.gitignore

@@ -1 +1,4 @@
-SOURCES/sendmail.8.15.2.tar.gz
+/sendmail.8.14.?.tar.gz
+/sendmail.8.15.1.tar.gz
+/sendmail.8.15.2.tar.gz
+/sendmail.8.16.1.tar.gz

.sendmail.metadata

@@ -1 +1 @@
-5801d4b06f4e38ef228a5954a44d17636eaa5a16 SOURCES/sendmail.8.15.2.tar.gz
+748b6dfc47dfbb83ebfdd2e334c87032c4698eab sendmail.8.16.1.tar.gz

SOURCES/sendmail-8.15.2-format-security.patch

@@ -1,127 +0,0 @@
-diff --git a/sendmail/envelope.c b/sendmail/envelope.c
-index bae6b00..beb91a1 100644
---- a/sendmail/envelope.c
-+++ b/sendmail/envelope.c
-@@ -323,7 +323,7 @@ dropenvelope(e, fulldrop, split)
- 
- 			/* don't free, allocated from e_rpool */
- 			e->e_message = sm_rpool_strdup_x(e->e_rpool, buf);
--			message(buf);
-+			message("%s", buf);
- 			e->e_flags |= EF_CLRQUEUE;
- 		}
- 		if (msg_timeout == MSG_NOT_BY)
-@@ -420,7 +420,7 @@ dropenvelope(e, fulldrop, split)
- 				/* don't free, allocated from e_rpool */
- 				e->e_message = sm_rpool_strdup_x(e->e_rpool,
- 								 buf);
--				message(buf);
-+				message("%s", buf);
- 				e->e_flags |= EF_WARNING;
- 			}
- 			if (msg_timeout == MSG_WARN_BY)
-diff --git a/sendmail/parseaddr.c b/sendmail/parseaddr.c
-index 2adb39c..ba99414 100644
---- a/sendmail/parseaddr.c
-+++ b/sendmail/parseaddr.c
-@@ -218,7 +218,7 @@ parseaddr(addr, a, flags, delim, delimptr, e, isrcpt)
- 			msg = "Deferring message until queue run";
- 		if (tTd(20, 1))
- 			sm_dprintf("parseaddr: queueing message\n");
--		message(msg);
-+		message("%s", msg);
- 		if (e->e_message == NULL && e->e_sendmode != SM_DEFER)
- 			e->e_message = sm_rpool_strdup_x(e->e_rpool, msg);
- 		a->q_state = QS_QUEUEUP;
-diff --git a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
-index ba636a8..46c5356 100644
---- a/sendmail/srvrsmtp.c
-+++ b/sendmail/srvrsmtp.c
-@@ -122,6 +122,26 @@ extern ENVELOPE	BlankEnvelope;
- #define SKIP_SPACE(s)	while (isascii(*s) && isspace(*s))	\
- 				(s)++
- 
-+static inline void
-+message1(fmt)
-+	char *fmt;
-+{
-+	if (strchr(fmt, '%') == NULL)
-+		message(fmt, NULL);
-+	else
-+		message("%s", fmt);
-+}
-+
-+static inline void
-+usrerr1(fmt)
-+	char *fmt;
-+{
-+	if (strchr(fmt, '%') == NULL)
-+		usrerr(fmt, NULL);
-+	else
-+		usrerr("%s", fmt);
-+}
-+
- /*
- **  PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT)
- **
-@@ -578,13 +598,13 @@ static bool	smtp_data __P((SMTP_T *, ENVELOPE *));
- 				bool tsave = QuickAbort;		\
- 									\
- 				QuickAbort = false;			\
--				usrerr(response);			\
-+				usrerr1(response);			\
- 				QuickAbort = tsave;			\
- 				e->e_sendqueue = NULL;			\
- 				goto doquit;				\
- 			}						\
- 			else						\
--				usrerr(response);			\
-+				usrerr1(response);			\
- 			break;						\
- 									\
- 		  case SMFIR_REJECT:					\
-@@ -931,7 +951,7 @@ smtp(nullserver, d_flags, e)
- 	}
- 	else if (strncmp(nullserver, "421 ", 4) == 0)
- 	{
--		message(nullserver);
-+		message1(nullserver);
- 		goto doquit;
- 	}
- 
-@@ -1849,7 +1869,7 @@ smtp(nullserver, d_flags, e)
- 				if (nullserver != NULL)
- 				{
- 					if (ISSMTPREPLY(nullserver))
--						usrerr(nullserver);
-+						usrerr1(nullserver);
- 					else
- 						usrerr("550 5.0.0 %s",
- 						       nullserver);
-@@ -2449,7 +2469,7 @@ smtp(nullserver, d_flags, e)
- 					tempfail = true;
- 					smtp.sm_milterize = false;
- 					if (response != NULL)
--						usrerr(response);
-+						usrerr1(response);
- 					else
- 						message("421 4.7.0 %s closing connection",
- 							MyHostName);
-@@ -3656,7 +3676,7 @@ smtp_data(smtp, e)
- 				(void) extenhsc(response + 4, ' ', e->e_enhsc);
- #endif /* _FFR_MILTER_ENHSC */
- 
--			usrerr(response);
-+			usrerr1(response);
- 			if (strncmp(response, "421 ", 4) == 0
- 			    || strncmp(response, "421-", 4) == 0)
- 			{
-@@ -3776,7 +3796,7 @@ smtp_data(smtp, e)
- 			if (ISSMTPCODE(response))
- 				(void) extenhsc(response + 4, ' ', e->e_enhsc);
- #endif /* _FFR_MILTER_ENHSC */
--			usrerr(response);
-+			usrerr1(response);
- 			if (strncmp(response, "421 ", 4) == 0
- 			    || strncmp(response, "421-", 4) == 0)
- 				rv = false;

SOURCES/sendmail-8.15.2-openssl-1.1.0-ecdhe-fix.patch

@@ -1,20 +0,0 @@
-diff --git a/sendmail/tls.c b/sendmail/tls.c
-index 16cb93f..9338380 100644
---- a/sendmail/tls.c
-+++ b/sendmail/tls.c
-@@ -1329,13 +1329,8 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
- 		}
- 
- #if _FFR_TLS_EC
--		ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
--		if (ecdh != NULL)
--		{
--			SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
--			SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
--			EC_KEY_free(ecdh);
--		}
-+		SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
-+		SSL_CTX_set_ecdh_auto(*ctx, 1);
- #endif /* _FFR_TLS_EC */
- 
- 	}

SOURCES/sendmail-8.15.2-openssl-1.1.0-fix.patch

@@ -1,182 +0,0 @@
---- sendmail-8.15.2.orig/sendmail/tls.c	2016-12-01 15:20:59.953546417 +0100
-+++ sendmail-8.15.2.orig/sendmail/tls.c	2016-12-01 17:26:43.868521378 +0100
-@@ -63,14 +63,28 @@ static unsigned char dh512_g[] =
- static DH *
- get_dh512()
- {
--	DH *dh = NULL;
-+	DH *dh;
-+	BIGNUM *p, *g;
- 
- 	if ((dh = DH_new()) == NULL)
- 		return NULL;
--	dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
--	dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
--	if ((dh->p == NULL) || (dh->g == NULL))
-+	p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-+	g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-+	if (p == NULL || g == NULL)
-+	{
-+		BN_free(p);
-+		BN_free(g);
-+		DH_free(dh);
- 		return NULL;
-+	}
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
-+	DH_set0_pqg(dh, p, NULL, g);
-+#else
-+	dh->p = p;
-+	dh->g = g;
-+#endif
-+
- 	return dh;
- }
- 
-@@ -117,16 +131,27 @@ get_dh2048()
- 		};
- 	static unsigned char dh2048_g[]={ 0x02, };
- 	DH *dh;
-+	BIGNUM *p, *g;
- 
- 	if ((dh=DH_new()) == NULL)
- 		return(NULL);
--	dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
--	dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
--	if ((dh->p == NULL) || (dh->g == NULL))
-+	p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
-+	g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
-+	if (p == NULL || g == NULL)
- 	{
-+		BN_free(p);
-+		BN_free(g);
- 		DH_free(dh);
--		return(NULL);
-+		return NULL;
- 	}
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
-+	DH_set0_pqg(dh, p, NULL, g);
-+#else
-+	dh->p = p;
-+	dh->g = g;
-+#endif
-+
- 	return(dh);
- }
- # endif /* !NO_DH */
-@@ -715,6 +740,54 @@ static char server_session_id_context[]
- # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG	0
- #endif
- 
-+static RSA *
-+generate_rsa_key(bits, e)
-+	int bits;
-+	unsigned long e;
-+{
-+#if OPENSSL_VERSION_NUMBER < 0x00908000L
-+	return RSA_generate_key(bits, e, NULL, NULL);
-+#else
-+	BIGNUM *bne;
-+	RSA *rsa = NULL;
-+
-+	bne = BN_new();
-+	if (bne && BN_set_word(bne, e) != 1)
-+		rsa = RSA_new();
-+	if (rsa && RSA_generate_key_ex(rsa, bits, bne, NULL) != 1)
-+	{
-+		RSA_free(rsa);
-+		rsa = NULL;
-+	}
-+	BN_free(bne);
-+	return rsa;
-+#endif
-+}
-+
-+static DSA *
-+generate_dsa_parameters(bits, seed, seed_len, counter_ret, h_ret)
-+	int bits;
-+	unsigned char *seed;
-+	int seed_len;
-+	int *counter_ret;
-+	unsigned long *h_ret;
-+{
-+#if OPENSSL_VERSION_NUMBER < 0x00908000L
-+	return DSA_generate_parameters(bits, seed, seed_len, counter_ret,
-+			               h_ret, NULL, NULL);
-+#else
-+	DSA *dsa = DSA_new();
-+
-+	if (dsa && DSA_generate_parameters_ex(dsa, bits, seed, seed_len,
-+				              counter_ret, h_ret, NULL) != 1)
-+	{
-+		DSA_free(dsa);
-+		dsa = NULL;
-+	}
-+	return dsa;
-+#endif
-+}
-+
- bool
- inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
- 	SSL_CTX **ctx;
-@@ -926,7 +999,7 @@ inittls(ctx, req, options, srv, certfile
- 	{
- 		/* get a pointer to the current certificate validation store */
- 		store = SSL_CTX_get_cert_store(*ctx);	/* does not fail */
--		crl_file = BIO_new(BIO_s_file_internal());
-+		crl_file = BIO_new(BIO_s_file());
- 		if (crl_file != NULL)
- 		{
- 			if (BIO_read_filename(crl_file, CRLFile) >= 0)
-@@ -1003,8 +1076,7 @@ inittls(ctx, req, options, srv, certfile
- 	if (bitset(TLS_I_RSA_TMP, req)
- #  if SM_CONF_SHM
- 	    && ShmId != SM_SHM_NO_ID &&
--	    (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
--					NULL)) == NULL
-+	    (rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4)) == NULL
- #  else /* SM_CONF_SHM */
- 	    && 0	/* no shared memory: no need to generate key now */
- #  endif /* SM_CONF_SHM */
-@@ -1210,8 +1282,8 @@ inittls(ctx, req, options, srv, certfile
- 				sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
- 
- 			/* this takes a while! */
--			dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
--						      NULL, 0, NULL);
-+			dsa = generate_dsa_parameters(bits, NULL, 0, NULL,
-+						      NULL);
- 			dh = DSA_dup_DH(dsa);
- 			DSA_free(dsa);
- 		}
-@@ -1747,7 +1819,7 @@ tmp_rsa_key(s, export, keylength)
- 
- 	if (rsa_tmp != NULL)
- 		RSA_free(rsa_tmp);
--	rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
-+	rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4);
- 	if (rsa_tmp == NULL)
- 	{
- 		if (LogLevel > 0)
-@@ -1974,11 +2046,20 @@ x509_verify_cb(ok, ctx)
- 	{
- 		if (LogLevel > 13)
- 			tls_verify_log(ok, ctx, "x509");
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
-+		if (X509_STORE_CTX_get_error(ctx) ==
-+		    X509_V_ERR_UNABLE_TO_GET_CRL)
-+		{
-+			X509_STORE_CTX_set_error(ctx, 0);
-+			return 1;	/* override it */
-+		}
-+#else
- 		if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
- 		{
- 			ctx->error = 0;
- 			return 1;	/* override it */
- 		}
-+#endif
- 	}
- 	return ok;
- }

SOURCES/sendmail-8.15.2-smtp-session-reuse-fix.patch

@@ -1,249 +0,0 @@
-diff -ru a/sendmail/deliver.c b/sendmail/deliver.c
---- a/sendmail/deliver.c	2016-02-29 06:01:55.000000000 -0800
-+++ b/sendmail/deliver.c	2016-02-29 06:02:06.000000000 -0800
-@@ -6274,8 +6274,7 @@
- 				tlslogerr(LOG_WARNING, "client");
- 		}
- 
--		SSL_free(clt_ssl);
--		clt_ssl = NULL;
-+		SM_SSL_FREE(clt_ssl);
- 		return EX_SOFTWARE;
- 	}
- 	mci->mci_ssl = clt_ssl;
-@@ -6287,8 +6286,7 @@
- 		return EX_OK;
- 
- 	/* failure */
--	SSL_free(clt_ssl);
--	clt_ssl = NULL;
-+	SM_SSL_FREE(clt_ssl);
- 	return EX_SOFTWARE;
- }
- /*
-@@ -6309,7 +6307,7 @@
- 
- 	if (!bitset(MCIF_TLSACT, mci->mci_flags))
- 		return EX_OK;
--	r = endtls(mci->mci_ssl, "client");
-+	r = endtls(&mci->mci_ssl, "client");
- 	mci->mci_flags &= ~MCIF_TLSACT;
- 	return r;
- }
-diff -ru a/sendmail/macro.c b/sendmail/macro.c
---- a/sendmail/macro.c	2016-02-29 06:01:55.000000000 -0800
-+++ b/sendmail/macro.c	2016-02-29 06:02:06.000000000 -0800
-@@ -362,6 +362,33 @@
- }
- 
- /*
-+**  MACTABCLEAR -- clear entire macro table
-+**
-+**	Parameters:
-+**		mac -- Macro table.
-+**
-+**	Returns:
-+**		none.
-+**
-+**	Side Effects:
-+**		clears entire mac structure including rpool pointer!
-+*/
-+
-+void
-+mactabclear(mac)
-+	MACROS_T *mac;
-+{
-+	int i;
-+
-+	if (mac->mac_rpool == NULL)
-+	{
-+		for (i = 0; i < MAXMACROID; i++)
-+	    		SM_FREE_CLR(mac->mac_table[i]);
-+	}
-+	memset((char *) mac, '\0', sizeof(*mac));
-+}
-+
-+/*
- **  MACDEFINE -- bind a macro name to a value
- **
- **	Set a macro to a value, with fancy storage management.
-diff -ru a/sendmail/mci.c b/sendmail/mci.c
---- a/sendmail/mci.c	2016-02-29 06:01:55.000000000 -0800
-+++ b/sendmail/mci.c	2016-02-29 06:02:06.000000000 -0800
-@@ -25,6 +25,7 @@
- 						  int, bool));
- static bool	mci_load_persistent __P((MCI *));
- static void	mci_uncache __P((MCI **, bool));
-+static void	mci_clear __P((MCI *));
- static int	mci_lock_host_statfile __P((MCI *));
- static int	mci_read_persistent __P((SM_FILE_T *, MCI *));
- 
-@@ -253,6 +254,7 @@
- 	SM_FREE_CLR(mci->mci_status);
- 	SM_FREE_CLR(mci->mci_rstatus);
- 	SM_FREE_CLR(mci->mci_heloname);
-+ 	mci_clear(mci);
- 	if (mci->mci_rpool != NULL)
- 	{
- 		sm_rpool_free(mci->mci_rpool);
-@@ -315,6 +317,41 @@
- }
- 
- /*
-+**  MCI_CLEAR -- clear mci
-+**
-+**	Parameters:
-+**		mci -- the connection to clear.
-+**
-+**	Returns:
-+**		none.
-+*/
-+
-+static void
-+mci_clear(mci)
-+	MCI *mci;
-+{
-+	if (mci == NULL)
-+		return;
-+
-+	mci->mci_maxsize = 0;
-+	mci->mci_min_by = 0;
-+	mci->mci_deliveries = 0;
-+#if SASL
-+	if (bitset(MCIF_AUTHACT, mci->mci_flags))
-+		sasl_dispose(&mci->mci_conn);
-+#endif
-+#if STARTTLS
-+	if (bitset(MCIF_TLSACT, mci->mci_flags) && mci->mci_ssl != NULL)
-+		SM_SSL_FREE(mci->mci_ssl);
-+#endif
-+
-+	/* which flags to preserve? */
-+	mci->mci_flags &= MCIF_CACHED;
-+	mactabclear(&mci->mci_macro);
-+}
-+
-+
-+/*
- **  MCI_GET -- get information about a particular host
- **
- **	Parameters:
-@@ -419,6 +456,7 @@
- 			mci->mci_errno = 0;
- 			mci->mci_exitstat = EX_OK;
- 		}
-+	 	mci_clear(mci);
- 	}
- 
- 	return mci;
-diff -ru a/sendmail/sendmail.h b/sendmail/sendmail.h
---- a/sendmail/sendmail.h	2016-02-29 06:01:55.000000000 -0800
-+++ b/sendmail/sendmail.h	2016-02-29 06:02:06.000000000 -0800
-@@ -1186,6 +1186,7 @@
- #define macid(name)  macid_parse(name, NULL)
- extern char	*macname __P((int));
- extern char	*macvalue __P((int, ENVELOPE *));
-+extern void	mactabclear __P((MACROS_T *));
- extern int	rscheck __P((char *, char *, char *, ENVELOPE *, int, int, char *, char *, ADDRESS *, char **));
- extern int	rscap __P((char *, char *, char *, ENVELOPE *, char ***, char *, int));
- extern void	setclass __P((int, char *));
-@@ -2002,7 +2003,15 @@
- extern void	setclttls __P((bool));
- extern bool	initsrvtls __P((bool));
- extern int	tls_get_info __P((SSL *, bool, char *, MACROS_T *, bool));
--extern int	endtls __P((SSL *, char *));
-+#define SM_SSL_FREE(ssl)			\
-+	do {					\
-+		if (ssl != NULL)		\
-+		{				\
-+			SSL_free(ssl);		\
-+			ssl = NULL;		\
-+		}				\
-+	} while (0)
-+extern int	endtls __P((SSL **, char *));
- extern void	tlslogerr __P((int, const char *));
- 
- 
-diff -ru a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
---- a/sendmail/srvrsmtp.c	2016-02-29 06:01:55.000000000 -0800
-+++ b/sendmail/srvrsmtp.c	2016-02-29 06:02:06.000000000 -0800
-@@ -2122,8 +2122,7 @@
- 			if (get_tls_se_options(e, srv_ssl, true) != 0)
- 			{
- 				message("454 4.3.3 TLS not available: error setting options");
--				SSL_free(srv_ssl);
--				srv_ssl = NULL;
-+				SM_SSL_FREE(srv_ssl);
- 				goto tls_done;
- 			}
- 
-@@ -2145,8 +2144,7 @@
- 			    SSL_set_wfd(srv_ssl, wfd) <= 0)
- 			{
- 				message("454 4.3.3 TLS not available: error set fd");
--				SSL_free(srv_ssl);
--				srv_ssl = NULL;
-+				SM_SSL_FREE(srv_ssl);
- 				goto tls_done;
- 			}
- 			if (!smtps)
-@@ -2188,8 +2186,7 @@
- 						tlslogerr(LOG_WARNING, "server");
- 				}
- 				tls_ok_srv = false;
--				SSL_free(srv_ssl);
--				srv_ssl = NULL;
-+				SM_SSL_FREE(srv_ssl);
- 
- 				/*
- 				**  according to the next draft of
-@@ -3416,7 +3413,7 @@
- 			/* shutdown TLS connection */
- 			if (tls_active)
- 			{
--				(void) endtls(srv_ssl, "server");
-+				(void) endtls(&srv_ssl, "server");
- 				tls_active = false;
- 			}
- #endif /* STARTTLS */
-diff -ru a/sendmail/tls.c b/sendmail/tls.c
---- a/sendmail/tls.c	2016-02-29 06:01:55.000000000 -0800
-+++ b/sendmail/tls.c	2016-02-29 06:02:06.000000000 -0800
-@@ -1624,7 +1624,7 @@
- **  ENDTLS -- shutdown secure connection
- **
- **	Parameters:
--**		ssl -- SSL connection information.
-+**		pssl -- pointer to TLS session context
- **		side -- server/client (for logging).
- **
- **	Returns:
-@@ -1632,12 +1632,16 @@
- */
- 
- int
--endtls(ssl, side)
--	SSL *ssl;
-+endtls(pssl, side)
-+	SSL **pssl;
- 	char *side;
- {
- 	int ret = EX_OK;
-+	SSL *ssl;
- 
-+	SM_REQUIRE(pssl != NULL);
-+ 	ret = EX_OK;
-+	ssl = *pssl;
- 	if (ssl != NULL)
- 	{
- 		int r;
-@@ -1703,8 +1707,7 @@
- 			ret = EX_SOFTWARE;
- 		}
- # endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL */
--		SSL_free(ssl);
--		ssl = NULL;
-+		SM_SSL_FREE(*pssl);
- 	}
- 	return ret;
- }

SOURCES/sendmail-8.15.2-tlsfallback.patch

@@ -1,204 +0,0 @@
-commit 72c678024d5f7b97bae8c20cc3fb2e0299778d5b
-Author: Tomas Korbar <tkorbar@redhat.com>
-Date:   Mon Sep 7 12:41:05 2020 +0200
-
-    Backport confTLS_FALLBACK_TO_CLEAR Configuration option
-
-diff --git a/cf/README b/cf/README
-index 91e69a9..e8941ad 100644
---- a/cf/README
-+++ b/cf/README
-@@ -4011,6 +4011,10 @@ confUSERDB_SPEC		UserDatabaseSpec
- confFALLBACK_MX		FallbackMXhost	[undefined] Fallback MX host.
- confFALLBACK_SMARTHOST	FallbackSmartHost
- 					[undefined] Fallback smart host.
-+confTLS_FALLBACK_TO_CLEAR	TLSFallbacktoClear
-+					[undefined] If set, immediately try
-+					a connection again without STARTTLS
-+					after a TLS handshake failure.
- confTRY_NULL_MX_LIST	TryNullMXList	[False] If this host is the best MX
- 					for a host and other arrangements
- 					haven't been made, try connecting
-diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
-index 0df3416..a741d97 100644
---- a/cf/m4/proto.m4
-+++ b/cf/m4/proto.m4
-@@ -656,6 +656,8 @@ _OPTION(CipherList, `confCIPHER_LIST', `')
- _OPTION(ServerSSLOptions, `confSERVER_SSL_OPTIONS', `')
- # client side SSL options
- _OPTION(ClientSSLOptions, `confCLIENT_SSL_OPTIONS', `')
-+# TLS: fall back to clear text after handshake failure?
-+_OPTION(TLSFallbacktoClear, `confTLS_FALLBACK_TO_CLEAR', `')
- 
- # Input mail filters
- _OPTION(InputMailFilters, `confINPUT_MAIL_FILTERS', `')
-@@ -2856,6 +2858,7 @@ R<$-:$+><VERIFY $*> <$*> FAIL	$#error $@ $2 $: $1 " authentication failed"
- R<$-:$+><VERIFY $*> <$*> NO	$#error $@ $2 $: $1 " not authenticated"
- R<$-:$+><VERIFY $*> <$*> NOT	$#error $@ $2 $: $1 " no authentication requested"
- R<$-:$+><VERIFY $*> <$*> NONE	$#error $@ $2 $: $1 " other side does not support STARTTLS"
-+R<$-:$+><VERIFY $*> <$*> CLEAR	$#error $@ $2 $: $1 " STARTTLS disabled locally"
- dnl some other value for ${verify}
- R<$-:$+><VERIFY $*> <$*> $+	$#error $@ $2 $: $1 " authentication failure " $4
- dnl some level of encryption required: get the maximum level (case 2.)
-diff --git a/doc/op/op.me b/doc/op/op.me
-index 57e25cd..97d3b9c 100644
---- a/doc/op/op.me
-+++ b/doc/op/op.me
-@@ -8340,6 +8340,22 @@ PostMilter is useful only when
- .i sendmail
- is running as an SMTP server; in all other situations it
- acts the same as True.
-+.ip TLSFallbacktoClear
-+[no short name]
-+If set,
-+.i sendmail
-+immediately tries an outbound connection again without STARTTLS
-+after a TLS handshake failure.
-+Note:
-+this applies to all connections even if TLS specific requirements are set
-+(see rulesets
-+.i tls_rcpt
-+and
-+.i tls_client
-+).
-+Hence such requirements will cause an error on a retry without STARTTLS.
-+Therefore they should only trigger a temporary failure so the connection
-+is later on tried again.
- .ip TLSSrvOptions
- [no short name]
- List of options for SMTP STARTTLS for the server
-diff --git a/sendmail/deliver.c b/sendmail/deliver.c
-index 8027a50..af42e8f 100644
---- a/sendmail/deliver.c
-+++ b/sendmail/deliver.c
-@@ -1334,6 +1334,10 @@ deliver(e, firstto)
- 	char *pv[MAXPV + 1];
- 	char buf[MAXNAME + 1];
- 	char cbuf[MAXPATHLEN];
-+#if STARTTLS
-+	/* 0: try TLS, 1: try without TLS again, >1: don't try again */
-+	int tlsstate;
-+#endif
- 
- 	errno = 0;
- 	SM_REQUIRE(firstto != NULL);	/* same as to */
-@@ -1349,7 +1353,9 @@ deliver(e, firstto)
- 	e->e_statmsg = NULL;
- 	SmtpError[0] = '\0';
- 	xstart = curtime();
--
-+#if STARTTLS
-+	tlsstate = 0;
-+#endif
- 	if (tTd(10, 1))
- 		sm_dprintf("\n--deliver, id=%s, mailer=%s, host=`%s', first user=`%s'\n",
- 			e->e_id, m->m_name, host, to->q_user);
-@@ -2073,6 +2079,9 @@ tryhost:
- 			hostnum++;
- 			if (endp != NULL)
- 				*endp = sep;
-+#if STARTTLS
-+			tlsstate = 0;
-+#endif
- 
-   one_last_try:
- 			/* see if we already know that this host is fried */
-@@ -2960,6 +2969,8 @@ reconnect:	/* after switching to an encrypted connection */
- 			usetls = bitset(MCIF_TLS, mci->mci_flags);
- 			if (usetls)
- 				usetls = !iscltflgset(e, D_NOTLS);
-+			if (usetls)
-+				usetls = tlsstate == 0;
- 
- 			host = macvalue(macid("{server_name}"), e);
- 			if (usetls)
-@@ -3025,8 +3036,11 @@ reconnect:	/* after switching to an encrypted connection */
- 				}
- 			}
- 			else
-+			{
-+				p = tlsstate == 0 ? "NONE": "CLEAR";
- 				macdefine(&e->e_macro, A_PERM,
--					  macid("{verify}"), "NONE");
-+					  macid("{verify}"), p);
-+			}
- 			olderrors = Errors;
- 			QuickAbort = false;
- 			SuprErrs = true;
-@@ -3077,6 +3091,10 @@ reconnect:	/* after switching to an encrypted connection */
- 					}
- 					mci->mci_flags &= ~MCIF_TLSACT;
- 					(void) endmailer(mci, e, pv);
-+					if (TLSFallbacktoClear)
-+					{
-+						++tlsstate;
-+					}
- 				}
- 				else
- 				{
-@@ -3119,6 +3137,27 @@ reconnect:	/* after switching to an encrypted connection */
- 				mci_clr_extensions(mci);
- 				goto reconnect;
- 			}
-+			if (tlsstate == 1)
-+			{
-+				if (tTd(11, 1))
-+				{
-+					sm_syslog(LOG_DEBUG, NOQID,
-+						"STARTTLS=client, relay=%.100s, tlsstate=%d, status=trying_again",
-+						mci->mci_host, tlsstate);
-+					mci_dump(NULL, mci, true);
-+				}
-+				++tlsstate;
-+				/*
-+				**  Fake the status so a new connection is
-+				**  tried, otherwise the TLS error will
-+				**  "persist" during this delivery attempt.
-+				*/
-+
-+				mci->mci_errno = 0;
-+				rcode = EX_OK;
-+				mci_setstat(mci, rcode, NULL, NULL);
-+				goto one_last_try;
-+			}
- 		}
- # endif /* STARTTLS */
- # if SASL
-diff --git a/sendmail/readcf.c b/sendmail/readcf.c
-index 86892f5..82660f4 100644
---- a/sendmail/readcf.c
-+++ b/sendmail/readcf.c
-@@ -2911,7 +2911,10 @@ static struct optioninfo
- #endif
- #define O_USECOMPRESSEDIPV6ADDRESSES 0xec
- 	{ "UseCompressedIPv6Addresses",	O_USECOMPRESSEDIPV6ADDRESSES, OI_NONE },
--
-+#if STARTTLS
-+# define O_TLSFB2CLEAR		0xef
-+	{ "TLSFallbacktoClear",	O_TLSFB2CLEAR,	OI_NONE	},
-+#endif
- 	{ NULL,				'\0',		OI_NONE	}
- };
- 
-@@ -4305,6 +4308,9 @@ setoption(opt, val, safe, sticky, e)
- #endif /* SASL */
- 
- #if STARTTLS
-+	  case O_TLSFB2CLEAR:
-+		TLSFallbacktoClear = atobool(val);
-+		break;
- 	  case O_SRVCERTFILE:
- 		SET_STRING_EXP(SrvCertFile);
- 	  case O_SRVKEYFILE:
-diff --git a/sendmail/sendmail.h b/sendmail/sendmail.h
-index 441399c..9be1e76 100644
---- a/sendmail/sendmail.h
-+++ b/sendmail/sendmail.h
-@@ -2032,6 +2032,7 @@ EXTERN char	*CRLPath;	/* path to CRLs (dir. with hashes) */
- #endif /* _FFR_CRLPATH */
- EXTERN unsigned long	TLS_Srv_Opts;	/* TLS server options */
- EXTERN unsigned long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
-+EXTERN bool	TLSFallbacktoClear;
- #endif /* STARTTLS */
- 
- /*

SOURCES/sendmail-8.16.0.29-fix-covscan-issues.patch

@@ -1,149 +0,0 @@
-diff --git a/include/sm/varargs.h b/include/sm/varargs.h
-index 612858d..2609630 100644
---- a/include/sm/varargs.h
-+++ b/include/sm/varargs.h
-@@ -32,6 +32,11 @@
- #  define SM_VA_COPY(dst, src)	__va_copy((dst), (src))
- # else
- #  define SM_VA_COPY(dst, src)	memcpy(&(dst), &(src), sizeof((dst)))
-+#  define SM_VA_END_COPY(ap)	do { } while (0)
-+# endif
-+
-+# ifndef SM_VA_END_COPY
-+#  define SM_VA_END_COPY(ap)	va_end(ap)
- # endif
- 
- /*
-diff --git a/libsm/vfprintf.c b/libsm/vfprintf.c
-index 87c353c..c99d4e5 100644
---- a/libsm/vfprintf.c
-+++ b/libsm/vfprintf.c
-@@ -782,6 +782,7 @@ number:			if ((dprec = prec) >= 0)
- done:
- 	FLUSH();
- error:
-+	SM_VA_END_COPY(orgap);
- 	if ((argtable != NULL) && (argtable != statargtable))
- 		sm_free(argtable);
- 	return sm_error(fp) ? SM_IO_EOF : ret;
-diff --git a/sendmail/milter.c b/sendmail/milter.c
-index 462efd2..af6dc66 100644
---- a/sendmail/milter.c
-+++ b/sendmail/milter.c
-@@ -2437,8 +2437,7 @@ milter_negotiate(m, e, milters)
- 			sm_syslog(LOG_ERR, e->e_id,
- 				  "Milter (%s): negotiate: returned %c instead of %c",
- 				  m->mf_name, rcmd, SMFIC_OPTNEG);
--		if (response != NULL)
--			sm_free(response); /* XXX */
-+		SM_FREE(response);
- 		milter_error(m, e);
- 		return -1;
- 	}
-@@ -2453,8 +2452,7 @@ milter_negotiate(m, e, milters)
- 			sm_syslog(LOG_ERR, e->e_id,
- 				  "Milter (%s): negotiate: did not return valid info",
- 				  m->mf_name);
--		if (response != NULL)
--			sm_free(response); /* XXX */
-+		SM_FREE(response);
- 		milter_error(m, e);
- 		return -1;
- 	}
-@@ -2472,8 +2470,7 @@ milter_negotiate(m, e, milters)
- 			sm_syslog(LOG_ERR, e->e_id,
- 				  "Milter (%s): negotiate: did not return enough info",
- 				  m->mf_name);
--		if (response != NULL)
--			sm_free(response); /* XXX */
-+		SM_FREE(response);
- 		milter_error(m, e);
- 		return -1;
- 	}
-@@ -2589,11 +2586,11 @@ milter_negotiate(m, e, milters)
- 	if (tTd(64, 5))
- 		sm_dprintf("milter_negotiate(%s): received: version %u, fflags 0x%x, pflags 0x%x\n",
- 			m->mf_name, m->mf_fvers, m->mf_fflags, m->mf_pflags);
-+	SM_FREE(response);
- 	return 0;
- 
-   error:
--	if (response != NULL)
--		sm_free(response); /* XXX */
-+	SM_FREE(response);
- 	return -1;
- }
- 
-@@ -3230,6 +3227,7 @@ milter_changeheader(m, response, rlen, e)
- 			addheader(newstr(field), mh_value, H_USER, e,
- 				!bitset(SMFIP_HDR_LEADSPC, m->mf_pflags));
- 		}
-+		SM_FREE(mh_value);
- 		return;
- 	}
- 
-@@ -3438,6 +3436,8 @@ milter_chgfrom(response, rlen, e)
- 	{
- 		if (tTd(64, 10))
- 			sm_dprintf("didn't follow protocol argc=%d\n", argc);
-+		if (argv != NULL)
-+			free(argv);
- 		return;
- 	}
- 
-@@ -3456,6 +3456,7 @@ milter_chgfrom(response, rlen, e)
- 				mail_esmtp_args);
- 	}
- 	Errors = olderrors;
-+	free(argv);
- 	return;
- }
- 
-@@ -3503,6 +3504,8 @@ milter_addrcpt_par(response, rlen, e)
- 	{
- 		if (tTd(64, 10))
- 			sm_dprintf("didn't follow protocol argc=%d\n", argc);
-+		if (argv != NULL)
-+			free(argv);
- 		return;
- 	}
- 	olderrors = Errors;
-@@ -3527,6 +3530,7 @@ milter_addrcpt_par(response, rlen, e)
- 	}
- 
- 	Errors = olderrors;
-+	free(argv);
- 	return;
- }
- 
-diff --git a/sendmail/queue.c b/sendmail/queue.c
-index 503f296..c9153c8 100644
---- a/sendmail/queue.c
-+++ b/sendmail/queue.c
-@@ -8590,6 +8590,7 @@ split_by_recipient(e)
- 		if (split_within_queue(ee) == SM_SPLIT_FAIL)
- 		{
- 			e->e_sibling = firstsibling;
-+			SM_FREE(lsplits);
- 			return false;
- 		}
- 		ee->e_flags |= EF_SPLIT;
-@@ -8604,8 +8605,7 @@ split_by_recipient(e)
- 				if (p == NULL)
- 				{
- 					/* let's try to get this done */
--					sm_free(lsplits);
--					lsplits = NULL;
-+					SM_FREE(lsplits);
- 				}
- 				else
- 					lsplits = p;
-@@ -8627,7 +8627,7 @@ split_by_recipient(e)
- 	{
- 		sm_syslog(LOG_NOTICE, e->e_id, "split: count=%d, id%s=%s",
- 			  n - 1, n > 2 ? "s" : "", lsplits);
--		sm_free(lsplits);
-+		SM_FREE(lsplits);
- 	}
- 	split = split_within_queue(e) != SM_SPLIT_FAIL;
- 	if (split)

gating.yaml

@@ -0,0 +1,7 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}

sendmail-8.16.1-aliases_dir.patch

@@ -1,8 +1,8 @@
 diff --git a/cf/m4/cfhead.m4 b/cf/m4/cfhead.m4
-index 714a3ec..3fd6c1c 100644
+index 6d12e85..15af608 100644
 --- a/cf/m4/cfhead.m4
 +++ b/cf/m4/cfhead.m4
-@@ -260,7 +260,7 @@ ifdef(`MAIL_SETTINGS_DIR', , `define(`MAIL_SETTINGS_DIR', `/etc/mail/')')
+@@ -269,7 +269,7 @@ ifdef(`MAIL_SETTINGS_DIR', , `define(`MAIL_SETTINGS_DIR', `/etc/mail/')')
  define(`DATABASE_MAP_TYPE', `hash')
  
  # set up default values for options
@@ -12,10 +12,10 @@ index 714a3ec..3fd6c1c 100644
  define(`confFROM_LINE', `From $g $d')
  define(`confOPERATORS', `.:%@!^/[]+')
 diff --git a/sendmail/aliases.0 b/sendmail/aliases.0
-index cfdbe17..5ea4c28 100644
+index ba855d4..edb3b19 100644
 --- a/sendmail/aliases.0
 +++ b/sendmail/aliases.0
-@@ -63,7 +63,7 @@ DDEESSCCRRIIPPTTIIOONN
+@@ -63,7 +63,7 @@ ALIASES(5)                                                          ALIASES(5)
         the list of users defined in that file.
  
         This  is  only  the  raw  data file; the actual aliasing information is
@@ -47,26 +47,26 @@ index f09b49c..7b16db2 100644
  newaliases(1).  
  A 
 diff --git a/sendmail/newaliases.0 b/sendmail/newaliases.0
-index c77f401..e2a1670 100644
+index 49ff2b0..247a276 100644
 --- a/sendmail/newaliases.0
 +++ b/sendmail/newaliases.0
-@@ -10,7 +10,7 @@ SSYYNNOOPPSSIISS
+@@ -10,7 +10,7 @@ NEWALIASES(1)                                                    NEWALIASES(1)
  
- DDEESSCCRRIIPPTTIIOONN
-        NNeewwaalliiaasseess  rebuilds  the  random access data base for the mail aliases
+ DESCRIPTION
+        Newaliases  rebuilds  the  random access data base for the mail aliases
 -       file /etc/mail/aliases.  It must be run each time this file is  changed
 +       file /etc/aliases.  It must be run each time this file is  changed
         in order for the change to take effect.
  
-        NNeewwaalliiaasseess is identical to ``sendmail -bi''.
-@@ -22,7 +22,7 @@ DDEESSCCRRIIPPTTIIOONN
-        sseennddmmaaiill..
+        Newaliases is identical to ``sendmail -bi''.
+@@ -22,7 +22,7 @@ NEWALIASES(1)                                                    NEWALIASES(1)
+        sendmail.
  
- FFIILLEESS
+ FILES
 -       /etc/mail/aliases   The mail aliases file
 +       /etc/aliases   The mail aliases file
  
- SSEEEE AALLSSOO
+ SEE ALSO
         aliases(5), sendmail(8)
 diff --git a/sendmail/newaliases.1 b/sendmail/newaliases.1
 index 59dc0de..9ba8752 100644
@@ -91,10 +91,10 @@ index 59dc0de..9ba8752 100644
  .SH SEE ALSO
  aliases(5), sendmail(8)
 diff --git a/sendmail/sendmail.0 b/sendmail/sendmail.0
-index 515d5f7..8236411 100644
+index 60ab1cd..5f3bf93 100644
 --- a/sendmail/sendmail.0
 +++ b/sendmail/sendmail.0
-@@ -434,10 +434,10 @@ FFIILLEESS
+@@ -434,10 +434,10 @@ SENDMAIL(8)                                                        SENDMAIL(8)
         are only approximations.
  
  

sendmail-8.16.1-dynamic.patch

@@ -39,8 +39,8 @@
  define(`confREQUIRE_SM_OS_H', `true')
  PREPENDDEF(`confENVDEF', `confMAPDEF')
  bldPRODUCT_START(`library', `libsm')
--define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strerror.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c ')
-+define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c ')
+-define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strerror.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c notify.c ')
++define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c notify.c ')
  bldPRODUCT_END
  dnl msg.c
  dnl syslogio.c

sendmail-8.16.1-libmilter-socket-activation.patch

@@ -1,10 +1,8 @@
-Description: systemd-like socket activation support for libmilter
-Author: Mikhail Gusarov <dottedmag@debian.org
 diff --git a/libmilter/docs/smfi_setconn.html b/libmilter/docs/smfi_setconn.html
-index eba7c5b..5b272a0 100644
+index 8897f5a..0e04120 100644
 --- a/libmilter/docs/smfi_setconn.html
 +++ b/libmilter/docs/smfi_setconn.html
-@@ -43,6 +43,7 @@ Set the socket through which this filter should communicate with sendmail.
+@@ -44,6 +44,7 @@ Set the socket through which this filter should communicate with sendmail.
  	<LI><CODE>{unix|local}:/path/to/file</CODE> -- A named pipe.
  	<LI><CODE>inet:port@{hostname|ip-address}</CODE> -- An IPV4 socket.
  	<LI><CODE>inet6:port@{hostname|ip-address}</CODE> -- An IPV6 socket.
@@ -13,7 +11,7 @@ index eba7c5b..5b272a0 100644
  	</TD></TR>
      </TABLE>
 diff --git a/libmilter/listener.c b/libmilter/listener.c
-index 11d92bb..2ab533d 100644
+index 0468a62..72e7a4f 100644
 --- a/libmilter/listener.c
 +++ b/libmilter/listener.c
 @@ -197,6 +197,11 @@ mi_milteropen(conn, backlog, rmsocket, name)
@@ -54,7 +52,7 @@ index 11d92bb..2ab533d 100644
 @@ -466,6 +485,7 @@ mi_milteropen(conn, backlog, rmsocket, name)
  #if NETUNIX
  	    addr.sa.sa_family != AF_UNIX &&
- #endif /* NETUNIX */
+ #endif
 +	    addr.sa.sa_family != AF_UNSPEC &&
  	    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *) &sockopt,
  		       sizeof(sockopt)) == -1)
@@ -72,7 +70,7 @@ index 11d92bb..2ab533d 100644
 @@ -818,7 +839,7 @@ mi_listener(conn, dbg, smfi, timeout, backlog)
  # ifdef BSD4_4_SOCKADDR
  		     cliaddr.sa.sa_len == 0 ||
- # endif /* BSD4_4_SOCKADDR */
+ # endif
 -		     cliaddr.sa.sa_family != L_family))
 +		     (L_family != AF_UNSPEC && cliaddr.sa.sa_family != L_family)))
  		{

sendmail-8.16.1-localdomain.patch

@@ -1,8 +1,8 @@
 diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
-index 696bf36..5a5963b 100644
+index 618dde0..8c460ce 100644
 --- a/cf/m4/proto.m4
 +++ b/cf/m4/proto.m4
-@@ -1898,6 +1898,8 @@ R<@> < $* @ [IPv6:::1] >
+@@ -1910,6 +1910,8 @@ R<@> < $* @ [IPv6:::1] >
  			$: < ? $&{client_name} > < $1 @ [IPv6:::1] >
  R<@> < $* @ localhost.$m >
  			$: < ? $&{client_name} > < $1 @ localhost.$m >

sendmail-8.16.1-openssl-3.0-fix.patch

@@ -0,0 +1,19 @@
+diff --git a/sendmail/tls.c b/sendmail/tls.c
+index 696d32f..b8527c4 100644
+--- a/sendmail/tls.c
++++ b/sendmail/tls.c
+@@ -29,7 +29,13 @@ SM_RCSID("@(#)$Id: tls.c,v 8.127 2013-11-27 02:51:11 gshapiro Exp $")
+ # ERROR: OpenSSL version OPENSSL_VERSION_NUMBER is unsupported.
+ # endif
+ 
+-# if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
++/*
++ **  *SSL version numbers:
++ **  OpenSSL 0.9 - 1.1 (so far), 3.0 (in alpha)
++ **  LibreSSL 2.0 (0x20000000L - part of "These will never change")
++ */
++
++# if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #  define MTA_HAVE_DH_set0_pqg 1
+ #  define MTA_HAVE_DSA_GENERATE_EX	1
+ 

sendmail-8.16.1-qos.patch

@@ -12,10 +12,10 @@ index b9dfb16..cb325cc 100644
  dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')dnl
  FEATURE(`use_ct_file')dnl
 diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
-index 5a5963b..0df3416 100644
+index 8c460ce..a68ab8d 100644
 --- a/cf/m4/proto.m4
 +++ b/cf/m4/proto.m4
-@@ -251,6 +251,9 @@ _OPTION(SevenBitInput, `confSEVEN_BIT_INPUT', `False')
+@@ -253,6 +253,9 @@ _OPTION(SevenBitInput, `confSEVEN_BIT_INPUT', `False')
  # 8-bit data handling
  _OPTION(EightBitMode, `confEIGHT_BIT_HANDLING', `pass8')
  
@@ -26,11 +26,11 @@ index 5a5963b..0df3416 100644
  _OPTION(AliasWait, `confALIAS_WAIT', `5m')
  
 diff --git a/sendmail/conf.c b/sendmail/conf.c
-index cbb9c76..1b55533 100644
+index e9fa42c..fa64b11 100644
 --- a/sendmail/conf.c
 +++ b/sendmail/conf.c
-@@ -6430,6 +6430,10 @@ char	*FFRCompileOptions[] =
- #if _FFR_QF_PARANOIA
+@@ -6614,6 +6614,10 @@ char	*FFRCompileOptions[] =
+ 	/* Check to make sure key fields were read from qf */
  	"_FFR_QF_PARANOIA",
  #endif
 +#if _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
@@ -41,10 +41,10 @@ index cbb9c76..1b55533 100644
  	/* Allow QueueSortOrder per queue group. */
  /* XXX: Still need to actually use qgrp->qg_sortorder */
 diff --git a/sendmail/daemon.c b/sendmail/daemon.c
-index 4288365..86fe319 100644
+index 19a9378..5561cf5 100644
 --- a/sendmail/daemon.c
 +++ b/sendmail/daemon.c
-@@ -104,6 +104,10 @@ static int	NDaemons = 0;			/* actual number of daemons */
+@@ -124,6 +124,10 @@ static int	NDaemons = 0;			/* actual number of daemons */
  
  static time_t	NextDiskSpaceCheck = 0;
  
@@ -55,7 +55,7 @@ index 4288365..86fe319 100644
  /*
  **  GETREQUESTS -- open mail IPC port and get requests.
  **
-@@ -1139,6 +1143,16 @@ opendaemonsocket(d, firsttime)
+@@ -1159,6 +1163,16 @@ opendaemonsocket(d, firsttime)
  			(void) setsockopt(d->d_socket, SOL_SOCKET,
  					  SO_KEEPALIVE, (char *)&on, sizeof(on));
  
@@ -72,7 +72,7 @@ index 4288365..86fe319 100644
  #ifdef SO_RCVBUF
  			if (d->d_tcprcvbufsize > 0)
  			{
-@@ -2571,6 +2585,16 @@ gothostent:
+@@ -2688,6 +2702,16 @@ gothostent:
  			return EX_TEMPFAIL;
  		}
  
@@ -90,21 +90,21 @@ index 4288365..86fe319 100644
  		if (ClientSettings[family].d_tcpsndbufsize > 0)
  		{
 diff --git a/sendmail/readcf.c b/sendmail/readcf.c
-index 2b0fbf7..86892f5 100644
+index e6f6296..adb09da 100644
 --- a/sendmail/readcf.c
 +++ b/sendmail/readcf.c
-@@ -18,6 +18,7 @@ SM_RCSID("@(#)$Id: readcf.c,v 8.692 2013-11-22 20:51:56 ca Exp $")
+@@ -24,6 +24,7 @@ SM_RCSID("@(#)$Id: readcf.c,v 8.692 2013-11-22 20:51:56 ca Exp $")
  
  #if NETINET || NETINET6
  # include <arpa/inet.h>
 +# include <netinet/ip.h>
- #endif /* NETINET || NETINET6 */
+ #endif
  
  
-@@ -2888,8 +2889,8 @@ static struct optioninfo
+@@ -2917,8 +2918,8 @@ static struct optioninfo
  # define O_RCPTTHROTDELAY	0xe6
  	{ "BadRcptThrottleDelay",	O_RCPTTHROTDELAY,	OI_SAFE	},
- #endif /* _FFR_RCPTTHROTDELAY */
+ #endif
 -#if 0 && _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
 -# define O_INETQOS	0xe7	/* reserved for FFR_QOS */
 +#if _FFR_QOS && defined(SOL_IP) && defined(IP_TOS)
@@ -112,7 +112,7 @@ index 2b0fbf7..86892f5 100644
  	{ "InetQoS",			O_INETQOS,	OI_NONE },
  #endif
  #if STARTTLS && _FFR_FIPSMODE
-@@ -2914,6 +2915,77 @@ static struct optioninfo
+@@ -2982,6 +2983,77 @@ static struct optioninfo
  	{ NULL,				'\0',		OI_NONE	}
  };
  
@@ -190,9 +190,9 @@ index 2b0fbf7..86892f5 100644
  # define CANONIFY(val)
  
  # define SET_OPT_DEFAULT(opt, val)	opt = val
-@@ -4540,6 +4612,33 @@ setoption(opt, val, safe, sticky, e)
- 		UseCompressedIPv6Addresses = atobool(val);
+@@ -4679,6 +4751,33 @@ setoption(opt, val, safe, sticky, e)
  		break;
+ # endif
  
 +#ifdef O_INETQOS
 +	  case O_INETQOS:
@@ -225,22 +225,22 @@ index 2b0fbf7..86892f5 100644
  		if (tTd(37, 1))
  		{
 diff --git a/sendmail/sendmail.h b/sendmail/sendmail.h
-index b2d0211..3bcc2e2 100644
+index e6cf45d..7f5cf9f 100644
 --- a/sendmail/sendmail.h
 +++ b/sendmail/sendmail.h
-@@ -2537,7 +2537,14 @@ EXTERN struct termescape	TermEscape;	/* terminal escape codes */
- EXTERN SOCKADDR	ConnectOnlyTo;	/* override connection address (for testing) */
+@@ -2566,6 +2566,15 @@ EXTERN SOCKADDR	ConnectOnlyTo;	/* override connection address (for testing) */
  EXTERN SOCKADDR RealHostAddr;	/* address of host we are talking to */
  extern const SM_EXC_TYPE_T EtypeQuickAbort; /* type of a QuickAbort exception */
--
+ 
 +#if _FFR_QOS
 +# if !defined(SOL_IP) && defined(IPPROTO_IP)
 +#  define SOL_IP IPPROTO_IP
 +# endif
 +# if defined(SOL_IP) && defined(IP_TOS)
-+EXTERN int	InetQoS;	/* QoS mapping */
++extern int	InetQoS;	/* QoS mapping */
 +# endif
 +#endif
- 
- EXTERN int ConnectionRateWindowSize;
- #if STARTTLS && USE_OPENSSL_ENGINE
++
+ #if _FFR_BLANKENV_MACV
+ EXTERN int Hacks;	/* bit field of run-time enabled "hacks" */
+ # define H_LOOKUP_MACRO_IN_BLANKENV	0x0001

sendmail-8.16.1-sasl2-in-etc.patch

@@ -1,18 +1,18 @@
 diff --git a/sendmail/usersmtp.c b/sendmail/usersmtp.c
-index c217ffa..e4dadd3 100644
+index b4ff5cc..dddbb0a 100644
 --- a/sendmail/usersmtp.c
 +++ b/sendmail/usersmtp.c
-@@ -1331,9 +1331,7 @@ safesaslfile(context, file)
+@@ -1346,9 +1346,7 @@ safesaslfile(context, file)
  {
  	long sff;
  	int r;
 -#if SASL <= 10515
  	size_t len;
--#endif /* SASL <= 10515 */
+-#endif
  	char *p;
  
  	if (file == NULL || *file == '\0')
-@@ -1369,9 +1367,16 @@ safesaslfile(context, file)
+@@ -1386,9 +1384,16 @@ safesaslfile(context, file)
  #endif /* SASL <= 10515 */
  
  	p = (char *) file;

sendmail-8.16.1-smrsh_paths.patch

@@ -165,18 +165,18 @@ diff -up sendmail-8.14.3/smrsh/smrsh.c.smrsh_paths sendmail-8.14.3/smrsh/smrsh.c
 @@ -77,7 +77,7 @@ SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 20
  # ifdef SMRSH_CMDDIR
  #  define CMDDIR	SMRSH_CMDDIR
- # else /* SMRSH_CMDDIR */
+ # else
 -#  define CMDDIR	"/usr/adm/sm.bin"
 +#  define CMDDIR	"/etc/smrsh"
- # endif /* SMRSH_CMDDIR */
+ # endif
  #endif /* ! CMDDIR */
  
 @@ -89,7 +89,7 @@ SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 20
  # ifdef SMRSH_PATH
  #  define PATH		SMRSH_PATH
- # else /* SMRSH_PATH */
+ # else
 -#  define PATH		"/bin:/usr/bin:/usr/ucb"
 +#  define PATH		"/bin:/usr/bin"
- # endif /* SMRSH_PATH */
+ # endif
  #endif /* ! PATH */
  

sendmail-8.16.1-switchfile.patch

@@ -1,13 +1,13 @@
 diff --git a/sendmail/conf.c b/sendmail/conf.c
-index c73334e..cbb9c76 100644
+index 63c545c..e9fa42c 100644
 --- a/sendmail/conf.c
 +++ b/sendmail/conf.c
-@@ -986,7 +986,7 @@ switch_map_find(service, maptype, mapreturn)
+@@ -1039,7 +1039,7 @@ switch_map_find(service, maptype, mapreturn)
  				if (p != NULL)
  					*p = '\0';
  #ifndef SM_NSSWITCH_DELIMS
 -# define SM_NSSWITCH_DELIMS	" \t"
 +# define SM_NSSWITCH_DELIMS	" \t:"
- #endif /* SM_NSSWITCH_DELIMS */
+ #endif
  				p = strpbrk(buf, SM_NSSWITCH_DELIMS);
  				if (p != NULL)

sendmail-redhat.mc

@@ -104,7 +104,7 @@ dnl # The -t option will retry delivery if e.g. the user runs over his quota.
 dnl #
 FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
 FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
-FEATURE(`blacklist_recipients')dnl
+FEATURE(`blocklist_recipients')dnl
 EXPOSED_USER(`root')dnl
 dnl #
 dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment

sendmail.service

@@ -13,6 +13,9 @@ EnvironmentFile=-/etc/sysconfig/sendmail
 ExecStartPre=-/etc/mail/make
 ExecStartPre=-/etc/mail/make aliases
 ExecStart=/usr/sbin/sendmail -bd $SENDMAIL_OPTS $SENDMAIL_OPTARG
+ExecReload=/usr/bin/kill -HUP $MAINPID
+# hack to allow async reload to complete, otherwise systemd may signal error
+ExecReload=/usr/bin/sleep 2
 
 [Install]
 WantedBy=multi-user.target

sendmail.spec

@@ -3,6 +3,11 @@
 %global with_sasl2	yes
 %global with_milter	yes
 %global with_ldap	yes
+%if 0%{?rhel} < 9
+%global with_nis	yes
+%else
+%global with_nis	no
+%endif
 %global enable_pie	yes
 
 %global sendmailcf %{_datadir}/sendmail-cf
@@ -16,13 +21,18 @@
 # hardened build if not overridden
 %{!?_hardened_build:%global _hardened_build 1}
 
+%if "%{with_nis}" == "yes"
+%global nis_cflags	-DNIS
+%global nis_ldadd	-lnsl
+%endif
+
 Summary: A widely used Mail Transport Agent (MTA)
 Name: sendmail
-Version: 8.15.2
-Release: 34%{?dist}
+Version: 8.16.1
+Release: 11%{?dist}
 License: Sendmail
-Group: System Environment/Daemons
 URL: http://www.sendmail.org/
+
 Source0: ftp://ftp.sendmail.org/pub/sendmail/sendmail.%{version}.tar.gz
 # Systemd Service file
 Source1: sendmail.service
@@ -57,50 +67,41 @@ Source17: sendmail-etc-mail-virtusertable
 # fix man path and makemap man page
 Patch3: sendmail-8.14.4-makemapman.patch
 # fix smrsh paths
-Patch4: sendmail-8.14.3-smrsh_paths.patch
+Patch4: sendmail-8.16.1-smrsh_paths.patch
 # fix sm-client.pid path
 Patch7: sendmail-8.14.9-pid.patch
 # fix sendmail man page
 Patch10: sendmail-8.15.1-manpage.patch
 # compile with -fpie
-Patch11: sendmail-8.15.1-dynamic.patch
+Patch11: sendmail-8.16.1-dynamic.patch
 # fix cyrus path
 Patch12: sendmail-8.13.0-cyrus.patch
 # fix aliases.db path
-Patch13: sendmail-8.15.1-aliases_dir.patch
+Patch13: sendmail-8.16.1-aliases_dir.patch
 # fix vacation Makefile
 Patch14: sendmail-8.14.9-vacation.patch
 # remove version information from sendmail helpfile
 Patch15: sendmail-8.14.9-noversion.patch
 # do not accept localhost.localdomain as valid address from SMTP
-Patch16: sendmail-8.15.2-localdomain.patch
+Patch16: sendmail-8.16.1-localdomain.patch
 # build libmilter as DSO
 Patch17: sendmail-8.14.3-sharedmilter.patch
 # skip colon separator when parsing service name in ServiceSwitchFile
-Patch18: sendmail-8.15.2-switchfile.patch
+Patch18: sendmail-8.16.1-switchfile.patch
 # silence warning about missing sasl2 config in /usr/lib*, now in /etc/sasl2
-Patch23: sendmail-8.14.8-sasl2-in-etc.patch
+Patch23: sendmail-8.16.1-sasl2-in-etc.patch
 # add QoS support, patch from Philip Prindeville <philipp@fedoraproject.org>
 # upstream reserved option ID 0xe7 for testing of this new feature, #576643
-Patch25: sendmail-8.15.2-qos.patch
-Patch26: sendmail-8.15.2-libmilter-socket-activation.patch
-# patch provided by upstream
-Patch27: sendmail-8.15.2-smtp-session-reuse-fix.patch
-Patch28: sendmail-8.15.2-openssl-1.1.0-fix.patch
-# patch taken from Debian
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807258
-Patch29: sendmail-8.15.2-format-security.patch
-# rhbz#1473971
-Patch30: sendmail-8.15.2-openssl-1.1.0-ecdhe-fix.patch
-# Upstream patch:
-Patch31: sendmail-8.16.0.29-fix-covscan-issues.patch
-# Enable sendmail to stop using STARTTLS after a certain amount of previous failures
-# rhbz#1868041
-Patch32: sendmail-8.15.2-tlsfallback.patch
+Patch25: sendmail-8.16.1-qos.patch
+Patch26: sendmail-8.16.1-libmilter-socket-activation.patch
+Patch27: sendmail-8.16.1-openssl-3.0-fix.patch
 
-Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: make
 BuildRequires: libdb-devel
+%if "%{with_nis}" == "yes"
 BuildRequires: libnsl2-devel
+%endif
+BuildRequires: tinycdb-devel
 BuildRequires: groff
 BuildRequires: ghostscript
 BuildRequires: m4
@@ -125,6 +126,8 @@ Requires: %{_sbindir}/saslauthd
 %if "%{with_ldap}" == "yes"
 BuildRequires: openldap-devel openssl-devel
 %endif
+# Old NetworkManager expects the dispatcher scripts in a different place
+Conflicts: NetworkManager < 1.20
 
 
 %description
@@ -140,7 +143,6 @@ Sendmail, you can install the sendmail-doc package.
 
 %package doc
 Summary: Documentation about the Sendmail Mail Transport Agent program
-Group: Documentation
 BuildArch: noarch
 Requires: sendmail = %{version}-%{release}
 
@@ -151,7 +153,6 @@ contributed scripts and tools for use with Sendmail.
 
 %package milter-devel
 Summary: Development files for the sendmail milter library
-Group: Development/Libraries
 Requires: sendmail-milter%{?_isa} = %{version}-%{release}
 # The following Provides: and Obsoletes: can be dropped in f28+
 Provides: sendmail-devel%{?_isa} = %{version}-%{release}
@@ -163,7 +164,6 @@ Include files and devel libraries for the milter add-ons as part of sendmail.
 
 %package cf
 Summary: The files needed to reconfigure Sendmail
-Group: System Environment/Daemons
 Requires: sendmail = %{version}-%{release}
 BuildArch: noarch
 Requires: m4
@@ -176,7 +176,6 @@ your sendmail.cf file.
 
 %package milter
 Summary: The sendmail milter library
-Group: System Environment/Libraries
 
 %description milter
 The sendmail Mail Filter API (Milter) is designed to allow third-party
@@ -206,12 +205,7 @@ cp devtools/M4/UNIX/{,shared}library.m4
 %patch23 -p1 -b .sasl2-in-etc
 %patch25 -p1 -b .qos
 %patch26 -p1 -b .libmilter-socket-activation
-%patch27 -p1 -b .smtp-session-reuse-fix
-%patch28 -p1 -b .openssl-1.1.0-fix
-%patch29 -p1 -b .format-security
-%patch30 -p1 -b .openssl-1.1.0-ecdhe-fix
-%patch31 -p1 -b .fix-covscan-issues
-%patch32 -p1
+%patch27 -p1 -b .openssl-3.0-fix
 
 for f in RELEASE_NOTES contrib/etrn.0; do
 	iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
@@ -223,11 +217,11 @@ sed -i 's|/usr/local/bin/perl|%{_bindir}/perl|' contrib/*.pl
 %build
 # generate redhat config file
 cat > redhat.config.m4 << EOF
-define(\`confMAPDEF', \`-DNEWDB -DNIS -DMAP_REGEX -DSOCKETMAP -DNAMED_BIND=1')
+define(\`confMAPDEF', \`-DNEWDB -DCDB %{?nis_cflags} -DMAP_REGEX -DSOCKETMAP -DNAMED_BIND=1')
 define(\`confOPTIMIZE', \`\`\`\`${RPM_OPT_FLAGS}'''')
-define(\`confENVDEF', \`-I%{_includedir}/libdb -I%{_prefix}/kerberos/include -Wall -DXDEBUG=0 -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_LINUX_MHNL -D_FFR_QOS -D_FILE_OFFSET_BITS=64')
+define(\`confENVDEF', \`-I%{_includedir}/libdb -I%{_prefix}/kerberos/include -Wall -DXDEBUG=0 -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_LINUX_MHNL -D_FFR_QOS -D_FILE_OFFSET_BITS=64 -DHAS_GETHOSTBYNAME2')
 define(\`confLIBDIRS', \`-L%{_prefix}/kerberos/%{_lib}')
-define(\`confLIBS', \`-lnsl -lcrypt -ldb -lresolv')
+define(\`confLIBS', \`%{?nis_ldadd} -lcrypt -ldb -lcdb -lresolv')
 %{?_hardened_build:define(\`confLDOPTS', \`-Xlinker -z -Xlinker relro -Xlinker -z -Xlinker now')}
 define(\`confMANOWN', \`root')
 define(\`confMANGRP', \`root')
@@ -238,6 +232,7 @@ define(\`confMAN8SRC', \`8')
 define(\`confSTDIR', \`%{stdir}')
 define(\`STATUS_FILE', \`%{stdir}/statistics')
 define(\`confLIBSEARCH', \`db resolv 44bsd')
+define(\`confCC', \`%{__cc}')
 EOF
 #'
 
@@ -263,7 +258,7 @@ EOF
 
 %if "%{with_tls}" == "yes"
 cat >> redhat.config.m4 << EOF
-APPENDDEF(\`conf_sendmail_ENVDEF', \`-DSTARTTLS -D_FFR_TLS_1 -D_FFR_TLS_EC -D_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE')dnl
+APPENDDEF(\`conf_sendmail_ENVDEF', \`-DSTARTTLS -D_FFR_TLS_1 -DTLS_EC -D_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE -DDANE')dnl
 APPENDDEF(\`conf_sendmail_LIBS', \`-lssl -lcrypto')dnl
 EOF
 %endif
@@ -305,15 +300,13 @@ done
 make -C doc/op op.pdf
 
 %install
-rm -rf %{buildroot}
-
 # create directories
 for d in %{_bindir} %{_sbindir} %{_includedir}/libmilter \
 	%{_libdir} %{_mandir}/man{1,5,8} %{maildir} %{stdir} %{spooldir} \
 	%{_docdir}/sendmail %{sendmailcf} %{_sysconfdir}/smrsh\
 	%{spooldir}/clientmqueue %{_sysconfdir}/sysconfig %{_initrddir} \
 	%{_sysconfdir}/pam.d %{_docdir}/sendmail/contrib \
-	%{_sysconfdir}/NetworkManager/dispatcher.d
+	%{_prefix}/lib/NetworkManager/dispatcher.d
 do
 	install -m 755 -d %{buildroot}$d
 done
@@ -426,7 +419,7 @@ touch %{buildroot}%{maildir}/aliasesdb-stamp
 touch %{buildroot}%{spooldir}/clientmqueue/sm-client.st
 
 install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/sendmail
-install -p -m 755 %{SOURCE2} %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/10-sendmail
+install -p -m 755 %{SOURCE2} %{buildroot}%{_prefix}/lib/NetworkManager/dispatcher.d/10-sendmail
 install -p -m 755 %{SOURCE3} %{buildroot}%{maildir}/make
 install -p -m 644 %{SOURCE5} %{buildroot}%{maildir}/Makefile
 
@@ -573,7 +566,7 @@ if [ ! -f %{sslcert} ]; then
 
   %{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -set_serial $RANDOM -out %{sslcert} \
     -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"
-  chmod 644 %{sslcert}
+  chmod 600 %{sslcert}
 fi
 
 exit 0
@@ -585,9 +578,7 @@ if [ $1 = 0 ]; then
 fi
 exit 0
 
-%post milter -p /sbin/ldconfig
-
-%postun milter -p /sbin/ldconfig
+%ldconfig_scriptlets milter
 
 
 %files
@@ -675,7 +666,7 @@ exit 0
 %{_unitdir}/sm-client.service
 %config(noreplace) %{_sysconfdir}/sysconfig/sendmail
 %config(noreplace) %{_sysconfdir}/pam.d/smtp.sendmail
-%{_sysconfdir}/NetworkManager/dispatcher.d/10-sendmail
+%{_prefix}/lib/NetworkManager
 
 %if "%{with_sasl2}" == "yes"
 %config(noreplace) %{_sysconfdir}/sasl2/Sendmail.conf
@@ -718,27 +709,100 @@ exit 0
 
 
 %changelog
-* Tue Dec 01 2020 Tomas Korbar <tkorbar@redhat.com> - 8.15.2-34
-- Fix verification of ghost files
-- Resolves: rhbz#1730804
+* Mon Aug 14 2023 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-11
+- Fixed verification of the ghost files
+  Resolves: rhbz#2052091
 
-* Tue Sep 08 2020 Tomas Korbar <tkorbar@redhat.com> - 8.15.2-33
-- Backport confTLS_FALLBACK_TO_CLEAR option
-- Resolves: rhbz#1868041
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 8.16.1-10
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Fri May 03 2019 Ondřej Lysoněk <olysonek@redhat.com> - 8.15.2-32
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 8.16.1-9
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri May  7 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-8
+- Added support for openssl-3.0
+  Resolves: rhbz#1953504
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 8.16.1-7
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-6
+- Disable NIS support for RHEL9+
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8.16.1-5
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 8.16.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Dec  2 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-3
+- Enabled CDB map support
+  Related: rhbz#1781181
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.16.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul  7 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 8.16.1-1
+- New version
+  Resolves: rhbz#1853885
+- Dropped smtp-session-reuse-fix, openssl-1.1.0-fix, openssl-1.1.0-ecdhe-fix,
+  gethostbyname2, fix-covscan-issues, gcc-10-fix patches (not needed)
+- Dropped format-security patch (upstreamed)
+- Updated patches
+
+* Fri Apr 03 2020 Tom Stellard <tstellar@redhat.com> - 8.15.2-44
+- Specify value for confCC in redhat.config.m4
+
+* Mon Feb 10 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-43
+- Fixed FTBFS with gcc-10
+  Resolves: rhbz#1800082
+- De-fuzzified fix-covscan-issues patch
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.2-42
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Nov 04 2019 Ondřej Lysoněk <olysonek@redhat.com> - 8.15.2-41
 - Fix issues discovered by Coverity scan
-- Resolves: rhbz#1602689
 
-* Mon Nov 19 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-31
+* Thu Aug 22 2019 Lubomir Rintel <lkundrak@v3.sk> - 8.15.2-40
+- Move the NetworkManager dispatcher script out of /etc
+
+* Fri Aug  2 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-39
+- Used gethostbyname2 instead of gethostbyname to fix FTBFS caused by
+  glibc update dropping support for obsolete RES_USE_INET6
+  Resolves: rhbz#1736650
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.2-38
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 8.15.2-37
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 8.15.2-36
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Mon Nov 19 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-35
+- Used _prefix macro for more hardcoded /usr directories
+
+* Mon Nov 19 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-34
 - Used _prefix macro for /usr
-  Resolves: rhbz#1650256
 
-* Thu Nov 15 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-30
-- Dropped sysvinit support
-  Resolves: rhbz#1610287
+* Mon Oct 29 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-33
 - Dropped hesiod support
-  Resolves: rhbz#1638491
+  Resolves: rhbz#1643264
+
+* Tue Oct 16 2018 Peter Robinson <pbrobinson@fedoraproject.org> 8.15.2-32
+- Drop old pre F-23 conditionals, minor spec cleanups
+
+* Wed Aug 29 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-31
+- Added support for sendmail service reload
+  Resolves: rhbz#1618552
+
+* Mon Aug 20 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-30
+- Fixed sendmail.pem unsafe: Group readable file
 
 * Mon Jul 23 2018 Robert Scheck <robert@fedoraproject.org> - 8.15.2-29
 - Add basic sendmail TLS configuration by default (#1607314 #c11)

sources

@@ -0,0 +1 @@
+SHA512 (sendmail.8.16.1.tar.gz) = d7d4aac3c6d7505782abdb166204901b8b51cac000d610dfe40eda9eef7441a073af9e8e0b14c8719b07b445f55a1e2c28ac63d663d0daa7f1eafc5a101788b2