SENDMAIL RELEASE NOTES
@(#)RELEASE_NOTES 8.9.3.1 (Berkeley) 2/4/1999


This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.9.3/8.9.3    99/02/04
    SECURITY: Limit message headers to a maximum of 32K bytes (total
        of all headers in a single message) to prevent a denial of
        service attack. This limit will be configurable in 8.10.
        Problem noted by Michal Zalewski of the "Internet for
        Schools" project (IdS).
    Prevent segmentation fault on an LDAP lookup if the LDAP map
        was closed due to an earlier failure. Problem noted by
        Jeff Wasilko of smoe.org. Fix from Booker Bense of
        Stanford University and Per Hedeland of Ericsson.
    Preserve the order of the MIME headers in multipart messages
        when performing the MIME header length check. This
        will allow PGP signatures to function properly. Problem
        noted by Lars Hecking of University College, Cork, Ireland.
    If ruleset 5 rewrote the local address to an :include: directive,
        the delivery would fail with an "aliasing/forwarding loop
        broken" error. Problem noted by Eric C Hagberg of Morgan
        Stanley. Fix from Per Hedeland of Ericsson.
    Allow -T to work for bestmx maps. Fix from Aaron Schrab of
        ExecPC Internet Systems.
    During the transfer of a message in an SMTP transaction, if a
        TCP timeout occurs, the message would be properly queued
        for later retry but the failure would be logged as
        "Illegal Seek" instead of a timeout. Problem noted by
        Piotr Kucharski of the Warsaw School of Economics (SGH)
        and Carles Xavier Munyoz Baldo of CTV Internet.
    Prevent multiple deliveries on a self-referencing alias if the
        F=w mailer flag is not set. Problem noted by Murray S.
        Kucherawy of Concentric Network Corporation and Per
        Hedeland of Ericsson.
    Do not strip empty headers but if there is no value and a
        default is defined in sendmail.cf, use the default.
        Problem noted by Philip Guenther of Gustavus Adolphus
        College and Christopher McCrory of Netus, Inc.
    Don't inherit information about the sender (notably the full name)
        in SMTP (-bs) mode, since this might be called from inetd.
    Accept any 3xx reply code in response to DATA command instead of
        requiring 354. This change will match the wording to be
        published in the updated SMTP specification from the DRUMS
        group of the IETF.
    Portability:
        AIX 4.2.0.2 ships with a /usr/lib/libbind.a which should
            not be used. It conflicts with the resolver
            built into libc.a. "bind" has been removed
            from the confLIBSEARCH BuildTools variable.
            Users who have installed BIND 8.X will have
            to add it back in their site.config.m4 file.
            Problem noted by Ole Holm Nielsen of the
            Technical University of Denmark.
        CRAY TS 10.0.x from Sven Nielsen of San Diego
            Supercomputer Center.
        Improved LDAP version 3 integration based on input
            from Kurt D. Zeilenga of the OpenLDAP Foundation,
            John Beck of Sun Microsystems, and Booker Bense
            of Stanford University.
        Linux doesn't have a standard way to get the timezone
            between different releases. Back out the
            change in 8.9.2 and don't attempt to derive
            a timezone. Problem reported by Igor S. Livshits
            of the University of Illinois at Urbana-Champaign
            and Michael Dickens of Tetranet Communications.
        Reliant UNIX, the new name for SINIX, from Gert-Jan Looy
            of Siemens/SNI.
        SunOS 5.8 from John Beck of Sun Microsystems.
    CONFIG: SCO UnixWare 2.1 and 7.0 need TZ to get the proper
        timezone. Problem noted by Petr Lampa of Technical
        University of Brno.
    CONFIG: Handle <@bestmx-host:user@otherhost> addressing properly
        when using FEATURE(bestmx_is_local). Patch from Neil W.
        Rickert of Northern Illinois University.
    CONFIG: Properly handle source routed and %-hack addresses on
        hosts which the mailertable remaps to local:. Patch from
        Neil W. Rickert of Northern Illinois University.
    CONFIG: Internal fixup of mailertable local: map value. Patch from
        Larry Parmelee of Cornell University.
    CONFIG: Only add back +detail from host portion of mailer triplet
        on local mailer triplets if it was originally +detail.
        Patch from Neil W. Rickert of Northern Illinois University.
    CONFIG: The bestmx_is_local checking done in check_rcpt would
        cause later checks to fail. Patch from Paul J Murphy of
        MIDS Europe.
    New files:
        BuildTools/OS/CRAYTS.10.0.x
        BuildTools/OS/ReliantUNIX
        BuildTools/OS/SunOS.5.8

8.9.2/8.9.2    98/12/30
    SECURITY: Remove five second sleep on accepting daemon connections
        due to an accept() failure. This sleep could be used
        for a denial of service attack.
    Do not silently ignore queue files with names which are too long.
        Patch from Bryan Costales of InfoBeat, Inc.
    Do not store failures closing an SMTP session in persistent
        host status. Reported by Graeme Hewson of Oracle
        Corporation UK.
    Allow symbolic link forward files if they are in safe directories.
        Problem noted by Andreas Schott of the Max Planck Society.
    Missing columns in a text map could cause a segmentation fault.
        Fix from David Lee of the University of Durham.
    Note that for 8.9.X, PrivacyOptions=goaway also includes the
        noetrn flag. This is scheduled to change in a future
        version of sendmail. Problem noted by Theo Van Dinter of
        Chrysalis Symbolic Designa and Alan Brown of Manawatu
        Internet Services.
    When trying to do host canonification in a Wildcard MX
        environment, try an MX lookup of the hostname without the
        default domain appended. Problem noted by Olaf Seibert of
        Polderland Language & Speech Technology.
    Reject SMTP RCPT To: commands with only comments (i.e.
        'RCPT TO: (comment)').
        Problem noted by Earle Ake of
        Hassler Communication Systems Technology, Inc.
    Handle any number of %s in the LDAP filter spec. Patch from
        Per Hedeland of Ericsson.
    Clear ldapx open timeouts even if the map open failed to prevent
        a segmentation fault. Patch from Wayne Knowles of the
        National Institute of Water & Atmospheric Research Ltd.
    Do not syslog envelope clone messages when using address
        verification (-bv). Problem noted by Kari Hurtta of the
        Finnish Meteorological Institute.
    Continue to perform queue runs while in daemon mode even if the
        daemon is rejecting connections due to a disk full
        condition. Problem noted by JR Oldroyd of TerraNet
        Internet Services.
    Include full filename on installation of the sendmail.hf file
        in case the $HFDIR directory does not exist. Problem
        noted by Josef Svitak of Montana State University.
    Close all maps when exiting the process with one exception.
        Berkeley DB can use internal shared memory locking for
        its memory pool. Closing a map opened by another process
        will interfere with the shared memory and locks of the
        parent process leaving things in a bad state. For
        Berkeley DB, only close the map if the current process
        is also the one that opened the map, otherwise only close
        the map file descriptor. Thanks to Yoseff Francus of
        Collective Technologies for volunteering his system for
        extended testing.
    Avoid null pointer dereference on XDEBUG output for SMTP reply
        failures. Problem noted by Carlos Canau of EUnet Portugal.
    On mailq and hoststat listings being piped to another program, such
        as more, if the pipe closes (i.e. the user quits more),
        stop sending output and exit. Patch from Allan E Johannesen
        of Worcester Polytechnic Institute.
    In accordance with the documentation, LDAP map lookup failures
        are now considered temporary failures instead of permanent
        failures unless the -t flag is used in the map definition.
        Problem noted by Booker Bense of Stanford University and
        Eric C. Hagberg of Morgan Stanley.
    Fix by one error reporting on long alias names. Problem noted by
        H. Paul Hammann of the Missouri Research and Education
        Network.
    Fix DontBlameSendmail=IncludeFileInUnsafeDirPath behavior. Problem
        noted by Barry S. Finkel of Argonne National Laboratory.
    When automatically converting from 8 bit to quoted printable MIME,
        be careful not to miss a multi-part boundary if that
        boundary is preceded by a boundary-like line. Problem
        noted by Andreas Raschle of Ansid Inc. Fix from
        Kari Hurtta of the Finnish Meteorological Institute.
    Avoid bogus reporting of "LMTP tobuf overflow" when the buffer
        has enough space for the additional address. Problem
        noted by Steve Cliffe of the University of Wollongong.
    Fix DontBlameSendmail=FileDeliveryToSymlink behavior. Problem
        noted by Alex Vorobiev of Swarthmore College.
    If the check_compat ruleset resolves to the $#discard mailer,
        discard the current recipient. Unlike check_relay,
        check_mail, and check_rcpt, the entire envelope is not
        discarded. Problem noted by RZ D. Rahlfs. Fix from
        Claus Assmann of Christian-Albrechts-University of Kiel.
    Avoid segmentation fault when reading ServiceSwitchFile files with
        bogus formatting. Patch from Kari Hurtta of the Finnish
        Meteorological Institute.
    Support Berkeley DB 2.6.4 API change.
    OP.ME: Pages weren't properly output on duplexed printers. Fix
        from Matthew Black of CSU Long Beach.
    Portability:
        Apple Rhapsody from Wilfredo Sanchez of Apple Computer, Inc.
        Avoid a clash with IRIX 6.2 getopt.h and the UserDatabase
            option structure. Problem noted by Ashley M.
            Kirchner of Photo Craft Laboratories, Inc.
        Break out IP address to hostname translation for
            reading network interface addresses into
            class 'w'. Patch from John Kennedy of
            Cal State University, Chico.
        AIX 4.x use -qstrict with -O3 to prevent the optimizer
            from changing the semantics of the compiled
            program. From Simon Travaglia of the
            University of Waikato, New Zealand.
        FreeBSD 2.2.2 and later support setusercontext(). From
            Peter Wemm of DIALix.
        FreeBSD 3.x fix from Peter Wemm of DIALix.
        IRIX 5.x has a syslog buffer size of 512 bytes. From
            Nao NINOMIYA of Utsunomiya University.
        IRIX 6.5 64-bit Build support.
        LDAP Version 3 support from John Beck and Ravi Iyer
            of Sun Microsystems.
        Linux does not implement seteuid() properly. From
            John Kennedy of Cal State University, Chico.
        Linux timezone type was set improperly. From Takeshi Itoh
            of Bits Co., Ltd.
        NCR MP-RAS 3.x needs -lresolv for confLIBS. From
            Tom J. Moore of NCR.
        NeXT 4.x correction to man page path. From J. P. McCann
            of E I A.
        System V Rel 5.x (a.k.a UnixWare7 w/o BSD-Compatibility Libs)
            from Paul Gampe of the Asia Pacific Network
            Information Center.
        ULTRIX now requires an optimization limit of 970 from
            Allan E Johannesen of Worcester Polytechnic
            Institute.
        Fix extern declaration for sm_dopr(). Fix from Henk
            van Oers of Algemeen Nederlands Persbureau.
    CONFIG: Catch @hostname,user@anotherhost.domain as relaying.
        Problem noted by Mark Rogov of AirMedia, Inc. Fix from
        Claus Assmann of Christian-Albrechts-University of Kiel.
    CONFIG: Do not refer to http://maps.vix.com/ on RBL rejections as
        there are multiple RBL's available and the MAPS RBL may
        not be the one in use. Suggested by Alan Brown of
        Manawatu Internet Services.
    CONFIG: Properly strip route addresses (i.e. @host1:user@host2)
        when stripping down a recipient address to check for
        relaying.
        Patch from Claus Assmann of
        Christian-Albrechts-University of Kiel and Neil W Rickert
        of Northern Illinois University.
    CONFIG: Allow the access database to override RBL lookups. Patch
        from Claus Assmann of Christian-Albrechts-University of
        Kiel.
    CONFIG: UnixWare 7 support from Phillip P. Porch of The Porch
        Dot Com.
    CONFIG: Fixed check for deferred delivery mode warning. Patch
        from Claus Assmann of Christian-Albrechts-University of
        Kiel and Per Hedeland of Ericsson.
    CONFIG: If a recipient using % addressing is used, e.g.
        user%site@othersite, othersite's MX records are now
        checked for local hosts if FEATURE(relay_based_on_MX) is
        used. Problem noted by Alexander Litvin of Lucky Net Ltd.
        Patch from Alexander Litvin of Lucky Net Ltd and
        Claus Assmann of Christian-Albrechts-University of Kiel.
    MAIL.LOCAL: Prevent warning messages from appearing in the LMTP
        stream. Do not allow more than one response per recipient.
    MAIL.LOCAL: Handle routed addresses properly when using LMTP. Fix
        from John Beck of Sun Microsystems.
    MAIL.LOCAL: Properly check for CRLF when using LMTP. Fix from
        John Beck of Sun Microsystems.
    MAIL.LOCAL: Substitute MAILER-DAEMON for the LMTP empty sender in
        the envelope From header.
    MAIL.LOCAL: Accept underscores in hostnames in LMTP mode.
        Problem noted by Glenn A. Malling of Syracuse University.
    MAILSTATS: Document msgsrej and msgsdis fields in the man page.
        Problem noted by Richard Wong of Princeton University.
    MAKEMAP: Build group list so group writable files are allowed with
        the -s flag. Problem noted by Curt Sampson of Internet
        Portal Services, Inc.
    PRALIASES: Automatically handle alias files created without the
        NULL byte at the end of the key. Patch from John Beck of
        Sun Microsystems.
    PRALIASES: Support Berkeley DB 2.6.4 API change.
    New Files:
        BuildTools/OS/IRIX64.6.5
        BuildTools/OS/UnixWare.5.i386
        cf/cf/unixware7.m4
        contrib/smcontrol.pl
        src/control.c

8.9.1/8.9.1    98/07/02
    If both an OS specific site configuration file and a generic
        site.config.m4 file existed, only the latter was used
        instead of both. Problem noted by Geir Johannessen of
        the Norwegian University of Science and Technology.
    Fix segmentation fault while converting 8 bit to 7 bit MIME
        multipart messages by trying to write to an unopened
        file descriptor. Fix from Kari Hurtta of the Finnish
        Meteorological Institute.
    Do not assume Message: and Text: headers indicate the end of
        the header area when parsing MIME headers. Problem noted
        by Kari Hurtta of the Finnish Meteorological Institute.
    Setting the confMAN#SRC Build variable would only affect the
        installation commands. The man pages would still be
        built with .0 extensions. Problem noted by Bryan
        Costales of InfoBeat, Inc.
    Installation of manual pages didn't honor the DESTDIR environment
        variable. Problem noted by Bryan Costales of InfoBeat, Inc.
    If the check_relay ruleset resolved to the discard mailer, messages
        were still delivered. Problem noted by Mirek Luc of NASK.
    Mail delivery to files would fail with an Operating System Error
        if sendmail was not running as root, i.e. RunAsUser was set.
        Problem noted by Leonard N. Zubkoff of Dandelion Digital.
    Prevent MinQueueAge from interfering with queued items created
        in the future, i.e. if the system clock was set ahead
        and then back. Problem noted by Michael Miller of the
        University of Natal, Pietermaritzburg.
    Do not advertise ETRN support in ESMTP EHLO reply if noetrn is
        set in the PrivacyOptions option. Fix from Ted Rule of
        Flextech TV.
    Log invalid persistent host status file lines instead of
        bouncing the message. Problem noted by David Lindes of
        DaveLtd Enterprises.
    Move creation of empty sendmail.st file from installation to
        compilation. Installation may be done from a read-only
        mount. Fix from Bryan Costales of InfoBeat, Inc. and Ric
        Anderson of the Oasis Research Center, Inc.
    Enforce the maximum number of User Database entries limit. Problem
        noted by Gary Buchanan of Credence Systems Inc.
    Allow dead.letter files in root's home directory. Problem noted
        by Anna Ullman of Sun Microsystems.
    Program deliveries in forward files could be marked unsafe if
        any directory listed in the ForwardPath option did not
        exist. Problem noted by Jorg Bielak of Coastal Web Online.
    Do not trust the length of the address structure returned by
        gethostbyname(). Problem noted by Chris Evans of Oxford
        University.
    If the SIZE= MAIL From: ESMTP parameter is too large, use the
        5.3.4 DSN status code instead of 5.2.2. Similarly, for
        non-local deliveries, if the message is larger than the
        mailer maximum message size, use 5.3.4 instead of 5.2.3.
        Suggested by Antony Bowesman of
        Fujitsu/TeaWARE Mail/MIME System.
    Portability:
        Fix the check for an IP address reverse lookup for
            use in $&{client_name} on 64 bit platforms.
            From Gilles Gallot of Institut for Development
            and Resources in Intensive Scientific computing.
        BSD-OS uses .0 for man page extensions. From Jeff Polk
            of BSDI.
        DomainOS detection for Build. Also, version 10.4 and later
            ship a unistd.h. Fixes from Takanobu Ishimura of
            PICT Inc.
        NeXT 4.x uses /usr/lib/man/cat for its man pages. From
            J. P. McCann of E I A.
        SCO 4.X and 5.X include NDBM support. From Vlado Potisk
            of TEMPEST, Ltd.
    CONFIG: Do not pass spoofed PTR results through resolver for
        qualification. Problem noted by Michiel Boland of
        Digital Valley Internet Professionals; fix from
        Kari Hurtta of the Finnish Meteorological Institute.
    CONFIG: Do not try to resolve non-DNS hostnames such as UUCP,
        BITNET, and DECNET addresses for resolvable senders.
        Problem noted by Alexander Litvin of Lucky Net Ltd.
    CONFIG: Work around Sun's broken configuration which sends bounce
        messages as coming from @@hostname instead of <>. LMTP
        would not accept @@hostname.
    OP.ME: Corrections to complex sendmail startup script from Rick
        Troxel of the National Institutes of Health.
    RMAIL: Do not install rmail by default, require 'make force-install'
        as this rmail isn't the same as others. Suggested by
        Kari Hurtta of the Finnish Meteorological Institute.
    New Files:
        BuildTools/OS/DomainOS.10.4

8.9.0/8.9.0    98/05/19
    SECURITY: To prevent users from reading files not normally
        readable, sendmail will no longer open forward, :include:,
        class, ErrorHeader, or HelpFile files located in unsafe
        (i.e. group or world writable) directory paths. Sites
        which need the ability to override security can use the
        DontBlameSendmail option. See the README file for more
        information.
    SECURITY: Problems can occur on poorly managed systems, specifically,
        if maps or alias files are in world writable directories.
        This fixes the change added to 8.8.6 to prevent links in these
        world writable directories.
    SECURITY: Make sure ServiceSwitchFile option file is not a link if
        it is in a world writable directory.
    SECURITY: Never pass a tty to a mailer -- if a mailer can get at the
        tty it may be able to push bytes back to the sender's input.
        Unfortunately this breaks -v mode. Problem noted by
        Wietse Venema of the Global Security Analysis Lab at
        IBM T.J. Watson Research.
    SECURITY: Empty group list if DontInitGroups is set to true to
        prevent program deliveries from picking up extra group
        privileges. Problem reported by Wolfgang Ley of DFN-CERT.
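
The unsafe directory path rule in the first 8.9.0 SECURITY entry above, written as an audit check. This is an added example, not sendmail's own code: it tests only the group and world write bits of each directory on the path, and the function names, the sample paths and the SAMPLE_MODES table are constructed for illustration.

```python
import os
import posixpath
import stat
import types

# File kinds named in the 8.9.0 SECURITY entry, each paired with the
# DontBlameSendmail flag of matching name from the list in these notes.
OVERRIDE_FLAG = {
    "forward": "ForwardFileInUnsafeDirPath",
    "include": "IncludeFileInUnsafeDirPath",
    "class": "ClassFileInUnsafeDirPath",
    "errorheader": "ErrorHeaderInUnsafeDirPath",
    "helpfile": "HelpFileinUnsafeDirPath",  # spelled as in these notes
}

# Constructed directory modes standing in for a real filesystem.
SAMPLE_MODES = {
    "/": 0o755,
    "/home": 0o755,
    "/home/alice": 0o755,
    "/home/bob": 0o775,    # group writable home directory
    "/etc": 0o755,
    "/etc/mail": 0o755,
    "/var": 0o755,
    "/var/lists": 0o777,   # group and world writable list directory
}


def sample_stat(directory):
    """stat_fn stand-in (assumption of this example) backed by SAMPLE_MODES."""
    if directory not in SAMPLE_MODES:
        raise FileNotFoundError(directory)
    return types.SimpleNamespace(st_mode=stat.S_IFDIR | SAMPLE_MODES[directory])


def directory_chain(path):
    """Return each directory from the root down to the one holding path."""
    if not posixpath.isabs(path):
        raise ValueError("absolute path required: %r" % path)
    chain = []
    current = posixpath.dirname(posixpath.normpath(path))
    while True:
        chain.append(current)
        parent = posixpath.dirname(current)
        if parent == current:       # reached "/"
            break
        current = parent
    chain.reverse()
    return chain


def audit(path, kind, stat_fn=os.stat):
    """Check every directory above path for group or world write permission."""
    if kind not in OVERRIDE_FLAG:
        raise ValueError("unknown file kind: %r" % kind)
    unsafe = []
    for directory in directory_chain(path):
        try:
            mode = stat_fn(directory).st_mode
        except OSError:
            unsafe.append((directory, "cannot-stat"))
            continue
        labels = []
        if mode & stat.S_IWGRP:
            labels.append("group-writable")
        if mode & stat.S_IWOTH:
            labels.append("world-writable")
        if labels:
            unsafe.append((directory, "+".join(labels)))
    return {
        "path": path,
        "safe": not unsafe,
        "unsafe_dirs": unsafe,
        # Flag a site would have had to set to keep this file usable.
        "override": OVERRIDE_FLAG[kind] if unsafe else None,
    }


def report(result):
    """Format one audit result as a single line."""
    if result["safe"]:
        return "%s: ok" % result["path"]
    dirs = ", ".join("%s (%s)" % item for item in result["unsafe_dirs"])
    return "%s: refused, unsafe path: %s; override: %s" % (
        result["path"], dirs, result["override"])


if __name__ == "__main__":
    for sample_path, sample_kind in [
        ("/home/alice/.forward", "forward"),
        ("/home/bob/.forward", "forward"),
        ("/var/lists/staff.txt", "include"),
        ("/etc/mail/helpfile", "helpfile"),
    ]:
        print(report(audit(sample_path, sample_kind, stat_fn=sample_stat)))
```

Called without stat_fn, audit() reads the modes of the real directories through os.stat.
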
    SECURITY: The default value for DefaultUser is now set to the uid and
        gid of the first existing user mailnull, sendmail, or daemon
        that has a non-zero uid. If none of these exist, sendmail
        reverts back to the old behavior of using uid 1 and gid 1.
        This is a security problem for Linux which has chosen that
        uid and gid for user bin instead of daemon. If DefaultUser
        is set in the configuration file, that value overrides this
        default.
    SECURITY: Since 8.8.7, the check for non-setuid binaries
        interfered with setting an alternate group id for the
        RunAsUser option. Problem noted by Randall Winchester of
        the University of Maryland.
    Add support for Berkeley DB 2.X. Based on patch from John Kennedy
        of Cal State University, Chico.
    Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB). Users
        who previously defined OLD_NEWDB=1 must now upgrade to the
        current version of Berkeley DB.
    Added support for regular expressions using the new map class regex.
        From Jan Krueger of Unix-AG of University of Hannover.
    Support for BIND 8.1.1's hesiod for hesiod maps and hesiod
        UserDatabases from Randall Winchester of the University
        of Maryland.
    Allow any shell for user shell on program deliveries on V1
        configurations for backwards compatibility on machines which
        do not have getusershell(). Fix from John Beck of Sun
        Microsystems.
    On operating systems which change the process title by reusing the
        argument vector memory, sendmail could corrupt memory if the
        last argument was either "-q" or "-d". Problem noted by
        Frank Langbein of the University of Stuttgart.
    Support Local Mail Transfer Protocol (LMTP) between sendmail and
        mail.local on the F=z flag.
    Macro-expand the contents of the ErrMsgFile. Previously this was
        only done if you had magic characters (0x81) to indicate
        macro expansion. Now $x will be expanded.
        This means that
        real dollar signs have to be backslash escaped.
    TCP Wrappers expects "unknown" in the hostname argument if the
        reverse DNS lookup for the incoming connection fails.
        Problem noted by Randy Grimshaw of Syracuse University and
        Wietse Venema of the Global Security Analysis Lab at
        IBM T.J. Watson Research.
    DSN success bounces generated from an invocation of sendmail -t
        would be sent to both the sender and MAILER-DAEMON.
        Problem noted by Claus Assmann of
        Christian-Albrechts-University of Kiel.
    Avoid "Error 0" messages on delivery mailers which exit with a
        valid exit value such as EX_NOPERM. Fix from Andreas Luik
        of ISA Informationssysteme GmbH.
    Tokenize $&x expansions on right hand side of rules. This eliminates
        the need to use tricks like $(dequote "" $&{client_name} $)
        to cause the ${client_name} macro to be properly tokenized.
    Add the MaxRecipientsPerMessage option: this limits the number of
        recipients that will be accepted in a single SMTP
        transaction. After this number is reached, sendmail
        starts returning "452 Too many recipients" to all RCPT
        commands. This can be used to limit the number of recipients
        per envelope (in particular, to discourage use of the server
        for spamming). Note: a better approach is to restrict
        relaying entirely.
    Fixed pointer initialization for LDAP lmap struct, fixed -s option
        to ldapx map and added timeout for ldap_open call to
        avoid hanging sendmail in the event of hung LDAP servers.
        Patch from Booker Bense of Stanford University.
    Allow multiple -qI, -qR, or -qS queue run limiters. For example,
        '-qRfoo -qRbar' would deliver mail to recipients with foo or
        bar in their address. Patch from Allan E Johannesen of
        Worcester Polytechnic Institute.
    The bestmx map will now return a list of the MX servers for a host if
        passed a column delimiter via the -z map flag.
        This can be
        used to check if the server is an MX server for the recipient
        of a message. This can be used to help prevent relaying.
        Patch from Mitchell Blank Jr of Exec-PC.
    Mark failures for the *file* mailer and return bounce messages to the
        sender for those failures.
    Prevent bogus syslog timestamps on errors in sendmail.cf by
        preserving the TZ environment variable until TimeZoneSpec
        has been determined. Problem noted by Ralf Hildebrandt of
        Technical University of Braunschweig. Patch from Per Hedeland
        of Ericsson.
    Print test input in address test mode when input is not from the tty
        when the -v flag is given (i.e. sendmail -bt -v) to make
        output easier to decipher. Problem noted by Aidan Nichol
        of Procter & Gamble.
    The LDAP map -s flag was not properly parsed and the error message
        given included the remainder of the arguments instead of
        solely the argument in error. Problem noted by Aidan Nichol
        of Procter & Gamble.
    New DontBlameSendmail option. This option allows administrators to
        bypass some of sendmail's file security checks at the expense
        of system security. This should only be used if you are
        absolutely sure you know the consequences.
        The available
        DontBlameSendmail options are:
            Safe
            AssumeSafeChown
            ClassFileInUnsafeDirPath
            ErrorHeaderInUnsafeDirPath
            GroupWritableDirPathSafe
            GroupWritableForwardFileSafe
            GroupWritableIncludeFileSafe
            GroupWritableAliasFile
            HelpFileinUnsafeDirPath
            WorldWritableAliasFile
            ForwardFileInGroupWritableDirPath
            IncludeFileInGroupWritableDirPath
            ForwardFileInUnsafeDirPath
            IncludeFileInUnsafeDirPath
            ForwardFileInUnsafeDirPathSafe
            IncludeFileInUnsafeDirPathSafe
            MapInUnsafeDirPath
            LinkedAliasFileInWritableDir
            LinkedClassFileInWritableDir
            LinkedForwardFileInWritableDir
            LinkedIncludeFileInWritableDir
            LinkedMapInWritableDir
            LinkedServiceSwitchFileInWritableDir
            FileDeliveryToHardLink
            FileDeliveryToSymLink
            WriteMapToHardLink
            WriteMapToSymLink
            WriteStatsToHardLink
            WriteStatsToSymLink
            RunProgramInUnsafeDirPath
            RunWritableProgram
    New DontProbeInterfaces option to turn off the inclusion of all the
        interface names in $=w on startup. In particular, if you
        have lots of virtual interfaces, this option will speed up
        startup. However, unless you make other arrangements, mail
        sent to those addresses will be bounced.
    Automatically create alias databases if they don't exist and
        AutoRebuildAliases is set.
    Add PrivacyOptions=noetrn flag to disable the SMTP ETRN command.
        Suggested by Christophe Wolfhugel of the Institut Pasteur.
    Add PrivacyOptions=noverb flag to disable the SMTP VERB command.
    When determining the client host name ($&{client_name} macro), do
        a forward (A) DNS lookup on the result of the PTR lookup
        and compare results. If they differ or if the PTR lookup
        fails, $&{client_name} will contain the IP address
        surrounded by square brackets (e.g. [127.0.0.1]).
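
The $&{client_name} rule described just above, as an added example that is not sendmail's own code. The function names and the reason strings are assumptions of this sketch, and the PTR and A data are constructed from documentation address ranges so the check runs offline.

```python
import ipaddress
import socket

# Constructed DNS data (documentation addresses, example domains).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.org.",
    # PTR names a host whose A record points somewhere else.
    "198.51.100.7": "mx.trusted.example.",
}
SAMPLE_A = {
    "mail.example.org": ["192.0.2.10", "192.0.2.11"],
    "mx.trusted.example": ["203.0.113.5"],
}


def sample_ptr(ip):
    """PTR lookup against the constructed table; None when there is no record."""
    return SAMPLE_PTR.get(ip)


def sample_forward(name):
    """A lookup against the constructed table; empty list when unknown."""
    return SAMPLE_A.get(name, [])


def system_ptr(ip):
    """PTR lookup through the system resolver; None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """A lookup through the system resolver; empty list on failure."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def client_name(ip, ptr=system_ptr, forward=system_forward):
    """Return (value, reason) for a connecting address.

    value is the PTR name only when a forward lookup of that name yields
    the connecting address; otherwise it is the address in square brackets.
    """
    addr = ipaddress.ip_address(ip)
    bracketed = "[%s]" % ip
    name = ptr(ip)
    if not name:
        return bracketed, "ptr-failed"
    name = name.rstrip(".")
    for candidate in forward(name):
        try:
            if ipaddress.ip_address(candidate) == addr:
                return name, "confirmed"
        except ValueError:
            continue                # skip anything that is not an address
    return bracketed, "mismatch"


if __name__ == "__main__":
    for sample_ip in ("192.0.2.10", "198.51.100.7", "203.0.113.99"):
        value, reason = client_name(sample_ip, sample_ptr, sample_forward)
        print("%-14s client_name=%-20s %s" % (sample_ip, value, reason))
```
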
    New map flag: -Tx appends "x" to lookups that return temporary failure
        (i.e., it is like -ax for the temporary failure case, in
        contrast to the success case).
    New syntax to do limited checking of header syntax. A config line
        of the form:
            HHeader: $>Ruleset
        causes the indicated Ruleset to be invoked on the Header
        when read. This ruleset works like the check_* rulesets --
        that is, it can reject mail on the basis of the contents.
    Limit the size of the HELO/EHLO parameter to prevent spammers
        from hiding their connection information in Received:
        headers.
    When SingleThreadDelivery is active, deliveries to locked hosts
        are skipped. This will cause the delivering process to
        try the next MX host or queue the message if no other MX
        hosts are available. Suggested by Alexander Litvin.
    The [FILE] mailer type now delivers to the file specified in the
        A= equate of the mailer definition instead of $u. It also
        obeys all of the F= mailer flags such as the MIME
        7/8 bit conversion flags. This is useful for defining
        a mailer which delivers to the same file regardless of the
        recipient (e.g. 'A=FILE /dev/null' to discard unwanted mail).
    Do not assume the identity of a remote connection is root@localhost
        if the remote connection closes the socket before the
        remote identity can be queried.
    Change semantics of the F=S mailer flag back to 8.7.5 behavior.
        Some mailers, including procmail, require that the real
        uid is left unchanged by sendmail. Problem noted by Per
        Hedeland of Ericsson.
    No longer is the src/obj*/Makefile selected from a large list -- it
        is now generated using the information in BuildTools/OS/ --
        some of the details are determined dynamically via
        BuildTools/bin/configure.sh.
    The other programs in the sendmail distribution -- mail.local,
        mailstats, makemap, praliases, rmail, and smrsh -- now use
        the new Build method which creates an operating system
        specific Makefile using the information in BuildTools.
    Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e.,
        a failure on one message won't affect future messages to the
        same host). This is necessary if the remote host sends
        a 451 error if the domain of the sender does not resolve
        as is common in anti-spam configurations. Problem noted
        by Mitchell Blank Jr of Exec-PC.
    New "discard" mailer for check_* rulesets and header checking
        rulesets. If one of the above rulesets resolves to the
        $#discard mailer, the commands will be accepted but the
        message will be completely discarded after it is accepted.
        This means that even if only one of the recipients
        resolves to the $#discard mailer, none of the recipients
        will receive the mail. Suggested by Brian Kantor.
    All but the last cloned envelope of a split envelope were queued
        instead of being delivered. Problem noted by John Caruso
        of CNET: The Computer Network.
    Fix deadlock situation in persistent host status file locking.
    Syslog an error if a user forward file could not be read due to
        an error. Patch from John Beck of Sun Microsystems.
    Use the first name returned on machine lookups when canonifying a
        hostname via NetInfo. Patch from Timm Wetzel of GWDG.
    Clear the $&{client_addr}, $&{client_name}, and $&{client_port}
        macros when delivering a bounce message to prevent
        rejection by a check_compat ruleset which uses these macros.
        Problem noted by Jens Hamisch of AgiX Internetservices GmbH.
    If the check_relay ruleset resolves to the error mailer, the
        error in the $: portion of the resolved triplet is used
        in the rejection message given to the remote machine.
        Suggested by Scott Gifford of The Internet Ramp.
    Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros
        before calling the check_relay ruleset. Suggested by Scott
        Gifford of The Internet Ramp.
    Sendmail would get a segmentation fault if a mailer exited with an
        exit code of 79. Problem noted by Aaron Schrab of ExecPC
        Internet. Fix from Christophe Wolfhugel of the Pasteur
        Institute.
    Separate snprintf/vsnprintf routines into separate file for use by
        mail.local.
    Allow multiple map lookups on right hand side, e.g.,
        R$* $( host $1 $) $| $( passwd $1 $). Patch from
        Christophe Wolfhugel of the Pasteur Institute.
    Properly generate success DSN messages if requested for aliases
        which have owner- aliases. Problem noted by Kari Hurtta
        of the Finnish Meteorological Institute.
    Properly display delayed-expansion macros ($&{macroname}) in
        address test mode (-bt). Problem noted by Bryan Costales
        of InfoBeat, Inc.
    -qR could sometimes match names incorrectly. Problem noted by
        Lutz Euler of Lavielle EDV Systemberatung GmbH & Co.
    Include a magic number and version in the StatusFile for the
        mailstats command.
    Record the number of rejected and discarded messages in the
        StatusFile for display by the mailstats command. Patch
        from Randall Winchester of the University of Maryland.
    IDENT returns where the OSTYPE field equals "OTHER" now list the
        user portion as IDENT:username@site instead of
        username@site to differentiate the two. Suggested by
        Kari Hurtta of the Finnish Meteorological Institute.
    Enforce timeout for LDAP queries. Patch from Per Hedeland of
        Ericsson.
    Change persistent host status filename substitution so '/' is
        replaced by ':' instead of '|' to avoid clashes. Also
        avoid clashes with hostnames with leading dots. Fix from
        Mitchell Blank Jr. of Exec-PC.
    If the system lock table is full, only attempt to create a new
        queue entry five times before giving up.
		Previously, it was attempted indefinitely which could
		cause the partition to run out of inodes. Problem noted
		by Suzie Weigand of Stratus Computer, Inc.
	In verbose mode, warn if the sendmail.cf version is less than the
		currently supported version.
	Sorting for QueueSortOrder=host is now case insensitive. Patch
		from Randall S. Winchester of the University of Maryland.
	Properly quote a full name passed via the -F command line option,
		the Full-Name: header, or the NAME environment variable if
		it contains characters which must be quoted. Problem noted
		by Kari Hurtta of the Finnish Meteorological Institute.
	Avoid possible race condition that unlocked a mail job before
		releasing the transcript file on systems that use flock(2).
		In some cases, this might result in a "Transcript Unavailable"
		message in error bounces.
	Accept SMTP replies which contain only a reply code and no
		accompanying text. Problem noted by Fernando Fraticelli of
		Digital Equipment Corporation.
	Portability:
		AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura
			of Kyoto University.
		AIX 4.2 requires <userpw.h> before <usersec.h>. Patch from
			Randall S. Winchester of the University of
			Maryland.
		AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS.
		CRAY T3E from Manu Mahonen of Center for Scientific Computing
			in Finland.
		Digital UNIX now uses statvfs for determining free
			disk space. Patch from Randall S. Winchester of
			the University of Maryland.
		HP-UX 11.x from Richard Allen of Opin Kerfi HF and
			Regis McEwen of Progress Software Corporation.
		IRIX 64 bit fixes from Kari Hurtta of the Finnish
			Meteorological Institute.
		IRIX 6.2 configuration fix for mail.local from Michael Kyle
			of CIC/Advanced Computing Laboratory.
		IRIX 6.5 from Thomas H Jones II of SGI.
		IRIX 6.X load average code from Bob Mende of SGI.
		QNX from Glen McCready <glen@qnx.com>.
		SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links
			to sendmail. Install with group bin instead of kmem
			as kmem does not exist. From Guillermo Freige of
			Gobernacion de la Pcia de Buenos Aires and Paul
			Fischer of BTG, Inc.
		SunOS 4.X does not include memmove(). Patch from
			Per Hedeland of Ericsson.
		SunOS 5.7 includes getloadavg() function for determining
			load average. Patch from John Beck of Sun
			Microsystems.
	CONFIG: Increment version number of config file.
	CONFIG: add DATABASE_MAP_TYPE to set the default type of database
		map for the various maps. The default is hash. Patch from
		Robert Harker of Harker Systems.
	CONFIG: new confEBINDIR m4 variable for defining the executable
		directory for certain programs.
	CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for
		local mail delivery. By default, /usr/libexec/mail.local
		is used. This is expected to be the mail.local shipped
		with 8.9 which is LMTP capable. The path is based on the
		new confEBINDIR m4 variable.
	CONFIG: Use confEBINDIR in determining path to smrsh for
		FEATURE(smrsh). Note that this changes the default from
		/usr/local/etc/smrsh to /usr/libexec/smrsh. To obtain the
		old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh).
	CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to
		include $z/.forward.$w+$h and $z/.forward+$h which allow
		the user to setup different .forward files for
		user+detail addressing.
	CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES,
		and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage,
		DontProbeInterfaces, and DontBlameSendmail options.
	CONFIG: by default do not allow relaying (that is, accepting mail
		from outside your domain and sending it to another host
		outside your domain).
	CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from
		any site to any site.
	CONFIG: new FEATURE(relay_entire_domain) allows any host in your
		domain as defined by the 'm' class ($=m) to relay.
	CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on
		the MX records of the host portion of an incoming recipient.
	CONFIG: new FEATURE(access_db) which turns on the access database
		feature. This database gives you the ability to allow
		or refuse to accept mail from specified domains for
		administrative reasons. By default, names that are listed
		as "OK" in the access db are domain names, not host names.
	CONFIG: new confCR_FILE m4 variable for defining the name of the file
		used for class 'R'. Defaults to /etc/mail/relay-domains.
	CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file)
		to add items to class 'R' ($=R) for hosts allowed to relay.
	CONFIG: new FEATURE(relay_hosts_only) to change the behavior
		of FEATURE(access_db) and class 'R' to lookup individual
		host names only.
	CONFIG: new FEATURE(loose_relay_check). Normally, if a recipient
		using % addressing is used, e.g. user%site@othersite,
		and othersite is in class 'R', the check_rcpt ruleset
		will strip @othersite and recheck user@site for relaying.
		This feature changes that behavior. It should not be
		needed for most installations.
	CONFIG: new FEATURE(relay_local_from) to allow relaying if the
		domain portion of the mail sender is a local host. This
		should only be used if absolutely necessary as it opens
		a window for spammers. Patch from Randall S. Winchester of
		the University of Maryland.
	CONFIG: new FEATURE(blacklist_recipients) turns on the ability to
		block incoming mail destined for certain recipient
		usernames, hostnames, or addresses.
	CONFIG: By default, MAIL FROM: commands in the SMTP session will be
		refused if the host part of the argument to MAIL FROM: cannot
		be located in the host name service (e.g., DNS).
	CONFIG: new FEATURE(accept_unresolvable_domains) accepts
		unresolvable hostnames in MAIL FROM: SMTP commands.
	CONFIG: new FEATURE(accept_unqualified_senders) accepts
		MAIL FROM: senders which do not include a domain.
	CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the
		Realtime Blackhole List. You can specify the RBL name
		server to contact by specifying it as an optional argument.
		The default is rbl.maps.vix.com. For details, see
		http://maps.vix.com/rbl/.
	CONFIG: Call Local_check_relay, Local_check_mail, and
		Local_check_rcpt from check_relay, check_mail, and
		check_rcpt. Users with local rulesets should place the
		rules using LOCAL_RULESETS. If a Local_check_* ruleset
		returns $#OK, the message is accepted. If the ruleset
		returns a mailer, the appropriate action is taken, else
		the return of the ruleset is ignored.
	CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by
		default to support file, :include:, and program deliveries.
	CONFIG: Remove the default for confDEF_USER_ID so the binary can
		pick the proper default value. See the SECURITY note
		above for more information.
	CONFIG: FEATURE(nodns) now warns the user that the feature is a
		no-op. Patch from Kari Hurtta of the Finnish
		Meteorological Institute.
	CONFIG: OSTYPE(osf1) now sets DefaultUserID (confDEF_USER_ID) to
		daemon since DEC's /bin/mail will drop the envelope
		sender if run as mailnull. See the Digital UNIX section
		of src/README for more information. Problem noted by
		Kari Hurtta of the Finnish Meteorological Institute.
	CONFIG: .cf files are now stored in the same directory with the
		.mc files instead of in the obj directory.
	CONFIG: New options confSINGLE_LINE_FROM_HEADER,
		confALLOW_BOGUS_HELO, and confMUST_QUOTE_CHARS for
		setting SingleLineFromHeader, AllowBogusHELO, and
		MustQuoteChars respectively.
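The CONFIG entries above on default-deny relaying, class 'R', FEATURE(relay_hosts_only) and the recheck of % addressing can be modelled in a few lines of C. This is an added illustration, not sendmail code or its rulesets: the function names, the sample class contents and the decision to treat local names the same way as class 'R' when stripping are assumptions, and only the recipient side for a client outside the local domain is modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data, not taken from any real configuration. */
static const char *class_w[] = { "example.org", NULL };     /* local names */
static const char *class_R[] = { "partner.example", NULL }; /* class 'R' */

static int ci_equal(const char *a, const char *b)
{
	while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b))
		a++, b++;
	return *a == '\0' && *b == '\0';
}

/* Match host against a list.  By default entries are domain names, so
 * mail.partner.example matches partner.example; with hosts_only
 * (modelling FEATURE(relay_hosts_only)) only exact names match.  The
 * '.' test keeps evilpartner.example from matching partner.example. */
static int in_class(const char *host, const char **list, int hosts_only)
{
	size_t hl = strlen(host);

	for (; *list != NULL; list++) {
		size_t el = strlen(*list);

		if (ci_equal(host, *list))
			return 1;
		if (!hosts_only && hl > el && host[hl - el - 1] == '.' &&
		    ci_equal(host + hl - el, *list))
			return 1;
	}
	return 0;
}

/* Returns 1 to accept the recipient, 0 for "relaying denied". */
int rcpt_allowed(const char *rcpt, int hosts_only)
{
	char buf[256];
	char *at, *pct;

	if (strlen(rcpt) >= sizeof buf)
		return 0;
	strcpy(buf, rcpt);
	for (;;) {
		at = strrchr(buf, '@');
		if (at == NULL)
			return 1;	/* plain local user name */
		if (!in_class(at + 1, class_w, 1) &&
		    !in_class(at + 1, class_R, hosts_only))
			return 0;	/* neither local nor class 'R' */
		*at = '\0';		/* strip @othersite */
		pct = strrchr(buf, '%');
		if (pct == NULL)
			return 1;	/* nothing hidden behind a % */
		*pct = '@';		/* recheck user@site */
	}
}

int main(void)
{
	static const char *sample[] = {	/* constructed recipients */
		"user@example.org", "user@mail.partner.example",
		"user%elsewhere.test@partner.example", NULL
	};
	for (int i = 0; sample[i] != NULL; i++)
		printf("%-40s %s\n", sample[i],
		       rcpt_allowed(sample[i], 0) ? "accept" : "relaying denied");
	return 0;
}
```

Without the recheck step, the third sample recipient would be accepted on the strength of its class 'R' host and then forwarded to a site outside the allowed set.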
	MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout. This
		SMTP-like protocol allows detailed reporting of delivery
		status on a per-user basis. Code donated by John Myers of
		CMU (now of Netscape).
	MAIL.LOCAL: HP-UX support from Randall S. Winchester of the
		University of Maryland. NOTE: mail.local is not
		compatible with the stock HP-UX mail format. Be sure to
		read mail.local/README.
	MAIL.LOCAL: Prevent other mail delivery agents from stealing a
		mailbox lock. Patch from Randall S. Winchester of the
		University of Maryland.
	MAIL.LOCAL: glibc portability from John Kennedy of Cal State
		University, Chico.
	MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish
		Meteorological Institute.
	MAILSTATS: Display the number of rejected and discarded messages
		in the StatusFile. Patch from Randall Winchester of the
		University of Maryland.
	MAKEMAP: New -s flag to ignore safety checks on database map files
		such as linked files in world writable directories.
	MAKEMAP: Add support for Berkeley DB 2.X. Remove OLD_NEWDB support.
	PRALIASES: Add support for Berkeley DB 2.X.
	PRALIASES: Do not automatically include NDBM support. Problem
		noted by Ralf Hildebrandt of the Technical University of
		Braunschweig.
	RMAIL: Improve portability for other platforms. Patches from
		Randall S. Winchester of the University of Maryland and
		Kari Hurtta of the Finnish Meteorological Institute.
	Changed Files:
		src/Makefiles/Makefile.* files have been modified to use
			the new build mechanism and are now BuildTools/OS/*.
		src/makesendmail changed to symbolic link to src/Build.
	New Files:
		BuildTools/M4/header.m4
		BuildTools/M4/depend/BSD.m4
		BuildTools/M4/depend/CC-M.m4
		BuildTools/M4/depend/NCR.m4
		BuildTools/M4/depend/Solaris.m4
		BuildTools/M4/depend/X11.m4
		BuildTools/M4/depend/generic.m4
		BuildTools/OS/AIX.4.2
		BuildTools/OS/AIX.4.x
		BuildTools/OS/CRAYT3E.2.0.x
		BuildTools/OS/HP-UX.11.x
		BuildTools/OS/IRIX.6.5
		BuildTools/OS/NEXTSTEP.4.x
		BuildTools/OS/NeXT.4.x
		BuildTools/OS/NetBSD.8.3
		BuildTools/OS/QNX
		BuildTools/OS/SunOS.5.7
		BuildTools/OS/dcosx.1.x.NILE
		BuildTools/README
		BuildTools/Site/README
		BuildTools/bin/Build
		BuildTools/bin/configure.sh
		BuildTools/bin/find_m4.sh
		BuildTools/bin/install.sh
		Makefile
		cf/cf/Build
		cf/cf/generic-hpux10.cf
		cf/feature/accept_unqualified_senders.m4
		cf/feature/accept_unresolvable_domains.m4
		cf/feature/access_db.m4
		cf/feature/blacklist_recipients.m4
		cf/feature/loose_relay_check.m4
		cf/feature/local_lmtp.m4
		cf/feature/promiscuous_relay.m4
		cf/feature/rbl.m4
		cf/feature/relay_based_on_MX.m4
		cf/feature/relay_entire_domain.m4
		cf/feature/relay_hosts_only.m4
		cf/feature/relay_local_from.m4
		cf/ostype/qnx.m4
		contrib/doublebounce.pl
		mail.local/Build
		mail.local/Makefile.m4
		mail.local/README
		mailstats/Build
		mailstats/Makefile.m4
		makemap/Build
		makemap/Makefile.m4
		praliases/Build
		praliases/Makefile.m4
		rmail/Build
		rmail/Makefile.m4
		rmail/rmail.0
		smrsh/Build
		smrsh/Makefile.m4
		src/Build
		src/Makefile.m4
		src/snprintf.c
	Deleted Files:
		cf/cf/Makefile (replaced by Makefile.dist)
		mail.local/Makefile
		mail.local/Makefile.dist
		mailstats/Makefile
		mailstats/Makefile.dist
		makemap/Makefile
		makemap/Makefile.dist
		praliases/Makefile
		praliases/Makefile.dist
		rmail/Makefile
		smrsh/Makefile
		smrsh/Makefile.dist
		src/Makefile
		src/Makefiles/Makefile.AIX.4 (split into
			AIX.4.x and AIX.4.2)
		src/Makefiles/Makefile.SMP_DC.OSx.NILE
			(renamed BuildTools/OS/dcosx.1.x.NILE)
		src/Makefiles/Makefile.Utah (obsolete platform)
	Renamed Files:
		READ_ME => README
		cf/cf/Makefile.dist => Makefile
		cf/cf/obj/* => cf/cf/*
		src/READ_ME => src/README

8.8.8/8.8.8	97/10/24
	If the check_relay ruleset failed, the relay= field was logged
		incorrectly. Problem noted by Kari Hurtta of the Finnish
		Meteorological Institute.
	If /usr/tmp/dead.letter already existed, sendmail could not
		add additional bounces to it. Problem noted by Thomas J.
		Arseneault of SRI International.
	If an SMTP mailer used a non-standard port number for the outgoing
		connection, it would be displayed incorrectly in verbose mode.
		Problem noted by John Kennedy of Cal State University, Chico.
	Log the ETRN parameter specified by the client before altering it
		to internal form. Suggested by Bob Kupiec of GES-Verio.
	EXPN and VRFY SMTP commands on malformed addresses were logging as
		User unknown with bogus delay= values. Change them to log
		the same as compliant addresses. Problem noted by Kari E.
		Hurtta of the Finnish Meteorological Institute.
	Ignore the debug resolver option unless using sendmail debug trace
		option for resolver. Problem noted by Greg Nichols of Wind
		River Systems.
	If SingleThreadDelivery was enabled and the remote server returned a
		protocol error on the DATA command, the connection would be
		closed but the persistent host status file would not be
		unlocked so other sendmail processes could not deliver to
		that host. Problem noted by Peter Wemm of DIALix.
	If queueing up a message due to an expensive mailer, don't increment
		the number of delivery attempts or set the last delivery
		attempt time so the message will be delivered on the next
		queue run regardless of MinQueueAge. Problem noted by
		Brian J.
		Coan of the Institute for Global Communications.
	Authentication warnings of "Processed from queue _directory_" and
		"Processed by _username_ with -C _filename_" would be logged
		with the incorrect timestamp. Problem noted by Kari E. Hurtta
		of the Finnish Meteorological Institute.
	Use a better heuristic for detecting GDBM.
	Log null connections on dropped connections. Problem noted by
		Jon Lewis of Florida Digital Turnpike.
	If class dbm maps are rebuilt, sendmail will now detect this and
		reopen the map. Previously, they could give stale
		results during a single message processing (but would
		recover when the next message was received). Fix from
		Joe Pruett of Q7 Enterprises.
	Do not log failures such as "User unknown" on -bv or SMTP VRFY
		requests. Problem noted by Kari E. Hurtta of the
		Finnish Meteorological Institute.
	Do not send a bounce message back to the sender regarding bad
		recipients if the SMTP connection is dropped before the
		message is accepted. Problem noted by Kari E. Hurtta of the
		Finnish Meteorological Institute.
	Use "localhost" instead of "[UNIX: localhost]" when connecting to
		sendmail via a UNIX pipe. This will allow rulesets using
		$&{client_name} to process without sending the string through
		dequote. Problem noted by Alan Barrett of Internet Africa.
	A combination of deferred delivery mode, a double bounce situation,
		and the inability to save a bounce message to
		/var/tmp/dead.letter would cause sendmail to send a bounce
		to postmaster but not remove the offending envelope from the
		queue causing it to create a new bounce message each time the
		queue was run. Problem noted by Brad Doctor of Net Daemons
		Associates.
	Remove newlines from hostname information returned via DNS.
		There are no known security implications of newlines in
		hostnames as sendmail filters newlines in all vital areas;
		however, this could cause confusing error messages.
	Starting with sendmail 8.8.6, mail sent with the '-t' option would be
		rejected if any of the specified addresses were bad. This
		behavior was modified to only reject the bad addresses and not
		the entire message. Problem noted by Jozsef Hollosi of
		SuperNet, Inc.
	Use Timeout.fileopen when delivering mail to a file. Suggested by
		Bryan Costales of InfoBeat, Inc.
	Display the proper Final-Recipient on DSN messages for non-SMTP
		mailers. Problem noted by Kari E. Hurtta of the
		Finnish Meteorological Institute.
	An error in calculating the available space in the list of addresses
		for logging deliveries could cause an address to be silently
		dropped.
	Include the initial user environment if sendmail is restarted via
		a HUP signal. This will give room for the process title.
		Problem noted by Jon Lewis of Florida Digital Turnpike.
	Mail could be delivered without a body if the machine does not
		support flock locking and runs out of processes during
		delivery. Fix from Chuck Lever of the University of Michigan.
	Drop recipient address from 251 and 551 SMTP responses per RFC 821.
		Problem noted by Kari E. Hurtta of the Finnish Meteorological
		Institute.
	Make sure non-rebuildable database maps are opened before the
		rebuildable maps (i.e. alias files) in case the database maps
		are needed for verifying the left hand side of the aliases.
		Problem noted by Lloyd Parkes of Victoria University.
	Make sure sender RFC822 source route addresses are alias expanded for
		bounce messages. Problem noted by Juergen Georgi of
		RUS University of Stuttgart.
	Minor lint fixes.
	Return a temporary error instead of a permanent error if an LDAP map
		search returns an error.
		This will allow sequenced maps which
		use other LDAP servers to be checked. Fix from Booker Bense
		of Stanford University.
	When automatically converting from quoted printable to 8bit text do
		not pad bare linefeeds with a space. Problem noted by Theo
		Nolte of the University of Technology Aachen, Germany.
	Portability:
		Non-standard C compilers may have had a problem compiling
			conf.c due to a standard C external declaration of
			setproctitle(). Problem noted by Ted Roberts of
			Electronic Data Systems.
		AUX: has a broken O_EXCL implementation. Reported by Jim
			Jagielski of jaguNET Access Services.
		BSD/OS: didn't compile if HASSETUSERCONTEXT was defined.
		Digital UNIX: Digital UNIX (and possibly others) moves
			loader environment variables into the loader memory
			area. If one of these environment variables (such as
			LD_LIBRARY_PATH) was the last environment variable,
			an invalid memory address would be used by the process
			title routine causing memory corruption. Problem
			noted by Sam Hartman of Mesa Internet Systems.
		GNU libc: uses an enum for _PC_CHOWN_RESTRICTED which caused
			chownsafe() to always return 0 even if the OS does
			not permit file giveaways. Problem noted by
			Yasutaka Sumi of The University of Tokyo.
		IRIX6: Syslog buffer size set to 512 bytes. Reported by
			Gerald Rinske of Siemens Business Services VAS.
		Linux: Pad process title with NULLs. Problem noted by
			Jon Lewis of Florida Digital Turnpike.
		SCO OpenServer 5.0: SIOCGIFCONF ioctl call returns an
			incorrect value for the number of interfaces.
			Problem noted by Chris Loelke of JetStream Internet
			Services.
		SINIX: Update for Makefile and syslog buffer size from Gerald
			Rinske of Siemens Business Services VAS.
		Solaris: Make sure HASGETUSERSHELL setting for SunOS is not
			used on a Solaris machine. Problem noted by
			Stephen Ma of Jtec Pty Limited.
	CONFIG: SINIX: Update from Gerald Rinske of Siemens Business
		Services VAS.
	MAKEMAP: Use a better heuristic for detecting GDBM.
	CONTRIB: expn.pl: Updated version from the author, David Muir Sharnoff.
	OP.ME: Document the F=i mailer flag. Problem noted by Per Hedeland of
		Ericsson.

8.8.7/8.8.7	97/08/03
	If using Berkeley DB on systems without O_EXLOCK (open a file with
		an exclusive lock already set -- i.e., almost all systems
		except 4.4-BSD derived systems), the initial attempt at
		rebuilding aliases file if the database didn't already
		exist would fail. Patch from Raymund Will of LST Software
		GmbH.
	Bogus incoming SMTP commands would reset the SMTP conversation.
		Problem noted by Fredrik Jönsson of the Royal Institute
		of Technology, Stockholm.
	Since TCP Wrappers includes setenv(), unsetenv(), and putenv(),
		some environments could give "multiple definitions" for these
		routines during compilation. If using TCP Wrappers, assume
		that these routines are included as though they were in the
		C library. Patch from Robert La Ferla.
	When a NEWDB database map was rebuilt at the same time it was being
		used by a queue run, the maps could be left locked for the
		duration of the queue run, causing other processes to hang.
		Problem noted by Kendall Libby of Shore.NET.
	In some cases, NoRecipientAction=add-bcc was being ignored, so the
		mail was passed on without any recipient header. This could
		cause problems downstream. Problem noted by Xander Jansen
		of SURFnet ExpertiseCentrum.
	Give error when GDBM is used with sendmail. GDBM's locking and
		linking of the .dir and .pag files interferes with sendmail's
		locking and security checks. Problems noted by Fyodor
		Yarochkin of the Kyrgyz Republic FreeNet.
	Don't fsync qf files if SuperSafe option is not set.
	Avoid extra calls to gethostbyname for addresses for which a
		gethostbyaddr found no value. Also, ignore any returns
		from gethostbyaddr that look like a dotted quad.
	If PTR lookup fails when looking up an SMTP peer, don't tag it as
		"may be forged", since at the network level we pretty much
		have to assume that the information is good.
	In some cases, errors during an SMTP session could leave files
		open or locked.
	Better handling of missing file descriptors (0, 1, 2) on startup.
	Better handling of non-setuid binaries -- avoids certain obnoxious
		errors during testing.
	Errors in file locking of NEWDB maps had the incorrect file name
		printed in the error message.
	If the AllowBogusHELO option were set and an EHLO with a bad or
		missing parameter were issued, the EHLO behaved like a HELO.
	Load limiting never kicked in for incoming SMTP transactions if the
		DeliveryMode=background and any recipient was an alias or
		had a .forward file. From Nik Conwell of Boston University.
	On some non-Posix systems, the decision of whether chown(2) permits
		file giveaway was undefined. From Tetsu Ushijima of the
		Tokyo Institute of Technology.
	Fix race condition that could cause the body of a message to be
		lost (so only the header was delivered). This only occurs
		on systems that do not use flock(2), and only when a queue
		runner runs during a critical section in another message
		delivery. Based on a patch from Steve Schweinhart of
		Results Computing.
	If a qf file was found in a mail queue directory that had a problem
		(wrong ownership, bad format, etc.) and the file name was
		exactly MAXQFNAME bytes long, then instead of being tried
		once, it would be tried on every queue run. Problem noted
		by Bryan Costales of Mercury Mail.
	If the system supports an st_gen field in the status structure,
		include it when reporting that a file has changed after open.
		This adds a new compile flag, HAS_ST_GEN (0/1 option).
		This ought to be checked as well as reported, since it is
		theoretically possible for an attacker to remove a file after
		it is opened and replace it with another file that has the
		same i-number, but some filesystems (notably AFS) return
		garbage in this field, and hence always look like the file
		has changed. As a practical matter this is not a security
		problem, since the files can be neither hard nor soft links,
		and on no filesystem (that I am aware of) is it possible to
		have two files on the same filesystem with the same i-number
		simultaneously.
	Delete the root Makefile from the distribution -- it is only for
		use internally, and does not work at customer sites.
	Fix botch that caused the second MAIL FROM: command in a single
		transaction to clear the entire transaction. Problem
		noted by John Kennedy of Cal State University, Chico.
	Work properly on machines that have _PATH_VARTMP defined without
		a trailing slash. (And a pox on vendors that decide to
		ignore the established conventions!) Problem noted by
		Gregory Neil Shapiro of WPI.
	Internal changes to make it easier to add another protocol family
		(intended for IPv6). Patches are from John Kennedy of
		CSU Chico.
	In certain cases, 7->8 bit MIME decoding of Base64 text could leave
		an extra space at the beginning of some lines. Problem
		noted by Charles Karney of Princeton University; fix based
		on a patch from Christophe Wolfhugel.
	Portability:
		Allow _PATH_VENDOR_CF to be set in Makefile for consistency
			with the _Sendmail_ book, 2nd edition. Note that
			the book is actually wrong: _PATH_SENDMAILCF should
			be used instead.
		AIX 3.x: Include <sys/select.h>.
			Patch from Gene Rackow of Argonne National Laboratory.
		OpenBSD from Paul DuBois of the University of Wisconsin.
		RISC/os 4.0 from Paul DuBois of the University of Wisconsin.
		SunOS: Include <memory.h> to fix warning from util.c. From
			James Aldridge of EUnet Ltd.
		Solaris: Change STDIR (location of status file) to /etc/mail
			in Makefiles.
		Linux, Dynix, UNICOS: Remove -DNDBM and -lgdbm from
			Makefiles. Use NEWDB on Linux instead.
		NCR MP-RAS 3.x with STREAMware TCP/IP: SIOCGIFNUM ioctl
			exists but behaves differently than other OSes.
			Add SIOCGIFNUM_IS_BROKEN compile flag to get
			around the problem. Problem noted by Tom Moore of
			NCR Corp.
		HP-UX 9.x: fix compile warnings for old select API. Problem
			noted by Tom Smith of Digital Equipment Corp.
		UnixWare 2.x: compile warnings on offsetof macro. Problem
			noted by Tom Good of the Community Access Information
			Resource Network
		SCO 4.2: compile problems caused by a change in the type of
			the "length" parameters passed to accept, getpeername,
			getsockname, and getsockopt. Adds new compile flags
			SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Problem reported
			by Tom Good of St. Vincent's North Richmond Community
			Mental Health Center Residential Services.
		AIX 4: Use size_t for SOCKADDR_SIZE_T and SOCKOPT_SIZE_T.
			Suggested by Brett Hogden of Rochester Gas & Electric
			Corp.
		Linux: avoid compile problem for versions of <setjmp.h> that
			#define both setjmp and longjmp. Problem pointed out
			by J.R. Oldroyd of TerraNet.
	CONFIG: SCO UnixWare 2.1: Support for OSTYPE(sco-uw-2.1)
		from Christopher Durham of SCO.
	CONFIG: NEXTSTEP: define confCW_FILE to
		/etc/sendmail/sendmail.cw to match the usual
		configuration. Patch from Dennis Glatting of
		PlainTalk.
	CONFIG: MAILER(fax) called a program that hasn't existed for a long
		time. Convert to use the HylaFAX 4.0 conventions.
		Suggested by Harry Styron.
	CONFIG: Improve sample anti-spam rulesets in cf/cf/knecht.mc. These
		are the rulesets in use on sendmail.org.
	MAKEMAP: give error on GDBM files.
	MAIL.LOCAL: Make error messages a bit more explicit, for example,
		telling more details on what actually changed when "file
		changed after open".
	CONTRIB: etrn.pl: Ignore comments in Fw files. Support multiple Fw
		files.
	CONTRIB: passwd-to-alias.pl: Handle 8 bit characters and '-'.
	NEW FILES:
		src/Makefiles/Makefile.OpenBSD
		src/Makefiles/Makefile.RISCos.4_0
		test/t_exclopen.c
		cf/ostype/sco-uw-2.1.m4
	DELETED FILES:
		Makefile

8.8.6/8.8.6	97/06/14
	*************************************************************
	* The extensive assistance of Gregory Neil Shapiro of WPI   *
	* in preparing this release is gratefully appreciated.      *
	* Sun Microsystems has also provided resources toward       *
	* continued sendmail development.                           *
	*************************************************************
	SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open
		mode bits set to create a file that is a symbolic link that
		points nowhere. This makes it possible to create a root
		owned file in an arbitrary directory by inserting the symlink
		into a writable directory after the initial lstat(2) check
		determined that the file did not exist. The only verified
		example of a system having these odd semantics for O_EXCL
		and symbolic links was HP-UX prior to version 9.07. Most
		systems do not have the problem, since an exclusive create
		of a file disallows symbolic links. Systems that have been
		verified to NOT have the problem include AIX 3.x, *BSD,
		DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris,
		and Ultrix.
		This is a potential exposure on systems that
		have this bug and which do not have a MAILER-DAEMON alias
		pointing at a legitimate account, since this will cause old
		mail to be dropped in /var/tmp/dead.letter.
	SECURITY: Problems can occur on poorly managed systems, specifically,
		if maps or alias files are in world writable directories.
		If your system has alias maps in writable directories, it
		is potentially possible for an attacker to replace the .db
		(or .dir and .pag) files by symbolic links pointing at
		another database; this can be used either to expose
		information (e.g., by pointing an alias file at /etc/spwd.db
		and probing for accounts), or as a denial-of-service attack
		(by trashing the password database). The fix disallows
		symbolic links entirely when rebuilding alias files or on
		maps that are in writable directories, and always warns on
		writable directories; 8.9 will probably consider writable
		directories to be fatal errors. This does not represent an
		exposure on systems that have alias files in unwritable
		system directories.
	SECURITY: disallow .forward or :include: files that are links (hard
		or soft) if the parent directory (or any directory in the
		path) is writable by anyone other than the owner. This is
		similar to the previous case for user files. This change
		should not affect most systems, but is necessary to prevent
		an attacker who can write the directory from pointing such
		files at other files that are readable only by the owner.
	SECURITY: Tighten safechown rules: many systems will say that they
		have a safe (restricted to root) chown even on files that
		are mounted from another system that allows owners to give
		away files. The new rules are very strict, trusting file
		ownership only in those few cases where the system has
		been verified to be at least as paranoid as necessary.
		However, it is possible to relax the rules to partially
		trust the ownership if the directory path is not world or
		group writable. This might allow someone who has a legitimate
		:include: file (referenced directly from /etc/aliases) to
		become another non-root user if the :include: file is in a
		non-writable directory on an NFS-mounted filesystem where
		the local system says that giveaway is denied but it is
		actually permitted. I believe this to be a very small set
		of cases. If in doubt, do not point :include: aliases at
		NFS-mounted filesystems.
	SECURITY: When setting a numeric group id using the RunAsUser option
		(e.g., "O RunAsUser=10:20"), the group id would not be set.
		Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha
		group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine.
		The user id was still set properly. Problem noted by Uli
		Pralle of the Technical University of Berlin.
	Save the initial gid set for use when checking if the
		PrivacyOptions=restrictmailq option is set. Problem reported
		by Wolfgang Ley of DFN-CERT.
	Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a
		failure on one message won't affect future messages to the
		same host).
	IP source route printing had an "off by one" error that would
		affect any options that came after the route option. Patch
		from Theo de Raadt.
	The "Message is too large" error didn't successfully bounce the error
		back to the sender. Problem reported by Stephen More of
		PSI; patch from Gregory Neil Shapiro of WPI.
	Change SMTP status code 553 to map into Extended code 5.1.0 (instead
		of 5.1.3); it apparently gets used in multiple ways.
		Suggested by John Myers of Portola Communications.
	Fix possible extra null byte generated during collection if errors
		occur at the beginning of the stream. Patch contributed by
		Andrey A.
		Chernov and Gregory Neil Shapiro.
	Code changes to avoid possible reentrant call of malloc/free within
		a signal handler. Problem noted by John Beck of Sun
		Microsystems.
	Move map initialization to be earlier so that check_relay ruleset
		will have the latest version of the map data. Problem noted
		by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro.
	If there are fatal errors during the collection phase (e.g., message
		too large) don't send the bogus message.
	Avoid "cannot open xfAAA00000" messages when sending to aliases that
		have errors and have owner- aliases. Problem noted by Michael
		Barber of MTU; fix from Gregory Neil Shapiro of WPI.
	Avoid null pointer dereference on illegal Boundary= parameters in
		multipart/mixed Content-Type: header. Problem noted by
		Richard Muirden of RMIT University.
	Always print error messages during newaliases (-bi) even if the
		ErrorMode is not set to "print". Fix from Gregory Neil
		Shapiro.
	Test mode could core dump if you did a /map lookup in an optional map
		that could not be opened. Based on a fix from John Beck of
		Sun Microsystems.
	If DNS is misconfigured so that the last MX record tried points to
		a host that does not have an A record, but other MX records
		pointed to something reasonable, don't bounce the message
		with a "host unknown" error. Note that this should really
		be fixed in the zone file for the domain. Problem noted by
		Joe Rhett of Navigist, Inc.
	If a map fails (e.g., DNS times out) on all recipient addresses, mark
		the message as having been tried; otherwise the next queue
		run will not realize that this is a second attempt and will
		retry immediately. Problem noted by Bryan Costales of
		Mercury Mail.
	If the clock is set backwards, and a MinQueueAge is set, no jobs
		will be run until the later setting of the clock is reached.
		"Problem" (I use the term loosely) noted by Eric Hagberg of
		Morgan Stanley.
	If the load average rises above the cutoff threshold (above which
		sendmail will not process the queue at all) during a queue
		run, abort the queue run immediately. Problem noted by
		Bryan Costales of Mercury Mail.
	The variable queue processing algorithm (based on the message size,
		number of recipients, message precedence, and job age) was
		non-functional -- either the entire queue was processed or
		none of the queue was processed. The updated algorithm
		does no queue run if a single recipient zero size job will
		not be run.
	If there is a fatal ("panic") message that will cause sendmail to
		die immediately, never hold the error message for future
		printing.
	Force ErrorMode=print in -bt mode so that all errors are printed
		regardless of the setting of the ErrorMode option in the
		configuration file. Patch from Gregory Neil Shapiro.
	New compile flag HASSTRERROR says that this OS has the strerror(3)
		routine available in one of the libraries. Use it in conf.h.
	The -m (match only) flag now works on host class maps.
	If class hash or btree maps are rebuilt, sendmail will now detect
		this and reopen the map. Previously, they could give
		erroneous results during a single message processing
		(but would recover when the next message was received).
	Don't delete zero length queue files when doing queue runs until the
		files are at least ten minutes old. This avoids a potential
		race condition: the creator creates the qf file, getting back
		a file descriptor. The queue runner locks it and deletes it
		because it is zero length. The creator then writes the
		descriptor that is now for a disconnected file, and the
		job goes away. Based on a suggestion by Bryan Costales.
	When determining the "validated" host name ($_ macro), do a forward
		(A) DNS lookup on the result of the PTR lookup and compare
		results. If they differ or if the PTR lookup fails, tag the
		address as "may be forged".
	Log null connections (i.e., hosts that connect but do not do any
		substantive activity on the connection before disconnecting;
		"substantive" is defined to be MAIL, EXPN, VRFY, or ETRN).
	Always permit "writes" to /dev/null regardless of the link count.
		This is safe because /dev/null is special cased, and no open
		or write is ever actually attempted. Patch from Villy Kruse
		of TwinCom.
	If a message cannot be sent because of a 552 (exceeded storage
		allocation) response to the MAIL FROM:<>, and a SIZE= parameter
		was given, don't return the body in the bounce, since there
		is a very good chance that the message will double-bounce.
	Fix possible line truncation if a quoted-printable had an =00 escape
		in the body. Problem noted by Charles Karney of the Princeton
		Plasma Physics Laboratory.
	Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses.
		Problem noted by Kari Hurtta of the Finnish Meteorological
		Institute.
	The MaxDaemonChildren option wasn't applying to queue runs as
		documented. Note that this increases the potential denial
		of service problems with this option: an attacker can
		connect many times, and thereby lock out queue runs as well
		as incoming connections. If you use this option, you should
		run the "sendmail -bd" and "sendmail -q30m" jobs separately
		to avoid this attack. Failure to limit noted by Matthew
		Dillon of BEST Internet Communications.
	Always give a message in newaliases if alias files cannot be
		opened instead of failing silently. Suggested by Gregory
		Neil Shapiro. This change makes the code match the O'Reilly
		book (2nd edition).
	Some older versions of the resolver could return with h_errno == -1
		if no name server could be reached, causing mail to bounce
		instead of queueing. Treat this like TRY_AGAIN. Fix from
		John Beck of SunSoft.
	If a :include: file is owned by a user that does not have an entry
		in the passwd file, sendmail could dereference a null pointer.
		Problem noted by Satish Mynam of Sun Microsystems.
	Take precautions to make sure that the SMTP protocol cannot get out
		of sync if (for example) an alias file cannot be opened.
	Fix a possible race condition that can cause a SIGALRM to come in
		immediately after a SIGHUP, causing the new sendmail to die.
	Avoid possible hang on SVr3 systems when doing child reaping. Patch
		from Villy Kruse of TwinCom.
	Ignore improperly formatted SMTP reply codes. Previously these were
		partially processed, which could cause confusing error
		returns.
	Fix possible bogus pointer dereference when doing ldapx map lookups
		on some architectures.
	Portability:
		A/UX: from Jim Jagielski of NASA/GSFC.
		glibc: SOCK_STREAM was changed from a #define to an enum,
			thus breaking #ifdef SOCK_STREAM. Only option seems
			to be to assume SOCK_STREAM if __GNU_LIBRARY__ is
			defined. Problem reported by A Sun of the University
			of Washington.
		Solaris: use SIOCGIFNUM to get the number of interfaces on
			the system rather than guessing at compile time.
			Patch contributed by John Beck of Sun Microsystems.
		Intel Paragon: from Wendy Lin of Purdue University.
		GNU Hurd: from Miles Bader of the GNU project.
		RISC/os 4.50 from Harlan Stenn of PFCS Corporation.
		ISC Unix: wait never returns if SIGCLD signals are blocked.
			Unfortunately releasing them opens a race condition,
			but there appears to be no fix for this. Patch from
			Gregory Neil Shapiro.
		BIND 8.1 for IPv6 compatibility from John Kennedy.
		Solaris: a bug in strcasecmp caused characters with the
			high order bit set to apparently randomly match
			letters -- for example, $| (0233) matches "i" and "I".
			Problem noted by John Gregson of the University of
			Cambridge.
		IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From
			Kari Hurtta.
		IRIX 6.x: Create Makefiles for systems that claim to be
			IRIX64 but are 6.2 or higher (so use the regular
			IRIX Makefile).
		IRIX 6.x: Fix load average computation on 64 bit kernels.
			Problem noted by Eric Hagberg of Morgan Stanley.
	CONFIG: Some canonification was still done for UUCP-like addresses
		even if FEATURE(nocanonify) was set. Problem pointed out by
		Brian Candler.
	CONFIG: In some cases UUCP mailers wouldn't properly recognize all
		local names as local. Problem noted by Jeff Polk of BSDI;
		fix provided by Gregory Neil Shapiro.
	CONFIG: The "local:user" syntax entries in mailertables and other
		"mailer:user" syntax locations returned an incorrect value
		for the $h macro. Problem noted by Gregory Neil Shapiro.
	CONFIG: Retain "+detail" information when forwarding mail to a
		MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip
		Guenther of Gustavus Adolphus College.
	CONFIG: Make sure user+detail works for FEATURE(virtusertable);
		rules are the same as for aliasing. Based on a patch from
		Gregory Neil Shapiro.
	CONFIG: Break up parsing rules into several pieces; this should
		have no functional change in this release, but makes it
		possible to have better anti-spam rulesets in the future.
	CONFIG: Disallow double dots in host names to avoid having the
		HostStatusDirectory store status under the wrong name.
		In some cases this can be used as a denial-of-service attack.
		Problem noted by Ron Jarrell of Virginia Tech, patch from
		Gregory Neil Shapiro.
	CONFIG: Don't use F=m (multiple recipients per invocation) for
		MAILER(procmail), but do pass F=Pn9 (include Return-Path:,
		don't include From_, and convert to 8-bit). Suggestions
		from Kimmo Suominen and Roderick Schertler.
	CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) were
		being masqueraded as though FEATURE(masquerade_entire_domain)
		was specified, even when it wasn't.
	MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft.
	MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't
		"slip in" a symbolic link between the lstat(2) call and the
		exclusive open. This is only a problem on System V derived
		systems that allow an exclusive create on files that are
		symbolic links pointing nowhere.
	MAIL.LOCAL: If the final mailbox close() failed, the user id was
		not reset back to root, which on some systems would cause
		later mailboxes to fail. Also, any partial message would
		not be truncated, which could result in repeated deliveries.
		Problem noted by Bruce Evans via Peter Wemm (FreeBSD
		developers).
	MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar
		change to the sendmail map code was made in 8.8.3. Problem
		noted by Gregory Neil Shapiro.
	MAKEMAP: Give warnings on file problems such as map files that are
		symbolic links; although makemap is not setuid root, it is
		often run as root and hence has the potential for the same
		sorts of problems as alias rebuilds.
	MAKEMAP: Change compilation so that it will link properly on
		NEXTSTEP.
	CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf.
		Accept an optional list of arguments following the server
		name for the ETRN arguments to use (instead of $=w). Other
		miscellaneous bug fixes. From Christian von Roques via
		John Beck of Sun Microsystems.
	CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta.
		This Perl script converts GECOS information in the /etc/passwd
		file into aliases, allowing for faster access to full name
		lookups; it is also clever about adding aliases (to root)
		for system accounts.
	NEW FILES:
		src/safefile.c
		cf/ostype/gnuhurd.m4
		cf/ostype/irix6.m4
		contrib/passwd-to-alias.pl
		src/Makefiles/Makefile.IRIX64.6.1
		src/Makefiles/Makefile.IRIX64.6.x
	RENAMED FILES:
		src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x
		src/Makefiles/Makefile.IRIX64 => Makefile.IRIX64.6.0

8.8.5/8.8.5	97/01/21
	SECURITY: Clear out group list during startup. Without this, sendmail
		will continue to run with the group permissions of the caller,
		even if RunAsUser is specified.
	SECURITY: Make purgestat (-bH) be root-only. This is not in response
		to any known attack, but it's best to be conservative.
		Suggested by Peter Wemm of DIALix.
	SECURITY: Fix buffer overrun problem in MIME code that has possible
		security implications. Patch from Alex Garthwaite of the
		University of Pennsylvania.
	Use of a -f flag with a phrase attached (e.g., "-f 'Full Name <addr>'")
		would truncate the address after "Full". Although the -f
		syntax is incorrect (since it is in the envelope, it
		shouldn't have comments and full names), the failure mode
		was unnecessarily awful.
	Fix a possible null pointer dereference when converting 8-bit data
		to a 7-bit format. Problem noted by Jim Hutchins of
		Sandia National Labs and David James of British Telecom.
	Clear out stale state that affected F=9 on SMTP mailers in queue
		runs. Although this really shouldn't be used (F=9 is for
		final delivery only, and using it on an SMTP mailer makes
		it possible for a message to be converted from 8->7->8->7
		bits several times), it shouldn't have failed with a syserr.
		Problem noted by Eric Hagberg of Morgan Stanley.
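
The link checks described in the SECURITY entries earlier in this list (.forward and :include: files that are links under a writable directory, and mail.local's lstat(2)/exclusive-open race), sketched in C as an added example; this is not sendmail's safefile.c or mail.local code. The function names, the `base` trust-anchor parameter and the temporary-directory scenario are assumptions made for the illustration.

```c
/* Added illustration; not sendmail's safefile.c or mail.local source. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum verdict { FILE_OK, ERR_STAT, ERR_UNSAFE_LINK, ERR_NOT_PLAIN, ERR_OPEN, ERR_CHANGED };

/* 1 if a directory between the file and `base` is group- or world-writable.
 * `base` is a hypothetical trust anchor; paths outside it fail closed. */
static int writable_path(const char *base, const char *path)
{
    char buf[PATH_MAX], *slash;
    struct stat st;
    if (snprintf(buf, sizeof buf, "%s", path) >= (int)sizeof buf)
        return 1;
    while ((slash = strrchr(buf, '/')) != NULL && slash != buf) {
        *slash = '\0';                      /* step up to the parent */
        if (stat(buf, &st) != 0 || !S_ISDIR(st.st_mode) ||
            (st.st_mode & (S_IWGRP | S_IWOTH)))
            return 1;
        if (strcmp(buf, base) == 0)
            return 0;
    }
    return 1;                               /* never reached `base` */
}

/* .forward / :include: rule: refuse a file that is a link (hard or soft)
 * when a directory on its path is writable by anyone but the owner. */
enum verdict check_user_file(const char *base, const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return ERR_STAT;
    if ((S_ISLNK(st.st_mode) || st.st_nlink > 1) && writable_path(base, path))
        return ERR_UNSAFE_LINK;
    return FILE_OK;
}

/* mail.local-style open: lstat, open (exclusive create if absent), then lstat
 * and fstat must agree on one singly linked regular file, else refuse. */
enum verdict open_mailbox(const char *path, int *fdp)
{
    struct stat sb, fsb;
    int flags = O_WRONLY | O_APPEND;
    *fdp = -1;
    if (lstat(path, &sb) != 0)
        flags |= O_CREAT | O_EXCL;          /* absent: exclusive create */
    else if (!S_ISREG(sb.st_mode) || sb.st_nlink != 1)
        return ERR_NOT_PLAIN;
    if ((*fdp = open(path, flags, 0600)) < 0)
        return ERR_OPEN;
    if (lstat(path, &sb) != 0 || fstat(*fdp, &fsb) != 0 || !S_ISREG(sb.st_mode) ||
        sb.st_nlink != 1 || sb.st_dev != fsb.st_dev || sb.st_ino != fsb.st_ino) {
        close(*fdp);                        /* name and descriptor disagree */
        *fdp = -1;
        return ERR_CHANGED;
    }
    return FILE_OK;
}

/* Constructed scenario in a fresh temporary directory (names made up).
 * Fills v[0..5]; returns 0 when setup and cleanup succeeded. */
int run_demo(enum verdict v[6])
{
    char base[] = "/tmp/linkdemo.XXXXXX", p[4][64];
    const char *name[4] = { "mbox", "soft", "hard", "dangling" };
    int i, fd;
    if (mkdtemp(base) == NULL)
        return -1;
    for (i = 0; i < 4; i++)
        snprintf(p[i], sizeof p[i], "%s/%s", base, name[i]);
    v[0] = open_mailbox(p[0], &fd);         /* absent: exclusive create */
    if (fd < 0 || close(fd) != 0 || symlink("mbox", p[1]) != 0)
        return -1;
    v[1] = check_user_file(base, p[1]);     /* symlink, directory is 0700 */
    if (chmod(base, 0770) || link(p[0], p[2]) || symlink("nowhere", p[3]))
        return -1;
    v[2] = check_user_file(base, p[1]);     /* symlink, writable directory */
    v[3] = check_user_file(base, p[2]);     /* hard link, writable directory */
    v[4] = open_mailbox(p[0], &fd);         /* mailbox now has two links */
    v[5] = open_mailbox(p[3], &fd);         /* symlink pointing nowhere */
    for (i = 0; i < 4; i++)
        unlink(p[i]);
    return rmdir(base);
}

int main(void)
{
    enum verdict v[6];
    int i, rc = run_demo(v);
    for (i = 0; rc == 0 && i < 6; i++)
        printf("case %d: verdict %d\n", i, (int)v[i]);
    return rc != 0;
}
```

The second lstat/fstat comparison is what closes the window: a name that was swapped after the first lstat no longer matches the descriptor that open returned.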
	_Really_ fix the multiple :maildrop code in the user database
		module. Patch from Roy Mongiovi of Georgia Tech.
	Let F lines in the configuration file actually read root-only
		files if the configuration file is safe. Based on a
		patch from Keith Reynolds of SCO.
	ETRN followed by QUIT would hold the connection open until the queue
		run completed. Problem noted by Truck Lewis of TDK
		Semiconductor Corp.
	It turns out that despite the documentation, the TCP wrappers library
		does _not_ log rejected connections. Do the logging ourselves.
		Problem noted by Fletcher Mattox of the University of Texas
		at Austin.
	If sendmail finds a qf file in its queue directory that is an unknown
		version (e.g., when backing out to an old version), the
		error is reported on every queue run. Change it to only
		give the error once (and rename the qf => Qf). Patch from
		William A. Gianopoulos of Raytheon Company.
	Start a new session when doing background delivery; currently it
		ignored signals but didn't start a new session, which caused
		some problems if a background process tried to send mail
		under certain circumstances. Problem noted by Eric Hagberg
		of Morgan Stanley; fix from Kari Hurtta.
	Simplify test for skipping a queue run to just check if the current
		load average is >= the queueing load average. Previously
		the check factored in some other parameters that caused it
		to essentially never skip the queue run. Patch from Bryan
		Costales.
	If the SMTP server is running in "nullserver" mode (that is, it is
		rejecting all commands), start sleeping after MAXBADCOMMAND
		(25) commands; this helps prevent a bad guy from putting
		you into a tight loop as a denial-of-service attack. Based
		on an e-mail conversation with Brad Knowles of AOL.
	Slow down when too many "light weight" commands have been issued;
		this helps prevent a class of denial-of-service attacks.
		The current values and defaults are:
		    MAXNOOPCOMMANDS  20  NOOP, VERB, ONEX, XUSR
		    MAXHELOCOMMANDS   3  HELO, EHLO
		    MAXVRFYCOMMANDS   6  VRFY, EXPN
		    MAXETRNCOMMANDS   8  ETRN
		These will probably be configurable in a future release.
	On systems that have uid_t typedefed to be an unsigned short, programs
		that had the F=S flag and no U= equate would be invoked with
		the real uid set to 65535 rather than being left unchanged.
	In some cases, NOTIFY=NEVER was not being honored. Problem noted
		by Steve Hubert of the University of Washington, Seattle.
	Mail that was Quoted-Printable encoded and had a soft line break on
		the last line (i.e., an incomplete continuation) had the last
		line dropped. Since this appears to be illegal it isn't
		clear what to do with it, but flushing the last line seems
		to be a better "fail soft" approach. Based on a patch from
		Eric Hagberg.
	If AllowBogusHELO and PrivacyOptions=needmailhelo are both set, a
		bogus HELO command still causes the "Polite people say HELO
		first" error message. Problem pointed out by Chris Thomas
		of UCLA; patch from John Beck of SunSoft.
	Handle "sendmail -bp -qSfoobar" properly if restrictqrun is set
		in PrivacyOptions. The -q shouldn't turn this command off.
		Problem noted by Murray Kucherawy of Pacific Bell Internet;
		based on a patch from Gregory Neil Shapiro of WPI.
	Don't consider SMTP reply codes 452 or 552 (exceeded storage allocation)
		in a DATA transaction to be sticky; these can occur because
		a message is too large, and smaller messages should still go
		through. Problem noted by Matt Dillon of Best Internet
		Communications.
	In some cases bounces were saved in /var/tmp/dead.letter even if they
		had been successfully delivered to the envelope sender.
		Problem noted by Eric Hagberg of Morgan Stanley; solution from
		Gregory Neil Shapiro of WPI.
	Give better diagnostics on long alias lines. Based on code contributed
		by Patrick Gosling of the University of Cambridge.
	Increase the number of virtual interfaces that will be probed for
		alternate names. Problem noted by Amy Rich of Shore.Net.
	PORTABILITY:
		UXP/DS V20L10 for Fujitsu DS/90: Makefile patches from
			Toshiaki Nomura of Fujitsu Limited.
		SunOS with LDAP support: compile problems with struct timeval.
			Patch from Nick Cuccia of TCSI Corporation.
		SCO: from Keith Reynolds of SCO.
		Solaris: kstat load average computation wasn't being used.
			Fixes from Michael Ju. Tokarev of Telecom Service, JSC
			(Moscow).
		OpenBSD: from Jason Downs of teeny.org.
		Altos System V: from Tim Rice.
		Solaris 2.5: from Alan Perry of SunSoft.
		Solaris 2.6: from John Beck of SunSoft.
		Harris Nighthawk PowerUX (mh6000 box): from Bob Miorelli
			of Pratt & Whitney <miorelli@pweh.com>.
	CONFIG: It seems that I hadn't gotten the Received: line syntax
		_just_right_ yet. Tweak it again. I'll omit the names
		of the "contributors" (quantity two) in this one case.
		As of now, NO MORE DISCUSSION about the syntax of the
		Received: line.
	CONFIG: Although FEATURE(nullclient) uses EXPOSED_USER (class $=E),
		it never inserts that class into the output file. Fix it
		so it will honor EXPOSED_USER but will _not_ include root
		automatically in this class. Problem noted by Ronan KERYELL
		of Centre de Recherche en Informatique de l'École Nationale
		Supérieure des Mines de Paris (CRI-ENSMP).
	CONFIG: Clean up handling of "local:" syntax in relay specifications
		such as LUSER_RELAY.
		This change permits the following
		syntaxes: ``local:'' will send to the same user on the
		local machine (e.g., in a mailertable entry for "host",
		``local:'' will cause an address addressed to user@host to
		go to user on the local machine). ``local:user'' will send
		to the named user on the local machine. ``local:user@host''
		is equivalent to ``local:user'' (the host is ignored). In
		all cases, the original user@host is passed in $@ (i.e., the
		detail information). Inspired by a report from Michael Fuhr.
	CONFIG: Strip quotes from the first word of an "error:" host
		indication. This lets you set (for example) the LUSER_RELAY
		to be ``error:\"5.1.1\" Your Message Here''. Note the use
		of the \" so that the resulting string is properly quoted.
		Problem noted by Gregory Neil Shapiro of WPI.
	OP.ME: documentation was inconsistent about whether sendmail did a
		NOOP or a RSET to probe the connection (it does a RSET).
		Inconsistency noted by Deeran Peethamparam.
	OP.ME: insert additional blank pages so it will print properly on
		a duplex printer. From Matthew Black of Cal State University,
		Long Beach.

8.8.4/8.8.4	96/12/02
	SECURITY: under some circumstances, an attacker could get additional
		permissions by hard linking to files that were group
		writable by the attacker. The solution is to disallow any
		files that have hard links -- this will affect .forward,
		:include:, and output files. Problem noted by Terry
		Kyriacopoulos of Interlog Internet Services. As a
		workaround, set UnsafeGroupWrites -- always a good idea.
	SECURITY: the TryNullMXList (w) option should not be safe -- if it
		is, it is possible to do a denial-of-service attack on
		MX hosts that rely on the use of the null MX list. There
		is no danger if you have this option turned off (the default).
		Problem noted by Dan Bernstein. Also, make the DontInitGroups
		unsafe.
		I know of no specific attack against this, although
		a denial-of-service attack is probably possible, but in theory
		you should not be able to safely tweak anything that affects
		the permissions that are used when mail is delivered.
	Purgestat could go into an infinite loop if one of the host status
		directories somehow became empty. Problem noted by Roy
		Mongiovi of Georgia Tech.
	Processes got "lost" when counting children due to a race condition.
		This caused "proc_list_probe: lost pid" messages to be logged.
		Problem noted by several people.
	On systems with System V SIGCLD child signal semantics (notably AIX
		and HP-UX), mail transactions would print the message "451
		SMTP-MAIL: lost child: No child processes". Problem noted
		by several people.
	Miscellaneous compiler warnings on picky compilers (or when setting
		gcc to high warning levels). From Tom Moore of NCR Corp.
	SMTP protocol errors, and most errors on MAIL FROM: lines should
		not be persistent between runs, since they are based on the
		message rather than the host. Problem noted by Matt Dillon
		of Best Internet Communications.
	The F=7 flag was ignored on SMTP mailers. Problem noted by Tom Moore
		of NCR (a.k.a., AT&T Global Information Solutions).
	Avoid the possibility of having a child daemon run to completion
		(including closing the SMTP socket) before the parent has
		had a chance to close the socket; this can cause the parent
		to hang for a long time waiting for the socket to drain.
		Patch from Don Lewis of TDK Semiconductor.
	If the fork() failed in a queue run, the queue runners would not be
		rescheduled (so queue runs would stop). Patch from Don Lewis.
	Some error conditions in ETRN could cause output without an SMTP
		status code. Problem noted by Don Lewis.
	Multiple :maildrop addresses in the user database didn't work properly.
		Patch from Roy Mongiovi of Georgia Tech.
	Add ".db" automatically onto any user database spec that does not
		already have it; this is for consistency with makemap, the
		K line, and the documentation. Inconsistency pointed out
		by Roy Mongiovi.
	Allow sendmail to be properly called in nohup mode. Patch from
		Kyle Jones of UUNET.
	Change ETRN to ignore but still update host status files; previously
		it would ignore them and not save the updated status, which
		caused stale information to be maintained. Based on a patch
		from Christopher Davis of Kapor Enterprises Inc. Also, have
		ETRN ignore the MinQueueAge option.
	Patch long term host status to recover more gracefully from an empty
		host status file condition. Patch from NAKAMURA Motonori
		of Kyoto University.
	Several patches to signal handling code to fix potential race
		conditions from Don Lewis.
	Make it possible to compile with -DDAEMON=0 (previously it had some
		compile errors). This turns DAEMON, QUEUE, and SMTP into
		0/1 compilation flags. Note that DAEMON is an obsolete
		compile flag; use NETINET instead. Solution based on a
		patch from Bryan Costales.
	PORTABILITY FIXES:
		AIX4: getpwnam() and getpwuid() do a sequential scan of the
			/etc/security/passwd file when called as root. This
			is very slow on some systems. To speed it up, use the
			(undocumented) _getpw{nam,uid}_shadow() routines.
			Patch from Chris Thomas of UCLA/OAC Systems Group.
		SCO 5.x: include -lprot in the Makefile. Patch from Bill
			Glicker of Burrelle's Information Service.
		NEWS-OS 4.x: need a definition for MODE_T to compile. Patch
			from Makoto MATSUSHITA of Osaka University.
		SunOS 4.0.3: compile problems. Patches from Andrew Cole of
			Leeds University and SASABE Tetsuro of the University
			of Tokyo.
		DG/UX 5.4.4.11 from Brian J. Murrell of InterLinx Support
			Services, Inc.
		Domain/OS from Don (Truck) Lewis of TDK Semiconductor Corp.
			I believe this to have only been a problem if you
			compiled with -DUSE_VENDOR_CF_PATH -- another reason
			to stick with /etc/sendmail.cf as your One True Path.
		Digital UNIX (OSF/1 on Alpha) load average computation from
			Martin Laubach of the Technischen Universität Wien.
	CONFIG: change default Received: line to be multiple lines rather
		than one long one. By popular demand.
	MAIL.LOCAL: warnings weren't being logged on some systems. Patch
		from Jerome Berkman of U.C. Berkeley.
	MAKEMAP: be sure to zero hinfo to avoid cruft that can cause runs
		to take a very long time. Problem noted by Yoshiro YONEYA
		of NTT Software Corporation.
	CONTRIB: add etrn.pl, contributed by John Beck.
	NEW FILES:
		contrib/etrn.pl

8.8.3/8.8.3	96/11/17
	SECURITY: it was possible to get a root shell by lying to sendmail
		about argv[0] and then sending it a signal. Problem noted
		by Leshka Zakharoff <leshka@leshka.chuvashia.su> on the
		best-of-security list.
	Log sendmail binary version number in "Warning: .cf version level
		(%d) exceeds program functionality (%d) message" -- this
		should make it clearer to people that they are running
		the wrong binary.
	Fix a problem that occurs when you open an SMTP connection and then
		do one or more ETRN commands followed by a MAIL command; at
		the end of the DATA phase sendmail would incorrectly report
		"451 SMTP-MAIL: lost child: No child processes". Problem
		noted by Eric Bishop of Virginia Tech.
	When doing text-based host canonification (typically /etc/hosts
		lookup), a null host name would match any /etc/hosts entry
		with space at the end of the line. Problem noted by Steve
		Hubert of the University of Washington, Seattle.
	7 to 8 bit BASE64 MIME conversions could duplicate bits of text.
		Problem reported by Tom Smith of Digital Equipment Corp.
	Increase the size of the DNS answer buffer -- the standard UDP packet
		size PACKETSZ (512) is not sufficient for some nameserver
		answers containing very many resource records. The resolver
		may also switch to TCP and retry if it detects UDP packet
		overflow. Also, allow for the fact that the resolver
		routines res_query and res_search return the size of the
		*un*truncated answer in case the supplied answer buffer is
		not big enough to accommodate the entire answer. Patch from
		Eric Wassenaar.
	Improvements to MaxDaemonChildren code. If you think you have too
		many children, probe the ones you have to verify that they
		are still around. Suggested by Jared Mauch of CICnet, Inc.
		Also, do this probe before growing the vector of children
		pids; this previously caused the vector to grow indefinitely
		due to a race condition. Problem reported by Kyle Jones of
		UUNET.
	On some architectures, <db.h> (from the Berkeley DB library) defines
		O_EXLOCK to zero; this fools the map compilation code into
		thinking that it can avoid race conditions by locking on open.
		Change it to check for O_EXLOCK non-zero. Problem noted by
		Leif Erlingsson of Data Lege.
	Always call res_init() on startup (if compiled in, of course) to
		allow the sendmail.cf file to tweak resolver flags; without
		it, flag tweaks in ResolverOptions are ignored. Patch from
		Andrew Sun of Merrill Lynch.
	Improvements to host status printing code. Suggested by Steve Hubert
		of the University of Washington, Seattle.
	Change MinQueueAge option processing to do the check for the job age
		when reading the queue file, rather than at the end; this
		avoids parsing the addresses, which can do DNS lookups.
		Problem noted by John Beck of InReference, Inc.
	When MIME was being 7->8 bit decoded, "From " lines weren't being
		properly escaped. Problem noted by Peter Nilsson of the
		University of Linkoping.
	In some cases, sendmail would retain root permissions during queue
		runs even if RunAsUser was set. Problem noted by Mark
		Thomas of Mark G. Thomas Consulting.
	If the F=l flag was set on an SMTP mailer to indicate that it is
		actually local delivery, and NOTIFY=SUCCESS is specified in
		the envelope, and the receiving SMTP server speaks DSN, then
		the DSN would be both generated locally and propagated to the
		other end.
	The U= mailer field didn't correctly extract the group id if the
		user id was numeric. Problem noted by Kenneth Herron of
		MCI Telecommunications Communications.
	If a message exceeded the fixed maximum size on input, the body of
		the message was included in the bounce. Note that this did
		not occur if it exceeded the maximum _output_ size. Problem
		reported by Kyle Jones of UUNET.
	PORTABILITY FIXES:
		AIX4: 4.1 doesn't have a working setreuid(2); change the
			AIX4 defines to use seteuid(2) instead, which
			works on 4.1 as well as 4.2. Problem noted by
			Håkan Lindholm of interAF, Sweden.
		AIX4: use tzname[] vector to determine time zone name.
			Patch from NAKAMURA Motonori of Kyoto University.
		MkLinux: add Makefile.Linux.ppc and OSTYPE(mklinux) support.
			Contributed by Paul DuBois <dubois@primate.wisc.edu>.
		Solaris: kstat(3k) support for retrieving the load average.
			This adds the LA_KSTAT definition for LA_TYPE.
			The outline of the implementation was contributed
			by Michael Tokarev of Telecom Service, JSC, Moscow.
		HP-UX 10.0 gripes about the (perfectly legal!) forward
			declaration of struct rusage at the top of conf.h;
			change it to only be included if you are using gcc,
			which is apparently the only compiler that requires
			it in the first place.
			Problem noted by Jeff Earickson of Colby College.
		IRIX: don't default to using gcc. IRIX is a civilized
			operating system that comes with a decent compiler
			by default. Problem noted by Barry Bouwsma and
			Kari Hurtta.
	CONFIG: specify F=9 as default in FEATURE(local_procmail) for
		consistency with other local mailers. Inconsistency
		pointed out by Teddy Hogeborn <teddy@fukt.hk-r.se>.
	CONFIG: if the "limited best mx" feature is used (to reduce DNS
		overhead) as part of the bestmx_is_local feature, the
		domain part was dropped from the name. Patch from Steve
		Hubert of the University of Washington, Seattle.
	CONFIG: catch addresses of the form "user@.dom.ain"; these could
		end up being translated to the null host name, which would
		return any entry in /etc/hosts that had a space at the end
		of the line. Problem noted by Steve Hubert of the
		University of Washington, Seattle.
	CONFIG: add OSTYPE(aix4). From Michael Sofka of Rensselaer
		Polytechnic Institute.
	MAKEMAP: tweak hash and btree parameters for better performance.
		Patch from Matt Dillon of Best Internet Communications.
	NEW FILES:
		src/Makefiles/Makefile.Linux.ppc
		cf/ostype/aix4.m4
		cf/ostype/mklinux.m4

8.8.2/8.8.2	96/10/18
	SECURITY: fix a botch in the 7-bit MIME patch; the previous patch
		changed the code but didn't fix the problem.
	PORTABILITY FIXES:
		Solaris: Don't use the system getusershell(3); it can
			apparently corrupt the heap in some circumstances.
			Problem found by Ken Pizzini of Spry, Inc.
	OP.ME: document several mailer flags that were accidentally omitted
		from this document. These flags were F=d, F=j, F=R, and F=9.
	CONFIG: no changes.

8.8.1/8.8.1	96/10/17
	SECURITY: unset all environment variables that the resolver will
		examine during queue runs and daemon mode.
		Problem noted
		by Dan Bernstein of the University of Illinois at Chicago.
	SECURITY: in some cases an illegal 7-bit MIME-encoded text/plain
		message could overflow a buffer if it was converted back
		to 8 bits. This caused core dumps and has the potential
		for a remote attack. Problem first noted by Gregory Shapiro
		of WPI.
	Avoid duplicate deliveries of error messages on systems that don't
		have flock(2) support. Patch from Motonori Nakamura of
		Kyoto University.
	Ignore null FallBackMX (V) options. If this option is null (as
		opposed to undefined) it can cause "null signature" syserrs
		on illegal host names.
	If a Base64 encoded text/plain message has no trailing newline in
		the encoded text, conversion back to 8 bits will drop the
		final line. Problem noted by Pierre David.
	If running with a RunAsUser, sendmail would give bogus "cannot
		setuid" (or seteuid, or setreuid) messages on some systems.
		Problem pointed out by Jordan Mendelson of Web Services, Inc.
	Always print error messages in -bv mode -- previously, -bv would
		be absolutely silent on errors if the error mode was sent
		to (say) mail-back. Problem noted by Kyle Jones of UUNET.
	If -qI/R/S is set (or the ETRN command is used), ignore all long
		term host status. This is necessary because it is common
		to do this when you know a host has just come back up.
	Disallow duplicate HELO/EHLO commands as required by RFC 1651 section
		4.2. Excessive permissiveness noted by Lee Flight of the
		University of Leicester.
	If a service (such as NIS) is specified as the last entry in the
		service switch, but that service is not compiled in, sendmail
		would return a temporary failure when an entry was not found
		in the map. This caused the message to be queued instead of
		bouncing immediately. Problem noted by Harry Edmon of the
		University of Washington.
	PORTABILITY FIXES:
		Solaris 2.3 had compilation problems in conf.c. Several
			people pointed this out.
		NetBSD from Charles Hannum of MIT.
		AIX4 improvements based on info from Steve Bauer of South
			Dakota School of Mines & Technology.
	CONFIG: ``error:code message'' syntax was broken in virtusertable.
		Patch from Gil Kloepfer Jr.
	CONFIG: if FEATURE(nocanonify) was specified, hosts in $=M (set
		using MASQUERADE_DOMAIN) were not masqueraded unless they
		were also in $=w. Problem noted by Zoltan Basti of
		Softec.
	MAIL.LOCAL: patches to compile and link cleanly on AIX. Based
		on a patch from Eric Hagberg of Morgan Stanley.
	MAIL.LOCAL: patches to compile on NEXTSTEP. From Patrick Nolan
		of Stanford via Robert La Ferla.

8.8.0/8.8.0	96/09/26
	Under some circumstances, Bcc: headers would not be properly
		deleted. Pointed out by Jonathan Kamens of OpenVision.
	Log a warning if the sendmail daemon is invoked without a full
		pathname, which prevents "kill -1" from working. I was
		urged to put this in by Andrey A. Chernov of DEMOS (Russia).
	Fix small buffer overflow. Since the data in this buffer was not
		read externally, there was no security problem (and in fact
		probably wouldn't really overflow on most compilers). Pointed
		out by KIZU takashi of Osaka University.
	Fix problem causing domain literals such as [1.2.3.4] to be ignored
		if a FallbackMXHost was specified in the configuration file
		-- all mail would be sent to the fallback even if the original
		host was accessible. Pointed out by Munenari Hirayama of
		NSC (Japan).
	A message that didn't terminate with a newline would (sometimes) not
		have the trailing "." added properly in the SMTP dialogue,
		causing SMTP to hang. Patch from Per Hedeland of Ericsson.
	The DaemonPortOptions suboption to bind to a particular address was
		incorrect and nonfunctional due to a misunderstanding of the
		semantics of binding on a passive socket. Patch from
		NIIBE Yutaka of Mitsubishi Research Institute.
	Increase the number of MX hosts for a single name to 100 to better
		handle the truly huge service providers such as AOL, which
		has 13 at the moment (and climbing). In order to avoid
		trashing memory, the buffer for all names has only been
		slightly increased in size, to 12.8K from 10.2K -- this means
		that if a single name had 100 MX records, the average size
		of those records could not exceed 128 bytes. Requested by
		Brad Knowles of America On Line.
	Restore use of IDENT returns where the OSTYPE field equals "OTHER".
		Urged by Dan Bernstein of U.C. Berkeley.
	Print q_statdate and q_specificity in address structure debugging
		printout.
	Expand MCI structure flag bits for debugging output.
	Support IPv6-style domain literals, which can have colons between
		square braces.
	Log open file descriptors for the "cannot dup" messages in deliver();
		this is an attempt to track down a bug that one person seems
		to be having (it may be a Solaris bug!).
	DSN NOTIFY parameters were not properly propagated across queue runs;
		this caused the NOTIFY info to sometimes be lost. Problem
		pointed out by Claus Assmann of the
		Christian-Albrechts-University of Kiel.
	The statistics gathered in the sendmail.st file were too high; in
		some cases failures (e.g., user unknown or temporary failure)
		would count as a delivery as far as the statistics were
		concerned. Problem noted by Tom Moore of AT&T GIS.
	Systems that don't have flock() would not send split envelopes in
		the initial run. Problem pointed out by Leonard Zubkoff of
		Dandelion Digital.
	Move buffer overflow checking -- these primarily involve distrusting
		results that may come from NIS and DNS.
	4.4-BSD-derived systems, including FreeBSD, NetBSD, and BSD/OS didn't
		include <paths.h> and hence had the wrong pathnames for a few
		things like /var/tmp. Reported by Matthew Green.
	Conditions were reversed for the Priority: header, resulting in all
		values being interpreted as non-urgent except for non-urgent,
		which was interpreted as normal. Patch from Bryan Costales.
	The -o (optional) flag was being ignored on hash and btree maps
		since 8.7.2. Fix from Bryan Costales.
	Content-Types listed in class "q" will always be encoded as
		Quoted-Printable (or more accurately, will never be encoded
		as base64). The class can have primary types (e.g., "text")
		or full types (e.g., "text/plain"). Based on a suggestion by
		Marius Olafsson of the University of Iceland.
	Define ${envid} to be the original envelope id (from the ESMTP DSN
		dialogue) so it can be passed to programs in mailers.
	Define ${bodytype} to be the body type (from the -B flag or the
		BODY= ESMTP parameter) so it can be passed to programs in
		mailers.
	Cause the VRFY command to return 252 instead of 250 unless the F=q
		flag is set in the mailer descriptor. Suggested by John
		Myers of CMU.
	Implement ESMTP ETRN command to flush the queue for a specific host.
		The command takes a host name; data for that host is
		immediately (and asynchronously) flushed. Because this shares
		the -qR implementation, other hosts may be attempted, but
		there should be no security implications. Implementation
		from John Beck of InReference, Inc. See RFC 1985 for details.
	Add three new command line flags to pass in DSN parameters: -V envid
		(equivalent to ENVID=envid on the MAIL command), -R ret
		(equivalent to RET=ret on the MAIL command), and -Nnotify
		(equivalent to NOTIFY=notify on the RCPT command). Note
		that the -N flag applies to all recipients; there is no way
		to specify per-address notifications on the command line,
		nor is there an equivalent for the ORCPT= per-address
		parameter.
	Restore LogLevel option to be safe (it can only be increased);
		apparently I went into paranoid mode between 8.6 and 8.7
		and made it unsafe. Pointed out by Dabe Murphy of the
		University of Maryland.
	New logging on log level 15: all SMTP traffic. Patches from
		Andrew Gross of San Diego Supercomputer Center.
	NetInfo property value searching code wasn't stopping when it found
		a match. This was causing the wrong values to be found (and
		had a memory leak). Found by Bastian Schleuter of TU-Berlin.
	Add new F=0 (zero) mailer flag to turn off MX lookups. It was pointed
		out by Bill Wisner of Electronics for Imaging that you can't
		use the bracket address form for the MAIL_HUB macro, since
		that causes the brackets to remain in the envelope recipient
		address used for delivery. The simple fix (stripping off the
		brackets in the config file) breaks the use of IP literal
		addresses. This flag will solve that problem.
	Add MustQuoteChars option. This is a list of characters that must
		be quoted if they are found in the phrase part of an address
		(that is, the full name part). The characters @,;:\()[] are
		always in this list and cannot be removed. The default is
		this list plus . and ' to match RFC 822.
	Add AllowBogusHELO option; if set, sendmail will allow HELO commands
		that do not include a host name for back compatibility with
		some stupid SMTP clients. Setting this violates RFC 1123
		section 5.2.5.
	Add MaxDaemonChildren option; if this is set, sendmail will start
		rejecting connections if it has more than this many
		outstanding children accepting mail. Note that you may
		see more processes than this because of outgoing mail; this
		is for incoming connections only.
	Add ConnectionRateThrottle option. If set to a positive value, the
		number of incoming SMTP connections that will be permitted
		in a single second is limited to this number. Connections are
		not refused during this time, just deferred. The intent is to
		flatten out demand so that load average limiting can kick in.
		It is less radical than MaxDaemonChildren, which will stop
		accepting connections even if all the connections are idle
		(e.g., due to connection caching).
	Add Timeout.hoststatus option. This interval (defaulting to 30m)
		specifies how long cached information about the state of a
		host will be kept before it is considered stale and the
		host is retried. If you are using persistent host status
		(i.e., the HostStatusDirectory option is set) this will apply
		between runs; otherwise, it applies only within a single queue
		run and hence is useful only for hosts that have large queues
		that take a very long time to run.
	Add SingleLineFromHeader option. If set, From: headers are coerced
		into being a single line even if they had newlines in them
		when read. This is to get around a botch in Lotus Notes.
	Text class maps were totally broken -- if you ever retrieved the last
		item in a table it would be truncated. Problem noted by
		Gregory Neil Shapiro of WPI.
	Extend the lines printed by the mailq command (== the -bp flag) when
		-v is given to 120 characters; this allows more information
		to be displayed. Suggested by Gregory Neil Shapiro of WPI.
	Allow macro definitions (`D' lines) with unquoted commas; previously
		this was treated as end-of-input.
		Problem noted by Bryan
		Costales.
	The RET= envelope parameter (used for DSNs) wasn't properly written
		to the queue file. Fix from John Hughes of Atlantic
		Technologies, Inc.
	Close /var/tmp/dead.letter after a successful write -- otherwise
		if this happens in a queue run it can cause nasty delays.
		Problem noted by Mark Horton of AT&T.
	If userdb entries pointed to userdb entries, and there were multiple
		values for a given key, the database cursor would get
		trashed by the recursive call. Problem noted by Roy Mongiovi
		of Georgia Tech. Fixed by reading all the values and creating
		a comma-separated list; thus, the -v output will be somewhat
		different for this case.
	Fix buffer allocation problem with Hesiod-based userdb maps when
		HES_GETMAILHOST is defined. Based on a patch by Betty Lee
		of Stanford University.
	When envelopes were split due to aliases with owner- aliases, and
		there was some error on one of the lists, more than one of
		the owners would get the message. Problem pointed out by
		Roy Mongiovi of Georgia Tech.
	Detect excessive recursion in macro expansions, e.g., $X defined
		in terms of $Y which is defined in terms of $X. Problem
		noted by Bryan Costales; patch from Eric Wassenaar.
	When using F=U to get "ugly UUCP" From_ lines, a buffer could in
		some cases get trashed causing bogus From_ lines. Fix from
		Kyle Jones of UUNET.
	When doing load average initialization, if the nlist call for avenrun
		failed, the second and subsequent lookups wouldn't notice
		that fact causing bogus load averages to be returned. Noted
		by Casper Dik of Sun Holland.
	Fix problem with incompatibility with some versions of inet_aton that
		have changed the return value to unsigned, so a check for an
		error return of -1 doesn't work. Use INADDR_NONE instead.
		This could cause mail to addresses such as [foo.com] to bounce
		or get dropped. Problem noted by Christophe Wolfhugel of the
		Pasteur Institute.
	DSNs were inconsistent if a failure occurred during the DATA phase
		rather than the RCPT phase: the Action: would be correct, but
		the detailed status information would be wrong. Problem noted
		by Bob Snyder of General Electric Company.
	Add -U command line flag and the XUSR ESMTP extension, both indicating
		that this is the initial MUA->MTA submission. The flag currently
		does nothing, but in future releases (when MUAs start using
		these flags) it will probably turn on things like DNS
		canonification.
	Default end-of-line string (E= specification on mailer [M] lines)
		to \r\n on SMTP mailers. Default remains \n on non-SMTP
		mailers.
	Change the internal definition for the *file* and *include* mailers
		to have $u in the argument vectors so that they aren't
		misinterpreted as SMTP mailers and thus use \r\n line
		termination. This will affect anyone who has redefined
		either of these in their configuration file.
	Don't assume that IDENT servers close the connection after a query;
		responses can be newline terminated. From Terry Kennedy of
		St. Peter's College.
	Avoid core dumps on erroneous configuration files that have
		$#mailer with nothing following. From Bryan Costales.
	Avoid null pointer dereference with high debug values in unlockqueue.
		Fix from Randy Martin of Clemson University.
	Fix possible buffer overrun when expanding very large macros. Fix
		from Kyle Jones of UUNET.
	After 25 EXPN or VRFY commands, start pausing for a second before
		processing each one. This avoids a certain form of denial
		of service attack. Potential attack pointed out by Bryan
		Costales.
	Allow new named (not numbered!)
		config file rules to do validity
		checking on SMTP arguments: check_mail for MAIL commands and
		check_rcpt for RCPT commands. These rulesets can do anything
		they want; their result is ignored unless they resolve to the
		$#error mailer, in which case the indicated message is printed
		and the command is rejected. Similarly, the check_compat
		ruleset is called before delivery with "from_addr $| to_addr"
		(the $| is a meta-symbol used to separate the two addresses);
		it can give a "this sender can't send to this recipient"
		notification. Note that this patch allows $| to stand alone
		in rulesets.
	Define new macros ${client_name}, ${client_addr}, and ${client_port}
		that have the name, IP address, and port number (respectively)
		of the SMTP client (that is, the entity at the other end of
		the connection). These can be used in (e.g.) check_rcpt to
		verify that someone isn't trying to relay mail through your
		host inappropriately. Be sure to use the deferred evaluation
		form, for example $&{client_name}, to avoid having these bound
		when sendmail reads the configuration file.
	Add new config file rule check_relay to check the incoming connection
		information. Like check_compat, it is passed the host name
		and host address separated by $| and can reject connections
		on that basis.
	Allow IDA-style recursive function calls. Code contributed by Mark
		Lovell and Paul Vixie.
	Eliminate the "No ! in UUCP From address!" message -- instead, create
		a virtual UUCP address using either a domain address or the $k
		macro. Based on code contributed by Mark Lovell and Paul
		Vixie.
	Add Stanford LDAP map. Requires special libraries that are not
		included with sendmail. Contributed by Booker C. Bense
		<bbense@networking.stanford.edu>; contact him for support.
		See also the src/READ_ME file.
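A minimal anti-relay check built from the check_rcpt ruleset and the deferred ${client_name} macro described in the entries above, as an added example that is not part of the sendmail distribution or of these release notes. It assumes a dequote map named dequote is already declared (a "Kdequote dequote" line) and that $=w lists every domain the host accepts mail for; the two sides of each rule are separated by tabs.

```m4
LOCAL_RULESETS
Scheck_rcpt
# Recipient is in a domain this host accepts mail for ($=w): accept.
R< $+ @ $=w >		$@ OK
R$+ @ $=w		$@ OK

# Otherwise replace the workspace with the connecting client's name.
# $&{client_name} is evaluated when the rule runs, not when the
# configuration is read; dequote with an empty prefix splits the
# value into tokens so that it can be matched against a class.
R$*			$: $(dequote "" $&{client_name} $)

# Mail submitted by one of our own hosts, or locally (no client): accept.
R$=w			$@ OK
R$@			$@ OK

# Everything else is third-party relay; resolving to the error mailer
# makes sendmail reject the RCPT command with this text.
R$*			$#error $: "550 Relaying denied"
```

The client name comes from a DNS lookup on the peer address, so this check is only as trustworthy as that lookup; matching $&{client_addr} against a class of local networks avoids the dependency.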
	Allow -dANSI to turn on ANSI escape sequences in debug output; this
		puts metasymbols (e.g., $+) in reverse video. Really useful
		only for debugging deep bits of code where it is important to
		distinguish between the single-character metasymbol $+ and the
		two characters $, +.
	Changed ruleset 89 (executed in dumpstate()) to a named ruleset,
		debug_dumpstate.
	Add new UnsafeGroupWrites option; if set, .forward and :include:
		files that are group writable are considered "unsafe" -- that
		is, programs and files referenced from such files are not
		valid recipients.
	Delete bogosity test for FallBackMX host; this prevented it from
		being a name that was not in DNS or was a domain-literal.
		Problem noted by Tom May.
	Change the introduction to error messages to more clearly delineate
		permanent from temporary failures; if both existed in a
		single message it could be confusing. Suggested by John
		Beck of InReference, Inc.
	The IgnoreDots (i) option didn't work for lines that were terminated
		with CRLF. Problem noted by Ted Stockwell of Secure
		Computing Corporation.
	Add a heuristic to improve the handling of unbalanced `<' signs in
		message headers. Problem reported by Matt Dillon of Best
		Internet Communications.
	Check for bogus characters in the 0200-0237 range; since these are
		used internally, very strange errors can occur if those
		characters appear in headers. Problem noted by Anders Gertz
		of Lysator.
	Implement 7 -> 8 bit MIME conversions. This only takes place if the
		recipient mailer has the F=9 flag set, and only works on
		text/plain body types. Code contributed by Marius Olafsson
		of the University of Iceland.
	Special case "postmaster" name so that it is always treated as lower
		case in alias files regardless of configuration settings;
		this prevents some potential problems where "Postmaster" or
		"POSTMASTER" might not match "postmaster". In most cases
		this change is a no-op.
	The -o map flag was ignored for text maps. Problem noted by Bryan
		Costales.
	The -a map flag was ignored for dequote maps. Problem noted by
		Bryan Costales.
	Fix core dump when a lookup of a class "prog" map returns no
		response. Patch from Bryan Costales.
	Log instances where sendmail is deferring or rejecting connections
		on LogLevel 14. Suggested by Kyle Jones of UUNET.
	Include port number in process title for network daemons. Suggested
		by Kyle Jones of UUNET.
	Send ``double bounces'' (errors that occur when sending an error
		message) to the address indicated in the DoubleBounceAddress
		option (default: postmaster). Previously they were always
		sent to postmaster. Suggested by Kyle Jones of UUNET.
	Add new mode, -bD, that acts like -bd in all respects except that
		it runs in foreground. This is useful for using with a
		wrapper that "watches" system services. Suggested by Kyle
		Jones of UUNET.
	Fix botch in spacing around (parenthesized) comments in addresses
		when the comment comes before the address. Patch from
		Motonori Nakamura of Kyoto University.
	Use the prefix "Postmaster notify" on the Subject: lines of messages
		that are being bounced to postmaster, rather than "Returned
		mail". This permits the person who is postmaster to more
		easily determine what messages are to their role as
		postmaster versus bounces to mail they actually sent. Based
		on a suggestion by Motonori Nakamura.
	Add new value "time" for QueueSortOrder option; this causes the queue
		to be sorted strictly by the time of submission.
		Note that
		this can cause very bad behavior over slow lines (because
		large jobs will tend to delay small jobs) and on nodes with
		heavy traffic (because old things in the queue for hosts that
		are down delay processing of new jobs). Also, this does not
		guarantee that jobs will be delivered in submission order
		unless you also set DeliveryMode=queue. In general, it should
		probably only be used on the command line, and only in
		conjunction with -qRhost.domain. In fact, there are very few
		cases where it should be used at all. Based on an
		implementation by Motonori Nakamura.
	If a map lookup in ruleset 5 returns tempfail, queue the message in
		the same manner as other rulesets. Previously a temporary
		failure in ruleset 5 was ignored. Patch from Booker Bense
		of Stanford University.
	Don't proceed to the next MX host if an SMTP MAIL command returns a
		5yz (permanent failure) code. The next MX host will still be
		tried if the connection cannot be opened in the first place
		or if the MAIL command returns a 4yz (temporary failure) code.
		(It's hard to know what to do here, since neither RFC 974 nor
		RFC 1123 specify when to proceed to the next MX host.)
		Suggested by Jonathan Kamens of OpenVision, Inc.
	Add new "-t" flag for map definitions (the "K" line in the .cf file).
		This causes map lookups that get a temporary failure (e.g.,
		name server failure) to _not_ defer the delivery of the
		message. This should only be used if your configuration file
		is prepared to do something sensible in this case. Based on
		an idea by Gregory Shapiro of WPI.
	Fix problem finding network interface addresses. Patch from
		Motonori Nakamura.
	Don't reject qf entries that are not owned by your effective uid if
		you are not running setuid; this makes management of certain
		kinds of firewall setups difficult. Patch suggested by
		Eamonn Coleman of Qualcomm.
	Add persistent host status. This keeps the information normally
		maintained within a single queue run in disk files that are
		shared between sendmail instances. The HostStatusDirectory
		is the directory in which the information is maintained. If
		not set, persistent host status is turned off. If not a full
		pathname, it is relative to the queue directory. A common
		value is ".hoststat".
		There are also two new operation modes:
		  * -bh prints the status of hosts that have had recent
		    connections.
		  * -bH purges the host statuses. No attempt is made to save
		    recent status information.
		This feature was originally written by Paul Vixie of Vixie
		Enterprises for KJS and adapted for V8 by Mark Lovell of
		Bigrock Consulting. Paul's funding of Mark and Mark's patience
		with my insistence that things fit cleanly into the V8
		framework is gratefully appreciated.
	New SingleThreadDelivery option (requires HostStatusDirectory to
		operate). Avoids letting two sendmails on the local machine
		open connections to the same remote host at the same time.
		This reduces load on the other machine, but can cause mail to
		be delayed (for example, if one sendmail is delivering a huge
		message, other sendmails won't be able to send even small
		messages). Also, it requires another file descriptor (for the
		lock file) per connection, so you may have to reduce
		ConnectionCacheSize to avoid running out of per-process
		file descriptors. Based on the persistent host status code
		contributed by Paul Vixie and Mark Lovell.
	Allow sending to non-simple files (e.g., /dev/null) even if the
		SafeFileEnvironment option is set. Problem noted by Bryan
		Costales.
	The -qR flag mistakenly matched flags in the "R" line of the queue
		file. Problem noted by Bryan Costales.
	If a job was aborted using the interrupt signal (e.g., control-C from
		the keyboard), on some occasions an empty df file would be
		left around; these would collect in the queue directory.
		Problem noted by Bryan Costales.
	Change the makesendmail script to enhance the search for Makefiles
		based on release number. For example, on SunOS 5.5.1, it will
		search for Makefile.SunOS.5.5.1, Makefile.SunOS.5.5, and then
		Makefile.SunOS.5.x (in addition to the other rules, e.g.,
		adding $arch). Problem noted by Jason Mastaler of Atlanta
		Webmasters.
	When creating maps using "newaliases", always map the keys to lower
		case when creating the map unless the -f flag is specified on
		the map itself. Previously this was done based on the F=u
		flag in the local mailer, which meant you could create aliases
		that you could never access. Problem noted by Bob Wu of DEC.
	When a job was read from the queue, the bits causing notification on
		failure or delay were always set. This caused those
		notifications to be sent even if NOTIFY=NEVER had been
		specified. Problem noted by Steve Hubert of the University
		of Washington, Seattle.
	Add new configurable routine validate_connection (in conf.c). This
		lets you decide if you are willing to accept traffic from
		this host. If it returns FALSE, all SMTP commands will return
		"550 Access denied". -DTCPWRAPPERS will include support for
		TCP wrappers; you will need to add -lwrap to the link line.
		(See src/READ_ME for details.)
	Don't include the "THIS IS A WARNING MESSAGE ONLY" banner on postmaster
		bounces. Some people seemed to think that this could be
		confusing (even though it is true). Suggested by Motonori
		Nakamura.
	Add new RunAsUser option; this causes sendmail to do a setuid to that
		user early in processing to avoid potential security problems.
		However, this means that all .forward and :include: files must
		be readable by that user, and all files to be written must be
		writable by that user and all programs will be executed by that
		user. It is also incompatible with the SafeFileEnvironment
		option. In other words, it may not actually add much to
		security. However, it should be useful on firewalls and other
		places where users don't have accounts and the aliases file is
		well constrained.
	Add Timeout.iconnect. This is like Timeout.connect except it is used
		only on the first attempt to deliver to an address. It could
		be set to be lower than Timeout.connect on the principle that
		the mail should go through quickly to responsive hosts; less
		responsive hosts get to wait for the next queue run.
	Fix a problem on Solaris that occasionally causes programs
		(such as vacation) to hang with their standard input connected
		to a UDP port. It also created some signal handling problems.
		The problems turned out to be an interaction between vfork(2)
		and some of the libraries, particularly NIS/NIS+. I am
		indebted to Tor Egge <tegge@idt.ntnu.no> for this fix.
	Change user class map to do the same matching that actual delivery
		will do instead of just a /etc/passwd lookup. This adds
		fuzzy matching to the user map. Patch from Dan Oscarsson.
	The Timeout.* options are not safe -- they can be used to create a
		denial-of-service attack. Problem noted by Christophe
		Wolfhugel.
	Don't send PostmasterCopy messages in the event of a "delayed"
		notification. Suggested by Barry Bouwsma.
	Don't advertise "VERB" ESMTP extension if the "noexpn" privacy
		option is set, since this disables VERB mode. Suggested
		by John Hawkinson of MIT.
	Complain if the QueueDirectory (Q) option is not set. Problem noted
		by Motonori Nakamura of Kyoto University.
	Only queue messages on transient .forward open failures if there
		were no successful opens. The previous behavior caused it
		to queue even if a "fall back" .forward was found. Problem
		noted by Ann-Kian Yeo of the Dept. of Information Systems
		and Computer Science (DISCS), NUS, Singapore.
	Don't do 8->7 bit conversions when bouncing a MIME message that
		is bouncing because of a MIME error during 8->7 bit conversion;
		the encapsulated message will bounce again, causing a loop.
		Problem noted by Steve Hubert of the University of Washington.
	Create xf (transcript) files using the TempFileMode option value
		instead of 0644. Suggested by Ann-Kian Yeo of the
		National University of Singapore.
	Print errors if setgid/setuid/etc. fail during delivery. This helps
		detect cases where DefaultUid is set to something that the
		system can't cope with.
	PORTABILITY FIXES:
		Support for AIX/RS 2.2.1 from Mark Whetzel of Western
			Atlas International.
		Patches for Intel Paragon OSF/1 1.3 from Leo Bicknell
			<bicknell@ufp.org>.
		On DEC OSF/1 3.2 and earlier, the MatchGECOS code would only
			work on the first recipient of a message due to a
			bug in the getpwent family. If this is something you
			use, you can define DEC_OSF_BROKEN_GETPWENT=1 for a
			workaround. From Maximum Entropy of Sanford C.
			Bernstein and Associates.
		FreeBSD 1.1.5.1 uname -r returns a string containing
			parentheses, which breaks makesendmail. Reported
			by Piero Serini <piero@strider.ibenet.it>.
		Sequent DYNIX/ptx 4.0.2 patches from Jack Woolley of
			Systems and Computer Technology Corporation.
		Solaris 2.x: omit the UUCP grade parameter (-g flag) because
			it is system-dependent. Problem noted by J.J. Bailey
			of Bailey Computer Consulting.
		Pyramid NILE running DC/OSx support from Earle F. Ake of
			Hassler Communication Systems Technology, Inc.
		HP-UX 10.x compile glitches, reported by Anne Brink of the
			U.S. Army and James Byrne of Harte & Lyne Limited.
		NetBSD from Matthew Green of the NetBSD crew.
		SCO 5.x from Keith Reynolds of SCO.
		IRIX 6.2 from Robert Tarrall of the University of
			Colorado and Kari Hurtta of the Finnish Meteorological
			Institute.
		UXP/DS (Fujitsu/ICL DS/90 series) support from Diego R.
			Lopez, CICA (Seville).
		NCR SVR4 MP-RAS 3.x support from Tom Moore of NCR.
		PTX 3.2.0 from Kenneth Stailey of the US Department of Labor
			Employment Standards Administration.
		Altos System V (5.3.1) from Tim Rice of Multitalents.
		Concurrent Systems Corporation Maxion from Donald R. Laster
			Jr.
		NetInfo maps (improved debugging and multi-valued aliases)
			from Adrian Steinmann of Steinmann Consulting.
		ConvexOS 11.5 (including SecureWare C2 and the Share Scheduler)
			from Eric Schnoebelen of Convex.
		Linux 2.0 mail.local patches from Horst von Brand.
		NEXTSTEP 3.x compilation from Robert La Ferla.
		NEXTSTEP 3.x code changes from Allan J. Nathanson of NeXT.
		Solaris 2.5 configuration fixes for mail.local by Jim Davis
			of the University of Arizona.
		Solaris 2.5 has a working setreuid. Noted by David Linn of
			Vanderbilt University.
		Solaris changes for praliases, makemap, mailstats, and smrsh.
			Previously you had to add -DSOLARIS in Makefile.dist;
			this auto-detects. Based on a patch from Randall
			Winchester of the University of Maryland.
	CONFIG: add generic-nextstep3.3.mc file. Contributed by
		Robert La Ferla of Hot Software.
	CONFIG: allow mailertables to resolve to ``error:code message''
		(where "code" is an exit status) on domains (previously
		worked only on hosts). Patch from Cor Bosman of Xs4all
		Foundation.
	CONFIG: hooks for IPv6-style domain literals.
        CONFIG: predefine ALIAS_FILE and change the prototype file so that
                if it is undefined the AliasFile option is never set; this
                should be transparent for most everyone. Suggested by John
                Myers of CMU.
        CONFIG: add FEATURE(limited_masquerade). Without this feature, any
                domain listed in $=w is masqueraded. With it, only those
                domains listed in a MASQUERADE_DOMAIN macro are masqueraded.
        CONFIG: add FEATURE(masquerade_entire_domain). This causes
                masquerading specified by MASQUERADE_DOMAIN to apply to all
                hosts under those domains as well as the domain headers
                themselves. For example, if a configuration had
                MASQUERADE_DOMAIN(foo.com), then without this feature only
                foo.com would be masqueraded; with it, *.foo.com would be
                masqueraded as well. Based on an implementation by Richard
                (Pug) Bainter of U. Texas.
        CONFIG: add FEATURE(genericstable) to do a more general rewriting of
                outgoing addresses. Defaults to ``hash -o /etc/genericstable''.
                Keys are user names; values are outgoing mail addresses. Yes,
                this does overlap with the user database, and figuring out
                just when to use which one may be tricky. Based on code
                contributed by Richard (Pug) Bainter of U. Texas with updates
                from Per Hedeland of Ericsson.
        CONFIG: add FEATURE(virtusertable) to do generalized rewriting of
                incoming addresses. Defaults to ``hash -o /etc/virtusertable''.
                Keys are either fully qualified addresses or just the host
                part (with the @ sign). For example, a table containing:
                        info@foo.com    foo-info
                        info@bar.com    bar-info
                        @baz.org        jane@elsewhere.net
                would send all mail destined for info@foo.com to foo-info
                (which is presumably an alias), mail addressed to info@bar.com
                to bar-info, and anything addressed to anyone at baz.org will
                be sent to jane@elsewhere.net. The names foo.com, bar.com,
                and baz.org must all be in $=w.
                Based on discussions with
                a great many people.
        CONFIG: add nullclient configurations to define SMTP_MAILER_FLAGS.
                Suggested by Richard Bainter.
        CONFIG: add FAX_MAILER_ARGS to tweak the arguments passed to the
                "fax" mailer.
        CONFIG: allow mailertable entries to resolve to local:user; this
                passes the original user@host in to procmail-style local
                mailers as the "detail" information to allow them to do
                additional clever processing. From Joe Pruett of
                Teleport Corporation. Delivery to the original user can
                be done by specifying "local:" (with nothing after the colon).
        CONFIG: allow any context that takes "mailer:domain" to also take
                "mailer:user@domain" to force mailing to the given user;
                "local:user" can also be used to do local delivery. This
                applies on *_RELAY and in the mailertable entries. Based
                on a suggestion by Ribert Kiessling of Easynet.
        CONFIG: Allow FEATURE(bestmx_is_local) to take an argument that
                limits the possible domains; this reduces the number of DNS
                lookups required to support this feature. For example,
                FEATURE(bestmx_is_local, my.site.com) limits the lookups
                to domains under my.site.com. Code contributed by Anthony
                Thyssen <anthony@cit.gu.edu.au>.
        CONFIG: LOCAL_RULESETS introduces any locally defined rulesets,
                such as the check_rcpt ruleset. Suggested by Gregory Shapiro
                of WPI.
        CONFIG: MAILER_DEFINITIONS introduces any mailer definitions, in the
                event you have to define local mailers. Suggested by
                Gregory Shapiro of WPI.
        CONFIG: fix cases where a three- (or more-) stage route-addr could
                be misinterpreted as a list:...; syntax. Based on a patch by
                Vlado Potisk <Vlado_Potisk@tempest.sk>.
        CONFIG: Fix masquerading of UUCP addresses when the UUCP relay is
                remotely connected. The address host!user was being
                converted to host!user@thishost instead of host!user@uurelay.
                Problem noted by William Gianopoulos of Raytheon Company.
        CONFIG: add confTO_ICONNECT to set Timeout.iconnect.
        CONFIG: change FEATURE(redirect) message from "User not local" to
                "User has moved"; the former wording was confusing if the
                new address is still on the local host. Based on a suggestion
                by Andreas Luik.
        CONFIG: add support in FEATURE(nullclient) for $=E (exposed users).
                However, the class is not pre-initialized to contain root.
                Suggested by Gregory Neil Shapiro.
        CONTRIB: Remove XLA code at the request of the author, Christophe
                Wolfhugel.
        CONTRIB: Add re-mqueue.pl, contributed by Paul Pomes of Qualcomm.
        MAIL.LOCAL: make it possible to compile mail.local on Solaris. Note
                well: this produces a slightly different mailbox format (no
                Content-Length: headers), file ownerships and modes are
                different (not owned by group mail; mode 600 instead of 660),
                and the local mailer flags will have to be tweaked (make them
                match bsd4.4) in order to use this mailer. Patches from Paul
                Hammann of the Missouri Research and Education Network.
        MAIL.LOCAL: in some cases it could return EX_OK even though there
                was a delivery error, such as if the ownership on the file
                was wrong or the mode changed between the initial stat and
                the open. Problem reported by William Colburn of the New
                Mexico Institute of Mining and Technology.
        MAILSTATS: handle zero length files more reliably. Patch from Bryan
                Costales.
        MAILSTATS: add man page contributed by Keith Bostic of BSDI.
        MAKEMAP: The -d flag (to allow duplicate keys) to a btree map wasn't
                honored. Fix from Michael Scott Shappe.
        PRALIASES: add man page contributed by Keith Bostic of BSDI.
        NEW FILES:
                src/Makefiles/Makefile.AIX.2
                src/Makefiles/Makefile.IRIX.6.2
                src/Makefiles/Makefile.maxion
                src/Makefiles/Makefile.NCR.MP-RAS.3.x
                src/Makefiles/Makefile.SCO.5.x
                src/Makefiles/Makefile.UXPDSV20
                mailstats/mailstats.8
                praliases/praliases.8
                cf/cf/generic-nextstep3.3.mc
                cf/feature/genericstable.m4
                cf/feature/limited_masquerade.m4
                cf/feature/masquerade_entire_domain.m4
                cf/feature/virtusertable.m4
                cf/ostype/aix2.m4
                cf/ostype/altos.m4
                cf/ostype/maxion.m4
                cf/ostype/solaris2.ml.m4
                cf/ostype/uxpds.m4
                contrib/re-mqueue.pl
        DELETED FILES:
                src/Makefiles/Makefile.Solaris
                contrib/xla/README
                contrib/xla/xla.c
        RENAMED FILES:
                src/Makefiles/Makefile.NCR3000 => Makefile.NCR.MP-RAS.2.x
                src/Makefiles/Makefile.SCO.3.2v4.2 => Makefile.SCO.4.2
                src/Makefiles/Makefile.UXPDS => Makefile.UXPDSV10
                src/Makefiles/Makefile.NeXT => Makefile.NeXT.2.x
                src/Makefiles/Makefile.NEXTSTEP => Makefile.NeXT.3.x

8.7.6/8.7.3 96/09/17
        SECURITY: It is possible to force getpwuid to fail when writing the
                queue file, causing sendmail to fall back to running programs
                as the default user. This is not exploitable from off-site.
                Workarounds include using a unique user for the DefaultUser
                (old u & g options) and using smrsh as the local shell.
        SECURITY: fix some buffer overruns; in at least one case this allows
                a local user to get root. This is not known to be exploitable
                from off-site. The workaround is to disable chfn(1) commands.

8.7.5/8.7.3 96/03/04
        Fix glitch in 8.7.4 when putting certain internal lines; this can
                in some cases cause connections to hang or messages to have
                extra spaces in odd places. Patch from Eric Wassenaar;
                reports from Eric Hall of Chiron Corporation, Stephen
                Hansen of Stanford University, Dean Gaudet of HotWired,
                and others.

8.7.4/8.7.3 96/02/18
        SECURITY: In some cases it was still possible for an attacker to
                insert newlines into a queue file, thus allowing access to
                any user (except root).
        CONFIG: no changes -- it is not a bug that the configuration
                version number is unchanged.

8.7.3/8.7.3 95/12/03
        Fix botch in name server timeout in RCPT code; this problem caused
                two responses in SMTP, which breaks things horribly. Fix
                from Gregory Neil Shapiro of WPI.
        Verify that L= value on M lines cannot be negative, which could cause
                negative array subscripting. Not a security problem since
                this has to be in the config file, but it could have caused
                core dumps. Pointed out by Bryan Costales.
        Fix -d21 debug output for long macro names. Pointed out by Bryan
                Costales.
        PORTABILITY FIXES:
                SCO doesn't have ftruncate. From Bill Aten of Computerizers.
                IBM's version of arpa/nameser.h defaults to the wrong byte
                        order. Tweak it to work properly. Based on fixes
                        from Fletcher Mattox of UTexas and Betty Lee of
                        Stanford University.
        CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option.
                Deficiency pointed out by Bryan Costales of ICSI.

8.7.2/8.7.2 95/11/19
        REALLY fix the backslash escapes in SmtpGreetingMessage,
                OperatorChars, and UnixFromLine options. They were not
                properly repaired in 8.7.1.
        Completely delete the Bcc: header if and only if there are other
                valid recipient headers (To:, Cc: or Apparently-To:, the
                last being a historic botch, of course). If Bcc: is the
                only recipient header in the message, its value is tossed,
                but the header name is kept. The old behavior (always keep
                the header name and toss the value) allowed primary recipients
                to see that a Bcc: went to _someone_.
        Include queue id on ``Authentication-Warning: <host>: <user> set
                sender to <address> using -f'' syslog messages.
                Suggested
                by Kari Hurtta.
        If a sequence or switch map lookup entry gets a tempfail but then
                continues on to another map type, but the name is not found,
                return a temporary failure from the sequence or switch map.
                For example, if hosts search ``dns files'' and DNS fails
                with a tempfail, the hosts map will go on and search files,
                but if it fails the whole thing should be a tempfail, not
                a permanent (host unknown) failure, even though that is the
                failure in the hosts.files map. This error caused hard
                bounces when it should have requeued.
        Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo
                owned by bar mode 700 and inbox being setuid bar stopped
                working properly due to excessive paranoia. Pointed out by
                John Hawkinson of Panix.
        An SMTP RCPT command referencing a host that gave a nameserver
                timeout would return a 451 command (8.6 accepted it and
                queued it locally). Revert to the 8.6 behavior in order
                to simplify queue management for clustered systems. Suggested
                by Gregory Neil Shapiro of WPI. The same problem could break
                MH, which assumes that the SMTP session will succeed (tsk, tsk
                -- mail gets lost!); this was pointed out by Stuart Pook of
                Infobiogen.
        Fix possible buffer overflow in munchstring(). This was not a security
                problem because you couldn't specify any argument to this
                without first giving up root privileges, but it is still a
                good idea to avoid future problems. Problem noted by John
                Hawkinson and Sam Hartman of MIT.
        ``452 Out of disk space for temp file'' messages weren't being
                printed. Fix from David Perlin of Nanosoft.
        Don't advertise the ESMTP DSN extension if the SendMimeErrors option
                is not set, since this is required to get the actual DSNs
                created. Problem pointed out by John Gardiner Myers of CMU.
        Log permission problems that cause .forward and :include: files to
                be untrusted or ignored on log level 12 and higher. Suggested
                by Randy Martin of Clemson University.
        Allow user ids in U= clauses of M lines to have hyphens and
                underscores.
        Fix overcounting of recipients -- only happened when sending to an
                alias. Pointed out by Mark Andrews of SGI and Jack Woolley
                of Systems and Computer Technology Corporation.
        If a message is sent to an address that fails, the error message that
                is returned could show some extraneous "success" information
                included even if the user did not request success notification,
                which was confusing. Pointed out by Allan Johannesen of WPI.
        Config files that had no AliasFile definition were defaulting to
                using /etc/aliases; this caused problems with nullclient
                configurations. Change it back to the 8.6 semantics of
                having no local alias file unless it is declared. Problem
                noted by Charles Karney of Princeton University.
        Fix compile problem if NOTUNIX is defined. Pointed out by Bryan
                Costales of ICSI.
        Map lookups of class "userdb" maps were always case sensitive; they
                should be controlled by the -f flag like other maps. Pointed
                out by Bjart Kvarme <bjart.kvarme@usit.uio.no>.
        Fix problem that caused some addresses to be passed through ruleset 5
                even when they were tagged as "sticky" by prefixing the
                address with an "@". Patch from Thomas Dwyer III of Michigan
                Technological University.
        When converting a message to Quoted-Printable, prevent any lines with
                dots alone on a line by themselves. This is because of the
                preponderance of broken mailers that still get this wrong.
                Code contributed by Per Hedeland of Ericsson.
        Fix F{macro}/file construct -- it previously did nothing. Pointed
                out by Bjart Kvarme of USIT/UiO (Norway).
        Announce whether a cached connection is SMTP or ESMTP (in -v mode).
                Requested by Allan Johannesen.
        Delete check for text format of alias files -- it should be legal
                to have the database format of the alias files without the
                text version. Problem pointed out by Joe Rhett of Navigist,
                Inc.
        If "Ot" was specified with no value, the TZ variable was not properly
                imported from the environment. Pointed out by Frank Crawford
                <frank@ansto.gov.au>.
        Some architectures core dumped on "program" maps that didn't have
                extra arguments. Patch from Booker C. Bense of Stanford
                University.
        Queue run processes would re-spawn daemons when given a SIGHUP; only
                the parent should do this. Fix from Brian Coan of the
                Association for Progressive Communications.
        If MinQueueAge was set and a message was considered but not run
                during a queue run and the Timeout.queuereturn interval was
                reached, a "timed out" error message would be returned that
                didn't include the failed address (and claimed to be a warning
                even though it was fatal). The fix is to not return such
                messages until they are actually tried, i.e., in the next
                MinQueueAge interval. Problem noted by Rein Tollevik of
                SINTEF RUNIT, Oslo.
        Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions
                that have the hes_getmailhost() routine. DEC Hesiod
                distributions do not have this routine. Based on a patch
                from Betty Lee of Stanford University.
        Extensive cleanups to map open code to handle a locking race condition
                in ndbm, hash, and btree format database files on some (most
                non-4.4-BSD based) OS architectures. This should solve the
                occasional "user unknown" problem during alias rebuilds that
                has plagued me for quite some time. Based on a patch from
                Thomas Dwyer III of Michigan Technological University.
        PORTABILITY FIXES:
                Solaris: Change location of newaliases and mailq from
                        /usr/ucb to /usr/bin to match Sun settings. From
                        James B. Davis of TCI.
                DomainOS: Makefile.DomainOS doesn't require -ldbm. From
                        Don Lewis of Silicon Systems.
                HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x
                        so that the makesendmail script will find it. Pointed
                        out by Richard Allen of the University of Iceland.
                        Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which
                        isn't supported on all compilers.
                UXPDS: compilation fixes from Diego R. Lopez.
        CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless
                you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE.
        CONFIG: Minor glitch in S21 -- attachment of local domain name
                didn't have trailing dot. From Jim Hickstein of Teradyne.
        CONFIG: Fix best_mx_is_local feature to allow nested addresses such as
                user%host@thishost. From Claude Scarpelli of Infobiogen
                (France).
        CONFIG: OSTYPE(hpux10) failed to define the location of the help file.
                Pointed out by Hannu Martikka of Nokia Telecommunications.
        CONFIG: Diagnose some inappropriate ordering in configuration files,
                such as FEATURE(smrsh) listed after MAILER(local). Based on
                a bug report submitted by Paul Hoffman of Proper Publishing.
        CONFIG: Make OSTYPE files consistently not override settings that
                have already been set. Previously it worked differently
                for different files.
        CONFIG: Change relay mailer to do masquerading like 8.6 did. My take
                is that this is wrong, but the change was causing problems
                for some people. From Per Hedeland of Ericsson.
        CONTRIB: bitdomain.c patch from John Gardiner Myers <jgm+@CMU.EDU>;
                portability changes for Posix environments (no functional
                changes).
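
The sequence and switch map change listed under 8.7.2 above (a tempfail from an earlier map must survive a later "not found"), shown as an added example that is not sendmail's own code. All names here (map_status, seq_lookup, hosts_seq and the two stand-in lookups) are hypothetical, and the host data is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Lookup outcomes; names are hypothetical, chosen for this example. */
enum map_status { MAP_FOUND, MAP_NOTFOUND, MAP_TEMPFAIL };

/* One member of a sequence map: a label and a lookup callback. */
struct map {
	const char *name;
	enum map_status (*lookup)(const char *key, char *val, size_t len);
};

/* Constructed stand-in for a DNS map whose name server is timing out. */
static enum map_status dns_timeout(const char *key, char *val, size_t len)
{
	(void)key; (void)val; (void)len;
	return MAP_TEMPFAIL;
}

/* Constructed stand-in for a hosts file that knows a single name. */
static enum map_status files_lookup(const char *key, char *val, size_t len)
{
	if (strcmp(key, "mailhub") != 0)
		return MAP_NOTFOUND;
	snprintf(val, len, "%s", "mailhub.example.com");
	return MAP_FOUND;
}

/* The search order used in the release note: ``dns files''. */
static const struct map hosts_seq[] = {
	{ "dns", dns_timeout },
	{ "files", files_lookup },
};
#define HOSTS_SEQ_LEN (sizeof hosts_seq / sizeof hosts_seq[0])

/*
 * The error the note describes: the status of the last map searched wins,
 * so a tempfail from an earlier map is forgotten.
 */
static enum map_status seq_lookup_old(const struct map *maps, size_t n,
				      const char *key, char *val, size_t len)
{
	enum map_status st = MAP_NOTFOUND;
	size_t i;

	for (i = 0; i < n; i++) {
		st = maps[i].lookup(key, val, len);
		if (st == MAP_FOUND)
			return MAP_FOUND;
	}
	return st;
}

/*
 * The corrected rule: keep searching after a tempfail, but if no map
 * finds the key, report the tempfail rather than a permanent failure.
 */
static enum map_status seq_lookup(const struct map *maps, size_t n,
				  const char *key, char *val, size_t len)
{
	int saw_tempfail = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		switch (maps[i].lookup(key, val, len)) {
		case MAP_FOUND:
			return MAP_FOUND;
		case MAP_TEMPFAIL:
			saw_tempfail = 1;
			break;
		case MAP_NOTFOUND:
			break;
		}
	}
	return saw_tempfail ? MAP_TEMPFAIL : MAP_NOTFOUND;
}

/* What the caller should do with the message for each outcome. */
static const char *disposition(enum map_status st)
{
	switch (st) {
	case MAP_FOUND:    return "deliver";
	case MAP_TEMPFAIL: return "requeue";
	default:           return "bounce";
	}
}

int main(void)
{
	char val[64];
	const char *keys[] = { "mailhub", "nosuchhost" };
	size_t i;

	for (i = 0; i < 2; i++) {
		printf("%-10s old=%s new=%s\n", keys[i],
		    disposition(seq_lookup_old(hosts_seq, HOSTS_SEQ_LEN,
			keys[i], val, sizeof val)),
		    disposition(seq_lookup(hosts_seq, HOSTS_SEQ_LEN,
			keys[i], val, sizeof val)));
	}
	return 0;
}
```

With the name server down, a name missing from the second map is bounced under the old rule and requeued under the new one; a name present in the second map is delivered either way.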

8.7.1/8.7.1 95/10/01
        Old macros that have become options (SmtpGreetingMessage,
                OperatorChars, and UnixFromLine) didn't allow backslash
                escapes in the options, where they previously had. Bug
                pointed out by John Hawkinson of MIT.
        Fix strange case of an executable called by a program map that
                returns a value but also a non-zero exit status; this
                would give contradictory results in the higher level; in
                particular, the default clause in the map lookup would be
                ignored. Change to ignore the value if the program returns
                non-zero exit status. From Tom Moore of AT&T GIS.
        Shorten parameters passed to syslog() in some contexts to avoid a
                bug in many vendors' implementations of that routine. Although
                this isn't really a bug in sendmail per se, and my solution
                has to assume that syslog() has at least a 1K buffer size
                internally (I know some vendors have shortened this
                dramatically -- they're on their own), sendmail is a popular
                target. Also, limit the size of %s arguments in sprintf.
                These both have possible security implications. Solutions
                suggested by Casper Dik of Sun's Network Security Group
                (Holland), Mark Seiden, and others.
        Fix a problem that might cause a non-standard -B (body type)
                parameter to be passed to the next server with undefined
                results. This could have security implications.
        If a filesystem was at > 100% utilization, the freediskspace()
                routine incorrectly returned an error rather than zero.
                Problem noted by G. Paul Ziemba of Alantec.
        Change MX sort order so that local hostnames (those in $=w) always
                sort first within a given preference. This forces the bestmx
                map to always return the local host first, if it is included
                in the list of highest priority MX records. From K. Robert
                Elz.
        Avoid some possible null pointer dereferences.
                Fixes from Randy
                Martin <WOLF@CLEMSON.EDU>
        When sendmail starts up on systems that have no fully qualified
                domain name (FQDN) anywhere in the first matching host map
                (e.g., /etc/hosts if the hosts service searches "files dns"),
                sendmail would sleep to try to find a FQDN, which it really
                really needs. This has been changed to fall through to the
                next map type if it can't find a FQDN -- i.e., if the hosts
                file doesn't have a FQDN, it will try dns even though the
                short name was found in /etc/hosts. This is probably a crock,
                but many people have hosts files without FQDNs. Remember:
                domain names are your friends.
        Log a high-priority message if you can't find your FQDN during startup.
                Suggested by Simon Barnes of Schlumberger Limited.
        When using Hesiod, initialize it early to improve error reporting.
                Patch from Don Lewis of Silicon Systems, Inc.
        Apparently at least some versions of Linux have a 90 !minute! TCP
                connection timeout in the kernel. Add a new "connect" timeout
                to limit this time. Defaults to zero (use whatever the
                kernel provides). Based on code contributed by J.R. Oldroyd
                of TerraNet.
        Under some circumstances, a failed message would not be properly
                removed from the queue, causing tons of bogus error messages.
                (This fix eliminates the problematic EF_KEEPQUEUE flag.)
                Problem noted by Allan E Johannesen and Gregory Neil Shapiro
                of WPI.
        PORTABILITY FIXES:
                On IRIX 5.x, there was an inconsistency in the setting
                        of sendmail.st location. Change the Makefile to
                        install it in /var/sendmail.st to match the OSTYPE
                        file and SGI standards. From Andre
                        <andre@curry.zfe.siemens.de>.
                Support for Fujitsu/ICL UXP/DS (For the DS/90 Series)
                        from Diego R. Lopez <drlopez@cica.es>.
                Linux compilation patches from J.R. Oldroyd of TerraNet, Inc.
                LUNA 2 Mach patches from Motonori Nakamura.
                SunOS Makefile was including -ldbm, which is for the old
                        dbm library. The ndbm library is part of libc.
        CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with
                ``local configuration error'' in nullclient configuration.
                Patch from Gregory Neil Shapiro of WPI.
        CONFIG: don't allow an alias file in nullclient configurations --
                since all addresses are relayed, they give errors during
                rebuild. Suggested by Per Hedeland of Ericsson.
        CONFIG: local mailer on Solaris 2 should always get a -f flag because
                otherwise the F=S causes the From_ line to imply that root is
                the sender. Problem pointed out by Claude Scarpelli of
                Infobiogen (France).
        NEW FILES:
                cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake)
                src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake)
                src/Makefiles/Makefile.UXPDS

8.7/8.7 95/09/16
        Fix a problem that could cause sendmail to run out of file
                descriptors due to a trashed data structure after a
                vfork. Fix from Brian Coan of the Institute for
                Global Communications.
        Change the VRFY response if you have disabled VRFY -- some
                people seemed to think that it was too rude.
        Avoid reference to uninitialized file descriptor if HASFLOCK
                was not defined. This was used "safely" in the sense
                that it only did a stat, but it would have set the
                map modification time improperly. Problem pointed out
                by Roy Mongiovi of Georgia Tech.
        Clean up the Subject: line on warning messages and return
                receipts so that they don't say "Returned mail:"; this
                can be confusing.
        Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is
                useful enough to make it worthwhile printing on "-d".
        Avoid logging alias statistics every time you read the alias
                file on systems with no database method compiled in.
        If you have a name with a trailing dot, and you try looking it
                up using gethostbyname without the dot (for /etc/hosts
                compatibility), be sure to turn off RES_DEFNAMES and
                RES_DNSRCH to avoid finding the wrong name accidentally.
                Problem noted by Charles Amos of the University of
                Maryland.
        Don't do timeouts in collect if you are not running SMTP.
                There is nothing that says you can't have a long
                running program piped into sendmail (possibly via
                /bin/mail, which just execs sendmail). Problem reported
                by Don "Truck" Lewis of Silicon Systems.
        Try gethostbyname() even if the DNS lookup fails iff option I
                is not set. This allows you to have hosts listed in
                NIS or /etc/hosts that are not known to DNS. It's normally
                a bad idea, but can be useful on firewall machines. This
                should really be broken out on a separate flag, I suppose.
        Avoid compile warnings against BIND 4.9.3, which uses function
                prototypes. From Don Lewis of Silicon Systems.
        Avoid possible incorrect diagnosis of DNS-related errors caused
                by things like attempts to resolve uucp names using
                $[ ... $] -- the fix is to clear h_errno at appropriate
                times. From Kyle Jones of UUNET.
        SECURITY: avoid denial-of-service attacks possible by destroying
                the alias database file by setting resource limits low.
                This involves adding two new compile-time options:
                HASSETRLIMIT (indicating that setrlimit(2) support is
                available) and HASULIMIT (indicating that ulimit(2) support
                is available -- the Release 3 form is used). The former
                is assumed on BSD-based systems, the latter on System
                V-based systems. Attack noted by Phil Brandenberger of
                Swarthmore University.
        New syntaxes in test (-bt) mode:
                ``.Dmvalue'' will define macro "m" to "value".
                ``.Ccvalue'' will add "value" to class "c".
                ``=Sruleset'' will dump the contents of the indicated
                        ruleset.
                ``=M'' will display the known mailers.
                ``-ddebug-spec'' is equivalent to the command-line
                        -d debug flag.
                ``$m'' will print the value of macro $m.
                ``$=c'' will print the contents of class $=c.
                ``/mx host'' returns the MX records for ``host''.
                ``/parse address'' will parse address, returning the value of
                        crackaddr (essentially, the comment information)
                        and the parsed address.
                ``/try mailer address'' will rewrite address into the form
                        it will have when presented to the indicated mailer.
                ``/tryflags flags'' will set flags used by parsing. The
                        flags can be `H' for header or `E' for envelope,
                        and `S' for sender or `R' for recipient. These
                        can be combined, so `HR' sets flags for header
                        recipients.
                ``/canon hostname'' will try to canonify hostname and
                        return the result.
                ``/map mapname key'' will look up `key' in the indicated
                        `mapname' and return the result.
        Somewhat better handling of UNIX-domain socket addresses -- it
                should show the pathname rather than hex bytes.
        Restore ``-ba'' mode -- this reads a file from stdin and parses
                the header for envelope sender information and uses
                CR-LF as message terminators. It was thought to be
                obsolete (used only for Arpanet NCP protocols), but it
                turns out that the UK ``Grey Book'' protocols require
                that functionality.
        Fix a fix in previous release -- if gethostname and gethostbyname
                return a name without dots, and if an attempt to canonify
                that name fails, wait one minute and try again. This can
                result in an extra 60 second delay on startup if your system
                hostname (as returned by hostname(1)) has no dot and no names
                listed in /etc/hosts or your NIS map have a dot.
        Check for proper domain name on HELO and EHLO commands per
                RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III
                of Michigan Technological University.
        Relax chownsafe rules slightly -- old version said that if you
                can't tell if _POSIX_CHOWN_RESTRICTED is set (that is,
                if fpathconf returned EINVAL or ENOSYS), assume that
                chown is not safe. The new version falls back to whether
                you are on a BSD system or not. This is important for
                SunOS, which apparently always returns one of those
                error codes. This impacts whether you can mail to files
                or not.
        Syntax errors such as unbalanced parentheses in the configuration
                file could be omitted if you had "Oem" prior to the
                syntax error in the config file. Change to always print
                the error message. It was especially weird because it
                would cause a "warning" message to be sent to the Postmaster
                for every message sent (but with no transcript). Problem
                noted by Gregory Paris of Motorola.
        Rewrite collect and putbody to handle full 8-bit data, including
                zero bytes. These changes are internally extensive, but
                should have minimal impact on external function.
        Allow full words for option names -- if the option letter is
                (apparently) a space, then take the word following -- e.g.,
                        O MatchGECOS=TRUE
                The full list of old and new names is as follows:
                        7       SevenBitInput
                        8       EightBitMode
                        A       AliasFile
                        a       AliasWait
                        B       BlankSub
                        b       MinFreeBlocks/MaxMessageSize
                        C       CheckpointInterval
                        c       HoldExpensive
                        D       AutoRebuildAliases
                        d       DeliveryMode
                        E       ErrorHeader
                        e       ErrorMode
                        f       SaveFromLine
                        F       TempFileMode
                        G       MatchGECOS
                        H       HelpFile
                        h       MaxHopCount
                        i       IgnoreDots
                        I       ResolverOptions
                        J       ForwardPath
                        j       SendMimeErrors
                        k       ConnectionCacheSize
                        K       ConnectionCacheTimeout
                        L       LogLevel
                        l       UseErrorsTo
                        m       MeToo
                        n       CheckAliases
                        O       DaemonPortOptions
                        o       OldStyleHeaders
                        P       PostmasterCopy
                        p       PrivacyOptions
                        Q       QueueDirectory
                        q       QueueFactor
                        R       DontPruneRoutes
                        r, T    Timeout
                        S       StatusFile
                        s       SuperSafe
                        t       TimeZoneSpec
                        u       DefaultUser
                        U       UserDatabaseSpec
                        V       FallbackMXHost
                        v       Verbose
                        w       TryNullMXList
                        x       QueueLA
                        X       RefuseLA
                        Y       ForkEachJob
                        y       RecipientFactor
                        z       ClassFactor
                        Z       RetryFactor
                The old macros that passed information into sendmail have
                been changed to options; those correspondences are:
                        $e      SmtpGreetingMessage
                        $l      UnixFromLine
                        $o      OperatorChars
                        $q      (deleted -- not necessary)
                To avoid possible problems with an older sendmail,
                configuration level 6 is accepted by this version of
                sendmail; any config file using the new names should
                specify "V6" in the configuration.
        Change address parsing to properly note that a phrase before a
                colon and a trailing semicolon are essentially the same
                as text outside of angle brackets (i.e., sendmail should
                treat them as comments).
                This is to handle the
                ``group name: addr1, addr2, ..., addrN;'' syntax (it will
                assume that ``group name:'' is a comment on the first
                address and the ``;'' is a comment on the last address).
                This requires config file support to get right. It does
                understand that :: is NOT this syntax, and can be turned
                off completely by setting the ColonOkInAddresses option.
        Level 6 config files added with new mailer flags:
                A       Addresses are aliasable.
                i       Do udb rewriting on envelope as well as header
                        sender lines. Applies to the from address mailer
                        flags rather than the recipient mailer flags.
                j       Do udb rewriting on header recipient addresses.
                        Applies to the sender mailer flags rather than the
                        recipient mailer flags.
                k       Disable check for loops when doing HELO command.
                o       Always run as the mail recipient, even on local
                        delivery.
                w       Check for an /etc/passwd entry for this user.
                5       Pass addresses through ruleset 5.
                :       Check for :include: on this address.
                |       Check for |program on this address.
                /       Check for /file on this address.
                @       Look up sender header addresses in the user
                        database. Applies to the mailer flags for the
                        mailer corresponding to the envelope sender
                        address, rather than to recipient mailer flags.
                Pre-level 6 configuration files set A, w, 5, :, |, /, and @
                on the "local" mailer, the o flag on the "prog" and "*file*"
                mailers, and the ColonOkInAddresses option.
        Eight-to-seven bit MIME conversions. This borrows ideas from
                John Beck of Hewlett-Packard, who generously contributed
                their implementation to me, which I then didn't use (see
                mime.c for an explanation of why). This adds the
                EightBitMode option (a.k.a. `8') and an F=8 mailer flag
                to control handling of 8-bit data.
                These have to cope with
                two types of 8-bit data: unlabelled 8-bit data (that is,
                8-bit data that is entered without declaring it as 8-bit
                MIME -- technically this is illegal according to the
                specs) and labelled 8-bit data (that is, it was declared
                as 8BITMIME in the ESMTP session or by using the
                -B8BITMIME command line flag). If the F=8 mailer flag is
                set then 8-bit data is sent to non-8BITMIME machines
                instead of converting to 7 bit (essentially using
                just-send-8 semantics). The values for EightBitMode are:
                    m   convert unlabelled 8-bit input to 8BITMIME, and do
                        any necessary conversion of 8BITMIME to 7BIT
                        (essentially, the full MIME option).
                    p   pass unlabelled 8-bit input, but convert labelled
                        8BITMIME input to 7BIT as required (default).
                    s   strict adherence: reject unlabelled 8-bit input,
                        convert 8BITMIME to 7BIT as required. The F=8
                        flag is ignored.
                Unlabelled 8-bit data is rejected in mode `s' regardless of
                the setting of F=8.
        Add new internal class 'n', which is the set of MIME Content-Types
                which can not be 8 to 7 bit encoded because of other
                considerations. Types "multipart/*" and "message/*" are
                never directly encoded (although their components can be).
        Add new internal class 's', which is the set of subtypes of the
                MIME message/* content type that can be treated as though
                they are an RFC822 message. It is predefined to have
                "rfc822". Suggested by Kari Hurtta.
        Add new internal class 'e'. This is the set of MIME
                Content-Transfer-Encodings that can be converted to
                a seven bit format (Quoted-Printable or Base64). It is
                preinitialized to contain "7bit", "8bit", and "binary".
    Add C=charset mailer parameter and the DefaultCharSet option (no
        short name) to set the default character set to use in the
        Content-Type: header when doing encoding of an 8-bit message
        which isn't marked as MIME into MIME format. If the C=
        parameter is set on the Envelope From address, use that as
        the default encoding; else use the DefaultCharSet option.
        If neither is set, it defaults to "unknown-8bit" as
        suggested by RFC 1428 section 3.
    Allow ``U=user:group'' field in mailer definition to set a default
        user and group that a mailer will be executed as. This
        overrides the 'u' and 'g' options, and if the `F=S' flag is
        also set, it is the uid/gid that will always be used (that
        is, the controlling address is ignored). The values may be
        numeric or symbolic; if only a symbolic user is given (no
        group) that user's default group in the passwd file is used
        as the group. Based on code donated by Chip Rosenthal of
        Unicom.
    Allow `u' option to also accept user:group as a value, in the same
        fashion as the U= mailer option.
    Add the symbolic time zone name in the Arpanet format dates (as
        a comment). This adds a new compile-time configuration
        flag: TZ_TYPE can be set to TZ_TM_NAME (use the value
        of (struct tm *)->tm_name), TZ_TM_ZONE (use the value
        of (struct tm *)->tm_zone), TZ_TZNAME (use extern char
        *tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use
        timezone()), or TZ_NONE (don't include the comment). Code
        from Chip Rosenthal.
    The "Timeout" option (formerly "r") is extended to allow suboptions.
        For example,
            O Timeout.helo = 2m
        There are also two new suboptions "queuereturn" and
        "queuewarn"; these subsume the old T option.
        Thus, to
        set them both the preferred new syntax is
            O Timeout.queuereturn = 5d
            O Timeout.queuewarn = 4h
    Sort queue by host name instead of by message priority if the
        QueueSortOrder option (no short name) is set to
        ``host''. This makes better use of the connection cache,
        but may delay more ``interactive'' messages behind large
        backlogs under some circumstances. This is probably a
        good option if you have high speed links or don't do lots
        of ``batch'' messages, but less good if you are using
        something like PPP on a 14.4 modem. Based on code
        contributed by Roy Mongiovi of Georgia Tech (my main
        contribution was to make it configurable).
    Save i-number of df file in qf file to simplify rebuilding of queue
        after disastrous disk crash. Suggested by Kyle Jones of
        UUNET; closely based on code from KJS DECWRL code written
        by Paul Vixie. NOTA BENE: The qf files produced by 8.7
        are NOT back compatible with 8.6 -- that is, you can convert
        from 8.6 to 8.7, but not the other direction.
    Add ``F=d'' mailer flag to disable all use of angle brackets in
        route-addrs in envelopes; this is because in some cases
        they can be sent to the shell, which interprets them as
        I/O redirection.
    Don't include error file (option E) with return-receipts; this
        can be confusing.
    Don't send "Warning: cannot send" messages to owner-* or
        *-request addresses. Suggested by Christophe Wolfhugel
        of the Institut Pasteur, Paris.
    Allow -O command line flag to set long form options.
    Add "MinQueueAge" option to set the minimum time between attempts
        to run the queue. For example, if the queue interval
        (-q value) is five minutes, but the minimum queue age
        is fifteen minutes, jobs won't be tried more often than
        once every fifteen minutes. This can be used to give
        you more responsiveness if your delivery mode is set to
        queue-only.
    Allow "fileopen" timeout (default: 60 seconds) for opening
        :include: and .forward files.
    Add "-k", "-v", and "-z" flags to map definitions; these set the
        key field name, the value field name, and the field
        delimiter. The field delimiter can be a single character
        or the sequence "\t" or "\n" for tab or newline.
        These are for use by NIS+ and similar access methods.
    Change maps to always strip quotes before lookups; the -q flag
        turns off this behavior. Suggested by Motonori Nakamura.
    Add "nisplus" map class. Takes -k and -v flags to choose the
        key and value field names respectively. Code donated by
        Sun Microsystems.
    Add "hesiod" map class. The "file name" is used as the
        "HesiodNameType" parameter to hes_resolve(3). Returns the
        first value found for the match. Code donated by Scott
        Hutton of Indiana University.
    Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to
        specify the name of the property that is searched as the
        key and a -v flag to specify the name of the property that
        is returned as the value (defaults to "members"). The
        default map is "/aliases". Some code based on code
        contributed by Robert La Ferla of Hot Software.
    Add "text" map class. This does slow, linear searches through
        text files. The -z flag specifies a column delimiter
        (defaults to any sequence of white space), the -k flag
        sets the key column number, and the -v flag sets the
        value column number. Lines beginning with `#' are treated
        as comments.
    Add "program" map class to execute arbitrary programs. The search
        key is presented as the last argument; the output is one
        line read from the program's standard output. Exit statuses
        are from sysexits.h.
    Add "sequence" map class -- searches maps in sequence until it
        finds a match. For example, the declarations:
            Kmap1 ...
            Kmap2 ...
            Kmapseq sequence map1 map2
        defines a map "mapseq" that first searches map1; if the
        value is found it is returned immediately, otherwise
        map2 is searched and the value returned.
    Add "switch" map class. This is much like "sequence" except that
        the ordering is fetched from an external file, usually
        the system service switch. The parameter is the name of
        the service to switch on, and the maps that it will use
        are the name of the switch map followed by ".service_type".
        For example, if the declaration of the map is
            Ksample switch hosts
        and the system service switch specifies that hosts are
        looked up using dns and nis in that order, then this is
        equivalent to
            Ksample sequence sample.dns sample.nis
        The subordinate maps (sample.*) must already be defined.
    Add "user" map class -- looks up users using getpwnam. Takes a
        "-v field" flag on the definition that tells what passwd
        entry to return -- legal values are name, passwd, uid, gid,
        gecos, dir, and shell. Generally expected to be used with
        the -m (matchonly) flag.
    Add "bestmx" map class -- returns the best MX value for the host
        listed as the value. If there are several "best" MX records
        for this host, one will be chosen at random.
    Add "userdb" map class -- looks up entries in the user database.
        The "file name" is actually the tag that will be used,
        typically "mailname". If there are multiple entries
        matching the name, the one chosen is undefined.
    Add multiple queue timeouts (both return and warning). These are
        set by the Precedence: or Priority: header fields to one of
        three values. If a Priority: is set and has value "normal",
        "urgent", or "non-urgent" the corresponding timeouts are
        used. If no priority is set, the Precedence: is consulted;
        if negative, non-urgent timeouts are used; if greater than
        zero, urgent timeouts are used.
        Otherwise, normal timeouts
        are used. The timeouts are set by setting the six timeouts
        queue{warn,return}.{urgent,normal,non-urgent}.
    Fix problem when a mail address is resolved to a $#error mailer
        with a temporary failure indication; it works in SMTP,
        but when delivering locally the mail is silently discarded.
        This patch, from Kyle Jones of UUNET, bounces it instead
        of queueing it (queueing is very hard).
    When using /etc/hosts or NIS-style lookups, don't assume that
        the first name in the list is the best one -- instead,
        search for the first one with a dot. For example, if
        an /etc/hosts entry reads
            128.32.149.68 mammoth mammoth.CS.Berkeley.EDU
        this change will use the second name as the canonical
        machine name instead of the initial, unqualified name.
    Change dequote map to replace spaces in quoted text with a value
        indicated by the -s flag on the dequote map definition.
        For example, ``Mdequote dequote -s_'' will change
        "Foo Bar" into an unquoted Foo_Bar instead of leaving it
        quoted (because of the space character). Suggested by Dan
        Oscarsson for use in X.400 addresses.
    Implement long macro names as ${name}; long class names can
        be similarly referenced as $={name} and $~{name}.
        Definitions are (e.g.) ``D{name}value''. Names that have
        a leading lower case letter or punctuation characters are
        reserved for internal use by sendmail; i.e., config files
        should use names that begin with a capital letter. Based
        on code contributed by Dan Oscarsson.
    Fix core dump if getgrgid returns a null group list (as opposed
        to an empty group list, that is, a pointer to a list
        with no members). Fix from Andrew Chang of Sun Microsystems.
    Fix possible core dump if malloc fails -- if the malloc in xalloc
        failed, it called syserr which called newstr which called
        xalloc.... The newstr is now avoided for "panic" messages.
        Reported by Stuart Kemp of James Cook University.
    Improve connection cache timeouts; previously, they were not even
        checked if you were delivering to anything other than an
        IPC-connected host, so a series of (say) local mail
        deliveries could cause cached connections to be open
        much longer than the specified timeout.
    If an incoming message exceeds the maximum message size, stop
        writing the incoming bytes to the queue data file, since
        this can fill your mqueue partition -- this is a possible
        denial-of-service attack.
    Don't reject all numeric local user names unless HESIOD is
        defined. It turns out that Posix allows all-numeric
        user names. Fix from Tony Sanders of BSDI.
    Add service switch support. If the local OS has a service
        switch (e.g., /etc/nsswitch.conf on Solaris or /etc/svc.conf
        on DEC systems) that will be used; otherwise, it falls back
        to using a local mechanism based on the ServiceSwitchFile
        option (default: /etc/service.switch). For example, if the
        service switch lists "files" and "nis" for the aliases
        service, that will be the default lookup order. The "files"
        ("local" on DEC) service type expands to any alias files
        you listed in the configuration file, even if they aren't
        actually file lookups.
    Option I (NameServerOptions) no longer sets the "UseNameServer"
        variable which tells whether or not DNS should be considered
        canonical. This is now determined based on whether or not
        "dns" is in the service list for "hosts".
    Add preliminary support for the ESMTP "DSN" extension (Delivery
        Status Notifications). DSN notifications override
        Return-Receipt-To: headers, which are bogus anyhow --
        support for them has been removed.
    Add T=mts-name-type/address-type/diagnostic-type keyletter to mailer
        definitions to define the types used in DSN returns for
        MTA names, addresses, and diagnostics respectively.
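The "text", "sequence" and "switch" map classes described above, as an added sketch that is not sendmail's own code. The structure and function names are hypothetical, the subordinate maps are constructed text maps standing in for sample.dns and sample.nis, and columns are assumed to be counted from 0.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One "text" map; every map name and its contents here are constructed. */
struct textmap {
    const char *name;   /* e.g. "sample.dns" */
    const char *data;   /* file contents, embedded instead of read */
    char delim;         /* -z delimiter; 0 = any run of white space */
    int keycol, valcol; /* -k / -v columns, counted from 0 (assumption) */
};

/* Copy column col of line[0..len) into out; return 1 if it exists. */
static int get_col(const char *line, size_t len, char delim, int col,
                   char *out, size_t outsz)
{
    size_t i = 0, start, n;
    for (int cur = 0; ; cur++) {
        while (!delim && i < len && isspace((unsigned char)line[i])) i++;
        start = i;
        while (i < len && (delim ? line[i] != delim
                                 : !isspace((unsigned char)line[i])))
            i++;
        n = i - start;
        if (cur == col) {
            if (!delim && n == 0) return 0;     /* past the last column */
            if (n >= outsz) n = outsz - 1;
            memcpy(out, line + start, n);
            out[n] = '\0';
            return 1;
        }
        if (i >= len) return 0;
        if (delim) i++;                         /* step over one delimiter */
    }
}

/* "text" class: slow linear search; lines beginning with '#' are comments. */
int text_lookup(const struct textmap *m, const char *key,
                char *out, size_t outsz)
{
    const char *p = m->data;
    char k[128];
    while (*p) {
        size_t len = strcspn(p, "\n");
        if (p[0] != '#' &&
            get_col(p, len, m->delim, m->keycol, k, sizeof k) &&
            strcmp(k, key) == 0 &&
            get_col(p, len, m->delim, m->valcol, out, outsz))
            return 1;
        p += len + (p[len] == '\n');
    }
    return 0;
}

/* "sequence" class: try each map in order; the first match wins. */
int sequence_lookup(const struct textmap *const *maps, int n,
                    const char *key, char *out, size_t outsz)
{
    for (int i = 0; i < n; i++)
        if (text_lookup(maps[i], key, out, outsz))
            return 1;
    return 0;
}

/* "switch" class: for each service in the (space-separated) switch order,
 * use the map "<name>.<service>".  Returns -1 if one is not defined. */
int switch_lookup(const char *name, const char *services,
                  const struct textmap *const *defined, int ndefined,
                  const char *key, char *out, size_t outsz)
{
    const struct textmap *order[8];
    char sub[64];
    int n = 0, j;
    while (*services && n < 8) {
        size_t sl = strcspn(services, " ");
        snprintf(sub, sizeof sub, "%s.%.*s", name, (int)sl, services);
        for (j = 0; j < ndefined && strcmp(defined[j]->name, sub); j++) ;
        if (j == ndefined) return -1;
        order[n++] = defined[j];
        services += sl + strspn(services + sl, " ");
    }
    return sequence_lookup(order, n, key, out, outsz);
}

/* Constructed stand-ins for the subordinate maps of "Ksample switch hosts". */
static const struct textmap SAMPLE_DNS = { "sample.dns",
    "# host canonical\nmammoth mammoth.CS.Berkeley.EDU\n", 0, 0, 1 };
static const struct textmap SAMPLE_NIS = { "sample.nis",
    "mammoth:mammoth.nis.example\nvixen:vixen.nis.example\n", ':', 0, 1 };
static const struct textmap *const DEFINED[] = { &SAMPLE_DNS, &SAMPLE_NIS };

int main(void)
{
    char v[64];
    int r = switch_lookup("sample", "dns nis", DEFINED, 2, "vixen", v, sizeof v);
    if (r == 1) printf("vixen -> %s\n", v);
    return r != 1;
}
```

Reversing the service order changes which subordinate map answers for a key present in both, which is why the switch order matters when the sources disagree.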
    Extend heuristic to force running in ESMTP mode to look for the
        five-character string "ESMTP" anywhere in the 220 greeting
        message (not just the second line). This is to provide
        better compatibility with other ESMTP servers.
    Print sequence number of job when running the queue so you can
        easily see how much progress you have made. Suggested
        by Peter Wemm of DIALix.
    Map newlines to spaces in logged message-ids; some versions of
        syslog truncate the rest of the line after newlines.
        Suggested by Fletcher Mattox of U. Texas.
    Move up forking for job runs so that if a message is split into
        multiple envelopes you don't get "fork storms" -- this
        also improves the connection cache utilization.
    Accept "<<>>", "<<<>>>", and so forth as equivalent to "<>" for
        the purposes of refusing to send error returns. Suggested
        by Motonori Nakamura of Ritsumeikan University.
    Relax rules on when a file can be written when referenced from
        the aliases file: use the default uid/gid instead of the
        real uid/gid. This allows you to create a file owned by
        and writable only by the default uid/gid that will work
        all the time (without having the setuid bit set). Change
        suggested by Shau-Ping Lo and Andrew Cheng of Sun
        Microsystems.
    Add "DialDelay" option (no short name) to provide an "extra"
        delay for dial on demand systems. If this is non-zero
        and a connect fails, sendmail will wait this long and
        then try again. If it takes longer than the kernel
        timeout interval to establish the connection, this
        option can give the network software time to establish
        the link. The default units are seconds.
    Move logging of sender information to be as early as possible;
        previously, it could be delayed a while for SMTP mail
        sent to aliases. Suggested by Brad Knowles of the
        Defense Information Systems Agency.
    Call res_init() before setting RES_DEBUG; this is required by
        BIND 4.9.3, or so I'm told. From Douglas Anderson of
        the National Computer Security Center.
    Add xdelay= field in logs -- this is a transaction delay, telling
        you how long it took to deliver to this address on the
        last try. It is intended to be used for sorting mailing
        lists to favor "quick" addresses. Provided for use by
        the mailprio scripts (see below).
    If a map cannot be opened, and that map is non-optional, and
        an address requires that map for resolution, queue the
        map instead of bouncing it. This involves creating a
        pseudo-class of maps called "bogus-map" -- if a required
        map cannot be opened, the class is changed to bogus-map;
        all queries against bogus-map return "tempfail". The
        bogus-map class is not directly accessible. A sample
        implementation was donated by Jem Taylor of Glasgow
        University Computing Service.
    Fix a possible core dump when mailing to a program that talks
        SMTP on its standard input. Fix from Keith Moore of
        the University of Kentucky.
    Make it possible to resolve filenames to $#local $: @ /filename;
        previously, the "@" would cause it to not be recognized
        as a file. Problem noted by Brian Hill of U.C. Davis.
    Accept a -1 signal to re-exec the daemon. This only works if
        argv[0] is a full path to sendmail.
    Fix bug in "addr=..." field in O option on little-endian machines
        -- the network number wasn't being converted to network
        byte order. Patch from Kurt Lidl of Pix Technologies
        Corporation.
    Pre-initialize the resolver early on; this is to avoid a bug with
        BIND 4.9.3 that can cause the _res.retry field to get
        reset to zero, causing all name server lookups to time
        out. Fix from Matt Day of Artisoft.
    Restore T line (trusted users) in config file -- but instead of
        locking out the -f flag, they just tell whether or not
        an X-Authentication-Warning: will be added. This really
        just creates new entries in class 't', so "Ft/file/name"
        can be used to read trusted user names from a file.
        Trusted users are also allowed to execute programs even
        if they have a shell that isn't in /etc/shells.
    Improve NEWDB alias file rebuilding so it will create them
        properly if they do not already exist. This had been
        a MAYBENEXTRELEASE feature in 8.6.9.
    Check for @:@ entry in NIS maps before starting up to avoid
        (but not prevent, sigh) race conditions. This ought to
        be handled properly in ypserv, but isn't. Suggested by
        Michael Beirne of Motorola.
    Refuse connections if there isn't enough space on the filesystem
        holding the queue. Contributed by Robert Dana of Wolf
        Communications.
    Skip checking for directory permissions in the path to a file
        when checking for file permissions iff setreuid()
        succeeded -- it is unnecessary in that case. This avoids
        significant performance problems when looking for .forward
        files. Based on a suggestion by Win Bent of USC.
    Allow symbolic ruleset names. Syntax can be "Sname" to get an
        arbitrary ruleset number assigned or "Sname = integer"
        to assign a specific ruleset number. Reference is
        $>name_or_number. Names can be composed of alphas, digits,
        underscore, or hyphen (first character must be non-numeric).
    Allow -o flag on AliasFile lines to make the alias file optional.
        From Bryan Costales of ICSI.
    Add NoRecipientAction option to handle the case where there is
        no legal recipient header in the message. It can take
        on values:
            None                Leave the message as is. The
                                message will be passed on even
                                though it is in technically
                                illegal syntax.
            Add-To              Add a To: header with any
                                recipients that it can find from
                                the envelope. This risks exposing
                                Bcc: recipients.
            Add-Apparently-To   Add an Apparently-To: header. This
                                has almost no redeeming social value,
                                and is provided only for back
                                compatibility.
            Add-To-Undisclosed  Add a header reading
                                    To: undisclosed-recipients:;
                                which will have the effect of
                                making the message legal without
                                exposing Bcc: recipients.
            Add-Bcc             To add an empty Bcc: header.
                                There is a chance that mailers down
                                the line will delete this header,
                                which could cause exposure of Bcc:
                                recipients.
        The default is NoRecipientAction=None.
    Truncate (rather than delete) Bcc: lines in the header. This
        should prevent later sendmails (at least, those that don't
        themselves delete Bcc:) from considering this message to
        be non-conforming -- although it does imply that non-blind
        recipients can see that a Bcc: was sent, albeit not to whom.
    Add SafeFileEnvironment option. If declared, files named as delivery
        targets must be regular files in addition to the regular
        checks. Also, if the option is non-null then it is used as
        the name of a directory that is used as a chroot(2)
        environment for the delivery; the file names listed in an
        alias or forward should include the name of this root.
        For example, if you run with
            O SafeFileEnvironment=/arch
        then aliases should reference "/arch/rest/of/path". If a
        value is given, sendmail also won't try to save to
        /usr/tmp/dead.letter (instead it just leaves the job in the
        queue as Qfxxxxxx). Inspired by *Hobbit*'s sendmail patch kit.
    Support -A flag for alias files; this will comma concatenate like
        entries.
        For example, given the aliases:
            list: member1
            list: member2
        and an alias file declared as:
            OAhash:-A /etc/aliases
        the final alias inserted will be "list: member1,member2";
        without -A you will get an error on the second and subsequent
        alias for "list". Contributed by Bryan Costales of ICSI.
    Line-buffer transcript file. Suggested by Liudvikas Bukys.
    Fix a problem that could cause very long addresses to core dump in
        some special circumstances. Problem pointed out by Allan
        Johannesen.
    (Internal change.) Change interface to expand() (macro expansion)
        to be simpler and more consistent.
    Delete check for funny qf file names. This didn't really give
        any extra security and caused some people some problems.
        (If you -really- want this, define PICKY_QF_NAME_CHECK
        at compile time.) Suggested by Kyle Jones of UUNET.
    (Internal change.) Change EF_NORETURN to EF_NO_BODY_RETN and
        merge with DSN code; this is simpler and more consistent.
        This may affect some people who have written their own
        checkcompat() routine.
    (Internal change.) Eliminate `D' line in qf file. The df file
        is now assumed to be the same name as the qf file (with
        the `q' changed to a `d', of course).
    Avoid forking for delivery if all recipient mailers are marked as
        "expensive" -- this can be a major cost on some systems.
        Essentially, this forces sendmail into "queue only" mode
        if all it is going to do is queue anyway.
    Avoid sending a null message in some rather unusual circumstances
        (specifically, the RCPT command returns a temporary
        failure but the connection is lost before the DATA
        command). Fix from Scott Hammond of Secure Computing
        Corporation.
    Change makesendmail to use a somewhat more rational naming scheme:
        Makefiles and obj directories are named $os.$rel.$arch,
        where $os is the operating system (e.g., SunOS), $rel is
        the release number (e.g., 5.3), and $arch is the machine
        architecture (e.g., sun4). Any of these can be omitted,
        and anything after the first dot in a release number can
        be replaced with "x" (e.g., SunOS.4.x.sun4). The previous
        version used $os.$arch.$rel and was rather less general.
    Change makesendmail to do a "make depend" in the target directory
        when it is being created. This involves adding an empty
        "depend:" entry in most Makefiles.
    Ignore IDENT return value if the OSTYPE field returns "OTHER",
        as indicated by RFC 1413. Pointed out by Kari Hurtta
        of the Finnish Meteorological Institute.
    Fix problem that could cause multiple responses to DATA command
        on header syntax errors (e.g., lines beginning with colons).
        Problem noted by Jens Thomassen of the University of Oslo.
    Don't let null bytes in headers cause truncation of the rest of
        the header.
    Log Authentication-Warning:s. Suggested by Motonori Nakamura.
    Increase timeouts on message data puts to allow time for receivers
        to canonify addresses in headers on the fly. This is still
        a rather ugly heuristic. From Motonori Nakamura.
    Add "HasWildcardMX" suboption to ResolverOptions; if set, MX
        records are not used when canonifying names, and when MX
        lookups are done for addressing they must be fully
        qualified. This is useful if you have a wildcard MX record,
        although it may cause other problems. In general, don't use
        wildcard MX records. Patch from Motonori Nakamura.
    Eliminate default two-line SMTP greeting message.
        Instead of
        adding an extra "ESMTP spoken here" line, the word "ESMTP"
        is added between the first and second word of the first
        line of the greeting message (i.e., immediately after the
        host name). This eliminates the need for the BROKEN_SMTP_PEERS
        compile flag. Old sendmails won't see the ESMTP, but that's
        acceptable because SIZE was the only useful extension that
        old sendmails understand.
    Avoid gethostbyname calls on UNIX domain sockets during SIGUSR1
        invoked state dumps. From Masaharu Onishi.
    Allow on-line comments in .forward and :include: files; they are
        introduced by the string "<LWSP>#@#<LWSP>", where <LWSP>
        is a space or a tab. This is intended for native
        representation of non-ASCII sets such as Japanese, where
        existing encodings would be unreadable or would lose
        data -- for example,
            <motonori@cs.ritsumei.ac.jp> NAKAMURA Motonori
                (romanized/less information)
            <motonori@cs.ritsumei.ac.jp> =?ISO-2022-JP?B?GyRCQ2ZCPBsoQg==?=
                =?ISO-2022-JP?B?GyRCQUdFNRsoQg==?=
                (with MIME encoding, not human readable)
            <motonori@cs.ritsumei.ac.jp> #@# ^[$BCfB<^[(B ^[$BAGE5^[(B
                (native encoding with ISO-2022-JP)
        The last form is human readable in the Japanese environment.
        Based on a fix from (surprise!) Motonori Nakamura.
    Don't make SMTP error returns on MAIL FROM: line be "sticky" for all
        messages to that host; these are most frequently associated
        with addresses rather than the host, with the exception of
        421 (service shutting down). The effect was to cause queues
        to sometimes take an excessive time to flush. Reported by
        Robert Sargent of Southern Geographics Technologies and
        Eric Prestemon of American University.
    Add Nice=N mailer option to set the niceness at which a mailer will
        run. This is actually a relative niceness (that is, an
        increment on the background value).
    Log queue runs that are skipped due to high loads. They are logged
        at LOG_INFO priority iff the log level is > 8. Contributed
        by Bruce Nagel of Data General.
    Allow the error mailer to accept a DSN-style error status code
        instead of a sysexits status code in the host part.
        Anything with a dot will be interpreted as a DSN-style code.
    Add new mailer flag: F=3 will tell translations to Quoted-Printable
        to encode characters that might be munged by an EBCDIC system
        in addition to the set required by RFC 1521. The additional
        characters are !, ", #, $, @, [, \, ], ^, `, {, |, }, and ~.
        (Think of "IBM 360" as the mnemonic for this flag.)
    Change check for mailing to files to look for a pathname of [FILE]
        rather than looking for the mailer named *file*. The mapping
        of leading slashes still goes to the *file* mailer. This
        allows you to implement the *file* mailer as a separate
        program, for example, to insert a Content-Length: header
        or do special security policy. However, note that the usual
        initial checking for the file permissions is still done, and
        the program in question needs to be very careful about how
        it does the file write to avoid security problems.
    Be able to read ~root/.forward even if the path isn't accessible to
        regular users. This is disrecommended because sendmail
        sometimes does not run as root (e.g., when an unsafe option
        is specified on the command line), but should otherwise be
        safe because .forward files must be owned by the user for
        whom mail is being forwarded, and cannot be a symbolic link.
        Suggested by Forrest Aldrich of Wang Laboratories.
    Add new "HostsFile" option that is the pathname to the /etc/hosts
        file. This is used for canonifying hostnames when the
        service type is "files".
    Implement programs on F (read class from file) line.
        The syntax is
        Fc|/path/to/program to read the output from the program
        into class "c".
    Probe the network interfaces to find alternate names for this
        host. Requires the SIOCGIFCONF ioctl call. Code
        contributed by SunSoft.
    Add "E" configuration line to set or propagate environment
        variables into children. "E<envar>" will propagate
        the named variable from the environment when sendmail
        was invoked into any children it calls; "E<envar>=<value>"
        sets the named variable to the indicated value. Any
        variables not explicitly named will not be in the child
        environment. However, sendmail still forces an
        "AGENT=sendmail" environment variable, in part to enforce
        at least one environment variable, since many programs and
        libraries die horribly if this is not guaranteed.
    Change heuristic for rebuilding both NEWDB and NDBM versions of
        alias databases -- new algorithm looks for the substring
        "/yp/" in the file name. This is more portable and involves
        less overhead. Suggested by Motonori Nakamura.
    Dynamically allocate the queue work list so that you don't lose
        jobs in large queue runs. The old QUEUESIZE compile parameter
        is replaced by QUEUESEGSIZE (the unit of allocation, which
        should not need to be changed) and the MaxQueueRunSize option,
        which is the absolute maximum number of jobs that will ever
        be handled in a single queue run. Based on code contributed
        by Brian Coan of the Institute for Global Communications.
    Log message when a message is dropped because it exceeds the maximum
        message size. Suggested by Leo Bicknell of Virginia Tech.
    Allow trusted users (those on a T line or in $=t) to use -bs without
        an X-Authentication-Warning: added. Suggested by Mark Thomas
        of Mark G. Thomas Consulting.
    Announce state of compile flags on -d0.1 (-d0.10 throws in the
        OS-dependent defines).
        The old semantic of -d0.1 to not
        run the daemon in background has been moved to -d99.100,
        and the old 52.5 flag (to avoid disconnect() from closing
        all output files) has been moved to 52.100. This makes
        things more consistent (flags below .100 don't change
        semantics) and separates out the backgrounding so that
        it doesn't happen automatically on other unrelated debugging
        flags.
    If -t is used but no addresses are found in the header, give an
        error message rather than just doing nothing. Fix from
        Motonori Nakamura.
    On systems (like SunOS) where the effective gid is not necessarily
        included in the group list returned by getgroups(), the
        `restrictmailq' option could sometimes cause an authorized
        user to not be able to use `mailq'. Fix from Charles Hannum
        of MIT.
    Allow symbolic service names for [IPC] mailers. Suggested by
        Gerry Magennis of Logica International.
    Add DontExpandCnames option to prevent $[ ... $] from expanding CNAMEs
        when running DNS. For example, if the name FTP.Foo.ORG is
        a CNAME for Cruft.Foo.ORG, then when sitting on a machine in
        the Foo.ORG domain a lookup of "FTP" returns "Cruft.Foo.ORG"
        if this option is not set, or "FTP.Foo.ORG" if it is set.
        This is technically illegal under RFC 822 and 1123, but the
        IETF is moving toward legalizing it. Note that turning on
        this option is not sufficient to guarantee that a downstream
        neighbor won't rewrite the address for you.
    Add "-m" flag to makesendmail script -- this tells you what object
        directory and Makefile it will use, but doesn't actually do
        the make.
    Do some additional checking on the contents of the qf file to try
        to detect attacks against the qf file. In particular,
        abort on any line beginning "From ", and add an "end of
        file" line -- any data after that line is prohibited.
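The two qf checks in the entry above, as an added sketch that is not sendmail's own code: abort on any line beginning "From ", and refuse anything after the "end of file" line. The function name qf_check, the result codes, the sample files, and the choice of a line holding only "." as the end-of-file marker are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for qf_check(); hypothetical names, not sendmail's. */
enum qf_result {
    QF_OK = 0,          /* terminator present, nothing after it */
    QF_FROM_LINE,       /* some line begins with "From " */
    QF_NO_EOF_LINE,     /* the "end of file" line is missing */
    QF_TRAILING_DATA    /* data follows the "end of file" line */
};

/* Assumption: the "end of file" line is a line holding only ".". */
#define QF_EOF_LINE "."

/*
 * Scan an in-memory qf file line by line.  *badline receives the 1-based
 * number of the offending line, or 0 when no single line is at fault.
 */
enum qf_result qf_check(const char *buf, size_t len, int *badline)
{
    size_t pos = 0;
    int lineno = 0;
    int seen_eof = 0;

    *badline = 0;
    while (pos < len) {
        const char *line = buf + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t linelen = nl ? (size_t)(nl - line) : len - pos;

        lineno++;
        if (seen_eof) {
            /* Anything at all after the terminator is prohibited. */
            *badline = lineno;
            return QF_TRAILING_DATA;
        }
        if (linelen >= 5 && memcmp(line, "From ", 5) == 0) {
            *badline = lineno;
            return QF_FROM_LINE;
        }
        if (linelen == strlen(QF_EOF_LINE) &&
            memcmp(line, QF_EOF_LINE, linelen) == 0)
            seen_eof = 1;
        pos += linelen + (nl ? 1 : 0);
    }
    /* A file cut short before its terminator is also rejected. */
    return seen_eof ? QF_OK : QF_NO_EOF_LINE;
}

/* Constructed samples, loosely shaped like queue control files. */
static const char QF_GOOD[] =
    "P30000\nSalice\nRbob\nHFrom: alice\nHSubject: test\n.\n";
static const char QF_FROM[] =
    "P30000\nSalice\nFrom nobody Thu Jan  1 00:00:00 1970\nRbob\n.\n";
static const char QF_NOEOF[] = "P30000\nSalice\nRbob\n";
static const char QF_TRAIL[] = "P30000\nSalice\nRbob\n.\nRextra\n";

int main(void)
{
    int bad;

    printf("good:     %d\n", qf_check(QF_GOOD, sizeof QF_GOOD - 1, &bad));
    printf("from:     %d (line %d)\n",
           qf_check(QF_FROM, sizeof QF_FROM - 1, &bad), bad);
    printf("no eof:   %d\n", qf_check(QF_NOEOF, sizeof QF_NOEOF - 1, &bad));
    printf("trailing: %d (line %d)\n",
           qf_check(QF_TRAIL, sizeof QF_TRAIL - 1, &bad), bad);
    return 0;
}
```

A header stored as "HFrom: alice" passes, because the check applies to the start of the line, not to the header text inside it.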
    Always use /etc/sendmail.cf, regardless of the arbitrary vendor
        choices. This can be overridden in the Makefile by using
        either -DUSE_VENDOR_CF_PATH to get the vendor location
        (to the extent that we know it) or by defining
        _PATH_SENDMAILCF (which is a "hard override"). This allows
        sendmail 8 to have more consistent installation instructions.
    Allow macros on `K' line in config file. Suggested by Andrew Chang
        of Sun Microsystems.
    Improved symbol table hash function from Eric Wassenaar. This one
        is at least 50% faster.
    Fix problem that didn't notice that timeout on file open was a
        transient error. Fix from Larry Parmelee of Cornell
        University.
    Allow comments (lines beginning with a `#') in files read for
        classes. Suggested by Motonori Nakamura.
    Make SIGINT (usually ^C) in test mode return to the prompt instead
        of dropping out entirely. This makes testing some of the
        name server lookups easier to deal with when there are
        hung servers. From Motonori Nakamura.
    Add new ${opMode} macro that is set to the current operation mode
        (e.g., `s' for -bs, `t' for -bt, etc.). Suggested by
        Claude Marinier <MARINIER@emp.ewd.dreo.dnd.ca>.
    Add new delivery mode (Odd) that defers all map lookups to queue runs.
        Kind of like queue-only mode (Odq) except it tries to avoid
        any external service requests; for dial-on-demand hosts that
        want to minimize DNS lookups when mail is being queued. For
        this to work you will also have to make sure that gethostbyname
        of your local host name does not do a DNS lookup.
    Improved handling of "out of space" conditions from John Myers of
        Carnegie Mellon.
    Improved security for mailing to files on systems that have fchmod(2)
        support.
    Improve "cannot send message for N days" message -- now says "could
        not send for past N days". Suggested by Tom Moore of AT&T
        Global Information Solutions.
    Less misleading Subject: line on messages sent to postmaster only.
        From Motonori Nakamura.
    Avoid duplicate error messages on bad command line flags. From
        Motonori Nakamura.
    Better error message for case where ruleset 0 falls off the end
        or otherwise does not resolve to a canonical triple.
    Fix a problem that could cause multiple bounce messages if a bad
        address was sent along with a good address to an SMTP
        site where that SMTP site returned a 4yz code in response
        to the final dot of the data. Problem reported by David
        James of British Telecom.
    Add "volatile" declarations so that gcc -O2 will work. Patches
        from Alexander Dupuy of System Management ARTS.
    Delete duplicates in MX lists -- believe it or not, there are sites
        that list the same host twice in an MX list. This deletion
        only works on adjacent preferences, so an MX list that
        had A=5, B=10, A=15 would leave both As, but one that had
        A=5, A=10, B=15 would reduce to A, B. This is intentional,
        just in case there is something weird I haven't thought of.
        Suggested by Barry Shein of Software Tool & Die.
    SECURITY: .forward files cannot be symbolic links. If they are,
        a bad guy can read your private files.
    PORTABILITY FIXES:
        Solaris 2 from Rob McMahon <cudcv@csv.warwick.ac.uk>.
        System V Release 4 from Motonori Nakamura of Ritsumeikan
            University. This expands the disk size
            checking to include all (?) SVR4 configurations.
        System V Release 4 from Kimmo Suominen -- initgroups(3)
            and setrlimit(2) are both available.
        System V Release 4 from sob@sculley.ffg.com -- some versions
            apparently "have EX_OK defined in other headerfiles."
        Linux Makefile typo.
        Linux getusershell(3) is broken in Slackware 2.0 --
            from Andrew Pam of Xanadu Australia.
        More Linux tweaking from John Kennedy of California State
            University, Chico.
        Cray changes from Eric Wassenaar: ``On Cray, shorts,
            ints, and longs are all 64 bits, and all structs
            are multiples of 64 bits. This means that the
            sizeof operator returns only multiples of 8.
            This requires adaptation of code that really
            deals with 32 bit or 16 bit fields, such as IP
            addresses or nameserver fields.''
        DG/UX 5.4.3 from Mark T. Robinson <mtr@ornl.gov>. To
            get the old behavior, use -DDGUX_5_4_2.
        DG/UX hack: add _FORCE_MAIL_LOCAL_=yes environment
            variable to fix bogus /bin/mail behavior.
        Tandem NonStop-UX from Rick McCarty <mccarty@mpd.tandem.com>.
            This also cleans up some System V Release 4 compile
            problems.
        Solaris 2: sendmail.cw file should be in /etc/mail to
            match all the other configuration files. Fix
            from Glenn Barry of Emory University.
        Solaris 2.3: compile problem in conf.c. Fix from Alain
            Nissen of the University of Liege, Belgium.
        Ultrix: freespace calculation was incorrect. Fix from
            Takashi Kizu of Osaka University.
        SVR4: running in background gets a SIGTTOU because the
            emulation code doesn't realize that "getpeername"
            doesn't require reading the file. Fix from Peter
            Wemm of DIALix.
        Solaris 2.3: due to an apparent bug in the socket emulation
            library, sockets can get into a "wedged" state where
            they just return EPROTO; closing and re-opening the
            socket clears the problem. Fix from Bob Manson
            of Ohio State University.
        Hitachi 3050R & 3050RX running HI-UX/WE2: portability
            fixes from Akihiro Hashimoto ("Hash") of Chiba
            University.
        AIX changes to allow setproctitle to work from Rainer Schöpf
            of Zentrum für Datenverarbeitung der Universität
            Mainz.
        AIX changes for load average from Ed Ravin of NASA/Goddard.
        SCO Unix from Chip Rosenthal of Unicom (code was using the
            wrong statfs call).
        ANSI C fixes from Adam Glass (NetBSD project).
        Stardent Titan/ANSI C fixes from Kate Hedstrom of Rutgers
            University.
        DG-UX fixes from Bruce Nagel of Data General.
        IRIX64 updates from Mark Levinson of the University of
            Rochester Medical Center.
        Altos System V (``the first UNIX/XENIX merge the Altos
            did for their Series 1000 & Series 2000 line;
            their merged code was licensed back to AT&T and
            Microsoft and became System V release 3.2'') from
            Tim Rice <timr@crl.com>.
        OSF/1 running on Intel Paragon from Jeff A. Earickson
            <jeff@ssd.intel.com> of Intel Scalable Systems
            Division.
        Amdahl UTS System V 2.1.5 (SVr3-based) from Janet Jackson
            <janet@dialix.oz.au>.
        System V Release 4 (statvfs semantic fix) from Alain
            Durand of I.M.A.G.
        HP-UX 10.x multiprocessor load average changes from
            Scott Hutton and Jeff Sumler of Indiana University.
        Cray CSOS from Scott Bolte of Cray Computer Corporation.
        Unicos 8.0 from Douglas K. Rand of the University of North
            Dakota, Scientific Computing Center.
        Solaris 2.4 fixes from Sanjay Dani of Dani Communications.
        ConvexOS 11.0 from Christophe Wolfhugel.
        IRIX 4.0.5 from David Ashton-Reader of CADcentre.
        ISC UNIX from J. J. Bailey.
        HP-UX 9.xx on the 8xx series machines from Remy Giraud
            of Meteo France.
        HP-UX configuration from Tom Lane <tgl@sss.pgh.pa.us>.
        IRIX 5.2 and 5.3 from Kari E. Hurtta.
        FreeBSD 2.0 from Mike Hickey of Federal Data Corporation.
        Sony NEWS-OS 4.2.1R and 6.0.3 from Motonori Nakamura.
        Omron LUNA unios-b, mach from Motonori Nakamura.
        NEC EWS-UX/V 4.2 from Motonori Nakamura.
        NeXT 2.1 from Bryan Costales.
        AUX patch thanks to Mike Erwin of Apple Computer.
        HP-UX 10.0 from John Beck of Hewlett-Packard.
        Ultrix: allow -DBROKEN_RES_SEARCH=0 if you are using a
            non-DEC resolver. Suggested by Allan Johannesen.
        UnixWare 2.0 fixes from Petr Lampa of the Technical
            University of Brno (Czech Republic).
        KSR OS 1.2.2 support from Todd Miller of the University
            of Colorado.
        UX4800 support from Kazuhisa Shimizu of NEC.
    MAKEMAP: allow -d flag to allow insertion of duplicate aliases
        in type ``btree'' maps. The semantics of this are undefined
        for regular maps, but it can be useful for the user database.
    MAKEMAP: lock database file while rebuilding to avoid sendmail
        lookups while the rebuild is going on. There is a race
        condition between the open(... O_TRUNC ...) and the lock
        on the file, but it should be quite small.
    SMRSH: sendmail restricted shell added to the release. This can
        be used as an alternative to /bin/sh for the "prog" mailer,
        giving the local administrator more control over what
        programs can be run from sendmail.
    MAIL.LOCAL: add this local mailer to the tape. It is not really
        part of the release proper, and isn't fully supported; in
        particular, it does not run on System V based systems and
        never will.
    CONTRIB: a patch to rmail.c from Bill Gianopoulos of Raytheon
        to allow rmail to compile on systems that don't have
        function prototypes and systems that don't have snprintf.
    CONTRIB: add the "mailprio" scripts that will help you sort mailing
        lists by transaction delay times so that addresses that
        respond quickly get sent first. This is to prevent very
        sluggish servers from delaying other people's mail.
        Contributed by Tony Sanders of BSDI.
    CONTRIB: add the "bsdi.mc" file as contributed by Tony Sanders
        of BSDI. This has a lot of comments to help people out.
    CONFIG: Don't have .mc files include(../m4/cf.m4) -- instead,
        put this on the m4 command line.
        On GNU m4 (which
        supports the __file__ primitive) you can run m4 in an
        arbitrary directory -- use either:
            m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf
        or
            m4 -I${CFDIR} m4/cf.m4 config.mc > config.cf
        On other versions of m4 that don't support __file__, you
        can use:
            m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ...
        (Note the trailing slash on the _CF_DIR_ definition.)
        Old versions of m4 will default to _CF_DIR_=.. for back
        compatibility.
    CONFIG: fix mail from <> so it will properly convert to
        MAILER-DAEMON on local addresses.
    CONFIG: fix code that was supposed to catch colons in host
        names. Problem noted by John Gardiner Myers of CMU.
    CONFIG: allow use of SMTP_MAILER_MAX in nullclient configuration.
        From Paul Riddle of the University of Maryland, Baltimore
        County.
    CONFIG: Catch and reject "." as a host address.
    CONFIG: Generalize domaintable to look up all domains, not
        just unqualified ones.
    CONFIG: Delete OLD_SENDMAIL support -- as near as I can tell, it
        was never used and didn't work anyway.
    CONFIG: Set flags A, w, 5, :, /, |, and @ on the "local" mailer
        and d on all mailers in the UUCP class.
    CONFIG: Allow "user+detail" to be aliased specially: it will first
        look for an alias for "user+detail", then for "user+*", and
        finally for "user". This is intended for forwarding mail
        for system aliases such as root and postmaster to a
        centralized hub.
    CONFIG: add confEIGHT_BIT_HANDLING to set option 8 (see above).
    CONFIG: add smtp8 mailer; this has the F=8 (just-send-8) flag set.
        The F=8 flag is also set on the "relay" mailer, since
        this is expected to be another sendmail.
    CONFIG: avoid qualifying all UUCP addresses sent via SMTP with
        the name of the UUCP_RELAY -- in some cases, this is the
        wrong value (e.g., when we have local UUCP connections),
        and this can create unreplyable addresses.
        From Chip
        Rosenthal of Unicom.
    CONFIG: add confRECEIVED_HEADER to change the format of the
        Received: header inserted into all messages. Suggested by
        Gary Mills of the University of Manitoba.
    CONFIG: Make "notsticky" the default; use FEATURE(stickyhost)
        to get the old behavior. I did this upon observing
        that almost everyone needed this feature, and that the
        concept I was trying to make happen didn't work with
        some user agents anyway. FEATURE(notsticky) still works,
        but it is a no-op.
    CONFIG: Add LUSER_RELAY -- the host to which unrecognized user
        names are sent, rather than immediately diagnosing them
        as User Unknown.
    CONFIG: Add SMTP_MAILER_ARGS, ESMTP_MAILER_ARGS, SMTP8_MAILER_ARGS,
        and RELAY_MAILER_ARGS to set the arguments for the
        indicated mailers. All default to "IPC $h". Patch from
        Larry Parmelee of Cornell University.
    CONFIG: pop mailer needs F=n flag to avoid "annoying side effects
        on the client side" and F=P to get an appropriate
        return-path. From Kimmo Suominen.
    CONFIG: add FEATURE(local_procmail) to use the procmail program
        as the local mailer. For addresses of the form "user+detail"
        the "detail" part is passed to procmail via the -a flag.
        Contributed by Kimmo Suominen.
    CONFIG: add MAILER(procmail) to add an interface to procmail for
        use from mailertables. This lets you execute arbitrary
        procmail scripts. Contributed by Kimmo Suominen.
    CONFIG: add T= fields (MTS type) to local, smtp, and uucp mailers.
    CONFIG: add OSTYPE(ptx2) for DYNIX/ptx 2.x from Sequent. From
        Paul Southworth of CICNet Systems Support.
    CONFIG: use -a$g as default to UUCP mailers, instead of -a$f.
        This causes the null return path to be rewritten as
        MAILER-DAEMON; otherwise UUCP gets horribly confused.
        From Michael Hohmuth of Technische Universität Dresden.
    CONFIG: Add FEATURE(bestmx_is_local) to cause any hosts that
        list us as the best possible MX record to be treated as
        though they were local (essentially, assume that they
        are included in $=w). This can cause additional DNS
        traffic, but is easier to administer if this fits your
        local model. It does not work reliably if there are
        multiple hosts that share the best MX preference.
        Code contributed by John Oleynick of Rutgers.
    CONFIG: Add FEATURE(smrsh) to use smrsh (the SendMail Restricted
        SHell) instead of /bin/sh as the program used for delivery
        to programs. If an argument is included, it is used as
        the path to smrsh; otherwise, /usr/local/etc/smrsh is
        assumed.
    CONFIG: Add LOCAL_MAILER_MAX and PROCMAILER_MAILER_MAX to limit the
        size of messages to the local and procmail mailers
        respectively. Contributed by Brad Knowles of the Defense
        Information Systems Agency.
    CONFIG: Handle leading ``phrase:'' and trailing ``;'' as comments
        (just like text outside of angle brackets) in order to
        properly deal with ``group: addr1, ... addrN;'' syntax.
    CONFIG: Require OSTYPE macro (the defaults really don't apply to
        any real systems any more) and tweak the DOMAIN macro
        so that it is less likely that users will accidentally use
        the Berkeley defaults. Also, create some generic files
        that really can be used in the real world.
    CONFIG: Add new configuration macros to set character sets for
        messages _arriving from_ various mailers: LOCAL_MAILER_CHARSET,
        SMTP_MAILER_CHARSET, and UUCP_MAILER_CHARSET.
    CONFIG: Change UUCP_MAX_SIZE to UUCP_MAILER_MAX for consistency.
        The old name will still be accepted for a while at least.
    CONFIG: Implement DECNET_RELAY as spec for host to which DECNET
        mail (.DECNET pseudo-domain or node::user) will be sent.
        As with all relays, it can be ``mailer:hostname''. Suggested
        by Scott Hutton.
    CONFIG: Add MAILER(mail11) to get DECnet support. Code contributed
        by Barb Dijker of Labyrinth Computer Services.
    CONFIG: change confCHECK_ALIASES to default to False -- it has poor
        performance for large alias files, and this confused many
        people.
    CONFIG: Add confCF_VERSION to append local information to the
        configuration version number displayed during SMTP startup.
    CONFIG: fix some.newsgroup.usenet@local.host syntax (previously it
        would only work when locally addressed). Fix from
        Edvard Tuinder of Cistron Internet Services.
    CONFIG: use ${opMode} to avoid error on .REDIRECT addresses if option
        "n" (CheckAliases) is set when rebuilding alias database.
        Based on code contributed by Claude Marinier.
    CONFIG: Allow mailertable to have values of the form
        ``error:code message''. The ``code'' is a status code
        derived from the sysexits codes -- e.g., NOHOST or UNAVAILABLE.
        Contributed by David James <dwj@agw.bt.co.uk>.
    CONFIG: add MASQUERADE_DOMAIN(domain list) to extend the list of
        sender domains that will be replaced with the masquerade name.
        These domains will not be treated as local, but if mail passes
        through with sender addresses in those domains they will be
        replaced by the masquerade name. These can also be specified
        in a file using MASQUERADE_DOMAIN_FILE(filename).
    CONFIG: add FEATURE(masquerade_envelope) to masquerade the envelope
        as well as the header. Substantial improvements to this
        code were contributed by Per Hedeland.
    CONFIG: add MAILER(phquery) to define a new "ph" mailer; this can be
        accessed from a mailertable to do CCSO ph lookups. Contributed
        by Kimmo Suominen.
    CONFIG: add MAILER(cyrus) to define a new Cyrus mailer; this can be
        used to define cyrus and cyrusbb mailers (for IMAP support).
        Contributed by John Gardiner Myers of Carnegie Mellon.
    CONFIG: add confUUCP_MAILER to select default mailer to use for
        UUCP addressing. Suggested by Tom Moore of AT&T GIS.
    NEW FILES:
        cf/cf/cs-hpux10.mc
        cf/cf/cs-solaris2.mc
        cf/cf/cyrusproto.mc
        cf/cf/generic-bsd4.4.mc
        cf/cf/generic-hpux10.mc
        cf/cf/generic-hpux9.mc
        cf/cf/generic-osf1.mc
        cf/cf/generic-solaris2.mc
        cf/cf/generic-sunos4.1.mc
        cf/cf/generic-ultrix4.mc
        cf/cf/huginn.cs.mc
        cf/domain/berkeley-only.m4
        cf/domain/generic.m4
        cf/feature/bestmx_is_local.m4
        cf/feature/local_procmail.m4
        cf/feature/masquerade_envelope.m4
        cf/feature/smrsh.m4
        cf/feature/stickyhost.m4
        cf/feature/use_ct_file.m4
        cf/m4/cfhead.m4
        cf/mailer/cyrus.m4
        cf/mailer/mail11.m4
        cf/mailer/phquery.m4
        cf/mailer/procmail.m4
        cf/ostype/amdahl-uts.m4
        cf/ostype/bsdi2.0.m4
        cf/ostype/hpux10.m4
        cf/ostype/irix5.m4
        cf/ostype/isc4.1.m4
        cf/ostype/ptx2.m4
        cf/ostype/unknown.m4
        contrib/bsdi.mc
        contrib/mailprio
        contrib/rmail.oldsys.patch
        mail.local/mail.local.0
        makemap/makemap.0
        smrsh/README
        smrsh/smrsh.0
        smrsh/smrsh.8
        smrsh/smrsh.c
        src/Makefiles/Makefile.CSOS
        src/Makefiles/Makefile.EWS-UX_V
        src/Makefiles/Makefile.HP-UX.10
        src/Makefiles/Makefile.IRIX.5.x
        src/Makefiles/Makefile.IRIX64
        src/Makefiles/Makefile.ISC
        src/Makefiles/Makefile.KSR
        src/Makefiles/Makefile.NEWS-OS.4.x
        src/Makefiles/Makefile.NEWS-OS.6.x
        src/Makefiles/Makefile.NEXTSTEP
        src/Makefiles/Makefile.NonStop-UX
        src/Makefiles/Makefile.Paragon
        src/Makefiles/Makefile.SCO.3.2v4.2
        src/Makefiles/Makefile.SunOS.5.3
        src/Makefiles/Makefile.SunOS.5.4
        src/Makefiles/Makefile.SunOS.5.5
        src/Makefiles/Makefile.UNIX_SV.4.x.i386
        src/Makefiles/Makefile.uts.systemV
        src/Makefiles/Makefile.UX4800
        src/aliases.0
        src/mailq.0
        src/mime.c
        src/newaliases.0
        src/sendmail.0
        test/t_seteuid.c
    RENAMED FILES:
        cf/cf/alpha.mc => cf/cf/s2k-osf1.mc
        cf/cf/chez.mc => cf/cf/chez.cs.mc
        cf/cf/hpux-cs-exposed.mc => cf/cf/cs-hpux9.mc
        cf/cf/osf1-cs-exposed.mc => cf/cf/cs-osf1.mc
        cf/cf/s2k.mc => cf/cf/s2k-ultrix4.mc
        cf/cf/sunos4.1-cs-exposed.mc => cf/cf/cs-sunos4.1.mc
        cf/cf/ultrix4.1-cs-exposed.mc => cf/cf/cs-ultrix4.mc
        cf/cf/vangogh.mc => cf/cf/vangogh.cs.mc
        cf/domain/Berkeley.m4 => cf/domain/Berkeley.EDU.m4
        cf/domain/cs-exposed.m4 => cf/domain/CS.Berkeley.EDU.m4
        cf/domain/eecs-hidden.m4 => cf/domain/EECS.Berkeley.EDU.m4
        cf/domain/s2k.m4 => cf/domain/S2K.Berkeley.EDU.m4
        cf/ostype/hpux.m4 => cf/ostype/hpux9.m4
        cf/ostype/irix.m4 => cf/ostype/irix4.m4
        cf/ostype/ultrix4.1.m4 => cf/ostype/ultrix4.m4
        src/Makefile.* => src/Makefiles/Makefile.*
        src/Makefile.AUX => src/Makefiles/Makefile.A-UX
        src/Makefile.BSDI => src/Makefiles/Makefile.BSD-OS
        src/Makefile.DGUX => src/Makefiles/Makefile.dgux
        src/Makefile.RISCos => src/Makefiles/Makefile.UMIPS
        src/Makefile.SunOS.4.0.3 => src/Makefiles/Makefile.SunOS.4.0
    OBSOLETED FILES:
        cf/cf/cogsci.mc
        cf/cf/cs-exposed.mc
        cf/cf/cs-hidden.mc
        cf/cf/hpux-cs-hidden.mc
        cf/cf/knecht.mc
        cf/cf/osf1-cs-hidden.mc
        cf/cf/sunos3.5-cs-exposed.mc
        cf/cf/sunos3.5-cs-hidden.mc
        cf/cf/sunos4.1-cs-hidden.mc
        cf/cf/ultrix4.1-cs-hidden.mc
        cf/domain/cs-hidden.m4
        contrib/rcpt-streaming
        src/Makefiles/Makefile.SunOS.5.x

8.6.13/8.6.12 96/01/25
    SECURITY: In some cases it was still possible for an attacker to
        insert newlines into a queue file, thus allowing access to
        any user (except root).
    CONFIG: no changes -- it is not a bug that the configuration
        version number is unchanged.

8.6.12/8.6.12 95/03/28
    Fix to IDENT code (it was getting the size of the reply buffer
        too small, so nothing was ever accepted).
        Fix from several
        people, including Allan Johannesen, Shane Castle of the
        Boulder County Information Services, and Jeff Smith of
        Warwick University (all arrived within a few hours of
        each other!).
    Fix a problem that could cause large jobs to run out of
        file descriptors on systems that use vfork() rather
        than fork().

8.6.11/8.6.11 95/03/08
    The ``possible attack'' message would be logged more often
        than necessary if you are using Pine as a user agent.
    The wrong host would be reported in the ``possible attack''
        message when attempted from IDENT.
    In some cases the syslog buffer could be overflowed when
        reporting the ``possible attack'' message. This can
        cause denial of service attacks. Truncate the message
        to 80 characters to prevent this problem.
    When reading the IDENT response a loop is needed around the
        read from the network to ensure that you don't get
        partial lines.
    Password entries without any shell listed (that is, a null
        shell) wouldn't match as "ok". Problem noted by
        Rob McMahon.
    When running BIND 4.9.x a problem could occur because the
        _res.options field is initialized differently than it
        was historically -- this requires that sendmail call
        res_init before it tweaks any bits.
    Fix an incompatibility in openxscript() between the file open mode
        and the stdio mode passed to fdopen. This caused UnixWare
        2.0 to have conniptions. Fix from Martin Sohnius of
        Novell Labs Europe.
    Fix problem with static linking of local getopt routine when
        using GNU's ld command. Fix from John Kennedy of
        Cal State Chico.
    It was possible to turn off privacy flags. Problem noted by
        *Hobbit*.
    Be more paranoid about writing files. Suggestions by *Hobbit*
        and Liudvikas Bukys.
    MAKEMAP: fixes for 64 bit machines (DEC Alphas in particular)
        from Spider Boardman.
    CONFIG: No changes (version number only, to keep it in sync
        with the binaries).

8.6.10/8.6.10 95/02/10
    SECURITY: Diagnose bogus values to some command line flags that
        could allow trash to get into headers and qf files.
    Validate the name of the user returned by the IDENT protocol.
        Some systems that really dislike IDENT send intentionally
        bogus information. Problem pointed out by Michael Bushnell
        of the Free Software Foundation. Has some security
        implications.
    Fix a problem causing error messages about DNS problems when
        the host name contained a percent sign to act oddly
        because it was passed as a printf-style format string.
        In some cases this could cause core dumps.
    Avoid possible buffer overrun in returntosender() if error
        message is quite long. From Fletcher Mattox of the
        University of Texas.
    Fix a problem that would silently drop "too many hops" error
        messages if and only if you were sending to an alias.
        From Jon Giltner of the University of Colorado and
        Dan Harton of Oak Ridge National Laboratory.
    Fix a bug that caused core dumps on some systems if -d11.2 was
        set and e->e_message was null. Fix from Bruce Nagel of
        Data General.
    Fix problem that can still cause df files to be left around
        after "hop count exceeded" messages. Fix from Andrew
        Chang and Shau-Ping Lo of SunSoft.
    Fix a problem that can cause buffer overflows on very long
        user names (as might occur if you piped to a program
        with a lot of arguments).
    Avoid returning an error and re-queueing if the host signature
        is null; this can occur on addresses like ``user@.''.
        Problem noted by Wesley Craig and the University of
        Michigan.
    Avoid possible calls to malloc(0) if MCI caching is turned
        off.
        Bug fix from Pierre David of the Laboratoire
        Parallelisme, Reseaux, Systemes et Modelisation (PRiSM),
        Universite de Versailles - St Quentin, and Jacky
        Thibault.
    Make a local copy of the line being sent via senttolist() -- in
        some cases, buffers could get trashed by map lookups
        causing it to do unexpected things. This also simplifies
        some of the map code.
    CONFIG: No changes (version number only, to keep it in sync
        with the binaries).

8.6.9/8.6.9 94/04/19
    Do all mail delivery completely disconnected from any terminal.
        This provides consistency with daemon delivery and
        may have some security implications.
    Make sure that malloc doesn't get called with zero size,
        since that fails on some systems. Reported by Ed
        Hill of the University of Iowa.
    Fix multi-line values for $e (SMTP greeting message). Reported
        by Mike O'Connor of Ford Motor Company.
    Avoid syserr if no NIS domain name is defined, but the map it
        is trying to open is optional. From Win Bent of USC.
    Changes for picky compilers from Ed Gould of Digital Equipment.
    Hesiod support for UDB from Todd Miller of the University of
        Colorado. Use "hesiod" as the service name in the U
        option.
    Fix a problem that failed to set the "authentic" host name (that
        is, the one derived from the socket info) if you called
        sendmail -bs from inetd. Based on code contributed by
        Todd Miller (this problem was also reported by Guy Helmer
        of Dakota State University). This also fixes a related
        problem reported by Liudvikas Bukys of the University of
        Rochester.
    Parameterize "nroff -h" in all the Makefiles so people with
        variant versions can use them easily. Suggested by
        Peter Collinson of Hillside Systems.
    SMTP "MAIL" commands with multiple ESMTP parameters required two
        spaces between parameters instead of one. Reported by
        Valdis Kletnieks of Virginia Tech.
    Reduce the number of system calls during message collection by
        using global timeouts around the collect() loop. This
        code was contributed by Eric Wassenaar.
    If the initial host name gathering results in a name
        without a dot (usually caused by NIS misconfiguration)
        and BIND is compiled in, directly access DNS to get
        the canonical name. This should make life easier for
        Solaris systems. If it still can't be resolved, and
        if the name server is listed as "required", try again
        in 30 seconds. If that also fails, exit immediately to
        avoid bogus "config error: mail loops back to myself"
        messages.
    Improve the "MAIL DELETED BECAUSE OF LACK OF DISK SPACE" error
        message to explain how much space was available and
        sound a bit less threatening. Suggested by Stan Janet
        of the National Institute of Standards and Technology.
    If mail is delivered to an alias that has an owner, deliver any
        requested return-receipt immediately, and strip the
        Return-Receipt-To: header from the subsequent message.
        This prevents a certain class of denial of service
        attack, arguably gives more reasonable semantics, and
        moves things more towards what will probably become a
        network standard. Suggested by Christopher Davis of
        Kapor Enterprises.
    Add a "noreceipts" privacy flag to turn off all return receipts
        without recompiling.
    Avoid printing ESMTP parameters as part of the error message
        if there are errors during parsing. This change is
        purely cosmetic.
    Avoid sending out error messages during the collect phase of
        SMTP; there is an MVS mailer from UCLA that gets
        confused by this. Of course, I think it's their bug....
    Check for the $j macro getting undefined, losing a dot, or getting
        lost from $=w in the daemon before accepting a connection;
        if it is, it dumps state, prints a LOG_ALERT message,
        and drops core for debugging.
        This is an attempt to
        track down a bug that I thought was long since gone.
        If you see this, please forward the log fragment to
        sendmail@sendmail.ORG.
    Change OLD_NEWDB from a #ifdef to a #if so it can be turned off
        with -DOLD_NEWDB=0 on the command line. From Christophe
        Wolfhugel.
    Instead of trying to truncate the listen queue for the server
        SMTP port when the load average is too high, just close
        the port completely and reopen it later as needed.
        This ensures that the other end gets a quick "connection
        refused" response, and that the connection can be
        recovered later. In particular, some socket emulations
        seem to get confused if you tweak the listen queue
        size around and can never start listening to connections
        again. The down side is that someone could start up
        another daemon process in the interim, so you could
        have multiple daemons all not listening to connections;
        this could in turn cause the sendmail.pid file to be
        incorrect. A better approach might be to accept the
        connection and give a 421 code, but that could break
        other mailers in mysterious ways and have paging behavior
        implications.
    Fix a glitch in TCP-level debugging that caused flag 16.101 to
        set debugging on the wrong socket. From Eric Wassenaar.
    When creating a df* temporary file, be sure you truncate any
        existing data in the file -- otherwise system crashes
        and the like could result in extra data being sent.
    DOC: Replace the CHANGES-R5-R8 readme file with a paper in the
        doc directory. This includes some additional
        information.
    CONFIG: change UUCP rules to never add $U! or $k! on the front
        of recipient envelope addresses. This should have been
        handled by the $&h trick, but broke if people were
        mixing domainized and UUCP addresses.
        They should
        probably have converted all the way over to uucp-uudom
        instead of uucp-{new,old}, but the failure mode was to
        loop the mail, which was bad news.
    Portability fixes:
        Newer BSDI systems (several people).
        Older BSDI systems from Christophe Wolfhugel.
        Intergraph CLIX, from Paul Southworth of CICNet.
        UnixWare, from Evan Champion.
        NetBSD from Adam Glass.
        Solaris from Quentin Campbell of the University of
            Newcastle upon Tyne.
        IRIX from Dean Cookson and Bill Driscoll of Mitre
            Corporation.
        NCR 3000 from Kevin Darcy of Chrysler Financial Corporation.
        SunOS (it has setsid() and setvbuf() calls) from
            Jonathan Kamens of OpenVision Technologies.
        HP-UX from Tor Lillqvist.
    New Files:
        src/Makefile.CLIX
        src/Makefile.NCR3000
        doc/changes/Makefile
        doc/changes/changes.me
        doc/changes/changes.ps

8.6.8/8.6.6 94/03/21
    SECURITY: it was possible to read any file as root using the
        E (error message) option. Reported by Richard Jones;
        fixed by Michael Corrigan and Christophe Wolfhugel.

8.6.7/8.6.6 94/03/14
    SECURITY: it was possible to get root access by using weird
        values to the -d flag. Thanks to Alain Durand of
        INRIA for forwarding me the notice from the bugtraq
        list.

8.6.6/8.6.6 94/03/13
    SECURITY: the ability to give files away on System V-based
        systems proved dangerous -- don't run as the owner
        of a :include: file on a system that allows giveaways.
        Unfortunately, this also applies to determining a
        valid shell.
    IMPORTANT: Previous versions weren't expiring old connections
        in the connection cache for a long time under some
        circumstances. This could result in resource exhaustion,
        both at your end and at the other end. This checks the
        connections for timeouts much more frequently. From
        Doug Anderson of NCSC.
    Fix a glitch that snuck in that caused programs to be run as
        the sender instead of the recipient if the mail was
        from a local user to another local user. From
        Motonori Nakamura of Kyoto University.
    Fix "wildcard" on /etc/shells matching -- instead of looking
        for "*", look for "/SENDMAIL/ANY/SHELL/". From
        Bryan Costales of ICSI.
    Change the method used to declare the "statfs" availability;
        instead of HASSTATFS and/or HASUSTAT with a ton of
        tweaking in conf.c, there is a single #define called
        SFS_TYPE which takes on one of six values (SFS_NONE
        for no statfs availability, SFS_USTAT for the ustat(2)
        syscall, SFS_4ARGS for a four argument statfs(2) call,
        and SFS_VFS, SFS_MOUNT, or SFS_STATFS for a two argument
        statfs(2) call with the declarations in <sys/vfs.h>,
        <sys/mount.h>, or <sys/statfs.h> respectively).
    Fix glitch in NetInfo support that could return garbage if
        there was no "/locations/sendmail" property. From
        David Meyer of the University of Virginia.
    Change HASFLOCK from defined/not-defined to a 0/1 definition
        to allow Linux to turn it off even though it is a
        BSD-like system.
    Allow setting of "ident" timeout to zero to turn off the ident
        protocol entirely.
    Make 7-bit stripping local to a connection (instead of to a
        mailer); this allows you to specify that SMTP is a
        7-bit channel, but revert to 8-bit should it advertise
        that it supports 8BITMIME. You still have to specify
        mailer flag 7 to get this stripping at all.
    Improve makesendmail script so it handles more cases automatically.
    Tighten up restrictions on taking ownership of :include: files
        to avoid problems on systems that allow you to give away
        files.
    Fix a problem that made it impossible to rebuild the alias
        file if it was on a read-only file system. From
        Harry Edmon of the University of Washington.
        Improve MX randomization function. From John Gardiner Myers
                of CMU.
        Fix a minor glitch causing a bogus message to be printed (used
                %s instead of %d in a printf string for the line number)
                when a bad queue file was read. From Harry Edmon.
        Allow $s to remain NULL on locally generated mail. I'm not
                sure this is necessary, but a lot of people have complained
                about it, and there is a legitimate question as to whether
                "localhost" is legal as an 822-style domain.
        Fix a problem with very short line lengths (mailer L= flag) in
                headers. This causes a leading space to be added onto
                continuation lines (including in the body!), and also
                tries to wrap headers containing addresses (From:, To:,
                etc) intelligently at the shorter line lengths. Problem
                reported by Lars-Johan Liman of SUNET Operations Center.
        Log the real user name when logging syserrs, since these can have
                security implications. Suggested by several people.
        Fix address logging of cached connections -- it used to always
                log the numeric address as zero. This is a somewhat
                bogus implementation in that it does an extra system
                call, but it should be an inexpensive one. Fix from
                Motonori Nakamura.
        Tighten up handling of short syslog buffers even more -- there
                were cases where the outgoing relay= name was too long
                to share a line with delay= and mailer= logging.
        Limit the overhead on split envelopes to one open file descriptor
                per envelope -- previously the overhead was three
                descriptors. This was in response to a problem reported
                by Pär (Pell) Emanuelsson.
        Fixes to better handle the case of unexpected connection closes;
                this redirects the output to the transcript so the info
                is not lost. From Eric Wassenaar.
        Fix potential string overrun if you macro evaluate a string that
                has a naked $ at the end. Problem noted by James Matheson
                <jmrm@eng.cam.ac.uk>.
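The naked-$ overrun fixed in the entry above, shown as an added example (not sendmail's own code): a simplified single-letter macro expander that checks for the end of the string before reading a macro name and bounds every write. The macro table, its values and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical macro table with constructed values; names are single
 * letters, as in the $j and $w macros mentioned in these notes. */
struct macro { char name; const char *value; };

static const struct macro MACROS[] = {
    { 'j', "mail.example.com" },
    { 'w', "mail" },
};

/* Look up a macro; an undefined macro expands to the empty string. */
static const char *macro_value(char name)
{
    size_t i;

    for (i = 0; i < sizeof MACROS / sizeof MACROS[0]; i++)
        if (MACROS[i].name == name)
            return MACROS[i].value;
    return "";
}

/*
 * Expand "$x" references from `in` into `out`, which holds `outsz` bytes.
 * Returns the expanded length, or -1 if the result does not fit.
 */
long expand_macros(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0)
        return -1;
    while (*in != '\0') {
        const char *piece;
        size_t len;

        if (*in == '$' && in[1] == '\0') {
            /*
             * Naked '$' at the end.  The overrun pattern is to treat in[1]
             * as a macro name unconditionally and advance by two, which
             * steps over the terminating NUL and keeps scanning whatever
             * follows the string.  Copying the '$' literally is this
             * example's choice (an assumption, not documented behaviour).
             */
            piece = in;
            len = 1;
            in += 1;
        } else if (*in == '$') {
            piece = macro_value(in[1]);
            len = strlen(piece);
            in += 2;
        } else {
            piece = in;
            len = 1;
            in += 1;
        }
        /* Keep one byte for the terminator; n < outsz always holds here. */
        if (len >= outsz - n)
            return -1;
        memcpy(out + n, piece, len);
        n += len;
    }
    out[n] = '\0';
    return (long)n;
}
```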
        Make default error number on $#error messages 553 (``Requested
                action not taken: mailbox name not allowed'') instead of
                501 (``Syntax error in parameters or arguments'') to
                avoid bogus "protocol error" messages.
        Strip off any existing trailing dot on names during $[ ... $]
                lookup. This prevents it from ending up with two dots
                on the end of dot terminated names. From Wesley Craig
                of the University of Michigan and Bryan Costales of ICSI.
        Clean up file class reading so that the debugging information is
                more informative. It hadn't been using setclass, so you
                didn't see the class items being added.
        Avoid core dump if you are running a version of sendmail where
                NIS is compiled in, and you specify an NIS map, but
                NIS is not running. Fix from John Oleynick of
                Rutgers.
        Diagnose bizarre case where res_search returns a failure value,
                but sets h_errno to a success value.
        Make sure that "too many hops" messages are considered important
                enough to send an error to the Postmaster (that is, the
                address specified in the P option). This fix should
                help problems that cause the df file to be left around
                sometimes -- unfortunately, I can't seem to reproduce
                the problem myself.
        Avoid core dump (null pointer reference) on EXPN command; this
                only occurred if your log level was set to 10 or higher
                and the target account was an alias or had a .forward file.
                Problem noted by Janne Himanka.
        Avoid "denial of service" attacks by someone who is flooding your
                SMTP port with bad commands by shutting the connection
                after 25 bad commands are issued. From Kyle Jones of
                UUNET.
        Fix core dump on error messages with very long "to" buffers;
                fmtmsg overflows the message buffer. Fixed by trimming
                the to address to 203 characters. Problem reported by
                John Oleynick.
        Fix configuration for HASFLOCK -- there were some spots where
                a #ifndef was incorrectly #ifdef. Pointed out by
                George Baltz of the University of Maryland.
        Fix a typo in savemail() that could cause the error message To:
                lists to be incorrect in some places. From Motonori
                Nakamura.
        Fix a glitch that can cause duplicate error messages on split
                envelopes where an address on one of the lists has a
                name server failure. Fix from Voradesh Yenbut of the
                University of Washington.
        Fix possible bogus pointer reference on ESMTP parameters that
                don't have an ``=value'' part.
        CNAME loops caused an error message to be generated, but also
                re-queued the message. Changed to just re-queue the
                message (it's really hard to just bounce it because
                of the weird way the name server works in the presence
                of CNAME loops). Problem noted by James M.R.Matheson
                of Cambridge University.
        Avoid giving ``warning: foo owned process doing -bs'' messages
                if they use ``MAIL FROM:<foo>'' where foo is their true
                user name. Suggested by Andreas Stolcke of ICSI.
        Change the NAMED_BIND compile flag to be a 0/1 flag so you can
                override it easily in the Makefile -- that is, you can
                turn it off using -DNAMED_BIND=0.
        If a gethostbyname(...) of an address with a trailing dot fails,
                try it without the trailing dot. This is because if
                you have a version of gethostbyname() that falls back
                to NIS or the /etc/hosts file it will fail to find
                perfectly reasonable names that just don't happen to
                be dot terminated in the hosts file. You don't want to
                strip the dot first though because we're trying to ensure
                that country names that match one of your subdomains get
                a chance.
        PRALIASES: fix bogus output on non-null-terminated strings.
                From Bill Gianopoulos of Raytheon.
        CONFIG: Avoid rewriting anything that matches $w to be $j.
                This was in code intended to only catch the self-literal
                address (that is, [1.2.3.4], where 1.2.3.4 is your
                IP address), but the code was broken. However, it will
                still do this if $M is defined; this is necessary to
                get client configurations to work (sigh). Note that this
                means that $M overrides :mailname entries in the user
                database! Problem noted by Paul Southworth.
        CONFIG: Fix definition of Solaris help file location. From
                Steve Cliffe <steve@gorgon.cs.uow.edu.au>.
        CONFIG: Fix bug that broke news.group.USENET mappings.
        CONFIG: Allow declaration of SMTP_MAILER_MAX, FAX_MAILER_MAX,
                and USENET_MAILER_MAX to tweak the maximum message
                size for various mailers.
        CONFIG: Change definition of USENET_MAILER_ARGS to include argv[0]
                instead of assuming that it is "inews" for consistency
                with other mailers. From Michael Corrigan of UC San Diego.
        CONFIG: When mail is forwarded to a LOCAL_RELAY or a MAIL_HUB,
                qualify the address in the SMTP envelope as user@{relay|hub}
                instead of user@$j. From Bill Wisner of The Well.
        CONFIG: Fix route-addr syntax in nullrelay configuration set.
        CONFIG: Don't turn off case mapping of user names in the local
                mailer for IRIX. This was different than most every other
                system.
        CONFIG: Avoid infinite loops on certain list:; syntaxes in
                envelope. Noted by Thierry Besancon
                <besancon@excalibur.ens.fr>.
        CONFIG: Don't include -z by default on uux line -- most systems
                don't want it set by default. Pointed out by Philippe
                Michel of Thomson CSF.
        CONFIG: Fix some bugs with mailertables -- for example, if your
                host name was foo.bar.ray.com and you matched against
                ".ray.com", the old implementation bound %1 to "bar"
                instead of "foo.bar". Also, allow "." in the mailertable
                to match anything -- essentially, take over SMART_HOST.
                This also moves matching of explicit local host names
                before the mailertable so they don't have to be special
                cased in the mailertable data. Reported by Bill
                Gianopoulos of Raytheon; the fix for the %1 binding
                problem was contributed by Nicholas Comanos of the
                University of Sydney.
        CONFIG: Don't include "root" in class $=L (users to deliver
                locally, even if a hub or relay exists) by default.
                This is because of the known bug where definition of
                both a LOCAL_RELAY and a MAIL_HUB causes $=L to ignore
                both and deliver into the local mailbox.
        CONFIG: Move up bitdomain and uudomain handling so that they
                are done before .UUCP class matching; uudomain was
                reported as ineffective before. This also frees up
                diversion 8 for future use. Problem reported by Kimmo
                Suominen.
        CONFIG: Don't try to convert dotted IP address (e.g., [1.2.3.4])
                into host names. As pointed out by Jonathan Kamens,
                these are often used because either the forward or reverse
                mapping is broken; this translation makes it broken again.
        DOC: Clarify $@ and $: in the Install & Op Guide. From Kimmo
                Suominen.
        Portability fixes:
                Unicos from David L. Kensiski of Sterling Software.
                DomainOS from Don Lewis of Silicon Systems.
                GNU m4 1.0.3 from Karst Koymans of Utrecht University.
                Convex from Kimmo Suominen <kim@tac.nyc.ny.us>.
                NetBSD from Adam Glass <glass@sun-lamp.cs.berkeley.edu>.
                BSD/386 from Tony Sanders of BSDI.
                Apollo from Eric Wassenaar.
                DGUX from Doug Anderson.
                Sequent DYNIX/ptx 2.0 from Tim Wright of Sequent.
        NEW FILES:
                src/Makefile.DomainOS
                src/Makefile.PTX
                src/Makefile.SunOS.5.1
                src/Makefile.SunOS.5.2
                src/Makefile.SunOS.5.x
                src/mailq.1
                cf/ostype/domainos.m4
                doc/op/Makefile
                doc/intro/Makefile
                doc/usenix/Makefile

8.6.5/8.6.5    94/01/13
        Security fix: /.forward could be owned by anyone (the test
                to allow root to own any file was backwards). From
                Bob Campbell at U.C. Berkeley.
        Security fix: group ids were not completely set when programs
                were invoked. This caused programs to have group
                permissions they should not have had (usually group
                daemon instead of their own group). In particular,
                Perl scripts would refuse to run.
        Security: check to make sure files that are written are not
                symbolic links (at least under some circumstances).
                Although this does not respond to a specific known
                attack, it's just a good idea. Suggested by
                Christian Wettergren.
        Security fix: if a user had an NFS mounted home directory on
                a system with a restricted shell listed in their
                /etc/passwd entry, they could still execute any
                program by putting that in their .forward file.
                This fix prevents that by insisting that their shell
                appear in /etc/shells before allowing a .forward to
                execute a program or write a file. You can disable
                this by putting "*" in /etc/shells. It also won't
                permit world-writable :include: files to reference
                programs or files (there's no way to disable this).
                These behaviors are only one level deep -- for
                example, it is legal for a world-writable :include:
                file to reference an alias that writes a file, on
                the assumption that the alias file is well controlled.
        Security fix: root was not treated suspiciously enough when
                looking into subdirectories.
                This would potentially
                allow a cracker to examine files that were publicly
                readable but in a non-publicly searchable directory.
        Fix a problem that causes an error on QUIT on a cached
                connection to create problems on the current job.
                These are typically unrelated, so errors occur in
                the wrong place.
        Reset CurrentLA in sendall() -- this makes sendmail queue
                runs more responsive to load average, and fixes a
                problem that ignored the load average in locally
                generated mail. From Eric Wassenaar.
        Fix possible core dump on aliases with null LHS. From
                John Orthoefer of BB&N.
        Revert to using flock() whenever possible -- there are just
                too many bugs in fcntl() locking, particularly over
                NFS, that cause sendmail to fail in perverse ways.
        Fix a bug that causes the connection cache to get confused
                when sending error messages. This resulted in
                "unexpected close" messages. It should fix itself
                on the following queue run. Problem noted by
                Liudvikas Bukys of the University of Rochester.
        Include $k in $=k as documented in the Install & Op Guide.
                This seems odd, but it was documented.... From
                Michael Corrigan of UCSD.
        Fix problem that caused :include:s from alias files to be
                forced to be owned by root instead of daemon
                (actually DefUid). From Tim Irvin.
        Diagnose unrecognized I option values -- from Mortin Forssen
                of the Chalmers University of Technology.
        Make "error" mailer work consistently when there is no error
                code associated with it -- previously it returned OK
                even though there was a real problem. Now it assumes
                EX_UNAVAILABLE.
        Fix bug that caused the last header line of messages that had
                no body and which were terminated with EOF instead of
                "." to be discarded. Problem noted by Liudvikas Bukys.
        Fix core dump on SMTP mail to programs that failed -- it tried
                to go to a "next MX host" when none existed, causing
                a core dump. From der Mouse at McGill University.
        Change IDENTPROTO from a defined/not defined to a 0/1 switch;
                this makes it easier to turn it off (using
                -DIDENTPROTO=0 in the Makefile). From der Mouse.
        Fix YP_MASTER_NAME store to use the unupdated result of
                gethostname() (instead of myhostname(), which tries
                to fully qualify the name) to be consistent with
                SunOS. If your hostname is unqualified, this fixes
                transfers to slave servers. Bug noted by Keith
                McMillan of Ameritech Services, Inc.
        Fix Ultrix problem: gethostbyname() can return a very large
                (> 500) h_length field, which causes the sockaddr
                to be trashed. Use the size of the sockaddr instead.
                Fix from Bob Manson of Ohio State.
        Don't assume "-a." on host lookups if NAMED_BIND is not
                defined -- this confuses gethostbyname on hosts
                file lookups, which doesn't understand the trailing
                dot convention.
        Log SMTP server subprocesses that die with a signal instead
                of from a clean exit.
        If you don't have option "I" set, don't assume that a DNS
                "host unknown" message is authoritative -- it
                might still be found in /etc/hosts.
        Fix a problem that would cause Deferred: messages to be sent
                as the subject of an error message, even though the
                actual cause of a message was more severe than that.
                Problem noted by Chris Seabrook of OSSI.
        Fix race condition in DBM alias file locking. From Kyle
                Jones of UUNET.
        Limit delivery syslog line length to avoid bugs in some
                versions of syslog(3). This adds a new compile time
                variable SYSLOG_BUFSIZE. From Jay Plett of Princeton
                University, which is in turn derived from IDA.
        Fix quotes inside of comments in addresses -- previously
                it insisted that they be balanced, but the 822 spec
                says that they should be ignored.
        Dump open file state to syslog upon receiving SIGUSR1 (for
                debugging). This also evaluates ruleset 89, if set
                (with the null input), and logs the result. This
                should be used sparingly, since the rewrite process
                is not reentrant.
        Change -qI, -qR, and -qS flags to be case-insensitive as
                documented in the Bat Book.
        If the mailer returned EX_IOERR or EX_OSERR, sendmail did not
                return an error message and did not requeue the message.
                Fix based on code from Roland Dirlewanger of
                Reseau Regional Aquarel, Bordeaux, France.
        Fix a problem that caused a seg fault if you got a 421 error
                code during some parts of connection initialization.
                I've only seen this when talking to buggy mailers on
                the other end, but it shouldn't give a seg fault in
                any case. From Amir Plivatsky.
        Fix core dump caused by a ruleset call that returns null.
                Fix from Bryan Costales of ICSI.
        Full-Name: field was being ignored. Fix from Motonori Nakamura
                of Kyoto University.
        Fix a possible problem with very long input lines in setproctitle.
                From Pär Emanuelsson.
        Avoid putting "This is a warning message" out on return receipts.
                Suggested by Douglas Anderson.
        Detect loops caused by recursive ruleset calls. Suggested by
                Bryan Costales.
        Initialize non-alias maps during alias rebuilds -- they may be
                needed for parsing. Problem noted by Douglas Anderson.
        Log sender address even if no message was collected in SMTP
                (e.g., if all RCPTs failed). Suggested by Motonori
                Nakamura.
        Don't reflect the owner-list contents into the envelope sender
                address if the value contains ", :, /, or | (to avoid
                illegal addresses appearing there).
        Efficiency hack for toktype macro -- from Craig Partridge of
                BB&N.
        Clean up DNS error printing so that a host name is always
                included.
        Remember to set $i during queue runs. Reported by Stephen
                Campbell of Dartmouth University.
        If the environment variable HOSTALIASES is set, use it during
                canonification as the name of a file with per-user host
                translations so that headers are properly mapped. Reported
                by Anne Bennett of Concordia University.
        Avoid printing misleading error message if SMTP mailer (not
                using [IPC]) should die on a core dump.
        Avoid incorrect diagnosis of "file 1 closed" when it is caused
                by the other end closing the connection. From
                Dave Morrison of Oracle.
        Improve several of the error messages printed by "mailq"
                to include a host name or other useful information.
        Add NetInfo preliminary support for NeXT systems. From Vince
                DeMarco.
        Fix a glitch that sometimes caused :include:s that pointed to
                NFS filesystems that were down to give an
                "aliasing/forwarding loop broken" message instead of
                queueing the message for retry. Noted by William C
                Fenner of the NRL Connection Machine Facility.
        Fix a problem that could cause a core dump if the input sequence
                had (or somehow acquired) a \231 character.
        Make sure that route-addrs always have <angle brackets> around
                them in non-SMTP envelopes (SMTP envelopes already do
                this properly).
        Avoid weird headers on unbalanced punctuation of the form:
                ``Joe User <user)'' -- this caused reference to the
                null macro. Fix from Rick McCarty of IO.COM.
        Fix a problem that caused an alias "user: user@local.host" to
                not have the QNOTREMOTE bit set; this caused configs
                to act as if FEATURE(notsticky) was defined even when
                it was not.
                The effect of the problem was to make it
                very hard to set up satellite sites that had a few
                local accounts, with everything else forwarded to a
                corporate hub. Reported by Detlef Drewanz of the
                University of Rostock and Mark Frost of NCD.
        Change queuing to not call rulesets 3, {1 or 2}, 4 on header
                addresses. This is more efficient (fewer name server
                calls) and fixes certain unusual configurations, such
                as those that have ruleset 4 do something that is
                non-idempotent unless a mailer-specific ruleset did
                something else. Problem reported by Brian J. Coan
                of the Institute for Global Communications.
        Fix the "obsolete argument" routine in main to better understand
                new arguments. For example, if you used ``sendmail
                -C config -v -q'' it would choke on the -q because
                the -C would stop looking for old-format arguments.
        Fix the code that was intended to allow two users to forward their
                mail to the same program and have them appear unique.
        Portability fixes for:
                SCO UNIX from Murray Kucherawy.
                SCO Open Server 3.2v4 from Philippe Brand.
                System V Release 4 from Rick Ellis and others.
                OSF/1 from Steve Campbell.
                DG/UX from Ben Mesander of the USGS and Bryan Curnutt
                        of Stoner Associates.
                Motorola SysV88 from Kevin Johnson of Motorola.
                Solaris 2.3 from Casper H.S. Dik of the University
                        of Amsterdam and John Caruso of University
                        of Maryland.
                FreeBSD from Ollivier Robert.
                NetBSD from Adam Glass.
                TitanOS from Kate Hedstrom of Rutgers University.
                Irix from Bryan Curnutt.
                Dynix from Jim Davis of the University of Arizona.
                RISC/os.
                Linux from John Kennedy of California State University
                        at Chico.
                Solaris 2.x from Tony Boner of the U.S. Air Force.
                NEXTSTEP 3.x from Vince DeMarco.
                HP-UX from various people.
                        NOTA BENE: the location
                        of the config file has moved to /usr/lib
                        to match the HP-UX version of sendmail.
        CONFIG: Don't do any recipient rewriting on relay mailer;
                since this is intended only for internal use, the
                usual RFC 821/822/1123 rules can be relaxed. The
                main point of this is to avoid munging (ugh) UUCP
                addresses when relaying internally.
        CONFIG: fix typo in mailer/uucp.m4 that mutilates list:;
                syntax addresses delivered via UUCP. Solution
                provided by Peter Wemm.
        CONFIG: fix thumb-fumble in default UUCP relaying in ruleset
                zero; it caused double @ signs in addresses. From
                Irving Reid of the University of Toronto.
        CONFIG: Portability fixes for SCO Unix 3.2 with TCP/IP 1.2.1
                from Markku Toijala of ICL Personal Systems Oy.
        CONFIG: Add trailing "." on pseudo-domains for consistency;
                this fixes a problem (noted by Al Whaley of Sunnyside)
                that made it hard to recognize your own pseudodomain
                names.
        CONFIG: catch "@host" syntax errors (i.e., null local-parts)
                rather than letting them get "local configuration
                error"s. Problem noted by John Gardiner Myers.
        CONFIG: add uucp-uudom mailer variant, based on code posted
                by Spider Boardman <spider@Orb.Nashua.NH.US>; this
                has uucp-dom semantics but old UUCP syntax. This
                also permits "uucp-old" as an alias for "uucp" and
                "uucp-new" as a synonym for "suucp" for consistency.
        CONFIG: add POP mailer support (from Kimmo Suominen
                <kim@grendel.lut.fi>).
        CONFIG: drop CSNET_RELAY support -- CSNET is long gone.
        CONFIG: fix bug caused with domain literal addresses (e.g.,
                ``[128.32.131.12]'') when FEATURE(allmasquerade)
                was set; it would get an additional @masquerade.host
                added to the address. Problem noted by Peter Wan
                of Georgia Tech.
        CONFIG: make sure that the local UUCP name is in $=w. From
                Jim Murray of Stratus.
        CONFIG: changes to UUCP rewriting to simulate IDA-style "V"
                mailer flag. Briefly, if you are sending to host
                "foo", then it rewrites "foo!...!baz" to "...!baz",
                "foo!baz" remains "foo!baz", and anything else has
                the local name prepended.
        CONFIG: portability fixes for HP-UX.
        DOC: several minor problems fixed in the Install & Op Guide.
        MAKEMAP: fix core dump problem on lines that are too long or
                which lack newline. From Mark Delany.
        MAILSTATS: print sums of columns (total messages & kbytes
                in and out of the system). From Tom Ferrin of UC
                San Francisco Computer Graphics Lab.
        SIGNIFICANT USER- OR SYSAD-VISIBLE CHANGES:
                On HP-UX, /etc/sendmail.cf has been moved to
                        /usr/lib/sendmail.cf to match HP sendmail.
                Permissions have been tightened up on world-writable
                        :include: files and accounts that have shells
                        that are not listed in /etc/shells. This may
                        cause some .forward files that have worked
                        before to start failing.
                SIGUSR1 dumps some state to the log.
        NEW FILES:
                src/Makefile.DGUX
                src/Makefile.Dynix
                src/Makefile.FreeBSD
                src/Makefile.Mach386
                src/Makefile.NetBSD
                src/Makefile.RISCos
                src/Makefile.SCO
                src/Makefile.SVR4
                src/Makefile.Titan
                cf/mailer/pop.m4
                cf/ostype/bsdi1.0.m4
                cf/ostype/dgux.m4
                cf/ostype/dynix3.2.m4
                cf/ostype/sco3.2.m4
                makemap/Makefile.dist
                praliases/Makefile.dist

8.6.4/8.6.4    93/10/31
        Repair core-dump problem (write to read-only memory segment)
                if you fall back to the return-to-Postmaster case in
                savemail. Problem reported by Richard Liu.
        Immediately diagnose bogus sender addresses in SMTP. This
                makes quite certain that crackers can't use this
                class of attack.
        Reliability Fix: check return value from fclose() and fsync()
                in a few critical places.
        Minor problem in initsys() that reversed a condition for
                redirecting the output channel on queue runs. It's
                not clear this code even does anything. From Eric
                Wassenaar of the Dutch National Institute for Nuclear
                and High-Energy Physics.
        Fix some problems that caused queue runs to do "too much work",
                such as double-reading the Errors-To: header. From
                Eric Wassenaar.
        Error messages on writing the temporary file (including the
                data file) were getting suppressed in SMTP -- this
                fix causes them to be properly reported. From Eric
                Wassenaar.
        Some changes to support AF_UNIX sockets -- this will only
                really become relevant in the next release, but some
                people need it for local patches. From Michael
                Corrigan of UC San Diego.
        Use dynamically allocated memory (instead of static buffers)
                for macros defined in initsys() and settime(); since
                these can have different values depending on which
                envelope they are in. From Eric Wassenaar.
        Improve logging to show ctladdr on to= logging; this tells you
                what uid/gid processes ran as.
        Fix a problem that caused error messages to be discarded if
                the sender address was unparseable for some reason;
                this was supposed to fall back to the "return to
                postmaster" case.
        Improve aliaswait backoff algorithm.
        Portability patches for Linux (8.6.3 required another header
                file) (from Karl London) and SCO UNIX.
        CONFIG: patch prog mailer to not strip host name off of envelope
                addresses (so that it matches local again). From
                Christopher Davis.
        CONFIG: change uucp-dom mailer so that "<>" translates to $n;
                this prevents uux from seeing lines with null names like
                ``From Sat Oct 30 14:55:31 1993''. From Motonori
                Nakamura of Kyoto University.
        CONFIG: handle <list:;> syntax correctly. This isn't legal, but
                it shouldn't fail miserably. From Motonori Nakamura.

8.6.2/8.6.2    93/10/15
        Put a "successful delivery" message in the transcript for
                addresses that get return-receipts.
        Put a prominent "this is only a warning" message in warning
                messages -- some people don't read carefully enough
                and end up sending the message several times.
        Include reason for temporary failure in the "warning" return
                message. Currently, it just says "cannot send for
                four hours".
        Fix the "Original message received" time generated for
                returntosender messages. It was previously listed as
                the current time. Bug reported by Eric Hagberg of
                Cornell University Medical College.
        If there is an error when writing the body of a message,
                don't send the trailing dot and wait for a response
                in sender SMTP, as this could cause the connection to
                hang up under some bizarre circumstances. From Eric
                Wassenaar.
        Fix some server SMTP synchronization problems caused when
                connections fail during message collection. From
                Eric Wassenaar.
        Fix a problem that can cause srvrsmtp to reject mail if the
                name server is down -- it accepts the RCPT but rejects
                the DATA command. Problem reported by Jim Murray of
                Stratus.
        Fix a problem that can cause core dumps if the config file
                incorrectly resolves to a null hostname. Reported by
                Allan Johannesen of WPI.
        Non-root use of -C flag, dangerous -f flags, and use of -oQ
                by non-root users were not put into
                X-Authentication-Warning:s as intended because the
                config file hadn't set the PrivacyOptions yet. Fix
                from Sven-Ove Westberg of the University of Lulea.
        Under very odd circumstances, the alias file rebuild code
                could get confused as to whether a database was
                open or not.
        Check "vendor code" on the end of V lines -- this is
                intended to provide a hook for vendor-specific
                configuration syntax.
                (This is a "new feature",
                but I've made an exception to my rule in a belief
                that this is a highly exceptional case.)
        Portability fixes for DG/UX (from Douglas Anderson of NCSC),
                SCO Unix (from Murray Kucherawy), A/UX, and OSF/1
                (from Jon Forrest of UC Berkeley).
        CONFIG: fix ``mailer:host'' form of UUCP relay naming.

8.6.1/8.6    93/10/08
        Portability fixes for A/UX and Encore UMAX V.
        Fix error message handling -- if you had a name server down
                causing an error during parsing, that message was never
                propagated to the queue file.

8.6/8.6    93/10/05
        Configuration cleanup: make it easier to undo IDENTPROTO in
                conf.h (other systems have the same bug).
        If HASGETDTABLESIZE and _SC_OPEN_MAX are both defined, assume
                getdtablesize() instead of sysconf(); a disturbingly
                large number of systems defined _SC_OPEN_MAX in the
                header files but don't have the syscall.
        Another patch to really truly ignore MX records in getcanonname
                if trymx == FALSE.
        Fix problem that caused the "250 IAA25499 Message accepted for
                delivery" message to be omitted if there was an error
                in the header of the message (e.g., a bad Errors-To:
                line). Pointed out by Michael Corrigan of UCSD.
        Announce name of host we are chatting with when we get errors;
                this is an IDA-ism suggested by Christophe Wolfhugel.
        Portability fixes for Alpha OSF/1 (from Anthony Baxter of the
                Australian Artificial Intelligence Institute), SCO Unix
                (from Murray Kucherawy of Hookup Communication Corp.),
                NeXT (from Vince DeMarco and myself), Linux (from
                Karl London <karl@borg.demon.co.uk>), BSDI (from
                Christophe Wolfhugel), and SVR4 on Dell (from Kimmo
                Suominen), AUX 3.0 on Macintosh, and ANSI C compilers.
        Some changes to get around gcc optimizer bugs. From Takahiro
                Kanbe.
        Fix error recovery in queueup if another tf file of the same
                name already exists.
                Problem stumbled over by Bill
                Wisner of The Well.
        Output YP_MASTER_NAME and YP_LAST_MODIFIED without null bytes.
                Problem noted by Keith McMillan of Ameritech Services.
        Deal with group permissions properly when opening .forward and
                :include: files. This relaxes the 8.1C restrictions
                slightly more. This includes proper setting of groups
                when reading :include: files, allowing you to read some
                files that you should be able to read but have previously
                been denied unless you owned them or they had "other"
                read permission.
        Make certain that $j is in $=w (after the .cf is read) so that
                if the user is forced to override some silly system,
                MX suppression will still work.
        Fix a couple of efficiency problems where newstr was
                double-calling expensive routines. In at least one case,
                it wasn't guaranteed that they would always return the
                same result. Problem noted by Christophe Wolfhugel.
        Fix null pointer dereference in putoutmsg -- only on an error
                condition from a non-SMTP mailer. From Motonori
                Nakamura.
        Macro expand "C" line class definitions before scanning so that
                "CX $Z" works.
        Fix problem that caused error message to be sent while still
                trying to send the original message if the connection
                is closed during a DATA command after getting an error
                on an RCPT command (pretty obscure). Problem reported
                by John Myers of CMU.
        Fix reply to NOOP to be 250 instead of 200 -- this is a long
                term bug.
        Fix a nasty bug causing core dumps when returning the "warning:
                cannot deliver for N hours -- will keep trying" message;
                it only occurred if you had PostmasterCopy set and
                only on some architectures. Although sendmail would
                keep trying, it would send error messages on each
                queue interval. This is an important fix.
        Allow u and g options to take user and group names respectively.
    Don't do a chdir into the queue directory in -bt mode to make
        ruleset testing a bit easier.
    Don't allow users to turn off logging (using -oL) on the command
        line -- command line can only raise, not lower, logging
        level.
    Set $u to the original recipient on the SMTP transaction or on
        the command line. This is only done if there is exactly
        one recipient. Technically, this does not meet the
        specs, because it does not guarantee a domain on the
        address.
    Fix a problem that dumped error messages on bad addresses if
        you used the -t flag. Problem noted by Josh Smith of
        Harvey Mudd College.
    Given an address such as ``<foo> <bar>'', auto-quote the first
        ``<foo>'' part, giving ``"<foo>" <bar>''. This is to
        avoid the problem of people who use angle brackets in
        their full name information.
    Fix a null pointer dereference if you set option "l", have
        an Errors-To: header in the message, and have Errors-To:
        defined in the config file H lines. From J.R. Oldroyd.
    Put YPCOMPAT on #ifdef NIS instead -- it's one less thing to get
        wrong when compiling. Suggested by Rick McCarty of TI.
    Fix a problem that could pass negative SIZE parameter if the
        df file got lost; this would cause servers to always
        give a temporary failure, making the problem even worse.
        Problem noted by Allan Johannesen of WPI.
    Add "ident" timeout (one of the "r" option selectors) for IDENT
        protocol timeouts (30s default). Requested by Murray
        Kucherawy of HookUp Communication Corp. to handle bogus
        PC TCP/IP implementations.
    Change $w default definition to be just the first component of
        the domain name on config level 5. The $j macro defaults
        to the FQDN; $m remains as before. This lets well-behaved
        config files use any of the short, long, or subdomain
        names.
    Add makesendmail script in src to try to automate multi-architecture
        builds.
        I know, this is sub-optimal, but it is still
        helpful.
    Fix very obscure race condition that can cause a queue run to
        get a queue file for an already completed job. This
        problem has existed for years. Problem noted by the
        long suffering Allan Johannesen of WPI.
    Fix a problem that caused the raw sender name to be passed to
        udbsender instead of the canonified name -- this caused
        it to sometimes miss records that it should have found.
    Relax check of name on HELO packet so that a program using -bs
        that claims to be itself works properly.
    Restore rewriting of $: part of address through 2, R, 4 in
        buildaddr -- this requires passing a lot of flags to get
        it right. Unlike old versions, this ONLY rewrites
        recipient addresses, not sender addresses.
    Fix a bug that caused core dumps in config files that cannot
        resolve /file/name style addresses. Fix from Jonathan
        Kamens of OpenVision Technologies.
    Fix problem with fcntl locking that can cause error returns to
        be lost if the lock is lost; this required fully
        queueing everything, dropping the envelope (so errors
        would get returned), and then re-reading the queue from
        scratch.
    Fix a problem that caused aliases that redefine an otherwise
        true address to still send to the original address
        if and only if the alias failed in certain bizarre
        ways (e.g., if they pointed at a list:; syntax address).
        Problem pointed out by Jonathan Kamens.
    Remove support for frozen configuration files. They caused
        more trouble than it was worth.
    Fix problem that can cause error messages to get ignored when
        using both -odb and -t flags. Problem noted by Rob
        McNicholas at U.C. Berkeley.
    Include all "normal" variations on hostname in $=w. For example,
        if the host name is vangogh.cs.berkeley.edu, $=w will
        contain vangogh, vangogh.cs, and vangogh.cs.berkeley.edu.
    Add "restrictqrun" privacy flag -- without this, anyone can run
        the queue.
    Reset SmtpPhase global on initial connection creation so that
        messages don't come out with stale information.
    Pass an "ext" argument to lockfile so that error/log messages
        will properly reflect the true filename being locked.
    Put all [...] address forms into $=w -- this eliminates the need
        for MAXIPADDR in conf.h. Suggested by John Gardiner
        Myers of CMU.
    Fix a bug that can cause qf files to be left around even after
        an SMTP RSET command. Problem and fix from Michael
        Corrigan.
    Don't send a PostmasterCopy to errors when the Precedence: is
        negative. Error reports still go to the envelope
        sender address.
    Add LA_SHORT for load averages.
    Lock sendmail.st file when posting statistics.
    Add "SendBufSize" and "RcvBufSize" suboptions to "O" option to
        set the size of the TCP send and receive buffers; if you
        run over a slow slip line you may need to set these down
        (although it would be better to fix the SLIP implementation
        so that it's not necessary to recompile every program
        that does bulk data transfer).
    Allow null defaults on $( ... $) lookups. Problem reported by
        Amir Plivatsky.
    Diagnose crufty S and V config lines. This resulted from an
        observation that some people were using the SITE macro
        without the SITECONFIG macro first, which was causing
        bogus config files that were not caught.
    Fix makemap -f flag to turn off case folding (it was turning it
        on instead). THIS IS A USER VISIBLE CHANGE!!!
    Fix a problem that caused multiple error messages to be sent if
        you used "sendmail -t -oem -odb", your system uses fcntl
        locking, and one of the recipient addresses is unknown.
    Reset uid earlier in include() so that recursive .forwards or
        :include:s don't use the wrong uid.
    If file descriptor 0, 1, or 2 was closed when sendmail was
        called, the code to recover the descriptor was broken.
        This sometimes (only sometimes) caused problems with the
        alias file. Fix from Motonori Nakamura.
    Fix a problem that caused aliaswait to go into infinite recursion
        if the @:@ metasymbol wasn't found in the alias file.
    Improve error message on newaliases if database files cannot be
        opened or if running with no database format defined.
    Do a better estimation of the size of error messages when NoReturn
        is set. Problem noted by Pär (Pell) Emanuelsson.
    Fix a problem causing the "c" option (don't connect to expensive
        mailers) to be ignored in SMTP. Problem noted and the
        solution suggested by Robert Elz of The University of
        Melbourne.
    Improve connection caching algorithm by passing "[host]" to
        hostsignature, which strips the square brackets and
        returns the real name. This allows mailertable entries
        to match regular entries.
    Re-enable Return-Receipt-To: -- people seem to want this stupid
        feature, even if it doesn't work right.
    Catch and log attempts to try the "wiz" command in server SMTP.
        This also ups the log level from LOG_NOTICE to LOG_CRIT.
    Be more generous at assigning $z to the home directory -- do this
        for programs that are specified through a .forward file.
        Fix from Andrew Chang of Sun Microsystems.
    Always save a fatal error message in preference to a non-fatal
        error message so that the "subject" line of return
        messages is the best possible.
    CONFIG: reduce the number of quotes needed to quote configuration
        parameters with commas: two quotes should work now, e.g.,
        define(ALIAS_FILE, ``/etc/aliases,/etc/aliases.local'').
    CONFIG: class $=Z is a set of UUCP hosts that use uucp-dom
        connections (domain-ized UUCP).
    CONFIG: fix bug in default maps (-o must be before database file
        name).
        Pointed out by Christophe Wolfhugel.
    CONFIG: add FEATURE(nodns) to state that we are not relying on
        DNS. This would presumably be used in UUCP islands.
    CONFIG: add OSTYPE(nextstep) and OSTYPE(linux).
    CONFIG: log $u in Received: line. This is in technical violation
        of the standards, since it doesn't guarantee a domain
        on the address.
    CONFIG: don't assume "m" in local mailer flags -- this means that
        if you redefine LOCAL_MAILER_FLAGS you will have to include
        the "m" flag should you want it. Apparently some Solaris 2.2
        installations can't handle multiple local recipients.
        Problem noted by Josh Smith.
    CONFIG: add confDOMAIN_NAME to set $j (if undefined, $j defaults).
    CONFIG: change default version level from 4 to 5.
    CONFIG: add FEATURE(nullclient) to create a config file that
        forwards all mail to a hub without ever looking at the
        addresses in any detail.
    CONFIG: properly strip mailer: information off of relays when
        used to change .BITNET form into %-hack form.
    CONFIG: fix a problem that caused infinite loops if presented
        with an address such as "!foo".
    CONFIG: check for self literal (e.g., [128.32.131.12]) even if
        the reverse "PTR" mapping is broken. There's a better
        way to do this, but the change is fairly major and I
        want to hold it for another release. Problem noted by
        Bret Marquis.

8.5/8.5    93/07/23
    Serious bug: if you used a command line recipient that was unknown
        sendmail would not send a return message (it was treating
        everything as though it had an SMTP-style client that
        would do the return itself). Problem noted by Josh Smith.
    Change "trymx" option in getcanonname() to ignore all MX data,
        even during a T_ANY query. This actually didn't break
        anything, because the only time you called getcanonname
        with !trymx was if you already knew there were no MX
        records, but it is somewhat cleaner.
        From Motonori
        Nakamura.
    Don't call getcanonname from getmxrr if you already know there
        are no DNS records matching the name.
    Fix a problem causing error messages to always include "The
        original message was received ... from localhost".
        The correct original host information is now included.
    Previous change to cf/sh/makeinfo.sh doesn't port to Ultrix (their
        version of "test" doesn't have the -x flag). Change it
        to use -f instead. From John Myers.
    CONFIG: 8.4 mistakenly set the default SMTP-style mailer to
        esmtp -- it should be smtp.
    CONFIG: send all relayed mail using confRELAY_MAILER (defaults
        to "relay" (a variant of "smtp") if MAILER(smtp) is used,
        else "suucp" if MAILER(uucp) is used, else "unknown");
        this cleans up the configs somewhat. This fixes a serious
        problem that caused route-addrs to get mistaken as relays,
        pointed out by John Myers. WARNING: this also causes
        the default on SMART_HOST to change from "suucp" to
        "relay" if you have MAILER(smtp) specified.

8.4/8.4    93/07/22
    Add option `w'. If you receive a message that comes to you because
        you are the best (lowest preference) target of an MX, and
        you haven't explicitly recognized the source MX host in
        your .cf file, this option will cause you to try the target
        host directly (as if there were no MX for it at all). If
        `w' is not set, this case is a configuration error.
        Beware: if `w' is set, senders may get bogus errors like
        "message timed out" or "host unknown" for problems that
        are really configuration errors. This option is
        disrecommended, provided only for compatibility with
        UIUC sendmail.
    Fix a problem that caused the incoming socket to be left open
        when sendmail forks after the DATA command.
        This caused
        calling systems to wait in FIN_WAIT_2 state until the
        entire list was processed and the child closed -- a
        potentially prodigious amount of time. Problem noted
        by Neil Rickert.
    Fix problem (created in 6.64) that caused mail sent to multiple
        addresses, one of which was a bad address, to completely
        suppress the sending of the message. This changes
        handling of EF_FATALERRS somewhat, and adds an
        EF_GLOBALERRS flag. This also fixes a potential problem
        with duplicate error messages if there is a syntax error
        in the header of a message that isn't noticed until late
        in processing. Original problem pointed out by Josh Smith
        of Harvey Mudd College. This release includes quite a bit
        of dickering with error handling (see below).
    Back out SMTP transaction if MAIL gets nested 501 error. This
        will only hurt already-broken software and should help
        humans.
    Fix a problem that broke aliases when neither NDBM nor NEWDB were
        compiled in. It would never read the alias file.
    Repair unbalanced `)' and `>' (the "open" versions are already
        repaired).
    Logging of "done" in dropenvelope() was incorrect: it would
        log this even when the queue file still existed. Change
        this to only log "done" (at log level 11) when the
        queue file is actually removed. From John Myers.
    Log "lost connection" in server SMTP at log level 20 if there
        is no pending transaction. Some senders just close the
        connection rather than sending QUIT.
    Fix a bug causing getmxrr to add a dot to the end of unqualified
        domains that do not have MX records -- this would cause
        the subsequent host name lookup to fail. The problem
        only occurred if you had FEATURE(nocanonify) set.
        Problem noted by Rick McCarty of Texas Instruments.
    Fix invocation of setvbuf when passed a -X flag -- I had
        unwittingly used an ANSI C extension, and this caused
        core dumps on some machines.
    Diagnose self-destructive alias loops on RCPT as well as EXPN.
        Previously it just gave an empty send queue, which
        then gave either "Need RCPT (recipient)" at the DATA
        (confusing, since you had given an RCPT command which
        returned 250) or just dropped the email, depending on
        whether you were running VERBose mode. Now it usually
        diagnoses this case as "aliasing/forwarding loop broken".
        Unfortunately, it still doesn't adequately diagnose
        some true error conditions.
    Add internal concept of "warning messages" using 6xx codes.
        These are not reported only to Postmaster. Unbalanced
        parens, brackets, and quotes are printed as 653 codes.
        They are always mapped to 5xx codes before use in SMTP.
    Clean up error messages to tell both the actual address that
        failed and the alias they arose from. This makes it
        somewhat easier to diagnose problems. Difficulty noted
        by Motonori Nakamura.
    Fix a problem that inappropriately added a ctladdr to addresses
        that shouldn't have had one during a queue run. This
        caused error messages to be handled differently during
        a queue run than a direct run.
    Don't print the qf name and line number if you get errors during
        the direct run of the queue from srvrsmtp -- this was
        just extra stuff for users to crawl through.
    Put command line flags on second line of pid file so you can
        auto-restart the daemon with all appropriate arguments.
        Use "kill `head -1 /etc/sendmail.pid`" to stop the
        daemon, and "eval `tail -1 /etc/sendmail.pid`" to
        restart it.
    Remove the ``setuid(getuid())'' in main -- this caused the
        IDENT daemon to screw up.
        This required that I change
        HASSETEUID to HASSETREUID and complicate the mode
        changing somewhat because both Ultrix and SunOS seem
        to have a bug causing seteuid() to set the saved uid
        as well as the effective. The program test/t_setreuid.c
        will test to see if your implementation of setreuid(2)
        is appropriately functional.
    The FallBackMX (option V) handling failed to properly identify
        fallback to yourself -- most of the code was there,
        but it wasn't being enabled. Problem noted by Murray
        Kucherawy of the University of Waterloo.
    Change :include: open timeout from ETIMEDOUT to an internal
        code EOPENTIMEOUT; this avoids adding "during SmtpPhase
        with CurHostName" in error messages, which can be
        confusing. Reported by Jonathan Kamens of OpenVision
        Technologies.
    Back out setpgrp (setpgid on POSIX systems) call to reset the
        process group id. The original fix was to get around
        some problems with recalcitrant MUAs, but it breaks
        any call from a shell that creates a process group id
        different from the process id. I could try to fix
        this by diddling the tty owner (using tcsetpgrp or
        equivalent) but this is too likely to break other
        things.
    Portability changes:
        Support -M as equivalent to -oM on Ultrix -- apparently
            DECnet calls sendmail with -MrDECnet -Ms<HOST> -bs
            instead of using standard flags. Oh joy. This
            behavior reported by Jon Giltner of University
            of Colorado.
        SGI IRIX -- this includes several changes that should
            help other strict ANSI compilers.
        SCO Unix -- from Murray Kucherawy of HookUp Communication
            Corporation.
        Solaris running the Sun C compiler (which despite the
            documentation apparently doesn't define
            __STDC__ by default).
        ConvexOS from Eric Schnoebelen of Convex.
        Sony NEWS workstations and Omron LUNA workstations from
            Motonori Nakamura.
    CONFIG: add confTRY_NULL_MX_LIST to set option `w'.
    CONFIG: delete `C' and `e' from default SMTP mailers flags;
        several people have made a good argument that this
        creates more problems than it solves (although this
        may prove painful in the short run).
    CONFIG: generalize all the relays to accept a "mailer:host"
        format.
    CONFIG: move local processing in ruleset 0 into a new ruleset
        98 (8 on old sendmail). Domain literal [a.b.c.d]
        addresses are also passed through this ruleset.
    CONFIG: if neither SMART_HOST nor MAILER(smtp) were defined,
        internet-style addresses would "fall off the end" of
        ruleset zero and be interpreted as local -- however,
        the angle brackets confused the recursive call.
        These are now diagnosed as "Unrecognized host name".
    CONFIG: USENET rules weren't included in S0 because of a mistaken
        ifdef(`_MAILER_USENET_') instead of
        ifdef(`_MAILER_usenet_'). Problem found by Rein Tollevik
        of SINTEF RUNIT, Oslo.
    CONFIG: move up LOCAL_RULE_0 processing so that it happens very
        early in ruleset 0; this allows .mc authors to bypass
        things like the "short circuit" code for local addresses.
        Prompted by a comment by Bill Wisner of The Well.
    CONFIG: add confSMTP_MAILER to define the mailer used (smtp or
        esmtp) to send SMTP mail. This allows you to default
        to esmtp but use a mailertable or other override to
        deal with broken servers. This logic was pointed out
        to me by Bill Wisner. Ditto for confLOCAL_MAILER.
    Changes to cf/sh/makeinfo.sh to make it portable to SVR4
        environments. Ugly as sin.

8.3/8.3    93/07/13
    Fix setuid problems introduced in 8.2 that caused messages
        like "Cannot create qfXXXXXX: Invalid argument"
        or "Cannot reopen dfXXXXXX: Permission denied".
        This
        involved a new compile flag "HASSETEUID" that takes
        the place of the old _POSIX_SAVED_IDS -- it turns out
        that the POSIX interface is broken enough to break
        some systems badly. This includes some fixes for
        HP-UX. Also fixes problems where the real uid is
        not reset properly on startup (from Neil Rickert).
    Fix a problem that caused timed out messages to not report the
        addresses that timed out. Error messages are also more
        "user friendly".
    Drop required bandwidth on connections from 64 bytes/sec to
        16 bytes/sec.
    Further Solaris portability changes -- doesn't require the BSD
        compatibility library. This also adds a new
        "HASGETDTABLESIZE" compile flag which can be used if
        you want to use getdtablesize(2) instead of sysconf(2).
        These are loosely based on changes from David Meyer at
        University of Oregon. This now seems to work, at least
        for quick test cases.
    Fix a problem that can cause duplicate error messages to be
        sent if you are in SMTP, you send to multiple addresses,
        and at least one of those addresses is good and points
        to an account that has a .forward file (whew!).
    Fix a problem causing messages to be discarded if checkcompat()
        returned EX_TEMPFAIL (because it didn't properly mark
        the "to" address). Problem noted by John Myers.
    Fix dfopen to return NULL if the open failed; I was depending
        on fdopen(-1) returning NULL, which isn't the case. This
        isn't serious, but does result in weird error diagnoses.
        From Michael Corrigan.
    CONFIG: add UUCP_MAX_SIZE M4 macro to set the maximum size of
        messages sent through UUCP-family mailers. Suggested
        by Bill Wisner of The Well.
    CONFIG: if both MAILER(uucp) and MAILER(smtp) are specified,
        include a "uucp-dom" mailer that uses domain-style
        addressing. Suggested by Bill Wisner.
    CONFIG: Add LOCAL_SHELL_FLAGS and LOCAL_SHELL_ARGS to match
        LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS. Suggested by
        Christophe Wolfhugel.
    CONFIG: Add OSTYPE(aix3). From Christophe Wolfhugel.

8.2/8.2    93/07/11
    Don't drop out on config file parse errors in -bt mode.
    On older configuration files, assume option "l" (use Errors-To
        header) for back compatibility. NOTE: this DOES NOT
        imply an endorsement of the Errors-To: header in any way.
    Accept -x flag on AIX-3 as well as OSF/1. Why, why, why???
    Don't log errors on EHLO -- it isn't a "real" error for an old
        SMTP server to give an error on this command, and
        logging it in the transcript can be confusing. Fix
        from Bill Wisner.
    IRIX compatibility changes provided by Dan Rich
        <drich@sandman.lerc.nasa.gov>.
    Solaris 2 compatibility changes. Provided by Bob Cunningham
        <bob@kahala.soest.hawaii.edu>, John Oleynick
        <juo@klinzhai.rutgers.edu>
    Debugging: -d17 was overloaded (hostsignature and usersmtp.c);
        move usersmtp (smtpinit and smtpmailfrom) to -d18 to
        match the other flags in that file.
    Flush transcript before fork in mailfile(). From Eric Wassenaar.
    Save h_errno in mci struct and improve error message display.
        Changes from Eric Wassenaar.
    Open /dev/null for the transcript if the create of the xf file
        failed; this avoids at least one possible null pointer
        reference in very weird cases. From Eric Wassenaar.
    Clean up statistics gathering; it was over-reporting because of
        forks. From Eric Wassenaar.
    Fix problem that causes old Return-Path: line to override new
        Return-Path: line (conf.c needs H_FORCE to avoid
        re-using old value). From Motonori Nakamura.
    Fix broken -m flag in K definition -- even if -m (match only)
        was specified, it would still replace the key with the
        value. Noted by Rick McCarty of Texas Instruments.
    If the name server timed out over several days, no "timed out"
        message would ever be sent back. The timeout code
        has been moved from markfailure() to dropenvelope()
        so that all such failures should be diagnosed. Pointed
        out by Christophe Wolfhugel and others.
    Relax safefile() constraints: directories in an include or
        forward path must be readable by self if the controlling
        user owns the entry, readable by all otherwise (e.g.,
        when reading your .forward file, you have to own and
        have X permission in it; everyone needs X permission in
        the root and directories leading up to your home);
        include files must be readable by anyone, but need not
        be owned by you.
    If _POSIX_SAVED_IDS is defined, setuid to the owner before
        reading a .forward file; this gets around some problems
        on NFS mounts if root permission is not exported and
        the user's home directory isn't x'able.
    Additional NeXT portability enhancements from Axel Zinser.
    Additional HP-UX portability enhancements from Brian Bullen.
    Add a timeout around SMTP message writes; this assumes you can
        get throughput of at least 64 bytes/second. Note that
        this does not impact the "datafinal" default, which
        is separate; this is just intended to work around
        network clogs that will occur before the final dot
        is sent. From Eric Wassenaar.
    Change map code to set the "include null" flag adaptively --
        it initially tries both, but if it finds anything
        matching without a null it never tries again with a
        null and vice versa. If -N is specified, it never
        tries without the null and creates new maps with a
        null byte. If -O is specified, it never tries with
        the null (for efficiency). If -N and -O are specified,
        you get -NO (get it?) lookup at all, so this would
        be a bad idea. If you don't specify either -N or -O,
        it adapts.
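
The adaptive "include null" probing described in the entry just above, sketched in C as an added example (not sendmail source; the flag names, structures, and the two sample databases are constructed for illustration). It shows why a wrong -N or -O setting makes every alias lookup miss silently, while the adaptive default costs one extra fetch at most until the first hit.

```c
/* Added illustration of adaptive "include null" probing; not sendmail source.
 * All identifiers and both sample databases are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define TRY_NO_NUL   0x1u  /* probe with the key's trailing '\0' excluded */
#define TRY_WITH_NUL 0x2u  /* probe with the key's trailing '\0' included */

struct record { const char *key; size_t klen; const char *val; };

struct map {
    const struct record *recs;
    size_t nrecs;
    unsigned flags;   /* probe styles still worth trying */
    unsigned probes;  /* raw fetches issued so far */
};

/* Same aliases, stored without and with the NUL counted in the key length. */
static const struct record db_plain[] = {
    { "postmaster", 10, "root" }, { "root", 4, "eric" },
};
static const struct record db_nul[] = {
    { "postmaster", 11, "root" }, { "root", 5, "eric" },
};

/* opt_N: never try without the null; opt_O: never try with the null. */
void map_init(struct map *m, int nul_db, int opt_N, int opt_O)
{
    m->recs = nul_db ? db_nul : db_plain;
    m->nrecs = 2;
    m->probes = 0;
    m->flags = TRY_NO_NUL | TRY_WITH_NUL;
    if (opt_N) m->flags &= ~TRY_NO_NUL;
    if (opt_O) m->flags &= ~TRY_WITH_NUL;
}

/* One database fetch: exact match on length and bytes, as a dbm would do. */
static const char *raw_fetch(struct map *m, const char *key, size_t klen)
{
    size_t i;

    m->probes++;
    for (i = 0; i < m->nrecs; i++)
        if (m->recs[i].klen == klen && memcmp(m->recs[i].key, key, klen) == 0)
            return m->recs[i].val;
    return NULL;
}

/* Try each enabled style; the first hit disables the other style for good. */
const char *map_lookup(struct map *m, const char *key)
{
    size_t len = strlen(key);
    const char *val = NULL;

    if (m->flags & TRY_NO_NUL) {
        val = raw_fetch(m, key, len);
        if (val != NULL)
            m->flags &= ~TRY_WITH_NUL;
    }
    if (val == NULL && (m->flags & TRY_WITH_NUL)) {
        val = raw_fetch(m, key, len + 1);   /* include the terminating NUL */
        if (val != NULL)
            m->flags &= ~TRY_NO_NUL;
    }
    return val;
}

/* Look up two present keys and one absent key; report fetches and hits. */
static unsigned run(int nul_db, int opt_N, int opt_O, unsigned *hits)
{
    static const char *keys[] = { "root", "postmaster", "nobody" };
    struct map m;
    size_t i;

    map_init(&m, nul_db, opt_N, opt_O);
    *hits = 0;
    for (i = 0; i < 3; i++)
        if (map_lookup(&m, keys[i]) != NULL)
            (*hits)++;
    return m.probes;
}

unsigned demo_probes(int nul_db, int opt_N, int opt_O)
{
    unsigned hits;
    return run(nul_db, opt_N, opt_O, &hits);
}

unsigned demo_hits(int nul_db, int opt_N, int opt_O)
{
    unsigned hits;
    (void)run(nul_db, opt_N, opt_O, &hits);
    return hits;
}

int main(void)
{
    int db, n, o;

    for (db = 0; db < 2; db++)
        for (n = 0; n < 2; n++)
            for (o = 0; o < 2; o++)
                printf("db=%s -N=%d -O=%d: %u hits, %u fetches\n",
                       db ? "nul" : "plain", n, o,
                       demo_hits(db, n, o), demo_probes(db, n, o));
    return 0;
}
```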
    Fix recognition of "same from address" so that MH submissions
        will insert the appropriate full name information;
        this used to work and got broken somewhere along the
        way.
    Some changes to eliminate some unnecessary SYSERRs in the
        log. For example, if you lost a connection, don't
        bother reporting that fact on the connection you lost.
    Add some "extended debugging" flags to try to track down
        why we get occasional problems with file descriptor
        one being closed when execing a mailer; it seems to
        only happen when there has been another error in the
        same transaction. This requires XDEBUG, defined
        by default in conf.h.
    Add "-X filename" command line flag, which logs both sides of
        all SMTP transactions. This is intended ONLY for
        debugging bad implementations of other mailers; start
        it up, send a message from a mailer that is failing,
        and then kill it off and examine the indicated log.
        This output is not intended to be particularly human
        readable. This also adds the HASSETVBUF compile
        flag, defaulted on if your compiler defines __STDC__.
    CONFIG: change SMART_HOST to override an SMTP mailer. If you
        have a local net that should get direct connects, you
        will need to use LOCAL_NET_CONFIG to catch these hosts.
        See cf/README for an example.
    CONFIG: add LOCAL_MAILER_ARGS (default: `mail -d $u') to handle
        sites that don't use the -d flag.
    CONFIG: hide recipient addresses as well as sender addresses
        behind $M if FEATURE(allmasquerade) is specified; this
        has been requested by several people, but can break
        local aliases. For example, if you mail to "localalias"
        this will be rewritten as "localalias@masqueradehost";
        although initial delivery will work, replies will be
        broken. Use it sparingly.
    CONFIG: add FEATURE(domaintable). This maps unqualified domains
        to qualified domains in headers.
        I believe this is
        largely equivalent to the IDA feature of the same name.
    CONFIG: use $U as UUCP name instead of $k. This permits you
        to override the "system name" as your UUCP name --
        in particular, to use domain-ized UUCP names. From
        Bill Wisner of The Well.
    CONFIG: create new mailer "esmtp" that always tries EHLO
        first. This is currently unused in the config files,
        but could be used in a mailertable entry.

8.1C/8.1B    93/06/27
    Serious security bug fix: it was possible to read any file on
        the system, regardless of ownership and permissions.
    If a subroutine returns a fully qualified address, return it
        immediately instead of feeding it back into rewriting.
        This fixes a problem with mailertable lookups.
    CONFIG: fix some M4 frotz (concat => CONCAT)

8.1B/8.1A    93/06/12
    Serious bug fix: pattern matching backup algorithm stepped by
        two tokens in classes instead of one. Found by Claus
        Assmann at University of Kiel, Germany.

8.1A/8.1A    93/06/08
    Another mailertable fix....

8.1/8.1    93/06/07
    4.4BSD freeze. No semantic changes.

6.65/6.34    93/06/06
    Fix some lintish problems.
    Fix some cases where server SMTP behaved poorly when handed bogus
        input, pointed out by Eric Wassenaar.
    CONFIG: fix some more (sigh) mailertable bugs -- thanks to
        Motonori Nakamura of Kyoto University (again).

6.64/6.33    93/06/05
    Don't send 050 (-v) information after the 250 response to a QUIT
        command in srvrsmtp -- clients usually close the connection
        at this point, and it causes bogus error messages.
    Don't send messages that have errors on input (such as unbalanced
        parentheses) during SMTP transactions, since a return
        message has (probably) already been sent.
    Give better diagnostics on timeouts during network reads, including
        information similar to the SMTP phase.
    Fix bug that caused SMTP messages to deliver synchronously; this
        happened after the DATA 250, and hence caused reading the
        next command to be delayed.
    Ignore Errors-To: header unless 'l' (lower case el) header is
        specified. The Errors-To: header violates RFC 1123.
        Errors-To: was only needed to take the place of the
        envelope sender in the days when most Unix mailers
        didn't understand about the two kinds of senders.
    Don't send warning messages in response to automatically generated
        messages (that is, those From:<>).
    CONFIG: fix some rather stupid typos in the mailertable code
        pointed out by Motonori Nakamura of Kyoto University.
    CONFIG: add confUSE_ERRORS_TO configuration option.
    CONFIG: if ALWAYS_ADD_DOMAIN is selected, try to use $M
        (masquerade name) instead of $j.
    CONFIG: don't add dots to relay names (added in 6.29); it breaks
        several things, and can be simulated by dot terminating
        the names of relays. For example, use:
            DBbit.net.relay.
        (note the trailing dot).

6.63/6.32    93/06/01
    Fix prototypes to eliminate chars in argument lists -- some
        compilers are pissy about this.
    Log protocol ($r) and body type if set so we can determine if
        the adaptive algorithms are working.
    Pessimize on locking of database files (particularly for NEWDB
        databases) during opens. There were problems with
        processes opening the file while it was rebuilt; since
        NEWDB caches heavily, the reader opened an empty file,
        which is an error. If your system has the ability to
        lock atomically on open, this works properly; otherwise,
        there are race conditions.
    Check mod time on .pag file instead of .dir in NDBM aliases
        because the .dir file doesn't get updated for small
        alias files. From John Gardiner Myers of CMU.
    More Solaris portability -- it now compiles on Solaris, but
        hangs up in gethostbyname().
    Move setting of RES_DEBUG flag before first myhostname() call
        so we can see name server traffic on that call.
    Fsync() queue files.
    Fix a problem that causes -bi to try to rebuild maps other than
        the alias file(s).
    Fix a problem that caused udb to reject entries from any but
        the first database listed.
    Rearrange doc subdirectory for 4.4BSD release tape.
    CONFIG: put $r into the Received line. This was an oversight.
    CONFIG: fix typo (call to ruleset 99 should have been ruleset 90).
    CONFIG: move "auxiliary" subroutines to be in ruleset 90-99
        range -- in the long run, single digit rulesets may
        become reserved for builtin use by sendmail.
    CONFIG: fix major problem that causes host aliases (that is,
        anything in $=w != $j) to not be recognized. This has
        been around since 6.30.

6.62/6.31    93/05/28
    BETA RELEASE
    Fix recursive syserr (if there is an error printing a syserr
        message). This makes the code much less eager to consider
        a write error as serious. This also includes some
        heuristics to be clever about closed connections.
    Lock NEWDB files during gets. This requires version 1.5 or later
        of the db library. If you have an older version, you
        can use -DOLD_NEWDB. This will go away in a few weeks.
    Fix problem causing aliases that use host maps to get overwritten.
    Do appropriate byte swapping on port numbers in ident protocol
        code. Fix from Allan Johannesen of WPI.
    Defer opening of map files to the same time as alias files so that
        the daemon will tend to pick up new versions more promptly.
    Prototype a bunch more functions.
    Some Solaris 2.1 changes (still doesn't link though).
    Try to simplify Makefiles by including more subordinate #defines
        in conf.h (based on OS type).
    CONFIG: check for domains if FEATURE(mailertable) is defined.
5543 For example, if the host name is "knecht.cs.berkeley.edu" 5544 it will search the following mailertable keys: 5545 knecht.cs.berkeley.edu 5546 .cs.berkeley.edu 5547 .berkeley.edu 5548 .edu 5549 This could be used to replace the special relays for bitnet 5550 and similar nets. 5551 55526.61/6.30 93/05/24 5553 Fix problem that prevented appending dots on canonified host 5554 names. This breaks tons of config files -- very 5555 important fix. 5556 Fix improper pointer dereference in response to HELO command. 5557 Fix core dump if debugging set in map_rewrite. 5558 CONFIG: add FEATURE(always_add_domain) to always attach the 5559 local domain (only impacts local mail). 5560 CONFIG: try to avoid turning names into $j -- although 5561 technically a host can only have one "canonical name", 5562 it seems to be common practice to have several. 5563 55646.60/6.29 93/05/22 5565 Major change: merge alias databases with maps. This expands and 5566 changes the map class interface but fixes a bunch of bugs. 5567 The important user-visible change is that the file name 5568 in a K line now does not include the ".db" extension; this 5569 is added automatically. Also, the -d (NIS domain) flag is 5570 missing from the K config line; use @domain instead. 5571 When compiling, the *_MAP names are gone -- just compile 5572 in NDBM, NEWDB, and/or NIS support. 5573 Announce mailer/host/user triple on -bv flag -- from Brian 5574 Bullen of Stirling University. 5575 Don't send more than one line in response to HELO -- it confuses 5576 Pony Express, which then behaves very badly. However, 5577 this change does send two line 220 greetings, with the 5578 second line reading "ESMTP spoken here". The usersmtp 5579 module recognizes this and goes into ESMTP mode regardless 5580 of the setting of the "a" mailer flag. Thus, "a" means 5581 "always try EHLO". 
	AIX portability changes (thanks to Christophe Wolfhugel of
		Herve Schauer Consultants (Paris) for providing me with
		an INSA account for this purpose). Lightly tested. Use
		-D_AIX3. This probably breaks compatibility with some
		older systems (e.g., 4.2bsd) but still works on SunOS
		4.1.2, Ultrix 4.2A, HP-UX 8.07, OSF/1 T1.3, and AIX 3.2.3.
	Fix a problem causing an error message loop if the output channel
		is hosed.
	Add the Makefiles that I use for various environments -- some are
		Berkeley make versions and some are old make versions.
		My makefile for the NeXT box has gotten lost, alas!
	PRALIASES: support for printing NEWDB databases. From
		Michael J. Corrigan of U.C. San Diego.
	CONFIG: don't pass pseudo-domains to $[ ... $] (if you have
		a wildcard MX it can have weird results). From
		Christophe Wolfhugel.
	CONFIG: dot terminate relay hostnames in S0. From Christophe
		Wolfhugel.

6.59/6.28	93/05/13
	Log version with SMTP daemon startup message.
	Adjust setproctitle to work on NetBSD and BSD/386.
	Fix null pointer reference in MX fallback code.
	A bunch of minor fixes from Eric Wassenaar:
		If deliver cannot execv the mailer, return EX_OSERR
			instead of EX_TEMPFAIL (to give better
			error messages).
		Consistently malloc e_message.
		Catch degenerate case of calling returntosender()
			with an empty returnq.
		MIME reformatting.

6.58/6.28	93/05/13
	Fix bug that can cause incorrect verbose display of user smtp
		messages.
	Disable SMTP VERB command if PRIV_NOEXPN is set (since this
		could reveal the same information).
	Allow failure when reading SMTP greeting message to go on to
		next MX host.
	Add "MIME-Version: 1.0" header if using MIME (this was NOT
		included in RFC 1344, but Bill King of Allen-Bradley
		Company forwarded me email from Nathaniel Borenstein
		claiming that it was an inadvertent omission).
	Don't use Content-Type: X-message-header. According to John
		Myers of CMU, many MIME readers will completely ignore
		the data if they don't recognize it. Instead, just
		add a blank line to make it a legal (empty) message.
	Fix problem causing dots to keep getting appended to cached
		hostnames. This can cause buffer overrun conditions.
		The problem was found by Erik Forsberg of Retix,
		although I used a different bug fix than he provided.
	Fix parsing of split header/envelope rewriting specs -- from
		Eric Forsberg.
	Fix from Eric Wassenaar to correct To: lists in error messages.

6.57/6.28	93/05/11
	Fix minor glitch causing extra ctladdrs to be output to queue
		file. Just an annoyance.
	Cache results of name server canonification lookups to avoid
		backed up queue runs.
	Major rewrite of alias.c: considerable cleanup, plus sample
		(untested) support for NIS aliases. The "A" option
		can now be a comma separated list (or be repeated) --
		that is, you can have multiple alias databases. Each
		database can have the syntax ``class:file''; if no class
		is specified, the "implicit" class is assumed. Implicit
		searches through a list of compiled in types -- hash,
		dbm, nis, and stab. Alias files are searched in the
		order they are listed. For example:
			OAhash:/etc/aliases.local,/etc/aliases
			OAnis:mail.aliases@my.nis.domain
		first searches the hash database /etc/aliases.local,
		then the regular /etc/aliases database, then the NIS
		map "mail.aliases" in the NIS domain "my.nis.domain".
	If in Verbose mode (probably from VERB command) run SMTP job
		in foreground and don't do RCPT optimizations.
	Add udb :mailsender as equivalent to owner- for regular aliases.
	Delete option 8; add option 7 that means the opposite. That is,
		default to 8-bit mode; a special option is needed to
		force sendmail into 7 bit mode.
	Send error messages in encapsulated MIME format.
	New compile flag "NIS" that turns on NIS alias and NIS map
		support.
	Add "j" option to send error messages in MIME (RFC 1341)
		encapsulated message format per RFC 1344. The
		syntax is pretty ugly if you don't have MIME-aware
		user agents.
	Clean up message handling (for display in mailq output).
	New setproctitle implementation for 4.4bsd.
	Create files (such as ~/dead.letter) using mode FileMode (the
		F option value) instead of 0666.
	Fix bug causing output of EXPN command to not be fully qualified.
		This may cause some problems with UUCP addresses that
		will require some config file assistance -- specifically,
		the $: part has to include the host name for this output
		to make sense.
	Fix a problem that sometimes diagnosed errors and still sent the
		message if the header syntax was bad.
	Fix a bug that caused an error message to be emailed when sendmail
		was operating in -bv mode.
	Add "ListenQueueSize" keyword to daemon options option (OO) to
		set the queue size parameter passed to listen(). You
		will normally have to tweak your kernel to up this.
	Strip spaces off of beginning of message-id before logging (in
		case it was folded across lines).
	Tweak compile flags in daemon.c -- there were some cases where
		it wouldn't work without NETINET.
	Change *file* mailer to output all the usual default headers
		(From, Date, Message-Id). It gets used when sending
		back error messages.
	CONFIG: explicitly catch and diagnose list:; syntax in ruleset
		zero -- this is not a valid recipient syntax according
		to RFC 821.
	CONFIG: add confMIME_FORMAT_ERRORS to send error messages in
		MIME format. Defaults to on.
	CONFIG: add SMTP_MAILER_FLAGS and UUCP_MAILER_FLAGS to augment
		the flags for those mailers.

6.56/6.27	93/05/01
	Fix problem that causes the fallback mail to postmaster
		(case ESM_POSTMASTER in savemail()) to not look at
		aliases (ugh).
	Some more HPUX tweaking (compile flag hpux => __hpux so it
		still works in ANSI mode).
	Don't try to flock non-regular files when mailing to a file.
		In particular, this was a problem if you tried to
		send to /dev/null.
	Fix a weird bug that can cause senders to be queued as
		recipients if the name server is down when the mail
		is initially sent. This hack just ignores sender
		deletion (essentially, it sets the MeToo flag) if there
		is a TEMPFAIL during processing of the sender address.
		Obscure.
	Fix a dangling else problem -- from Brian Bullen from University
		of Stirling, UK.
	Add the "b" mailer flag to force a blank line on the end of
		messages. Some brilliant versions of /bin/mail insist
		on this but do not add it themselves.
	Add the "g" mailer flag to prevent user SMTP from sending
		"MAIL From:<>". This is only intended to be a
		transitional gesture, and should not be used if at
		all possible. It appears that Berkeley and IDA
		config files have always handled this properly; the
		UK config kit apparently does not.
	Don't lowercase and then capitalize header field names -- leave
		them with original capitalization. Fixes from Bill
		King of Allen-Bradley Company.
	Further cleanup and improved reporting of error messages,
		particularly conditions that cause messages to be
		requeued for future delivery.
	Tweak syslog priorities in some cases.
	CONFIG: clean up route-addr on UUCP addresses.
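
The mailertable key search described under 6.62/6.31 above, as an added
example that is not sendmail's own code. It generates the keys in the order
the notes list them and returns the first table hit, so a specific entry
always wins over a broader one such as ".edu". The table contents, route
strings and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>	/* strcasecmp */

#define MT_MAXKEYS 16

struct mt_entry { const char *key; const char *route; };

/* Constructed sample table: key syntax follows the notes, routes are made up. */
static const struct mt_entry sample_table[] = {
	{ ".berkeley.edu",        "route-berkeley" },
	{ ".edu",                 "route-edu" },
	{ "mailhost.example.org", "route-exact" },
};
#define SAMPLE_N (sizeof sample_table / sizeof sample_table[0])

/*
 * Fill keys[] with the lookup keys for host, most specific first: the full
 * name, then every suffix that starts at a dot.  The pointers alias host.
 * Returns the number of keys stored (at most max).
 */
int mt_keys(const char *host, const char *keys[], int max)
{
	int n = 0;
	const char *p;

	if (host == NULL || *host == '\0' || max <= 0)
		return 0;
	keys[n++] = host;
	for (p = strchr(host + 1, '.'); p != NULL && n < max;
	     p = strchr(p + 1, '.')) {
		if (p[1] == '\0')	/* assumption: a bare trailing "." is not a key */
			break;
		keys[n++] = p;
	}
	return n;
}

/*
 * Return the route of the first key that is present in the table, or NULL.
 * Keys are tried from most to least specific, so table order is irrelevant.
 * Host names compare case-insensitively.
 */
const char *mt_lookup(const struct mt_entry *tab, size_t ntab, const char *host)
{
	const char *keys[MT_MAXKEYS];
	int nkeys = mt_keys(host, keys, MT_MAXKEYS);

	for (int k = 0; k < nkeys; k++)
		for (size_t i = 0; i < ntab; i++)
			if (strcasecmp(keys[k], tab[i].key) == 0)
				return tab[i].route;
	return NULL;
}

int main(void)
{
	const char *hosts[] = {
		"knecht.cs.berkeley.edu", "host.other.edu",
		"mailhost.example.org", "host.example.org",
	};
	const char *keys[MT_MAXKEYS];
	int n = mt_keys(hosts[0], keys, MT_MAXKEYS);

	for (int i = 0; i < n; i++)
		printf("key %d: %s\n", i + 1, keys[i]);
	for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
		const char *r = mt_lookup(sample_table, SAMPLE_N, hosts[i]);
		printf("%-24s -> %s\n", hosts[i], r ? r : "(no entry)");
	}
	return 0;
}
```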

6.55/6.25	93/04/27
	HPUX 8.07 compatibility changes in getla() -- I had to make
		these changes to get it to work at Berkeley, although
		others seem to have been working before (???).
	Various patches to XLA code.
	Fix problem that causes setuid bit on files to be ignored from
		SMTP or in queue runs. Problem noted by Jason Ornstein
		of Under The Wire, Inc.
	Fix problem that can cause CNAMEs to be ignored.
	Generalize getmxrr to match local host in $=w instead of a
		single name passed in.
	Some cleanup from Eric Wassenaar:
		Use FileMailer instead of ProgMailer in two places.
		Eliminate duplicate 8th-bit stripping in commaize.
		Fix a problem with mis-parsing of backslash escapes
			under some circumstances.
	NIS map fix (was always including trailing null character)
		from Mike Glendinning of Ingres UK.
	Add "a" mailer flag to try using ESMTP. It tries the EHLO
		command and if that fails falls back to regular SMTP.
		Also parses EHLO option keywords. If host supports
		SIZE extension, this is added to the MAIL FROM:
		command.
	Extend "b" option to include a second value which is the
		maximum message size this server is willing to accept.
		For example, a value of "10/1000000" says that there
		must be ten blocks free, and sendmail will reject
		any message larger than one megabyte.
	Some portability hooks for NeXT (this could be applicable
		to Mach in general). You have to create an empty
		file called "unistd.h" to get it to compile.
	Adjust config values (MAXLINE, MAXATOM, and PSBUFSIZE) to
		be more generous.
	Add X400-Received: to the list of headers tagged with H_TRACE
		in conf.c. From Bill King, Allen-Bradley Co.

6.54/6.25	93/04/19
	Fix problem that caused redefinition of SMTP and QUEUE compile
		flags. Pointed out by Jon Forrest of the Sequoia 2000
		project at Berkeley.
	Properly handle \! hack -- it was treating host\!user as one
		token (host!user) instead of three (host, !, user).
		Fix from Eric Wassenaar of NIKHEF-H.
	Fix compilation problem in getauthinfo() if IDENTPROTO is off.
	Turn off DEFNAMES and DNSRCH when getting the hostsignature
		(i.e., MX records) in level 1 configuration files; this
		matches the old behavior. From Motonori Nakamura of
		Kyoto University.
	Improve error message printing -- if sent through an alias,
		error messages include the name of the alias in the
		message. Unfortunately, in order to make this work
		properly in queue runs, this changes the format of the
		C line in the qf file. The relative uselessness of
		the previous information was pointed out to me by
		Allan E Johannesen of WPI.
	Add XLA compile flag to add hooks to Christophe Wolfhugel's
		extended load average code. This is still in very early
		form. For information regarding the guts of the xla
		code, contact Christophe.Wolfhugel@grasp.insa-lyon.fr.
	Additional hooks for detecting tempfails in rewriting rules
		(that is, in map lookups).

6.53/6.25	93/04/15
	Properly diagnose ruleset zero returning null (instead of a mailer
		triple). From Motonori Nakamura of Kyoto University.
	More generalization of socket code for other protocols.
	Shorten timeouts on reverse name lookups -- since they are done
		during connection establishment, long timeouts here can
		cause higher level timeouts. This mainly serves to accept
		mail from hosts that do not have proper reverse (PTR) DNS
		records set up.
	Reset e_statmsg before each mailer invocation to avoid bogus
		messages in the log.
	Redefine $r, $s, and $_ in error envelopes so you don't get
		incorrect cruft in the error message. Problem noted by
		Motonori Nakamura of Kyoto University.
	Fix a problem that can cause failure to return errors to Postmaster
		in certain cases. From Motonori Nakamura.
	Fix a problem that can cause some systems to give duplicate error
		messages when a bad syntax address such as "<a" is presented
		to an SMTP server. It doesn't seem to occur on all
		machines. From Motonori Nakamura.
	Default IDENTPROTO off for Ultrix and HPUX, which apparently have
		the interesting "feature" that when they receive a "Host
		unreachable" message they close all open connections to
		that host. However, some firewall gateways send this message
		if you try to connect to an unauthorized port, such as the
		IDENT port (113). Thus, no email can be received from such
		hosts. There is some evidence that versions of Ultrix before
		4.3 do not have this problem. Thanks to Tom Ivar Helbekkmo
		for pointing out this behavior to me and to Michael Corrigan
		of U.C. San Diego for informing me about the HPUX problem.
	Allow IPC mailers to return a colon-separated list of hosts in the
		$@ clause; these are searched in order as though they were
		MX records.
	When sending an error report, print the list of addresses tagged
		as bad. Requested by Allan E Johannesen of WPI.
	Change map function calls to return a status code. This gets
		passed back as the result of rewrite. Parseaddr marks
		the address as a QUEUEUP address if the return code is
		EX_TEMPFAIL. All this to queue properly if the name
		server is down. This code is not well tested. This code
		changes the interface to map lookup functions (a fifth
		parameter, int *statp, is added). Feature requested by
		Dan Oscarsson.
	Don't delete quotes (in the dequote map) if there are spaces in
		the string, since this would cause them to be replaced by
		the SpaceSub character.
	Accept BODY=8BITMIME on SMTP MAIL command. This isn't advertised
		because the 8BIT to 7BIT translation doesn't exist yet.
		This does add a "bodytype" field to both envelope and
		queue file and a -B command line flag to pass the type in
		during direct invocations.
	Discard return error messages only on responses to responses to
		responses, not on responses to responses. That is, the
		algorithm is to try return to sender, then return to
		postmaster, then discard. Previously it discarded
		immediately if the return to sender pass failed.
	CONFIG: back out change to hide unqualified hostnames behind %-hack.
		This screws up local aliases and .forward files.
	CONFIG: add FEATURE(nocanonify) to turn off calls to $[ ... $];
		some sites only handle completely canonified names.
		Requested by John Gardiner Myers of CMU.
	CONFIG: some UUCP code was still included even if FEATURE(nouucp)
		was specified.

6.52/6.24	93/04/10
	Clean up some minor glitches on error return messages pointed out
		by Motonori Nakamura of Kyoto University.
	Fix reply() to not reset SmtpReplyBuffer on fatal errors; this
		was supposed to reset SmtpMsgBuffer. This makes the
		client side code virtually useless. Reported by Allan
		E Johannesen of WPI and Phil Brandenberger of Swarthmore.
	Better debug messages if fuzzy is disabled, suggested by Allan
		E Johannesen of WPI.
	Offset SmtpReplyBuffer by four in usersmtp when checking for
		loopback. From Eric Wassenaar.
	Don't set $s until after runinchild in srvrsmtp -- otherwise
		it gets cleared. From Eric Wassenaar.
	Implement IDA-style $&x for deferred macro expansion.
	More POSIX compatibility.
	CONFIG: Hide unqualified hostnames behind %-hack using $s as the
		actual sender. This is only done if $r is non-null, that
		is, if this is not locally submitted mail.
	CONFIG: Add FEATURE(bitdomain) allowing mapping of BITNET host
		names to internet domains. A program contributed by
		John Gardiner Myers of CMU to create the maps is included
		in the contrib directory (in the "misc" tar file).
	CONFIG: Add FEATURE(uucpdomain) for a similar mapping for UUCP
		hosts. There is currently no tool to create this map.

6.51/6.23	93/04/04
	Add D= mailer flag to specify a path of possible working directories
		in which to execute the mailer. This is intended for the
		prog mailer; some shells can get upset if they don't have
		access to the current directory.
	Add RFC 1413 (IDENT) protocol support. This is only very loosely
		tested. This adds a $_ macro to be the authenticated
		info (in ``user@domain [address]'' form) and debug flag
		9 to trace the protocol.
	Check for loopbacks in usersmtp instead of srvrsmtp -- there is no
		reason for a local agent to not be talking to the localhost
		(although the inverse is not true).
	Add a few hooks for automated map rebuilding. This is certainly
		not done yet.
	CONFIG: Have prog mailer specify a path of ``D=$z:/'' -- that is,
		user's home directory then the root.
	CONFIG: Log RFC 1413 identification in Received: line.

6.50/6.22	93/04/01
	Fixes to requeueing code to make it compute priority, nrcpts,
		and the like properly.

6.49/6.22	93/04/01
	Diagnose incorrect privacy flags. Suggested by Bryan Costales
		of ICSI.
	Some ANSI C fixes.
	Arrange to quote backslashes as well as other special characters
		in the phrase part of a route-addr.
	Some fixes to FallBackMX code suggested by Motonori Nakamura of
		Kyoto University.
	More vigorous zeroing of CurHostAddr to avoid logging of bogus
		host addresses when you are actually just printing
		information from the MCI structure; problem noted by
		Michael Corrigan of U.C. San Diego.
	Don't ignore rest of queue if any job is not runnable. This can
		also cause an incorrect job to be lost. Fix from
		Eric Wassenaar.
	Always respond "quickly" to RCPT command; do alias expansion and
		the like later. This also means that mail for lists that
		have errors will be accepted, and an error sent back
		later. This is done by instantiating the queue file
		and then immediately running and requeueing it.

6.48/6.22	93/03/30
	Fix incorrect diagnosis of infinite loop in ruleset. Problem noted
		by several people.
	Improve information printed when infinite loops are discovered.
	Zero CurHostAddr to fix erroneous internet addresses in log when no
		addresses can be bound. Pointed out by Motonori Nakamura
		of Kyoto University.
	"Probe" SMTP connections using RSET instead of NOOP "just in case".
		Suggested by John Gardiner Myers of CMU.
	Don't warn about -f if you are setting sender to yourself.

6.47/6.22	93/03/29
	Fix incompatible call to endmailer in smtpquit which causes core
		dumps. Noted by Allan E Johannesen of WPI.
	HPUX portability changes from Michael J. Corrigan of UC San Diego.
	Require MAIL before RCPT command in srvrsmtp.c. This had been
		intentional from the 821 draft days when the order wasn't
		clear, but is silly now.
	Fix bug in nis_magic routine that was initializing parameters
		incorrectly. Fix from Takahiro Kanbe of Fuji Xerox
		Information Systems Co., Ltd.
	Change default for PrivacyFlags in conf.c to 0 -- since it always
		"or"s in new values, there was no way to turn off the
		AuthWarning stuff.
	Add O option to set SMTP daemon options.
	Add V option to set fallback MX host. This always sorts at lower
		priority than anything it gets from the name server. It
		should only be used for environments with very bad network
		connectivity. Requested by several people.
	Log sending info. It's not clear this is a good idea.
	CONFIG: fix typo in mailertable code. Noted by Phil Brandenberger
		of Swarthmore.
	CONFIG: add confDAEMON_OPTIONS and confFALLBACK_MX to set options
		O and V, respectively.

6.46/6.21	93/03/26
	Fix botch in server SMTP that broke transactions that did not
		use HELO first (like MH). Fix from Michael Corrigan
		of U.C. San Diego.
	Fall back to other MX records if there is an error anywhere
		in delivery (actually on MAIL or DATA -- RCPT is harder).
		Suggested by John Gardiner Myers and Motonori Nakamura.
	Revert to non-prototypes -- it turns out that our ANSI C
		compiler is more forgiving than most others about
		mixing prototyped extern declarations with non-prototyped
		function definitions.
	Fix a problem with multi-word class matching pointed out by
		Neil Rickert. Given:
			CX b a.b.c
			R$+ $=X $+	$: $1 < $2 > $3
		the input "user@a.b.c" failed instead of being properly
		rewritten as "user@a.<b>.c".
	Neil also convinced me that it was correct that $~ should match
		only one token -- the problem is that it's always possible
		to add another token, so $~ matches far too eagerly.

6.45/6.21	93/03/25
	Implement multi-word classes (properly!).

6.44/6.21	93/03/25
	Add X-Authentication-Warning: headers to clue users into possible
		attempts to forge mail. This is on the authwarnings
		privacy flag, but is the default. Suggested by Bryan
		Costales of ICSI.
	Pass default units for convtime in so they can be more reasonable.
	Allow config files to always add a new Comments: header (i.e.,
		they will be added even if an old one already exists).
		Suggested by Bryan Costales of ICSI.
	Allow config files to delete an existing Return-Path: header.
		These should only be added at final delivery. Suggested
		by Bryan Costales of ICSI.
	Some debugging additions. Suggested by Bryan Costales of ICSI.
	Clean up logging of Family 0 addresses. Noted by David Muir
		Sharnoff and others.
	Add a "dequote" map class. This allows config files to strip
		quotes off of addresses. Note that this is not a builtin
		map, just a class -- so you have to define the map
		using the K line.
	Fix a bug in the queueup() loop getting a locked tf where in
		very odd cases it can fall off the bottom and core dump.
		Of course, it was Pär Emanuelsson who found it....
	Open a new transcript when splitting an envelope. Problem found
		by Allan E Johannesen of WPI.
	Improved error output in endmailer if the mailer core dumps.
	CONFIG: Fix typo in UUCP mailer definition.
	CONFIG: Default several of the new options on: eight bit input,
		privacy flags set to "authwarnings", and message warning
		set to 4h.
	CONFIG: Use dequote map.

6.43/6.20	93/03/23
	Fix problem with assumption of an sa_len field in a generic
		sockaddr -- it turns out that most vendors haven't
		picked up this (very important) fix.
	Change compilation flags for daemon code -- select one or both
		of NETINET or NETISO, but don't ever set DAEMON manually.
	CONFIG: add FEATURE(mailertable) to do IDA-style mailertables.

6.42/6.19	93/03/19
	Use Postmaster as default fallback return address, not root.
	POSIX changes for file descriptor handling.
	Diagnose errors writing new queue file.
	If you change the owner using an owner- alias, also change the
		error mode to EM_MAIL so that errors don't get dropped
		into an inappropriate directory. Problem noted by
		Allan E Johannesen of WPI.
	If you are su'ed to root, send email as who you really are, not
		as root. From Brian Kantor of U.C. San Diego.
	Allow warning messages to be sent after a configurable interval
		has passed without delivery. The message is sent only
		once per envelope. This changes the format of the qf
		file to have an F line, and the format of the T option
		to take the format "return/warn" (both intervals).
	Don't force all local names to lower case -- this was left over
		from the weird handling of case mapping on aliases. It
		is now driven (as expected) by the "u" mailer flag.
		Problem noted by Pär Emanuelsson.
	Fix problem that caused headers on returned email to be trashed;
		they were getting freed, but are still accessible via
		BlankEnvelope.
	Fix problem that caused bogus ids to be created on returned
		mail.
	Add support for ISO and other non-INET networking. This is by
		no means finished yet. This does assume a lot of other
		system support, like a version of gethostbyname that
		returns non-AF_INET addresses.
	CONFIG: change default on prog mailer to keep upper case in
		user names (i.e., in the program command line).
	CONFIG: strip trailing dots off of hosts in uucp mailer before
		converting to bang format.
	CONFIG: create new "relay" mailer for $R (LOCAL_RELAY) and $H
		(MAIL_HUB) delivery that doesn't add local domain. Note
		that this violates 821, but is probably "more correct"
		for what we are trying to do. Problem pointed out by
		Michael Graff of Iowa State.

6.41/6.18	93/03/18
	Clean up unnecessary creates of queue ids (i.e., empty qf files)
		when not needed, such as when starting up an SMTP
		connection.
	Fix problem where split envelopes aren't instantiated in the queue.
		This is quite a serious bug.
	Owner- aliases had problems with leading spaces causing a
		premature delimitation.

6.40/6.18	93/03/18
	Have ending 250 (after DATA) include the id; suggested by
		Brian Kantor of UC San Diego.
	Add logging on envelope splitting.
	Change queue ids to have one more letter encoding the hour of
		the day so that during a single day there is a greater
		likelihood of uniqueness; requested by Brian Kantor.

6.39/6.18	93/03/18
	Fix minor compile problem if LOCKF is defined.
	Define size of tobuf in conf.h. Observed by Toshinari Takahashi
		of Toshiba.
	Restore e_sender -- this is equivalent to e_from.q_paddr without
		decorations such as angle brackets and comments.
	OSF/1 on Alpha changes from Allan E Johannesen of WPI.
	CONFIG: fix typo in S3 for list syntax (;: => :;). Thanks to
		Christopher Hoover for noting the problem.

6.38/6.17	93/03/17
	Pass envelope to disconnect to avoid another use of CurEnv, which
		can apparently end up being null at inopportune times.
	Log "received from" as "relay=" for consistency (suggested by
		John Gardiner Myers).
	Fix major bug in header handling: if no From: line existed in
		the header (so sendmail inserts one), and the sender is
		an alias that has an owner, the From: line shows the
		owner (as well as the envelope). Fixed by early binding
		the headers (which will change debugging output).
	HPUX portability patches from Michael J. Corrigan of UC San Diego.
	Some attempts to adapt better to out of open file conditions.
	Some changes to ctladdr handling in queue files.

6.37/6.17	93/03/16
	MAJOR CHANGE: delete e_sender and e_returnpath (why are these
		different from e_from?) and $< macro.
	Log correct IP address in relay= field even if the connection
		times out.
	Log "received from [RESPONSE]" on EF_RESPONSE messages (from
		John Gardiner Myers).
	Fixes to SysExMsg logging (sometimes just got "message: %s"
		instead of "message: error message"), noted by Eric
		Wassenaar. Also reported by Motonori Nakamura.
	Improvements to MX piggybacking code, from Motonori Nakamura.
	Fix case where CurHostName points to an auto variable that has
		been deallocated (from Motonori Nakamura).
	Fix bug causing newlines to be included in aliases if option
		"n" (check alias RHS) is set; bug noted by David Muir
		Sharnoff.
	Fix problem causing user names that should be mapped to lower
		case to not be mapped if they are sent during a queue
		run. This greatly simplifies the case mapping code.
		Problem noted by Allan E Johannesen of WPI.
	Don't do recipient address rewriting in buildaddr. This
		improperly did recipient rewriting on sender addresses,
		and just seems bogus in general -- but the change could
		break some .cf files.
	Pass TZ envariable to child processes for System V.
	CONFIG: allow LOCAL_RULE_1 and LOCAL_RULE_2 if you want to
		define those rulesets.
	KNOWN PROBLEM: I have seen some problems on SunOS that cause
		the User Data Base to give errors on some addresses. I
		have tracked the problem back at least as far as 93.02.15
		(version 6.22). Running with debugging on makes it
		go away, so I conclude that it is referencing uninitialized
		stack data. I haven't been able to track this down yet.

6.36/6.16	93/03/08
	Allow local mailer to specify $@host -- this lets you assign the
		"foo" part of jgm+foo to $h for passing in to the local
		mailer.
	Additional debug printing in getcanonname (show query type).
	Don't add the e_fromdomain on sender addresses -- this interacts
		weirdly with the owner- code.
	Improve delivery logging to not log obvious or meaningless stuff.
	Include numeric IP address in Received: lines per RFC 1123 section
		5.2.8.
	Fixed a bug in checking stat() return value if restrictmailq is
		set. Also, check the entire group set instead of just the
		primary group. Both from John Gardiner Myers.
	Don't have usrerr automatically print errno, since this is often
		misleading.
6155 Use transienterror() in makeconnection after connect() fails and 6156 in openmailer after execve() fails (from Eric Wassenaar). 6157 Also moved transienterror() from util.c to conf.c. 6158 Clean up from= logging on response messages. 6159 Undo patch allowing prescan to return a null vector -- it breaks 6160 too many things. 6161 Config: FEATURE(notsticky) lets you use UDB for everything coming 6162 in to the machine, even if it is specifically targetted 6163 to this machine. Without it, UDB is bypassed if the user 6164 name is fully qualified. 6165 Config: fix another minor botch with <> (local mailer wasn't 6166 mapping them properly). 6167 61686.35/6.15 93/03/05 6169 Fix getrealhostname to return null if sinlen <= 0 -- this can 6170 occur if stdin is a pipe. 6171 Avoid infinite loop in getcanonname if name server return 6172 NO_DATA (for example). 6173 Config: avoid having C flag qualify list syntax and error syntax. 6174 61756.34/6.14 93/03/05 6176 Fix logging in deliver to not pass too many parameters to Ultrix 6177 versions of syslog. 6178 Don't write the pid file until after the daemon has actually 6179 opened and conditioned the connection. 6180 Consider addresses "different" if their q_uids differ (so that 6181 two users forwarding to the same program will be seen 6182 as different, rather than the same). 6183 Fix problem with bad parameters in main() -- they set ExitStat 6184 but don't exit. 6185 Fix null pointer references through RealHostName -- painfully 6186 discovered by Allan E Johannesen of WPI. 6187 Fix bug causing user@@localhost to core dump (yuch). 6188 Config: don't put two @host.dom.ain on users in $=E in SMTP 6189 mailer. Also, catch user@ (no host) in ruleset 0. 6190 61916.33/6.13 93/03/03 6192 Config: add confCW_FILE as the name of the cw configuration file 6193 (defaults to /etc/sendmail.cw). From P{r Emanuelsson. 6194 Allow prescan to return a pointer to an empty list -- this is 6195 not an error. 
                Also, clean up error reporting to avoid
                double errors (prescan reports once, then the caller
                reports again).
        Changes to avoid trusting T_ANY queries -- run them, but if you
                don't get the info you expected, do T_A and T_MX queries
                anyhow. This also fixes an oversight where _res.options
                bits were being ignored.
        If PRIV_NOVRFY is set, use 252 response code instead of 502 per
                RFC 1123 section 5.2.3. It's not 100% clear that this
                is correct, but it probably works better with stupid
                mailers that do a VRFY and only check the first digit.

6.32/6.12       93/03/02
        Fix uninitialized variable "protocol" in smtp code.
        Include <unistd.h> in sendmail.h -- move towards POSIX/ANSI.
        Additional hooks for RFC 1427 (ESMTP SIZE extension). This
                includes requiring that enoughspace() know the system
                block size, which will undoubtedly break most ports.
        Trace flag 19 in use for srvrsmtp.c.
        Additional logging -- notably the sending mailer name. This
                also changes the delivery logging to strict field=value
                syntax.
        Fix some problems with messages getting sent even to addresses
                that had been marked bad -- from Eric Wassenaar.
        More WIDE changes: accept host name inside [...] as non-MXed
                host. This is intended ONLY for use inside firewalled
                environments, where the MX points at the gateway.
        Change .cf file conventions so that mapping for <> addresses
                don't have an @ in them (to avoid confusing the C mailer
                flag). Pointed out by Neil Rickert.
        Config extensions for Sam Leffler's FlexFAX software.

6.31/6.10       93/02/28
        Fix some more bugs in alias owner code -- there were some weird
                cases where an error in a non-aliased name would override
                the return info in an aliased name with an owner.
        Changes from WIDE Project, forwarded to me by Motonori Nakamura:
                Log actual delivery host (after MX et al); from
                        yasuhiro@dcl.co.jp.
                Log daemon startup.
                Deliver Postmaster copies without a body.
                Better logging of SMTP senders.
                Send all program email as daemon even when local.
        As requested in various forms from many people, accept -qIstring
                to limit queue runs to jobs with queue-id matching string.
                Similarly for -qRstring for recipients, -qSstring for
                senders.
        Initial hooks for ESMTP support (see RFC 1425).
        Fixed a syntax error in the UUCP mailer specification that caused
                core dumps on startup.
        Check for missing A= or P= arguments in mailer definitions.

6.30/6.10       93/02/27
        Require FROZENCONFIG compilation flag to include frozen
                configuration code. Frozen configuration is really
                not a very good idea any more, particularly in shared
                library environments.
        Do better checking of errno after opens of :include: and .forward
                files to defer delivery on network and other transient
                errors. Suggestion from Craig Everhart.
        Fix minor botch in read timeout macro processing.
        Add FEATURE(nouucp) to config files for sites that know absolutely
                nothing about UUCP.
        Add built cf files to distribution tape and clarify how to build
                them if you don't have the Berkeley make.
        Some sizeof(long) portability changes for the Alpha, from Allan
                E Johannesen.
        Add "restrictmailq" privacy flag -- if set, only people in the same
                group as your queue directory can print the queue. If you
                set this, be sure you also restrict access to log files....
        Fix another bug in owner-list stuff that can cause data files to
                be "lost".
        Fix a bug with queue runs that cause forwards to yourself to go
                into alias/forwarding loops. I'm still iffy about this
                fix.
        Fix from Eric Wassenaar for suppression of return message code.
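An added example, not sendmail's own code: the group test behind the "restrictmailq" flag introduced in 6.30, with the two points the 6.36 entry fixes (checking the stat() return value, and comparing against the entire group set rather than only the primary group). All function names and the sample gids are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample: a user whose primary gid is 100 and who also belongs
 * to supplementary groups 20 and 50; the queue directory has gid 50. */
const gid_t SAMPLE_PRIMARY = 100;
const gid_t SAMPLE_SUPP[] = { 20, 50 };
const int SAMPLE_NSUPP = 2;
const gid_t SAMPLE_QUEUE_GID = 50;

/* Narrow test: only the primary group is compared with the directory's gid. */
int primary_group_matches(gid_t dir_gid, gid_t primary)
{
    return dir_gid == primary;
}

/* Full test: the primary group or any supplementary group may match. */
int group_set_matches(gid_t dir_gid, gid_t primary, const gid_t *supp, int nsupp)
{
    int i;

    if (dir_gid == primary)
        return 1;
    for (i = 0; i < nsupp; i++)
        if (supp[i] == dir_gid)
            return 1;
    return 0;
}

/* Live check for the calling process: 1 allows, 0 denies.  Every failure
 * (stat, getgroups, malloc) denies, and st is read only after stat() has
 * succeeded. */
int may_print_queue(const char *queue_dir)
{
    struct stat st;
    gid_t *supp;
    int n, ok;

    if (stat(queue_dir, &st) != 0)
        return 0;
    n = getgroups(0, NULL);             /* size of the supplementary set */
    if (n < 0)
        return 0;
    supp = malloc(((size_t)n + 1) * sizeof(*supp));
    if (supp == NULL)
        return 0;
    if (n > 0 && (n = getgroups(n, supp)) < 0) {
        free(supp);
        return 0;
    }
    ok = group_set_matches(st.st_gid, getgid(), supp, n);
    free(supp);
    return ok;
}

int main(void)
{
    printf("primary group only: %d\n",
           primary_group_matches(SAMPLE_QUEUE_GID, SAMPLE_PRIMARY));
    printf("entire group set:   %d\n",
           group_set_matches(SAMPLE_QUEUE_GID, SAMPLE_PRIMARY,
                             SAMPLE_SUPP, SAMPLE_NSUPP));
    printf("this process on \".\": %d\n", may_print_queue("."));
    return 0;
}
```

With the sample values, the primary-only test refuses a user who is a legitimate member of the queue directory's group, while the full group-set test admits them.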

6.29/6.9        93/02/24
        Fix yet another problem in alias owner code -- put the wrong return
                address on the enclosed return-to-sender letter.

6.28/6.9        93/02/24
        Fix botch in alias owner code that caused it to not operate if the
                error was detected locally.

6.27/6.9        93/02/24
        M_LOCAL => M_LOCALMAILER to avoid conflict with Ultrix include
                file <sys/mount.h>.
        Miscellaneous bug fixes from Eric Wassenaar:
                sendmail -bv -t logs the from line even though in verify
                        mode only.
                sendmail -v can go into queue mode if shouldqueue returns
                        TRUE.
        Add route-addr pruning per RFC 1123 section 5.3.3. This can be
                disabled using the "R" option.
        Delete (always undocumented) -R flag (save original recipients);
                there are ways to syslog(3) these now.
        Clean up SMTP reply codes -- specify them as needed in the code,
                instead of in conf.c -- this was needed during the NCP to
                TCP transition, but seems silly now. This also changes
                parameters to message and nmessage.
        Have mailstats read the .cf file to find the sendmail.st file and
                get text versions of mailer names. An initial version of
                this code was provided by Tuominen Keijo (although the
                comments indicate the good bits were written by "E.V.").
        Add yet more System V compatibility hacks.
        Fix bug in VRFY code (assumes everything must be a local user).
        Allow specification of any of the hard-wired pathnames in the
                Makefile.
        Delete concept of "trusted users" -- this really didn't provide
                any security anyway, and caused some problems.
        Delete last vestige of support for the word "at" as an equivalent
                to the character "@".
        Propagate owner-foo alias information into the envelope sender.
                Based on code from John Gardiner Myers. This is a major
                semantic change -- beware!
        Allow $@ on LHS to indicate "match zero" -- this is used to match
                the null expression.

6.26/6.8        93/02/21
        Don't "lose" queue runs. Very important fix from (who else?)
                Eric Wassenaar.
        Completely reset state on RSET command -- from Eric Wassenaar.
        Send error messages and return receipts using an envelope sender
                of <> regardless of the setting of $n. Rewriting rules
                can undo this if they feel the necessity, as might be
                needed for networks that don't understand the syntax.
                This is permitted by RFC 821 section 3.6 and required by
                RFC 1123 section 5.3.3. THIS REQUIRES VERSION 4 CONFIG
                FILES because the rulesets must be able to parse <>
                properly.
        Don't ever send error messages to "<>" -- they will get sent to
                the local postmaster or dumped in /usr/tmp/dead.letter
                instead. Per RFC 1123 section 5.3.3.
        Explicitly check for email to yourself as a dotted quad. You
                have to call $[ [ ... ] $] to get this.
        Up the message timeout to five days per RFC 1123 section 5.3.1.1.
        Make all read timeouts individually configurable, as strongly
                recommended by RFC 1123 section 5.3.2.
        Use f_bavail (blocks available to regular users) instead of f_bfree
                (blocks available to superuser) in free block checks.
        Change $d macro to be the current time, not the origination time,
                since this is consistent with how it is used now.
        Generalization of enoughspace from Eric Wassenaar covering
                SGI, Apollo, HPUX, Ultrix, and SunOS.
        Ignore process group signals -- some front ends can do this if
                you kill a window too quickly. From Eric Wassenaar.
        Change umask to 022.

6.25/6.8        93/02/20
        Close all cached connections before calling mailers and after
                forking for delivery (caused double closes which resulted
                in false errors).
        Add FEATURE(redirect) in config files -- this allows you to alias
                old addresses to a pointer to the new address that will
                give a 551 error message, but not deliver the mail.
        Some code changes to make the 551 errors look pretty.
        Names of M4 program paths in config files have changed -- they
                are all XXX_MAILER_PATH now, to match XXX_MAILER_FLAGS.
        Fix a bug in the QSELFREF code having to do with empty .forward
                files, reported by Eric Wassenaar.
        Add option "p" (privacy flags); this allows you to tune how
                picky the SMTP server will be. This also adds the
                confPRIVACY_FLAGS M4 macro in the config files.
        Add option "b" (minimum blocks free). If there are fewer than
                this number of blocks free on the filesystem containing
                the queue directory, the SMTP MAIL command will return
                a 452 response and ask you to try again later. This
                also adds the confMIN_FREE_BLOCKS M4 macro in the config
                files.
        Made VRFY just verify (doesn't expand aliases and .forward files);
                EXPN does full expansion. RCPT in queue-only mode also
                doesn't chase aliases and .forward.

6.24/6.7        93/02/19
        Increase the number of domain search entries in domain.c to allow
                for the extra "" entry indicating the root domain.
                Reported by Motonori Nakamura of Kyoto U.
        Add a "SMART_HOST" in the configs for UUCP-connected sites that
                want to forward all mail with extra "@"s to that site.
                Also allows SMART_HOST, LOCAL_RELAY, and MAIL_HUB to
                be specified as ``mailer:hostname'' to use an alternate
                mailer.
        Clarified and updated some wording in the Operations Guide.
        Add the "c" mailer flag -- this suppresses all comment parts of
                addresses (requested by John Curran of NEARnet).
        Have -v print prompts in -bt mode even if stdin is not a terminal
                (default behavior is to be silent if not reading from
                a terminal). Suggested by Bryan Costales, ICSI.
        Move the metacharacters from C0 space (\001-\037) into C1 space
                (\201-\237).
                This also fixes a bunch of potential bugs
                with G1 characters (\240-\276) in headers relating to
                negative numbers passed to isspace() et al.
        Add YP_LAST_MODIFIED and YP_MASTER_NAME to DBM version of alias
                database if YPCOMPAT is #defined. Enhancement from
                Takahiro Kanbe of Fuji Xerox Information Systems Co., Ltd.
        Add "list" Precedence (-30); this can be used with old sendmails
                which will map to precedence 0 (which will return error
                messages). Suggested by Stephen R. van den Berg.
        Many bug fixes from Eric Wassenaar of the National Institute for
          Nuclear and High-Energy Physics, Amsterdam:
                Clear timeouts properly on open failures in include().
                Don't dereference through NULL if no home directory found.
                Re-establish SIGCHLD signal on System 5 in reapchild().
                Avoid NULL pointer reference on -pFOO flag.
                Properly handle backslash escapes in comments.
                Correctly check reply status on SMTP NOOP command.
                Properly save SMTP error message if peer gives
                        "Service Shutting Down" message.
                Avoid writing to the transcript if it couldn't be opened.
                Signal errors in SMTP children to parent properly.
        Handle self references in a list more globally (include a
                QSELFREF bit in the address flags). This enhancement
                was suggested by Eric Wassenaar.
        Use initgroups() in hpux, even though it's System-V based. The
                HASINITGROUPS compile flag can set this on other systems.
                This HPUX behavior was pointed out by Eric Wassenaar.

6.23/6.6        93/02/16
        Clean up handling of LogLevel to make it easier to figure out
                what's on what level.
        Change log levels to have some consistency:
                  1  serious system failures, security problems
                  2  lost communications, protocol failures
                  3  other serious failures
                  4  minor errors
                  5  message collection
                  6  vrfy logging, creation of return-to-sender
                  7  delivery failures
                  8  delivery successes
                  9  delivery tempfails (queue ups)
                 10  database expansion
                >64  debugging
        Allow IDA-style separated processing on S= and R= in Mailer
                definition lines. Note that rulesets 1 and 2 are
                still used for both addresses as before. Bruce Lilly
                gave a convincing argument that RFC976 insists on
                this behavior.
        Added some time zones to arpatounix -- they may not be in the
                standards, but they are in use. However, I may delete
                arpatounix entirely -- there appears to be no reason
                for it to exist.
        Change to UUCP mailer (in cf directory) to try to do a saner job.
                I'm still not certain about this mailer in general.

6.22/6.5        93/02/15
        Fix bug that prevents saving letters in ~/dead.letter.
        Don't add angle brackets in VRFY command if angle brackets already
                exist in the address.
        Fix bogus error message in udbexpand.
        Null terminate host buffers in buildaddr (broken in 6.21) --
                IMPORTANT FIX!!

6.21/6.5        93/02/15
        Fix another incorrect error message in alias.c, found by Azuma
                Okamoto.
        Fix a couple of problems in the more-configurable config files,
                found by Tom Ivar Helbekkmo.
        Fix problem with quoted :include: entries.
        Don't duplicate the filename on verbose printing of .forward and
                :include: contents.
        Extend size of prescan buffer (to allow bigger addresses). Also,
                detect some buffer overflows.
        Log user SMTP protocol errors (log level 4).

6.20/6.4        93/02/14
        Fix another problem in the MCI state machine caused when there
                were errors generated from the other end to commands
                other than RCPT.
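An added example, not sendmail's own code: the free-block test that option "b" (6.25) applies before accepting MAIL, showing why 6.26 counts f_bavail rather than f_bfree. Function names, the sample block counts, the treatment of a minimum of 0 as "check disabled" and the 452 reply on statvfs() failure are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/statvfs.h>

#define SMTP_OK        250
#define SMTP_NO_SPACE  452     /* temporary failure: the sender retries later */

/* Constructed sample filesystem: 1000 blocks are free in total, but 800 of
 * them sit in the superuser reserve, so ordinary processes can use 200. */
struct fs_blocks { unsigned long bfree; unsigned long bavail; };
const struct fs_blocks SAMPLE_FS = { 1000UL, 200UL };

/* Reply to MAIL for a given free-block count and configured minimum. */
int mail_reply(unsigned long blocks_free, unsigned long min_free)
{
    if (min_free == 0)
        return SMTP_OK;                 /* check disabled */
    return blocks_free < min_free ? SMTP_NO_SPACE : SMTP_OK;
}

/* Counting f_bfree includes the reserve that only root can allocate, so
 * mail keeps being accepted until the reserve itself is consumed. */
int reply_counting_bfree(const struct fs_blocks *fs, unsigned long min_free)
{
    return mail_reply(fs->bfree, min_free);
}

/* Counting f_bavail stops accepting mail while the reserve is still intact. */
int reply_counting_bavail(const struct fs_blocks *fs, unsigned long min_free)
{
    return mail_reply(fs->bavail, min_free);
}

/* Live check against the filesystem holding queue_dir.  f_bavail is in units
 * of f_frsize; min_free is taken to be in the same units.  If the filesystem
 * cannot be queried, the message is deferred instead of accepted blind. */
int mail_reply_for_dir(const char *queue_dir, unsigned long min_free)
{
    struct statvfs sv;

    if (min_free == 0)
        return SMTP_OK;
    if (statvfs(queue_dir, &sv) != 0)
        return SMTP_NO_SPACE;
    return mail_reply((unsigned long)sv.f_bavail, min_free);
}

int main(void)
{
    printf("minimum 500, counting f_bfree:  %d\n",
           reply_counting_bfree(&SAMPLE_FS, 500UL));
    printf("minimum 500, counting f_bavail: %d\n",
           reply_counting_bavail(&SAMPLE_FS, 500UL));
    printf("current directory, minimum 1:   %d\n", mail_reply_for_dir(".", 1UL));
    return 0;
}
```

On the sample filesystem the f_bfree count still answers 250 at a minimum of 500 blocks, while the f_bavail count answers 452 and leaves the reserve untouched.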

6.19/6.4        93/02/14
        Include load average support for DEC Alpha running OSF/1.
        Fix multiple-response problem with errors in MAIL From: line.
        Fix SMTP reply codes for invalid address syntaxes (give 501;
                never give multiple error messages for a single message).
        Fix problem where a cached connection timeout rejects all
                later connects to that host.
        Fix incorrect error message if alias.c is compiled with DBM only.
        Additional changes to fix nested conditionals (from Bruce Lilly).
        Recover more gracefully from operating system failures, particularly
                NULL returns from openmailer (from Noritoshi Demizu,
                OMRON Corporation).
        Log forward, alias, and userdb expand operations on log level 10;
                concept suggested by Pär (Pell) Emanuelsson.
        Changes for HPUX 8.07 compatibility.

6.18/6.4        93/02/12
        Allow any config option to be set using an M4 define.
        Change UNAME compile flag to HASUNAME for IDA compatibility
                (besides, it's a better name).
        Note in README that on SunOS it must be linked -Bstatic.
        Fairly major change in domain.c to handle wildcard MX records
                more rationally. NOTE: the "w" option (no wildcard MX
                records match local domain) has been eliminated.
        Fix some unset variable references pointed out by Bruce Lilly.
        Fix host name in process titles when using cached connection.

6.17/6.3        93/01/28
        Fix System 5 compatibility changes to be compatible with the rest
                of the world.

6.16/6.3        93/01/28
        Experimental fix for problem handling errors in the SMTP
                protocol in conjunction with connection caching.
        System 5 compatibility changes.

6.15/6.3        93/01/26
        Fix a bug that causes local mail delivered using -odq to be
                eliminated as a duplicate (because it matched the
                ctladdr, now passed in as a C line). These changes
                are pretty tricky......

6.14/6.3        93/01/25
        Add debugging for some MCI errors.

6.13/6.3        93/01/22
        Fix -e compatibility flag to take a value.
        Fix a couple of minor compilation warnings on Sun cc.
        Improve error messages in a few cases to be more self-explanatory.

6.12/6.3        93/01/21
        Fix yet-another problem with environment handling, pointed out
                by Yoshitaka Tokugawa and Tom Ivar Helbekkmo.
        Some heuristics to try to limit resource exhaustion problems
                if a downstream host has been down for a long time.
        Fix problem with incorrect host name being logged in "Connection
                timed out" messages (from Tom Ivar Helbekkmo).
        Fix some ANSI C problems (from Takahiro Kanbe).
        Properly log message sender on returned mail during queue run.
        Count number of recipients properly.
        Fix a problem in yp map code.
        Diagnose "message timed out" (from Motonori Nakamura).

6.11/6.3        93/01/20
        Fix problem with address delimiter inside quotes.
        Define $k and $=k to be the UUCP name (from the uname call)
                based on code from Bruce Lilly.

6.10/6.2        93/01/18
        Implement arpatounix (largely code from Bruce Lilly).
        Log more info (suggested by John Myers).
        Allow nested $?...$|...$. (inspired by code from Bruce Lilly of
                Sony US).
        POSIX compatibility (noted by Keith Bostic).
        Handle SMTP MAIL command errors properly (urged by several people,
                notably John Myers of CMU).
        Do early diagnosis of .cf errors (notably referencing a RHS
                substitution that isn't on the LHS).
        Adjust checkpointing to better handle batched recipients, suggested
                by John Myers.
        Fix miscellaneous bugs.
        (config files:) Implement MAIL_HUB for all local mail (to handle
                NFS-mounted directories) as urged by Tom Ivar Helbekkmo
                of the Norwegian School of Economics.

6.9/6.1         93/01/13
        Environment handling simplification/bug fix -- child processes
                get a minimal, fixed environment. This avoids different
                behavior in queue runs.
        Handle commas inside comments properly.
        Properly limit large messages submitted in -obq mode.

6.8/6.1         93/01/10
        Check mtime of thaw file against .cf and sendmail binary, based on
                code from John Myers.

6.7/6.1         93/01/10
        MX piggybacking, based on code from John Myers@CMU.
        Allow checkcompat to return -1 to mean tempfail.
        Bug fix in m_mno computation.

6.6/6.1         93/01/09
        Tuning of queueing functions as recommended by John Gardiner Myers.
        Return mail headers (no body) on messages with negative precedence.
        Minor other bug fixes.

6.5/6.1         93/01/03
        Fix botch causing queued headers to have ?XX? prefixes.

6.4/6.1         93/01/02
        Changes to recognize special mailer types (e.g., file) early.

6.3/6.1         93/01/01
        Pass timeouts to sfgets.
        Check for control characters in addresses.
        Fixed deferred error reporting.
        Report duplicate aliases.
        Handle mixed case recursive aliases.
        Misc bug fixes.

6.2/6.1         92/12/30
        Put return-receipt-to on a conf.c flag (but don't set it).
        Fix minor syslog problem.