Email客户端

开发平台：

Unix_Linux

RELEASE_NOTES：源码内容

Rinske of Siemens Business Services VAS.
Solaris: Make sure HASGETUSERSHELL setting for SunOS is not
used on a Solaris machine. Problem noted by
Stephen Ma of Jtec Pty Limited.
CONFIG: SINIX: Update from Gerald Rinske of Siemens Business
Services VAS.
MAKEMAP: Use a better heuristic for detecting GDBM.
CONTRIB: expn.pl: Updated version from the author, David Muir Sharnoff.
OP.ME: Document the F=i mailer flag. Problem noted by Per Hedeland of
Ericsson.
8.8.7/8.8.7 1997/08/03
If using Berkeley DB on systems without O_EXLOCK (open a file with
an exclusive lock already set -- i.e., almost all systems
except 4.4-BSD derived systems), the initial attempt at
rebuilding aliases file if the database didn't already
exist would fail. Patch from Raymund Will of LST Software
GmbH.
Bogus incoming SMTP commands would reset the SMTP conversation.
Problem noted by Fredrik J鰊sson of the Royal Institute
of Technology, Stockholm.
Since TCP Wrappers includes setenv(), unsetenv(), and putenv(),
some environments could give "multiple definitions" for these
routines during compilation. If using TCP Wrappers, assume
that these routines are included as though they were in the
C library. Patch from Robert La Ferla.
When a NEWDB database map was rebuilt at the same time it was being
used by a queue run, the maps could be left locked for the
duration of the queue run, causing other processes to hang.
Problem noted by Kendall Libby of Shore.NET.
In some cases, NoRecipientAction=add-bcc was being ignored, so the
mail was passed on without any recipient header. This could
cause problems downstream. Problem noted by Xander Jansen
of SURFnet ExpertiseCentrum.
Give error when GDBM is used with sendmail. GDBM's locking and
linking of the .dir and .pag files interferes with sendmail's
locking and security checks. Problems noted by Fyodor
Yarochkin of the Kyrgyz Republic FreeNet.
Don't fsync qf files if SuperSafe option is not set.
Avoid extra calls to gethostbyname for addresses for which a
gethostbyaddr found no value. Also, ignore any returns
from gethostbyaddr that look like a dotted quad.
If PTR lookup fails when looking up an SMTP peer, don't tag it as
"may be forged", since at the network level we pretty much
have to assume that the information is good.
In some cases, errors during an SMTP session could leave files
open or locked.
Better handling of missing file descriptors (0, 1, 2) on startup.
Better handling of non-setuid binaries -- avoids certain obnoxious
errors during testing.
Errors in file locking of NEWDB maps had the incorrect file name
printed in the error message.
If the AllowBogusHELO option were set and an EHLO with a bad or
missing parameter were issued, the EHLO behaved like a HELO.
Load limiting never kicked in for incoming SMTP transactions if the
DeliveryMode=background and any recipient was an alias or
had a .forward file. From Nik Conwell of Boston University.
On some non-Posix systems, the decision of whether chown(2) permits
file giveaway was undefined. From Tetsu Ushijima of the
Tokyo Institute of Technology.
Fix race condition that could cause the body of a message to be
lost (so only the header was delivered). This only occurs
on systems that do not use flock(2), and only when a queue
runner runs during a critical section in another message
delivery. Based on a patch from Steve Schweinhart of
Results Computing.
If a qf file was found in a mail queue directory that had a problem
(wrong ownership, bad format, etc.) and the file name was
exactly MAXQFNAME bytes long, then instead of being tried
once, it would be tried on every queue run. Problem noted
by Bryan Costales of Mercury Mail.
If the system supports an st_gen field in the status structure,
include it when reporting that a file has changed after open.
This adds a new compile flag, HAS_ST_GEN (0/1 option).
This out to be checked as well as reported, since it is
theoretically possible for an attacker to remove a file after
it is opened and replace it with another file that has the
same i-number, but some filesystems (notably AFS) return
garbage in this field, and hence always look like the file
has changed. As a practical matter this is not a security
problem, since the files can be neither hard nor soft links,
and on no filesystem (that I am aware of) is it possible to
have two files on the same filesystem with the same i-number
simultaneously.
Delete the root Makefile from the distribution -- it is only for
use internally, and does not work at customer sites.
Fix botch that caused the second MAIL FROM: command in a single
transaction to clear the entire transaction. Problem
noted by John Kennedy of Cal State University, Chico.
Work properly on machines that have _PATH_VARTMP defined without
a trailing slash. (And a pox on vendors that decide to
ignore the established conventions!) Problem noted by
Gregory Neil Shapiro of WPI.
Internal changes to make it easier to add another protocol family
(intended for IPv6). Patches are from John Kennedy of
CSU Chico.
In certain cases, 7->8 bit MIME decoding of Base64 text could leave
an extra space at the beginning of some lines. Problem
noted by Charles Karney of Princeton University; fix based
on a patch from Christophe Wolfhugel.
Portability:
Allow _PATH_VENDOR_CF to be set in Makefile for consistency
with the _Sendmail_ book, 2nd edition. Note that
the book is actually wrong: _PATH_SENDMAILCF should
be used instead.
AIX 3.x: Include <sys/select.h>. Patch from Gene Rackow
of Argonne National Laboratory.
OpenBSD from from Paul DuBois of the University of Wisconsin.
RISC/os 4.0 from Paul DuBois of the University of Wisconsin.
SunOS: Include <memory.h> to fix warning from util.c. From
James Aldridge of EUnet Ltd.
Solaris: Change STDIR (location of status file) to /etc/mail
in Makefiles.
Linux, Dynix, UNICOS: Remove -DNDBM and -lgdbm from
Makefiles. Use NEWDB on Linux instead.
NCR MP-RAS 3.x with STREAMware TCP/IP: SIOCGIFNUM ioctl
exists but behaves differently than other OSes.
Add SIOCGIFNUM_IS_BROKEN compile flag to get
around the problem. Problem noted by Tom Moore of
NCR Corp.
HP-UX 9.x: fix compile warnings for old select API. Problem
noted by Tom Smith of Digital Equipment Corp.
UnixWare 2.x: compile warnings on offsetof macro. Problem
noted by Tom Good of the Community Access Information
Resource Network
SCO 4.2: compile problems caused by a change in the type of
the "length" parameters passed to accept, getpeername,
getsockname, and getsockopt. Adds new compile flags
SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Problem reported
by Tom Good of St. Vincent's North Richmond Community
Mental Health Center Residential Services.
AIX 4: Use size_t for SOCKADDR_SIZE_T and SOCKOPT_SIZE_T.
Suggested by Brett Hogden of Rochester Gas & Electric
Corp.
Linux: avoid compile problem for versions of <setjmp.h> that
#define both setjmp and longjmp. Problem pointed out
by J.R. Oldroyd of TerraNet.
CONFIG: SCO UnixWare 2.1: Support for OSTYPE(sco-uw-2.1)
from Christopher Durham of SCO.
CONFIG: NEXTSTEP: define confCW_FILE to
/etc/sendmail/sendmail.cw to match the usual
configuration. Patch from Dennis Glatting of
PlainTalk.
CONFIG: MAILER(fax) called a program that hasn't existed for a long
time. Convert to use the HylaFAX 4.0 conventions. Suggested
by Harry Styron.
CONFIG: Improve sample anti-spam rulesets in cf/cf/knecht.mc. These
are the rulesets in use on sendmail.org.
MAKEMAP: give error on GDBM files.
MAIL.LOCAL: Make error messages a bit more explicit, for example,
telling more details on what actually changed when "file
changed after open".
CONTRIB: etrn.pl: Ignore comments in Fw files. Support multiple Fw
files.
CONTRIB: passwd-to-alias.pl: Handle 8 bit characters and '-'.
NEW FILES:
src/Makefiles/Makefile.OpenBSD
src/Makefiles/Makefile.RISCos.4_0
test/t_exclopen.c
cf/ostype/sco-uw-2.1.m4
DELETED FILES:
Makefile
8.8.6/8.8.6 1997/06/14
*************************************************************
* The extensive assistance of Gregory Neil Shapiro of WPI *
* in preparing this release is gratefully appreciated. *
* Sun Microsystems has also provided resources toward *
* continued sendmail development. *
*************************************************************
SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open
mode bits set to create a file that is a symbolic link that
points nowhere. This makes it possible to create a root
owned file in an arbitrary directory by inserting the symlink
into a writable directory after the initial lstat(2) check
determined that the file did not exist. The only verified
example of a system having these odd semantics for O_EXCL
and symbolic links was HP-UX prior to version 9.07. Most
systems do not have the problem, since a exclusive create
of a file disallows symbolic links. Systems that have been
verified to NOT have the problem include AIX 3.x, *BSD,
DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris,
and Ultrix. This is a potential exposure on systems that
have this bug and which do not have a MAILER-DAEMON alias
pointing at a legitimate account, since this will cause old
mail to be dropped in /var/tmp/dead.letter.
SECURITY: Problems can occur on poorly managed systems, specifically,
if maps or alias files are in world writable directories.
If your system has alias maps in writable directories, it
is potentially possible for an attacker to replace the .db
(or .dir and .pag) files by symbolic links pointing at
another database; this can be used either to expose
information (e.g., by pointing an alias file at /etc/spwd.db
and probing for accounts), or as a denial-of-service attack
(by trashing the password database). The fix disallows
symbolic links entirely when rebuilding alias files or on
maps that are in writable directories, and always warns on
writable directories; 8.9 will probably consider writable
directories to be fatal errors. This does not represent an
exposure on systems that have alias files in unwritable
system directories.
SECURITY: disallow .forward or :include: files that are links (hard
or soft) if the parent directory (or any directory in the
path) is writable by anyone other than the owner. This is
similar to the previous case for user files. This change
should not affect most systems, but is necessary to prevent
an attacker who can write the directory from pointing such
files at other files that are readable only by the owner.
SECURITY: Tighten safechown rules: many systems will say that they
have a safe (restricted to root) chown even on files that
are mounted from another system that allows owners to give
away files. The new rules are very strict, trusting file
ownership only in those few cases where the system has
been verified to be at least as paranoid as necessary.
However, it is possible to relax the rules to partially
trust the ownership if the directory path is not world or
group writable. This might allow someone who has a legitimate
:include: file (referenced directly from /etc/aliases) to
become another non-root user if the :include: file is in a
non-writable directory on an NFS-mounted filesystem where
the local system says that giveaway is denied but it is
actually permitted. I believe this to be a very small set
of cases. If in doubt, do not point :include: aliases at
NFS-mounted filesystems.
SECURITY: When setting a numeric group id using the RunAsUser option
(e.g., "O RunAsUser=10:20", the group id would not be set.
Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha
group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine.
The user id was still set properly. Problem noted by Uli
Pralle of the Technical University of Berlin.
Save the initial gid set for use when checking for if the
PrivacyOptions=restrictmailq option is set. Problem reported
by Wolfgang Ley of DFN-CERT.
Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a
failure on one message won't affect future messages to the
same host).
IP source route printing had an "off by one" error that would
affect any options that came after the route option. Patch
from Theo de Raadt.
The "Message is too large" error didn't successfully bounce the error
back to the sender. Problem reported by Stephen More of
PSI; patch from Gregory Neil Shapiro of WPI.
Change SMTP status code 553 to map into Extended code 5.1.0 (instead
of 5.1.3); it apparently gets used in multiple ways.
Suggested by John Myers of Portola Communications.
Fix possible extra null byte generated during collection if errors
occur at the beginning of the stream. Patch contributed by
Andrey A. Chernov and Gregory Neil Shapiro.
Code changes to avoid possible reentrant call of malloc/free within
a signal handler. Problem noted by John Beck of Sun
Microsystems.
Move map initialization to be earlier so that check_relay ruleset
will have the latest version of the map data. Problem noted
by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro.
If there are fatal errors during the collection phase (e.g., message
too large) don't send the bogus message.
Avoid "cannot open xfAAA00000" messages when sending to aliases that
have errors and have owner- aliases. Problem noted by Michael
Barber of MTU; fix from Gregory Neil Shapiro of WPI.
Avoid null pointer dereference on illegal Boundary= parameters in
multipart/mixed Content-Type: header. Problem noted by
Richard Muirden of RMIT University.
Always print error messages during newaliases (-bi) even if the
ErrorMode is not set to "print". Fix from Gregory Neil
Shapiro.
Test mode could core dump if you did a /map lookup in an optional map
that could not be opened. Based on a fix from John Beck of
Sun Microsystems.
If DNS is misconfigured so that the last MX record tried points to
a host that does not have an A record, but other MX records
pointed to something reasonable, don't bounce the message
with a "host unknown" error. Note that this should really
be fixed in the zone file for the domain. Problem noted by
Joe Rhett of Navigist, Inc.
If a map fails (e.g., DNS times out) on all recipient addresses, mark
the message as having been tried; otherwise the next queue
run will not realize that this is a second attempt and will
retry immediately. Problem noted by Bryan Costales of
Mercury Mail.
If the clock is set backwards, and a MinQueueAge is set, no jobs
will be run until the later setting of the clock is reached.
"Problem" (I use the term loosely) noted by Eric Hagberg of
Morgan Stanley.
If the load average rises above the cutoff threshold (above which
sendmail will not process the queue at all) during a queue
run, abort the queue run immediately. Problem noted by
Bryan Costales of Mercury Mail.
The variable queue processing algorithm (based on the message size,
number of recipients, message precedence, and job age) was
non-functional -- either the entire queue was processed or
none of the queue was processed. The updated algorithm
does no queue run if a single recipient zero size job will
not be run.
If there is a fatal ("panic") message that will cause sendmail to
die immediately, never hold the error message for future
printing.
Force ErrorMode=print in -bt mode so that all errors are printed
regardless of the setting of the ErrorMode option in the
configuration file. Patch from Gregory Neil Shapiro.
New compile flag HASSTRERROR says that this OS has the strerror(3)
routine available in one of the libraries. Use it in conf.h.
The -m (match only) flag now works on host class maps.
If class hash or btree maps are rebuilt, sendmail will now detect
this and reopen the map. Previously, they could give
erroneous results during a single message processing
(but would recover when the next message was received).
Don't delete zero length queue files when doing queue runs until the
files are at least ten minutes old. This avoids a potential
race condition: the creator creates the qf file, getting back
a file descriptor. The queue runner locks it and deletes it
because it is zero length. The creator then writes the
descriptor that is now for a disconnected file, and the
job goes away. Based on a suggestion by Bryan Costales.
When determining the "validated" host name ($_ macro), do a forward
(A) DNS lookup on the result of the PTR lookup and compare
results. If they differ or if the PTR lookup fails, tag the
address as "may be forged".
Log null connections (i.e., hosts that connect but do not do any
substantive activity on the connection before disconnecting;
"substantive" is defined to be MAIL, EXPN, VRFY, or ETRN.
Always permit "writes" to /dev/null regardless of the link count.
This is safe because /dev/null is special cased, and no open
or write is ever actually attempted. Patch from Villy Kruse
of TwinCom.
If a message cannot be sent because of a 552 (exceeded storage
allocation) response to the MAIL FROM:<>, and a SIZE= parameter
was given, don't return the body in the bounce, since there
is a very good chance that the message will double-bounce.
Fix possible line truncation if a quoted-printable had an =00 escape
in the body. Problem noted by Charles Karney of the Princeton
Plasma Physics Laboratory.
Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses.
Problem noted by Kari Hurtta of the Finnish Meteorological
Institute.
The MaxDaemonChildren option wasn't applying to queue runs as
documented. Note that this increases the potential denial
of service problems with this option: an attacker can
connect many times, and thereby lock out queue runs as well
as incoming connections. If you use this option, you should
run the "sendmail -bd" and "sendmail -q30m" jobs separately
to avoid this attack. Failure to limit noted by Matthew
Dillon of BEST Internet Communications.
Always give a message in newaliases if alias files cannot be
opened instead of failing silently. Suggested by Gregory
Neil Shapiro. This change makes the code match the O'Reilly
book (2nd edition).
Some older versions of the resolver could return with h_errno == -1
if no name server could be reached, causing mail to bounce
instead of queueing. Treat this like TRY_AGAIN. Fix from
John Beck of SunSoft.
If a :include: file is owned by a user that does not have an entry
in the passwd file, sendmail could dereference a null pointer.
Problem noted by Satish Mynam of Sun Microsystems.
Take precautions to make sure that the SMTP protocol cannot get out
of sync if (for example) an alias file cannot be opened.
Fix a possible race condition that can cause a SIGALRM to come in
immediately after a SIGHUP, causing the new sendmail to die.
Avoid possible hang on SVr3 systems when doing child reaping. Patch
from Villy Kruse of TwinCom.
Ignore improperly formatted SMTP reply codes. Previously these were
partially processed, which could cause confusing error
returns.
Fix possible bogus pointer dereference when doing ldapx map lookups
on some architectures.
Portability:
A/UX: from Jim Jagielski of NASA/GSFC.
glibc: SOCK_STREAM was changed from a #define to an enum,
thus breaking #ifdef SOCK_STREAM. Only option seems
to be to assume SOCK_STREAM if __GNU_LIBRARY__ is
defined. Problem reported by A Sun of the University
of Washington.
Solaris: use SIOCGIFNUM to get the number of interfaces on
the system rather than guessing at compile time.
Patch contributed by John Beck of Sun Microsystems.
Intel Paragon: from Wendy Lin of Purdue University.
GNU Hurd: from Miles Bader of the GNU project.
RISC/os 4.50 from Harlan Stenn of PFCS Corporation.
ISC Unix: wait never returns if SIGCLD signals are blocked.
Unfortunately releasing them opens a race condition,
but there appears to be no fix for this. Patch from
Gregory Neil Shapiro.
BIND 8.1 for IPv6 compatibility from John Kennedy.
Solaris: a bug in strcasecmp caused characters with the
high order bit set to apparently randomly match
letters -- for example, $| (0233) matches "i" and "I".
Problem noted by John Gregson of the University of
Cambridge.
IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From
Kari Hurtta.
IRIX 6.x: Create Makefiles for systems that claim to be
IRIX64 but are 6.2 or higher (so use the regular
IRIX Makefile).
IRIX 6.x: Fix load average computation on 64 bit kernels.
Problem noted by Eric Hagberg of Morgan Stanley.
CONFIG: Some canonification was still done for UUCP-like addresses
even if FEATURE(nocanonify) was set. Problem pointed out by
Brian Candler.
CONFIG: In some cases UUCP mailers wouldn't properly recognize all
local names as local. Problem noted by Jeff Polk of BSDI;
fix provided by Gregory Neil Shapiro.
CONFIG: The "local:user" syntax entries in mailertables and other
"mailer:user" syntax locations returned an incorrect value
for the $h macro. Problem noted by Gregory Neil Shapiro.
CONFIG: Retain "+detail" information when forwarding mail to a
MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip
Guenther of Gustavus Adolphus College.
CONFIG: Make sure user+detail works for FEATURE(virtusertable);
rules are the same as for aliasing. Based on a patch from
Gregory Neil Shapiro.
CONFIG: Break up parsing rules into several pieces; this should
have no functional change in this release, but makes it
possible to have better anti-spam rulesets in the future.
CONFIG: Disallow double dots in host names to avoid having the
HostStatusDirectory store status under the wrong name.
In some cases this can be used as a denial-of-service attack.
Problem noted by Ron Jarrell of Virginia Tech, patch from
Gregory Neil Shapiro.
CONFIG: Don't use F=m (multiple recipients per invocation) for
MAILER(procmail), but do pass F=Pn9 (include Return-Path:,
don't include From_, and convert to 8-bit). Suggestions
from Kimmo Suominen and Roderick Schertler.
CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) were
being masqueraded as though FEATURE(masquerade_entire_domain)
was specified, even when it wasn't.
MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft.
MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't
"slip in" a symbolic link between the lstat(2) call and the
exclusive open. This is only a problem on System V derived
systems that allow an exclusive create on files that are
symbolic links pointing nowhere.
MAIL.LOCAL: If the final mailbox close() failed, the user id was
not reset back to root, which on some systems would cause
later mailboxes to fail. Also, any partial message would
not be truncated, which could result in repeated deliveries.
Problem noted by Bruce Evans via Peter Wemm (FreeBSD
developers).
MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar
change to the sendmail map code was made in 8.8.3. Problem
noted by Gregory Neil Shapiro.
MAKEMAP: Give warnings on file problems such as map files that are
symbolic links; although makemap is not setuid root, it is
often run as root and hence has the potential for the same
sorts of problems as alias rebuilds.
MAKEMAP: Change compilation so that it will link properly on
NEXTSTEP.
CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf.
Accept an optional list of arguments following the server
name for the ETRN arguments to use (instead of $=w). Other
miscellaneous bug fixes. From Christian von Roques via
John Beck of Sun Microsystems.
CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta. This
Perl script converts GECOS information in the /etc/passwd
file into aliases, allowing for faster access to full name
lookups; it is also clever about adding aliases (to root)
for system accounts.
NEW FILES:
src/safefile.c
cf/ostype/gnuhurd.m4
cf/ostype/irix6.m4
contrib/passwd-to-alias.pl
src/Makefiles/Makefile.IRIX64.6.1
src/Makefiles/Makefile.IRIX64.6.x
RENAMED FILES:
src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x
src/Makefiles/Makefile.IRIX64 => Makefile.IRIX64.6.0
8.8.5/8.8.5 1997/01/21
SECURITY: Clear out group list during startup. Without this, sendmail
will continue to run with the group permissions of the caller,
even if RunAsUser is specified.
SECURITY: Make purgestat (-bH) be root-only. This is not in response
to any known attack, but it's best to be conservative.
Suggested by Peter Wemm of DIALix.
SECURITY: Fix buffer overrun problem in MIME code that has possible
security implications. Patch from Alex Garthwaite of the
University of Pennsylvania.
Use of a -f flag with a phrase attached (e.g., "-f 'Full Name <addr>'")
would truncate the address after "Full". Although the -f
syntax is incorrect (since it is in the envelope, it
shouldn't have comments and full names), the failure mode
was unnecessarily awful.
Fix a possible null pointer dereference when converting 8-bit data
to a 7-bit format. Problem noted by Jim Hutchins of
Sandia National Labs and David James of British Telecom.
Clear out stale state that affected F=9 on SMTP mailers in queue
runs. Although this really shouldn't be used (F=9 is for
final delivery only, and using it on an SMTP mailer makes
it possible for a message to be converted from 8->7->8->7
bits several times), it shouldn't have failed with a syserr.
Problem noted by Eric Hagberg of Morgan Stanley.
_Really_ fix the multiple :maildrop code in the user database
module. Patch from Roy Mongiovi of Georgia Tech.
Let F lines in the configuration file actually read root-only
files if the configuration file is safe. Based on a
patch from Keith Reynolds of SCO.
ETRN followed by QUIT would hold the connection open until the queue
run completed. Problem noted by Truck Lewis of TDK
Semiconductor Corp.
It turns out that despite the documentation, the TCP wrappers library
does _not_ log rejected connections. Do the logging ourselves.
Problem noted by Fletcher Mattox of the University of Texas
at Austin.
If sendmail finds a qf file in its queue directory that is an unknown
version (e.g., when backing out to an old version), the
error is reported on every queue run. Change it to only
give the error once (and rename the qf => Qf). Patch from
William A. Gianopoulos of Raytheon Company.
Start a new session when doing background delivery; currently it
ignored signals but didn't start a new signal, that caused
some problems if a background process tried to send mail
under certain circumstances. Problem noted by Eric Hagberg
of Morgan Stanley; fix from Kari Hurtta.
Simplify test for skipping a queue run to just check if the current
load average is >= the queueing load average. Previously
the check factored in some other parameters that caused it
to essentially never skip the queue run. Patch from Bryan
Costales.
If the SMTP server is running in "nullserver" mode (that is, it is
rejecting all commands), start sleeping after MAXBADCOMMAND
(25) commands; this helps prevent a bad guy from putting
you into a tight loop as a denial-of-service attack. Based
on an e-mail conversation with Brad Knowles of AOL.
Slow down when too many "light weight" commands have been issued;
this helps prevent a class of denial-of-service attacks.
The current values and defaults are:
MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR
MAXHELOCOMMANDS 3 HELO, EHLO
MAXVRFYCOMMANDS 6 VRFY, EXPN
MAXETRNCOMMANDS 8 ETRN
These will probably be configurable in a future release.
On systems that have uid_t typedefed to be an unsigned short, programs
that had the F=S flag and no U= equate would be invoked with
the real uid set to 65535 rather than being left unchanged.
In some cases, NOTIFY=NEVER was not being honored. Problem noted
by Steve Hubert of the University of Washington, Seattle.
Mail that was Quoted-Printable encoded and had a soft line break on
the last line (i.e., an incomplete continuation) had the last
line dropped. Since this appears to be illegal it isn't
clear what to do with it, but flushing the last line seems
to be a better "fail soft" approach. Based on a patch from
Eric Hagberg.
If AllowBogusHELO and PrivacyOptions=needmailhelo are both set, a
bogus HELO command still causes the "Polite people say HELO
first" error message. Problem pointed out by Chris Thomas
of UCLA; patch from John Beck of SunSoft.
Handle "sendmail -bp -qSfoobar" properly if restrictqrun is set
in PrivacyOptions. The -q shouldn't turn this command off.
Problem noted by Murray Kucherawy of Pacific Bell Internet;
based on a patch from Gregory Neil Shapiro of WPI.
Don't consider SMTP reply codes 452 or 552 (exceeded storage allocation)
in a DATA transaction to be sticky; these can occur because
a message is too large, and smaller messages should still go
through. Problem noted by Matt Dillon of Best Internet
Communications.
In some cases bounces were saved in /var/tmp/dead.letter even if they
had been successfully delivered to the envelope sender.
Problem noted Eric Hagberg of Morgan Stanley; solution from
Gregory Neil Shapiro of WPI.
Give better diagnostics on long alias lines. Based on code contributed
by Patrick Gosling of the University of Cambridge.
Increase the number of virtual interfaces that will be probed for
alternate names. Problem noted by Amy Rich of Shore.Net.
PORTABILITY:
UXP/DS V20L10 for Fujitsu DS/90: Makefile patches from
Toshiaki Nomura of Fujitsu Limited.
SunOS with LDAP support: compile problems with struct timeval.
Patch from Nick Cuccia of TCSI Corporation.
SCO: from Keith Reynolds of SCO.
Solaris: kstat load average computation wasn't being used.
Fixes from Michael Ju. Tokarev of Telecom Service, JSC
(Moscow).
OpenBSD: from Jason Downs of teeny.org.
Altos System V: from Tim Rice.
Solaris 2.5: from Alan Perry of SunSoft.
Solaris 2.6: from John Beck of SunSoft.
Harris Nighthawk PowerUX (mh6000 box): from Bob Miorelli
of Pratt & Whitney <miorelli@pweh.com>.
CONFIG: It seems that I hadn't gotten the Received: line syntax
_just_right_ yet. Tweak it again. I'll omit the names
of the "contributors" (quantity two) in this one case.
As of now, NO MORE DISCUSSION about the syntax of the
Received: line.
CONFIG: Although FEATURE(nullclient) uses EXPOSED_USER (class $=E),
it never inserts that class into the output file. Fix it
so it will honor EXPOSED_USER but will _not_ include root
automatically in this class. Problem noted by Ronan KERYELL
of Centre de Recherche en Informatique de l'蒫ole Nationale
Sup閞ieure des Mines de Paris (CRI-ENSMP).
CONFIG: Clean up handling of "local:" syntax in relay specifications
such as LUSER_RELAY. This change permits the following
syntaxes: ``local:'' will send to the same user on the
local machine (e.g., in a mailertable entry for "host",
``local:'' will cause an address addressed to user@host to
go to user on the local machone). ``local:user'' will send
to the named user on the local machine. ``local:user@host''
is equivalent to ``local:user'' (the host is ignored). In
all cases, the original user@host is passed in $@ (i.e., the
detail information). Inspired by a report from Michael Fuhr.
CONFIG: Strip quotes from the first word of an "error:" host
indication. This lets you set (for example) the LUSER_RELAY
to be ``error:"5.1.1" Your Message Here''. Note the use
of the " so that the resulting string is properly quoted.
Problem noted by Gregory Neil Shapiro of WPI.
OP.ME: documentation was inconsistent about whether sendmail did a
NOOP or a RSET to probe the connection (it does a RSET).
Inconsistency noted by Deeran Peethamparam.
OP.ME: insert additional blank pages so it will print properly on
a duplex printer. From Matthew Black of Cal State University,
Long Beach.
8.8.4/8.8.4 1996/12/02
SECURITY: under some circumstances, an attacker could get additional
permissions by hard linking to files that were group
writable by the attacker. The solution is to disallow any
files that have hard links -- this will affect .forward,
:include:, and output files. Problem noted by Terry
Kyriacopoulos of Interlog Internet Services. As a
workaround, set UnsafeGroupWrites -- always a good idea.
SECURITY: the TryNullMXList (w) option should not be safe -- if it
is, it is possible to do a denial-of-service attack on
MX hosts that rely on the use of the null MX list. There
is no danger if you have this option turned off (the default).
Problem noted by Dan Bernstein. Also, make the DontInitGroups
unsafe. I know of no specific attack against this, although
a denial-of-service attack is probably possible, but in theory
you should not be able to safely tweak anything that affects
the permissions that are used when mail is delivered.
Purgestat could go into an infinite loop if one of the host status
directories somehow became empty. Problem noted by Roy
Mongiovi of Georgia Tech.
Processes got "lost" when counting children due to a race condition.
This caused "proc_list_probe: lost pid" messages to be logged.
Problem noted by several people.
On systems with System V SIGCLD child signal semantics (notably AIX
and HP-UX), mail transactions would print the message "451
SMTP-MAIL: lost child: No child processes". Problem noted
by several people.
Miscellaneous compiler warnings on picky compilers (or when setting
gcc to high warning levels). From Tom Moore of NCR Corp.
SMTP protocol errors, and most errors on MAIL FROM: lines should
not be persistent between runs, since they are based on the
message rather than the host. Problem noted by Matt Dillon
of Best Internet Communications.
The F=7 flag was ignored on SMTP mailers. Problem noted by Tom Moore
of NCR (a.k.a., AT&T Global Information Solutions).
Avoid the possibility of having a child daemon run to completion
(including closing the SMTP socket) before the parent has
had a chance to close the socket; this can cause the parent
to hang for a long time waiting for the socket to drain.
Patch from Don Lewis of TDK Semiconductor.
If the fork() failed in a queue run, the queue runners would not be
rescheduled (so queue runs would stop). Patch from Don Lewis.
Some error conditions in ETRN could cause output without an SMTP
status code. Problem noted by Don Lewis.
Multiple :maildrop addresses in the user database didn't work properly.
Patch from Roy Mongiovi of Georgia Tech.
Add ".db" automatically onto any user database spec that does not
already have it; this is for consistency with makemap, the
K line, and the documentation. Inconsistency pointed out
by Roy Mongiovi.
Allow sendmail to be properly called in nohup mode. Patch from
Kyle Jones of UUNET.
Change ETRN to ignore but still update host status files; previously
it would ignore them and not save the updated status, which
caused stale information to be maintained. Based on a patch
from Christopher Davis of Kapor Enterprises Inc. Also, have
ETRN ignore the MinQueueAge option.
Patch long term host status to recover more gracefully from an empty
host status file condition. Patch from NAKAMURA Motonori
of Kyoto University.
Several patches to signal handling code to fix potential race
conditions from Don Lewis.
Make it possible to compile with -DDAEMON=0 (previously it had some
compile errors). This turns DAEMON, QUEUE, and SMTP into
0/1 compilation flags. Note that DAEMON is an obsolete
compile flag; use NETINET instead. Solution based on a
patch from Bryan Costales.
PORTABILITY FIXES:
AIX4: getpwnam() and getpwuid() do a sequential scan of the
/etc/security/passwd file when called as root. This
is very slow on some systems. To speed it up, use the
(undocumented) _getpw{nam,uid}_shadow() routines.
Patch from Chris Thomas of UCLA/OAC Systems Group.
SCO 5.x: include -lprot in the Makefile. Patch from Bill
Glicker of Burrelle's Information Service.
NEWS-OS 4.x: need a definition for MODE_T to compile. Patch
from Makoto MATSUSHITA of Osaka University.
SunOS 4.0.3: compile problems. Patches from Andrew Cole of
Leeds University and SASABE Tetsuro of the University
of Tokyo.
DG/UX 5.4.4.11 from Brian J. Murrell of InterLinx Support
Services, Inc.
Domain/OS from Don (Truck) Lewis of TDK Semiconductor Corp.
I believe this to have only been a problem if you
compiled with -DUSE_VENDOR_CF_PATH -- another reason
to stick with /etc/sendmail.cf as your One True Path.
Digital UNIX (OSF/1 on Alpha) load average computation from
Martin Laubach of the Technischen Universit鋞 Wien.
CONFIG: change default Received: line to be multiple lines rather
than one long one. By popular demand.
MAIL.LOCAL: warnings weren't being logged on some systems. Patch
from Jerome Berkman of U.C. Berkeley.
MAKEMAP: be sure to zero hinfo to avoid cruft that can cause runs
to take a very long time. Problem noted by Yoshiro YONEYA
of NTT Software Corporation.
CONTRIB: add etrn.pl, contributed by John Beck.
NEW FILES:
contrib/etrn.pl
8.8.3/8.8.3 1996/11/17
SECURITY: it was possible to get a root shell by lying to sendmail
about argv[0] and then sending it a signal. Problem noted
by Leshka Zakharoff <leshka@leshka.chuvashia.su> on the
best-of-security list.
Log sendmail binary version number in "Warning: .cf version level
(%d) exceeds program functionality (%d) message" -- this
should make it clearer to people that they are running
the wrong binary.
Fix a problem that occurs when you open an SMTP connection and then
do one or more ETRN commands followed by a MAIL command; at
the end of the DATA phase sendmail would incorrectly report
"451 SMTP-MAIL: lost child: No child processes". Problem
noted by Eric Bishop of Virginia Tech.
When doing text-based host canonification (typically /etc/hosts
lookup), a null host name would match any /etc/hosts entry
with space at the end of the line. Problem noted by Steve
Hubert of the University of Washington, Seattle.
7 to 8 bit BASE64 MIME conversions could duplicate bits of text.
Problem reported by Tom Smith of Digital Equipment Corp.
Increase the size of the DNS answer buffer -- the standard UDP packet
size PACKETSZ (512) is not sufficient for some nameserver
answers containing very many resource records. The resolver
may also switch to TCP and retry if it detects UDP packet
overflow. Also, allow for the fact that the resolver
routines res_query and res_search return the size of the
*un*truncated answer in case the supplied answer buffer it
not big enough to accommodate the entire answer. Patch from
Eric Wassenaar.
Improvements to MaxDaemonChildren code. If you think you have too
many children, probe the ones you have to verify that they
are still around. Suggested by Jared Mauch of CICnet, Inc.
Also, do this probe before growing the vector of children
pids; this previously caused the vector to grow indefinitely
due to a race condition. Problem reported by Kyle Jones of
UUNET.
On some architectures, <db.h> (from the Berkeley DB library) defines
O_EXLOCK to zero; this fools the map compilation code into
thinking that it can avoid race conditions by locking on open.
Change it to check for O_EXLOCK non-zero. Problem noted by
Leif Erlingsson of Data Lege.
Always call res_init() on startup (if compiled in, of course) to
allow the sendmail.cf file to tweak resolver flags; without
it, flag tweaks in ResolverOptions are ignored. Patch from
Andrew Sun of Merrill Lynch.
Improvements to host status printing code. Suggested by Steve Hubert
of the University of Washington, Seattle.
Change MinQueueAge option processing to do the check for the job age
when reading the queue file, rather than at the end; this
avoids parsing the addresses, which can do DNS lookups.
Problem noted by John Beck of InReference, Inc.
When MIME was being 7->8 bit decoded, "From " lines weren't being
properly escaped. Problem noted by Peter Nilsson of the
University of Linkoping.
In some cases, sendmail would retain root permissions during queue
runs even if RunAsUser was set. Problem noted by Mark
Thomas of Mark G. Thomas Consulting.
If the F=l flag was set on an SMTP mailer to indicate that it is
actually local delivery, and NOTIFY=SUCCESS is specified in
the envelope, and the receiving SMTP server speaks DSN, then
the DSN would be both generated locally and propagated to the
other end.
The U= mailer field didn't correctly extract the group id if the
user id was numeric. Problem noted by Kenneth Herron of
MCI Telecommunications Communications.
If a message exceeded the fixed maximum size on input, the body of
the message was included in the bounce. Note that this did
not occur if it exceeded the maximum _output_ size. Problem
reported by Kyle Jones of UUNET.
PORTABILITY FIXES:
AIX4: 4.1 doesn't have a working setreuid(2); change the
AIX4 defines to use seteuid(2) instead, which
works on 4.1 as well as 4.2. Problem noted by
H錵an Lindholm of interAF, Sweden.
AIX4: use tzname[] vector to determine time zone name.
Patch from NAKAMURA Motonori of Kyoto University.
MkLinux: add Makefile.Linux.ppc and OSTYPE(mklinux) support.
Contributed by Paul DuBois <dubois@primate.wisc.edu>.
Solaris: kstat(3k) support for retrieving the load average.
This adds the LA_KSTAT definition for LA_TYPE.
The outline of the implementation was contributed
by Michael Tokarev of Telecom Service, JSC, Moscow.
HP-UX 10.0 gripes about the (perfectly legal!) forward
declaration of struct rusage at the top of conf.h;
change it to only be included if you are using gcc,
which is apparently the only compiler that requires
it in the first place. Problem noted by Jeff
Earickson of Colby College.
IRIX: don't default to using gcc. IRIX is a civilized
operating system that comes with a decent compiler
by default. Problem noted by Barry Bouwsma and
Kari Hurtta.
CONFIG: specify F=9 as default in FEATURE(local_procmail) for
consistency with other local mailers. Inconsistency
pointed out by Teddy Hogeborn <teddy@fukt.hk-r.se>.
CONFIG: if the "limited best mx" feature is used (to reduce DNS
overhead) as part of the bestmx_is_local feature, the
domain part was dropped from the name. Patch from Steve
Hubert of the University of Washington, Seattle.
CONFIG: catch addresses of the form "user@.dom.ain"; these could
end up being translated to the null host name, which would
return any entry in /etc/hosts that had a space at the end
of the line. Problem noted by Steve Hubert of the
University of Washington, Seattle.
CONFIG: add OSTYPE(aix4). From Michael Sofka of Rensselaer
Polytechnic Institute.
MAKEMAP: tweak hash and btree parameters for better performance.
Patch from Matt Dillon of Best Internet Communications.
NEW FILES:
src/Makefiles/Makefile.Linux.ppc
cf/ostype/aix4.m4
cf/ostype/mklinux.m4
8.8.2/8.8.2 1996/10/18
SECURITY: fix a botch in the 7-bit MIME patch; the previous patch
changed the code but didn't fix the problem.
PORTABILITY FIXES:
Solaris: Don't use the system getusershell(3); it can
apparently corrupt the heap in some circumstances.
Problem found by Ken Pizzini of Spry, Inc.
OP.ME: document several mailer flags that were accidentally omitted
from this document. These flags were F=d, F=j, F=R, and F=9.
CONFIG: no changes.
8.8.1/8.8.1 1996/10/17
SECURITY: unset all environment variables that the resolver will
examine during queue runs and daemon mode. Problem noted
by Dan Bernstein of the University of Illinois at Chicago.
SECURITY: in some cases an illegal 7-bit MIME-encoded text/plain
message could overflow a buffer if it was converted back
to 8 bits. This caused core dumps and has the potential
for a remote attack. Problem first noted by Gregory Shapiro
of WPI.
Avoid duplicate deliveries of error messages on systems that don't
have flock(2) support. Patch from Motonori Nakamura of
Kyoto University.
Ignore null FallBackMX (V) options. If this option is null (as
opposed to undefined) it can cause "null signature" syserrs
on illegal host names.
If a Base64 encoded text/plain message has no trailing newline in
the encoded text, conversion back to 8 bits will drop the
final line. Problem noted by Pierre David.
If running with a RunAsUser, sendmail would give bogus "cannot
setuid" (or seteuid, or setreuid) messages on some systems.
Problem pointed out by Jordan Mendelson of Web Services, Inc.
Always print error messages in -bv mode -- previously, -bv would
be absolutely silent on errors if the error mode was sent
to (say) mail-back. Problem noted by Kyle Jones of UUNET.
If -qI/R/S is set (or the ETRN command is used), ignore all long
term host status. This is necessary because it is common
to do this when you know a host has just come back up.
Disallow duplicate HELO/EHLO commands as required by RFC 1651 section
4.2. Excessive permissiveness noted by Lee Flight of the
University of Leicester.
If a service (such as NIS) is specified as the last entry in the
service switch, but that service is not compiled in, sendmail
would return a temporary failure when an entry was not found
in the map. This caused the message to be queued instead of
bouncing immediately. Problem noted by Harry Edmon of the
University of Washington.
PORTABILITY FIXES:
Solaris 2.3 had compilation problems in conf.c. Several
people pointed this out.
NetBSD from Charles Hannum of MIT.
AIX4 improvements based on info from Steve Bauer of South
Dakota School of Mines & Technology.
CONFIG: ``error:code message'' syntax was broken in virtusertable.
Patch from Gil Kloepfer Jr.
CONFIG: if FEATURE(nocanonify) was specified, hosts in $=M (set
using MASQUERADE_DOMAIN) were not masqueraded unless they
were also in $=w. Problem noted by Zoltan Basti of
Softec.
MAIL.LOCAL: patches to compile and link cleanly on AIX. Based
on a patch from Eric Hagberg of Morgan Stanley.
MAIL.LOCAL: patches to compile on NEXTSTEP. From Patrick Nolan
of Stanford via Robert La Ferla.
8.8.0/8.8.0 1996/09/26
Under some circumstances, Bcc: headers would not be properly
deleted. Pointed out by Jonathan Kamens of OpenVision.
Log a warning if the sendmail daemon is invoked without a full
pathname, which prevents "kill -1" from working. I was
urged to put this in by Andrey A. Chernov of DEMOS (Russia).
Fix small buffer overflow. Since the data in this buffer was not
read externally, there was no security problem (and in fact
probably wouldn't really overflow on most compilers). Pointed
out by KIZU takashi of Osaka University.
Fix problem causing domain literals such as [1.2.3.4] to be ignored
if a FallbackMXHost was specified in the configuration file
-- all mail would be sent to the fallback even if the original
host was accessible. Pointed out by Munenari Hirayama of
NSC (Japan).
A message that didn't terminate with a newline would (sometimes) not
have the trailing "." added properly in the SMTP dialogue,
causing SMTP to hang. Patch from Per Hedeland of Ericsson.
The DaemonPortOptions suboption to bind to a particular address was
incorrect and nonfunctional due to a misunderstanding of the
semantics of binding on a passive socket. Patch from
NIIBE Yutaka of Mitsubishi Research Institute.
Increase the number of MX hosts for a single name to 100 to better
handle the truly huge service providers such as AOL, which
has 13 at the moment (and climbing). In order to avoid
trashing memory, the buffer for all names has only been
slightly increased in size, to 12.8K from 10.2K -- this means
that if a single name had 100 MX records, the average size
of those records could not exceed 128 bytes. Requested by
Brad Knowles of America On Line.
Restore use of IDENT returns where the OSTYPE field equals "OTHER".
Urged by Dan Bernstein of U.C. Berkeley.
Print q_statdate and q_specificity in address structure debugging
printout.
Expand MCI structure flag bits for debugging output.
Support IPv6-style domain literals, which can have colons between
square braces.
Log open file descriptors for the "cannot dup" messages in deliver();
this is an attempt to track down a bug that one person seems
to be having (it may be a Solaris bug!).
DSN NOTIFY parameters were not properly propagated across queue runs;
this caused the NOTIFY info to sometimes be lost. Problem
pointed out by Claus Assmann of the
Christian-Albrechts-University of Kiel.
The statistics gathered in the sendmail.st file were too high; in
some cases failures (e.g., user unknown or temporary failure)
would count as a delivery as far as the statistics were
concerned. Problem noted by Tom Moore of AT&T GIS.
Systems that don't have flock() would not send split envelopes in
the initial run. Problem pointed out by Leonard Zubkoff of
Dandelion Digital.
Move buffer overflow checking -- these primarily involve distrusting
results that may come from NIS and DNS.
4.4-BSD-derived systems, including FreeBSD, NetBSD, and BSD/OS didn't
include <paths.h> and hence had the wrong pathnames for a few
things like /var/tmp. Reported by Matthew Green.
Conditions were reversed for the Priority: header, resulting in all
values being interpreted as non-urgent except for non-urgent,
which was interpreted as normal. Patch from Bryan Costales.
The -o (optional) flag was being ignored on hash and btree maps
since 8.7.2. Fix from Bryan Costales.
Content-Types listed in class "q" will always be encoded as
Quoted-Printable (or more accurately, will never be encoded
as base64). The class can have primary types (e.g., "text")
or full types (e.g., "text/plain"). Based on a suggestion by
Marius Olafsson of the University of Iceland.
Define ${envid} to be the original envelope id (from the ESMTP DSN
dialogue) so it can be passed to programs in mailers.
Define ${bodytype} to be the body type (from the -B flag or the
BODY= ESMTP parameter) so it can be passed to programs in
mailers.
Cause the VRFY command to return 252 instead of 250 unless the F=q
flag is set in the mailer descriptor. Suggested by John
Myers of CMU.
Implement ESMTP ETRN command to flush the queue for a specific host.
The command takes a host name; data for that host is
immediately (and asynchronously) flushed. Because this shares
the -qR implementation, other hosts may be attempted, but
there should be no security implications. Implementation
from John Beck of InReference, Inc. See RFC 1985 for details.
Add three new command line flags to pass in DSN parameters: -V envid
(equivalent to ENVID=envid on the MAIL command), -R ret
(equivalent to RET=ret on the MAIL command), and -Nnotify
(equivalent to NOTIFY=notify on the RCPT command). Note
that the -N flag applies to all recipients; there is no way
to specify per-address notifications on the command line,
nor is there an equivalent for the ORCPT= per-address
parameter.
Restore LogLevel option to be safe (it can only be increased);
apparently I went into paranoid mode between 8.6 and 8.7
and made it unsafe. Pointed out by Dabe Murphy of the
University of Maryland.
New logging on log level 15: all SMTP traffic. Patches from
Andrew Gross of San Diego Supercomputer Center.
NetInfo property value searching code wasn't stopping when it found
a match. This was causing the wrong values to be found (and
had a memory leak). Found by Bastian Schleuter of TU-Berlin.
Add new F=0 (zero) mailer flag to turn off MX lookups. It was pointed
out by Bill Wisner of Electronics for Imaging that you can't
use the bracket address form for the MAIL_HUB macro, since
that causes the brackets to remain in the envelope recipient
address used for delivery. The simple fix (stripping off the
brackets in the config file) breaks the use of IP literal
addresses. This flag will solve that problem.
Add MustQuoteChars option. This is a list of characters that must
be quoted if they are found in the phrase part of an address
(that is, the full name part). The characters @,;:()[] are
always in this list and cannot be removed. The default is
this list plus . and ' to match RFC 822.
Add AllowBogusHELO option; if set, sendmail will allow HELO commands
that do not include a host name for back compatibility with
some stupid SMTP clients. Setting this violates RFC 1123
section 5.2.5.
Add MaxDaemonChildren option; if this is set, sendmail will start
rejecting connections if it has more than this many
outstanding children accepting mail. Note that you may
see more processes than this because of outgoing mail; this
is for incoming connections only.
Add ConnectionRateThrottle option. If set to a positive value, the
number of incoming SMTP connections that will be permitted
in a single second is limited to this number. Connections are
not refused during this time, just deferred. The intent is to
flatten out demand so that load average limiting can kick in.
It is less radical than MaxDaemonChildren, which will stop
accepting connections even if all the connections are idle
(e.g., due to connection caching).
Add Timeout.hoststatus option. This interval (defaulting to 30m)
specifies how long cached information about the state of a
host will be kept before they are considered stale and the
host is retried. If you are using persistent host status
(i.e., the HostStatusDirectory option is set) this will apply
between runs; otherwise, it applies only within a single queue
run and hence is useful only for hosts that have large queues
that take a very long time to run.
Add SingleLineFromHeader option. If set, From: headers are coerced
into being a single line even if they had newlines in them
when read. This is to get around a botch in Lotus Notes.
Text class maps were totally broken -- if you ever retrieved the last
item in a table it would be truncated. Problem noted by
Gregory Neil Shapiro of WPI.
Extend the lines printed by the mailq command (== the -bp flag) when
-v is given to 120 characters; this allows more information
to be displayed. Suggested by Gregory Neil Shapiro of WPI.
Allow macro definitions (`D' lines) with unquoted commas; previously
this was treated as end-of-input. Problem noted by Bryan
Costales.
The RET= envelope parameter (used for DSNs) wasn't properly written
to the queue file. Fix from John Hughes of Atlantic
Technologies, Inc.
Close /var/tmp/dead.letter after a successful write -- otherwise
if this happens in a queue run it can cause nasty delays.
Problem noted by Mark Horton of AT&T.
If userdb entries pointed to userdb entries, and there were multiple
values for a given key, the database cursor would get
trashed by the recursive call. Problem noted by Roy Mongiovi
of Georgia Tech. Fixed by reading all the values and creating
a comma-separated list; thus, the -v output will be somewhat
different for this case.
Fix buffer allocation problem with Hesiod-based userdb maps when
HES_GETMAILHOST is defined. Based on a patch by Betty Lee
of Stanford University.
When envelopes were split due to aliases with owner- aliases, and
there was some error on one of the lists, more than one of
the owners would get the message. Problem pointed out by
Roy Mongiovi of Georgia Tech.
Detect excessive recursion in macro expansions, e.g., $X defined
in terms of $Y which is defined in terms of $X. Problem
noted by Bryan Costales; patch from Eric Wassenaar.
When using F=U to get "ugly UUCP" From_ lines, a buffer could in
some cases get trashed causing bogus From_ lines. Fix from
Kyle Jones of UUNET.
When doing load average initialization, if the nlist call for avenrun
failed, the second and subsequent lookups wouldn't notice
that fact causing bogus load averages to be returned. Noted
by Casper Dik of Sun Holland.
Fix problem with incompatibility with some versions of inet_aton that
have changed the return value to unsigned, so a check for an
error return of -1 doesn't work. Use INADDR_NONE instead.
This could cause mail to addresses such as [foo.com] to bounce
or get dropped. Problem noted by Christophe Wolfhugel of the
Pasteur Institute.
DSNs were inconsistent if a failure occurred during the DATA phase
rather than the RCPT phase: the Action: would be correct, but
the detailed status information would be wrong. Problem noted
by Bob Snyder of General Electric Company.
Add -U command line flag and the XUSR ESMTP extension, both indicating
that this is the initial MUA->MTA submission. The flag current
does nothing, but in future releases (when MUAs start using
these flags) it will probably turn on things like DNS
canonification.
Default end-of-line string (E= specification on mailer [M] lines)
to rn on SMTP mailers. Default remains n on non-SMTP
mailers.
Change the internal definition for the *file* and *include* mailers
to have $u in the argument vectors so that they aren't
misinterpreted as SMTP mailers and thus use rn line
termination. This will affect anyone who has redefined
either of these in their configuration file.
Don't assume that IDENT servers close the connection after a query;
responses can be newline terminated. From Terry Kennedy of
St. Peter's College.
Avoid core dumps on erroneous configuration files that have
$#mailer with nothing following. From Bryan Costales.
Avoid null pointer dereference with high debug values in unlockqueue.
Fix from Randy Martin of Clemson University.
Fix possible buffer overrun when expanding very large macros. Fix
from Kyle Jones of UUNET.
After 25 EXPN or VRFY commands, start pausing for a second before
processing each one. This avoids a certain form of denial
of service attack. Potential attack pointed out by Bryan
Costales.
Allow new named (not numbered!) config file rules to do validity
checking on SMTP arguments: check_mail for MAIL commands and
check_rcpt for RCPT commands. These rulesets can do anything
they want; their result is ignored unless they resolve to the
$#error mailer, in which case the indicated message is printed
and the command is rejected. Similarly, the check_compat
ruleset is called before delivery with "from_addr $| to_addr"
(the $| is a meta-symbol used to separate the two addresses);
it can give a "this sender can't send to this recipient"
notification. Note that this patch allows $| to stand alone
in rulesets.
Define new macros ${client_name}, ${client_addr}, and ${client_port}
that have the name, IP address, and port number (respectively)
of the SMTP client (that is, the entity at the other end of
the connection. These can be used in (e.g.) check_rcpt to
verify that someone isn't trying to relay mail through your
host inappropriately. Be sure to use the deferred evaluation
form, for example $&{client_name}, to avoid having these bound
when sendmail reads the configuration file.
Add new config file rule check_relay to check the incoming connection
information. Like check_compat, it is passed the host name
and host address separated by $| and can reject connections
on that basis.
Allow IDA-style recursive function calls. Code contributed by Mark
Lovell and Paul Vixie.
Eliminate the "No ! in UUCP From address!" message" -- instead, create
a virtual UUCP address using either a domain address or the $k
macro. Based on code contributed by Mark Lovell and Paul
Vixie.
Add Stanford LDAP map. Requires special libraries that are not
included with sendmail. Contributed by Booker C. Bense
<bbense@networking.stanford.edu>; contact him for support.
See also the src/READ_ME file.
Allow -dANSI to turn on ANSI escape sequences in debug output; this
puts metasymbols (e.g., $+) in reverse video. Really useful
only for debugging deep bits of code where it is important to
distinguish between the single-character metasymbol $+ and the
two characters $, +.
Changed ruleset 89 (executed in dumpstate()) to a named ruleset,
debug_dumpstate.
Add new UnsafeGroupWrites option; if set, .forward and :include:
files that are group writable are considered "unsafe" -- that
is, programs and files referenced from such files are not
valid recipients.
Delete bogosity test for FallBackMX host; this prevented it to be a
name that was not in DNS or was a domain-literal. Problem
noted by Tom May.
Change the introduction to error messages to more clearly delineate
permanent from temporary failures; if both existed in a
single message it could be confusing. Suggested by John
Beck of InReference, Inc.
The IngoreDot (i) option didn't work for lines that were terminated
with CRLF. Problem noted by Ted Stockwell of Secure
Computing Corporation.
Add a heuristic to improve the handling of unbalanced `<' signs in
message headers. Problem reported by Matt Dillon of Best
Internet Communications.
Check for bogus characters in the 0200-0237 range; since these are
used internally, very strange errors can occur if those
characters appear in headers. Problem noted by Anders Gertz
of Lysator.
Implement 7 -> 8 bit MIME conversions. This only takes place if the
recipient mailer has the F=9 flag set, and only works on
text/plain body types. Code contributed by Marius Olafsson
of the University of Iceland.
Special case "postmaster" name so that it is always treated as lower
case in alias files regardless of configuration settings;
this prevents some potential problems where "Postmaster" or
"POSTMASTER" might not match "postmaster". In most cases
this change is a no-op.
The -o map flag was ignored for text maps. Problem noted by Bryan
Costales.
The -a map flag was ignored for dequote maps. Problem noted by
Bryan Costales.
Fix core dump when a lookup of a class "prog" map returns no
response. Patch from Bryan Costales.
Log instances where sendmail is deferring or rejecting connections
on LogLevel 14. Suggested by Kyle Jones of UUNET.
Include port number in process title for network daemons. Suggested
by Kyle Jones of UUNET.
Send ``double bounces'' (errors that occur when sending an error
message) to the address indicated in the DoubleBounceAddress
option (default: postmaster). Previously they were always
sent to postmaster. Suggested by Kyle Jones of UUNET.
Add new mode, -bD, that acts like -bd in all respects except that
it runs in foreground. This is useful for using with a
wrapper that "watches" system services. Suggested by Kyle
Jones of UUNET.
Fix botch in spacing around (parenthesized) comments in addresses
when the comment comes before the address. Patch from
Motonori Nakamura of Kyoto University.
Use the prefix "Postmaster notify" on the Subject: lines of messages
that are being bounced to postmaster, rather than "Returned
mail". This permits the person who is postmaster more
easily determine what messages are to their role as
postmaster versus bounces to mail they actually sent. Based
on a suggestion by Motonori Nakamura.
Add new value "time" for QueueSortOrder option; this causes the queue
to be sorted strictly by the time of submission. Note that
this can cause very bad behavior over slow lines (because
large jobs will tend to delay small jobs) and on nodes with
heavy traffic (because old things in the queue for hosts that
are down delay processing of new jobs). Also, this does not
guarantee that jobs will be delivered in submission order
unless you also set DeliveryMode=queue. In general, it should
probably only be used on the command line, and only in
conjunction with -qRhost.domain. In fact, there are very few
cases where it should be used at all. Based on an
implementation by Motonori Nakamura.
If a map lookup in ruleset 5 returns tempfail, queue the message in
the same manner as other rulesets. Previously a temporary
failure in ruleset 5 was ignored. Patch from Booker Bense
of Stanford University.
Don't proceed to the next MX host if an SMTP MAIL command returns a
5yz (permanent failure) code. The next MX host will still be
tried if the connection cannot be opened in the first place
or if the MAIL command returns a 4yz (temporary failure) code.
(It's hard to know what to do here, since neither RFC 974 nor
RFC 1123 specify when to proceed to the next MX host.)
Suggested by Jonathan Kamens of OpenVision, Inc.
Add new "-t" flag for map definitions (the "K" line in the .cf file).
This causes map lookups that get a temporary failure (e.g.,
name server failure) to _not_ defer the delivery of the
message. This should only be used if your configuration file
is prepared to do something sensible in this case. Based on
an idea by Gregory Shapiro of WPI.
Fix problem finding network interface addresses. Patch from
Motonori Nakamura.
Don't reject qf entries that are not owned by your effective uid if
you are not running setuid; this makes management of certain
kinds of firewall setups difficult. Patch suggested by
Eamonn Coleman of Qualcomm.
Add persistent host status. This keeps the information normally
maintained within a single queue run in disk files that are
shared between sendmail instances. The HostStatusDirectory
is the directory in which the information is maintained. If
not set, persistent host status is turned off. If not a full
pathname, it is relative to the queue directory. A common
value is ".hoststat".
There are also two new operation modes:
* -bh prints the status of hosts that have had recent
connections.
* -bH purges the host statuses. No attempt is made to save
recent status information.
This feature was originally written by Paul Vixie of Vixie
Enterprises for KJS and adapted for V8 by Mark Lovell of
Bigrock Consulting. Paul's funding of Mark and Mark's patience
with my insistence that things fit cleanly into the V8
framework is gratefully appreciated.
New SingleThreadDelivery option (requires HostStatusDirectory to
operate). Avoids letting two sendmails on the local machine
open connections to the same remote host at the same time.
This reduces load on the other machine, but can cause mail to
be delayed (for example, if one sendmail is delivering a huge
message, other sendmails won't be able to send even small
messages). Also, it requires another file descriptor (for the
lock file) per connection, so you may have to reduce
ConnectionCacheSize to avoid running out of per-process
file descriptors. Based on the persistent host status code
contributed by Paul Vixie and Mark Lovell.
Allow sending to non-simple files (e.g., /dev/null) even if the
SafeFileEnvironment option is set. Problem noted by Bryan
Costales.
The -qR flag mistakenly matched flags in the "R" line of the queue
file. Problem noted by Bryan Costales.
If a job was aborted using the interrupt signal (e.g., control-C from
the keyboard), on some occasions an empty df file would be
left around; these would collect in the queue directory.
Problem noted by Bryan Costales.
Change the makesendmail script to enhance the search for Makefiles
based on release number. For example, on SunOS 5.5.1, it will
search for Makefile.SunOS.5.5.1, Makefile.SunOS.5.5, and then
Makefile.SunOS.5.x (in addition to the other rules, e.g.,
adding $arch). Problem noted by Jason Mastaler of Atlanta
Webmasters.
When creating maps using "newaliases", always map the keys to lower
case when creating the map unless the -f flag is specified on
the map itself. Previously this was done based on the F=u
flag in the local mailer, which meant you could create aliases
that you could never access. Problem noted by Bob Wu of DEC.
When a job was read from the queue, the bits causing notification on
failure or delay were always set. This caused those
notifications to be sent even if NOTIFY=NEVER had been
specified. Problem noted by Steve Hubert of the University
of Washington, Seattle.
Add new configurable routine validate_connection (in conf.c). This
lets you decide if you are willing to accept traffic from
this host. If it returns FALSE, all SMTP commands will return
"550 Access denied". -DTCPWRAPPERS will include support for
TCP wrappers; you will need to add -lwrap to the link line.
(See src/READ_ME for details.)
Don't include the "THIS IS A WARNING MESSAGE ONLY" banner on postmaster
bounces. Some people seemed to think that this could be
confusing (even though it is true). Suggested by Motonori
Nakamura.
Add new RunAsUser option; this causes sendmail to do a setuid to that
user early in processing to avoid potential security problems.
However, this means that all .forward and :include: files must
be readable by that user, and all files to be written must be
writable by that user and all programs will be executed by that
user. It is also incompatible with the SafeFileEnvironment
option. In other words, it may not actually add much to
security. However, it should be useful on firewalls and other
places where users don't have accounts and the aliases file is
well constrained.
Add Timeout.iconnect. This is like Timeout.connect except it is used
only on the first attempt to delivery to an address. It could
be set to be lower than Timeout.connect on the principle that
the mail should go through quickly to responsive hosts; less
responsive hosts get to wait for the next queue run.
Fix a problem on Solaris that occasionally causes programs
(such as vacation) to hang with their standard input connected
to a UDP port. It also created some signal handling problems.
The problems turned out to be an interaction between vfork(2)
and some of the libraries, particularly NIS/NIS+. I am
indebted to Tor Egge <tegge@idt.ntnu.no> for this fix.
Change user class map to do the same matching that actual delivery
will do instead of just a /etc/passwd lookup. This adds
fuzzy matching to the user map. Patch from Dan Oscarsson.
The Timeout.* options are not safe -- they can be used to create a
denial-of-service attack. Problem noted by Christophe
Wolfhugel.
Don't send PostmasterCopy messages in the event of a "delayed"
notification. Suggested by Barry Bouwsma.
Don't advertise "VERB" ESMTP extension if the "noexpn" privacy
option is set, since this disables VERB mode. Suggested
by John Hawkinson of MIT.
Complain if the QueueDirectory (Q) option is not set. Problem noted
by Motonori Nakamura of Kyoto University.
Only queue messages on transient .forward open failures if there
were no successful opens. The previous behavior caused it
to queue even if a "fall back" .forward was found. Problem
noted by Ann-Kian Yeo of the Dept. of Information Systems
and Computer Science (DISCS), NUS, Singapore.
Don't do 8->7 bit conversions when bouncing a MIME message that
is bouncing because of a MIME error during 8->7 bit conversion;
the encapsulated message will bounce again, causing a loop.
Problem noted by Steve Hubert of the University of Washington.
Create xf (transcript) files using the TempFileMode option value
instead of 0644. Suggested by Ann-Kian Yeo of the
National University of Singapore.
Print errors if setgid/setuid/etc. fail during delivery. This helps
detect cases where DefaultUid is set to something that the
system can't cope with.
PORTABILITY FIXES:
Support for AIX/RS 2.2.1 from Mark Whetzel of Western
Atlas International.
Patches for Intel Paragon OSF/1 1.3 from Leo Bicknell
<bicknell@ufp.org>.
On DEC OSF/1 3.2 and earlier, the MatchGECOS code would only
work on the first recipient of a message due to a
bug in the getpwent family. If this is something you
use, you can define DEC_OSF_BROKEN_GETPWENT=1 for a
workaround. From Maximum Entropy of Sanford C.
Bernstein and Associates.
FreeBSD 1.1.5.1 uname -r returns a string containing
parentheses, which breaks makesendmail. Reported
by Piero Serini <piero@strider.ibenet.it>.
Sequent DYNIX/ptx 4.0.2 patches from Jack Woolley of
Systems and Computer Technology Corporation.
Solaris 2.x: omit the UUCP grade parameter (-g flag) because
it is system-dependent. Problem noted by J.J. Bailey
of Bailey Computer Consulting.
Pyramid NILE running DC/OSx support from Earle F. Ake of
Hassler Communication Systems Technology, Inc.
HP-UX 10.x compile glitches, reported by Anne Brink of the
U.S. Army and James Byrne of Harte & Lyne Limited.
NetBSD from Matthew Green of the NetBSD crew.
SCO 5.x from Keith Reynolds of SCO.
IRIX 6.2 from Robert Tarrall of the University of
Colorado and Kari Hurtta of the Finnish Meteorological
Institute.
UXP/DS (Fujitsu/ICL DS/90 series) support from Diego R.
Lopez, CICA (Seville).
NCR SVR4 MP-RAS 3.x support from Tom Moore of NCR.
PTX 3.2.0 from Kenneth Stailey of the US Department of Labor
Employment Standards Administration.
Altos System V (5.3.1) from Tim Rice of Multitalents.
Concurrent Systems Corporation Maxion from Donald R. Laster
Jr.
NetInfo maps (improved debugging and multi-valued aliases)
from Adrian Steinmann of Steinmann Consulting.
ConvexOS 11.5 (including SecureWare C2 and the Share Scheduler)
from Eric Schnoebelen of Convex.
Linux 2.0 mail.local patches from Horst von Brand.
NEXTSTEP 3.x compilation from Robert La Ferla.
NEXTSTEP 3.x code changes from Allan J. Nathanson of NeXT.
Solaris 2.5 configuration fixes for mail.local by Jim Davis
of the University of Arizona.
Solaris 2.5 has a working setreuid. Noted by David Linn of
Vanderbilt University.
Solaris changes for praliases, makemap, mailstats, and smrsh.
Previously you had to add -DSOLARIS in Makefile.dist;
this auto-detects. Based on a patch from Randall
Winchester of the University of Maryland.
CONFIG: add generic-nextstep3.3.mc file. Contributed by
Robert La Ferla of Hot Software.
CONFIG: allow mailertables to resolve to ``error:code message''
(where "code" is an exit status) on domains (previously
worked only on hosts). Patch from Cor Bosman of Xs4all
Foundation.
CONFIG: hooks for IPv6-style domain literals.
CONFIG: predefine ALIAS_FILE and change the prototype file so that
if it is undefined the AliasFile option is never set; this
should be transparent for most everyone. Suggested by John
Myers of CMU.
CONFIG: add FEATURE(limited_masquerade). Without this feature, any
domain listed in $=w is masqueraded. With it, only those
domains listed in a MASQUERADE_DOMAIN macro are masqueraded.
CONFIG: add FEATURE(masquerade_entire_domain). This causes
masquerading specified by MASQUERADE_DOMAIN to apply to all
hosts under those domains as well as the domain headers
themselves. For example, if a configuration had
MASQUERADE_DOMAIN(foo.com), then without this feature only
foo.com would be masqueraded; with it, *.foo.com would be
masqueraded as well. Based on an implementation by Richard
(Pug) Bainter of U. Texas.
CONFIG: add FEATURE(genericstable) to do a more general rewriting of
outgoing addresses. Defaults to ``hash -o /etc/genericstable''.
Keys are user names; values are outgoing mail addresses. Yes,
this does overlap with the user database, and figuring out
just when to use which one may be tricky. Based on code
contributed by Richard (Pug) Bainter of U. Texas with updates
from Per Hedeland of Ericsson.
CONFIG: add FEATURE(virtusertable) to do generalized rewriting of
incoming addresses. Defaults to ``hash -o /etc/virtusertable''.
Keys are either fully qualified addresses or just the host
part (with the @ sign). For example, a table containing:
info@foo.com foo-info
info@bar.com bar-info
@baz.org jane@elsewhere.net
would send all mail destined for info@foo.com to foo-info
(which is presumably an alias), mail addressed to info@bar.com
to bar-info, and anything addressed to anyone at baz.org will
be sent to jane@elsewhere.net. The names foo.com, bar.com,
and baz.org must all be in $=w. Based on discussions with
a great many people.
CONFIG: add nullclient configurations to define SMTP_MAILER_FLAGS.
Suggested by Richard Bainter.
CONFIG: add FAX_MAILER_ARGS to tweak the arguments passed to the
"fax" mailer.
CONFIG: allow mailertable entries to resolve to local:user; this
passes the original user@host in to procmail-style local
mailers as the "detail" information to allow them to do
additional clever processing. From Joe Pruett of
Teleport Corporation. Delivery to the original user can
be done by specifying "local:" (with nothing after the colon).
CONFIG: allow any context that takes "mailer:domain" to also take
"mailer:user@domain" to force mailing to the given user;
"local:user" can also be used to do local delivery. This
applies on *_RELAY and in the mailertable entries. Based
on a suggestion by Ribert Kiessling of Easynet.
CONFIG: Allow FEATURE(bestmx_is_local) to take an argument that
limits the possible domains; this reduces the number of DNS
lookups required to support this feature. For example,
FEATURE(bestmx_is_local, my.site.com) limits the lookups
to domains under my.site.com. Code contributed by Anthony
Thyssen <anthony@cit.gu.edu.au>.
CONFIG: LOCAL_RULESETS introduces any locally defined rulesets,
such as the check_rcpt ruleset. Suggested by Gregory Shapiro
of WPI.
CONFIG: MAILER_DEFINITIONS introduces any mailer definitions, in the
event you have to define local mailers. Suggested by
Gregory Shapiro of WPI.
CONFIG: fix cases where a three- (or more-) stage route-addr could
be misinterpreted as a list:...; syntax. Based on a patch by
Vlado Potisk <Vlado_Potisk@tempest.sk>.
CONFIG: Fix masquerading of UUCP addresses when the UUCP relay is
remotely connected. The address host!user was being
converted to host!user@thishost instead of host!user@uurelay.
Problem noted by William Gianopoulos of Raytheon Company.
CONFIG: add confTO_ICONNECT to set Timeout.iconnect.
CONFIG: change FEATURE(redirect) message from "User not local" to
"User has moved"; the former wording was confusing if the
new address is still on the local host. Based on a suggestion
by Andreas Luik.
CONFIG: add support in FEATURE(nullclient) for $=E (exposed users).
However, the class is not pre-initialized to contain root.
Suggested by Gregory Neil Shapiro.
CONTRIB: Remove XLA code at the request of the author, Christophe
Wolfhugel.
CONTRIB: Add re-mqueue.pl, contributed by Paul Pomes of Qualcomm.
MAIL.LOCAL: make it possible to compile mail.local on Solaris. Note
well: this produces a slightly different mailbox format (no
Content-Length: headers), file ownerships and modes are
different (not owned by group mail; mode 600 instead of 660),
and the local mailer flags will have to be tweaked (make them
match bsd4.4) in order to use this mailer. Patches from Paul
Hammann of the Missouri Research and Education Network.
MAIL.LOCAL: in some cases it could return EX_OK even though there
was a delivery error, such as if the ownership on the file
was wrong or the mode changed between the initial stat and
the open. Problem reported by William Colburn of the New
Mexico Institute of Mining and Technology.
MAILSTATS: handle zero length files more reliably. Patch from Bryan
Costales.
MAILSTATS: add man page contributed by Keith Bostic of BSDI.
MAKEMAP: The -d flag (to allow duplicate keys) to a btree map wasn't
honored. Fix from Michael Scott Shappe.
PRALIASES: add man page contributed by Keith Bostic of BSDI.
NEW FILES:
src/Makefiles/Makefile.AIX.2
src/Makefiles/Makefile.IRIX.6.2
src/Makefiles/Makefile.maxion
src/Makefiles/Makefile.NCR.MP-RAS.3.x
src/Makefiles/Makefile.SCO.5.x
src/Makefiles/Makefile.UXPDSV20
mailstats/mailstats.8
praliases/praliases.8
cf/cf/generic-nextstep3.3.mc
cf/feature/genericstable.m4
cf/feature/limited_masquerade.m4
cf/feature/masquerade_entire_domain.m4
cf/feature/virtusertable.m4
cf/ostype/aix2.m4
cf/ostype/altos.m4
cf/ostype/maxion.m4
cf/ostype/solaris2.ml.m4
cf/ostype/uxpds.m4
contrib/re-mqueue.pl
DELETED FILES:
src/Makefiles/Makefile.Solaris
contrib/xla/README
contrib/xla/xla.c
RENAMED FILES:
src/Makefiles/Makefile.NCR3000 => Makefile.NCR.MP-RAS.2.x
src/Makefiles/Makefile.SCO.3.2v4.2 => Makefile.SCO.4.2
src/Makefiles/Makefile.UXPDS => Makefile.UXPDSV10
src/Makefiles/Makefile.NeXT => Makefile.NeXT.2.x
src/Makefiles/Makefile.NEXTSTEP => Makefile.NeXT.3.x
8.7.6/8.7.3 1996/09/17
SECURITY: It is possible to force getpwuid to fail when writing the
queue file, causing sendmail to fall back to running programs
as the default user. This is not exploitable from off-site.
Workarounds include using a unique user for the DefaultUser
(old u & g options) and using smrsh as the local shell.
SECURITY: fix some buffer overruns; in at least one case this allows
a local user to get root. This is not known to be exploitable
from off-site. The workaround is to disable chfn(1) commands.
8.7.5/8.7.3 1996/03/04
Fix glitch in 8.7.4 when putting certain internal lines; this can
in some case cause connections to hang or messages to have
extra spaces in odd places. Patch from Eric Wassenaar;
reports from Eric Hall of Chiron Corporation, Stephen
Hansen of Stanford University, Dean Gaudet of HotWired,
and others.
8.7.4/8.7.3 1996/02/18
SECURITY: In some cases it was still possible for an attacker to
insert newlines into a queue file, thus allowing access to
any user (except root).
CONFIG: no changes -- it is not a bug that the configuration
version number is unchanged.
8.7.3/8.7.3 1995/12/03
Fix botch in name server timeout in RCPT code; this problem caused
two responses in SMTP, which breaks things horribly. Fix
from Gregory Neil Shapiro of WPI.
Verify that L= value on M lines cannot be negative, which could cause
negative array subscripting. Not a security problem since
this has to be in the config file, but it could have caused
core dumps. Pointed out by Bryan Costales.
Fix -d21 debug output for long macro names. Pointed out by Bryan
Costales.
PORTABILITY FIXES:
SCO doesn't have ftruncate. From Bill Aten of Computerizers.
IBM's version of arpa/nameser.h defaults to the wrong byte
order. Tweak it to work properly. Based on fixes
from Fletcher Mattox of UTexas and Betty Lee of
Stanford University.
CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option.
Deficiency pointed out by Bryan Costales of ICSI.
8.7.2/8.7.2 1995/11/19
REALLY fix the backslash escapes in SmtpGreetingMessage,
OperatorChars, and UnixFromLine options. They were not
properly repaired in 8.7.1.
Completely delete the Bcc: header if and only if there are other
valid recipient headers (To:, Cc: or Apparently-To:, the
last being a historic botch, of course). If Bcc: is the
only recipient header in the message, its value is tossed,
but the header name is kept. The old behavior (always keep
the header name and toss the value) allowed primary recipients
to see that a Bcc: went to _someone_.
Include queue id on ``Authentication-Warning: <host>: <user> set
sender to <address> using -f'' syslog messages. Suggested
by Kari Hurtta.
If a sequence or switch map lookup entry gets a tempfail but then
continues on to another map type, but the name is not found,
return a temporary failure from the sequence or switch map.
For example, if hosts search ``dns files'' and DNS fails
with a tempfail, the hosts map will go on and search files,
but if it fails the whole thing should be a tempfail, not
a permanent (host unknown) failure, even though that is the
failure in the hosts.files map. This error caused hard
bounces when it should have requeued.
Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo
owned by bar mode 700 and inbox being setuid bar stopped
working properly due to excessive paranoia. Pointed out by
John Hawkinson of Panix.
An SMTP RCPT command referencing a host that gave a nameserver
timeout would return a 451 command (8.6 accepted it and
queued it locally). Revert to the 8.6 behavior in order
to simplify queue management for clustered systems. Suggested
by Gregory Neil Shapiro of WPI. The same problem could break
MH, which assumes that the SMTP session will succeed (tsk, tsk
-- mail gets lost!); this was pointed out by Stuart Pook of
Infobiogen.
Fix possible buffer overflow in munchstring(). This was not a security
problem because you couldn't specify any argument to this
without first giving up root privileges, but it is still a
good idea to avoid future problems. Problem noted by John
Hawkinson and Sam Hartman of MIT.
``452 Out of disk space for temp file'' messages weren't being
printed. Fix from David Perlin of Nanosoft.
Don't advertise the ESMTP DSN extension if the SendMimeErrors option
is not set, since this is required to get the actual DSNs
created. Problem pointed out by John Gardiner Myers of CMU.
Log permission problems that cause .forward and :include: files to
be untrusted or ignored on log level 12 and higher. Suggested
by Randy Martin of Clemson University.
Allow user ids in U= clauses of M lines to have hyphens and
underscores.
Fix overcounting of recipients -- only happened when sending to an
alias. Pointed out by Mark Andrews of SGI and Jack Woolley
of Systems and Computer Technology Corporation.
If a message is sent to an address that fails, the error message that
is returned could show some extraneous "success" information
included even if the user did not request success notification,
which was confusing. Pointed out by Allan Johannesen of WPI.
Config files that had no AliasFile definition were defaulting to
using /etc/aliases; this caused problems with nullclient
configurations. Change it back to the 8.6 semantics of
having no local alias file unless it is declared. Problem
noted by Charles Karney of Princeton University.
Fix compile problem if NOTUNIX is defined. Pointed out by Bryan
Costales of ICSI.
Map lookups of class "userdb" maps were always case sensitive; they
should be controlled by the -f flag like other maps. Pointed
out by Bjart Kvarme <bjart.kvarme@usit.uio.no>.
Fix problem that caused some addresses to be passed through ruleset 5
even when they were tagged as "sticky" by prefixing the
address with an "@". Patch from Thomas Dwyer III of Michigan
Technological University.
When converting a message to Quoted-Printable, prevent any lines with
dots alone on a line by themselves. This is because of the
preponderance of broken mailers that still get this wrong.
Code contributed by Per Hedeland of Ericsson.
Fix F{macro}/file construct -- it previously did nothing. Pointed
out by Bjart Kvarme of USIT/UiO (Norway).
Announce whether a cached connection is SMTP or ESMTP (in -v mode).
Requested by Allan Johannesen.
Delete check for text format of alias files -- it should be legal
to have the database format of the alias files without the
text version. Problem pointed out by Joe Rhett of Navigist,
Inc.
If "Ot" was specified with no value, the TZ variable was not properly
imported from the environment. Pointed out by Frank Crawford
<frank@ansto.gov.au>.
Some architectures core dumped on "program" maps that didn't have
extra arguments. Patch from Booker C. Bense of Stanford
University.
Queue run processes would re-spawn daemons when given a SIGHUP; only
the parent should do this. Fix from Brian Coan of the
Association for Progressive Communications.
If MinQueueAge was set and a message was considered but not run
during a queue run and the Timeout.queuereturn interval was
reached, a "timed out" error message would be returned that
didn't include the failed address (and claimed to be a warning
even though it was fatal). The fix is to not return such
messages until they are actually tried, i.e., in the next
MinQueueAge interval. Problem noted by Rein Tollevik of
SINTEF RUNIT, Oslo.
Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions
that have the hes_getmailhost() routine. DEC Hesiod
distributions do not have this routine. Based on a patch
from Betty Lee of Stanford University.
Extensive cleanups to map open code to handle a locking race condition
in ndbm, hash, and btree format database files on some (most
non-4.4-BSD based) OS architectures. This should solve the
occasional "user unknown" problem during alias rebuilds that
has plagued me for quite some time. Based on a patch from
Thomas Dwyer III of Michigan Technological University.
PORTABILITY FIXES:
Solaris: Change location of newaliases and mailq from
/usr/ucb to /usr/bin to match Sun settings. From
James B. Davis of TCI.
DomainOS: Makefile.DomainOS doesn't require -ldbm. From
Don Lewis of Silicon Systems.
HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x
so that the makesendmail script will find it. Pointed
out by Richard Allen of the University of Iceland.
Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which
isn't supported on all compilers.
UXPDS: compilation fixes from Diego R. Lopez.
CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless
you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE.
CONFIG: Minor glitch in S21 -- attachment of local domain name
didn't have trailing dot. From Jim Hickstein of Teradyne.
CONFIG: Fix best_mx_is_local feature to allow nested addresses such as
user%host@thishost. From Claude Scarpelli of Infobiogen
(France).
CONFIG: OSTYPE(hpux10) failed to define the location of the help file.
Pointed out by Hannu Martikka of Nokia Telecommunications.
CONFIG: Diagnose some inappropriate ordering in configuration files,
such as FEATURE(smrsh) listed after MAILER(local). Based on
a bug report submitted by Paul Hoffman of Proper Publishing.
CONFIG: Make OSTYPE files consistently not override settings that
have already been set. Previously it worked differently
for different files.
CONFIG: Change relay mailer to do masquerading like 8.6 did. My take
is that this is wrong, but the change was causing problems
for some people. From Per Hedeland of Ericsson.
CONTRIB: bitdomain.c patch from John Gardiner Myers <jgm+@CMU.EDU>;
portability changes for Posix environments (no functional
changes).
8.7.1/8.7.1 1995/10/01
Old macros that have become options (SmtpGreetingMessage,
OperatorChars, and UnixFromLine) didn't allow backslash
escapes in the options, where they previously had. Bug
pointed out by John Hawkinson of MIT.
Fix strange case of an executable called by a program map that
returns a value but also a non-zero exit status; this
would give contradictory results in the higher level; in
particular, the default clause in the map lookup would be
ignored. Change to ignore the value if the program returns
non-zero exit status. From Tom Moore of AT&T GIS.
Shorten parameters passed to syslog() in some contexts to avoid a
bug in many vendors' implementations of that routine. Although
this isn't really a bug in sendmail per se, and my solution
has to assume that syslog() has at least a 1K buffer size
internally (I know some vendors have shortened this
dramatically -- they're on their own), sendmail is a popular
target. Also, limit the size of %s arguments in sprintf.
These both have possible security implications. Solutions
suggested by Casper Dik of Sun's Network Security Group
(Holland), Mark Seiden, and others.
Fix a problem that might cause a non-standard -B (body type)
parameter to be passed to the next server with undefined
results. This could have security implications.
If a filesystem was at > 100% utilization, the freediskspace()
routine incorrectly returned an error rather than zero.
Problem noted by G. Paul Ziemba of Alantec.
Change MX sort order so that local hostnames (those in $=w) always
sort first within a given preference. This forces the bestmx
map to always return the local host first, if it is included
in the list of highest priority MX records. From K. Robert
Elz.
Avoid some possible null pointer dereferences. Fixes from Randy
Martin <WOLF@CLEMSON.EDU>
When sendmail starts up on systems that have no fully qualified
domain name (FQDN) anywhere in the first matching host map
(e.g., /etc/hosts if the hosts service searches "files dns"),
sendmail would sleep to try to find a FQDN, which it really
really needs. This has been changed to fall through to the
next map type if it can't find a FQDN -- i.e., if the hosts
file doesn't have a FQDN, it will try dns even though the
short name was found in /etc/hosts. This is probably a crock,
but many people have hosts files without FQDNs. Remember:
domain names are your friends.
Log a high-priority message if you can't find your FQDN during startup.
Suggested by Simon Barnes of Schlumberger Limited.
When using Hesiod, initialize it early to improve error reporting.
Patch from Don Lewis of Silicon Systems, Inc.
Apparently at least some versions of Linux have a 90 !minute! TCP
connection timeout in the kernel. Add a new "connect" timeout
to limit this time. Defaults to zero (use whatever the
kernel provides). Based on code contributed by J.R. Oldroyd
of TerraNet.
Under some circumstances, a failed message would not be properly
removed from the queue, causing tons of bogus error messages.
(This fix eliminates the problematic EF_KEEPQUEUE flag.)
Problem noted by Allan E Johannesen and Gregory Neil Shapiro
of WPI.
PORTABILITY FIXES:
On IRIX 5.x, there was an inconsistency in the setting
of sendmail.st location. Change the Makefile to
install it in /var/sendmail.st to match the OSTYPE
file and SGI standards. From Andre
<andre@curry.zfe.siemens.de>.
Support for Fujitsu/ICL UXP/DS (For the DS/90 Series)
from Diego R. Lopez <drlopez@cica.es>.
Linux compilation patches from J.R. Oldroyd of TerraNet, Inc.
LUNA 2 Mach patches from Motonori Nakamura.
SunOS Makefile was including -ldbm, which is for the old
dbm library. The ndbm library is part of libc.
CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with
``local configuration error'' in nullclient configuration.
Patch from Gregory Neil Shapiro of WPI.
CONFIG: don't allow an alias file in nullclient configurations --
since all addresses are relayed, they give errors during
rebuild. Suggested by Per Hedeland of Ericsson.
CONFIG: local mailer on Solaris 2 should always get a -f flag because
otherwise the F=S causes the From_ line to imply that root is
the sender. Problem pointed out by Claude Scarpelli of
Infobiogen (France).
NEW FILES:
cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake)
src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake)
src/Makefiles/Makefile.UXPDS
8.7/8.7 1995/09/16
Fix a problem that could cause sendmail to run out of file
descriptors due to a trashed data structure after a
vfork. Fix from Brian Coan of the Institute for
Global Communications.
Change the VRFY response if you have disabled VRFY -- some
people seemed to think that it was too rude.
Avoid reference to uninitialized file descriptor if HASFLOCK
was not defined. This was used "safely" in the sense
that it only did a stat, but it would have set the
map modification time improperly. Problem pointed out
by Roy Mongiovi of Georgia Tech.
Clean up the Subject: line on warning messages and return
receipts so that they don't say "Returned mail:"; this
can be confusing.
Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is
useful enough to make it worthwhile printing on "-d".
Avoid logging alias statistics every time you read the alias
file on systems with no database method compiled in.
If you have a name with a trailing dot, and you try looking it
up using gethostbyname without the dot (for /etc/hosts
compatibility), be sure to turn off RES_DEFNAMES and
RES_DNSRCH to avoid finding the wrong name accidentally.
Problem noted by Charles Amos of the University of
Maryland.
Don't do timeouts in collect if you are not running SMTP.
There is nothing that says you can't have a long
running program piped into sendmail (possibly via
/bin/mail, which just execs sendmail). Problem reported
by Don "Truck" Lewis of Silicon Systems.
Try gethostbyname() even if the DNS lookup fails iff option I
is not set. This allows you to have hosts listed in
NIS or /etc/hosts that are not known to DNS. It's normally
a bad idea, but can be useful on firewall machines. This
should really be broken out on a separate flag, I suppose.
Avoid compile warnings against BIND 4.9.3, which uses function
prototypes. From Don Lewis of Silicon Systems.
Avoid possible incorrect diagnosis of DNS-related errors caused
by things like attempts to resolve uucp names using
$[ ... $] -- the fix is to clear h_errno at appropriate
times. From Kyle Jones of UUNET.
SECURITY: avoid denial-of-service attacks possible by destroying
the alias database file by setting resource limits low.
This involves adding two new compile-time options:
HASSETRLIMIT (indicating that setrlimit(2) support is
available) and HASULIMIT (indicating that ulimit(2) support
is available -- the Release 3 form is used). The former
is assumed on BSD-based systems, the latter on System
V-based systems. Attack noted by Phil Brandenberger of
Swarthmore University.
New syntaxes in test (-bt) mode:
``.Dmvalue'' will define macro "m" to "value".
``.Ccvalue'' will add "value" to class "c".
``=Sruleset'' will dump the contents of the indicated
ruleset.
``=M'' will display the known mailers.
``-ddebug-spec'' is equivalent to the command-line
-d debug flag.
``$m'' will print the value of macro $m.
``$=c'' will print the contents of class $=c.
``/mx host'' returns the MX records for ``host''.
``/parse address'' will parse address, returning the value of
crackaddr (essentially, the comment information)
and the parsed address.
``/try mailer address'' will rewrite address into the form
it will have when presented to the indicated mailer.
``/tryflags flags'' will set flags used by parsing. The
flags can be `H' for header or `E' for envelope,
and `S' for sender or `R' for recipient. These
can be combined, so `HR' sets flags for header
recipients.
``/canon hostname'' will try to canonify hostname and
return the result.
``/map mapname key'' will look up `key' in the indicated
`mapname' and return the result.
Somewhat better handling of UNIX-domain socket addresses -- it
should show the pathname rather than hex bytes.
Restore ``-ba'' mode -- this reads a file from stdin and parses
the header for envelope sender information and uses
CR-LF as message terminators. It was thought to be
obsolete (used only for Arpanet NCP protocols), but it
turns out that the UK ``Grey Book'' protocols require
that functionality.
Fix a fix in previous release -- if gethostname and gethostbyname
return a name without dots, and if an attempt to canonify
that name fails, wait one minute and try again. This can
result in an extra 60 second delay on startup if your system
hostname (as returned by hostname(1)) has no dot and no names
listed in /etc/hosts or your NIS map have a dot.
Check for proper domain name on HELO and EHLO commands per
RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III
of Michigan Technological University.
Relax chownsafe rules slightly -- old version said that if you
can't tell if _POSIX_CHOWN_RESTRICTED is set (that is,
if fpathconf returned EINVAL or ENOSYS), assume that
chown is not safe. The new version falls back to whether
you are on a BSD system or not. This is important for
SunOS, which apparently always returns one of those
error codes. This impacts whether you can mail to files
or not.
Syntax errors such as unbalanced parentheses in the configuration
file could be omitted if you had "Oem" prior to the
syntax error in the config file. Change to always print
the error message. It was especially weird because it
would cause a "warning" message to be sent to the Postmaster
for every message sent (but with no transcript). Problem
noted by Gregory Paris of Motorola.
Rewrite collect and putbody to handle full 8-bit data, including
zero bytes. These changes are internally extensive, but
should have minimal impact on external function.
Allow full words for option names -- if the option letter is
(apparently) a space, then take the word following -- e.g.,
O MatchGECOS=TRUE
The full list of old and new names is as follows:
7 SevenBitInput
8 EightBitMode
A AliasFile
a AliasWait
B BlankSub
b MinFreeBlocks/MaxMessageSize
C CheckpointInterval
c HoldExpensive
D AutoRebuildAliases
d DeliveryMode
E ErrorHeader
e ErrorMode
f SaveFromLine
F TempFileMode
G MatchGECOS
H HelpFile
h MaxHopCount
i IgnoreDots
I ResolverOptions
J ForwardPath
j SendMimeErrors
k ConnectionCacheSize
K ConnectionCacheTimeout
L LogLevel
l UseErrorsTo
m MeToo
n CheckAliases
O DaemonPortOptions
o OldStyleHeaders
P PostmasterCopy
p PrivacyOptions
Q QueueDirectory
q QueueFactor
R DontPruneRoutes
r, T Timeout
S StatusFile
s SuperSafe
t TimeZoneSpec
u DefaultUser
U UserDatabaseSpec
V FallbackMXHost
v Verbose
w TryNullMXList
x QueueLA
X RefuseLA
Y ForkEachJob
y RecipientFactor
z ClassFactor
Z RetryFactor
The old macros that passed information into sendmail have
been changed to options; those correspondences are:
$e SmtpGreetingMessage
$l UnixFromLine
$o OperatorChars
$q (deleted -- not necessary)
To avoid possible problems with an older sendmail,
configuration level 6 is accepted by this version of
sendmail; any config file using the new names should
specify "V6" in the configuration.
Change address parsing to properly note that a phrase before a
colon and a trailing semicolon are essentially the same
as text outside of angle brackets (i.e., sendmail should
treat them as comments). This is to handle the
``group name: addr1, addr2, ..., addrN;'' syntax (it will
assume that ``group name:'' is a comment on the first
address and the ``;'' is a comment on the last address).
This requires config file support to get right. It does
understand that :: is NOT this syntax, and can be turned
off completely by setting the ColonOkInAddresses option.
Level 6 config files added with new mailer flags:
A Addresses are aliasable.
i Do udb rewriting on envelope as well as header
sender lines. Applies to the from address mailer
flags rather than the recipient mailer flags.
j Do udb rewriting on header recipient addresses.
Applies to the sender mailer flags rather than the
recipient mailer flags.
k Disable check for loops when doing HELO command.
o Always run as the mail recipient, even on local
delivery.
w Check for an /etc/passwd entry for this user.
5 Pass addresses through ruleset 5.
: Check for :include: on this address.
| Check for |program on this address.
/ Check for /file on this address.
@ Look up sender header addresses in the user
database. Applies to the mailer flags for the
mailer corresponding to the envelope sender
address, rather than to recipient mailer flags.
Pre-level 6 configuration files set A, w, 5, :, |, /, and @
on the "local" mailer, the o flag on the "prog" and "*file*"
mailers, and the ColonOkInAddresses option.
Eight-to-seven bit MIME conversions. This borrows ideas from
John Beck of Hewlett-Packard, who generously contributed
their implementation to me, which I then didn't use (see
mime.c for an explanation of why). This adds the
EightBitMode option (a.k.a. `8') and an F=8 mailer flag
to control handling of 8-bit data. These have to cope with
two types of 8-bit data: unlabelled 8-bit data (that is,
8-bit data that is entered without declaring it as 8-bit
MIME -- technically this is illegal according to the
specs) and labelled 8-bit data (that is, it was declared
as 8BITMIME in the ESMTP session or by using the
-B8BITMIME command line flag). If the F=8 mailer flag is
set then 8-bit data is sent to non-8BITMIME machines
instead of converting to 7 bit (essentially using
just-send-8 semantics). The values for EightBitMode are:
m convert unlabelled 8-bit input to 8BITMIME, and do
any necessary conversion of 8BITMIME to 7BIT
(essentially, the full MIME option).
p pass unlabelled 8-bit input, but convert labelled
8BITMIME input to 7BIT as required (default).
s strict adherence: reject unlabelled 8-bit input,
convert 8BITMIME to 7BIT as required. The F=8
flag is ignored.
Unlabelled 8-bit data is rejected in mode `s' regardless of
the setting of F=8.
Add new internal class 'n', which is the set of MIME Content-Types
which can not be 8 to 7 bit encoded because of other
considerations. Types "multipart/*" and "message/*" are
never directly encoded (although their components can be).
Add new internal class 's', which is the set of subtypes of the
MIME message/* content type that can be treated as though
they are an RFC822 message. It is predefined to have
"rfc822". Suggested By Kari Hurtta.
Add new internal class 'e'. This is the set of MIME
Content-Transfer-Encodings that can be converted to
a seven bit format (Quoted-Printable or Base64). It is
preinitialized to contain "7bit", "8bit", and "binary".
Add C=charset mailer parameter and the the DefaultCharSet option (no
short name) to set the default character set to use in the
Content-Type: header when doing encoding of an 8-bit message
which isn't marked as MIME into MIME format. If the C=
parameter is set on the Envelope From address, use that as
the default encoding; else use the DefaultCharSet option.
If neither is set, it defaults to "unknown-8bit" as
suggested by RFC 1428 section 3.
Allow ``U=user:group'' field in mailer definition to set a default
user and group that a mailer will be executed as. This
overrides the 'u' and 'g' options, and if the `F=S' flag is
also set, it is the uid/gid that will always be used (that
is, the controlling address is ignored). The values may be
numeric or symbolic; if only a symbolic user is given (no
group) that user's default group in the passwd file is used
as the group. Based on code donated by Chip Rosenthal of
Unicom.
Allow `u' option to also accept user:group as a value, in the same
fashion as the U= mailer option.
Add the symbolic time zone name in the Arpanet format dates (as
a comment). This adds a new compile-time configuration
flag: TZ_TYPE can be set to TZ_TM_NAME (use the value
of (struct tm *)->tm_name), TZ_TM_ZONE (use the value
of (struct tm *)->tm_zone), TZ_TZNAME (use extern char
*tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use
timezone()), or TZ_NONE (don't include the comment). Code
from Chip Rosenthal.
The "Timeout" option (formerly "r") is extended to allow suboptions.
For example,
O Timeout.helo = 2m
There are also two new suboptions "queuereturn" and
"queuewarn"; these subsume the old T option. Thus, to
set them both the preferred new syntax is
O Timeout.queuereturn = 5d
O Timeout.queuewarn = 4h
Sort queue by host name instead of by message priority if the
QueueSortOrder option (no short name) is set is set to
``host''. This makes better use of the connection cache,
but may delay more ``interactive'' messages behind large
backlogs under some circumstances. This is probably a
good option if you have high speed links or don't do lots
of ``batch'' messages, but less good if you are using
something like PPP on a 14.4 modem. Based on code
contributed by Roy Mongiovi of Georgia Tech (my main
contribution was to make it configurable).
Save i-number of df file in qf file to simplify rebuilding of queue
after disastrous disk crash. Suggested by Kyle Jones of
UUNET; closely based on code from KJS DECWRL code written
by Paul Vixie. NOTA BENE: The qf files produced by 8.7
are NOT back compatible with 8.6 -- that is, you can convert
from 8.6 to 8.7, but not the other direction.
Add ``F=d'' mailer flag to disable all use of angle brackets in
route-addrs in envelopes; this is because in some cases
they can be sent to the shell, which interprets them as
I/O redirection.
Don't include error file (option E) with return-receipts; this
can be confusing.
Don't send "Warning: cannot send" messages to owner-* or
*-request addresses. Suggested by Christophe Wolfhugel
of the Institut Pasteur, Paris.
Allow -O command line flag to set long form options.
Add "MinQueueAge" option to set the minimum time between attempts
to run the queue. For example, if the queue interval
(-q value) is five minutes, but the minimum queue age
is fifteen minutes, jobs won't be tried more often than
once every fifteen minutes. This can be used to give
you more responsiveness if your delivery mode is set to
queue-only.
Allow "fileopen" timeout (default: 60 seconds) for opening
:include: and .forward files.
Add "-k", "-v", and "-z" flags to map definitions; these set the
key field name, the value field name, and the field
delimiter. The field delimiter can be a single character
or the sequence "t" or "n" for tab or newline.
These are for use by NIS+ and similar access methods.
Change maps to always strip quotes before lookups; the -q flag
turns off this behavior. Suggested by Motonori Nakamura.
Add "nisplus" map class. Takes -k and -v flags to choose the
key and value field names respectively. Code donated by
Sun Microsystems.
Add "hesiod" map class. The "file name" is used as the
"HesiodNameType" parameter to hes_resolve(3). Returns the
first value found for the match. Code donated by Scott
Hutton of Indiana University.
Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to
specify the name of the property that is searched as the
key and a -v flag to specify the name of the property that
is returned as the value (defaults to "members"). The
default map is "/aliases". Some code based on code
contributed by Robert La Ferla of Hot Software.
Add "text" map class. This does slow, linear searches through
text files. The -z flag specifies a column delimiter
(defaults to any sequence of white space), the -k flag
sets the key column number, and the -v flag sets the
value column number. Lines beginning with `#' are treated
as comments.
Add "program" map class to execute arbitrary programs. The search
key is presented as the last argument; the output is one
line read from the programs standard output. Exit statuses
are from sysexits.h.
Add "sequence" map class -- searches maps in sequence until it
finds a match. For example, the declarations:
Kmap1 ...
Kmap2 ...
Kmapseq sequence map1 map2
defines a map "mapseq" that first searches map1; if the
value is found it is returned immediately, otherwise
map2 is searched and the value returned.
Add "switch" map class. This is much like "sequence" except that
the ordering is fetched from an external file, usually
the system service switch. The parameter is the name of
the service to switch on, and the maps that it will use
are the name of the switch map followed by ".service_type".
For example, if the declaration of the map is
Ksample switch hosts
and the system service switch specifies that hosts are
looked up using dns and nis in that order, then this is
equivalent to
Ksample sequence sample.dns sample.nis
The subordinate maps (sample.*) must already be defined.
Add "user" map class -- looks up users using getpwnam. Takes a
"-v field" flag on the definition that tells what passwd
entry to return -- legal values are name, passwd, uid, gid,
gecos, dir, and shell. Generally expected to be used with
the -m (matchonly) flag.
Add "bestmx" map class -- returns the best MX value for the host
listed as the value. If there are several "best" MX records
for this host, one will be chosen at random.
Add "userdb" map class -- looks up entries in the user database.
The "file name" is actually the tag that will be used,
typically "mailname". If there are multiple entries
matching the name, the one chosen is undefined.
Add multiple queue timeouts (both return and warning). These are
set by the Precedence: or Priority: header fields to one of
three values. If a Priority: is set and has value "normal",
"urgent", or "non-urgent" the corresponding timeouts are
used. If no priority is set, the Precedence: is consulted;
if negative, non-urgent timeouts are used; if greater than
zero, urgent timeouts are used. Otherwise, normal timeouts
are used. The timeouts are set by setting the six timeouts
queue{warn,return}.{urgent,normal,non-urgent}.
Fix problem when a mail address is resolved to a $#error mailer
with a temporary failure indication; it works in SMTP,
but when delivering locally the mail is silently discarded.
This patch, from Kyle Jones of UUNET, bounces it instead
of queueing it (queueing is very hard).
When using /etc/hosts or NIS-style lookups, don't assume that
the first name in the list is the best one -- instead,
search for the first one with a dot. For example, if
an /etc/hosts entry reads
128.32.149.68 mammoth mammoth.CS.Berkeley.EDU
this change will use the second name as the canonical
machine name instead of the initial, unqualified name.
Change dequote map to replace spaces in quoted text with a value
indicated by the -s flag on the dequote map definition.
For example, ``Mdequote dequote -s_'' will change
"Foo Bar" into an unquoted Foo_Bar instead of leaving it
quoted (because of the space character). Suggested by Dan
Oscarsson for use in X.400 addresses.
Implement long macro names as ${name}; long class names can
be similarly referenced as $={name} and $~{name}.
Definitions are (e.g.) ``D{name}value''. Names that have
a leading lower case letter or punctuation characters are
reserved for internal use by sendmail; i.e., config files
should use names that begin with a capital letter. Based
on code contributed by Dan Oscarsson.
Fix core dump if getgrgid returns a null group list (as opposed
to an empty group list, that is, a pointer to a list
with no members). Fix from Andrew Chang of Sun Microsystems.
Fix possible core dump if malloc fails -- if the malloc in xalloc
failed, it called syserr which called newstr which called
xalloc.... The newstr is now avoided for "panic" messages.
Reported by Stuart Kemp of James Cook University.
Improve connection cache timeouts; previously, they were not even
checked if you were delivering to anything other than an
IPC-connected host, so a series of (say) local mail
deliveries could cause cached connections to be open
much longer than the specified timeout.
If an incoming message exceeds the maximum message size, stop
writing the incoming bytes to the queue data file, since