From 4d2b827223a76e377061414226397173e8d8927d Mon Sep 17 00:00:00 2001 From: millert Date: Wed, 19 Apr 2000 16:08:54 +0000 Subject: [PATCH] cvs missed removing these before --- usr.sbin/sendmail/FAQ | 6 - usr.sbin/sendmail/KNOWNBUGS | 185 - usr.sbin/sendmail/LICENSE | 89 - usr.sbin/sendmail/Makefile | 8 - usr.sbin/sendmail/Makefile.dist | 26 - usr.sbin/sendmail/README | 399 -- usr.sbin/sendmail/RELEASE_NOTES | 6587 ------------------------------- 7 files changed, 7300 deletions(-) delete mode 100644 usr.sbin/sendmail/FAQ delete mode 100644 usr.sbin/sendmail/KNOWNBUGS delete mode 100644 usr.sbin/sendmail/LICENSE delete mode 100644 usr.sbin/sendmail/Makefile delete mode 100644 usr.sbin/sendmail/Makefile.dist delete mode 100644 usr.sbin/sendmail/README delete mode 100644 usr.sbin/sendmail/RELEASE_NOTES diff --git a/usr.sbin/sendmail/FAQ b/usr.sbin/sendmail/FAQ deleted file mode 100644 index b4cb2e6d177..00000000000 --- a/usr.sbin/sendmail/FAQ +++ /dev/null @@ -1,6 +0,0 @@ -The FAQ is no longer maintained with the sendmail release. It is -available at http://www.sendmail.org/faq/ . - -A plain-text version of the questions only, with URLs referring to -the answers, is posted to comp.mail.sendmail on the 10th and 25th -of each month. diff --git a/usr.sbin/sendmail/KNOWNBUGS b/usr.sbin/sendmail/KNOWNBUGS deleted file mode 100644 index 85409a00fb3..00000000000 --- a/usr.sbin/sendmail/KNOWNBUGS +++ /dev/null @@ -1,185 +0,0 @@ - - - K N O W N B U G S I N S E N D M A I L - (for 8.9.0) - - -The following are bugs or deficiencies in sendmail that I am aware of -but which have not been fixed in the current release. You probably -want to get the most up to date version of this from ftp.sendmail.org -in /pub/sendmail/KNOWNBUGS. For descriptions of bugs that have been -fixed, see the file RELEASE_NOTES (in the root directory of the sendmail -distribution). - -This list is not guaranteed to be complete. - - -* Null bytes are not handled properly in headers. - - Sendmail should handle full binary data. As it stands, it handles - all values in the body, but only 0x01-0x80 and 0xA0-0xFF in - the header. Notably missing is 0x00, which would require a major - restructuring of the code -- for example, almost no C library support - could be used to handle strings. - -* Duplicate error messages. - - Sometimes identical, duplicate error messages can be generated. As - near as I can tell, this is rare and relatively innocuous. - -* $c (hop count) macro improperly set. - - The $c macro is supposed to contain the current hop count, for use - when calling a mailer. This macro is initialized too early, and - is always zero (or the value of the -c command line flag, if any). - This macro will probably be removed entirely in a future release; - I don't believe there are any mailers left that require it. - -* If you EXPN a list or user that has a program mailer, the output of - EXPN will include ``@local.host.name''. You can't actually mail to - this address. It's not clear what the right behavior is in this - circumstance. - -* \231 considered harmful. - - Header addresses that have the \231 character (and possibly others - in the range \201 - \237) behave in odd and usually unexpected ways. - -* accept() problem on SVR4. - - Apparently, the sendmail daemon loop (doing accept()s on the network) - can get into a weird state on SVR4; it starts logging ``SYSERR: - getrequests: accept: Protocol Error''. The workaround is to kill - and restart the sendmail daemon. We don't have an SVR4 system at - Berkeley that carries more than token mail load, so I can't validate - this. It is likely to be a glitch in the sockets emulation, since - "Protocol Error" is not possible error code with Berkeley TCP/IP. - - I've also had someone report the message ``sendmail: accept: - SIOCGPGRP failed errno 22'' on an SVR4 system. This message is - not in the sendmail source code, so I assume it is also a bug - in the sockets emulation. (Errno 22 is EINVAL "Invalid Argument" - on all the systems I have available, including Solaris 2.x.) - Apparently, this problem is due to linking -lc before -lsocket; - if you are having this problem, check your Makefile. - -* accept() problem on Linux. - - The accept() in sendmail daemon loop can return ETIMEDOUT. An - error is reported to syslog: - - Jun 9 17:14:12 hostname sendmail[207]: NOQUEUE: SYSERR(root): - getrequests: accept: Connection timed out - - "Connection timed out" is not documented as a valid return from - accept(2) and this was believed to be a bug in the Linux kernel. - Later information from the Linux kernel group states that Linux - 2.0 kernels follow RFC1122 while sendmail follows the original BSD - (now POSIX 1003.1g draft) specification. The 2.1.X and later kernels - will follow the POSIX draft. - -* Excessive mailing list nesting can run out of file descriptors. - - If you have a mailing list that includes lots of other mailing - lists, each of which has a separate owner, you can run out of - file descriptors. Each mailing list with a separate owner uses - one open file descriptor (prior to 8.6.6 it was three open - file descriptors per list). This is particularly egregious if - you have your connection cache set to be large. - -* Connection caching breaks if you pass the port number as an argument. - - If you have a definition such as: - - Mport, P=[IPC], F=kmDFMuX, S=11/31, R=21, - M=2100000, T=DNS/RFC822/SMTP, - A=IPC [127.0.0.1] $h - - (i.e., where $h is the port number instead of the host name) the - connection caching code will break because it won't notice that - two messages addressed to different ports should use different - connections. - -* ESMTP SIZE underestimates the size of a message - - Sendmail makes no allowance for headers that it adds, nor does it - account for the SMTP on-the-wire \r\n expansion. It probably doesn't - allow for 8->7 bit MIME conversions either. - -* Paths to programs being executed and the mode of program files are - not checked. Essentially, the RunProgramInUnsafeDirPath and - RunWritableProgram bits in the DontBlameSendmail option are always - set. This is not a problem if your system is well managed (that is, - if binaries and system directories are mode 755 instead of something - foolish like 777). - -* 8-bit data in GECOS field - - If the GECOS (personal name) information in the passwd file contains - 8-bit characters, those characters can be included in the message - header, which can cause problems when sending SMTP to hosts that - only accept 7-bit characters. - -* 8->7 bit MIME conversion - - When sendmail is doing 8->7 bit MIME conversions, and the message - contains certain MIME body types that cannot be converted to 7-bit, - sendmail will strip the message to 7-bit. - -* 7->8 bit MIME conversion - - If a message that is encoded as 7-bit MIME is converted to 8-bit and - that message when decoded is illegal (e.g., because of long lines or - illegal characters), sendmail can produce an illegal message. - -* MIME encoded full name phrases in the From: header - - If a full name phrase includes characters from MustQuoteChars, sendmail - will quote the entire full name phrase. If MustQuoteChars includes - characters which are not special characters according to STD 11 (RFC - 822), this quotation can interfere with MIME encoded full name phrases. - By default, sendmail includes the single quote character (') in - MustQuoteChars even though it is not listed as a special character in - STD 11. - -* bestmx map with -z flag truncates the list of MX hosts - - A bestmx map configured with the -z flag will truncate the list - of MX hosts. This prevents creation of strings which are too - long for ruleset parsing. This can have an adverse effect on the - relay_based_on_MX feature. - -* Saving to ~sender/dead.letter fails if su'ed to root - - If ErrorMode is set to print and an error in sending mail occurs, - the normal action is to print a message to the screen and append - the message to a dead.letter file in the sender's home directory. - In the case where the sender is using su to act as root, the file - safety checks prevent sendmail from saving the dead.letter file - because the sender's uid and the current real uid do not match. - -* Berkeley DB 2.X race condition with fcntl() locking - - There is a race condition for Berkeley DB 2.X databases on - operating systems which use fcntl() style locking, such as - Solaris. Sendmail locks the map before calling db_open() to - prevent others from modifying the map while it is being opened. - Unfortunately, Berkeley DB opens the map, closes it, and then - reopens it. fcntl() locking drops the lock when any file - descriptor pointing to the file is closed, even if it is a - different file descriptor than the one used to initially lock - the file. As a result there is a possibility that entries in a - map might not be found during a map rebuild. As a workaround, - you can use makemap to build a map with a new name and then - "mv" the new db file to replace the old one. - -* File open timeouts not available on hard mounted NFS file systems - - Since SIGALRM does not interrupt an RPC call for hard mounted - NFS file systems, it is impossible to implement a timeout on a file - open operation. Therefore, while the NFS server is not responding, - attempts to open a file on that server will hang. Systems with - local mail delivery and NFS hard mounted home directories should be - avoided, as attempts to open the forward files could hang. - -(Version 8.36, last updated 2/4/1999) diff --git a/usr.sbin/sendmail/LICENSE b/usr.sbin/sendmail/LICENSE deleted file mode 100644 index d0ff63a9cb1..00000000000 --- a/usr.sbin/sendmail/LICENSE +++ /dev/null @@ -1,89 +0,0 @@ - SENDMAIL LICENSE - -The following license terms and conditions apply, unless a different -license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA -94608, or by electronic mail at license@sendmail.com. - -License Terms: - -Use, Modification and Redistribution (including distribution of any -modified or derived work) in source and binary forms is permitted only if -each of the following conditions is met: - -1. Redistributions qualify as "freeware" or "Open Source Software" under - one of the following terms: - - (a) Redistributions are made at no charge beyond the reasonable cost of - materials and delivery. - - (b) Redistributions are accompanied by a copy of the Source Code or by an - irrevocable offer to provide a copy of the Source Code for up to three - years at the cost of materials and delivery. Such redistributions - must allow further use, modification, and redistribution of the Source - Code under substantially the same terms as this license. For the - purposes of redistribution "Source Code" means the complete source - code of sendmail including all modifications. - - Other forms of redistribution are allowed only under a separate royalty- - free agreement permitting such redistribution subject to standard - commercial terms and conditions. A copy of such agreement may be - obtained from Sendmail, Inc. at the above address. - -2. Redistributions of source code must retain the copyright notices as they - appear in each source code file, these license terms, and the - disclaimer/limitation of liability set forth as paragraph 6 below. - -3. Redistributions in binary form must reproduce the Copyright Notice, - these license terms, and the disclaimer/limitation of liability set - forth as paragraph 6 below, in the documentation and/or other materials - provided with the distribution. For the purposes of binary distribution - the "Copyright Notice" refers to the following language: - "Copyright (c) 1998 Sendmail, Inc. All rights reserved." - -4. Neither the name of Sendmail, Inc. nor the University of California nor - the names of their contributors may be used to endorse or promote - products derived from this software without specific prior written - permission. The name "sendmail" is a trademark of Sendmail, Inc. - -5. All redistributions must comply with the conditions imposed by the - University of California on certain embedded code, whose copyright - notice and conditions for redistribution are as follows: - - (a) Copyright (c) 1988, 1993 The Regents of the University of - California. All rights reserved. - - (b) Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions - are met: - - (i) Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - - (ii) Redistributions in binary form must reproduce the above - copyright notice, this list of conditions and the following - disclaimer in the documentation and/or other materials provided - with the distribution. - - (iii) All advertising materials mentioning features or use of this - software must display the following acknowledgement: "This - product includes software developed by the University of - California, Berkeley and its contributors." - - (iv) Neither the name of the University nor the names of its - contributors may be used to endorse or promote products derived - from this software without specific prior written permission. - -6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY - SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED - WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF - MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN - NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF - CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF - USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - -(Version 8.6, last updated 6/24/1998) diff --git a/usr.sbin/sendmail/Makefile b/usr.sbin/sendmail/Makefile deleted file mode 100644 index 08634bd5fc9..00000000000 --- a/usr.sbin/sendmail/Makefile +++ /dev/null @@ -1,8 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 1998/05/19 16:56:48 millert Exp $ - -SUBDIR= src smrsh mailstats makemap praliases cf/cf -.if make(install) -SUBDIR+= doc/intro doc/op cf -.endif - -.include diff --git a/usr.sbin/sendmail/Makefile.dist b/usr.sbin/sendmail/Makefile.dist deleted file mode 100644 index 98ad6e5b8f4..00000000000 --- a/usr.sbin/sendmail/Makefile.dist +++ /dev/null @@ -1,26 +0,0 @@ -# @(#)Makefile.dist 8.2 (Berkeley) 2/17/1998 - -SHELL= /bin/sh -SUBDIRS= src mail.local mailstats makemap praliases rmail smrsh -BUILD= ./Build -OPTIONS= $(CONFIG) $(FLAGS) - -all clean install:: FRC - @for x in $(SUBDIRS); \ - do \ - (cd $$x; echo Making $@ in:; pwd; \ - $(SHELL) $(BUILD) $(OPTIONS) $@); \ - done - -fresh:: FRC - @for x in $(SUBDIRS); \ - do \ - (cd $$x; echo Making $@ in:; pwd; \ - $(SHELL) $(BUILD) $(OPTIONS) -c); \ - done - -$(SUBDIRS):: FRC - @cd $@; pwd; \ - $(SHELL) $(BUILD) $(OPTIONS) - -FRC: diff --git a/usr.sbin/sendmail/README b/usr.sbin/sendmail/README deleted file mode 100644 index c7ff734b925..00000000000 --- a/usr.sbin/sendmail/README +++ /dev/null @@ -1,399 +0,0 @@ -/*- - * @(#)README 8.51 (Berkeley) 1/25/1999 - */ - - SENDMAIL RELEASE 8 - -This directory has the latest sendmail(TM) software from Sendmail, Inc. -See doc/changes/changes.me for a summary of changes since 5.67. - -Report any bugs to sendmail-bugs@sendmail.ORG - -There is a web site at http://WWW.Sendmail.ORG -- see that site for -the latest updates. - -****************************************************************** -** A new Build architecture is in place that allows you to ** -** use the "Build" shell script in any of the program ** -** directories. On many environments this will do everything ** -** for you, no fuss, no muss. See src/README for more details ** -** of compilation. See cf/README for details about building ** -** a runtime configuration file. ** -****************************************************************** - -Sendmail is a trademark of Sendmail, Inc. - -+-----------------------+ -| DIRECTORY PERMISSIONS | -+-----------------------+ - -Sendmail often gets blamed for many problems that are actually the -result of other problems, such as overly permissive modes on directories. -For this reason, sendmail checks the modes on system directories and -files to determine if can have been trusted. For sendmail to run -without complaining, you MUST execute the following command: - - chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue - chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue - -You will probably have to tweak this for your environment (for example, -some systems put the spool directory into /usr/spool instead of -/var/spool and use /etc/mail for aliases file instead of /etc). If you -set the RunAsUser option in your sendmail.cf, the /var/spool/mqueue -directory will have to be owned by the RunAsUser user. As a general rule, -after you have compiled sendmail, run the command - - sendmail -v -bi - -to initialize the alias database. If it gives messages such as - - WARNING: writable directory /etc - WARNING: writable directory /usr/spool/mqueue - -then the directories listed have inappropriate write permissions and -should be secured to avoid various possible security attacks. - -Beginning with sendmail 8.9, these checks have become more strict to -prevent users from being able to access files they would normally not -be able to read. In particular, .forward and :include: files in unsafe -directory paths (directory paths which are group or world writable) will -no longer be allowed. This would mean that if user joe's home directory -was writable by group staff, sendmail would not use his .forward file. -This behavior can be altered, at the expense of system security, by -setting the DontBlameSendmail option. For example, to allow .forward -files in group writable directories: - - O DontBlameSendmail=forwardfileingroupwritabledirpath - -Or to allow them in both group and world writable directories: - - O DontBlameSendmail=forwardfileinunsafedirpath - -Items from these unsafe .forward and :include: files will be marked -as unsafe addresses -- the items can not be deliveries to files or -programs. This behavior can also be altered via DontBlameSendmail: - - O DontBlameSendmail=forwardfileinunsafedirpath, - forwardfileinunsafedirpathsafe - -The first flag allows the .forward file to be read, the second allows -the items in the file to be marked as safe for file and program -delivery. - -Other files affected by this strengthened security include class -files (i.e. Fw /etc/sendmail.cw), persistent host status files, and -the files specified by the ErrorHeader and HelpFile options. Similar -DontBlameSendmail flags are available for the class, ErrorHeader, and -HelpFile files. - -If you have an unsafe configuration of .forward and :include: -files, you can make it safe by finding all such files, and doing -a "chmod go-w $FILE" on each. Also, do a "chmod go-w $DIR" for -each directory in the file's path. - - -+--------------+ -| MANUAL PAGES | -+--------------+ - -The sendmail manual pages use contemporary Berkeley troff macros. If -your system does not process these manual pages, you can pick up the -new macros in a BSD Net/2 FTP site (e.g. on FTP.UU.NET, the files -/systems/unix/bsd-sources/share/tmac/*). - -The strip.sed file is only used in installation. - -After installation, edit tmac.doc and tmac.andoc to reflect the -installation path of the tmac files. Those files contain pointers to -/usr/share/tmac/, and those pointers are not changed by the `make -install` process. There's also a bug in those files -- make the -following patch: - -*** tmac.an~ Tue Jul 12 14:29:09 1994 ---- tmac.an Fri Jul 15 13:17:54 1994 -*************** -*** 50,55 **** - .de TH - .rn TH xX - .so /usr/share/lib/tmac/tmac.an.old -! .TH \\$1 \\$2 \\$3 \\$4 \\$5 \\$6 \\$7 \\$8 - .rm xX - .. ---- 50,55 ---- - .de TH - .rn TH xX - .so /usr/share/lib/tmac/tmac.an.old -! .TH "\\$1" "\\$2" "\\$3" "\\$4" "\\$5" "\\$6" "\\$7" "\\$8" - .rm xX - .. - -Rename the existing tmac.an to be tmac.an.old, and rename tmac.andoc -to be tmac.an. - -tmac.an will choose between tmac.an.old, your old macros, or tmac.doc, -which are the new macros, so that both the new man pages and the -existing man pages will be translated properly. - -I'm also told that the groff distribution from MIT has a tmac.doc -macro set that is compatible with these macros. - - -+-----------------------+ -| RELATED DOCUMENTATION | -+-----------------------+ - -There are other files you should read. Rooted in this directory are: - - doc/changes/changes.ps - Describes changes between Release 5 and Release 8 of sendmail. - There are some things that may behave somewhat differently. - For example, the rules governing when :include: files will - be read have been tightened up for security reasons. - FAQ - Answers to Frequently Asked Questions. - KNOWNBUGS - Known bugs in the current release. I try to keep this up - to date -- get the latest version from FTP.Sendmail.ORG - in /ucb/sendmail/KNOWNBUGS. - RELEASE_NOTES - A detailed description of the changes in each version. This - is quite long, but informative. - src/README - Details on compiling and installing sendmail. - cf/README - Details on configuring sendmail. - doc/op/op.me - The sendmail Installation & Operations Guide. Be warned: if - you are running this off on SunOS or some other system with an - old version of -me, you need to add the following macro to the - macros: - - .de sm - \s-1\\$1\\s0\\$2 - .. - - This sets a word in a smaller pointsize. - - -+--------------+ -| RELATED RFCS | -+--------------+ - -There are several related RFCs that you may wish to read -- they are -available via anonymous FTP to several sites, including: - - ftp://nic.ddn.mil/rfc/ - ftp://nis.nsf.net/documents/rfc/ - ftp://nisc.jvnc.net/rfc/ - ftp://venera.isi.edu/in-notes/ - ftp://wuarchive.wustl.edu/doc/rfc/ - -For a list of the primary repositories see: - - http://www.isi.edu/in-notes/rfc-retrieval.txt - -They are also online at: - - http://www.ietf.org/ - -They can also be retrieved via electronic mail by sending -email to one of: - - mail-server@nisc.sri.com - Put "send rfcNNN" in message body - nis-info@nis.nsf.net - Put "send RFCnnn.TXT-1" in message body - sendrfc@jvnc.net - Put "RFCnnn" as Subject: line - -For further instructions see: - - http://www.isi.edu/in-notes/rfc-editor/rfc-info - -Important RFCs for electronic mail are: - - RFC821 SMTP protocol - RFC822 Mail header format - RFC974 MX routing - RFC976 UUCP mail format - RFC1123 Host requirements (modifies 821, 822, and 974) - RFC1413 Identification server - RFC1869 SMTP Service Extensions (ESMTP spec) - RFC1652 SMTP Service Extension for 8bit-MIMEtransport - RFC1870 SMTP Service Extension for Message Size Declaration - RFC2045 Multipurpose Internet Mail Extensions (MIME) Part One: - Format of Internet Message Bodies - RFC1344 Implications of MIME for Internet Mail Gateways - RFC1428 Transition of Internet Mail from Just-Send-8 to - 8-bit SMTP/MIME - RFC1891 SMTP Service Extension for Delivery Status Notifications - RFC1892 Multipart/Report Content Type for the Reporting of - Mail System Administrative Messages - RFC1893 Enhanced Mail System Status Codes - RFC1894 An Extensible Message Format for Delivery Status - Notifications - RFC1985 SMTP Service Extension for Remote Message Queue Starting - RFC2033 Local Mail Transfer Protocol - -Other standards that may be of interest (but which are less directly -relevant to sendmail) are: - - RFC987 Mapping between RFC822 and X.400 - RFC1049 Content-Type header field (extension to RFC822) - -Warning to AIX users: this version of sendmail does not implement -MB, MR, or MG DNS resource records, as defined (as experiments) in -RFC1035. - - -+-------------------+ -| DATABASE ROUTINES | -+-------------------+ - -IF YOU WANT TO RUN THE NEW BERKELEY DB SOFTWARE: **** DO NOT **** -use the version that was on the Net2 tape -- it has a number of -nefarious bugs that were bad enough when I got them; you shouldn't have -to go through the same thing. Instead, get a new version via the web at -http://www.sleepycat.com/. This software is highly recommended; it gets -rid of several stupid limits, it's much faster, and the interface is -nicer to animals and plants. If the Berkeley DB include files -are installed in a location other than those which your compiler searches, -you will need to provide that directory when building: - - Build -I/path/to/include/directory - -If you are using Berkeley DB versions 1.85 or 1.86, you are *strongly* -urged to upgrade to DB version 2, available from http://www.sleepycat.com/. -Berkeley DB versions 1.85 and 1.86 are known to be broken in various nasty -ways (see http://www.sleepycat.com/db.185.html), and can cause sendmail -to dump core. In addition, the newest versions of gcc and the Solaris -compilers perform optimizations in those versions that may cause fairly -random core dumps. - -If you have no choice but to use Berkeley DB 1.85 or 1.86, and you are -using both Berkeley DB and files in the UNIX ndbm format, remove ndbm.h -and ndbm.o from the DB library after building it. You should also apply -all of the patches for DB 1.85 and 1.86 found at the Sleepycat web site -(see http://www.sleepycat.com/db.185.html), as they fix some of the known -problems. - -If you are using a version of Berkeley DB 2 previous to 2.3.15, and you -are using both Berkeley DB and files in the UNIX ndbm format, remove dbm.o -from the DB library after building it. No other changes are necessary. - -If you are using Berkeley DB version 2.3.15 or greater, no changes are -necessary. - -The underlying database file formats changed between Berkeley DB versions -1.85 and 1.86, and again between DB 1.86 and version 2.0. If you are -upgrading from one of those versions, you must recreate your database -file(s). Do this by rebuilding all maps with makemap and rebuilding the -alias file with newaliases. - - -+--------------------+ -| HOST NAME SERVICES | -+--------------------+ - -If you are using NIS or /etc/hosts, it is critical that you -list the long (fully qualified) name somewhere (preferably first) in -the /etc/hosts file used to build the NIS database. For example, the -line should read - - 128.32.149.68 mastodon.CS.Berkeley.EDU mastodon - -**** NOT **** - - 128.32.149.68 mastodon - -If you do not include the long name, sendmail will complain loudly -about ``unable to qualify my own domain name (mastodon) -- using -short name'' and conclude that your canonical name is the short -version and use that in messages. The name "mastodon" doesn't mean -much outside of Berkeley, and so this creates incorrect and unreplyable -messages. - - -+-------------+ -| USE WITH MH | -+-------------+ - -This version of sendmail notices and reports certain kinds of SMTP -protocol violations that were ignored by older versions. If you -are running MH you may wish to install the patch in contrib/mh.patch -that will prevent these warning reports. This patch also works -with the old version of sendmail, so it's safe to go ahead and -install it. - - -+----------------+ -| USE WITH IDENT | -+----------------+ - -Sendmail 8 supports the IDENT protocol, as defined by RFC 1413. -No ident server is included with this distribution. I have found -copies available on: - - ftp.lysator.liu.se /pub/ident/servers - romulus.ucs.uoknor.edu /networking/ident/servers - ftp.cyf-kr.edu.pl /agh/uciagh/network/ident - -If you want to run an IDENT server, I suggest getting a copy from -one of those sites. Versions are available for several different -systems, including Apollo, BSD, NeXT, AIX, TOPS20, and VMS. - - -+-------------------------+ -| INTEROPERATION PROBLEMS | -+-------------------------+ - -Microsoft Exchange Server 5.0 - We have had a report that ``about 7% of messages from Sendmail - to Exchange were not being delivered with status messages of - "connection reset" and "I/O error".'' Upgrading Exchange from - Version 5.0 to Version 5.5 Service Pack 2 solved this problem. - - -+---------------------+ -| DIRECTORY STRUCTURE | -+---------------------+ - -The structure of this directory tree is: - -cf Source for sendmail configuration files. These are - different than what you've seen before. They are a - fairly dramatic rewrite, requiring the new sendmail - (since they use new features). -contrib Some contributed tools to help with sendmail. THESE - ARE NOT SUPPORTED by sendmail -- contact the original - authors if you have problems. (This directory is not - on the 4.4BSD tape.) -doc Documentation. If you are getting source, read - op.me -- it's long, but worth it. -mail.local The source for the local delivery agent used for 4.4BSD. - THIS IS NOT PART OF SENDMAIL! and may not compile - everywhere, since it depends on some 4.4-isms. Warning: - it does mailbox locking differently than other systems. -mailstats Statistics printing program. It has the pathname of - sendmail.st compiled in, so if you've changed that, - beware. -makemap A program that creates the keyed maps used by the $( ... $) - construct in sendmail. It is primitive but effective. - It takes a very simple input format, so you will probably - expect to preprocess must human-convenient formats - using sed scripts before this program will like them. - But it should be functionally complete. -praliases A program to print the DBM or NEWDB version of the - aliases file. -rmail Source for rmail(8). This is used as a delivery - agent for for UUCP, and could presumably be used by - other non-socket oriented mailers. Older versions of - rmail are probably deficient. RMAIL IS NOT PART OF - SENDMAIL!!! The 4.4BSD source is included for you to - look at or try to port to your system. I know it doesn't - compile on {SunOS, HP-UX, OSF/1, other} (pick one). -smrsh The "sendmail restricted shell", which can be used as - a replacement for /bin/sh in the prog mailer to provide - increased security control. NOT PART OF SENDMAIL! -src Source for the sendmail program itself. -test Some test scripts (currently only for compilation aids). diff --git a/usr.sbin/sendmail/RELEASE_NOTES b/usr.sbin/sendmail/RELEASE_NOTES deleted file mode 100644 index e50c3b58862..00000000000 --- a/usr.sbin/sendmail/RELEASE_NOTES +++ /dev/null @@ -1,6587 +0,0 @@ - SENDMAIL RELEASE NOTES - @(#)RELEASE_NOTES 8.9.3.1 (Berkeley) 2/4/1999 - - -This listing shows the version of the sendmail binary, the version -of the sendmail configuration files, the date of release, and a -summary of the changes in that release. - -8.9.3/8.9.3 99/02/04 - SECURITY: Limit message headers to a maximum of 32K bytes (total - of all headers in a single message) to prevent a denial of - service attack. This limit will be configurable in 8.10. - Problem noted by Michal Zalewski of the "Internet for - Schools" project (IdS). - Prevent segmentation fault on an LDAP lookup if the LDAP map - was closed due to an earlier failure. Problem noted by - Jeff Wasilko of smoe.org. Fix from Booker Bense of - Stanford University and Per Hedeland of Ericsson. - Preserve the order of the MIME headers in multipart messages - when performing the MIME header length check. This - will allow PGP signatures to function properly. Problem - noted by Lars Hecking of University College, Cork, Ireland. - If ruleset 5 rewrote the local address to an :include: directive, - the delivery would fail with an "aliasing/forwarding loop - broken" error. Problem noted by Eric C Hagberg of Morgan - Stanley. Fix from Per Hedeland of Ericsson. - Allow -T to work for bestmx maps. Fix from Aaron Schrab of - ExecPC Internet Systems. - During the transfer of a message in an SMTP transaction, if a - TCP timeout occurs, the message would be properly queued - for later retry but the failure would be logged as - "Illegal Seek" instead of a timeout. Problem noted by - Piotr Kucharski of the Warsaw School of Economics (SGH) - and Carles Xavier Munyoz Baldo of CTV Internet. - Prevent multiple deliveries on a self-referencing alias if the - F=w mailer flag is not set. Problem noted by Murray S. - Kucherawy of Concentric Network Corporation and Per - Hedeland of Ericsson. - Do not strip empty headers but if there is no value and a - default is defined in sendmail.cf, use the default. - Problem noted by Philip Guenther of Gustavus Adolphus - College and Christopher McCrory of Netus, Inc. - Don't inherit information about the sender (notably the full name) - in SMTP (-bs) mode, since this might be called from inetd. - Accept any 3xx reply code in response to DATA command instead of - requiring 354. This change will match the wording to be - published in the updated SMTP specification from the DRUMS - group of the IETF. - Portability: - AIX 4.2.0.2 ships with a /usr/lib/libbind.a which should - not be used. It conflicts with the resolver - built into libc.a. "bind" has been removed - from the confLIBSEARCH BuildTools variable. - Users who have installed BIND 8.X will have - to add it back in their site.config.m4 file. - Problem noted by Ole Holm Nielsen of the - Technical University of Denmark. - CRAY TS 10.0.x from Sven Nielsen of San Diego - Supercomputer Center. - Improved LDAP version 3 integration based on input - from Kurt D. Zeilenga of the OpenLDAP Foundation, - John Beck of Sun Microsystems, and Booker Bense - of Stanford University. - Linux doesn't have a standard way to get the timezone - between different releases. Back out the - change in 8.9.2 and don't attempt to derive - a timezone. Problem reported by Igor S. Livshits - of the University of Illinois at Urbana-Champaign - and Michael Dickens of Tetranet Communications. - Reliant UNIX, the new name for SINIX, from Gert-Jan Looy - of Siemens/SNI. - SunOS 5.8 from John Beck of Sun Microsystems. - CONFIG: SCO UnixWare 2.1 and 7.0 need TZ to get the proper - timezone. Problem noted by Petr Lampa of Technical - University of Brno. - CONFIG: Handle <@bestmx-host:user@otherhost> addressing properly - when using FEATURE(bestmx_is_local). Patch from Neil W. - Rickert of Northern Illinois University. - CONFIG: Properly handle source routed and %-hack addresses on - hosts which the mailertable remaps to local:. Patch from - Neil W. Rickert of Northern Illinois University. - CONFIG: Internal fixup of mailertable local: map value. Patch from - Larry Parmelee of Cornell University. - CONFIG: Only add back +detail from host portion of mailer triplet - on local mailer triplets if it was originally +detail. - Patch from Neil W. Rickert of Northern Illinois University. - CONFIG: The bestmx_is_local checking done in check_rcpt would - cause later checks to fail. Patch from Paul J Murphy of - MIDS Europe. - New files: - BuildTools/OS/CRAYTS.10.0.x - BuildTools/OS/ReliantUNIX - BuildTools/OS/SunOS.5.8 - -8.9.2/8.9.2 98/12/30 - SECURITY: Remove five second sleep on accepting daemon connections - due to an accept() failure. This sleep could be used - for a denial of service attack. - Do not silently ignore queue files with names which are too long. - Patch from Bryan Costales of InfoBeat, Inc. - Do not store failures closing an SMTP session in persistent - host status. Reported by Graeme Hewson of Oracle - Corporation UK. - Allow symbolic link forward files if they are in safe directories. - Problem noted by Andreas Schott of the Max Planck Society. - Missing columns in a text map could cause a segmentation fault. - Fix from David Lee of the University of Durham. - Note that for 8.9.X, PrivacyOptions=goaway also includes the - noetrn flag. This is scheduled to change in a future - version of sendmail. Problem noted by Theo Van Dinter of - Chrysalis Symbolic Designa and Alan Brown of Manawatu - Internet Services. - When trying to do host canonification in a Wildcard MX - environment, try an MX lookup of the hostname without the - default domain appended. Problem noted by Olaf Seibert of - Polderland Language & Speech Technology. - Reject SMTP RCPT To: commands with only comments (i.e. - 'RCPT TO: (comment)'. Problem noted by Earle Ake of - Hassler Communication Systems Technology, Inc. - Handle any number of %s in the LDAP filter spec. Patch from - Per Hedeland of Ericsson. - Clear ldapx open timeouts even if the map open failed to prevent - a segmentation fault. Patch from Wayne Knowles of the - National Institute of Water & Atmospheric Research Ltd. - Do not syslog envelope clone messages when using address - verification (-bv). Problem noted by Kari Hurtta of the - Finnish Meteorological Institute. - Continue to perform queue runs while in daemon mode even if the - daemon is rejecting connections due to a disk full - condition. Problem noted by JR Oldroyd of TerraNet - Internet Services. - Include full filename on installation of the sendmail.hf file - in case the $HFDIR directory does not exist. Problem - noted by Josef Svitak of Montana State University. - Close all maps when exiting the process with one exception. - Berkeley DB can use internal shared memory locking for - its memory pool. Closing a map opened by another process - will interfere with the shared memory and locks of the - parent process leaving things in a bad state. For - Berkeley DB, only close the map if the current process - is also the one that opened the map, otherwise only close - the map file descriptor. Thanks to Yoseff Francus of - Collective Technologies for volunteering his system for - extended testing. - Avoid null pointer dereference on XDEBUG output for SMTP reply - failures. Problem noted by Carlos Canau of EUnet Portugal. - On mailq and hoststat listings being piped to another program, such - as more, if the pipe closes (i.e. the user quits more), - stop sending output and exit. Patch from Allan E Johannesen - of Worcester Polytechnic Institute. - In accordance with the documentation, LDAP map lookup failures - are now considered temporary failures instead of permanent - failures unless the -t flag is used in the map definition. - Problem noted by Booker Bense of Stanford University and - Eric C. Hagberg of Morgan Stanley. - Fix by one error reporting on long alias names. Problem noted by - H. Paul Hammann of the Missouri Research and Education - Network. - Fix DontBlameSendmail=IncludeFileInUnsafeDirPath behavior. Problem - noted by Barry S. Finkel of Argonne National Laboratory. - When automatically converting from 8 bit to quoted printable MIME, - be careful not to miss a multi-part boundary if that - boundary is preceded by a boundary-like line. Problem - noted by Andreas Raschle of Ansid Inc. Fix from - Kari Hurtta of the Finnish Meteorological Institute. - Avoid bogus reporting of "LMTP tobuf overflow" when the buffer - has enough space for the additional address. Problem - noted by Steve Cliffe of the University of Wollongong. - Fix DontBlameSendmail=FileDeliveryToSymlink behavior. Problem - noted by Alex Vorobiev of Swarthmore College. - If the check_compat ruleset resolves to the $#discard mailer, - discard the current recipient. Unlike check_relay, - check_mail, and check_rcpt, the entire envelope is not - discarded. Problem noted by RZ D. Rahlfs. Fix from - Claus Assmann of Christian-Albrechts-University of Kiel. - Avoid segmentation fault when reading ServiceSwitchFile files with - bogus formatting. Patch from Kari Hurtta of the Finnish - Meteorological Institute. - Support Berkeley DB 2.6.4 API change. - OP.ME: Pages weren't properly output on duplexed printers. Fix - from Matthew Black of CSU Long Beach. - Portability: - Apple Rhapsody from Wilfredo Sanchez of Apple Computer, Inc. - Avoid a clash with IRIX 6.2 getopt.h and the UserDatabase - option structure. Problem noted by Ashley M. - Kirchner of Photo Craft Laboratories, Inc. - Break out IP address to hostname translation for - reading network interface addresses into - class 'w'. Patch from John Kennedy of - Cal State University, Chico. - AIX 4.x use -qstrict with -O3 to prevent the optimized - from changing the semantics of the compiled - program. From Simon Travaglia of the - University of Waikato, New Zealand. - FreeBSD 2.2.2 and later support setusercontext(). From - Peter Wemm of DIALix. - FreeBSD 3.x fix from Peter Wemm of DIALix. - IRIX 5.x has a syslog buffer size of 512 bytes. From - Nao NINOMIYA of Utsunomiya University. - IRIX 6.5 64-bit Build support. - LDAP Version 3 support from John Beck and Ravi Iyer - of Sun Microsystems. - Linux does not implement seteuid() properly. From - John Kennedy of Cal State University, Chico. - Linux timezone type was set improperly. From Takeshi Itoh - of Bits Co., Ltd. - NCR MP-RAS 3.x needs -lresolv for confLIBS. From - Tom J. Moore of NCR. - NeXT 4.x correction to man page path. From J. P. McCann - of E I A. - System V Rel 5.x (a.k.a UnixWare7 w/o BSD-Compatibility Libs) - from Paul Gampe of the Asia Pacific Network - Information Center. - ULTRIX now requires an optimization limit of 970 from - Allan E Johannesen of Worcester Polytechnic - Institute. - Fix extern declaration for sm_dopr(). Fix from Henk - van Oers of Algemeen Nederlands Persbureau. - CONFIG: Catch @hostname,user@anotherhost.domain as relaying. - Problem noted by Mark Rogov of AirMedia, Inc. Fix from - Claus Assmann of Christian-Albrechts-University of Kiel. - CONFIG: Do not refer to http://maps.vix.com/ on RBL rejections as - there are multiple RBL's available and the MAPS RBL may - not be the one in use. Suggested by Alan Brown of - Manawatu Internet Services. - CONFIG: Properly strip route addresses (i.e. @host1:user@host2) - when stripping down a recipient address to check for - relaying. Patch from Claus Assmann of - Christian-Albrechts-University of Kiel and Neil W Rickert - of Northern Illinois University. - CONFIG: Allow the access database to override RBL lookups. Patch - from Claus Assmann of Christian-Albrechts-University of - Kiel. - CONFIG: UnixWare 7 support from Phillip P. Porch of The Porch - Dot Com. - CONFIG: Fixed check for deferred delivery mode warning. Patch - from Claus Assmann of Christian-Albrechts-University of - Kiel and Per Hedeland of Ericsson. - CONFIG: If a recipient using % addressing is used, e.g. - user%site@othersite, and othersite's MX records are now - checked for local hosts if FEATURE(relay_based_on_MX) is - used. Problem noted by Alexander Litvin of Lucky Net Ltd. - Patch from Alexander Litvin of Lucky Net Ltd and - Claus Assmann of Christian-Albrechts-University of Kiel. - MAIL.LOCAL: Prevent warning messages from appearing in the LMTP - stream. Do not allow more than one response per recipient. - MAIL.LOCAL: Handle routed addresses properly when using LMTP. Fix - from John Beck of Sun Microsystems. - MAIL.LOCAL: Properly check for CRLF when using LMTP. Fix from - John Beck of Sun Microsystems. - MAIL.LOCAL: Substitute MAILER-DAEMON for the LMTP empty sender in - the envelope From header. - MAIL.LOCAL: Accept underscores in hostnames in LMTP mode. - Problem noted by Glenn A. Malling of Syracuse University. - MAILSTATS: Document msgsrej and msgsdis fields in the man page. - Problem noted by Richard Wong of Princeton University. - MAKEMAP: Build group list so group writable files are allowed with - the -s flag. Problem noted by Curt Sampson of Internet - Portal Services, Inc. - PRALIASES: Automatically handle alias files created without the - NULL byte at the end of the key. Patch from John Beck of - Sun Microsystems. - PRALIASES: Support Berkeley DB 2.6.4 API change. - New Files: - BuildTools/OS/IRIX64.6.5 - BuildTools/OS/UnixWare.5.i386 - cf/cf/unixware7.m4 - contrib/smcontrol.pl - src/control.c - -8.9.1/8.9.1 98/07/02 - If both an OS specific site configuration file and a generic - site.config.m4 file existed, only the latter was used - instead of both. Problem noted by Geir Johannessen of - the Norwegian University of Science and Technology. - Fix segmentation fault while converting 8 bit to 7 bit MIME - multipart messages by trying to write to an unopened - file descriptor. Fix from Kari Hurtta of the Finnish - Meteorological Institute. - Do not assume Message: and Text: headers indicate the end of - the header area when parsing MIME headers. Problem noted - by Kari Hurtta of the Finnish Meteorological Institute. - Setting the confMAN#SRC Build variable would only effect the - installation commands. The man pages would still be - built with .0 extensions. Problem noted by Bryan - Costales of InfoBeat, Inc. - Installation of manual pages didn't honor the DESTDIR environment - variable. Problem noted by Bryan Costales of InfoBeat, Inc. - If the check_relay ruleset resolved to the discard mailer, messages - were still delivered. Problem noted by Mirek Luc of NASK. - Mail delivery to files would fail with an Operating System Error - if sendmail was not running as root, i.e. RunAsUser was set. - Problem noted by Leonard N. Zubkoff of Dandelion Digital. - Prevent MinQueueAge from interfering from queued items created - in the future, i.e. if the system clock was set ahead - and then back. Problem noted by Michael Miller of the - University of Natal, Pietermaritzburg. - Do not advertise ETRN support in ESTMP EHLO reply if noetrn is - set in the PrivacyOptions option. Fix from Ted Rule of - Flextech TV. - Log invalid persistent host status file lines instead of - bouncing the message. Problem noted by David Lindes of - DaveLtd Enterprises. - Move creation of empty sendmail.st file from installation to - compilation. Installation may be done from a read-only - mount. Fix from Bryan Costales of InfoBeat, Inc. and Ric - Anderson of the Oasis Research Center, Inc. - Enforce the maximum number of User Database entries limit. Problem - noted by Gary Buchanan of Credence Systems Inc. - Allow dead.letter files in root's home directory. Problem noted - by Anna Ullman of Sun Microsystems. - Program deliveries in forward files could be marked unsafe if - any directory listed in the ForwardPath option did not - exist. Problem noted by Jorg Bielak of Coastal Web Online. - Do not trust the length of the address structure returned by - gethostbyname(). Problem noted by Chris Evans of Oxford - University. - If the SIZE= MAIL From: ESMTP parameter is too large, use the - 5.3.4 DSN status code instead of 5.2.2. Similarly, for - non-local deliveries, if the message is larger than the - mailer maximum message size, use 5.3.4 instead of 5.2.3. - Suggested by Antony Bowesman of - Fujitsu/TeaWARE Mail/MIME System. - Portability: - Fix the check for an IP address reverse lookup for - use in $&{client_name} on 64 bit platforms. - From Gilles Gallot of Institut for Development - and Resources in Intensive Scientific computing. - BSD-OS uses .0 for man page extensions. From Jeff Polk - of BSDI. - DomainOS detection for Build. Also, version 10.4 and later - ship a unistd.h. Fixes from Takanobu Ishimura of - PICT Inc. - NeXT 4.x uses /usr/lib/man/cat for its man pages. From - J. P. McCann of E I A. - SCO 4.X and 5.X include NDBM support. From Vlado Potisk - of TEMPEST, Ltd. - CONFIG: Do not pass spoofed PTR results through resolver for - qualification. Problem noted by Michiel Boland of - Digital Valley Internet Professionals; fix from - Kari Hurtta of the Finnish Meteorological Institute. - CONFIG: Do not try to resolve non-DNS hostnames such as UUCP, - BITNET, and DECNET addresses for resolvable senders. - Problem noted by Alexander Litvin of Lucky Net Ltd. - CONFIG: Work around Sun's broken configuration which sends bounce - messages as coming from @@hostname instead of <>. LMTP - would not accept @@hostname. - OP.ME: Corrections to complex sendmail startup script from Rick - Troxel of the National Institutes of Health. - RMAIL: Do not install rmail by default, require 'make force-install' - as this rmail isn't the same as others. Suggested by - Kari Hurtta of the Finnish Meteorological Institute. - New Files: - BuildTools/OS/DomainOS.10.4 - -8.9.0/8.9.0 98/05/19 - SECURITY: To prevent users from reading files not normally - readable, sendmail will no longer open forward, :include:, - class, ErrorHeader, or HelpFile files located in unsafe - (i.e. group or world writable) directory paths. Sites - which need the ability to override security can use the - DontBlameSendmail option. See the README file for more - information. - SECURITY: Problems can occur on poorly managed systems, specifically, - if maps or alias files are in world writable directories. - This fixes the change added to 8.8.6 to prevent links in these - world writable directories. - SECURITY: Make sure ServiceSwitchFile option file is not a link if - it is in a world writable directory. - SECURITY: Never pass a tty to a mailer -- if a mailer can get at the - tty it may be able to push bytes back to the senders input. - Unfortunately this breaks -v mode. Problem noted by - Wietse Venema of the Global Security Analysis Lab at - IBM T.J. Watson Research. - SECURITY: Empty group list if DontInitGroups is set to true to - prevent program deliveries from picking up extra group - privileges. Problem reported by Wolfgang Ley of DFN-CERT. - SECURITY: The default value for DefaultUser is now set to the uid and - gid of the first existing user mailnull, sendmail, or daemon - that has a non-zero uid. If none of these exist, sendmail - reverts back to the old behavior of using uid 1 and gid 1. - This is a security problem for Linux which has chosen that - uid and gid for user bin instead of daemon. If DefaultUser - is set in the configuration file, that value overrides this - default. - SECURITY: Since 8.8.7, the check for non-setuid binaries - interfered with setting an alternate group id for the - RunAsUser option. Problem noted by Randall Winchester of - the University of Maryland. - Add support for Berkeley DB 2.X. Based on patch from John Kennedy - of Cal State University, Chico. - Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB). Users - which previously defined OLD_NEWDB=1 must now upgrade to the - current version of Berkeley DB. - Added support for regular expressions using the new map class regex. - From Jan Krueger of Unix-AG of University of Hannover. - Support for BIND 8.1.1's hesiod for hesiod maps and hesiod - UserDatabases from Randall Winchester of the University - of Maryland. - Allow any shell for user shell on program deliveries on V1 - configurations for backwards compatibility on machines which - do not have getusershell(). Fix from John Beck of Sun - Microsystems. - On operating systems which change the process title by reusing the - argument vector memory, sendmail could corrupt memory if the - last argument was either "-q" or "-d". Problem noted by - Frank Langbein of the University of Stuttgart. - Support Local Mail Transfer Protocol (LMTP) between sendmail and - mail.local on the F=z flag. - Macro-expand the contents of the ErrMsgFile. Previously this was - only done if you had magic characters (0x81) to indicate - macro expansion. Now $x will be expanded. This means that - real dollar signs have to be backslash escaped. - TCP Wrappers expects "unknown" in the hostname argument if the - reverse DNS lookup for the incoming connection fails. - Problem noted by Randy Grimshaw of Syracuse University and - Wietse Venema of the Global Security Analysis Lab at - IBM T.J. Watson Research. - DSN success bounces generated from an invocation of sendmail -t - would be sent to both the sender and MAILER-DAEMON. - Problem noted by Claus Assmann of - Christian-Albrechts-University of Kiel. - Avoid "Error 0" messages on delivery mailers which exit with a - valid exit value such as EX_NOPERM. Fix from Andreas Luik - of ISA Informationssysteme GmbH. - Tokenize $&x expansions on right hand side of rules. This eliminates - the need to use tricks like $(dequote "" $&{client_name} $) - to cause the ${client_name} macro to be properly tokenized. - Add the MaxRecipientsPerMessage option: this limits the number of - recipients that will be accepted in a single SMTP - transaction. After this number is reached, sendmail - starts returning "452 Too many recipients" to all RCPT - commands. This can be used to limit the number of recipients - per envelope (in particular, to discourage use of the server - for spamming). Note: a better approach is to restrict - relaying entirely. - Fixed pointer initialization for LDAP lmap struct, fixed -s option - to ldapx map and added timeout for ldap_open call to - avoid hanging sendmail in the event of hung LDAP servers. - Patch from Booker Bense of Stanford University. - Allow multiple -qI, -qR, or -qS queue run limiters. For example, - '-qRfoo -qRbar' would deliver mail to recipients with foo or - bar in their address. Patch from Allan E Johannesen of - Worcester Polytechnic Institute. - The bestmx map will now return a list of the MX servers for a host if - passed a column delimiter via the -z map flag. This can be - used to check if the server is an MX server for the recipient - of a message. This can be used to help prevent relaying. - Patch from Mitchell Blank Jr of Exec-PC. - Mark failures for the *file* mailer and return bounce messages to the - sender for those failures. - Prevent bogus syslog timestamps on errors in sendmail.cf by - preserving the TZ environment variable until TimeZoneSpec - has been determined. Problem noted by Ralf Hildebrandt of - Technical University of Braunschweig. Patch from Per Hedeland - of Ericsson. - Print test input in address test mode when input is not from the tty - when the -v flag is given (i.e. sendmail -bt -v) to make - output easier to decipher. Problem noted by Aidan Nichol - of Procter & Gamble. - The LDAP map -s flag was not properly parsed and the error message - given included the remainder of the arguments instead of - solely the argument in error. Problem noted by Aidan Nichol - of Procter & Gamble. - New DontBlameSendmail option. This option allows administrators to - bypass some of sendmail's file security checks at the expense - of system security. This should only be used if you are - absolutely sure you know the consequences. The available - DontBlameSendmail options are: - Safe - AssumeSafeChown - ClassFileInUnsafeDirPath - ErrorHeaderInUnsafeDirPath - GroupWritableDirPathSafe - GroupWritableForwardFileSafe - GroupWritableIncludeFileSafe - GroupWritableAliasFile - HelpFileinUnsafeDirPath - WorldWritableAliasFile - ForwardFileInGroupWritableDirPath - IncludeFileInGroupWritableDirPath - ForwardFileInUnsafeDirPath - IncludeFileInUnsafeDirPath - ForwardFileInUnsafeDirPathSafe - IncludeFileInUnsafeDirPathSafe - MapInUnsafeDirPath - LinkedAliasFileInWritableDir - LinkedClassFileInWritableDir - LinkedForwardFileInWritableDir - LinkedIncludeFileInWritableDir - LinkedMapInWritableDir - LinkedServiceSwitchFileInWritableDir - FileDeliveryToHardLink - FileDeliveryToSymLink - WriteMapToHardLink - WriteMapToSymLink - WriteStatsToHardLink - WriteStatsToSymLink - RunProgramInUnsafeDirPath - RunWritableProgram - New DontProbeInterfaces option to turn off the inclusion of all the - interface names in $=w on startup. In particular, if you - have lots of virtual interfaces, this option will speed up - startup. However, unless you make other arrangements, mail - sent to those addresses will be bounced. - Automatically create alias databases if they don't exist and - AutoRebuildAliases is set. - Add PrivacyOptions=noetrn flag to disable the SMTP ETRN command. - Suggested by Christophe Wolfhugel of the Institut Pasteur. - Add PrivacyOptions=noverb flag to disable the SMTP VERB command. - When determining the client host name ($&{client_name} macro), do - a forward (A) DNS lookup on the result of the PTR lookup - and compare results. If they differ or if the PTR lookup - fails, &{client_name} will contain the IP address - surrounded by square brackets (e.g. [127.0.0.1]). - New map flag: -Tx appends "x" to lookups that return temporary failure - (i.e, it is like -ax for the temporary failure case, in - contrast to the success case). - New syntax to do limited checking of header syntax. A config line - of the form: - HHeader: $>Ruleset - causes the indicated Ruleset to be invoked on the Header - when read. This ruleset works like the check_* rulesets -- - that is, it can reject mail on the basis of the contents. - Limit the size of the HELO/EHLO parameter to prevent spammers - from hiding their connection information in Received: - headers. - When SingleThreadDelivery is active, deliveries to locked hosts - are skipped. This will cause the delivering process to - try the next MX host or queue the message if no other MX - hosts are available. Suggested by Alexander Litvin. - The [FILE] mailer type now delivers to the file specified in the - A= equate of the mailer definition instead of $u. It also - obeys all of the F= mailer flags such as the MIME - 7/8 bit conversion flags. This is useful for defining - a mailer which delivers to the same file regardless of the - recipient (e.g. 'A=FILE /dev/null' to discard unwanted mail). - Do not assume the identity of a remote connection is root@localhost - if the remote connection closes the socket before the - remote identity can be queried. - Change semantics of the F=S mailer flag back to 8.7.5 behavior. - Some mailers, including procmail, require that the real - uid is left unchanged by sendmail. Problem noted by Per - Hedeland of Ericsson. - No longer is the src/obj*/Makefile selected from a large list -- it - is now generated using the information in BuildTools/OS/ -- - some of the details are determined dynamically via - BuildTools/bin/configure.sh. - The other programs in the sendmail distribution -- mail.local, - mailstats, makemap, praliases, rmail, and smrsh -- now use - the new Build method which creates an operating system - specific Makefile using the information in BuildTools. - Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e., - a failure on one message won't affect future messages to the - same host). This is necessary if the remote host sends - a 451 error if the domain of the sender does not resolve - as is common in anti-spam configurations. Problem noted - by Mitchell Blank Jr of Exec-PC. - New "discard" mailer for check_* rulesets and header checking - rulesets. If one of the above rulesets resolves to the - $#discard mailer, the commands will be accepted but the - message will be completely discarded after it is accepting. - This means that even if only one of the recipients - resolves to the $#discard mailer, none of the recipients - will receive the mail. Suggested by Brian Kantor. - All but the last cloned envelope of a split envelope were queued - instead of being delivered. Problem noted by John Caruso - of CNET: The Computer Network. - Fix deadlock situation in persistent host status file locking. - Syslog an error if a user forward file could not be read due to - an error. Patch from John Beck of Sun Microsystems. - Use the first name returned on machine lookups when canonifying a - hostname via NetInfo. Patch from Timm Wetzel of GWDG. - Clear the $&{client_addr}, $&{client_name}, and $&{client_port} - macros when delivering a bounce message to prevent - rejection by a check_compat ruleset which uses these macros. - Problem noted by Jens Hamisch of AgiX Internetservices GmbH. - If the check_relay ruleset resolves to the the error mailer, the - error in the $: portion of the resolved triplet is used - in the rejection message given to the remote machine. - Suggested by Scott Gifford of The Internet Ramp. - Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros - before calling the check_relay ruleset. Suggested by Scott - Gifford of The Internet Ramp. - Sendmail would get a segmentation fault if a mailer exited with an - exit code of 79. Problem noted by Aaron Schrab of ExecPC - Internet. Fix from Christophe Wolfhugel of the Pasteur - Institute. - Separate snprintf/vsnprintf routines into separate file for use by - mail.local. - Allow multiple map lookups on right hand side, e.g., - R$* $( host $1 $) $| $( passwd $1 $). Patch from - Christophe Wolfhugel of the Pasteur Institute. - Properly generate success DSN messages if requested for aliases - which have owner- aliases. Problem noted by Kari Hurtta - of the Finnish Meteorological Institute. - Properly display delayed-expansion macros ($&{macroname}) in - address test mode (-bt). Problem noted by Bryan Costales - of InfoBeat, Inc. - -qR could sometimes match names incorrectly. Problem noted by - Lutz Euler of Lavielle EDV Systemberatung GmbH & Co. - Include a magic number and version in the StatusFile for the - mailstats command. - Record the number of rejected and discarded messages in the - StatusFile for display by the mailstats command. Patch - from Randall Winchester of the University of Maryland. - IDENT returns where the OSTYPE field equals "OTHER" now list the - user portion as IDENT:username@site instead of - username@site to differentiate the two. Suggested by - Kari Hurtta of the Finnish Meteorological Institute. - Enforce timeout for LDAP queries. Patch from Per Hedeland of - Ericsson. - Change persistent host status filename substitution so '/' is - replaced by ':' instead of '|' to avoid clashes. Also - avoid clashes with hostnames with leading dots. Fix from - Mitchell Blank Jr. of Exec-PC. - If the system lock table is full, only attempt to create a new - queue entry five times before giving up. Previously, it - was attempted indefinitely which could cause the partition - to run out of inodes. Problem noted by Suzie Weigand of - Stratus Computer, Inc. - In verbose mode, warn if the sendmail.cf version is less than the - currently supported version. - Sorting for QueueSortOrder=host is now case insensitive. Patch - from Randall S. Winchester of the University of Maryland. - Properly quote a full name passed via the -F command line option, - the Full-Name: header, or the NAME environment variable if - it contains characters which must be quoted. Problem noted - by Kari Hurtta of the Finnish Meteorological Institute. - Avoid possible race condition that unlocked a mail job before - releasing the transcript file on systems that use flock(2). - In some cases, this might result in a "Transcript Unavailable" - message in error bounces. - Accept SMTP replies which contain only a reply code and no - accompanying text. Problem noted by Fernando Fraticelli of - Digital Equipment Corporation. - Portability: - AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura - of Kyoto University. - AIX 4.2 requires before . Patch from - Randall S. Winchester of the University of - Maryland. - AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS. - CRAY T3E from Manu Mahonen of Center for Scientific Computing - in Finland. - Digital UNIX now uses statvfs for determining free - disk space. Patch from Randall S. Winchester of - the University of Maryland. - HP-UX 11.x from Richard Allen of Opin Kerfi HF and - Regis McEwen of Progress Software Corporation. - IRIX 64 bit fixes from Kari Hurtta of the Finnish - Meteorological Institute. - IRIX 6.2 configuration fix for mail.local from Michael Kyle - of CIC/Advanced Computing Laboratory. - IRIX 6.5 from Thomas H Jones II of SGI. - IRIX 6.X load average code from Bob Mende of SGI. - QNX from Glen McCready . - SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links - to sendmail. Install with group bin instead of kmem - as kmem does not exist. From Guillermo Freige of - Gobernacion de la Pcia de Buenos Aires and Paul - Fischer of BTG, Inc. - SunOS 4.X does not include memmove(). Patch from - Per Hedeland of Ericsson. - SunOS 5.7 includes getloadavg() function for determining - load average. Patch from John Beck of Sun - Microsystems. - CONFIG: Increment version number of config file. - CONFIG: add DATABASE_MAP_TYPE to set the default type of database - map for the various maps. The default is hash. Patch from - Robert Harker of Harker Systems. - CONFIG: new confEBINDIR m4 variable for defining the executable - directory for certain programs. - CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for - local mail delivery. By the default, /usr/libexec/mail.local - is used. This is expected to be the mail.local shipped - with 8.9 which is LMTP capable. The path is based on the - new confEBINDIR m4 variable. - CONFIG: Use confEBINDIR in determining path to smrsh for - FEATURE(smrsh). Note that this changes the default from - /usr/local/etc/smrsh to /usr/libexec/smrsh. To obtain the - old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh). - CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to - include $z/.forward.$w+$h and $z/.forward+$h which allow - the user to setup different .forward files for - user+detail addressing. - CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES, - and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage, - DontProbeInterfaces, and DontBlameSendmail options. - CONFIG: by default do not allow relaying (that is, accepting mail - from outside your domain and sending it to another host - outside your domain). - CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from - any site to any site. - CONFIG: new FEATURE(relay_entire_domain) allows any host in your - domain as defined by the 'm' class ($=m) to relay. - CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on - the MX records of the host portion of an incoming recipient. - CONFIG: new FEATURE(access_db) which turns on the access database - feature. This database give you the ability to allow - or refuse to accept mail from specified domains for - administrative reasons. By default, names that are listed - as "OK" in the access db are domain names, not host names. - CONFIG: new confCR_FILE m4 variable for defining the name of the file - used for class 'R'. Defaults to /etc/mail/relay-domains. - CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file) - to add items to class 'R' ($=R) for hosts allowed to relay. - CONFIG: new FEATURE(relay_hosts_only) to change the behavior - of FEATURE(access_db) and class 'R' to lookup individual - host names only. - CONFIG: new FEATURE(loose_relay_check). Normally, if a recipient - using % addressing is used, e.g. user%site@othersite, - and othersite is in class 'R', the check_rcpt ruleset - will strip @othersite and recheck user@site for relaying. - This feature changes that behavior. It should not be - needed for most installations. - CONFIG: new FEATURE(relay_local_from) to allow relaying if the - domain portion of the mail sender is a local host. This - should only be used if absolutely necessary as it opens - a window for spammers. Patch from Randall S. Winchester of - the University of Maryland. - CONFIG: new FEATURE(blacklist_recipients) turns on the ability to - block incoming mail destined for certain recipient - usernames, hostnames, or addresses. - CONFIG: By default, MAIL FROM: commands in the SMTP session will be - refused if the host part of the argument to MAIL FROM: cannot - be located in the host name service (e.g., DNS). - CONFIG: new FEATURE(accept_unresolvable_domains) accepts - unresolvable hostnames in MAIL FROM: SMTP commands. - CONFIG: new FEATURE(accept_unqualified_senders) accepts - MAIL FROM: senders which do not include a domain. - CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the - Realtime Blackhole List. You can specify the RBL name - server to contact by specifying it as an optional argument. - The default is rbl.maps.vix.com. For details, see - http://maps.vix.com/rbl/. - CONFIG: Call Local_check_relay, Local_check_mail, and - Local_check_rcpt from check_relay, check_mail, and - check_rcpt. Users with local rulesets should place the - rules using LOCAL_RULESETS. If a Local_check_* ruleset - returns $#OK, the message is accepted. If the ruleset - returns a mailer, the appropriate action is taken, else - the return of the ruleset is ignored. - CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by - default to support file, :include:, and program deliveries. - CONFIG: Remove the default for confDEF_USER_ID so the binary can - pick the proper default value. See the SECURITY note - above for more information. - CONFIG: FEATURE(nodns) now warns the user that the feature is a - no-op. Patch from Kari Hurtta of the Finnish - Meteorological Institute. - CONFIG: OSTYPE(osf1) now sets DefaultUserID (confDEF_USER_ID) to - daemon since DEC's /bin/mail will drop the envelope - sender if run as mailnull. See the Digital UNIX section - of src/README for more information. Problem noted by - Kari Hurtta of the Finnish Meteorological Institute. - CONFIG: .cf files are now stored in the same directory with the - .mc files instead of in the obj directory. - CONFIG: New options confSINGLE_LINE_FROM_HEADER, - confALLOW_BOGUS_HELO, and confMUST_QUOTE_CHARS for - setting SingleLineFromHeader, AllowBogusHELO, and - MustQuoteChars respectively. - MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout. This - SMTP-like protocol allows detailed reporting of delivery - status on a per-user basis. Code donated by John Myers of - CMU (now of Netscape). - MAIL.LOCAL: HP-UX support from Randall S. Winchester of the - University of Maryland. NOTE: mail.local is not - compatible with the stock HP-UX mail format. Be sure to - read mail.local/README. - MAIL.LOCAL: Prevent other mail delivery agents from stealing a - mailbox lock. Patch from Randall S. Winchester of the - University of Maryland. - MAIL.LOCAL: glibc portability from John Kennedy of Cal State - University, Chico. - MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish - Meteorological Institute. - MAILSTATS: Display the number of rejected and discarded messages - in the StatusFile. Patch from Randall Winchester of the - University of Maryland. - MAKEMAP: New -s flag to ignore safety checks on database map files - such as linked files in world writable directories. - MAKEMAP: Add support for Berkeley DB 2.X. Remove OLD_NEWDB support. - PRALIASES: Add support for Berkeley DB 2.X. - PRALIASES: Do not automatically include NDBM support. Problem - noted by Ralf Hildebrandt of the Technical University of - Braunschweig. - RMAIL: Improve portability for other platforms. Patches from - Randall S. Winchester of the University of Maryland and - Kari Hurtta of the Finnish Meteorological Institute. - Changed Files: - src/Makefiles/Makefile.* files have been modified to use - the new build mechanism and are now BuildTools/OS/*. - src/makesendmail changed to symbolic link to src/Build. - New Files: - BuildTools/M4/header.m4 - BuildTools/M4/depend/BSD.m4 - BuildTools/M4/depend/CC-M.m4 - BuildTools/M4/depend/NCR.m4 - BuildTools/M4/depend/Solaris.m4 - BuildTools/M4/depend/X11.m4 - BuildTools/M4/depend/generic.m4 - BuildTools/OS/AIX.4.2 - BuildTools/OS/AIX.4.x - BuildTools/OS/CRAYT3E.2.0.x - BuildTools/OS/HP-UX.11.x - BuildTools/OS/IRIX.6.5 - BuildTools/OS/NEXTSTEP.4.x - BuildTools/OS/NeXT.4.x - BuildTools/OS/NetBSD.8.3 - BuildTools/OS/QNX - BuildTools/OS/SunOS.5.7 - BuildTools/OS/dcosx.1.x.NILE - BuildTools/README - BuildTools/Site/README - BuildTools/bin/Build - BuildTools/bin/configure.sh - BuildTools/bin/find_m4.sh - BuildTools/bin/install.sh - Makefile - cf/cf/Build - cf/cf/generic-hpux10.cf - cf/feature/accept_unqualified_senders.m4 - cf/feature/accept_unresolvable_domains.m4 - cf/feature/access_db.m4 - cf/feature/blacklist_recipients.m4 - cf/feature/loose_relay_check.m4 - cf/feature/local_lmtp.m4 - cf/feature/promiscuous_relay.m4 - cf/feature/rbl.m4 - cf/feature/relay_based_on_MX.m4 - cf/feature/relay_entire_domain.m4 - cf/feature/relay_hosts_only.m4 - cf/feature/relay_local_from.m4 - cf/ostype/qnx.m4 - contrib/doublebounce.pl - mail.local/Build - mail.local/Makefile.m4 - mail.local/README - mailstats/Build - mailstats/Makefile.m4 - makemap/Build - makemap/Makefile.m4 - praliases/Build - praliases/Makefile.m4 - rmail/Build - rmail/Makefile.m4 - rmail/rmail.0 - smrsh/Build - smrsh/Makefile.m4 - src/Build - src/Makefile.m4 - src/snprintf.c - Deleted Files: - cf/cf/Makefile (replaced by Makefile.dist) - mail.local/Makefile - mail.local/Makefile.dist - mailstats/Makefile - mailstats/Makefile.dist - makemap/Makefile - makemap/Makefile.dist - praliases/Makefile - praliases/Makefile.dist - rmail/Makefile - smrsh/Makefile - smrsh/Makefile.dist - src/Makefile - src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2) - src/Makefiles/Makefile.SMP_DC.OSx.NILE - (renamed BuildTools/OS/dcosx.1.x.NILE) - src/Makefiles/Makefile.Utah (obsolete platform) - Renamed Files: - READ_ME => README - cf/cf/Makefile.dist => Makefile - cf/cf/obj/* => cf/cf/* - src/READ_ME => src/README - -8.8.8/8.8.8 97/10/24 - If the check_relay ruleset failed, the relay= field was logged - incorrectly. Problem noted by Kari Hurtta of the Finnish - Meteorological Institute. - If /usr/tmp/dead.letter already existed, sendmail could not - add additional bounces to it. Problem noted by Thomas J. - Arseneault of SRI International. - If an SMTP mailer used a non-standard port number for the outgoing - connection, it would be displayed incorrectly in verbose mode. - Problem noted by John Kennedy of Cal State University, Chico. - Log the ETRN parameter specified by the client before altering them - to internal form. Suggested by Bob Kupiec of GES-Verio. - EXPN and VRFY SMTP commands on malformed addresses were logging as - User unknown with bogus delay= values. Change them to log - the same as compliant addresses. Problem noted by Kari E. - Hurtta of the Finnish Meteorological Institute. - Ignore the debug resolver option unless using sendmail debug trace - option for resolver. Problem noted by Greg Nichols of Wind - River Systems. - If SingleThreadDelivery was enabled and the remote server returned a - protocol error on the DATA command, the connection would be - closed but the persistent host status file would not be - unlocked so other sendmail processes could not deliver to - that host. Problem noted by Peter Wemm of DIALix. - If queueing up a message due to an expensive mailer, don't increment - the number of delivery attempts or set the last delivery - attempt time so the message will be delivered on the next - queue run regardless of MinQueueAge. Problem noted by - Brian J. Coan of the Institute for Global Communications. - Authentication warnings of "Processed from queue _directory_" and - "Processed by _username_ with -C _filename_" would be logged - with the incorrect timestamp. Problem noted by Kari E. Hurtta - of the Finnish Meteorological Institute. - Use a better heuristic for detecting GDBM. - Log null connections on dropped connections. Problem noted by - Jon Lewis of Florida Digital Turnpike. - If class dbm maps are rebuilt, sendmail will now detect this and - reopen the map. Previously, they could give stale - results during a single message processing (but would - recover when the next message was received). Fix from - Joe Pruett of Q7 Enterprises. - Do not log failures such as "User unknown" on -bv or SMTP VRFY - requests. Problem noted by Kari E. Hurtta of the - Finnish Meteorological Institute. - Do not send a bounce message back to the sender regarding bad - recipients if the SMTP connection is dropped before the - message is accepted. Problem noted by Kari E. Hurtta of the - Finnish Meteorological Institute. - Use "localhost" instead of "[UNIX: localhost]" when connecting to - sendmail via a UNIX pipe. This will allow rulesets using - $&{client_name} to process without sending the string through - dequote. Problem noted by Alan Barrett of Internet Africa. - A combination of deferred delivery mode, a double bounce situation, - and the inability to save a bounce message to - /var/tmp/dead.letter would cause sendmail to send a bounce - to postmaster but not remove the offending envelope from the - queue causing it to create a new bounce message each time the - queue was run. Problem noted by Brad Doctor of Net Daemons - Associates. - Remove newlines from hostname information returned via DNS. There are - no known security implications of newlines in hostnames as - sendmail filters newlines in all vital areas; however, this - could cause confusing error messages. - Starting with sendmail 8.8.6, mail sent with the '-t' option would be - rejected if any of the specified addresses were bad. This - behavior was modified to only reject the bad addresses and not - the entire message. Problem noted by Jozsef Hollosi of - SuperNet, Inc. - Use Timeout.fileopen when delivering mail to a file. Suggested by - Bryan Costales of InfoBeat, Inc. - Display the proper Final-Recipient on DSN messages for non-SMTP - mailers. Problem noted by Kari E. Hurtta of the - Finnish Meteorological Institute. - An error in calculating the available space in the list of addresses - for logging deliveries could cause an address to be silently - dropped. - Include the initial user environment if sendmail is restarted via - a HUP signal. This will give room for the process title. - Problem noted by Jon Lewis of Florida Digital Turnpike. - Mail could be delivered without a body if the machine does not - support flock locking and runs out of processes during - delivery. Fix from Chuck Lever of the University of Michigan. - Drop recipient address from 251 and 551 SMTP responses per RFC 821. - Problem noted by Kari E. Hurtta of the Finnish Meteorological - Institute. - Make sure non-rebuildable database maps are opened before the - rebuildable maps (i.e. alias files) in case the database maps - are needed for verifying the left hand side of the aliases. - Problem noted by Lloyd Parkes of Victoria University. - Make sure sender RFC822 source route addresses are alias expanded for - bounce messages. Problem noted by Juergen Georgi of - RUS University of Stuttgart. - Minor lint fixes. - Return a temporary error instead of a permanent error if an LDAP map - search returns an error. This will allow sequenced maps which - use other LDAP servers to be checked. Fix from Booker Bense - of Stanford University. - When automatically converting from quoted printable to 8bit text do - not pad bare linefeeds with a space. Problem noted by Theo - Nolte of the University of Technology Aachen, Germany. - Portability: - Non-standard C compilers may have had a problem compiling - conf.c due to a standard C external declaration of - setproctitle(). Problem noted by Ted Roberts of - Electronic Data Systems. - AUX: has a broken O_EXCL implementation. Reported by Jim - Jagielski of jaguNET Access Services. - BSD/OS: didn't compile if HASSETUSERCONTEXT was defined. - Digital UNIX: Digital UNIX (and possibly others) moves - loader environment variables into the loader memory - area. If one of these environment variables (such as - LD_LIBRARY_PATH) was the last environment variable, - an invalid memory address would be used by the process - title routine causing memory corruption. Problem - noted by Sam Hartman of Mesa Internet Systems. - GNU libc: uses an enum for _PC_CHOWN_RESTRICTED which caused - chownsafe() to always return 0 even if the OS does - not permit file giveaways. Problem noted by - Yasutaka Sumi of The University of Tokyo. - IRIX6: Syslog buffer size set to 512 bytes. Reported by - Gerald Rinske of Siemens Business Services VAS. - Linux: Pad process title with NULLs. Problem noted by - Jon Lewis of Florida Digital Turnpike. - SCO OpenServer 5.0: SIOCGIFCONF ioctl call returns an - incorrect value for the number of interfaces. - Problem noted by Chris Loelke of JetStream Internet - Services. - SINIX: Update for Makefile and syslog buffer size from Gerald - Rinske of Siemens Business Services VAS. - Solaris: Make sure HASGETUSERSHELL setting for SunOS is not - used on a Solaris machine. Problem noted by - Stephen Ma of Jtec Pty Limited. - CONFIG: SINIX: Update from Gerald Rinske of Siemens Business - Services VAS. - MAKEMAP: Use a better heuristic for detecting GDBM. - CONTRIB: expn.pl: Updated version from the author, David Muir Sharnoff. - OP.ME: Document the F=i mailer flag. Problem noted by Per Hedeland of - Ericsson. - -8.8.7/8.8.7 97/08/03 - If using Berkeley DB on systems without O_EXLOCK (open a file with - an exclusive lock already set -- i.e., almost all systems - except 4.4-BSD derived systems), the initial attempt at - rebuilding aliases file if the database didn't already - exist would fail. Patch from Raymund Will of LST Software - GmbH. - Bogus incoming SMTP commands would reset the SMTP conversation. - Problem noted by Fredrik Jönsson of the Royal Institute - of Technology, Stockholm. - Since TCP Wrappers includes setenv(), unsetenv(), and putenv(), - some environments could give "multiple definitions" for these - routines during compilation. If using TCP Wrappers, assume - that these routines are included as though they were in the - C library. Patch from Robert La Ferla. - When a NEWDB database map was rebuilt at the same time it was being - used by a queue run, the maps could be left locked for the - duration of the queue run, causing other processes to hang. - Problem noted by Kendall Libby of Shore.NET. - In some cases, NoRecipientAction=add-bcc was being ignored, so the - mail was passed on without any recipient header. This could - cause problems downstream. Problem noted by Xander Jansen - of SURFnet ExpertiseCentrum. - Give error when GDBM is used with sendmail. GDBM's locking and - linking of the .dir and .pag files interferes with sendmail's - locking and security checks. Problems noted by Fyodor - Yarochkin of the Kyrgyz Republic FreeNet. - Don't fsync qf files if SuperSafe option is not set. - Avoid extra calls to gethostbyname for addresses for which a - gethostbyaddr found no value. Also, ignore any returns - from gethostbyaddr that look like a dotted quad. - If PTR lookup fails when looking up an SMTP peer, don't tag it as - "may be forged", since at the network level we pretty much - have to assume that the information is good. - In some cases, errors during an SMTP session could leave files - open or locked. - Better handling of missing file descriptors (0, 1, 2) on startup. - Better handling of non-setuid binaries -- avoids certain obnoxious - errors during testing. - Errors in file locking of NEWDB maps had the incorrect file name - printed in the error message. - If the AllowBogusHELO option were set and an EHLO with a bad or - missing parameter were issued, the EHLO behaved like a HELO. - Load limiting never kicked in for incoming SMTP transactions if the - DeliveryMode=background and any recipient was an alias or - had a .forward file. From Nik Conwell of Boston University. - On some non-Posix systems, the decision of whether chown(2) permits - file giveaway was undefined. From Tetsu Ushijima of the - Tokyo Institute of Technology. - Fix race condition that could cause the body of a message to be - lost (so only the header was delivered). This only occurs - on systems that do not use flock(2), and only when a queue - runner runs during a critical section in another message - delivery. Based on a patch from Steve Schweinhart of - Results Computing. - If a qf file was found in a mail queue directory that had a problem - (wrong ownership, bad format, etc.) and the file name was - exactly MAXQFNAME bytes long, then instead of being tried - once, it would be tried on every queue run. Problem noted - by Bryan Costales of Mercury Mail. - If the system supports an st_gen field in the status structure, - include it when reporting that a file has changed after open. - This adds a new compile flag, HAS_ST_GEN (0/1 option). - This out to be checked as well as reported, since it is - theoretically possible for an attacker to remove a file after - it is opened and replace it with another file that has the - same i-number, but some filesystems (notably AFS) return - garbage in this field, and hence always look like the file - has changed. As a practical matter this is not a security - problem, since the files can be neither hard nor soft links, - and on no filesystem (that I am aware of) is it possible to - have two files on the same filesystem with the same i-number - simultaneously. - Delete the root Makefile from the distribution -- it is only for - use internally, and does not work at customer sites. - Fix botch that caused the second MAIL FROM: command in a single - transaction to clear the entire transaction. Problem - noted by John Kennedy of Cal State University, Chico. - Work properly on machines that have _PATH_VARTMP defined without - a trailing slash. (And a pox on vendors that decide to - ignore the established conventions!) Problem noted by - Gregory Neil Shapiro of WPI. - Internal changes to make it easier to add another protocol family - (intended for IPv6). Patches are from John Kennedy of - CSU Chico. - In certain cases, 7->8 bit MIME decoding of Base64 text could leave - an extra space at the beginning of some lines. Problem - noted by Charles Karney of Princeton University; fix based - on a patch from Christophe Wolfhugel. - Portability: - Allow _PATH_VENDOR_CF to be set in Makefile for consistency - with the _Sendmail_ book, 2nd edition. Note that - the book is actually wrong: _PATH_SENDMAILCF should - be used instead. - AIX 3.x: Include . Patch from Gene Rackow - of Argonne National Laboratory. - OpenBSD from from Paul DuBois of the University of Wisconsin. - RISC/os 4.0 from Paul DuBois of the University of Wisconsin. - SunOS: Include to fix warning from util.c. From - James Aldridge of EUnet Ltd. - Solaris: Change STDIR (location of status file) to /etc/mail - in Makefiles. - Linux, Dynix, UNICOS: Remove -DNDBM and -lgdbm from - Makefiles. Use NEWDB on Linux instead. - NCR MP-RAS 3.x with STREAMware TCP/IP: SIOCGIFNUM ioctl - exists but behaves differently than other OSes. - Add SIOCGIFNUM_IS_BROKEN compile flag to get - around the problem. Problem noted by Tom Moore of - NCR Corp. - HP-UX 9.x: fix compile warnings for old select API. Problem - noted by Tom Smith of Digital Equipment Corp. - UnixWare 2.x: compile warnings on offsetof macro. Problem - noted by Tom Good of the Community Access Information - Resource Network - SCO 4.2: compile problems caused by a change in the type of - the "length" parameters passed to accept, getpeername, - getsockname, and getsockopt. Adds new compile flags - SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Problem reported - by Tom Good of St. Vincent's North Richmond Community - Mental Health Center Residential Services. - AIX 4: Use size_t for SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. - Suggested by Brett Hogden of Rochester Gas & Electric - Corp. - Linux: avoid compile problem for versions of that - #define both setjmp and longjmp. Problem pointed out - by J.R. Oldroyd of TerraNet. - CONFIG: SCO UnixWare 2.1: Support for OSTYPE(sco-uw-2.1) - from Christopher Durham of SCO. - CONFIG: NEXTSTEP: define confCW_FILE to - /etc/sendmail/sendmail.cw to match the usual - configuration. Patch from Dennis Glatting of - PlainTalk. - CONFIG: MAILER(fax) called a program that hasn't existed for a long - time. Convert to use the HylaFAX 4.0 conventions. Suggested - by Harry Styron. - CONFIG: Improve sample anti-spam rulesets in cf/cf/knecht.mc. These - are the rulesets in use on sendmail.org. - MAKEMAP: give error on GDBM files. - MAIL.LOCAL: Make error messages a bit more explicit, for example, - telling more details on what actually changed when "file - changed after open". - CONTRIB: etrn.pl: Ignore comments in Fw files. Support multiple Fw - files. - CONTRIB: passwd-to-alias.pl: Handle 8 bit characters and '-'. - NEW FILES: - src/Makefiles/Makefile.OpenBSD - src/Makefiles/Makefile.RISCos.4_0 - test/t_exclopen.c - cf/ostype/sco-uw-2.1.m4 - DELETED FILES: - Makefile - -8.8.6/8.8.6 97/06/14 - ************************************************************* - * The extensive assistance of Gregory Neil Shapiro of WPI * - * in preparing this release is gratefully appreciated. * - * Sun Microsystems has also provided resources toward * - * continued sendmail development. * - ************************************************************* - SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open - mode bits set to create a file that is a symbolic link that - points nowhere. This makes it possible to create a root - owned file in an arbitrary directory by inserting the symlink - into a writable directory after the initial lstat(2) check - determined that the file did not exist. The only verified - example of a system having these odd semantics for O_EXCL - and symbolic links was HP-UX prior to version 9.07. Most - systems do not have the problem, since a exclusive create - of a file disallows symbolic links. Systems that have been - verified to NOT have the problem include AIX 3.x, *BSD, - DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris, - and Ultrix. This is a potential exposure on systems that - have this bug and which do not have a MAILER-DAEMON alias - pointing at a legitimate account, since this will cause old - mail to be dropped in /var/tmp/dead.letter. - SECURITY: Problems can occur on poorly managed systems, specifically, - if maps or alias files are in world writable directories. - If your system has alias maps in writable directories, it - is potentially possible for an attacker to replace the .db - (or .dir and .pag) files by symbolic links pointing at - another database; this can be used either to expose - information (e.g., by pointing an alias file at /etc/spwd.db - and probing for accounts), or as a denial-of-service attack - (by trashing the password database). The fix disallows - symbolic links entirely when rebuilding alias files or on - maps that are in writable directories, and always warns on - writable directories; 8.9 will probably consider writable - directories to be fatal errors. This does not represent an - exposure on systems that have alias files in unwritable - system directories. - SECURITY: disallow .forward or :include: files that are links (hard - or soft) if the parent directory (or any directory in the - path) is writable by anyone other than the owner. This is - similar to the previous case for user files. This change - should not affect most systems, but is necessary to prevent - an attacker who can write the directory from pointing such - files at other files that are readable only by the owner. - SECURITY: Tighten safechown rules: many systems will say that they - have a safe (restricted to root) chown even on files that - are mounted from another system that allows owners to give - away files. The new rules are very strict, trusting file - ownership only in those few cases where the system has - been verified to be at least as paranoid as necessary. - However, it is possible to relax the rules to partially - trust the ownership if the directory path is not world or - group writable. This might allow someone who has a legitimate - :include: file (referenced directly from /etc/aliases) to - become another non-root user if the :include: file is in a - non-writable directory on an NFS-mounted filesystem where - the local system says that giveaway is denied but it is - actually permitted. I believe this to be a very small set - of cases. If in doubt, do not point :include: aliases at - NFS-mounted filesystems. - SECURITY: When setting a numeric group id using the RunAsUser option - (e.g., "O RunAsUser=10:20", the group id would not be set. - Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha - group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine. - The user id was still set properly. Problem noted by Uli - Pralle of the Technical University of Berlin. - Save the initial gid set for use when checking for if the - PrivacyOptions=restrictmailq option is set. Problem reported - by Wolfgang Ley of DFN-CERT. - Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a - failure on one message won't affect future messages to the - same host). - IP source route printing had an "off by one" error that would - affect any options that came after the route option. Patch - from Theo de Raadt. - The "Message is too large" error didn't successfully bounce the error - back to the sender. Problem reported by Stephen More of - PSI; patch from Gregory Neil Shapiro of WPI. - Change SMTP status code 553 to map into Extended code 5.1.0 (instead - of 5.1.3); it apparently gets used in multiple ways. - Suggested by John Myers of Portola Communications. - Fix possible extra null byte generated during collection if errors - occur at the beginning of the stream. Patch contributed by - Andrey A. Chernov and Gregory Neil Shapiro. - Code changes to avoid possible reentrant call of malloc/free within - a signal handler. Problem noted by John Beck of Sun - Microsystems. - Move map initialization to be earlier so that check_relay ruleset - will have the latest version of the map data. Problem noted - by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro. - If there are fatal errors during the collection phase (e.g., message - too large) don't send the bogus message. - Avoid "cannot open xfAAA00000" messages when sending to aliases that - have errors and have owner- aliases. Problem noted by Michael - Barber of MTU; fix from Gregory Neil Shapiro of WPI. - Avoid null pointer dereference on illegal Boundary= parameters in - multipart/mixed Content-Type: header. Problem noted by - Richard Muirden of RMIT University. - Always print error messages during newaliases (-bi) even if the - ErrorMode is not set to "print". Fix from Gregory Neil - Shapiro. - Test mode could core dump if you did a /map lookup in an optional map - that could not be opened. Based on a fix from John Beck of - Sun Microsystems. - If DNS is misconfigured so that the last MX record tried points to - a host that does not have an A record, but other MX records - pointed to something reasonable, don't bounce the message - with a "host unknown" error. Note that this should really - be fixed in the zone file for the domain. Problem noted by - Joe Rhett of Navigist, Inc. - If a map fails (e.g., DNS times out) on all recipient addresses, mark - the message as having been tried; otherwise the next queue - run will not realize that this is a second attempt and will - retry immediately. Problem noted by Bryan Costales of - Mercury Mail. - If the clock is set backwards, and a MinQueueAge is set, no jobs - will be run until the later setting of the clock is reached. - "Problem" (I use the term loosely) noted by Eric Hagberg of - Morgan Stanley. - If the load average rises above the cutoff threshold (above which - sendmail will not process the queue at all) during a queue - run, abort the queue run immediately. Problem noted by - Bryan Costales of Mercury Mail. - The variable queue processing algorithm (based on the message size, - number of recipients, message precedence, and job age) was - non-functional -- either the entire queue was processed or - none of the queue was processed. The updated algorithm - does no queue run if a single recipient zero size job will - not be run. - If there is a fatal ("panic") message that will cause sendmail to - die immediately, never hold the error message for future - printing. - Force ErrorMode=print in -bt mode so that all errors are printed - regardless of the setting of the ErrorMode option in the - configuration file. Patch from Gregory Neil Shapiro. - New compile flag HASSTRERROR says that this OS has the strerror(3) - routine available in one of the libraries. Use it in conf.h. - The -m (match only) flag now works on host class maps. - If class hash or btree maps are rebuilt, sendmail will now detect - this and reopen the map. Previously, they could give - erroneous results during a single message processing - (but would recover when the next message was received). - Don't delete zero length queue files when doing queue runs until the - files are at least ten minutes old. This avoids a potential - race condition: the creator creates the qf file, getting back - a file descriptor. The queue runner locks it and deletes it - because it is zero length. The creator then writes the - descriptor that is now for a disconnected file, and the - job goes away. Based on a suggestion by Bryan Costales. - When determining the "validated" host name ($_ macro), do a forward - (A) DNS lookup on the result of the PTR lookup and compare - results. If they differ or if the PTR lookup fails, tag the - address as "may be forged". - Log null connections (i.e., hosts that connect but do not do any - substantive activity on the connection before disconnecting; - "substantive" is defined to be MAIL, EXPN, VRFY, or ETRN. - Always permit "writes" to /dev/null regardless of the link count. - This is safe because /dev/null is special cased, and no open - or write is ever actually attempted. Patch from Villy Kruse - of TwinCom. - If a message cannot be sent because of a 552 (exceeded storage - allocation) response to the MAIL FROM:<>, and a SIZE= parameter - was given, don't return the body in the bounce, since there - is a very good chance that the message will double-bounce. - Fix possible line truncation if a quoted-printable had an =00 escape - in the body. Problem noted by Charles Karney of the Princeton - Plasma Physics Laboratory. - Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses. - Problem noted by Kari Hurtta of the Finnish Meteorological - Institute. - The MaxDaemonChildren option wasn't applying to queue runs as - documented. Note that this increases the potential denial - of service problems with this option: an attacker can - connect many times, and thereby lock out queue runs as well - as incoming connections. If you use this option, you should - run the "sendmail -bd" and "sendmail -q30m" jobs separately - to avoid this attack. Failure to limit noted by Matthew - Dillon of BEST Internet Communications. - Always give a message in newaliases if alias files cannot be - opened instead of failing silently. Suggested by Gregory - Neil Shapiro. This change makes the code match the O'Reilly - book (2nd edition). - Some older versions of the resolver could return with h_errno == -1 - if no name server could be reached, causing mail to bounce - instead of queueing. Treat this like TRY_AGAIN. Fix from - John Beck of SunSoft. - If a :include: file is owned by a user that does not have an entry - in the passwd file, sendmail could dereference a null pointer. - Problem noted by Satish Mynam of Sun Microsystems. - Take precautions to make sure that the SMTP protocol cannot get out - of sync if (for example) an alias file cannot be opened. - Fix a possible race condition that can cause a SIGALRM to come in - immediately after a SIGHUP, causing the new sendmail to die. - Avoid possible hang on SVr3 systems when doing child reaping. Patch - from Villy Kruse of TwinCom. - Ignore improperly formatted SMTP reply codes. Previously these were - partially processed, which could cause confusing error - returns. - Fix possible bogus pointer dereference when doing ldapx map lookups - on some architectures. - Portability: - A/UX: from Jim Jagielski of NASA/GSFC. - glibc: SOCK_STREAM was changed from a #define to an enum, - thus breaking #ifdef SOCK_STREAM. Only option seems - to be to assume SOCK_STREAM if __GNU_LIBRARY__ is - defined. Problem reported by A Sun of the University - of Washington. - Solaris: use SIOCGIFNUM to get the number of interfaces on - the system rather than guessing at compile time. - Patch contributed by John Beck of Sun Microsystems. - Intel Paragon: from Wendy Lin of Purdue University. - GNU Hurd: from Miles Bader of the GNU project. - RISC/os 4.50 from Harlan Stenn of PFCS Corporation. - ISC Unix: wait never returns if SIGCLD signals are blocked. - Unfortunately releasing them opens a race condition, - but there appears to be no fix for this. Patch from - Gregory Neil Shapiro. - BIND 8.1 for IPv6 compatibility from John Kennedy. - Solaris: a bug in strcasecmp caused characters with the - high order bit set to apparently randomly match - letters -- for example, $| (0233) matches "i" and "I". - Problem noted by John Gregson of the University of - Cambridge. - IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From - Kari Hurtta. - IRIX 6.x: Create Makefiles for systems that claim to be - IRIX64 but are 6.2 or higher (so use the regular - IRIX Makefile). - IRIX 6.x: Fix load average computation on 64 bit kernels. - Problem noted by Eric Hagberg of Morgan Stanley. - CONFIG: Some canonification was still done for UUCP-like addresses - even if FEATURE(nocanonify) was set. Problem pointed out by - Brian Candler. - CONFIG: In some cases UUCP mailers wouldn't properly recognize all - local names as local. Problem noted by Jeff Polk of BSDI; - fix provided by Gregory Neil Shapiro. - CONFIG: The "local:user" syntax entries in mailertables and other - "mailer:user" syntax locations returned an incorrect value - for the $h macro. Problem noted by Gregory Neil Shapiro. - CONFIG: Retain "+detail" information when forwarding mail to a - MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip - Guenther of Gustavus Adolphus College. - CONFIG: Make sure user+detail works for FEATURE(virtusertable); - rules are the same as for aliasing. Based on a patch from - Gregory Neil Shapiro. - CONFIG: Break up parsing rules into several pieces; this should - have no functional change in this release, but makes it - possible to have better anti-spam rulesets in the future. - CONFIG: Disallow double dots in host names to avoid having the - HostStatusDirectory store status under the wrong name. - In some cases this can be used as a denial-of-service attack. - Problem noted by Ron Jarrell of Virginia Tech, patch from - Gregory Neil Shapiro. - CONFIG: Don't use F=m (multiple recipients per invocation) for - MAILER(procmail), but do pass F=Pn9 (include Return-Path:, - don't include From_, and convert to 8-bit). Suggestions - from Kimmo Suominen and Roderick Schertler. - CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) where - being masqueraded as though FEATURE(masquerade_entire_domain) - was specified, even when it wasn't. - MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft. - MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't - "slip in" a symbolic link between the lstat(2) call and the - exclusive open. This is only a problem on System V derived - systems that allow an exclusive create on files that are - symbolic links pointing nowhere. - MAIL.LOCAL: If the final mailbox close() failed, the user id was - not reset back to root, which on some systems would cause - later mailboxes to fail. Also, any partial message would - not be truncated, which could result in repeated deliveries. - Problem noted by Bruce Evans via Peter Wemm (FreeBSD - developers). - MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar - change to the sendmail map code was made in 8.8.3. Problem - noted by Gregory Neil Shapiro. - MAKEMAP: Give warnings on file problems such as map files that are - symbolic links; although makemap is not setuid root, it is - often run as root and hence has the potential for the same - sorts of problems as alias rebuilds. - MAKEMAP: Change compilation so that it will link properly on - NEXTSTEP. - CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf. - Accept an optional list of arguments following the server - name for the ETRN arguments to use (instead of $=w). Other - miscellaneous bug fixes. From Christian von Roques via - John Beck of Sun Microsystems. - CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta. This - Perl script converts GECOS information in the /etc/passwd - file into aliases, allowing for faster access to full name - lookups; it is also clever about adding aliases (to root) - for system accounts. - NEW FILES: - src/safefile.c - cf/ostype/gnuhurd.m4 - cf/ostype/irix6.m4 - contrib/passwd-to-alias.pl - src/Makefiles/Makefile.IRIX64.6.1 - src/Makefiles/Makefile.IRIX64.6.x - RENAMED FILES: - src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x - src/Makefiles/Makefile.IRIX64 => Makefile.IRIX64.6.0 - -8.8.5/8.8.5 97/01/21 - SECURITY: Clear out group list during startup. Without this, sendmail - will continue to run with the group permissions of the caller, - even if RunAsUser is specified. - SECURITY: Make purgestat (-bH) be root-only. This is not in response - to any known attack, but it's best to be conservative. - Suggested by Peter Wemm of DIALix. - SECURITY: Fix buffer overrun problem in MIME code that has possible - security implications. Patch from Alex Garthwaite of the - University of Pennsylvania. - Use of a -f flag with a phrase attached (e.g., "-f 'Full Name '") - would truncate the address after "Full". Although the -f - syntax is incorrect (since it is in the envelope, it - shouldn't have comments and full names), the failure mode - was unnecessarily awful. - Fix a possible null pointer dereference when converting 8-bit data - to a 7-bit format. Problem noted by Jim Hutchins of - Sandia National Labs and David James of British Telecom. - Clear out stale state that affected F=9 on SMTP mailers in queue - runs. Although this really shouldn't be used (F=9 is for - final delivery only, and using it on an SMTP mailer makes - it possible for a message to be converted from 8->7->8->7 - bits several times), it shouldn't have failed with a syserr. - Problem noted by Eric Hagberg of Morgan Stanley. - _Really_ fix the multiple :maildrop code in the user database - module. Patch from Roy Mongiovi of Georgia Tech. - Let F lines in the configuration file actually read root-only - files if the configuration file is safe. Based on a - patch from Keith Reynolds of SCO. - ETRN followed by QUIT would hold the connection open until the queue - run completed. Problem noted by Truck Lewis of TDK - Semiconductor Corp. - It turns out that despite the documentation, the TCP wrappers library - does _not_ log rejected connections. Do the logging ourselves. - Problem noted by Fletcher Mattox of the University of Texas - at Austin. - If sendmail finds a qf file in its queue directory that is an unknown - version (e.g., when backing out to an old version), the - error is reported on every queue run. Change it to only - give the error once (and rename the qf => Qf). Patch from - William A. Gianopoulos of Raytheon Company. - Start a new session when doing background delivery; currently it - ignored signals but didn't start a new signal, that caused - some problems if a background process tried to send mail - under certain circumstances. Problem noted by Eric Hagberg - of Morgan Stanley; fix from Kari Hurtta. - Simplify test for skipping a queue run to just check if the current - load average is >= the queueing load average. Previously - the check factored in some other parameters that caused it - to essentially never skip the queue run. Patch from Bryan - Costales. - If the SMTP server is running in "nullserver" mode (that is, it is - rejecting all commands), start sleeping after MAXBADCOMMAND - (25) commands; this helps prevent a bad guy from putting - you into a tight loop as a denial-of-service attack. Based - on an e-mail conversation with Brad Knowles of AOL. - Slow down when too many "light weight" commands have been issued; - this helps prevent a class of denial-of-service attacks. - The current values and defaults are: - MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR - MAXHELOCOMMANDS 3 HELO, EHLO - MAXVRFYCOMMANDS 6 VRFY, EXPN - MAXETRNCOMMANDS 8 ETRN - These will probably be configurable in a future release. - On systems that have uid_t typedefed to be an unsigned short, programs - that had the F=S flag and no U= equate would be invoked with - the real uid set to 65535 rather than being left unchanged. - In some cases, NOTIFY=NEVER was not being honored. Problem noted - by Steve Hubert of the University of Washington, Seattle. - Mail that was Quoted-Printable encoded and had a soft line break on - the last line (i.e., an incomplete continuation) had the last - line dropped. Since this appears to be illegal it isn't - clear what to do with it, but flushing the last line seems - to be a better "fail soft" approach. Based on a patch from - Eric Hagberg. - If AllowBogusHELO and PrivacyOptions=needmailhelo are both set, a - bogus HELO command still causes the "Polite people say HELO - first" error message. Problem pointed out by Chris Thomas - of UCLA; patch from John Beck of SunSoft. - Handle "sendmail -bp -qSfoobar" properly if restrictqrun is set - in PrivacyOptions. The -q shouldn't turn this command off. - Problem noted by Murray Kucherawy of Pacific Bell Internet; - based on a patch from Gregory Neil Shapiro of WPI. - Don't consider SMTP reply codes 452 or 552 (exceeded storage allocation) - in a DATA transaction to be sticky; these can occur because - a message is too large, and smaller messages should still go - through. Problem noted by Matt Dillon of Best Internet - Communications. - In some cases bounces were saved in /var/tmp/dead.letter even if they - had been successfully delivered to the envelope sender. - Problem noted Eric Hagberg of Morgan Stanley; solution from - Gregory Neil Shapiro of WPI. - Give better diagnostics on long alias lines. Based on code contributed - by Patrick Gosling of the University of Cambridge. - Increase the number of virtual interfaces that will be probed for - alternate names. Problem noted by Amy Rich of Shore.Net. - PORTABILITY: - UXP/DS V20L10 for Fujitsu DS/90: Makefile patches from - Toshiaki Nomura of Fujitsu Limited. - SunOS with LDAP support: compile problems with struct timeval. - Patch from Nick Cuccia of TCSI Corporation. - SCO: from Keith Reynolds of SCO. - Solaris: kstat load average computation wasn't being used. - Fixes from Michael Ju. Tokarev of Telecom Service, JSC - (Moscow). - OpenBSD: from Jason Downs of teeny.org. - Altos System V: from Tim Rice. - Solaris 2.5: from Alan Perry of SunSoft. - Solaris 2.6: from John Beck of SunSoft. - Harris Nighthawk PowerUX (mh6000 box): from Bob Miorelli - of Pratt & Whitney . - CONFIG: It seems that I hadn't gotten the Received: line syntax - _just_right_ yet. Tweak it again. I'll omit the names - of the "contributors" (quantity two) in this one case. - As of now, NO MORE DISCUSSION about the syntax of the - Received: line. - CONFIG: Although FEATURE(nullclient) uses EXPOSED_USER (class $=E), - it never inserts that class into the output file. Fix it - so it will honor EXPOSED_USER but will _not_ include root - automatically in this class. Problem noted by Ronan KERYELL - of Centre de Recherche en Informatique de l'École Nationale - Supérieure des Mines de Paris (CRI-ENSMP). - CONFIG: Clean up handling of "local:" syntax in relay specifications - such as LUSER_RELAY. This change permits the following - syntaxes: ``local:'' will send to the same user on the - local machine (e.g., in a mailertable entry for "host", - ``local:'' will cause an address addressed to user@host to - go to user on the local machone). ``local:user'' will send - to the named user on the local machine. ``local:user@host'' - is equivalent to ``local:user'' (the host is ignored). In - all cases, the original user@host is passed in $@ (i.e., the - detail information). Inspired by a report from Michael Fuhr. - CONFIG: Strip quotes from the first word of an "error:" host - indication. This lets you set (for example) the LUSER_RELAY - to be ``error:\"5.1.1\" Your Message Here''. Note the use - of the \" so that the resulting string is properly quoted. - Problem noted by Gregory Neil Shapiro of WPI. - OP.ME: documentation was inconsistent about whether sendmail did a - NOOP or a RSET to probe the connection (it does a RSET). - Inconsistency noted by Deeran Peethamparam. - OP.ME: insert additional blank pages so it will print properly on - a duplex printer. From Matthew Black of Cal State University, - Long Beach. - -8.8.4/8.8.4 96/12/02 - SECURITY: under some circumstances, an attacker could get additional - permissions by hard linking to files that were group - writable by the attacker. The solution is to disallow any - files that have hard links -- this will affect .forward, - :include:, and output files. Problem noted by Terry - Kyriacopoulos of Interlog Internet Services. As a - workaround, set UnsafeGroupWrites -- always a good idea. - SECURITY: the TryNullMXList (w) option should not be safe -- if it - is, it is possible to do a denial-of-service attack on - MX hosts that rely on the use of the null MX list. There - is no danger if you have this option turned off (the default). - Problem noted by Dan Bernstein. Also, make the DontInitGroups - unsafe. I know of no specific attack against this, although - a denial-of-service attack is probably possible, but in theory - you should not be able to safely tweak anything that affects - the permissions that are used when mail is delivered. - Purgestat could go into an infinite loop if one of the host status - directories somehow became empty. Problem noted by Roy - Mongiovi of Georgia Tech. - Processes got "lost" when counting children due to a race condition. - This caused "proc_list_probe: lost pid" messages to be logged. - Problem noted by several people. - On systems with System V SIGCLD child signal semantics (notably AIX - and HP-UX), mail transactions would print the message "451 - SMTP-MAIL: lost child: No child processes". Problem noted - by several people. - Miscellaneous compiler warnings on picky compilers (or when setting - gcc to high warning levels). From Tom Moore of NCR Corp. - SMTP protocol errors, and most errors on MAIL FROM: lines should - not be persistent between runs, since they are based on the - message rather than the host. Problem noted by Matt Dillon - of Best Internet Communications. - The F=7 flag was ignored on SMTP mailers. Problem noted by Tom Moore - of NCR (a.k.a., AT&T Global Information Solutions). - Avoid the possibility of having a child daemon run to completion - (including closing the SMTP socket) before the parent has - had a chance to close the socket; this can cause the parent - to hang for a long time waiting for the socket to drain. - Patch from Don Lewis of TDK Semiconductor. - If the fork() failed in a queue run, the queue runners would not be - rescheduled (so queue runs would stop). Patch from Don Lewis. - Some error conditions in ETRN could cause output without an SMTP - status code. Problem noted by Don Lewis. - Multiple :maildrop addresses in the user database didn't work properly. - Patch from Roy Mongiovi of Georgia Tech. - Add ".db" automatically onto any user database spec that does not - already have it; this is for consistency with makemap, the - K line, and the documentation. Inconsistency pointed out - by Roy Mongiovi. - Allow sendmail to be properly called in nohup mode. Patch from - Kyle Jones of UUNET. - Change ETRN to ignore but still update host status files; previously - it would ignore them and not save the updated status, which - caused stale information to be maintained. Based on a patch - from Christopher Davis of Kapor Enterprises Inc. Also, have - ETRN ignore the MinQueueAge option. - Patch long term host status to recover more gracefully from an empty - host status file condition. Patch from NAKAMURA Motonori - of Kyoto University. - Several patches to signal handling code to fix potential race - conditions from Don Lewis. - Make it possible to compile with -DDAEMON=0 (previously it had some - compile errors). This turns DAEMON, QUEUE, and SMTP into - 0/1 compilation flags. Note that DAEMON is an obsolete - compile flag; use NETINET instead. Solution based on a - patch from Bryan Costales. - PORTABILITY FIXES: - AIX4: getpwnam() and getpwuid() do a sequential scan of the - /etc/security/passwd file when called as root. This - is very slow on some systems. To speed it up, use the - (undocumented) _getpw{nam,uid}_shadow() routines. - Patch from Chris Thomas of UCLA/OAC Systems Group. - SCO 5.x: include -lprot in the Makefile. Patch from Bill - Glicker of Burrelle's Information Service. - NEWS-OS 4.x: need a definition for MODE_T to compile. Patch - from Makoto MATSUSHITA of Osaka University. - SunOS 4.0.3: compile problems. Patches from Andrew Cole of - Leeds University and SASABE Tetsuro of the University - of Tokyo. - DG/UX 5.4.4.11 from Brian J. Murrell of InterLinx Support - Services, Inc. - Domain/OS from Don (Truck) Lewis of TDK Semiconductor Corp. - I believe this to have only been a problem if you - compiled with -DUSE_VENDOR_CF_PATH -- another reason - to stick with /etc/sendmail.cf as your One True Path. - Digital UNIX (OSF/1 on Alpha) load average computation from - Martin Laubach of the Technischen Universität Wien. - CONFIG: change default Received: line to be multiple lines rather - than one long one. By popular demand. - MAIL.LOCAL: warnings weren't being logged on some systems. Patch - from Jerome Berkman of U.C. Berkeley. - MAKEMAP: be sure to zero hinfo to avoid cruft that can cause runs - to take a very long time. Problem noted by Yoshiro YONEYA - of NTT Software Corporation. - CONTRIB: add etrn.pl, contributed by John Beck. - NEW FILES: - contrib/etrn.pl - -8.8.3/8.8.3 96/11/17 - SECURITY: it was possible to get a root shell by lying to sendmail - about argv[0] and then sending it a signal. Problem noted - by Leshka Zakharoff on the - best-of-security list. - Log sendmail binary version number in "Warning: .cf version level - (%d) exceeds program functionality (%d) message" -- this - should make it clearer to people that they are running - the wrong binary. - Fix a problem that occurs when you open an SMTP connection and then - do one or more ETRN commands followed by a MAIL command; at - the end of the DATA phase sendmail would incorrectly report - "451 SMTP-MAIL: lost child: No child processes". Problem - noted by Eric Bishop of Virginia Tech. - When doing text-based host canonification (typically /etc/hosts - lookup), a null host name would match any /etc/hosts entry - with space at the end of the line. Problem noted by Steve - Hubert of the University of Washington, Seattle. - 7 to 8 bit BASE64 MIME conversions could duplicate bits of text. - Problem reported by Tom Smith of Digital Equipment Corp. - Increase the size of the DNS answer buffer -- the standard UDP packet - size PACKETSZ (512) is not sufficient for some nameserver - answers containing very many resource records. The resolver - may also switch to TCP and retry if it detects UDP packet - overflow. Also, allow for the fact that the resolver - routines res_query and res_search return the size of the - *un*truncated answer in case the supplied answer buffer it - not big enough to accommodate the entire answer. Patch from - Eric Wassenaar. - Improvements to MaxDaemonChildren code. If you think you have too - many children, probe the ones you have to verify that they - are still around. Suggested by Jared Mauch of CICnet, Inc. - Also, do this probe before growing the vector of children - pids; this previously caused the vector to grow indefinitely - due to a race condition. Problem reported by Kyle Jones of - UUNET. - On some architectures, (from the Berkeley DB library) defines - O_EXLOCK to zero; this fools the map compilation code into - thinking that it can avoid race conditions by locking on open. - Change it to check for O_EXLOCK non-zero. Problem noted by - Leif Erlingsson of Data Lege. - Always call res_init() on startup (if compiled in, of course) to - allow the sendmail.cf file to tweak resolver flags; without - it, flag tweaks in ResolverOptions are ignored. Patch from - Andrew Sun of Merrill Lynch. - Improvements to host status printing code. Suggested by Steve Hubert - of the University of Washington, Seattle. - Change MinQueueAge option processing to do the check for the job age - when reading the queue file, rather than at the end; this - avoids parsing the addresses, which can do DNS lookups. - Problem noted by John Beck of InReference, Inc. - When MIME was being 7->8 bit decoded, "From " lines weren't being - properly escaped. Problem noted by Peter Nilsson of the - University of Linkoping. - In some cases, sendmail would retain root permissions during queue - runs even if RunAsUser was set. Problem noted by Mark - Thomas of Mark G. Thomas Consulting. - If the F=l flag was set on an SMTP mailer to indicate that it is - actually local delivery, and NOTIFY=SUCCESS is specified in - the envelope, and the receiving SMTP server speaks DSN, then - the DSN would be both generated locally and propagated to the - other end. - The U= mailer field didn't correctly extract the group id if the - user id was numeric. Problem noted by Kenneth Herron of - MCI Telecommunications Communications. - If a message exceeded the fixed maximum size on input, the body of - the message was included in the bounce. Note that this did - not occur if it exceeded the maximum _output_ size. Problem - reported by Kyle Jones of UUNET. - PORTABILITY FIXES: - AIX4: 4.1 doesn't have a working setreuid(2); change the - AIX4 defines to use seteuid(2) instead, which - works on 4.1 as well as 4.2. Problem noted by - Håkan Lindholm of interAF, Sweden. - AIX4: use tzname[] vector to determine time zone name. - Patch from NAKAMURA Motonori of Kyoto University. - MkLinux: add Makefile.Linux.ppc and OSTYPE(mklinux) support. - Contributed by Paul DuBois . - Solaris: kstat(3k) support for retrieving the load average. - This adds the LA_KSTAT definition for LA_TYPE. - The outline of the implementation was contributed - by Michael Tokarev of Telecom Service, JSC, Moscow. - HP-UX 10.0 gripes about the (perfectly legal!) forward - declaration of struct rusage at the top of conf.h; - change it to only be included if you are using gcc, - which is apparently the only compiler that requires - it in the first place. Problem noted by Jeff - Earickson of Colby College. - IRIX: don't default to using gcc. IRIX is a civilized - operating system that comes with a decent compiler - by default. Problem noted by Barry Bouwsma and - Kari Hurtta. - CONFIG: specify F=9 as default in FEATURE(local_procmail) for - consistency with other local mailers. Inconsistency - pointed out by Teddy Hogeborn . - CONFIG: if the "limited best mx" feature is used (to reduce DNS - overhead) as part of the bestmx_is_local feature, the - domain part was dropped from the name. Patch from Steve - Hubert of the University of Washington, Seattle. - CONFIG: catch addresses of the form "user@.dom.ain"; these could - end up being translated to the null host name, which would - return any entry in /etc/hosts that had a space at the end - of the line. Problem noted by Steve Hubert of the - University of Washington, Seattle. - CONFIG: add OSTYPE(aix4). From Michael Sofka of Rensselaer - Polytechnic Institute. - MAKEMAP: tweak hash and btree parameters for better performance. - Patch from Matt Dillon of Best Internet Communications. - NEW FILES: - src/Makefiles/Makefile.Linux.ppc - cf/ostype/aix4.m4 - cf/ostype/mklinux.m4 - -8.8.2/8.8.2 96/10/18 - SECURITY: fix a botch in the 7-bit MIME patch; the previous patch - changed the code but didn't fix the problem. - PORTABILITY FIXES: - Solaris: Don't use the system getusershell(3); it can - apparently corrupt the heap in some circumstances. - Problem found by Ken Pizzini of Spry, Inc. - OP.ME: document several mailer flags that were accidentally omitted - from this document. These flags were F=d, F=j, F=R, and F=9. - CONFIG: no changes. - -8.8.1/8.8.1 96/10/17 - SECURITY: unset all environment variables that the resolver will - examine during queue runs and daemon mode. Problem noted - by Dan Bernstein of the University of Illinois at Chicago. - SECURITY: in some cases an illegal 7-bit MIME-encoded text/plain - message could overflow a buffer if it was converted back - to 8 bits. This caused core dumps and has the potential - for a remote attack. Problem first noted by Gregory Shapiro - of WPI. - Avoid duplicate deliveries of error messages on systems that don't - have flock(2) support. Patch from Motonori Nakamura of - Kyoto University. - Ignore null FallBackMX (V) options. If this option is null (as - opposed to undefined) it can cause "null signature" syserrs - on illegal host names. - If a Base64 encoded text/plain message has no trailing newline in - the encoded text, conversion back to 8 bits will drop the - final line. Problem noted by Pierre David. - If running with a RunAsUser, sendmail would give bogus "cannot - setuid" (or seteuid, or setreuid) messages on some systems. - Problem pointed out by Jordan Mendelson of Web Services, Inc. - Always print error messages in -bv mode -- previously, -bv would - be absolutely silent on errors if the error mode was sent - to (say) mail-back. Problem noted by Kyle Jones of UUNET. - If -qI/R/S is set (or the ETRN command is used), ignore all long - term host status. This is necessary because it is common - to do this when you know a host has just come back up. - Disallow duplicate HELO/EHLO commands as required by RFC 1651 section - 4.2. Excessive permissiveness noted by Lee Flight of the - University of Leicester. - If a service (such as NIS) is specified as the last entry in the - service switch, but that service is not compiled in, sendmail - would return a temporary failure when an entry was not found - in the map. This caused the message to be queued instead of - bouncing immediately. Problem noted by Harry Edmon of the - University of Washington. - PORTABILITY FIXES: - Solaris 2.3 had compilation problems in conf.c. Several - people pointed this out. - NetBSD from Charles Hannum of MIT. - AIX4 improvements based on info from Steve Bauer of South - Dakota School of Mines & Technology. - CONFIG: ``error:code message'' syntax was broken in virtusertable. - Patch from Gil Kloepfer Jr. - CONFIG: if FEATURE(nocanonify) was specified, hosts in $=M (set - using MASQUERADE_DOMAIN) were not masqueraded unless they - were also in $=w. Problem noted by Zoltan Basti of - Softec. - MAIL.LOCAL: patches to compile and link cleanly on AIX. Based - on a patch from Eric Hagberg of Morgan Stanley. - MAIL.LOCAL: patches to compile on NEXTSTEP. From Patrick Nolan - of Stanford via Robert La Ferla. - -8.8.0/8.8.0 96/09/26 - Under some circumstances, Bcc: headers would not be properly - deleted. Pointed out by Jonathan Kamens of OpenVision. - Log a warning if the sendmail daemon is invoked without a full - pathname, which prevents "kill -1" from working. I was - urged to put this in by Andrey A. Chernov of DEMOS (Russia). - Fix small buffer overflow. Since the data in this buffer was not - read externally, there was no security problem (and in fact - probably wouldn't really overflow on most compilers). Pointed - out by KIZU takashi of Osaka University. - Fix problem causing domain literals such as [1.2.3.4] to be ignored - if a FallbackMXHost was specified in the configuration file - -- all mail would be sent to the fallback even if the original - host was accessible. Pointed out by Munenari Hirayama of - NSC (Japan). - A message that didn't terminate with a newline would (sometimes) not - have the trailing "." added properly in the SMTP dialogue, - causing SMTP to hang. Patch from Per Hedeland of Ericsson. - The DaemonPortOptions suboption to bind to a particular address was - incorrect and nonfunctional due to a misunderstanding of the - semantics of binding on a passive socket. Patch from - NIIBE Yutaka of Mitsubishi Research Institute. - Increase the number of MX hosts for a single name to 100 to better - handle the truly huge service providers such as AOL, which - has 13 at the moment (and climbing). In order to avoid - trashing memory, the buffer for all names has only been - slightly increased in size, to 12.8K from 10.2K -- this means - that if a single name had 100 MX records, the average size - of those records could not exceed 128 bytes. Requested by - Brad Knowles of America On Line. - Restore use of IDENT returns where the OSTYPE field equals "OTHER". - Urged by Dan Bernstein of U.C. Berkeley. - Print q_statdate and q_specificity in address structure debugging - printout. - Expand MCI structure flag bits for debugging output. - Support IPv6-style domain literals, which can have colons between - square braces. - Log open file descriptors for the "cannot dup" messages in deliver(); - this is an attempt to track down a bug that one person seems - to be having (it may be a Solaris bug!). - DSN NOTIFY parameters were not properly propagated across queue runs; - this caused the NOTIFY info to sometimes be lost. Problem - pointed out by Claus Assmann of the - Christian-Albrechts-University of Kiel. - The statistics gathered in the sendmail.st file were too high; in - some cases failures (e.g., user unknown or temporary failure) - would count as a delivery as far as the statistics were - concerned. Problem noted by Tom Moore of AT&T GIS. - Systems that don't have flock() would not send split envelopes in - the initial run. Problem pointed out by Leonard Zubkoff of - Dandelion Digital. - Move buffer overflow checking -- these primarily involve distrusting - results that may come from NIS and DNS. - 4.4-BSD-derived systems, including FreeBSD, NetBSD, and BSD/OS didn't - include and hence had the wrong pathnames for a few - things like /var/tmp. Reported by Matthew Green. - Conditions were reversed for the Priority: header, resulting in all - values being interpreted as non-urgent except for non-urgent, - which was interpreted as normal. Patch from Bryan Costales. - The -o (optional) flag was being ignored on hash and btree maps - since 8.7.2. Fix from Bryan Costales. - Content-Types listed in class "q" will always be encoded as - Quoted-Printable (or more accurately, will never be encoded - as base64). The class can have primary types (e.g., "text") - or full types (e.g., "text/plain"). Based on a suggestion by - Marius Olafsson of the University of Iceland. - Define ${envid} to be the original envelope id (from the ESMTP DSN - dialogue) so it can be passed to programs in mailers. - Define ${bodytype} to be the body type (from the -B flag or the - BODY= ESMTP parameter) so it can be passed to programs in - mailers. - Cause the VRFY command to return 252 instead of 250 unless the F=q - flag is set in the mailer descriptor. Suggested by John - Myers of CMU. - Implement ESMTP ETRN command to flush the queue for a specific host. - The command takes a host name; data for that host is - immediately (and asynchronously) flushed. Because this shares - the -qR implementation, other hosts may be attempted, but - there should be no security implications. Implementation - from John Beck of InReference, Inc. See RFC 1985 for details. - Add three new command line flags to pass in DSN parameters: -V envid - (equivalent to ENVID=envid on the MAIL command), -R ret - (equivalent to RET=ret on the MAIL command), and -Nnotify - (equivalent to NOTIFY=notify on the RCPT command). Note - that the -N flag applies to all recipients; there is no way - to specify per-address notifications on the command line, - nor is there an equivalent for the ORCPT= per-address - parameter. - Restore LogLevel option to be safe (it can only be increased); - apparently I went into paranoid mode between 8.6 and 8.7 - and made it unsafe. Pointed out by Dabe Murphy of the - University of Maryland. - New logging on log level 15: all SMTP traffic. Patches from - Andrew Gross of San Diego Supercomputer Center. - NetInfo property value searching code wasn't stopping when it found - a match. This was causing the wrong values to be found (and - had a memory leak). Found by Bastian Schleuter of TU-Berlin. - Add new F=0 (zero) mailer flag to turn off MX lookups. It was pointed - out by Bill Wisner of Electronics for Imaging that you can't - use the bracket address form for the MAIL_HUB macro, since - that causes the brackets to remain in the envelope recipient - address used for delivery. The simple fix (stripping off the - brackets in the config file) breaks the use of IP literal - addresses. This flag will solve that problem. - Add MustQuoteChars option. This is a list of characters that must - be quoted if they are found in the phrase part of an address - (that is, the full name part). The characters @,;:\()[] are - always in this list and cannot be removed. The default is - this list plus . and ' to match RFC 822. - Add AllowBogusHELO option; if set, sendmail will allow HELO commands - that do not include a host name for back compatibility with - some stupid SMTP clients. Setting this violates RFC 1123 - section 5.2.5. - Add MaxDaemonChildren option; if this is set, sendmail will start - rejecting connections if it has more than this many - outstanding children accepting mail. Note that you may - see more processes than this because of outgoing mail; this - is for incoming connections only. - Add ConnectionRateThrottle option. If set to a positive value, the - number of incoming SMTP connections that will be permitted - in a single second is limited to this number. Connections are - not refused during this time, just deferred. The intent is to - flatten out demand so that load average limiting can kick in. - It is less radical than MaxDaemonChildren, which will stop - accepting connections even if all the connections are idle - (e.g., due to connection caching). - Add Timeout.hoststatus option. This interval (defaulting to 30m) - specifies how long cached information about the state of a - host will be kept before they are considered stale and the - host is retried. If you are using persistent host status - (i.e., the HostStatusDirectory option is set) this will apply - between runs; otherwise, it applies only within a single queue - run and hence is useful only for hosts that have large queues - that take a very long time to run. - Add SingleLineFromHeader option. If set, From: headers are coerced - into being a single line even if they had newlines in them - when read. This is to get around a botch in Lotus Notes. - Text class maps were totally broken -- if you ever retrieved the last - item in a table it would be truncated. Problem noted by - Gregory Neil Shapiro of WPI. - Extend the lines printed by the mailq command (== the -bp flag) when - -v is given to 120 characters; this allows more information - to be displayed. Suggested by Gregory Neil Shapiro of WPI. - Allow macro definitions (`D' lines) with unquoted commas; previously - this was treated as end-of-input. Problem noted by Bryan - Costales. - The RET= envelope parameter (used for DSNs) wasn't properly written - to the queue file. Fix from John Hughes of Atlantic - Technologies, Inc. - Close /var/tmp/dead.letter after a successful write -- otherwise - if this happens in a queue run it can cause nasty delays. - Problem noted by Mark Horton of AT&T. - If userdb entries pointed to userdb entries, and there were multiple - values for a given key, the database cursor would get - trashed by the recursive call. Problem noted by Roy Mongiovi - of Georgia Tech. Fixed by reading all the values and creating - a comma-separated list; thus, the -v output will be somewhat - different for this case. - Fix buffer allocation problem with Hesiod-based userdb maps when - HES_GETMAILHOST is defined. Based on a patch by Betty Lee - of Stanford University. - When envelopes were split due to aliases with owner- aliases, and - there was some error on one of the lists, more than one of - the owners would get the message. Problem pointed out by - Roy Mongiovi of Georgia Tech. - Detect excessive recursion in macro expansions, e.g., $X defined - in terms of $Y which is defined in terms of $X. Problem - noted by Bryan Costales; patch from Eric Wassenaar. - When using F=U to get "ugly UUCP" From_ lines, a buffer could in - some cases get trashed causing bogus From_ lines. Fix from - Kyle Jones of UUNET. - When doing load average initialization, if the nlist call for avenrun - failed, the second and subsequent lookups wouldn't notice - that fact causing bogus load averages to be returned. Noted - by Casper Dik of Sun Holland. - Fix problem with incompatibility with some versions of inet_aton that - have changed the return value to unsigned, so a check for an - error return of -1 doesn't work. Use INADDR_NONE instead. - This could cause mail to addresses such as [foo.com] to bounce - or get dropped. Problem noted by Christophe Wolfhugel of the - Pasteur Institute. - DSNs were inconsistent if a failure occurred during the DATA phase - rather than the RCPT phase: the Action: would be correct, but - the detailed status information would be wrong. Problem noted - by Bob Snyder of General Electric Company. - Add -U command line flag and the XUSR ESMTP extension, both indicating - that this is the initial MUA->MTA submission. The flag current - does nothing, but in future releases (when MUAs start using - these flags) it will probably turn on things like DNS - canonification. - Default end-of-line string (E= specification on mailer [M] lines) - to \r\n on SMTP mailers. Default remains \n on non-SMTP - mailers. - Change the internal definition for the *file* and *include* mailers - to have $u in the argument vectors so that they aren't - misinterpreted as SMTP mailers and thus use \r\n line - termination. This will affect anyone who has redefined - either of these in their configuration file. - Don't assume that IDENT servers close the connection after a query; - responses can be newline terminated. From Terry Kennedy of - St. Peter's College. - Avoid core dumps on erroneous configuration files that have - $#mailer with nothing following. From Bryan Costales. - Avoid null pointer dereference with high debug values in unlockqueue. - Fix from Randy Martin of Clemson University. - Fix possible buffer overrun when expanding very large macros. Fix - from Kyle Jones of UUNET. - After 25 EXPN or VRFY commands, start pausing for a second before - processing each one. This avoids a certain form of denial - of service attack. Potential attack pointed out by Bryan - Costales. - Allow new named (not numbered!) config file rules to do validity - checking on SMTP arguments: check_mail for MAIL commands and - check_rcpt for RCPT commands. These rulesets can do anything - they want; their result is ignored unless they resolve to the - $#error mailer, in which case the indicated message is printed - and the command is rejected. Similarly, the check_compat - ruleset is called before delivery with "from_addr $| to_addr" - (the $| is a meta-symbol used to separate the two addresses); - it can give a "this sender can't send to this recipient" - notification. Note that this patch allows $| to stand alone - in rulesets. - Define new macros ${client_name}, ${client_addr}, and ${client_port} - that have the name, IP address, and port number (respectively) - of the SMTP client (that is, the entity at the other end of - the connection. These can be used in (e.g.) check_rcpt to - verify that someone isn't trying to relay mail through your - host inappropriately. Be sure to use the deferred evaluation - form, for example $&{client_name}, to avoid having these bound - when sendmail reads the configuration file. - Add new config file rule check_relay to check the incoming connection - information. Like check_compat, it is passed the host name - and host address separated by $| and can reject connections - on that basis. - Allow IDA-style recursive function calls. Code contributed by Mark - Lovell and Paul Vixie. - Eliminate the "No ! in UUCP From address!" message" -- instead, create - a virtual UUCP address using either a domain address or the $k - macro. Based on code contributed by Mark Lovell and Paul - Vixie. - Add Stanford LDAP map. Requires special libraries that are not - included with sendmail. Contributed by Booker C. Bense - ; contact him for support. - See also the src/READ_ME file. - Allow -dANSI to turn on ANSI escape sequences in debug output; this - puts metasymbols (e.g., $+) in reverse video. Really useful - only for debugging deep bits of code where it is important to - distinguish between the single-character metasymbol $+ and the - two characters $, +. - Changed ruleset 89 (executed in dumpstate()) to a named ruleset, - debug_dumpstate. - Add new UnsafeGroupWrites option; if set, .forward and :include: - files that are group writable are considered "unsafe" -- that - is, programs and files referenced from such files are not - valid recipients. - Delete bogosity test for FallBackMX host; this prevented it to be a - name that was not in DNS or was a domain-literal. Problem - noted by Tom May. - Change the introduction to error messages to more clearly delineate - permanent from temporary failures; if both existed in a - single message it could be confusing. Suggested by John - Beck of InReference, Inc. - The IngoreDot (i) option didn't work for lines that were terminated - with CRLF. Problem noted by Ted Stockwell of Secure - Computing Corporation. - Add a heuristic to improve the handling of unbalanced `<' signs in - message headers. Problem reported by Matt Dillon of Best - Internet Communications. - Check for bogus characters in the 0200-0237 range; since these are - used internally, very strange errors can occur if those - characters appear in headers. Problem noted by Anders Gertz - of Lysator. - Implement 7 -> 8 bit MIME conversions. This only takes place if the - recipient mailer has the F=9 flag set, and only works on - text/plain body types. Code contributed by Marius Olafsson - of the University of Iceland. - Special case "postmaster" name so that it is always treated as lower - case in alias files regardless of configuration settings; - this prevents some potential problems where "Postmaster" or - "POSTMASTER" might not match "postmaster". In most cases - this change is a no-op. - The -o map flag was ignored for text maps. Problem noted by Bryan - Costales. - The -a map flag was ignored for dequote maps. Problem noted by - Bryan Costales. - Fix core dump when a lookup of a class "prog" map returns no - response. Patch from Bryan Costales. - Log instances where sendmail is deferring or rejecting connections - on LogLevel 14. Suggested by Kyle Jones of UUNET. - Include port number in process title for network daemons. Suggested - by Kyle Jones of UUNET. - Send ``double bounces'' (errors that occur when sending an error - message) to the address indicated in the DoubleBounceAddress - option (default: postmaster). Previously they were always - sent to postmaster. Suggested by Kyle Jones of UUNET. - Add new mode, -bD, that acts like -bd in all respects except that - it runs in foreground. This is useful for using with a - wrapper that "watches" system services. Suggested by Kyle - Jones of UUNET. - Fix botch in spacing around (parenthesized) comments in addresses - when the comment comes before the address. Patch from - Motonori Nakamura of Kyoto University. - Use the prefix "Postmaster notify" on the Subject: lines of messages - that are being bounced to postmaster, rather than "Returned - mail". This permits the person who is postmaster more - easily determine what messages are to their role as - postmaster versus bounces to mail they actually sent. Based - on a suggestion by Motonori Nakamura. - Add new value "time" for QueueSortOrder option; this causes the queue - to be sorted strictly by the time of submission. Note that - this can cause very bad behavior over slow lines (because - large jobs will tend to delay small jobs) and on nodes with - heavy traffic (because old things in the queue for hosts that - are down delay processing of new jobs). Also, this does not - guarantee that jobs will be delivered in submission order - unless you also set DeliveryMode=queue. In general, it should - probably only be used on the command line, and only in - conjunction with -qRhost.domain. In fact, there are very few - cases where it should be used at all. Based on an - implementation by Motonori Nakamura. - If a map lookup in ruleset 5 returns tempfail, queue the message in - the same manner as other rulesets. Previously a temporary - failure in ruleset 5 was ignored. Patch from Booker Bense - of Stanford University. - Don't proceed to the next MX host if an SMTP MAIL command returns a - 5yz (permanent failure) code. The next MX host will still be - tried if the connection cannot be opened in the first place - or if the MAIL command returns a 4yz (temporary failure) code. - (It's hard to know what to do here, since neither RFC 974 nor - RFC 1123 specify when to proceed to the next MX host.) - Suggested by Jonathan Kamens of OpenVision, Inc. - Add new "-t" flag for map definitions (the "K" line in the .cf file). - This causes map lookups that get a temporary failure (e.g., - name server failure) to _not_ defer the delivery of the - message. This should only be used if your configuration file - is prepared to do something sensible in this case. Based on - an idea by Gregory Shapiro of WPI. - Fix problem finding network interface addresses. Patch from - Motonori Nakamura. - Don't reject qf entries that are not owned by your effective uid if - you are not running setuid; this makes management of certain - kinds of firewall setups difficult. Patch suggested by - Eamonn Coleman of Qualcomm. - Add persistent host status. This keeps the information normally - maintained within a single queue run in disk files that are - shared between sendmail instances. The HostStatusDirectory - is the directory in which the information is maintained. If - not set, persistent host status is turned off. If not a full - pathname, it is relative to the queue directory. A common - value is ".hoststat". - There are also two new operation modes: - * -bh prints the status of hosts that have had recent - connections. - * -bH purges the host statuses. No attempt is made to save - recent status information. - This feature was originally written by Paul Vixie of Vixie - Enterprises for KJS and adapted for V8 by Mark Lovell of - Bigrock Consulting. Paul's funding of Mark and Mark's patience - with my insistence that things fit cleanly into the V8 - framework is gratefully appreciated. - New SingleThreadDelivery option (requires HostStatusDirectory to - operate). Avoids letting two sendmails on the local machine - open connections to the same remote host at the same time. - This reduces load on the other machine, but can cause mail to - be delayed (for example, if one sendmail is delivering a huge - message, other sendmails won't be able to send even small - messages). Also, it requires another file descriptor (for the - lock file) per connection, so you may have to reduce - ConnectionCacheSize to avoid running out of per-process - file descriptors. Based on the persistent host status code - contributed by Paul Vixie and Mark Lovell. - Allow sending to non-simple files (e.g., /dev/null) even if the - SafeFileEnvironment option is set. Problem noted by Bryan - Costales. - The -qR flag mistakenly matched flags in the "R" line of the queue - file. Problem noted by Bryan Costales. - If a job was aborted using the interrupt signal (e.g., control-C from - the keyboard), on some occasions an empty df file would be - left around; these would collect in the queue directory. - Problem noted by Bryan Costales. - Change the makesendmail script to enhance the search for Makefiles - based on release number. For example, on SunOS 5.5.1, it will - search for Makefile.SunOS.5.5.1, Makefile.SunOS.5.5, and then - Makefile.SunOS.5.x (in addition to the other rules, e.g., - adding $arch). Problem noted by Jason Mastaler of Atlanta - Webmasters. - When creating maps using "newaliases", always map the keys to lower - case when creating the map unless the -f flag is specified on - the map itself. Previously this was done based on the F=u - flag in the local mailer, which meant you could create aliases - that you could never access. Problem noted by Bob Wu of DEC. - When a job was read from the queue, the bits causing notification on - failure or delay were always set. This caused those - notifications to be sent even if NOTIFY=NEVER had been - specified. Problem noted by Steve Hubert of the University - of Washington, Seattle. - Add new configurable routine validate_connection (in conf.c). This - lets you decide if you are willing to accept traffic from - this host. If it returns FALSE, all SMTP commands will return - "550 Access denied". -DTCPWRAPPERS will include support for - TCP wrappers; you will need to add -lwrap to the link line. - (See src/READ_ME for details.) - Don't include the "THIS IS A WARNING MESSAGE ONLY" banner on postmaster - bounces. Some people seemed to think that this could be - confusing (even though it is true). Suggested by Motonori - Nakamura. - Add new RunAsUser option; this causes sendmail to do a setuid to that - user early in processing to avoid potential security problems. - However, this means that all .forward and :include: files must - be readable by that user, and all files to be written must be - writable by that user and all programs will be executed by that - user. It is also incompatible with the SafeFileEnvironment - option. In other words, it may not actually add much to - security. However, it should be useful on firewalls and other - places where users don't have accounts and the aliases file is - well constrained. - Add Timeout.iconnect. This is like Timeout.connect except it is used - only on the first attempt to delivery to an address. It could - be set to be lower than Timeout.connect on the principle that - the mail should go through quickly to responsive hosts; less - responsive hosts get to wait for the next queue run. - Fix a problem on Solaris that occasionally causes programs - (such as vacation) to hang with their standard input connected - to a UDP port. It also created some signal handling problems. - The problems turned out to be an interaction between vfork(2) - and some of the libraries, particularly NIS/NIS+. I am - indebted to Tor Egge for this fix. - Change user class map to do the same matching that actual delivery - will do instead of just a /etc/passwd lookup. This adds - fuzzy matching to the user map. Patch from Dan Oscarsson. - The Timeout.* options are not safe -- they can be used to create a - denial-of-service attack. Problem noted by Christophe - Wolfhugel. - Don't send PostmasterCopy messages in the event of a "delayed" - notification. Suggested by Barry Bouwsma. - Don't advertise "VERB" ESMTP extension if the "noexpn" privacy - option is set, since this disables VERB mode. Suggested - by John Hawkinson of MIT. - Complain if the QueueDirectory (Q) option is not set. Problem noted - by Motonori Nakamura of Kyoto University. - Only queue messages on transient .forward open failures if there - were no successful opens. The previous behavior caused it - to queue even if a "fall back" .forward was found. Problem - noted by Ann-Kian Yeo of the Dept. of Information Systems - and Computer Science (DISCS), NUS, Singapore. - Don't do 8->7 bit conversions when bouncing a MIME message that - is bouncing because of a MIME error during 8->7 bit conversion; - the encapsulated message will bounce again, causing a loop. - Problem noted by Steve Hubert of the University of Washington. - Create xf (transcript) files using the TempFileMode option value - instead of 0644. Suggested by Ann-Kian Yeo of the - National University of Singapore. - Print errors if setgid/setuid/etc. fail during delivery. This helps - detect cases where DefaultUid is set to something that the - system can't cope with. - PORTABILITY FIXES: - Support for AIX/RS 2.2.1 from Mark Whetzel of Western - Atlas International. - Patches for Intel Paragon OSF/1 1.3 from Leo Bicknell - . - On DEC OSF/1 3.2 and earlier, the MatchGECOS code would only - work on the first recipient of a message due to a - bug in the getpwent family. If this is something you - use, you can define DEC_OSF_BROKEN_GETPWENT=1 for a - workaround. From Maximum Entropy of Sanford C. - Bernstein and Associates. - FreeBSD 1.1.5.1 uname -r returns a string containing - parentheses, which breaks makesendmail. Reported - by Piero Serini . - Sequent DYNIX/ptx 4.0.2 patches from Jack Woolley of - Systems and Computer Technology Corporation. - Solaris 2.x: omit the UUCP grade parameter (-g flag) because - it is system-dependent. Problem noted by J.J. Bailey - of Bailey Computer Consulting. - Pyramid NILE running DC/OSx support from Earle F. Ake of - Hassler Communication Systems Technology, Inc. - HP-UX 10.x compile glitches, reported by Anne Brink of the - U.S. Army and James Byrne of Harte & Lyne Limited. - NetBSD from Matthew Green of the NetBSD crew. - SCO 5.x from Keith Reynolds of SCO. - IRIX 6.2 from Robert Tarrall of the University of - Colorado and Kari Hurtta of the Finnish Meteorological - Institute. - UXP/DS (Fujitsu/ICL DS/90 series) support from Diego R. - Lopez, CICA (Seville). - NCR SVR4 MP-RAS 3.x support from Tom Moore of NCR. - PTX 3.2.0 from Kenneth Stailey of the US Department of Labor - Employment Standards Administration. - Altos System V (5.3.1) from Tim Rice of Multitalents. - Concurrent Systems Corporation Maxion from Donald R. Laster - Jr. - NetInfo maps (improved debugging and multi-valued aliases) - from Adrian Steinmann of Steinmann Consulting. - ConvexOS 11.5 (including SecureWare C2 and the Share Scheduler) - from Eric Schnoebelen of Convex. - Linux 2.0 mail.local patches from Horst von Brand. - NEXTSTEP 3.x compilation from Robert La Ferla. - NEXTSTEP 3.x code changes from Allan J. Nathanson of NeXT. - Solaris 2.5 configuration fixes for mail.local by Jim Davis - of the University of Arizona. - Solaris 2.5 has a working setreuid. Noted by David Linn of - Vanderbilt University. - Solaris changes for praliases, makemap, mailstats, and smrsh. - Previously you had to add -DSOLARIS in Makefile.dist; - this auto-detects. Based on a patch from Randall - Winchester of the University of Maryland. - CONFIG: add generic-nextstep3.3.mc file. Contributed by - Robert La Ferla of Hot Software. - CONFIG: allow mailertables to resolve to ``error:code message'' - (where "code" is an exit status) on domains (previously - worked only on hosts). Patch from Cor Bosman of Xs4all - Foundation. - CONFIG: hooks for IPv6-style domain literals. - CONFIG: predefine ALIAS_FILE and change the prototype file so that - if it is undefined the AliasFile option is never set; this - should be transparent for most everyone. Suggested by John - Myers of CMU. - CONFIG: add FEATURE(limited_masquerade). Without this feature, any - domain listed in $=w is masqueraded. With it, only those - domains listed in a MASQUERADE_DOMAIN macro are masqueraded. - CONFIG: add FEATURE(masquerade_entire_domain). This causes - masquerading specified by MASQUERADE_DOMAIN to apply to all - hosts under those domains as well as the domain headers - themselves. For example, if a configuration had - MASQUERADE_DOMAIN(foo.com), then without this feature only - foo.com would be masqueraded; with it, *.foo.com would be - masqueraded as well. Based on an implementation by Richard - (Pug) Bainter of U. Texas. - CONFIG: add FEATURE(genericstable) to do a more general rewriting of - outgoing addresses. Defaults to ``hash -o /etc/genericstable''. - Keys are user names; values are outgoing mail addresses. Yes, - this does overlap with the user database, and figuring out - just when to use which one may be tricky. Based on code - contributed by Richard (Pug) Bainter of U. Texas with updates - from Per Hedeland of Ericsson. - CONFIG: add FEATURE(virtusertable) to do generalized rewriting of - incoming addresses. Defaults to ``hash -o /etc/virtusertable''. - Keys are either fully qualified addresses or just the host - part (with the @ sign). For example, a table containing: - info@foo.com foo-info - info@bar.com bar-info - @baz.org jane@elsewhere.net - would send all mail destined for info@foo.com to foo-info - (which is presumably an alias), mail addressed to info@bar.com - to bar-info, and anything addressed to anyone at baz.org will - be sent to jane@elsewhere.net. The names foo.com, bar.com, - and baz.org must all be in $=w. Based on discussions with - a great many people. - CONFIG: add nullclient configurations to define SMTP_MAILER_FLAGS. - Suggested by Richard Bainter. - CONFIG: add FAX_MAILER_ARGS to tweak the arguments passed to the - "fax" mailer. - CONFIG: allow mailertable entries to resolve to local:user; this - passes the original user@host in to procmail-style local - mailers as the "detail" information to allow them to do - additional clever processing. From Joe Pruett of - Teleport Corporation. Delivery to the original user can - be done by specifying "local:" (with nothing after the colon). - CONFIG: allow any context that takes "mailer:domain" to also take - "mailer:user@domain" to force mailing to the given user; - "local:user" can also be used to do local delivery. This - applies on *_RELAY and in the mailertable entries. Based - on a suggestion by Ribert Kiessling of Easynet. - CONFIG: Allow FEATURE(bestmx_is_local) to take an argument that - limits the possible domains; this reduces the number of DNS - lookups required to support this feature. For example, - FEATURE(bestmx_is_local, my.site.com) limits the lookups - to domains under my.site.com. Code contributed by Anthony - Thyssen . - CONFIG: LOCAL_RULESETS introduces any locally defined rulesets, - such as the check_rcpt ruleset. Suggested by Gregory Shapiro - of WPI. - CONFIG: MAILER_DEFINITIONS introduces any mailer definitions, in the - event you have to define local mailers. Suggested by - Gregory Shapiro of WPI. - CONFIG: fix cases where a three- (or more-) stage route-addr could - be misinterpreted as a list:...; syntax. Based on a patch by - Vlado Potisk . - CONFIG: Fix masquerading of UUCP addresses when the UUCP relay is - remotely connected. The address host!user was being - converted to host!user@thishost instead of host!user@uurelay. - Problem noted by William Gianopoulos of Raytheon Company. - CONFIG: add confTO_ICONNECT to set Timeout.iconnect. - CONFIG: change FEATURE(redirect) message from "User not local" to - "User has moved"; the former wording was confusing if the - new address is still on the local host. Based on a suggestion - by Andreas Luik. - CONFIG: add support in FEATURE(nullclient) for $=E (exposed users). - However, the class is not pre-initialized to contain root. - Suggested by Gregory Neil Shapiro. - CONTRIB: Remove XLA code at the request of the author, Christophe - Wolfhugel. - CONTRIB: Add re-mqueue.pl, contributed by Paul Pomes of Qualcomm. - MAIL.LOCAL: make it possible to compile mail.local on Solaris. Note - well: this produces a slightly different mailbox format (no - Content-Length: headers), file ownerships and modes are - different (not owned by group mail; mode 600 instead of 660), - and the local mailer flags will have to be tweaked (make them - match bsd4.4) in order to use this mailer. Patches from Paul - Hammann of the Missouri Research and Education Network. - MAIL.LOCAL: in some cases it could return EX_OK even though there - was a delivery error, such as if the ownership on the file - was wrong or the mode changed between the initial stat and - the open. Problem reported by William Colburn of the New - Mexico Institute of Mining and Technology. - MAILSTATS: handle zero length files more reliably. Patch from Bryan - Costales. - MAILSTATS: add man page contributed by Keith Bostic of BSDI. - MAKEMAP: The -d flag (to allow duplicate keys) to a btree map wasn't - honored. Fix from Michael Scott Shappe. - PRALIASES: add man page contributed by Keith Bostic of BSDI. - NEW FILES: - src/Makefiles/Makefile.AIX.2 - src/Makefiles/Makefile.IRIX.6.2 - src/Makefiles/Makefile.maxion - src/Makefiles/Makefile.NCR.MP-RAS.3.x - src/Makefiles/Makefile.SCO.5.x - src/Makefiles/Makefile.UXPDSV20 - mailstats/mailstats.8 - praliases/praliases.8 - cf/cf/generic-nextstep3.3.mc - cf/feature/genericstable.m4 - cf/feature/limited_masquerade.m4 - cf/feature/masquerade_entire_domain.m4 - cf/feature/virtusertable.m4 - cf/ostype/aix2.m4 - cf/ostype/altos.m4 - cf/ostype/maxion.m4 - cf/ostype/solaris2.ml.m4 - cf/ostype/uxpds.m4 - contrib/re-mqueue.pl - DELETED FILES: - src/Makefiles/Makefile.Solaris - contrib/xla/README - contrib/xla/xla.c - RENAMED FILES: - src/Makefiles/Makefile.NCR3000 => Makefile.NCR.MP-RAS.2.x - src/Makefiles/Makefile.SCO.3.2v4.2 => Makefile.SCO.4.2 - src/Makefiles/Makefile.UXPDS => Makefile.UXPDSV10 - src/Makefiles/Makefile.NeXT => Makefile.NeXT.2.x - src/Makefiles/Makefile.NEXTSTEP => Makefile.NeXT.3.x - -8.7.6/8.7.3 96/09/17 - SECURITY: It is possible to force getpwuid to fail when writing the - queue file, causing sendmail to fall back to running programs - as the default user. This is not exploitable from off-site. - Workarounds include using a unique user for the DefaultUser - (old u & g options) and using smrsh as the local shell. - SECURITY: fix some buffer overruns; in at least one case this allows - a local user to get root. This is not known to be exploitable - from off-site. The workaround is to disable chfn(1) commands. - -8.7.5/8.7.3 96/03/04 - Fix glitch in 8.7.4 when putting certain internal lines; this can - in some case cause connections to hang or messages to have - extra spaces in odd places. Patch from Eric Wassenaar; - reports from Eric Hall of Chiron Corporation, Stephen - Hansen of Stanford University, Dean Gaudet of HotWired, - and others. - -8.7.4/8.7.3 96/02/18 - SECURITY: In some cases it was still possible for an attacker to - insert newlines into a queue file, thus allowing access to - any user (except root). - CONFIG: no changes -- it is not a bug that the configuration - version number is unchanged. - -8.7.3/8.7.3 95/12/03 - Fix botch in name server timeout in RCPT code; this problem caused - two responses in SMTP, which breaks things horribly. Fix - from Gregory Neil Shapiro of WPI. - Verify that L= value on M lines cannot be negative, which could cause - negative array subscripting. Not a security problem since - this has to be in the config file, but it could have caused - core dumps. Pointed out by Bryan Costales. - Fix -d21 debug output for long macro names. Pointed out by Bryan - Costales. - PORTABILITY FIXES: - SCO doesn't have ftruncate. From Bill Aten of Computerizers. - IBM's version of arpa/nameser.h defaults to the wrong byte - order. Tweak it to work properly. Based on fixes - from Fletcher Mattox of UTexas and Betty Lee of - Stanford University. - CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option. - Deficiency pointed out by Bryan Costales of ICSI. - -8.7.2/8.7.2 95/11/19 - REALLY fix the backslash escapes in SmtpGreetingMessage, - OperatorChars, and UnixFromLine options. They were not - properly repaired in 8.7.1. - Completely delete the Bcc: header if and only if there are other - valid recipient headers (To:, Cc: or Apparently-To:, the - last being a historic botch, of course). If Bcc: is the - only recipient header in the message, its value is tossed, - but the header name is kept. The old behavior (always keep - the header name and toss the value) allowed primary recipients - to see that a Bcc: went to _someone_. - Include queue id on ``Authentication-Warning: : set - sender to
using -f'' syslog messages. Suggested - by Kari Hurtta. - If a sequence or switch map lookup entry gets a tempfail but then - continues on to another map type, but the name is not found, - return a temporary failure from the sequence or switch map. - For example, if hosts search ``dns files'' and DNS fails - with a tempfail, the hosts map will go on and search files, - but if it fails the whole thing should be a tempfail, not - a permanent (host unknown) failure, even though that is the - failure in the hosts.files map. This error caused hard - bounces when it should have requeued. - Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo - owned by bar mode 700 and inbox being setuid bar stopped - working properly due to excessive paranoia. Pointed out by - John Hawkinson of Panix. - An SMTP RCPT command referencing a host that gave a nameserver - timeout would return a 451 command (8.6 accepted it and - queued it locally). Revert to the 8.6 behavior in order - to simplify queue management for clustered systems. Suggested - by Gregory Neil Shapiro of WPI. The same problem could break - MH, which assumes that the SMTP session will succeed (tsk, tsk - -- mail gets lost!); this was pointed out by Stuart Pook of - Infobiogen. - Fix possible buffer overflow in munchstring(). This was not a security - problem because you couldn't specify any argument to this - without first giving up root privileges, but it is still a - good idea to avoid future problems. Problem noted by John - Hawkinson and Sam Hartman of MIT. - ``452 Out of disk space for temp file'' messages weren't being - printed. Fix from David Perlin of Nanosoft. - Don't advertise the ESMTP DSN extension if the SendMimeErrors option - is not set, since this is required to get the actual DSNs - created. Problem pointed out by John Gardiner Myers of CMU. - Log permission problems that cause .forward and :include: files to - be untrusted or ignored on log level 12 and higher. Suggested - by Randy Martin of Clemson University. - Allow user ids in U= clauses of M lines to have hyphens and - underscores. - Fix overcounting of recipients -- only happened when sending to an - alias. Pointed out by Mark Andrews of SGI and Jack Woolley - of Systems and Computer Technology Corporation. - If a message is sent to an address that fails, the error message that - is returned could show some extraneous "success" information - included even if the user did not request success notification, - which was confusing. Pointed out by Allan Johannesen of WPI. - Config files that had no AliasFile definition were defaulting to - using /etc/aliases; this caused problems with nullclient - configurations. Change it back to the 8.6 semantics of - having no local alias file unless it is declared. Problem - noted by Charles Karney of Princeton University. - Fix compile problem if NOTUNIX is defined. Pointed out by Bryan - Costales of ICSI. - Map lookups of class "userdb" maps were always case sensitive; they - should be controlled by the -f flag like other maps. Pointed - out by Bjart Kvarme . - Fix problem that caused some addresses to be passed through ruleset 5 - even when they were tagged as "sticky" by prefixing the - address with an "@". Patch from Thomas Dwyer III of Michigan - Technological University. - When converting a message to Quoted-Printable, prevent any lines with - dots alone on a line by themselves. This is because of the - preponderance of broken mailers that still get this wrong. - Code contributed by Per Hedeland of Ericsson. - Fix F{macro}/file construct -- it previously did nothing. Pointed - out by Bjart Kvarme of USIT/UiO (Norway). - Announce whether a cached connection is SMTP or ESMTP (in -v mode). - Requested by Allan Johannesen. - Delete check for text format of alias files -- it should be legal - to have the database format of the alias files without the - text version. Problem pointed out by Joe Rhett of Navigist, - Inc. - If "Ot" was specified with no value, the TZ variable was not properly - imported from the environment. Pointed out by Frank Crawford - . - Some architectures core dumped on "program" maps that didn't have - extra arguments. Patch from Booker C. Bense of Stanford - University. - Queue run processes would re-spawn daemons when given a SIGHUP; only - the parent should do this. Fix from Brian Coan of the - Association for Progressive Communications. - If MinQueueAge was set and a message was considered but not run - during a queue run and the Timeout.queuereturn interval was - reached, a "timed out" error message would be returned that - didn't include the failed address (and claimed to be a warning - even though it was fatal). The fix is to not return such - messages until they are actually tried, i.e., in the next - MinQueueAge interval. Problem noted by Rein Tollevik of - SINTEF RUNIT, Oslo. - Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions - that have the hes_getmailhost() routine. DEC Hesiod - distributions do not have this routine. Based on a patch - from Betty Lee of Stanford University. - Extensive cleanups to map open code to handle a locking race condition - in ndbm, hash, and btree format database files on some (most - non-4.4-BSD based) OS architectures. This should solve the - occasional "user unknown" problem during alias rebuilds that - has plagued me for quite some time. Based on a patch from - Thomas Dwyer III of Michigan Technological University. - PORTABILITY FIXES: - Solaris: Change location of newaliases and mailq from - /usr/ucb to /usr/bin to match Sun settings. From - James B. Davis of TCI. - DomainOS: Makefile.DomainOS doesn't require -ldbm. From - Don Lewis of Silicon Systems. - HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x - so that the makesendmail script will find it. Pointed - out by Richard Allen of the University of Iceland. - Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which - isn't supported on all compilers. - UXPDS: compilation fixes from Diego R. Lopez. - CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless - you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE. - CONFIG: Minor glitch in S21 -- attachment of local domain name - didn't have trailing dot. From Jim Hickstein of Teradyne. - CONFIG: Fix best_mx_is_local feature to allow nested addresses such as - user%host@thishost. From Claude Scarpelli of Infobiogen - (France). - CONFIG: OSTYPE(hpux10) failed to define the location of the help file. - Pointed out by Hannu Martikka of Nokia Telecommunications. - CONFIG: Diagnose some inappropriate ordering in configuration files, - such as FEATURE(smrsh) listed after MAILER(local). Based on - a bug report submitted by Paul Hoffman of Proper Publishing. - CONFIG: Make OSTYPE files consistently not override settings that - have already been set. Previously it worked differently - for different files. - CONFIG: Change relay mailer to do masquerading like 8.6 did. My take - is that this is wrong, but the change was causing problems - for some people. From Per Hedeland of Ericsson. - CONTRIB: bitdomain.c patch from John Gardiner Myers ; - portability changes for Posix environments (no functional - changes). - -8.7.1/8.7.1 95/10/01 - Old macros that have become options (SmtpGreetingMessage, - OperatorChars, and UnixFromLine) didn't allow backslash - escapes in the options, where they previously had. Bug - pointed out by John Hawkinson of MIT. - Fix strange case of an executable called by a program map that - returns a value but also a non-zero exit status; this - would give contradictory results in the higher level; in - particular, the default clause in the map lookup would be - ignored. Change to ignore the value if the program returns - non-zero exit status. From Tom Moore of AT&T GIS. - Shorten parameters passed to syslog() in some contexts to avoid a - bug in many vendors' implementations of that routine. Although - this isn't really a bug in sendmail per se, and my solution - has to assume that syslog() has at least a 1K buffer size - internally (I know some vendors have shortened this - dramatically -- they're on their own), sendmail is a popular - target. Also, limit the size of %s arguments in sprintf. - These both have possible security implications. Solutions - suggested by Casper Dik of Sun's Network Security Group - (Holland), Mark Seiden, and others. - Fix a problem that might cause a non-standard -B (body type) - parameter to be passed to the next server with undefined - results. This could have security implications. - If a filesystem was at > 100% utilization, the freediskspace() - routine incorrectly returned an error rather than zero. - Problem noted by G. Paul Ziemba of Alantec. - Change MX sort order so that local hostnames (those in $=w) always - sort first within a given preference. This forces the bestmx - map to always return the local host first, if it is included - in the list of highest priority MX records. From K. Robert - Elz. - Avoid some possible null pointer dereferences. Fixes from Randy - Martin - When sendmail starts up on systems that have no fully qualified - domain name (FQDN) anywhere in the first matching host map - (e.g., /etc/hosts if the hosts service searches "files dns"), - sendmail would sleep to try to find a FQDN, which it really - really needs. This has been changed to fall through to the - next map type if it can't find a FQDN -- i.e., if the hosts - file doesn't have a FQDN, it will try dns even though the - short name was found in /etc/hosts. This is probably a crock, - but many people have hosts files without FQDNs. Remember: - domain names are your friends. - Log a high-priority message if you can't find your FQDN during startup. - Suggested by Simon Barnes of Schlumberger Limited. - When using Hesiod, initialize it early to improve error reporting. - Patch from Don Lewis of Silicon Systems, Inc. - Apparently at least some versions of Linux have a 90 !minute! TCP - connection timeout in the kernel. Add a new "connect" timeout - to limit this time. Defaults to zero (use whatever the - kernel provides). Based on code contributed by J.R. Oldroyd - of TerraNet. - Under some circumstances, a failed message would not be properly - removed from the queue, causing tons of bogus error messages. - (This fix eliminates the problematic EF_KEEPQUEUE flag.) - Problem noted by Allan E Johannesen and Gregory Neil Shapiro - of WPI. - PORTABILITY FIXES: - On IRIX 5.x, there was an inconsistency in the setting - of sendmail.st location. Change the Makefile to - install it in /var/sendmail.st to match the OSTYPE - file and SGI standards. From Andre - . - Support for Fujitsu/ICL UXP/DS (For the DS/90 Series) - from Diego R. Lopez . - Linux compilation patches from J.R. Oldroyd of TerraNet, Inc. - LUNA 2 Mach patches from Motonori Nakamura. - SunOS Makefile was including -ldbm, which is for the old - dbm library. The ndbm library is part of libc. - CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with - ``local configuration error'' in nullclient configuration. - Patch from Gregory Neil Shapiro of WPI. - CONFIG: don't allow an alias file in nullclient configurations -- - since all addresses are relayed, they give errors during - rebuild. Suggested by Per Hedeland of Ericsson. - CONFIG: local mailer on Solaris 2 should always get a -f flag because - otherwise the F=S causes the From_ line to imply that root is - the sender. Problem pointed out by Claude Scarpelli of - Infobiogen (France). - NEW FILES: - cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake) - src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake) - src/Makefiles/Makefile.UXPDS - -8.7/8.7 95/09/16 - Fix a problem that could cause sendmail to run out of file - descriptors due to a trashed data structure after a - vfork. Fix from Brian Coan of the Institute for - Global Communications. - Change the VRFY response if you have disabled VRFY -- some - people seemed to think that it was too rude. - Avoid reference to uninitialized file descriptor if HASFLOCK - was not defined. This was used "safely" in the sense - that it only did a stat, but it would have set the - map modification time improperly. Problem pointed out - by Roy Mongiovi of Georgia Tech. - Clean up the Subject: line on warning messages and return - receipts so that they don't say "Returned mail:"; this - can be confusing. - Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is - useful enough to make it worthwhile printing on "-d". - Avoid logging alias statistics every time you read the alias - file on systems with no database method compiled in. - If you have a name with a trailing dot, and you try looking it - up using gethostbyname without the dot (for /etc/hosts - compatibility), be sure to turn off RES_DEFNAMES and - RES_DNSRCH to avoid finding the wrong name accidentally. - Problem noted by Charles Amos of the University of - Maryland. - Don't do timeouts in collect if you are not running SMTP. - There is nothing that says you can't have a long - running program piped into sendmail (possibly via - /bin/mail, which just execs sendmail). Problem reported - by Don "Truck" Lewis of Silicon Systems. - Try gethostbyname() even if the DNS lookup fails iff option I - is not set. This allows you to have hosts listed in - NIS or /etc/hosts that are not known to DNS. It's normally - a bad idea, but can be useful on firewall machines. This - should really be broken out on a separate flag, I suppose. - Avoid compile warnings against BIND 4.9.3, which uses function - prototypes. From Don Lewis of Silicon Systems. - Avoid possible incorrect diagnosis of DNS-related errors caused - by things like attempts to resolve uucp names using - $[ ... $] -- the fix is to clear h_errno at appropriate - times. From Kyle Jones of UUNET. - SECURITY: avoid denial-of-service attacks possible by destroying - the alias database file by setting resource limits low. - This involves adding two new compile-time options: - HASSETRLIMIT (indicating that setrlimit(2) support is - available) and HASULIMIT (indicating that ulimit(2) support - is available -- the Release 3 form is used). The former - is assumed on BSD-based systems, the latter on System - V-based systems. Attack noted by Phil Brandenberger of - Swarthmore University. - New syntaxes in test (-bt) mode: - ``.Dmvalue'' will define macro "m" to "value". - ``.Ccvalue'' will add "value" to class "c". - ``=Sruleset'' will dump the contents of the indicated - ruleset. - ``=M'' will display the known mailers. - ``-ddebug-spec'' is equivalent to the command-line - -d debug flag. - ``$m'' will print the value of macro $m. - ``$=c'' will print the contents of class $=c. - ``/mx host'' returns the MX records for ``host''. - ``/parse address'' will parse address, returning the value of - crackaddr (essentially, the comment information) - and the parsed address. - ``/try mailer address'' will rewrite address into the form - it will have when presented to the indicated mailer. - ``/tryflags flags'' will set flags used by parsing. The - flags can be `H' for header or `E' for envelope, - and `S' for sender or `R' for recipient. These - can be combined, so `HR' sets flags for header - recipients. - ``/canon hostname'' will try to canonify hostname and - return the result. - ``/map mapname key'' will look up `key' in the indicated - `mapname' and return the result. - Somewhat better handling of UNIX-domain socket addresses -- it - should show the pathname rather than hex bytes. - Restore ``-ba'' mode -- this reads a file from stdin and parses - the header for envelope sender information and uses - CR-LF as message terminators. It was thought to be - obsolete (used only for Arpanet NCP protocols), but it - turns out that the UK ``Grey Book'' protocols require - that functionality. - Fix a fix in previous release -- if gethostname and gethostbyname - return a name without dots, and if an attempt to canonify - that name fails, wait one minute and try again. This can - result in an extra 60 second delay on startup if your system - hostname (as returned by hostname(1)) has no dot and no names - listed in /etc/hosts or your NIS map have a dot. - Check for proper domain name on HELO and EHLO commands per - RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III - of Michigan Technological University. - Relax chownsafe rules slightly -- old version said that if you - can't tell if _POSIX_CHOWN_RESTRICTED is set (that is, - if fpathconf returned EINVAL or ENOSYS), assume that - chown is not safe. The new version falls back to whether - you are on a BSD system or not. This is important for - SunOS, which apparently always returns one of those - error codes. This impacts whether you can mail to files - or not. - Syntax errors such as unbalanced parentheses in the configuration - file could be omitted if you had "Oem" prior to the - syntax error in the config file. Change to always print - the error message. It was especially weird because it - would cause a "warning" message to be sent to the Postmaster - for every message sent (but with no transcript). Problem - noted by Gregory Paris of Motorola. - Rewrite collect and putbody to handle full 8-bit data, including - zero bytes. These changes are internally extensive, but - should have minimal impact on external function. - Allow full words for option names -- if the option letter is - (apparently) a space, then take the word following -- e.g., - O MatchGECOS=TRUE - The full list of old and new names is as follows: - 7 SevenBitInput - 8 EightBitMode - A AliasFile - a AliasWait - B BlankSub - b MinFreeBlocks/MaxMessageSize - C CheckpointInterval - c HoldExpensive - D AutoRebuildAliases - d DeliveryMode - E ErrorHeader - e ErrorMode - f SaveFromLine - F TempFileMode - G MatchGECOS - H HelpFile - h MaxHopCount - i IgnoreDots - I ResolverOptions - J ForwardPath - j SendMimeErrors - k ConnectionCacheSize - K ConnectionCacheTimeout - L LogLevel - l UseErrorsTo - m MeToo - n CheckAliases - O DaemonPortOptions - o OldStyleHeaders - P PostmasterCopy - p PrivacyOptions - Q QueueDirectory - q QueueFactor - R DontPruneRoutes - r, T Timeout - S StatusFile - s SuperSafe - t TimeZoneSpec - u DefaultUser - U UserDatabaseSpec - V FallbackMXHost - v Verbose - w TryNullMXList - x QueueLA - X RefuseLA - Y ForkEachJob - y RecipientFactor - z ClassFactor - Z RetryFactor - The old macros that passed information into sendmail have - been changed to options; those correspondences are: - $e SmtpGreetingMessage - $l UnixFromLine - $o OperatorChars - $q (deleted -- not necessary) - To avoid possible problems with an older sendmail, - configuration level 6 is accepted by this version of - sendmail; any config file using the new names should - specify "V6" in the configuration. - Change address parsing to properly note that a phrase before a - colon and a trailing semicolon are essentially the same - as text outside of angle brackets (i.e., sendmail should - treat them as comments). This is to handle the - ``group name: addr1, addr2, ..., addrN;'' syntax (it will - assume that ``group name:'' is a comment on the first - address and the ``;'' is a comment on the last address). - This requires config file support to get right. It does - understand that :: is NOT this syntax, and can be turned - off completely by setting the ColonOkInAddresses option. - Level 6 config files added with new mailer flags: - A Addresses are aliasable. - i Do udb rewriting on envelope as well as header - sender lines. Applies to the from address mailer - flags rather than the recipient mailer flags. - j Do udb rewriting on header recipient addresses. - Applies to the sender mailer flags rather than the - recipient mailer flags. - k Disable check for loops when doing HELO command. - o Always run as the mail recipient, even on local - delivery. - w Check for an /etc/passwd entry for this user. - 5 Pass addresses through ruleset 5. - : Check for :include: on this address. - | Check for |program on this address. - / Check for /file on this address. - @ Look up sender header addresses in the user - database. Applies to the mailer flags for the - mailer corresponding to the envelope sender - address, rather than to recipient mailer flags. - Pre-level 6 configuration files set A, w, 5, :, |, /, and @ - on the "local" mailer, the o flag on the "prog" and "*file*" - mailers, and the ColonOkInAddresses option. - Eight-to-seven bit MIME conversions. This borrows ideas from - John Beck of Hewlett-Packard, who generously contributed - their implementation to me, which I then didn't use (see - mime.c for an explanation of why). This adds the - EightBitMode option (a.k.a. `8') and an F=8 mailer flag - to control handling of 8-bit data. These have to cope with - two types of 8-bit data: unlabelled 8-bit data (that is, - 8-bit data that is entered without declaring it as 8-bit - MIME -- technically this is illegal according to the - specs) and labelled 8-bit data (that is, it was declared - as 8BITMIME in the ESMTP session or by using the - -B8BITMIME command line flag). If the F=8 mailer flag is - set then 8-bit data is sent to non-8BITMIME machines - instead of converting to 7 bit (essentially using - just-send-8 semantics). The values for EightBitMode are: - m convert unlabelled 8-bit input to 8BITMIME, and do - any necessary conversion of 8BITMIME to 7BIT - (essentially, the full MIME option). - p pass unlabelled 8-bit input, but convert labelled - 8BITMIME input to 7BIT as required (default). - s strict adherence: reject unlabelled 8-bit input, - convert 8BITMIME to 7BIT as required. The F=8 - flag is ignored. - Unlabelled 8-bit data is rejected in mode `s' regardless of - the setting of F=8. - Add new internal class 'n', which is the set of MIME Content-Types - which can not be 8 to 7 bit encoded because of other - considerations. Types "multipart/*" and "message/*" are - never directly encoded (although their components can be). - Add new internal class 's', which is the set of subtypes of the - MIME message/* content type that can be treated as though - they are an RFC822 message. It is predefined to have - "rfc822". Suggested By Kari Hurtta. - Add new internal class 'e'. This is the set of MIME - Content-Transfer-Encodings that can be converted to - a seven bit format (Quoted-Printable or Base64). It is - preinitialized to contain "7bit", "8bit", and "binary". - Add C=charset mailer parameter and the the DefaultCharSet option (no - short name) to set the default character set to use in the - Content-Type: header when doing encoding of an 8-bit message - which isn't marked as MIME into MIME format. If the C= - parameter is set on the Envelope From address, use that as - the default encoding; else use the DefaultCharSet option. - If neither is set, it defaults to "unknown-8bit" as - suggested by RFC 1428 section 3. - Allow ``U=user:group'' field in mailer definition to set a default - user and group that a mailer will be executed as. This - overrides the 'u' and 'g' options, and if the `F=S' flag is - also set, it is the uid/gid that will always be used (that - is, the controlling address is ignored). The values may be - numeric or symbolic; if only a symbolic user is given (no - group) that user's default group in the passwd file is used - as the group. Based on code donated by Chip Rosenthal of - Unicom. - Allow `u' option to also accept user:group as a value, in the same - fashion as the U= mailer option. - Add the symbolic time zone name in the Arpanet format dates (as - a comment). This adds a new compile-time configuration - flag: TZ_TYPE can be set to TZ_TM_NAME (use the value - of (struct tm *)->tm_name), TZ_TM_ZONE (use the value - of (struct tm *)->tm_zone), TZ_TZNAME (use extern char - *tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use - timezone()), or TZ_NONE (don't include the comment). Code - from Chip Rosenthal. - The "Timeout" option (formerly "r") is extended to allow suboptions. - For example, - O Timeout.helo = 2m - There are also two new suboptions "queuereturn" and - "queuewarn"; these subsume the old T option. Thus, to - set them both the preferred new syntax is - O Timeout.queuereturn = 5d - O Timeout.queuewarn = 4h - Sort queue by host name instead of by message priority if the - QueueSortOrder option (no short name) is set is set to - ``host''. This makes better use of the connection cache, - but may delay more ``interactive'' messages behind large - backlogs under some circumstances. This is probably a - good option if you have high speed links or don't do lots - of ``batch'' messages, but less good if you are using - something like PPP on a 14.4 modem. Based on code - contributed by Roy Mongiovi of Georgia Tech (my main - contribution was to make it configurable). - Save i-number of df file in qf file to simplify rebuilding of queue - after disastrous disk crash. Suggested by Kyle Jones of - UUNET; closely based on code from KJS DECWRL code written - by Paul Vixie. NOTA BENE: The qf files produced by 8.7 - are NOT back compatible with 8.6 -- that is, you can convert - from 8.6 to 8.7, but not the other direction. - Add ``F=d'' mailer flag to disable all use of angle brackets in - route-addrs in envelopes; this is because in some cases - they can be sent to the shell, which interprets them as - I/O redirection. - Don't include error file (option E) with return-receipts; this - can be confusing. - Don't send "Warning: cannot send" messages to owner-* or - *-request addresses. Suggested by Christophe Wolfhugel - of the Institut Pasteur, Paris. - Allow -O command line flag to set long form options. - Add "MinQueueAge" option to set the minimum time between attempts - to run the queue. For example, if the queue interval - (-q value) is five minutes, but the minimum queue age - is fifteen minutes, jobs won't be tried more often than - once every fifteen minutes. This can be used to give - you more responsiveness if your delivery mode is set to - queue-only. - Allow "fileopen" timeout (default: 60 seconds) for opening - :include: and .forward files. - Add "-k", "-v", and "-z" flags to map definitions; these set the - key field name, the value field name, and the field - delimiter. The field delimiter can be a single character - or the sequence "\t" or "\n" for tab or newline. - These are for use by NIS+ and similar access methods. - Change maps to always strip quotes before lookups; the -q flag - turns off this behavior. Suggested by Motonori Nakamura. - Add "nisplus" map class. Takes -k and -v flags to choose the - key and value field names respectively. Code donated by - Sun Microsystems. - Add "hesiod" map class. The "file name" is used as the - "HesiodNameType" parameter to hes_resolve(3). Returns the - first value found for the match. Code donated by Scott - Hutton of Indiana University. - Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to - specify the name of the property that is searched as the - key and a -v flag to specify the name of the property that - is returned as the value (defaults to "members"). The - default map is "/aliases". Some code based on code - contributed by Robert La Ferla of Hot Software. - Add "text" map class. This does slow, linear searches through - text files. The -z flag specifies a column delimiter - (defaults to any sequence of white space), the -k flag - sets the key column number, and the -v flag sets the - value column number. Lines beginning with `#' are treated - as comments. - Add "program" map class to execute arbitrary programs. The search - key is presented as the last argument; the output is one - line read from the programs standard output. Exit statuses - are from sysexits.h. - Add "sequence" map class -- searches maps in sequence until it - finds a match. For example, the declarations: - Kmap1 ... - Kmap2 ... - Kmapseq sequence map1 map2 - defines a map "mapseq" that first searches map1; if the - value is found it is returned immediately, otherwise - map2 is searched and the value returned. - Add "switch" map class. This is much like "sequence" except that - the ordering is fetched from an external file, usually - the system service switch. The parameter is the name of - the service to switch on, and the maps that it will use - are the name of the switch map followed by ".service_type". - For example, if the declaration of the map is - Ksample switch hosts - and the system service switch specifies that hosts are - looked up using dns and nis in that order, then this is - equivalent to - Ksample sequence sample.dns sample.nis - The subordinate maps (sample.*) must already be defined. - Add "user" map class -- looks up users using getpwnam. Takes a - "-v field" flag on the definition that tells what passwd - entry to return -- legal values are name, passwd, uid, gid, - gecos, dir, and shell. Generally expected to be used with - the -m (matchonly) flag. - Add "bestmx" map class -- returns the best MX value for the host - listed as the value. If there are several "best" MX records - for this host, one will be chosen at random. - Add "userdb" map class -- looks up entries in the user database. - The "file name" is actually the tag that will be used, - typically "mailname". If there are multiple entries - matching the name, the one chosen is undefined. - Add multiple queue timeouts (both return and warning). These are - set by the Precedence: or Priority: header fields to one of - three values. If a Priority: is set and has value "normal", - "urgent", or "non-urgent" the corresponding timeouts are - used. If no priority is set, the Precedence: is consulted; - if negative, non-urgent timeouts are used; if greater than - zero, urgent timeouts are used. Otherwise, normal timeouts - are used. The timeouts are set by setting the six timeouts - queue{warn,return}.{urgent,normal,non-urgent}. - Fix problem when a mail address is resolved to a $#error mailer - with a temporary failure indication; it works in SMTP, - but when delivering locally the mail is silently discarded. - This patch, from Kyle Jones of UUNET, bounces it instead - of queueing it (queueing is very hard). - When using /etc/hosts or NIS-style lookups, don't assume that - the first name in the list is the best one -- instead, - search for the first one with a dot. For example, if - an /etc/hosts entry reads - 128.32.149.68 mammoth mammoth.CS.Berkeley.EDU - this change will use the second name as the canonical - machine name instead of the initial, unqualified name. - Change dequote map to replace spaces in quoted text with a value - indicated by the -s flag on the dequote map definition. - For example, ``Mdequote dequote -s_'' will change - "Foo Bar" into an unquoted Foo_Bar instead of leaving it - quoted (because of the space character). Suggested by Dan - Oscarsson for use in X.400 addresses. - Implement long macro names as ${name}; long class names can - be similarly referenced as $={name} and $~{name}. - Definitions are (e.g.) ``D{name}value''. Names that have - a leading lower case letter or punctuation characters are - reserved for internal use by sendmail; i.e., config files - should use names that begin with a capital letter. Based - on code contributed by Dan Oscarsson. - Fix core dump if getgrgid returns a null group list (as opposed - to an empty group list, that is, a pointer to a list - with no members). Fix from Andrew Chang of Sun Microsystems. - Fix possible core dump if malloc fails -- if the malloc in xalloc - failed, it called syserr which called newstr which called - xalloc.... The newstr is now avoided for "panic" messages. - Reported by Stuart Kemp of James Cook University. - Improve connection cache timeouts; previously, they were not even - checked if you were delivering to anything other than an - IPC-connected host, so a series of (say) local mail - deliveries could cause cached connections to be open - much longer than the specified timeout. - If an incoming message exceeds the maximum message size, stop - writing the incoming bytes to the queue data file, since - this can fill your mqueue partition -- this is a possible - denial-of-service attack. - Don't reject all numeric local user names unless HESIOD is - defined. It turns out that Posix allows all-numeric - user names. Fix from Tony Sanders of BSDI. - Add service switch support. If the local OS has a service - switch (e.g., /etc/nsswitch.conf on Solaris or /etc/svc.conf - on DEC systems) that will be used; otherwise, it falls back - to using a local mechanism based on the ServiceSwitchFile - option (default: /etc/service.switch). For example, if the - service switch lists "files" and "nis" for the aliases - service, that will be the default lookup order. the "files" - ("local" on DEC) service type expands to any alias files - you listed in the configuration file, even if they aren't - actually file lookups. - Option I (NameServerOptions) no longer sets the "UseNameServer" - variable which tells whether or not DNS should be considered - canonical. This is now determined based on whether or not - "dns" is in the service list for "hosts". - Add preliminary support for the ESMTP "DSN" extension (Delivery - Status Notifications). DSN notifications override - Return-Receipt-To: headers, which are bogus anyhow -- - support for them has been removed. - Add T=mts-name-type/address-type/diagnostic-type keyletter to mailer - definitions to define the types used in DSN returns for - MTA names, addresses, and diagnostics respectively. - Extend heuristic to force running in ESMTP mode to look for the - five-character string "ESMTP" anywhere in the 220 greeting - message (not just the second line). This is to provide - better compatibility with other ESMTP servers. - Print sequence number of job when running the queue so you can - easily see how much progress you have made. Suggested - by Peter Wemm of DIALix. - Map newlines to spaces in logged message-ids; some versions of - syslog truncate the rest of the line after newlines. - Suggested by Fletcher Mattox of U. Texas. - Move up forking for job runs so that if a message is split into - multiple envelopes you don't get "fork storms" -- this - also improves the connection cache utilization. - Accept "<<>>", "<<<>>>", and so forth as equivalent to "<>" for - the purposes of refusing to send error returns. Suggested - by Motonori Nakamura of Ritsumeikan University. - Relax rules on when a file can be written when referenced from - the aliases file: use the default uid/gid instead of the - real uid/gid. This allows you to create a file owned by - and writable only by the default uid/gid that will work - all the time (without having the setuid bit set). Change - suggested by Shau-Ping Lo and Andrew Cheng of Sun - Microsystems. - Add "DialDelay" option (no short name) to provide an "extra" - delay for dial on demand systems. If this is non-zero - and a connect fails, sendmail will wait this long and - then try again. If it takes longer than the kernel - timeout interval to establish the connection, this - option can give the network software time to establish - the link. The default units are seconds. - Move logging of sender information to be as early as possible; - previously, it could be delayed a while for SMTP mail - sent to aliases. Suggested by Brad Knowles of the - Defense Information Systems Agency. - Call res_init() before setting RES_DEBUG; this is required by - BIND 4.9.3, or so I'm told. From Douglas Anderson of - the National Computer Security Center. - Add xdelay= field in logs -- this is a transaction delay, telling - you how long it took to deliver to this address on the - last try. It is intended to be used for sorting mailing - lists to favor "quick" addresses. Provided for use by - the mailprio scripts (see below). - If a map cannot be opened, and that map is non-optional, and - an address requires that map for resolution, queue the - map instead of bouncing it. This involves creating a - pseudo-class of maps called "bogus-map" -- if a required - map cannot be opened, the class is changed to bogus-map; - all queries against bogus-map return "tempfail". The - bogus-map class is not directly accessible. A sample - implementation was donated by Jem Taylor of Glasgow - University Computing Service. - Fix a possible core dump when mailing to a program that talks - SMTP on its standard input. Fix from Keith Moore of - the University of Kentucky. - Make it possible to resolve filenames to $#local $: @ /filename; - previously, the "@" would cause it to not be recognized - as a file. Problem noted by Brian Hill of U.C. Davis. - Accept a -1 signal to re-exec the daemon. This only works if - argv[0] is a full path to sendmail. - Fix bug in "addr=..." field in O option on little-endian machines - -- the network number wasn't being converted to network - byte order. Patch from Kurt Lidl of Pix Technologies - Corporation. - Pre-initialize the resolver early on; this is to avoid a bug with - BIND 4.9.3 that can cause the _res.retry field to get - reset to zero, causing all name server lookups to time - out. Fix from Matt Day of Artisoft. - Restore T line (trusted users) in config file -- but instead of - locking out the -f flag, they just tell whether or not - an X-Authentication-Warning: will be added. This really - just creates new entries in class 't', so "Ft/file/name" - can be used to read trusted user names from a file. - Trusted users are also allowed to execute programs even - if they have a shell that isn't in /etc/shells. - Improve NEWDB alias file rebuilding so it will create them - properly if they do not already exist. This had been - a MAYBENEXTRELEASE feature in 8.6.9. - Check for @:@ entry in NIS maps before starting up to avoid - (but not prevent, sigh) race conditions. This ought to - be handled properly in ypserv, but isn't. Suggested by - Michael Beirne of Motorola. - Refuse connections if there isn't enough space on the filesystem - holding the queue. Contributed by Robert Dana of Wolf - Communications. - Skip checking for directory permissions in the path to a file - when checking for file permissions iff setreuid() - succeeded -- it is unnecessary in that case. This avoids - significant performance problems when looking for .forward - files. Based on a suggestion by Win Bent of USC. - Allow symbolic ruleset names. Syntax can be "Sname" to get an - arbitrary ruleset number assigned or "Sname = integer" - to assign a specific ruleset number. Reference is - $>name_or_number. Names can be composed of alphas, digits, - underscore, or hyphen (first character must be non-numeric). - Allow -o flag on AliasFile lines to make the alias file optional. - From Bryan Costales of ICSI. - Add NoRecipientAction option to handle the case where there is - no legal recipient header in the message. It can take - on values: - None Leave the message as is. The - message will be passed on even - though it is in technically - illegal syntax. - Add-To Add a To: header with any - recipients that it can find from - the envelope. This risks exposing - Bcc: recipients. - Add-Apparently-To Add an Apparently-To: header. This - has almost no redeeming social value, - and is provided only for back - compatibility. - Add-To-Undisclosed Add a header reading - To: undisclosed-recipients:; - which will have the effect of - making the message legal without - exposing Bcc: recipients. - Add-Bcc To add an empty Bcc: header. - There is a chance that mailers down - the line will delete this header, - which could cause exposure of Bcc: - recipients. - The default is NoRecipientAction=None. - Truncate (rather than delete) Bcc: lines in the header. This - should prevent later sendmails (at least, those that don't - themselves delete Bcc:) from considering this message to - be non-conforming -- although it does imply that non-blind - recipients can see that a Bcc: was sent, albeit not to whom. - Add SafeFileEnvironment option. If declared, files named as delivery - targets must be regular files in addition to the regular - checks. Also, if the option is non-null then it is used as - the name of a directory that is used as a chroot(2) - environment for the delivery; the file names listed in an - alias or forward should include the name of this root. - For example, if you run with - O SafeFileEnvironment=/arch - then aliases should reference "/arch/rest/of/path". If a - value is given, sendmail also won't try to save to - /usr/tmp/dead.letter (instead it just leaves the job in the - queue as Qfxxxxxx). Inspired by *Hobbit*'s sendmail patch kit. - Support -A flag for alias files; this will comma concatenate like - entries. For example, given the aliases: - list: member1 - list: member2 - and an alias file declared as: - OAhash:-A /etc/aliases - the final alias inserted will be "list: member1,member2"; - without -A you will get an error on the second and subsequent - alias for "list". Contributed by Bryan Costales of ICSI. - Line-buffer transcript file. Suggested by Liudvikas Bukys. - Fix a problem that could cause very long addresses to core dump in - some special circumstances. Problem pointed out by Allan - Johannesen. - (Internal change.) Change interface to expand() (macro expansion) - to be simpler and more consistent. - Delete check for funny qf file names. This didn't really give - any extra security and caused some people some problems. - (If you -really- want this, define PICKY_QF_NAME_CHECK - at compile time.) Suggested by Kyle Jones of UUNET. - (Internal change.) Change EF_NORETURN to EF_NO_BODY_RETN and - merge with DSN code; this is simpler and more consistent. - This may affect some people who have written their own - checkcompat() routine. - (Internal change.) Eliminate `D' line in qf file. The df file - is now assumed to be the same name as the qf file (with - the `q' changed to a `d', of course). - Avoid forking for delivery if all recipient mailers are marked as - "expensive" -- this can be a major cost on some systems. - Essentially, this forces sendmail into "queue only" mode - if all it is going to do is queue anyway. - Avoid sending a null message in some rather unusual circumstances - (specifically, the RCPT command returns a temporary - failure but the connection is lost before the DATA - command). Fix from Scott Hammond of Secure Computing - Corporation. - Change makesendmail to use a somewhat more rational naming scheme: - Makefiles and obj directories are named $os.$rel.$arch, - where $os is the operating system (e.g., SunOS), $rel is - the release number (e.g., 5.3), and $arch is the machine - architecture (e.g., sun4). Any of these can be omitted, - and anything after the first dot in a release number can - be replaced with "x" (e.g., SunOS.4.x.sun4). The previous - version used $os.$arch.$rel and was rather less general. - Change makesendmail to do a "make depend" in the target directory - when it is being created. This involves adding an empty - "depend:" entry in most Makefiles. - Ignore IDENT return value if the OSTYPE field returns "OTHER", - as indicated by RFC 1413. Pointed out by Kari Hurtta - of the Finnish Meteorological Institute. - Fix problem that could cause multiple responses to DATA command - on header syntax errors (e.g., lines beginning with colons). - Problem noted by Jens Thomassen of the University of Oslo. - Don't let null bytes in headers cause truncation of the rest of - the header. - Log Authentication-Warning:s. Suggested by Motonori Nakamura. - Increase timeouts on message data puts to allow time for receivers - to canonify addresses in headers on the fly. This is still - a rather ugly heuristic. From Motonori Nakamura. - Add "HasWildcardMX" suboption to ResolverOptions; if set, MX - records are not used when canonifying names, and when MX - lookups are done for addressing they must be fully - qualified. This is useful if you have a wildcard MX record, - although it may cause other problems. In general, don't use - wildcard MX records. Patch from Motonori Nakamura. - Eliminate default two-line SMTP greeting message. Instead of - adding an extra "ESMTP spoken here" line, the word "ESMTP" - is added between the first and second word of the first - line of the greeting message (i.e., immediately after the - host name). This eliminates the need for the BROKEN_SMTP_PEERS - compile flag. Old sendmails won't see the ESMTP, but that's - acceptable because SIZE was the only useful extension that - old sendmails understand. - Avoid gethostbyname calls on UNIX domain sockets during SIGUSR1 - invoked state dumps. From Masaharu Onishi. - Allow on-line comments in .forward and :include: files; they are - introduced by the string "#@#", where - is a space or a tab. This is intended for native - representation of non-ASCII sets such as Japanese, where - existing encodings would be unreadable or would lose - data -- for example, - NAKAMURA Motonori - (romanized/less information) - =?ISO-2022-JP?B?GyRCQ2ZCPBsoQg==?= - =?ISO-2022-JP?B?GyRCQUdFNRsoQg==?= - (with MIME encoding, not human readable) - #@# ^[$BCfB<^[(B ^[$BAGE5^[(B - (native encoding with ISO-2022-JP) - The last form is human readable in the Japanese environment. - Based on a fix from (surprise!) Motonori Nakamura. - Don't make SMTP error returns on MAIL FROM: line be "sticky" for all - messages to that host; these are most frequently associated - with addresses rather than the host, with the exception of - 421 (service shutting down). The effect was to cause queues - to sometimes take an excessive time to flush. Reported by - Robert Sargent of Southern Geographics Technologies and - Eric Prestemon of American University. - Add Nice=N mailer option to set the niceness at which a mailer will - run. This is actually a relative niceness (that is, an - increment on the background value). - Log queue runs that are skipped due to high loads. They are logged - at LOG_INFO priority iff the log level is > 8. Contributed - by Bruce Nagel of Data General. - Allow the error mailer to accept a DSN-style error status code - instead of an sysexits status code in the host part. - Anything with a dot will be interpreted as a DSN-style code. - Add new mailer flag: F=3 will tell translations to Quoted-Printable - to encode characters that might be munged by an EBCDIC system - in addition to the set required by RFC 1521. The additional - characters are !, ", #, $, @, [, \, ], ^, `, {, |, }, and ~. - (Think of "IBM 360" as the mnemonic for this flag.) - Change check for mailing to files to look for a pathname of [FILE] - rather than looking for the mailer named *file*. The mapping - of leading slashes still goes to the *file* mailer. This - allows you to implement the *file* mailer as a separate - program, for example, to insert a Content-Length: header - or do special security policy. However, note that the usual - initial checking for the file permissions is still done, and - the program in question needs to be very careful about how - it does the file write to avoid security problems. - Be able to read ~root/.forward even if the path isn't accessible to - regular users. This is disrecommended because sendmail - sometimes does not run as root (e.g., when an unsafe option - is specified on the command line), but should otherwise be - safe because .forward files must be owned by the user for - whom mail is being forwarded, and cannot be a symbolic link. - Suggested by Forrest Aldrich of Wang Laboratories. - Add new "HostsFile" option that is the pathname to the /etc/hosts - file. This is used for canonifying hostnames when the - service type is "files". - Implement programs on F (read class from file) line. The syntax is - Fc|/path/to/program to read the output from the program - into class "c". - Probe the network interfaces to find alternate names for this - host. Requires the SIOCGIFCONF ioctl call. Code - contributed by SunSoft. - Add "E" configuration line to set or propagate environment - variables into children. "E" will propagate - the named variable from the environment when sendmail - was invoked into any children it calls; "E=" - sets the named variable to the indicated value. Any - variables not explicitly named will not be in the child - environment. However, sendmail still forces an - "AGENT=sendmail" environment variable, in part to enforce - at least one environment variable, since many programs and - libraries die horribly if this is not guaranteed. - Change heuristic for rebuilding both NEWDB and NDBM versions of - alias databases -- new algorithm looks for the substring - "/yp/" in the file name. This is more portable and involves - less overhead. Suggested by Motonori Nakamura. - Dynamically allocate the queue work list so that you don't lose - jobs in large queue runs. The old QUEUESIZE compile parameter - is replaced by QUEUESEGSIZE (the unit of allocation, which - should not need to be changed) and the MaxQueueRunSize option, - which is the absolute maximum number of jobs that will ever - be handled in a single queue run. Based on code contributed - by Brian Coan of the Institute for Global Communications. - Log message when a message is dropped because it exceeds the maximum - message size. Suggested by Leo Bicknell of Virginia Tech. - Allow trusted users (those on a T line or in $=t) to use -bs without - an X-Authentication-Warning: added. Suggested by Mark Thomas - of Mark G. Thomas Consulting. - Announce state of compile flags on -d0.1 (-d0.10 throws in the - OS-dependent defines). The old semantic of -d0.1 to not - run the daemon in background has been moved to -d99.100, - and the old 52.5 flag (to avoid disconnect() from closing - all output files) has been moved to 52.100. This makes - things more consistent (flags below .100 don't change - semantics) and separates out the backgrounding so that - it doesn't happen automatically on other unrelated debugging - flags. - If -t is used but no addresses are found in the header, give an - error message rather than just doing nothing. Fix from - Motonori Nakamura. - On systems (like SunOS) where the effective gid is not necessarily - included in the group list returned by getgroups(), the - `restrictmailq' option could sometimes cause an authorized - user to not be able to use `mailq'. Fix from Charles Hannum - of MIT. - Allow symbolic service names for [IPC] mailers. Suggested by - Gerry Magennis of Logica International. - Add DontExpandCnames option to prevent $[ ... $] from expanding CNAMEs - when running DNS. For example, if the name FTP.Foo.ORG is - a CNAME for Cruft.Foo.ORG, then when sitting on a machine in - the Foo.ORG domain a lookup of "FTP" returns "Cruft.Foo.ORG" - if this option is not set, or "FTP.Foo.ORG" if it is set. - This is technically illegal under RFC 822 and 1123, but the - IETF is moving toward legalizing it. Note that turning on - this option is not sufficient to guarantee that a downstream - neighbor won't rewrite the address for you. - Add "-m" flag to makesendmail script -- this tells you what object - directory and Makefile it will use, but doesn't actually do - the make. - Do some additional checking on the contents of the qf file to try - to detect attacks against the qf file. In particular, - abort on any line beginning "From ", and add an "end of - file" line -- any data after that line is prohibited. - Always use /etc/sendmail.cf, regardless of the arbitrary vendor - choices. This can be overridden in the Makefile by using - either -DUSE_VENDOR_CF_PATH to get the vendor location - (to the extent that we know it) or by defining - _PATH_SENDMAILCF (which is a "hard override"). This allows - sendmail 8 to have more consistent installation instructions. - Allow macros on `K' line in config file. Suggested by Andrew Chang - of Sun Microsystems. - Improved symbol table hash function from Eric Wassenaar. This one - is at least 50% faster. - Fix problem that didn't notice that timeout on file open was a - transient error. Fix from Larry Parmelee of Cornell - University. - Allow comments (lines beginning with a `#') in files read for - classes. Suggested by Motonori Nakamura. - Make SIGINT (usually ^C) in test mode return to the prompt instead - of dropping out entirely. This makes testing some of the - name server lookups easier to deal with when there are - hung servers. From Motonori Nakamura. - Add new ${opMode} macro that is set to the current operation mode - (e.g., `s' for -bs, `t' for -bt, etc.). Suggested by - Claude Marinier . - Add new delivery mode (Odd) that defers all map lookups to queue runs. - Kind of like queue-only mode (Odq) except it tries to avoid - any external service requests; for dial-on-demand hosts that - want to minimize DNS lookups when mail is being queued. For - this to work you will also have to make sure that gethostbyname - of your local host name does not do a DNS lookup. - Improved handling of "out of space" conditions from John Myers of - Carnegie Mellon. - Improved security for mailing to files on systems that have fchmod(2) - support. - Improve "cannot send message for N days" message -- now says "could - not send for past N days". Suggested by Tom Moore of AT&T - Global Information Solutions. - Less misleading Subject: line on messages sent to postmaster only. - From Motonori Nakamura. - Avoid duplicate error messages on bad command line flags. From - Motonori Nakamura. - Better error message for case where ruleset 0 falls off the end - or otherwise does not resolve to a canonical triple. - Fix a problem that could cause multiple bounce messages if a bad - address was sent along with a good address to an SMTP - site where that SMTP site returned a 4yz code in response - to the final dot of the data. Problem reported by David - James of British Telecom. - Add "volatile" declarations so that gcc -O2 will work. Patches - from Alexander Dupuy of System Management ARTS. - Delete duplicates in MX lists -- believe it or not, there are sites - that list the same host twice in an MX list. This deletion - only works on adjacent preferences, so an MX list that - had A=5, B=10, A=15 would leave both As, but one that had - A=5, A=10, B=15 would reduce to A, B. This is intentional, - just in case there is something weird I haven't thought of. - Suggested by Barry Shein of Software Tool & Die. - SECURITY: .forward files cannot be symbolic links. If they are, - a bad guy can read your private files. - PORTABILITY FIXES: - Solaris 2 from Rob McMahon . - System V Release 4 from Motonori Nakamura of Ritsumeikan - University. This expands the disk size - checking to include all (?) SVR4 configurations. - System V Release 4 from Kimmo Suominen -- initgroups(3) - and setrlimit(2) are both available. - System V Release 4 from sob@sculley.ffg.com -- some versions - apparently "have EX_OK defined in other headerfiles." - Linux Makefile typo. - Linux getusershell(3) is broken in Slackware 2.0 -- - from Andrew Pam of Xanadu Australia. - More Linux tweaking from John Kennedy of California State - University, Chico. - Cray changes from Eric Wassenaar: ``On Cray, shorts, - ints, and longs are all 64 bits, and all structs - are multiples of 64 bits. This means that the - sizeof operator returns only multiples of 8. - This requires adaptation of code that really - deals with 32 bit or 16 bit fields, such as IP - addresses or nameserver fields.'' - DG/UX 5.4.3 from Mark T. Robinson . To - get the old behavior, use -DDGUX_5_4_2. - DG/UX hack: add _FORCE_MAIL_LOCAL_=yes environment - variable to fix bogus /bin/mail behavior. - Tandem NonStop-UX from Rick McCarty . - This also cleans up some System V Release 4 compile - problems. - Solaris 2: sendmail.cw file should be in /etc/mail to - match all the other configuration files. Fix - from Glenn Barry of Emory University. - Solaris 2.3: compile problem in conf.c. Fix from Alain - Nissen of the University of Liege, Belgium. - Ultrix: freespace calculation was incorrect. Fix from - Takashi Kizu of Osaka University. - SVR4: running in background gets a SIGTTOU because the - emulation code doesn't realize that "getpeername" - doesn't require reading the file. Fix from Peter - Wemm of DIALix. - Solaris 2.3: due to an apparent bug in the socket emulation - library, sockets can get into a "wedged" state where - they just return EPROTO; closing and re-opening the - socket clears the problem. Fix from Bob Manson - of Ohio State University. - Hitachi 3050R & 3050RX running HI-UX/WE2: portability - fixes from Akihiro Hashimoto ("Hash") of Chiba - University. - AIX changes to allow setproctitle to work from Rainer Schöpf - of Zentrum für Datenverarbeitung der Universität - Mainz. - AIX changes for load average from Ed Ravin of NASA/Goddard. - SCO Unix from Chip Rosenthal of Unicom (code was using the - wrong statfs call). - ANSI C fixes from Adam Glass (NetBSD project). - Stardent Titan/ANSI C fixes from Kate Hedstrom of Rutgers - University. - DG-UX fixes from Bruce Nagel of Data General. - IRIX64 updates from Mark Levinson of the University of - Rochester Medical Center. - Altos System V (``the first UNIX/XENIX merge the Altos - did for their Series 1000 & Series 2000 line; - their merged code was licensed back to AT&T and - Microsoft and became System V release 3.2'') from - Tim Rice . - OSF/1 running on Intel Paragon from Jeff A. Earickson - of Intel Scalable Systems - Division. - Amdahl UTS System V 2.1.5 (SVr3-based) from Janet Jackson - . - System V Release 4 (statvfs semantic fix) from Alain - Durand of I.M.A.G. - HP-UX 10.x multiprocessor load average changes from - Scott Hutton and Jeff Sumler of Indiana University. - Cray CSOS from Scott Bolte of Cray Computer Corporation. - Unicos 8.0 from Douglas K. Rand of the University of North - Dakota, Scientific Computing Center. - Solaris 2.4 fixes from Sanjay Dani of Dani Communications. - ConvexOS 11.0 from Christophe Wolfhugel. - IRIX 4.0.5 from David Ashton-Reader of CADcentre. - ISC UNIX from J. J. Bailey. - HP-UX 9.xx on the 8xx series machines from Remy Giraud - of Meteo France. - HP-UX configuration from Tom Lane . - IRIX 5.2 and 5.3 from Kari E. Hurtta. - FreeBSD 2.0 from Mike Hickey of Federal Data Corporation. - Sony NEWS-OS 4.2.1R and 6.0.3 from Motonori Nakamura. - Omron LUNA unios-b, mach from Motonori Nakamura. - NEC EWS-UX/V 4.2 from Motonori Nakamura. - NeXT 2.1 from Bryan Costales. - AUX patch thanks to Mike Erwin of Apple Computer. - HP-UX 10.0 from John Beck of Hewlett-Packard. - Ultrix: allow -DBROKEN_RES_SEARCH=0 if you are using a - non-DEC resolver. Suggested by Allan Johannesen. - UnixWare 2.0 fixes from Petr Lampa of the Technical - University of Brno (Czech Republic). - KSR OS 1.2.2 support from Todd Miller of the University - of Colorado. - UX4800 support from Kazuhisa Shimizu of NEC. - MAKEMAP: allow -d flag to allow insertion of duplicate aliases - in type ``btree'' maps. The semantics of this are undefined - for regular maps, but it can be useful for the user database. - MAKEMAP: lock database file while rebuilding to avoid sendmail - lookups while the rebuild is going on. There is a race - condition between the open(... O_TRUNC ...) and the lock - on the file, but it should be quite small. - SMRSH: sendmail restricted shell added to the release. This can - be used as an alternative to /bin/sh for the "prog" mailer, - giving the local administrator more control over what - programs can be run from sendmail. - MAIL.LOCAL: add this local mailer to the tape. It is not really - part of the release proper, and isn't fully supported; in - particular, it does not run on System V based systems and - never will. - CONTRIB: a patch to rmail.c from Bill Gianopoulos of Raytheon - to allow rmail to compile on systems that don't have - function prototypes and systems that don't have snprintf. - CONTRIB: add the "mailprio" scripts that will help you sort mailing - lists by transaction delay times so that addresses that - respond quickly get sent first. This is to prevent very - sluggish servers from delaying other peoples' mail. - Contributed by Tony Sanders of BSDI. - CONTRIB: add the "bsdi.mc" file as contributed by Tony Sanders - of BSDI. This has a lot of comments to help people out. - CONFIG: Don't have .mc files include(../m4/cf.m4) -- instead, - put this on the m4 command line. On GNU m4 (which - supports the __file__ primitive) you can run m4 in an - arbitrary directory -- use either: - m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf - or - m4 -I${CFDIR} m4/cf.m4 config.mc > config.cf - On other versions of m4 that don't support __file__, you - can use: - m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ... - (Note the trailing slash on the _CF_DIR_ definition.) - Old versions of m4 will default to _CF_DIR_=.. for back - compatibility. - CONFIG: fix mail from <> so it will properly convert to - MAILER-DAEMON on local addresses. - CONFIG: fix code that was supposed to catch colons in host - names. Problem noted by John Gardiner Myers of CMU. - CONFIG: allow use of SMTP_MAILER_MAX in nullclient configuration. - From Paul Riddle of the University of Maryland, Baltimore - County. - CONFIG: Catch and reject "." as a host address. - CONFIG: Generalize domaintable to look up all domains, not - just unqualified ones. - CONFIG: Delete OLD_SENDMAIL support -- as near as I can tell, it - was never used and didn't work anyway. - CONFIG: Set flags A, w, 5, :, /, |, and @ on the "local" mailer - and d on all mailers in the UUCP class. - CONFIG: Allow "user+detail" to be aliased specially: it will first - look for an alias for "user+detail", then for "user+*", and - finally for "user". This is intended for forwarding mail - for system aliases such as root and postmaster to a - centralized hub. - CONFIG: add confEIGHT_BIT_HANDLING to set option 8 (see above). - CONFIG: add smtp8 mailer; this has the F=8 (just-send-8) flag set. - The F=8 flag is also set on the "relay" mailer, since - this is expected to be another sendmail. - CONFIG: avoid qualifying all UUCP addresses sent via SMTP with - the name of the UUCP_RELAY -- in some cases, this is the - wrong value (e.g., when we have local UUCP connections), - and this can create unreplyable addresses. From Chip - Rosenthal of Unicom. - CONFIG: add confRECEIVED_HEADER to change the format of the - Received: header inserted into all messages. Suggested by - Gary Mills of the University of Manitoba. - CONFIG: Make "notsticky" the default; use FEATURE(stickyhost) - to get the old behavior. I did this upon observing - that almost everyone needed this feature, and that the - concept I was trying to make happen didn't work with - some user agents anyway. FEATURE(notsticky) still works, - but it is a no-op. - CONFIG: Add LUSER_RELAY -- the host to which unrecognized user - names are sent, rather than immediately diagnosing them - as User Unknown. - CONFIG: Add SMTP_MAILER_ARGS, ESMTP_MAILER_ARGS, SMTP8_MAILER_ARGS, - and RELAY_MAILER_ARGS to set the arguments for the - indicated mailers. All default to "IPC $h". Patch from - Larry Parmelee of Cornell University. - CONFIG: pop mailer needs F=n flag to avoid "annoying side effects - on the client side" and F=P to get an appropriate - return-path. From Kimmo Suominen. - CONFIG: add FEATURE(local_procmail) to use the procmail program - as the local mailer. For addresses of the form "user+detail" - the "detail" part is passed to procmail via the -a flag. - Contributed by Kimmo Suominen. - CONFIG: add MAILER(procmail) to add an interface to procmail for - use from mailertables. This lets you execute arbitrary - procmail scripts. Contributed by Kimmo Suominen. - CONFIG: add T= fields (MTS type) to local, smtp, and uucp mailers. - CONFIG: add OSTYPE(ptx2) for DYNIX/ptx 2.x from Sequent. From - Paul Southworth of CICNet Systems Support. - CONFIG: use -a$g as default to UUCP mailers, instead of -a$f. - This causes the null return path to be rewritten as - MAILER-DAEMON; otherwise UUCP gets horribly confused. - From Michael Hohmuth of Technische Universitat Dresden. - CONFIG: Add FEATURE(bestmx_is_local) to cause any hosts that - list us as the best possible MX record to be treated as - though they were local (essentially, assume that they - are included in $=w). This can cause additional DNS - traffic, but is easier to administer if this fits your - local model. It does not work reliably if there are - multiple hosts that share the best MX preference. - Code contributed by John Oleynick of Rutgers. - CONFIG: Add FEATURE(smrsh) to use smrsh (the SendMail Restricted - SHell) instead of /bin/sh as the program used for delivery - to programs. If an argument is included, it is used as - the path to smrsh; otherwise, /usr/local/etc/smrsh is - assumed. - CONFIG: Add LOCAL_MAILER_MAX and PROCMAILER_MAILER_MAX to limit the - size of messages to the local and procmail mailers - respectively. Contributed by Brad Knowles of the Defense - Information Systems Agency. - CONFIG: Handle leading ``phrase:'' and trailing ``;'' as comments - (just like text outside of angle brackets) in order to - properly deal with ``group: addr1, ... addrN;'' syntax. - CONFIG: Require OSTYPE macro (the defaults really don't apply to - any real systems any more) and tweak the DOMAIN macro - so that it is less likely that users will accidentally use - the Berkeley defaults. Also, create some generic files - that really can be used in the real world. - CONFIG: Add new configuration macros to set character sets for - messages _arriving from_ various mailers: LOCAL_MAILER_CHARSET, - SMTP_MAILER_CHARSET, and UUCP_MAILER_CHARSET. - CONFIG: Change UUCP_MAX_SIZE to UUCP_MAILER_MAX for consistency. - The old name will still be accepted for a while at least. - CONFIG: Implement DECNET_RELAY as spec for host to which DECNET - mail (.DECNET pseudo-domain or node::user) will be sent. - As with all relays, it can be ``mailer:hostname''. Suggested - by Scott Hutton. - CONFIG: Add MAILER(mail11) to get DECnet support. Code contributed - by Barb Dijker of Labyrinth Computer Services. - CONFIG: change confCHECK_ALIASES to default to False -- it has poor - performance for large alias files, and this confused many - people. - CONFIG: Add confCF_VERSION to append local information to the - configuration version number displayed during SMTP startup. - CONFIG: fix some.newsgroup.usenet@local.host syntax (previously it - would only work when locally addressed. Fix from - Edvard Tuinder of Cistron Internet Services. - CONFIG: use ${opMode} to avoid error on .REDIRECT addresses if option - "n" (CheckAliases) is set when rebuilding alias database. - Based on code contributed by Claude Marinier. - CONFIG: Allow mailertable to have values of the form - ``error:code message''. The ``code'' is a status code - derived from the sysexits codes -- e.g., NOHOST or UNAVAILABLE. - Contributed by David James . - CONFIG: add MASQUERADE_DOMAIN(domain list) to extend the list of - sender domains that will be replaced with the masquerade name. - These domains will not be treated as local, but if mail passes - through with sender addresses in those domains they will be - replaced by the masquerade name. These can also be specified - in a file using MASQUERADE_DOMAIN_FILE(filename). - CONFIG: add FEATURE(masquerade_envelope) to masquerade the envelope - as well as the header. Substantial improvements to this - code were contributed by Per Hedeland. - CONFIG: add MAILER(phquery) to define a new "ph" mailer; this can be - accessed from a mailertable to do CCSO ph lookups. Contributed - by Kimmo Suominen. - CONFIG: add MAILER(cyrus) to define a new Cyrus mailer; this can be - used to define cyrus and cyrusbb mailers (for IMAP support). - Contributed by John Gardiner Myers of Carnegie Mellon. - CONFIG: add confUUCP_MAILER to select default mailer to use for - UUCP addressing. Suggested by Tom Moore of AT&T GIS. - NEW FILES: - cf/cf/cs-hpux10.mc - cf/cf/cs-solaris2.mc - cf/cf/cyrusproto.mc - cf/cf/generic-bsd4.4.mc - cf/cf/generic-hpux10.mc - cf/cf/generic-hpux9.mc - cf/cf/generic-osf1.mc - cf/cf/generic-solaris2.mc - cf/cf/generic-sunos4.1.mc - cf/cf/generic-ultrix4.mc - cf/cf/huginn.cs.mc - cf/domain/berkeley-only.m4 - cf/domain/generic.m4 - cf/feature/bestmx_is_local.m4 - cf/feature/local_procmail.m4 - cf/feature/masquerade_envelope.m4 - cf/feature/smrsh.m4 - cf/feature/stickyhost.m4 - cf/feature/use_ct_file.m4 - cf/m4/cfhead.m4 - cf/mailer/cyrus.m4 - cf/mailer/mail11.m4 - cf/mailer/phquery.m4 - cf/mailer/procmail.m4 - cf/ostype/amdahl-uts.m4 - cf/ostype/bsdi2.0.m4 - cf/ostype/hpux10.m4 - cf/ostype/irix5.m4 - cf/ostype/isc4.1.m4 - cf/ostype/ptx2.m4 - cf/ostype/unknown.m4 - contrib/bsdi.mc - contrib/mailprio - contrib/rmail.oldsys.patch - mail.local/mail.local.0 - makemap/makemap.0 - smrsh/README - smrsh/smrsh.0 - smrsh/smrsh.8 - smrsh/smrsh.c - src/Makefiles/Makefile.CSOS - src/Makefiles/Makefile.EWS-UX_V - src/Makefiles/Makefile.HP-UX.10 - src/Makefiles/Makefile.IRIX.5.x - src/Makefiles/Makefile.IRIX64 - src/Makefiles/Makefile.ISC - src/Makefiles/Makefile.KSR - src/Makefiles/Makefile.NEWS-OS.4.x - src/Makefiles/Makefile.NEWS-OS.6.x - src/Makefiles/Makefile.NEXTSTEP - src/Makefiles/Makefile.NonStop-UX - src/Makefiles/Makefile.Paragon - src/Makefiles/Makefile.SCO.3.2v4.2 - src/Makefiles/Makefile.SunOS.5.3 - src/Makefiles/Makefile.SunOS.5.4 - src/Makefiles/Makefile.SunOS.5.5 - src/Makefiles/Makefile.UNIX_SV.4.x.i386 - src/Makefiles/Makefile.uts.systemV - src/Makefiles/Makefile.UX4800 - src/aliases.0 - src/mailq.0 - src/mime.c - src/newaliases.0 - src/sendmail.0 - test/t_seteuid.c - RENAMED FILES: - cf/cf/alpha.mc => cf/cf/s2k-osf1.mc - cf/cf/chez.mc => cf/cf/chez.cs.mc - cf/cf/hpux-cs-exposed.mc => cf/cf/cs-hpux9.mc - cf/cf/osf1-cs-exposed.mc => cf/cf/cs-osf1.mc - cf/cf/s2k.mc => cf/cf/s2k-ultrix4.mc - cf/cf/sunos4.1-cs-exposed.mc => cf/cf/cs-sunos4.1.mc - cf/cf/ultrix4.1-cs-exposed.mc => cf/cf/cs-ultrix4.mc - cf/cf/vangogh.mc => cf/cf/vangogh.cs.mc - cf/domain/Berkeley.m4 => cf/domain/Berkeley.EDU.m4 - cf/domain/cs-exposed.m4 => cf/domain/CS.Berkeley.EDU.m4 - cf/domain/eecs-hidden.m4 => cf/domain/EECS.Berkeley.EDU.m4 - cf/domain/s2k.m4 => cf/domain/S2K.Berkeley.EDU.m4 - cf/ostype/hpux.m4 => cf/ostype/hpux9.m4 - cf/ostype/irix.m4 => cf/ostype/irix4.m4 - cf/ostype/ultrix4.1.m4 => cf/ostype/ultrix4.m4 - src/Makefile.* => src/Makefiles/Makefile.* - src/Makefile.AUX => src/Makefiles/Makefile.A-UX - src/Makefile.BSDI => src/Makefiles/Makefile.BSD-OS - src/Makefile.DGUX => src/Makefiles/Makefile.dgux - src/Makefile.RISCos => src/Makefiles/Makefile.UMIPS - src/Makefile.SunOS.4.0.3 => src/Makefiles/Makefile.SunOS.4.0 - OBSOLETED FILES: - cf/cf/cogsci.mc - cf/cf/cs-exposed.mc - cf/cf/cs-hidden.mc - cf/cf/hpux-cs-hidden.mc - cf/cf/knecht.mc - cf/cf/osf1-cs-hidden.mc - cf/cf/sunos3.5-cs-exposed.mc - cf/cf/sunos3.5-cs-hidden.mc - cf/cf/sunos4.1-cs-hidden.mc - cf/cf/ultrix4.1-cs-hidden.mc - cf/domain/cs-hidden.m4 - contrib/rcpt-streaming - src/Makefiles/Makefile.SunOS.5.x - -8.6.13/8.6.12 96/01/25 - SECURITY: In some cases it was still possible for an attacker to - insert newlines into a queue file, thus allowing access to - any user (except root). - CONFIG: no changes -- it is not a bug that the configuration - version number is unchanged. - -8.6.12/8.6.12 95/03/28 - Fix to IDENT code (it was getting the size of the reply buffer - too small, so nothing was ever accepted). Fix from several - people, including Allan Johannesen, Shane Castle of the - Boulder County Information Services, and Jeff Smith of - Warwick University (all arrived within a few hours of - each other!). - Fix a problem that could cause large jobs to run out of - file descriptors on systems that use vfork() rather - than fork(). - -8.6.11/8.6.11 95/03/08 - The ``possible attack'' message would be logged more often - than necessary if you are using Pine as a user agent. - The wrong host would be reported in the ``possible attack'' - message when attempted from IDENT. - In some cases the syslog buffer could be overflowed when - reporting the ``possible attack'' message. This can - cause denial of service attacks. Truncate the message - to 80 characters to prevent this problem. - When reading the IDENT response a loop is needed around the - read from the network to ensure that you don't get - partial lines. - Password entries without any shell listed (that is, a null - shell) wouldn't match as "ok". Problem noted by - Rob McMahon. - When running BIND 4.9.x a problem could occur because the - _res.options field is initialized differently than it - was historically -- this requires that sendmail call - res_init before it tweaks any bits. - Fix an incompatibility in openxscript() between the file open mode - and the stdio mode passed to fdopen. This caused UnixWare - 2.0 to have conniptions. Fix from Martin Sohnius of - Novell Labs Europe. - Fix problem with static linking of local getopt routine when - using GNU's ld command. Fix from John Kennedy of - Cal State Chico. - It was possible to turn off privacy flags. Problem noted by - *Hobbit*. - Be more paranoid about writing files. Suggestions by *Hobbit* - and Liudvikas Bukys. - MAKEMAP: fixes for 64 bit machines (DEC Alphas in particular) - from Spider Boardman. - CONFIG: No changes (version number only, to keep it in sync - with the binaries). - -8.6.10/8.6.10 95/02/10 - SECURITY: Diagnose bogus values to some command line flags that - could allow trash to get into headers and qf files. - Validate the name of the user returned by the IDENT protocol. - Some systems that really dislike IDENT send intentionally - bogus information. Problem pointed out by Michael Bushnell - of the Free Software Foundation. Has some security - implications. - Fix a problem causing error messages about DNS problems when - the host name contained a percent sign to act oddly - because it was passed as a printf-style format string. - In some cases this could cause core dumps. - Avoid possible buffer overrun in returntosender() if error - message is quite long. From Fletcher Mattox of the - University of Texas. - Fix a problem that would silently drop "too many hops" error - messages if and only if you were sending to an alias. - From Jon Giltner of the University of Colorado and - Dan Harton of Oak Ridge National Laboratory. - Fix a bug that caused core dumps on some systems if -d11.2 was - set and e->e_message was null. Fix from Bruce Nagel of - Data General. - Fix problem that can still cause df files to be left around - after "hop count exceeded" messages. Fix from Andrew - Chang and Shau-Ping Lo of SunSoft. - Fix a problem that can cause buffer overflows on very long - user names (as might occur if you piped to a program - with a lot of arguments). - Avoid returning an error and re-queueing if the host signature - is null; this can occur on addresses like ``user@.''. - Problem noted by Wesley Craig and the University of - Michigan. - Avoid possible calls to malloc(0) if MCI caching is turned - off. Bug fix from Pierre David of the Laboratoire - Parallelisme, Reseaux, Systemes et Modelisation (PRiSM), - Universite de Versailles - St Quentin, and Jacky - Thibault. - Make a local copy of the line being sent via senttolist() -- in - some cases, buffers could get trashed by map lookups - causing it to do unexpected things. This also simplifies - some of the map code. - CONFIG: No changes (version number only, to keep it in sync - with the binaries). - -8.6.9/8.6.9 94/04/19 - Do all mail delivery completely disconnected from any terminal. - This provides consistency with daemon delivery and - may have some security implications. - Make sure that malloc doesn't get called with zero size, - since that fails on some systems. Reported by Ed - Hill of the University of Iowa. - Fix multi-line values for $e (SMTP greeting message). Reported - by Mike O'Connor of Ford Motor Company. - Avoid syserr if no NIS domain name is defined, but the map it - is trying to open is optional. From Win Bent of USC. - Changes for picky compilers from Ed Gould of Digital Equipment. - Hesiod support for UDB from Todd Miller of the University of - Colorado. Use "hesiod" as the service name in the U - option. - Fix a problem that failed to set the "authentic" host name (that - is, the one derived from the socket info) if you called - sendmail -bs from inetd. Based on code contributed by - Todd Miller (this problem was also reported by Guy Helmer - of Dakota State University). This also fixes a related - problem reported by Liudvikas Bukys of the University of - Rochester. - Parameterize "nroff -h" in all the Makefiles so people with - variant versions can use them easily. Suggested by - Peter Collinson of Hillside Systems. - SMTP "MAIL" commands with multiple ESMTP parameters required two - spaces between parameters instead of one. Reported by - Valdis Kletnieks of Virginia Tech. - Reduce the number of system calls during message collection by - using global timeouts around the collect() loop. This - code was contributed by Eric Wassenaar. - If the initial hostname name gathering results in a name - without a dot (usually caused by NIS misconfiguration) - and BIND is compiled in, directly access DNS to get - the canonical name. This should make life easier for - Solaris systems. If it still can't be resolved, and - if the name server is listed as "required", try again - in 30 seconds. If that also fails, exit immediately to - avoid bogus "config error: mail loops back to myself" - messages. - Improve the "MAIL DELETED BECAUSE OF LACK OF DISK SPACE" error - message to explain how much space was available and - sound a bit less threatening. Suggested by Stan Janet - of the National Institute of Standards and Technology. - If mail is delivered to an alias that has an owner, deliver any - requested return-receipt immediately, and strip the - Return-Receipt-To: header from the subsequent message. - This prevents a certain class of denial of service - attack, arguably gives more reasonable semantics, and - moves things more towards what will probably become a - network standard. Suggested by Christopher Davis of - Kapor Enterprises. - Add a "noreceipts" privacy flag to turn off all return receipts - without recompiling. - Avoid printing ESMTP parameters as part of the error message - if there are errors during parsing. This change is - purely cosmetic. - Avoid sending out error messages during the collect phase of - SMTP; there is an MVS mailer from UCLA that gets - confused by this. Of course, I think it's their bug.... - Check for the $j macro getting undefined, losing a dot, or getting - lost from $=w in the daemon before accepting a connection; - if it is, it dumps state, prints a LOG_ALERT message, - and drops core for debugging. This is an attempt to - track down a bug that I thought was long since gone. - If you see this, please forward the log fragment to - sendmail@sendmail.ORG. - Change OLD_NEWDB from a #ifdef to a #if so it can be turned off - with -DOLD_NEWDB=0 on the command line. From Christophe - Wolfhugel. - Instead of trying to truncate the listen queue for the server - SMTP port when the load average is too high, just close - the port completely and reopen it later as needed. - This ensures that the other end gets a quick "connection - refused" response, and that the connection can be - recovered later. In particular, some socket emulations - seem to get confused if you tweak the listen queue - size around and can never start listening to connections - again. The down side is that someone could start up - another daemon process in the interim, so you could - have multiple daemons all not listening to connections; - this could in turn cause the sendmail.pid file to be - incorrect. A better approach might be to accept the - connection and give a 421 code, but that could break - other mailers in mysterious ways and have paging behavior - implications. - Fix a glitch in TCP-level debugging that caused flag 16.101 to - set debugging on the wrong socket. From Eric Wassenaar. - When creating a df* temporary file, be sure you truncate any - existing data in the file -- otherwise system crashes - and the like could result in extra data being sent. - DOC: Replace the CHANGES-R5-R8 readme file with a paper in the - doc directory. This includes some additional - information. - CONFIG: change UUCP rules to never add $U! or $k! on the front - of recipient envelope addresses. This should have been - handled by the $&h trick, but broke if people were - mixing domainized and UUCP addresses. They should - probably have converted all the way over to uucp-uudom - instead of uucp-{new,old}, but the failure mode was to - loop the mail, which was bad news. - Portability fixes: - Newer BSDI systems (several people). - Older BSDI systems from Christophe Wolfhugel. - Intergraph CLIX, from Paul Southworth of CICNet. - UnixWare, from Evan Champion. - NetBSD from Adam Glass. - Solaris from Quentin Campbell of the University of - Newcastle upon Tyne. - IRIX from Dean Cookson and Bill Driscoll of Mitre - Corporation. - NCR 3000 from Kevin Darcy of Chrysler Financial Corporation. - SunOS (it has setsid() and setvbuf() calls) from - Jonathan Kamens of OpenVision Technologies. - HP-UX from Tor Lillqvist. - New Files: - src/Makefile.CLIX - src/Makefile.NCR3000 - doc/changes/Makefile - doc/changes/changes.me - doc/changes/changes.ps - -8.6.8/8.6.6 94/03/21 - SECURITY: it was possible to read any file as root using the - E (error message) option. Reported by Richard Jones; - fixed by Michael Corrigan and Christophe Wolfhugel. - -8.6.7/8.6.6 94/03/14 - SECURITY: it was possible to get root access by using weird - values to the -d flag. Thanks to Alain Durand of - INRIA for forwarding me the notice from the bugtraq - list. - -8.6.6/8.6.6 94/03/13 - SECURITY: the ability to give files away on System V-based - systems proved dangerous -- don't run as the owner - of a :include: file on a system that allows giveaways. - Unfortunately, this also applies to determining a - valid shell. - IMPORTANT: Previous versions weren't expiring old connections - in the connection cache for a long time under some - circumstances. This could result in resource exhaustion, - both at your end and at the other end. This checks the - connections for timeouts much more frequently. From - Doug Anderson of NCSC. - Fix a glitch that snuck in that caused programs to be run as - the sender instead of the recipient if the mail was - from a local user to another local user. From - Motonori Nakamura of Kyoto University. - Fix "wildcard" on /etc/shells matching -- instead of looking - for "*", look for "/SENDMAIL/ANY/SHELL/". From - Bryan Costales of ICSI. - Change the method used to declare the "statfs" availability; - instead of HASSTATFS and/or HASUSTAT with a ton of - tweaking in conf.c, there is a single #define called - SFS_TYPE which takes on one of six values (SFS_NONE - for no statfs availability, SFS_USTAT for the ustat(2) - syscall, SFS_4ARGS for a four argument statfs(2) call, - and SFS_VFS, SFS_MOUNT, or SFS_STATFS for a two argument - statfs(2) call with the declarations in , - , or respectively). - Fix glitch in NetInfo support that could return garbage if - there was no "/locations/sendmail" property. From - David Meyer of the University of Virginia. - Change HASFLOCK from defined/not-defined to a 0/1 definition - to allow Linux to turn it off even though it is a - BSD-like system. - Allow setting of "ident" timeout to zero to turn off the ident - protocol entirely. - Make 7-bit stripping local to a connection (instead of to a - mailer); this allows you to specify that SMTP is a - 7-bit channel, but revert to 8-bit should it advertise - that it supports 8BITMIME. You still have to specify - mailer flag 7 to get this stripping at all. - Improve makesendmail script so it handles more cases automatically. - Tighten up restrictions on taking ownership of :include: files - to avoid problems on systems that allow you to give away - files. - Fix a problem that made it impossible to rebuild the alias - file if it was on a read-only file system. From - Harry Edmon of the University of Washington. - Improve MX randomization function. From John Gardiner Myers - of CMU. - Fix a minor glitch causing a bogus message to be printed (used - %s instead of %d in a printf string for the line number) - when a bad queue file was read. From Harry Edmon. - Allow $s to remain NULL on locally generated mail. I'm not - sure this is necessary, but a lot of people have complained - about it, and there is a legitimate question as to whether - "localhost" is legal as an 822-style domain. - Fix a problem with very short line lengths (mailer L= flag) in - headers. This causes a leading space to be added onto - continuation lines (including in the body!), and also - tries to wrap headers containing addresses (From:, To:, - etc) intelligently at the shorter line lengths. Problem - Reported by Lars-Johan Liman of SUNET Operations Center. - Log the real user name when logging syserrs, since these can have - security implications. Suggested by several people. - Fix address logging of cached connections -- it used to always - log the numeric address as zero. This is a somewhat - bogus implementation in that it does an extra system - call, but it should be an inexpensive one. Fix from - Motonori Nakamura. - Tighten up handling of short syslog buffers even more -- there - were cases where the outgoing relay= name was too long - to share a line with delay= and mailer= logging. - Limit the overhead on split envelopes to one open file descriptor - per envelope -- previously the overhead was three - descriptors. This was in response to a problem reported - by P{r (Pell) Emanuelsson. - Fixes to better handle the case of unexpected connection closes; - this redirects the output to the transcript so the info - is not lost. From Eric Wassenaar. - Fix potential string overrun if you macro evaluate a string that - has a naked $ at the end. Problem noted by James Matheson - . - Make default error number on $#error messages 553 (``Requested - action not taken: mailbox name not allowed'') instead of - 501 (``Syntax error in parameters or arguments'') to - avoid bogus "protocol error" messages. - Strip off any existing trailing dot on names during $[ ... $] - lookup. This prevents it from ending up with two dots - on the end of dot terminated names. From Wesley Craig - of the University of Michigan and Bryan Costales of ICSI. - Clean up file class reading so that the debugging information is - more informative. It hadn't been using setclass, so you - didn't see the class items being added. - Avoid core dump if you are running a version of sendmail where - NIS is compiled in, and you specify an NIS map, but - NIS is not running. Fix from John Oleynick of - Rutgers. - Diagnose bizarre case where res_search returns a failure value, - but sets h_errno to a success value. - Make sure that "too many hops" messages are considered important - enough to send an error to the Postmaster (that is, the - address specified in the P option). This fix should - help problems that cause the df file to be left around - sometimes -- unfortunately, I can't seem to reproduce - the problem myself. - Avoid core dump (null pointer reference) on EXPN command; this - only occurred if your log level was set to 10 or higher - and the target account was an alias or had a .forward file. - Problem noted by Janne Himanka. - Avoid "denial of service" attacks by someone who is flooding your - SMTP port with bad commands by shutting the connection - after 25 bad commands are issued. From Kyle Jones of - UUNET. - Fix core dump on error messages with very long "to" buffers; - fmtmsg overflows the message buffer. Fixed by trimming - the to address to 203 characters. Problem reported by - John Oleynick. - Fix configuration for HASFLOCK -- there were some spots where - a #ifndef was incorrectly #ifdef. Pointed out by - George Baltz of the University of Maryland. - Fix a typo in savemail() that could cause the error message To: - lists to be incorrect in some places. From Motonori - Nakamura. - Fix a glitch that can cause duplicate error messages on split - envelopes where an address on one of the lists has a - name server failure. Fix from Voradesh Yenbut of the - University of Washington. - Fix possible bogus pointer reference on ESMTP parameters that - don't have an ``=value'' part. - CNAME loops caused an error message to be generated, but also - re-queued the message. Changed to just re-queue the - message (it's really hard to just bounce it because - of the weird way the name server works in the presence - of CNAME loops). Problem noted by James M.R.Matheson - of Cambridge University. - Avoid giving ``warning: foo owned process doing -bs'' messages - if they use ``MAIL FROM:'' where foo is their true - user name. Suggested by Andreas Stolcke of ICSI. - Change the NAMED_BIND compile flag to be a 0/1 flag so you can - override it easily in the Makefile -- that is, you can - turn it off using -DNAMED_BIND=0. - If a gethostbyname(...) of an address with a trailing dot fails, - try it without the trailing dot. This is because if - you have a version of gethostbyname() that falls back - to NIS or the /etc/hosts file it will fail to find - perfectly reasonable names that just don't happen to - be dot terminated in the hosts file. You don't want to - strip the dot first though because we're trying to ensure - that country names that match one of your subdomains get - a chance. - PRALIASES: fix bogus output on non-null-terminated strings. - From Bill Gianopoulos of Raytheon. - CONFIG: Avoid rewriting anything that matches $w to be $j. - This was in code intended to only catch the self-literal - address (that is, [1.2.3.4], where 1.2.3.4 is your - IP address), but the code was broken. However, it will - still do this if $M is defined; this is necessary to - get client configurations to work (sigh). Note that this - means that $M overrides :mailname entries in the user - database! Problem noted by Paul Southworth. - CONFIG: Fix definition of Solaris help file location. From - Steve Cliffe . - CONFIG: Fix bug that broke news.group.USENET mappings. - CONFIG: Allow declaration of SMTP_MAILER_MAX, FAX_MAILER_MAX, - and USENET_MAILER_MAX to tweak the maximum message - size for various mailers. - CONFIG: Change definition of USENET_MAILER_ARGS to include argv[0] - instead of assuming that it is "inews" for consistency - with other mailers. From Michael Corrigan of UC San Diego. - CONFIG: When mail is forwarded to a LOCAL_RELAY or a MAIL_HUB, - qualify the address in the SMTP envelope as user@{relay|hub} - instead of user@$j. From Bill Wisner of The Well. - CONFIG: Fix route-addr syntax in nullrelay configuration set. - CONFIG: Don't turn off case mapping of user names in the local - mailer for IRIX. This was different than most every other - system. - CONFIG: Avoid infinite loops on certainly list:; syntaxes in - envelope. Noted by Thierry Besancon - . - CONFIG: Don't include -z by default on uux line -- most systems - don't want it set by default. Pointed out by Philippe - Michel of Thomson CSF. - CONFIG: Fix some bugs with mailertables -- for example, if your - host name was foo.bar.ray.com and you matched against - ".ray.com", the old implementation bound %1 to "bar" - instead of "foo.bar". Also, allow "." in the mailertable - to match anything -- essentially, take over SMART_HOST. - This also moves matching of explicit local host names - before the mailertable so they don't have to be special - cased in the mailertable data. Reported by Bill - Gianopoulos of Raytheon; the fix for the %1 binding - problem was contributed by Nicholas Comanos of the - University of Sydney. - CONFIG: Don't include "root" in class $=L (users to deliver - locally, even if a hub or relay exists) by default. - This is because of the known bug where definition of - both a LOCAL_RELAY and a MAIL_HUB causes $=L to ignore - both and deliver into the local mailbox. - CONFIG: Move up bitdomain and uudomain handling so that they - are done before .UUCP class matching; uudomain was - reported as ineffective before. This also frees up - diversion 8 for future use. Problem reported by Kimmo - Suominen. - CONFIG: Don't try to convert dotted IP address (e.g., [1.2.3.4]) - into host names. As pointed out by Jonathan Kamens, - these are often used because either the forward or reverse - mapping is broken; this translation makes it broken again. - DOC: Clarify $@ and $: in the Install & Op Guide. From Kimmo - Suominen. - Portability fixes: - Unicos from David L. Kensiski of Sterling Software. - DomainOS from Don Lewis of Silicon Systems. - GNU m4 1.0.3 from Karst Koymans of Utrecht University. - Convex from Kimmo Suominen . - NetBSD from Adam Glass . - BSD/386 from Tony Sanders of BSDI. - Apollo from Eric Wassenaar. - DGUX from Doug Anderson. - Sequent DYNIX/ptx 2.0 from Tim Wright of Sequent. - NEW FILES: - src/Makefile.DomainOS - src/Makefile.PTX - src/Makefile.SunOS.5.1 - src/Makefile.SunOS.5.2 - src/Makefile.SunOS.5.x - src/mailq.1 - cf/ostype/domainos.m4 - doc/op/Makefile - doc/intro/Makefile - doc/usenix/Makefile - -8.6.5/8.6.5 94/01/13 - Security fix: /.forward could be owned by anyone (the test - to allow root to own any file was backwards). From - Bob Campbell at U.C. Berkeley. - Security fix: group ids were not completely set when programs - were invoked. This caused programs to have group - permissions they should not have had (usually group - daemon instead of their own group). In particular, - Perl scripts would refuse to run. - Security: check to make sure files that are written are not - symbolic links (at least under some circumstances). - Although this does not respond to a specific known - attack, it's just a good idea. Suggested by - Christian Wettergren. - Security fix: if a user had an NFS mounted home directory on - a system with a restricted shell listed in their - /etc/passwd entry, they could still execute any - program by putting that in their .forward file. - This fix prevents that by insisting that their shell - appear in /etc/shells before allowing a .forward to - execute a program or write a file. You can disable - this by putting "*" in /etc/shells. It also won't - permit world-writable :include: files to reference - programs or files (there's no way to disable this). - These behaviors are only one level deep -- for - example, it is legal for a world-writable :include: - file to reference an alias that writes a file, on - the assumption that the alias file is well controlled. - Security fix: root was not treated suspiciously enough when - looking into subdirectories. This would potentially - allow a cracker to examine files that were publicly - readable but in a non-publicly searchable directory. - Fix a problem that causes an error on QUIT on a cached - connection to create problems on the current job. - These are typically unrelated, so errors occur in - the wrong place. - Reset CurrentLA in sendall() -- this makes sendmail queue - runs more responsive to load average, and fixes a - problem that ignored the load average in locally - generated mail. From Eric Wassenaar. - Fix possible core dump on aliases with null LHS. From - John Orthoefer of BB&N. - Revert to using flock() whenever possible -- there are just - too many bugs in fcntl() locking, particularly over - NFS, that cause sendmail to fail in perverse ways. - Fix a bug that causes the connection cache to get confused - when sending error messages. This resulted in - "unexpected close" messages. It should fix itself - on the following queue run. Problem noted by - Liudvikas Bukys of the University of Rochester. - Include $k in $=k as documented in the Install & Op Guide. - This seems odd, but it was documented.... From - Michael Corrigan of UCSD. - Fix problem that caused :include:s from alias files to be - forced to be owned by root instead of daemon - (actually DefUid). From Tim Irvin. - Diagnose unrecognized I option values -- from Mortin Forssen - of the Chalmers University of Technology. - Make "error" mailer work consistently when there is no error - code associated with it -- previously it returned OK - even though there was a real problem. Now it assumes - EX_UNAVAILABLE. - Fix bug that caused the last header line of messages that had - no body and which were terminated with EOF instead of - "." to be discarded. Problem noted by Liudvikas Bukys. - Fix core dump on SMTP mail to programs that failed -- it tried - to go to a "next MX host" when none existed, causing - a core dump. From der Mouse at McGill University. - Change IDENTPROTO from a defined/not defined to a 0/1 switch; - this makes it easier to turn it off (using - -DIDENTPROTO=0 in the Makefile). From der Mouse. - Fix YP_MASTER_NAME store to use the unupdated result of - gethostname() (instead of myhostname(), which tries - to fully qualify the name) to be consistent with - SunOS. If your hostname is unqualified, this fixes - transfers to slave servers. Bug noted by Keith - McMillan of Ameritech Services, Inc. - Fix Ultrix problem: gethostbyname() can return a very large - (> 500) h_length field, which causes the sockaddr - to be trashed. Use the size of the sockaddr instead. - Fix from Bob Manson of Ohio State. - Don't assume "-a." on host lookups if NAMED_BIND is not - defined -- this confuses gethostbyname on hosts - file lookups, which doesn't understand the trailing - dot convention. - Log SMTP server subprocesses that die with a signal instead - of from a clean exit. - If you don't have option "I" set, don't assume that a DNS - "host unknown" message is authoritative -- it - might still be found in /etc/hosts. - Fix a problem that would cause Deferred: messages to be sent - as the subject of an error message, even though the - actual cause of a message was more severe than that. - Problem noted by Chris Seabrook of OSSI. - Fix race condition in DBM alias file locking. From Kyle - Jones of UUNET. - Limit delivery syslog line length to avoid bugs in some - versions of syslog(3). This adds a new compile time - variable SYSLOG_BUFSIZE. From Jay Plett of Princeton - University, which is in turn derived from IDA. - Fix quotes inside of comments in addresses -- previously - it insisted that they be balanced, but the 822 spec - says that they should be ignored. - Dump open file state to syslog upon receiving SIGUSR1 (for - debugging). This also evaluates ruleset 89, if set - (with the null input), and logs the result. This - should be used sparingly, since the rewrite process - is not reentrant. - Change -qI, -qR, and -qS flags to be case-insensitive as - documented in the Bat Book. - If the mailer returned EX_IOERR or EX_OSERR, sendmail did not - return an error message and did not requeue the message. - Fix based on code from Roland Dirlewanger of - Reseau Regional Aquarel, Bordeaux, France. - Fix a problem that caused a seg fault if you got a 421 error - code during some parts of connection initialization. - I've only seen this when talking to buggy mailers on - the other end, but it shouldn't give a seg fault in - any case. From Amir Plivatsky. - Fix core dump caused by a ruleset call that returns null. - Fix from Bryan Costales of ICSI. - Full-Name: field was being ignored. Fix from Motonori Nakamura - of Kyoto University. - Fix a possible problem with very long input lines in setproctitle. - From P{r Emanuelsson. - Avoid putting "This is a warning message" out on return receipts. - Suggested by Douglas Anderson. - Detect loops caused by recursive ruleset calls. Suggested by - Bryan Costales. - Initialize non-alias maps during alias rebuilds -- they may be - needed for parsing. Problem noted by Douglas Anderson. - Log sender address even if no message was collected in SMTP - (e.g., if all RCPTs failed). Suggested by Motonori - Nakamura. - Don't reflect the owner-list contents into the envelope sender - address if the value contains ", :, /, or | (to avoid - illegal addresses appearing there). - Efficiency hack for toktype macro -- from Craig Partridge of - BB&N. - Clean up DNS error printing so that a host name is always - included. - Remember to set $i during queue runs. Reported by Stephen - Campbell of Dartmouth University. - If the environment variable HOSTALIASES is set, use it during - canonification as the name of a file with per-user host - translations so that headers are properly mapped. Reported - by Anne Bennett of Concordia University. - Avoid printing misleading error message if SMTP mailer (not - using [IPC]) should die on a core dump. - Avoid incorrect diagnosis of "file 1 closed" when it is caused - by the other end closing the connection. From - Dave Morrison of Oracle. - Improve several of the error messages printed by "mailq" - to include a host name or other useful information. - Add NetInfo preliminary support for NeXT systems. From Vince - DeMarco. - Fix a glitch that sometimes caused :include:s that pointed to - NFS filesystems that were down to give an "aliasing/ - forwarding loop broken" message instead of queueing - the message for retry. Noted by William C Fenner of - the NRL Connection Machine Facility. - Fix a problem that could cause a core dump if the input sequence - had (or somehow acquired) a \231 character. - Make sure that route-addrs always have around - them in non-SMTP envelopes (SMTP envelopes already do - this properly). - Avoid weird headers on unbalanced punctuation of the form: - ``Joe User ; this - has uucp-dom semantics but old UUCP syntax. This - also permits "uucp-old" as an alias for "uucp" and - "uucp-new" as a synonym for "suucp" for consistency. - CONFIG: add POP mailer support (from Kimmo Suominen - ). - CONFIG: drop CSNET_RELAY support -- CSNET is long gone. - CONFIG: fix bug caused with domain literal addresses (e.g., - ``[128.32.131.12]'') when FEATURE(allmasquerade) - was set; it would get an additional @masquerade.host - added to the address. Problem noted by Peter Wan - of Georgia Tech. - CONFIG: make sure that the local UUCP name is in $=w. From - Jim Murray of Stratus. - CONFIG: changes to UUCP rewriting to simulate IDA-style "V" - mailer flag. Briefly, if you are sending to host - "foo", then it rewrites "foo!...!baz" to "...!baz", - "foo!baz" remains "foo!baz", and anything else has - the local name prepended. - CONFIG: portability fixes for HP-UX. - DOC: several minor problems fixed in the Install & Op Guide. - MAKEMAP: fix core dump problem on lines that are too long or - which lack newline. From Mark Delany. - MAILSTATS: print sums of columns (total messages & kbytes - in and out of the system). From Tom Ferrin of UC - San Francisco Computer Graphics Lab. - SIGNIFICANT USER- OR SYSAD-VISIBLE CHANGES: - On HP-UX, /etc/sendmail.cf has been moved to - /usr/lib/sendmail.cf to match HP sendmail. - Permissions have been tightened up on world-writable - :include: files and accounts that have shells - that are not listed in /etc/shells. This may - cause some .forward files that have worked - before to start failing. - SIGUSR1 dumps some state to the log. - NEW FILES: - src/Makefile.DGUX - src/Makefile.Dynix - src/Makefile.FreeBSD - src/Makefile.Mach386 - src/Makefile.NetBSD - src/Makefile.RISCos - src/Makefile.SCO - src/Makefile.SVR4 - src/Makefile.Titan - cf/mailer/pop.m4 - cf/ostype/bsdi1.0.m4 - cf/ostype/dgux.m4 - cf/ostype/dynix3.2.m4 - cf/ostype/sco3.2.m4 - makemap/Makefile.dist - praliases/Makefile.dist - -8.6.4/8.6.4 93/10/31 - Repair core-dump problem (write to read-only memory segment) - if you fall back to the return-to-Postmaster case in - savemail. Problem reported by Richard Liu. - Immediately diagnose bogus sender addresses in SMTP. This - makes quite certain that crackers can't use this - class of attack. - Reliability Fix: check return value from fclose() and fsync() - in a few critical places. - Minor problem in initsys() that reversed a condition for - redirecting the output channel on queue runs. It's - not clear this code even does anything. From Eric - Wassenaar of the Dutch National Institute for Nuclear - and High-Energy Physics. - Fix some problems that caused queue runs to do "too much work", - such as double-reading the Errors-To: header. From - Eric Wassenaar. - Error messages on writing the temporary file (including the - data file) were getting suppressed in SMTP -- this - fix causes them to be properly reported. From Eric - Wassenaar. - Some changes to support AF_UNIX sockets -- this will only - really become relevant in the next release, but some - people need it for local patches. From Michael - Corrigan of UC San Diego. - Use dynamically allocated memory (instead of static buffers) - for macros defined in initsys() and settime(); since - these can have different values depending on which - envelope they are in. From Eric Wassenaar. - Improve logging to show ctladdr on to= logging; this tells you - what uid/gid processes ran as. - Fix a problem that caused error messages to be discarded if - the sender address was unparseable for some reason; - this was supposed to fall back to the "return to - postmaster" case. - Improve aliaswait backoff algorithm. - Portability patches for Linux (8.6.3 required another header - file) (from Karl London) and SCO UNIX. - CONFIG: patch prog mailer to not strip host name off of envelope - addresses (so that it matches local again). From - Christopher Davis. - CONFIG: change uucp-dom mailer so that "<>" translates to $n; - this prevents uux from seeing lines with null names like - ``From Sat Oct 30 14:55:31 1993''. From Motonori - Nakamura of Kyoto University. - CONFIG: handle syntax correctly. This isn't legal, but - it shouldn't fail miserably. From Motonori Nakamura. - -8.6.2/8.6.2 93/10/15 - Put a "successful delivery" message in the transcript for - addresses that get return-receipts. - Put a prominent "this is only a warning" message in warning - messages -- some people don't read carefully enough - and end up sending the message several times. - Include reason for temporary failure in the "warning" return - message. Currently, it just says "cannot send for - four hours". - Fix the "Original message received" time generated for - returntosender messages. It was previously listed as - the current time. Bug reported by Eric Hagberg of - Cornell University Medical College. - If there is an error when writing the body of a message, - don't send the trailing dot and wait for a response - in sender SMTP, as this could cause the connection to - hang up under some bizarre circumstances. From Eric - Wassenaar. - Fix some server SMTP synchronization problems caused when - connections fail during message collection. From - Eric Wassenaar. - Fix a problem that can cause srvrsmtp to reject mail if the - name server is down -- it accepts the RCPT but rejects - the DATA command. Problem reported by Jim Murray of - Stratus. - Fix a problem that can cause core dumps if the config file - incorrectly resolves to a null hostname. Reported by - Allan Johannesen of WPI. - Non-root use of -C flag, dangerous -f flags, and use of -oQ - by non-root users were not put into - X-Authentication-Warning:s as intended because the - config file hadn't set the PrivacyOptions yet. Fix - from Sven-Ove Westberg of the University of Lulea. - Under very odd circumstances, the alias file rebuild code - could get confused as to whether a database was - open or not. - Check "vendor code" on the end of V lines -- this is - intended to provide a hook for vendor-specific - configuration syntax. (This is a "new feature", - but I've made an exception to my rule in a belief - that this is a highly exceptional case.) - Portability fixes for DG/UX (from Douglas Anderson of NCSC), - SCO Unix (from Murray Kucherawy), A/UX, and OSF/1 - (from Jon Forrest of UC Berkeley) - CONFIG: fix ``mailer:host'' form of UUCP relay naming. - -8.6.1/8.6 93/10/08 - Portability fixes for A/UX and Encore UMAX V. - Fix error message handling -- if you had a name server down - causing an error during parsing, that message was never - propagated to the queue file. - -8.6/8.6 93/10/05 - Configuration cleanup: make it easier to undo IDENTPROTO in - conf.h (other systems have the same bug). - If HASGETDTABLESIZE and _SC_OPEN_MAX are both defined, assume - getdtablesize() instead of sysconf(); a disturbingly - large number of systems defined _SC_OPEN_MAX in the - header files but don't have the syscall. - Another patch to really truly ignore MX records in getcanonname - if trymx == FALSE. - Fix problem that caused the "250 IAA25499 Message accepted for - delivery" message to be omitted if there was an error - in the header of the message (e.g., a bad Errors-To: - line). Pointed out by Michael Corrigan of UCSD. - Announce name of host we are chatting when we get errors; this - is an IDA-ism suggested by Christophe Wolfhugel. - Portability fixes for Alpha OSF/1 (from Anthony Baxter of the - Australian Artificial Intelligence Institute), SCO Unix - (from Murray Kucherawy of Hookup Communication Corp.), - NeXT (from Vince DeMarco and myself), Linux (from - Karl London ), BSDI (from - Christophe Wolfhugel, and SVR4 on Dell (from Kimmo - Suominen), AUX 3.0 on Macintosh, and ANSI C compilers. - Some changes to get around gcc optimizer bugs. From Takahiro - Kanbe. - Fix error recovery in queueup if another tf file of the same - name already exists. Problem stumbled over by Bill - Wisner of The Well. - Output YP_MASTER_NAME and YP_LAST_MODIFIED without null bytes. - Problem noted by Keith McMillan of Ameritech Services. - Deal with group permissions properly when opening .forward and - :include: files. This relaxes the 8.1C restrictions - slightly more. This includes proper setting of groups - when reading :include: files, allowing you to read some - files that you should be able to read but have previously - been denied unless you owned them or they had "other" - read permission. - Make certain that $j is in $=w (after the .cf is read) so that - if the user is forced to override some silly system, - MX suppression will still work. - Fix a couple of efficiency problems where newstr was double- - calling expensive routines. In at least one case, it - wasn't guaranteed that they would always return the - same result. Problem noted by Christophe Wolfhugel. - Fix null pointer dereference in putoutmsg -- only on an error - condition from a non-SMTP mailer. From Motonori - Nakamura. - Macro expand "C" line class definitions before scanning so that - "CX $Z" works. - Fix problem that caused error message to be sent while still - trying to send the original message if the connection - is closed during a DATA command after getting an error - on an RCPT command (pretty obscure). Problem reported - by John Myers of CMU. - Fix reply to NOOP to be 250 instead of 200 -- this is a long - term bug. - Fix a nasty bug causing core dumps when returning the "warning: - cannot deliver for N hours -- will keep trying" message; - it only occurred if you had PostmasterCopy set and - only on some architectures. Although sendmail would - keep trying, it would send error messages on each - queue interval. This is an important fix. - Allow u and g options to take user and group names respectively. - Don't do a chdir into the queue directory in -bt mode to make - ruleset testing a bit easier. - Don't allow users to turn off logging (using -oL) on the command - line -- command line can only raise, not lower, logging - level. - Set $u to the original recipient on the SMTP transaction or on - the command line. This is only done if there is exactly - one recipient. Technically, this does not meet the - specs, because it does not guarantee a domain on the - address. - Fix a problem that dumped error messages on bad addresses if - you used the -t flag. Problem noted by Josh Smith of - Harvey Mudd College. - Given an address such as `` '', auto-quote the first - ``'' part, giving ``"" ''. This is to - avoid the problem of people who use angle brackets in - their full name information. - Fix a null pointer dereference if you set option "l", have - an Errors-To: header in the message, and have Errors-To: - defined in the config file H lines. From J.R. Oldroyd. - Put YPCOMPAT on #ifdef NIS instead -- it's one less thing to get - wrong when compiling. Suggested by Rick McCarty of TI. - Fix a problem that could pass negative SIZE parameter if the - df file got lost; this would cause servers to always - give a temporary failure, making the problem even worse. - Problem noted by Allan Johannesen of WPI. - Add "ident" timeout (one of the "r" option selectors) for IDENT - protocol timeouts (30s default). Requested by Murray - Kucherawy of HookUp Communication Corp. to handle bogus - PC TCP/IP implementations. - Change $w default definition to be just the first component of - the domain name on config level 5. The $j macro defaults - to the FQDN; $m remains as before. This lets well-behaved - config files use any of the short, long, or subdomain - names. - Add makesendmail script in src to try to automate multi-architecture - builds. I know, this is sub-optimal, but it is still - helpful. - Fix very obscure race condition that can cause a queue run to - get a queue file for an already completed job. This - problem has existed for years. Problem noted by the - long suffering Allan Johannesen of WPI. - Fix a problem that caused the raw sender name to be passed to - udbsender instead of the canonified name -- this caused - it to sometimes miss records that it should have found. - Relax check of name on HELO packet so that a program using -bs - that claims to be itself works properly. - Restore rewriting of $: part of address through 2, R, 4 in - buildaddr -- this requires passing a lot of flags to get - it right. Unlike old versions, this ONLY rewrites - recipient addresses, not sender addresses. - Fix a bug that caused core dumps in config files that cannot - resolve /file/name style addresses. Fix from Jonathan - Kamens of OpenVision Technologies. - Fix problem with fcntl locking that can cause error returns to - be lost if the lock is lost; this required fully - queueing everything, dropping the envelope (so errors - would get returned), and then re-reading the queue from - scratch. - Fix a problem that caused aliases that redefine an otherwise - true address to still send to the original address - if and only if the alias failed in certain bizarre - ways (e.g, if they pointed at a list:; syntax address). - Problem pointed out by Jonathan Kamens. - Remove support for frozen configuration files. They caused - more trouble than it was worth. - Fix problem that can cause error messages to get ignored when - using both -odb and -t flags. Problem noted by Rob - McNicholas at U.C. Berkeley. - Include all "normal" variations on hostname in $=w. For example, - if the host name is vangogh.cs.berkeley.edu, $=w will - contain vangogh, vangogh.cs, and vangogh.cs.berkeley.edu. - Add "restrictqrun" privacy flag -- without this, anyone can run - the queue. - Reset SmtpPhase global on initial connection creation so that - messages don't come out with stale information. - Pass an "ext" argument to lockfile so that error/log messages - will properly reflect the true filename being locked. - Put all [...] address forms into $=w -- this eliminates the need - for MAXIPADDR in conf.h. Suggested by John Gardiner - Myers of CMU. - Fix a bug that can cause qf files to be left around even after - an SMTP RSET command. Problem and fix from Michael - Corrigan. - Don't send a PostmasterCopy to errors when the Precedence: is - negative. Error reports still go to the envelope - sender address. - Add LA_SHORT for load averages. - Lock sendmail.st file when posting statistics. - Add "SendBufSize" and "RcvBufSize" suboptions to "O" option to - set the size of the TCP send and receive buffers; if you - run over a slow slip line you may need to set these down - (although it would be better to fix the SLIP implementation - so that it's not necessary to recompile every program - that does bulk data transfer). - Allow null defaults on $( ... $) lookups. Problem reported by - Amir Plivatsky. - Diagnose crufty S and V config lines. This resulted from an - observation that some people were using the SITE macro - without the SITECONFIG macro first, which was causing - bogus config files that were not caught. - Fix makemap -f flag to turn off case folding (it was turning it - on instead). THIS IS A USER VISIBLE CHANGE!!! - Fix a problem that caused multiple error messages to be sent if - you used "sendmail -t -oem -odb", your system uses fcntl - locking, and one of the recipient addresses is unknown. - Reset uid earlier in include() so that recursive .forwards or - :include:s don't use the wrong uid. - If file descriptor 0, 1, or 2 was closed when sendmail was - called, the code to recover the descriptor was broken. - This sometimes (only sometimes) caused problems with the - alias file. Fix from Motonori Nakamura. - Fix a problem that caused aliaswait to go into infinite recursion - if the @:@ metasymbol wasn't found in the alias file. - Improve error message on newaliases if database files cannot be - opened or if running with no database format defined. - Do a better estimation of the size of error messages when NoReturn - is set. Problem noted by P{r (Pell) Emanuelsson. - Fix a problem causing the "c" option (don't connect to expensive - mailers) to be ignored in SMTP. Problem noted and the - solution suggested by Robert Elz of The University of - Melbourne. - Improve connection caching algorithm by passing "[host]" to - hostsignature, which strips the square brackets and - returns the real name. This allows mailertable entries - to match regular entries. - Re-enable Return-Receipt-To: -- people seem to want this stupid - feature, even if it doesn't work right. - Catch and log attempts to try the "wiz" command in server SMTP. - This also ups the log level from LOG_NOTICE to LOG_CRIT. - Be more generous at assigning $z to the home directory -- do this - for programs that are specified through a .forward file. - Fix from Andrew Chang of Sun Microsystems. - Always save a fatal error message in preference to a non-fatal - error message so that the "subject" line of return - messages is the best possible. - CONFIG: reduce the number of quotes needed to quote configuration - parameters with commas: two quotes should work now, e.g., - define(ALIAS_FILE, ``/etc/aliases,/etc/aliases.local''). - CONFIG: class $=Z is a set of UUCP hosts that use uucp-dom - connections (domain-ized UUCP). - CONFIG: fix bug in default maps (-o must be before database file - name). Pointed out by Christophe Wolfhugel. - CONFIG: add FEATURE(nodns) to state that we are not relying on - DNS. This would presumably be used in UUCP islands. - CONFIG: add OSTYPE(nextstep) and OSTYPE(linux). - CONFIG: log $u in Received: line. This is in technical violation - of the standards, since it doesn't guarantee a domain - on the address. - CONFIG: don't assume "m" in local mailer flags -- this means that - if you redefine LOCAL_MAILER_FLAGS you will have to include - the "m" flag should you want it. Apparently some Solaris 2.2 - installations can't handle multiple local recipients. - Problem noted by Josh Smith. - CONFIG: add confDOMAIN_NAME to set $j (if undefined, $j defaults). - CONFIG: change default version level from 4 to 5. - CONFIG: add FEATURE(nullclient) to create a config file that - forwards all mail to a hub without ever looking at the - addresses in any detail. - CONFIG: properly strip mailer: information off of relays when - used to change .BITNET form into %-hack form. - CONFIG: fix a problem that caused infinite loops if presented - with an address such as "!foo". - CONFIG: check for self literal (e.g., [128.32.131.12]) even if - the reverse "PTR" mapping is broken. There's a better - way to do this, but the change is fairly major and I - want to hold it for another release. Problem noted by - Bret Marquis. - -8.5/8.5 93/07/23 - Serious bug: if you used a command line recipient that was unknown - sendmail would not send a return message (it was treating - everything as though it had an SMTP-style client that - would do the return itself). Problem noted by Josh Smith. - Change "trymx" option in getcanonname() to ignore all MX data, - even during a T_ANY query. This actually didn't break - anything, because the only time you called getcanonname - with !trymx was if you already knew there were no MX - records, but it is somewhat cleaner. From Motonori - Nakamura. - Don't call getcanonname from getmxrr if you already know there - are no DNS records matching the name. - Fix a problem causing error messages to always include "The - original message was received ... from localhost". - The correct original host information is now included. - Previous change to cf/sh/makeinfo.sh doesn't port to Ultrix (their - version of "test" doesn't have the -x flag). Change it - to use -f instead. From John Myers. - CONFIG: 8.4 mistakenly set the default SMTP-style mailer to - esmtp -- it should be smtp. - CONFIG: send all relayed mail using confRELAY_MAILER (defaults - to "relay" (a variant of "smtp") if MAILER(smtp) is used, - else "suucp" if MAILER(uucp) is used, else "unknown"); - this cleans up the configs somewhat. This fixes a serious - problem that caused route-addrs to get mistaken as relays, - pointed out by John Myers. WARNING: this also causes - the default on SMART_HOST to change from "suucp" to - "relay" if you have MAILER(smtp) specified. - -8.4/8.4 93/07/22 - Add option `w'. If you receive a message that comes to you because - you are the best (lowest preference) target of an MX, and - you haven't explicitly recognized the source MX host in - your .cf file, this option will cause you to try the target - host directly (as if there were no MX for it at all). If - `w' is not set, this case is a configuration error. - Beware: if `w' is set, senders may get bogus errors like - "message timed out" or "host unknown" for problems that - are really configuration errors. This option is - disrecommended, provided only for compatibility with - UIUC sendmail. - Fix a problem that caused the incoming socket to be left open - when sendmail forks after the DATA command. This caused - calling systems to wait in FIN_WAIT_2 state until the - entire list was processed and the child closed -- a - potentially prodigious amount of time. Problem noted - by Neil Rickert. - Fix problem (created in 6.64) that caused mail sent to multiple - addresses, one of which was a bad address, to completely - suppress the sending of the message. This changes - handling of EF_FATALERRS somewhat, and adds an - EF_GLOBALERRS flag. This also fixes a potential problem - with duplicate error messages if there is a syntax error - in the header of a message that isn't noticed until late - in processing. Original problem pointed out by Josh Smith - of Harvey Mudd College. This release includes quite a bit - of dickering with error handling (see below). - Back out SMTP transaction if MAIL gets nested 501 error. This - will only hurt already-broken software and should help - humans. - Fix a problem that broke aliases when neither NDBM nor NEWDB were - compiled in. It would never read the alias file. - Repair unbalanced `)' and `>' (the "open" versions are already - repaired). - Logging of "done" in dropenvelope() was incorrect: it would - log this even when the queue file still existed. Change - this to only log "done" (at log level 11) when the - queue file is actually removed. From John Myers. - Log "lost connection" in server SMTP at log level 20 if there - is no pending transaction. Some senders just close the - connection rather than sending QUIT. - Fix a bug causing getmxrr to add a dot to the end of unqualified - domains that do not have MX records -- this would cause - the subsequent host name lookup to fail. The problem - only occurred if you had FEATURE(nocanonify) set. - Problem noted by Rick McCarty of Texas Instruments. - Fix invocation of setvbuf when passed a -X flag -- I had - unwittingly used an ANSI C extension, and this caused - core dumps on some machines. - Diagnose self-destructive alias loops on RCPT as well as EXPN. - Previously it just gave an empty send queue, which - then gave either "Need RCPT (recipient)" at the DATA - (confusing, since you had given an RCPT command which - returned 250) or just dropped the email, depending on - whether you were running VERBose mode. Now it usually - diagnoses this case as "aliasing/forwarding loop broken". - Unfortunately, it still doesn't adequately diagnose - some true error conditions. - Add internal concept of "warning messages" using 6xx codes. - These are not reported only to Postmaster. Unbalanced - parens, brackets, and quotes are printed as 653 codes. - They are always mapped to 5xx codes before use in SMTP. - Clean up error messages to tell both the actual address that - failed and the alias they arose from. This makes it - somewhat easier to diagnose problems. Difficulty noted - by Motonori Nakamura. - Fix a problem that inappropriately added a ctladdr to addresses - that shouldn't have had one during a queue run. This - caused error messages to be handled differently during - a queue run than a direct run. - Don't print the qf name and line number if you get errors during - the direct run of the queue from srvrsmtp -- this was - just extra stuff for users to crawl through. - Put command line flags on second line of pid file so you can - auto-restart the daemon with all appropriate arguments. - Use "kill `head -1 /etc/sendmail.pid`" to stop the - daemon, and "eval `tail -1 /etc/sendmail.pid`" to - restart it. - Remove the ``setuid(getuid())'' in main -- this caused the - IDENT daemon to screw up. This required that I change - HASSETEUID to HASSETREUID and complicate the mode - changing somewhat because both Ultrix and SunOS seem - to have a bug causing seteuid() to set the saved uid - as well as the effective. The program test/t_setreuid.c - will test to see if your implementation of setreuid(2) - is appropriately functional. - The FallBackMX (option V) handling failed to properly identify - fallback to yourself -- most of the code was there, - but it wasn't being enabled. Problem noted by Murray - Kucherawy of the University of Waterloo. - Change :include: open timeout from ETIMEDOUT to an internal - code EOPENTIMEOUT; this avoids adding "during SmtpPhase - with CurHostName" in error messages, which can be - confusing. Reported by Jonathan Kamens of OpenVision - Technologies. - Back out setpgrp (setpgid on POSIX systems) call to reset the - process group id. The original fix was to get around - some problems with recalcitrant MUAs, but it breaks - any call from a shell that creates a process group id - different from the process id. I could try to fix - this by diddling the tty owner (using tcsetpgrp or - equivalent) but this is too likely to break other - things. - Portability changes: - Support -M as equivalent to -oM on Ultrix -- apparently - DECnet calls sendmail with -MrDECnet -Ms -bs - instead of using standard flags. Oh joy. This - behavior reported by Jon Giltner of University - of Colorado. - SGI IRIX -- this includes several changes that should - help other strict ANSI compilers. - SCO Unix -- from Murray Kucherawy of HookUp Communication - Corporation. - Solaris running the Sun C compiler (which despite the - documentation apparently doesn't define - __STDC__ by default). - ConvexOS from Eric Schnoebelen of Convex. - Sony NEWS workstations and Omron LUNA workstations from - Motonori Nakamura. - CONFIG: add confTRY_NULL_MX_LIST to set option `w'. - CONFIG: delete `C' and `e' from default SMTP mailers flags; - several people have made a good argument that this - creates more problems than it solves (although this - may prove painful in the short run). - CONFIG: generalize all the relays to accept a "mailer:host" - format. - CONFIG: move local processing in ruleset 0 into a new ruleset - 98 (8 on old sendmail). Domain literal [a.b.c.d] - addresses are also passed through this ruleset. - CONFIG: if neither SMART_HOST nor MAILER(smtp) were defined, - internet-style addresses would "fall off the end" of - ruleset zero and be interpreted as local -- however, - the angle brackets confused the recursive call. - These are now diagnosed as "Unrecognized host name". - CONFIG: USENET rules weren't included in S0 because of a mistaken - ifdef(`_MAILER_USENET_') instead of - ifdef(`_MAILER_usenet_'). Problem found by Rein Tollevik - of SINTEF RUNIT, Oslo. - CONFIG: move up LOCAL_RULE_0 processing so that it happens very - early in ruleset 0; this allows .mc authors to bypass - things like the "short circuit" code for local addresses. - Prompted by a comment by Bill Wisner of The Well. - CONFIG: add confSMTP_MAILER to define the mailer used (smtp or - esmtp) to send SMTP mail. This allows you to default - to esmtp but use a mailertable or other override to - deal with broken servers. This logic was pointed out - to me by Bill Wisner. Ditto for confLOCAL_MAILER. - Changes to cf/sh/makeinfo.sh to make it portable to SVR4 - environments. Ugly as sin. - -8.3/8.3 93/07/13 - Fix setuid problems introduced in 8.2 that caused messages - like "Cannot create qfXXXXXX: Invalid argument" - or "Cannot reopen dfXXXXXX: Permission denied". This - involved a new compile flag "HASSETEUID" that takes - the place of the old _POSIX_SAVED_IDS -- it turns out - that the POSIX interface is broken enough to break - some systems badly. This includes some fixes for - HP-UX. Also fixes problems where the real uid is - not reset properly on startup (from Neil Rickert). - Fix a problem that caused timed out messages to not report the - addresses that timed out. Error messages are also more - "user friendly". - Drop required bandwidth on connections from 64 bytes/sec to - 16 bytes/sec. - Further Solaris portability changes -- doesn't require the BSD - compatibility library. This also adds a new - "HASGETDTABLESIZE" compile flag which can be used if - you want to use getdtablesize(2) instead of sysconf(2). - These are loosely based on changes from David Meyer at - University of Oregon. This now seems to work, at least - for quick test cases. - Fix a problem that can cause duplicate error messages to be - sent if you are in SMTP, you send to multiple addresses, - and at least one of those addresses is good and points - to an account that has a .forward file (whew!). - Fix a problem causing messages to be discarded if checkcompat() - returned EX_TEMPFAIL (because it didn't properly mark - the "to" address). Problem noted by John Myers. - Fix dfopen to return NULL if the open failed; I was depending - on fdopen(-1) returning NULL, which isn't the case. This - isn't serious, but does result in weird error diagnoses. - From Michael Corrigan. - CONFIG: add UUCP_MAX_SIZE M4 macro to set the maximum size of - messages sent through UUCP-family mailers. Suggested - by Bill Wisner of The Well. - CONFIG: if both MAILER(uucp) and MAILER(smtp) are specified, - include a "uucp-dom" mailer that uses domain-style - addressing. Suggested by Bill Wisner. - CONFIG: Add LOCAL_SHELL_FLAGS and LOCAL_SHELL_ARGS to match - LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS. Suggested by - Christophe Wolfhugel. - CONFIG: Add OSTYPE(aix3). From Christophe Wolfhugel. - -8.2/8.2 93/07/11 - Don't drop out on config file parse errors in -bt mode. - On older configuration files, assume option "l" (use Errors-To - header) for back compatibility. NOTE: this DOES NOT - imply an endorsement of the Errors-To: header in any way. - Accept -x flag on AIX-3 as well as OSF/1. Why, why, why??? - Don't log errors on EHLO -- it isn't a "real" error for an old - SMTP server to give an error on this command, and - logging it in the transcript can be confusing. Fix - from Bill Wisner. - IRIX compatibility changes provided by Dan Rich - . - Solaris 2 compatibility changes. Provided by Bob Cunningham - , John Oleynick - - Debugging: -d17 was overloaded (hostsignature and usersmtp.c); - move usersmtp (smtpinit and smtpmailfrom) to -d18 to - match the other flags in that file. - Flush transcript before fork in mailfile(). From Eric Wassenaar. - Save h_errno in mci struct and improve error message display. - Changes from Eric Wassenaar. - Open /dev/null for the transcript if the create of the xf file - failed; this avoids at least one possible null pointer - reference in very weird cases. From Eric Wassenaar. - Clean up statistics gathering; it was over-reporting because of - forks. From Eric Wassenaar. - Fix problem that causes old Return-Path: line to override new - Return-Path: line (conf.c needs H_FORCE to avoid - re-using old value). From Motonori Nakamura. - Fix broken -m flag in K definition -- even if -m (match only) - was specified, it would still replace the key with the - value. Noted by Rick McCarty of Texas Instruments. - If the name server timed out over several days, no "timed out" - message would ever be sent back. The timeout code - has been moved from markfailure() to dropenvelope() - so that all such failures should be diagnosed. Pointed - out by Christophe Wolfhugel and others. - Relax safefile() constraints: directories in an include or - forward path must be readable by self if the controlling - user owns the entry, readable by all otherwise (e.g., - when reading your .forward file, you have to own and - have X permission in it; everyone needs X permission in - the root and directories leading up to your home); - include files must be readable by anyone, but need not - be owned by you. - If _POSIX_SAVED_IDS is defined, setuid to the owner before - reading a .forward file; this gets around some problems - on NFS mounts if root permission is not exported and - the user's home directory isn't x'able. - Additional NeXT portability enhancements from Axel Zinser. - Additional HP-UX portability enhancements from Brian Bullen. - Add a timeout around SMTP message writes; this assumes you can - get throughput of at least 64 bytes/second. Note that - this does not impact the "datafinal" default, which - is separate; this is just intended to work around - network clogs that will occur before the final dot - is sent. From Eric Wassenaar. - Change map code to set the "include null" flag adaptively -- - it initially tries both, but if it finds anything - matching without a null it never tries again with a - null and vice versa. If -N is specified, it never - tries without the null and creates new maps with a - null byte. If -O is specified, it never tries with - the null (for efficiency). If -N and -O are specified, - you get -NO (get it?) lookup at all, so this would - be a bad idea. If you don't specify either -N or -O, - it adapts. - Fix recognition of "same from address" so that MH submissions - will insert the appropriate full name information; - this used to work and got broken somewhere along the - way. - Some changes to eliminate some unnecessary SYSERRs in the - log. For example, if you lost a connection, don't - bother reporting that fact on the connection you lost. - Add some "extended debugging" flags to try to track down - why we get occasional problems with file descriptor - one being closed when execing a mailer; it seems to - only happen when there has been another error in the - same transaction. This requires XDEBUG, defined - by default in conf.h. - Add "-X filename" command line flag, which logs both sides of - all SMTP transactions. This is intended ONLY for - debugging bad implementations of other mailers; start - it up, send a message from a mailer that is failing, - and then kill it off and examine the indicated log. - This output is not intended to be particularly human - readable. This also adds the HASSETVBUF compile - flag, defaulted on if your compiler defines __STDC__. - CONFIG: change SMART_HOST to override an SMTP mailer. If you - have a local net that should get direct connects, you - will need to use LOCAL_NET_CONFIG to catch these hosts. - See cf/README for an example. - CONFIG: add LOCAL_MAILER_ARGS (default: `mail -d $u') to handle - sites that don't use the -d flag. - CONFIG: hide recipient addresses as well as sender addresses - behind $M if FEATURE(allmasquerade) is specified; this - has been requested by several people, but can break - local aliases. For example, if you mail to "localalias" - this will be rewritten as "localalias@masqueradehost"; - although initial delivery will work, replies will be - broken. Use it sparingly. - CONFIG: add FEATURE(domaintable). This maps unqualified domains - to qualified domains in headers. I believe this is - largely equivalent to the IDA feature of the same name. - CONFIG: use $U as UUCP name instead of $k. This permits you - to override the "system name" as your UUCP name -- - in particular, to use domain-ized UUCP names. From - Bill Wisner of The Well. - CONFIG: create new mailer "esmtp" that always tries EHLO - first. This is currently unused in the config files, - but could be used in a mailertable entry. - -8.1C/8.1B 93/06/27 - Serious security bug fix: it was possible to read any file on - the system, regardless of ownership and permissions. - If a subroutine returns a fully qualified address, return it - immediately instead of feeding it back into rewriting. - This fixes a problem with mailertable lookups. - CONFIG: fix some M4 frotz (concat => CONCAT) - -8.1B/8.1A 93/06/12 - Serious bug fix: pattern matching backup algorithm stepped by - two tokens in classes instead of one. Found by Claus - Assmann at University of Kiel, Germany. - -8.1A/8.1A 93/06/08 - Another mailertable fix.... - -8.1/8.1 93/06/07 - 4.4BSD freeze. No semantic changes. - -6.65/6.34 93/06/06 - Fix some lintish problems. - Fix some cases where server SMTP behaved poorly when handed bogus - input, pointed out by Eric Wassenaar. - CONFIG: fix some more (sigh) mailertable bugs -- thanks to - Motonori Nakamura of Kyoto University (again). - -6.64/6.33 93/06/05 - Don't send 050 (-v) information after the 250 response to a QUIT - command in srvrsmtp -- clients usually close the connection - at this point, and it causes bogus error messages. - Don't send messages that have errors on input (such as unbalanced - parentheses) during SMTP transactions, since a return - message has (probably) already been sent. - Give better diagnostics on timeouts during network reads, including - information similar to the SMTP phase. - Fix bug that caused SMTP messages to deliver synchronously; this - happened after the DATA 250, and hence caused reading the - next command to be delayed. - Ignore Errors-To: header unless 'l' (lower case el) header is - specified. The Errors-To: header violates RFC 1123. - Errors-To: was only needed to take the place of the - envelope sender in the days when most Unix mailers - didn't understand about the two kinds of senders. - Don't send warning messages in response to automatically generated - messages (that is, those From:<>). - CONFIG: fix some rather stupid typos in the mailertable code - pointed out by Motonori Nakamura of Kyoto University. - CONFIG: add confUSE_ERRORS_TO configuration option. - CONFIG: if ALWAYS_ADD_DOMAIN is selected, try to use $M - (masquerade name) instead of $j. - CONFIG: don't add dots to relay names (added in 6.29); it breaks - several things, and can be simulated by dot terminating - the names of relays. For example, use: - DBbit.net.relay. - (note the trailing dot). - -6.63/6.32 93/06/01 - Fix prototypes to eliminate chars in argument lists -- some - compilers are pissy about this. - Log protocol ($r) and body type if set so we can determine if - the adaptive algorithms are working. - Pessimize on locking of database files (particularly for NEWDB - databases) during opens. There were problems with - processes opening the file while it was rebuilt; since - NEWDB caches heavily, the reader opened an empty file, - which is an error. If your system has the ability to - lock atomically on open, this works properly; otherwise, - there are race conditions. - Check mod time on .pag file instead of .dir in NDBM aliases - because the .dir file doesn't get updated for small - alias files. From John Gardiner Myers of CMU. - More Solaris portability -- it now compiles on Solaris, but - hangs up in gethostbyname(). - Move setting of RES_DEBUG flag before first myhostname() call - so we can see name server traffic on that call. - Fsync() queue files. - Fix a problem that causes -bi to try to rebuild maps other than - the alias file(s). - Fix a problem that caused udb to reject entries from any but - the first database listed. - Rearrange doc subdirectory for 4.4BSD release tape. - CONFIG: put $r into the Received line. This was an oversight. - CONFIG: fix typo (call to ruleset 99 should have been ruleset 90). - CONFIG: move "auxiliary" subroutines to be in ruleset 90-99 - range -- in the long run, single digit rulesets may - become reserved for builtin use by sendmail. - CONFIG: fix major problem that causes host aliases (that is, - anything in $=w != $j) to not be recognized. This has - been around since 6.30. - -6.62/6.31 93/05/28 - BETA RELEASE - Fix recursive syserr (if there is an error printing a syserr - message). This makes the code much less eager to consider - a write error as serious. This also includes some - heuristics to be clever about closed connections. - Lock NEWDB files during gets. This requires version 1.5 or later - of the db library. If you have an older version, you - can use -DOLD_NEWDB. This will go away in a few weeks. - Fix problem causing aliases that use host maps to get overwritten. - Do appropriate byte swapping on port numbers in ident protocol - code. Fix from Allan Johannesen of WPI. - Defer opening of map files to the same time as alias files so that - the daemon will tend to pick up new versions more promptly. - Prototype a bunch more functions. - Some Solaris 2.1 changes (still doesn't link though). - Try to simplify Makefiles by including more subordinate #defines - in conf.h (based on OS type). - CONFIG: check for domains if FEATURE(mailertable) is defined. - For example, if the host name is "knecht.cs.berkeley.edu" - it will search the following mailertable keys: - knecht.cs.berkeley.edu - .cs.berkeley.edu - .berkeley.edu - .edu - This could be used to replace the special relays for bitnet - and similar nets. - -6.61/6.30 93/05/24 - Fix problem that prevented appending dots on canonified host - names. This breaks tons of config files -- very - important fix. - Fix improper pointer dereference in response to HELO command. - Fix core dump if debugging set in map_rewrite. - CONFIG: add FEATURE(always_add_domain) to always attach the - local domain (only impacts local mail). - CONFIG: try to avoid turning names into $j -- although - technically a host can only have one "canonical name", - it seems to be common practice to have several. - -6.60/6.29 93/05/22 - Major change: merge alias databases with maps. This expands and - changes the map class interface but fixes a bunch of bugs. - The important user-visible change is that the file name - in a K line now does not include the ".db" extension; this - is added automatically. Also, the -d (NIS domain) flag is - missing from the K config line; use @domain instead. - When compiling, the *_MAP names are gone -- just compile - in NDBM, NEWDB, and/or NIS support. - Announce mailer/host/user triple on -bv flag -- from Brian - Bullen of Stirling University. - Don't send more than one line in response to HELO -- it confuses - Pony Express, which then behaves very badly. However, - this change does send two line 220 greetings, with the - second line reading "ESMTP spoken here". The usersmtp - module recognizes this and goes into ESMTP mode regardless - of the setting of the "a" mailer flag. Thus, "a" means - "always try EHLO". - AIX portability changes (thanks to Christophe Wolfhugel of - Herve Schauer Consultants (Paris) for providing me with - an INSA account for this purpose). Lightly tested. Use - -D_AIX3. This probably breaks compatibility with some - older systems (e.g., 4.2bsd) but still works on SunOS - 4.1.2, Ultrix 4.2A, HP-UX 8.07, OSF/1 T1.3, and AIX 3.2.3. - Fix a problem causing an error message loop if the output channel - is hosed. - Add the Makefiles that I use for various environments -- some are - Berkeley make versions and some are old make versions. - My makefile for the NeXT box has gotten lost, alas! - PRALIASES: support for printing NEWDB databases. From - Michael J. Corrigan of U.C. San Diego. - CONFIG: don't pass pseudo-domains to $[ ... $] (if you have - a wildcard MX it can have weird results). From - Christophe Wolfhugel. - CONFIG: dot terminate relay hostnames in S0. From Christophe - Wolfhugel. - -6.59/6.28 93/05/13 - Log version with SMTP daemon startup message. - Adjust setproctitle to work on NetBSD and BSD/386. - Fix null pointer reference in MX fallback code. - A bunch of minor fixes from Eric Wassenaar: - If deliver cannot execv the mailer, return EX_OSERR - instead of EX_TEMPFAIL (to give better - error messages). - Consistently malloc e_message. - Catch degenerate case of calling returntosender() - with an empty returnq. - MIME reformatting. - -6.58/6.28 93/05/13 - Fix bug that can cause incorrect verbose display of user smtp - messages. - Disable SMTP VERB command if PRIV_NOEXPN is set (since this - could reveal the same information. - Allow failure when reading SMTP greeting message to go on to - next MX host. - Add "MIME-Version: 1.0" header if using MIME (this was NOT - included in RFC 1344, but Bill King of Allan-Bradley - Company forwarded me email from Nathaniel Borenstein - claiming that it was an inadvertent omission). - Don't use Content-Type: X-message-header. According to John - Myers of CMU, many MIME readers will completely ignore - the data if they don't recognize it. Instead, just - add a blank line to make it a legal (empty) message. - Fix problem causing dots to keep getting appended to cached - hostnames. This can cause buffer overrun conditions. - The problem was found by Erik Forsberg of Retix, - although I used a different bug fix than he provided. - Fix parsing of split header/envelope rewriting specs -- from - Eric Forsberg. - Fix from Eric Wassenaar to correct To: lists in error messages. - -6.57/6.28 93/05/11 - Fix minor glitch causing extra ctladdrs to be output to queue - file. Just an annoyance. - Cache results of name server canonification lookups to avoid - backed up queue runs. - Major rewrite of alias.c: considerable cleanup, plus sample - (untested) support for NIS aliases. The "A" option - can now be a comma separated list (or be repeated) -- - that is, you can have multiple alias databases. Each - database can have the syntax ``class:file''; if no class - is specified, the "implicit" class is assumed. Implicit - searches through a list of compiled in types -- hash, - dbm, nis, and stab. Alias files are searched in the - order they are listed. For example: - OAhash:/etc/aliases.local,/etc/aliases - OAnis:mail.aliases@my.nis.domain - first searches the hash database /etc/aliases.local, - then the regular /etc/aliases database, then the NIS - map "mail.aliases" in the NIS domain "my.nis.domain". - If in Verbose mode (probably from VERB command) run SMTP job - in foreground and don't do RCPT optimizations. - Add udb :mailsender as equivalent to owner- for regular aliases. - Delete option 8; add option 7 that means the opposite. That is, - default to 8-bit mode; a special option is needed to - force sendmail into 7 bit mode. - Send error messages in encapsulated MIME format. - New compile flag "NIS" that turns on NIS alias and NIS map - support. - Add "j" option to send error messages in MIME (RFC 1341) - encapsulated message format per RFC 1344. The - syntax is pretty ugly if you don't have MIME-aware - user agents. - Clean up message handling (for display in mailq output). - New setproctitle implementation for 4.4bsd. - Create files (such as ~/dead.letter) using mode FileMode (the - F option value) instead of 0666. - Fix bug causing output of EXPN command to not be fully qualified. - This may cause some problems with UUCP addresses that - will require some config file assistance -- specifically, - the $: part has to include the host name for this output - to make sense. - Fix a problem that sometimes diagnosed errors and still sent the - message if the header syntax was bad. - Fix a bug that caused an error message to be emailed when sendmail - was operating in -bv mode. - Add "ListenQueueSize" keyword to daemon options option (OO) to - set the queue size parameter passed to listen(). You - will normally have to tweak your kernel to up this. - Strip spaces off of beginning of message-id before logging (in - case it was folded across lines). - Tweak compile flags in daemon.c -- there were some cases where - it wouldn't work without NETINET. - Change *file* mailer to output all the usual default headers - (From, Date, Message-Id). It gets used when sending - back error messages. - CONFIG: explicitly catch and diagnose list:; syntax in ruleset - zero -- this is not a valid recipient syntax according - to RFC 821. - CONFIG: add confMIME_FORMAT_ERRORS to send error messages in - MIME format. Defaults to on. - CONFIG: add SMTP_MAILER_FLAGS and UUCP_MAILER_FLAGS to augment - the flags for those mailers. - -6.56/6.27 93/05/01 - Fix problem that causes the fallback mail to postmaster - (case ESM_POSTMASTER in savemail()) to not look at - aliases (ugh). - Some more HPUX tweaking (compile flag hpux => __hpux so it - still works in ANSI mode). - Don't try to flock non-regular files when mailing to a file. - In particular, this was a problem if you tried to - send to /dev/null. - Fix a weird bug that can cause senders to be queued as - recipients if the name server is down when the mail - is initially sent. This hack just ignores sender - deletion (essentially, it sets the MeToo flag) if there - is a TEMPFAIL during processing of the sender address. - Obscure. - Fix a dangling else problem -- from Brian Bullen from University - of Stirling, UK. - Add the "b" mailer flag to force a blank line on the end of - messages. Some brilliant versions of /bin/mail insist - on this but do not add it themselves. - Add the "g" mailer flag to prevent user SMTP from sending - "MAIL From:<>". This is only intended to be a - transitional gesture, and should not be used if at - all possible. It appears that Berkeley and IDA - config files have always handled this properly; the - UK config kit apparently does not. - Don't lowercase and then capitalize header field names -- leave - them with original capitalization. Fixes from Bill - King of Allen-Bradley Company. - Further cleanup and improved reporting of error messages, - particularly conditions that cause messages to be - requeued for future delivery. - Tweak syslog priorities in some cases. - CONFIG: clean up route-addr on UUCP addresses. - -6.55/6.25 93/04/27 - HPUX 8.07 compatibility changes in getla() -- I had to make - these changes to get it to work at Berkeley, although - others seem to have been working before (???). - Various patches to XLA code. - Fix problem that causes setuid bit on files to be ignored from - SMTP or in queue runs. Problem noted by Jason Ornstein - of Under The Wire, Inc. - Fix problem that can cause CNAMEs to be ignored. - Generalize getmxrr to match local host in $=w instead of a - single name passed in. - Some cleanup from Eric Wassenaar: - Use FileMailer instead of ProgMailer in two places. - Eliminate duplicate 8th-bit stripping in commaize. - Fix a problem with mis-parsing of backslash escapes - under some circumstances. - NIS map fix (was always including trailing null character) - from Mike Glendinning of Ingres UK. - Add "a" mailer flag to try using ESMTP. It tries the EHLO - command and if that fails falls back to regular SMTP. - Also parses EHLO option keywords. If host supports - SIZE extension, this is added to the MAIL FROM: - command. - Extend "b" option to include a second value which is the - maximum message size this server is willing to accept. - For example, a value of "10/1000000" says that there - must be ten blocks free, and sendmail will reject - any message larger than one megabyte. - Some portability hooks for NeXT (this could be applicable - to Mach in general). You have to create an empty - file called "unistd.h" to get it to compile. - Adjust config values (MAXLINE, MAXATOM, and PSBUFSIZE) to - be more generous. - Add X400-Received: to the list of headers tagged with H_TRACE - in conf.c. From Bill King, Allen-Bradley Co. - -6.54/6.25 93/04/19 - Fix problem that caused redefinition of SMTP and QUEUE compile - flags. Pointed out by Jon Forrest of the Sequoia 2000 - project at Berkeley. - Properly handle \! hack -- it was treating host\!user as one - token (host!user) instead of three (host, !, user). - Fix from Eric Wassenaar of NIKHEF-H. - Fix compilation problem in getauthinfo() if IDENTPROTO is off. - Turn off DEFNAMES and DNSRCH when getting the hostsignature - (i.e., MX records) in level 1 configuration files; this - matches the old behavior. From Motonori Nakamura of - Kyoto University. - Improve error message printing -- if sent through an alias, - error messages include the name of the alias in the - message. Unfortunately, in order to make this work - properly in queue runs, this changes the format of the - C line in the qf file. The relatively uselessness of - the previous information was pointed out to me by - Allan E Johannesen of WPI. - Add XLA compile flag to add hooks to Christophe Wolfhugel's - extended load average code. This is still in very early - form. For information regarding the guts of the xla - code, contact Christophe.Wolfhugel@grasp.insa-lyon.fr. - Additional hooks for detecting tempfails in rewriting rules - (that is, in map lookups). - -6.53/6.25 93/04/15 - Properly diagnose ruleset zero returning null (instead of a mailer - triple). From Motonori Nakamura of Kyoto University. - More generalization of socket code for other protocols. - Shorten timeouts on reverse name lookups -- since they are done - during connection establishment, long timeouts here can - cause higher level timeouts. This mainly serves to accept - mail from hosts that do not have proper reverse (PTR) DNS - records set up. - Reset e_statmsg before each mailer invocation to avoid bogus - messages in the log. - Redefine $r, $s, and $_ in error envelopes so you don't get - incorrect cruft in the error message. Problem noted by - Motonori Nakamura of Kyoto University. - Fix a problem that can cause failure to return errors to Postmaster - in certain cases. From Motonori Nakamura. - Fix a problem that can cause some systems to give duplicate error - messages when a bad syntax address such as " $3 - the input "user@a.b.c" failed instead of being properly - rewritten as "user@a..c". - Neil also convinced me that it was correct that $~ should match - only one token -- the problem is that it's always possible - to add another token, so $~ matches far too eagerly. - -6.45/6.21 93/03/25 - Implement multi-word classes (properly!). - -6.44/6.21 93/03/25 - Add X-Authentication-Warning: headers to clue users into possible - attempts to forge mail. This is on the authwarnings - privacy flag, but is the default. Suggested by Bryan - Costales of ICSI. - Pass default units for convtime in so they can be more reasonable. - Allow config files to always add a new Comments: header (i.e., - they will be added even if an old one already exists). - Suggested by Bryan Costales of ICSI. - Allow config files to delete an existing Return-Path: header. - These should only be added at final delivery. Suggested - by Bryan Costales of ICSI. - Some debugging additions. Suggested by Bryan Costales of ICSI. - Clean up logging of Family 0 addresses. Noted by David Muir - Sharnoff and others. - Add a "dequote" map class. This allows config files to strip - quotes off of addresses. Note that this is not a builtin - map, just a class -- so you have to define the map - using the K line. - Fix a bug in the queueup() loop getting a locked tf where in - very odd cases it can fall off the bottom and core dump. - Of course, it was P{r Emanuelsson who found it.... - Open a new transcript when splitting an envelope. Problem found - by Allan E Johannesen of WPI. - Improved error output in endmailer if the mailer core dumps. - CONFIG: Fix typo in UUCP mailer definition. - CONFIG: Default several of the new options on: eight bit input, - privacy flags set to "authwarnings", and message warning - set to 4h. - CONFIG: Use dequote map. - -6.43/6.20 93/03/23 - Fix problem with assumption of an sa_len field in a generic - sockaddr -- it turns out that most vendors haven't - picked up this (very important) fix. - Change compilation flags for daemon code -- select one or both - of NETINET or NETISO, but don't ever set DAEMON manually. - CONFIG: add FEATURE(mailertable) to do IDA-style mailertables. - -6.42/6.19 93/03/19 - Use Postmaster as default fallback return address, not root. - POSIX changes for file descriptor handling. - Diagnose errors writing new queue file. - If you change the owner using an owner- alias, also change the - error mode to EM_MAIL so that errors don't get dropped - into an inappropriate directory. Problem noted by - Allan E Johannesen of WPI. - If you are su'ed to root, send email as who you really are, not - as root. From Brian Kantor of U.C. San Diego. - Allow warning messages to be sent after a configurable interval - has passed without delivery. The message is sent only - once per envelope. This changes the format of the qf - file to have an F line, and the format of the T option - to accept take the format "return/warn" (both intervals). - Don't force all local names to lower case -- this was left over - from the weird handling of case mapping on aliases. It - is now driven (as expected) by the "u" mailer flag. - Problem noted by P{r Emanuelsson. - Fix problem that caused headers on returned email to be trashed; - they were getting freed, but are still accessible via - BlankEnvelope. - Fix problem that caused bogus ids to be created on returned - mail. - Add support for ISO and other non-INET networking. This is by - no means finished yet. This does assume a lot of other - system support, like a version of gethostbyname that - returns non-AF_INET addresses. - CONFIG: change default on prog mailer to keep upper case in - user names (i.e., in the program command line). - CONFIG: strip trailing dots off of hosts in uucp mailer before - convert to bang format. - CONFIG: create new "relay" mailer for $R (LOCAL_RELAY) and $H - (MAIL_HUB) delivery that doesn't add local domain. Note - that this violates 821, but is probably "more correct" - for what we are trying to do. Problem pointed out by - Michael Graff of Iowa State. - -6.41/6.18 93/03/18 - Clean up unnecessary creates of queue ids (i.e., empty qf files) - when not needed, such as when starting up an SMTP - connection. - Fix problem where split envelopes aren't instantiated in the queue. - This is quite a serious bug. - Owner- aliases had problems with leading spaces causing a - premature delimitation. - -6.40/6.18 93/03/18 - Have ending 250 (after DATA) include the id; suggested by - Brian Kantor of UC San Diego. - Add logging on envelope splitting. - Change queue ids to have one more letter encoding the hour of - the day so that during a single day there is a greater - likelihood of uniqueness; requested by Brian Kantor. - -6.39/6.18 93/03/18 - Fix minor compile problem if LOCKF is defined. - Define size of tobuf in conf.h. Observed by Toshinari Takahashi - of Toshiba. - Restore e_sender -- this is equivalent to e_from.q_paddr without - decorations such as angle brackets and comments. - OSF/1 on Alpha changes from Allan E Johannesen of WPI. - CONFIG: fix typo in S3 for list syntax (;: => :;). Thanks to - Christopher Hoover for noting the problem. - -6.38/6.17 93/03/17 - Pass envelope to disconnect to avoid another use of CurEnv, which - can apparently end up being null at inopportune times. - Log "received from" as "relay=" for consistency (suggested by - John Gardiner Myers). - Fix major bug in header handling: if no From: line existed in - the header (so sendmail inserts one), and the sender is - an alias that has an owner, the From: line shows the - owner (as well as the envelope). Fixed by early binding - the headers (which will change debugging output). - HPUX portability patches from Michael J. Corrigan of UC San Diego. - Some attempts to adapt better to out of open file conditions. - Some changes to ctladdr handling in queue files. - -6.37/6.17 93/03/16 - MAJOR CHANGE: delete e_sender and e_returnpath (why are these - different from e_from?) and $< macro. - Log correct IP address in relay= field even if the connection - times out. - Log "received from [RESPONSE]" on EF_RESPONSE messages (from - John Gardiner Myers). - Fixes to SysExMsg logging (sometimes just got "message: %s" - instead of "message: error message"), noted by Eric - Wassenaar. Also reported by Motonori Nakamura. - Improvements to MX piggybacking code, from Motonori Nakamura. - Fix case where CurHostName points to an auto variable that has - been deallocated (from Motonori Nakamura). - Fix bug causing newlines to be included in aliases if option - "n" (check alias RHS) is set; bug noted by David Muir - Sharnoff. - Fix problem causing user names that should be mapped to lower - case to not be mapped if they are sent during a queue - run. This greatly simplifies the case mapping code. - Problem noted by Allan E Johannesen of WPI. - Don't do recipient address rewriting in buildaddr. This - improperly did recipient rewriting on sender addresses, - and just seems bogus in general -- but the change could - break some .cf files. - Pass TZ envariable to child processes for System V. - CONFIG: allow LOCAL_RULE_1 and LOCAL_RULE_2 if you want to - define those rulesets. - KNOWN PROBLEM: I have seen some problems on SunOS that causes - the User Data Base to give errors on some addresses. I - have tracked the problem back at least as far as 93.02.15 - (version 6.22). Running with debugging on makes it - go away, so I conclude that it is referencing uninitialized - stack data. I haven't been able to track this down yet. - -6.36/6.16 93/03/08 - Allow local mailer to specify $@host -- this lets you assign the - "foo" part of jgm+foo to $h for passing in to the local - mailer. - Additional debug printing in getcanonname (show query type). - Don't add the e_fromdomain on sender addresses -- this interacts - weirdly with the owner- code. - Improve delivery logging to not log obvious or meaningless stuff. - Include numeric IP address in Received: lines per RFC 1123 section - 5.2.8. - Fixed a bug in checking stat() return value if restrictmailq is - set. Also, check the entire group set instead of just the - primary group. Both from John Gardiner Myers. - Don't have usrerr automatically print errno, since this is often - misleading. - Use transienterror() in makeconnection after connect() fails and - in openmailer after execve() fails (from Eric Wassenaar). - Also moved transienterror() from util.c to conf.c. - Clean up from= logging on response messages. - Undo patch allowing prescan to return a null vector -- it breaks - too many things. - Config: FEATURE(notsticky) lets you use UDB for everything coming - in to the machine, even if it is specifically targetted - to this machine. Without it, UDB is bypassed if the user - name is fully qualified. - Config: fix another minor botch with <> (local mailer wasn't - mapping them properly). - -6.35/6.15 93/03/05 - Fix getrealhostname to return null if sinlen <= 0 -- this can - occur if stdin is a pipe. - Avoid infinite loop in getcanonname if name server return - NO_DATA (for example). - Config: avoid having C flag qualify list syntax and error syntax. - -6.34/6.14 93/03/05 - Fix logging in deliver to not pass too many parameters to Ultrix - versions of syslog. - Don't write the pid file until after the daemon has actually - opened and conditioned the connection. - Consider addresses "different" if their q_uids differ (so that - two users forwarding to the same program will be seen - as different, rather than the same). - Fix problem with bad parameters in main() -- they set ExitStat - but don't exit. - Fix null pointer references through RealHostName -- painfully - discovered by Allan E Johannesen of WPI. - Fix bug causing user@@localhost to core dump (yuch). - Config: don't put two @host.dom.ain on users in $=E in SMTP - mailer. Also, catch user@ (no host) in ruleset 0. - -6.33/6.13 93/03/03 - Config: add confCW_FILE as the name of the cw configuration file - (defaults to /etc/sendmail.cw). From P{r Emanuelsson. - Allow prescan to return a pointer to an empty list -- this is - not an error. Also, clean up error reporting to avoid - double errors (prescan reports once, then the caller - reports again). - Changes to avoid trusting T_ANY queries -- run them, but if you - don't get the info you expected, do T_A and T_MX queries - anyhow. This also fixes an oversight where _res.options - bits were being ignored. - If PRIV_NOVRFY is set, use 252 response code instead of 502 per - RFC 1123 section 5.2.3. It's not 100% clear that this - is correct, but it probably works better with stupid - mailers that do a VRFY and only check the first digit. - -6.32/6.12 93/03/02 - Fix uninitialized variable "protocol" in smtp code. - Include in sendmail.h -- move towards POSIX/ANSI. - Additional hooks for RFC 1427 (ESMTP SIZE extension). This - includes requiring that enoughspace() know the system - block size, which will undoubtedly break most ports. - Trace flag 19 in use for srvrsmtp.c. - Additional logging -- notably the sending mailer name. This - also changes the delivery logging to strict field=value - syntax. - Fix some problems with messages getting sent even to addresses - that had been marked bad -- from Eric Wassenaar. - More WIDE changes: accept host name inside [...] as non-MXed - host. This is intended ONLY for use inside firewalled - environments, where the MX points at the gateway. - Change .cf file conventions so that mapping for <> addresses - don't have an @ in them (to avoid confusing the C mailer - flag). Pointed out by Neil Rickert. - Config extensions for Sam Leffler's FlexFAX software. - -6.31/6.10 93/02/28 - Fix some more bugs in alias owner code -- there were some weird - cases where an error in a non-aliased name would override - the return info in an aliased name with an owner. - Changes from WIDE Project, forwarded to me by Motonori Nakamura: - Log actual delivery host (after MX et al); from - yasuhiro@dcl.co.jp. - Log daemon startup. - Deliver Postmaster copies without a body. - Better logging of SMTP senders. - Send all program email as daemon even when local. - As requested in various forms from many people, accept -qIstring - to limit queue runs to jobs with queue-id matching string. - Similarly for -qRstring for recipients, -qSstring for - senders. - Initial hooks for ESMTP support (see RFC 1425). - Fixed a syntax error in the UUCP mailer specification that caused - core dumps on startup. - Check for missing A= or P= arguments in mailer definitions. - -6.30/6.10 93/02/27 - Require FROZENCONFIG compilation flag to include frozen - configuration code. Frozen configuration is really - not a very good idea any more, particularly in shared - library environments. - Do better checking of errno after opens of :include: and .forward - files to defer delivery on network and other transient - errors. Suggestion from Craig Everhart. - Fix minor botch in read timeout macro processing. - Add FEATURE(nouucp) to config files for sites that know absolutely - nothing about UUCP. - Add built cf files to distribution tape and clarify how to build - them if you don't have the Berkeley make. - Some sizeof(long) portability changes for the Alpha, from Allan - E Johannesen. - Add "restrictmailq" privacy flag -- if set, only people in the same - group as your queue directory can print the queue. If you - set this, be sure you also restrict access to log files.... - Fix another bug in owner-list stuff that can cause data files to - be "lost". - Fix a bug with queue runs that cause forwards to yourself to go - into alias/forwarding loops. I'm still iffy about this - fix. - Fix from Eric Wassenaar for suppression of return message code. - -6.29/6.9 93/02/24 - Fix yet another problem in alias owner code -- put the wrong return - address on the enclosed return-to-sender letter. - -6.28/6.9 93/02/24 - Fix botch in alias owner code that caused it to not operate if the - error was detected locally. - -6.27/6.9 93/02/24 - M_LOCAL => M_LOCALMAILER to avoid conflict with Ultrix include - file . - Miscellaneous bug fixes from Eric Wassenaar: - sendmail -bv -t logs the from line even though in verify - mode only. - sendmail -v can go into queue mode if shouldqueue returns - TRUE. - Add route-addr pruning per RFC 1123 section 5.3.3. This can be - disabled using the "R" option. - Delete (always undocumented) -R flag (save original recipients); - there are ways to syslog(3) these now. - Clean up SMTP reply codes -- specify them as needed in the code, - instead of in conf.c -- this was needed during the NCP to - TCP transition, but seems silly now. This also changes - parameters to message and nmessage. - Have mailstats read the .cf file to find the sendmail.st file and - get text versions of mailer names. An initial version of - this code was provided by Tuominen Keijo (although the - comments indicate the good bits were written by "E.V."). - Add yet more System V compatibility hacks. - Fix bug in VRFY code (assumes everything must be a local user). - Allow specification of any of the hard-wired pathnames in the - Makefile. - Delete concept of "trusted users" -- this really didn't provide - any security anyway, and caused some problems. - Delete last vestige of support for the word "at" as an equivalent - to the character "@". - Propagate owner-foo alias information into the envelope sender. - Based on code from John Gardiner Myers. This is a major - semantic change -- beware! - Allow $@ on LHS to indicate "match zero" -- this is used to match - the null expression. - -6.26/6.8 93/02/21 - Don't "lose" queue runs. Very important fix from (who else?) - Eric Wassenaar. - Completely reset state on RSET command -- from Eric Wassenaar. - Send error messages and return receipts using an envelope sender - of <> regardless of the setting of $n. Rewriting rules - can undo this if they feel the necessity, as might be - needed for networks that don't understand the syntax. - This is permitted by RFC 821 section 3.6 and required by - RFC 1123 section 5.3.3. THIS REQUIRES VERSION 4 CONFIG - FILES because the rulesets must be able to parse <> - properly. - Don't ever send error messages to "<>" -- they will get sent to - the local postmaster or dumped in /usr/tmp/dead.letter - instead. Per RFC 1123 section 5.3.3. - Explicitly check for email to yourself as a dotted quad. You - have to call $[ [ ... ] $] to get this. - Up the message timeout to five days per RFC 1123 section 5.3.1.1. - Make all read timeouts individually configurable, as strongly - recommended by RFC 1123 section 5.3.2. - Use f_bavail (blocks available to regular users) instead of f_bfree - (blocks available to superuser) in free block checks. - Change $d macro to be the current time, not the origination time, - since this is consistent with how it is used now. - Generalization of enoughspace from Eric Wassenaar covering - SGI, Apollo, HPUX, Ultrix, and SunOS. - Ignore process group signals -- some front ends can do this if - you kill a window too quickly. From Eric Wassenaar. - Change umask to 022. - -6.25/6.8 93/02/20 - Close all cached connections before calling mailers and after - forking for delivery (caused double closes which resulted - in false errors). - Add FEATURE(redirect) in config files -- this allows you to alias - old addresses to a pointer to the new address that will - give a 551 error message, but not deliver the mail. - Some code changes to make the 551 errors look pretty. - Names of M4 program paths in config files have changed -- they - are all XXX_MAILER_PATH now, to match XXX_MAILER_FLAGS. - Fix a bug in the QSELFREF code having to do with empty .forward - files, reported by Eric Wassenaar. - Add option "p" (privacy flags); this allows you to tune how - picky the SMTP server will be. This also adds the - confPRIVACY_FLAGS M4 macro in the config files. - Add option "b" (minimum blocks free). If there are fewer than - this number of blocks free on the filesystem containing - the queue directory, the SMTP MAIL command will return - a 452 response and ask you to try again later. This - also adds the confMIN_FREE_BLOCKS M4 macro in the config - files. - Made VRFY just verify (doesn't expand aliases and .forward files); - EXPN does full expansion. RCPT in queue-only mode also - doesn't chase aliases and .forward. - -6.24/6.7 93/02/19 - Increase the number of domain search entries in domain.c to allow - for the extra "" entry indicating the root domain. - Reported by Motonori Nakamura of Kyoto U. - Add a "SMART_HOST" in the configs for UUCP-connected sites that - want to forward all mail with extra "@"s to that site. - Also allows SMART_HOST, LOCAL_RELAY, and MAIL_HUB to - be specified as ``mailer:hostname'' to use an alternate - mailer. - Clarified and updated some wording in the Operations Guide. - Add the "c" mailer flag -- this suppresses all comment parts of - addresses (requested by John Curran of NEARnet). - Have -v print prompts in -bt mode even if stdin is not a terminal - (default behavior is to be silent if not reading from - a terminal). Suggested by Bryan Costales, ICSI. - Move the metacharacters from C0 space (\001-\037) into C1 space - (\201-\237). This also fixes a bunch of potential bugs - with G1 characters (\240-\276) in headers relating to - negative numbers passed to isspace() et al. - Add YP_LAST_MODIFIED and YP_MASTER_NAME to DBM version of alias - database if YPCOMPAT is #defined. Enhancement from - Takahiro Kanbe of Fuji Xerox Information Systems Co., Ltd. - Add "list" Precedence (-30); this can be used with old sendmails - which will map to precedence 0 (which will return error - messages). Suggested by Stephen R. van den Berg. - Many bug fixes from Eric Wassenaar of the National Institute for - Nuclear and High-Energy Physics, Amsterdam: - Clear timeouts properly on open failures in include(). - Don't dereference through NULL if no home directory found. - Re-establish SIGCHLD signal on System 5 in reapchild(). - Avoid NULL pointer reference on -pFOO flag. - Properly handle backslash escapes in comments. - Correctly check reply status on SMTP NOOP command. - Properly save SMTP error message if peer gives - "Service Shutting Down" message. - Avoid writing to the transcript if it couldn't be opened. - Signal errors in SMTP children to parent properly. - Handle self references in a list more globally (include a - QSELFREF bit in the address flags). This enhancement - was suggested by Eric Wassenaar. - Use initgroups() in hpux, even though it's System-V based. The - HASINITGROUPS compile flag can set this on other systems. - This HPUX behavior was pointed out by Eric Wassenaar. - -6.23/6.6 93/02/16 - Clean up handling of LogLevel to make it easier to figure out - what's on what level. - Change log levels to have some consistency: - 1 serious system failures, security problems - 2 lost communications, protocol failures - 3 other serious failures - 4 minor errors - 5 message collection - 6 vrfy logging, creation of return-to-sender - 7 delivery failures - 8 delivery successes - 9 delivery tempfails (queue ups) - 10 database expansion - >64 debugging - Allow IDA-style separated processing on S= and R= in Mailer - definition lines. Note that rulesets 1 and 2 are - still used for both addresses as before. Bruce Lilly - gave a convincing argument that RFC976 insists on - this behavior. - Added some time zones to arpatounix -- they may not be in the - standards, but they are in use. However, I may delete - arpatounix entirely -- there appears to be no reason - for it to exist. - Change to UUCP mailer (in cf directory) to try to do a saner job. - I'm still not certain about this mailer in general. - -6.22/6.5 93/02/15 - Fix bug that prevents saving letters in ~/dead.letter. - Don't add angle brackets in VRFY command if angle brackets already - exist in the address. - Fix bogus error message in udbexpand. - Null terminate host buffers in buildaddr (broken in 6.21) -- - IMPORTANT FIX!! - -6.21/6.5 93/02/15 - Fix another incorrect error message in alias.c, found by Azuma - Okamoto. - Fix a couple of problems in the more-configurable config files, - found by Tom Ivar Helbekkmo. - Fix problem with quoted :include: entries. - Don't duplicate the filename on verbose printing of .forward and - :include: contents. - Extend size of prescan buffer (to allow bigger addresses). Also, - detect some buffer overflows. - Log user SMTP protocol errors (log level 4). - -6.20/6.4 93/02/14 - Fix another problem in the MCI state machine caused when there - were errors generated from the other end to commands - other than RCPT. - -6.19/6.4 93/02/14 - Include load average support for DEC Alpha running OSF/1. - Fix multiple-response problem with errors in MAIL From: line. - Fix SMTP reply codes for invalid address syntaxes (give 501; - never give multiple error messages for a single message). - Fix problem where a cached connection timeout rejects all - later connects to that host. - Fix incorrect error message if alias.c is compiled with DBM only. - Additional changes to fix nested conditionals (from Bruce Lilly). - Recover more gracefully from operating system failures, particularly - NULL returns from openmailer (from Noritoshi Demizu, - OMRON Corporation). - Log forward, alias, and userdb expand operations on log level 10; - concept suggested by P{r (Pell) Emanuelsson. - Changes for HPUX 8.07 compatibility. - -6.18/6.4 93/02/12 - Allow any config option to be set using an M4 define. - Change UNAME compile flag to HASUNAME for IDA compatibility - (besides, it's a better name). - Note in README that on SunOS it must be linked -Bstatic. - Fairly major change in domain.c to handle wildcard MX records - more rationally. NOTE: the "w" option (no wildcard MX - records match local domain) has been eliminated. - Fix some unset variable references pointed out by Bruce Lilly. - Fix host name in process titles when using cached connection. - -6.17/6.3 93/01/28 - Fix System 5 compatibility changes to be compatible with the rest - of the world. - -6.16/6.3 93/01/28 - Experimental fix for problem handling errors in the SMTP - protocol in conjunction with connection caching. - System 5 compatibility changes. - -6.15/6.3 93/01/26 - Fix a bug that causes local mail delivered using -odq to be - eliminated as a duplicate (because it matched the - ctladdr, now passed in as a C line). These changes - are pretty tricky...... - -6.14/6.3 93/01/25 - Add debugging for some MCI errors. - -6.13/6.3 93/01/22 - Fix -e compatibility flag to take a value. - Fix a couple of minor compilation warnings on Sun cc. - Improve error messages in a few cases to be more self-explanatory. - -6.12/6.3 93/01/21 - Fix yet-another problem with environment handling, pointed out - by Yoshitaka Tokugawa and Tom Ivar Helbekkmo. - Some heuristics to try to limit resource exhaustion problems - if a downstream host has been down for a long time. - Fix problem with incorrect host name being logged in "Connection - timed out" messages (from Tom Ivar Helbekkmo). - Fix some ANSI C problems (from Takahiro Kanbe). - Properly log message sender on returned mail during queue run. - Count number of recipients properly. - Fix a problem in yp map code. - Diagnose "message timed out" (from Motonori Nakamura). - -6.11/6.3 93/01/20 - Fix problem with address delimitor inside quotes. - Define $k and $=k to be the UUCP name (from the uname call) - based on code from Bruce Lilly. - -6.10/6.2 93/01/18 - Implement arpatounix (largely code from Bruce Lilly). - Log more info (suggested by John Myers). - Allow nested $?...$|...$. (inspired by code from Bruce Lilly of - Sony US). - POSIX compatibility (noted by Keith Bostic). - Handle SMTP MAIL command errors properly (urged by several people, - notably John Myers of CMU). - Do early diagnosis of .cf errors (notably referencing a RHS - substitution that isn't on the LHS). - Adjust checkpointing to better handle batched recipients, suggested - by John Myers. - Fix miscellaneous bugs. - (config files:) Implement MAIL_HUB for all local mail (to handle - NFS-mounted directories) as urged by Tom Ivar Helbekkmo - of the Norwegian School of Economics. - -6.9/6.1 93/01/13 - Environment handling simplification/bug fix -- child processes - get a minimal, fixed environment. This avoids different - behavior in queue runs. - Handle commas inside comments properly. - Properly limit large messages submitted in -obq mode. - -6.8/6.1 93/01/10 - Check mtime of thaw file against .cf and sendmail binary, based on - code from John Myers. - -6.7/6.1 93/01/10 - MX piggybacking, based on code from John Myers@CMU. - Allow checkcompat to return -1 to mean tempfail. - Bug fix in m_mno computation. - -6.6/6.1 93/01/09 - Tuning of queueing functions as recommended by John Gardiner Myers. - Return mail headers (no body) on messages with negative precedence. - Minor other bug fixes. - -6.5/6.1 93/01/03 - Fix botch causing queued headers to have ?XX? prefixes. - -6.4/6.1 93/01/02 - Changes to recognize special mailer types (e.g., file) early. - -6.3/6.1 93/01/01 - Pass timeouts to sfgets. - Check for control characters in addresses. - Fixed deferred error reporting. - Report duplicate aliases. - Handle mixed case recursive aliases. - Misc bug fixes. - -6.2/6.1 92/12/30 - Put return-receipt-to on a conf.c flag (but don't set it). - Fix minor syslog problem. -- 2.20.1