Linux Cubed Series 7: Sunsite

home *** CD-ROM | disk | FTP | other *** search

/ Linux Cubed Series 7: Sunsite / Linux Cubed Series 7 - Sunsite Vol 1.iso / system / mail / delivery / sendmail.002 / sendmail / sendmail-8.7.3-bin / RELEASE_NOTES < prev next >

Wrap

Text File | 1995-12-10 | 191.5 KB | 4,029 lines

SENDMAIL RELEASE NOTES @(#)RELEASE_NOTES 8.7.3.1 (Berkeley) 12/3/95 This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release. 8.7.3/8.7.3 95/12/xx Fix botch in name server timeout in RCPT code; this problem caused two responses in SMTP, which breaks things horribly. Fix from Gregory Neil Shapiro of WPI. Verify that L= value on M lines cannot be negative, which could cause negative array subscripting. Not a security problem since this has to be in the config file, but it could have caused core dumps. Pointed out by Bryan Costales. Fix -d21 debug output for long macro names. Pointed out by Bryan Costales. PORTABILITY FIXES: SCO doesn't have ftruncate. From Bill Aten of Computerizers. IBM's version of arpa/nameser.h defaults to the wrong byte order. Tweak it to work properly. Based on fixes from Fletcher Mattox of UTexas and Betty Lee of Stanford University. CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option. Deficiency pointed out by Bryan Costales of ICSI. 8.7.2/8.7.2 95/11/19 REALLY fix the backslash escapes in SmtpGreetingMessage, OperatorChars, and UnixFromLine options. They were not properly repaired in 8.7.1. Completely delete the Bcc: header if and only if there are other valid recipient headers (To:, Cc: or Apparently-To:, the last being a historic botch, of course). If Bcc: is the only recipient header in the message, it's value is tossed, but the header name is kept. The old behaviour (always keep the header name and toss the value) allowed primary recipients to see that a Bcc: went to _someone_. Include queue id on ``Authentication-Warning: <host>: <user> set sender to <addresss> using -f'' syslog messages. Suggested by Kari Hurtta. If a sequence or switch map lookup entry gets a tempfail but then continues on to another map type, but the name is not found, return a temporary failure from the sequence or switch map. For example, if hosts search ``dns files'' and DNS fails with a tempfail, the hosts map will go on and search files, but if it fails the whole thing should be a tempfail, not a permanent (host unknown) failure, even though that is the failure in the hosts.files map. This error caused hard bounces when it should have requeued. Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo owned by bar mode 700 and inbox being setuid bar stopped working properly due to excessive paranoia. Pointed out by John Hawkinson of Panix. An SMTP RCPT command referencing a host that gave a nameserver timeout would return a 451 command (8.6 accepted it and queued it locally). Revert to the 8.6 behaviour in order to simplify queue management for clustered systems. Suggested by Gregory Neil Shapiro of WPI. The same problem could break MH, which assumes that the SMTP session will succeed (tsk, tsk -- mail gets lost!); this was pointe dout by Stuart Pook of Infobiogen. Fix possible buffer overflow in munchstring(). This was not a security problem because you couldn't specify any argument to this without first giving up root privileges, but it is still a good idea to avoid future problems. Problem noted by John Hawkinson and Sam Hartman of MIT. ``452 Out of disk space for temp file'' messages weren't being printed. Fix from David Perlin of Nanosoft. Don't advertise the ESMTP DSN extension if the SendMIMEErrors option is not set, since this is required to get the actual DSNs created. Problem pointed out by John Gardiner Myers of CMU. Log permission problems that cause .forward and :include: files to be untrusted or ignored on log level 12 and higher. Suggestted by Randy Martin of Clemson University. Allow user ids in U= clauses of M lines to have hyphens and underscores. Fix overcounting of recipients -- only happened when sending to an alias. Pointed out by Mark Andrews of SGI and Jack Woolley of Systems and Computer Technology Corporation. If a message is sent to an address that fails, the error message that is returned could show some extraneous "success" information included even if the user did not request success notification, which was confusing. Pointed out by Allan Johannesen of WPI. Config files that had no AliasFile definition were defaulting to using /etc/aliases; this caused problems with nullclient configurations. Change it back to the 8.6 semantics of having no local alias file unless it is declared. Problem noted by Charles Karney of Princeton University. Fix compile problem if NOTUNIX is defined. Pointed out by Bryan Costales of ICSI. Map lookups of class "userdb" maps were always case sensitive; they should be controlled by the -f flag like other maps. Pointed out by Bjart Kvarme <bjart.kvarme@usit.uio.no>. Fix problem that caused some addresses to be passed through ruleset 5 even when they were tagged as "sticky" by prefixing the address with an "@". Patch from Thomas Dwyer III of Michigan Technological University. When converting a message to Quoted-Printable, prevent any lines with dots alone on a line by themselves. This is because of the preponderence of broken mailers that still get this wrong. Code contributed by Per Hedeland of Ericsson. Fix F{macro}/file construct -- it previously did nothing. Pointed out by Bjart Kvarme of USIT/UiO (Norway). Announce whether a cached connection is SMTP or ESMTP (in -v mode). Requested by Allan Johannesen. Delete check for text format of alias files -- it should be legal to have the database format of the alias files without the text version. Problem pointed out by Joe Rhett of Navigist, Inc. If "Ot" was specified with no value, the TZ variable was not properly imported from the environment. Pointed out by Frank Crawford <frank@ansto.gov.au>. Some architectures core dumped on "program" maps that didn't have extra arguments. Patch from Booker C. Bense of Stanford University. Queue run processes would re-spawn daemons when given a SIGHUP; only the parent should do this. Fix from Brian Coan of the Association for Progressive Communications. If MinQueueAge was set and a message was considered but not run during a queue run and the Timeout.queuereturn interval was reached, a "timed out" error message would be returned that didn't include the failed address (and claimed to be a warning even though it was fatal). The fix is to not return such messages until they are actually tried, i.e., in the next MinQueueAge interval. Problem noted by Rein Tollevik of SINTEF RUNIT, Oslo. Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions that have the hes_getmailhost() routine. DEC Hesiod distributions do not have this routine. Based on a patch from Betty Lee of Stanford University. Extensive cleanups to map open code to handle a locking race condition in ndbm, hash, and btree format database files on some (most non-4.4-BSD based) OS architectures. This should solve the occassional "user unknown" problem during alias rebuilds that has plagued me for quite some time. Based on a patch from Thomas Dwyer III of Michigan Technological University. PORTABILITY FIXES: Solaris: Change location of newaliases and mailq from /usr/ucb to /usr/bin to match Sun settings. From James B. Davis of TCI. DomainOS: Makefile.DomainOS doesn't require -ldbm. From Don Lewis of Silicon Systems. HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x so that the makesendmail script will find it. Pointed out by Richard Allen of the University of Iceland. Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which isn't supported on all compilers. UXPDS: compilation fixes from Diego R. Lopez. CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE. CONFIG: Minor glitch in S21 -- attachment of local domain name didn't have trailing dot. From Jim Hickstein of Teradyne. CONFIG: Fix best_mx_is_local feature to allow nested addresses such as user%host@thishost. From Claude Scarpelli of Infobiogen (France). CONFIG: OSTYPE(hpux10) failed to define the location of the help file. Pointed out by Hannu Martikka of Nokia Telecommunications. CONFIG: Diagnose some inappropriate ordering in configuration files, such as FEATURE(smrsh) listed after MAILER(local). Based on a bug report submitted by Paul Hoffman of Proper Publishing. CONFIG: Make OSTYPE files consistently not override settings that have already been set. Previously it worked differently for different files. CONFIG: Change relay mailer to do masquerading like 8.6 did. My take is that this is wrong, but the change was causing problems for some people. From Per Hedeland of Ericsson. CONTRIB: bitdomain.c patch from John Gardiner Myers <jgm+@CMU.EDU>; portability changes for Posix environments (no functional changes). 8.7.1/8.7.1 95/10/01 Old macros that have become options (SmtpGreetingMessage, OperatorChars, and UnixFromLine) didn't allow backslash escapes in the options, where they previously had. Bug pointed out by John Hawkinson of MIT. Fix strange case of an executable called by a program map that returns a value but also a non-zero exit status; this would give contradictory results in the higher level; in particular, the default clause in the map lookup would be ignored. Change to ignore the value if the program returns non-zero exit status. From Tom Moore of AT&T GIS. Shorten parameters passed to syslog() in some contexts to avoid a bug in many vendors' implementations of that routine. Although this isn't really a bug in sendmail per se, and my solution has to assume that syslog() has at least a 1K buffer size internally (I know some vendors have shortened this dramatically -- they're on their own), sendmail is a popular target. Also, limit the size of %s arguments in sprintf. These both have possible security implications. Solutions suggested by Casper Dik of Sun's Network Security Group (Holland), Mark Seiden, and others. Fix a problem that might cause a non-standard -B (body type) parameter to be passed to the next server with undefined results. This could have security implications. If a filesystem was at > 100% utilization, the freediskspace() routine incorrectly returned an error rather than zero. Problem noted by G. Paul Ziemba of Alantec. Change MX sort order so that local hostnames (those in $=w) always sort first within a given preference. This forces the bestmx map to always return the local host first, if it is included in the list of highest priority MX records. From K. Robert Elz. Avoid some possible null pointer dereferences. Fixes from Randy Martin <WOLF@CLEMSON.EDU> When sendmail starts up on systems that have no fully qualified domain name (FQDN) anywhere in the first matching host map (e.g., /etc/hosts if the hosts service searches "files dns"), sendmail would sleep to try to find a FQDN, which it really really needs. This has been changed to fall through to the next map type if it can't find a FQDN -- i.e., if the hosts file doesn't have a FQDN, it will try dns even though the short name was found in /etc/hosts. This is probably a crock, but many people have hosts files without FQDNs. Remember: domain names are your friends. Log a high-priority message if you can't find your FQDN during startup. Suggested by Simon Barnes of Schlumberger Limited. When using Hesiod, initialize it early to improve error reporting. Patch from Don Lewis of Silicon Systems, Inc. Apparently at least some versions of Linux have a 90 !minute! TCP connection timeout in the kernel. Add a new "connect" timeout to limit this time. Defaults to zero (use whatever the kernel provides). Based on code contributed by J.R. Oldroyd of TerraNet. Under some circumstances, a failed message would not be properly removed from the queue, causing tons of bogus error messages. (This fix eliminates the problematic EF_KEEPQUEUE flag.) Problem noted by Allan E Johannesen and Gregory Neil Shapiro of WPI. PORTABILITY FIXES: On IRIX 5.x, there was an inconsistency in the setting of sendmail.st location. Change the Makefile to install it in /var/sendmail.st to match the OSTYPE file and SGI standards. From Andre <andre@curry.zfe.siemens.de>. Support for Fujitsu/ICL UXP/DS (For the DS/90 Series) from Diego R. Lopez <drlopez@cica.es>. Linux compilation patches from J.R. Oldroyd of TerraNet, Inc. LUNA 2 Mach patches from Motonori Nakamura. SunOS Makefile was including -ldbm, which is for the old dbm library. The ndbm library is part of libc. CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with ``local configuration error'' in nullclient configuration. Patch from Gregory Neil Shapiro of WPI. CONFIG: don't allow an alias file in nullclient configurations -- since all addresses are relayed, they give errors during rebuild. Suggested by Per Hedeland of Ericsson. CONFIG: local mailer on Solaris 2 should always get a -f flag because otherwise the F=S causes the From_ line to imply that root is the sender. Problem pointed out by Claude Scarpelli of Infobiogen (France). NEW FILES: cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake) src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake) src/Makefiles/Makefile.UXPDS 8.7/8.7 95/09/16 Fix a problem that could cause sendmail to run out of file descriptors due to a trashed data structure after a vfork. Fix from Brian Coan of the Institute for Global Communications. Change the VRFY response if you have disabled VRFY -- some people seemed to think that it was too rude. Avoid reference to uninitialized file descriptor if HASFLOCK was not defined. This was used "safely" in the sense that it only did a stat, but it would have set the map modification time improperly. Problem pointed out by Roy Mongiovi of Georgia Tech. Clean up the Subject: line on warning messages and return receipts so that they don't say "Returned mail:"; this can be confusing. Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is useful enough to make it worthwhile printing on "-d". Avoid logging alias statistics every time you read the alias file on systems with no database method compiled in. If you have a name with a trailing dot, and you try looking it up using gethostbyname without the dot (for /etc/hosts compatibility), be sure to turn off RES_DEFNAMES and RES_DNSRCH to avoid finding the wrong name accidently. Problem noted by Charles Amos of the University of Maryland. Don't do timeouts in collect if you are not running SMTP. There is nothing that says you can't have a long running program piped into sendmail (possibly via /bin/mail, which just execs sendmail). Problem reported by Don "Truck" Lewis of Silicon Systems. Try gethostbyname() even if the DNS lookup fails iff option I is not set. This allows you to have hosts listed in NIS or /etc/hosts that are not known to DNS. It's normally a bad idea, but can be useful on firewall machines. This should really be broken out on a separate flag, I suppose. Avoid compile warnings against BIND 4.9.3, which uses function prototypes. From Don Lewis of Silicon Systems. Avoid possible incorrect diagnosis of DNS-related errors caused by things like attempts to resolve uucp names using $[ ... $] -- the fix is to clear h_errno at appropriate times. From Kyle Jones of UUNET. SECURITY: avoid denial-of-service attacks possible by destroying the alias database file by setting resource limits low. This involves adding two new compile-time options: HASSETRLIMIT (indicating that setrlimit(2) support is available) and HASULIMIT (indicating that ulimit(2) support is available -- the Release 3 form is used). The former is assumed on BSD-based systems, the latter on System V-based systems. Attack noted by Phil Brandenberger of Swarthmore University. New syntaxes in test (-bt) mode: ``.Dmvalue'' will define macro "m" to "value". ``.Ccvalue'' will add "value" to class "c". ``=Sruleset'' will dump the contents of the indicated ruleset. ``=M'' will display the known mailers. ``-ddebug-spec'' is equivalent to the command-line -d debug flag. ``$m'' will print the value of macro $m. ``$=c'' will print the contents of class $=c. ``/mx host'' returns the MX records for ``host''. ``/parse address'' will parse address, returning the value of crackaddr (essentially, the comment information) and the parsed address (the same as -bv). ``/try mailer address'' will rewrite address into the form it will have when presented to the indicated mailer. ``/tryflags flags'' will set flags used by parsing. The flags can be `H' for header or `E' for envelope, and `S' for sender or `R' for recipient. These can be combined, so `HR' sets flags for header recipients. ``/canon hostname'' will try to canonify hostname and return the result. ``/map mapname key'' will look up `key' in the indicated `mapname' and return the result. Somewhat better handling of UNIX-domain socket addresses -- it should show the pathname rather than hex bytes. Restore ``-ba'' mode -- this reads a file from stdin and parses the header for envelope sender information and uses CR-LF as message terminators. It was thought to be obsolete (used only for Arpanet NCP protocols), but it turns out that the UK ``Grey Book'' protocols require that functionality. Fix a fix in previous release -- if gethostname and gethostbyname return a name without dots, and if an attempt to canonify that name fails, wait one minute and try again. This can result in an extra 60 second delay on startup if your system hostname (as returned by hostname(1)) has no dot and no names listed in /etc/hosts or your NIS map have a dot. Check for proper domain name on HELO and EHLO commands per RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III of Michigan Technological University. Relax chownsafe rules slightly -- old version said that if you can't tell if _POSIX_CHOWN_RESTRICTED is set (that is, if fpathconf returned EINVAL or ENOSYS), assume that chown is not safe. The new version falls back to whether you are on a BSD system or not. This is important for SunOS, which apparently always returns one of those error codes. This impacts whether you can mail to files or not. Syntax errors such as unbalanced parentheses in the configuration file could be omitted if you had "Oem" prior to the syntax error in the config file. Change to always print the error message. It was especially wierd because it would cause a "warning" message to be sent to the Postmaster for every message sent (but with no transcript). Problem noted by Gregory Paris of Motorola. Rewrite collect and putbody to handle full 8-bit data, including zero bytes. These changes are internally extensive, but should have minimal impact on external function. Allow full words for option names -- if the option letter is (apparently) a space, then take the word following -- e.g., O MatchGECOS=TRUE The full list of old and new names is as follows: 7 SevenBitInput 8 EightBitMode A AliasFile a AliasWait B BlankSub b MinFreeBlocks/MaxMessageSize C CheckpointInterval c HoldExpensive D AutoRebuildAliases d DeliveryMode E ErrorHeader e ErrorMode f SaveFromLine F TempFileMode G MatchGECOS H HelpFile h MaxHopCount i IgnoreDots I ResolverOptions J ForwardPath j SendMimeErrors k ConnectionCacheSize K ConnectionCacheTimeout L LogLevel l UseErrorsTo m MeToo n CheckAliases O DaemonPortOptions o OldStyleHeaders P PostmasterCopy p PrivacyOptions Q QueueDirectory q QueueFactor R DontPruneRoutes r, T Timeout S StatusFile s SuperSafe t TimeZoneSpec u DefaultUser U UserDatabaseSpec V FallbackMXhost v Verbose w TryNullMXList x QueueLA X RefuseLA Y ForkEachJob y RecipientFactor z ClassFactor Z RetryFactor The old macros that passed information into sendmail have been changed to options; those correspondences are: $e SmtpGreetingMessage $l UnixFromLine $o OperatorChars $q (deleted -- not necessary) To avoid possible problems with an older sendmail, configuration level 6 is accepted by this version of sendmail; any config file using the new names should specify "V6" in the configuration. Change address parsing to properly note that a phrase before a colon and a trailing semicolon are essentially the same as text outside of angle brackets (i.e., sendmail should treat them as comments). This is to handle the ``group name: addr1, addr2, ..., addrN;'' syntax (it will assume that ``group name:'' is a comment on the first address and the ``;'' is a comment on the last address). This requires config file support to get right. It does understand that :: is NOT this syntax, and can be turned off completely by setting the ColonOkInAddresses option. Level 6 config files added with new mailer flags: A Addresses are aliasable. i Do udb rewriting on envelope as well as header sender lines. Applies to the from address mailer flags rather than the recipient mailer flags. j Do udb rewriting on header recipient addresses. Applies to the sender mailer flags rather than the recipient mailer flags. k Disable check for loops when doing HELO command. o Always run as the mail recipient, even on local delivery. w Check for an /etc/passwd entry for this user. 5 Pass addresses through ruleset 5. : Check for :include: on this address. | Check for |program on this address. / Check for /file on this address. @ Look up sender header addresses in the user database. Applies to the mailer flags for the mailer corresponding to the envelope sender address, rather than to recipient mailer flags. Pre-level 6 configuration files set A, w, 5, :, |, /, and @ on the "local" mailer, the o flag on the "prog" and "*file*" mailers, and the ColonOkInAddresses option. Eight-to-seven bit MIME conversions. This borrows ideas from John Beck of Hewlett-Packard, who generously contributed their implementation to me, which I then didn't use (see mime.c for an explanation of why). This adds the EightBitMode option (a.k.a. `8') and an F=8 mailer flag to control handling of 8-bit data. These have to cope with two types of 8-bit data: unlabelled 8-bit data (that is, 8-bit data that is entered without declaring it as 8-bit MIME -- technically this is illegal according to the specs) and labelled 8-bit data (that is, it was declared as 8BITMIME in the ESMTP session or by using the -B8BITMIME command line flag). If the F=8 mailer flag is set then 8-bit data is sent to non-8BITMIME machines instead of converting to 7 bit (essentially using just-send-8 semantics). The values for EightBitMode are: m convert unlabelled 8-bit input to 8BITMIME, and do any necessary conversion of 8BITMIME to 7BIT (essentially, the full MIME option). p pass unlabelled 8-bit input, but convert labelled 8BITMIME input to 7BIT as required (default). s strict adherence: reject unlabelled 8-bit input, convert 8BITMIME to 7BIT as required. The F=8 flag is ignored. Unlabelled 8-bit data is rejected in mode `s' regardless of the setting of F=8. Add new internal class 'n', which is the set of MIME Content-Types which can not be 8 to 7 bit encoded because of other considerations. Types "multipart/*" and "message/*" are never directly encoded (although their components can be). Add new internal class 's', which is the set of subtypes of the MIME message/* content type that can be treated as though they are an RFC822 message. It is predefined to have "rfc822". Suggested By Kari Hurtta. Add new internal class 'e'. This is the set of MIME Content-Transfer-Encodings that can be converted to a seven bit format (Quoted-Printable or Base64). It is preinitialized to contain "7bit", "8bit", and "binary". Add C=charset mailer parameter and the the DefaultCharSet option (no short name) to set the default character set to use in the Content-Type: header when doing encoding of an 8-bit message which isn't marked as MIME into MIME format. If the C= parameter is set on the Envelope From address, use that as the default encoding; else use the DefaultCharSet option. If neither is set, it defaults to "unknown-8bit" as suggested by RFC 1428 section 3. Allow ``U=user:group'' field in mailer definition to set a default user and group that a mailer will be executed as. This overrides the 'u' and 'g' options, and if the `F=S' flag is also set, it is the uid/gid that will always be used (that is, the controlling address is ignored). The values may be numeric or symbolic; if only a symbolic user is given (no group) that user's default group in the passwd file is used as the group. Based on code donated by Chip Rosenthal of Unicom. Allow `u' option to also accept user:group as a value, in the same fashion as the U= mailer option. Add the symbolic time zone name in the Arpanet format dates (as a comment). This adds a new compile-time configuration flag: TZ_TYPE can be set to TZ_TM_NAME (use the value of (struct tm *)->tm_name), TZ_TM_ZONE (use the value of (struct tm *)->tm_zone), TZ_TZNAME (use extern char *tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use timezone()), or TZ_NONE (don't include the comment). Code from Chip Rosenthal. The "Timeout" option (formerly "r") is extended to allow suboptions. For example, O Timeout.helo = 2m There are also two new suboptions "queuereturn" and "queuewarn"; these subsume the old T option. Thus, to set them both the preferred new syntax is O Timeout.queuereturn = 5d O Timeout.queuewarn = 4h Sort queue by host name instead of by message priority if the QueueSortOrder option (no short name) is set is set to ``host''. This makes better use of the connection cache, but may delay more ``interactive'' messages behind large backlogs under some circumstances. This is probably a good option if you have high speed links or don't do lots of ``batch'' messages, but less good if you are using something like PPP on a 14.4 modem. Based on code contributed by Roy Mongiovi of Georgia Tech (my main contribution was to make it configurable). Save i-number of df file in qf file to simplify rebuilding of queue after disasterous disk crash. Suggested by Kyle Jones of UUNET; closely based on code from KJS DECWRL code written by Paul Vixie. NOTA BENE: The qf files produced by 8.7 are NOT back compatible with 8.6 -- that is, you can convert from 8.6 to 8.7, but not the other direction. Add ``F=d'' mailer flag to disable all use of angle brackets in route-addrs in envelopes; this is because in some cases they can be sent to the shell, which interprets them as I/O redirection. Don't include error file (option E) with return-receipts; this can be confusing. Don't send "Warning: cannot send" messages to owner-* or *-request addresses. Suggested by Christophe Wolfhugel of the Institut Pasteur, Paris. Allow -O command line flag to set long form options. Add "MinQueueAge" option to set the minimum time between attempts to run the queue. For example, if the queue interval (-q value) is five minutes, but the minimum queue age is fifteen minutes, jobs won't be tried more often than once every fifteen minutes. This can be used to give you more responsiveness if your delivery mode is set to queue-only. Allow "fileopen" timeout (default: 60 seconds) for opening :include: and .forward files. Add "-k", "-v", and "-z" flags to map definitions; these set the key field name, the value field name, and the field delimiter. The field delimiter can be a single character or the sequence "\t" or "\n" for tab or newline. These are for use by NIS+ and similar access methods. Change maps to always strip quotes before lookups; the -q flag turns off this behaviour. Suggested by Motonori Nakamura. Add "nisplus" map class. Takes -k and -v flags to choose the key and value field names respectively. Code donated by Sun Microsystems. Add "hesiod" map class. The "file name" is used as the "HesiodNameType" parameter to hes_resolve(3). Returns the first value found for the match. Code donated by Scott Hutton of Indiana University. Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to specify the name of the property that is searched as the key and a -v flag to specify the name of the property that is returned as the value (defaults to "members"). The default map is "/aliases". Some code based on code contributed by Robert La Ferla of Hot Software. Add "text" map class. This does slow, linear searches through text files. The -z flag specifies a column delimiter (defaults to any sequence of white space), the -k flag sets the key column number, and the -v flag sets the value column number. Lines beginning with `#' are treated as comments. Add "program" map class to execute arbitrary programs. The search key is presented as the last argument; the output is one line read from the programs standard output. Exit statuses are from sysexits.h. Add "sequence" map class -- searches maps in sequence until it finds a match. For example, the declarations: Kmap1 ... Kmap2 ... Kmapseq sequence map1 map2 defines a map "mapseq" that first searches map1; if the value is found it is returned immediately, otherwise map2 is searched and the value returned. Add "switch" map class. This is much like "sequence" except that the ordering is fetched from an external file, usually the system service switch. The parameter is the name of the service to switch on, and the maps that it will use are the name of the switch map followed by ".service_type". For example, if the declaration of the map is Ksample switch hosts and the system service switch specifies that hosts are looked up using dns and nis in that order, then this is equivalent to Ksample sequence sample.dns sample.nis The subordinate maps (sample.*) must already be defined. Add "user" map class -- looks up users using getpwnam. Takes a "-v field" flag on the definition that tells what passwd entry to return -- legal values are name, passwd, uid, gid, gecos, dir, and shell. Generally expected to be used with the -m (matchonly) flag. Add "bestmx" map class -- returns the best MX value for the host listed as the value. If there are several "best" MX records for this host, one will be chosen at random. Add "userdb" map class -- looks up entries in the user database. The "file name" is actually the tag that will be used, typically "mailname". If there are multiple entries matching the name, the one chosen is undefined. Add multiple queue timeouts (both return and warning). These are set by the Precedence: or Priority: header fields to one of three values. If a Priority: is set and has value "normal", "urgent", or "non-urgent" the corresponding timeouts are used. If no priority is set, the Precedence: is consulted; if negative, non-urgent timeouts are used; if greater than zero, urgent timeouts are used. Otherwise, normal timeouts are used. The timeouts are set by setting the six timeouts queue{warn,return}.{urgent,normal,non-urgent}. Fix problem when a mail address is resolved to a $#error mailer with a temporary failure indication; it works in SMTP, but when delivering locally the mail is silently discarded. This patch, from Kyle Jones of UUNET, bounces it instead of queueing it (queueing is very hard). When using /etc/hosts or NIS-style lookups, don't assume that the first name in the list is the best one -- instead, search for the first one with a dot. For example, if an /etc/hosts entry reads 128.32.149.68 mammoth mammoth.CS.Berkeley.EDU this change will use the second name as the canonical machine name instead of the initial, unqualified name. Change dequote map to replace spaces in quoted text with a value indicated by the -s flag on the dequote map definition. For example, ``Mdequote dequote -s_'' will change "Foo Bar" into an unquoted Foo_Bar instead of leaving it quoted (because of the space character). Suggested by Dan Oscarsson for use in X.400 addresses. Implement long macro names as ${name}; long class names can be similarly referenced as $={name} and $~{name}. Definitions are (e.g.) ``D{name}value''. Names that have a leading lower case letter or punctuation characters are reserved for internal use by sendmail; i.e., config files should use names that begin with a capital letter. Based on code contributed by Dan Oscarsson. Fix core dump if getgrgid returns a null group list (as opposed to an empty group list, that is, a pointer to a list with no members). Fix from Andrew Chang of Sun Microsystems. Fix possible core dump if malloc fails -- if the malloc in xalloc failed, it called syserr which called newstr which called xalloc.... The newstr is now avoided for "panic" messages. Reported by Stuart Kemp of James Cook University. Improve connection cache timeouts; previously, they were not even checked if you were delivering to anything other than an IPC-connected host, so a series of (say) local mail deliveries could cause cached connections to be open much longer than the specified timeout. If an incoming message exceeds the maximum message size, stop writing the incoming bytes to the queue data file, since this can fill your mqueue partition -- this is a possible denial-of-service attack. Don't reject all numeric local user names unless HESIOD is defined. It turns out that Posix allows all-numeric user names. Fix from Tony Sanders of BSDI. Add service switch support. If the local OS has a service switch (e.g., /etc/nsswitch.conf on Solaris or /etc/svc.conf on DEC systems) that will be used; otherwise, it falls back to using a local mechanism based on the ServiceSwitchFile option (default: /etc/service.switch). For example, if the service switch lists "files" and "nis" for the aliases service, that will be the default lookup order. the "files" ("local" on DEC) service type expands to any alias files you listed in the configuration file, even if they aren't actually file lookups. Option I (NameServerOptions) no longer sets the "UseNameServer" variable which tells whether or not DNS should be considered canonical. This is now determined based on whether or not "dns" is in the service list for "hosts". Add preliminary support for the ESMTP "DSN" extension (Delivery Status Notifications). DSN notifications override Return-Receipt-To: headers, which are bogus anyhow. Add T=mts-name-type/address-type/diagnostic-type keyletter to mailer definitions to define the types used in DSN returns for MTA names, addresses, and diagnostics respectively. Extend heuristic to force running in ESMTP mode to look for the five-character string "ESMTP" anywhere in the 220 greeting message (not just the second line). This is to provide better compatibility with other ESMTP servers. Print sequence number of job when running the queue so you can easily see how much progress you have made. Suggested by Peter Wemm of DIALix. Map newlines to spaces in logged message-ids; some versions of syslog truncate the rest of the line after newlines. Suggested by Fletcher Mattox of U. Texas. Move up forking for job runs so that if a message is split into multiple envelopes you don't get "fork storms" -- this also improves the connection cache utilization. Accept "<<>>", "<<<>>>", and so forth as equivalent to "<>" for the purposes of refusing to send error returns. Suggested by Motonori Nakamura of Ritsumeikan University. Relax rules on when a file can be written when referenced from the aliases file: use the default uid/gid instead of the real uid/gid. This allows you to create a file owned by and writable only by the default uid/gid that will work all the time (without having the setuid bit set). Change suggested by Shau-Ping Lo and Andrew Cheng of Sun Microsystems. Add "DialDelay" option (no short name) to provide an "extra" delay for dial on demand systems. If this is non-zero and a connect fails, sendmail will wait this long and then try again. If it takes longer than the kernel timeout interval to establish the connection, this option can give the network software time to establish the link. The default units are seconds. Move logging of sender information to be as early as possible; previously, it could be delayed a while for SMTP mail sent to aliases. Suggested by Brad Knowles of the Defense Information Systems Agency. Call res_init() before setting RES_DEBUG; this is required by BIND 4.9.3, or so I'm told. From Douglas Anderson of the National Computer Security Center. Add xdelay= field in logs -- this is a transaction delay, telling you how long it took to deliver to this address on the last try. It is intended to be used for sorting mailing lists to favor "quick" addresses. Provided for use by the mailprio scripts (see below). If a map cannot be opened, and that map is non-optional, and an address requires that map for resolution, queue the map instead of bouncing it. This involves creating a pseudo-class of maps called "bogus-map" -- if a required map cannot be opened, the class is changed to bogus-map; all queries against bogus-map return "tempfail". The bogus-map class is not directly accessible. A sample implementation was donated by Jem Taylor of Glasgow University Computing Service. Fix a possible core dump when mailing to a program that talks SMTP on its standard input. Fix from Keith Moore of the University of Kentucky. Make it possible to resolve filenames to $#local $: @ /filename; previously, the "@" would cause it to not be recognized as a file. Problem noted by Brian Hill of U.C. Davis. Accept a -1 signal to re-exec the daemon. This only works if argv[0] is a full path to sendmail. Fix bug in "addr=..." field in O option on little-endian machines -- the network number wasn't being converted to network byte order. Patch from Kurt Lidl of Pix Technologies Corporation. Pre-initialize the resolver early on; this is to avoid a bug with BIND 4.9.3 that can cause the _res.retry field to get reset to zero, causing all name server lookups to time out. Fix from Matt Day of Artisoft. Restore T line (trusted users) in config file -- but instead of locking out the -f flag, they just tell whether or not an X-Authentication-Warning: will be added. This really just creates new entries in class 't', so "Ft/file/name" can be used to read trusted user names from a file. Trusted users are also allowed to execute programs even if they have a shell that isn't in /etc/shells. Improve NEWDB alias file rebuilding so it will create them properly if they do not already exist. This had been a MAYBENEXTRELEASE feature in 8.6.9. Check for @:@ entry in NIS maps before starting up to avoid (but not prevent, sigh) race conditions. This ought to be handled properly in ypserv, but isn't. Suggested by Michael Beirne of Motorola. Refuse connections if there isn't enough space on the filesystem holding the queue. Contributed by Robert Dana of Wolf Communications. Skip checking for directory permissions in the path to a file when checking for file permissions iff setreuid() succeeded -- it is unnecessary in that case. This avoids significant performance problems when looking for .forward files. Based on a suggestion by Win Bent of USC. Allow symbolic ruleset names. Syntax can be "Sname" to get an arbitrary ruleset number assigned or "Sname = integer" to assign a specific ruleset number. Reference is $>name_or_number. Names can be composed of alphas, digits, underscore, or hyphen (first character must be non-numeric). Allow -o flag on AliasFile lines to make the alias file optional. From Bryan Costales of ICSI. Add NoRecipientAction option to handle the case where there is no legal recipient header in the message. It can take on values: None Leave the message as is. The message will be passed on even though it is in technically illegal syntax. Add-To Add a To: header with any recipients that it can find from the envelope. This risks exposing Bcc: recipients. Add-Apparently-To Add an Apparently-To: header. This has almost no redeeming social value, and is provided only for back compatibility. Add-To-Undisclosed Add a header reading To: undisclosed-recipients:; which will have the effect of making the message legal without exposing Bcc: recipients. Add-Bcc To add an empty Bcc: header. There is a chance that mailers down the line will delete this header, which could cause exposure of Bcc: recipients. The default is NoRecipientAction=None. Truncate (rather than delete) Bcc: lines in the header. This should prevent later sendmails (at least, those that don't themselves delete Bcc:) from considering this message to be non-conforming -- although it does imply that non-blind recipients can see that a Bcc: was sent, albeit not to whom. Add SafeFileEnvironment option. If declared, files named as delivery targets must be regular files in addition to the regular checks. Also, if the option is non-null then it is used as the name of a directory that is used as a chroot(2) environment for the delivery; the file names listed in an alias or forward should include the name of this root. For example, if you run with O SafeFileEnvironment=/arch then aliases should reference "/arch/rest/of/path". If a value is given, sendmail also won't try to save to /usr/tmp/dead.letter (instead it just leaves the job in the queue as Qfxxxxxx). Inspired by *Hobbit*'s sendmail patch kit. Support -A flag for alias files; this will comma concatenate like entries. For example, given the aliases: list: member1 list: member2 and an alias file declared as: OAhash:-A /etc/aliases the final alias inserted will be "list: member1,member2"; without -A you will get an error on the second and subsequent alias for "list". Contributed by Bryan Costales of ICSI. Line-buffer transcript file. Suggested by Liudvikas Bukys. Fix a problem that could cause very long addresses to core dump in some special circumstances. Problem pointed out by Allan Johannesen. (Internal change.) Change interface to expand() (macro expansion) to be simpler and more consistent. Delete check for funny qf file names. This didn't really give any extra security and caused some people some problems. (If you -really- want this, define PICKY_QF_NAME_CHECK at compile time.) Suggested by Kyle Jones of UUNET. (Internal change.) Change EF_NORETURN to EF_NO_BODY_RETN and merge with DSN code; this is simpler and more consistent. This may affect some people who have written their own checkcompat() routine. (Internal change.) Eliminate `D' line in qf file. The df file is now assumed to be the same name as the qf file (with the `q' changed to a `d', of course). Avoid forking for delivery if all recipient mailers are marked as "expensive" -- this can be a major cost on some systems. Essentially, this forces sendmail into "queue only" mode if all it is going to do is queue anyway. Avoid sending a null message in some rather unusual circumstances (specifically, the RCPT command returns a temporary failure but the connection is lost before the DATA command). Fix from Scott Hammond of Secure Computing Corporation. Change makesendmail to use a somewhat more rational naming scheme: Makefiles and obj directories are named $os.$rel.$arch, where $os is the operating system (e.g., SunOS), $rel is the release number (e.g., 5.3), and $arch is the machine architecture (e.g., sun4). Any of these can be omitted, and anything after the first dot in a release number can be replaced with "x" (e.g., SunOS.4.x.sun4). The previous version used $os.$arch.$rel and was rather less general. Change makesendmail to do a "make depend" in the target directory when it is being created. This involves adding an empty "depend:" entry in most Makefiles. Ignore IDENT return value if the OSTYPE field returns "OTHER", as indicated by RFC 1413. Pointed out by Kari Hurtta of the Finnish Meteorological Institute. Fix problem that could cause multiple responses to DATA command on header syntax errors (e.g., lines beginning with colons). Problem noted by Jens Thomassen of the University of Oslo. Don't let null bytes in headers cause truncation of the rest of the header. Log Authentication-Warning:s. Suggested by Motonori Nakamura. Increase timeouts on message data puts to allow time for receivers to canonify addresses in headers on the fly. This is still a rather ugly heuristic. From Motonori Nakamura. Add "HasWildcardMX" suboption to ResolverOptions; if set, MX records are not used when canonifying names, and when MX lookups are done for addressing they must be fully qualified. This is useful if you have a wildcard MX record, although it may cause other problems. In general, don't use wildcard MX records. Patch from Motonori Nakamura. Eliminate default two-line SMTP greeting message. Instead of adding an extra "ESMTP spoken here" line, the word "ESMTP" is added between the first and second word of the first line of the greeting message (i.e., immediately after the host name). This eliminates the need for the BROKEN_SMTP_PEERS compile flag. Old sendmails won't see the ESMTP, but that's acceptable because SIZE was the only useful extension that old sendmails understand. Avoid gethostbyname calls on UNIX domain sockets during SIGUSR1 invoked state dumps. From Masaharu Onishi. Allow on-line comments in .forward and :include: files; they are introduced by the string "<LWSP>#@#<LWSP>", where <LWSP> is a space or a tab. This is intended for native representation of non-ASCII sets such as Japanese, where existing encodings would be unreadable or would lose data -- for example, <motonori@cs.ritsumei.ac.jp> NAKAMURA Motonori (romanized/less information) <motonori@cs.ritsumei.ac.jp> =?ISO-2022-JP?B?GyRCQ2ZCPBsoQg==?= =?ISO-2022-JP?B?GyRCQUdFNRsoQg==?= (with MIME encoding, not human readable) <motonori@cs.ritsumei.ac.jp> #@# ^[$BCfB<^[(B ^[$BAGE5^[(B (native encoding with ISO-2022-JP) The last form is human readable in the Japanese environment. Based on a fix from (surprise!) Motonori Nakamura. Don't make SMTP error returns on MAIL FROM: line be "sticky" for all messages to that host; these are most frequently associated with addresses rather than the host, with the exception of 421 (service shutting down). The effect was to cause queues to sometimes take an excessive time to flush. Reported by Robert Sargent of Southern Geographics Technologies and Eric Prestemon of American University. Add Nice=N mailer option to set the niceness at which a mailer will run. This is actually a relative niceness (that is, an increment on the background value). Log queue runs that are skipped due to high loads. They are logged at LOG_INFO priority iff the log level is > 8. Contributed by Bruce Nagel of Data General. Allow the error mailer to accept a DSN-style error status code instead of an sysexits status code in the host part. Anything with a dot will be interpreted as a DSN-style code. Add new mailer flag: F=3 will tell translations to Quoted-Printable to encode characters that might be munged by an EBCDIC system in addition to the set required by RFC 1521. The additional characters are !, ", #, $, @, [, \, ], ^, `, {, |, }, and ~. (Think of "IBM 360" as the mnemonic for this flag.) Change check for mailing to files to look for a pathname of [FILE] rather than looking for the mailer named *file*. The mapping of leading slashes still goes to the *file* mailer. This allows you to implement the *file* mailer as a separate program, for example, to insert a Content-Length: header or do special security policy. However, note that the usual initial checking for the file permissions is still done, and the program in question needs to be very careful about how it does the file write to avoid security problems. Be able to read ~root/.forward even if the path isn't accessible to regular users. This is disrecommended because sendmail sometimes does not run as root (e.g., when an unsafe option is specified on the command line), but should otherwise be safe because .forward files must be owned by the user for whom mail is being forwarded, and cannot be a symbolic link. Suggested by Forrest Aldrich of Wang Laboratories. Add new "HostsFile" option that is the pathname to the /etc/hosts file. This is used for canonifying hostnames when the service type is "files". Implement programs on F (read class from file) line. The syntax is Fc|/path/to/program to read the output from the program into class "c". Probe the network interfaces to find alternate names for this host. Requires the SIOCGIFCONF ioctl call. Code contributed by SunSoft. Add "E" configuration line to set or propogate environment variables into children. "E<envar>" will propogate the named variable from the environment when sendmail was invoked into any children it calls; "E<envar>=<value>" sets the named variable to the indicated value. Any variables not explicitly named will not be in the child environment. However, sendmail still forces an "AGENT=sendmail" environment variable, in part to enforce at least one environment variable, since many programs and libraries die horribly if this is not guaranteed. Change heuristic for rebuilding both NEWDB and NDBM versions of alias databases -- new algorithm looks for the substring "/yp/" in the file name. This is more portable and involves less overhead. Suggested by Motonori Nakamura. Dynamically allocate the queue work list so that you don't lose jobs in large queue runs. The old QUEUESIZE compile parameter is replaced by QUEUESEGSIZE (the unit of allocation, which should not need to be changed) and the MaxQueueRunSize option, which is the absolute maximum number of jobs that will ever be handled in a single queue run. Based on code contributed by Brian Coan of the Institute for Global Communications. Log message when a message is dropped because it exceeds the maximum message size. Suggested by Leo Bicknell of Virginia Tech. Allow trusted users (those on a T line or in $=t) to use -bs without an X-Authentication-Warning: added. Suggested by Mark Thomas of Mark G. Thomas Consulting. Announce state of compile flags on -d0.1 (-d0.10 throws in the OS-dependent defines). The old semantic of -d0.1 to not run the daemon in background has been moved to -d99.100, and the old 52.5 flag (to avoid disconnect() from closing all output files) has been moved to 52.100. This makes things more consistent (flags below .100 don't change semantics) and separates out the backgrounding so that it doesn't happen automatically on other unrelated debugging flags. If -t is used but no addresses are found in the header, give an error message rather than just doing nothing. Fix from Motonori Nakamura. On systems (like SunOS) where the effective gid is not necessarily included in the group list returned by getgroups(), the `restrictmailq' option could sometimes cause an authorized user to not be able to use `mailq'. Fix from Charles Hannum of MIT. Allow symbolic service names for [IPC] mailers. Suggested by Gerry Magennis of Logica International. Add DontExpandCnames option to prevent $[ ... $] from expanding CNAMEs when running DNS. For example, if the name FTP.Foo.ORG is a CNAME for Cruft.Foo.ORG, then when sitting on a machine in the Foo.ORG domain a lookup of "FTP" returns "Cruft.Foo.ORG" if this option is not set, or "FTP.Foo.ORG" if it is set. This is technically illegal under RFC 822 and 1123, but the IETF is moving toward legalizing it. Note that turning on this option is not sufficient to guarantee that a downstream neighbor won't rewrite the address for you. Add "-m" flag to makesendmail script -- this tells you what object directory and Makefile it will use, but doesn't actually do the make. Do some additional checking on the contents of the qf file to try to detect attacks against the qf file. In particular, abort on any line beginning "From ", and add an "end of file" line -- any data after that line is prohibited. Always use /etc/sendmail.cf, regardless of the arbitrary vendor choices. This can be overridden in the Makefile by using either -DUSE_VENDOR_CF_PATH to get the vendor location (to the extent that we know it) or by defining _PATH_SENDMAILCF (which is a "hard override"). This allows sendmail 8 to have more consistent installation instructions. Allow macros on `K' line in config file. Suggested by Andrew Chang of Sun Microsystems. Improved symbol table hash function from Eric Wassenaar. This one is at least 50% faster. Fix problem that didn't notice that timeout on file open was a transient error. Fix from Larry Parmelee of Cornell University. Allow comments (lines beginning with a `#') in files read for classes. Suggested by Motonori Nakamura. Make SIGINT (usually ^C) in test mode return to the prompt instead of dropping out entirely. This makes testing some of the name server lookups easier to deal with when there are hung servers. From Motonori Nakamura. Add new ${opMode} macro that is set to the current operation mode (e.g., `s' for -bs, `t' for -bt, etc.). Suggested by Claude Marinier <MARINIER@emp.ewd.dreo.dnd.ca>. Add new delivery mode (Odd) that defers all map lookups to queue runs. Kind of like queue-only mode (Odq) except it tries to avoid any external service requests; for dial-on-demand hosts that want to minimize DNS lookups when mail is being queued. For this to work you will also have to make sure that gethostbyname of your local host name does not do a DNS lookup. Improved handling of "out of space" conditions from John Myers of Carnegie Mellon. Improved security for mailing to files on systems that have fchmod(2) support. Improve "cannot send message for N days" message -- now says "could not send for past N days". Suggested by Tom Moore of AT&T Global Information Solutions. Less misleading Subject: line on messages sent to postmaster only. From Motonori Nakamura. Avoid duplicate error messages on bad command line flags. From Motonori Nakamura. Better error message for case where ruleset 0 falls off the end or otherwise does not resolve to a canonical triple. Fix a problem that could cause multiple bounce messages if a bad address was sent along with a good address to an SMTP site where that SMTP site returned a 4yz code in response to the final dot of the data. Problem reported by David James of British Telecom. Add "volatile" declarations so that gcc -O2 will work. Patches from Alexander Dupuy of System Management ARTS. Delete duplicates in MX lists -- believe it or not, there are sites that list the same host twice in an MX list. This deletion only works on adjacent preferences, so an MX list that had A=5, B=10, A=15 would leave both As, but one that had A=5, A=10, B=15 would reduce to A, B. This is intentional, just in case there is something wierd I haven't thought of. Suggested by Barry Shein of Software Tool & Die. SECURITY: .forward files cannot be symbolic links. If they are, a bad guy can read your private files. PORTABILITY FIXES: Solaris 2 from Rob McMahon <cudcv@csv.warwick.ac.uk>. System V Release 4 from Motonori Nakamura of Ritsumeikan University. This expands the disk size checking to include all (?) SVR4 configurations. System V Release 4 from Kimmo Suominen -- initgroups(3) and setrlimit(2) are both available. System V Release 4 from sob@sculley.ffg.com -- some versions apparently "have EX_OK defined in other headerfiles." Linux Makefile typo. Linux getusershell(3) is broken in Slackware 2.0 -- from Andrew Pam of Xanadu Australia. More Linux tweaking from John Kennedy of California State University, Chico. Cray changes from Eric Wassenaar: ``On Cray, shorts, ints, and longs are all 64 bits, and all structs are multiples of 64 bits. This means that the sizeof operator returns only multiples of 8. This requires adaptation of code that really deals with 32 bit or 16 bit fields, such as IP addresses or nameserver fields.'' DG/UX 5.4.3 from Mark T. Robinson <mtr@ornl.gov>. To get the old behaviour, use -DDGUX_5_4_2. DG/UX hack: add _FORCE_MAIL_LOCAL_=yes environment variable to fix bogus /bin/mail behaviour. Tandem NonStop-UX from Rick McCarty <mccarty@mpd.tandem.com>. This also cleans up some System V Release 4 compile problems. Solaris 2: sendmail.cw file should be in /etc/mail to match all the other configuration files. Fix from Glenn Barry of Emory University. Solaris 2.3: compile problem in conf.c. Fix from Alain Nissen of the University of Liege, Belgium. Ultrix: freespace calculation was incorrect. Fix from Takashi Kizu of Osaka University. SVR4: running in background gets a SIGTTOU because the emulation code doesn't realize that "getpeername" doesn't require reading the file. Fix from Peter Wemm of DIALix. Solaris 2.3: due to an apparent bug in the socket emulation library, sockets can get into a "wedged" state where they just return EPROTO; closing and re-opening the socket clears the problem. Fix from Bob Manson of Ohio State University. Hitachi 3050R & 3050RX running HI-UX/WE2: portability fixes from Akihiro Hashimoto ("Hash") of Chiba University. AIX changes to allow setproctitle to work from Rainer Sch÷pf of Zentrum fⁿr Datenverarbeitung der UniversitΣt Mainz. AIX changes for load average from Ed Ravin of NASA/Goddard. SCO Unix from Chip Rosenthal of Unicom (code was using the wrong statfs call). ANSI C fixes from Adam Glass (NetBSD project). Stardent Titan/ANSI C fixes from Kate Hedstrom of Rutgers University. DG-UX fixes from Bruce Nagel of Data General. IRIX64 updates from Mark Levinson of the University of Rochester Medical Center. Altos System V (``the first UNIX/XENIX merge the Altos did for their Series 1000 & Series 2000 line; their merged code was licenced back to AT&T and Microsoft and became System V release 3.2'') from Tim Rice <timr@crl.com>. OSF/1 running on Intel Paragon from Jeff A. Earickson <jeff@ssd.intel.com> of Intel Scalable Systems Divison. Amdahl UTS System V 2.1.5 (SVr3-based) from Janet Jackson <janet@dialix.oz.au>. System V Release 4 (statvfs semantic fix) from Alain Durand of I.M.A.G. HP-UX 10.x multiprocessor load average changes from Scott Hutton and Jeff Sumler of Indiana University. Cray CSOS from Scott Bolte of Cray Computer Corporation. Unicos 8.0 from Douglas K. Rand of the University of North Dakota, Scientific Computing Center. Solaris 2.4 fixes from Sanjay Dani of Dani Communications. ConvexOS 11.0 from Christophe Wolfhugel. IRIX 4.0.5 from David Ashton-Reader of CADcentre. ISC UNIX from J. J. Bailey. HP-UX 9.xx on the 8xx series machines from Remy Giraud of Meteo France. HP-UX configuration from Tom Lane <tgl@sss.pgh.pa.us>. IRIX 5.2 and 5.3 from Kari E. Hurtta. FreeBSD 2.0 from Mike Hickey of Federal Data Corporation. Sony NEWS-OS 4.2.1R and 6.0.3 from Motonori Nakamura. Omron LUNA unios-b, mach from Motonori Nakamura. NEC EWS-UX/V 4.2 from Motonori Nakamura. NeXT 2.1 from Bryan Costales. AUX patch thanks to Mike Erwin of Apple Computer. HP-UX 10.0 from John Beck of Hewlett-Packard. Ultrix: allow -DBROKEN_RES_SEARCH=0 if you are using a non-DEC resolver. Suggested by Allan Johannesen. UnixWare 2.0 fixes from Petr Lampa of the Technical University of Brno (Czech Republic). KSR OS 1.2.2 support from Todd Miller of the University of Colorado. UX4800 support from Kazuhisa Shimizu of NEC. MAKEMAP: allow -d flag to allow insertion of duplicate aliases in type ``btree'' maps. The semantics of this are undefined for regular maps, but it can be useful for the user database. MAKEMAP: lock database file while rebuilding to avoid sendmail lookups while the rebuild is going on. There is a race condition between the open(... O_TRUNC ...) and the lock on the file, but it should be quite small. SMRSH: sendmail restricted shell added to the release. This can be used as an alternative to /bin/sh for the "prog" mailer, giving the local administrator more control over what programs can be run from sendmail. MAIL.LOCAL: add this local mailer to the tape. It is not really part of the release proper, and isn't fully supported; in particular, it does not run on System V based systems and never will. CONTRIB: a patch to rmail.c from Bill Gianopoulos of Raytheon to allow rmail to compile on systems that don't have function prototypes and systems that don't have snprintf. CONTRIB: add the "mailprio" scripts that will help you sort mailing lists by transaction delay times so that addresses that respond quickly get sent first. This is to prevent very sluggish servers from delaying other peoples' mail. Contributed by Tony Sanders of BSDI. CONTRIB: add the "bsdi.mc" file as contributed by Tony Sanders of BSDI. This has a lot of comments to help people out. CONFIG: Don't have .mc files include(../m4/cf.m4) -- instead, put this on the m4 command line. On GNU m4 (which supports the __file__ primitive) you can run m4 in an arbitrary directory -- use either: m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf or m4 -I${CFDIR} m4/cf.m4 config.mc > config.cf On other versions of m4 that don't support __file__, you can use: m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ... (Note the trailing slash on the _CF_DIR_ definition.) Old versions of m4 will default to _CF_DIR_=.. for back compatibility. CONFIG: fix mail from <> so it will properly convert to MAILER-DAEMON on local addresses. CONFIG: fix code that was supposed to catch colons in host names. Problem noted by John Gardiner Myers of CMU. CONFIG: allow use of SMTP_MAILER_MAX in nullclient configuration. From Paul Riddle of the University of Maryland, Baltimore County. CONFIG: Catch and reject "." as a host address. CONFIG: Generalize domaintable to look up all domains, not just unqualified ones. CONFIG: Delete OLD_SENDMAIL support -- as near as I can tell, it was never used and didn't work anyway. CONFIG: Set flags A, w, 5, :, /, |, and @ on the "local" mailer and d on all mailers in the UUCP class. CONFIG: Allow "user+detail" to be aliased specially: it will first look for an alias for "user+detail", then for "user+*", and finally for "user". This is intended for forwarding mail for system aliases such as root and postmaster to a centralized hub. CONFIG: add confEIGHT_BIT_HANDLING to set option 8 (see above). CONFIG: add smtp8 mailer; this has the F=8 (just-send-8) flag set. The F=8 flag is also set on the "relay" mailer, since this is expected to be another sendmail. CONFIG: avoid qualifying all UUCP addresses sent via SMTP with the name of the UUCP_RELAY -- in some cases, this is the wrong value (e.g., when we have local UUCP connections), and this can create unreplyable addresses. From Chip Rosenthal of Unicom. CONFIG: add confRECEIVED_HEADER to change the format of the Received: header inserted into all messages. Suggested by Gary Mills of the University of Manitoba. CONFIG: Make "notsticky" the default; use FEATURE(stickyhost) to get the old behaviour. I did this upon observing that almost everyone needed this feature, and that the concept I was trying to make happen didn't work with some user agents anyway. FEATURE(notsticky) still works, but it is a no-op. CONFIG: Add LUSER_RELAY -- the host to which unrecognized user names are sent, rather than immediately diagnosing them as User Unknown. CONFIG: Add SMTP_MAILER_ARGS, ESMTP_MAILER_ARGS, SMTP8_MAILER_ARGS, and RELAY_MAILER_ARGS to set the arguments for the indicated mailers. All default to "IPC $h". Patch from Larry Parmelee of Cornell University. CONFIG: pop mailer needs F=n flag to avoid "annoying side effects on the client side" and F=P to get an appropriate return-path. From Kimmo Suominen. CONFIG: add FEATURE(local_procmail) to use the procmail program as the local mailer. For addresses of the form "user+detail" the "detail" part is passed to procmail via the -a flag. Contributed by Kimmo Suominen. CONFIG: add MAILER(procmail) to add an interface to procmail for use from mailertables. This lets you execute arbitrary procmail scripts. Contributed by Kimmo Suominen. CONFIG: add T= fields (MTS type) to local, smtp, and uucp mailers. CONFIG: add OSTYPE(ptx2) for DYNIX/ptx 2.x from Sequent. From Paul Southworth of CICNet Systems Support. CONFIG: use -a$g as default to UUCP mailers, instead of -a$f. This causes the null return path to be rewritten as MAILER-DAEMON; otherwise UUCP gets horribly confused. From Michael Hohmuth of Technische Universitat Dresden. CONFIG: Add FEATURE(bestmx_is_local) to cause any hosts that list us as the best possible MX record to be treated as though they were local (essentially, assume that they are included in $=w). This can cause additional DNS traffic, but is easier to administer if this fits your local model. It does not work reliably if there are multiple hosts that share the best MX preference. Code contributed by John Oleynick of Rutgers. CONFIG: Add FEATURE(smrsh) to use smrsh (the SendMail Restricted SHell) instead of /bin/sh as the program used for delivery to programs. If an argument is included, it is used as the path to smrsh; otherwise, /usr/local/etc/smrsh is assumed. CONFIG: Add LOCAL_MAILER_MAX and PROCMAILER_MAILER_MAX to limit the size of messages to the local and procmail mailers respectively. Contributed by Brad Knowles of the Defense Information Systems Agency. CONFIG: Handle leading ``phrase:'' and trailing ``;'' as comments (just like text outside of angle brackets) in order to properly deal with ``group: addr1, ... addrN;'' syntax. CONFIG: Require OSTYPE macro (the defaults really don't apply to any real systems any more) and tweak the DOMAIN macro so that it is less likely that users will accidently use the Berkeley defaults. Also, create some generic files that really can be used in the real world. CONFIG: Add new configuration macros to set character sets for messages _arriving from_ various mailers: LOCAL_MAILER_CHARSET, SMTP_MAILER_CHARSET, and UUCP_MAILER_CHARSET. CONFIG: Change UUCP_MAX_SIZE to UUCP_MAILER_MAX for consistency. The old name will still be accepted for a while at least. CONFIG: Implement DECNET_RELAY as spec for host to which DECNET mail (.DECNET pseudo-domain or node::user) will be sent. As with all relays, it can be ``mailer:hostname''. Suggested by Scott Hutton. CONFIG: Add MAILER(mail11) to get DECnet support. Code contributed by Barb Dijker of Labyrinth Computer Services. CONFIG: change confCHECK_ALIASES to default to False -- it has poor performance for large alias files, and this confused many people. CONFIG: Add confCF_VERSION to append local information to the configuration version number displayed during SMTP startup. CONFIG: fix some.newsgroup.usenet@local.host syntax (previously it would only work when locally addressed. Fix from Edvard Tuinder of Cistron Internet Services. CONFIG: use ${opMode} to avoid error on .REDIRECT addresses if option "n" (CheckAlaises) is set when rebuilding alias database. Based on code contributed by Claude Marinier. CONFIG: Allow mailertable to have values of the form ``error:code message''. The ``code'' is a status code derived from the sysexits codes -- e.g., NOHOST or UNAVAILABLE. Contributed by David James <dwj@agw.bt.co.uk>. CONFIG: add MASQUERADE_DOMAIN(domain list) to extend the list of sender domains that will be replaced with the masquerade name. These domains will not be treated as local, but if mail passes through with sender addresses in those domains they will be replaced by the masquerade name. These can also be specified in a file using MASQUERADE_DOMAIN_FILE(filename). CONFIG: add FEATURE(masquerade_envelope) to masquerade the envelope as well as the header. Substantial improvements to this code were contributed by Per Hedeland. CONFIG: add MAILER(phquery) to define a new "ph" mailer; this can be accessed from a mailertable to do CCSO ph lookups. Contributed by Kimmo Suominen. CONFIG: add MAILER(cyrus) to define a new Cyrus mailer; this can be used to define cyrus and cyrusbb mailers (for IMAP support). Contributed by John Gardiner Myers of Carnegie Mellon. CONFIG: add confUUCP_MAILER to select default mailer to use for UUCP addressing. Suggested by Tom Moore of AT&T GIS. NEW FILES: cf/cf/cs-hpux10.mc cf/cf/cs-solaris2.mc cf/cf/cyrusproto.mc cf/cf/generic-bsd4.4.mc cf/cf/generic-hpux10.mc cf/cf/generic-hpux9.mc cf/cf/generic-osf1.mc cf/cf/generic-solaris2.mc cf/cf/generic-sunos4.1.mc cf/cf/generic-ultrix4.mc cf/cf/huginn.cs.mc cf/domain/berkeley-only.m4 cf/domain/generic.m4 cf/feature/bestmx_is_local.m4 cf/feature/local_procmail.m4 cf/feature/masquerade_envelope.m4 cf/feature/smrsh.m4 cf/feature/stickyhost.m4 cf/feature/use_ct_file.m4 cf/m4/cfhead.m4 cf/mailer/cyrus.m4 cf/mailer/mail11.m4 cf/mailer/phquery.m4 cf/mailer/procmail.m4 cf/ostype/amdahl-uts.m4 cf/ostype/bsdi2.0.m4 cf/ostype/hpux10.m4 cf/ostype/irix5.m4 cf/ostype/isc4.1.m4 cf/ostype/ptx2.m4 cf/ostype/unknown.m4 contrib/bsdi.mc contrib/mailprio contrib/rmail.oldsys.patch mail.local/mail.local.0 makemap/makemap.0 smrsh/README smrsh/smrsh.0 smrsh/smrsh.8 smrsh/smrsh.c src/Makefiles/Makefile.CSOS src/Makefiles/Makefile.EWS-UX_V src/Makefiles/Makefile.HP-UX.10 src/Makefiles/Makefile.IRIX.5.x src/Makefiles/Makefile.IRIX64 src/Makefiles/Makefile.ISC src/Makefiles/Makefile.KSR src/Makefiles/Makefile.NEWS-OS.4.x src/Makefiles/Makefile.NEWS-OS.6.x src/Makefiles/Makefile.NEXTSTEP src/Makefiles/Makefile.NonStop-UX src/Makefiles/Makefile.Paragon src/Makefiles/Makefile.SCO.3.2v4.2 src/Makefiles/Makefile.SunOS.5.3 src/Makefiles/Makefile.SunOS.5.4 src/Makefiles/Makefile.SunOS.5.5 src/Makefiles/Makefile.UNIX_SV.4.x.i386 src/Makefiles/Makefile.uts.systemV src/Makefiles/Makefile.UX4800 src/aliases.0 src/mailq.0 src/mime.c src/newaliases.0 src/sendmail.0 test/t_seteuid.c RENAMED FILES: cf/cf/alpha.mc => cf/cf/s2k-osf1.mc cf/cf/chez.mc => cf/cf/chez.cs.mc cf/cf/hpux-cs-exposed.mc => cf/cf/cs-hpux9.mc cf/cf/osf1-cs-exposed.mc => cf/cf/cs-osf1.mc cf/cf/s2k.mc => cf/cf/s2k-ultrix4.mc cf/cf/sunos4.1-cs-exposed.mc => cf/cf/cs-sunos4.1.mc cf/cf/ultrix4.1-cs-exposed.mc => cf/cf/cs-ultrix4.mc cf/cf/vangogh.mc => cf/cf/vangogh.cs.mc cf/domain/Berkeley.m4 => cf/domain/Berkeley.EDU.m4 cf/domain/cs-exposed.m4 => cf/domain/CS.Berkeley.EDU.m4 cf/domain/eecs-hidden.m4 => cf/domain/EECS.Berkeley.EDU.m4 cf/domain/s2k.m4 => cf/domain/S2K.Berkeley.EDU.m4 cf/ostype/hpux.m4 => cf/ostype/hpux9.m4 cf/ostype/irix.m4 => cf/ostype/irix4.m4 cf/ostype/ultrix4.1.m4 => cf/ostype/ultrix4.m4 src/Makefile.* => src/Makefiles/Makefile.* src/Makefile.AUX => src/Makefiles/Makefile.A-UX src/Makefile.BSDI => src/Makefiles/Makefile.BSD-OS src/Makefile.DGUX => src/Makefiles/Makefile.dgux src/Makefile.RISCos => src/Makefiles/Makefile.UMIPS src/Makefile.SunOS.4.0.3 => src/Makefiles/Makefile.SunOS.4.0 OBSOLETED FILES: cf/cf/cogsci.mc cf/cf/cs-exposed.mc cf/cf/cs-hidden.mc cf/cf/hpux-cs-hidden.mc cf/cf/knecht.mc cf/cf/osf1-cs-hidden.mc cf/cf/sunos3.5-cs-exposed.mc cf/cf/sunos3.5-cs-hidden.mc cf/cf/sunos4.1-cs-hidden.mc cf/cf/ultrix4.1-cs-hidden.mc cf/domain/cs-hidden.m4 contrib/rcpt-streaming src/Makefiles/Makefile.SunOS.5.x 8.6.12/8.6.12 95/03/28 Fix to IDENT code (it was getting the size of the reply buffer too small, so nothing was ever accepted). Fix from several people, including Allan Johannesen, Shane Castle of the Boulder County Information Services, and Jeff Smith of Warwick University (all arrived within a few hours of each other!). Fix a problem that could cause large jobs to run out of file descriptors on systems that use vfork() rather than fork(). 8.6.11/8.6.11 95/03/08 The ``possible attack'' message would be logged more often than necessary if you are using Pine as a user agent. The wrong host would be reported in the ``possible attack'' message when attempted from IDENT. In some cases the syslog buffer could be overflowed when reporting the ``possible attack'' message. This can cause denial of service attacks. Truncate the message to 80 characters to prevent this problem. When reading the IDENT response a loop is needed around the read from the network to ensure that you don't get partial lines. Password entries without any shell listed (that is, a null shell) wouldn't match as "ok". Problem noted by Rob McMahon. When running BIND 4.9.x a problem could occur because the _res.options field is initialized differently than it was historically -- this requires that sendmail call res_init before it tweaks any bits. Fix an incompatibility in openxscript() between the file open mode and the stdio mode passed to fdopen. This caused UnixWare 2.0 to have conniptions. Fix from Martin Sohnius of Novell Labs Europe. Fix problem with static linking of local getopt routine when using GNU's ld command. Fix from John Kennedy of Cal State Chico. It was possible to turn off privacy flags. Problem noted by *Hobbit*. Be more paranoid about writing files. Suggestions by *Hobbit* and Liudvikas Bukys. MAKEMAP: fixes for 64 bit machines (DEC Alphas in particular) from Spider Boardman. CONFIG: No changes (version number only, to keep it in sync with the binaries). 8.6.10/8.6.10 95/02/10 SECURITY: Diagnose bogus values to some command line flags that could allow trash to get into headers and qf files. Validate the name of the user returned by the IDENT protocol. Some systems that really dislike IDENT send intentionally bogus information. Problem pointed out by Michael Bushnell of the Free Software Foundation. Has some security implications. Fix a problem causing error messages about DNS problems when the host name contained a percent sign to act oddly because it was passed as a printf-style format string. In some cases this could cause core dumps. Avoid possible buffer overrun in returntosender() if error message is quite ling. From Fletcher Mattox of the University of Texas. Fix a problem that would silently drop "too many hops" error messages if and only if you were sending to an alias. From Jon Giltner of the University of Colorado and Dan Harton of Oak Ridge National Laboratory. Fix a bug that caused core dumps on some systems if -d11.2 was set and e->e_message was null. Fix from Bruce Nagel of Data General. Fix problem that can still cause df files to be left around after "hop count exceeded" messages. Fix from Andrew Chang and Shau-Ping Lo of SunSoft. Fix a problem that can cause buffer overflows on very long user names (as might occur if you piped to a program with a lot of arguments). Avoid returning an error and re-queueing if the host signature is null; this can occur on addresses like ``user@.''. Problem noted by Wesley Craig and the University of Michigan. Avoid possible calls to malloc(0) if MCI caching is turned off. Bug fix from Pierre David of the Laboratoire Parallelisme, Reseaux, Systemes et Modelisation (PRiSM), Universite de Versailles - St Quentin, and Jacky Thibault. Make a local copy of the line being sent via senttolist() -- in some cases, buffers could get trashed by map lookups causing it to do unexpected things. This also simplifies some of the map code. CONFIG: No changes (version number only, to keep it in sync with the binaries). 8.6.9/8.6.9 94/04/19 Do all mail delivery completely disconnected from any terminal. This provides consistency with daemon delivery and may have some security implications. Make sure that malloc doesn't get called with zero size, since that fails on some systems. Reported by Ed Hill of the University of Iowa. Fix multi-line values for $e (SMTP greeting message). Reported by Mike O'Connor of Ford Motor Company. Avoid syserr if no NIS domain name is defined, but the map it is trying to open is optional. From Win Bent of USC. Changes for picky compilers from Ed Gould of Digital Equipment. Hesiod support for UDB from Todd Miller of the University of Colorado. Use "hesiod" as the service name in the U option. Fix a problem that failed to set the "authentic" host name (that is, the one derived from the socket info) if you called sendmail -bs from inetd. Based on code contributed by Todd Miller (this problem was also reported by Guy Helmer of Dakota State University). This also fixes a related problem reported by Liudvikas Bukys of the University of Rochester. Parameterize "nroff -h" in all the Makefiles so people with variant versions can use them easily. Suggested by Peter Collinson of Hillside Systems. SMTP "MAIL" commands with multiple ESMTP parameters required two spaces between parameters instead of one. Reported by Valdis Kletnieks of Virginia Tech. Reduce the number of system calls during message collection by using global timeouts around the collect() loop. This code was contributed by Eric Wassenaar. If the initial hostname name gathering results in a name without a dot (usually caused by NIS misconfiguration) and BIND is compiled in, directly access DNS to get the canonical name. This should make life easier for Solaris systems. If it still can't be resolved, and if the name server is listed as "required", try again in 30 seconds. If that also fails, exit immediately to avoid bogus "config error: mail loops back to myself" messages. Improve the "MAIL DELETED BECAUSE OF LACK OF DISK SPACE" error message to explain how much space was available and sound a bit less threatening. Suggested by Stan Janet of the National Institute of Standards and Technology. If mail is delivered to an alias that has an owner, deliver any requested return-receipt immediately, and strip the Return-Receipt-To: header from the subsequent message. This prevents a certain class of denial of service attack, arguably gives more reasonable semantics, and moves things more towards what will probably become a network standard. Suggested by Christopher Davis of Kapor Enterprises. Add a "noreceipts" privacy flag to turn off all return receipts without recompiling. Avoid printing ESMTP parameters as part of the error message if there are errors during parsing. This change is purely cosmetic. Avoid sending out error messages during the collect phase of SMTP; there is an MVS mailer from UCLA that gets confused by this. Of course, I think it's their bug.... Check for the $j macro getting undefined, losing a dot, or getting lost from $=w in the daemon before accepting a connection; if it is, it dumps state, prints a LOG_ALERT message, and drops core for debugging. This is an attempt to track down a bug that I thought was long since gone. If you see this, please forward the log fragment to sendmail@sendmail.ORG. Change OLD_NEWDB from a #ifdef to a #if so it can be turned off with -DOLD_NEWDB=0 on the command line. From Christophe Wolfhugel. Instead of trying to truncate the listen queue for the server SMTP port when the load average is too high, just close the port completely and reopen it later as needed. This ensures that the other end gets a quick "connection refused" response, and that the connection can be recovered later. In particular, some socket emulations seem to get confused if you tweak the listen queue size around and can never start listening to connections again. The down side is that someone could start up another daemon process in the interim, so you could have multiple daemons all not listening to connections; this could in turn cause the sendmail.pid file to be incorrect. A better approach might be to accept the connection and give a 421 code, but that could break other mailers in mysterious ways and have paging behaviour implications. Fix a glitch in TCP-level debugging that caused flag 16.101 to set debugging on the wrong socket. From Eric Wassenaar. When creating a df* temporary file, be sure you truncate any existing data in the file -- otherwise system crashes and the like could result in extra data being sent. DOC: Replace the CHANGES-R5-R8 readme file with a paper in the doc directory. This includes some additional information. CONFIG: change UUCP rules to never add $U! or $k! on the front of recipient envelope addresses. This should have been handled by the $&h trick, but broke if people were mixing domainized and UUCP addresses. They should probably have converted all the way over to uucp-uudom instead of uucp-{new,old}, but the failure mode was to loop the mail, which was bad news. Portability fixes: Newer BSDI systems (several people). Older BSDI systems from Christophe Wolfhugel. Intergraph CLIX, from Paul Southworth of CICNet. UnixWare, from Evan Champion. NetBSD from Adam Glass. Solaris from Quentin Campbell of the University of Newcastle upon Tyne. IRIX from Dean Cookson and Bill Driscoll of Mitre Corporation. NCR 3000 from Kevin Darcy of Chrysler Financial Corporation. SunOS (it has setsid() and setvbuf() calls) from Jonathan Kamens of OpenVision Technologies. HP-UX from Tor Lillqvist. New Files: src/Makefile.CLIX src/Makefile.NCR3000 doc/changes/Makefile doc/changes/changes.me doc/changes/changes.ps 8.6.8/8.6.6 94/03/21 SECURITY: it was possible to read any file as root using the E (error message) option. Reported by Richard Jones; fixed by Michael Corrigan and Christophe Wolfhugel. 8.6.7/8.6.6 94/03/14 SECURITY: it was possible to get root access by using wierd values to the -d flag. Thanks to Alain Durand of INRIA for forwarding me the notice from the bugtraq list. 8.6.6/8.6.6 94/03/13 SECURITY: the ability to give files away on System V-based systems proved dangerous -- don't run as the owner of a :include: file on a system that allows giveaways. Unfortunately, this also applies to determining a valid shell. IMPORTANT: Previous versions weren't expiring old connections in the connection cache for a long time under some circumstances. This could result in resource exhaustion, both at your end and at the other end. This checks the connections for timeouts much more frequently. From Doug Anderson of NCSC. Fix a glitch that snuck in that caused programs to be run as the sender instead of the recipient if the mail was from a local user to another local user. From Motonori Nakamura of Kyoto University. Fix "wildcard" on /etc/shells matching -- instead of looking for "*", look for "/SENDMAIL/ANY/SHELL/". From Bryan Costales of ICSI. Change the method used to declare the "statfs" availability; instead of HASSTATFS and/or HASUSTAT with a ton of tweaking in conf.c, there is a single #define called SFS_TYPE which takes on one of six values (SFS_NONE for no statfs availability, SFS_USTAT for the ustat(2) syscall, SFS_4ARGS for a four argument statfs(2) call, and SFS_VFS, SFS_MOUNT, or SFS_STATFS for a two argument statfs(2) call with the declarations in <sys/vfs.h>, <sys/mount.h>, or <sys/statfs.h> respectively). Fix glitch in NetInfo support that could return garbage if there was no "/locations/sendmail" property. From David Meyer of the University of Virginia. Change HASFLOCK from defined/not-defined to a 0/1 definition to allow Linux to turn it off even though it is a BSD-like system. Allow setting of "ident" timeout to zero to turn off the ident protocol entirely. Make 7-bit stripping local to a connection (instead of to a mailer); this allows you to specify that SMTP is a 7-bit channel, but revert to 8-bit should it advertise that it supports 8BITMIME. You still have to specify mailer flag 7 to get this stripping at all. Improve makesendmail script so it handles more cases automatically. Tighten up restrictions on taking ownership of :include: files to avoid problems on systems that allow you to give away files. Fix a problem that made it impossible to rebuild the alias file if it was on a read-only file system. From Harry Edmon of the University of Washington. Improve MX randomization function. From John Gardiner Myers of CMU. Fix a minor glitch causing a bogus message to be printed (used %s instead of %d in a printf string for the line number) when a bad queue file was read. From Harry Edmon. Allow $s to remain NULL on locally generated mail. I'm not sure this is necessary, but a lot of people have complained about it, and there is a legitimate question as to whether "localhost" is legal as an 822-style domain. Fix a problem with very short line lengths (mailer L= flag) in headers. This causes a leading space to be added onto continuation lines (including in the body!), and also tries to wrap headers containing addresses (From:, To:, etc) intelligently at the shorter line lengths. Problem Reported by Lars-Johan Liman of SUNET Operations Center. Log the real user name when logging syserrs, since these can have security implications. Suggested by several people. Fix address logging of cached connections -- it used to always log the numeric address as zero. This is a somewhat bogus implementation in that it does an extra system call, but it should be an inexpensive one. Fix from Motonori Nakamura. Tighten up handling of short syslog buffers even more -- there were cases where the outgoing relay= name was too long to share a line with delay= and mailer= logging. Limit the overhead on split envelopes to one open file descriptor per envelope -- previously the overhead was three descriptors. This was in response to a problem reported by P{r (Pell) Emanuelsson. Fixes to better handle the case of unexpected connection closes; this redirects the output to the transcript so the info is not lost. From Eric Wassenaar. Fix potential string overrun if you macro evaluate a string that has a naked $ at the end. Problem noted by James Matheson <jmrm@eng.cam.ac.uk>. Make default error number on $#error messages 553 (``Requested action not taken: mailbox name not allowed'') instead of 501 (``Syntax error in parameters or arguments'') to avoid bogus "protocol error" messages. Strip off any existing trailing dot on names during $[ ... $] lookup. This prevents it from ending up with two dots on the end of dot terminated names. From Wesley Craig of the University of Michigan and Bryan Costales of ICSI. Clean up file class reading so that the debugging information is more informative. It hadn't been using setclass, so you didn't see the class items being added. Avoid core dump if you are running a version of sendmail where NIS is compiled in, and you specify an NIS map, but NIS is not running. Fix from John Oleynick of Rutgers. Diagnose bizarre case where res_search returns a failure value, but sets h_errno to a success value. Make sure that "too many hops" messages are considered important enough to send an error to the Postmaster (that is, the address specified in the P option). This fix should help problems that cause the df file to be left around sometimes -- unfortunately, I can't seem to reproduce the problem myself. Avoid core dump (null pointer reference) on EXPN command; this only occurred if your log level was set to 10 or higher and the target account was an alias or had a .forward file. Problem noted by Janne Himanka. Avoid "denial of service" attacks by someone who is flooding your SMTP port with bad commands by shutting the connection after 25 bad commands are issued. From Kyle Jones of UUNET. Fix core dump on error messages with very long "to" buffers; fmtmsg overflows the message buffer. Fixed by trimming the to address to 203 characters. Problem reported by John Oleynick. Fix configuration for HASFLOCK -- there were some spots where a #ifndef was incorrectly #ifdef. Pointed out by George Baltz of the University of Maryland. Fix a typo in savemail() that could cause the error message To: lists to be incorrect in some places. From Motonori Nakamura. Fix a glitch that can cause duplicate error messages on split envelopes where an address on one of the lists has a name server failure. Fix from Voradesh Yenbut of the University of Washington. Fix possible bogus pointer reference on ESMTP parameters that don't have an ``=value'' part. CNAME loops caused an error message to be generated, but also re-queued the message. Changed to just re-queue the message (it's really hard to just bounce it because of the wierd way the name server works in the presence of CNAME loops). Problem noted by James M.R.Matheson of Cambridge University. Avoid giving ``warning: foo owned process doing -bs'' messages if they use ``MAIL FROM:<foo>'' where foo is their true user name. Suggested by Andreas Stolcke of ICSI. Change the NAMED_BIND compile flag to be a 0/1 flag so you can override it easily in the Makefile -- that is, you can turn it off using -DNAMED_BIND=0. If a gethostbyname(...) of an address with a trailing dot fails, try it without the trailing dot. This is because if you have a version of gethostbyname() that falls back to NIS or the /etc/hosts file it will fail to find perfectly reasonable names that just don't happen to be dot terminated in the hosts file. You don't want to strip the dot first though because we're trying to ensure that country names that match one of your subdomains get a chance. PRALIASES: fix bogus output on non-null-terminated strings. From Bill Gianopoulos of Raytheon. CONFIG: Avoid rewriting anything that matches $w to be $j. This was in code intended to only catch the self-literal address (that is, [1.2.3.4], where 1.2.3.4 is your IP address), but the code was broken. However, it will still do this if $M is defined; this is necessary to get client configurations to work (sigh). Note that this means that $M overrides :mailname entries in the user database! Problem noted by Paul Southworth. CONFIG: Fix definition of Solaris help file location. From Steve Cliffe <steve@gorgon.cs.uow.edu.au>. CONFIG: Fix bug that broke news.group.USENET mappings. CONFIG: Allow declaration of SMTP_MAILER_MAX, FAX_MAILER_MAX, and USENET_MAILER_MAX to tweak the maximum message size for various mailers. CONFIG: Change definition of USENET_MAILER_ARGS to include argv[0] instead of assuming that it is "inews" for consistency with other mailers. From Michael Corrigan of UC San Diego. CONFIG: When mail is forwarded to a LOCAL_RELAY or a MAIL_HUB, qualify the address in the SMTP envelope as user@{relay|hub} instead of user@$j. From Bill Wisner of The Well. CONFIG: Fix route-addr syntax in nullrelay configuration set. CONFIG: Don't turn off case mapping of user names in the local mailer for IRIX. This was different than most every other system. CONFIG: Avoid infinite loops on certainly list:; syntaxes in envelope. Noted by Thierry Besancon <besancon@excalibur.ens.fr>. CONFIG: Don't include -z by default on uux line -- most systems don't want it set by default. Pointed out by Philippe Michel of Thomson CSF. CONFIG: Fix some bugs with mailertables -- for example, if your host name was foo.bar.ray.com and you matched against ".ray.com", the old implementation bound %1 to "bar" instead of "foo.bar". Also, allow "." in the mailertable to match anything -- essentially, take over SMART_HOST. This also moves matching of explicit local host names before the mailertable so they don't have to be special cased in the mailertable data. Reported by Bill Gianopoulos of Raytheon; the fix for the %1 binding problem was contributed by Nicholas Comanos of the University of Sydney. CONFIG: Don't include "root" in class $=L (users to deliver locally, even if a hub or relay exists) by default. This is because of the known bug where definition of both a LOCAL_RELAY and a MAIL_HUB causes $=L to ignore both and deliver into the local mailbox. CONFIG: Move up bitdomain and uudomain handling so that they are done before .UUCP class matching; uudomain was reported as ineffective before. This also frees up diversion 8 for future use. Problem reported by Kimmo Suominen. CONFIG: Don't try to convert dotted IP address (e.g., [1.2.3.4]) into host names. As pointed out by Jonathan Kamens, these are often used because either the forward or reverse mapping is broken; this translation makes it broken again. DOC: Clarify $@ and $: in the Install & Op Guide. From Kimmo Suominen. Portability fixes: Unicos from David L. Kensiski of Sterling Sofware. DomainOS from Don Lewis of Silicon Systems. GNU m4 1.0.3 from Karst Koymans of Utrecht University. Convex from Kimmo Suominen <kim@tac.nyc.ny.us>. NetBSD from Adam Glass <glass@sun-lamp.cs.berkeley.edu>. BSD/386 from Tony Sanders of BSDI. Apollo from Eric Wassenaar. DGUX from Doug Anderson. Sequent DYNIX/ptx 2.0 from Tim Wright of Sequent. NEW FILES: src/Makefile.DomainOS src/Makefile.PTX src/Makefile.SunOS.5.1 src/Makefile.SunOS.5.2 src/Makefile.SunOS.5.x src/mailq.1 cf/ostype/domainos.m4 doc/op/Makefile doc/intro/Makefile doc/usenix/Makefile 8.6.5/8.6.5 94/01/13 Security fix: /.forward could be owned by anyone (the test to allow root to own any file was backwards). From Bob Campbell at U.C. Berkeley. Security fix: group ids were not completely set when programs were invoked. This caused programs to have group permissions they should not have had (usually group daemon instead of their own group). In particular, Perl scripts would refuse to run. Security: check to make sure files that are written are not symbolic links (at least under some circumstances). Although this does not respond to a specific known attack, it's just a good idea. Suggested by Christian Wettergren. Security fix: if a user had an NFS mounted home directory on a system with a restricted shell listed in their /etc/passwd entry, they could still execute any program by putting that in their .forward file. This fix prevents that by insisting that their shell appear in /etc/shells before allowing a .forward to execute a program or write a file. You can disable this by putting "*" in /etc/shells. It also won't permit world-writable :include: files to reference programs or files (there's no way to disable this). These behaviours are only one level deep -- for example, it is legal for a world-writable :include: file to reference an alias that writes a file, on the assumption that the alias file is well controlled. Security fix: root was not treated suspiciously enough when looking into subdirectories. This would potentially allow a cracker to examine files that were publically readable but in a non-publically searchable directory. Fix a problem that causes an error on QUIT on a cached connection to create problems on the current job. These are typically unrelated, so errors occur in the wrong place. Reset CurrentLA in sendall() -- this makes sendmail queue runs more responsive to load average, and fixes a problem that ignored the load average in locally generated mail. From Eric Wassenaar. Fix possible core dump on aliases with null LHS. From John Orthoefer of BB&N. Revert to using flock() whenever possible -- there are just too many bugs in fcntl() locking, particularly over NFS, that cause sendmail to fail in perverse ways. Fix a bug that causes the connection cache to get confused when sending error messages. This resulted in "unexpected close" messages. It should fix itself on the following queue run. Problem noted by Liudvikas Bukys of the University of Rochester. Include $k in $=k as documented in the Install & Op Guide. This seems odd, but it was documented.... From Michael Corrigan of UCSD. Fix problem that caused :include:s from alias files to be forced to be owned by root instead of daemon (actually DefUid). From Tim Irvin. Diagnose unrecognized I option values -- from Mortin Forssen of the Chalmers University of Technology. Make "error" mailer work consistently when there is no error code associated with it -- previously it returned OK even though there was a real problem. Now it assumes EX_UNAVAILABLE. Fix bug that caused the last header line of messages that had no body and which were terminated with EOF instead of "." to be discarded. Problem noted by Liudvikas Bukys. Fix core dump on SMTP mail to programs that failed -- it tried to go to a "next MX host" when none existed, causing a core dump. From der Mouse at McGill University. Change IDENTPROTO from a defined/not defined to a 0/1 switch; this makes it easier to turn it off (using -DIDENTPROTO=0 in the Makefile). From der Mouse. Fix YP_MASTER_NAME store to use the unupdated result of gethostname() (instead of myhostname(), which tries to fully qualify the name) to be consistent with SunOS. If your hostname is unqualified, this fixes transfers to slave servers. Bug noted by Keith McMillan of Ameritech Services, Inc. Fix Ultrix problem: gethostbyname() can return a very large (> 500) h_length field, which causes the sockaddr to be trashed. Use the size of the sockaddr instead. Fix from Bob Manson of Ohio State. Don't assume "-a." on host lookups if NAMED_BIND is not defined -- this confuses gethostbyname on hosts file lookups, which doesn't understand the trailing dot convention. Log SMTP server subprocesses that die with a signal instead of from a clean exit. If you don't have option "I" set, don't assume that a DNS "host unknown" message is authoritative -- it might still be found in /etc/hosts. Fix a problem that would cause Deferred: messages to be sent as the subject of an error message, even though the actual cause of a message was more severe than that. Problem noted by Chris Seabrook of OSSI. Fix race condition in DBM alias file locking. From Kyle Jones of UUNET. Limit delivery syslog line length to avoid bugs in some versions of syslog(3). This adds a new compile time variable SYSLOG_BUFSIZE. From Jay Plett of Princeton University, which is in turn derived from IDA. Fix quotes inside of comments in addresses -- previously it insisted that they be balanced, but the 822 spec says that they should be ignored. Dump open file state to syslog upon receiving SIGUSR1 (for debugging). This also evaluates ruleset 89, if set (with the null input), and logs the result. This should be used sparingly, since the rewrite process is not reentrant. Change -qI, -qR, and -qS flags to be case-insensitive as documented in the Bat Book. If the mailer returned EX_IOERR or EX_OSERR, sendmail did not return an error message and did not requeue the message. Fix based on code from Roland Dirlewanger of Reseau Regional Aquarel, Bordeaux, France. Fix a problem that caused a seg fault if you got a 421 error code during some parts of connection initialization. I've only seen this when talking to buggy mailers on the other end, but it shouldn't give a seg fault in any case. From Amir Plivatsky. Fix core dump caused by a ruleset call that returns null. Fix from Bryan Costales of ICSI. Full-Name: field was being ignored. Fix from Motonori Nakamura of Kyoto University. Fix a possible problem with very long input lines in setproctitle. From P{r Emanuelsson. Avoid putting "This is a warning message" out on return receipts. Suggested by Douglas Anderson. Detect loops caused by recursive ruleset calls. Suggested by Bryan Costales. Initialize non-alias maps during alias rebuilds -- they may be needed for parsing. Problem noted by Douglas Anderson. Log sender address even if no message was collected in SMTP (e.g., if all RCPTs failed). Suggested by Motonori Nakamura. Don't reflect the owner-list contents into the envelope sender address if the value contains ", :, /, or | (to avoid illegal addresses appearing there). Efficiency hack for toktype macro -- from Craig Partridge of BB&N. Clean up DNS error printing so that a host name is always included. Remember to set $i during queue runs. Reported by Stephen Campbell of Dartmouth University. If the environment variable HOSTALIASES is set, use it during canonification as the name of a file with per-user host translations so that headers are properly mapped. Reported by Anne Bennett of Concordia University. Avoid printing misleading error message if SMTP mailer (not using [IPC]) should die on a core dump. Avoid incorrect diagnosis of "file 1 closed" when it is caused by the other end closing the connection. From Dave Morrison of Oracle. Improve several of the error messages printed by "mailq" to include a host name or other useful information. Add NetInfo preliminary support for NeXT systems. From Vince DeMarco. Fix a glitch that sometimes caused :include:s that pointed to NFS filesystems that were down to give an "aliasing/ forwarding loop broken" message instead of queueing the message for retry. Noted by William C Fenner of the NRL Connection Machine Facility. Fix a problem that could cause a core dump if the input sequence had (or somehow acquired) a \231 character. Make sure that route-addrs always have <angle brackets> around them in non-SMTP envelopes (SMTP envelopes already do this properly). Avoid wierd headers on unbalanced punctuation of the form: ``Joe User <user)'' -- this caused reference to the null macro. Fix from Rick McCarty of IO.COM. Fix a problem that caused an alias "user: user@local.host" to not have the QNOTREMOTE bit set; this caused configs to act as if FEATURE(notsticky) was defined even when it was not. The effect of the problem was to make it very hard to to set up satellite sites that had a few local accounts, with everything else forwarded to a corporate hub. Reported by Detlef Drewanz of the University of Rostock and Mark Frost of NCD. Change queuing to not call rulesets 3, {1 or 2}, 4 on header addresses. This is more efficient (fewer name server calls) and fixes certain unusual configurations, such as those that have ruleset 4 do something that is non-idempotent unless a mailer-specific ruleset did something else. Problem reported by Brian J. Coan of the Institute for Global Communications. Fix the "obsolete argument" routine in main to better understand new arguments. For example, if you used ``sendmail -C config -v -q'' it would choke on the -q because the -C would stop looking for old-format arguments. Fix the code that was intended to allow two users to forward their mail to the same program and have them appear unique. Portability fixes for: SCO UNIX from Murray Kucherawy. SCO Open Server 3.2v4 from Philippe Brand. System V Release 4 from Rick Ellis and others. OSF/1 from Steve Campbell. DG/UX from Ben Mesander of the USGS and Bryan Curnutt of Stoner Associates. Motorola SysV88 from Kevin Johnson of Motorola. Solaris 2.3 from Casper H.S. Dik of the University of Amsterdam and John Caruso of University of Maryland. FreeBSD from Ollivier Robert. NetBSD from Adam Glass. TitanOS from Kate Hedstrom of Rutgers University. Irix from Bryan Curnutt. Dynix from Jim Davis of the University of Arizona. RISC/os. Linux from John Kennedy of California State University at Chico. Solaris 2.x from Tony Boner of the U.S. Air Force. NEXTSTEP 3.x from Vince DeMarco. HP-UX from various people. NOTA BENE: the location of the config file has moved to /usr/lib to match the HP-UX version of sendmail. CONFIG: Don't do any recipient rewriting on relay mailer; since this is intended only for internal use, the usual RFC 821/822/1123 rules can be relaxed. The main point of this is to avoid munging (ugh) UUCP addresses when relaying internally. CONFIG: fix typo in mailer/uucp.m4 that mutilates list:; syntax addresses delivered via UUCP. Solution provided by Peter Wemm. CONFIG: fix thumb-fumble in default UUCP relaying in ruleset zero; it caused double @ signs in addresses. From Irving Reid of the University of Toronto. CONFIG: Portability fixes for SCO Unix 3.2 with TCP/IP 1.2.1 from Markku Toijala of ICL Personal Systems Oy. CONFIG: Add trailing "." on pseudo-domains for consistency; this fixes a problem (noted by Al Whaley of Sunnyside) that made it hard to recognize your own pseudodomain names. CONFIG: catch "@host" syntax errors (i.e., null local-parts) rather than letting them get "local configuration error"s. Problem noted by John Gardiner Myers. CONFIG: add uucp-uudom mailer variant, based on code posted by Spider Boardman <spider@Orb.Nashua.NH.US>; this has uucp-dom semantics but old UUCP syntax. This also permits "uucp-old" as an alias for "uucp" and "uucp-new" as a synonym for "suucp" for consistency. CONFIG: add POP mailer support (from Kimmo Suominen <kim@grendel.lut.fi>). CONFIG: drop CSNET_RELAY support -- CSNET is long gone. CONFIG: fix bug caused with domain literal addresses (e.g., ``[128.32.131.12]'') when FEATURE(allmasquerade) was set; it would get an additional @masquerade.host added to the address. Problem noted by Peter Wan of Georgia Tech. CONFIG: make sure that the local UUCP name is in $=w. From Jim Murray of Stratus. CONFIG: changes to UUCP rewriting to simulate IDA-style "V" mailer flag. Briefly, if you are sending to host "foo", then it rewrites "foo!...!baz" to "...!baz", "foo!baz" remains "foo!baz", and anything else has the local name prepended. CONFIG: portability fixes for HP-UX. DOC: several minor problems fixed in the Install & Op Guide. MAKEMAP: fix core dump problem on lines that are too long or which lack newline. From Mark Delany. MAILSTATS: print sums of columns (total messages & kbytes in and out of the system). From Tom Ferrin of UC San Francisco Computer Graphics Lab. SIGNIFICANT USER- OR SYSAD-VISIBLE CHANGES: On HP-UX, /etc/sendmail.cf has been moved to /usr/lib/sendmail.cf to match HP sendmail. Permissions have been tightened up on world-writable :include: files and accounts that have shells that are not listed in /etc/shells. This may cause some .forward files that have worked before to start failing. SIGUSR1 dumps some state to the log. NEW FILES: src/Makefile.DGUX src/Makefile.Dynix src/Makefile.FreeBSD src/Makefile.Mach386 src/Makefile.NetBSD src/Makefile.RISCos src/Makefile.SCO src/Makefile.SVR4 src/Makefile.Titan cf/mailer/pop.m4 cf/ostype/bsdi1.0.m4 cf/ostype/dgux.m4 cf/ostype/dynix3.2.m4 cf/ostype/sco3.2.m4 makemap/Makefile.dist praliases/Makefile.dist 8.6.4/8.6.4 93/10/31 Repair core-dump problem (write to read-only memory segment) if you fall back to the return-to-Postmaster case in savemail. Problem reported by Richard Liu. Immediately diagnose bogus sender addresses in SMTP. This makes quite certain that crackers can't use this class of attack. Reliability Fix: check return value from fclose() and fsync() in a few critical places. Minor problem in initsys() that reversed a condition for redirecting the output channel on queue runs. It's not clear this code even does anything. From Eric Wassenaar of the Dutch National Institute for Nuclear and High-Energy Physics. Fix some problems that caused queue runs to do "too much work", such as double-reading the Errors-To: header. From Eric Wassenaar. Error messages on writing the temporary file (including the data file) were getting suppressed in SMTP -- this fix causes them to be properly reported. From Eric Wassenaar. Some changes to support AF_UNIX sockets -- this will only really become relevant in the next release, but some people need it for local patches. From Michael Corrigan of UC San Diego. Use dynamically allocated memory (instead of static buffers) for macros defined in initsys() and settime(); since these can have different values depending on which envelope they are in. From Eric Wassenaar. Improve logging to show ctladdr on to= logging; this tells you what uid/gid processes ran as. Fix a problem that caused error messages to be discarded if the sender address was unparseable for some reason; this was supposed to fall back to the "return to postmaster" case. Improve aliaswait backoff algorithm. Portability patches for Linux (8.6.3 required another header file) (from Karl London) and SCO UNIX. CONFIG: patch prog mailer to not strip host name off of envelope addresses (so that it matches local again). From Christopher Davis. CONFIG: change uucp-dom mailer so that "<>" translates to $n; this prevents uux from seeing lines with null names like ``From Sat Oct 30 14:55:31 1993''. From Motonori Nakamura of Kyoto University. CONFIG: handle <list:;> syntax correctly. This isn't legal, but it shouldn't fail miserably. From Motonori Nakamura. 8.6.2/8.6.2 93/10/15 Put a "successful delivery" message in the transcript for addresses that get return-receipts. Put a prominent "this is only a warning" message in warning messages -- some people don't read carefully enough and end up sending the message several times. Include reason for temporary failure in the "warning" return message. Currently, it just says "cannot send for four hours". Fix the "Original message received" time generated for returntosender messages. It was previously listed as the current time. Bug reported by Eric Hagberg of Cornell University Medical College. If there is an error when writing the body of a message, don't send the trailing dot and wait for a response in sender SMTP, as this could cause the connection to hang up under some bizarre circumstances. From Eric Wassenaar. Fix some server SMTP synchronization problems caused when connections fail during message collection. From Eric Wassenaar. Fix a problem that can cause srvrsmtp to reject mail if the name server is down -- it accepts the RCPT but rejects the DATA command. Problem reported by Jim Murray of Stratus. Fix a problem that can cause core dumps if the config file incorrectly resolves to a null hostname. Reported by Allan Johannesen of WPI. Non-root use of -C flag, dangerous -f flags, and use of -oQ by non-root users were not put into X-Authentication-Warning:s as intended because the config file hadn't set the PrivacyFlags yet. Fix from Sven-Ove Westberg of the University of Lulea. Under very odd circumstances, the alias file rebuild code could get confused as to whether a database was open or not. Check "vendor code" on the end of V lines -- this is intended to provide a hook for vendor-specific configuration syntax. (This is a "new feature", but I've made an exception to my rule in a belief that this is a highly exceptional case.) Portability fixes for DG/UX (from Douglas Anderson of NCSC), SCO Unix (from Murray Kucherawy), A/UX, and OSF/1 (from Jon Forrest of UC Berkeley) CONFIG: fix ``mailer:host'' form of UUCP relay naming. 8.6.1/8.6 93/10/08 Portability fixes for A/UX and Encore UMAX V. Fix error message handling -- if you had a name server down causing an error during parsing, that message was never propogated to the queue file. 8.6/8.6 93/10/05 Configuration cleanup: make it easier to undo IDENTPROTO in conf.h (other systems have the same bug). If HASGETDTABLESIZE and _SC_OPEN_MAX are both defined, assume getdtablesize() instead of sysconf(); a disturbingly large number of systems defined _SC_OPEN_MAX in the header files but don't have the syscall. Another patch to really truly ignore MX records in getcanonname if trymx == FALSE. Fix problem that caused the "250 IAA25499 Message accepted for delivery" message to be omitted if there was an error in the header of the message (e.g., a bad Errors-To: line). Pointed out by Michael Corrigan of UCSD. Announce name of host we are chatting when we get errors; this is an IDA-ism suggested by Christophe Wolfhugel. Portability fixes for Alpha OSF/1 (from Anthony Baxter of the Australian Artificial Intelligence Institute), SCO Unix (from Murray Kucherawy of Hookup Communication Corp.), NeXT (from Vince DeMarco and myself), Linux (from Karl London <karl@borg.demon.co.uk>), BSDI (from Christophe Wolfhugel, and SVR4 on Dell (from Kimmo Suominen), AUX 3.0 on Macintosh, and ANSI C compilers. Some changes to get around gcc optimizer bugs. From Takahiro Kanbe. Fix error recovery in queueup if another tf file of the same name already exists. Problem stumbled over by Bill Wisner of The Well. Output YP_MASTER_NAME and YP_LAST_MODIFIED without null bytes. Problem noted by Keith McMillan of Ameritech Services. Deal with group permissions properly when opening .forward and :include: files. This relaxes the 8.1C restrictions slightly more. This includes proper setting of groups when reading :include: files, allowing you to read some files that you should be able to read but have previously been denied unless you owned them or they had "other" read permission. Make certain that $j is in $=w (after the .cf is read) so that if the user is forced to override some silly system, MX suppression will still work. Fix a couple of efficiency problems where newstr was double- calling expensive routines. In at least one case, it wasn't guaranteed that they would always return the same result. Problem noted by Christophe Wolfhugel. Fix null pointer dereference in putoutmsg -- only on an error condition from a non-SMTP mailer. From Motonori Nakamura. Macro expand "C" line class definitions before scanning so that "CX $Z" works. Fix problem that caused error message to be sent while still trying to send the original message if the connection is closed during a DATA command after getting an error on an RCPT command (pretty obscure). Problem reported by John Myers of CMU. Fix reply to NOOP to be 250 instead of 200 -- this is a long term bug. Fix a nasty bug causing core dumps when returning the "warning: cannot deliver for N hours -- will keep trying" message; it only occurred if you had PostMasterCopy set and only on some architectures. Although sendmail would keep trying, it would send error messages on each queue interval. This is an important fix. Allow u and g options to take user and group names respectively. Don't do a chdir into the queue directory in -bt mode to make ruleset testing a bit easier. Don't allow users to turn off logging (using -oL) on the command line -- command line can only raise, not lower, logging level. Set $u to the original recipient on the SMTP transaction or on the command line. This is only done if there is exactly one recipient. Technically, this does not meet the specs, because it does not guarantee a domain on the address. Fix a problem that dumped error messages on bad addresses if you used the -t flag. Problem noted by Josh Smith of Harvey Mudd College. Given an address such as ``<foo> <bar>'', auto-quote the first ``<foo>'' part, giving ``"<foo>" <bar>''. This is to avoid the problem of people who use angle brackets in their full name information. Fix a null pointer dereference if you set option "l", have an Errors-To: header in the message, and have Errors-To: defined in the config file H lines. From J.R. Oldroyd. Put YPCOMPAT on #ifdef NIS instead -- it's one less thing to get wrong when compiling. Suggested by Rick McCarty of TI. Fix a problem that could pass negative SIZE parameter if the df file got lost; this would cause servers to always give a temporary failure, making the problem even worse. Problem noted by Allan Johannesen of WPI. Add "ident" timeout (one of the "r" option selectors) for IDENT protocol timeouts (30s default). Requested by Murray Kucherawy of HookUp Communication Corp. to handle bogus PC TCP/IP implementations. Change $w default definition to be just the first component of the domain name on config level 5. The $j macro defaults to the FQDN; $m remains as before. This lets well-behaved config files use any of the short, long, or subdomain names. Add makesendmail script in src to try to automate multi-architecture builds. I know, this is sub-optimal, but it is still helpful. Fix very obscure race condition that can cause a queue run to get a queue file for an already completed job. This problem has existed for years. Problem noted by the long suffering Allan Johannesen of WPI. Fix a problem that caused the raw sender name to be passed to udbsender instead of the canonified name -- this caused it to sometimes miss records that it should have found. Relax check of name on HELO packet so that a program using -bs that claims to be itself works properly. Restore rewriting of $: part of address through 2, R, 4 in buildaddr -- this requires passing a lot of flags to get it right. Unlike old versions, this ONLY rewrites recipient addresses, not sender addresses. Fix a bug that caused core dumps in config files that cannot resolve /file/name style addresses. Fix from Jonathan Kamens of OpenVision Technologies. Fix problem with fcntl locking that can cause error returns to be lost if the lock is lost; this required fully queueing everything, dropping the envelope (so errors would get returned), and then re-reading the queue from scratch. Fix a problem that caused aliases that redefine an otherwise true address to still send to the original address if and only if the alias failed in certain bizarre ways (e.g, if they pointed at a list:; syntax address). Problem pointed out by Jonathan Kamens. Remove support for frozen configuration files. They caused more trouble than it was worth. Fix problem that can cause error messages to get ignored when using both -odb and -t flags. Problem noted by Rob McNicholas at U.C. Berkeley. Include all "normal" variations on hostname in $=w. For example, if the host name is vangogh.cs.berkeley.edu, $=w will contain vangogh, vangogh.cs, and vangogh.cs.berkeley.edu. Add "restrictqrun" privacy flag -- without this, anyone can run the queue. Reset SmtpPhase global on initial connection creation so that messages don't come out with stale information. Pass an "ext" argument to lockfile so that error/log messages will properly reflect the true filename being locked. Put all [...] address forms into $=w -- this eliminates the need for MAXIPADDR in conf.h. Suggested by John Gardiner Myers of CMU. Fix a bug that can cause qf files to be left around even after an SMTP RSET command. Problem and fix from Michael Corrigan. Don't send a PostMasterCopy to errors when the Precedence: is negative. Error reports still go to the envelope sender address. Add LA_SHORT for load averages. Lock sendmail.st file when posting statistics. Add "SendBufSize" and "RcvBufSize" suboptions to "O" option to set the size of the TCP send and receive buffers; if you run over a slow slip line you may need to set these down (although it would be better to fix the SLIP implementation so that it's not necessary to recompile every program that does bulk data transfer). Allow null defaults on $( ... $) lookups. Problem reported by Amir Plivatsky. Diagnose crufty S and V config lines. This resulted from an observation that some people were using the SITE macro without the SITECONFIG macro first, which was causing bogus config files that were not caught. Fix makemap -f flag to turn off case folding (it was turning it on instead). THIS IS A USER VISIBLE CHANGE!!! Fix a problem that caused multiple error messages to be sent if you used "sendmail -t -oem -odb", your system uses fcntl locking, and one of the recipient addresses is unknown. Reset uid earlier in include() so that recursive .forwards or :include:s don't use the wrong uid. If file descriptor 0, 1, or 2 was closed when sendmail was called, the code to recover the descriptor was broken. This sometimes (only sometimes) caused problems with the alias file. Fix from Motonori Nakamura. Fix a problem that caused aliaswait to go into infinite recursion if the @:@ metasymbol wasn't found in the alias file. Improve error message on newaliases if database files cannot be opened or if running with no database format defined. Do a better estimation of the size of error messages when NoReturn is set. Problem noted by P{r (Pell) Emanuelsson. Fix a problem causing the "c" option (don't connect to expensive mailers) to be ignored in SMTP. Problem noted and the solution suggested by Robert Elz of Munnari University. Improve connection caching algorithm by passing "[host]" to hostsignature, which strips the square brackets and returns the real name. This allows mailertable entries to match regular entries. Re-enable Return-Receipt-To: -- people seem to want this stupid feature, even if it doesn't work right. Catch and log attempts to try the "wiz" command in server SMTP. This also ups the log level from LOG_NOTICE to LOG_CRIT. Be more generous at assigning $z to the home directory -- do this for programs that are specified through a .forward file. Fix from Andrew Chang of Sun Microsystems. Always save a fatal error message in preference to a non-fatal error message so that the "subject" line of return messages is the best possible. CONFIG: reduce the number of quotes needed to quote configuration parameters with commas: two quotes should work now, e.g., define(ALIAS_FILE, ``/etc/aliases,/etc/aliases.local''). CONFIG: class $=Z is a set of UUCP hosts that use uucp-dom connections (domain-ized UUCP). CONFIG: fix bug in default maps (-o must be before database file name). Pointed out by Christophe Wolfhugel. CONFIG: add FEATURE(nodns) to state that we are not relying on DNS. This would presumably be used in UUCP islands. CONFIG: add OSTYPE(nextstep) and OSTYPE(linux). CONFIG: log $u in Received: line. This is in technical violation of the standards, since it doesn't guarantee a domain on the address. CONFIG: don't assume "m" in local mailer flags -- this means that if you redefine LOCAL_MAILER_FLAGS you will have to include the "m" flag should you want it. Apparently some Solaris 2.2 installations can't handle multiple local recipients. Problem noted by Josh Smith. CONFIG: add confDOMAIN_NAME to set $j (if undefined, $j defaults). CONFIG: change default version level from 4 to 5. CONFIG: add FEATURE(nullclient) to create a config file that forwards all mail to a hub without ever looking at the addresses in any detail. CONFIG: properly strip mailer: information off of relays when used to change .BITNET form into %-hack form. CONFIG: fix a problem that caused infinite loops if presented with an address such as "!foo". CONFIG: check for self literal (e.g., [128.32.131.12]) even if the reverse "PTR" mapping is broken. There's a better way to do this, but the change is fairly major and I want to hold it for another release. Problem noted by Bret Marquis. 8.5/8.5 93/07/23 Serious bug: if you used a command line recipient that was unknown sendmail would not send a return message (it was treating everything as though it had an SMTP-style client that would do the return itself). Problem noted by Josh Smith. Change "trymx" option in getcanonname() to ignore all MX data, even during a T_ANY query. This actually didn't break anything, because the only time you called getcanonname with !trymx was if you already knew there were no MX records, but it is somewhat cleaner. From Motonori Nakamura. Don't call getcanonname from getmxrr if you already know there are no DNS records matching the name. Fix a problem causing error messages to always include "The original message was received ... from localhost". The correct original host information is now included. Previous change to cf/sh/makeinfo.sh doesn't port to Ultrix (their version of "test" doesn't have the -x flag). Change it to use -f instead. From John Myers. CONFIG: 8.4 mistakenly set the default SMTP-style mailer to esmtp -- it should be smtp. CONFIG: send all relayed mail using confRELAY_MAILER (defaults to "relay" (a variant of "smtp") if MAILER(smtp) is used, else "suucp" if MAILER(uucp) is used, else "unknown"); this cleans up the configs somewhat. This fixes a serious problem that caused route-addrs to get mistaken as relays, pointed out by John Myers. WARNING: this also causes the default on SMART_HOST to change from "suucp" to "relay" if you have MAILER(smtp) specified. 8.4/8.4 93/07/22 Add option `w'. If you receive a message that comes to you because you are the best (lowest preference) target of an MX, and you haven't explicitly recognized the source MX host in your .cf file, this option will cause you to try the target host directly (as if there were no MX for it at all). If `w' is not set, this case is a configuration error. Beware: if `w' is set, senders may get bogus errors like "message timed out" or "host unknown" for problems that are really configuration errors. This option is disrecommended, provided only for compatibility with UIUC sendmail. Fix a problem that caused the incoming socket to be left open when sendmail forks after the DATA command. This caused calling systems to wait in FIN_WAIT_2 state until the entire list was processed and the child closed -- a potentially prodigious amount of time. Problem noted by Neil Rickert. Fix problem (created in 6.64) that caused mail sent to multiple addresses, one of which was a bad address, to completely suppress the sending of the message. This changes handling of EF_FATALERRS somewhat, and adds an EF_GLOBALERRS flag. This also fixes a potential problem with duplicate error messages if there is a syntax error in the header of a message that isn't noticed until late in processing. Original problem pointed out by Josh Smith of Harvey Mudd College. This release includes quite a bit of dickering with error handling (see below). Back out SMTP transaction if MAIL gets nested 501 error. This will only hurt already-broken software and should help humans. Fix a problem that broke aliases when neither NDBM nor NEWDB were compiled in. It would never read the alias file. Repair unbalanced `)' and `>' (the "open" versions are already repaired). Logging of "done" in dropenvelope() was incorrect: it would log this even when the queue file still existed. Change this to only log "done" (at log level 11) when the queue file is actually removed. From John Myers. Log "lost connection" in server SMTP at log level 20 if there is no pending transaction. Some senders just close the connection rather than sending QUIT. Fix a bug causing getmxrr to add a dot to the end of unqualified domains that do not have MX records -- this would cause the subsequent host name lookup to fail. The problem only occurred if you had FEATURE(nocanonify) set. Problem noted by Rick McCarty of Texas Instruments. Fix invocation of setvbuf when passed a -X flag -- I had unwittingly used an ANSI C extension, and this caused core dumps on some machines. Diagnose self-destructive alias loops on RCPT as well as EXPN. Previously it just gave an empty send queue, which then gave either "Need RCPT (recipient)" at the DATA (confusing, since you had given an RCPT command which returned 250) or just dropped the email, depending on whether you were running VERBose mode. Now it usually diagnoses this case as "aliasing/forwarding loop broken". Unfortunately, it still doesn't adequately diagnose some true error conditions. Add internal concept of "warning messages" using 6xx codes. These are not reported only to Postmaster. Unbalanced parens, brackets, and quotes are printed as 653 codes. They are always mapped to 5xx codes before use in SMTP. Clean up error messages to tell both the actual address that failed and the alias they arose from. This makes it somewhat easier to diagnose problems. Difficulty noted by Motonori Nakamura. Fix a problem that inappropriately added a ctladdr to addresses that shouldn't have had one during a queue run. This caused error messages to be handled differently during a queue run than a direct run. Don't print the qf name and line number if you get errors during the direct run of the queue from srvrsmtp -- this was just extra stuff for users to crawl through. Put command line flags on second line of pid file so you can auto-restart the daemon with all appropriate arguments. Use "kill `head -1 /etc/sendmail.pid`" to stop the daemon, and "eval `tail -1 /etc/sendmail.pid`" to restart it. Remove the ``setuid(getuid())'' in main -- this caused the IDENT daemon to screw up. This required that I change HASSETEUID to HASSETREUID and complicate the mode changing somewhat because both Ultrix and SunOS seem to have a bug causing seteuid() to set the saved uid as well as the effective. The program test/t_setreuid.c will test to see if your implementation of setreuid(2) is appropriately functional. The FallBackMX (option V) handling failed to properly identify fallback to yourself -- most of the code was there, but it wasn't being enabled. Problem noted by Murray Kucherawy of the University of Waterloo. Change :include: open timeout from ETIMEDOUT to an internal code EOPENTIMEOUT; this avoids adding "during SmtpPhase with CurHostName" in error messages, which can be confusing. Reported by Jonathan Kamens of OpenVision Technologies. Back out setpgrp (setpgid on POSIX systems) call to reset the process group id. The original fix was to get around some problems with recalcitrant MUAs, but it breaks any call from a shell that creates a process group id different from the process id. I could try to fix this by diddling the tty owner (using tcsetpgrp or equivalent) but this is too likely to break other things. Portability changes: Support -M as equivalent to -oM on Ultrix -- apparently DECnet calls sendmail with -MrDECnet -Ms<HOST> -bs instead of using standard flags. Oh joy. This behaviour reported by Jon Giltner of University of Colorado. SGI IRIX -- this includes several changes that should help other strict ANSI compilers. SCO Unix -- from Murray Kucherawy of HookUp Communication Corporation. Solaris running the Sun C compiler (which despite the documentation apparently doesn't define __STDC__ by default). ConvexOS from Eric Schnoebelen of Convex. Sony NEWS workstations and Omron LUNA workstations from Motonori Nakamura. CONFIG: add confTRY_NULL_MX_LIST to set option `w'. CONFIG: delete `C' and `e' from default SMTP mailers flags; several people have made a good argument that this creates more problems than it solves (although this may prove painful in the short run). CONFIG: generalize all the relays to accept a "mailer:host" format. CONFIG: move local processing in ruleset 0 into a new ruleset 98 (8 on old sendmail). Domain literal [a.b.c.d] addresses are also passed through this ruleset. CONFIG: if neither SMART_HOST nor MAILER(smtp) were defined, internet-style addresses would "fall off the end" of ruleset zero and be interpreted as local -- however, the angle brackets confused the recursive call. These are now diagnosed as "Unrecognized host name". CONFIG: USENET rules weren't included in S0 because of a mistaken ifdef(`_MAILER_USENET_') instead of ifdef(`_MAILER_usenet_'). Problem found by Rein Tollevik of SINTEF RUNIT, Oslo. CONFIG: move up LOCAL_RULE_0 processing so that it happens very early in ruleset 0; this allows .mc authors to bypass things like the "short circuit" code for local addresses. Prompted by a comment by Bill Wisner of The Well. CONFIG: add confSMTP_MAILER to define the mailer used (smtp or esmtp) to send SMTP mail. This allows you to default to esmtp but use a mailertable or other override to deal with broken servers. This logic was pointed out to me by Bill Wisner. Ditto for confLOCAL_MAILER. Changes to cf/sh/makeinfo.sh to make it portable to SVR4 environments. Ugly as sin. 8.3/8.3 93/07/13 Fix setuid problems introduced in 8.2 that caused messages like "Cannot create qfXXXXXX: Invalid argument" or "Cannot reopen dfXXXXXX: Permission denied". This involved a new compile flag "HASSETEUID" that takes the place of the old _POSIX_SAVED_IDS -- it turns out that the POSIX interface is broken enough to break some systems badly. This includes some fixes for HP-UX. Also fixes problems where the real uid is not reset properly on startup (from Neil Rickert). Fix a problem that caused timed out messages to not report the addresses that timed out. Error messages are also more "user friendly". Drop required bandwidth on connections from 64 bytes/sec to 16 bytes/sec. Further Solaris portability changes -- doesn't require the BSD compatibility library. This also adds a new "HASGETDTABLESIZE" compile flag which can be used if you want to use getdtablesize(2) instead of sysconf(2). These are loosely based on changes from David Meyer at University of Oregon. This now seems to work, at least for quick test cases. Fix a problem that can cause duplicate error messages to be sent if you are in SMTP, you send to multiple addresses, and at least one of those addresses is good and points to an account that has a .forward file (whew!). Fix a problem causing messages to be discarded if checkcompat() returned EX_TEMPFAIL (because it didn't properly mark the "to" address). Problem noted by John Myers. Fix dfopen to return NULL if the open failed; I was depending on fdopen(-1) returning NULL, which isn't the case. This isn't serious, but does result in wierd error diagnoses. From Michael Corrigan. CONFIG: add UUCP_MAX_SIZE M4 macro to set the maximum size of messages sent through UUCP-family mailers. Suggested by Bill Wisner of The Well. CONFIG: if both MAILER(uucp) and MAILER(smtp) are specified, include a "uucp-dom" mailer that uses domain-style addressing. Suggested by Bill Wisner. CONFIG: Add LOCAL_SHELL_FLAGS and LOCAL_SHELL_ARGS to match LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS. Suggested by Christophe Wolfhugel. CONFIG: Add OSTYPE(aix3). From Christophe Wolfhugel. 8.2/8.2 93/07/11 Don't drop out on config file parse errors in -bt mode. On older configuration files, assume option "l" (use Errors-To header) for back compatibility. NOTE: this DOES NOT imply an endorsement of the Errors-To: header in any way. Accept -x flag on AIX-3 as well as OSF/1. Why, why, why??? Don't log errors on EHLO -- it isn't a "real" error for an old SMTP server to give an error on this command, and logging it in the transcript can be confusing. Fix from Bill Wisner. IRIX compatibility changes provided by Dan Rich <drich@sandman.lerc.nasa.gov>. Solaris 2 compatibility changes. Provided by Bob Cunningham <bob@kahala.soest.hawaii.edu>, John Oleynick <juo@klinzhai.rutgers.edu> Debugging: -d17 was overloaded (hostsignature and usersmtp.c); move usersmtp (smtpinit and smtpmailfrom) to -d18 to match the other flags in that file. Flush transcript before fork in mailfile(). From Eric Wassenaar. Save h_errno in mci struct and improve error message display. Changes from Eric Wassenaar. Open /dev/null for the transcript if the create of the xf file failed; this avoids at least one possible null pointer reference in very wierd cases. From Eric Wassenaar. Clean up statistics gathering; it was over-reporting because of forks. From Eric Wassenaar. Fix problem that causes old Return-Path: line to override new Return-Path: line (conf.c needs H_FORCE to avoid re-using old value). From Motonori Nakamura. Fix broken -m flag in K definition -- even if -m (match only) was specified, it would still replace the key with the value. Noted by Rick McCarty of Texas Instruments. If the name server timed out over several days, no "timed out" message would ever be sent back. The timeout code has been moved from markfailure() to dropenvelope() so that all such failures should be diagnosted. Pointed out by Christophe Wolfhugel and others. Relax safefile() constraints: directories in an include or forward path must be readable by self if the controlling user owns the entry, readable by all otherwise (e.g., when reading your .forward file, you have to own and have X permssion in it; everyone needs X permission in the root and directories leading up to your home); include files must be readable by anyone, but need not be owned by you. If _POSIX_SAVED_IDS is defined, setuid to the owner before reading a .forward file; this gets around some problems on NFS mounts if root permission is not exported and the user's home directory isn't x'able. Additional NeXT portability enhancements from Axel Zinser. Additional HP-UX portability enhancements from Brian Bullen. Add a timeout around SMTP message writes; this assumes you can get throughput of at least 64 bytes/second. Note that this does not impact the "datafinal" default, which is separate; this is just intended to work around network clogs that will occur before the final dot is sent. From Eric Wassenaar. Change map code to set the "include null" flag adaptively -- it initially tries both, but if it finds anything matching without a null it never tries again with a null and vice versa. If -N is specified, it never tries without the null and creates new maps with a null byte. If -O is specified, it never tries with the null (for efficiency). If -N and -O are specified, you get -NO (get it?) lookup at all, so this would be a bad idea. If you don't specify either -N or -O, it adapts. Fix recognition of "same from address" so that MH submissions will insert the appropriate full name information; this used to work and got broken somewhere along the way. Some changes to eliminate some unnecessary SYSERRs in the log. For example, if you lost a connection, don't bother reporting that fact on the connection you lost. Add some "extended debugging" flags to try to track down why we get occassional problems with file descriptor one being closed when execing a mailer; it seems to only happen when there has been another error in the same transaction. This requires XDEBUG, defined by default in conf.h. Add "-X filename" command line flag, which logs both sides of all SMTP transactions. This is intended ONLY for debugging bad implementations of other mailers; start it up, send a message from a mailer that is failing, and then kill it off and examine the indicated log. This output is not intended to be particularly human readable. This also adds the HASSETVBUF compile flag, defaulted on if your compiler defines __STDC__. CONFIG: change SMART_HOST to override an SMTP mailer. If you have a local net that should get direct connects, you will need to use LOCAL_NET_CONFIG to catch these hosts. See cf/README for an example. CONFIG: add LOCAL_MAILER_ARGS (default: `mail -d $u') to handle sites that don't use the -d flag. CONFIG: hide recipient addresses as well as sender addresses behind $M if FEATURE(allmasquerade) is specified; this has been requested by several people, but can break local aliases. For example, if you mail to "localalias" this will be rewritten as "localalias@masqueradehost"; although initial delivery will work, replies will be broken. Use it sparingly. CONFIG: add FEATURE(domaintable). This maps unqualified domains to qualified domains in headers. I believe this is largely equivalent to the IDA feature of the same name. CONFIG: use $U as UUCP name instead of $k. This permits you to override the "system name" as your UUCP name -- in particular, to use domain-ized UUCP names. From Bill Wisner of The Well. CONFIG: create new mailer "esmtp" that always tries EHLO first. This is currently unused in the config files, but could be used in a mailertable entry. 8.1C/8.1B 93/06/27 Serious security bug fix: it was possible to read any file on the system, regardless of ownership and permissions. If a subroutine returns a fully qualified address, return it immediately instead of feeding it back into rewriting. This fixes a problem with mailertable lookups. CONFIG: fix some M4 frotz (concat => CONCAT) 8.1B/8.1A 93/06/12 Serious bug fix: pattern matching backup algorithm stepped by two tokens in classes instead of one. Found by Claus Assmann at University of Kiel, Germany. 8.1A/8.1A 93/06/08 Another mailertable fix.... 8.1/8.1 93/06/07 4.4BSD freeze. No semantic changes. 6.65/6.34 93/06/06 Fix some lintish problems. Fix some cases where server SMTP behaved poorly when handed bogus input, pointed out by Eric Wassenaar. CONFIG: fix some more (sigh) mailertable bugs -- thanks to Motonori Nakamura of Kyoto University (again). 6.64/6.33 93/06/05 Don't send 050 (-v) information after the 250 response to a QUIT command in srvrsmtp -- clients usually close the connection at this point, and it causes bogus error messages. Don't send messages that have errors on input (such as unbalanced parentheses) during SMTP transactions, since a return message has (probably) already been sent. Give better diagnostics on timeouts during network reads, including information similar to the SMTP phase. Fix bug that caused SMTP messages to deliver synchronously; this happened after the DATA 250, and hence caused reading the next command to be delayed. Ignore Errors-To: header unless 'l' (lower case el) header is specified. The Errors-To: header violates RFC 1123. Errors-To: was only needed to take the place of the envelope sender in the days when most Unix mailers didn't understand about the two kinds of senders. Don't send warning messages in response to automatically generated messages (that is, those From:<>). CONFIG: fix some rather stupid typos in the mailertable code pointed out by Motonori Nakamura of Kyoto University. CONFIG: add confUSE_ERRORS_TO configuration option. CONFIG: if ALWAYS_ADD_DOMAIN is selected, try to use $M (masquerade name) instead of $j. CONFIG: don't add dots to relay names (added in 6.29); it breaks several things, and can be simulated by dot terminating the names of relays. For example, use: DBbit.net.relay. (note the trailing dot). 6.63/6.32 93/06/01 Fix prototypes to eliminate chars in argument lists -- some compilers are pissy about this. Log protocol ($r) and body type if set so we can determine if the adaptive algorithms are working. Pessimize on locking of database files (particularly for NEWDB databases) during opens. There were problems with processes opening the file while it was rebuilt; since NEWDB caches heavily, the reader opened an empty file, which is an error. If your system has the ability to lock atomically on open, this works properly; otherwise, there are race conditions. Check mod time on .pag file instead of .dir in NDBM aliases because the .dir file doesn't get updated for small alias files. From John Gardiner Myers of CMU. More Solaris portability -- it now compiles on Solaris, but hangs up in gethostbyname(). Move setting of RES_DEBUG flag before first myhostname() call so we can see name server traffic on that call. Fsync() queue files. Fix a problem that causes -bi to try to rebuild maps other than the alias file(s). Fix a problem that caused udb to reject entries from any but the first database listed. Rearrange doc subdirectory for 4.4BSD release tape. CONFIG: put $r into the Received line. This was an oversight. CONFIG: fix typo (call to ruleset 99 should have been rulset 90). CONFIG: move "auxiliary" subroutines to be in ruleset 90-99 range -- in the long run, single digit rulesets may become reserved for builtin use by sendmail. CONFIG: fix major problem that causes host aliases (that is, anything in $=w != $j) to not be recognized. This has been around since 6.30. 6.62/6.31 93/05/28 BETA RELEASE Fix recursive syserr (if there is an error printing a syserr message). This makes the code much less eager to consider a write error as serious. This also includes some heuristics to be clever about closed connections. Lock NEWDB files during gets. This requires version 1.5 or later of the db library. If you have an older version, you can use -DOLD_NEWDB. This will go away in a few weeks. Fix problem causing aliases that use host maps to get overwritten. Do appropriate byte swapping on port numbers in ident protocol code. Fix from Allan Johannesen of WPI. Defer opening of map files to the same time as alias files so that the daemon will tend to pick up new versions more promptly. Prototype a bunch more functions. Some Solaris 2.1 changes (still doesn't link though). Try to simplify Makefiles by including more subordinate #defines in conf.h (based on OS type). CONFIG: check for domains if FEATURE(mailertable) is defined. For example, if the host name is "knecht.cs.berkeley.edu" it will search the following mailertable keys: knecht.cs.berkeley.edu .cs.berkeley.edu .berkeley.edu .edu This could be used to replace the special relays for bitnet and similar nets. 6.61/6.30 93/05/24 Fix problem that prevented appending dots on canonified host names. This breaks tons of config files -- very important fix. Fix improper pointer dereference in response to HELO command. Fix core dump if debugging set in map_rewrite. CONFIG: add FEATURE(always_add_domain) to always attach the local domain (only impacts local mail). CONFIG: try to avoid turning names into $j -- although technically a host can only have one "canonical name", it seems to be common practice to have several. 6.60/6.29 93/05/22 Major change: merge alias databases with maps. This expands and changes the map class interface but fixes a bunch of bugs. The important user-visible change is that the file name in a K line now does not include the ".db" extension; this is added automatically. Also, the -d (NIS domain) flag is missing from the K config line; use @domain instead. When compiling, the *_MAP names are gone -- just compile in NDBM, NEWDB, and/or NIS support. Announce mailer/host/user triple on -bv flag -- from Brian Bullen of Stirling University. Don't send more than one line in response to HELO -- it confuses Pony Express, which then behaves very badly. However, this change does send two line 220 greetings, with the second line reading "ESMTP spoken here". The usersmtp module recognizes this and goes into ESMTP mode regardless of the setting of the "a" mailer flag. Thus, "a" means "always try EHLO". AIX portability changes (thanks to Christophe Wolfhugel of Herve Schauer Consultants (Paris) for providing me with an INSA account for this purpose). Lightly tested. Use -D_AIX3. This probably breaks compatibility with some older systems (e.g., 4.2bsd) but still works on SunOS 4.1.2, Ultrix 4.2A, HP-UX 8.07, OSF/1 T1.3, and AIX 3.2.3. Fix a problem causing an error message loop if the output channel is hosed. Add the Makefiles that I use for various environments -- some are Berkeley make versions and some are old make versions. My makefile for the NeXT box has gotten lost, alas! PRALIASES: support for printing NEWDB databases. From Michael J. Corrigan of U.C. San Diego. CONFIG: don't pass pseudo-domains to $[ ... $] (if you have a wildcard MX it can have wierd results). From Christophe Wolfhugel. CONFIG: dot terminate relay hostnames in S0. From Christophe Wolfhugel. 6.59/6.28 93/05/13 Log version with SMTP daemon startup message. Adjust setproctitle to work on NetBSD and BSD/386. Fix null pointer reference in MX fallback code. A bunch of minor fixes from Eric Wassenaar: If deliver cannot execv the mailer, return EX_OSERR instead of EX_TEMPFAIL (to give better error messages). Consistently malloc e_message. Catch degenerate case of calling returntosender() with an empty returnq. MIME reformatting. 6.58/6.28 93/05/13 Fix bug that can cause incorrect verbose display of user smtp messages. Disable SMTP VERB command if PRIV_NOEXPN is set (since this could reveal the same information. Allow failure when reading SMTP greeting message to go on to next MX host. Add "MIME-Version: 1.0" header if using MIME (this was NOT included in RFC 1344, but Bill King of Allan-Bradley Company forwarded me email from Nathaniel Borenstein claiming that it was an inadvertent omission). Don't use Content-Type: X-message-header. According to John Myers of CMU, many MIME readers will completely ignore the data if they don't recognize it. Instead, just add a blank line to make it a legal (empty) message. Fix problem causing dots to keep getting appended to cached hostnames. This can cause buffer overrun conditions. The problem was found by Erik Forsberg of Retix, although I used a different bug fix than he provided. Fix parsing of split header/envelope rewriting specs -- from Eric Forsberg. Fix from Eric Wassenaar to correct To: lists in error messages. 6.57/6.28 93/05/11 Fix minor glitch causing extra ctladdrs to be output to queue file. Just an annoyance. Cache results of name server canonification lookups to avoid backed up queue runs. Major rewrite of alias.c: considerable cleanup, plus sample (untested) support for NIS aliases. The "A" option can now be a comma separated list (or be repeated) -- that is, you can have multiple alias databases. Each database can have the syntax ``class:file''; if no class is specified, the "implicit" class is assumed. Implicit searches through a list of compiled in types -- hash, dbm, nis, and stab. Alias files are searched in the order they are listed. For example: OAhash:/etc/aliases.local,/etc/aliases OAnis:mail.aliases@my.nis.domain first searches the hash database /etc/aliases.local, then the regular /etc/aliases database, then the NIS map "mail.aliases" in the NIS domain "my.nis.domain". If in Verbose mode (probably from VERB command) run SMTP job in foreground and don't do RCPT optimizations. Add udb :mailsender as equivalent to owner- for regular aliases. Delete option 8; add option 7 that means the opposite. That is, default to 8-bit mode; a special option is needed to force sendmail into 7 bit mode. Send error messages in encapsulated MIME format. New compile flag "NIS" that turns on NIS alias and NIS map support. Add "j" option to send error messages in MIME (RFC 1341) encapsulated message format per RFC 1344. The syntax is pretty ugly if you don't have MIME-aware user agents. Clean up message handling (for display in mailq output). New setproctitle implementation for 4.4bsd. Create files (such as ~/dead.letter) using mode FileMode (the F option value) instead of 0666. Fix bug causing output of EXPN command to not be fully qualified. This may cause some problems with UUCP addresses that will require some config file assistance -- specifically, the $: part has to include the host name for this output to make sense. Fix a problem that sometimes diagnosed errors and still sent the message if the header syntax was bad. Fix a bug that caused an error message to be emailed when sendmail was operating in -bv mode. Add "ListenQueueSize" keyword to daemon options option (OO) to set the queue size parameter passed to listen(). You will normally have to tweak your kernel to up this. Strip spaces off of beginning of message-id before logging (in case it was folded across lines). Tweak compile flags in daemon.c -- there were some cases where it wouldn't work without NETINET. Change *file* mailer to output all the usual default headers (From, Date, Message-Id). It gets used when sending back error messages. CONFIG: explicitly catch and diagnose list:; syntax in ruleset zero -- this is not a valid recipient syntax according to RFC 821. CONFIG: add confMIME_FORMAT_ERRORS to send error messages in MIME format. Defaults to on. CONFIG: add SMTP_MAILER_FLAGS and UUCP_MAILER_FLAGS to augment the flags for those mailers. 6.56/6.27 93/05/01 Fix problem that causes the fallback mail to postmaster (case ESM_POSTMASTER in savemail()) to not look at aliases (ugh). Some more HPUX tweaking (compile flag hpux => __hpux so it still works in ANSI mode). Don't try to flock non-regular files when mailing to a file. In particular, this was a problem if you tried to send to /dev/null. Fix a wierd bug that can cause senders to be queued as recipients if the name server is down when the mail is initially sent. This hack just ignores sender deletion (essentially, it sets the MeToo flag) if there is a TEMPFAIL during processing of the sender address. Obscure. Fix a dangling else problem -- from Brian Bullen from University of Stirling, UK. Add the "b" mailer flag to force a blank line on the end of messages. Some brilliant versions of /bin/mail insist on this but do not add it themselves. Add the "g" mailer flag to prevent user SMTP from sending "MAIL From:<>". This is only intended to be a transitional gesture, and should not be used if at all possible. It appears that Berkeley and IDA config files have always handled this properly; the UK config kit apparently does not. Don't lowercase and then capitalize header field names -- leave them with original capitalization. Fixes from Bill King of Allen-Bradley Company. Further cleanup and improved reporting of error messages, particularly conditions that cause messages to be requeued for future delivery. Tweak syslog priorities in some cases. CONFIG: clean up route-addr on UUCP addresses. 6.55/6.25 93/04/27 HPUX 8.07 compatibility changes in getla() -- I had to make these changes to get it to work at Berkeley, although others seem to have been working before (???). Various patches to XLA code. Fix problem that causes setuid bit on files to be ignored from SMTP or in queue runs. Problem noted by Jason Ornstein of Under The Wire, Inc. Fix problem that can cause CNAMEs to be ignored. Generalize getmxrr to match local host in $=w instead of a single name passed in. Some cleanup from Eric Wassenaar: Use FileMailer instead of ProgMailer in two places. Eliminate duplicate 8th-bit stripping in commaize. Fix a problem with mis-parsing of backslash escapes under some circumstances. NIS map fix (was always including trailing null character) from Mike Glendinning of Ingres UK. Add "a" mailer flag to try using ESMTP. It tries the EHLO command and if that fails falls back to regular SMTP. Also parses EHLO option keywords. If host supports SIZE extension, this is added to the MAIL FROM: command. Extend "b" option to include a second value which is the maximum message size this server is willing to accept. For example, a value of "10/1000000" says that there must be ten blocks free, and sendmail will reject any message larger than one megabyte. Some portability hooks for NeXT (this could be applicable to Mach in general). You have to create an empty file called "unistd.h" to get it to compile. Adjust config values (MAXLINE, MAXATOM, and PSBUFSIZE) to be more generous. Add X400-Received: to the list of headers tagged with H_TRACE in conf.c. From Bill King, Allen-Bradley Co. 6.54/6.25 93/04/19 Fix problem that caused redefinition of SMTP and QUEUE compile flags. Pointed out by Jon Forrest of the Sequoia 2000 project at Berkeley. Properly handle \! hack -- it was treating host\!user as one token (host!user) instead of three (host, !, user). Fix from Eric Wassenaar of NIKHEF-H. Fix compilation problem in getauthinfo() if IDENTPROTO is off. Turn off DEFNAMES and DNSRCH when getting the hostsignature (i.e., MX records) in level 1 configuration files; this matches the old behaviour. From Motonori Nakamura of Kyoto University. Improve error message printing -- if sent through an alias, error messages include the name of the alias in the message. Unfortunately, in order to make this work properly in queue runs, this changes the format of the C line in the qf file. The relatively uselessness of the previous information was pointed out to me by Allan E Johannesen of WPI. Add XLA compile flag to add hooks to Christophe Wolfhugel's extended load average code. This is still in very early form. For information regarding the guts of the xla code, contact Christophe.Wolfhugel@grasp.insa-lyon.fr. Additional hooks for detecting tempfails in rewriting rules (that is, in map lookups). 6.53/6.25 93/04/15 Properly diagnose ruleset zero returning null (instead of a mailer triple). From Motonori Nakamura of Kyoto University. More generalization of socket code for other protocols. Shorten timeouts on reverse name lookups -- since they are done during connection establishment, long timeouts here can cause higher level timeouts. This mainly serves to accept mail from hosts that do not have proper reverse (PTR) DNS records set up. Reset e_statmsg before each mailer invocation to avoid bogus messages in the log. Redefine $r, $s, and $_ in error envelopes so you don't get incorrect cruft in the error message. Problem noted by Motonori Nakamura of Kyoto University. Fix a problem that can cause failure to return errors to Postmaster in certain cases. From Motonori Nakamura. Fix a problem that can cause some systems to give duplicate error messages when a bad syntax address such as "<a" is presented to an SMTP server. It doesn't seem to occur on all machines. From Motonori Nakamura. Default IDENTPROTO off for Ultrix and HPUX, which apparently have the interesting "feature" that when they receive a "Host unreachable" message they closes all open connections to that host. However, some firewall gateways send this message if you try to connect to an unauthorized port, such as the IDENT port (113). Thus, no email can be received from such hosts. There is some evidence that versions of Ultrix before 4.3 do not have this problem. Thanks to Tom Ivar Helbekkmo for pointing out this behaviour to me and to Michael Corrigan of U.C. San Diego for informing me about the HPUX problem. Allow IPC mailers to return a colon-separated list of hosts in the $@ clause; these are searched in order as though they were MX records. When sending an error report, print the list of addresses tagged as bad. Requested by Allan E Johannesen of WPI. Change map function calls to return a status code. This gets passed back as the result of rewrite. Parseaddr marks the address as a QUEUEUP address if the return code is EX_TEMPFAIL. All this to queue properly if the name server is down. This code is not well tested. This code changes the interface to map lookup functions (a fifth parameter, int *statp, is added). Feature requested by Dan Oscarsson. Don't delete quotes (in the dequote map) if there are spaces in the string, since this would cause them to be replaced by the SpaceSub character. Accept BODY=8BITMIME on SMTP MAIL command. This isn't advertised because the 8BIT to 7BIT translation doesn't exist yet. This does add a "bodytype" field to both envelope and queue file and a -B command line flag to pass the type in during direct invocations. Discard return error messages only on responses to responses to responses, not on responses to responses. That is, the algorithm is to try return to sender, then return to postmaster, then discard. Previously it discarded immediately if the return to sender pass failed. CONFIG: back out change to hide unqualified hostnames behind %-hack. This screws up local aliases and .forward files. CONFIG: add FEATURE(nocanonify) to turn off calls to $[ ... $]; some sites only handle completely canonified names. Requested by John Gardiner Myers of CMU. CONFIG: some UUCP code was still included even if FEATURE(nouucp) was specified. 6.52/6.24 93/04/10 Clean up some minor glitches on error return messages pointed out by Motonori Nakamura of Kyoto University. Fix reply() to not reset SmtpReplyBuffer on fatal errors; this was supposed to reset SmtpMsg Buffer. This makes the client side code virtually useless. Reported by Allan E Johannesen of WPI and Phil Brandenberger of Swarthmore. Better debug messages if fuzzy is disabled, suggested by Allan E Johannesen of WPI. Offset SmtpReplyBuffer by four in usersmtp when checking for loopback. From Eric Wassenaar. Don't set $s until after runinchild in srvrsmtp -- otherwise it gets cleared. From Eric Wassenaar. Implement IDA-style $&x for deferred macro expansion. More POSIX compatibility. CONFIG: Hide unqualified hostnames behind %-hack using $s as the actual sender. This is only done if $r is non-null, that is, if this is not locally submitted mail. CONFIG: Add FEATURE(bitdomain) allowing mapping of BITNET host names to internet domains. A program contributed by John Gardiner Myers of CMU to create the maps is included in the contrib directory (in the "misc" tar file). CONFIG: Add FEATURE(uucpdomain) for a similar mapping for UUCP hosts. There is currently no tool to create this map. 6.51/6.23 93/04/04 Add D= mailer flag to specify a path of possible working directories in which to execute the mailer. This is intended for the prog mailer; some shells can get upset if they don't have access to the current directory. Add RFC 1413 (IDENT) protocol support. This is only very loosely tested. This adds a $_ macro to be the authenticated info (in ``user@domain [address]'' form) and debug flag 9 to trace the protocol. Check for loopbacks in usersmtp instead of srvrsmtp -- there is no reason for a local agent to not be talking to the localhost (although the inverse is not true). Add a few hooks for automated map rebuilding. This is certainly not done yet. CONFIG: Have prog mailer specify a path of ``D=$z:/'' -- that is, user's home directory then the root. CONFIG: Log RFC 1413 identification in Received: line. 6.50/6.22 93/04/01 Fixes to requeueing code to make it compute priority, nrcpts, and the like properly. 6.49/6.22 93/04/01 Diagnose incorrect privacy flags. Suggested by Bryan Costales of ICSI. Some ANSI C fixes. Arrange to quote backslashes as well as other special characters in the phrase part of a route-addr. Some fixes to FallBackMX code suggested by Motonori Nakamura of Kyoto University. More vigorous zeroing of CurHostAddr to avoid logging of bogus host addresses when you are actually just printing information from the MCI structure; problem noted by Michael Corrigan of U.C. San Diego. Don't ignore rest of queue if any job is not runnable. This can also cause an incorrect job to be lost. Fix from Eric Wassenaar. Always respond "quickly" to RCPT command; do alias expansion and the like later. This also means that mail for lists that have errors will be acccepted, and an error sent back later. This is done by instantiating the queue file and then immediately running and requeueing it. 6.48/6.22 93/03/30 Fix incorrect diagnosis of infinite loop in ruleset. Problem noted by several people. Improve information printed when infinite loops are discovered. Zero CurHostAddr to fix erroneous internet addresses in log when no addresses can be bound. Pointed out by Motonori Nakamura of Kyoto University. "Probe" SMTP connections using RSET instead of NOOP "just in case". Suggested by John Gardiner Myers of CMU. Don't warn about -f if you are setting sender to yourself. 6.47/6.22 93/03/29 Fix incompatible call to endmailer in smtpquit which causes core dumps. Noted by Allan E Johannesen of WPI. HPUX portability changes from Michael J. Corrigan of UC San Diego. Require MAIL before RCPT command in srvrsmtp.c. This had been intentional from the 821 draft days when the order wasn't clear, but is silly now. Fix bug in nis_magic routine that was initializing parameters incorrectly. Fix from Takahiro Kanbe of Fuji Xerox Information Systems Co., Ltd. Change default for PrivacyFlags in conf.c to 0 -- since it always "or"s in new values, there was no way to turn off the AuthWarning stuff. Add O option to set SMTP daemon options. Add V option to set fallback MX host. This always sorts at lower priority than anything it gets from the name server. It should only be used for environments with very bad network connectivity. Requested by several people. Log sending info. It's not clear this is a good idea. CONFIG: fix typo in mailertable code. Noted by Phil Brandenberger of Swarthmore. CONFIG: add confDAEMON_OPTIONS and confFALLBACK_MX to set options O and V, respectively. 6.46/6.21 93/03/26 Fix botch in server SMTP that broke transactions that did not use HELO first (like MH). Fix from Michael Corrigan of U.C. San Diego. Fall back to other MX records if there is an error anywhere in delivery (actually on MAIL or DATA -- RCPT is harder). Suggested by John Gardiner Myers and Motonori Nakamura. Revert to non-prototypes -- it turns out that our ANSI C compiler is more forgiving than most others about mixing prototyped extern declarations with non-prototyped function definitions. Fix a problem with multi-word class matching pointed out by Neil Rickert. Given: CX b a.b.c R$+ $=X $+ $: $1 < $2 > $3 the input "user@a.b.c" failed instead of being properly rewritten as "user@a.<b>.c". Neil also convinced me that it was correct that $~ should match only one token -- the problem is that it's always possible to add another token, so $~ matches far too eagerly. 6.45/6.21 93/03/25 Implement multi-word classes (properly!). 6.44/6.21 93/03/25 Add X-Authentication-Warning: headers to clue users into possible attempts to forge mail. This is on the authwarnings privacy flag, but is the default. Suggested by Bryan Costales of ICSI. Pass default units for convtime in so they can be more reasonable. Allow config files to always add a new Comments: header (i.e., they will be added even if an old one already exists). Suggested by Bryan Costales of ICSI. Allow config files to delete an existing Return-Path: header. These should only be added at final delivery. Suggested by Bryan Costales of ICSI. Some debugging additions. Suggested by Bryan Costales of ICSI. Clean up logging of Family 0 addresses. Noted by David Muir Sharnoff and others. Add a "dequote" map class. This allows config files to strip quotes off of addresses. Note that this is not a builtin map, just a class -- so you have to define the map using the K line. Fix a bug in the queueup() loop getting a locked tf where in very odd cases it can fall off the bottom and core dump. Of course, it was P{r Emanuelsson who found it.... Open a new transcript when splitting an envelope. Problem found by Allan E Johannesen of WPI. Improved error output in endmailer if the mailer core dumps. CONFIG: Fix typo in UUCP mailer definition. CONFIG: Default several of the new options on: eight bit input, privacy flags set to "authwarnings", and message warning set to 4h. CONFIG: Use dequote map. 6.43/6.20 93/03/23 Fix problem with assumption of an sa_len field in a generic sockaddr -- it turns out that most vendors haven't picked up this (very important) fix. Change compilation flags for daemon code -- select one or both of NETINET or NETISO, but don't ever set DAEMON manually. CONFIG: add FEATURE(mailertable) to do IDA-style mailertables. 6.42/6.19 93/03/19 Use Postmaster as default fallback return address, not root. POSIX changes for file descriptor handling. Diagnose errors writing new queue file. If you change the owner using an owner- alias, also change the error mode to EM_MAIL so that errors don't get dropped into an inappropriate directory. Problem noted by Allan E Johannesen of WPI. If you are su'ed to root, send email as who you really are, not as root. From Brian Kantor of U.C. San Diego. Allow warning messages to be sent after a configurable interval has passed without delivery. The message is sent only once per envelope. This changes the format of the qf file to have an F line, and the format of the T option to accept take the format "return/warn" (both intervals). Don't force all local names to lower case -- this was left over from the wierd handling of case mapping on aliases. It is now driven (as expected) by the "u" mailer flag. Problem noted by P{r Emanuelsson. Fix problem that caused headers on returned email to be trashed; they were getting freed, but are still accessible via BlankEnvelope. Fix problem that caused bogus ids to be created on returned mail. Add support for ISO and other non-INET networking. This is by no means finished yet. This does assume a lot of other system support, like a version of gethostbyname that returns non-AF_INET addresses. CONFIG: change default on prog mailer to keep upper case in user names (i.e., in the program command line). CONFIG: strip trailing dots off of hosts in uucp mailer before convert to bang format. CONFIG: create new "relay" mailer for $R (LOCAL_RELAY) and $H (MAIL_HUB) delivery that doesn't add local domain. Note that this violates 821, but is probably "more correct" for what we are trying to do. Problem pointed out by Michael Graff of Iowa State. 6.41/6.18 93/03/18 Clean up unnecessary creates of queue ids (i.e., empty qf files) when not needed, such as when starting up an SMTP connection. Fix problem where split envelopes aren't instantiated in the queue. This is quite a serious bug. Owner- aliases had problems with leading spaces causing a premature delimitation. 6.40/6.18 93/03/18 Have ending 250 (after DATA) include the id; suggested by Brian Kantor of UC San Diego. Add logging on envelope splitting. Change queue ids to have one more letter encoding the hour of the day so that during a single day there is a greater likelihood of uniqueness; requested by Brian Kantor. 6.39/6.18 93/03/18 Fix minor compile problem if LOCKF is defined. Define size of tobuf in conf.h. Observed by Toshinari Takahashi of Toshiba. Restore e_sender -- this is equivalent to e_from.q_paddr without decorations such as angle brackets and comments. OSF/1 on Alpha changes from Allan E Johannesen of WPI. CONFIG: fix typo in S3 for list syntax (;: => :;). Thanks to Christopher Hoover for noting the problem. 6.38/6.17 93/03/17 Pass envelope to disconnect to avoid another use of CurEnv, which can apparently end up being null at inopportune times. Log "received from" as "relay=" for consistency (suggested by John Gardiner Myers). Fix major bug in header handling: if no From: line existed in the header (so sendmail inserts one), and the sender is an alias that has an owner, the From: line shows the owner (as well as the envelope). Fixed by early binding the headers (which will change debugging output). HPUX portability patches from Michael J. Corrigan of UC San Diego. Some attempts to adapt better to out of open file conditions. Some changes to ctladdr handling in queue files. 6.37/6.17 93/03/16 MAJOR CHANGE: delete e_sender and e_returnpath (why are these different from e_from?) and $< macro. Log correct IP address in relay= field even if the connection times out. Log "received from [RESPONSE]" on EF_RESPONSE messages (from John Gardiner Myers). Fixes to SysExMsg logging (sometimes just got "message: %s" instead of "message: error message"), noted by Eric Wassenaar. Also reported by Motonori Nakamura. Improvements to MX piggybacking code, from Motonori Nakamura. Fix case where CurHostName points to an auto variable that has been deallocated (from Motonori Nakamura). Fix bug causing newlines to be included in aliases if option "n" (check alias RHS) is set; bug noted by David Muir Sharnoff. Fix problem causing user names that should be mapped to lower case to not be mapped if they are sent during a queue run. This greatly simplifies the case mapping code. Problem noted by Allan E Johannesen of WPI. Don't do recipient address rewriting in buildaddr. This improperly did recipient rewriting on sender addresses, and just seems bogus in general -- but the change could break some .cf files. Pass TZ envariable to child processes for System V. CONFIG: allow LOCAL_RULE_1 and LOCAL_RULE_2 if you want to define those rulesets. KNOWN PROBLEM: I have seen some problems on SunOS that causes the User Data Base to give errors on some addresses. I have tracked the problem back at least as far as 93.02.15 (version 6.22). Running with debugging on makes it go away, so I conclude that it is referencing uninitialized stack data. I haven't been able to track this down yet. 6.36/6.16 93/03/08 Allow local mailer to specify $@host -- this lets you assign the "foo" part of jgm+foo to $h for passing in to the local mailer. Additional debug printing in getcanonname (show query type). Don't add the e_fromdomain on sender addresses -- this interacts wierdly with the owner- code. Improve delivery logging to not log obvious or meaningless stuff. Include numeric IP address in Received: lines per RFC 1123 section 5.2.8. Fixed a bug in checking stat() return value if restrictmailq is set. Also, check the entire group set instead of just the primary group. Both from John Gardiner Myers. Don't have usrerr automatically print errno, since this is often misleading. Use transienterror() in makeconnection after connect() fails and in openmailer after execve() fails (from Eric Wassenaar). Also moved transienterror() from util.c to conf.c. Clean up from= logging on response messages. Undo patch allowing prescan to return a null vector -- it breaks too many things. Config: FEATURE(notsticky) lets you use UDB for everything coming in to the machine, even if it is specifically targetted to this machine. Without it, UDB is bypassed if the user name is fully qualified. Config: fix another minor botch with <> (local mailer wasn't mapping them properly). 6.35/6.15 93/03/05 Fix getrealhostname to return null if sinlen <= 0 -- this can occur if stdin is a pipe. Avoid infinite loop in getcanonname if name server return NO_DATA (for example). Config: avoid having C flag qualify list syntax and error syntax. 6.34/6.14 93/03/05 Fix logging in deliver to not pass too many parameters to Ultrix versions of syslog. Don't write the pid file until after the daemon has actually opened and conditioned the connection. Consider addresses "different" if their q_uids differ (so that two users forwarding to the same program will be seen as different, rather than the same). Fix problem with bad parameters in main() -- they set ExitStat but don't exit. Fix null pointer references through RealHostName -- painfully discovered by Allan E Johannesen of WPI. Fix bug causing user@@localhost to core dump (yuch). Config: don't put two @host.dom.ain on users in $=E in SMTP mailer. Also, catch user@ (no host) in ruleset 0. 6.33/6.13 93/03/03 Config: add confCW_FILE as the name of the cw configuration file (defaults to /etc/sendmail.cw). From P{r Emanuelsson. Allow prescan to return a pointer to an empty list -- this is not an error. Also, clean up error reporting to avoid double errors (prescan reports once, then the caller reports again). Changes to avoid trusting T_ANY queries -- run them, but if you don't get the info you expected, do T_A and T_MX queries anyhow. This also fixes an oversight where _res.options bits were being ignored. If PRIV_NOVRFY is set, use 252 response code instead of 502 per RFC 1123 section 5.2.3. It's not 100% clear that this is correct, but it probably works better with stupid mailers that do a VRFY and only check the first digit. 6.32/6.12 93/03/02 Fix uninitialized variable "protocol" in smtp code. Include <unistd.h> in sendmail.h -- move towards POSIX/ANSI. Additional hooks for RFC 1427 (ESMTP SIZE extension). This includes requiring that enoughspace() know the system block size, which will undoubtedly break most ports. Trace flag 19 in use for srvrsmtp.c. Additional logging -- notably the sending mailer name. This also changes the delivery logging to strict field=value syntax. Fix some problems with messages getting sent even to addresses that had been marked bad -- from Eric Wassenaar. More WIDE changes: accept host name inside [...] as non-MXed host. This is intended ONLY for use inside firewalled environments, where the MX points at the gateway. Change .cf file conventions so that mapping for <> addresses don't have an @ in them (to avoid confusing the C mailer flag). Pointed out by Neil Rickert. Config extensions for Sam Leffler's FlexFAX software. 6.31/6.10 93/02/28 Fix some more bugs in alias owner code -- there were some wierd cases where an error in a non-aliased name would override the return info in an aliased name with an owner. Changes from WIDE Project, forwarded to me by Motonori Nakamura: Log actual delivery host (after MX et al); from yasuhiro@dcl.co.jp. Log daemon startup. Deliver Postmaster copies without a body. Better logging of SMTP senders. Send all program email as daemon even when local. As requested in various forms from many people, accept -qIstring to limit queue runs to jobs with queue-id matching string. Similarly for -qRstring for recipients, -qSstring for senders. Initial hooks for ESMTP support (see RFC 1425). Fixed a syntax error in the UUCP mailer specification that caused core dumps on startup. Check for missing A= or P= arguments in mailer definitions. 6.30/6.10 93/02/27 Require FROZENCONFIG compilation flag to include frozen configuration code. Frozen configuration is really not a very good idea any more, particularly in shared library environments. Do better checking of errno after opens of :include: and .forward files to defer delivery on network and other transient errors. Suggestion from Craig Everhart. Fix minor botch in read timeout macro processing. Add FEATURE(nouucp) to config files for sites that know absolutely nothing about UUCP. Add built cf files to distribution tape and clarify how to build them if you don't have the Berkeley make. Some sizeof(long) portability changes for the Alpha, from Allan E Johannesen. Add "restrictmailq" privacy flag -- if set, only people in the same group as your queue directory can print the queue. If you set this, be sure you also restrict access to log files.... Fix another bug in owner-list stuff that can cause data files to be "lost". Fix a bug with queue runs that cause forwards to yourself to go into alias/forwarding loops. I'm still iffy about this fix. Fix from Eric Wassenaar for suppression of return message code. 6.29/6.9 93/02/24 Fix yet another problem in alias owner code -- put the wrong return address on the enclosed return-to-sender letter. 6.28/6.9 93/02/24 Fix botch in alias owner code that caused it to not operate if the error was detected locally. 6.27/6.9 93/02/24 M_LOCAL => M_LOCALMAILER to avoid conflict with Ultrix include file <sys/mount.h>. Miscellaneous bug fixes from Eric Wassenaar: sendmail -bv -t logs the from line even though in verify mode only. sendmail -v can go into queue mode if shouldqueue returns TRUE. Add route-addr pruning per RFC 1123 section 5.3.3. This can be disabled using the "R" option. Delete (always undocumented) -R flag (save original recipients); there are ways to syslog(3) these now. Clean up SMTP reply codes -- specify them as needed in the code, instead of in conf.c -- this was needed during the NCP to TCP transition, but seems silly now. This also changes parameters to message and nmessage. Have mailstats read the .cf file to find the sendmail.st file and get text versions of mailer names. An initial version of this code was provided by Tuominen Keijo (although the comments indicate the good bits were written by "E.V."). Add yet more System V compatibility hacks. Fix bug in VRFY code (assumes everything must be a local user). Allow specification of any of the hard-wired pathnames in the Makefile. Delete concept of "trusted users" -- this really didn't provide any security anyway, and caused some problems. Delete last vestige of support for the word "at" as an equivalent to the character "@". Propagate owner-foo alias information into the envelope sender. Based on code from John Gardiner Myers. This is a major semantic change -- beware! Allow $@ on LHS to indicate "match zero" -- this is used to match the null expression. 6.26/6.8 93/02/21 Don't "lose" queue runs. Very important fix from (who else?) Eric Wassenaar. Completely reset state on RSET command -- from Eric Wassenaar. Send error messages and return receipts using an envelope sender of <> regardless of the setting of $n. Rewriting rules can undo this if they feel the necessity, as might be needed for networks that don't understand the syntax. This is permitted by RFC 821 section 3.6 and required by RFC 1123 section 5.3.3. THIS REQUIRES VERSION 4 CONFIG FILES because the rulesets must be able to parse <> properly. Don't ever send error messages to "<>" -- they will get sent to the local postmaster or dumped in /usr/tmp/dead.letter instead. Per RFC 1123 section 5.3.3. Explicitly check for email to yourself as a dotted quad. You have to call $[ [ ... ] $] to get this. Up the message timeout to five days per RFC 1123 section 5.3.1.1. Make all read timeouts individually configurable, as strongly recommended by RFC 1123 section 5.3.2. Use f_bavail (blocks available to regular users) instead of f_bfree (blocks available to superuser) in free block checks. Change $d macro to be the current time, not the origination time, since this is consistent with how it is used now. Generalization of enoughspace from Eric Wassenaar covering SGI, Apollo, HPUX, Ultrix, and SunOS. Ignore process group signals -- some front ends can do this if you kill a window too quickly. From Eric Wassenaar. Change umask to 022. 6.25/6.8 93/02/20 Close all cached connections before calling mailers and after forking for delivery (caused double closes which resulted in false errors). Add FEATURE(redirect) in config files -- this allows you to alias old addresses to a pointer to the new address that will give a 551 error message, but not deliver the mail. Some code changes to make the 551 errors look pretty. Names of M4 program paths in config files have changed -- they are all XXX_MAILER_PATH now, to match XXX_MAILER_FLAGS. Fix a bug in the QSELFREF code having to do with empty .forward files, reported by Eric Wassenaar. Add option "p" (privacy flags); this allows you to tune how picky the SMTP server will be. This also adds the confPRIVACY_FLAGS M4 macro in the config files. Add option "b" (minimum blocks free). If there are fewer than this number of blocks free on the filesystem containing the queue directory, the SMTP MAIL command will return a 452 response and ask you to try again later. This also adds the confMIN_FREE_BLOCKS M4 macro in the config files. Made VRFY just verify (doesn't expand aliases and .forward files); EXPN does full expansion. RCPT in queue-only mode also doesn't chase aliases and .forward. 6.24/6.7 93/02/19 Increase the number of domain search entries in domain.c to allow for the extra "" entry indicating the root domain. Reported by Motonori Nakamura of Kyoto U. Add a "SMART_HOST" in the configs for UUCP-connected sites that want to forward all mail with extra "@"s to that site. Also allows SMART_HOST, LOCAL_RELAY, and MAIL_HUB to be specified as ``mailer:hostname'' to use an alternate mailer. Clarified and updated some wording in the Operations Guide. Add the "c" mailer flag -- this suppresses all comment parts of addresses (requested by John Curran of NEARnet). Have -v print prompts in -bt mode even if stdin is not a terminal (default behaviour is to be silent if not reading from a terminal). Suggested by Bryan Costales, ICSI. Move the metacharacters from C0 space (\001-\037) into C1 space (\201-\237). This also fixes a bunch of potential bugs with G1 characters (\240-\276) in headers relating to negative numbers passed to isspace() et al. Add YP_LAST_MODIFIED and YP_MASTER_NAME to DBM version of alias database if YPCOMPAT is #defined. Enhancement from Takahiro Kanbe of Fuji Xerox Information Systems Co., Ltd. Add "list" Precedence (-30); this can be used with old sendmails which will map to precedence 0 (which will return error messages). Suggested by Stephen R. van den Berg. Many bug fixes from Eric Wassenaar of the National Institute for Nuclear and High-Energy Physics, Amsterdam: Clear timeouts properly on open failures in include(). Don't dereference through NULL if no home directory found. Re-establish SIGCHLD signal on System 5 in reapchild(). Avoid NULL pointer reference on -pFOO flag. Properly handle backslash escapes in comments. Correctly check reply status on SMTP NOOP command. Properly save SMTP error message if peer gives "Service Shutting Down" message. Avoid writing to the transcript if it couldn't be opened. Signal errors in SMTP children to parent properly. Handle self references in a list more globally (include a QSELFREF bit in the address flags). This enhancement was suggested by Eric Wassenaar. Use initgroups() in hpux, even though it's System-V based. The HASINITGROUPS compile flag can set this on other systems. This HPUX behaviour was pointed out by Eric Wassenaar. 6.23/6.6 93/02/16 Clean up handling of LogLevel to make it easier to figure out what's on what level. Change log levels to have some consistency: 1 serious system failures, security problems 2 lost communications, protocol failures 3 other serious failures 4 minor errors 5 message collection 6 vrfy logging, creation of return-to-sender 7 delivery failures 8 delivery successes 9 delivery tempfails (queue ups) 10 database expansion >64 debugging Allow IDA-style separated processing on S= and R= in Mailer definition lines. Note that rulesets 1 and 2 are still used for both addresses as before. Bruce Lilly gave a convincing argument that RFC976 insists on this behaviour. Added some time zones to arpatounix -- they may not be in the standards, but they are in use. However, I may delete arpatounix entirely -- there appears to be no reason for it to exist. Change to UUCP mailer (in cf directory) to try to do a saner job. I'm still not certain about this mailer in general. 6.22/6.5 93/02/15 Fix bug that prevents saving letters in ~/dead.letter. Don't add angle brackets in VRFY command if angle brackets already exist in the address. Fix bogus error message in udbexpand. Null terminate host buffers in buildaddr (broken in 6.21) -- IMPORTANT FIX!! 6.21/6.5 93/02/15 Fix another incorrect error message in alias.c, found by Azuma Okamoto. Fix a couple of problems in the more-configurable config files, found by Tom Ivar Helbekkmo. Fix problem with quoted :include: entries. Don't duplicate the filename on verbose printing of .forward and :include: contents. Extend size of prescan buffer (to allow bigger addresses). Also, detect some buffer overflows. Log user SMTP protocol errors (log level 4). 6.20/6.4 93/02/14 Fix another problem in the MCI state machine caused when there were errors generated from the other end to commands other than RCPT. 6.19/6.4 93/02/14 Include load average support for DEC Alpha running OSF/1. Fix multiple-response problem with errors in MAIL From: line. Fix SMTP reply codes for invalid address syntaxes (give 501; never give multiple error messages for a single message). Fix problem where a cached connection timeout rejects all later connects to that host. Fix incorrect error message if alias.c is compiled with DBM only. Additional changes to fix nested conditionals (from Bruce Lilly). Recover more gracefully from operating system failures, particularly NULL returns from openmailer (from Noritoshi Demizu, OMRON Corporation). Log forward, alias, and userdb expand operations on log level 10; concept suggested by P{r (Pell) Emanuelsson. Changes for HPUX 8.07 compatibility. 6.18/6.4 93/02/12 Allow any config option to be set using an M4 define. Change UNAME compile flag to HASUNAME for IDA compatibility (besides, it's a better name). Note in README that on SunOS it must be linked -Bstatic. Fairly major change in domain.c to handle wildcard MX records more rationally. NOTE: the "w" option (no wildcard MX records match local domain) has been eliminated. Fix some unset variable references pointed out by Bruce Lilly. Fix host name in process titles when using cached connection. 6.17/6.3 93/01/28 Fix System 5 compatibility changes to be compatible with the rest of the world. 6.16/6.3 93/01/28 Experimental fix for problem handling errors in the SMTP protocol in conjunction with connection caching. System 5 compatibility changes. 6.15/6.3 93/01/26 Fix a bug that causes local mail delivered using -odq to be eliminated as a duplicate (because it matched the ctladdr, now passed in as a C line). These changes are pretty tricky...... 6.14/6.3 93/01/25 Add debugging for some MCI errors. 6.13/6.3 93/01/22 Fix -e compatibility flag to take a value. Fix a couple of minor compilation warnings on Sun cc. Improve error messages in a few cases to be more self-explanatory. 6.12/6.3 93/01/21 Fix yet-another problem with environment handling, pointed out by Yoshitaka Tokugawa and Tom Ivar Helbekkmo. Some heuristics to try to limit resource exhaustion problems if a downstream host has been down for a long time. Fix problem with incorrect host name being logged in "Connection timed out" messages (from Tom Ivar Helbekkmo). Fix some ANSI C problems (from Takahiro Kanbe). Properly log message sender on returned mail during queue run. Count number of recipients properly. Fix a problem in yp map code. Diagnose "message timed out" (from Motonori Nakamura). 6.11/6.3 93/01/20 Fix problem with address delimitor inside quotes. Define $k and $=k to be the UUCP name (from the uname call) based on code from Bruce Lilly. 6.10/6.2 93/01/18 Implement arpatounix (largely code from Bruce Lilly). Log more info (suggested by John Myers). Allow nested $?...$|...$. (inspired by code from Bruce Lilly of Sony US). POSIX compatibility (noted by Keith Bostic). Handle SMTP MAIL command errors properly (urged by several people, notably John Myers of CMU). Do early diagnosis of .cf errors (notably referencing a RHS substitution that isn't on the LHS). Adjust checkpointing to better handle batched recipients, suggested by John Myers. Fix miscellaneous bugs. (config files:) Implement MAIL_HUB for all local mail (to handle NFS-mounted directories) as urged by Tom Ivar Helbekkmo of the Norwegian School of Economics. 6.9/6.1 93/01/13 Environment handling simplification/bug fix -- child processes get a minimal, fixed environment. This avoids different behaviour in queue runs. Handle commas inside comments properly. Properly limit large messages submitted in -obq mode. 6.8/6.1 93/01/10 Check mtime of thaw file against .cf and sendmail binary, based on code from John Myers. 6.7/6.1 93/01/10 MX piggybacking, based on code from John Myers@CMU. Allow checkcompat to return -1 to mean tempfail. Bug fix in m_mno computation. 6.6/6.1 93/01/09 Tuning of queueing functions as recommended by John Gardiner Myers. Return mail headers (no body) on messages with negative precedence. Minor other bug fixes. 6.5/6.1 93/01/03 Fix botch causing queued headers to have ?XX? prefixes. 6.4/6.1 93/01/02 Changes to recognize special mailer types (e.g., file) early. 6.3/6.1 93/01/01 Pass timeouts to sfgets. Check for control characters in addresses. Fixed deferred error reporting. Report duplicate aliases. Handle mixed case recursive aliases. Misc bug fixes. 6.2/6.1 92/12/30 Put return-receipt-to on a conf.c flag (but don't set it). Fix minor syslog problem.