pkgsrc-Changes archive


CVS commit: pkgsrc/mail/sendmail



Module Name:    pkgsrc
Committed By:   jnemeth
Date:           Mon Feb 12 03:23:06 UTC 2024

Modified Files:
        pkgsrc/mail/sendmail: Makefile.common PLIST distinfo
        pkgsrc/mail/sendmail/patches: patch-at patch-az

Log Message:
Update to sendmail 8.18.1.

Main changes are:
- stricter RFC compliance to close some security issues
- FIPS 3 support
- full DANE support

                        SENDMAIL RELEASE NOTES

This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.18.1/8.18.1   2024/01/31
        sendmail is now stricter in following the RFCs and rejects
                some invalid input with respect to line endings
                and pipelining:
                - Prevent transaction stuffing by ensuring SMTP clients
                wait for the HELO/EHLO and DATA response before sending
                further SMTP commands.  This can be disabled using
                the new srv_features option 'F'.  Issue reported by
                Yepeng Pan and Christian Rossow from CISPA Helmholtz
                Center for Information Security.
                - Accept only CRLF . CRLF as end of an SMTP message
                as required by the RFCs, which can be disabled by the
                new srv_features option 'O'.
                - Do not accept a CR or LF except in the combination
                CRLF (as required by the RFCs).  These checks can
                be disabled by the new srv_features options
                'U' and 'G', respectively.  In this case it is
                suggested to use 'u2' and 'g2' instead so the server
                replaces offending bare CR or bare LF with a space.
                It is recommended to only turn these protections off
                for trusted networks due to the potential for abuse.
        Full DANE support is available if OpenSSL versions 1.1.1 or 3.x
                are used, i.e., TLSA RR 2-x-y and 3-x-y are supported
                as required by RFC 7672.
        OpenSSL version 3.0.x is supported.  Note: OpenSSL 3 loads by
                default an openssl.cnf file from a location specified
                in the library which may cause unwanted behaviour
                in sendmail.  Hence sendmail sets the environment
                variable OPENSSL_CONF to /etc/mail/sendmail.ossl
                to override the default.  The file name can be
                changed by defining confOPENSSL_CNF in the mc file;
                using an empty value prevents setting OPENSSL_CONF.
                Note: referring to a file which does not exist does
                not cause an error.
        Two new values have been added for {verify}:
                "DANE_TEMP": DANE verification failed temporarily.
                "DANE_NOTLS": DANE was required but STARTTLS was not
                offered by the server.
                The default rules return a temporary error for these
                cases, so delivery is not attempted.
        If the TLS setup code in the client fails and DANE requirements
                exist then {verify} will be set to "DANE_TEMP" thus
                preventing delivery by default.
        DANE related logging has been slightly changed for clarification:
                "DANE configured in DNS but no STARTTLS available"
                changed to
                "DANE configured in DNS but STARTTLS not offered"
        When the compile time option USE_EAI is enabled, vacation could
                fail to respond when it should (the code change in
                8.17.2 was incomplete).  Problem reported by Alex
                Hautequest.
        If SMTPUTF8 BODY=7BIT are used as parameters for the MAIL command
                the parsing of UTF8 addresses could fail (USE_EAI).
        If a reply to a previous RCPT was received while sending
                another RCPT in pipelining mode then parts of the
                reply could have been assigned to the wrong RCPT.
        New DontBlameSendmail option CertOwner to relax requirement
                for certificate public and private key ownership.
                Based on suggestion from Marius Strobl of the
                FreeBSD project.
        clt_features was not checked for connections via Unix domain
                sockets.
        CONFIG: FEATURE(`enhdnsbl') did not handle multiple replies
                from DNS lookups thus potentially causing random
                "false negatives".
                Note: the fix creates an incompatibility:
                the arguments must not have a trailing dot anymore
                because the -a. option has been removed (as it only
                applies to the entire result, not individual values).
        CONFIG: New FEATURE(`fips3') for basic FIPS support in OpenSSL 3.
        VACATION: Add support for Return-Path header to set sender
                to match OpenBSD and NetBSD functionality.
        VACATION: Honor RFC3834 and avoid an auto-reply if
                'Auto-Submitted: no' is found in the headers to
                match OpenBSD and NetBSD functionality.
        VACATION: Avoid an auto-reply if a 'List-Id:' is found in
                the headers to match OpenBSD functionality.
        VACATION: Add support for $SUBJECT in .vacation.msg which
                is replaced with the first line of the subject of the
                original message to match OpenBSD and NetBSD
                functionality.
        Portability:
                Add support for Darwin 23.
        New Files:
                cf/feature/fips3.m4
                devtools/OS/Darwin.23.x
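
The line-ending rules from the 8.18.1 notes above, as an added Python example (not sendmail's code and not part of this commit): end of message is recognised only at CRLF . CRLF, and a bare CR or LF is either rejected or replaced with a space as described for 'u2'/'g2'. The function names and the sample message are constructed for illustration.

```python
import re

BARE_CR = re.compile(rb"\r(?!\n)")    # CR not followed by LF
BARE_LF = re.compile(rb"(?<!\r)\n")   # LF not preceded by CR
EOM = b"\r\n.\r\n"                    # the only accepted end-of-message marker


def split_at_eom(data: bytes):
    """Split bytes received after the 354 reply into (body, rest).

    Returns (None, data) while no CRLF . CRLF has arrived. A leading
    ".\\r\\n" also counts, because the DATA command line ended in CRLF.
    """
    if data.startswith(b".\r\n"):
        return b"", data[3:]
    pos = data.find(EOM)
    if pos < 0:
        return None, data
    return data[:pos + 2], data[pos + len(EOM):]


def check_body(body: bytes, replace: bool = False):
    """Apply the bare CR / bare LF rule to one message body.

    replace=False: ("reject", offsets of the offending bytes).
    replace=True:  ("accept", body with each bare CR or LF replaced by a
                   space), the behaviour the notes describe for 'u2'/'g2'.
    """
    bad = sorted(m.start() for rx in (BARE_CR, BARE_LF)
                 for m in rx.finditer(body))
    if not bad:
        return "accept", body
    if not replace:
        return "reject", bad
    return "accept", BARE_LF.sub(b" ", BARE_CR.sub(b" ", body))


# Constructed sample: the body carries a "dot line" delimited by bare LFs,
# which a lenient parser could mistake for the end of the message.
SAMPLE = b"Subject: demo\r\n\r\nfirst part\n.\nsecond part\r\n.\r\n"

if __name__ == "__main__":
    body, rest = split_at_eom(SAMPLE)
    print(check_body(body))                 # strict: reject, with offsets
    print(check_body(body, replace=True))   # relaxed: bare LFs become spaces
```

SMTP dot-stuffing is left out to keep the example on the line-ending rule.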


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.70 pkgsrc/mail/sendmail/Makefile.common
cvs rdiff -u -r1.26 -r1.27 pkgsrc/mail/sendmail/PLIST
cvs rdiff -u -r1.70 -r1.71 pkgsrc/mail/sendmail/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/mail/sendmail/patches/patch-at
cvs rdiff -u -r1.4 -r1.5 pkgsrc/mail/sendmail/patches/patch-az

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mail/sendmail/Makefile.common
diff -u pkgsrc/mail/sendmail/Makefile.common:1.69 pkgsrc/mail/sendmail/Makefile.common:1.70
--- pkgsrc/mail/sendmail/Makefile.common:1.69   Mon Jan 15 04:43:22 2024
+++ pkgsrc/mail/sendmail/Makefile.common        Mon Feb 12 03:23:05 2024
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.69 2024/01/15 04:43:22 jnemeth Exp $
+# $NetBSD: Makefile.common,v 1.70 2024/02/12 03:23:05 jnemeth Exp $
 #
 # used by mail/libmilter/Makefile
 # used by mail/sendmail/Makefile
@@ -22,7 +22,7 @@ PATCHDIR=     ${.CURDIR}/../../mail/sendmail
 
 USE_CC_FEATURES=       c99
 
-DIST_VERS=     8.17.2
+DIST_VERS=     8.18.1
 
 MAKE_ENV+=     BSD_BINOWN=${BINOWN} BSD_BINGRP=${BINGRP} \
                BSD_MANOWN=${MANOWN} BSD_MANGRP=${MANGRP} \
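
Review bot: DIST_VERS is bumped in Makefile.common, which its own header says is also used by mail/libmilter/Makefile, yet the commit lists only files under mail/sendmail. This moves libmilter to 8.18.1 as well, so confirm that mail/libmilter still builds and packages cleanly with the new distfile, and mention libmilter in the log message.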

Index: pkgsrc/mail/sendmail/PLIST
diff -u pkgsrc/mail/sendmail/PLIST:1.26 pkgsrc/mail/sendmail/PLIST:1.27
--- pkgsrc/mail/sendmail/PLIST:1.26     Mon Jan 15 04:43:22 2024
+++ pkgsrc/mail/sendmail/PLIST  Mon Feb 12 03:23:05 2024
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.26 2024/01/15 04:43:22 jnemeth Exp $
+@comment $NetBSD: PLIST,v 1.27 2024/02/12 03:23:05 jnemeth Exp $
 bin/hoststat
 bin/mailq
 bin/newaliases
@@ -110,6 +110,7 @@ share/sendmail/feature/delay_checks.m4
 share/sendmail/feature/dnsbl.m4
 share/sendmail/feature/domaintable.m4
 share/sendmail/feature/enhdnsbl.m4
+share/sendmail/feature/fips3.m4
 share/sendmail/feature/generics_entire_domain.m4
 share/sendmail/feature/genericstable.m4
 share/sendmail/feature/greet_pause.m4
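
Review bot: Only share/sendmail/feature/fips3.m4 is added to the PLIST, while the release notes in the log list two new files, cf/feature/fips3.m4 and devtools/OS/Darwin.23.x. Confirm that nothing under devtools/OS is installed by the package, so that this one line really completes the PLIST.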

Index: pkgsrc/mail/sendmail/distinfo
diff -u pkgsrc/mail/sendmail/distinfo:1.70 pkgsrc/mail/sendmail/distinfo:1.71
--- pkgsrc/mail/sendmail/distinfo:1.70  Mon Jan 15 04:43:22 2024
+++ pkgsrc/mail/sendmail/distinfo       Mon Feb 12 03:23:05 2024
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.70 2024/01/15 04:43:22 jnemeth Exp $
+$NetBSD: distinfo,v 1.71 2024/02/12 03:23:05 jnemeth Exp $
 
-BLAKE2s (sendmail.8.17.2.tar.gz) = 0af32d01e11ef8c414f66903b3f59b5b4dc2bacb9f3ee5a7782a35527dfab2fc
-SHA512 (sendmail.8.17.2.tar.gz) = a25d964136a3efeb7737c34aed34804dd61292bd70eaaba724274a862604a6cd5ca3bcac635e445864c23699b1704c3662d262a5694bd26e298fc1c0e8ba817d
-Size (sendmail.8.17.2.tar.gz) = 2313458 bytes
+BLAKE2s (sendmail.8.18.1.tar.gz) = 959e83d47978867cf89f817e51ce16a834998ef94a417ead59ddfdfdf0debff0
+SHA512 (sendmail.8.18.1.tar.gz) = 9ce713b44439d4de6faa9e3cdfa2226b44b4fbeb352a5f81584c062570e9472da244158287e489aabe258d28fe54ca4964565c7b0adc7e1763d212be42f98061
+Size (sendmail.8.18.1.tar.gz) = 2401566 bytes
 SHA1 (patch-aa) = bd1ab754f7146d002eaf8c0347e114b4049a7776
 SHA1 (patch-af) = 8c80610916000dfb4e4e28a64eeb0b283535fc93
 SHA1 (patch-ag) = 6dcca8944aa854f1767c7ee12fe14872a4e14d2e
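
Review bot: The new BLAKE2s and SHA512 lines for sendmail.8.18.1.tar.gz are the only integrity anchor for the larger tarball (2401566 bytes, up from 2313458), and the log message does not say how the distfile was authenticated. State in the commit log that the tarball was checked against upstream's published signature or checksums before these values were generated.
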
@@ -14,13 +14,13 @@ SHA1 (patch-ao) = 88dd76b71ad57a8d0efdb6
 SHA1 (patch-aq) = 5c083d9f9f71bcc42811a3d085e936eaaa404c96
 SHA1 (patch-ar) = 4e9162c96329716f844c0c64efb9d0a2915ad1cb
 SHA1 (patch-as) = e5e266d3c488494a12c303b068c15edde24e0504
-SHA1 (patch-at) = 7bd83d1171f665ed4fb62181dac7c31098a5e2ee
+SHA1 (patch-at) = abb43369d751cf5969db2729da3454c67934b0af
 SHA1 (patch-au) = 08a96e145a9c37ba1ba836457157f1ab781380dc
 SHA1 (patch-av) = bb6ecd69f6b0db22056b492890d2c6369cd08977
 SHA1 (patch-aw) = e340bd366ce04c4d5ddd15f964bc4040e715a6c9
 SHA1 (patch-ax) = 771c9c8a951a09c80eb85233986af1fc7fedbe77
 SHA1 (patch-ay) = 0a043f2ff0028d475ee852b302844626f4ff4609
-SHA1 (patch-az) = 53738dc9d3618838a6e6fd2f0ec9c4fd1f19ae2e
+SHA1 (patch-az) = c951d7f00b92b1783fc5e633897d33238f1970d9
 SHA1 (patch-ba) = c190b11b9874f00a18b9c75b6e734f4a9dd3f68f
 SHA1 (patch-bb) = 6c86a60af25b02fc0389f1d40f59c5031d9679f1
 SHA1 (patch-bc) = 9e7346342dfe1ca5d84053b913df4be41a979683

Index: pkgsrc/mail/sendmail/patches/patch-at
diff -u pkgsrc/mail/sendmail/patches/patch-at:1.3 pkgsrc/mail/sendmail/patches/patch-at:1.4
--- pkgsrc/mail/sendmail/patches/patch-at:1.3   Mon Jan 15 04:43:22 2024
+++ pkgsrc/mail/sendmail/patches/patch-at       Mon Feb 12 03:23:06 2024
@@ -1,6 +1,6 @@
-$NetBSD: patch-at,v 1.3 2024/01/15 04:43:22 jnemeth Exp $
+$NetBSD: patch-at,v 1.4 2024/02/12 03:23:06 jnemeth Exp $
 
---- sendmail/domain.c.orig     2023-05-31 19:55:42.000000000 +0000
+--- sendmail/domain.c.orig     2024-01-31 06:38:32.000000000 +0000
 +++ sendmail/domain.c
 @@ -23,6 +23,7 @@ SM_RCSID("@(#)$Id: domain.c,v 8.205 2013
  #include <sm/sendmail.h>
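
Review bot: The regenerated patch-at header still goes straight from the $NetBSD$ line to "--- sendmail/domain.c.orig" with no description in between. Add a short comment after the RCS id saying what the patch changes in domain.c and why (the visible hunks replace _res with sm_res), so the next update does not have to work that out from the hunks again.
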
@@ -19,7 +19,7 @@ $NetBSD: patch-at,v 1.3 2024/01/15 04:43
  # endif
  
  # ifndef HFIXEDSZ
-@@ -623,9 +624,9 @@ getmxrr(host, mxhosts, mxprefs, flags, r
+@@ -909,9 +910,9 @@ getmxrr(host, mxhosts, mxprefs, flags, r
  # if DANE
        cname2mx = false;
        qname[0] = '\0';
@@ -31,7 +31,7 @@ $NetBSD: patch-at,v 1.3 2024/01/15 04:43
  # endif
  
        if ((fallbackMX != NULL && (flags & DROPLOCALHOST) != 0 &&
-@@ -784,7 +785,7 @@ getmxrr(host, mxhosts, mxprefs, flags, r
+@@ -1072,7 +1073,7 @@ getmxrr(host, mxhosts, mxprefs, flags, r
  # endif
                if (type != T_MX)
                {
@@ -40,7 +40,7 @@ $NetBSD: patch-at,v 1.3 2024/01/15 04:43
  # if DANE
                            && type != T_RRSIG
  # endif
-@@ -1102,13 +1103,13 @@ punt:
+@@ -1410,13 +1411,13 @@ punt:
        }
      done:
  # if DANE
@@ -56,7 +56,7 @@ $NetBSD: patch-at,v 1.3 2024/01/15 04:43
  # endif
        return -1;
  }
-@@ -1178,7 +1179,7 @@ bestmx_map_lookup(map, name, av, statp)
+@@ -1486,7 +1487,7 @@ bestmx_map_lookup(map, name, av, statp)
        int *statp;
  {
        int nmx;
@@ -65,19 +65,19 @@ $NetBSD: patch-at,v 1.3 2024/01/15 04:43
        int i;
        ssize_t len = 0;
        char *result;
-@@ -1190,9 +1191,9 @@ bestmx_map_lookup(map, name, av, statp)
+@@ -1498,9 +1499,9 @@ bestmx_map_lookup(map, name, av, statp)
        char buf[PSBUFSIZE / 2];
  # endif
  
 -      _res.options &= ~(RES_DNSRCH|RES_DEFNAMES);
 +      sm_res.options &= ~(RES_DNSRCH|RES_DEFNAMES);
-       nmx = getmxrr(name, mxhosts, NULL, 0, statp, NULL, -1);
+       nmx = getmxrr(name, mxhosts, NULL, 0, statp, NULL, -1, NULL);
 -      _res.options = saveopts;
 +      sm_res.options = saveopts;
        if (nmx <= 0)
                return NULL;
        if (bitset(MF_MATCHONLY, map->map_mflags))
-@@ -1342,16 +1343,22 @@ dns_getcanonname(host, hbsize, trymx, st
+@@ -1650,16 +1651,22 @@ dns_getcanonname(host, hbsize, trymx, st
        if (tTd(8, 2))
                sm_dprintf("dns_getcanonname(%s, trymx=%d)\n", host, trymx);
  
@@ -106,7 +106,7 @@ $NetBSD: patch-at,v 1.3 2024/01/15 04:43
  # endif
  
        *statp = EX_OK;
-@@ -1401,7 +1408,7 @@ cnameloop:
+@@ -1709,7 +1716,7 @@ cnameloop:
                searchlist[sli++] = NameSearchList;
        }
  # endif
@@ -115,7 +115,7 @@ $NetBSD: patch-at,v 1.3 2024/01/15 04:43
        {
                /* make sure there are less than MAXDNSRCH domains */
                for (domain = RES_DNSRCH_VARIABLE, ret = 0;
-@@ -1409,10 +1416,10 @@ cnameloop:
+@@ -1717,10 +1724,10 @@ cnameloop:
                     ret++)
                        searchlist[sli++] = *domain++;
        }
@@ -128,7 +128,7 @@ $NetBSD: patch-at,v 1.3 2024/01/15 04:43
        }
        else if (*cp == '.')
        {
-@@ -1718,13 +1725,13 @@ nexttype:
+@@ -2026,13 +2033,13 @@ nexttype:
        if (ttl > 0 && pttl != NULL)
                *pttl = ttl;
  # if DANE

Index: pkgsrc/mail/sendmail/patches/patch-az
diff -u pkgsrc/mail/sendmail/patches/patch-az:1.4 pkgsrc/mail/sendmail/patches/patch-az:1.5
--- pkgsrc/mail/sendmail/patches/patch-az:1.4   Sun Jul  4 07:57:13 2021
+++ pkgsrc/mail/sendmail/patches/patch-az       Mon Feb 12 03:23:06 2024
@@ -1,8 +1,8 @@
-$NetBSD: patch-az,v 1.4 2021/07/04 07:57:13 jnemeth Exp $
+$NetBSD: patch-az,v 1.5 2024/02/12 03:23:06 jnemeth Exp $
 
---- sendmail/srvrsmtp.c.orig   2020-06-08 08:35:03.000000000 +0000
+--- sendmail/srvrsmtp.c.orig   2024-01-31 06:38:32.000000000 +0000
 +++ sendmail/srvrsmtp.c
-@@ -48,6 +48,10 @@ static bool tls_ok_srv = false;
+@@ -51,6 +51,10 @@ static bool tls_ok_srv = false;
  static bool   NotFirstDelivery = false;
  #endif
  
@@ -11,17 +11,17 @@ $NetBSD: patch-az,v 1.4 2021/07/04 07:57
 +#endif
 +
  /* server features */
- #define SRV_NONE      0x0000  /* none... */
- #define SRV_OFFER_TLS 0x0001  /* offer STARTTLS */
-@@ -1408,6 +1412,7 @@ smtp(nullserver, d_flags, e)
-                                         (int) tp.tv_sec +
-                                               (tp.tv_usec >= 500000 ? 1 : 0)
+ #define SRV_NONE      0x00000000      /* none... */
+ #define SRV_OFFER_TLS 0x00000001      /* offer STARTTLS */
+@@ -1537,6 +1541,7 @@ smtp(nullserver, d_flags, e)
+                                         (int) tp->tv_sec +
+                                               (tp->tv_usec >= 500000 ? 1 : 0)
                                         );
 +                              BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, fd, "pre-greeting traffic");
                        }
                }
        }
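
Review bot: The hook carried in this hunk reports "pre-greeting traffic" with the action BLACKLIST_AUTH_FAIL, although no AUTH has been attempted at that point, so an early talker and a failed login are recorded as the same event. Either document in the patch why it is counted as an authentication failure or report it under a distinct action. The context around it also changed from tp.tv_sec to tp->tv_sec, so check that fd still names the client connection at this place in 8.18.1.
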
-@@ -1680,7 +1685,12 @@ smtp(nullserver, d_flags, e)
+@@ -1822,7 +1827,12 @@ smtp(nullserver, d_flags, e)
                        /* get an OK if we're done */
                        if (result == SASL_OK)
                        {
@@ -34,7 +34,7 @@ $NetBSD: patch-az,v 1.4 2021/07/04 07:57
                                message("235 2.0.0 OK Authenticated");
                                authenticating = SASL_IS_AUTH;
                                macdefine(&BlankEnvelope.e_macro, A_TEMP,
-@@ -1825,6 +1835,7 @@ smtp(nullserver, d_flags, e)
+@@ -1967,6 +1977,7 @@ smtp(nullserver, d_flags, e)
        {       \
                SET_AUTH_USER_CONDITIONALLY     \
                message("535 5.7.0 authentication failed");     \
@@ -42,7 +42,7 @@ $NetBSD: patch-az,v 1.4 2021/07/04 07:57
                if (LogLevel >= 9)      \
                        sm_syslog(LOG_WARNING, e->e_id, \
                                  "AUTH failure (%s): %s (%d) %s%s%.*s, relay=%.100s",  \
-@@ -1940,6 +1951,10 @@ smtp(nullserver, d_flags, e)
+@@ -2082,6 +2093,10 @@ smtp(nullserver, d_flags, e)
                                if (nullserver != NULL &&
                                    ++n_badcmds > MAXBADCOMMANDS)
                                {
@@ -53,7 +53,7 @@ $NetBSD: patch-az,v 1.4 2021/07/04 07:57
                                        message("421 4.7.0 %s Too many bad commands; closing connection",
                                                MyHostName);
  
-@@ -3663,7 +3678,11 @@ doquit:
+@@ -3926,7 +3941,11 @@ smtp(nullserver, d_flags, e)
  #if MAXBADCOMMANDS > 0
                        if (++n_badcmds > MAXBADCOMMANDS)
                        {
@@ -65,7 +65,7 @@ $NetBSD: patch-az,v 1.4 2021/07/04 07:57
                                message("421 4.7.0 %s Too many bad commands; closing connection",
                                        MyHostName);
  
-@@ -4136,8 +4155,8 @@ smtp_data(smtp, e)
+@@ -4422,8 +4441,8 @@ smtp_data(smtp, e, check_stuffing)
        id = e->e_id;
  
  #if NAMED_BIND
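
Review bot: No new hook site appears in the regenerated patch-az: the inner hunks are the same ones as before (pre-greeting traffic, the SASL result handling, the 535 authentication-failed path and the two "Too many bad commands" paths), even though the last hunk header shows smtp_data() now taking check_stuffing. Decide whether clients rejected by the new 8.18.1 transaction-stuffing and bare CR/LF checks should also go through BLACKLIST_NOTIFY, and say so in the log message if they are left out on purpose.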


