SMTP reply codes 452 or 552 (exceeded storage allocation) in a DATA transaction to be sticky; these can occur because a message is too large, and smaller messages should still go through. Problem noted by Matt Dillon of Best Internet Communications. In some cases bounces were saved in /var/tmp/dead.letter even if they had been successfully delivered to the envelope sender. Problem noted Eric Hagberg of Morgan Stanley; solution from Gregory Neil Shapiro of WPI. Give better diagnostics on long alias lines. Based on code contributed by Patrick Gosling of the University of Cambridge. Increase the number of virtual interfaces that will be probed for alternate names. Problem noted by Amy Rich of Shore.Net. PORTABILITY: UXP/DS V20L10 for Fujitsu DS/90: Makefile patches from Toshiaki Nomura of Fujitsu Limited. SunOS with LDAP support: compile problems with struct timeval. Patch from Nick Cuccia of TCSI Corporation. SCO: from Keith Reynolds of SCO. Solaris: kstat load average computation wasn't being used. Fixes from Michael Ju. Tokarev of Telecom Service, JSC (Moscow). OpenBSD: from Jason Downs of teeny.org. Altos System V: from Tim Rice. Solaris 2.5: from Alan Perry of SunSoft. Solaris 2.6: from John Beck of SunSoft. Harris Nighthawk PowerUX (mh6000 box): from Bob Miorelli of Pratt & Whitney . CONFIG: It seems that I hadn't gotten the Received: line syntax _just_right_ yet. Tweak it again. I'll omit the names of the "contributors" (quantity two) in this one case. As of now, NO MORE DISCUSSION about the syntax of the Received: line. CONFIG: Although FEATURE(nullclient) uses EXPOSED_USER (class $=E), it never inserts that class into the output file. Fix it so it will honor EXPOSED_USER but will _not_ include root automatically in this class. Problem noted by Ronan KERYELL of Centre de Recherche en Informatique de l'École Nationale Supérieure des Mines de Paris (CRI-ENSMP). CONFIG: Clean up handling of "local:" syntax in relay specifications such as LUSER_RELAY. This change permits the following syntaxes: ``local:'' will send to the same user on the local machine (e.g., in a mailertable entry for "host", ``local:'' will cause an address addressed to user@host to go to user on the local machone). ``local:user'' will send to the named user on the local machine. ``local:user@host'' is equivalent to ``local:user'' (the host is ignored). In all cases, the original user@host is passed in $@ (i.e., the detail information). Inspired by a report from Michael Fuhr. CONFIG: Strip quotes from the first word of an "error:" host indication. This lets you set (for example) the LUSER_RELAY to be ``error:\"5.1.1\" Your Message Here''. Note the use of the \" so that the resulting string is properly quoted. Problem noted by Gregory Neil Shapiro of WPI. OP.ME: documentation was inconsistent about whether sendmail did a NOOP or a RSET to probe the connection (it does a RSET). Inconsistency noted by Deeran Peethamparam. OP.ME: insert additional blank pages so it will print properly on a duplex printer. From Matthew Black of Cal State University, Long Beach. 8.8.4/8.8.4 1996/12/02 SECURITY: under some circumstances, an attacker could get additional permissions by hard linking to files that were group writable by the attacker. The solution is to disallow any files that have hard links -- this will affect .forward, :include:, and output files. Problem noted by Terry Kyriacopoulos of Interlog Internet Services. As a workaround, set UnsafeGroupWrites -- always a good idea. SECURITY: the TryNullMXList (w) option should not be safe -- if it is, it is possible to do a denial-of-service attack on MX hosts that rely on the use of the null MX list. There is no danger if you have this option turned off (the default). Problem noted by Dan Bernstein. Also, make the DontInitGroups unsafe. I know of no specific attack against this, although a denial-of-service attack is probably possible, but in theory you should not be able to safely tweak anything that affects the permissions that are used when mail is delivered. Purgestat could go into an infinite loop if one of the host status directories somehow became empty. Problem noted by Roy Mongiovi of Georgia Tech. Processes got "lost" when counting children due to a race condition. This caused "proc_list_probe: lost pid" messages to be logged. Problem noted by several people. On systems with System V SIGCLD child signal semantics (notably AIX and HP-UX), mail transactions would print the message "451 SMTP-MAIL: lost child: No child processes". Problem noted by several people. Miscellaneous compiler warnings on picky compilers (or when setting gcc to high warning levels). From Tom Moore of NCR Corp. SMTP protocol errors, and most errors on MAIL FROM: lines should not be persistent between runs, since they are based on the message rather than the host. Problem noted by Matt Dillon of Best Internet Communications. The F=7 flag was ignored on SMTP mailers. Problem noted by Tom Moore of NCR (a.k.a., AT&T Global Information Solutions). Avoid the possibility of having a child daemon run to completion (including closing the SMTP socket) before the parent has had a chance to close the socket; this can cause the parent to hang for a long time waiting for the socket to drain. Patch from Don Lewis of TDK Semiconductor. If the fork() failed in a queue run, the queue runners would not be rescheduled (so queue runs would stop). Patch from Don Lewis. Some error conditions in ETRN could cause output without an SMTP status code. Problem noted by Don Lewis. Multiple :maildrop addresses in the user database didn't work properly. Patch from Roy Mongiovi of Georgia Tech. Add ".db" automatically onto any user database spec that does not already have it; this is for consistency with makemap, the K line, and the documentation. Inconsistency pointed out by Roy Mongiovi. Allow sendmail to be properly called in nohup mode. Patch from Kyle Jones of UUNET. Change ETRN to ignore but still update host status files; previously it would ignore them and not save the updated status, which caused stale information to be maintained. Based on a patch from Christopher Davis of Kapor Enterprises Inc. Also, have ETRN ignore the MinQueueAge option. Patch long term host status to recover more gracefully from an empty host status file condition. Patch from NAKAMURA Motonori of Kyoto University. Several patches to signal handling code to fix potential race conditions from Don Lewis. Make it possible to compile with -DDAEMON=0 (previously it had some compile errors). This turns DAEMON, QUEUE, and SMTP into 0/1 compilation flags. Note that DAEMON is an obsolete compile flag; use NETINET instead. Solution based on a patch from Bryan Costales. PORTABILITY FIXES: AIX4: getpwnam() and getpwuid() do a sequential scan of the /etc/security/passwd file when called as root. This is very slow on some systems. To speed it up, use the (undocumented) _getpw{nam,uid}_shadow() routines. Patch from Chris Thomas of UCLA/OAC Systems Group. SCO 5.x: include -lprot in the Makefile. Patch from Bill Glicker of Burrelle's Information Service. NEWS-OS 4.x: need a definition for MODE_T to compile. Patch from Makoto MATSUSHITA of Osaka University. SunOS 4.0.3: compile problems. Patches from Andrew Cole of Leeds University and SASABE Tetsuro of the University of Tokyo. DG/UX 5.4.4.11 from Brian J. Murrell of InterLinx Support Services, Inc. Domain/OS from Don (Truck) Lewis of TDK Semiconductor Corp. I believe this to have only been a problem if you compiled with -DUSE_VENDOR_CF_PATH -- another reason to stick with /etc/sendmail.cf as your One True Path. Digital UNIX (OSF/1 on Alpha) load average computation from Martin Laubach of the Technischen Universität Wien. CONFIG: change default Received: line to be multiple lines rather than one long one. By popular demand. MAIL.LOCAL: warnings weren't being logged on some systems. Patch from Jerome Berkman of U.C. Berkeley. MAKEMAP: be sure to zero hinfo to avoid cruft that can cause runs to take a very long time. Problem noted by Yoshiro YONEYA of NTT Software Corporation. CONTRIB: add etrn.pl, contributed by John Beck. NEW FILES: contrib/etrn.pl 8.8.3/8.8.3 1996/11/17 SECURITY: it was possible to get a root shell by lying to sendmail about argv[0] and then sending it a signal. Problem noted by Leshka Zakharoff on the best-of-security list. Log sendmail binary version number in "Warning: .cf version level (%d) exceeds program functionality (%d) message" -- this should make it clearer to people that they are running the wrong binary. Fix a problem that occurs when you open an SMTP connection and then do one or more ETRN commands followed by a MAIL command; at the end of the DATA phase sendmail would incorrectly report "451 SMTP-MAIL: lost child: No child processes". Problem noted by Eric Bishop of Virginia Tech. When doing text-based host canonification (typically /etc/hosts lookup), a null host name would match any /etc/hosts entry with space at the end of the line. Problem noted by Steve Hubert of the University of Washington, Seattle. 7 to 8 bit BASE64 MIME conversions could duplicate bits of text. Problem reported by Tom Smith of Digital Equipment Corp. Increase the size of the DNS answer buffer -- the standard UDP packet size PACKETSZ (512) is not sufficient for some nameserver answers containing very many resource records. The resolver may also switch to TCP and retry if it detects UDP packet overflow. Also, allow for the fact that the resolver routines res_query and res_search return the size of the *un*truncated answer in case the supplied answer buffer it not big enough to accommodate the entire answer. Patch from Eric Wassenaar. Improvements to MaxDaemonChildren code. If you think you have too many children, probe the ones you have to verify that they are still around. Suggested by Jared Mauch of CICnet, Inc. Also, do this probe before growing the vector of children pids; this previously caused the vector to grow indefinitely due to a race condition. Problem reported by Kyle Jones of UUNET. On some architectures, (from the Berkeley DB library) defines O_EXLOCK to zero; this fools the map compilation code into thinking that it can avoid race conditions by locking on open. Change it to check for O_EXLOCK non-zero. Problem noted by Leif Erlingsson of Data Lege. Always call res_init() on startup (if compiled in, of course) to allow the sendmail.cf file to tweak resolver flags; without it, flag tweaks in ResolverOptions are ignored. Patch from Andrew Sun of Merrill Lynch. Improvements to host status printing code. Suggested by Steve Hubert of the University of Washington, Seattle. Change MinQueueAge option processing to do the check for the job age when reading the queue file, rather than at the end; this avoids parsing the addresses, which can do DNS lookups. Problem noted by John Beck of InReference, Inc. When MIME was being 7->8 bit decoded, "From " lines weren't being properly escaped. Problem noted by Peter Nilsson of the University of Linkoping. In some cases, sendmail would retain root permissions during queue runs even if RunAsUser was set. Problem noted by Mark Thomas of Mark G. Thomas Consulting. If the F=l flag was set on an SMTP mailer to indicate that it is actually local delivery, and NOTIFY=SUCCESS is specified in the envelope, and the receiving SMTP server speaks DSN, then the DSN would be both generated locally and propagated to the other end. The U= mailer field didn't correctly extract the group id if the user id was numeric. Problem noted by Kenneth Herron of MCI Telecommunications Communications. If a message exceeded the fixed maximum size on input, the body of the message was included in the bounce. Note that this did not occur if it exceeded the maximum _output_ size. Problem reported by Kyle Jones of UUNET. PORTABILITY FIXES: AIX4: 4.1 doesn't have a working setreuid(2); change the AIX4 defines to use seteuid(2) instead, which works on 4.1 as well as 4.2. Problem noted by Håkan Lindholm of interAF, Sweden. AIX4: use tzname[] vector to determine time zone name. Patch from NAKAMURA Motonori of Kyoto University. MkLinux: add Makefile.Linux.ppc and OSTYPE(mklinux) support. Contributed by Paul DuBois . Solaris: kstat(3k) support for retrieving the load average. This adds the LA_KSTAT definition for LA_TYPE. The outline of the implementation was contributed by Michael Tokarev of Telecom Service, JSC, Moscow. HP-UX 10.0 gripes about the (perfectly legal!) forward declaration of struct rusage at the top of conf.h; change it to only be included if you are using gcc, which is apparently the only compiler that requires it in the first place. Problem noted by Jeff Earickson of Colby College. IRIX: don't default to using gcc. IRIX is a civilized operating system that comes with a decent compiler by default. Problem noted by Barry Bouwsma and Kari Hurtta. CONFIG: specify F=9 as default in FEATURE(local_procmail) for consistency with other local mailers. Inconsistency pointed out by Teddy Hogeborn . CONFIG: if the "limited best mx" feature is used (to reduce DNS overhead) as part of the bestmx_is_local feature, the domain part was dropped from the name. Patch from Steve Hubert of the University of Washington, Seattle. CONFIG: catch addresses of the form "user@.dom.ain"; these could end up being translated to the null host name, which would return any entry in /etc/hosts that had a space at the end of the line. Problem noted by Steve Hubert of the University of Washington, Seattle. CONFIG: add OSTYPE(aix4). From Michael Sofka of Rensselaer Polytechnic Institute. MAKEMAP: tweak hash and btree parameters for better performance. Patch from Matt Dillon of Best Internet Communications. NEW FILES: src/Makefiles/Makefile.Linux.ppc cf/ostype/aix4.m4 cf/ostype/mklinux.m4 8.8.2/8.8.2 1996/10/18 SECURITY: fix a botch in the 7-bit MIME patch; the previous patch changed the code but didn't fix the problem. PORTABILITY FIXES: Solaris: Don't use the system getusershell(3); it can apparently corrupt the heap in some circumstances. Problem found by Ken Pizzini of Spry, Inc. OP.ME: document several mailer flags that were accidentally omitted from this document. These flags were F=d, F=j, F=R, and F=9. CONFIG: no changes. 8.8.1/8.8.1 1996/10/17 SECURITY: unset all environment variables that the resolver will examine during queue runs and daemon mode. Problem noted by Dan Bernstein of the University of Illinois at Chicago. SECURITY: in some cases an illegal 7-bit MIME-encoded text/plain message could overflow a buffer if it was converted back to 8 bits. This caused core dumps and has the potential for a remote attack. Problem first noted by Gregory Shapiro of WPI. Avoid duplicate deliveries of error messages on systems that don't have flock(2) support. Patch from Motonori Nakamura of Kyoto University. Ignore null FallBackMX (V) options. If this option is null (as opposed to undefined) it can cause "null signature" syserrs on illegal host names. If a Base64 encoded text/plain message has no trailing newline in the encoded text, conversion back to 8 bits will drop the final line. Problem noted by Pierre David. If running with a RunAsUser, sendmail would give bogus "cannot setuid" (or seteuid, or setreuid) messages on some systems. Problem pointed out by Jordan Mendelson of Web Services, Inc. Always print error messages in -bv mode -- previously, -bv would be absolutely silent on errors if the error mode was sent to (say) mail-back. Problem noted by Kyle Jones of UUNET. If -qI/R/S is set (or the ETRN command is used), ignore all long term host status. This is necessary because it is common to do this when you know a host has just come back up. Disallow duplicate HELO/EHLO commands as required by RFC 1651 section 4.2. Excessive permissiveness noted by Lee Flight of the University of Leicester. If a service (such as NIS) is specified as the last entry in the service switch, but that service is not compiled in, sendmail would return a temporary failure when an entry was not found in the map. This caused the message to be queued instead of bouncing immediately. Problem noted by Harry Edmon of the University of Washington. PORTABILITY FIXES: Solaris 2.3 had compilation problems in conf.c. Several people pointed this out. NetBSD from Charles Hannum of MIT. AIX4 improvements based on info from Steve Bauer of South Dakota School of Mines & Technology. CONFIG: ``error:code message'' syntax was broken in virtusertable. Patch from Gil Kloepfer Jr. CONFIG: if FEATURE(nocanonify) was specified, hosts in $=M (set using MASQUERADE_DOMAIN) were not masqueraded unless they were also in $=w. Problem noted by Zoltan Basti of Softec. MAIL.LOCAL: patches to compile and link cleanly on AIX. Based on a patch from Eric Hagberg of Morgan Stanley. MAIL.LOCAL: patches to compile on NEXTSTEP. From Patrick Nolan of Stanford via Robert La Ferla. 8.8.0/8.8.0 1996/09/26 Under some circumstances, Bcc: headers would not be properly deleted. Pointed out by Jonathan Kamens of OpenVision. Log a warning if the sendmail daemon is invoked without a full pathname, which prevents "kill -1" from working. I was urged to put this in by Andrey A. Chernov of DEMOS (Russia). Fix small buffer overflow. Since the data in this buffer was not read externally, there was no security problem (and in fact probably wouldn't really overflow on most compilers). Pointed out by KIZU takashi of Osaka University. Fix problem causing domain literals such as [1.2.3.4] to be ignored if a FallbackMXHost was specified in the configuration file -- all mail would be sent to the fallback even if the original host was accessible. Pointed out by Munenari Hirayama of NSC (Japan). A message that didn't terminate with a newline would (sometimes) not have the trailing "." added properly in the SMTP dialogue, causing SMTP to hang. Patch from Per Hedeland of Ericsson. The DaemonPortOptions suboption to bind to a particular address was incorrect and nonfunctional due to a misunderstanding of the semantics of binding on a passive socket. Patch from NIIBE Yutaka of Mitsubishi Research Institute. Increase the number of MX hosts for a single name to 100 to better handle the truly huge service providers such as AOL, which has 13 at the moment (and climbing). In order to avoid trashing memory, the buffer for all names has only been slightly increased in size, to 12.8K from 10.2K -- this means that if a single name had 100 MX records, the average size of those records could not exceed 128 bytes. Requested by Brad Knowles of America On Line. Restore use of IDENT returns where the OSTYPE field equals "OTHER". Urged by Dan Bernstein of U.C. Berkeley. Print q_statdate and q_specificity in address structure debugging printout. Expand MCI structure flag bits for debugging output. Support IPv6-style domain literals, which can have colons between square braces. Log open file descriptors for the "cannot dup" messages in deliver(); this is an attempt to track down a bug that one person seems to be having (it may be a Solaris bug!). DSN NOTIFY parameters were not properly propagated across queue runs; this caused the NOTIFY info to sometimes be lost. Problem pointed out by Claus Assmann of the Christian-Albrechts-University of Kiel. The statistics gathered in the sendmail.st file were too high; in some cases failures (e.g., user unknown or temporary failure) would count as a delivery as far as the statistics were concerned. Problem noted by Tom Moore of AT&T GIS. Systems that don't have flock() would not send split envelopes in the initial run. Problem pointed out by Leonard Zubkoff of Dandelion Digital. Move buffer overflow checking -- these primarily involve distrusting results that may come from NIS and DNS. 4.4-BSD-derived systems, including FreeBSD, NetBSD, and BSD/OS didn't include and hence had the wrong pathnames for a few things like /var/tmp. Reported by Matthew Green. Conditions were reversed for the Priority: header, resulting in all values being interpreted as non-urgent except for non-urgent, which was interpreted as normal. Patch from Bryan Costales. The -o (optional) flag was being ignored on hash and btree maps since 8.7.2. Fix from Bryan Costales. Content-Types listed in class "q" will always be encoded as Quoted-Printable (or more accurately, will never be encoded as base64). The class can have primary types (e.g., "text") or full types (e.g., "text/plain"). Based on a suggestion by Marius Olafsson of the University of Iceland. Define ${envid} to be the original envelope id (from the ESMTP DSN dialogue) so it can be passed to programs in mailers. Define ${bodytype} to be the body type (from the -B flag or the BODY= ESMTP parameter) so it can be passed to programs in mailers. Cause the VRFY command to return 252 instead of 250 unless the F=q flag is set in the mailer descriptor. Suggested by John Myers of CMU. Implement ESMTP ETRN command to flush the queue for a specific host. The command takes a host name; data for that host is immediately (and asynchronously) flushed. Because this shares the -qR implementation, other hosts may be attempted, but there should be no security implications. Implementation from John Beck of InReference, Inc. See RFC 1985 for details. Add three new command line flags to pass in DSN parameters: -V envid (equivalent to ENVID=envid on the MAIL command), -R ret (equivalent to RET=ret on the MAIL command), and -Nnotify (equivalent to NOTIFY=notify on the RCPT command). Note that the -N flag applies to all recipients; there is no way to specify per-address notifications on the command line, nor is there an equivalent for the ORCPT= per-address parameter. Restore LogLevel option to be safe (it can only be increased); apparently I went into paranoid mode between 8.6 and 8.7 and made it unsafe. Pointed out by Dabe Murphy of the University of Maryland. New logging on log level 15: all SMTP traffic. Patches from Andrew Gross of San Diego Supercomputer Center. NetInfo property value searching code wasn't stopping when it found a match. This was causing the wrong values to be found (and had a memory leak). Found by Bastian Schleuter of TU-Berlin. Add new F=0 (zero) mailer flag to turn off MX lookups. It was pointed out by Bill Wisner of Electronics for Imaging that you can't use the bracket address form for the MAIL_HUB macro, since that causes the brackets to remain in the envelope recipient address used for delivery. The simple fix (stripping off the brackets in the config file) breaks the use of IP literal addresses. This flag will solve that problem. Add MustQuoteChars option. This is a list of characters that must be quoted if they are found in the phrase part of an address (that is, the full name part). The characters @,;:\()[] are always in this list and cannot be removed. The default is this list plus . and ' to match RFC 822. Add AllowBogusHELO option; if set, sendmail will allow HELO commands that do not include a host name for back compatibility with some stupid SMTP clients. Setting this violates RFC 1123 section 5.2.5. Add MaxDaemonChildren option; if this is set, sendmail will start rejecting connections if it has more than this many outstanding children accepting mail. Note that you may see more processes than this because of outgoing mail; this is for incoming connections only. Add ConnectionRateThrottle option. If set to a positive value, the number of incoming SMTP connections that will be permitted in a single second is limited to this number. Connections are not refused during this time, just deferred. The intent is to flatten out demand so that load average limiting can kick in. It is less radical than MaxDaemonChildren, which will stop accepting connections even if all the connections are idle (e.g., due to connection caching). Add Timeout.hoststatus option. This interval (defaulting to 30m) specifies how long cached information about the state of a host will be kept before they are considered stale and the host is retried. If you are using persistent host status (i.e., the HostStatusDirectory option is set) this will apply between runs; otherwise, it applies only within a single queue run and hence is useful only for hosts that have large queues that take a very long time to run. Add SingleLineFromHeader option. If set, From: headers are coerced into being a single line even if they had newlines in them when read. This is to get around a botch in Lotus Notes. Text class maps were totally broken -- if you ever retrieved the last item in a table it would be truncated. Problem noted by Gregory Neil Shapiro of WPI. Extend the lines printed by the mailq command (== the -bp flag) when -v is given to 120 characters; this allows more information to be displayed. Suggested by Gregory Neil Shapiro of WPI. Allow macro definitions (`D' lines) with unquoted commas; previously this was treated as end-of-input. Problem noted by Bryan Costales. The RET= envelope parameter (used for DSNs) wasn't properly written to the queue file. Fix from John Hughes of Atlantic Technologies, Inc. Close /var/tmp/dead.letter after a successful write -- otherwise if this happens in a queue run it can cause nasty delays. Problem noted by Mark Horton of AT&T. If userdb entries pointed to userdb entries, and there were multiple values for a given key, the database cursor would get trashed by the recursive call. Problem noted by Roy Mongiovi of Georgia Tech. Fixed by reading all the values and creating a comma-separated list; thus, the -v output will be somewhat different for this case. Fix buffer allocation problem with Hesiod-based userdb maps when HES_GETMAILHOST is defined. Based on a patch by Betty Lee of Stanford University. When envelopes were split due to aliases with owner- aliases, and there was some error on one of the lists, more than one of the owners would get the message. Problem pointed out by Roy Mongiovi of Georgia Tech. Detect excessive recursion in macro expansions, e.g., $X defined in terms of $Y which is defined in terms of $X. Problem noted by Bryan Costales; patch from Eric Wassenaar. When using F=U to get "ugly UUCP" From_ lines, a buffer could in some cases get trashed causing bogus From_ lines. Fix from Kyle Jones of UUNET. When doing load average initialization, if the nlist call for avenrun failed, the second and subsequent lookups wouldn't notice that fact causing bogus load averages to be returned. Noted by Casper Dik of Sun Holland. Fix problem with incompatibility with some versions of inet_aton that have changed the return value to unsigned, so a check for an error return of -1 doesn't work. Use INADDR_NONE instead. This could cause mail to addresses such as [foo.com] to bounce or get dropped. Problem noted by Christophe Wolfhugel of the Pasteur Institute. DSNs were inconsistent if a failure occurred during the DATA phase rather than the RCPT phase: the Action: would be correct, but the detailed status information would be wrong. Problem noted by Bob Snyder of General Electric Company. Add -U command line flag and the XUSR ESMTP extension, both indicating that this is the initial MUA->MTA submission. The flag current does nothing, but in future releases (when MUAs start using these flags) it will probably turn on things like DNS canonification. Default end-of-line string (E= specification on mailer [M] lines) to \r\n on SMTP mailers. Default remains \n on non-SMTP mailers. Change the internal definition for the *file* and *include* mailers to have $u in the argument vectors so that they aren't misinterpreted as SMTP mailers and thus use \r\n line termination. This will affect anyone who has redefined either of these in their configuration file. Don't assume that IDENT servers close the connection after a query; responses can be newline terminated. From Terry Kennedy of St. Peter's College. Avoid core dumps on erroneous configuration files that have $#mailer with nothing following. From Bryan Costales. Avoid null pointer dereference with high debug values in unlockqueue. Fix from Randy Martin of Clemson University. Fix possible buffer overrun when expanding very large macros. Fix from Kyle Jones of UUNET. After 25 EXPN or VRFY commands, start pausing for a second before processing each one. This avoids a certain form of denial of service attack. Potential attack pointed out by Bryan Costales. Allow new named (not numbered!) config file rules to do validity checking on SMTP arguments: check_mail for MAIL commands and check_rcpt for RCPT commands. These rulesets can do anything they want; their result is ignored unless they resolve to the $#error mailer, in which case the indicated message is printed and the command is rejected. Similarly, the check_compat ruleset is called before delivery with "from_addr $| to_addr" (the $| is a meta-symbol used to separate the two addresses); it can give a "this sender can't send to this recipient" notification. Note that this patch allows $| to stand alone in rulesets. Define new macros ${client_name}, ${client_addr}, and ${client_port} that have the name, IP address, and port number (respectively) of the SMTP client (that is, the entity at the other end of the connection. These can be used in (e.g.) check_rcpt to verify that someone isn't trying to relay mail through your host inappropriately. Be sure to use the deferred evaluation form, for example $&{client_name}, to avoid having these bound when sendmail reads the configuration file. Add new config file rule check_relay to check the incoming connection information. Like check_compat, it is passed the host name and host address separated by $| and can reject connections on that basis. Allow IDA-style recursive function calls. Code contributed by Mark Lovell and Paul Vixie. Eliminate the "No ! in UUCP From address!" message" -- instead, create a virtual UUCP address using either a domain address or the $k macro. Based on code contributed by Mark Lovell and Paul Vixie. Add Stanford LDAP map. Requires special libraries that are not included with sendmail. Contributed by Booker C. Bense ; contact him for support. See also the src/READ_ME file. Allow -dANSI to turn on ANSI escape sequences in debug output; this puts metasymbols (e.g., $+) in reverse video. Really useful only for debugging deep bits of code where it is important to distinguish between the single-character metasymbol $+ and the two characters $, +. Changed ruleset 89 (executed in dumpstate()) to a named ruleset, debug_dumpstate. Add new UnsafeGroupWrites option; if set, .forward and :include: files that are group writable are considered "unsafe" -- that is, programs and files referenced from such files are not valid recipients. Delete bogosity test for FallBackMXhost; this prevented it to be a name that was not in DNS or was a domain-literal. Problem noted by Tom May. Change the introduction to error messages to more clearly delineate permanent from temporary failures; if both existed in a single message it could be confusing. Suggested by John Beck of InReference, Inc. The IngoreDot (i) option didn't work for lines that were terminated with CRLF. Problem noted by Ted Stockwell of Secure Computing Corporation. Add a heuristic to improve the handling of unbalanced `<' signs in message headers. Problem reported by Matt Dillon of Best Internet Communications. Check for bogus characters in the 0200-0237 range; since these are used internally, very strange errors can occur if those characters appear in headers. Problem noted by Anders Gertz of Lysator. Implement 7 -> 8 bit MIME conversions. This only takes place if the recipient mailer has the F=9 flag set, and only works on text/plain body types. Code contributed by Marius Olafsson of the University of Iceland. Special case "postmaster" name so that it is always treated as lower case in alias files regardless of configuration settings; this prevents some potential problems where "Postmaster" or "POSTMASTER" might not match "postmaster". In most cases this change is a no-op. The -o map flag was ignored for text maps. Problem noted by Bryan Costales. The -a map flag was ignored for dequote maps. Problem noted by Bryan Costales. Fix core dump when a lookup of a class "prog" map returns no response. Patch from Bryan Costales. Log instances where sendmail is deferring or rejecting connections on LogLevel 14. Suggested by Kyle Jones of UUNET. Include port number in process title for network daemons. Suggested by Kyle Jones of UUNET. Send ``double bounces'' (errors that occur when sending an error message) to the address indicated in the DoubleBounceAddress option (default: postmaster). Previously they were always sent to postmaster. Suggested by Kyle Jones of UUNET. Add new mode, -bD, that acts like -bd in all respects except that it runs in foreground. This is useful for using with a wrapper that "watches" system services. Suggested by Kyle Jones of UUNET. Fix botch in spacing around (parenthesized) comments in addresses when the comment comes before the address. Patch from Motonori Nakamura of Kyoto University. Use the prefix "Postmaster notify" on the Subject: lines of messages that are being bounced to postmaster, rather than "Returned mail". This permits the person who is postmaster more easily determine what messages are to their role as postmaster versus bounces to mail they actually sent. Based on a suggestion by Motonori Nakamura. Add new value "time" for QueueSortOrder option; this causes the queue to be sorted strictly by the time of submission. Note that this can cause very bad behavior over slow lines (because large jobs will tend to delay small jobs) and on nodes with heavy traffic (because old things in the queue for hosts that are down delay processing of new jobs). Also, this does not guarantee that jobs will be delivered in submission order unless you also set DeliveryMode=queue. In general, it should probably only be used on the command line, and only in conjunction with -qRhost.domain. In fact, there are very few cases where it should be used at all. Based on an implementation by Motonori Nakamura. If a map lookup in ruleset 5 returns tempfail, queue the message in the same manner as other rulesets. Previously a temporary failure in ruleset 5 was ignored. Patch from Booker Bense of Stanford University. Don't proceed to the next MX host if an SMTP MAIL command returns a 5yz (permanent failure) code. The next MX host will still be tried if the connection cannot be opened in the first place or if the MAIL command returns a 4yz (temporary failure) code. (It's hard to know what to do here, since neither RFC 974 nor RFC 1123 specify when to proceed to the next MX host.) Suggested by Jonathan Kamens of OpenVision, Inc. Add new "-t" flag for map definitions (the "K" line in the .cf file). This causes map lookups that get a temporary failure (e.g., name server failure) to _not_ defer the delivery of the message. This should only be used if your configuration file is prepared to do something sensible in this case. Based on an idea by Gregory Shapiro of WPI. Fix problem finding network interface addresses. Patch from Motonori Nakamura. Don't reject qf entries that are not owned by your effective uid if you are not running set-user-ID; this makes management of certain kinds of firewall setups difficult. Patch suggested by Eamonn Coleman of Qualcomm. Add persistent host status. This keeps the information normally maintained within a single queue run in disk files that are shared between sendmail instances. The HostStatusDirectory is the directory in which the information is maintained. If not set, persistent host status is turned off. If not a full pathname, it is relative to the queue directory. A common value is ".hoststat". There are also two new operation modes: * -bh prints the status of hosts that have had recent connections. * -bH purges the host statuses. No attempt is made to save recent status information. This feature was originally written by Paul Vixie of Vixie Enterprises for KJS and adapted for V8 by Mark Lovell of Bigrock Consulting. Paul's funding of Mark and Mark's patience with my insistence that things fit cleanly into the V8 framework is gratefully appreciated. New SingleThreadDelivery option (requires HostStatusDirectory to operate). Avoids letting two sendmails on the local machine open connections to the same remote host at the same time. This reduces load on the other machine, but can cause mail to be delayed (for example, if one sendmail is delivering a huge message, other sendmails won't be able to send even small messages). Also, it requires another file descriptor (for the lock file) per connection, so you may have to reduce ConnectionCacheSize to avoid running out of per-process file descriptors. Based on the persistent host status code contributed by Paul Vixie and Mark Lovell. Allow sending to non-simple files (e.g., /dev/null) even if the SafeFileEnvironment option is set. Problem noted by Bryan Costales. The -qR flag mistakenly matched flags in the "R" line of the queue file. Problem noted by Bryan Costales. If a job was aborted using the interrupt signal (e.g., control-C from the keyboard), on some occasions an empty df file would be left around; these would collect in the queue directory. Problem noted by Bryan Costales. Change the makesendmail script to enhance the search for Makefiles based on release number. For example, on SunOS 5.5.1, it will search for Makefile.SunOS.5.5.1, Makefile.SunOS.5.5, and then Makefile.SunOS.5.x (in addition to the other rules, e.g., adding $arch). Problem noted by Jason Mastaler of Atlanta Webmasters. When creating maps using "newaliases", always map the keys to lower case when creating the map unless the -f flag is specified on the map itself. Previously this was done based on the F=u flag in the local mailer, which meant you could create aliases that you could never access. Problem noted by Bob Wu of DEC. When a job was read from the queue, the bits causing notification on failure or delay were always set. This caused those notifications to be sent even if NOTIFY=NEVER had been specified. Problem noted by Steve Hubert of the University of Washington, Seattle. Add new configurable routine validate_connection (in conf.c). This lets you decide if you are willing to accept traffic from this host. If it returns FALSE, all SMTP commands will return "550 Access denied". -DTCPWRAPPERS will include support for TCP wrappers; you will need to add -lwrap to the link line. (See src/READ_ME for details.) Don't include the "THIS IS A WARNING MESSAGE ONLY" banner on postmaster bounces. Some people seemed to think that this could be confusing (even though it is true). Suggested by Motonori Nakamura. Add new RunAsUser option; this causes sendmail to do a setuid to that user early in processing to avoid potential security problems. However, this means that all .forward and :include: files must be readable by that user, and all files to be written must be writable by that user and all programs will be executed by that user. It is also incompatible with the SafeFileEnvironment option. In other words, it may not actually add much to security. However, it should be useful on firewalls and other places where users don't have accounts and the aliases file is well constrained. Add Timeout.iconnect. This is like Timeout.connect except it is used only on the first attempt to delivery to an address. It could be set to be lower than Timeout.connect on the principle that the mail should go through quickly to responsive hosts; less responsive hosts get to wait for the next queue run. Fix a problem on Solaris that occasionally causes programs (such as vacation) to hang with their standard input connected to a UDP port. It also created some signal handling problems. The problems turned out to be an interaction between vfork(2) and some of the libraries, particularly NIS/NIS+. I am indebted to Tor Egge for this fix. Change user class map to do the same matching that actual delivery will do instead of just a /etc/passwd lookup. This adds fuzzy matching to the user map. Patch from Dan Oscarsson. The Timeout.* options are not safe -- they can be used to create a denial-of-service attack. Problem noted by Christophe Wolfhugel. Don't send PostmasterCopy messages in the event of a "delayed" notification. Suggested by Barry Bouwsma. Don't advertise "VERB" ESMTP extension if the "noexpn" privacy option is set, since this disables VERB mode. Suggested by John Hawkinson of MIT. Complain if the QueueDirectory (Q) option is not set. Problem noted by Motonori Nakamura of Kyoto University. Only queue messages on transient .forward open failures if there were no successful opens. The previous behavior caused it to queue even if a "fall back" .forward was found. Problem noted by Ann-Kian Yeo of the Dept. of Information Systems and Computer Science (DISCS), NUS, Singapore. Don't do 8->7 bit conversions when bouncing a MIME message that is bouncing because of a MIME error during 8->7 bit conversion; the encapsulated message will bounce again, causing a loop. Problem noted by Steve Hubert of the University of Washington. Create xf (transcript) files using the TempFileMode option value instead of 0644. Suggested by Ann-Kian Yeo of the National University of Singapore. Print errors if setgid/setuid/etc. fail during delivery. This helps detect cases where DefaultUser is set to something that the system can't cope with. PORTABILITY FIXES: Support for AIX/RS 2.2.1 from Mark Whetzel of Western Atlas International. Patches for Intel Paragon OSF/1 1.3 from Leo Bicknell . On DEC OSF/1 3.2 and earlier, the MatchGECOS code would only work on the first recipient of a message due to a bug in the getpwent family. If this is something you use, you can define DEC_OSF_BROKEN_GETPWENT=1 for a workaround. From Maximum Entropy of Sanford C. Bernstein and Associates. FreeBSD 1.1.5.1 uname -r returns a string containing parentheses, which breaks makesendmail. Reported by Piero Serini . Sequent DYNIX/ptx 4.0.2 patches from Jack Woolley of Systems and Computer Technology Corporation. Solaris 2.x: omit the UUCP grade parameter (-g flag) because it is system-dependent. Problem noted by J.J. Bailey of Bailey Computer Consulting. Pyramid NILE running DC/OSx support from Earle F. Ake of Hassler Communication Systems Technology, Inc. HP-UX 10.x compile glitches, reported by Anne Brink of the U.S. Army and James Byrne of Harte & Lyne Limited. NetBSD from Matthew Green of the NetBSD crew. SCO 5.x from Keith Reynolds of SCO. IRIX 6.2 from Robert Tarrall of the University of Colorado and Kari Hurtta of the Finnish Meteorological Institute. UXP/DS (Fujitsu/ICL DS/90 series) support from Diego R. Lopez, CICA (Seville). NCR SVR4 MP-RAS 3.x support from Tom Moore of NCR. PTX 3.2.0 from Kenneth Stailey of the US Department of Labor Employment Standards Administration. Altos System V (5.3.1) from Tim Rice of Multitalents. Concurrent Systems Corporation Maxion from Donald R. Laster Jr. NetInfo maps (improved debugging and multi-valued aliases) from Adrian Steinmann of Steinmann Consulting. ConvexOS 11.5 (including SecureWare C2 and the Share Scheduler) from Eric Schnoebelen of Convex. Linux 2.0 mail.local patches from Horst von Brand. NEXTSTEP 3.x compilation from Robert La Ferla. NEXTSTEP 3.x code changes from Allan J. Nathanson of NeXT. Solaris 2.5 configuration fixes for mail.local by Jim Davis of the University of Arizona. Solaris 2.5 has a working setreuid. Noted by David Linn of Vanderbilt University. Solaris changes for praliases, makemap, mailstats, and smrsh. Previously you had to add -DSOLARIS in Makefile.dist; this auto-detects. Based on a patch from Randall Winchester of the University of Maryland. CONFIG: add generic-nextstep3.3.mc file. Contributed by Robert La Ferla of Hot Software. CONFIG: allow mailertables to resolve to ``error:code message'' (where "code" is an exit status) on domains (previously worked only on hosts). Patch from Cor Bosman of Xs4all Foundation. CONFIG: hooks for IPv6-style domain literals. CONFIG: predefine ALIAS_FILE and change the prototype file so that if it is undefined the AliasFile option is never set; this should be transparent for most everyone. Suggested by John Myers of CMU. CONFIG: add FEATURE(limited_masquerade). Without this feature, any domain listed in $=w is masqueraded. With it, only those domains listed in a MASQUERADE_DOMAIN macro are masqueraded. CONFIG: add FEATURE(masquerade_entire_domain). This causes masquerading specified by MASQUERADE_DOMAIN to apply to all hosts under those domains as well as the domain headers themselves. For example, if a configuration had MASQUERADE_DOMAIN(foo.com), then without this feature only foo.com would be masqueraded; with it, *.foo.com would be masqueraded as well. Based on an implementation by Richard (Pug) Bainter of U. Texas. CONFIG: add FEATURE(genericstable) to do a more general rewriting of outgoing addresses. Defaults to ``hash -o /etc/genericstable''. Keys are user names; values are outgoing mail addresses. Yes, this does overlap with the user database, and figuring out just when to use which one may be tricky. Based on code contributed by Richard (Pug) Bainter of U. Texas with updates from Per Hedeland of Ericsson. CONFIG: add FEATURE(virtusertable) to do generalized rewriting of incoming addresses. Defaults to ``hash -o /etc/virtusertable''. Keys are either fully qualified addresses or just the host part (with the @ sign). For example, a table containing: info@foo.com foo-info info@bar.com bar-info @baz.org jane@elsewhere.net would send all mail destined for info@foo.com to foo-info (which is presumably an alias), mail addressed to info@bar.com to bar-info, and anything addressed to anyone at baz.org will be sent to jane@elsewhere.net. The names foo.com, bar.com, and baz.org must all be in $=w. Based on discussions with a great many people. CONFIG: add nullclient configurations to define SMTP_MAILER_FLAGS. Suggested by Richard Bainter. CONFIG: add FAX_MAILER_ARGS to tweak the arguments passed to the "fax" mailer. CONFIG: allow mailertable entries to resolve to local:user; this passes the original user@host in to procmail-style local mailers as the "detail" information to allow them to do additional clever processing. From Joe Pruett of Teleport Corporation. Delivery to the original user can be done by specifying "local:" (with nothing after the colon). CONFIG: allow any context that takes "mailer:domain" to also take "mailer:user@domain" to force mailing to the given user; "local:user" can also be used to do local delivery. This applies on *_RELAY and in the mailertable entries. Based on a suggestion by Ribert Kiessling of Easynet. CONFIG: Allow FEATURE(bestmx_is_local) to take an argument that limits the possible domains; this reduces the number of DNS lookups required to support this feature. For example, FEATURE(bestmx_is_local, my.site.com) limits the lookups to domains under my.site.com. Code contributed by Anthony Thyssen . CONFIG: LOCAL_RULESETS introduces any locally defined rulesets, such as the check_rcpt ruleset. Suggested by Gregory Shapiro of WPI. CONFIG: MAILER_DEFINITIONS introduces any mailer definitions, in the event you have to define local mailers. Suggested by Gregory Shapiro of WPI. CONFIG: fix cases where a three- (or more-) stage route-addr could be misinterpreted as a list:...; syntax. Based on a patch by Vlado Potisk . CONFIG: Fix masquerading of UUCP addresses when the UUCP relay is remotely connected. The address host!user was being converted to host!user@thishost instead of host!user@uurelay. Problem noted by William Gianopoulos of Raytheon Company. CONFIG: add confTO_ICONNECT to set Timeout.iconnect. CONFIG: change FEATURE(redirect) message from "User not local" to "User has moved"; the former wording was confusing if the new address is still on the local host. Based on a suggestion by Andreas Luik. CONFIG: add support in FEATURE(nullclient) for $=E (exposed users). However, the class is not pre-initialized to contain root. Suggested by Gregory Neil Shapiro. CONTRIB: Remove XLA code at the request of the author, Christophe Wolfhugel. CONTRIB: Add re-mqueue.pl, contributed by Paul Pomes of Qualcomm. MAIL.LOCAL: make it possible to compile mail.local on Solaris. Note well: this produces a slightly different mailbox format (no Content-Length: headers), file ownerships and modes are different (not owned by group mail; mode 600 instead of 660), and the local mailer flags will have to be tweaked (make them match bsd4.4) in order to use this mailer. Patches from Paul Hammann of the Missouri Research and Education Network. MAIL.LOCAL: in some cases it could return EX_OK even though there was a delivery error, such as if the ownership on the file was wrong or the mode changed between the initial stat and the open. Problem reported by William Colburn of the New Mexico Institute of Mining and Technology. MAILSTATS: handle zero length files more reliably. Patch from Bryan Costales. MAILSTATS: add man page contributed by Keith Bostic of BSDI. MAKEMAP: The -d flag (to allow duplicate keys) to a btree map wasn't honored. Fix from Michael Scott Shappe. PRALIASES: add man page contributed by Keith Bostic of BSDI. NEW FILES: src/Makefiles/Makefile.AIX.2 src/Makefiles/Makefile.IRIX.6.2 src/Makefiles/Makefile.maxion src/Makefiles/Makefile.NCR.MP-RAS.3.x src/Makefiles/Makefile.SCO.5.x src/Makefiles/Makefile.UXPDSV20 mailstats/mailstats.8 praliases/praliases.8 cf/cf/generic-nextstep3.3.mc cf/feature/genericstable.m4 cf/feature/limited_masquerade.m4 cf/feature/masquerade_entire_domain.m4 cf/feature/virtusertable.m4 cf/ostype/aix2.m4 cf/ostype/altos.m4 cf/ostype/maxion.m4 cf/ostype/solaris2.ml.m4 cf/ostype/uxpds.m4 contrib/re-mqueue.pl DELETED FILES: src/Makefiles/Makefile.Solaris contrib/xla/README contrib/xla/xla.c RENAMED FILES: src/Makefiles/Makefile.NCR3000 => Makefile.NCR.MP-RAS.2.x src/Makefiles/Makefile.SCO.3.2v4.2 => Makefile.SCO.4.2 src/Makefiles/Makefile.UXPDS => Makefile.UXPDSV10 src/Makefiles/Makefile.NeXT => Makefile.NeXT.2.x src/Makefiles/Makefile.NEXTSTEP => Makefile.NeXT.3.x 8.7.6/8.7.3 1996/09/17 SECURITY: It is possible to force getpwuid to fail when writing the queue file, causing sendmail to fall back to running programs as the default user. This is not exploitable from off-site. Workarounds include using a unique user for the DefaultUser (old u & g options) and using smrsh as the local shell. SECURITY: fix some buffer overruns; in at least one case this allows a local user to get root. This is not known to be exploitable from off-site. The workaround is to disable chfn(1) commands. 8.7.5/8.7.3 1996/03/04 Fix glitch in 8.7.4 when putting certain internal lines; this can in some case cause connections to hang or messages to have extra spaces in odd places. Patch from Eric Wassenaar; reports from Eric Hall of Chiron Corporation, Stephen Hansen of Stanford University, Dean Gaudet of HotWired, and others. 8.7.4/8.7.3 1996/02/18 SECURITY: In some cases it was still possible for an attacker to insert newlines into a queue file, thus allowing access to any user (except root). CONFIG: no changes -- it is not a bug that the configuration version number is unchanged. 8.7.3/8.7.3 1995/12/03 Fix botch in name server timeout in RCPT code; this problem caused two responses in SMTP, which breaks things horribly. Fix from Gregory Neil Shapiro of WPI. Verify that L= value on M lines cannot be negative, which could cause negative array subscripting. Not a security problem since this has to be in the config file, but it could have caused core dumps. Pointed out by Bryan Costales. Fix -d21 debug output for long macro names. Pointed out by Bryan Costales. PORTABILITY FIXES: SCO doesn't have ftruncate. From Bill Aten of Computerizers. IBM's version of arpa/nameser.h defaults to the wrong byte order. Tweak it to work properly. Based on fixes from Fletcher Mattox of UTexas and Betty Lee of Stanford University. CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option. Deficiency pointed out by Bryan Costales of ICSI. 8.7.2/8.7.2 1995/11/19 REALLY fix the backslash escapes in SmtpGreetingMessage, OperatorChars, and UnixFromLine options. They were not properly repaired in 8.7.1. Completely delete the Bcc: header if and only if there are other valid recipient headers (To:, Cc: or Apparently-To:, the last being a historic botch, of course). If Bcc: is the only recipient header in the message, its value is tossed, but the header name is kept. The old behavior (always keep the header name and toss the value) allowed primary recipients to see that a Bcc: went to _someone_. Include queue id on ``Authentication-Warning: : set sender to
using -f'' syslog messages. Suggested by Kari Hurtta. If a sequence or switch map lookup entry gets a tempfail but then continues on to another map type, but the name is not found, return a temporary failure from the sequence or switch map. For example, if hosts search ``dns files'' and DNS fails with a tempfail, the hosts map will go on and search files, but if it fails the whole thing should be a tempfail, not a permanent (host unknown) failure, even though that is the failure in the hosts.files map. This error caused hard bounces when it should have requeued. Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo owned by bar mode 700 and inbox being set-user-ID bar stopped working properly due to excessive paranoia. Pointed out by John Hawkinson of Panix. An SMTP RCPT command referencing a host that gave a nameserver timeout would return a 451 command (8.6 accepted it and queued it locally). Revert to the 8.6 behavior in order to simplify queue management for clustered systems. Suggested by Gregory Neil Shapiro of WPI. The same problem could break MH, which assumes that the SMTP session will succeed (tsk, tsk -- mail gets lost!); this was pointed out by Stuart Pook of Infobiogen. Fix possible buffer overflow in munchstring(). This was not a security problem because you couldn't specify any argument to this without first giving up root privileges, but it is still a good idea to avoid future problems. Problem noted by John Hawkinson and Sam Hartman of MIT. ``452 Out of disk space for temp file'' messages weren't being printed. Fix from David Perlin of Nanosoft. Don't advertise the ESMTP DSN extension if the SendMimeErrors option is not set, since this is required to get the actual DSNs created. Problem pointed out by John Gardiner Myers of CMU. Log permission problems that cause .forward and :include: files to be untrusted or ignored on log level 12 and higher. Suggested by Randy Martin of Clemson University. Allow user ids in U= clauses of M lines to have hyphens and underscores. Fix overcounting of recipients -- only happened when sending to an alias. Pointed out by Mark Andrews of SGI and Jack Woolley of Systems and Computer Technology Corporation. If a message is sent to an address that fails, the error message that is returned could show some extraneous "success" information included even if the user did not request success notification, which was confusing. Pointed out by Allan Johannesen of WPI. Config files that had no AliasFile definition were defaulting to using /etc/aliases; this caused problems with nullclient configurations. Change it back to the 8.6 semantics of having no local alias file unless it is declared. Problem noted by Charles Karney of Princeton University. Fix compile problem if NOTUNIX is defined. Pointed out by Bryan Costales of ICSI. Map lookups of class "userdb" maps were always case sensitive; they should be controlled by the -f flag like other maps. Pointed out by Bjart Kvarme . Fix problem that caused some addresses to be passed through ruleset 5 even when they were tagged as "sticky" by prefixing the address with an "@". Patch from Thomas Dwyer III of Michigan Technological University. When converting a message to Quoted-Printable, prevent any lines with dots alone on a line by themselves. This is because of the preponderance of broken mailers that still get this wrong. Code contributed by Per Hedeland of Ericsson. Fix F{macro}/file construct -- it previously did nothing. Pointed out by Bjart Kvarme of USIT/UiO (Norway). Announce whether a cached connection is SMTP or ESMTP (in -v mode). Requested by Allan Johannesen. Delete check for text format of alias files -- it should be legal to have the database format of the alias files without the text version. Problem pointed out by Joe Rhett of Navigist, Inc. If "Ot" was specified with no value, the TZ variable was not properly imported from the environment. Pointed out by Frank Crawford . Some architectures core dumped on "program" maps that didn't have extra arguments. Patch from Booker C. Bense of Stanford University. Queue run processes would re-spawn daemons when given a SIGHUP; only the parent should do this. Fix from Brian Coan of the Association for Progressive Communications. If MinQueueAge was set and a message was considered but not run during a queue run and the Timeout.queuereturn interval was reached, a "timed out" error message would be returned that didn't include the failed address (and claimed to be a warning even though it was fatal). The fix is to not return such messages until they are actually tried, i.e., in the next MinQueueAge interval. Problem noted by Rein Tollevik of SINTEF RUNIT, Oslo. Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions that have the hes_getmailhost() routine. DEC Hesiod distributions do not have this routine. Based on a patch from Betty Lee of Stanford University. Extensive cleanups to map open code to handle a locking race condition in ndbm, hash, and btree format database files on some (most non-4.4-BSD based) OS architectures. This should solve the occasional "user unknown" problem during alias rebuilds that has plagued me for quite some time. Based on a patch from Thomas Dwyer III of Michigan Technological University. PORTABILITY FIXES: Solaris: Change location of newaliases and mailq from /usr/ucb to /usr/bin to match Sun settings. From James B. Davis of TCI. DomainOS: Makefile.DomainOS doesn't require -ldbm. From Don Lewis of Silicon Systems. HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x so that the makesendmail script will find it. Pointed out by Richard Allen of the University of Iceland. Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which isn't supported on all compilers. UXPDS: compilation fixes from Diego R. Lopez. CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE. CONFIG: Minor glitch in S21 -- attachment of local domain name didn't have trailing dot. From Jim Hickstein of Teradyne. CONFIG: Fix best_mx_is_local feature to allow nested addresses such as user%host@thishost. From Claude Scarpelli of Infobiogen (France). CONFIG: OSTYPE(hpux10) failed to define the location of the help file. Pointed out by Hannu Martikka of Nokia Telecommunications. CONFIG: Diagnose some inappropriate ordering in configuration files, such as FEATURE(smrsh) listed after MAILER(local). Based on a bug report submitted by Paul Hoffman of Proper Publishing. CONFIG: Make OSTYPE files consistently not override settings that have already been set. Previously it worked differently for different files. CONFIG: Change relay mailer to do masquerading like 8.6 did. My take is that this is wrong, but the change was causing problems for some people. From Per Hedeland of Ericsson. CONTRIB: bitdomain.c patch from John Gardiner Myers ; portability changes for Posix environments (no functional changes). 8.7.1/8.7.1 1995/10/01 Old macros that have become options (SmtpGreetingMessage, OperatorChars, and UnixFromLine) didn't allow backslash escapes in the options, where they previously had. Bug pointed out by John Hawkinson of MIT. Fix strange case of an executable called by a program map that returns a value but also a non-zero exit status; this would give contradictory results in the higher level; in particular, the default clause in the map lookup would be ignored. Change to ignore the value if the program returns non-zero exit status. From Tom Moore of AT&T GIS. Shorten parameters passed to syslog() in some contexts to avoid a bug in many vendors' implementations of that routine. Although this isn't really a bug in sendmail per se, and my solution has to assume that syslog() has at least a 1K buffer size internally (I know some vendors have shortened this dramatically -- they're on their own), sendmail is a popular target. Also, limit the size of %s arguments in sprintf. These both have possible security implications. Solutions suggested by Casper Dik of Sun's Network Security Group (Holland), Mark Seiden, and others. Fix a problem that might cause a non-standard -B (body type) parameter to be passed to the next server with undefined results. This could have security implications. If a filesystem was at > 100% utilization, the freediskspace() routine incorrectly returned an error rather than zero. Problem noted by G. Paul Ziemba of Alantec. Change MX sort order so that local hostnames (those in $=w) always sort first within a given preference. This forces the bestmx map to always return the local host first, if it is included in the list of highest priority MX records. From K. Robert Elz. Avoid some possible null pointer dereferences. Fixes from Randy Martin When sendmail starts up on systems that have no fully qualified domain name (FQDN) anywhere in the first matching host map (e.g., /etc/hosts if the hosts service searches "files dns"), sendmail would sleep to try to find a FQDN, which it really really needs. This has been changed to fall through to the next map type if it can't find a FQDN -- i.e., if the hosts file doesn't have a FQDN, it will try dns even though the short name was found in /etc/hosts. This is probably a crock, but many people have hosts files without FQDNs. Remember: domain names are your friends. Log a high-priority message if you can't find your FQDN during startup. Suggested by Simon Barnes of Schlumberger Limited. When using Hesiod, initialize it early to improve error reporting. Patch from Don Lewis of Silicon Systems, Inc. Apparently at least some versions of Linux have a 90 !minute! TCP connection timeout in the kernel. Add a new "connect" timeout to limit this time. Defaults to zero (use whatever the kernel provides). Based on code contributed by J.R. Oldroyd of TerraNet. Under some circumstances, a failed message would not be properly removed from the queue, causing tons of bogus error messages. (This fix eliminates the problematic EF_KEEPQUEUE flag.) Problem noted by Allan E Johannesen and Gregory Neil Shapiro of WPI. PORTABILITY FIXES: On IRIX 5.x, there was an inconsistency in the setting of sendmail.st location. Change the Makefile to install it in /var/sendmail.st to match the OSTYPE file and SGI standards. From Andre . Support for Fujitsu/ICL UXP/DS (For the DS/90 Series) from Diego R. Lopez . Linux compilation patches from J.R. Oldroyd of TerraNet, Inc. LUNA 2 Mach patches from Motonori Nakamura. SunOS Makefile was including -ldbm, which is for the old dbm library. The ndbm library is part of libc. CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with ``local configuration error'' in nullclient configuration. Patch from Gregory Neil Shapiro of WPI. CONFIG: don't allow an alias file in nullclient configurations -- since all addresses are relayed, they give errors during rebuild. Suggested by Per Hedeland of Ericsson. CONFIG: local mailer on Solaris 2 should always get a -f flag because otherwise the F=S causes the From_ line to imply that root is the sender. Problem pointed out by Claude Scarpelli of Infobiogen (France). NEW FILES: cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake) src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake) src/Makefiles/Makefile.UXPDS 8.7/8.7 1995/09/16 Fix a problem that could cause sendmail to run out of file descriptors due to a trashed data structure after a vfork. Fix from Brian Coan of the Institute for Global Communications. Change the VRFY response if you have disabled VRFY -- some people seemed to think that it was too rude. Avoid reference to uninitialized file descriptor if HASFLOCK was not defined. This was used "safely" in the sense that it only did a stat, but it would have set the map modification time improperly. Problem pointed out by Roy Mongiovi of Georgia Tech. Clean up the Subject: line on warning messages and return receipts so that they don't say "Returned mail:"; this can be confusing. Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is useful enough to make it worthwhile printing on "-d". Avoid logging alias statistics every time you read the alias file on systems with no database method compiled in. If you have a name with a trailing dot, and you try looking it up using gethostbyname without the dot (for /etc/hosts compatibility), be sure to turn off RES_DEFNAMES and RES_DNSRCH to avoid finding the wrong name accidentally. Problem noted by Charles Amos of the University of Maryland. Don't do timeouts in collect if you are not running SMTP. There is nothing that says you can't have a long running program piped into sendmail (possibly via /bin/mail, which just execs sendmail). Problem reported by Don "Truck" Lewis of Silicon Systems. Try gethostbyname() even if the DNS lookup fails iff option I is not set. This allows you to have hosts listed in NIS or /etc/hosts that are not known to DNS. It's normally a bad idea, but can be useful on firewall machines. This should really be broken out on a separate flag, I suppose. Avoid compile warnings against BIND 4.9.3, which uses function prototypes. From Don Lewis of Silicon Systems. Avoid possible incorrect diagnosis of DNS-related errors caused by things like attempts to resolve uucp names using $[ ... $] -- the fix is to clear h_errno at appropriate times. From Kyle Jones of UUNET. SECURITY: avoid denial-of-service attacks possible by destroying the alias database file by setting resource limits low. This involves adding two new compile-time options: HASSETRLIMIT (indicating that setrlimit(2) support is available) and HASULIMIT (indicating that ulimit(2) support is available -- the Release 3 form is used). The former is assumed on BSD-based systems, the latter on System V-based systems. Attack noted by Phil Brandenberger of Swarthmore University. New syntaxes in test (-bt) mode: ``.Dmvalue'' will define macro "m" to "value". ``.Ccvalue'' will add "value" to class "c". ``=Sruleset'' will dump the contents of the indicated ruleset. ``=M'' will display the known mailers. ``-ddebug-spec'' is equivalent to the command-line -d debug flag. ``$m'' will print the value of macro $m. ``$=c'' will print the contents of class $=c. ``/mx host'' returns the MX records for ``host''. ``/parse address'' will parse address, returning the value of crackaddr (essentially, the comment information) and the parsed address. ``/try mailer address'' will rewrite address into the form it will have when presented to the indicated mailer. ``/tryflags flags'' will set flags used by parsing. The flags can be `H' for header or `E' for envelope, and `S' for sender or `R' for recipient. These can be combined, so `HR' sets flags for header recipients. ``/canon hostname'' will try to canonify hostname and return the result. ``/map mapname key'' will look up `key' in the indicated `mapname' and return the result. Somewhat better handling of UNIX-domain socket addresses -- it should show the pathname rather than hex bytes. Restore ``-ba'' mode -- this reads a file from stdin and parses the header for envelope sender information and uses CRLF as message terminators. It was thought to be obsolete (used only for Arpanet NCP protocols), but it turns out that the UK ``Grey Book'' protocols require that functionality. Fix a fix in previous release -- if gethostname and gethostbyname return a name without dots, and if an attempt to canonify that name fails, wait one minute and try again. This can result in an extra 60 second delay on startup if your system hostname (as returned by hostname(1)) has no dot and no names listed in /etc/hosts or your NIS map have a dot. Check for proper domain name on HELO and EHLO commands per RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III of Michigan Technological University. Relax chownsafe rules slightly -- old version said that if you can't tell if _POSIX_CHOWN_RESTRICTED is set (that is, if fpathconf returned EINVAL or ENOSYS), assume that chown is not safe. The new version falls back to whether you are on a BSD system or not. This is important for SunOS, which apparently always returns one of those error codes. This impacts whether you can mail to files or not. Syntax errors such as unbalanced parentheses in the configuration file could be omitted if you had "Oem" prior to the syntax error in the config file. Change to always print the error message. It was especially weird because it would cause a "warning" message to be sent to the Postmaster for every message sent (but with no transcript). Problem noted by Gregory Paris of Motorola. Rewrite collect and putbody to handle full 8-bit data, including zero bytes. These changes are internally extensive, but should have minimal impact on external function. Allow full words for option names -- if the option letter is (apparently) a space, then take the word following -- e.g., O MatchGECOS=TRUE The full list of old and new names is as follows: 7 SevenBitInput 8 EightBitMode A AliasFile a AliasWait B BlankSub b MinFreeBlocks/MaxMessageSize C CheckpointInterval c HoldExpensive D AutoRebuildAliases d DeliveryMode E ErrorHeader e ErrorMode f SaveFromLine F TempFileMode G MatchGECOS H HelpFile h MaxHopCount i IgnoreDots I ResolverOptions J ForwardPath j SendMimeErrors k ConnectionCacheSize K ConnectionCacheTimeout L LogLevel l UseErrorsTo m MeToo n CheckAliases O DaemonPortOptions o OldStyleHeaders P PostmasterCopy p PrivacyOptions Q QueueDirectory q QueueFactor R DontPruneRoutes r, T Timeout S StatusFile s SuperSafe t TimeZoneSpec u DefaultUser U UserDatabaseSpec V FallbackMXHost v Verbose w TryNullMXList x QueueLA X RefuseLA Y ForkEachJob y RecipientFactor z ClassFactor Z RetryFactor The old macros that passed information into sendmail have been changed to options; those correspondences are: $e SmtpGreetingMessage $l UnixFromLine $o OperatorChars $q (deleted -- not necessary) To avoid possible problems with an older sendmail, configuration level 6 is accepted by this version of sendmail; any config file using the new names should specify "V6" in the configuration. Change address parsing to properly note that a phrase before a colon and a trailing semicolon are essentially the same as text outside of angle brackets (i.e., sendmail should treat them as comments). This is to handle the ``group name: addr1, addr2, ..., addrN;'' syntax (it will assume that ``group name:'' is a comment on the first address and the ``;'' is a comment on the last address). This requires config file support to get right. It does understand that :: is NOT this syntax, and can be turned off completely by setting the ColonOkInAddresses option. Level 6 config files added with new mailer flags: A Addresses are aliasable. i Do udb rewriting on envelope as well as header sender lines. Applies to the from address mailer flags rather than the recipient mailer flags. j Do udb rewriting on header recipient addresses. Applies to the sender mailer flags rather than the recipient mailer flags. k Disable check for loops when doing HELO command. o Always run as the mail recipient, even on local delivery. w Check for an /etc/passwd entry for this user. 5 Pass addresses through ruleset 5. : Check for :include: on this address. | Check for |program on this address. / Check for /file on this address. @ Look up sender header addresses in the user database. Applies to the mailer flags for the mailer corresponding to the envelope sender address, rather than to recipient mailer flags. Pre-level 6 configuration files set A, w, 5, :, |, /, and @ on the "local" mailer, the o flag on the "prog" and "*file*" mailers, and the ColonOkInAddresses option. Eight-to-seven bit MIME conversions. This borrows ideas from John Beck of Hewlett-Packard, who generously contributed their implementation to me, which I then didn't use (see mime.c for an explanation of why). This adds the EightBitMode option (a.k.a. `8') and an F=8 mailer flag to control handling of 8-bit data. These have to cope with two types of 8-bit data: unlabelled 8-bit data (that is, 8-bit data that is entered without declaring it as 8-bit MIME -- technically this is illegal according to the specs) and labelled 8-bit data (that is, it was declared as 8BITMIME in the ESMTP session or by using the -B8BITMIME command line flag). If the F=8 mailer flag is set then 8-bit data is sent to non-8BITMIME machines instead of converting to 7 bit (essentially using just-send-8 semantics). The values for EightBitMode are: m convert unlabelled 8-bit input to 8BITMIME, and do any necessary conversion of 8BITMIME to 7BIT (essentially, the full MIME option). p pass unlabelled 8-bit input, but convert labelled 8BITMIME input to 7BIT as required (default). s strict adherence: reject unlabelled 8-bit input, convert 8BITMIME to 7BIT as required. The F=8 flag is ignored. Unlabelled 8-bit data is rejected in mode `s' regardless of the setting of F=8. Add new internal class 'n', which is the set of MIME Content-Types which can not be 8 to 7 bit encoded because of other considerations. Types "multipart/*" and "message/*" are never directly encoded (although their components can be). Add new internal class 's', which is the set of subtypes of the MIME message/* content type that can be treated as though they are an RFC822 message. It is predefined to have "rfc822". Suggested By Kari Hurtta. Add new internal class 'e'. This is the set of MIME Content-Transfer-Encodings that can be converted to a seven bit format (Quoted-Printable or Base64). It is preinitialized to contain "7bit", "8bit", and "binary". Add C=charset mailer parameter and the the DefaultCharSet option (no short name) to set the default character set to use in the Content-Type: header when doing encoding of an 8-bit message which isn't marked as MIME into MIME format. If the C= parameter is set on the Envelope From address, use that as the default encoding; else use the DefaultCharSet option. If neither is set, it defaults to "unknown-8bit" as suggested by RFC 1428 section 3. Allow ``U=user:group'' field in mailer definition to set a default user and group that a mailer will be executed as. This overrides the 'u' and 'g' options, and if the `F=S' flag is also set, it is the uid/gid that will always be used (that is, the controlling address is ignored). The values may be numeric or symbolic; if only a symbolic user is given (no group) that user's default group in the passwd file is used as the group. Based on code donated by Chip Rosenthal of Unicom. Allow `u' option to also accept user:group as a value, in the same fashion as the U= mailer option. Add the symbolic time zone name in the Arpanet format dates (as a comment). This adds a new compile-time configuration flag: TZ_TYPE can be set to TZ_TM_NAME (use the value of (struct tm *)->tm_name), TZ_TM_ZONE (use the value of (struct tm *)->tm_zone), TZ_TZNAME (use extern char *tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use timezone()), or TZ_NONE (don't include the comment). Code from Chip Rosenthal. The "Timeout" option (formerly "r") is extended to allow suboptions. For example, O Timeout.helo = 2m There are also two new suboptions "queuereturn" and "queuewarn"; these subsume the old T option. Thus, to set them both the preferred new syntax is O Timeout.queuereturn = 5d O Timeout.queuewarn = 4h Sort queue by host name instead of by message priority if the QueueSortOrder option (no short name) is set is set to ``host''. This makes better use of the connection cache, but may delay more ``interactive'' messages behind large backlogs under some circumstances. This is probably a good option if you have high speed links or don't do lots of ``batch'' messages, but less good if you are using something like PPP on a 14.4 modem. Based on code contributed by Roy Mongiovi of Georgia Tech (my main contribution was to make it configurable). Save i-number of df file in qf file to simplify rebuilding of queue after disastrous disk crash. Suggested by Kyle Jones of UUNET; closely based on code from KJS DECWRL code written by Paul Vixie. NOTA BENE: The qf files produced by 8.7 are NOT back compatible with 8.6 -- that is, you can convert from 8.6 to 8.7, but not the other direction. Add ``F=d'' mailer flag to disable all use of angle brackets in route-addrs in envelopes; this is because in some cases they can be sent to the shell, which interprets them as I/O redirection. Don't include error file (option E) with return-receipts; this can be confusing. Don't send "Warning: cannot send" messages to owner-* or *-request addresses. Suggested by Christophe Wolfhugel of the Institut Pasteur, Paris. Allow -O command line flag to set long form options. Add "MinQueueAge" option to set the minimum time between attempts to run the queue. For example, if the queue interval (-q value) is five minutes, but the minimum queue age is fifteen minutes, jobs won't be tried more often than once every fifteen minutes. This can be used to give you more responsiveness if your delivery mode is set to queue-only. Allow "fileopen" timeout (default: 60 seconds) for opening :include: and .forward files. Add "-k", "-v", and "-z" flags to map definitions; these set the key field name, the value field name, and the field delimiter. The field delimiter can be a single character or the sequence "\t" or "\n" for tab or newline. These are for use by NIS+ and similar access methods. Change maps to always strip quotes before lookups; the -q flag turns off this behavior. Suggested by Motonori Nakamura. Add "nisplus" map class. Takes -k and -v flags to choose the key and value field names respectively. Code donated by Sun Microsystems. Add "hesiod" map class. The "file name" is used as the "HesiodNameType" parameter to hes_resolve(3). Returns the first value found for the match. Code donated by Scott Hutton of Indiana University. Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to specify the name of the property that is searched as the key and a -v flag to specify the name of the property that is returned as the value (defaults to "members"). The default map is "/aliases". Some code based on code contributed by Robert La Ferla of Hot Software. Add "text" map class. This does slow, linear searches through text files. The -z flag specifies a column delimiter (defaults to any sequence of white space), the -k flag sets the key column number, and the -v flag sets the value column number. Lines beginning with `#' are treated as comments. Add "program" map class to execute arbitrary programs. The search key is presented as the last argument; the output is one line read from the programs standard output. Exit statuses are from sysexits.h. Add "sequence" map class -- searches maps in sequence until it finds a match. For example, the declarations: Kmap1 ... Kmap2 ... Kmapseq sequence map1 map2 defines a map "mapseq" that first searches map1; if the value is found it is returned immediately, otherwise map2 is searched and the value returned. Add "switch" map class. This is much like "sequence" except that the ordering is fetched from an external file, usually the system service switch. The parameter is the name of the service to switch on, and the maps that it will use are the name of the switch map followed by ".service_type". For example, if the declaration of the map is Ksample switch hosts and the system service switch specifies that hosts are looked up using dns and nis in that order, then this is equivalent to Ksample sequence sample.dns sample.nis The subordinate maps (sample.*) must already be defined. Add "user" map class -- looks up users using getpwnam. Takes a "-v field" flag on the definition that tells what passwd entry to return -- legal values are name, passwd, uid, gid, gecos, dir, and shell. Generally expected to be used with the -m (matchonly) flag. Add "bestmx" map class -- returns the best MX value for the host listed as the value. If there are several "best" MX records for this host, one will be chosen at random. Add "userdb" map class -- looks up entries in the user database. The "file name" is actually the tag that will be used, typically "mailname". If there are multiple entries matching the name, the one chosen is undefined. Add multiple queue timeouts (both return and warning). These are set by the Precedence: or Priority: header fields to one of three values. If a Priority: is set and has value "normal", "urgent", or "non-urgent" the corresponding timeouts are used. If no priority is set, the Precedence: is consulted; if negative, non-urgent timeouts are used; if greater than zero, urgent timeouts are used. Otherwise, normal timeouts are used. The timeouts are set by setting the six timeouts queue{warn,return}.{urgent,normal,non-urgent}. Fix problem when a mail address is resolved to a $#error mailer with a temporary failure indication; it works in SMTP, but when delivering locally the mail is silently discarded. This patch, from Kyle Jones of UUNET, bounces it instead of queueing it (queueing is very hard). When using /etc/hosts or NIS-style lookups, don't assume that the first name in the list is the best one -- instead, search for the first one with a dot. For example, if an /etc/hosts entry reads 128.32.149.68 mammoth mammoth.CS.Berkeley.EDU this change will use the second name as the canonical machine name instead of the initial, unqualified name. Change dequote map to replace spaces in quoted text with a value indicated by the -s flag on the dequote map definition. For example, ``Mdequote dequote -s_'' will change "Foo Bar" into an unquoted Foo_Bar instead of leaving it quoted (because of the space character). Suggested by Dan Oscarsson for use in X.400 addresses. Implement long macro names as ${name}; long class names can be similarly referenced as $={name} and $~{name}. Definitions are (e.g.) ``D{name}value''. Names that have a leading lower case letter or punctuation characters are reserved for internal use by sendmail; i.e., config files should use names that begin with a capital letter. Based on code contributed by Dan Oscarsson. Fix core dump if getgrgid returns a null group list (as opposed to an empty group list, that is, a pointer to a list with no members). Fix from Andrew Chang of Sun Microsystems. Fix possible core dump if malloc fails -- if the malloc in xalloc failed, it called syserr which called newstr which called xalloc.... The newstr is now avoided for "panic" messages. Reported by Stuart Kemp of James Cook University. Improve connection cache timeouts; previously, they were not even checked if you were delivering to anything other than an IPC-connected host, so a series of (say) local mail deliveries could cause cached connections to be open much longer than the specified timeout. If an incoming message exceeds the maximum message size, stop writing the incoming bytes to the queue data file, since this can fill your mqueue partition -- this is a possible denial-of-service attack. Don't reject all numeric local user names unless HESIOD is defined. It turns out that Posix allows all-numeric user names. Fix from Tony Sanders of BSDI. Add service switch support. If the local OS has a service switch (e.g., /etc/nsswitch.conf on Solaris or /etc/svc.conf on DEC systems) that will be used; otherwise, it falls back to using a local mechanism based on the ServiceSwitchFile option (default: /etc/service.switch). For example, if the service switch lists "files" and "nis" for the aliases service, that will be the default lookup order. the "files" ("local" on DEC) service type expands to any alias files you listed in the configuration file, even if they aren't actually file lookups. Option I (NameServerOptions) no longer sets the "UseNameServer" variable which tells whether or not DNS should be considered canonical. This is now determined based on whether or not "dns" is in the service list for "hosts". Add preliminary support for the ESMTP "DSN" extension (Delivery Status Notifications). DSN notifications override Return-Receipt-To: headers, which are bogus anyhow -- support for them has been removed. Add T=mts-name-type/address-type/diagnostic-type keyletter to mailer definitions to define the types used in DSN returns for MTA names, addresses, and diagnostics respectively. Extend heuristic to force running in ESMTP mode to look for the five-character string "ESMTP" anywhere in the 220 greeting message (not just the second line). This is to provide better compatibility with other ESMTP servers. Print sequence number of job when running the queue so you can easily see how much progress you have made. Suggested by Peter Wemm of DIALix. Map newlines to spaces in logged message-ids; some versions of syslog truncate the rest of the line after newlines. Suggested by Fletcher Mattox of U. Texas. Move up forking for job runs so that if a message is split into multiple envelopes you don't get "fork storms" -- this also improves the connection cache utilization. Accept "<<>>", "<<<>>>", and so forth as equivalent to "<>" for the purposes of refusing to send error returns. Suggested by Motonori Nakamura of Ritsumeikan University. Relax rules on when a file can be written when referenced from the aliases file: use the default uid/gid instead of the real uid/gid. This allows you to create a file owned by and writable only by the default uid/gid that will work all the time (without having the set-user-ID bit set). Change suggested by Shau-Ping Lo and Andrew Cheng of Sun Microsystems. Add "DialDelay" option (no short name) to provide an "extra" delay for dial on demand systems. If this is non-zero and a connect fails, sendmail will wait this long and then try again. If it takes longer than the kernel timeout interval to establish the connection, this option can give the network software time to establish the link. The default units are seconds. Move logging of sender information to be as early as possible; previously, it could be delayed a while for SMTP mail sent to aliases. Suggested by Brad Knowles of the Defense Information Systems Agency. Call res_init() before setting RES_DEBUG; this is required by BIND 4.9.3, or so I'm told. From Douglas Anderson of the National Computer Security Center. Add xdelay= field in logs -- this is a transaction delay, telling you how long it took to deliver to this address on the last try. It is intended to be used for sorting mailing lists to favor "quick" addresses. Provided for use by the mailprio scripts (see below). If a map cannot be opened, and that map is non-optional, and an address requires that map for resolution, queue the map instead of bouncing it. This involves creating a pseudo-class of maps called "bogus-map" -- if a required map cannot be opened, the class is changed to bogus-map; all queries against bogus-map return "tempfail". The bogus-map class is not directly accessible. A sample implementation was donated by Jem Taylor of Glasgow University Computing Service. Fix a possible core dump when mailing to a program that talks SMTP on its standard input. Fix from Keith Moore of the University of Kentucky. Make it possible to resolve filenames to $#local $: @ /filename; previously, the "@" would cause it to not be recognized as a file. Problem noted by Brian Hill of U.C. Davis. Accept a -1 signal to re-exec the daemon. This only works if argv[0] is a full path to sendmail. Fix bug in "addr=..." field in O option on little-endian machines -- the network number wasn't being converted to network byte order. Patch from Kurt Lidl of Pix Technologies Corporation. Pre-initialize the resolver early on; this is to avoid a bug with BIND 4.9.3 that can cause the _res.retry field to get reset to zero, causing all name server lookups to time out. Fix from Matt Day of Artisoft. Restore T line (trusted users) in config file -- but instead of locking out the -f flag, they just tell whether or not an X-Authentication-Warning: will be added. This really just creates new entries in class 't', so "Ft/file/name" can be used to read trusted user names from a file. Trusted users are also allowed to execute programs even if they have a shell that isn't in /etc/shells. Improve NEWDB alias file rebuilding so it will create them properly if they do not already exist. This had been a MAYBENEXTRELEASE feature in 8.6.9. Check for @:@ entry in NIS maps before starting up to avoid (but not prevent, sigh) race conditions. This ought to be handled properly in ypserv, but isn't. Suggested by Michael Beirne of Motorola. Refuse connections if there isn't enough space on the filesystem holding the queue. Contributed by Robert Dana of Wolf Communications. Skip checking for directory permissions in the path to a file when checking for file permissions iff setreuid() succeeded -- it is unnecessary in that case. This avoids significant performance problems when looking for .forward files. Based on a suggestion by Win Bent of USC. Allow symbolic ruleset names. Syntax can be "Sname" to get an arbitrary ruleset number assigned or "Sname = integer" to assign a specific ruleset number. Reference is $>name_or_number. Names can be composed of alphas, digits, underscore, or hyphen (first character must be non-numeric). Allow -o flag on AliasFile lines to make the alias file optional. From Bryan Costales of ICSI. Add NoRecipientAction option to handle the case where there is no legal recipient header in the message. It can take on values: None Leave the message as is. The message will be passed on even though it is in technically illegal syntax. Add-To Add a To: header with any recipients that it can find from the envelope. This risks exposing Bcc: recipients. Add-Apparently-To Add an Apparently-To: header. This has almost no redeeming social value, and is provided only for back compatibility. Add-To-Undisclosed Add a header reading To: undisclosed-recipients:; which will have the effect of making the message legal without exposing Bcc: recipients. Add-Bcc To add an empty Bcc: header. There is a chance that mailers down the line will delete this header, which could cause exposure of Bcc: recipients. The default is NoRecipientAction=None. Truncate (rather than delete) Bcc: lines in the header. This should prevent later sendmails (at least, those that don't themselves delete Bcc:) from considering this message to be non-conforming -- although it does imply that non-blind recipients can see that a Bcc: was sent, albeit not to whom. Add SafeFileEnvironment option. If declared, files named as delivery targets must be regular files in addition to the regular checks. Also, if the option is non-null then it is used as the name of a directory that is used as a chroot(2) environment for the delivery; the file names listed in an alias or forward should include the name of this root. For example, if you run with O SafeFileEnvironment=/arch then aliases should reference "/arch/rest/of/path". If a value is given, sendmail also won't try to save to /usr/tmp/dead.letter (instead it just leaves the job in the queue as Qfxxxxxx). Inspired by *Hobbit*'s sendmail patch kit. Support -A flag for alias files; this will comma concatenate like entries. For example, given the aliases: list: member1 list: member2 and an alias file declared as: OAhash:-A /etc/aliases the final alias inserted will be "list: member1,member2"; without -A you will get an error on the second and subsequent alias for "list". Contributed by Bryan Costales of ICSI. Line-buffer transcript file. Suggested by Liudvikas Bukys. Fix a problem that could cause very long addresses to core dump in some special circumstances. Problem pointed out by Allan Johannesen. (Internal change.) Change interface to expand() (macro expansion) to be simpler and more consistent. Delete check for funny qf file names. This didn't really give any extra security and caused some people some problems. (If you -really- want this, define PICKY_QF_NAME_CHECK at compile time.) Suggested by Kyle Jones of UUNET. (Internal change.) Change EF_NORETURN to EF_NO_BODY_RETN and merge with DSN code; this is simpler and more consistent. This may affect some people who have written their own checkcompat() routine. (Internal change.) Eliminate `D' line in qf file. The df file is now assumed to be the same name as the qf file (with the `q' changed to a `d', of course). Avoid forking for delivery if all recipient mailers are marked as "expensive" -- this can be a major cost on some systems. Essentially, this forces sendmail into "queue only" mode if all it is going to do is queue anyway. Avoid sending a null message in some rather unusual circumstances (specifically, the RCPT command returns a temporary failure but the connection is lost before the DATA command). Fix from Scott Hammond of Secure Computing Corporation. Change makesendmail to use a somewhat more rational naming scheme: Makefiles and obj directories are named $os.$rel.$arch, where $os is the operating system (e.g., SunOS), $rel is the release number (e.g., 5.3), and $arch is the machine architecture (e.g., sun4). Any of these can be omitted, and anything after the first dot in a release number can be replaced with "x" (e.g., SunOS.4.x.sun4). The previous version used $os.$arch.$rel and was rather less general. Change makesendmail to do a "make depend" in the target directory when it is being created. This involves adding an empty "depend:" entry in most Makefiles. Ignore IDENT return value if the OSTYPE field returns "OTHER", as indicated by RFC 1413. Pointed out by Kari Hurtta of the Finnish Meteorological Institute. Fix problem that could cause multiple responses to DATA command on header syntax errors (e.g., lines beginning with colons). Problem noted by Jens Thomassen of the University of Oslo. Don't let null bytes in headers cause truncation of the rest of the header. Log Authentication-Warning:s. Suggested by Motonori Nakamura. Increase timeouts on message data puts to allow time for receivers to canonify addresses in headers on the fly. This is still a rather ugly heuristic. From Motonori Nakamura. Add "HasWildcardMX" suboption to ResolverOptions; if set, MX records are not used when canonifying names, and when MX lookups are done for addressing they must be fully qualified. This is useful if you have a wildcard MX record, although it may cause other problems. In general, don't use wildcard MX records. Patch from Motonori Nakamura. Eliminate default two-line SMTP greeting message. Instead of adding an extra "ESMTP spoken here" line, the word "ESMTP" is added between the first and second word of the first line of the greeting message (i.e., immediately after the host name). This eliminates the need for the BROKEN_SMTP_PEERS compile flag. Old sendmails won't see the ESMTP, but that's acceptable because SIZE was the only useful extension that old sendmails understand. Avoid gethostbyname calls on UNIX domain sockets during SIGUSR1 invoked state dumps. From Masaharu Onishi. Allow on-line comments in .forward and :include: files; they are introduced by the string "#@#", where is a space or a tab. This is intended for native representation of non-ASCII sets such as Japanese, where existing encodings would be unreadable or would lose data -- for example, NAKAMURA Motonori (romanized/less information) =?ISO-2022-JP?B?GyRCQ2ZCPBsoQg==?= =?ISO-2022-JP?B?GyRCQUdFNRsoQg==?= (with MIME encoding, not human readable) #@# ^[$BCfB<^[(B ^[$BAGE5^[(B (native encoding with ISO-2022-JP) The last form is human readable in the Japanese environment. Based on a fix from (surprise!) Motonori Nakamura. Don't make SMTP error returns on MAIL FROM: line be "sticky" for all messages to that host; these are most frequently associated with addresses rather than the host, with the exception of 421 (service shutting down). The effect was to cause queues to sometimes take an excessive time to flush. Reported by Robert Sargent of Southern Geographics Technologies and Eric Prestemon of American University. Add Nice=N mailer option to set the niceness at which a mailer will run. This is actually a relative niceness (that is, an increment on the background value). Log queue runs that are skipped due to high loads. They are logged at LOG_INFO priority iff the log level is > 8. Contributed by Bruce Nagel of Data General. Allow the error mailer to accept a DSN-style error status code instead of an sysexits status code in the host part. Anything with a dot will be interpreted as a DSN-style code. Add new mailer flag: F=3 will tell translations to Quoted-Printable to encode characters that might be munged by an EBCDIC system in addition to the set required by RFC 1521. The additional characters are !, ", #, $, @, [, \, ], ^, `, {, |, }, and ~. (Think of "IBM 360" as the mnemonic for this flag.) Change check for mailing to files to look for a pathname of [FILE] rather than looking for the mailer named *file*. The mapping of leading slashes still goes to the *file* mailer. This allows you to implement the *file* mailer as a separate program, for example, to insert a Content-Length: header or do special security policy. However, note that the usual initial checking for the file permissions is still done, and the program in question needs to be very careful about how it does the file write to avoid security problems. Be able to read ~root/.forward even if the path isn't accessible to regular users. This is disrecommended because sendmail sometimes does not run as root (e.g., when an unsafe option is specified on the command line), but should otherwise be safe because .forward files must be owned by the user for whom mail is being forwarded, and cannot be a symbolic link. Suggested by Forrest Aldrich of Wang Laboratories. Add new "HostsFile" option that is the pathname to the /etc/hosts file. This is used for canonifying hostnames when the service type is "files". Implement programs on F (read class from file) line. The syntax is Fc|/path/to/program to read the output from the program into class "c". Probe the network interfaces to find alternate names for this host. Requires the SIOCGIFCONF ioctl call. Code contributed by SunSoft. Add "E" configuration line to set or propagate environment variables into children. "E" will propagate the named variable from the environment when sendmail was invoked into any children it calls; "E=" sets the named variable to the indicated value. Any variables not explicitly named will not be in the child environment. However, sendmail still forces an "AGENT=sendmail" environment variable, in part to enforce at least one environment variable, since many programs and libraries die horribly if this is not guaranteed. Change heuristic for rebuilding both NEWDB and NDBM versions of alias databases -- new algorithm looks for the substring "/yp/" in the file name. This is more portable and involves less overhead. Suggested by Motonori Nakamura. Dynamically allocate the queue work list so that you don't lose jobs in large queue runs. The old QUEUESIZE compile parameter is replaced by QUEUESEGSIZE (the unit of allocation, which should not need to be changed) and the MaxQueueRunSize option, which is the absolute maximum number of jobs that will ever be handled in a single queue run. Based on code contributed by Brian Coan of the Institute for Global Communications. Log message when a message is dropped because it exceeds the maximum message size. Suggested by Leo Bicknell of Virginia Tech. Allow trusted users (those on a T line or in $=t) to use -bs without an X-Authentication-Warning: added. Suggested by Mark Thomas of Mark G. Thomas Consulting. Announce state of compile flags on -d0.1 (-d0.10 throws in the OS-dependent defines). The old semantic of -d0.1 to not run the daemon in background has been moved to -d99.100, and the old 52.5 flag (to avoid disconnect() from closing all output files) has been moved to 52.100. This makes things more consistent (flags below .100 don't change semantics) and separates out the backgrounding so that it doesn't happen automatically on other unrelated debugging flags. If -t is used but no addresses are found in the header, give an error message rather than just doing nothing. Fix from Motonori Nakamura. On systems (like SunOS) where the effective gid is not necessarily included in the group list returned by getgroups(), the `restrictmailq' option could sometimes cause an authorized user to not be able to use `mailq'. Fix from Charles Hannum of MIT. Allow symbolic service names for [IPC] mailers. Suggested by Gerry Magennis of Logica International. Add DontExpandCnames option to prevent $[ ... $] from expanding CNAMEs when running DNS. For example, if the name FTP.Foo.ORG is a CNAME for Cruft.Foo.ORG, then when sitting on a machine in the Foo.ORG domain a lookup of "FTP" returns "Cruft.Foo.ORG" if this option is not set, or "FTP.Foo.ORG" if it is set. This is technically illegal under RFC 822 and 1123, but the IETF is moving toward legalizing it. Note that turning on this option is not sufficient to guarantee that a downstream neighbor won't rewrite the address for you. Add "-m" flag to makesendmail script -- this tells you what object directory and Makefile it will use, but doesn't actually do the make. Do some additional checking on the contents of the qf file to try to detect attacks against the qf file. In particular, abort on any line beginning "From ", and add an "end of file" line -- any data after that line is prohibited. Always use /etc/sendmail.cf, regardless of the arbitrary vendor choices. This can be overridden in the Makefile by using either -DUSE_VENDOR_CF_PATH to get the vendor location (to the extent that we know it) or by defining _PATH_SENDMAILCF (which is a "hard override"). This allows sendmail 8 to have more consistent installation instructions. Allow macros on `K' line in config file. Suggested by Andrew Chang of Sun Microsystems. Improved symbol table hash function from Eric Wassenaar. This one is at least 50% faster. Fix problem that didn't notice that timeout on file open was a transient error. Fix from Larry Parmelee of Cornell University. Allow comments (lines beginning with a `#') in files read for classes. Suggested by Motonori Nakamura. Make SIGINT (usually ^C) in test mode return to the prompt instead of dropping out entirely. This makes testing some of the name server lookups easier to deal with when there are hung servers. From Motonori Nakamura. Add new ${opMode} macro that is set to the current operation mode (e.g., `s' for -bs, `t' for -bt, etc.). Suggested by Claude Marinier . Add new delivery mode (Odd) that defers all map lookups to queue runs. Kind of like queue-only mode (Odq) except it tries to avoid any external service requests; for dial-on-demand hosts that want to minimize DNS lookups when mail is being queued. For this to work you will also have to make sure that gethostbyname of your local host name does not do a DNS lookup. Improved handling of "out of space" conditions from John Myers of Carnegie Mellon. Improved security for mailing to files on systems that have fchmod(2) support. Improve "cannot send message for N days" message -- now says "could not send for past N days". Suggested by Tom Moore of AT&T Global Information Solutions. Less misleading Subject: line on messages sent to postmaster only. From Motonori Nakamura. Avoid duplicate error messages on bad command line flags. From Motonori Nakamura. Better error message for case where ruleset 0 falls off the end or otherwise does not resolve to a canonical triple. Fix a problem that could cause multiple bounce messages if a bad address was sent along with a good address to an SMTP site where that SMTP site returned a 4yz code in response to the final dot of the data. Problem reported by David James of British Telecom. Add "volatile" declarations so that gcc -O2 will work. Patches from Alexander Dupuy of System Management ARTS. Delete duplicates in MX lists -- believe it or not, there are sites that list the same host twice in an MX list. This deletion only works on adjacent preferences, so an MX list that had A=5, B=10, A=15 would leave both As, but one that had A=5, A=10, B=15 would reduce to A, B. This is intentional, just in case there is something weird I haven't thought of. Suggested by Barry Shein of Software Tool & Die. SECURITY: .forward files cannot be symbolic links. If they are, a bad guy can read your private files. PORTABILITY FIXES: Solaris 2 from Rob McMahon . System V Release 4 from Motonori Nakamura of Ritsumeikan University. This expands the disk size checking to include all (?) SVR4 configurations. System V Release 4 from Kimmo Suominen -- initgroups(3) and setrlimit(2) are both available. System V Release 4 from sob@sculley.ffg.com -- some versions apparently "have EX_OK defined in other headerfiles." Linux Makefile typo. Linux getusershell(3) is broken in Slackware 2.0 -- from Andrew Pam of Xanadu Australia. More Linux tweaking from John Kennedy of California State University, Chico. Cray changes from Eric Wassenaar: ``On Cray, shorts, ints, and longs are all 64 bits, and all structs are multiples of 64 bits. This means that the sizeof operator returns only multiples of 8. This requires adaptation of code that really deals with 32 bit or 16 bit fields, such as IP addresses or nameserver fields.'' DG/UX 5.4.3 from Mark T. Robinson . To get the old behavior, use -DDGUX_5_4_2. DG/UX hack: add _FORCE_MAIL_LOCAL_=yes environment variable to fix bogus /bin/mail behavior. Tandem NonStop-UX from Rick McCarty . This also cleans up some System V Release 4 compile problems. Solaris 2: sendmail.cw file should be in /etc/mail to match all the other configuration files. Fix from Glenn Barry of Emory University. Solaris 2.3: compile problem in conf.c. Fix from Alain Nissen of the University of Liege, Belgium. Ultrix: freespace calculation was incorrect. Fix from Takashi Kizu of Osaka University. SVR4: running in background gets a SIGTTOU because the emulation code doesn't realize that "getpeername" doesn't require reading the file. Fix from Peter Wemm of DIALix. Solaris 2.3: due to an apparent bug in the socket emulation library, sockets can get into a "wedged" state where they just return EPROTO; closing and re-opening the socket clears the problem. Fix from Bob Manson of Ohio State University. Hitachi 3050R & 3050RX running HI-UX/WE2: portability fixes from Akihiro Hashimoto ("Hash") of Chiba University. AIX changes to allow setproctitle to work from Rainer Schöpf of Zentrum für Datenverarbeitung der Universität Mainz. AIX changes for load average from Ed Ravin of NASA/Goddard. SCO Unix from Chip Rosenthal of Unicom (code was using the wrong statfs call). ANSI C fixes from Adam Glass (NetBSD project). Stardent Titan/ANSI C fixes from Kate Hedstrom of Rutgers University. DG-UX fixes from Bruce Nagel of Data General. IRIX64 updates from Mark Levinson of the University of Rochester Medical Center. Altos System V (``the first UNIX/XENIX merge the Altos did for their Series 1000 & Series 2000 line; their merged code was licensed back to AT&T and Microsoft and became System V release 3.2'') from Tim Rice . OSF/1 running on Intel Paragon from Jeff A. Earickson of Intel Scalable Systems Division. Amdahl UTS System V 2.1.5 (SVr3-based) from Janet Jackson . System V Release 4 (statvfs semantic fix) from Alain Durand of I.M.A.G. HP-UX 10.x multiprocessor load average changes from Scott Hutton and Jeff Sumler of Indiana University. Cray CSOS from Scott Bolte of Cray Computer Corporation. Unicos 8.0 from Douglas K. Rand of the University of North Dakota, Scientific Computing Center. Solaris 2.4 fixes from Sanjay Dani of Dani Communications. ConvexOS 11.0 from Christophe Wolfhugel. IRIX 4.0.5 from David Ashton-Reader of CADcentre. ISC UNIX from J. J. Bailey. HP-UX 9.xx on the 8xx series machines from Remy Giraud of Meteo France. HP-UX configuration from Tom Lane . IRIX 5.2 and 5.3 from Kari E. Hurtta. FreeBSD 2.0 from Mike Hickey of Federal Data Corporation. Sony NEWS-OS 4.2.1R and 6.0.3 from Motonori Nakamura. Omron LUNA unios-b, mach from Motonori Nakamura. NEC EWS-UX/V 4.2 from Motonori Nakamura. NeXT 2.1 from Bryan Costales. AUX patch thanks to Mike Erwin of Apple Computer. HP-UX 10.0 from John Beck of Hewlett-Packard. Ultrix: allow -DBROKEN_RES_SEARCH=0 if you are using a non-DEC resolver. Suggested by Allan Johannesen. UnixWare 2.0 fixes from Petr Lampa of the Technical University of Brno (Czech Republic). KSR OS 1.2.2 support from Todd Miller of the University of Colorado. UX4800 support from Kazuhisa Shimizu of NEC. MAKEMAP: allow -d flag to allow insertion of duplicate aliases in type ``btree'' maps. The semantics of this are undefined for regular maps, but it can be useful for the user database. MAKEMAP: lock database file while rebuilding to avoid sendmail lookups while the rebuild is going on. There is a race condition between the open(... O_TRUNC ...) and the lock on the file, but it should be quite small. SMRSH: sendmail restricted shell added to the release. This can be used as an alternative to /bin/sh for the "prog" mailer, giving the local administrator more control over what programs can be run from sendmail. MAIL.LOCAL: add this local mailer to the tape. It is not really part of the release proper, and isn't fully supported; in particular, it does not run on System V based systems and never will. CONTRIB: a patch to rmail.c from Bill Gianopoulos of Raytheon to allow rmail to compile on systems that don't have function prototypes and systems that don't have snprintf. CONTRIB: add the "mailprio" scripts that will help you sort mailing lists by transaction delay times so that addresses that respond quickly get sent first. This is to prevent very sluggish servers from delaying other peoples' mail. Contributed by Tony Sanders of BSDI. CONTRIB: add the "bsdi.mc" file as contributed by Tony Sanders of BSDI. This has a lot of comments to help people out. CONFIG: Don't have .mc files include(../m4/cf.m4) -- instead, put this on the m4 command line. On GNU m4 (which supports the __file__ primitive) you can run m4 in an arbitrary directory -- use either: m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf or m4 -I${CFDIR} m4/cf.m4 config.mc > config.cf On other versions of m4 that don't support __file__, you can use: m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ... (Note the trailing slash on the _CF_DIR_ definition.) Old versions of m4 will default to _CF_DIR_=.. for back compatibility. CONFIG: fix mail from <> so it will properly convert to MAILER-DAEMON on local addresses. CONFIG: fix code that was supposed to catch colons in host names. Problem noted by John Gardiner Myers of CMU. CONFIG: allow use of SMTP_MAILER_MAX in nullclient configuration. From Paul Riddle of the University of Maryland, Baltimore County. CONFIG: Catch and reject "." as a host address. CONFIG: Generalize domaintable to look up all domains, not just unqualified ones. CONFIG: Delete OLD_SENDMAIL support -- as near as I can tell, it was never used and didn't work anyway. CONFIG: Set flags A, w, 5, :, /, |, and @ on the "local" mailer and d on all mailers in the UUCP class. CONFIG: Allow "user+detail" to be aliased specially: it will first look for an alias for "user+detail", then for "user+*", and finally for "user". This is intended for forwarding mail for system aliases such as root and postmaster to a centralized hub. CONFIG: add confEIGHT_BIT_HANDLING to set option 8 (see above). CONFIG: add smtp8 mailer; this has the F=8 (just-send-8) flag set. The F=8 flag is also set on the "relay" mailer, since this is expected to be another sendmail. CONFIG: avoid qualifying all UUCP addresses sent via SMTP with the name of the UUCP_RELAY -- in some cases, this is the wrong value (e.g., when we have local UUCP connections), and this can create unreplyable addresses. From Chip Rosenthal of Unicom. CONFIG: add confRECEIVED_HEADER to change the format of the Received: header inserted into all messages. Suggested by Gary Mills of the University of Manitoba. CONFIG: Make "notsticky" the default; use FEATURE(stickyhost) to get the old behavior. I did this upon observing that almost everyone needed this feature, and that the concept I was trying to make happen didn't work with some user agents anyway. FEATURE(notsticky) still works, but it is a no-op. CONFIG: Add LUSER_RELAY -- the host to which unrecognized user names are sent, rather than immediately diagnosing them as User Unknown. CONFIG: Add SMTP_MAILER_ARGS, ESMTP_MAILER_ARGS, SMTP8_MAILER_ARGS, and RELAY_MAILER_ARGS to set the arguments for the indicated mailers. All default to "IPC $h". Patch from Larry Parmelee of Cornell University. CONFIG: pop mailer needs F=n flag to avoid "annoying side effects on the client side" and F=P to get an appropriate return-path. From Kimmo Suominen. CONFIG: add FEATURE(local_procmail) to use the procmail program as the local mailer. For addresses of the form "user+detail" the "detail" part is passed to procmail via the -a flag. Contributed by Kimmo Suominen. CONFIG: add MAILER(procmail) to add an interface to procmail for use from mailertables. This lets you execute arbitrary procmail scripts. Contributed by Kimmo Suominen. CONFIG: add T= fields (MTS type) to local, smtp, and uucp mailers. CONFIG: add OSTYPE(ptx2) for DYNIX/ptx 2.x from Sequent. From Paul Southworth of CICNet Systems Support. CONFIG: use -a$g as default to UUCP mailers, instead of -a$f. This causes the null return path to be rewritten as MAILER-DAEMON; otherwise UUCP gets horribly confused. From Michael Hohmuth of Technische Universitat Dresden. CONFIG: Add FEATURE(bestmx_is_local) to cause any hosts that list us as the best possible MX record to be treated as though they were local (essentially, assume that they are included in $=w). This can cause additional DNS traffic, but is easier to administer if this fits your local model. It does not work reliably if there are multiple hosts that share the best MX preference. Code contributed by John Oleynick of Rutgers. CONFIG: Add FEATURE(smrsh) to use smrsh (the SendMail Restricted SHell) instead of /bin/sh as the program used for delivery to programs. If an argument is included, it is used as the path to smrsh; otherwise, /usr/local/etc/smrsh is assumed. CONFIG: Add LOCAL_MAILER_MAX and PROCMAILER_MAILER_MAX to limit the size of messages to the local and procmail mailers respectively. Contributed by Brad Knowles of the Defense Information Systems Agency. CONFIG: Handle leading ``phrase:'' and trailing ``;'' as comments (just like text outside of angle brackets) in order to properly deal with ``group: addr1, ... addrN;'' syntax. CONFIG: Require OSTYPE macro (the defaults really don't apply to any real systems any more) and tweak the DOMAIN macro so that it is less likely that users will accidentally use the Berkeley defaults. Also, create some generic files that really can be used in the real world. CONFIG: Add new configuration macros to set character sets for messages _arriving from_ various mailers: LOCAL_MAILER_CHARSET, SMTP_MAILER_CHARSET, and UUCP_MAILER_CHARSET. CONFIG: Change UUCP_MAX_SIZE to UUCP_MAILER_MAX for consistency. The old name will still be accepted for a while at least. CONFIG: Implement DECNET_RELAY as spec for host to which DECNET mail (.DECNET pseudo-domain or node::user) will be sent. As with all relays, it can be ``mailer:hostname''. Suggested by Scott Hutton. CONFIG: Add MAILER(mail11) to get DECnet support. Code contributed by Barb Dijker of Labyrinth Computer Services. CONFIG: change confCHECK_ALIASES to default to False -- it has poor performance for large alias files, and this confused many people. CONFIG: Add confCF_VERSION to append local information to the configuration version number displayed during SMTP startup. CONFIG: fix some.newsgroup.usenet@local.host syntax (previously it would only work when locally addressed. Fix from Edvard Tuinder of Cistron Internet Services. CONFIG: use ${opMode} to avoid error on .REDIRECT addresses if option "n" (CheckAliases) is set when rebuilding alias database. Based on code contributed by Claude Marinier. CONFIG: Allow mailertable to have values of the form ``error:code message''. The ``code'' is a status code derived from the sysexits codes -- e.g., NOHOST or UNAVAILABLE. Contributed by David James . CONFIG: add MASQUERADE_DOMAIN(domain list) to extend the list of sender domains that will be replaced with the masquerade name. These domains will not be treated as local, but if mail passes through with sender addresses in those domains they will be replaced by the masquerade name. These can also be specified in a file using MASQUERADE_DOMAIN_FILE(filename). CONFIG: add FEATURE(masquerade_envelope) to masquerade the envelope as well as the header. Substantial improvements to this code were contributed by Per Hedeland. CONFIG: add MAILER(phquery) to define a new "ph" mailer; this can be accessed from a mailertable to do CCSO ph lookups. Contributed by Kimmo Suominen. CONFIG: add MAILER(cyrus) to define a new Cyrus mailer; this can be used to define cyrus and cyrusbb mailers (for IMAP support). Contributed by John Gardiner Myers of Carnegie Mellon. CONFIG: add confUUCP_MAILER to select default mailer to use for UUCP addressing. Suggested by Tom Moore of AT&T GIS. NEW FILES: cf/cf/cs-hpux10.mc cf/cf/cs-solaris2.mc cf/cf/cyrusproto.mc cf/cf/generic-bsd4.4.mc cf/cf/generic-hpux10.mc cf/cf/generic-hpux9.mc cf/cf/generic-osf1.mc cf/cf/generic-solaris2.mc cf/cf/generic-sunos4.1.mc cf/cf/generic-ultrix4.mc cf/cf/huginn.cs.mc cf/domain/berkeley-only.m4 cf/domain/generic.m4 cf/feature/bestmx_is_local.m4 cf/feature/local_procmail.m4 cf/feature/masquerade_envelope.m4 cf/feature/smrsh.m4 cf/feature/stickyhost.m4 cf/feature/use_ct_file.m4 cf/m4/cfhead.m4 cf/mailer/cyrus.m4 cf/mailer/mail11.m4 cf/mailer/phquery.m4 cf/mailer/procmail.m4 cf/ostype/amdahl-uts.m4 cf/ostype/bsdi2.0.m4 cf/ostype/hpux10.m4 cf/ostype/irix5.m4 cf/ostype/isc4.1.m4 cf/ostype/ptx2.m4 cf/ostype/unknown.m4 contrib/bsdi.mc contrib/mailprio contrib/rmail.oldsys.patch mail.local/mail.local.0 makemap/makemap.0 smrsh/README smrsh/smrsh.0 smrsh/smrsh.8 smrsh/smrsh.c src/Makefiles/Makefile.CSOS src/Makefiles/Makefile.EWS-UX_V src/Makefiles/Makefile.HP-UX.10 src/Makefiles/Makefile.IRIX.5.x src/Makefiles/Makefile.IRIX64 src/Makefiles/Makefile.ISC src/Makefiles/Makefile.KSR src/Makefiles/Makefile.NEWS-OS.4.x src/Makefiles/Makefile.NEWS-OS.6.x src/Makefiles/Makefile.NEXTSTEP src/Makefiles/Makefile.NonStop-UX src/Makefiles/Makefile.Paragon src/Makefiles/Makefile.SCO.3.2v4.2 src/Makefiles/Makefile.SunOS.5.3 src/Makefiles/Makefile.SunOS.5.4 src/Makefiles/Makefile.SunOS.5.5 src/Makefiles/Makefile.UNIX_SV.4.x.i386 src/Makefiles/Makefile.uts.systemV src/Makefiles/Makefile.UX4800 src/aliases.0 src/mailq.0 src/mime.c src/newaliases.0 src/sendmail.0 test/t_seteuid.c RENAMED FILES: cf/cf/alpha.mc => cf/cf/s2k-osf1.mc cf/cf/chez.mc => cf/cf/chez.cs.mc cf/cf/hpux-cs-exposed.mc => cf/cf/cs-hpux9.mc cf/cf/osf1-cs-exposed.mc => cf/cf/cs-osf1.mc cf/cf/s2k.mc => cf/cf/s2k-ultrix4.mc cf/cf/sunos4.1-cs-exposed.mc => cf/cf/cs-sunos4.1.mc cf/cf/ultrix4.1-cs-exposed.mc => cf/cf/cs-ultrix4.mc cf/cf/vangogh.mc => cf/cf/vangogh.cs.mc cf/domain/Berkeley.m4 => cf/domain/Berkeley.EDU.m4 cf/domain/cs-exposed.m4 => cf/domain/CS.Berkeley.EDU.m4 cf/domain/eecs-hidden.m4 => cf/domain/EECS.Berkeley.EDU.m4 cf/domain/s2k.m4 => cf/domain/S2K.Berkeley.EDU.m4 cf/ostype/hpux.m4 => cf/ostype/hpux9.m4 cf/ostype/irix.m4 => cf/ostype/irix4.m4 cf/ostype/ultrix4.1.m4 => cf/ostype/ultrix4.m4 src/Makefile.* => src/Makefiles/Makefile.* src/Makefile.AUX => src/Makefiles/Makefile.A-UX src/Makefile.BSDI => src/Makefiles/Makefile.BSD-OS src/Makefile.DGUX => src/Makefiles/Makefile.dgux src/Makefile.RISCos => src/Makefiles/Makefile.UMIPS src/Makefile.SunOS.4.0.3 => src/Makefiles/Makefile.SunOS.4.0 OBSOLETED FILES: cf/cf/cogsci.mc cf/cf/cs-exposed.mc cf/cf/cs-hidden.mc cf/cf/hpux-cs-hidden.mc cf/cf/knecht.mc cf/cf/osf1-cs-hidden.mc cf/cf/sunos3.5-cs-exposed.mc cf/cf/sunos3.5-cs-hidden.mc cf/cf/sunos4.1-cs-hidden.mc cf/cf/ultrix4.1-cs-hidden.mc cf/domain/cs-hidden.m4 contrib/rcpt-streaming src/Makefiles/Makefile.SunOS.5.x 8.6.13/8.6.12 1996/01/25 SECURITY: In some cases it was still possible for an attacker to insert newlines into a queue file, thus allowing access to any user (except root). CONFIG: no changes -- it is not a bug that the configuration version number is unchanged. 8.6.12/8.6.12 1995/03/28 Fix to IDENT code (it was getting the size of the reply buffer too small, so nothing was ever accepted). Fix from several people, including Allan Johannesen, Shane Castle of the Boulder County Information Services, and Jeff Smith of Warwick University (all arrived within a few hours of each other!). Fix a problem that could cause large jobs to run out of file descriptors on systems that use vfork() rather than fork(). 8.6.11/8.6.11 1995/03/08 The ``possible attack'' message would be logged more often than necessary if you are using Pine as a user agent. The wrong host would be reported in the ``possible attack'' message when attempted from IDENT. In some cases the syslog buffer could be overflowed when reporting the ``possible attack'' message. This can cause denial of service attacks. Truncate the message to 80 characters to prevent this problem. When reading the IDENT response a loop is needed around the read from the network to ensure that you don't get partial lines. Password entries without any shell listed (that is, a null shell) wouldn't match as "ok". Problem noted by Rob McMahon. When running BIND 4.9.x a problem could occur because the _res.options field is initialized differently than it was historically -- this requires that sendmail call res_init before it tweaks any bits. Fix an incompatibility in openxscript() between the file open mode and the stdio mode passed to fdopen. This caused UnixWare 2.0 to have conniptions. Fix from Martin Sohnius of Novell Labs Europe. Fix problem with static linking of local getopt routine when using GNU's ld command. Fix from John Kennedy of Cal State Chico. It was possible to turn off privacy flags. Problem noted by *Hobbit*. Be more paranoid about writing files. Suggestions by *Hobbit* and Liudvikas Bukys. MAKEMAP: fixes for 64 bit machines (DEC Alphas in particular) from Spider Boardman. CONFIG: No changes (version number only, to keep it in sync with the binaries). 8.6.10/8.6.10 1995/02/10 SECURITY: Diagnose bogus values to some command line flags that could allow trash to get into headers and qf files. Validate the name of the user returned by the IDENT protocol. Some systems that really dislike IDENT send intentionally bogus information. Problem pointed out by Michael Bushnell of the Free Software Foundation. Has some security implications. Fix a problem causing error messages about DNS problems when the host name contained a percent sign to act oddly because it was passed as a printf-style format string. In some cases this could cause core dumps. Avoid possible buffer overrun in returntosender() if error message is quite long. From Fletcher Mattox of the University of Texas. Fix a problem that would silently drop "too many hops" error messages if and only if you were sending to an alias. From Jon Giltner of the University of Colorado and Dan Harton of Oak Ridge National Laboratory. Fix a bug that caused core dumps on some systems if -d11.2 was set and e->e_message was null. Fix from Bruce Nagel of Data General. Fix problem that can still cause df files to be left around after "hop count exceeded" messages. Fix from Andrew Chang and Shau-Ping Lo of SunSoft. Fix a problem that can cause buffer overflows on very long user names (as might occur if you piped to a program with a lot of arguments). Avoid returning an error and re-queueing if the host signature is null; this can occur on addresses like ``user@.''. Problem noted by Wesley Craig and the University of Michigan. Avoid possible calls to malloc(0) if MCI caching is turned off. Bug fix from Pierre David of the Laboratoire Parallelisme, Reseaux, Systemes et Modelisation (PRiSM), Universite de Versailles - St Quentin, and Jacky Thibault. Make a local copy of the line being sent via senttolist() -- in some cases, buffers could get trashed by map lookups causing it to do unexpected things. This also simplifies some of the map code. CONFIG: No changes (version number only, to keep it in sync with the binaries). 8.6.9/8.6.9 1994/04/19 Do all mail delivery completely disconnected from any terminal. This provides consistency with daemon delivery and may have some security implications. Make sure that malloc doesn't get called with zero size, since that fails on some systems. Reported by Ed Hill of the University of Iowa. Fix multi-line values for $e (SMTP greeting message). Reported by Mike O'Connor of Ford Motor Company. Avoid syserr if no NIS domain name is defined, but the map it is trying to open is optional. From Win Bent of USC. Changes for picky compilers from Ed Gould of Digital Equipment. Hesiod support for UDB from Todd Miller of the University of Colorado. Use "hesiod" as the service name in the U option. Fix a problem that failed to set the "authentic" host name (that is, the one derived from the socket info) if you called sendmail -bs from inetd. Based on code contributed by Todd Miller (this problem was also reported by Guy Helmer of Dakota State University). This also fixes a related problem reported by Liudvikas Bukys of the University of Rochester. Parameterize "nroff -h" in all the Makefiles so people with variant versions can use them easily. Suggested by Peter Collinson of Hillside Systems. SMTP "MAIL" commands with multiple ESMTP parameters required two spaces between parameters instead of one. Reported by Valdis Kletnieks of Virginia Tech. Reduce the number of system calls during message collection by using global timeouts around the collect() loop. This code was contributed by Eric Wassenaar. If the initial hostname name gathering results in a name without a dot (usually caused by NIS misconfiguration) and BIND is compiled in, directly access DNS to get the canonical name. This should make life easier for Solaris systems. If it still can't be resolved, and if the name server is listed as "required", try again in 30 seconds. If that also fails, exit immediately to avoid bogus "config error: mail loops back to myself" messages. Improve the "MAIL DELETED BECAUSE OF LACK OF DISK SPACE" error message to explain how much space was available and sound a bit less threatening. Suggested by Stan Janet of the National Institute of Standards and Technology. If mail is delivered to an alias that has an owner, deliver any requested return-receipt immediately, and strip the Return-Receipt-To: header from the subsequent message. This prevents a certain class of denial of service attack, arguably gives more reasonable semantics, and moves things more towards what will probably become a network standard. Suggested by Christopher Davis of Kapor Enterprises. Add a "noreceipts" privacy flag to turn off all return receipts without recompiling. Avoid printing ESMTP parameters as part of the error message if there are errors during parsing. This change is purely cosmetic. Avoid sending out error messages during the collect phase of SMTP; there is an MVS mailer from UCLA that gets confused by this. Of course, I think it's their bug.... Check for the $j macro getting undefined, losing a dot, or getting lost from $=w in the daemon before accepting a connection; if it is, it dumps state, prints a LOG_ALERT message, and drops core for debugging. This is an attempt to track down a bug that I thought was long since gone. If you see this, please forward the log fragment to sendmail@sendmail.ORG. Change OLD_NEWDB from a #ifdef to a #if so it can be turned off with -DOLD_NEWDB=0 on the command line. From Christophe Wolfhugel. Instead of trying to truncate the listen queue for the server SMTP port when the load average is too high, just close the port completely and reopen it later as needed. This ensures that the other end gets a quick "connection refused" response, and that the connection can be recovered later. In particular, some socket emulations seem to get confused if you tweak the listen queue size around and can never start listening to connections again. The down side is that someone could start up another daemon process in the interim, so you could have multiple daemons all not listening to connections; this could in turn cause the sendmail.pid file to be incorrect. A better approach might be to accept the connection and give a 421 code, but that could break other mailers in mysterious ways and have paging behavior implications. Fix a glitch in TCP-level debugging that caused flag 16.101 to set debugging on the wrong socket. From Eric Wassenaar. When creating a df* temporary file, be sure you truncate any existing data in the file -- otherwise system crashes and the like could result in extra data being sent. DOC: Replace the CHANGES-R5-R8 readme file with a paper in the doc directory. This includes some additional information. CONFIG: change UUCP rules to never add $U! or $k! on the front of recipient envelope addresses. This should have been handled by the $&h trick, but broke if people were mixing domainized and UUCP addresses. They should probably have converted all the way over to uucp-uudom instead of uucp-{new,old}, but the failure mode was to loop the mail, which was bad news. Portability fixes: Newer BSDI systems (several people). Older BSDI systems from Christophe Wolfhugel. Intergraph CLIX, from Paul Southworth of CICNet. UnixWare, from Evan Champion. NetBSD from Adam Glass. Solaris from Quentin Campbell of the University of Newcastle upon Tyne. IRIX from Dean Cookson and Bill Driscoll of Mitre Corporation. NCR 3000 from Kevin Darcy of Chrysler Financial Corporation. SunOS (it has setsid() and setvbuf() calls) from Jonathan Kamens of OpenVision Technologies. HP-UX from Tor Lillqvist. New Files: src/Makefile.CLIX src/Makefile.NCR3000 doc/changes/Makefile doc/changes/changes.me doc/changes/changes.ps 8.6.8/8.6.6 1994/03/21 SECURITY: it was possible to read any file as root using the E (error message) option. Reported by Richard Jones; fixed by Michael Corrigan and Christophe Wolfhugel. 8.6.7/8.6.6 1994/03/14 SECURITY: it was possible to get root access by using weird values to the -d flag. Thanks to Alain Durand of INRIA for forwarding me the notice from the bugtraq list. 8.6.6/8.6.6 1994/03/13 SECURITY: the ability to give files away on System V-based systems proved dangerous -- don't run as the owner of a :include: file on a system that allows giveaways. Unfortunately, this also applies to determining a valid shell. IMPORTANT: Previous versions weren't expiring old connections in the connection cache for a long time under some circumstances. This could result in resource exhaustion, both at your end and at the other end. This checks the connections for timeouts much more frequently. From Doug Anderson of NCSC. Fix a glitch that snuck in that caused programs to be run as the sender instead of the recipient if the mail was from a local user to another local user. From Motonori Nakamura of Kyoto University. Fix "wildcard" on /etc/shells matching -- instead of looking for "*", look for "/SENDMAIL/ANY/SHELL/". From Bryan Costales of ICSI. Change the method used to declare the "statfs" availability; instead of HASSTATFS and/or HASUSTAT with a ton of tweaking in conf.c, there is a single #define called SFS_TYPE which takes on one of six values (SFS_NONE for no statfs availability, SFS_USTAT for the ustat(2) syscall, SFS_4ARGS for a four argument statfs(2) call, and SFS_VFS, SFS_MOUNT, or SFS_STATFS for a two argument statfs(2) call with the declarations in , , or respectively). Fix glitch in NetInfo support that could return garbage if there was no "/locations/sendmail" property. From David Meyer of the University of Virginia. Change HASFLOCK from defined/not-defined to a 0/1 definition to allow Linux to turn it off even though it is a BSD-like system. Allow setting of "ident" timeout to zero to turn off the ident protocol entirely. Make 7-bit stripping local to a connection (instead of to a mailer); this allows you to specify that SMTP is a 7-bit channel, but revert to 8-bit should it advertise that it supports 8BITMIME. You still have to specify mailer flag 7 to get this stripping at all. Improve makesendmail script so it handles more cases automatically. Tighten up restrictions on taking ownership of :include: files to avoid problems on systems that allow you to give away files. Fix a problem that made it impossible to rebuild the alias file if it was on a read-only file system. From Harry Edmon of the University of Washington. Improve MX randomization function. From John Gardiner Myers of CMU. Fix a minor glitch causing a bogus message to be printed (used %s instead of %d in a printf string for the line number) when a bad queue file was read. From Harry Edmon. Allow $s to remain NULL on locally generated mail. I'm not sure this is necessary, but a lot of people have complained about it, and there is a legitimate question as to whether "localhost" is legal as an 822-style domain. Fix a problem with very short line lengths (mailer L= flag) in headers. This causes a leading space to be added onto continuation lines (including in the body!), and also tries to wrap headers containing addresses (From:, To:, etc) intelligently at the shorter line lengths. Problem Reported by Lars-Johan Liman of SUNET Operations Center. Log the real user name when logging syserrs, since these can have security implications. Suggested by several people. Fix address logging of cached connections -- it used to always log the numeric address as zero. This is a somewhat bogus implementation in that it does an extra system call, but it should be an inexpensive one. Fix from Motonori Nakamura. Tighten up handling of short syslog buffers even more -- there were cases where the outgoing relay= name was too long to share a line with delay= and mailer= logging. Limit the overhead on split envelopes to one open file descriptor per envelope -- previously the overhead was three descriptors. This was in response to a problem reported by P{r (Pell) Emanuelsson. Fixes to better handle the case of unexpected connection closes; this redirects the output to the transcript so the info is not lost. From Eric Wassenaar. Fix potential string overrun if you macro evaluate a string that has a naked $ at the end. Problem noted by James Matheson . Make default error number on $#error messages 553 (``Requested action not taken: mailbox name not allowed'') instead of 501 (``Syntax error in parameters or arguments'') to avoid bogus "protocol error" messages. Strip off any existing trailing dot on names during $[ ... $] lookup. This prevents it from ending up with two dots on the end of dot terminated names. From Wesley Craig of the University of Michigan and Bryan Costales of ICSI. Clean up file class reading so that the debugging information is more informative. It hadn't been using setclass, so you didn't see the class items being added. Avoid core dump if you are running a version of sendmail where NIS is compiled in, and you specify an NIS map, but NIS is not running. Fix from John Oleynick of Rutgers. Diagnose bizarre case where res_search returns a failure value, but sets h_errno to a success value. Make sure that "too many hops" messages are considered important enough to send an error to the Postmaster (that is, the address specified in the P option). This fix should help problems that cause the df file to be left around sometimes -- unfortunately, I can't seem to reproduce the problem myself. Avoid core dump (null pointer reference) on EXPN command; this only occurred if your log level was set to 10 or higher and the target account was an alias or had a .forward file. Problem noted by Janne Himanka. Avoid "denial of service" attacks by someone who is flooding your SMTP port with bad commands by shutting the connection after 25 bad commands are issued. From Kyle Jones of UUNET. Fix core dump on error messages with very long "to" buffers; fmtmsg overflows the message buffer. Fixed by trimming the to address to 203 characters. Problem reported by John Oleynick. Fix configuration for HASFLOCK -- there were some spots where a #ifndef was incorrectly #ifdef. Pointed out by George Baltz of the University of Maryland. Fix a typo in savemail() that could cause the error message To: lists to be incorrect in some places. From Motonori Nakamura. Fix a glitch that can cause duplicate error messages on split envelopes where an address on one of the lists has a name server failure. Fix from Voradesh Yenbut of the University of Washington. Fix possible bogus pointer reference on ESMTP parameters that don't have an ``=value'' part. CNAME loops caused an error message to be generated, but also re-queued the message. Changed to just re-queue the message (it's really hard to just bounce it because of the weird way the name server works in the presence of CNAME loops). Problem noted by James M.R.Matheson of Cambridge University. Avoid giving ``warning: foo owned process doing -bs'' messages if they use ``MAIL FROM:'' where foo is their true user name. Suggested by Andreas Stolcke of ICSI. Change the NAMED_BIND compile flag to be a 0/1 flag so you can override it easily in the Makefile -- that is, you can turn it off using -DNAMED_BIND=0. If a gethostbyname(...) of an address with a trailing dot fails, try it without the trailing dot. This is because if you have a version of gethostbyname() that falls back to NIS or the /etc/hosts file it will fail to find perfectly reasonable names that just don't happen to be dot terminated in the hosts file. You don't want to strip the dot first though because we're trying to ensure that country names that match one of your subdomains get a chance. PRALIASES: fix bogus output on non-null-terminated strings. From Bill Gianopoulos of Raytheon. CONFIG: Avoid rewriting anything that matches $w to be $j. This was in code intended to only catch the self-literal address (that is, [1.2.3.4], where 1.2.3.4 is your IP address), but the code was broken. However, it will still do this if $M is defined; this is necessary to get client configurations to work (sigh). Note that this means that $M overrides :mailname entries in the user database! Problem noted by Paul Southworth. CONFIG: Fix definition of Solaris help file location. From Steve Cliffe . CONFIG: Fix bug that broke news.group.USENET mappings. CONFIG: Allow declaration of SMTP_MAILER_MAX, FAX_MAILER_MAX, and USENET_MAILER_MAX to tweak the maximum message size for various mailers. CONFIG: Change definition of USENET_MAILER_ARGS to include argv[0] instead of assuming that it is "inews" for consistency with other mailers. From Michael Corrigan of UC San Diego. CONFIG: When mail is forwarded to a LOCAL_RELAY or a MAIL_HUB, qualify the address in the SMTP envelope as user@{relay|hub} instead of user@$j. From Bill Wisner of The Well. CONFIG: Fix route-addr syntax in nullrelay configuration set. CONFIG: Don't turn off case mapping of user names in the local mailer for IRIX. This was different than most every other system. CONFIG: Avoid infinite loops on certainly list:; syntaxes in envelope. Noted by Thierry Besancon . CONFIG: Don't include -z by default on uux line -- most systems don't want it set by default. Pointed out by Philippe Michel of Thomson CSF. CONFIG: Fix some bugs with mailertables -- for example, if your host name was foo.bar.ray.com and you matched against ".ray.com", the old implementation bound %1 to "bar" instead of "foo.bar". Also, allow "." in the mailertable to match anything -- essentially, take over SMART_HOST. This also moves matching of explicit local host names before the mailertable so they don't have to be special cased in the mailertable data. Reported by Bill Gianopoulos of Raytheon; the fix for the %1 binding problem was contributed by Nicholas Comanos of the University of Sydney. CONFIG: Don't include "root" in class $=L (users to deliver locally, even if a hub or relay exists) by default. This is because of the known bug where definition of both a LOCAL_RELAY and a MAIL_HUB causes $=L to ignore both and deliver into the local mailbox. CONFIG: Move up bitdomain and uudomain handling so that they are done before .UUCP class matching; uudomain was reported as ineffective before. This also frees up diversion 8 for future use. Problem reported by Kimmo Suominen. CONFIG: Don't try to convert dotted IP address (e.g., [1.2.3.4]) into host names. As pointed out by Jonathan Kamens, these are often used because either the forward or reverse mapping is broken; this translation makes it broken again. DOC: Clarify $@ and $: in the Install & Op Guide. From Kimmo Suominen. Portability fixes: Unicos from David L. Kensiski of Sterling Software. DomainOS from Don Lewis of Silicon Systems. GNU m4 1.0.3 from Karst Koymans of Utrecht University. Convex from Kimmo Suominen . NetBSD from Adam Glass . BSD/386 from Tony Sanders of BSDI. Apollo from Eric Wassenaar. DGUX from Doug Anderson. Sequent DYNIX/ptx 2.0 from Tim Wright of Sequent. NEW FILES: src/Makefile.DomainOS src/Makefile.PTX src/Makefile.SunOS.5.1 src/Makefile.SunOS.5.2 src/Makefile.SunOS.5.x src/mailq.1 cf/ostype/domainos.m4 doc/op/Makefile doc/intro/Makefile doc/usenix/Makefile 8.6.5/8.6.5 1994/01/13 Security fix: /.forward could be owned by anyone (the test to allow root to own any file was backwards). From Bob Campbell at U.C. Berkeley. Security fix: group ids were not completely set when programs were invoked. This caused programs to have group permissions they should not have had (usually group daemon instead of their own group). In particular, Perl scripts would refuse to run. Security: check to make sure files that are written are not symbolic links (at least under some circumstances). Although this does not respond to a specific known attack, it's just a good idea. Suggested by Christian Wettergren. Security fix: if a user had an NFS mounted home directory on a system with a restricted shell listed in their /etc/passwd entry, they could still execute any program by putting that in their .forward file. This fix prevents that by insisting that their shell appear in /etc/shells before allowing a .forward to execute a program or write a file. You can disable this by putting "*" in /etc/shells. It also won't permit world-writable :include: files to reference programs or files (there's no way to disable this). These behaviors are only one level deep -- for example, it is legal for a world-writable :include: file to reference an alias that writes a file, on the assumption that the alias file is well controlled. Security fix: root was not treated suspiciously enough when looking into subdirectories. This would potentially allow a cracker to examine files that were publicly readable but in a non-publicly searchable directory. Fix a problem that causes an error on QUIT on a cached connection to create problems on the current job. These are typically unrelated, so errors occur in the wrong place. Reset CurrentLA in sendall() -- this makes sendmail queue runs more responsive to load average, and fixes a problem that ignored the load average in locally generated mail. From Eric Wassenaar. Fix possible core dump on aliases with null LHS. From John Orthoefer of BB&N. Revert to using flock() whenever possible -- there are just too many bugs in fcntl() locking, particularly over NFS, that cause sendmail to fail in perverse ways. Fix a bug that causes the connection cache to get confused when sending error messages. This resulted in "unexpected close" messages. It should fix itself on the following queue run. Problem noted by Liudvikas Bukys of the University of Rochester. Include $k in $=k as documented in the Install & Op Guide. This seems odd, but it was documented.... From Michael Corrigan of UCSD. Fix problem that caused :include:s from alias files to be forced to be owned by root instead of daemon (actually DefUid). From Tim Irvin. Diagnose unrecognized I option values -- from Mortin Forssen of the Chalmers University of Technology. Make "error" mailer work consistently when there is no error code associated with it -- previously it returned OK even though there was a real problem. Now it assumes EX_UNAVAILABLE. Fix bug that caused the last header line of messages that had no body and which were terminated with EOF instead of "." to be discarded. Problem noted by Liudvikas Bukys. Fix core dump on SMTP mail to programs that failed -- it tried to go to a "next MX host" when none existed, causing a core dump. From der Mouse at McGill University. Change IDENTPROTO from a defined/not defined to a 0/1 switch; this makes it easier to turn it off (using -DIDENTPROTO=0 in the Makefile). From der Mouse. Fix YP_MASTER_NAME store to use the unupdated result of gethostname() (instead of myhostname(), which tries to fully qualify the name) to be consistent with SunOS. If your hostname is unqualified, this fixes transfers to secondary servers. Bug noted by Keith McMillan of Ameritech Services, Inc. Fix Ultrix problem: gethostbyname() can return a very large (> 500) h_length field, which causes the sockaddr to be trashed. Use the size of the sockaddr instead. Fix from Bob Manson of Ohio State. Don't assume "-a." on host lookups if NAMED_BIND is not defined -- this confuses gethostbyname on hosts file lookups, which doesn't understand the trailing dot convention. Log SMTP server subprocesses that die with a signal instead of from a clean exit. If you don't have option "I" set, don't assume that a DNS "host unknown" message is authoritative -- it might still be found in /etc/hosts. Fix a problem that would cause Deferred: messages to be sent as the subject of an error message, even though the actual cause of a message was more severe than that. Problem noted by Chris Seabrook of OSSI. Fix race condition in DBM alias file locking. From Kyle Jones of UUNET. Limit delivery syslog line length to avoid bugs in some versions of syslog(3). This adds a new compile time variable SYSLOG_BUFSIZE. From Jay Plett of Princeton University, which is in turn derived from IDA. Fix quotes inside of comments in addresses -- previously it insisted that they be balanced, but the 822 spec says that they should be ignored. Dump open file state to syslog upon receiving SIGUSR1 (for debugging). This also evaluates ruleset 89, if set (with the null input), and logs the result. This should be used sparingly, since the rewrite process is not reentrant. Change -qI, -qR, and -qS flags to be case-insensitive as documented in the Bat Book. If the mailer returned EX_IOERR or EX_OSERR, sendmail did not return an error message and did not requeue the message. Fix based on code from Roland Dirlewanger of Reseau Regional Aquarel, Bordeaux, France. Fix a problem that caused a seg fault if you got a 421 error code during some parts of connection initialization. I've only seen this when talking to buggy mailers on the other end, but it shouldn't give a seg fault in any case. From Amir Plivatsky. Fix core dump caused by a ruleset call that returns null. Fix from Bryan Costales of ICSI. Full-Name: field was being ignored. Fix from Motonori Nakamura of Kyoto University. Fix a possible problem with very long input lines in setproctitle. From P{r Emanuelsson. Avoid putting "This is a warning message" out on return receipts. Suggested by Douglas Anderson. Detect loops caused by recursive ruleset calls. Suggested by Bryan Costales. Initialize non-alias maps during alias rebuilds -- they may be needed for parsing. Problem noted by Douglas Anderson. Log sender address even if no message was collected in SMTP (e.g., if all RCPTs failed). Suggested by Motonori Nakamura. Don't reflect the owner-list contents into the envelope sender address if the value contains ", :, /, or | (to avoid illegal addresses appearing there). Efficiency hack for toktype macro -- from Craig Partridge of BB&N. Clean up DNS error printing so that a host name is always included. Remember to set $i during queue runs. Reported by Stephen Campbell of Dartmouth University. If the environment variable HOSTALIASES is set, use it during canonification as the name of a file with per-user host translations so that headers are properly mapped. Reported by Anne Bennett of Concordia University. Avoid printing misleading error message if SMTP mailer (not using [IPC]) should die on a core dump. Avoid incorrect diagnosis of "file 1 closed" when it is caused by the other end closing the connection. From Dave Morrison of Oracle. Improve several of the error messages printed by "mailq" to include a host name or other useful information. Add NetInfo preliminary support for NeXT systems. From Vince DeMarco. Fix a glitch that sometimes caused :include:s that pointed to NFS filesystems that were down to give an "aliasing/ forwarding loop broken" message instead of queueing the message for retry. Noted by William C Fenner of the NRL Connection Machine Facility. Fix a problem that could cause a core dump if the input sequence had (or somehow acquired) a \231 character. Make sure that route-addrs always have around them in non-SMTP envelopes (SMTP envelopes already do this properly). Avoid weird headers on unbalanced punctuation of the form: ``Joe User ; this has uucp-dom semantics but old UUCP syntax. This also permits "uucp-old" as an alias for "uucp" and "uucp-new" as a synonym for "suucp" for consistency. CONFIG: add POP mailer support (from Kimmo Suominen ). CONFIG: drop CSNET_RELAY support -- CSNET is long gone. CONFIG: fix bug caused with domain literal addresses (e.g., ``[128.32.131.12]'') when FEATURE(allmasquerade) was set; it would get an additional @masquerade.host added to the address. Problem noted by Peter Wan of Georgia Tech. CONFIG: make sure that the local UUCP name is in $=w. From Jim Murray of Stratus. CONFIG: changes to UUCP rewriting to simulate IDA-style "V" mailer flag. Briefly, if you are sending to host "foo", then it rewrites "foo!...!baz" to "...!baz", "foo!baz" remains "foo!baz", and anything else has the local name prepended. CONFIG: portability fixes for HP-UX. DOC: several minor problems fixed in the Install & Op Guide. MAKEMAP: fix core dump problem on lines that are too long or which lack newline. From Mark Delany. MAILSTATS: print sums of columns (total messages & kbytes in and out of the system). From Tom Ferrin of UC San Francisco Computer Graphics Lab. SIGNIFICANT USER- OR SYSAD-VISIBLE CHANGES: On HP-UX, /etc/sendmail.cf has been moved to /usr/lib/sendmail.cf to match HP sendmail. Permissions have been tightened up on world-writable :include: files and accounts that have shells that are not listed in /etc/shells. This may cause some .forward files that have worked before to start failing. SIGUSR1 dumps some state to the log. NEW FILES: src/Makefile.DGUX src/Makefile.Dynix src/Makefile.FreeBSD src/Makefile.Mach386 src/Makefile.NetBSD src/Makefile.RISCos src/Makefile.SCO src/Makefile.SVR4 src/Makefile.Titan cf/mailer/pop.m4 cf/ostype/bsdi1.0.m4 cf/ostype/dgux.m4 cf/ostype/dynix3.2.m4 cf/ostype/sco3.2.m4 makemap/Makefile.dist praliases/Makefile.dist 8.6.4/8.6.4 1993/10/31 Repair core-dump problem (write to read-only memory segment) if you fall back to the return-to-Postmaster case in savemail. Problem reported by Richard Liu. Immediately diagnose bogus sender addresses in SMTP. This makes quite certain that crackers can't use this class of attack. Reliability Fix: check return value from fclose() and fsync() in a few critical places. Minor problem in initsys() that reversed a condition for redirecting the output channel on queue runs. It's not clear this code even does anything. From Eric Wassenaar of the Dutch National Institute for Nuclear and High-Energy Physics. Fix some problems that caused queue runs to do "too much work", such as double-reading the Errors-To: header. From Eric Wassenaar. Error messages on writing the temporary file (including the data file) were getting suppressed in SMTP -- this fix causes them to be properly reported. From Eric Wassenaar. Some changes to support AF_UNIX sockets -- this will only really become relevant in the next release, but some people need it for local patches. From Michael Corrigan of UC San Diego. Use dynamically allocated memory (instead of static buffers) for macros defined in initsys() and settime(); since these can have different values depending on which envelope they are in. From Eric Wassenaar. Improve logging to show ctladdr on to= logging; this tells you what uid/gid processes ran as. Fix a problem that caused error messages to be discarded if the sender address was unparseable for some reason; this was supposed to fall back to the "return to postmaster" case. Improve aliaswait backoff algorithm. Portability patches for Linux (8.6.3 required another header file) (from Karl London) and SCO UNIX. CONFIG: patch prog mailer to not strip host name off of envelope addresses (so that it matches local again). From Christopher Davis. CONFIG: change uucp-dom mailer so that "<>" translates to $n; this prevents uux from seeing lines with null names like ``From Sat Oct 30 14:55:31 1993''. From Motonori Nakamura of Kyoto University. CONFIG: handle syntax correctly. This isn't legal, but it shouldn't fail miserably. From Motonori Nakamura. 8.6.2/8.6.2 1993/10/15 Put a "successful delivery" message in the transcript for addresses that get return-receipts. Put a prominent "this is only a warning" message in warning messages -- some people don't read carefully enough and end up sending the message several times. Include reason for temporary failure in the "warning" return message. Currently, it just says "cannot send for four hours". Fix the "Original message received" time generated for returntosender messages. It was previously listed as the current time. Bug reported by Eric Hagberg of Cornell University Medical College. If there is an error when writing the body of a message, don't send the trailing dot and wait for a response in sender SMTP, as this could cause the connection to hang up under some bizarre circumstances. From Eric Wassenaar. Fix some server SMTP synchronization problems caused when connections fail during message collection. From Eric Wassenaar. Fix a problem that can cause srvrsmtp to reject mail if the name server is down -- it accepts the RCPT but rejects the DATA command. Problem reported by Jim Murray of Stratus. Fix a problem that can cause core dumps if the config file incorrectly resolves to a null hostname. Reported by Allan Johannesen of WPI. Non-root use of -C flag, dangerous -f flags, and use of -oQ by non-root users were not put into X-Authentication-Warning:s as intended because the config file hadn't set the PrivacyOptions yet. Fix from Sven-Ove Westberg of the University of Lulea. Under very odd circumstances, the alias file rebuild code could get confused as to whether a database was open or not. Check "vendor code" on the end of V lines -- this is intended to provide a hook for vendor-specific configuration syntax. (This is a "new feature", but I've made an exception to my rule in a belief that this is a highly exceptional case.) Portability fixes for DG/UX (from Douglas Anderson of NCSC), SCO Unix (from Murray Kucherawy), A/UX, and OSF/1 (from Jon Forrest of UC Berkeley) CONFIG: fix ``mailer:host'' form of UUCP relay naming. 8.6.1/8.6 1993/10/08 Portability fixes for A/UX and Encore UMAX V. Fix error message handling -- if you had a name server down causing an error during parsing, that message was never propagated to the queue file. 8.6/8.6 1993/10/05 Configuration cleanup: make it easier to undo IDENTPROTO in conf.h (other systems have the same bug). If HASGETDTABLESIZE and _SC_OPEN_MAX are both defined, assume getdtablesize() instead of sysconf(); a disturbingly large number of systems defined _SC_OPEN_MAX in the header files but don't have the syscall. Another patch to really truly ignore MX records in getcanonname if trymx == FALSE. Fix problem that caused the "250 IAA25499 Message accepted for delivery" message to be omitted if there was an error in the header of the message (e.g., a bad Errors-To: line). Pointed out by Michael Corrigan of UCSD. Announce name of host we are chatting when we get errors; this is an IDA-ism suggested by Christophe Wolfhugel. Portability fixes for Alpha OSF/1 (from Anthony Baxter of the Australian Artificial Intelligence Institute), SCO Unix (from Murray Kucherawy of Hookup Communication Corp.), NeXT (from Vince DeMarco and myself), Linux (from Karl London ), BSDI (from Christophe Wolfhugel, and SVR4 on Dell (from Kimmo Suominen), AUX 3.0 on Macintosh, and ANSI C compilers. Some changes to get around gcc optimizer bugs. From Takahiro Kanbe. Fix error recovery in queueup if another tf file of the same name already exists. Problem stumbled over by Bill Wisner of The Well. Output YP_MASTER_NAME and YP_LAST_MODIFIED without null bytes. Problem noted by Keith McMillan of Ameritech Services. Deal with group permissions properly when opening .forward and :include: files. This relaxes the 8.1C restrictions slightly more. This includes proper setting of groups when reading :include: files, allowing you to read some files that you should be able to read but have previously been denied unless you owned them or they had "other" read permission. Make certain that $j is in $=w (after the .cf is read) so that if the user is forced to override some silly system, MX suppression will still work. Fix a couple of efficiency problems where newstr was double- calling expensive routines. In at least one case, it wasn't guaranteed that they would always return the same result. Problem noted by Christophe Wolfhugel. Fix null pointer dereference in putoutmsg -- only on an error condition from a non-SMTP mailer. From Motonori Nakamura. Macro expand "C" line class definitions before scanning so that "CX $Z" works. Fix problem that caused error message to be sent while still trying to send the original message if the connection is closed during a DATA command after getting an error on an RCPT command (pretty obscure). Problem reported by John Myers of CMU. Fix reply to NOOP to be 250 instead of 200 -- this is a long term bug. Fix a nasty bug causing core dumps when returning the "warning: cannot deliver for N hours -- will keep trying" message; it only occurred if you had PostmasterCopy set and only on some architectures. Although sendmail would keep trying, it would send error messages on each queue interval. This is an important fix. Allow u and g options to take user and group names respectively. Don't do a chdir into the queue directory in -bt mode to make ruleset testing a bit easier. Don't allow users to turn off logging (using -oL) on the command line -- command line can only raise, not lower, logging level. Set $u to the original recipient on the SMTP transaction or on the command line. This is only done if there is exactly one recipient. Technically, this does not meet the specs, because it does not guarantee a domain on the address. Fix a problem that dumped error messages on bad addresses if you used the -t flag. Problem noted by Josh Smith of Harvey Mudd College. Given an address such as `` '', auto-quote the first ``'' part, giving ``"" ''. This is to avoid the problem of people who use angle brackets in their full name information. Fix a null pointer dereference if you set option "l", have an Errors-To: header in the message, and have Errors-To: defined in the config file H lines. From J.R. Oldroyd. Put YPCOMPAT on #ifdef NIS instead -- it's one less thing to get wrong when compiling. Suggested by Rick McCarty of TI. Fix a problem that could pass negative SIZE parameter if the df file got lost; this would cause servers to always give a temporary failure, making the problem even worse. Problem noted by Allan Johannesen of WPI. Add "ident" timeout (one of the "r" option selectors) for IDENT protocol timeouts (30s default). Requested by Murray Kucherawy of HookUp Communication Corp. to handle bogus PC TCP/IP implementations. Change $w default definition to be just the first component of the domain name on config level 5. The $j macro defaults to the FQDN; $m remains as before. This lets well-behaved config files use any of the short, long, or subdomain names. Add makesendmail script in src to try to automate multi-architecture builds. I know, this is sub-optimal, but it is still helpful. Fix very obscure race condition that can cause a queue run to get a queue file for an already completed job. This problem has existed for years. Problem noted by the long suffering Allan Johannesen of WPI. Fix a problem that caused the raw sender name to be passed to udbsender instead of the canonified name -- this caused it to sometimes miss records that it should have found. Relax check of name on HELO packet so that a program using -bs that claims to be itself works properly. Restore rewriting of $: part of address through 2, R, 4 in buildaddr -- this requires passing a lot of flags to get it right. Unlike old versions, this ONLY rewrites recipient addresses, not sender addresses. Fix a bug that caused core dumps in config files that cannot resolve /file/name style addresses. Fix from Jonathan Kamens of OpenVision Technologies. Fix problem with fcntl locking that can cause error returns to be lost if the lock is lost; this required fully queueing everything, dropping the envelope (so errors would get returned), and then re-reading the queue from scratch. Fix a problem that caused aliases that redefine an otherwise true address to still send to the original address if and only if the alias failed in certain bizarre ways (e.g, if they pointed at a list:; syntax address). Problem pointed out by Jonathan Kamens. Remove support for frozen configuration files. They caused more trouble than it was worth. Fix problem that can cause error messages to get ignored when using both -odb and -t flags. Problem noted by Rob McNicholas at U.C. Berkeley. Include all "normal" variations on hostname in $=w. For example, if the host name is vangogh.cs.berkeley.edu, $=w will contain vangogh, vangogh.cs, and vangogh.cs.berkeley.edu. Add "restrictqrun" privacy flag -- without this, anyone can run the queue. Reset SmtpPhase global on initial connection creation so that messages don't come out with stale information. Pass an "ext" argument to lockfile so that error/log messages will properly reflect the true filename being locked. Put all [...] address forms into $=w -- this eliminates the need for MAXIPADDR in conf.h. Suggested by John Gardiner Myers of CMU. Fix a bug that can cause qf files to be left around even after an SMTP RSET command. Problem and fix from Michael Corrigan. Don't send a PostmasterCopy to errors when the Precedence: is negative. Error reports still go to the envelope sender address. Add LA_SHORT for load averages. Lock sendmail.st file when posting statistics. Add "SendBufSize" and "RcvBufSize" suboptions to "O" option to set the size of the TCP send and receive buffers; if you run over a slow slip line you may need to set these down (although it would be better to fix the SLIP implementation so that it's not necessary to recompile every program that does bulk data transfer). Allow null defaults on $( ... $) lookups. Problem reported by Amir Plivatsky. Diagnose crufty S and V config lines. This resulted from an observation that some people were using the SITE macro without the SITECONFIG macro first, which was causing bogus config files that were not caught. Fix makemap -f flag to turn off case folding (it was turning it on instead). THIS IS A USER VISIBLE CHANGE!!! Fix a problem that caused multiple error messages to be sent if you used "sendmail -t -oem -odb", your system uses fcntl locking, and one of the recipient addresses is unknown. Reset uid earlier in include() so that recursive .forwards or :include:s don't use the wrong uid. If file descriptor 0, 1, or 2 was closed when sendmail was called, the code to recover the descriptor was broken. This sometimes (only sometimes) caused problems with the alias file. Fix from Motonori Nakamura. Fix a problem that caused aliaswait to go into infinite recursion if the @:@ metasymbol wasn't found in the alias file. Improve error message on newaliases if database files cannot be opened or if running with no database format defined. Do a better estimation of the size of error messages when NoReturn is set. Problem noted by P{r (Pell) Emanuelsson. Fix a problem causing the "c" option (don't connect to expensive mailers) to be ignored in SMTP. Problem noted and the solution suggested by Robert Elz of The University of Melbourne. Improve connection caching algorithm by passing "[host]" to hostsignature, which strips the square brackets and returns the real name. This allows mailertable entries to match regular entries. Re-enable Return-Receipt-To: -- people seem to want this stupid feature, even if it doesn't work right. Catch and log attempts to try the "wiz" command in server SMTP. This also ups the log level from LOG_NOTICE to LOG_CRIT. Be more generous at assigning $z to the home directory -- do this for programs that are specified through a .forward file. Fix from Andrew Chang of Sun Microsystems. Always save a fatal error message in preference to a non-fatal error message so that the "subject" line of return messages is the best possible. CONFIG: reduce the number of quotes needed to quote configuration parameters with commas: two quotes should work now, e.g., define(ALIAS_FILE, ``/etc/aliases,/etc/aliases.local''). CONFIG: class $=Z is a set of UUCP hosts that use uucp-dom connections (domain-ized UUCP). CONFIG: fix bug in default maps (-o must be before database file name). Pointed out by Christophe Wolfhugel. CONFIG: add FEATURE(nodns) to state that we are not relying on DNS. This would presumably be used in UUCP islands. CONFIG: add OSTYPE(nextstep) and OSTYPE(linux). CONFIG: log $u in Received: line. This is in technical violation of the standards, since it doesn't guarantee a domain on the address. CONFIG: don't assume "m" in local mailer flags -- this means that if you redefine LOCAL_MAILER_FLAGS you will have to include the "m" flag should you want it. Apparently some Solaris 2.2 installations can't handle multiple local recipients. Problem noted by Josh Smith. CONFIG: add confDOMAIN_NAME to set $j (if undefined, $j defaults). CONFIG: change default version level from 4 to 5. CONFIG: add FEATURE(nullclient) to create a config file that forwards all mail to a hub without ever looking at the addresses in any detail. CONFIG: properly strip mailer: information off of relays when used to change .BITNET form into %-hack form. CONFIG: fix a problem that caused infinite loops if presented with an address such as "!foo". CONFIG: check for self literal (e.g., [128.32.131.12]) even if the reverse "PTR" mapping is broken. There's a better way to do this, but the change is fairly major and I want to hold it for another release. Problem noted by Bret Marquis. 8.5/8.5 1993/07/23 Serious bug: if you used a command line recipient that was unknown sendmail would not send a return message (it was treating everything as though it had an SMTP-style client that would do the return itself). Problem noted by Josh Smith. Change "trymx" option in getcanonname() to ignore all MX data, even during a T_ANY query. This actually didn't break anything, because the only time you called getcanonname with !trymx was if you already knew there were no MX records, but it is somewhat cleaner. From Motonori Nakamura. Don't call getcanonname from getmxrr if you already know there are no DNS records matching the name. Fix a problem causing error messages to always include "The original message was received ... from localhost". The correct original host information is now included. Previous change to cf/sh/makeinfo.sh doesn't port to Ultrix (their version of "test" doesn't have the -x flag). Change it to use -f instead. From John Myers. CONFIG: 8.4 mistakenly set the default SMTP-style mailer to esmtp -- it should be smtp. CONFIG: send all relayed mail using confRELAY_MAILER (defaults to "relay" (a variant of "smtp") if MAILER(smtp) is used, else "suucp" if MAILER(uucp) is used, else "unknown"); this cleans up the configs somewhat. This fixes a serious problem that caused route-addrs to get mistaken as relays, pointed out by John Myers. WARNING: this also causes the default on SMART_HOST to change from "suucp" to "relay" if you have MAILER(smtp) specified. 8.4/8.4 1993/07/22 Add option `w'. If you receive a message that comes to you because you are the best (lowest preference) target of an MX, and you haven't explicitly recognized the source MX host in your .cf file, this option will cause you to try the target host directly (as if there were no MX for it at all). If `w' is not set, this case is a configuration error. Beware: if `w' is set, senders may get bogus errors like "message timed out" or "host unknown" for problems that are really configuration errors. This option is disrecommended, provided only for compatibility with UIUC sendmail. Fix a problem that caused the incoming socket to be left open when sendmail forks after the DATA command. This caused calling systems to wait in FIN_WAIT_2 state until the entire list was processed and the child closed -- a potentially prodigious amount of time. Problem noted by Neil Rickert. Fix problem (created in 6.64) that caused mail sent to multiple addresses, one of which was a bad address, to completely suppress the sending of the message. This changes handling of EF_FATALERRS somewhat, and adds an EF_GLOBALERRS flag. This also fixes a potential problem with duplicate error messages if there is a syntax error in the header of a message that isn't noticed until late in processing. Original problem pointed out by Josh Smith of Harvey Mudd College. This release includes quite a bit of dickering with error handling (see below). Back out SMTP transaction if MAIL gets nested 501 error. This will only hurt already-broken software and should help humans. Fix a problem that broke aliases when neither NDBM nor NEWDB were compiled in. It would never read the alias file. Repair unbalanced `)' and `>' (the "open" versions are already repaired). Logging of "done" in dropenvelope() was incorrect: it would log this even when the queue file still existed. Change this to only log "done" (at log level 11) when the queue file is actually removed. From John Myers. Log "lost connection" in server SMTP at log level 20 if there is no pending transaction. Some senders just close the connection rather than sending QUIT. Fix a bug causing getmxrr to add a dot to the end of unqualified domains that do not have MX records -- this would cause the subsequent host name lookup to fail. The problem only occurred if you had FEATURE(nocanonify) set. Problem noted by Rick McCarty of Texas Instruments. Fix invocation of setvbuf when passed a -X flag -- I had unwittingly used an ANSI C extension, and this caused core dumps on some machines. Diagnose self-destructive alias loops on RCPT as well as EXPN. Previously it just gave an empty send queue, which then gave either "Need RCPT (recipient)" at the DATA (confusing, since you had given an RCPT command which returned 250) or just dropped the email, depending on whether you were running VERBose mode. Now it usually diagnoses this case as "aliasing/forwarding loop broken". Unfortunately, it still doesn't adequately diagnose some true error conditions. Add internal concept of "warning messages" using 6xx codes. These are not reported only to Postmaster. Unbalanced parens, brackets, and quotes are printed as 653 codes. They are always mapped to 5xx codes before use in SMTP. Clean up error messages to tell both the actual address that failed and the alias they arose from. This makes it somewhat easier to diagnose problems. Difficulty noted by Motonori Nakamura. Fix a problem that inappropriately added a ctladdr to addresses that shouldn't have had one during a queue run. This caused error messages to be handled differently during a queue run than a direct run. Don't print the qf name and line number if you get errors during the direct run of the queue from srvrsmtp -- this was just extra stuff for users to crawl through. Put command line flags on second line of pid file so you can auto-restart the daemon with all appropriate arguments. Use "kill `head -1 /etc/sendmail.pid`" to stop the daemon, and "eval `tail -1 /etc/sendmail.pid`" to restart it. Remove the ``setuid(getuid())'' in main -- this caused the IDENT daemon to screw up. This required that I change HASSETEUID to HASSETREUID and complicate the mode changing somewhat because both Ultrix and SunOS seem to have a bug causing seteuid() to set the saved uid as well as the effective. The program test/t_setreuid.c will test to see if your implementation of setreuid(2) is appropriately functional. The FallBackMXhost (option V) handling failed to properly identify fallback to yourself -- most of the code was there, but it wasn't being enabled. Problem noted by Murray Kucherawy of the University of Waterloo. Change :include: open timeout from ETIMEDOUT to an internal code EOPENTIMEOUT; this avoids adding "during SmtpPhase with CurHostName" in error messages, which can be confusing. Reported by Jonathan Kamens of OpenVision Technologies. Back out setpgrp (setpgid on POSIX systems) call to reset the process group id. The original fix was to get around some problems with recalcitrant MUAs, but it breaks any call from a shell that creates a process group id different from the process id. I could try to fix this by diddling the tty owner (using tcsetpgrp or equivalent) but this is too likely to break other things. Portability changes: Support -M as equivalent to -oM on Ultrix -- apparently DECnet calls sendmail with -MrDECnet -Ms -bs instead of using standard flags. Oh joy. This behavior reported by Jon Giltner of University of Colorado. SGI IRIX -- this includes several changes that should help other strict ANSI compilers. SCO Unix -- from Murray Kucherawy of HookUp Communication Corporation. Solaris running the Sun C compiler (which despite the documentation apparently doesn't define __STDC__ by default). ConvexOS from Eric Schnoebelen of Convex. Sony NEWS workstations and Omron LUNA workstations from Motonori Nakamura. CONFIG: add confTRY_NULL_MX_LIST to set option `w'. CONFIG: delete `C' and `e' from default SMTP mailers flags; several people have made a good argument that this creates more problems than it solves (although this may prove painful in the short run). CONFIG: generalize all the relays to accept a "mailer:host" format. CONFIG: move local processing in ruleset 0 into a new ruleset 98 (8 on old sendmail). Domain literal [a.b.c.d] addresses are also passed through this ruleset. CONFIG: if neither SMART_HOST nor MAILER(smtp) were defined, internet-style addresses would "fall off the end" of ruleset zero and be interpreted as local -- however, the angle brackets confused the recursive call. These are now diagnosed as "Unrecognized host name". CONFIG: USENET rules weren't included in S0 because of a mistaken ifdef(`_MAILER_USENET_') instead of ifdef(`_MAILER_usenet_'). Problem found by Rein Tollevik of SINTEF RUNIT, Oslo. CONFIG: move up LOCAL_RULE_0 processing so that it happens very early in ruleset 0; this allows .mc authors to bypass things like the "short circuit" code for local addresses. Prompted by a comment by Bill Wisner of The Well. CONFIG: add confSMTP_MAILER to define the mailer used (smtp or esmtp) to send SMTP mail. This allows you to default to esmtp but use a mailertable or other override to deal with broken servers. This logic was pointed out to me by Bill Wisner. Ditto for confLOCAL_MAILER. Changes to cf/sh/makeinfo.sh to make it portable to SVR4 environments. Ugly as sin. 8.3/8.3 1993/07/13 Fix setuid problems introduced in 8.2 that caused messages like "Cannot create qfXXXXXX: Invalid argument" or "Cannot reopen dfXXXXXX: Permission denied". This involved a new compile flag "HASSETEUID" that takes the place of the old _POSIX_SAVED_IDS -- it turns out that the POSIX interface is broken enough to break some systems badly. This includes some fixes for HP-UX. Also fixes problems where the real uid is not reset properly on startup (from Neil Rickert). Fix a problem that caused timed out messages to not report the addresses that timed out. Error messages are also more "user friendly". Drop required bandwidth on connections from 64 bytes/sec to 16 bytes/sec. Further Solaris portability changes -- doesn't require the BSD compatibility library. This also adds a new "HASGETDTABLESIZE" compile flag which can be used if you want to use getdtablesize(2) instead of sysconf(2). These are loosely based on changes from David Meyer at University of Oregon. This now seems to work, at least for quick test cases. Fix a problem that can cause duplicate error messages to be sent if you are in SMTP, you send to multiple addresses, and at least one of those addresses is good and points to an account that has a .forward file (whew!). Fix a problem causing messages to be discarded if checkcompat() returned EX_TEMPFAIL (because it didn't properly mark the "to" address). Problem noted by John Myers. Fix dfopen to return NULL if the open failed; I was depending on fdopen(-1) returning NULL, which isn't the case. This isn't serious, but does result in weird error diagnoses. From Michael Corrigan. CONFIG: add UUCP_MAX_SIZE M4 macro to set the maximum size of messages sent through UUCP-family mailers. Suggested by Bill Wisner of The Well. CONFIG: if both MAILER(uucp) and MAILER(smtp) are specified, include a "uucp-dom" mailer that uses domain-style addressing. Suggested by Bill Wisner. CONFIG: Add LOCAL_SHELL_FLAGS and LOCAL_SHELL_ARGS to match LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS. Suggested by Christophe Wolfhugel. CONFIG: Add OSTYPE(aix3). From Christophe Wolfhugel. 8.2/8.2 1993/07/11 Don't drop out on config file parse errors in -bt mode. On older configuration files, assume option "l" (use Errors-To header) for back compatibility. NOTE: this DOES NOT imply an endorsement of the Errors-To: header in any way. Accept -x flag on AIX-3 as well as OSF/1. Why, why, why??? Don't log errors on EHLO -- it isn't a "real" error for an old SMTP server to give an error on this command, and logging it in the transcript can be confusing. Fix from Bill Wisner. IRIX compatibility changes provided by Dan Rich . Solaris 2 compatibility changes. Provided by Bob Cunningham , John Oleynick Debugging: -d17 was overloaded (hostsignature and usersmtp.c); move usersmtp (smtpinit and smtpmailfrom) to -d18 to match the other flags in that file. Flush transcript before fork in mailfile(). From Eric Wassenaar. Save h_errno in mci struct and improve error message display. Changes from Eric Wassenaar. Open /dev/null for the transcript if the create of the xf file failed; this avoids at least one possible null pointer reference in very weird cases. From Eric Wassenaar. Clean up statistics gathering; it was over-reporting because of forks. From Eric Wassenaar. Fix problem that causes old Return-Path: line to override new Return-Path: line (conf.c needs H_FORCE to avoid re-using old value). From Motonori Nakamura. Fix broken -m flag in K definition -- even if -m (match only) was specified, it would still replace the key with the value. Noted by Rick McCarty of Texas Instruments. If the name server timed out over several days, no "timed out" message would ever be sent back. The timeout code has been moved from markfailure() to dropenvelope() so that all such failures should be diagnosed. Pointed out by Christophe Wolfhugel and others. Relax safefile() constraints: directories in an include or forward path must be readable by self if the controlling user owns the entry, readable by all otherwise (e.g., when reading your .forward file, you have to own and have X permission in it; everyone needs X permission in the root and directories leading up to your home); include files must be readable by anyone, but need not be owned by you. If _POSIX_SAVED_IDS is defined, setuid to the owner before reading a .forward file; this gets around some problems on NFS mounts if root permission is not exported and the user's home directory isn't x'able. Additional NeXT portability enhancements from Axel Zinser. Additional HP-UX portability enhancements from Brian Bullen. Add a timeout around SMTP message writes; this assumes you can get throughput of at least 64 bytes/second. Note that this does not impact the "datafinal" default, which is separate; this is just intended to work around network clogs that will occur before the final dot is sent. From Eric Wassenaar. Change map code to set the "include null" flag adaptively -- it initially tries both, but if it finds anything matching without a null it never tries again with a null and vice versa. If -N is specified, it never tries without the null and creates new maps with a null byte. If -O is specified, it never tries with the null (for efficiency). If -N and -O are specified, you get -NO (get it?) lookup at all, so this would be a bad idea. If you don't specify either -N or -O, it adapts. Fix recognition of "same from address" so that MH submissions will insert the appropriate full name information; this used to work and got broken somewhere along the way. Some changes to eliminate some unnecessary SYSERRs in the log. For example, if you lost a connection, don't bother reporting that fact on the connection you lost. Add some "extended debugging" flags to try to track down why we get occasional problems with file descriptor one being closed when execing a mailer; it seems to only happen when there has been another error in the same transaction. This requires XDEBUG, defined by default in conf.h. Add "-X filename" command line flag, which logs both sides of all SMTP transactions. This is intended ONLY for debugging bad implementations of other mailers; start it up, send a message from a mailer that is failing, and then kill it off and examine the indicated log. This output is not intended to be particularly human readable. This also adds the HASSETVBUF compile flag, defaulted on if your compiler defines __STDC__. CONFIG: change SMART_HOST to override an SMTP mailer. If you have a local net that should get direct connects, you will need to use LOCAL_NET_CONFIG to catch these hosts. See cf/README for an example. CONFIG: add LOCAL_MAILER_ARGS (default: `mail -d $u') to handle sites that don't use the -d flag. CONFIG: hide recipient addresses as well as sender addresses behind $M if FEATURE(allmasquerade) is specified; this has been requested by several people, but can break local aliases. For example, if you mail to "localalias" this will be rewritten as "localalias@masqueradehost"; although initial delivery will work, replies will be broken. Use it sparingly. CONFIG: add FEATURE(domaintable). This maps unqualified domains to qualified domains in headers. I believe this is largely equivalent to the IDA feature of the same name. CONFIG: use $U as UUCP name instead of $k. This permits you to override the "system name" as your UUCP name -- in particular, to use domain-ized UUCP names. From Bill Wisner of The Well. CONFIG: create new mailer "esmtp" that always tries EHLO first. This is currently unused in the config files, but could be used in a mailertable entry. 8.1C/8.1B 1993/06/27 Serious security bug fix: it was possible to read any file on the system, regardless of ownership and permissions. If a subroutine returns a fully qualified address, return it immediately instead of feeding it back into rewriting. This fixes a problem with mailertable lookups. CONFIG: fix some M4 frotz (concat => CONCAT) 8.1B/8.1A 1993/06/12 Serious bug fix: pattern matching backup algorithm stepped by two tokens in classes instead of one. Found by Claus Assmann at University of Kiel, Germany. 8.1A/8.1A 1993/06/08 Another mailertable fix.... 8.1/8.1 1993/06/07 4.4BSD freeze. No semantic changes.