import sendmail-8.15.2-33.el8

CentOS Sources 2020-11-30 18:10:45 +00:00 committed by Andrew Lukoshko
commit a2aaa59a7a
39 changed files with 4316 additions and 0 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
SOURCES/sendmail.8.15.2.tar.gz

1
.sendmail.metadata Normal file

@ -0,0 +1 @@
5801d4b06f4e38ef228a5954a44d17636eaa5a16 SOURCES/sendmail.8.15.2.tar.gz


@ -0,0 +1 @@
pwcheck_method:saslauthd


@ -0,0 +1,11 @@
--- sendmail-8.13.0/cf/mailer/cyrus.m4.cyrus 2004-06-30 11:47:47.116910591 +0200
+++ sendmail-8.13.0/cf/mailer/cyrus.m4 2004-06-30 11:49:02.262556546 +0200
@@ -36,7 +36,7 @@
#
_DEFIFNOT(`CYRUS_MAILER_FLAGS', `Ah5@/:|')
-ifdef(`CYRUS_MAILER_PATH',, `define(`CYRUS_MAILER_PATH', /usr/cyrus/bin/deliver)')
+ifdef(`CYRUS_MAILER_PATH',, `define(`CYRUS_MAILER_PATH', /usr/lib/cyrus-imapd/deliver)')
ifdef(`CYRUS_MAILER_ARGS',, `define(`CYRUS_MAILER_ARGS', `deliver -e -m $h -- $u')')
ifdef(`CYRUS_MAILER_USER',, `define(`CYRUS_MAILER_USER', `cyrus:mail')')
_DEFIFNOT(`CYRUS_BB_MAILER_FLAGS', `u')


@ -0,0 +1,50 @@
diff -up sendmail-8.14.3/devtools/M4/UNIX/sharedlibrary.m4.sharedmilter sendmail-8.14.3/devtools/M4/UNIX/sharedlibrary.m4
--- sendmail-8.14.3/devtools/M4/UNIX/sharedlibrary.m4.sharedmilter 2009-01-20 15:19:34.000000000 +0100
+++ sendmail-8.14.3/devtools/M4/UNIX/sharedlibrary.m4 2009-01-20 15:19:34.000000000 +0100
@@ -15,22 +15,23 @@ divert(-1)
divert(0)dnl
include(confBUILDTOOLSDIR`/M4/'bldM4_TYPE_DIR`/links.m4')dnl
bldLIST_PUSH_ITEM(`bldC_PRODUCTS', bldCURRENT_PRODUCT)dnl
-bldPUSH_TARGET(bldCURRENT_PRODUCT`.a')dnl
+bldPUSH_TARGET(bldCURRENT_PRODUCT.so.confSOVER.confSOPLVL)dnl
bldPUSH_INSTALL_TARGET(`install-'bldCURRENT_PRODUCT)dnl
bldPUSH_CLEAN_TARGET(bldCURRENT_PRODUCT`-clean')dnl
include(confBUILDTOOLSDIR`/M4/'bldM4_TYPE_DIR`/defines.m4')
divert(bldTARGETS_SECTION)
-bldCURRENT_PRODUCT.a: ${BEFORE} ${bldCURRENT_PRODUCT`OBJS'}
- ${AR} ${AROPTS} bldCURRENT_PRODUCT.a ${bldCURRENT_PRODUCT`OBJS'}
- ${RANLIB} ${RANLIBOPTS} bldCURRENT_PRODUCT.a
+bldCURRENT_PRODUCT.so.confSOVER.confSOPLVL: ${BEFORE} ${bldCURRENT_PRODUCT`OBJS'}
+ ${CC} ${CFLAGS} ${LDOPTS_SO} -o bldCURRENT_PRODUCT.so.confSOVER.confSOPLVL `-Wl,'confSONAME`,'bldCURRENT_PRODUCT`.so.'confSOVER ${bldCURRENT_PRODUCT`OBJS'}
ifdef(`bldLINK_SOURCES', `bldMAKE_SOURCE_LINKS(bldLINK_SOURCES)')
-install-`'bldCURRENT_PRODUCT: bldCURRENT_PRODUCT.a
+install-`'bldCURRENT_PRODUCT: bldCURRENT_PRODUCT.so.confSOVER.confSOPLVL
ifdef(`bldINSTALLABLE', ` ifdef(`confMKDIR', `if [ ! -d ${DESTDIR}${bldINSTALL_DIR`'LIBDIR} ]; then confMKDIR -p ${DESTDIR}${bldINSTALL_DIR`'LIBDIR}; else :; fi ')
- ${INSTALL} -c -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} bldCURRENT_PRODUCT.a ${DESTDIR}${LIBDIR}')
+ ${LN} ${LNOPTS} bldCURRENT_PRODUCT.so.confSOVER.confSOPLVL ${DESTDIR}${LIBDIR}/bldCURRENT_PRODUCT.so.confSOVER
+ ${LN} ${LNOPTS} bldCURRENT_PRODUCT.so.confSOVER ${DESTDIR}${LIBDIR}/bldCURRENT_PRODUCT.so
+ ${INSTALL} -c -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} bldCURRENT_PRODUCT.so.confSOVER`.'confSOPLVL ${DESTDIR}${LIBDIR}')
bldCURRENT_PRODUCT-clean:
- rm -f ${OBJS} bldCURRENT_PRODUCT.a ${MANPAGES}
+ rm -f ${OBJS} bldCURRENT_PRODUCT.so* ${MANPAGES}
divert(0)
diff -up sendmail-8.14.3/libmilter/Makefile.m4.sharedmilter sendmail-8.14.3/libmilter/Makefile.m4
--- sendmail-8.14.3/libmilter/Makefile.m4.sharedmilter 2008-04-08 07:23:44.000000000 +0200
+++ sendmail-8.14.3/libmilter/Makefile.m4 2009-01-20 15:26:05.000000000 +0100
@@ -9,7 +9,11 @@ define(`confMT', `true')
SMSRCDIR=ifdef(`confSMSRCDIR', `confSMSRCDIR', `${SRCDIR}/sendmail')
PREPENDDEF(`confINCDIRS', `-I${SMSRCDIR} ')
-bldPRODUCT_START(`library', `libmilter')
+APPENDDEF(`confOPTIMIZE', `-fno-pie -fPIC')
+define(`runCtest', `esyscmd(`echo -e "#include <stdio.h>\n#include \"../include/libmilter/mfapi.h\"\nint main(){'$1`;return 0;}" | gcc -x c -I../include -o ctest - && ./ctest && rm -f ctest')')dnl
+define(`confSOVER', runCtest(`printf(\"%d.%d\", SM_LM_VRS_MAJOR(SMFI_VERSION), SM_LM_VRS_MINOR(SMFI_VERSION))'))dnl
+define(`confSOPLVL', runCtest(`printf(\"%d\", SM_LM_VRS_PLVL(SMFI_VERSION))'))dnl
+bldPRODUCT_START(`sharedlibrary', `libmilter')
define(`bldINSTALLABLE', `true')
define(`LIBMILTER_EXTRAS', `errstring.c strl.c')
APPENDDEF(`confENVDEF', `-DNOT_SENDMAIL -Dsm_snprintf=snprintf')
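Review bot: The runCtest macro added to libmilter/Makefile.m4 hard-codes `gcc`, then compiles and executes `./ctest` in the build directory while m4 is expanding the Makefile. A build with a different or cross compiler either fails or produces a version taken from a host binary. If the compile or run fails, esyscmd yields an empty string, so confSOVER and confSOPLVL expand to nothing and the library target silently becomes `libmilter.so..` with a malformed soname. I would use the configured compiler instead of the literal `gcc`, make an empty result abort the build, and add a comment such as `dnl runCtest builds and runs a host program at m4 time; an empty result means the probe failed`. The `rm -f ctest` sits at the end of the `&&` chain, so a failed run leaves the probe binary behind.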


@ -0,0 +1,182 @@
diff -up sendmail-8.14.3/smrsh/README.smrsh_paths sendmail-8.14.3/smrsh/README
--- sendmail-8.14.3/smrsh/README.smrsh_paths 2008-02-12 17:40:06.000000000 +0100
+++ sendmail-8.14.3/smrsh/README 2008-07-15 14:40:36.000000000 +0200
@@ -6,7 +6,7 @@ Software Engineering Institute, Carnegie
intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
and to the software, smrsh.c, written by Eric Allman.
-
+* Modified by Red Hat, Inc., to reflect different paths. *
The smrsh(8) program is intended as a replacement for /bin/sh in the
program mailer definition of sendmail(8). This README file describes
@@ -56,15 +56,15 @@ These can be added to the devtools/Site/
global M4 macro confENVDEF or the smrsh specific M4 macro
conf_smrsh_ENVDEF.
-As root, install smrsh in /usr/libexec. Using the Build script:
+As root, install smrsh in /usr/sbin. Using the Build script:
host.domain# sh ./Build install
-For manual installation: install smrsh in the /usr/libexec
+For manual installation: install smrsh in the /usr/sbin
directory, with mode 511.
- host.domain# mv smrsh /usr/libexec
- host.domain# chmod 511 /usr/libexec/smrsh
+ host.domain# mv smrsh /usr/sbin
+ host.domain# chmod 511 /usr/sbin/smrsh
@@ -86,7 +86,7 @@ perl(1), uudecode(1) or the stream edito
acceptable commands.
If your platform doesn't have a default SMRSH_CMDDIR setting, you will
-next need to create the directory /usr/adm/sm.bin and populate
+next need to create the directory /etc/smrsh and populate
it with the programs that your site feels are allowable for sendmail
to execute. This directory is explicitly specified in the source
code for smrsh, so changing this directory must be accompanied with
@@ -95,22 +95,22 @@ a change in smrsh.c.
You will have to be root to make these modifications.
-After creating the /usr/adm/sm.bin directory, either copy the programs
+After creating the /etc/smrsh directory, either copy the programs
to the directory, or establish links to the allowable programs from
-/usr/adm/sm.bin. Change the file permissions, so that these programs
+/etc/smrsh. Change the file permissions, so that these programs
can not be modified by non-root users. If you use links, you should
ensure that the target programs are not modifiable.
To allow the popular vacation(1) program by creating a link in the
-/usr/adm/sm.bin directory, you should:
+/etc/smrsh directory, you should:
- host.domain# cd /usr/adm/sm.bin
+ host.domain# cd /etc/smrsh
host.domain# ln -s /usr/ucb/vacation vacation
-After populating the /usr/adm/sm.bin directory, you can now configure
+After populating the /etc/smrsh directory, you can now configure
sendmail to use the restricted shell. Save the current sendmail.cf
file prior to modifying it, as a prudent precaution.
@@ -125,7 +125,7 @@ help to locate it.
In order to configure sendmail to use smrsh, you must modify the Mprog
definition in the sendmail.cf file, by replacing the /bin/sh specification
-with /usr/libexec/smrsh.
+with /usr/sbin/smrsh.
As an example:
@@ -133,14 +133,14 @@ In most Sun Microsystems' sendmail.cf fi
Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
which should be changed to:
-Mprog, P=/usr/libexec/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
- ^^^^^^^^^^^^^^^^^^
+Mprog, P=/usr/sbin/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
+ ^^^^^^^^^^^^^^^^
A more generic line may be:
Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u
and should be changed to;
-Mprog, P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u
+Mprog, P=/usr/sbin/smrsh, F=lsDFM, A=sh -c $u
After modifying the Mprog definition in the sendmail.cf file, if a frozen
@@ -151,7 +151,7 @@ or /etc/mail directories. The specific
a search of the strings(1) output of the sendmail binary.
In order to create a new frozen configuration, if it is required:
- host.domain# /usr/lib/sendmail -bz
+ host.domain# /usr/sbin/sendmail -bz
Now re-start the sendmail process. An example of how to do this on
a typical system follows:
diff -up sendmail-8.14.3/smrsh/smrsh.8.smrsh_paths sendmail-8.14.3/smrsh/smrsh.8
--- sendmail-8.14.3/smrsh/smrsh.8.smrsh_paths 2004-08-06 05:55:35.000000000 +0200
+++ sendmail-8.14.3/smrsh/smrsh.8 2008-07-15 14:38:07.000000000 +0200
@@ -39,7 +39,7 @@ Briefly,
.I smrsh
limits programs to be in a single directory,
by default
-/usr/adm/sm.bin,
+/etc/smrsh,
allowing the system administrator to choose the set of acceptable commands,
and to the shell builtin commands ``exec'', ``exit'', and ``echo''.
It also rejects any commands with the characters
@@ -56,10 +56,10 @@ so forwarding to ``/usr/ucb/vacation'',
and
``vacation''
all actually forward to
-``/usr/adm/sm.bin/vacation''.
+``/etc/smrsh/vacation''.
.PP
System administrators should be conservative about populating
-the sm.bin directory.
+the /etc/smrsh directory.
For example, a reasonable additions is
.IR vacation (1),
and the like.
@@ -68,7 +68,7 @@ never include any shell or shell-like pr
(such as
.IR perl (1))
in the
-sm.bin
+/etc/smrsh
directory.
Note that this does not restrict the use of shell or perl scripts
in the sm.bin directory (using the ``#!'' syntax);
@@ -79,20 +79,7 @@ is a very bad idea.
.IR procmail (1)
allows users to run arbitrary programs in their
.IR procmailrc (5).
-.SH COMPILATION
-Compilation should be trivial on most systems.
-You may need to use \-DSMRSH_PATH=\e"\fIpath\fP\e"
-to adjust the default search path
-(defaults to ``/bin:/usr/bin:/usr/ucb'')
-and/or \-DSMRSH_CMDDIR=\e"\fIdir\fP\e"
-to change the default program directory
-(defaults to ``/usr/adm/sm.bin'').
.SH FILES
-/usr/adm/sm.bin \- default directory for restricted programs on most OSs
-.PP
-/var/adm/sm.bin \- directory for restricted programs on HP UX and Solaris
-.PP
-/usr/libexec/sm.bin \- directory for restricted programs on FreeBSD (>= 3.3) and DragonFly BSD
-
+/etc/smrsh \- directory for restricted programs
.SH SEE ALSO
sendmail(8)
diff -up sendmail-8.14.3/smrsh/smrsh.c.smrsh_paths sendmail-8.14.3/smrsh/smrsh.c
--- sendmail-8.14.3/smrsh/smrsh.c.smrsh_paths 2004-08-06 20:54:22.000000000 +0200
+++ sendmail-8.14.3/smrsh/smrsh.c 2008-07-15 14:38:07.000000000 +0200
@@ -77,7 +77,7 @@ SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 20
# ifdef SMRSH_CMDDIR
# define CMDDIR SMRSH_CMDDIR
# else /* SMRSH_CMDDIR */
-# define CMDDIR "/usr/adm/sm.bin"
+# define CMDDIR "/etc/smrsh"
# endif /* SMRSH_CMDDIR */
#endif /* ! CMDDIR */
@@ -89,7 +89,7 @@ SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 20
# ifdef SMRSH_PATH
# define PATH SMRSH_PATH
# else /* SMRSH_PATH */
-# define PATH "/bin:/usr/bin:/usr/ucb"
+# define PATH "/bin:/usr/bin"
# endif /* SMRSH_PATH */
#endif /* ! PATH */
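Review bot: The smrsh.8 hunk at `@@ -68,7 +68,7 @@` renames the directory on one line but leaves the next sentence as context, still reading `in the sm.bin directory (using the ``#!'' syntax);`. The man page therefore names two different directories within the same paragraph. Since this is the text that tells administrators which directory must never contain a shell, it should consistently say `in the /etc/smrsh directory`. The rest of the section follows the new CMDDIR value in smrsh.c.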


@ -0,0 +1,56 @@
--- sendmail-8.14.4/cf/cf/Build 1999-03-02 03:37:12.000000000 +0100
+++ sendmail-8.14.4/cf/cf/Build.makemapman 2010-01-03 22:49:38.000000000 +0100
@@ -18,7 +18,7 @@
SMROOT=${SMROOT-../..}
BUILDTOOLS=${BUILDTOOLS-$SMROOT/devtools}
-M4=`sh $BUILDTOOLS/bin/find_m4.sh`
+M4=/usr/bin/m4
ret=$?
if [ $ret -ne 0 ]
then
--- sendmail-8.14.4/devtools/OS/Linux 2009-01-22 03:15:42.000000000 +0100
+++ sendmail-8.14.4/devtools/OS/Linux.makemapman 2010-01-03 22:50:27.000000000 +0100
@@ -6,7 +6,7 @@
define(`confDEPEND_TYPE', `CC-M')
define(`confCCOPTS_SO', `-fPIC')
define(`confSM_OS_HEADER', `sm_os_linux')
-define(`confMANROOT', `/usr/man/man')
+define(`confMANROOT', `/usr/share/man/man')
define(`confLIBS', `-ldl')
define(`confEBINDIR', `/usr/sbin')
APPENDDEF(`confLIBSEARCH', `crypt nsl')
@@ -16,6 +16,8 @@
define(`confMTLDOPTS', `-lpthread')
define(`confLDOPTS_SO', `-shared')
define(`confSONAME',`-soname')
+define('confSBINGRP', 'mail')
+define('confSBINMODE', '6755')
ifelse(confBLDVARIANT, `DEBUG',
dnl Debug build
--- sendmail-8.14.4/makemap/makemap.8 2008-05-03 01:07:48.000000000 +0200
+++ sendmail-8.14.4/makemap/makemap.8.makemapman 2010-01-03 22:51:04.000000000 +0100
@@ -52,12 +52,6 @@
parameter.
They may be
.TP
-dbm
-DBM format maps.
-This requires the
-ndbm(3)
-library.
-.TP
btree
B-Tree format maps.
This requires the new Berkeley DB
--- sendmail-8.14.4/rmail/rmail.c 2001-09-18 23:45:29.000000000 +0200
+++ sendmail-8.14.4/rmail/rmail.c.makemapman 2010-01-03 22:51:36.000000000 +0100
@@ -276,7 +276,6 @@
args[i++] = _PATH_SENDMAIL; /* Build sendmail's argument list. */
args[i++] = "-G"; /* relay submission */
args[i++] = "-oee"; /* No errors, just status. */
- args[i++] = "-odq"; /* Queue it, don't try to deliver. */
args[i++] = "-oi"; /* Ignore '.' on a line by itself. */
/* set from system and protocol used */
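Review bot: The two lines added to devtools/OS/Linux quote their arguments with straight apostrophes, `define('confSBINGRP', 'mail')`, instead of the m4 backquote/apostrophe pair used on every neighbouring line. As far as m4 quoting goes, this defines macros whose names include the apostrophes, so confSBINGRP and confSBINMODE probably keep their defaults and the lines have no effect. The intended form would be `` define(`confSBINGRP', `mail') `` and `` define(`confSBINMODE', `6755') ``. Before fixing the quotes, confirm that mode 6755 (both setuid and setgid) is really wanted for the installed binary, because the corrected lines would start applying it. Separately, in cf/cf/Build the `ret=$?` test after `M4=/usr/bin/m4` can no longer fail, so a missing m4 is no longer detected at that point.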


@ -0,0 +1,31 @@
diff --git a/sendmail/usersmtp.c b/sendmail/usersmtp.c
index c217ffa..e4dadd3 100644
--- a/sendmail/usersmtp.c
+++ b/sendmail/usersmtp.c
@@ -1331,9 +1331,7 @@ safesaslfile(context, file)
{
long sff;
int r;
-#if SASL <= 10515
size_t len;
-#endif /* SASL <= 10515 */
char *p;
if (file == NULL || *file == '\0')
@@ -1369,9 +1367,16 @@ safesaslfile(context, file)
#endif /* SASL <= 10515 */
p = (char *) file;
+ len = strlen(p);
if ((r = safefile(p, RunAsUid, RunAsGid, RunAsUserName, sff,
S_IRUSR, NULL)) == 0)
return SASL_OK;
+#if SASL > 10515
+ /* Expect /usr/lib/sasl2/Sendmail.conf to be missing - config now in /etc/sasl2 */
+ if (type == SASL_VRFY_CONF && r == ENOENT &&
+ len >= 8 && strncmp(p, "/usr/lib", 8) == 0)
+ return SASL_CONTINUE;
+#endif /* SASL > 10515 */
if (LogLevel > (r != ENOENT ? 8 : 10))
sm_syslog(LOG_WARNING, NOQID, "error: safesasl(%s) failed: %s",
p, sm_errstring(r));
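Review bot: The new early return in safesaslfile() tests only the first eight characters, `strncmp(p, "/usr/lib", 8) == 0`. It therefore also matches /usr/lib64, /usr/libexec and any other path with that prefix, while the comment names only /usr/lib/sasl2/Sendmail.conf. A missing configuration file under any of those paths is answered with SASL_CONTINUE and skips the warning log below. If the broad match is deliberate (presumably to cover lib64), say so in the comment, e.g. `/* prefix match on purpose: also covers /usr/lib64/sasl2 */`; otherwise compare against the full directory. The `len >= 8` test adds nothing because strncmp already stops at the terminating NUL, so `len` could remain conditional. The function body starts and ends outside the hunk.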


@ -0,0 +1,13 @@
--- sendmail-8.14.9/sendmail/helpfile 2014-03-06 18:31:31.000000000 +0100
+++ sendmail-8.14.9/sendmail/helpfile.noversion 2014-05-21 17:25:29.000000000 +0200
@@ -11,9 +11,7 @@
cpyr forth in the LICENSE file which can be found at the top level of
cpyr the sendmail distribution.
cpyr
-cpyr $$Id: helpfile,v 8.49 2013-11-22 20:51:55 ca Exp $$
-cpyr
-smtp This is sendmail version $v
+smtp This is sendmail
smtp Topics:
smtp HELO EHLO MAIL RCPT DATA
smtp RSET NOOP QUIT HELP VRFY


@ -0,0 +1,20 @@
--- sendmail-8.14.9/cf/cf/submit.mc 2014-03-06 18:31:28.000000000 +0100
+++ sendmail-8.14.9/cf/cf/submit.mc.pid 2014-05-21 17:20:14.000000000 +0200
@@ -15,12 +15,16 @@
#
divert(0)dnl
-VERSIONID(`$Id: submit.mc,v 8.15 2013-11-22 20:51:08 ca Exp $')
+sinclude(`/usr/share/sendmail-cf/m4/cf.m4')dnl
+VERSIONID(`linux setup')dnl
define(`confCF_VERSION', `Submit')dnl
define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
+define(`confPID_FILE', `/run/sm-client.pid')dnl
+dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')dnl
+FEATURE(`use_ct_file')dnl
dnl
dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:0:0:0:0:0:0:0:1]
FEATURE(`msp', `[127.0.0.1]')dnl


@ -0,0 +1,11 @@
--- sendmail-8.14.9/vacation/Makefile 2014-03-06 18:31:31.000000000 +0100
+++ sendmail-8.14.9/vacation/Makefile.vacation 2014-05-21 17:22:47.000000000 +0200
@@ -1,7 +1,7 @@
# $Id: Makefile,v 8.5 1999-09-23 22:36:45 ca Exp $
SHELL= /bin/sh
-BUILD= ./Build
+BUILD= ./Build -f ../redhat.config.m4
OPTIONS= $(CONFIG) $(FLAGS)
all: FRC


@ -0,0 +1,126 @@
diff --git a/cf/m4/cfhead.m4 b/cf/m4/cfhead.m4
index 714a3ec..3fd6c1c 100644
--- a/cf/m4/cfhead.m4
+++ b/cf/m4/cfhead.m4
@@ -260,7 +260,7 @@ ifdef(`MAIL_SETTINGS_DIR', , `define(`MAIL_SETTINGS_DIR', `/etc/mail/')')
define(`DATABASE_MAP_TYPE', `hash')
# set up default values for options
-define(`ALIAS_FILE', `MAIL_SETTINGS_DIR`'aliases')
+define(`ALIAS_FILE', `/etc/aliases')
define(`confMAILER_NAME', ``MAILER-DAEMON'')
define(`confFROM_LINE', `From $g $d')
define(`confOPERATORS', `.:%@!^/[]+')
diff --git a/sendmail/aliases.0 b/sendmail/aliases.0
index cfdbe17..5ea4c28 100644
--- a/sendmail/aliases.0
+++ b/sendmail/aliases.0
@@ -63,7 +63,7 @@ DDEESSCCRRIIPPTTIIOONN
the list of users defined in that file.
This is only the raw data file; the actual aliasing information is
- placed into a binary format in the file /etc/mail/aliases.db using the
+ placed into a binary format in the file /etc/aliases.db using the
program newaliases(1). A newaliases command should be executed each
time the aliases file is changed for the change to take effect.
diff --git a/sendmail/aliases.5 b/sendmail/aliases.5
index f09b49c..7b16db2 100644
--- a/sendmail/aliases.5
+++ b/sendmail/aliases.5
@@ -23,7 +23,7 @@ ID
aliases used by
sendmail.
The file resides in
-/etc/mail
+/etc
and
is formatted as a series of lines of the form
.IP
@@ -96,7 +96,7 @@ list of users defined in that file.
.PP
This is only the raw data file; the actual aliasing information is
placed into a binary format in the file
-/etc/mail/aliases.db
+/etc/aliases.db
using the program
newaliases(1).
A
diff --git a/sendmail/newaliases.0 b/sendmail/newaliases.0
index c77f401..e2a1670 100644
--- a/sendmail/newaliases.0
+++ b/sendmail/newaliases.0
@@ -10,7 +10,7 @@ SSYYNNOOPPSSIISS
DDEESSCCRRIIPPTTIIOONN
NNeewwaalliiaasseess rebuilds the random access data base for the mail aliases
- file /etc/mail/aliases. It must be run each time this file is changed
+ file /etc/aliases. It must be run each time this file is changed
in order for the change to take effect.
NNeewwaalliiaasseess is identical to ``sendmail -bi''.
@@ -22,7 +22,7 @@ DDEESSCCRRIIPPTTIIOONN
sseennddmmaaiill..
FFIILLEESS
- /etc/mail/aliases The mail aliases file
+ /etc/aliases The mail aliases file
SSEEEE AALLSSOO
aliases(5), sendmail(8)
diff --git a/sendmail/newaliases.1 b/sendmail/newaliases.1
index 59dc0de..9ba8752 100644
--- a/sendmail/newaliases.1
+++ b/sendmail/newaliases.1
@@ -20,7 +20,7 @@ newaliases
.SH DESCRIPTION
.B Newaliases
rebuilds the random access data base for the mail aliases file
-/etc/mail/aliases. It must be run each time this file is changed
+/etc/aliases. It must be run each time this file is changed
in order for the change to take effect.
.PP
.B Newaliases
@@ -40,7 +40,7 @@ puts a special token into the data base that is required by
.B sendmail.
.SH FILES
.TP 2i
-/etc/mail/aliases
+/etc/aliases
The mail aliases file
.SH SEE ALSO
aliases(5), sendmail(8)
diff --git a/sendmail/sendmail.0 b/sendmail/sendmail.0
index 515d5f7..8236411 100644
--- a/sendmail/sendmail.0
+++ b/sendmail/sendmail.0
@@ -434,10 +434,10 @@ FFIILLEESS
are only approximations.
- /etc/mail/aliases
+ /etc/aliases
raw data for alias names
- /etc/mail/aliases.db
+ /etc/aliases.db
data base of alias names
/etc/mail/sendmail.cf
diff --git a/sendmail/sendmail.8 b/sendmail/sendmail.8
index 0356839..1258c26 100644
--- a/sendmail/sendmail.8
+++ b/sendmail/sendmail.8
@@ -711,10 +711,10 @@ Thus,
these values are only approximations.
.PP
.TP
- /etc/mail/aliases
+ /etc/aliases
raw data for alias names
.TP
- /etc/mail/aliases.db
+ /etc/aliases.db
data base of alias names
.TP
/etc/mail/sendmail.cf


@ -0,0 +1,46 @@
--- sendmail-8.14.4/devtools/OS/Linux 2010-01-03 22:55:35.000000000 +0100
+++ sendmail-8.14.4/devtools/OS/Linux.dynamic 2010-01-03 22:59:03.000000000 +0100
@@ -7,7 +7,7 @@
define(`confCCOPTS_SO', `-fPIC')
define(`confSM_OS_HEADER', `sm_os_linux')
define(`confMANROOT', `/usr/share/man/man')
-define(`confLIBS', `-ldl')
+define(`confLIBS', `-pie -ldl')
define(`confEBINDIR', `/usr/sbin')
APPENDDEF(`confLIBSEARCH', `crypt nsl')
@@ -22,19 +22,19 @@
ifelse(confBLDVARIANT, `DEBUG',
dnl Debug build
`
- define(`confOPTIMIZE',`-g -Wall')
+ define(`confOPTIMIZE',`-g -Wall -fpie')
',
dnl Optimized build
confBLDVARIANT, `OPTIMIZED',
`
- define(`confOPTIMIZE',`-O2')
+ define(`confOPTIMIZE',`-O2 -fpie')
',
dnl Purify build
confBLDVARIANT, `PURIFY',
`
- define(`confOPTIMIZE',`-g')
+ define(`confOPTIMIZE',`-g -fpie')
',
dnl default
`
- define(`confOPTIMIZE',`-O2')
+ define(`confOPTIMIZE',`-O2 -fpie')
')
--- sendmail-8.14.4/libsm/Makefile.m4 2006-08-16 23:06:31.000000000 +0200
+++ sendmail-8.14.4/libsm/Makefile.m4.dynamic 2010-01-03 23:01:36.000000000 +0100
@@ -6,7 +6,7 @@
define(`confREQUIRE_SM_OS_H', `true')
PREPENDDEF(`confENVDEF', `confMAPDEF')
bldPRODUCT_START(`library', `libsm')
-define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strerror.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c ')
+define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c ')
bldPRODUCT_END
dnl msg.c
dnl syslogio.c


@ -0,0 +1,18 @@
diff --git a/sendmail/sendmail.8 b/sendmail/sendmail.8
index 9e0b9af..0356839 100644
--- a/sendmail/sendmail.8
+++ b/sendmail/sendmail.8
@@ -729,13 +729,11 @@ collected statistics
/var/spool/mqueue/*
temp files
.SH SEE ALSO
-binmail(1),
mail(1),
rmail(1),
syslog(3),
aliases(5),
mailaddr(7),
-rc(8)
.PP
DARPA
Internet Request For Comments


@ -0,0 +1,127 @@
diff --git a/sendmail/envelope.c b/sendmail/envelope.c
index bae6b00..beb91a1 100644
--- a/sendmail/envelope.c
+++ b/sendmail/envelope.c
@@ -323,7 +323,7 @@ dropenvelope(e, fulldrop, split)
/* don't free, allocated from e_rpool */
e->e_message = sm_rpool_strdup_x(e->e_rpool, buf);
- message(buf);
+ message("%s", buf);
e->e_flags |= EF_CLRQUEUE;
}
if (msg_timeout == MSG_NOT_BY)
@@ -420,7 +420,7 @@ dropenvelope(e, fulldrop, split)
/* don't free, allocated from e_rpool */
e->e_message = sm_rpool_strdup_x(e->e_rpool,
buf);
- message(buf);
+ message("%s", buf);
e->e_flags |= EF_WARNING;
}
if (msg_timeout == MSG_WARN_BY)
diff --git a/sendmail/parseaddr.c b/sendmail/parseaddr.c
index 2adb39c..ba99414 100644
--- a/sendmail/parseaddr.c
+++ b/sendmail/parseaddr.c
@@ -218,7 +218,7 @@ parseaddr(addr, a, flags, delim, delimptr, e, isrcpt)
msg = "Deferring message until queue run";
if (tTd(20, 1))
sm_dprintf("parseaddr: queueing message\n");
- message(msg);
+ message("%s", msg);
if (e->e_message == NULL && e->e_sendmode != SM_DEFER)
e->e_message = sm_rpool_strdup_x(e->e_rpool, msg);
a->q_state = QS_QUEUEUP;
diff --git a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
index ba636a8..46c5356 100644
--- a/sendmail/srvrsmtp.c
+++ b/sendmail/srvrsmtp.c
@@ -122,6 +122,26 @@ extern ENVELOPE BlankEnvelope;
#define SKIP_SPACE(s) while (isascii(*s) && isspace(*s)) \
(s)++
+static inline void
+message1(fmt)
+ char *fmt;
+{
+ if (strchr(fmt, '%') == NULL)
+ message(fmt, NULL);
+ else
+ message("%s", fmt);
+}
+
+static inline void
+usrerr1(fmt)
+ char *fmt;
+{
+ if (strchr(fmt, '%') == NULL)
+ usrerr(fmt, NULL);
+ else
+ usrerr("%s", fmt);
+}
+
/*
** PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT)
**
@@ -578,13 +598,13 @@ static bool smtp_data __P((SMTP_T *, ENVELOPE *));
bool tsave = QuickAbort; \
\
QuickAbort = false; \
- usrerr(response); \
+ usrerr1(response); \
QuickAbort = tsave; \
e->e_sendqueue = NULL; \
goto doquit; \
} \
else \
- usrerr(response); \
+ usrerr1(response); \
break; \
\
case SMFIR_REJECT: \
@@ -931,7 +951,7 @@ smtp(nullserver, d_flags, e)
}
else if (strncmp(nullserver, "421 ", 4) == 0)
{
- message(nullserver);
+ message1(nullserver);
goto doquit;
}
@@ -1849,7 +1869,7 @@ smtp(nullserver, d_flags, e)
if (nullserver != NULL)
{
if (ISSMTPREPLY(nullserver))
- usrerr(nullserver);
+ usrerr1(nullserver);
else
usrerr("550 5.0.0 %s",
nullserver);
@@ -2449,7 +2469,7 @@ smtp(nullserver, d_flags, e)
tempfail = true;
smtp.sm_milterize = false;
if (response != NULL)
- usrerr(response);
+ usrerr1(response);
else
message("421 4.7.0 %s closing connection",
MyHostName);
@@ -3656,7 +3676,7 @@ smtp_data(smtp, e)
(void) extenhsc(response + 4, ' ', e->e_enhsc);
#endif /* _FFR_MILTER_ENHSC */
- usrerr(response);
+ usrerr1(response);
if (strncmp(response, "421 ", 4) == 0
|| strncmp(response, "421-", 4) == 0)
{
@@ -3776,7 +3796,7 @@ smtp_data(smtp, e)
if (ISSMTPCODE(response))
(void) extenhsc(response + 4, ' ', e->e_enhsc);
#endif /* _FFR_MILTER_ENHSC */
- usrerr(response);
+ usrerr1(response);
if (strncmp(response, "421 ", 4) == 0
|| strncmp(response, "421-", 4) == 0)
rv = false;
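Review bot: message1() and usrerr1() in srvrsmtp.c have no comment explaining why a string without '%' is passed as the format itself while one containing '%' goes through `"%s"`. Presumably message() and usrerr() read the SMTP reply code from the start of the format string; if so, a milter or nullserver reply that contains '%' is sent with a default code instead of its own on the `"%s"` path, which should be confirmed against err.c. I would add a header comment to both helpers, for example `/* fixed replies are passed as the format so their reply code is parsed; text containing '%' is never used as a format */`. The trailing `NULL` in `message(fmt, NULL)` is never consumed because the format has no conversions, so it can be dropped. The call sites in the later hunks sit inside functions that extend beyond the hunks.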


@ -0,0 +1,80 @@
Description: systemd-like socket activation support for libmilter
Author: Mikhail Gusarov <dottedmag@debian.org
diff --git a/libmilter/docs/smfi_setconn.html b/libmilter/docs/smfi_setconn.html
index eba7c5b..5b272a0 100644
--- a/libmilter/docs/smfi_setconn.html
+++ b/libmilter/docs/smfi_setconn.html
@@ -43,6 +43,7 @@ Set the socket through which this filter should communicate with sendmail.
<LI><CODE>{unix|local}:/path/to/file</CODE> -- A named pipe.
<LI><CODE>inet:port@{hostname|ip-address}</CODE> -- An IPV4 socket.
<LI><CODE>inet6:port@{hostname|ip-address}</CODE> -- An IPV6 socket.
+ <LI><CODE>fd:number</CODE> -- Pre-opened file descriptor.
</UL>
</TD></TR>
</TABLE>
diff --git a/libmilter/listener.c b/libmilter/listener.c
index 11d92bb..2ab533d 100644
--- a/libmilter/listener.c
+++ b/libmilter/listener.c
@@ -197,6 +197,11 @@ mi_milteropen(conn, backlog, rmsocket, name)
L_socksize = sizeof addr.sin6;
}
#endif /* NETINET6 */
+ else if (strcasecmp(p, "fd") == 0)
+ {
+ addr.sa.sa_family = AF_UNSPEC;
+ L_socksize = sizeof (_SOCK_ADDR);
+ }
else
{
smi_log(SMI_LOG_ERR, "%s: unknown socket type %s",
@@ -443,7 +448,21 @@ mi_milteropen(conn, backlog, rmsocket, name)
}
#endif /* NETINET || NETINET6 */
- sock = socket(addr.sa.sa_family, SOCK_STREAM, 0);
+ if (addr.sa.sa_family == AF_UNSPEC)
+ {
+ char *end;
+ sock = strtol(colon, &end, 10);
+ if (*end != '\0' || sock < 0)
+ {
+ smi_log(SMI_LOG_ERR, "%s: expected positive integer as fd, got %s", name, colon);
+ return INVALID_SOCKET;
+ }
+ }
+ else
+ {
+ sock = socket(addr.sa.sa_family, SOCK_STREAM, 0);
+ }
+
if (!ValidSocket(sock))
{
smi_log(SMI_LOG_ERR,
@@ -466,6 +485,7 @@ mi_milteropen(conn, backlog, rmsocket, name)
#if NETUNIX
addr.sa.sa_family != AF_UNIX &&
#endif /* NETUNIX */
+ addr.sa.sa_family != AF_UNSPEC &&
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *) &sockopt,
sizeof(sockopt)) == -1)
{
@@ -511,7 +531,8 @@ mi_milteropen(conn, backlog, rmsocket, name)
}
#endif /* NETUNIX */
- if (bind(sock, &addr.sa, L_socksize) < 0)
+ if (addr.sa.sa_family != AF_UNSPEC &&
+ bind(sock, &addr.sa, L_socksize) < 0)
{
smi_log(SMI_LOG_ERR,
"%s: Unable to bind to port %s: %s",
@@ -818,7 +839,7 @@ mi_listener(conn, dbg, smfi, timeout, backlog)
# ifdef BSD4_4_SOCKADDR
cliaddr.sa.sa_len == 0 ||
# endif /* BSD4_4_SOCKADDR */
- cliaddr.sa.sa_family != L_family))
+ (L_family != AF_UNSPEC && cliaddr.sa.sa_family != L_family)))
{
(void) closesocket(connfd);
connfd = INVALID_SOCKET;
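Review bot: The `fd:` branch added to mi_milteropen() assigns the `long` result of `strtol()` directly to `sock` and checks only `*end` and the sign. An empty string after the colon is therefore accepted as descriptor 0, and a value outside the int range is silently truncated. The log message also says "positive integer" although 0 passes. The descriptor is never checked to be a stream socket (a `getsockopt()` with `SO_TYPE` would do) before bind() and the address-family check in mi_listener() are skipped for it, so a wrong number in the filter's connection string only shows up later at accept time. The sketch below tightens the parse; it needs errno and INT_MAX in scope. What `colon` points to is assumed from its name, since the function starts and ends outside the hunk.

```c
	if (addr.sa.sa_family == AF_UNSPEC)
	{
		char *end;
		long fdnum;

		errno = 0;
		fdnum = strtol(colon, &end, 10);
		if (end == colon || *end != '\0' || errno == ERANGE ||
		    fdnum < 0 || fdnum > INT_MAX)
		{
			/* ... unchanged: smi_log() and return INVALID_SOCKET ... */
		}
		sock = fdnum;
	}
	/* ... unchanged: else branch calling socket() ... */
```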


@ -0,0 +1,13 @@
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
index 696bf36..5a5963b 100644
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@@ -1898,6 +1898,8 @@ R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
+R<@> < $* @ localhost.localdomain >
+ $: < ? $&{client_name} > < $1 @ localhost.localdomain >
ifdef(`_NO_UUCP_', `dnl',
`R<@> < $* @ localhost.UUCP >
$: < ? $&{client_name} > < $1 @ localhost.UUCP >')


@ -0,0 +1,20 @@
diff --git a/sendmail/tls.c b/sendmail/tls.c
index 16cb93f..9338380 100644
--- a/sendmail/tls.c
+++ b/sendmail/tls.c
@@ -1329,13 +1329,8 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
}
#if _FFR_TLS_EC
- ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if (ecdh != NULL)
- {
- SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
- SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
- EC_KEY_free(ecdh);
- }
+ SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_ecdh_auto(*ctx, 1);
#endif /* _FFR_TLS_EC */
}
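Review bot: The result of `SSL_CTX_set_ecdh_auto(*ctx, 1)` in inittls() is ignored, and the call is guarded only by `_FFR_TLS_EC`, so the file now depends on an OpenSSL release that provides this macro without saying so. I would add a comment next to the call, such as `/* needs OpenSSL >= 1.0.2; automatic curve selection is always on from 1.1.0 */`, and log when the call does not return 1. The `ecdh` local that the removed lines used is declared outside this hunk and is probably left unused now.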


@ -0,0 +1,182 @@
--- sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 15:20:59.953546417 +0100
+++ sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 17:26:43.868521378 +0100
@@ -63,14 +63,28 @@ static unsigned char dh512_g[] =
static DH *
get_dh512()
{
- DH *dh = NULL;
+ DH *dh;
+ BIGNUM *p, *g;
if ((dh = DH_new()) == NULL)
return NULL;
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
+ p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+ g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+ if (p == NULL || g == NULL)
+ {
+ BN_free(p);
+ BN_free(g);
+ DH_free(dh);
return NULL;
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ DH_set0_pqg(dh, p, NULL, g);
+#else
+ dh->p = p;
+ dh->g = g;
+#endif
+
return dh;
}
@@ -117,16 +131,27 @@ get_dh2048()
};
static unsigned char dh2048_g[]={ 0x02, };
DH *dh;
+ BIGNUM *p, *g;
if ((dh=DH_new()) == NULL)
return(NULL);
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
+ p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+ g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+ if (p == NULL || g == NULL)
{
+ BN_free(p);
+ BN_free(g);
DH_free(dh);
- return(NULL);
+ return NULL;
}
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ DH_set0_pqg(dh, p, NULL, g);
+#else
+ dh->p = p;
+ dh->g = g;
+#endif
+
return(dh);
}
# endif /* !NO_DH */
@@ -715,6 +740,54 @@ static char server_session_id_context[]
# define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 0
#endif
+static RSA *
+generate_rsa_key(bits, e)
+ int bits;
+ unsigned long e;
+{
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ return RSA_generate_key(bits, e, NULL, NULL);
+#else
+ BIGNUM *bne;
+ RSA *rsa = NULL;
+
+ bne = BN_new();
+ if (bne && BN_set_word(bne, e) != 1)
+ rsa = RSA_new();
+ if (rsa && RSA_generate_key_ex(rsa, bits, bne, NULL) != 1)
+ {
+ RSA_free(rsa);
+ rsa = NULL;
+ }
+ BN_free(bne);
+ return rsa;
+#endif
+}
+
+static DSA *
+generate_dsa_parameters(bits, seed, seed_len, counter_ret, h_ret)
+ int bits;
+ unsigned char *seed;
+ int seed_len;
+ int *counter_ret;
+ unsigned long *h_ret;
+{
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ return DSA_generate_parameters(bits, seed, seed_len, counter_ret,
+ h_ret, NULL, NULL);
+#else
+ DSA *dsa = DSA_new();
+
+ if (dsa && DSA_generate_parameters_ex(dsa, bits, seed, seed_len,
+ counter_ret, h_ret, NULL) != 1)
+ {
+ DSA_free(dsa);
+ dsa = NULL;
+ }
+ return dsa;
+#endif
+}
+
bool
inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
SSL_CTX **ctx;
@@ -926,7 +999,7 @@ inittls(ctx, req, options, srv, certfile
{
/* get a pointer to the current certificate validation store */
store = SSL_CTX_get_cert_store(*ctx); /* does not fail */
- crl_file = BIO_new(BIO_s_file_internal());
+ crl_file = BIO_new(BIO_s_file());
if (crl_file != NULL)
{
if (BIO_read_filename(crl_file, CRLFile) >= 0)
@@ -1003,8 +1076,7 @@ inittls(ctx, req, options, srv, certfile
if (bitset(TLS_I_RSA_TMP, req)
# if SM_CONF_SHM
&& ShmId != SM_SHM_NO_ID &&
- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
- NULL)) == NULL
+ (rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4)) == NULL
# else /* SM_CONF_SHM */
&& 0 /* no shared memory: no need to generate key now */
# endif /* SM_CONF_SHM */
@@ -1210,8 +1282,8 @@ inittls(ctx, req, options, srv, certfile
sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
/* this takes a while! */
- dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
- NULL, 0, NULL);
+ dsa = generate_dsa_parameters(bits, NULL, 0, NULL,
+ NULL);
dh = DSA_dup_DH(dsa);
DSA_free(dsa);
}
@@ -1747,7 +1819,7 @@ tmp_rsa_key(s, export, keylength)
if (rsa_tmp != NULL)
RSA_free(rsa_tmp);
- rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
+ rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4);
if (rsa_tmp == NULL)
{
if (LogLevel > 0)
@@ -1974,11 +2046,20 @@ x509_verify_cb(ok, ctx)
{
if (LogLevel > 13)
tls_verify_log(ok, ctx, "x509");
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ if (X509_STORE_CTX_get_error(ctx) ==
+ X509_V_ERR_UNABLE_TO_GET_CRL)
+ {
+ X509_STORE_CTX_set_error(ctx, 0);
+ return 1; /* override it */
+ }
+#else
if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
{
ctx->error = 0;
return 1; /* override it */
}
+#endif
}
return ok;
}


@ -0,0 +1,246 @@
diff --git a/cf/cf/submit.mc b/cf/cf/submit.mc
index b9dfb16..cb325cc 100644
--- a/cf/cf/submit.mc
+++ b/cf/cf/submit.mc
@@ -22,6 +22,8 @@ define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
+dnl # If you're operating in a DSCP/RFC-4594 environment with QoS
+dnl define(`confINET_QOS', `AF11')dnl
define(`confPID_FILE', `/run/sm-client.pid')dnl
dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')dnl
FEATURE(`use_ct_file')dnl
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
index 5a5963b..0df3416 100644
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@@ -251,6 +251,9 @@ _OPTION(SevenBitInput, `confSEVEN_BIT_INPUT', `False')
# 8-bit data handling
_OPTION(EightBitMode, `confEIGHT_BIT_HANDLING', `pass8')
+# DSCP marking of traffic (IP_TOS)
+_OPTION(InetQoS, `confINET_QOS', `none')
+
# wait for alias file rebuild (default units: minutes)
_OPTION(AliasWait, `confALIAS_WAIT', `5m')
diff --git a/sendmail/conf.c b/sendmail/conf.c
index cbb9c76..1b55533 100644
--- a/sendmail/conf.c
+++ b/sendmail/conf.c
@@ -6430,6 +6430,10 @@ char *FFRCompileOptions[] =
#if _FFR_QF_PARANOIA
"_FFR_QF_PARANOIA",
#endif
+#if _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
+ /* QoS */
+ "_FFR_QOS",
+#endif /* _FFR_QOS && defined(SOL_IP) && defined(IP_TOS) */
#if _FFR_QUEUE_GROUP_SORTORDER
/* Allow QueueSortOrder per queue group. */
/* XXX: Still need to actually use qgrp->qg_sortorder */
diff --git a/sendmail/daemon.c b/sendmail/daemon.c
index 4288365..86fe319 100644
--- a/sendmail/daemon.c
+++ b/sendmail/daemon.c
@@ -104,6 +104,10 @@ static int NDaemons = 0; /* actual number of daemons */
static time_t NextDiskSpaceCheck = 0;
+#if _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
+int InetQoS = 0; /* none by default */
+#endif /* _FFR_QOS && defined(SOL_IP) && defined(IP_TOS) */
+
/*
** GETREQUESTS -- open mail IPC port and get requests.
**
@@ -1139,6 +1143,16 @@ opendaemonsocket(d, firsttime)
(void) setsockopt(d->d_socket, SOL_SOCKET,
SO_KEEPALIVE, (char *)&on, sizeof(on));
+#if _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
+ if (InetQoS != 0x00
+ && (d->d_addr.sa.sa_family == AF_INET
+ || (d->d_addr.sin6.sin6_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(d->d_addr.sin6.sin6_addr.s6_addr32)))) {
+ if (setsockopt(d->d_socket, SOL_IP,
+ IP_TOS, (char *)&InetQoS, sizeof(InetQoS)) < 0)
+ syserr("opendaemonsock: daemon %s: setsockopt(IP_TOS)", d->d_name);
+ }
+#endif /* _FFR_QOS && defined(SOL_IP) && defined(IP_TOS) */
+
#ifdef SO_RCVBUF
if (d->d_tcprcvbufsize > 0)
{
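Review bot: The IP_TOS block added to `opendaemonsocket` marks only AF_INET and v4-mapped sockets, so a daemon bound to a native IPv6 address gets no DSCP marking even when `InetQoS` is set; the `makeconnection` hunk uses the same condition. If that is intended, a comment such as `/* IPv6 traffic class (IPV6_TCLASS) is not set here */` would make the limitation visible. The condition also reads `d->d_addr.sin6` without a `NETINET6` guard and passes `s6_addr32` to `IN6_IS_ADDR_V4MAPPED`, which is specified to take a `struct in6_addr *`. Presumably this compiles only where IPv6 support is built in and the libc exposes `s6_addr32`, so wrapping the second arm in `#if NETINET6` and passing `&d->d_addr.sin6.sin6_addr` would be more portable. The function body continues outside the hunk.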
@@ -2571,6 +2585,16 @@ gothostent:
return EX_TEMPFAIL;
}
+#if _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
+ if (InetQoS != 0x00
+ && (family == AF_INET
+ || (family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(addr.sin6.sin6_addr.s6_addr32))))
+ {
+ if (setsockopt(s, SOL_IP, IP_TOS,
+ (char *)&InetQoS, sizeof(InetQoS)) < 0)
+ syserr("makeconnection: setsockopt(IP_TOS)");
+ }
+#endif /* _FFR_QOS && defined(SOL_IP) && defined(IP_TOS) */
#ifdef SO_SNDBUF
if (ClientSettings[family].d_tcpsndbufsize > 0)
{
diff --git a/sendmail/readcf.c b/sendmail/readcf.c
index 2b0fbf7..86892f5 100644
--- a/sendmail/readcf.c
+++ b/sendmail/readcf.c
@@ -18,6 +18,7 @@ SM_RCSID("@(#)$Id: readcf.c,v 8.692 2013-11-22 20:51:56 ca Exp $")
#if NETINET || NETINET6
# include <arpa/inet.h>
+# include <netinet/ip.h>
#endif /* NETINET || NETINET6 */
@@ -2888,8 +2889,8 @@ static struct optioninfo
# define O_RCPTTHROTDELAY 0xe6
{ "BadRcptThrottleDelay", O_RCPTTHROTDELAY, OI_SAFE },
#endif /* _FFR_RCPTTHROTDELAY */
-#if 0 && _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
-# define O_INETQOS 0xe7 /* reserved for FFR_QOS */
+#if _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
+# define O_INETQOS 0xe7
{ "InetQoS", O_INETQOS, OI_NONE },
#endif
#if STARTTLS && _FFR_FIPSMODE
@@ -2914,6 +2915,77 @@ static struct optioninfo
{ NULL, '\0', OI_NONE }
};
+#ifdef O_INETQOS
+static struct qosmap
+{
+ char *name; /* name of the setting */
+ int value; /* corresponding setsockopt() value */
+} QoSMap[] = {
+#ifdef IPTOS_CLASS_CS0
+ { "CS0", IPTOS_CLASS_CS0 },
+#endif
+#ifdef IPTOS_CLASS_CS1
+ { "CS1", IPTOS_CLASS_CS1 },
+#endif
+#ifdef IPTOS_DSCP_AF11
+ { "AF11", IPTOS_DSCP_AF11 },
+#endif
+#ifdef IPTOS_DSCP_AF12
+ { "AF12", IPTOS_DSCP_AF12 },
+#endif
+#ifdef IPTOS_DSCP_AF13
+ { "AF13", IPTOS_DSCP_AF13 },
+#endif
+#ifdef IPTOS_CLASS_CS2
+ { "CS2", IPTOS_CLASS_CS2 },
+#endif
+#ifdef IPTOS_DSCP_AF21
+ { "AF21", IPTOS_DSCP_AF21 },
+#endif
+#ifdef IPTOS_DSCP_AF22
+ { "AF22", IPTOS_DSCP_AF22 },
+#endif
+#ifdef IPTOS_DSCP_AF23
+ { "AF23", IPTOS_DSCP_AF23 },
+#endif
+#ifdef IPTOS_CLASS_CS3
+ { "CS3", IPTOS_CLASS_CS3 },
+#endif
+#ifdef IPTOS_DSCP_AF31
+ { "AF31", IPTOS_DSCP_AF31 },
+#endif
+#ifdef IPTOS_DSCP_AF32
+ { "AF32", IPTOS_DSCP_AF32 },
+#endif
+#ifdef IPTOS_DSCP_AF33
+ { "AF33", IPTOS_DSCP_AF33 },
+#endif
+#ifdef IPTOS_CLASS_CS4
+ { "CS4", IPTOS_CLASS_CS4 },
+#endif
+#ifdef IPTOS_DSCP_AF41
+ { "AF41", IPTOS_DSCP_AF41 },
+#endif
+#ifdef IPTOS_DSCP_AF42
+ { "AF42", IPTOS_DSCP_AF42 },
+#endif
+#ifdef IPTOS_DSCP_AF43
+ { "AF43", IPTOS_DSCP_AF43 },
+#endif
+#ifdef IPTOS_CLASS_CS5
+ { "CS5", IPTOS_CLASS_CS5 },
+#endif
+#ifdef IPTOS_CLASS_CS6
+ { "CS6", IPTOS_CLASS_CS6 },
+#endif
+#ifdef IPTOS_CLASS_CS7
+ { "CS7", IPTOS_CLASS_CS7 },
+#endif
+ { "none", 0x00 },
+ { NULL, 0 }
+};
+#endif
+
# define CANONIFY(val)
# define SET_OPT_DEFAULT(opt, val) opt = val
@@ -4540,6 +4612,33 @@ setoption(opt, val, safe, sticky, e)
UseCompressedIPv6Addresses = atobool(val);
break;
+#ifdef O_INETQOS
+ case O_INETQOS:
+ {
+ struct qosmap *qmp;
+ InetQoS = -1;
+
+ for (qmp = QoSMap; qmp->name != NULL; ++qmp) {
+ if (!strcmp(val, qmp->name)) {
+ InetQoS = qmp->value;
+ break;
+ }
+ }
+
+ /*
+ ** we could allow writing it as a hex value, but
+ ** we don't at this time.
+ **/
+ if (qmp->name == NULL) {
+ (void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
+ "Warning: Option: %s unknown parameter '%s'\n",
+ OPTNAME, val);
+ break;
+ }
+ break;
+ }
+#endif
+
default:
if (tTd(37, 1))
{
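Review bot: An unrecognised `InetQoS` value leaves the global at -1, because the `O_INETQOS` case sets `InetQoS = -1` before the lookup and the warning branch breaks without resetting it. Both `setsockopt(IP_TOS)` call sites added in daemon.c test only `InetQoS != 0x00`, so a typo in the option would make every listener and outbound connection pass -1 as the TOS value and, presumably, raise a `syserr` each time. Resolve the name into a local and assign `InetQoS` only on a match, or add `InetQoS = 0;` to the warning branch before its `break`. The lookup uses `strcmp`, so `None` or `af11` are rejected as well, which the warning text does not explain. `setoption`'s body continues outside the hunk.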
diff --git a/sendmail/sendmail.h b/sendmail/sendmail.h
index b2d0211..3bcc2e2 100644
--- a/sendmail/sendmail.h
+++ b/sendmail/sendmail.h
@@ -2537,7 +2537,14 @@ EXTERN struct termescape TermEscape; /* terminal escape codes */
EXTERN SOCKADDR ConnectOnlyTo; /* override connection address (for testing) */
EXTERN SOCKADDR RealHostAddr; /* address of host we are talking to */
extern const SM_EXC_TYPE_T EtypeQuickAbort; /* type of a QuickAbort exception */
-
+#if _FFR_QOS
+# if !defined(SOL_IP) && defined(IPPROTO_IP)
+# define SOL_IP IPPROTO_IP
+# endif
+# if defined(SOL_IP) && defined(IP_TOS)
+EXTERN int InetQoS; /* QoS mapping */
+# endif
+#endif
EXTERN int ConnectionRateWindowSize;
#if STARTTLS && USE_OPENSSL_ENGINE


@ -0,0 +1,249 @@
diff -ru a/sendmail/deliver.c b/sendmail/deliver.c
--- a/sendmail/deliver.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/deliver.c 2016-02-29 06:02:06.000000000 -0800
@@ -6274,8 +6274,7 @@
tlslogerr(LOG_WARNING, "client");
}
- SSL_free(clt_ssl);
- clt_ssl = NULL;
+ SM_SSL_FREE(clt_ssl);
return EX_SOFTWARE;
}
mci->mci_ssl = clt_ssl;
@@ -6287,8 +6286,7 @@
return EX_OK;
/* failure */
- SSL_free(clt_ssl);
- clt_ssl = NULL;
+ SM_SSL_FREE(clt_ssl);
return EX_SOFTWARE;
}
/*
@@ -6309,7 +6307,7 @@
if (!bitset(MCIF_TLSACT, mci->mci_flags))
return EX_OK;
- r = endtls(mci->mci_ssl, "client");
+ r = endtls(&mci->mci_ssl, "client");
mci->mci_flags &= ~MCIF_TLSACT;
return r;
}
diff -ru a/sendmail/macro.c b/sendmail/macro.c
--- a/sendmail/macro.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/macro.c 2016-02-29 06:02:06.000000000 -0800
@@ -362,6 +362,33 @@
}
/*
+** MACTABCLEAR -- clear entire macro table
+**
+** Parameters:
+** mac -- Macro table.
+**
+** Returns:
+** none.
+**
+** Side Effects:
+** clears entire mac structure including rpool pointer!
+*/
+
+void
+mactabclear(mac)
+ MACROS_T *mac;
+{
+ int i;
+
+ if (mac->mac_rpool == NULL)
+ {
+ for (i = 0; i < MAXMACROID; i++)
+ SM_FREE_CLR(mac->mac_table[i]);
+ }
+ memset((char *) mac, '\0', sizeof(*mac));
+}
+
+/*
** MACDEFINE -- bind a macro name to a value
**
** Set a macro to a value, with fancy storage management.
diff -ru a/sendmail/mci.c b/sendmail/mci.c
--- a/sendmail/mci.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/mci.c 2016-02-29 06:02:06.000000000 -0800
@@ -25,6 +25,7 @@
int, bool));
static bool mci_load_persistent __P((MCI *));
static void mci_uncache __P((MCI **, bool));
+static void mci_clear __P((MCI *));
static int mci_lock_host_statfile __P((MCI *));
static int mci_read_persistent __P((SM_FILE_T *, MCI *));
@@ -253,6 +254,7 @@
SM_FREE_CLR(mci->mci_status);
SM_FREE_CLR(mci->mci_rstatus);
SM_FREE_CLR(mci->mci_heloname);
+ mci_clear(mci);
if (mci->mci_rpool != NULL)
{
sm_rpool_free(mci->mci_rpool);
@@ -315,6 +317,41 @@
}
/*
+** MCI_CLEAR -- clear mci
+**
+** Parameters:
+** mci -- the connection to clear.
+**
+** Returns:
+** none.
+*/
+
+static void
+mci_clear(mci)
+ MCI *mci;
+{
+ if (mci == NULL)
+ return;
+
+ mci->mci_maxsize = 0;
+ mci->mci_min_by = 0;
+ mci->mci_deliveries = 0;
+#if SASL
+ if (bitset(MCIF_AUTHACT, mci->mci_flags))
+ sasl_dispose(&mci->mci_conn);
+#endif
+#if STARTTLS
+ if (bitset(MCIF_TLSACT, mci->mci_flags) && mci->mci_ssl != NULL)
+ SM_SSL_FREE(mci->mci_ssl);
+#endif
+
+ /* which flags to preserve? */
+ mci->mci_flags &= MCIF_CACHED;
+ mactabclear(&mci->mci_macro);
+}
+
+
+/*
** MCI_GET -- get information about a particular host
**
** Parameters:
@@ -419,6 +456,7 @@
mci->mci_errno = 0;
mci->mci_exitstat = EX_OK;
}
+ mci_clear(mci);
}
return mci;
diff -ru a/sendmail/sendmail.h b/sendmail/sendmail.h
--- a/sendmail/sendmail.h 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/sendmail.h 2016-02-29 06:02:06.000000000 -0800
@@ -1186,6 +1186,7 @@
#define macid(name) macid_parse(name, NULL)
extern char *macname __P((int));
extern char *macvalue __P((int, ENVELOPE *));
+extern void mactabclear __P((MACROS_T *));
extern int rscheck __P((char *, char *, char *, ENVELOPE *, int, int, char *, char *, ADDRESS *, char **));
extern int rscap __P((char *, char *, char *, ENVELOPE *, char ***, char *, int));
extern void setclass __P((int, char *));
@@ -2002,7 +2003,15 @@
extern void setclttls __P((bool));
extern bool initsrvtls __P((bool));
extern int tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
-extern int endtls __P((SSL *, char *));
+#define SM_SSL_FREE(ssl) \
+ do { \
+ if (ssl != NULL) \
+ { \
+ SSL_free(ssl); \
+ ssl = NULL; \
+ } \
+ } while (0)
+extern int endtls __P((SSL **, char *));
extern void tlslogerr __P((int, const char *));
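Review bot: `SM_SSL_FREE` uses its argument unparenthesised and evaluates it three times, which matters because this patch already calls it with an expression, `SM_SSL_FREE(*pssl)` in `endtls`. It expands correctly for the call sites shown, but writing `if ((ssl) != NULL)` and `(ssl) = NULL;` would keep it safe for other lvalue expressions. A one-line comment that the argument must be a side-effect-free lvalue would also help. The `mci_clear` hunk additionally wraps the macro in its own `mci->mci_ssl != NULL` test, which the macro already performs.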
diff -ru a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
--- a/sendmail/srvrsmtp.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/srvrsmtp.c 2016-02-29 06:02:06.000000000 -0800
@@ -2122,8 +2122,7 @@
if (get_tls_se_options(e, srv_ssl, true) != 0)
{
message("454 4.3.3 TLS not available: error setting options");
- SSL_free(srv_ssl);
- srv_ssl = NULL;
+ SM_SSL_FREE(srv_ssl);
goto tls_done;
}
@@ -2145,8 +2144,7 @@
SSL_set_wfd(srv_ssl, wfd) <= 0)
{
message("454 4.3.3 TLS not available: error set fd");
- SSL_free(srv_ssl);
- srv_ssl = NULL;
+ SM_SSL_FREE(srv_ssl);
goto tls_done;
}
if (!smtps)
@@ -2188,8 +2186,7 @@
tlslogerr(LOG_WARNING, "server");
}
tls_ok_srv = false;
- SSL_free(srv_ssl);
- srv_ssl = NULL;
+ SM_SSL_FREE(srv_ssl);
/*
** according to the next draft of
@@ -3416,7 +3413,7 @@
/* shutdown TLS connection */
if (tls_active)
{
- (void) endtls(srv_ssl, "server");
+ (void) endtls(&srv_ssl, "server");
tls_active = false;
}
#endif /* STARTTLS */
diff -ru a/sendmail/tls.c b/sendmail/tls.c
--- a/sendmail/tls.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/tls.c 2016-02-29 06:02:06.000000000 -0800
@@ -1624,7 +1624,7 @@
** ENDTLS -- shutdown secure connection
**
** Parameters:
-** ssl -- SSL connection information.
+** pssl -- pointer to TLS session context
** side -- server/client (for logging).
**
** Returns:
@@ -1632,12 +1632,16 @@
*/
int
-endtls(ssl, side)
- SSL *ssl;
+endtls(pssl, side)
+ SSL **pssl;
char *side;
{
int ret = EX_OK;
+ SSL *ssl;
+ SM_REQUIRE(pssl != NULL);
+ ret = EX_OK;
+ ssl = *pssl;
if (ssl != NULL)
{
int r;
@@ -1703,8 +1707,7 @@
ret = EX_SOFTWARE;
}
# endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL */
- SSL_free(ssl);
- ssl = NULL;
+ SM_SSL_FREE(*pssl);
}
return ret;
}


@ -0,0 +1,13 @@
diff --git a/sendmail/conf.c b/sendmail/conf.c
index c73334e..cbb9c76 100644
--- a/sendmail/conf.c
+++ b/sendmail/conf.c
@@ -986,7 +986,7 @@ switch_map_find(service, maptype, mapreturn)
if (p != NULL)
*p = '\0';
#ifndef SM_NSSWITCH_DELIMS
-# define SM_NSSWITCH_DELIMS " \t"
+# define SM_NSSWITCH_DELIMS " \t:"
#endif /* SM_NSSWITCH_DELIMS */
p = strpbrk(buf, SM_NSSWITCH_DELIMS);
if (p != NULL)


@ -0,0 +1,204 @@
commit 72c678024d5f7b97bae8c20cc3fb2e0299778d5b
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Mon Sep 7 12:41:05 2020 +0200
Backport confTLS_FALLBACK_TO_CLEAR Configuration option
diff --git a/cf/README b/cf/README
index 91e69a9..e8941ad 100644
--- a/cf/README
+++ b/cf/README
@@ -4011,6 +4011,10 @@ confUSERDB_SPEC UserDatabaseSpec
confFALLBACK_MX FallbackMXhost [undefined] Fallback MX host.
confFALLBACK_SMARTHOST FallbackSmartHost
[undefined] Fallback smart host.
+confTLS_FALLBACK_TO_CLEAR TLSFallbacktoClear
+ [undefined] If set, immediately try
+ a connection again without STARTTLS
+ after a TLS handshake failure.
confTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX
for a host and other arrangements
haven't been made, try connecting
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
index 0df3416..a741d97 100644
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@@ -656,6 +656,8 @@ _OPTION(CipherList, `confCIPHER_LIST', `')
_OPTION(ServerSSLOptions, `confSERVER_SSL_OPTIONS', `')
# client side SSL options
_OPTION(ClientSSLOptions, `confCLIENT_SSL_OPTIONS', `')
+# TLS: fall back to clear text after handshake failure?
+_OPTION(TLSFallbacktoClear, `confTLS_FALLBACK_TO_CLEAR', `')
# Input mail filters
_OPTION(InputMailFilters, `confINPUT_MAIL_FILTERS', `')
@@ -2856,6 +2858,7 @@ R<$-:$+><VERIFY $*> <$*> FAIL $#error $@ $2 $: $1 " authentication failed"
R<$-:$+><VERIFY $*> <$*> NO $#error $@ $2 $: $1 " not authenticated"
R<$-:$+><VERIFY $*> <$*> NOT $#error $@ $2 $: $1 " no authentication requested"
R<$-:$+><VERIFY $*> <$*> NONE $#error $@ $2 $: $1 " other side does not support STARTTLS"
+R<$-:$+><VERIFY $*> <$*> CLEAR $#error $@ $2 $: $1 " STARTTLS disabled locally"
dnl some other value for ${verify}
R<$-:$+><VERIFY $*> <$*> $+ $#error $@ $2 $: $1 " authentication failure " $4
dnl some level of encryption required: get the maximum level (case 2.)
diff --git a/doc/op/op.me b/doc/op/op.me
index 57e25cd..97d3b9c 100644
--- a/doc/op/op.me
+++ b/doc/op/op.me
@@ -8340,6 +8340,22 @@ PostMilter is useful only when
.i sendmail
is running as an SMTP server; in all other situations it
acts the same as True.
+.ip TLSFallbacktoClear
+[no short name]
+If set,
+.i sendmail
+immediately tries an outbound connection again without STARTTLS
+after a TLS handshake failure.
+Note:
+this applies to all connections even if TLS specific requirements are set
+(see rulesets
+.i tls_rcpt
+and
+.i tls_client
+).
+Hence such requirements will cause an error on a retry without STARTTLS.
+Therefore they should only trigger a temporary failure so the connection
+is later on tried again.
.ip TLSSrvOptions
[no short name]
List of options for SMTP STARTTLS for the server
diff --git a/sendmail/deliver.c b/sendmail/deliver.c
index 8027a50..af42e8f 100644
--- a/sendmail/deliver.c
+++ b/sendmail/deliver.c
@@ -1334,6 +1334,10 @@ deliver(e, firstto)
char *pv[MAXPV + 1];
char buf[MAXNAME + 1];
char cbuf[MAXPATHLEN];
+#if STARTTLS
+ /* 0: try TLS, 1: try without TLS again, >1: don't try again */
+ int tlsstate;
+#endif
errno = 0;
SM_REQUIRE(firstto != NULL); /* same as to */
@@ -1349,7 +1353,9 @@ deliver(e, firstto)
e->e_statmsg = NULL;
SmtpError[0] = '\0';
xstart = curtime();
-
+#if STARTTLS
+ tlsstate = 0;
+#endif
if (tTd(10, 1))
sm_dprintf("\n--deliver, id=%s, mailer=%s, host=`%s', first user=`%s'\n",
e->e_id, m->m_name, host, to->q_user);
@@ -2073,6 +2079,9 @@ tryhost:
hostnum++;
if (endp != NULL)
*endp = sep;
+#if STARTTLS
+ tlsstate = 0;
+#endif
one_last_try:
/* see if we already know that this host is fried */
@@ -2960,6 +2969,8 @@ reconnect: /* after switching to an encrypted connection */
usetls = bitset(MCIF_TLS, mci->mci_flags);
if (usetls)
usetls = !iscltflgset(e, D_NOTLS);
+ if (usetls)
+ usetls = tlsstate == 0;
host = macvalue(macid("{server_name}"), e);
if (usetls)
@@ -3025,8 +3036,11 @@ reconnect: /* after switching to an encrypted connection */
}
}
else
+ {
+ p = tlsstate == 0 ? "NONE": "CLEAR";
macdefine(&e->e_macro, A_PERM,
- macid("{verify}"), "NONE");
+ macid("{verify}"), p);
+ }
olderrors = Errors;
QuickAbort = false;
SuprErrs = true;
@@ -3077,6 +3091,10 @@ reconnect: /* after switching to an encrypted connection */
}
mci->mci_flags &= ~MCIF_TLSACT;
(void) endmailer(mci, e, pv);
+ if (TLSFallbacktoClear)
+ {
+ ++tlsstate;
+ }
}
else
{
@@ -3119,6 +3137,27 @@ reconnect: /* after switching to an encrypted connection */
mci_clr_extensions(mci);
goto reconnect;
}
+ if (tlsstate == 1)
+ {
+ if (tTd(11, 1))
+ {
+ sm_syslog(LOG_DEBUG, NOQID,
+ "STARTTLS=client, relay=%.100s, tlsstate=%d, status=trying_again",
+ mci->mci_host, tlsstate);
+ mci_dump(NULL, mci, true);
+ }
+ ++tlsstate;
+ /*
+ ** Fake the status so a new connection is
+ ** tried, otherwise the TLS error will
+ ** "persist" during this delivery attempt.
+ */
+
+ mci->mci_errno = 0;
+ rcode = EX_OK;
+ mci_setstat(mci, rcode, NULL, NULL);
+ goto one_last_try;
+ }
}
# endif /* STARTTLS */
# if SASL
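Review bot: The cleartext retry in the `tlsstate == 1` block is logged only when debug flag 11.1 is set (`tTd(11, 1)`), so in normal operation a delivery downgraded from STARTTLS to plaintext leaves no log entry tied to the fallback. With `TLSFallbacktoClear` on, any handshake failure takes this path, including one induced on the network path, so operators need a way to detect and count downgrades. I would add a `LogLevel`-gated entry before `goto one_last_try`, for example `if (LogLevel > 8) sm_syslog(LOG_INFO, NOQID, "STARTTLS=client, relay=%.100s, status=fallback_to_clear", mci->mci_host);`. The threshold and message text are suggestions, and `deliver`'s body continues outside the hunk.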
diff --git a/sendmail/readcf.c b/sendmail/readcf.c
index 86892f5..82660f4 100644
--- a/sendmail/readcf.c
+++ b/sendmail/readcf.c
@@ -2911,7 +2911,10 @@ static struct optioninfo
#endif
#define O_USECOMPRESSEDIPV6ADDRESSES 0xec
{ "UseCompressedIPv6Addresses", O_USECOMPRESSEDIPV6ADDRESSES, OI_NONE },
-
+#if STARTTLS
+# define O_TLSFB2CLEAR 0xef
+ { "TLSFallbacktoClear", O_TLSFB2CLEAR, OI_NONE },
+#endif
{ NULL, '\0', OI_NONE }
};
@@ -4305,6 +4308,9 @@ setoption(opt, val, safe, sticky, e)
#endif /* SASL */
#if STARTTLS
+ case O_TLSFB2CLEAR:
+ TLSFallbacktoClear = atobool(val);
+ break;
case O_SRVCERTFILE:
SET_STRING_EXP(SrvCertFile);
case O_SRVKEYFILE:
diff --git a/sendmail/sendmail.h b/sendmail/sendmail.h
index 441399c..9be1e76 100644
--- a/sendmail/sendmail.h
+++ b/sendmail/sendmail.h
@@ -2032,6 +2032,7 @@ EXTERN char *CRLPath; /* path to CRLs (dir. with hashes) */
#endif /* _FFR_CRLPATH */
EXTERN unsigned long TLS_Srv_Opts; /* TLS server options */
EXTERN unsigned long Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
+EXTERN bool TLSFallbacktoClear;
#endif /* STARTTLS */
/*


@ -0,0 +1,149 @@
diff --git a/include/sm/varargs.h b/include/sm/varargs.h
index 612858d..2609630 100644
--- a/include/sm/varargs.h
+++ b/include/sm/varargs.h
@@ -32,6 +32,11 @@
# define SM_VA_COPY(dst, src) __va_copy((dst), (src))
# else
# define SM_VA_COPY(dst, src) memcpy(&(dst), &(src), sizeof((dst)))
+# define SM_VA_END_COPY(ap) do { } while (0)
+# endif
+
+# ifndef SM_VA_END_COPY
+# define SM_VA_END_COPY(ap) va_end(ap)
# endif
/*
diff --git a/libsm/vfprintf.c b/libsm/vfprintf.c
index 87c353c..c99d4e5 100644
--- a/libsm/vfprintf.c
+++ b/libsm/vfprintf.c
@@ -782,6 +782,7 @@ number: if ((dprec = prec) >= 0)
done:
FLUSH();
error:
+ SM_VA_END_COPY(orgap);
if ((argtable != NULL) && (argtable != statargtable))
sm_free(argtable);
return sm_error(fp) ? SM_IO_EOF : ret;
diff --git a/sendmail/milter.c b/sendmail/milter.c
index 462efd2..af6dc66 100644
--- a/sendmail/milter.c
+++ b/sendmail/milter.c
@@ -2437,8 +2437,7 @@ milter_negotiate(m, e, milters)
sm_syslog(LOG_ERR, e->e_id,
"Milter (%s): negotiate: returned %c instead of %c",
m->mf_name, rcmd, SMFIC_OPTNEG);
- if (response != NULL)
- sm_free(response); /* XXX */
+ SM_FREE(response);
milter_error(m, e);
return -1;
}
@@ -2453,8 +2452,7 @@ milter_negotiate(m, e, milters)
sm_syslog(LOG_ERR, e->e_id,
"Milter (%s): negotiate: did not return valid info",
m->mf_name);
- if (response != NULL)
- sm_free(response); /* XXX */
+ SM_FREE(response);
milter_error(m, e);
return -1;
}
@@ -2472,8 +2470,7 @@ milter_negotiate(m, e, milters)
sm_syslog(LOG_ERR, e->e_id,
"Milter (%s): negotiate: did not return enough info",
m->mf_name);
- if (response != NULL)
- sm_free(response); /* XXX */
+ SM_FREE(response);
milter_error(m, e);
return -1;
}
@@ -2589,11 +2586,11 @@ milter_negotiate(m, e, milters)
if (tTd(64, 5))
sm_dprintf("milter_negotiate(%s): received: version %u, fflags 0x%x, pflags 0x%x\n",
m->mf_name, m->mf_fvers, m->mf_fflags, m->mf_pflags);
+ SM_FREE(response);
return 0;
error:
- if (response != NULL)
- sm_free(response); /* XXX */
+ SM_FREE(response);
return -1;
}
@@ -3230,6 +3227,7 @@ milter_changeheader(m, response, rlen, e)
addheader(newstr(field), mh_value, H_USER, e,
!bitset(SMFIP_HDR_LEADSPC, m->mf_pflags));
}
+ SM_FREE(mh_value);
return;
}
@@ -3438,6 +3436,8 @@ milter_chgfrom(response, rlen, e)
{
if (tTd(64, 10))
sm_dprintf("didn't follow protocol argc=%d\n", argc);
+ if (argv != NULL)
+ free(argv);
return;
}
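Review bot: The `argv` cleanup added in `milter_chgfrom` calls libc `free()` directly, here and before the final `return`, and again in both `milter_addrcpt_par` hunks, while every other release in this patch goes through `SM_FREE` or `sm_free`. The allocation of `argv` is outside the hunks; if it comes from the sm heap wrappers the release should match, `SM_FREE(argv);`. The replaced `if (response != NULL) sm_free(response);` pairs suggest that would also make the `if (argv != NULL)` test unnecessary. If `argv` really is a plain `malloc` result, a short comment saying so would explain the difference.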
@@ -3456,6 +3456,7 @@ milter_chgfrom(response, rlen, e)
mail_esmtp_args);
}
Errors = olderrors;
+ free(argv);
return;
}
@@ -3503,6 +3504,8 @@ milter_addrcpt_par(response, rlen, e)
{
if (tTd(64, 10))
sm_dprintf("didn't follow protocol argc=%d\n", argc);
+ if (argv != NULL)
+ free(argv);
return;
}
olderrors = Errors;
@@ -3527,6 +3530,7 @@ milter_addrcpt_par(response, rlen, e)
}
Errors = olderrors;
+ free(argv);
return;
}
diff --git a/sendmail/queue.c b/sendmail/queue.c
index 503f296..c9153c8 100644
--- a/sendmail/queue.c
+++ b/sendmail/queue.c
@@ -8590,6 +8590,7 @@ split_by_recipient(e)
if (split_within_queue(ee) == SM_SPLIT_FAIL)
{
e->e_sibling = firstsibling;
+ SM_FREE(lsplits);
return false;
}
ee->e_flags |= EF_SPLIT;
@@ -8604,8 +8605,7 @@ split_by_recipient(e)
if (p == NULL)
{
/* let's try to get this done */
- sm_free(lsplits);
- lsplits = NULL;
+ SM_FREE(lsplits);
}
else
lsplits = p;
@@ -8627,7 +8627,7 @@ split_by_recipient(e)
{
sm_syslog(LOG_NOTICE, e->e_id, "split: count=%d, id%s=%s",
n - 1, n > 2 ? "s" : "", lsplits);
- sm_free(lsplits);
+ SM_FREE(lsplits);
}
split = split_within_queue(e) != SM_SPLIT_FAIL;
if (split)


@ -0,0 +1,12 @@
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# If you want to use AuthInfo with "M:PLAIN LOGIN", make sure to have the
# cyrus-sasl-plain package installed.
#
# By default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY


@ -0,0 +1,4 @@
# The "domain table" can be used to provide domain name mapping.
# Use of this should really be limited to your own domains.
# It may be useful if you change names (e.g., your company
# changes names from oldname.com to newname.com)


@ -0,0 +1 @@
# local-host-names - include all aliases for your machine here.


@ -0,0 +1,30 @@
# The "mailer table" can be used to override routing for particular domains
# (which are not in class {w}, i.e. local host names).
#
# hash /etc/mail/mailertable
#
# Keys in this database are fully qualified domain names or partial domains
# preceded by a dot -- for example, "vangogh.CS.Berkeley.EDU" or
# ".CS.Berkeley.EDU". As a special case of the latter, "." matches any domain
# not covered by other keys. Values must be of the form:
#
# mailer:domain
#
# where "mailer" is the internal mailer name, and "domain" is where to send
# the message. These maps are not reflected into the message header. As a
# special case, the forms:
#
# local:user
#
# will forward to the indicated user using the local mailer,
#
# local:
#
# will forward to the original user in the e-mail address using the local
# mailer, and
#
# error:code message
# error:D.S.N:code message
#
# will give an error message with the indicated SMTP reply code and message,
# where D.S.N is an RFC 1893 compliant error code.


@ -0,0 +1,2 @@
# trusted-users - users that can send mail as others without a warning
# apache, mailman, majordomo, uucp, are good candidates


@ -0,0 +1,41 @@
# A domain-specific form of aliasing, allowing multiple virtual domains to be
# hosted on one machine.
#
# info@foo.com foo-info
# info@bar.com bar-info
# joe@bar.com error:nouser 550 No such user here
# jax@bar.com error:5.7.0:550 Address invalid
# @baz.org jane@example.net
#
# then mail addressed to info@foo.com will be sent to the address foo-info,
# mail addressed to info@bar.com will be delivered to bar-info, and mail
# addressed to anyone at baz.org will be sent to jane@example.net, mail to
# joe@bar.com will be rejected with the specified error message, and mail to
# jax@bar.com will also have a RFC 1893 compliant error code 5.7.0.
#
# The username from the original address is passed as %1 allowing:
#
# @foo.org %1@example.com
#
# Additionally, if the local part consists of "user+detail" then "detail" is
# passed as %2 and "+detail" is passed as %3 when a match against user+* is
# attempted, so entries like
#
# old+*@foo.org new+%2@example.com
# gen+*@foo.org %2@example.com
# +*@foo.org %1%3@example.com
# X++@foo.org Z%3@example.com
# @bar.org %1%3
#
# Note: to preserve "+detail" for a default case (@domain) %1%3 must be used
# as RHS. There are two wildcards after "+": "+" matches only a non-empty
# detail, "*" matches also empty details, e.g., user+@foo.org matches#
# +*@foo.org but not ++@foo.org. This can be used to ensure that the
# parameters %2 and %3 are not empty.
#
# All the host names on the left hand side (foo.com, bar.com, and baz.org)
# must be in class {w} or class {VirtHost}. The latter can be defined by the
# macros VIRTUSER_DOMAIN or VIRTUSER_DOMAIN_FILE (analogously to
# MASQUERADE_DOMAIN and MASQUERADE_DOMAIN_FILE). If VIRTUSER_DOMAIN or
# VIRTUSER_DOMAIN_FILE is used, then the entries of class {VirtHost} are
# added to class {R}, i.e., relaying is allowed to (and from) those domains.

181
SOURCES/sendmail-redhat.mc Normal file

@ -0,0 +1,181 @@
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # /etc/mail/make
dnl #
include(`@@PATH@@/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST', `smtp.your.provider')dnl
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # which realm to use in SASL database (sasldb2)
dnl #
define(`confAUTH_REALM', `mail')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Basic sendmail TLS configuration with self-signed certificate for
dnl # inbound SMTP (and also opportunistic TLS for outbound SMTP).
dnl #
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/private/sendmail.key')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl # If you're operating in a DSCP/RFC-4594 environment with QoS
dnl define(`confINET_QOS', `AF11')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 20.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
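Review bot: The active confAUTH_OPTIONS value is A, without the p flag, so an administrator who uncomments the TRUST_AUTH_MECH / confAUTH_MECHANISMS lines further down would end up offering PLAIN and LOGIN on links without TLS. The file's own comment describes the A p variant as the one that disallows plaintext authentication on non-TLS links. I would either make that variant the default or add a line above the mechanism lines such as `dnl # If you enable these mechanisms, also switch confAUTH_OPTIONS to A p.` Separately, the accept_unresolvable_domains feature is enabled although the comment above it recommends against accepting unresolvable domains. With the listener bound to 127.0.0.1 that is low risk, but the comment on the loopback restriction should tell whoever removes it to revisit that feature.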


@ -0,0 +1,8 @@
# Pass everything to the make script
all:
%: force
@./make $@
force:;
$(MAKEFILE_LIST):;


@ -0,0 +1,129 @@
#!/bin/sh
# Generate db and cf files if necessary. This used to be handled by
# /etc/mail/Makefile.
teste() {
if ! test -e "$1"; then
echo "$1 doesn't exist"
exit 2
fi
}
makedb() {
teste "${1%.db}"
if [ -z "$SM_FORCE_DBREBUILD" ]; then
test "${1%.db}" -nt "$1" || return 0
fi
if [ "$1" = userdb.db ]; then
makemap btree "$1" < "${1%.db}"
else
makemap hash "$1" < "${1%.db}"
fi
}
makealiasesdb() {
uptodate=1
if [ -z "$SM_FORCE_DBREBUILD" ]; then
files=$(grep '^O AliasFile=' sendmail.cf |
while read a; do echo ${a#*=}; done)
for a in $files; do
if [ "$a" = /etc/aliases ]; then
# /etc/aliases.db may be used by other MTA, make sure nothing
# has touched it since our last newaliases call
test "$a" -nt "${a}.db" ||
test aliasesdb-stamp -nt "${a}.db" ||
test aliasesdb-stamp -ot "${a}.db" || continue
else
test "$a" -nt "${a}.db" || continue
fi
uptodate=0
break
done
else
uptodate=0
fi
[ $uptodate = 1 ] && return 0
# check if alternatives is configured to sendmail
if [ "$(readlink -e /usr/bin/newaliases)" = /usr/sbin/sendmail.sendmail ]
then
/usr/bin/newaliases > /dev/null
touch -r /etc/aliases.db aliasesdb-stamp 2> /dev/null
else
rm -f aliasesdb-stamp
fi
}
makecf() {
mc=${1%.cf}.mc
teste "$mc"
if [ -z "$SM_FORCE_CFREBUILD" ]; then
test "$mc" -nt "$1" || return 0
fi
if test -f /usr/share/sendmail-cf/m4/cf.m4; then
umask 022
[ -e "$1" ] && mv -f "$1" "$1".bak
m4 "$mc" > "$1"
else
echo "WARNING: '$mc' is modified. Please install package sendmail-cf to update your configuration."
exit 15
fi
}
makeall() {
# These could be used by sendmail, but are not part of the default install.
# To use them you will have to generate your own sendmail.cf with
# FEATURE('whatever')
test -f bitdomain && makedb bitdomain.db
test -f uudomain && makedb uudomain.db
test -f genericstable && makedb genericstable.db
test -f userdb && makedb userdb.db
test -f authinfo && makedb authinfo.db
makedb virtusertable.db
makedb access.db
makedb domaintable.db
makedb mailertable.db
makecf sendmail.cf
makecf submit.cf
}
cd /etc/mail || exit 1
[ $# -eq 0 ] && makeall
for target; do
case "$target" in
*.db)
makedb "$target"
;;
*.cf)
makecf "$target"
;;
all)
makeall
;;
aliases)
makealiasesdb
;;
clean)
rm -f *.db *~ aliasesdb-stamp
;;
start|stop|restart)
service sendmail "$target"
;;
*)
echo "Don't know how to make $target"
exit 2
esac
done
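Review bot: In `makecf`, the existing file is moved to `.bak` and `m4 "$mc" > "$1"` then writes directly into the live name without its exit status being checked, so a failing m4 run leaves an empty or partial sendmail.cf or submit.cf in place. Building into a temporary name and renaming only on success avoids that: `m4 "$mc" > "$1.new" && mv -f "$1.new" "$1" || { rm -f "$1.new"; exit 1; }`, with the backup taken by `cp -pf "$1" "$1".bak` instead of `mv`. The exposure is larger because both service units on this page call the script with the `-` prefix, so a failed rebuild does not stop the daemon from starting.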


@ -0,0 +1,7 @@
#!/bin/sh
case "$2" in
up|down|vpn-up|vpn-down)
/bin/systemctl --no-block try-restart sendmail.service || :
;;
esac

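--- a/SOURCES/sendmail.pam
+++ b/SOURCES/sendmail.pam
@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth include password-auth
+account include password-auth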
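Review bot: Both lines delegate entirely to `password-auth`, so every account that can authenticate with a password is also accepted wherever this PAM service is consulted, presumably SMTP AUTH through saslauthd. If mail authentication should be limited to regular users, a line such as `auth required pam_succeed_if.so uid >= 1000 quiet` ahead of the include would keep system accounts out. Whether lockout after repeated failures applies depends on the contents of `password-auth`, which this page does not show. A leading comment naming the consumer of this file would also help the next maintainer.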

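--- a/SOURCES/sendmail.service
+++ b/SOURCES/sendmail.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Sendmail Mail Transport Agent
+After=syslog.target network.target
+Conflicts=postfix.service exim.service
+Wants=sm-client.service
+StartLimitIntervalSec=0
+[Service]
+Type=forking
+PIDFile=/run/sendmail.pid
+Environment=SENDMAIL_OPTS=-q1h
+EnvironmentFile=-/etc/sysconfig/sendmail
+ExecStartPre=-/etc/mail/make
+ExecStartPre=-/etc/mail/make aliases
+ExecStart=/usr/sbin/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG
+[Install]
+WantedBy=multi-user.target
+Also=sm-client.service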
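Review bot: The two `ExecStartPre=-/etc/mail/make` lines discard the script's exit status through the `-` prefix, and the unit does not record whether that is intended. As written, a rebuild that stops with "doesn't exist" or with the sendmail-cf warning still lets the daemon start on whatever maps and sendmail.cf are already in /etc/mail, and the only trace is the script's output in the journal. A comment above the lines would document the decision, for example `# "-": a failed map/cf rebuild must not block startup; sendmail runs with the files already present`. If startup on a stale configuration is not wanted, the prefix should be dropped instead.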


@ -0,0 +1 @@
SENDMAIL_OPTS="-q1h"

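--- a/SOURCES/sm-client.service
+++ b/SOURCES/sm-client.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Sendmail Mail Transport Client
+After=syslog.target network.target sendmail.service
+Conflicts=postfix.service exim.service
+BindTo=sendmail.service
+StartLimitIntervalSec=0
+[Service]
+Type=forking
+PIDFile=/run/sm-client.pid
+Environment=SENDMAIL_OPTS=-q1h
+EnvironmentFile=-/etc/sysconfig/sendmail
+ExecStartPre=/bin/touch /run/sm-client.pid
+ExecStartPre=/bin/chown smmsp:smmsp /run/sm-client.pid
+ExecStartPre=-/sbin/restorecon /run/sm-client.pid
+ExecStartPre=-/etc/mail/make
+ExecStart=/usr/sbin/sendmail -L sm-msp-queue -Ac $SENDMAIL_OPTS $SENDMAIL_OPTARG
+[Install]
+WantedBy=multi-user.target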
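Review bot: The `touch` and `chown smmsp:smmsp` ExecStartPre lines give systemd a `PIDFile=` that an unprivileged account can rewrite, and the unit does not explain why. Current systemd releases accept a PID read from a non-root-owned PID file only when that process already belongs to the service, so this presumably works, but the reason should be written down. If the reason is that the queue runner writes its PID without root privileges, a comment such as `# pre-created and chowned because sm-client writes its PID as smmsp` would do. Separately, `BindTo=` is the legacy spelling of the directive; `BindsTo=sendmail.service` is the documented name.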

2008
SPECS/sendmail.spec Normal file

File diff suppressed because it is too large Load Diff