DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Sendmail Version 8.12.9 Release Notes

Sendmail Version 8.12.9 Release Notes

The following are the release notes for the 8.12.9 version of sendmail(1M), plus the 8.12.10 security features included on Unixware. These notes were provided by sendmail.org, and are part of the sendmail distribution.

We list below only the changes since the previous version of sendmail included with UnixWare (version 8.10.1).

Note that the version numbers at the beginning of each section below indicate the versions of sendmail and it configuration file sendmail.cf, respectively, to which the notes apply.

Also see ..

   8.12.10/8.12.10	2003/09/24
   	SECURITY: Fix a buffer overflow in address parsing.  Problem
   		detected by Michal Zalewski, patch from Todd C. Miller
   		of Courtesan Consulting.
   

8.12.9/8.12.9 2003/03/29 SECURITY: Fix a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable. Problem found by Michal Zalewski. Note: an MTA that is not patched might be vulnerable to data that it receives from untrusted sources, which includes DNS. To provide partial protection to internal, unpatched sendmail MTAs, 8.12.9 changes by default (char)0xff to (char)0x7f in headers etc. To turn off this conversion compile with -DALLOW_255 or use the command line option -d82.101. To provide partial protection for internal, unpatched MTAs that may be performing 7->8 or 8->7 bit MIME conversions, the default for MaxMimeHeaderLength has been changed to 2048/1024. Note: this does have a performance impact, and it only protects against frontal attacks from the outside. To disable the checks and return to pre-8.12.9 defaults, set MaxMimeHeaderLength to 0/0. Do not complain about -ba when submitting mail. Problem noted by Derek Wueppelmann. Fix compilation with Berkeley DB 1.85 on systems that do not have flock(2). Problem noted by Andy Harper of Kings College London. Properly initialize data structure for dns maps to avoid various errors, e.g., looping processes. Problem noted by Maurice Makaay of InterNLnet B.V. CONFIG: Prevent multiple application of rule to add smart host. Patch from Andrzej Filip. CONFIG: Fix queue group declaration in MAILER(`usenet'). CONTRIB: buildvirtuser: New option -t builds the virtusertable text file instead of the database map. Portability: Revert wrong change made in 8.12.7 and actually use the builtin getopt() version in sendmail on Linux. This can be overridden by using -DSM_CONF_GETOPT=0 in which case the OS supplied version will be used.

8.12.8/8.12.8 2003/02/11 SECURITY: Fix a remote buffer overflow in header parsing by dropping sender and recipient header comments if the comments are too long. Problem noted by Mark Dowd of ISS X-Force. Fix a potential non-exploitable buffer overflow in parsing the .cf queue settings and potential buffer underflow in parsing ident responses. Problem noted by Yichen Xie of Stanford University Compilation Group. Fix ETRN #queuegroup command: actually start a queue run for the selected queue group. Problem noted by Jos Vos. If MaxMimeHeaderLength is set and a malformed MIME header is fixed, log the fixup as "Fixed MIME header" instead of "Truncated MIME header". Problem noted by Ian J Hart. CONFIG: Fix regression bug in proto.m4 that caused a bogus error message: "FEATURE() should be before MAILER()". MAIL.LOCAL: Be more explicit in some error cases, i.e., whether a mailbox has more than one link or whether it is not a regular file. Patch from John Beck of Sun Microsystems.

8.12.7/8.12.7 2002/12/29 Properly clean up macros to avoid persistence of session data across various connections. This could cause session oriented restrictions, e.g., STARTTLS requirements, to erroneously allow a connection. Problem noted by Tim Maletic of Priority Health. Do not lookup MX records when sorting the MSP queue. The MSP only needs to relay all mail to the MTA. Problem found by Gary Mills of the University of Manitoba. Do not restrict the length of connection information to 100 characters in some logging statements. Problem noted by Erik Parker. When converting an enhanced status code to an exit status, use EX_CONFIG if the first digit is not 2, 4, or 5 or if *.1.5 is used. Reset macro $x when receiving another MAIL command. Problem noted by Vlado Potisk of Wigro s.r.o. Don't bother setting the permissions on the build area statistics file, the proper permissions will be put on the file at install time. This fixes installation over NFS for some users. Problem noted by Martin J. Dellwo of 3-Dimensional Pharmaceuticals, Inc. Fix problem of decoding SASLv2 encrypted data. Problem noted by Alex Deiter of Mobile TeleSystems, Komi Republic. Log milter socket open errors at MilterLogLevel 1 or higher instead of 11 or higher. Print early system errors to the console instead of silently exiting. Problem noted by James Jong of IBM. Do not process a queue group if Runners is set to 0, regardless of whether F=f or sendmail is run in verbose mode (-v). The use of -qGname will still force queue group "name" to be run even if Runners=0. Change the level for logging the fact that a daemon is refusing connections due to high load from LOG_INFO to LOG_NOTICE. Patch from John Beck of Sun Microsystems. Use location information for submit.cf from NetInfo (/locations/sendmail/submit.cf) if available. Re-enable ForkEachJob which was lost in 8.12.0. Problem noted by Neil Rickert of Northern Illinois University. Make behavior of /canon in debug mode consistent with usage in rulesets. Patch from Shigeno Kazutaka of IIJ. Fix a potential memory leak in envelope splitting. Problem noted by John Majikes of IBM. Do not try to share an mailbox database LDAP connection across different processes. Problem noted by Randy Kunkee. Fix logging for undelivered recipients when the SMTP connection times out during message collection. Problem noted by Neil Rickert of Northern Illinois University. Avoid problems with QueueSortOrder=random due to problems with qsort() on Solaris (and maybe some other operating systems). Problem noted by Stephan Schulz of Gruner+Jahr.. If -f "" is specified, set the sender address to "<>". Problem noted by Matthias Andree. Fix formatting problem of footnotes for plain text output on some versions of tmac. Patch from Per Hedeland. Portability: Berkeley DB 4.1 support (requires at least 4.1.25). Some getopt(3) implementations in GNU/Linux are broken and pass a NULL pointer to an option which requires an argument, hence the builtin version of sendmail is used instead. This can be overridden by using -DSM_CONF_GETOPT=0. Problem noted by Vlado Potisk of Wigro s.r.o. Support for nph-1.2.0 from Mark D. Roth of the University of Illinois at Urbana-Champaign. Support for FreeBSD 5.0's MAC labeling from Robert Watson of the TrustedBSD Project. Support for reading the number of processors on an IRIX system from Michel Bourget of SGI. Support for UnixWare 7.1 based on input from Larry Rosenman. Interix support from Nedelcho Stanev of Atlantic Sky Corporation. Update Mac OS X/Darwin portability from Wilfredo Sanchez. CONFIG: Enforce tls_client restrictions even if delay_checks is used. Problem noted by Malte Starostik. CONFIG: Deal with an empty hostname created via bogus DNS entries to get around access restrictions. Problem noted by Kai Schlichting. CONFIG: Use FEATURE(`msp', `[127.0.0.1]') in submit.mc by default to avoid problems with hostname resolution for localhost which on many systems does not resolve to 127.0.0.1 (or ::1 for IPv6). If you do not use IPv4 but only IPv6 then you need to change submit.mc accordingly, see the comment in the file itself. CONFIG: Set confDONT_INIT_GROUPS to True in submit.mc to avoid error messages from initgroups(3) on AIX 4.3 when sending mail to non-existing users. Problem noted by Mark Roth of the University of Illinois at Urbana-Champaign. CONFIG: Allow local_procmail to override local_lmtp settings. CONFIG: Always allow connections from 127.0.0.1 or IPv6:::1 to relay. CONTRIB: cidrexpand: Deal with the prefix tags that may be included in access_db. CONTRIB: New version of doublebounce.pl contributed by Leo Bicknell. LIBMILTER: On Solaris libmilter may get into an endless loop if an error in the communication from/to the MTA occurs. Patch from Gurusamy Sarathy of Active State. LIBMILTER: Ignore EINTR from sigwait(3) which may happen on Tru64. Patch from from Jose Marcio Martins da Cruz of Ecole Nationale Superieure des Mines de Paris. MAIL.LOCAL: Fix a truncation race condition if the close() on the mailbox fails. Problem noted by Tomoko Fukuzawa of Sun Microsystems. MAIL.LOCAL: Fix a potential file descriptor leak if mkstemp(3) fails. Patch from John Beck of Sun Microsystems. SMRSH: SECURITY: Only allow regular files or symbolic links to be used for a command. Problem noted by David Endler of iDEFENSE, Inc. New Files: devtools/OS/Interix include/sm/bdb.h

8.12.6/8.12.6 2002/08/26 Do not add the FallbackMXhost (or its MX records) to the list returned by the bestmx map when -z is used as option. Otherwise sendmail may act as an open relay if FallbackMXhost and FEATURE(`relay_based_on_MX') are used together. Problem noted by Alexander Ignatyev. Properly split owner- mailing list messages when SuperSafe is set to interactive. Problem noted by Todd C. Miller of Courtesan Consulting. Make sure that an envelope is queued in the selected queue group even if some recipients are deleted or invalid. Problem found by Chris Adams of HiWAAY Informations Services. Do not send a bounce message if a message is completely collected from the SMTP client. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Provide an 'install-submit-st' target for sendmail/Makefile to install the MSP statistics file using the file named in the confMSP_STFILE devtools variable. Requested by Jeff Earickson of Colby College. Queue up mail with a temporary error if setusercontext() fails during a delivery attempt. Patch from Todd C. Miller of Courtesan Consulting. Fix handling of base64 encoded client authentication data for SMTP AUTH. Patch from Elena Slobodnik of life medien GmbH. Set the OpenLDAP option LDAP_OPT_RESTART so the client libraries restart interrupted system calls. Problem noted by Luiz Henrique Duma of BSIOne. Prevent a segmentation fault if a program passed a NULL envp using execve(). Document a problem with the counting of queue runners that may cause delays if MaxQueueChildren is set too low. Problem noted by Ian Duplisse of Cable Television Laboratories, Inc. If discarding a message based on a recipient, don't try to look up the recipient in the mailbox database if F=w is set. This allows users to discard bogus recipients when dealing with spammers without tipping them off. Problem noted by Neil Rickert of Northern Illinois University. If applying a header check to a header with unstructured data, e.g., Subject:, then do not run syntax checks that are supposed for addresses on the header content. Count messages rejected/discarded via the check_data ruleset. Portability: Fix compilation on systems which do not allow simple copying of the variable argument va_list. Based on fix from Scott Walters. Fix NSD map open bug. From Michel Bourget of SGI. Add some additional IRIX shells to the default shell list. From Michel Bourget of SGI. Fix compilation issues on Mac OS X 10.2 (Darwin 6.0). NETISO support has been dropped. CONFIG: There was a seemingly minor change in 8.12.4 with respect to handling entries of IP nets/addresses with RHS REJECT. These would be rejected in check_rcpt instead of only being activated in check_relay. This change has been made to avoid potential bogus temporary rejection of relay attempts "450 4.7.1 Relaying temporarily denied. Cannot resolve PTR record for ..." if delay_checks is enabled. However, this modification causes a change of behavior if an IP net/address is listed in the access map with REJECT and a host/domain name is listed with OK or RELAY, hence it has been reversed such that the behavior of 8.12.3 is restored. The original change was made on request of Neil Rickert of Northern Illinois University, the side effect has been found by Stefaan Van Hoornick. CONFIG: Make sure delay_checks works even for sender addresses using the local hostname ($j) or domains in class {P}. Based on patch from Neil Rickert of Northern Illinois University. CONFIG: Fix temporary error handling for LDAP Routing lookups. Fix from Andrzej Filip. CONTRIB: New version of etrn.pl script and external man page (etrn.0) from John Beck of Sun Microsystems. LIBMILTER: Protect a free(3) operation from being called with a NULL pointer. Problem noted by Andrey J. Melnikoff. LIBMILTER: Protect against more interrupted select() calls. Based on patch from Jose Marcio Martins da Cruz of Ecole Nationale Superieure des Mines de Paris. New Files: contrib/etrn.0

8.12.5/8.12.5 2002/06/25 SECURITY: The DNS map can cause a buffer overflow if the user specifies a dns map using TXT records in the configuration file and a rogue DNS server is queried. None of the sendmail supplied configuration files use this option hence they are not vulnerable. Problem noted independently by Joost Pol of PINE Internet and Anton Rang of Sun Microsystems. Unprintable characters in responses from DNS servers for the DNS map type are changed to 'X' to avoid potential problems with rogue DNS servers. Require a suboption when setting the Milter option. Problem noted by Bryan Costales. Do not silently overwrite command line settings for DirectSubmissionModifiers. Problem noted by Bryan Costales. Prevent a segmentation fault when clearing the event list by turning off alarms before checking if event list is empty. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Close a potential race condition in transitioning a memory buffered file onto disk. From Janani Devarajan of Sun Microsystems. Portability: Include paths.h on Linux systems running glibc 2.0 or later to get the definition for _PATH_SENDMAIL, used by rmail and vacation. Problem noted by Kevin A. McGrail of Peregrine Hardware. NOTE: Linux appears to have broken flock() again. Unless the bug is fixed before sendmail 8.13 is shipped, 8.13 will change the default locking method to fcntl() for Linux kernel 2.4 and later. You may want to do this in 8.12 by compiling with -DHASFLOCK=0. Be sure to update other sendmail related programs to match locking techniques.

8.12.4/8.12.4 2002/06/03 SECURITY: Inherent limitations in the UNIX file locking model can leave systems open to a local denial of service attack. Be sure to read the "FILE AND MAP PERMISSIONS" section of the top level README for more information. Problem noted by lumpy. Use TempFileMode (defaults to 0600) for the permissions of PidFile instead of 0644. Change the default file permissions for new alias database files from 0644 to 0640. This can be overridden at compile time by setting the DBMMODE macro. Fix a potential core dump problem if the environment variable NAME is set. Problem noted by Beth A. Chaney of Purdue University. Expand macros before passing them to libmilter. Problem noted by Jose Marcio Martins da Cruz of Ecole Nationale Superieure des Mines de Paris. Rewind the df (message body) before truncating it when libmilter replaces the body of a message. Problem noted by Gisle Aas of Active State. Change SMTP reply code for AUTH failure from 500 to 535 and the initial zero-length response to "=" per RFC 2554. Patches from Kenneth Murchison of Oceana Matrix Ltd. Do not try to fix broken message/rfc822 MIME attachments by inserting a MIME-Version: header when MaxMimeHeaderLength is set and no 8 to 7 bit conversion is needed. Based on patch from Rehor Petr of ICZ (Czech Republic). Do not log "did not issue MAIL/EXPN/VRFY/ETRN" if the connection is rejected anyway. Noted by Chris Loelke. Mention the submission mail queue in the mailq man page. Requested by Bill Fenner of AT&T. Set ${msg_size} macro when reading a message from the command line or the queue. Detach from shared memory before dropping privileges back to user who started sendmail. If AllowBogusHELO is set to false (default) then also complain if the argument to HELO/EHLO contains white space. Suggested by Seva Gluschenko of Cronyx Plus. Allow symbolicly linked forward files in writable directory paths if both ForwardFileInUnsafeDirPath and LinkedForwardFileInWritableDir DontBlameSendmail options are set. Problem noted by Werner Spirk of Leibniz-Rechenzentrum Munich. Portability: Operating systems that lack the ftruncate() call will not be able to use Milter's body replacement feature. This only affects Altos, Maxion, and MPE/iX. Digital UNIX 5.0 has changed flock() semantics to be non-compliant. Problem noted by Martin Mokrejs of Charles University in Prague. The sparc64 port of FreeBSD 5.0 now supports shared memory. CONFIG: FEATURE(`preserve_luser_host') needs the macro map. Problem noted by Andrzej Filip. CONFIG: Using 'local:' as a mailertable value with FEATURE(`preserve_luser_host') and LUSER_RELAY caused mail to be misaddressed. Problem noted by Andrzej Filip. CONFIG: Provide a workaround for DNS based rejection lists that fail for AAAA queries. Problem noted by Chris Boyd. CONFIG: Accept the machine's hostname as resolvable when checking the sender address. This allows locally submitted mail to be accepted if the machine isn't connected to a nameserver and doesn't have an /etc/hosts entry for itself. Problem noted by Robert Watson of the TrustedBSD Project. CONFIG: Use deferred expansion for checking the ${deliveryMode} macro in case the SMTP VERB command is used. Problem noted by Bryan Costales. CONFIG: Avoid a duplicate '@domain' virtusertable lookup if no matches are found. Fix from Andrzej Filip. CONFIG: Fix wording in default dnsbl rejection message. Suggested by Lou Katz of Metron Computerware, Ltd. CONFIG: Add mailer cyrusv2 for Cyrus V2. Contributed by Kenneth Murchison of Oceana Matrix Ltd. CONTRIB: Fix wording in default dnsblaccess rejection message to match dnsbl change. DEVTOOLS: Add new option for access mode of statistics file, confSTMODE, which specifies the permissions when initially installing the sendmail statistics file. LIBMILTER: Mark the listening socket as close-on-exec in case a user's filter starts other applications. LIBSM: Allow the MBDB initialize, lookup, and/or terminate functions in SmMbdbTypes to be set to NULL. MAKEMAP: Change the default file permissions for new databases from 0644 to 0640. This can be overridden at compile time by setting the DBMMODE macro. SMRSH: Fix man page bug: replace SMRSH_CMDBIN with SMRSH_CMDDIR. Problem noted by Dave Alden of Ohio State University. VACATION: When listing the vacation database (-l), don't show bogus timestamps for excluded (-x) addresses. Problem noted by Bryan Costales. New Files: cf/mailer/cyrusv2.m4

8.12.3/8.12.3 2002/04/05 NOTICE: In general queue files should not be moved if queue groups are used. In previous versions this could cause mail not to be delivered if a queue file is repeatedly moved by an external process whenever sendmail moved it back into the right place. Some precautions have been taken to avoid moving queue files if not really necessary. sendmail may use links to refer to queue files and it may store the path of data files in queue files. Hence queue files should not be moved unless those internals are understood and the integrity of the files is not compromised. Problem noted by Anne Bennett of Concordia University. If an error mail is created, and the mail is split across different queue directories, and SuperSafe is off, then write the mail to disk before splitting it, otherwise an assertion is triggered. Problem tracked down by Henning Schmiedehausen of INTERMETA. Fix possible race condition that could cause sendmail to forget running queues. Problem noted by Jeff Wasilko of smoe.org. Handle bogus qf files better without triggering assertions. Problem noted by Guy Feltin. Protect against interrupted select() call when enforcing Milter read and write timeouts. Patch from Gurusamy Sarathy of ActiveState. Matching queue IDs with -qI should be case sensitive. Problem noted by Anne Bennett of Concordia University. If privileges have been dropped, don't try to change group ID to the RunAsUser group. Problem noted by Neil Rickert of Northern Illinois University. Fix SafeFileEnvironment path munging when the specified path contains a trailing slash. Based on patch from Dirk Meyer of Dinoex. Do not limit sendmail command line length to SM_ARG_MAX (usually 4096). Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Clear full name of sender for each new envelope to avoid bogus data if several mails are sent in one session and some of them do not have a From: header. Problem noted by Bas Haakman. Change timeout check such that cached information about a connection will be immediately invalid if ConnectionCacheTimeout is zero. Based on patch from David Burns of Portland State University. Properly count message size for mailstats during mail collection. Problem noted by Werner Wiethege. Log complete response from LMTP delivery agent on failure. Based on patch from by Motonori Nakamura of Kyoto University. Provide workaround for getopt() implementations that do not catch missing arguments. Fix the message size calculation if the message body is replaced by a milter filter and buffered file I/O is being used. Problem noted by Sergey Akhapkin of Dr.Web. Do not honor SIGUSR1 requests if running with extra privileges. Problem noted by Werner Wiethege. Prevent a file descriptor leak on mail delivery if the initial connect fails and DialDelay is set. Patch from Servaas Vandenberghe of Katholieke Universiteit Leuven. Properly deal with a case where sendmail is called by root running a set-user-ID (non-root) program. Problem noted by Jon Lusky of ISS Atlanta. Avoid leaving behind stray transcript (xf) files if multiple queue directories are used and mail is sent to a mailing list which has an owner- alias. Problem noted by Anne Bennett of Concordia University. Fix class map parsing code if optional key is specified. Problem found by Mario Nigrovic. The SMTP daemon no longer tries to fix up improperly dot-stuffed incoming messages. A leading dot is always stripped by the SMTP receiver regardless of whether or not it is followed by another dot. Problem noted by Jordan Ritter of darkridge.com. Fix corruption when doing automatic MIME 7-bit quoted-printable or base64 encoding to 8-bit text. Problem noted by Mark Elvers. Correct the statistics gathered for total number of connections. Instead of being the exact same number as the total number of messages (T line in mailstats) it now represents the total number of TCP connections. Be more explicit about syntax errors in addresses, especially non-ASCII characters, and properly create DSNs if necessary. Problem noted by Leena Heino of the University of Tampere. Prevent small timeouts from being lost on slow machines if itimers are used. Problem noted by Suresh Ramasubramanian. Prevent a race condition on child cleanup for delivery to files. Problem noted by Fletcher Mattox of the University of Texas. Change the SMTP error code for temporary map failures from 421 to 451. Do not assume that realloc(NULL, size) works on all OS (this was only done in one place: queue group creation). Based on patch by Bryan Costales. Initialize Timeout.iconnect in the code to prevent randomly short timeouts. Problem noted by Bradley Watts of AT&T Canada. Do not try to send a second SMTP QUIT command if the remote responds to a MAIL command with a 421 reply or on I/O errors. By doing so, the host was marked as having a temporary problem and other mail destined for that host was queued for the next queue run. Problem noted by Fletcher Mattox of the University of Texas, Allan E Johannesen of Worcester Polytechnic Institute, Larry Greenfield of CMU, and Neil Rickert of Northern Illinois University. Ignore error replies from the SMTP QUIT command (including servers which drop the connection instead of responding to the command). Portability: Check LDAP_API_VERSION to determine if ldap_memfree() is available. Define HPUX10 when building on HP-UX 10.X. That platform now gets the proper _PATH_SENDMAIL and SMRSH_CMDDIR settings. Patch from Elias Halldor Agustsson of Skyrr. Fix dependency building on Mac OS X and Darwin. Problem noted by John Beck. Preliminary support for the sparc64 port of FreeBSD 5.0. Add /sbin/sh as an acceptable user shell on HP-UX. From Rajesh Somasund of Hewlett-Packard. CONFIG: Add FEATURE(`authinfo') to allow a separate database for SMTP AUTH information. This feature was actually added in 8.12.0 but a release note was not included. CONFIG: Do not bounce mail if FEATURE(`ldap_routing')'s bounce parameter is set and the LDAP lookup returns a temporary error. CONFIG: Honor FEATURE(`relay_hosts_only') when using FEATURE(`relay_mail_from', `domain'). Problem noted by Krzysztof Oledzki. CONFIG: FEATURE(`msp') now disables any type of alias initialization as aliases are not needed for the MSP. CONFIG: Allow users to override RELAY_MAILER_ARGS when FEATURE(`msp') is in use. Patch from Andrzej Filip. CONFIG: FEATURE(`msp') uses `[localhost]' as default instead of `localhost' and turns on MX lookups for the SMTP mailers. This will only have an effect if a parameter is specified, i.e., an MX lookup will be performed on the hostname unless it is embedded in square brackets. Problem noted by Theo Van Dinter of Collective Technologies. CONFIG: Set confTIME_ZONE to USE_TZ in submit.mc (TimeZoneSpec= in submit.cf) to use $TZ for time stamps. This is a compromise to allow for the proper time zone on systems where the default results in misleading time stamps. That is, syslog time stamps and Date headers on submitted mail will use the user's $TZ setting. Problem noted by Mark Roth of the University of Illinois at Urbana-Champaign, solution proposed by Neil Rickert of Northern Illinois University. CONFIG: Mac OS X (Darwin) ships with mail.local as non-set-user-ID binary. Adjust local mailer flags accordingly. Problem noted by John Beck. CONTRIB: Add a warning to qtool.pl to not move queue files around if queue groups are used. CONTRIB: buildvirtuser: Add -f option to force rebuild. CONTRIB: smcontrol.pl: Add -f option to specify control socket. CONTRIB: smcontrol.pl: Add support for 'memdump' command. Suggested by Bryan Costales. DEVTOOLS: Add dependency generation for test programs. LIBMILTER: Remove conversion of port number for the socket structure that is passed to xxfi_connect(). Notice: this fix requires that sendmail and libmilter both have this change; mixing versions may lead to wrong port values depending on the endianness of the involved systems. Problem noted by Gisle Aas of ActiveState. LIBMILTER: If smfi_setreply() sets a custom reply code of '4XX' but SMFI_REJECT is returned, ignore the custom reply. Do the same if '5XX' is used and SMFI_TEMPFAIL is returned. LIBMILTER: Install include files in ${INCLUDEDIR}/libmilter/ as required by mfapi.h. Problem noted by Jose Marcio Martins da Cruz of Ecole Nationale Superieure des Mines de Paris. LIBSM: Add SM_CONF_LDAP_MEMFREE as a configuration define. Set this to 1 if your LDAP client libraries include ldap_memfree(). LIBSMDB: Avoid a file creation race condition for Berkeley DB 1.X and NDBM on systems with the O_EXLOCK open(2) flag. SMRSH: Fix compilation problem on some operating systems. Problem noted by Christian Krackowizer of schuler technodat GmbH. VACATION: Allow root to operate on user vacation databases. Based on patch from Greg Couch of the University of California, San Francisco. VACATION: Don't ignore -C option. Based on patch by Bryan Costales. VACATION: Clarify option usage in the man page. Problem noted by Joe Barbish. New Files: libmilter/docs/smfi_setbacklog.html

8.12.2/8.12.2 2002/01/13 Don't complain too much if stdin, stdout, or stderr are missing at startup, only log an error message. Fix potential problem if an unknown operation mode (character following -b) has been specified. Prevent purgestat from looping even if someone changes the permissions or owner of hoststatus files. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Properly record dropped connections in persistent host status. Problem noted by Ulrich Windl of the Universitat Regensburg. Remove newlines from recipients read via sendmail -t to prevent SMTP protocol errors when sending the RCPT command. Problem noted by William D. Colburn of the New Mexico Institute of Mining and Technology. Only log milter body replacements once instead of for each body chunk sent by a filter. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. In 8.12.0 and 8.12.1, the headers were mistakenly not included in the message size calculation. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Since 8.12 no longer forks at the SMTP MAIL command, the daemon needs to collect children status to avoid zombie processes. Problem noted by Chris Adams of HiWAAY Informations Services. Shut down "nullserver" and ETRN-only connections after 25 bad commands are issued. This makes it consistent with normal SMTP connections. Avoid duplicate logging of milter rejections. Problem noted by William D. Colburn of the New Mexico Institute of Mining and Technology. Error and delay DSNs were being sent to postmaster instead of the message sender if the sender had used a deprecated RFC822 source route. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Fix FallbackMXhost behavior for temporary errors during address parsing. Problem noted by Jorg Bielak from Coastal Web Online. For systems on which stat(2) does not return a value for st_blksize that is the "optimal blocksize for I/O" three new compile time flags are available: SM_IO_MAX_BUF_FILE, SM_IO_MIN_BUF, and SM_IO_MAX_BUF, which define an upper limit for regular files, and a lower and upper limit for other file types, respectively. Fix a potential deadlock if two events are supposed to occur at exactly the same time. Problem noted by Valdis Kletnieks of Virginia Tech. Perform envelope splitting for aliases listed directly in the alias file, not just for include/.forward files. Problem noted by John Beck of Sun Microsystems. Allow selection of queue group for mailq using -qGgroup. Based on patch by John Beck of Sun Microsystems. Make sure cached LDAP connections used my multiple maps in the same process are closed. Patch from Taso N. Devetzis. If running as root, allow reading of class files in protected directories. Patch from Alexander Talos of the University of Vienna. Correct a few LDAP related memory leaks. Patch from David Powell of Sun Microsystems. Allow specification of an empty realm via the authinfo ruleset. This is necessary to interoperate as an SMTP AUTH client with servers that do not support realms when using CRAM-MD5. Problem noted by Bjoern Voigt of TU Berlin. Avoid a potential information leak if AUTH PLAIN is used and the server gets stuck while processing that command. Problem noted by Chris Adams from HiWAAY Informations Services. In addition to printing errors when parsing recipients during command line invocations log them to make it simpler to understand possible DSNs to postmaster. Do not use FallbackMXhost on mailers which have the F=0 flag set. Allow local mailers (F=l) to specify a host for TCP connections instead of forcing localhost. Obey ${DESTDIR} for installation of the client mail queue and submit.cf. Patch from Peter 'Luna' Runestig. Re-enable support for -M option which was broken in 8.12.1. Problem noted by Neil Rickert of Northern Illinois University. If a remote server violates the SMTP standard by unexpectedly dropping the connection during an SMTP transaction, stop sending commands. This prevents bogus "Bad file number" recipient status. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Do not use a size estimate of 100 for postmaster bounces, it's almost always too small; do not guess the size at all. New VENDOR_DEC for Compaq/DEC. Requested by James Seagraves of Compaq Computer Corp. Fix DaemonPortOptions IPv6 address parsing such that ::1 works properly. Problem noted by Valdis Kletnieks of Virginia Tech. Portability: Fix IPv6 network interface probing on HP-UX 11.X. Based on patch provided by HP. Mac OS X (aka Darwin) has a broken setreuid() call, but a working seteuid() call. From Daniel J. Luke. Use proper type for a 32-bit integer on SINIX. From Ganu Sachin of Siemens. Set SM_IO_MIN_BUF (4K) and SM_IO_MAX_BUF (8K) for HP-UX. Reduce optimization from +O3 to +O2 on HP-UX 11. This fixes a problem that caused additional bogus characters to be written to the qf file. Problem noted by Tapani Tarvainen. Set LDA_USE_LOCKF by default for UnixWare. Problem noted by Boyd Lynn Gerber. Add support for HP MPE/iX. See sendmail/README for port information. From Mark Bixby of Hewlett-Packard. New portability defines HASNICE, HASRRESVPORT, USE_ENVIRON, USE_DOUBLE_FORK, and NEEDLINK. See sendmail/README for more information. From Mark Bixby of Hewlett-Packard. If an OS doesn't have a method of finding free disk space (SFS_NONE), lie and say there is plenty of space. From Mark Bixby of Hewlett-Packard. Add support for AIX 5.1. From Valdis Kletnieks of Virginia Tech. Fix man page location for NeXTSTEP. From Hisanori Gogota of the NTT/InterCommunication Center. Do not assume that strerror() always returns a string. Problem noted by John Beck of Sun Microsystems. CONFIG: Add OSTYPE(freebsd5) for FreeBSD 5.X, which has removed UUCP from the base operating system. From Mark Murray of FreeBSD Services, Ltd. CONFIG: Add OSTYPE(mpeix) and a generic .mc file for HP MPE/iX systems. From Mark Bixby of Hewlett-Packard. CONFIG: Add support for selecting a queue group for all mailers. Based on proposal by Stephen L. Ulmer of the University of Florida. CONFIG: Fix error reporting for compat_check.m4. Problem noted by Altin Waldmann. CONFIG: Do not override user selections for confRUN_AS_USER and confTRUSTED_USER in FEATURE(msp). From Mark Bixby of Hewlett-Packard. LIBMILTER: Fix bug that prevented the removal of a socket after libmilter terminated. Problem reported by Andrey V. Pevnev of MSFU. LIBMILTER: Fix configuration error that required libsm for linking. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. LIBMILTER: Portability fix for OpenUNIX. Patch from Larry Rosenman. LIBMILTER: Fix a theoretical memory leak and a possible attempt to free memory twice. LIBSM: Fix a potential segmentation violation in the I/O library. Problem found and analyzed by John Beck and Tim Haley of Sun Microsystems. LIBSM: Do not clear the LDAP configuration information when terminating the mailbox database connection in the LDAP example code. Problem noted by Nikos Voutsinas of the University of Athens. New Files: cf/cf/generic-mpeix.cf cf/cf/generic-mpeix.mc cf/ostype/freebsd5.m4 cf/ostype/mpeix.m4 devtools/OS/AIX.5.1 devtools/OS/MPE-iX include/sm/os/sm_os_mpeix.h libsm/mpeix.c

8.12.1/8.12.1 2001/10/01 SECURITY: Check whether dropping group privileges actually succeeded to avoid possible compromises of the mail system by supplying bogus data. Add configuration options for different set*gid() calls to reset saved gid. Problem found by Michal Zalewski. PRIVACY: Prevent information leakage when sendmail has extra privileges by disabling debugging (command line -d flag) during queue runs and disabling ETRN when sendmail -bs is used. Suggested by Michal Zalewski. Avoid memory corruption problems resulting from bogus .cf files. Problem found by Michal Zalewski. Set the ${server_addr} macro to name of mailer when doing LMTP delivery. LMTP systems may offer SMTP Authentication or STARTTLS causing sendmail to use this macro in rulesets. If debugging is turned on (-d0.10) print not just the default values for configuration file and pid file but also the selected values. Problem noted by Brad Chapman. Continue dealing with broken nameservers by ignoring SERVFAIL errors returned on T_AAAA (IPv6) lookups at delivery time if ResolverOptions=WorkAroundBrokenAAAA is set. Previously this only applied to hostname canonification. Problem noted by Bill Fenner of AT&T Research. Ignore comments in NIS host records when trying to find the canonical name for a host. When sendmail has extra privileges, limit mail submission command line flags (i.e., -G, -h, -F, etc.) to mail submission operating modes (i.e., -bm, -bs, -bv, etc.). Idea based on suggestion from Michal Zalewski. Portability: AIX: Use `oslevel` if available to determine OS version. `uname` does not given complete information. Problem noted by Keith Neufeld of the Cessna Aircraft Company. OpenUNIX: Use lockf() for LDA delivery (affects mail.local). Problem noticed by Boyd Lynn Gerber of ZENEX. Avoid compiler warnings by not using pointers to pass integers. Problem noted by Todd C. Miller of Courtesan Consulting. CONFIG: Add restrictqrun to PrivacyOptions for the MSP to minimize problems with potential misconfigurations. CONFIG: Fix comment showing default value of MaxHopCount. Problem noted by Greg Robinson of the Defence Science and Technology Organisation of Australia. CONFIG: dnsbl: If an argument specifies an error message in case of temporary lookup failures for DNS based blacklists then use it. LIBMILTER: Install mfdef.h, required by mfapi.h. Problem noted by Richard A. Nelson of Debian. LIBMILTER: Add __P definition for OS that lack it. Problem noted by Chris Adams from HiWAAY Informations Services. LIBSMDB: Fix a lock race condition that affects makemap, praliases, and vacation. MAKEMAP: Avoid going beyond the end of an input line if it does not contain a value for a key. Based on patch from Mark Bixby from Hewlett-Packard. New Files: test/Build test/Makefile test/Makefile.m4 test/README test/t_dropgid.c test/t_setgid.c Deleted Files: include/sm/stdio.h include/sm/sysstat.h

8.12.0/8.12.0 2001/09/08 *NOTICE*: The default installation of sendmail does not use set-user-ID root anymore. You need to create a new user and a new group before installing sendmail (both called smmsp by default). The installation process tries to install /etc/mail/submit.cf and creates /var/spool/clientmqueue by default. Please see sendmail/SECURITY for details. SECURITY: Check for group and world writable forward and :include: files. These checks can be turned off if absolutely necessary using the DontBlameSendmail option and the new flags: GroupWritableForwardFile WorldWritableForwardFile GroupWritableIncludeFile WorldWritableIncludeFile Problem noted by Slawek Zak of Politechnika Warszawska, SECURITY: Drop privileges when using address test mode. Suggested by Michal Zalewski of the "Internet for Schools" project (IdS). Fixed problem of a global variable being used for a timeout jump point where the variable could become overused for more than one timeout concurrently. This erroneous behavior resulted in a corrupted stack causing a core dump. The timeout is now handled via libsm. Problem noted by Michael Shapiro, John Beck, and Carl Smith of Sun Microsystems. If sendmail is set-group-ID then that group ID is used for permission checks (group ID of RunAsUser). This allows use of a set-group-ID sendmail binary for initial message submission and no set-user-ID root sendmail is needed. For details see sendmail/SECURITY. Log a warning if a non-trusted user changes the syslog label. Based on notice from Bryan Costales of SL3D, Inc. If sendmail is called for initial delivery, try to use submit.cf with a fallback of sendmail.cf as configuration file. See sendmail/SECURITY. New configuration file option UseMSP to allow group writable queue files if the group is the same as that of a set-group-ID sendmail binary. See sendmail/SECURITY. The .cf file is chosen based on the operation mode. For -bm (default), -bs, and -t it is submit.cf if it exists for all others it is sendmail.cf (to be backward compatible). This selection can be changed by the new option -Ac or -Am (alternative .cf file: client or mta). See sendmail/SECURITY. The SMTP server no longer forks on each MAIL command. The ONEX command has been removed. Implement SMTP PIPELINING per RFC 2920. It can be turned off at compile time or per host (ruleset). New option MailboxDatabase specifies the type of mailbox database used to look up local mail recipients; the default value is "pw", which means to use getpwnam(). New mailbox database types can be added by adding custom code to libsm/mbdb.c. Queue file names are now 15 characters long, rather than 14 characters long, to accomodate envelope splitting. File systems with a 14 character file name length limit are no longer supported. Recipient list used for delivery now gets internally ordered by hostsignature (character string version of MX RR). This orders recipients for the same MX RR's together meaning smaller portions of the list need to be scanned (instead of the whole list) each delivery() pass to determine piggybacking. The significance of the change is better the larger the recipient list. Hostsignature is now created during recipient list creation rather than just before delivery. Enhancements for more opportunistic piggybacking. Previous piggybacking (called coincidental) extended to coattail piggybacking. Rather than complete MX RR matching (coincidental) piggybacking is done if just the lowest value preference matches (coattail). If sendmail receives a temporary error on a RCPT TO: command, it will try other MX hosts if available. DefaultAuthInfo can contain a list of mechanisms to be used for outgoing (client-side) SMTP Authentication. New modifier 'A' for DaemonPortOptions/ClientPortOptions to disable AUTH (overrides 'a' modifier in DaemonPortOptions). Based on patch from Lyndon Nerenberg of Messaging Direct. Enable AUTH mechanism EXTERNAL if STARTTLS is used. A new ruleset authinfo can be used to return client side authentication information for AUTH instead of DefaultAuthInfo. Therefore the DefaultAuthInfo option is deprecated and will be removed in future versions. Accept any SMTP continuation code 3xy for AUTH even though RFC 2554 requires 334. Mercury 1.48 is a known offender. Add new option AuthMaxBits to limit the overall encryption strength for the security layer in SMTP AUTH (SASL). See doc/op/op.me for details. Introduce new STARTTLS related macros {cn_issuer}, {cn_subject}, {cert_md5} which hold the CN (common name) of the CA that signed the presented certificate, the CN and the MD5 hash of the presented certificate, respectively. New ruleset try_tls to decide whether to try (as client) STARTTLS. New ruleset srv_features to enable/disable certain features in the server per connection. See doc/op/op.me for details. New ruleset tls_rcpt to decide whether to send e-mail to a particular recipient; useful to decide whether a conection is secure enough on a per recipient basis. New option TLSSrvOptions to modify some aspects of the server for STARTTLS. If no certificate has been requested, the macro {verify} has the value "NOT". New M=S modifier for ClientPortOptions/DaemonPortOptions to turn off using/offering STARTTLS when delivering/receiving e-mail. Macro expand filenames/directories for certs and keys in the .cf file. Proposed by Neil Rickert of Northern Illinois University. Generate an ephemeral RSA key for a STARTTLS connection only if really required. This change results in a noticable performance gains on most machines. Moreover, if shared memory is in use, reuse the key several times. Add queue groups which can be used to group queue directories with the same behavior together. See doc/op/op.me for details. If the new option FastSplit (defaults to one) has a value greater than zero, it suppresses the MX lookups on addresses when they are initially sorted which may result in faster envelope splitting. If the mail is submitted directly from the command line, then the value also limits the number of processes to deliver the envelopes; if more envelopes are created they are only queued up and must be taken care of by a queue run. The check for 'enough disk space' now pays attention to which file system each queue directory resides in. All queue runners can be cleanly terminated via SIGTERM to parent. New option QueueFileMode for the default permissions of queue files. Add parallel queue runner code. Allows multiple queue runners per work group (one or more queues in a multi-queue environment collected together) to process the same work list at the same time. Option MaxQueueChildren added to limit the number of concurrently active queue runner processes. New option MaxRunnersPerQueue to specify the maximum number of queue runners per queue group. Queue member selection by substring pattern matching now allows the pattern to be negated. For -qI, -qR and -qS it is permissible for -q!I, -q!R and -q!S to mean remove members of the queue that match during processing. New -qp[time] option is similar to -qtime, except that instead of periodically forking a child to process the queue, a single child is forked for each queue that sleeps between queue runs. A SIGHUP signal can be sent to restart this persistent queue runner. The SIGHUP signal now restarts a timed queue run process (i.e., a sendmail process which only runs the queue at an interval: sendmail -q15m). New option NiceQueueRun to set the priority of queue runners. Proposed by Thom O'Connor. sendmail will run the queue(s) in the background when invoked with -q unless the new -qf option or -v is used. QueueSortOrder=Random sorts the queue randomly, which is useful if several queue runners are started by hand to avoid contention. QueueSortOrder=Modification sorts the queue by the modification time of the qf file (older entries first). Support Deliver By SMTP Service Extension (RFC 2852) which allows a client to specify an amount of time within which an e-mail should be delivered. New option DeliverByMin added to set the minimum amount of time or disable the extension. Non-printable characters (ASCII: 0-31, 127) in mailbox addresses are not allowed unless escaped or quoted. Add support for a generic DNS map. Based on a patch contributed by Leif Johansson of Stockholm University, which was based on work by Assar Westerlund of Swedish Institute of Computer Science, Kista, and Johan Danielsson of Royal Institute of Technology, Stockholm, Sweden. MX records will be looked up for FallBackMXhost. To use the old behavior (no MX lookups), put the name in square brackets. Proposed by Thom O'Connor. Use shared memory to store free space of filesystems that are used for queues, if shared memory is available and if a key is set via SharedMemoryKey. This minimizes the number of system calls to check the available space. See doc/op/op.me for details. If shared memory is compiled in the option -bP can be used to print the number of entries in the queue(s). Enable generic mail filter API (milter). See libmilter/README and the usual documentation for details. Remove AutoRebuildAliases option, deprecated since 8.10. Remove '-U' (initial user submission) command line option as announced in 8.10. Remove support for non-standard SMTP command XUSR. Use an MSA instead. New macro {addr_type} which contains whether the current address is an envelope sender or recipient address. Suggested by Neil Rickert of Northern Illinois University. Two new options for host maps: -d (retransmission timeout), -r (number of retries). New option for LDAP maps: the -V<sep> allows you to specify a separator such that a lookup can return both an attribute and value separated by the given separator. Add new operators '%', '|', '&' (modulo, binary or, binary and) to map class arith. If DoubleBounceAddress expands to an empty string, ``double bounces'' (errors that occur when sending an error message) are dropped. New DontBlameSendmail options GroupReadableSASLDBFile and GroupWritableSASLDBFile to relax requirements for sasldb files. New DontBlameSendmail options GroupReadableKeyFile to relax requirements for files containing secret keys. This is necessary for the MSP if client authentification is used. Properly handle quoted filenames for class files (to allow for filenames with spaces). Honor the resolver option RES_NOALIASES when canonifying hostnames. Add macros to avoid the reuse of {if_addr} etc: {if_name_out} hostname of interface of outgoing connection. {if_addr_out} address of interface of outgoing connection. {if_family_out} family of interface of outgoing connection. The latter two are only set if the interface does not belong to the loopback net. Add macro {nrcpts} which holds the number of (validated) recipients. DialDelay option applies only to mailers with flag 'Z'. Patch from Juergen Georgi of RUS University of Stuttgart. New Timeout.lhlo,auth,starttls options to limit the time waiting for an answer to the LMTP LHLO, SMTP AUTH or STARTTLS command. New Timeout.aconnect option to limit the overall waiting time for all connections for a single delivery attempt to succeed. Limit the rate recipients in the SMTP envelope are accepted once a threshold number of recipients has been rejected (option BadRcptThrottle). From Gregory A Lundberg of the WU-FTPD Development Group. New option DelayLA to delay connections if the load averages exceeds the specified value. The default of 0 does not change the previous behavior. A value greater than 0 will cause sendmail to sleep for one second on most SMTP commands and before accepting connections if that load average is exceeded. Use a dynamic (instead of fixed-size) buffer for the list of recipients that are sent during a connection to a mailer. This also introduces a new mailer field 'r' which defines the maximum number of recipients (defaults to 100). Based on patch by Motonori Nakamura of Kyoto University. Add new F=1 mailer flag to disable sending of null characters (' '). Add new F=2 mailer flag to disable use of ESMTP, using SMTP instead. The deprecated [TCP] builtin mailer pathname (P=) is gone. Use [IPC] instead. IPC is no longer available as first mailer argument (A=) for [IPC] builtin mailer pathnames. Use TCP instead. PH map code updated to use the new libphclient API instead of the old libqiapi library. Contributed by Mark Roth of the University of Illinois at Urbana-Champaign. New option DirectSubmissionModifiers to define {daemon_flags} for direct (command line) submissions. New M=O modifier for DaemonPortOptions to ignore the socket in case of failures. Based on patch by Jun-ichiro itojun Hagino of the KAME Project. Add Disposition-Notification-To: (RFC 2298) to the list of headers whose content is rewritten similar to Reply-To:. Proposed by Andrzej Filip. Use STARTTLS/AUTH=server/client for logging incoming/outgoing STARTTLS/AUTH connections; log incoming connections at level 9 or higher. Use AUTH/STARTTLS instead of SASL/TLS for SMTP AUTH/STARTTLS related logfile entries. Convert unprintable characters (and backslash) into octal or C format before logging. Log recipients if no message is transferred but QUIT/RSET is given (at LogLevel 9/10 or higher). Log discarded recipients at LogLevel 10 or higher. Do not log "did not issue MAIL/EXPN/VRFY/ETRN" for connections in which most commands are rejected due to check_relay or TCP Wrappers if the host tries one of those commands anyway. Change logging format for cloned envelopes to be similar to that for DSNs ("old id: new id: clone"). Suggested by Ulrich Windl of the Universitat Regensburg. Added libsm, a C library of general purpose abstractions including assertions, tracing and debugging with named debug categories, exception handling, malloc debugging, resource pools, portability abstractions, and an extensible buffered I/O package. It will at some point replace libsmutil. See libsm/index.html for details. Fixed most memory leaks in sendmail which were previously taken care of by fork() and exit(). Use new sm_io*() functions in place of stdio calls. Allows for more consistent portablity amongst different platforms new and old (from new libsm). Common I/O pkg means just one buffering method needed instead of two ('bf_portable' and 'bf_torek' now just 'bf'). Sfio no longer needed as SASL/TLS code uses sm_io*() API's. New possible value 'interactive' for SuperSafe which can be used together with DeliveryMode=interactive is to avoid some disk synchronizations calls. Add per-recipient status information to mailq -v output. T_ANY queries are no longer used by sendmail. When compiling with "gcc -O -Wall" specify "-DSM_OMIT_BOGUS_WARNINGS" too (see include/sm/cdefs.h for more info). sendmail -d now has general support for named debug categories. See libsm/debug.html and section 3.4 of doc/op/op.me for details. Eliminate the "postmaster warning" DSNs on address parsing errors such as unbalanced angle brackets or parentheses. The DSNs generated by this condition were illegal (not RFC conform). Problem noted by Ulrich Windl of the Universitaet Regensburg. Do not issue a DSN if the ruleset localaddr resolves to the $#error mailer and the recipient has hence been rejected during the SMTP dialogue. Problem reported by Larry Greenfield of CMU. Deal with a case of multiple deliveries on misconfigured systems that do not have postmaster defined. If an email was sent from an address to which a DSN cannot be returned and in which at least one recipient address is non-deliverable, then that email had been delivered in each queue run. Problem reported by Matteo HCE Valsasna of Universita degli Studi dell'Insubria. The compilation options SMTP, DAEMON, and QUEUE have been removed, i.e., the corresponding code is always compiled in now. Log the command line in daemon/queue-run mode at LogLevel 10 and higher. Suggested by Robert Harker of Harker Systems. New ResolverOptions setting: WorkAroundBrokenAAAA. When attempting to canonify a hostname, some broken nameservers will return SERVFAIL (a temporary failure) on T_AAAA (IPv6) lookups. If you want to excuse this behavior, use this new flag. Suggested by Chris Foote of SE Network Access and Mark Roth of the University of Illinois at Urbana-Champaign. Free the memory allocated by getipnodeby{addr,name}(). Problem noted by Joy Latten of IBM. ConnectionRateThrottle limits the number of connections per second to each daemon individually, not the overall number of connections. Specifying only "ldap:" as an AliasFile specification will force sendmail to use a default alias schema as outlined in the ``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section of cf/README. Add a new syntax for the 'F' (file class) sendmail.cf command. If the first character after the class name is not a '/' or a '|' and it contains an '@' (e.g., F{X}key@class:spec), the rest of the line will be parsed as a map lookup. This allows classes to be filled via a map lookup. See op.me for more syntax information. Specifically, this can be used for commands such as VIRTUSER_DOMAIN_FILE() to read the list of domains via LDAP (see the ``USING LDAP FOR ALIASES, MAPS, and CLASSES'' section of cf/README for an example). The new macro ${sendmailMTACluster} determines the LDAP cluster for the default schema used in the above two items. Unless DontBlameSendmail=RunProgramInUnsafeDirPath is set, log a warning if a program being run from a mailer or file class (e.g., F|/path/to/prog) is in an unsafe directory path. Unless DontBlameSendmail=RunWritableProgram is set, log a warning if a program being run from a mailer or file class (e.g., F|/path/to/prog) is group or world writable. Loopback interfaces (e.g., "lo0") are now probed for class {w} hostnames. Setting DontProbeInterfaces to "loopback" (without quotes) will disable this and return to the pre-8.12 behavior of only probing non-loopback interfaces. Suggested by Bryan Stansell of GNAC. In accordance with RFC 2821 section 4.1.4, accept multiple HELO/EHLO commands. Multiple ClientPortOptions settings are now allowed, one for each possible protocol family which may be used for outgoing connections. Restrictions placed on one family only affect outgoing connections on that particular family. Because of this change, the ${client_flags} macro is not set until the connection is established. Based on patch from Motonori Nakamura of Kyoto University. PrivacyOptions=restrictexpand instructs sendmail to drop privileges when the -bv option is given by users who are neither root nor the TrustedUser so users can not read private aliases, forwards, or :include: files. It also will override the -v (verbose) command line option. If the M=b modifier is set in DaemonPortOptions and the interface address can't be used for the outgoing connection, fall back to the settings in ClientPortOptions (if set). Problem noted by John Beck of Sun Microsystems. New named config file rule check_data for DATA command (input: number of recipients). Based on patch from Mark Roth of the University of Illinois at Urbana-Champaign. Add support for ETRN queue selection per RFC 1985. The queue group can be specified using the '#' option character. For example, 'ETRN #queuegroup'. If an LDAP server times out or becomes unavailable, close the current connection and reopen to get to one of the fallback servers. Patch from Paul Hilchey of the University of British Columbia. Make default error number on $#error messages 550 instead of 501 because 501 is not allowed on all commands. The .cf file option UnsafeGroupWrites is deprecated, it should be replaced with the settings GroupWritableForwardFileSafe and GroupWritableIncludeFileSafe in DontBlameSendmail if required. The deprecated ldapx map class has been removed. Use the ldap map class instead. Any IPv6 addresses used in configuration should be prefixed by the "IPv6:" tag to identify the address properly. For example, if you want to add the IPv6 address [2002:c0a8:51d2::23f4] to class {w}, you would need to add [IPv6:2002:c0a8:51d2::23f4]. Change the $&{opMode} macro if the operation mode changes while the MTA is running. For example, during a queue run. Add "use_inet6" as a new ResolverOptions flag to control the RES_USE_INET6 resolver option. Based on patch from Rick Nelson of IBM. The maximum number of commands before the MTA slows down when too many "light weight" commands have been received are now configurable during compile time. The current values and their defaults are: MAXBADCOMMANDS 25 unknown commands MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR MAXHELOCOMMANDS 3 HELO, EHLO MAXVRFYCOMMANDS 6 VRFY, EXPN MAXETRNCOMMANDS 8 ETRN Setting a value to 0 disables the check. Patch from Bryan Costales of SL3D, Inc. The header syntax H?${MyMacro}?X-My-Header: now not only checks if ${MyMacro} is defined but also that it is not empty. Properly quote usernames with special characters if they are used in headers. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Be sure to include the proper Final-Recipient: DSN header in bounce messages for messages for mailing list expanded addresses which are not delivered on the initial attempt. Do not treat errors as sticky when doing delivery via LMTP after the final dot has been sent to avoid affecting future deliveries. Problem reported by Larry Greenfield of CMU. New compile time flag REQUIRES_DIR_FSYNC which turns on support for file systems that require to call fsync() for a directory if the meta-data in it has been changed. This should be set at least for ReiserFS; it is enabled by default for Linux. See sendmail/README for further information. Avoid file locking deadlock when updating the statistics file if sendmail is signaled to terminate. Problem noted by Christophe Wolfhugel of France Telecom. Set the $c macro (hop count) as it is being set instead of when the envelope is initialized. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Properly count recipients for DeliveryMode defer and queue. Fix from Peter A. Friend of EarthLink. Treat invalid hesiod lookups as permanent errors instead of temporary errors. Problem noted by Russell McOrmond of flora.ca. Portability: Remove support for AIX 2, which supports only 14 character filenames and is outdated anyway. Suggested by Valdis Kletnieks of Virginia Tech. Change several settings for Irix 6: remove confSBINDIR, i.e., use default /usr/sbin, change owner/group of man pages and user-executable to root/sys, set optimization limit to 0 (unlimited). Based on patch from Ayamura Kikuchi, M.D, and proposal from Kari Hurtta of the Finnish Meteorological Institute. Do not assume LDAP support is installed by default under Solaris 8 and later. Add support for OpenUNIX. CONFIG: Increment version number of config file to 10. CONFIG: Add an install target and a README file in cf/cf. CONFIG: Don't accept addresses of the form a@b@, a@b@c, a@[b]c, etc. CONFIG: Reject empty recipient addresses (in check_rcpt). CONFIG: The access map uses an option of -T<TMPF> to deal with temporary lookup failures. CONFIG: New value for access map: SKIP, which causes the default action to be taken by aborting the search for domain names or IP nets. CONFIG: check_rcpt can deal with TEMPFAIL for either recipient or relay address as long as the other part allows the email to get through. CONFIG: Entries for virtusertable can make use of a third parameter "%3" which contains "+detail" of a wildcard match, i.e., an entry like user+*@domain. This allows handling of details by using %1%3 as the RHS. Additionally, a "+" wildcard has been introduced to match only non-empty details of addresses. CONFIG: Numbers for rulesets used by MAILERs have been removed and hence there is no required order within the MAILER section anymore except for MAILER(`uucp') which must come after MAILER(`smtp') if uucp-dom and uucp-uudom are used. CONFIG: Hosts listed in the generics domain class {G} (GENERICS_DOMAIN() and GENERICS_DOMAIN_FILE()) are treated as canonical. Suggested by Per Hedeland of Ericsson. CONFIG: If FEATURE(`delay_checks') is used, make sure that a lookup in the access map which returns OK or RELAY actually terminates check_* ruleset checking. CONFIG: New tag TLS_Rcpt: for access map to be used by ruleset tls_rcpt, see cf/README for details. CONFIG: Change format of Received: header line which reveals whether STARTTLS has been used to "(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})". CONFIG: Use "Spam:" as tag for lookups for FEATURE(`delay_checks') options friends/haters instead of "To:" and enable specification of whole domains instead of just users. Notice: this change is not backward compatible. Suggested by Chris Adams from HiWAAY Informations Services. CONFIG: Allow for local extensions for most new rulesets, see cf/README for details. CONFIG: New FEATURE(`lookupdotdomain') to lookup also .domain in the access map. Proposed by Randall Winchester of the University of Maryland. CONFIG: New FEATURE(`local_no_masquerade') to avoid masquerading for the local mailer. Proposed by Ingo Brueckl of Wupper Online. CONFIG: confRELAY_MSG/confREJECT_MSG can override the default messages for an unauthorized relaying attempt/for access map entries with RHS REJECT, respectively. CONFIG: FEATURE(`always_add_domain') takes an optional argument to specify another domain to be added instead of the local one. Suggested by Richard H. Gumpertz of Computer Problem Solving. CONFIG: confAUTH_OPTIONS allows setting of Cyrus-SASL specific options, see doc/op/op.me for details. CONFIG: confAUTH_MAX_BITS sets the maximum encryption strength for the security layer in SMTP AUTH (SASL). CONFIG: If Local_localaddr resolves to $#ok, localaddr is terminated immediately. CONFIG: FEATURE(`enhdnsbl') is an enhanced version of dnsbl which allows checking of the return values of the DNS lookups. See cf/README for details. CONFIG: FEATURE(`dnsbl') allows now to specify the behavior for temporary lookup failures. CONFIG: New option confDELIVER_BY_MIN to specify minimum time for Deliver By (RFC 2852) or to turn off the extension. CONFIG: New option confSHARED_MEMORY_KEY to set the key for shared memory use. CONFIG: New FEATURE(`compat_check') to look up a key consisting of the sender and the recipient address delimited by the string "<@>", e.g., sender@sdomain<@>recipient@rdomain, in the access map. Based on code contributed by Mathias Koerber of Singapore Telecommunications Ltd. CONFIG: Add EXPOSED_USER_FILE() command to allow an exposed user file. Suggested by John Beck of Sun Microsystems. CONFIG: Don't use MAILER-DAEMON for error messages delivered via LMTP. Problem reported by Larry Greenfield of CMU. CONFIG: New FEATURE(`preserve_luser_host') to preserve the name of the recipient host if LUSER_RELAY is used. CONFIG: New FEATURE(`preserve_local_plus_detail') to preserve the +detail portion of the address when passing address to local delivery agent. Disables alias and .forward +detail stripping. Only use if LDA supports this. CONFIG: Removed deprecated FEATURE(`rbl'). CONFIG: Add LDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE() which allow you to specify 'equivalent' hosts for LDAP Routing lookups. Equivalent hostnames are replaced by the masquerade domain name for lookups. See cf/README for additional details. CONFIG: Add a fourth argument to FEATURE(`ldap_routing') which instructs the rulesets on what to do if the address being looked up has +detail information. See cf/README for more information. CONFIG: When chosing a new destination via LDAP Routing, also look up the new routing address/host in the mailertable. Based on patch from Don Badrak of the United States Census Bureau. CONFIG: Do not reject the SMTP Mail from: command if LDAP Routing is in use and the bounce option is enabled. Only reject recipients as user unknown. CONFIG: Provide LDAP support for the remaining database map features. See the ``USING LDAP FOR ALIASES AND MAPS'' section of cf/README for more information. CONFIG: Add confLDAP_CLUSTER which defines the ${sendmailMTACluster} macro used for LDAP searches as described above in ``USING LDAP FOR ALIASES, MAPS, AND CLASSES''. CONFIG: confCLIENT_OPTIONS has been replaced by CLIENT_OPTIONS(), which takes the options as argument and can be used multiple times; see cf/README for details. CONFIG: Add configuration macros for new options: confBAD_RCPT_THROTTLE BadRcptThrottle confDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers confMAILBOX_DATABASE MailboxDatabase confMAX_QUEUE_CHILDREN MaxQueueChildren confMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue confNICE_QUEUE_RUN NiceQueueRun confQUEUE_FILE_MODE QueueFileMode confFAST_SPLIT FastSplit confTLS_SRV_OPTIONS TLSSrvOptions See above (and related documentation) for further information. CONFIG: Add configuration variables for new timeout options: confTO_ACONNECT Timeout.aconnect confTO_AUTH Timeout.auth confTO_LHLO Timeout.lhlo confTO_STARTTLS Timeout.starttls CONFIG: Add configuration macros for mail filter API: confINPUT_MAIL_FILTERS InputMailFilters confMILTER_LOG_LEVEL Milter.LogLevel confMILTER_MACROS_CONNECT Milter.macros.connect confMILTER_MACROS_HELO Milter.macros.helo confMILTER_MACROS_ENVFROM Milter.macros.envfrom confMILTER_MACROS_ENVRCPT Milter.macros.envrcpt Mail filters can be defined via INPUT_MAIL_FILTER() and MAIL_FILTER(). See libmilter/README, cf/README, and doc/op/op.me for details. CONFIG: Add support for accepting temporarily unresolvable domains. See cf/README for details. Based on patch by Motonori Nakamura of Kyoto University. CONFIG: confDEQUOTE_OPTS can be used to specify options for the dequote map. CONFIG: New macro QUEUE_GROUP() to define queue groups. CONFIG: New FEATURE(`queuegroup') to select a queue group based on the full e-mail address or the domain of the recipient. CONFIG: Any IPv6 addresses used in configuration should be prefixed by the "IPv6:" tag to identify the address properly. For example, if you want to use the IPv6 address 2002:c0a8:51d2::23f4 in the access database, you would need to use IPv6:2002:c0a8:51d2::23f4 on the left hand side. This affects the access database as well as the relay-domains and local-host-names files. CONFIG: OSTYPE(aux) has been renamed to OSTYPE(a-ux). CONFIG: Avoid expansion of m4 keywords in SMART_HOST. CONFIG: Add MASQUERADE_EXCEPTION_FILE() for reading masquerading exceptions from a file. Suggested by Trey Breckenridge of Mississippi State University. CONFIG: Add LOCAL_USER_FILE() for reading local users (LOCAL_USER() -- $={L}) entries from a file. CONTRIB: dnsblaccess.m4 is a further enhanced version of enhdnsbl.m4 which allows to lookup error codes in the access map. Contributed by Neil Rickert of Northern Illinois University. DEVTOOLS: Add new options for installation of include and library files: confINCGRP, confINCMODE, confINCOWN, confLIBGRP, confLIBMODE, confLIBOWN. DEVTOOLS: Add new option confDONT_INSTALL_CATMAN to turn off installation of the the formatted man pages on operating systems which don't include cat directories. EDITMAP: New program for editing maps as supplement to makemap. MAIL.LOCAL: Mail.local now uses the libsm mbdb package to look up local mail recipients. New option -D mbdb specifies the mailbox database type. MAIL.LOCAL: New option "-h filename" which instructs mail.local to deliver the mail to the named file in the user's home directory instead of the system mail spool area. Based on patch from Doug Hardie of the Los Angeles Free-Net. MAILSTATS: New command line option -P which acts the same as -p but doesn't truncate the statistics file. MAKEMAP: Add new option -t to specify a different delimiter instead of white space. RMAIL: Invoke sendmail with '-G' to indicate this is a gateway submission. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. SMRSH: Use the vendor supplied directory on FreeBSD 3.3 and later. VACATION: Change Auto-Submitted: header value from auto-generated to auto-replied. From Kenneth Murchison of Oceana Matrix Ltd. VACATION: New option -d to send error/debug messages to stdout instead of syslog. VACATION: New option -U which prevents the attempt to lookup login in the password file. The -f and -m options must be used to specify the database and message file since there is no home directory for the default settings for these options. VACATION: Vacation now uses the libsm mbdb package to look up local mail recipients; it reads the MailboxDatabase option from the sendmail.cf file. New option -C cffile which specifies the path of the sendmail.cf file. New Directories: libmilter/docs New Files: cf/cf/README cf/cf/submit.cf cf/cf/submit.mc cf/feature/authinfo.m4 cf/feature/compat_check.m4 cf/feature/enhdnsbl.m4 cf/feature/msp.m4 cf/feature/local_no_masquerade.m4 cf/feature/lookupdotdomain.m4 cf/feature/preserve_luser_host.m4 cf/feature/preserve_local_plus_detail.m4 cf/feature/queuegroup.m4 cf/sendmail.schema contrib/dnsblaccess.m4 devtools/M4/UNIX/sm-test.m4 devtools/OS/OpenUNIX.5.i386 editmap/* include/sm/* libsm/* libsmutil/cf.c libsmutil/err.c sendmail/SECURITY sendmail/TUNING sendmail/bf.c sendmail/bf.h sendmail/sasl.c sendmail/sm_resolve.c sendmail/sm_resolve.h sendmail/tls.c Deleted Files: cf/feature/rbl.m4 cf/ostype/aix2.m4 devtools/OS/AIX.2 include/sendmail/cdefs.h include/sendmail/errstring.h include/sendmail/useful.h libsmutil/errstring.c sendmail/bf_portable.c sendmail/bf_portable.h sendmail/bf_torek.c sendmail/bf_torek.h sendmail/clock.c Renamed Files: cf/cf/generic-solaris2.mc => cf/cf/generic-solaris.mc cf/cf/generic-solaris2.cf => cf/cf/generic-solaris.cf cf/ostype/aux.m4 => cf/ostype/a-ux.m4

8.11.7/8.11.7 2003/03/29 SECURITY: Fix a remote buffer overflow in header parsing by dropping sender and recipient header comments if the comments are too long. Problem noted by Mark Dowd of ISS X-Force. SECURITY: Fix a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable. Problem found by Michal Zalewski. Note: an MTA that is not patched might be vulnerable to data that it receives from untrusted sources, which includes DNS. To provide partial protection to internal, unpatched sendmail MTAs, 8.11.7 changes by default (char)0xff to (char)0x7f in headers etc. To turn off this conversion compile with -DALLOW_255 or use the command line option -d82.101. To provide partial protection for internal, unpatched MTAs that may be performing 7->8 or 8->7 bit MIME conversions, the default for MaxMimeHeaderLength has been changed to 2048/1024. Note: this does have a performance impact, and it only protects against frontal attacks from the outside. To disable the checks and return to pre-8.11.7 defaults, set MaxMimeHeaderLength to 0/0. Properly clean up macros to avoid persistence of session data across various connections. This could cause session oriented restrictions, e.g., STARTTLS requirements, to erroneously allow a connection. Problem noted by Tim Maletic of Priority Health. Ignore comments in NIS host records when trying to find the canonical name for a host. Fix a memory leak when closing Hesiod maps. Set ${msg_size} macro when reading a message from the command line or the queue. Prevent a segmentation fault when clearing the event list by turning off alarms before checking if event list is empty. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Fix a potential core dump problem if the environment variable NAME is set. Problem noted by Beth A. Chaney of Purdue University. Prevent a race condition on child cleanup for delivery to files. Problem noted by Fletcher Mattox of the University of Texas. CONFIG: Do not bounce mail if FEATURE(`ldap_routing')'s bounce parameter is set and the LDAP lookup returns a temporary error. CONFIG: Fix a syntax error in the try_tls ruleset if FEATURE(`access_db') is not enabled. LIBSMDB: Fix a lock race condition that affects makemap, praliases, and vacation. LIBSMDB: Avoid a file creation race condition for Berkeley DB 1.X and NDBM on systems with the O_EXLOCK open(2) flag. MAKEMAP: Avoid going beyond the end of an input line if it does not contain a value for a key. Based on patch from Mark Bixby from Hewlett-Packard. MAIL.LOCAL: Fix a truncation race condition if the close() on the mailbox fails. Problem noted by Tomoko Fukuzawa of Sun Microsystems. SMRSH: SECURITY: Only allow regular files or symbolic links to be used for a command. Problem noted by David Endler of iDEFENSE, Inc.

8.11.6/8.11.6 2001/08/20 SECURITY: Fix a possible memory access violation when specifying out-of-bounds debug parameters. Problem detected by Cade Cairns of SecurityFocus. Avoid leaking recipient information in unrelated DSNs. This could happen if a connection is aborted, several mails had been scheduled for delivery via that connection, and the timeout is reached such that several DSNs are sent next. Problem noted by Dileepan Moorkanat of Hewlett-Packard. Fix a possible segmentation violation when specifying too many wildcard operators in a rule. Problem detected by Werner Wiethege. Avoid a segmentation fault on non-matching Hesiod lookups. Problem noted by Russell McOrmond of flora.ca

8.11.5/8.11.5 2001/07/31 Fix a possible race condition when sending a HUP signal to restart the daemon. This could terminate the current process without starting a new daemon. Problem reported by Wolfgang Breyha of SE Netway Communications. Only apply MaxHeadersLength when receiving a message via SMTP or the command line. Problem noted by Andrey J. Melnikoff. When finding the system's local hostname on an IPv6-enabled system which doesn't have any IPv6 interface addresses, fall back to looking up only IPv4 addresses. Problem noted by Tim Bosserman of EarthLink. When commands were being rejected due to check_relay or TCP Wrappers, the ETRN command was not giving a response. Incoming IPv4 connections on a Family=inet6 daemon (using IPv4-mapped addresses) were incorrectly labeled as "may be forged". Problem noted by Per Steinar Iversen of Oslo University College. Shutdown address test mode cleanly on SIGTERM. Problem noted by Greg King of the OAO Corporation. Restore the original real uid (changed in main() to prevent out of band signals) before invoking a delivery agent. Some delivery agents use this for the "From " envelope "header". Problem noted by Leslie Carroll of the University at Albany. Mark closed file descriptors properly to avoid reuse. Problem noted by Jeff Bronson of J.D. Bronson, Inc. Setting Timeout options on the command line will also override their sub-suboptions in the .cf file, e.g., -O Timeout.queuereturn=2d will set all queuereturn timeouts to 2 days. Problem noted by Roger B.A. Klorese. Portability: BSD/OS has a broken setreuid() implementation. Problem noted by Vernon Schryver of Rhyolite Software. BSD/OS has /dev/urandom(4) (as of version 4.1/199910 ?). Noted by Vernon Schryver of Rhyolite Software. BSD/OS has fchown(2). Noted by Dave Yadallee of Netline 2000 Internet Solutions Inc. Solaris 2.X and later have strerror(3). From Sebastian Hagedorn of Cologne University. CONFIG: Fix parsing for IPv6 domain literals in addresses (user@[IPv6:address]). Problem noted by Liyuan Zhou.

8.11.4/8.11.4 2001/05/28 Clean up signal handling routines to reduce the chances of heap corruption and other potential race conditions. Terminating and restarting the daemon may not be instantaneous due to this change. Also, non-root users can no longer send out-of-band signals. Problem reported by Michal Zalewski of BindView. If LogLevel is greater than 9 and SASL fails to negotiate an encryption layer, avoid core dump logging the encryption strength. Problem noted by Miroslav Zubcic of Crol. If a server offers "AUTH=" and "AUTH " and the list of mechanisms is different in those two lines, sendmail might not have recognized (and used) all of the offered mechanisms. Fix an IP address lookup problem on Solaris 2.0 - 2.3. Patch from Kenji Miyake. This time, really don't use the .. directory when expanding QueueDirectory wildcards. If a process is interrupted while closing a map, don't try to close the same map again while exiting. Allow local mailers (F=l) to contact remote hosts (e.g., via LMTP). Problem noted by Norbert Klasen of the University of Tuebingen. If Timeout.QueueReturn was set to a value less the time it took to write a new queue file (e.g., 0 seconds), the bounce message would be lost. Problem noted by Lorraine L Goff of Oklahoma State University. Pass map argument vector into map rewriting engine for the regex and prog map types. Problem noted by Stephen Gildea of InTouch Systems, Inc. When closing an LDAP map due to a temporary error, close all of the other LDAP maps which share the original map's connection to the LDAP server. Patch from Victor Duchovni of Morgan Stanley. To detect changes of NDBM aliases files check the timestamp of the .pag file instead of the .dir file. Problem noted by Neil Rickert of Northern Illinois University. Don't treat temporary hesiod lookup failures as permanent. Patch from Werner Wiethege. If ClientPortOptions is set, make sure to create the outgoing socket with the family set in that option. Patch from Sean Farley. Avoid a segmentation fault trying to dereference a NULL pointer when logging a MaxHopCount exceeded error with an empty recipient list. Problem noted by Chris Adams of HiWAAY Internet Services. Fix DSN for "Too many hops" bounces. Problem noticed by Ulrich Windl of the Universitaet Regensburg. Fix DSN for "mail loops back to me" bounces. Problem noticed by Kari Hurtta of the Finnish Meteorological Institute. Portability: OpenBSD has a broken setreuid() implementation. CONFIG: Undo change from 8.11.1: change 501 SMTP reply code back to 553 since it is allowed by DRUMS. CONFIG: Add OSTYPE(freebsd4) for FreeBSD 4.X. DEVTOOLS: install.sh did not properly handle paths in the source file name argument. Noted by Kari Hurtta of the Finnish Meteorological Institute. DEVTOOLS: Add FAST_PID_RECYCLE to compile time options for OpenBSD since it generates random process ids. PRALIASES: Add back adaptive algorithm to deal with different endings of entries in the database (with/without trailing ' '). Patch from John Beck of Sun Microsystems. New Files: cf/ostype/freebsd4.m4

8.11.3/8.11.3 2001/02/27 Prevent a segmentation fault when a bogus value was used in the LDAPDefaultSpec option's -r, -s, or -M flags and if a bogus option was used. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Prevent "token too long" message by shortening {currHeader} which could be too long if the last copied character was a quote. Problem detected by Jan Krueger of digitalanswers communications consulting gmbh. Additional IPv6 check for unspecified addresses. Patch from Jun-ichiro itojun Hagino of the KAME Project. Do not ignore the ClientPortOptions setting if DaemonPortOptions Modifier=b (bind to same interface) is set and the connection came in from the command line. Do not bind to the loopback address if DaemonPortOptions Modifier=b (bind to same interface) is set. Patch from John Beck of Sun Microsystems. Properly deal with open failures on non-optional maps used in check_* rulesets by returning a temporary failure. Buffered file I/O files were not being properly fsync'ed to disk when they were committed. Properly encode '=' for the AUTH= parameter of the MAIL command. Problem noted by Hadmut Danisch. Under certain circumstances the macro {server_name} could be set to the wrong hostname (of a previous connection), which may cause some rulesets to return wrong results. This would usually cause mail to be queued up and delivered later on. Ignore F=z (LMTP) mailer flag if $u is given in the mailer A= equate. Problem noted by Motonori Nakamura of Kyoto University. Work around broken accept() implementations which only partially fill in the peer address if the socket is closed before accept() completes. Return an SMTP "421" temporary failure if the data file can't be opened where the "354" reply would normally be given. Prevent a CPU loop in trying to expand a macro which doesn't exist in a queue run. Problem noted by Gordon Lack of Glaxo Wellcome. If delivering via a program and that program exits with EX_TEMPFAIL, note that fact for the mailq display instead of just showing "Deferred". Problem noted by Motonori Nakamura of Kyoto University. If doing canonification via /etc/hosts, try both the fully qualified hostname as well as the first portion of the hostname. Problem noted by David Bremner of the University of New Brunswick. Portability: Fix a compilation problem for mail.local and rmail if SFIO is in use. Problem noted by Auteria Wally Winzer Jr. of Champion Nutrition. IPv6 changes for platforms using KAME. Patch from Jun-ichiro itojun Hagino of the KAME Project. OpenBSD 2.7 and higher has srandomdev(3). OpenBSD 2.8 and higher has BSDI-style login classes. Patch from Todd C. Miller of Courtesan Consulting. Unixware 7.1.1 doesn't allow h_errno to be set directly if sendmail is being compiled with -kthread. Problem noted by Orion Poplawski of CQG, Inc. CONTRIB: buildvirtuser: Substitute current domain for $DOMAIN and current left hand side for $LHS in virtuser files. DEVTOOLS: Do not pass make targets to recursive Build invocations. Problem noted by Jeff Bronson of J.D. Bronson, Inc. MAIL.LOCAL: In LMTP mode, do not return errors regarding problems storing the temporary message file until after the remote side has sent the final DATA termination dot. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. MAIL.LOCAL: If LMTP mode is set, give a temporary error if users are also specified on the command line. Patch from Motonori Nakamura of Kyoto University. PRALIASES: Skip over AliasFile specifications which aren't based on database files (i.e., only show dbm, hash, and btree). Renamed Files: devtools/OS/OSF1.V5.0 => devtools/OS/OSF1.V5.x

8.11.2/8.11.2 2000/12/29 Prevent a segmentation fault when trying to set a class in address test mode due to a negative array index. Audit other array indexing. This bug is not believed to be exploitable. Noted by Michal Zalewski of the "Internet for Schools" project (IdS). Add an FFR (for future release) to drop privileges when using address test mode. This will be turned on in 8.12. It can be enabled by compiling with: APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_TESTMODE_DROP_PRIVS') in your devtools/Site/site.config.m4 file. Suggested by Michal Zalewski of the "Internet for Schools" project (IdS). Fix potential problem with Cyrus-SASL security layer which may have caused I/O errors, especially for mechanism DIGEST-MD5. When QueueSortOrder was set to host, sendmail might not read enough of the queue file to determine the host, making the sort sub-optimal. Problem noted by Jeff Earickson of Colby College. Don't issue DSNs for addresses which use the NOTIFY parameter (per RFC 1891) but don't have FAILURE as value. Initialize Cyrus-SASL library before the SMTP daemon is started. This implies that every change to SASL related files requires a restart of the daemon, e.g., Sendmail.conf, new SASL mechanisms (in form of shared libraries). Properly set the STARTTLS related macros during a queue run for a cached connection. Bug reported by Michael Kellen of NxNetworks, Inc. Log the server name in relay= for ruleset tls_server instead of the client name. Include original length of bad field/header when reporting MaxMimeHeaderLength problems. Requested by Ulrich Windl of the Universitat Regensburg. Fix delivery to set-user-ID files that are expanded from aliases in DeliveryMode queue. Problem noted by Ric Anderson of the University of Arizona. Fix LDAP map -m (match only) flag. Problem noted by Jeff Giuliano of Collective Technologies. Avoid using a negative argument for sleep() calls when delaying answers to EXPN/VRFY commands on systems which respond very slowly. Problem noted by Mikolaj J. Habryn of Optus Internet Engineering. Make sure the F=u flag is set in the default prog mailer definition. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Fix IPv6 check for unspecified addresses. Patch from Jun-ichiro itojun Hagino of the KAME Project. Fix return values for IRIX nsd map. From Kari Hurtta of the Finnish Meteorological Institute. Fix parsing of DaemonPortOptions and ClientPortOptions. Read all of the parameters to find Family= setting before trying to interpret Addr= and Port=. Problem noted by Valdis Kletnieks of Virginia Tech. When delivering to a file directly from an alias, do not call initgroups(); instead use the DefaultUser group information. Problem noted by Marc Schaefer of ALPHANET NF. RunAsUser now overrides the ownership of the control socket, if created. Otherwise, sendmail can not remove it upon close. Problem noted by Werner Wiethege. Fix ConnectionRateThrottle counting as the option is the number of overall connections, not the number of connections per socket. A future version may change this to per socket counting. Portability: Clean up libsmdb so it functions properly on platforms where sizeof(u_int32_t) != sizeof(size_t). Problem noted by Rein Tollevik of Basefarm AS. Fix man page formatting for compatibility with Solaris' whatis. From Stephen Gildea of InTouch Systems, Inc. UnixWare 7 includes snprintf() support. From Larry Rosenman. IPv6 changes for platforms using KAME. Patch from Jun-ichiro itojun Hagino of the KAME Project. Avoid a typedef compile conflict with Berkeley DB 3.X and Solaris 2.5 or earlier. Problem noted by Bob Hughes of Pacific Access. Add preliminary support for AIX 5. Contributed by Valdis Kletnieks of Virginia Tech. Solaris 9 load average support from Andrew Tucker of Sun Microsystems. CONFIG: Reject addresses of the form a!b if FEATURE(`nouucp', `r') is used. Problem noted by Phil Homewood of Asia Online, patch from Neil Rickert of Northern Illinois University. CONFIG: Change the default DNS based blacklist server for FEATURE(`dnsbl') to blackholes.mail-abuse.org. CONFIG: Deal correctly with the 'C' flag in {daemon_flags}, i.e., implicitly assume canonical host names. CONFIG: Deal with "::" in IPv6 addresses for access_db. Based on patch by Motonori Nakamura of Kyoto University. CONFIG: New OSTYPE(`aix5') contributed by Valdis Kletnieks of Virginia Tech. CONFIG: Pass the illegal header form <list:;> through untouched instead of making it worse. Problem noted by Motonori Nakamura of Kyoto University. CONTRIB: Added buildvirtuser (see `perldoc contrib/buildvirtuser`). CONTRIB: qtool.pl: An empty queue is not an error. Problem noted by Jan Krueger of digitalanswers communications consulting gmbh. CONTRIB: domainmap.m4: Handle domains with '-' in them. From Mark Roth of the University of Illinois at Urbana-Champaign. DEVTOOLS: Change the internal devtools OS, REL, and ARCH m4 variables into bldOS, bldREL, and bldARCH to prevent namespace collisions. Problem noted by Motonori Nakamura of Kyoto University. RMAIL: Undo the 8.11.1 change to use -G when calling sendmail. It causes some changes in behavior and may break rmail for installations where sendmail is actually a wrapper to another MTA. The change will re-appear in a future version. SMRSH: Use the vendor supplied directory on HPUX 10.X, HPUX 11.X, and SunOS 5.8. Requested by Jeff A. Earickson of Colby College and John Beck of Sun Microsystems. VACATION: Fix pattern matching for addresses to ignore. VACATION: Don't reply to addresses of the form owner-* or *-owner. New Files: cf/ostype/aix5.m4 contrib/buildvirtuser devtools/OS/AIX.5.0

8.11.1/8.11.1 2000/09/27 Fix SMTP EXPN command output if the address expands to a single name. Fix from John Beck of Sun Microsystems. Don't try STARTTLS in the client if the PRNG has not been properly seeded. This problem only occurs on systems without /dev/urandom. Problem detected by Jan Krueger of digitalanswers communications consulting gmbh and Neil Rickert of Northern Illinois University. Don't use the . and .. directories when expanding QueueDirectory wildcards. Do not try to cache LDAP connections across processes as a parent process may close the connection before the child process has completed. Problem noted by Lai Yiu Fai of the Hong Kong University of Science and Technology and Wolfgang Hottgenroth of UUNET. Use Timeout.fileopen to limit the amount of time spent trying to read the LDAP secret from a file. Prevent SIGTERM from removing a command line submitted item after the user submits the message and before the first delivery attempt completes. Problem noted by Max France of AlphaNet. Fix from Neil Rickert of Northern Illinois University. Deal correctly with MaxMessageSize restriction if message size is greater than 2^31. Problem noted by Tim "Darth Dice" Bosserman of EarthLink. Turn off queue checkpointing if CheckpointInterval is set to zero. Treat an empty home directory (from getpw*() or $HOME) as non-existent instead of treating it as /. Problem noted by Todd C. Miller of Courtesan Consulting. Don't drop duplicate headers when reading a queued item. Problem noted by Motonori Nakamura of Kyoto University. Avoid bogus error text when logging the savemail panic "cannot save rejected email anywhere". Problem noted by Marc G. Fournier of Acadia University. If an LDAP search fails because the LDAP server went down, close the map so subsequent searches reopen the map. If there are multiple LDAP servers, the down server will be skipped and one of the others may be able to take over. Set the ${load_avg} macro to the current load average, not the previous load average query result. If a non-optional map used in a check_* ruleset can't be opened, return a temporary failure to the remote SMTP client instead of ignoring the map. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Avoid a race condition when queuing up split envelopes by saving the split envelopes before the original envelope. Fix a bug in the PH_MAP code which caused mail to bounce instead of defer if the PH server could not be contacted. From Mark Roth of the University of Illinois at Urbana-Champaign. Prevent QueueSortOrder=Filename from interfering with -qR, -qS, and ETRN. Problem noted by Erik R. Leo of SoVerNet. Change error code for unrecognized parameters to the SMTP MAIL and RCPT commands from 501 to 555 per RFC 1869. Problem reported to Postfix by Robert Norris of Monash University. Prevent overwriting the argument of -B on certain OS. Problem noted by Matteo Gelosa of I.NET S.p.A. Use the proper routine for freeing memory with Netscape's LDAP client libraries. Patch from Paul Hilchey of the University of British Columbia. Portability: Move the NETINET6 define to devtools/OS/SunOS.5.{8,9} instead of defining it in conf.h so users can override the setting. Suggested by Henrik Nordstrom of Ericsson. On HP-UX 10.X and 11.X, use /usr/sbin/sendmail instead of /usr/lib/sendmail for rmail and vacation. From Jeff A. Earickson of Colby College. On HP-UX 11.X, use /usr/sbin instead of /usr/libexec (which does not exist). From Jeff A. Earickson of Colby College. Avoid using the UCB subsystem on NCR MP-RAS 3.x. From Tom Moore of NCR. NeXT 3.X and 4.X installs man pages in /usr/man. From Hisanori Gogota of NTT/InterCommunicationCenter. Solaris 8 and later include /var/run. The default PID file location is now /var/run/sendmail.pid. From John Beck of Sun Microsystems. SFIO includes snprintf() for those operating systems which do not. From Todd C. Miller of Courtesan Consulting. CONFIG: Use the result of _CERT_REGEX_SUBJECT_ not {cert_subject}. Problem noted by Kaspar Brand of futureLab AG. CONFIG: Change 553 SMTP reply code to 501 to avoid problems with errors in the MAIL address. CONFIG: Fix FEATURE(nouucp) usage in example .mc files. Problem noted by Ron Jarrell of Virginia Tech. CONFIG: Add support for Solaris 8 (and later) as OSTYPE(solaris8). Contributed by John Beck of Sun Microsystems. CONFIG: Set confFROM_HEADER such that the mail hub can possibly add GECOS information for an address. This more closely matches pre-8.10 nullclient behavior. From Per Hedeland of Ericsson. CONFIG: Fix MODIFY_MAILER_FLAGS(): apply the flag modifications for SMTP to all *smtp* mailers and those for RELAY to the relay mailer as described in cf/README. MAIL.LOCAL: Open the mailbox as the recipient not root so quotas are obeyed. Problem noted by Damian Kuczynski of NIK. MAKEMAP: Do not change a map's owner to the TrustedUser if using makemap to 'unmake' the map. RMAIL: Avoid overflowing the list of recipients being passed to sendmail. RMAIL: Invoke sendmail with '-G' to indicate this is a gateway submission. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. VACATION: Read the complete message to avoid "broken pipe" signals. VACATION: Do not cut off vacation.msg files which have a single dot as the only character on the line. New Files: cf/ostype/solaris8.m4

8.11.0/8.11.0 2000/07/19 SECURITY: If sendmail is installed as a non-root set-user-ID binary (not the normal case), some operating systems will still keep a saved-uid of the effective-uid when sendmail tries to drop all of its privileges. If sendmail needs to drop these privileges and the operating system doesn't set the saved-uid as well, exit with an error. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. SECURITY: sendmail depends on snprintf() NUL terminating the string it populates. It is possible that some broken implementations of snprintf() exist that do not do this. Systems in this category should compile with -DSNPRINTF_IS_BROKEN=1. Use test/t_snprintf.c to test your system and report broken implementations to sendmail-bugs@sendmail.org and your OS vendor. Problem noted by Slawomir Piotrowski of TELSAT GP. Support SMTP Service Extension for Secure SMTP (RFC 2487) (STARTTLS). Implementation influenced by the example programs of OpenSSL and the work of Lutz Jaenicke of TU Cottbus. Add new STARTTLS related options CACERTPath, CACERTFile, ClientCertFile, ClientKeyFile, DHParameters, RandFile, ServerCertFile, and ServerKeyFile. These are documented in cf/README and doc/op/op.*. New STARTTLS related macros: ${cert_issuer}, ${cert_subject}, ${tls_version}, ${cipher}, ${cipher_bits}, ${verify}, ${server_name}, and ${server_addr}. These are documented in cf/README and doc/op/op.*. Add support for the Entropy Gathering Daemon (EGD) for better random data. New DontBlameSendmail option InsufficientEntropy for systems which don't properly seed the PRNG for OpenSSL but want to try to use STARTTLS despite the security problems. Support the security layer in SMTP AUTH for mechanisms which support encryption. Based on code contributed by Tim Martin of CMU. Add new macro ${auth_ssf} to reflect the SMTP AUTH security strength factor. LDAP's -1 (single match only) flag was not honored if the -z (delimiter) flag was not given. Problem noted by ST Wong of the Chinese University of Hong Kong. Fix from Mark Adamson of CMU. Add more protection from accidentally tripping OpenLDAP 1.X's ld_errno == LDAP_DECODING_ERROR hack on ldap_next_attribute(). Suggested by Kurt Zeilenga of OpenLDAP. Fix the default family selection for DaemonPortOptions. As documented, unless a family is specified in a DaemonPortOptions option, "inet" is the default. It is also the default if no DaemonPortOptions value is set. Therefore, IPv6 users should configure additional sockets by adding DaemonPortOptions settings with Family=inet6 if they wish to also listen on IPv6 interfaces. Problem noted by Jun-ichiro itojun Hagino of the KAME Project. Set ${if_family} when setting ${if_addr} and ${if_name} to reflect the interface information for an outgoing connection. Not doing so was creating a mismatch between the socket family and address used in subsequent connections if the M=b modifier was set in DaemonPortOptions. Problem noted by John Beck of Sun Microsystems. If DaemonPortOptions modifier M=b is used, determine the socket family based on the IP address. ${if_family} is no longer persistent (i.e., saved in qf files). Patch from John Beck of Sun Microsystems. sendmail 8.10 and 8.11 reused the ${if_addr} and ${if_family} macros for both the incoming interface address/family and the outgoing interface address/family. In order for M=b modifier in DaemonPortOptions to work properly, preserve the incoming information in the queue file for later delivery attempts. Use SMTP error code and enhanced status code from check_relay in responses to commands. Problem noted by Jeff Wasilko of smoe.org. Add more vigilance in checking for putc() errors on output streams to protect from a bug in Solaris 2.6's putc(). Problem noted by Graeme Hewson of Oracle. The LDAP map -n option (return attribute names only) wasn't working. Problem noted by Ajay Matia. Under certain circumstances, an address could be listed as deferred but would be bounced back to the sender as failed to be delivered when it really should have been queued. Problem noted by Allan E Johannesen of Worcester Polytechnic Institute. Prevent a segmentation fault in a child SMTP process from getting the SMTP transaction out of sync. Problem noted by Per Hedeland of Ericsson. Turn off RES_DEBUG if SFIO is defined unless SFIO_STDIO_COMPAT is defined to avoid a core dump due to incompatibilities between sfio and stdio. Problem noted by Neil Rickert of Northern Illinois University. Don't log useless envelope ID on initial connection log. Problem noted by Kari Hurtta of the Finnish Meteorological Institute. Convert the free disk space shown in a control socket status query to kilobyte units. If TryNullMXList is True and there is a temporary DNS failure looking up the hostname, requeue the message for a later attempt. Problem noted by Ari Heikkinen of Pohjois-Savo Polytechnic. Under the proper circumstances, failed connections would be recorded as "Bad file number" instead of "Connection failed" in the queue file and persistent host status. Problem noted by Graeme Hewson of Oracle. Avoid getting into an endless loop if a non-hoststat directory exists within the hoststatus directory (e.g., lost+found). Patch from Valdis Kletnieks of Virginia Tech. Make sure Timeout.queuereturn=now returns a bounce message to the sender. Problem noted by Per Hedeland of Ericsson. If a message data file can't be opened at delivery time, panic and abort the attempt instead of delivering a message that states "<<< No Message Collected >>>". Fixup the GID checking code from 8.10.2 as it was overly restrictive. Problem noted by Mark G. Thomas of Mark G. Thomas Consulting. Preserve source port number instead of replacing it with the ident port number (113). Document the queue status characters in the mailq man page. Suggested by Ulrich Windl of the Universitat Regensburg. Process queued items in which none of the recipient addresses have host portions (or there are no recipients). Problem noted by Valdis Kletnieks of Virginia Tech. If a cached LDAP connection is used for multiple maps, make sure only the first to open the connection is allowed to close it so a later map close doesn't break the connection for other maps. Problem noted by Wolfgang Hottgenroth of UUNET. Netscape's LDAP libraries do not support Kerberos V4 authentication. Patch from Rainer Schoepf of the University of Mainz. Provide workaround for inconsistent handling of data passed via callbacks to Cyrus SASL prior to version 1.5.23. Mention ENHANCEDSTATUSCODES in the SMTP HELP helpfile. Omission noted by Ulrich Windl of the Universitat Regensburg. Portability: Add the ability to read IPv6 interface addresses into class 'w' under FreeBSD (and possibly others). From Jun Kuriyama of IMG SRC, Inc. and the FreeBSD Project. Replace code for finding the number of CPUs on HPUX. NCRUNIX MP-RAS 3.02 SO_REUSEADDR socket option does not work properly causing problems if the accept() fails and the socket needs to be reopened. Patch from Tom Moore of NCR. NetBSD uses a .0 extension of formatted man pages. From Andrew Brown of Crossbar Security. Return to using the IPv6 AI_DEFAULT flag instead of AI_V4MAPPED for calls to getipnodebyname(). The Linux implementation is broken so AI_ADDRCONFIG is stripped under Linux. From John Beck of Sun Microsystems and John Kennedy of Cal State University, Chico. CONFIG: Catch invalid addresses containing a ',' at the wrong place. Patch from Neil Rickert of Northern Illinois University. CONFIG: New variables for the new sendmail options: confCACERT_PATH CACERTPath confCACERT CACERTFile confCLIENT_CERT ClientCertFile confCLIENT_KEY ClientKeyFile confDH_PARAMETERS DHParameters confRAND_FILE RandFile confSERVER_CERT ServerCertFile confSERVER_KEY ServerKeyFile CONFIG: Provide basic rulesets for TLS policy control and add new tags to the access database to support these policies. See cf/README for more information. CONFIG: Add TLS information to the Received: header. CONFIG: Call tls_client ruleset from check_mail in case it wasn't called due to a STARTTLS command. CONFIG: If TLS_PERM_ERR is defined, TLS related errors are permanent instead of temporary. CONFIG: FEATURE(`relay_hosts_only') didn't work in combination with the access map and relaying to a domain without using a To: tag. Problem noted by Mark G. Thomas of Mark G. Thomas Consulting. CONFIG: Set confEBINDIR to /usr/sbin to match the devtools entry in OSTYPE(`linux') and OSTYPE(`mklinux'). From Tim Pierce of RootsWeb.com. CONFIG: Make sure FEATURE(`nullclient') doesn't use aliasing and forwarding to make it as close to the old behavior as possible. Problem noted by George W. Baltz of the University of Maryland. CONFIG: Added OSTYPE(`darwin') for Mac OS X and Darwin users. From Wilfredo Sanchez of Apple Computer, Inc. CONFIG: Changed the map names used by FEATURE(`ldap_routing') from ldap_mailhost and ldap_mailroutingaddress to ldapmh and ldapmra as underscores in map names cause problems if underscore is in OperatorChars. Problem noted by Bob Zeitz of the University of Alberta. CONFIG: Apply blacklist_recipients also to hosts in class {w}. Patch from Michael Tratz of Esosoft Corporation. CONFIG: Use A=TCP ... instead of A=IPC ... in SMTP mailers. CONTRIB: Add link_hash.sh to create symbolic links to the hash of X.509 certificates. CONTRIB: passwd-to-alias.pl: More protection from special characters; treat special shells as root aliases; skip entries where the GECOS full name and username match. From Ulrich Windl of the Universitat Regensburg. CONTRIB: qtool.pl: Add missing last_modified_time method and fix a typo. Patch from Graeme Hewson of Oracle. CONTRIB: re-mqueue.pl: Improve handling of a race between re-mqueue and sendmail. Patch from Graeme Hewson of Oracle. CONTRIB: re-mqueue.pl: Don't exit(0) at end so can be called as subroutine Patch from Graeme Hewson of Oracle. CONTRIB: Add movemail.pl (move old mail messages between queues by calling re-mqueue.pl) and movemail.conf (configuration script for movemail.pl). From Graeme Hewson of Oracle. CONTRIB: Add cidrexpand (expands CIDR blocks as a preprocessor to makemap). From Derek J. Balling of Yahoo,Inc. DEVTOOLS: INSTALL_RAWMAN installation option mistakenly applied any extension modifications (e.g., MAN8EXT) to the installation target. Patch from James Ralston of Carnegie Mellon University. DEVTOOLS: Add support for SunOS 5.9. DEVTOOLS: New option confLN contains the command used to create links. LIBSMDB: Berkeley DB 2.X and 3.X errors might be lost and not reported. MAIL.LOCAL: DG/UX portability. Problem noted by Tim Boyer of Denman Tire Corporation. MAIL.LOCAL: Prevent a possible DoS attack when compiled with -DCONTENTLENGTH. Based on patch from 3APA3A@SECURITY.NNOV.RU. MAILSTATS: Fix usage statement (-p and -o are optional). MAKEMAP: Change man page layout as workaround for problem with nroff and -man on Solaris 7. Patch from Larry Williamson. RMAIL: AIX 4.3 has snprintf(). Problem noted by David Hayes of Black Diamond Equipment, Limited. RMAIL: Prevent a segmentation fault if the incoming message does not have a From line. VACATION: Read all of the headers before deciding whether or not to respond instead of stopping after finding recipient. Added Files: cf/ostype/darwin.m4 contrib/cidrexpand contrib/link_hash.sh contrib/movemail.conf contrib/movemail.pl devtools/OS/SunOS.5.9 test/t_snprintf.c

8.10.2/8.10.2 2000/06/07 SECURITY: Work around broken Linux setuid() implementation. On Linux, a normal user process has the ability to subvert the setuid() call such that it is impossible for a root process to drop its privileges. Problem noted by Wojciech Purczynski of elzabsoft.pl. SECURITY: Add more vigilance around set*uid(), setgid(), setgroups(), initgroups(), and chroot() calls. Added Files: test/t_setuid.c

Sendmail 8.12.9 Known Problems

The following are the known problems and limitations in Sendmail 8.12.9, as provided by sendmail.org. For descriptions of bugs that have been fixed, see the ``Sendmail Version 8.12.9 Release Notes''.

   

* Delivery to programs that generate too much output may cause problems

If e-mail is delivered to a program which generates too much output, then sendmail may issue an error:

timeout waiting for input from local during Draining Input

Make sure that the program does not generate output beyond a status message (corresponding to the exit status). This may require a wrapper around the actual program to redirect output to /dev/null.

Such a problem has been reported for bulk_mailer.

* Null bytes are not handled properly in headers.

Sendmail should handle full binary data. As it stands, it handles all values in the body, but only 0x01-0x80 and 0xA0-0xFF in the header. Notably missing is 0x00, which would require a major restructuring of the code -- for example, almost no C library support could be used to handle strings.

* Header checks are not called if header value is too long or empty.

If the value of a header is longer than 1250 (MAXNAME + MAXATOM - 6) characters or it contains a single word longer than 256 (MAXNAME) characters then no header check is done even if one is configured for the header.

* Sender addresses whose domain part cause a temporary A record lookup failure but have a valid MX record will be temporarily rejected in the default configuration. Solution: fix the DNS at the sender side. If that's not easy to achieve, possible workarounds are: - add an entry to the access map: dom.ain OK - (only for advanced users) replace

# Resolve map (to check if a host exists in check_mail) Kresolve host -a<OKR> -T<TEMP>

with

# Resolve map (to check if a host exists in check_mail) Kcanon host -a<OKR> -T<TEMP> Kdnsmx dns -R MX -a<OKR> -T<TEMP> Kresolve sequence dnsmx canon

* Duplicate error messages.

Sometimes identical, duplicate error messages can be generated. As near as I can tell, this is rare and relatively innocuous.

* Misleading error messages.

If an illegal address is specified on the command line together with at least one valid address and PostmasterCopy is set, the DSN does not contain the illegal address, but only the valid address(es).

* \231 considered harmful.

Header addresses that have the \231 character (and possibly others in the range \201 - \237) behave in odd and usually unexpected ways.

* accept() problem on SVR4.

Apparently, the sendmail daemon loop (doing accept()s on the network) can get into a weird state on SVR4; it starts logging ``SYSERR: getrequests: accept: Protocol Error''. The workaround is to kill and restart the sendmail daemon. We don't have an SVR4 system at Berkeley that carries more than token mail load, so I can't validate this. It is likely to be a glitch in the sockets emulation, since "Protocol Error" is not possible error code with Berkeley TCP/IP.

I've also had someone report the message ``sendmail: accept: SIOCGPGRP failed errno 22'' on an SVR4 system. This message is not in the sendmail source code, so I assume it is also a bug in the sockets emulation. (Errno 22 is EINVAL "Invalid Argument" on all the systems I have available, including Solaris 2.x.) Apparently, this problem is due to linking -lc before -lsocket; if you are having this problem, check your Makefile.

* accept() problem on Linux.

The accept() in sendmail daemon loop can return ETIMEDOUT. An error is reported to syslog:

Jun 9 17:14:12 hostname sendmail[207]: NOQUEUE: SYSERR(root): getrequests: accept: Connection timed out

"Connection timed out" is not documented as a valid return from accept(2) and this was believed to be a bug in the Linux kernel. Later information from the Linux kernel group states that Linux 2.0 kernels follow RFC1122 while sendmail follows the original BSD (now POSIX 1003.1g draft) specification. The 2.1.X and later kernels will follow the POSIX draft.

* Excessive mailing list nesting can run out of file descriptors.

If you have a mailing list that includes lots of other mailing lists, each of which has a separate owner, you can run out of file descriptors. Each mailing list with a separate owner uses one open file descriptor (prior to 8.6.6 it was three open file descriptors per list). This is particularly egregious if you have your connection cache set to be large.

* Connection caching breaks if you pass the port number as an argument.

If you have a definition such as:

Mport, P=[IPC], F=kmDFMuX, S=11/31, R=21, M=2100000, T=DNS/RFC822/SMTP, A=IPC [127.0.0.1] $h

(i.e., where $h is the port number instead of the host name) the connection caching code will break because it won't notice that two messages addressed to different ports should use different connections.

* ESMTP SIZE underestimates the size of a message

Sendmail makes no allowance for headers that it adds, nor does it account for the SMTP on-the-wire \r\n expansion. It probably doesn't allow for 8->7 bit MIME conversions either.

* Client ignores SIZE parameter.

When sendmail acts as client and the server specifies a limit for the mail size, sendmail will ignore this and try to send the mail anyway. The server will usually reject the MAIL command which specifies the size of the message and hence this problem is not significant.

* Paths to programs being executed and the mode of program files are not checked. Essentially, the RunProgramInUnsafeDirPath and RunWritableProgram bits in the DontBlameSendmail option are always set. This is not a problem if your system is well managed (that is, if binaries and system directories are mode 755 instead of something foolish like 777).

* 8-bit data in GECOS field

If the GECOS (personal name) information in the passwd file contains 8-bit characters, those characters can be included in the message header, which can cause problems when sending SMTP to hosts that only accept 7-bit characters.

* 8->7 bit MIME conversion

When sendmail is doing 8->7 bit MIME conversions, and the message contains certain MIME body types that cannot be converted to 7-bit, sendmail will strip the message to 7-bit.

* 7->8 bit MIME conversion

If a message that is encoded as 7-bit MIME is converted to 8-bit and that message when decoded is illegal (e.g., because of long lines or illegal characters), sendmail can produce an illegal message.

* MIME encoded full name phrases in the From: header

If a full name phrase includes characters from MustQuoteChars, sendmail will quote the entire full name phrase. If MustQuoteChars includes characters which are not special characters according to STD 11 (RFC 822), this quotation can interfere with MIME encoded full name phrases. By default, sendmail includes the single quote character (') in MustQuoteChars even though it is not listed as a special character in STD 11.

* bestmx map with -z flag truncates the list of MX hosts

A bestmx map configured with the -z flag will truncate the list of MX hosts. This prevents creation of strings which are too long for ruleset parsing. This can have an adverse effect on the relay_based_on_MX feature.

* Saving to ~sender/dead.letter fails if su'ed to root

If ErrorMode is set to print and an error in sending mail occurs, the normal action is to print a message to the screen and append the message to a dead.letter file in the sender's home directory. In the case where the sender is using su to act as root, the file safety checks prevent sendmail from saving the dead.letter file because the sender's uid and the current real uid do not match.

* Berkeley DB 2.X race condition with fcntl() locking

There is a race condition for Berkeley DB 2.X databases on operating systems which use fcntl() style locking, such as Solaris. Sendmail locks the map before calling db_open() to prevent others from modifying the map while it is being opened. Unfortunately, Berkeley DB opens the map, closes it, and then reopens it. fcntl() locking drops the lock when any file descriptor pointing to the file is closed, even if it is a different file descriptor than the one used to initially lock the file. As a result there is a possibility that entries in a map might not be found during a map rebuild. As a workaround, you can use makemap to build a map with a new name and then "mv" the new db file to replace the old one.

Sleepycat Software has added code to avoid this race condition to Berkeley DB versions after 2.7.5.

* File open timeouts not available on hard mounted NFS file systems

Since SIGALRM does not interrupt an RPC call for hard mounted NFS file systems, it is impossible to implement a timeout on a file open operation. Therefore, while the NFS server is not responding, attempts to open a file on that server will hang. Systems with local mail delivery and NFS hard mounted home directories should be avoided, as attempts to open the forward files could hang.

* Race condition for delivery to set-user-ID files

Sendmail will deliver to a fail if the file is owned by the DefaultUser or has the set-user-ID bit set. Unfortunately, some systems clear that bit when a file is modified. Sendmail compensates by resetting the file mode back to it's original settings. Unfortunately, there's still a permission failure race as sendmail checks the permissions before locking the file. This is unavoidable as sendmail must verify the file is safe to open before opening it. A file can not be locked until it is open.

* MAIL_HUB always takes precedence over LOCAL_RELAY

Despite the information in the documentation, MAIL_HUB ($H) will always be used if set instead of LOCAL_RELAY ($R). This will be fixed in a future version.

$Revision: 8.55.2.1 $, Last updated $Date: 2002/12/18 22:38:48 $


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004