Compare commits

...

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

20 changed files with 211 additions and 1058 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sendmail.8.15.2.tar.gz
SOURCES/sendmail.8.16.1.tar.gz

View File

@ -1 +1 @@
5801d4b06f4e38ef228a5954a44d17636eaa5a16 SOURCES/sendmail.8.15.2.tar.gz
748b6dfc47dfbb83ebfdd2e334c87032c4698eab SOURCES/sendmail.8.16.1.tar.gz

View File

@ -1,127 +0,0 @@
diff --git a/sendmail/envelope.c b/sendmail/envelope.c
index bae6b00..beb91a1 100644
--- a/sendmail/envelope.c
+++ b/sendmail/envelope.c
@@ -323,7 +323,7 @@ dropenvelope(e, fulldrop, split)
/* don't free, allocated from e_rpool */
e->e_message = sm_rpool_strdup_x(e->e_rpool, buf);
- message(buf);
+ message("%s", buf);
e->e_flags |= EF_CLRQUEUE;
}
if (msg_timeout == MSG_NOT_BY)
@@ -420,7 +420,7 @@ dropenvelope(e, fulldrop, split)
/* don't free, allocated from e_rpool */
e->e_message = sm_rpool_strdup_x(e->e_rpool,
buf);
- message(buf);
+ message("%s", buf);
e->e_flags |= EF_WARNING;
}
if (msg_timeout == MSG_WARN_BY)
diff --git a/sendmail/parseaddr.c b/sendmail/parseaddr.c
index 2adb39c..ba99414 100644
--- a/sendmail/parseaddr.c
+++ b/sendmail/parseaddr.c
@@ -218,7 +218,7 @@ parseaddr(addr, a, flags, delim, delimptr, e, isrcpt)
msg = "Deferring message until queue run";
if (tTd(20, 1))
sm_dprintf("parseaddr: queueing message\n");
- message(msg);
+ message("%s", msg);
if (e->e_message == NULL && e->e_sendmode != SM_DEFER)
e->e_message = sm_rpool_strdup_x(e->e_rpool, msg);
a->q_state = QS_QUEUEUP;
diff --git a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
index ba636a8..46c5356 100644
--- a/sendmail/srvrsmtp.c
+++ b/sendmail/srvrsmtp.c
@@ -122,6 +122,26 @@ extern ENVELOPE BlankEnvelope;
#define SKIP_SPACE(s) while (isascii(*s) && isspace(*s)) \
(s)++
+static inline void
+message1(fmt)
+ char *fmt;
+{
+ if (strchr(fmt, '%') == NULL)
+ message(fmt, NULL);
+ else
+ message("%s", fmt);
+}
+
+static inline void
+usrerr1(fmt)
+ char *fmt;
+{
+ if (strchr(fmt, '%') == NULL)
+ usrerr(fmt, NULL);
+ else
+ usrerr("%s", fmt);
+}
+
/*
** PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT)
**
@@ -578,13 +598,13 @@ static bool smtp_data __P((SMTP_T *, ENVELOPE *));
bool tsave = QuickAbort; \
\
QuickAbort = false; \
- usrerr(response); \
+ usrerr1(response); \
QuickAbort = tsave; \
e->e_sendqueue = NULL; \
goto doquit; \
} \
else \
- usrerr(response); \
+ usrerr1(response); \
break; \
\
case SMFIR_REJECT: \
@@ -931,7 +951,7 @@ smtp(nullserver, d_flags, e)
}
else if (strncmp(nullserver, "421 ", 4) == 0)
{
- message(nullserver);
+ message1(nullserver);
goto doquit;
}
@@ -1849,7 +1869,7 @@ smtp(nullserver, d_flags, e)
if (nullserver != NULL)
{
if (ISSMTPREPLY(nullserver))
- usrerr(nullserver);
+ usrerr1(nullserver);
else
usrerr("550 5.0.0 %s",
nullserver);
@@ -2449,7 +2469,7 @@ smtp(nullserver, d_flags, e)
tempfail = true;
smtp.sm_milterize = false;
if (response != NULL)
- usrerr(response);
+ usrerr1(response);
else
message("421 4.7.0 %s closing connection",
MyHostName);
@@ -3656,7 +3676,7 @@ smtp_data(smtp, e)
(void) extenhsc(response + 4, ' ', e->e_enhsc);
#endif /* _FFR_MILTER_ENHSC */
- usrerr(response);
+ usrerr1(response);
if (strncmp(response, "421 ", 4) == 0
|| strncmp(response, "421-", 4) == 0)
{
@@ -3776,7 +3796,7 @@ smtp_data(smtp, e)
if (ISSMTPCODE(response))
(void) extenhsc(response + 4, ' ', e->e_enhsc);
#endif /* _FFR_MILTER_ENHSC */
- usrerr(response);
+ usrerr1(response);
if (strncmp(response, "421 ", 4) == 0
|| strncmp(response, "421-", 4) == 0)
rv = false;

View File

@ -1,20 +0,0 @@
diff --git a/sendmail/tls.c b/sendmail/tls.c
index 16cb93f..9338380 100644
--- a/sendmail/tls.c
+++ b/sendmail/tls.c
@@ -1329,13 +1329,8 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
}
#if _FFR_TLS_EC
- ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if (ecdh != NULL)
- {
- SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
- SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
- EC_KEY_free(ecdh);
- }
+ SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_ecdh_auto(*ctx, 1);
#endif /* _FFR_TLS_EC */
}

View File

@ -1,182 +0,0 @@
--- sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 15:20:59.953546417 +0100
+++ sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 17:26:43.868521378 +0100
@@ -63,14 +63,28 @@ static unsigned char dh512_g[] =
static DH *
get_dh512()
{
- DH *dh = NULL;
+ DH *dh;
+ BIGNUM *p, *g;
if ((dh = DH_new()) == NULL)
return NULL;
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
+ p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+ g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+ if (p == NULL || g == NULL)
+ {
+ BN_free(p);
+ BN_free(g);
+ DH_free(dh);
return NULL;
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ DH_set0_pqg(dh, p, NULL, g);
+#else
+ dh->p = p;
+ dh->g = g;
+#endif
+
return dh;
}
@@ -117,16 +131,27 @@ get_dh2048()
};
static unsigned char dh2048_g[]={ 0x02, };
DH *dh;
+ BIGNUM *p, *g;
if ((dh=DH_new()) == NULL)
return(NULL);
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
+ p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+ g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+ if (p == NULL || g == NULL)
{
+ BN_free(p);
+ BN_free(g);
DH_free(dh);
- return(NULL);
+ return NULL;
}
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ DH_set0_pqg(dh, p, NULL, g);
+#else
+ dh->p = p;
+ dh->g = g;
+#endif
+
return(dh);
}
# endif /* !NO_DH */
@@ -715,6 +740,54 @@ static char server_session_id_context[]
# define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 0
#endif
+static RSA *
+generate_rsa_key(bits, e)
+ int bits;
+ unsigned long e;
+{
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ return RSA_generate_key(bits, e, NULL, NULL);
+#else
+ BIGNUM *bne;
+ RSA *rsa = NULL;
+
+ bne = BN_new();
+ if (bne && BN_set_word(bne, e) != 1)
+ rsa = RSA_new();
+ if (rsa && RSA_generate_key_ex(rsa, bits, bne, NULL) != 1)
+ {
+ RSA_free(rsa);
+ rsa = NULL;
+ }
+ BN_free(bne);
+ return rsa;
+#endif
+}
+
+static DSA *
+generate_dsa_parameters(bits, seed, seed_len, counter_ret, h_ret)
+ int bits;
+ unsigned char *seed;
+ int seed_len;
+ int *counter_ret;
+ unsigned long *h_ret;
+{
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+ return DSA_generate_parameters(bits, seed, seed_len, counter_ret,
+ h_ret, NULL, NULL);
+#else
+ DSA *dsa = DSA_new();
+
+ if (dsa && DSA_generate_parameters_ex(dsa, bits, seed, seed_len,
+ counter_ret, h_ret, NULL) != 1)
+ {
+ DSA_free(dsa);
+ dsa = NULL;
+ }
+ return dsa;
+#endif
+}
+
bool
inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
SSL_CTX **ctx;
@@ -926,7 +999,7 @@ inittls(ctx, req, options, srv, certfile
{
/* get a pointer to the current certificate validation store */
store = SSL_CTX_get_cert_store(*ctx); /* does not fail */
- crl_file = BIO_new(BIO_s_file_internal());
+ crl_file = BIO_new(BIO_s_file());
if (crl_file != NULL)
{
if (BIO_read_filename(crl_file, CRLFile) >= 0)
@@ -1003,8 +1076,7 @@ inittls(ctx, req, options, srv, certfile
if (bitset(TLS_I_RSA_TMP, req)
# if SM_CONF_SHM
&& ShmId != SM_SHM_NO_ID &&
- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
- NULL)) == NULL
+ (rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4)) == NULL
# else /* SM_CONF_SHM */
&& 0 /* no shared memory: no need to generate key now */
# endif /* SM_CONF_SHM */
@@ -1210,8 +1282,8 @@ inittls(ctx, req, options, srv, certfile
sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
/* this takes a while! */
- dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
- NULL, 0, NULL);
+ dsa = generate_dsa_parameters(bits, NULL, 0, NULL,
+ NULL);
dh = DSA_dup_DH(dsa);
DSA_free(dsa);
}
@@ -1747,7 +1819,7 @@ tmp_rsa_key(s, export, keylength)
if (rsa_tmp != NULL)
RSA_free(rsa_tmp);
- rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
+ rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4);
if (rsa_tmp == NULL)
{
if (LogLevel > 0)
@@ -1974,11 +2046,20 @@ x509_verify_cb(ok, ctx)
{
if (LogLevel > 13)
tls_verify_log(ok, ctx, "x509");
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ if (X509_STORE_CTX_get_error(ctx) ==
+ X509_V_ERR_UNABLE_TO_GET_CRL)
+ {
+ X509_STORE_CTX_set_error(ctx, 0);
+ return 1; /* override it */
+ }
+#else
if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
{
ctx->error = 0;
return 1; /* override it */
}
+#endif
}
return ok;
}

View File

@ -1,249 +0,0 @@
diff -ru a/sendmail/deliver.c b/sendmail/deliver.c
--- a/sendmail/deliver.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/deliver.c 2016-02-29 06:02:06.000000000 -0800
@@ -6274,8 +6274,7 @@
tlslogerr(LOG_WARNING, "client");
}
- SSL_free(clt_ssl);
- clt_ssl = NULL;
+ SM_SSL_FREE(clt_ssl);
return EX_SOFTWARE;
}
mci->mci_ssl = clt_ssl;
@@ -6287,8 +6286,7 @@
return EX_OK;
/* failure */
- SSL_free(clt_ssl);
- clt_ssl = NULL;
+ SM_SSL_FREE(clt_ssl);
return EX_SOFTWARE;
}
/*
@@ -6309,7 +6307,7 @@
if (!bitset(MCIF_TLSACT, mci->mci_flags))
return EX_OK;
- r = endtls(mci->mci_ssl, "client");
+ r = endtls(&mci->mci_ssl, "client");
mci->mci_flags &= ~MCIF_TLSACT;
return r;
}
diff -ru a/sendmail/macro.c b/sendmail/macro.c
--- a/sendmail/macro.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/macro.c 2016-02-29 06:02:06.000000000 -0800
@@ -362,6 +362,33 @@
}
/*
+** MACTABCLEAR -- clear entire macro table
+**
+** Parameters:
+** mac -- Macro table.
+**
+** Returns:
+** none.
+**
+** Side Effects:
+** clears entire mac structure including rpool pointer!
+*/
+
+void
+mactabclear(mac)
+ MACROS_T *mac;
+{
+ int i;
+
+ if (mac->mac_rpool == NULL)
+ {
+ for (i = 0; i < MAXMACROID; i++)
+ SM_FREE_CLR(mac->mac_table[i]);
+ }
+ memset((char *) mac, '\0', sizeof(*mac));
+}
+
+/*
** MACDEFINE -- bind a macro name to a value
**
** Set a macro to a value, with fancy storage management.
diff -ru a/sendmail/mci.c b/sendmail/mci.c
--- a/sendmail/mci.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/mci.c 2016-02-29 06:02:06.000000000 -0800
@@ -25,6 +25,7 @@
int, bool));
static bool mci_load_persistent __P((MCI *));
static void mci_uncache __P((MCI **, bool));
+static void mci_clear __P((MCI *));
static int mci_lock_host_statfile __P((MCI *));
static int mci_read_persistent __P((SM_FILE_T *, MCI *));
@@ -253,6 +254,7 @@
SM_FREE_CLR(mci->mci_status);
SM_FREE_CLR(mci->mci_rstatus);
SM_FREE_CLR(mci->mci_heloname);
+ mci_clear(mci);
if (mci->mci_rpool != NULL)
{
sm_rpool_free(mci->mci_rpool);
@@ -315,6 +317,41 @@
}
/*
+** MCI_CLEAR -- clear mci
+**
+** Parameters:
+** mci -- the connection to clear.
+**
+** Returns:
+** none.
+*/
+
+static void
+mci_clear(mci)
+ MCI *mci;
+{
+ if (mci == NULL)
+ return;
+
+ mci->mci_maxsize = 0;
+ mci->mci_min_by = 0;
+ mci->mci_deliveries = 0;
+#if SASL
+ if (bitset(MCIF_AUTHACT, mci->mci_flags))
+ sasl_dispose(&mci->mci_conn);
+#endif
+#if STARTTLS
+ if (bitset(MCIF_TLSACT, mci->mci_flags) && mci->mci_ssl != NULL)
+ SM_SSL_FREE(mci->mci_ssl);
+#endif
+
+ /* which flags to preserve? */
+ mci->mci_flags &= MCIF_CACHED;
+ mactabclear(&mci->mci_macro);
+}
+
+
+/*
** MCI_GET -- get information about a particular host
**
** Parameters:
@@ -419,6 +456,7 @@
mci->mci_errno = 0;
mci->mci_exitstat = EX_OK;
}
+ mci_clear(mci);
}
return mci;
diff -ru a/sendmail/sendmail.h b/sendmail/sendmail.h
--- a/sendmail/sendmail.h 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/sendmail.h 2016-02-29 06:02:06.000000000 -0800
@@ -1186,6 +1186,7 @@
#define macid(name) macid_parse(name, NULL)
extern char *macname __P((int));
extern char *macvalue __P((int, ENVELOPE *));
+extern void mactabclear __P((MACROS_T *));
extern int rscheck __P((char *, char *, char *, ENVELOPE *, int, int, char *, char *, ADDRESS *, char **));
extern int rscap __P((char *, char *, char *, ENVELOPE *, char ***, char *, int));
extern void setclass __P((int, char *));
@@ -2002,7 +2003,15 @@
extern void setclttls __P((bool));
extern bool initsrvtls __P((bool));
extern int tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
-extern int endtls __P((SSL *, char *));
+#define SM_SSL_FREE(ssl) \
+ do { \
+ if (ssl != NULL) \
+ { \
+ SSL_free(ssl); \
+ ssl = NULL; \
+ } \
+ } while (0)
+extern int endtls __P((SSL **, char *));
extern void tlslogerr __P((int, const char *));
diff -ru a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
--- a/sendmail/srvrsmtp.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/srvrsmtp.c 2016-02-29 06:02:06.000000000 -0800
@@ -2122,8 +2122,7 @@
if (get_tls_se_options(e, srv_ssl, true) != 0)
{
message("454 4.3.3 TLS not available: error setting options");
- SSL_free(srv_ssl);
- srv_ssl = NULL;
+ SM_SSL_FREE(srv_ssl);
goto tls_done;
}
@@ -2145,8 +2144,7 @@
SSL_set_wfd(srv_ssl, wfd) <= 0)
{
message("454 4.3.3 TLS not available: error set fd");
- SSL_free(srv_ssl);
- srv_ssl = NULL;
+ SM_SSL_FREE(srv_ssl);
goto tls_done;
}
if (!smtps)
@@ -2188,8 +2186,7 @@
tlslogerr(LOG_WARNING, "server");
}
tls_ok_srv = false;
- SSL_free(srv_ssl);
- srv_ssl = NULL;
+ SM_SSL_FREE(srv_ssl);
/*
** according to the next draft of
@@ -3416,7 +3413,7 @@
/* shutdown TLS connection */
if (tls_active)
{
- (void) endtls(srv_ssl, "server");
+ (void) endtls(&srv_ssl, "server");
tls_active = false;
}
#endif /* STARTTLS */
diff -ru a/sendmail/tls.c b/sendmail/tls.c
--- a/sendmail/tls.c 2016-02-29 06:01:55.000000000 -0800
+++ b/sendmail/tls.c 2016-02-29 06:02:06.000000000 -0800
@@ -1624,7 +1624,7 @@
** ENDTLS -- shutdown secure connection
**
** Parameters:
-** ssl -- SSL connection information.
+** pssl -- pointer to TLS session context
** side -- server/client (for logging).
**
** Returns:
@@ -1632,12 +1632,16 @@
*/
int
-endtls(ssl, side)
- SSL *ssl;
+endtls(pssl, side)
+ SSL **pssl;
char *side;
{
int ret = EX_OK;
+ SSL *ssl;
+ SM_REQUIRE(pssl != NULL);
+ ret = EX_OK;
+ ssl = *pssl;
if (ssl != NULL)
{
int r;
@@ -1703,8 +1707,7 @@
ret = EX_SOFTWARE;
}
# endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL */
- SSL_free(ssl);
- ssl = NULL;
+ SM_SSL_FREE(*pssl);
}
return ret;
}

View File

@ -1,204 +0,0 @@
commit 72c678024d5f7b97bae8c20cc3fb2e0299778d5b
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Mon Sep 7 12:41:05 2020 +0200
Backport confTLS_FALLBACK_TO_CLEAR Configuration option
diff --git a/cf/README b/cf/README
index 91e69a9..e8941ad 100644
--- a/cf/README
+++ b/cf/README
@@ -4011,6 +4011,10 @@ confUSERDB_SPEC UserDatabaseSpec
confFALLBACK_MX FallbackMXhost [undefined] Fallback MX host.
confFALLBACK_SMARTHOST FallbackSmartHost
[undefined] Fallback smart host.
+confTLS_FALLBACK_TO_CLEAR TLSFallbacktoClear
+ [undefined] If set, immediately try
+ a connection again without STARTTLS
+ after a TLS handshake failure.
confTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX
for a host and other arrangements
haven't been made, try connecting
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
index 0df3416..a741d97 100644
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@@ -656,6 +656,8 @@ _OPTION(CipherList, `confCIPHER_LIST', `')
_OPTION(ServerSSLOptions, `confSERVER_SSL_OPTIONS', `')
# client side SSL options
_OPTION(ClientSSLOptions, `confCLIENT_SSL_OPTIONS', `')
+# TLS: fall back to clear text after handshake failure?
+_OPTION(TLSFallbacktoClear, `confTLS_FALLBACK_TO_CLEAR', `')
# Input mail filters
_OPTION(InputMailFilters, `confINPUT_MAIL_FILTERS', `')
@@ -2856,6 +2858,7 @@ R<$-:$+><VERIFY $*> <$*> FAIL $#error $@ $2 $: $1 " authentication failed"
R<$-:$+><VERIFY $*> <$*> NO $#error $@ $2 $: $1 " not authenticated"
R<$-:$+><VERIFY $*> <$*> NOT $#error $@ $2 $: $1 " no authentication requested"
R<$-:$+><VERIFY $*> <$*> NONE $#error $@ $2 $: $1 " other side does not support STARTTLS"
+R<$-:$+><VERIFY $*> <$*> CLEAR $#error $@ $2 $: $1 " STARTTLS disabled locally"
dnl some other value for ${verify}
R<$-:$+><VERIFY $*> <$*> $+ $#error $@ $2 $: $1 " authentication failure " $4
dnl some level of encryption required: get the maximum level (case 2.)
diff --git a/doc/op/op.me b/doc/op/op.me
index 57e25cd..97d3b9c 100644
--- a/doc/op/op.me
+++ b/doc/op/op.me
@@ -8340,6 +8340,22 @@ PostMilter is useful only when
.i sendmail
is running as an SMTP server; in all other situations it
acts the same as True.
+.ip TLSFallbacktoClear
+[no short name]
+If set,
+.i sendmail
+immediately tries an outbound connection again without STARTTLS
+after a TLS handshake failure.
+Note:
+this applies to all connections even if TLS specific requirements are set
+(see rulesets
+.i tls_rcpt
+and
+.i tls_client
+).
+Hence such requirements will cause an error on a retry without STARTTLS.
+Therefore they should only trigger a temporary failure so the connection
+is later on tried again.
.ip TLSSrvOptions
[no short name]
List of options for SMTP STARTTLS for the server
diff --git a/sendmail/deliver.c b/sendmail/deliver.c
index 8027a50..af42e8f 100644
--- a/sendmail/deliver.c
+++ b/sendmail/deliver.c
@@ -1334,6 +1334,10 @@ deliver(e, firstto)
char *pv[MAXPV + 1];
char buf[MAXNAME + 1];
char cbuf[MAXPATHLEN];
+#if STARTTLS
+ /* 0: try TLS, 1: try without TLS again, >1: don't try again */
+ int tlsstate;
+#endif
errno = 0;
SM_REQUIRE(firstto != NULL); /* same as to */
@@ -1349,7 +1353,9 @@ deliver(e, firstto)
e->e_statmsg = NULL;
SmtpError[0] = '\0';
xstart = curtime();
-
+#if STARTTLS
+ tlsstate = 0;
+#endif
if (tTd(10, 1))
sm_dprintf("\n--deliver, id=%s, mailer=%s, host=`%s', first user=`%s'\n",
e->e_id, m->m_name, host, to->q_user);
@@ -2073,6 +2079,9 @@ tryhost:
hostnum++;
if (endp != NULL)
*endp = sep;
+#if STARTTLS
+ tlsstate = 0;
+#endif
one_last_try:
/* see if we already know that this host is fried */
@@ -2960,6 +2969,8 @@ reconnect: /* after switching to an encrypted connection */
usetls = bitset(MCIF_TLS, mci->mci_flags);
if (usetls)
usetls = !iscltflgset(e, D_NOTLS);
+ if (usetls)
+ usetls = tlsstate == 0;
host = macvalue(macid("{server_name}"), e);
if (usetls)
@@ -3025,8 +3036,11 @@ reconnect: /* after switching to an encrypted connection */
}
}
else
+ {
+ p = tlsstate == 0 ? "NONE": "CLEAR";
macdefine(&e->e_macro, A_PERM,
- macid("{verify}"), "NONE");
+ macid("{verify}"), p);
+ }
olderrors = Errors;
QuickAbort = false;
SuprErrs = true;
@@ -3077,6 +3091,10 @@ reconnect: /* after switching to an encrypted connection */
}
mci->mci_flags &= ~MCIF_TLSACT;
(void) endmailer(mci, e, pv);
+ if (TLSFallbacktoClear)
+ {
+ ++tlsstate;
+ }
}
else
{
@@ -3119,6 +3137,27 @@ reconnect: /* after switching to an encrypted connection */
mci_clr_extensions(mci);
goto reconnect;
}
+ if (tlsstate == 1)
+ {
+ if (tTd(11, 1))
+ {
+ sm_syslog(LOG_DEBUG, NOQID,
+ "STARTTLS=client, relay=%.100s, tlsstate=%d, status=trying_again",
+ mci->mci_host, tlsstate);
+ mci_dump(NULL, mci, true);
+ }
+ ++tlsstate;
+ /*
+ ** Fake the status so a new connection is
+ ** tried, otherwise the TLS error will
+ ** "persist" during this delivery attempt.
+ */
+
+ mci->mci_errno = 0;
+ rcode = EX_OK;
+ mci_setstat(mci, rcode, NULL, NULL);
+ goto one_last_try;
+ }
}
# endif /* STARTTLS */
# if SASL
diff --git a/sendmail/readcf.c b/sendmail/readcf.c
index 86892f5..82660f4 100644
--- a/sendmail/readcf.c
+++ b/sendmail/readcf.c
@@ -2911,7 +2911,10 @@ static struct optioninfo
#endif
#define O_USECOMPRESSEDIPV6ADDRESSES 0xec
{ "UseCompressedIPv6Addresses", O_USECOMPRESSEDIPV6ADDRESSES, OI_NONE },
-
+#if STARTTLS
+# define O_TLSFB2CLEAR 0xef
+ { "TLSFallbacktoClear", O_TLSFB2CLEAR, OI_NONE },
+#endif
{ NULL, '\0', OI_NONE }
};
@@ -4305,6 +4308,9 @@ setoption(opt, val, safe, sticky, e)
#endif /* SASL */
#if STARTTLS
+ case O_TLSFB2CLEAR:
+ TLSFallbacktoClear = atobool(val);
+ break;
case O_SRVCERTFILE:
SET_STRING_EXP(SrvCertFile);
case O_SRVKEYFILE:
diff --git a/sendmail/sendmail.h b/sendmail/sendmail.h
index 441399c..9be1e76 100644
--- a/sendmail/sendmail.h
+++ b/sendmail/sendmail.h
@@ -2032,6 +2032,7 @@ EXTERN char *CRLPath; /* path to CRLs (dir. with hashes) */
#endif /* _FFR_CRLPATH */
EXTERN unsigned long TLS_Srv_Opts; /* TLS server options */
EXTERN unsigned long Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
+EXTERN bool TLSFallbacktoClear;
#endif /* STARTTLS */
/*

View File

@ -1,149 +0,0 @@
diff --git a/include/sm/varargs.h b/include/sm/varargs.h
index 612858d..2609630 100644
--- a/include/sm/varargs.h
+++ b/include/sm/varargs.h
@@ -32,6 +32,11 @@
# define SM_VA_COPY(dst, src) __va_copy((dst), (src))
# else
# define SM_VA_COPY(dst, src) memcpy(&(dst), &(src), sizeof((dst)))
+# define SM_VA_END_COPY(ap) do { } while (0)
+# endif
+
+# ifndef SM_VA_END_COPY
+# define SM_VA_END_COPY(ap) va_end(ap)
# endif
/*
diff --git a/libsm/vfprintf.c b/libsm/vfprintf.c
index 87c353c..c99d4e5 100644
--- a/libsm/vfprintf.c
+++ b/libsm/vfprintf.c
@@ -782,6 +782,7 @@ number: if ((dprec = prec) >= 0)
done:
FLUSH();
error:
+ SM_VA_END_COPY(orgap);
if ((argtable != NULL) && (argtable != statargtable))
sm_free(argtable);
return sm_error(fp) ? SM_IO_EOF : ret;
diff --git a/sendmail/milter.c b/sendmail/milter.c
index 462efd2..af6dc66 100644
--- a/sendmail/milter.c
+++ b/sendmail/milter.c
@@ -2437,8 +2437,7 @@ milter_negotiate(m, e, milters)
sm_syslog(LOG_ERR, e->e_id,
"Milter (%s): negotiate: returned %c instead of %c",
m->mf_name, rcmd, SMFIC_OPTNEG);
- if (response != NULL)
- sm_free(response); /* XXX */
+ SM_FREE(response);
milter_error(m, e);
return -1;
}
@@ -2453,8 +2452,7 @@ milter_negotiate(m, e, milters)
sm_syslog(LOG_ERR, e->e_id,
"Milter (%s): negotiate: did not return valid info",
m->mf_name);
- if (response != NULL)
- sm_free(response); /* XXX */
+ SM_FREE(response);
milter_error(m, e);
return -1;
}
@@ -2472,8 +2470,7 @@ milter_negotiate(m, e, milters)
sm_syslog(LOG_ERR, e->e_id,
"Milter (%s): negotiate: did not return enough info",
m->mf_name);
- if (response != NULL)
- sm_free(response); /* XXX */
+ SM_FREE(response);
milter_error(m, e);
return -1;
}
@@ -2589,11 +2586,11 @@ milter_negotiate(m, e, milters)
if (tTd(64, 5))
sm_dprintf("milter_negotiate(%s): received: version %u, fflags 0x%x, pflags 0x%x\n",
m->mf_name, m->mf_fvers, m->mf_fflags, m->mf_pflags);
+ SM_FREE(response);
return 0;
error:
- if (response != NULL)
- sm_free(response); /* XXX */
+ SM_FREE(response);
return -1;
}
@@ -3230,6 +3227,7 @@ milter_changeheader(m, response, rlen, e)
addheader(newstr(field), mh_value, H_USER, e,
!bitset(SMFIP_HDR_LEADSPC, m->mf_pflags));
}
+ SM_FREE(mh_value);
return;
}
@@ -3438,6 +3436,8 @@ milter_chgfrom(response, rlen, e)
{
if (tTd(64, 10))
sm_dprintf("didn't follow protocol argc=%d\n", argc);
+ if (argv != NULL)
+ free(argv);
return;
}
@@ -3456,6 +3456,7 @@ milter_chgfrom(response, rlen, e)
mail_esmtp_args);
}
Errors = olderrors;
+ free(argv);
return;
}
@@ -3503,6 +3504,8 @@ milter_addrcpt_par(response, rlen, e)
{
if (tTd(64, 10))
sm_dprintf("didn't follow protocol argc=%d\n", argc);
+ if (argv != NULL)
+ free(argv);
return;
}
olderrors = Errors;
@@ -3527,6 +3530,7 @@ milter_addrcpt_par(response, rlen, e)
}
Errors = olderrors;
+ free(argv);
return;
}
diff --git a/sendmail/queue.c b/sendmail/queue.c
index 503f296..c9153c8 100644
--- a/sendmail/queue.c
+++ b/sendmail/queue.c
@@ -8590,6 +8590,7 @@ split_by_recipient(e)
if (split_within_queue(ee) == SM_SPLIT_FAIL)
{
e->e_sibling = firstsibling;
+ SM_FREE(lsplits);
return false;
}
ee->e_flags |= EF_SPLIT;
@@ -8604,8 +8605,7 @@ split_by_recipient(e)
if (p == NULL)
{
/* let's try to get this done */
- sm_free(lsplits);
- lsplits = NULL;
+ SM_FREE(lsplits);
}
else
lsplits = p;
@@ -8627,7 +8627,7 @@ split_by_recipient(e)
{
sm_syslog(LOG_NOTICE, e->e_id, "split: count=%d, id%s=%s",
n - 1, n > 2 ? "s" : "", lsplits);
- sm_free(lsplits);
+ SM_FREE(lsplits);
}
split = split_within_queue(e) != SM_SPLIT_FAIL;
if (split)

View File

@ -1,8 +1,8 @@
diff --git a/cf/m4/cfhead.m4 b/cf/m4/cfhead.m4
index 714a3ec..3fd6c1c 100644
index 6d12e85..15af608 100644
--- a/cf/m4/cfhead.m4
+++ b/cf/m4/cfhead.m4
@@ -260,7 +260,7 @@ ifdef(`MAIL_SETTINGS_DIR', , `define(`MAIL_SETTINGS_DIR', `/etc/mail/')')
@@ -269,7 +269,7 @@ ifdef(`MAIL_SETTINGS_DIR', , `define(`MAIL_SETTINGS_DIR', `/etc/mail/')')
define(`DATABASE_MAP_TYPE', `hash')
# set up default values for options
@ -12,10 +12,10 @@ index 714a3ec..3fd6c1c 100644
define(`confFROM_LINE', `From $g $d')
define(`confOPERATORS', `.:%@!^/[]+')
diff --git a/sendmail/aliases.0 b/sendmail/aliases.0
index cfdbe17..5ea4c28 100644
index ba855d4..edb3b19 100644
--- a/sendmail/aliases.0
+++ b/sendmail/aliases.0
@@ -63,7 +63,7 @@ DDEESSCCRRIIPPTTIIOONN
@@ -63,7 +63,7 @@ ALIASES(5) ALIASES(5)
the list of users defined in that file.
This is only the raw data file; the actual aliasing information is
@ -47,26 +47,26 @@ index f09b49c..7b16db2 100644
newaliases(1).
A
diff --git a/sendmail/newaliases.0 b/sendmail/newaliases.0
index c77f401..e2a1670 100644
index 49ff2b0..247a276 100644
--- a/sendmail/newaliases.0
+++ b/sendmail/newaliases.0
@@ -10,7 +10,7 @@ SSYYNNOOPPSSIISS
@@ -10,7 +10,7 @@ NEWALIASES(1) NEWALIASES(1)
DDEESSCCRRIIPPTTIIOONN
NNeewwaalliiaasseess rebuilds the random access data base for the mail aliases
DESCRIPTION
Newaliases rebuilds the random access data base for the mail aliases
- file /etc/mail/aliases. It must be run each time this file is changed
+ file /etc/aliases. It must be run each time this file is changed
in order for the change to take effect.
NNeewwaalliiaasseess is identical to ``sendmail -bi''.
@@ -22,7 +22,7 @@ DDEESSCCRRIIPPTTIIOONN
sseennddmmaaiill..
Newaliases is identical to ``sendmail -bi''.
@@ -22,7 +22,7 @@ NEWALIASES(1) NEWALIASES(1)
sendmail.
FFIILLEESS
FILES
- /etc/mail/aliases The mail aliases file
+ /etc/aliases The mail aliases file
SSEEEE AALLSSOO
SEE ALSO
aliases(5), sendmail(8)
diff --git a/sendmail/newaliases.1 b/sendmail/newaliases.1
index 59dc0de..9ba8752 100644
@ -91,10 +91,10 @@ index 59dc0de..9ba8752 100644
.SH SEE ALSO
aliases(5), sendmail(8)
diff --git a/sendmail/sendmail.0 b/sendmail/sendmail.0
index 515d5f7..8236411 100644
index 60ab1cd..5f3bf93 100644
--- a/sendmail/sendmail.0
+++ b/sendmail/sendmail.0
@@ -434,10 +434,10 @@ FFIILLEESS
@@ -434,10 +434,10 @@ SENDMAIL(8) SENDMAIL(8)
are only approximations.

View File

@ -39,8 +39,8 @@
define(`confREQUIRE_SM_OS_H', `true')
PREPENDDEF(`confENVDEF', `confMAPDEF')
bldPRODUCT_START(`library', `libsm')
-define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strerror.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c ')
+define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c ')
-define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strerror.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c notify.c ')
+define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c notify.c ')
bldPRODUCT_END
dnl msg.c
dnl syslogio.c

View File

@ -1,10 +1,8 @@
Description: systemd-like socket activation support for libmilter
Author: Mikhail Gusarov <dottedmag@debian.org
diff --git a/libmilter/docs/smfi_setconn.html b/libmilter/docs/smfi_setconn.html
index eba7c5b..5b272a0 100644
index 8897f5a..0e04120 100644
--- a/libmilter/docs/smfi_setconn.html
+++ b/libmilter/docs/smfi_setconn.html
@@ -43,6 +43,7 @@ Set the socket through which this filter should communicate with sendmail.
@@ -44,6 +44,7 @@ Set the socket through which this filter should communicate with sendmail.
<LI><CODE>{unix|local}:/path/to/file</CODE> -- A named pipe.
<LI><CODE>inet:port@{hostname|ip-address}</CODE> -- An IPV4 socket.
<LI><CODE>inet6:port@{hostname|ip-address}</CODE> -- An IPV6 socket.
@ -13,7 +11,7 @@ index eba7c5b..5b272a0 100644
</TD></TR>
</TABLE>
diff --git a/libmilter/listener.c b/libmilter/listener.c
index 11d92bb..2ab533d 100644
index 0468a62..72e7a4f 100644
--- a/libmilter/listener.c
+++ b/libmilter/listener.c
@@ -197,6 +197,11 @@ mi_milteropen(conn, backlog, rmsocket, name)
@ -54,7 +52,7 @@ index 11d92bb..2ab533d 100644
@@ -466,6 +485,7 @@ mi_milteropen(conn, backlog, rmsocket, name)
#if NETUNIX
addr.sa.sa_family != AF_UNIX &&
#endif /* NETUNIX */
#endif
+ addr.sa.sa_family != AF_UNSPEC &&
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *) &sockopt,
sizeof(sockopt)) == -1)
@ -72,7 +70,7 @@ index 11d92bb..2ab533d 100644
@@ -818,7 +839,7 @@ mi_listener(conn, dbg, smfi, timeout, backlog)
# ifdef BSD4_4_SOCKADDR
cliaddr.sa.sa_len == 0 ||
# endif /* BSD4_4_SOCKADDR */
# endif
- cliaddr.sa.sa_family != L_family))
+ (L_family != AF_UNSPEC && cliaddr.sa.sa_family != L_family)))
{

View File

@ -1,8 +1,8 @@
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
index 696bf36..5a5963b 100644
index 618dde0..8c460ce 100644
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@@ -1898,6 +1898,8 @@ R<@> < $* @ [IPv6:::1] >
@@ -1910,6 +1910,8 @@ R<@> < $* @ [IPv6:::1] >
$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >

View File

@ -0,0 +1,19 @@
diff --git a/sendmail/tls.c b/sendmail/tls.c
index 696d32f..b8527c4 100644
--- a/sendmail/tls.c
+++ b/sendmail/tls.c
@@ -29,7 +29,13 @@ SM_RCSID("@(#)$Id: tls.c,v 8.127 2013-11-27 02:51:11 gshapiro Exp $")
# ERROR: OpenSSL version OPENSSL_VERSION_NUMBER is unsupported.
# endif
-# if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
+/*
+ ** *SSL version numbers:
+ ** OpenSSL 0.9 - 1.1 (so far), 3.0 (in alpha)
+ ** LibreSSL 2.0 (0x20000000L - part of "These will never change")
+ */
+
+# if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
# define MTA_HAVE_DH_set0_pqg 1
# define MTA_HAVE_DSA_GENERATE_EX 1

View File

@ -12,10 +12,10 @@ index b9dfb16..cb325cc 100644
dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')dnl
FEATURE(`use_ct_file')dnl
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
index 5a5963b..0df3416 100644
index 8c460ce..a68ab8d 100644
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@@ -251,6 +251,9 @@ _OPTION(SevenBitInput, `confSEVEN_BIT_INPUT', `False')
@@ -253,6 +253,9 @@ _OPTION(SevenBitInput, `confSEVEN_BIT_INPUT', `False')
# 8-bit data handling
_OPTION(EightBitMode, `confEIGHT_BIT_HANDLING', `pass8')
@ -26,11 +26,11 @@ index 5a5963b..0df3416 100644
_OPTION(AliasWait, `confALIAS_WAIT', `5m')
diff --git a/sendmail/conf.c b/sendmail/conf.c
index cbb9c76..1b55533 100644
index e9fa42c..fa64b11 100644
--- a/sendmail/conf.c
+++ b/sendmail/conf.c
@@ -6430,6 +6430,10 @@ char *FFRCompileOptions[] =
#if _FFR_QF_PARANOIA
@@ -6614,6 +6614,10 @@ char *FFRCompileOptions[] =
/* Check to make sure key fields were read from qf */
"_FFR_QF_PARANOIA",
#endif
+#if _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
@ -41,10 +41,10 @@ index cbb9c76..1b55533 100644
/* Allow QueueSortOrder per queue group. */
/* XXX: Still need to actually use qgrp->qg_sortorder */
diff --git a/sendmail/daemon.c b/sendmail/daemon.c
index 4288365..86fe319 100644
index 19a9378..5561cf5 100644
--- a/sendmail/daemon.c
+++ b/sendmail/daemon.c
@@ -104,6 +104,10 @@ static int NDaemons = 0; /* actual number of daemons */
@@ -124,6 +124,10 @@ static int NDaemons = 0; /* actual number of daemons */
static time_t NextDiskSpaceCheck = 0;
@ -55,7 +55,7 @@ index 4288365..86fe319 100644
/*
** GETREQUESTS -- open mail IPC port and get requests.
**
@@ -1139,6 +1143,16 @@ opendaemonsocket(d, firsttime)
@@ -1159,6 +1163,16 @@ opendaemonsocket(d, firsttime)
(void) setsockopt(d->d_socket, SOL_SOCKET,
SO_KEEPALIVE, (char *)&on, sizeof(on));
@ -72,7 +72,7 @@ index 4288365..86fe319 100644
#ifdef SO_RCVBUF
if (d->d_tcprcvbufsize > 0)
{
@@ -2571,6 +2585,16 @@ gothostent:
@@ -2688,6 +2702,16 @@ gothostent:
return EX_TEMPFAIL;
}
@ -90,21 +90,21 @@ index 4288365..86fe319 100644
if (ClientSettings[family].d_tcpsndbufsize > 0)
{
diff --git a/sendmail/readcf.c b/sendmail/readcf.c
index 2b0fbf7..86892f5 100644
index e6f6296..adb09da 100644
--- a/sendmail/readcf.c
+++ b/sendmail/readcf.c
@@ -18,6 +18,7 @@ SM_RCSID("@(#)$Id: readcf.c,v 8.692 2013-11-22 20:51:56 ca Exp $")
@@ -24,6 +24,7 @@ SM_RCSID("@(#)$Id: readcf.c,v 8.692 2013-11-22 20:51:56 ca Exp $")
#if NETINET || NETINET6
# include <arpa/inet.h>
+# include <netinet/ip.h>
#endif /* NETINET || NETINET6 */
#endif
@@ -2888,8 +2889,8 @@ static struct optioninfo
@@ -2917,8 +2918,8 @@ static struct optioninfo
# define O_RCPTTHROTDELAY 0xe6
{ "BadRcptThrottleDelay", O_RCPTTHROTDELAY, OI_SAFE },
#endif /* _FFR_RCPTTHROTDELAY */
#endif
-#if 0 && _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
-# define O_INETQOS 0xe7 /* reserved for FFR_QOS */
+#if _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
@ -112,7 +112,7 @@ index 2b0fbf7..86892f5 100644
{ "InetQoS", O_INETQOS, OI_NONE },
#endif
#if STARTTLS && _FFR_FIPSMODE
@@ -2914,6 +2915,77 @@ static struct optioninfo
@@ -2982,6 +2983,77 @@ static struct optioninfo
{ NULL, '\0', OI_NONE }
};
@ -190,9 +190,9 @@ index 2b0fbf7..86892f5 100644
# define CANONIFY(val)
# define SET_OPT_DEFAULT(opt, val) opt = val
@@ -4540,6 +4612,33 @@ setoption(opt, val, safe, sticky, e)
UseCompressedIPv6Addresses = atobool(val);
@@ -4679,6 +4751,33 @@ setoption(opt, val, safe, sticky, e)
break;
# endif
+#ifdef O_INETQOS
+ case O_INETQOS:
@ -225,22 +225,22 @@ index 2b0fbf7..86892f5 100644
if (tTd(37, 1))
{
diff --git a/sendmail/sendmail.h b/sendmail/sendmail.h
index b2d0211..3bcc2e2 100644
index e6cf45d..7f5cf9f 100644
--- a/sendmail/sendmail.h
+++ b/sendmail/sendmail.h
@@ -2537,7 +2537,14 @@ EXTERN struct termescape TermEscape; /* terminal escape codes */
EXTERN SOCKADDR ConnectOnlyTo; /* override connection address (for testing) */
@@ -2566,6 +2566,15 @@ EXTERN SOCKADDR ConnectOnlyTo; /* override connection address (for testing) */
EXTERN SOCKADDR RealHostAddr; /* address of host we are talking to */
extern const SM_EXC_TYPE_T EtypeQuickAbort; /* type of a QuickAbort exception */
-
+#if _FFR_QOS
+# if !defined(SOL_IP) && defined(IPPROTO_IP)
+# define SOL_IP IPPROTO_IP
+# endif
+# if defined(SOL_IP) && defined(IP_TOS)
+EXTERN int InetQoS; /* QoS mapping */
+extern int InetQoS; /* QoS mapping */
+# endif
+#endif
EXTERN int ConnectionRateWindowSize;
#if STARTTLS && USE_OPENSSL_ENGINE
+
#if _FFR_BLANKENV_MACV
EXTERN int Hacks; /* bit field of run-time enabled "hacks" */
# define H_LOOKUP_MACRO_IN_BLANKENV 0x0001

View File

@ -1,18 +1,18 @@
diff --git a/sendmail/usersmtp.c b/sendmail/usersmtp.c
index c217ffa..e4dadd3 100644
index b4ff5cc..dddbb0a 100644
--- a/sendmail/usersmtp.c
+++ b/sendmail/usersmtp.c
@@ -1331,9 +1331,7 @@ safesaslfile(context, file)
@@ -1346,9 +1346,7 @@ safesaslfile(context, file)
{
long sff;
int r;
-#if SASL <= 10515
size_t len;
-#endif /* SASL <= 10515 */
-#endif
char *p;
if (file == NULL || *file == '\0')
@@ -1369,9 +1367,16 @@ safesaslfile(context, file)
@@ -1386,9 +1384,16 @@ safesaslfile(context, file)
#endif /* SASL <= 10515 */
p = (char *) file;

View File

@ -165,18 +165,18 @@ diff -up sendmail-8.14.3/smrsh/smrsh.c.smrsh_paths sendmail-8.14.3/smrsh/smrsh.c
@@ -77,7 +77,7 @@ SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 20
# ifdef SMRSH_CMDDIR
# define CMDDIR SMRSH_CMDDIR
# else /* SMRSH_CMDDIR */
# else
-# define CMDDIR "/usr/adm/sm.bin"
+# define CMDDIR "/etc/smrsh"
# endif /* SMRSH_CMDDIR */
# endif
#endif /* ! CMDDIR */
@@ -89,7 +89,7 @@ SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 20
# ifdef SMRSH_PATH
# define PATH SMRSH_PATH
# else /* SMRSH_PATH */
# else
-# define PATH "/bin:/usr/bin:/usr/ucb"
+# define PATH "/bin:/usr/bin"
# endif /* SMRSH_PATH */
# endif
#endif /* ! PATH */

View File

@ -1,13 +1,13 @@
diff --git a/sendmail/conf.c b/sendmail/conf.c
index c73334e..cbb9c76 100644
index 63c545c..e9fa42c 100644
--- a/sendmail/conf.c
+++ b/sendmail/conf.c
@@ -986,7 +986,7 @@ switch_map_find(service, maptype, mapreturn)
@@ -1039,7 +1039,7 @@ switch_map_find(service, maptype, mapreturn)
if (p != NULL)
*p = '\0';
#ifndef SM_NSSWITCH_DELIMS
-# define SM_NSSWITCH_DELIMS " \t"
+# define SM_NSSWITCH_DELIMS " \t:"
#endif /* SM_NSSWITCH_DELIMS */
#endif
p = strpbrk(buf, SM_NSSWITCH_DELIMS);
if (p != NULL)

View File

@ -104,7 +104,7 @@ dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`blocklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment

View File

@ -13,6 +13,9 @@ EnvironmentFile=-/etc/sysconfig/sendmail
ExecStartPre=-/etc/mail/make
ExecStartPre=-/etc/mail/make aliases
ExecStart=/usr/sbin/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG
ExecReload=/usr/bin/kill -HUP $MAINPID
# hack to allow async reload to complete, otherwise systemd may signal error
ExecReload=/usr/bin/sleep 2
[Install]
WantedBy=multi-user.target

View File

@ -3,6 +3,11 @@
%global with_sasl2 yes
%global with_milter yes
%global with_ldap yes
%if 0%{?rhel} < 9
%global with_nis yes
%else
%global with_nis no
%endif
%global enable_pie yes
%global sendmailcf %{_datadir}/sendmail-cf
@ -16,13 +21,18 @@
# hardened build if not overridden
%{!?_hardened_build:%global _hardened_build 1}
%if "%{with_nis}" == "yes"
%global nis_cflags -DNIS
%global nis_ldadd -lnsl
%endif
Summary: A widely used Mail Transport Agent (MTA)
Name: sendmail
Version: 8.15.2
Release: 34%{?dist}
Version: 8.16.1
Release: 11%{?dist}
License: Sendmail
Group: System Environment/Daemons
URL: http://www.sendmail.org/
Source0: ftp://ftp.sendmail.org/pub/sendmail/sendmail.%{version}.tar.gz
# Systemd Service file
Source1: sendmail.service
@ -57,50 +67,41 @@ Source17: sendmail-etc-mail-virtusertable
# fix man path and makemap man page
Patch3: sendmail-8.14.4-makemapman.patch
# fix smrsh paths
Patch4: sendmail-8.14.3-smrsh_paths.patch
Patch4: sendmail-8.16.1-smrsh_paths.patch
# fix sm-client.pid path
Patch7: sendmail-8.14.9-pid.patch
# fix sendmail man page
Patch10: sendmail-8.15.1-manpage.patch
# compile with -fpie
Patch11: sendmail-8.15.1-dynamic.patch
Patch11: sendmail-8.16.1-dynamic.patch
# fix cyrus path
Patch12: sendmail-8.13.0-cyrus.patch
# fix aliases.db path
Patch13: sendmail-8.15.1-aliases_dir.patch
Patch13: sendmail-8.16.1-aliases_dir.patch
# fix vacation Makefile
Patch14: sendmail-8.14.9-vacation.patch
# remove version information from sendmail helpfile
Patch15: sendmail-8.14.9-noversion.patch
# do not accept localhost.localdomain as valid address from SMTP
Patch16: sendmail-8.15.2-localdomain.patch
Patch16: sendmail-8.16.1-localdomain.patch
# build libmilter as DSO
Patch17: sendmail-8.14.3-sharedmilter.patch
# skip colon separator when parsing service name in ServiceSwitchFile
Patch18: sendmail-8.15.2-switchfile.patch
Patch18: sendmail-8.16.1-switchfile.patch
# silence warning about missing sasl2 config in /usr/lib*, now in /etc/sasl2
Patch23: sendmail-8.14.8-sasl2-in-etc.patch
Patch23: sendmail-8.16.1-sasl2-in-etc.patch
# add QoS support, patch from Philip Prindeville <philipp@fedoraproject.org>
# upstream reserved option ID 0xe7 for testing of this new feature, #576643
Patch25: sendmail-8.15.2-qos.patch
Patch26: sendmail-8.15.2-libmilter-socket-activation.patch
# patch provided by upstream
Patch27: sendmail-8.15.2-smtp-session-reuse-fix.patch
Patch28: sendmail-8.15.2-openssl-1.1.0-fix.patch
# patch taken from Debian
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807258
Patch29: sendmail-8.15.2-format-security.patch
# rhbz#1473971
Patch30: sendmail-8.15.2-openssl-1.1.0-ecdhe-fix.patch
# Upstream patch:
Patch31: sendmail-8.16.0.29-fix-covscan-issues.patch
# Enable sendmail to stop using STARTTLS after a certain amount of previous failures
# rhbz#1868041
Patch32: sendmail-8.15.2-tlsfallback.patch
Patch25: sendmail-8.16.1-qos.patch
Patch26: sendmail-8.16.1-libmilter-socket-activation.patch
Patch27: sendmail-8.16.1-openssl-3.0-fix.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: make
BuildRequires: libdb-devel
%if "%{with_nis}" == "yes"
BuildRequires: libnsl2-devel
%endif
BuildRequires: tinycdb-devel
BuildRequires: groff
BuildRequires: ghostscript
BuildRequires: m4
@ -125,6 +126,8 @@ Requires: %{_sbindir}/saslauthd
%if "%{with_ldap}" == "yes"
BuildRequires: openldap-devel openssl-devel
%endif
# Old NetworkManager expects the dispatcher scripts in a different place
Conflicts: NetworkManager < 1.20
%description
@ -140,7 +143,6 @@ Sendmail, you can install the sendmail-doc package.
%package doc
Summary: Documentation about the Sendmail Mail Transport Agent program
Group: Documentation
BuildArch: noarch
Requires: sendmail = %{version}-%{release}
@ -151,7 +153,6 @@ contributed scripts and tools for use with Sendmail.
%package milter-devel
Summary: Development files for the sendmail milter library
Group: Development/Libraries
Requires: sendmail-milter%{?_isa} = %{version}-%{release}
# The following Provides: and Obsoletes: can be dropped in f28+
Provides: sendmail-devel%{?_isa} = %{version}-%{release}
@ -163,7 +164,6 @@ Include files and devel libraries for the milter add-ons as part of sendmail.
%package cf
Summary: The files needed to reconfigure Sendmail
Group: System Environment/Daemons
Requires: sendmail = %{version}-%{release}
BuildArch: noarch
Requires: m4
@ -176,7 +176,6 @@ your sendmail.cf file.
%package milter
Summary: The sendmail milter library
Group: System Environment/Libraries
%description milter
The sendmail Mail Filter API (Milter) is designed to allow third-party
@ -206,12 +205,7 @@ cp devtools/M4/UNIX/{,shared}library.m4
%patch23 -p1 -b .sasl2-in-etc
%patch25 -p1 -b .qos
%patch26 -p1 -b .libmilter-socket-activation
%patch27 -p1 -b .smtp-session-reuse-fix
%patch28 -p1 -b .openssl-1.1.0-fix
%patch29 -p1 -b .format-security
%patch30 -p1 -b .openssl-1.1.0-ecdhe-fix
%patch31 -p1 -b .fix-covscan-issues
%patch32 -p1
%patch27 -p1 -b .openssl-3.0-fix
for f in RELEASE_NOTES contrib/etrn.0; do
iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
@ -223,11 +217,11 @@ sed -i 's|/usr/local/bin/perl|%{_bindir}/perl|' contrib/*.pl
%build
# generate redhat config file
cat > redhat.config.m4 << EOF
define(\`confMAPDEF', \`-DNEWDB -DNIS -DMAP_REGEX -DSOCKETMAP -DNAMED_BIND=1')
define(\`confMAPDEF', \`-DNEWDB -DCDB %{?nis_cflags} -DMAP_REGEX -DSOCKETMAP -DNAMED_BIND=1')
define(\`confOPTIMIZE', \`\`\`\`${RPM_OPT_FLAGS}'''')
define(\`confENVDEF', \`-I%{_includedir}/libdb -I%{_prefix}/kerberos/include -Wall -DXDEBUG=0 -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_LINUX_MHNL -D_FFR_QOS -D_FILE_OFFSET_BITS=64')
define(\`confENVDEF', \`-I%{_includedir}/libdb -I%{_prefix}/kerberos/include -Wall -DXDEBUG=0 -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_LINUX_MHNL -D_FFR_QOS -D_FILE_OFFSET_BITS=64 -DHAS_GETHOSTBYNAME2')
define(\`confLIBDIRS', \`-L%{_prefix}/kerberos/%{_lib}')
define(\`confLIBS', \`-lnsl -lcrypt -ldb -lresolv')
define(\`confLIBS', \`%{?nis_ldadd} -lcrypt -ldb -lcdb -lresolv')
%{?_hardened_build:define(\`confLDOPTS', \`-Xlinker -z -Xlinker relro -Xlinker -z -Xlinker now')}
define(\`confMANOWN', \`root')
define(\`confMANGRP', \`root')
@ -238,6 +232,7 @@ define(\`confMAN8SRC', \`8')
define(\`confSTDIR', \`%{stdir}')
define(\`STATUS_FILE', \`%{stdir}/statistics')
define(\`confLIBSEARCH', \`db resolv 44bsd')
define(\`confCC', \`%{__cc}')
EOF
#'
@ -263,7 +258,7 @@ EOF
%if "%{with_tls}" == "yes"
cat >> redhat.config.m4 << EOF
APPENDDEF(\`conf_sendmail_ENVDEF', \`-DSTARTTLS -D_FFR_TLS_1 -D_FFR_TLS_EC -D_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE')dnl
APPENDDEF(\`conf_sendmail_ENVDEF', \`-DSTARTTLS -D_FFR_TLS_1 -DTLS_EC -D_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE -DDANE')dnl
APPENDDEF(\`conf_sendmail_LIBS', \`-lssl -lcrypto')dnl
EOF
%endif
@ -305,15 +300,13 @@ done
make -C doc/op op.pdf
%install
rm -rf %{buildroot}
# create directories
for d in %{_bindir} %{_sbindir} %{_includedir}/libmilter \
%{_libdir} %{_mandir}/man{1,5,8} %{maildir} %{stdir} %{spooldir} \
%{_docdir}/sendmail %{sendmailcf} %{_sysconfdir}/smrsh\
%{spooldir}/clientmqueue %{_sysconfdir}/sysconfig %{_initrddir} \
%{_sysconfdir}/pam.d %{_docdir}/sendmail/contrib \
%{_sysconfdir}/NetworkManager/dispatcher.d
%{_prefix}/lib/NetworkManager/dispatcher.d
do
install -m 755 -d %{buildroot}$d
done
@ -426,7 +419,7 @@ touch %{buildroot}%{maildir}/aliasesdb-stamp
touch %{buildroot}%{spooldir}/clientmqueue/sm-client.st
install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/sendmail
install -p -m 755 %{SOURCE2} %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/10-sendmail
install -p -m 755 %{SOURCE2} %{buildroot}%{_prefix}/lib/NetworkManager/dispatcher.d/10-sendmail
install -p -m 755 %{SOURCE3} %{buildroot}%{maildir}/make
install -p -m 644 %{SOURCE5} %{buildroot}%{maildir}/Makefile
@ -573,7 +566,7 @@ if [ ! -f %{sslcert} ]; then
%{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -set_serial $RANDOM -out %{sslcert} \
-subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"
chmod 644 %{sslcert}
chmod 600 %{sslcert}
fi
exit 0
@ -585,9 +578,7 @@ if [ $1 = 0 ]; then
fi
exit 0
%post milter -p /sbin/ldconfig
%postun milter -p /sbin/ldconfig
%ldconfig_scriptlets milter
%files
@ -675,7 +666,7 @@ exit 0
%{_unitdir}/sm-client.service
%config(noreplace) %{_sysconfdir}/sysconfig/sendmail
%config(noreplace) %{_sysconfdir}/pam.d/smtp.sendmail
%{_sysconfdir}/NetworkManager/dispatcher.d/10-sendmail
%{_prefix}/lib/NetworkManager
%if "%{with_sasl2}" == "yes"
%config(noreplace) %{_sysconfdir}/sasl2/Sendmail.conf
@ -718,27 +709,100 @@ exit 0
%changelog
* Tue Dec 01 2020 Tomas Korbar <tkorbar@redhat.com> - 8.15.2-34
- Fix verification of ghost files
- Resolves: rhbz#1730804
* Mon Aug 14 2023 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-11
- Fixed verification of the ghost files
Resolves: rhbz#2052091
* Tue Sep 08 2020 Tomas Korbar <tkorbar@redhat.com> - 8.15.2-33
- Backport confTLS_FALLBACK_TO_CLEAR option
- Resolves: rhbz#1868041
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 8.16.1-10
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri May 03 2019 Ondřej Lysoněk <olysonek@redhat.com> - 8.15.2-32
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 8.16.1-9
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri May 7 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-8
- Added support for openssl-3.0
Resolves: rhbz#1953504
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 8.16.1-7
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-6
- Disable NIS support for RHEL9+
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8.16.1-5
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 8.16.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Dec 2 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-3
- Enabled CDB map support
Related: rhbz#1781181
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.16.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 7 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-1
- New version
Resolves: rhbz#1853885
- Dropped smtp-session-reuse-fix, openssl-1.1.0-fix, openssl-1.1.0-ecdhe-fix,
gethostbyname2, fix-covscan-issues, gcc-10-fix patches (not needed)
- Dropped format-security patch (upstreamed)
- Updated patches
* Fri Apr 03 2020 Tom Stellard <tstellar@redhat.com> - 8.15.2-44
- Specify value for confCC in redhat.config.m4
* Mon Feb 10 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-43
- Fixed FTBFS with gcc-10
Resolves: rhbz#1800082
- De-fuzzified fix-covscan-issues patch
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.2-42
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Nov 04 2019 Ondřej Lysoněk <olysonek@redhat.com> - 8.15.2-41
- Fix issues discovered by Coverity scan
- Resolves: rhbz#1602689
* Mon Nov 19 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-31
* Thu Aug 22 2019 Lubomir Rintel <lkundrak@v3.sk> - 8.15.2-40
- Move the NetworkManager dispatcher script out of /etc
* Fri Aug 2 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-39
- Used gethostbyname2 instead of gethostbyname to fix FTBFS caused by
glibc update dropping support for obsolete RES_USE_INET6
Resolves: rhbz#1736650
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.2-38
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.2-37
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 8.15.2-36
- Rebuilt for libcrypt.so.2 (#1666033)
* Mon Nov 19 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-35
- Used _prefix macro for more hardcoded /usr directories
* Mon Nov 19 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-34
- Used _prefix macro for /usr
Resolves: rhbz#1650256
* Thu Nov 15 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-30
- Dropped sysvinit support
Resolves: rhbz#1610287
* Mon Oct 29 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-33
- Dropped hesiod support
Resolves: rhbz#1638491
Resolves: rhbz#1643264
* Tue Oct 16 2018 Peter Robinson <pbrobinson@fedoraproject.org> 8.15.2-32
- Drop old pre F-23 conditionals, minor spec cleanups
* Wed Aug 29 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-31
- Added support for sendmail service reload
Resolves: rhbz#1618552
* Mon Aug 20 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-30
- Fixed sendmail.pem unsafe: Group readable file
* Mon Jul 23 2018 Robert Scheck <robert@fedoraproject.org> - 8.15.2-29
- Add basic sendmail TLS configuration by default (#1607314 #c11)