Compare commits
No commits in common. "c8" and "imports/c8/sendmail-8.15.2-31.el8" have entirely different histories.
c8
...
imports/c8
@ -1,204 +0,0 @@
|
||||
commit 72c678024d5f7b97bae8c20cc3fb2e0299778d5b
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Mon Sep 7 12:41:05 2020 +0200
|
||||
|
||||
Backport confTLS_FALLBACK_TO_CLEAR Configuration option
|
||||
|
||||
diff --git a/cf/README b/cf/README
|
||||
index 91e69a9..e8941ad 100644
|
||||
--- a/cf/README
|
||||
+++ b/cf/README
|
||||
@@ -4011,6 +4011,10 @@ confUSERDB_SPEC UserDatabaseSpec
|
||||
confFALLBACK_MX FallbackMXhost [undefined] Fallback MX host.
|
||||
confFALLBACK_SMARTHOST FallbackSmartHost
|
||||
[undefined] Fallback smart host.
|
||||
+confTLS_FALLBACK_TO_CLEAR TLSFallbacktoClear
|
||||
+ [undefined] If set, immediately try
|
||||
+ a connection again without STARTTLS
|
||||
+ after a TLS handshake failure.
|
||||
confTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX
|
||||
for a host and other arrangements
|
||||
haven't been made, try connecting
|
||||
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
|
||||
index 0df3416..a741d97 100644
|
||||
--- a/cf/m4/proto.m4
|
||||
+++ b/cf/m4/proto.m4
|
||||
@@ -656,6 +656,8 @@ _OPTION(CipherList, `confCIPHER_LIST', `')
|
||||
_OPTION(ServerSSLOptions, `confSERVER_SSL_OPTIONS', `')
|
||||
# client side SSL options
|
||||
_OPTION(ClientSSLOptions, `confCLIENT_SSL_OPTIONS', `')
|
||||
+# TLS: fall back to clear text after handshake failure?
|
||||
+_OPTION(TLSFallbacktoClear, `confTLS_FALLBACK_TO_CLEAR', `')
|
||||
|
||||
# Input mail filters
|
||||
_OPTION(InputMailFilters, `confINPUT_MAIL_FILTERS', `')
|
||||
@@ -2856,6 +2858,7 @@ R<$-:$+><VERIFY $*> <$*> FAIL $#error $@ $2 $: $1 " authentication failed"
|
||||
R<$-:$+><VERIFY $*> <$*> NO $#error $@ $2 $: $1 " not authenticated"
|
||||
R<$-:$+><VERIFY $*> <$*> NOT $#error $@ $2 $: $1 " no authentication requested"
|
||||
R<$-:$+><VERIFY $*> <$*> NONE $#error $@ $2 $: $1 " other side does not support STARTTLS"
|
||||
+R<$-:$+><VERIFY $*> <$*> CLEAR $#error $@ $2 $: $1 " STARTTLS disabled locally"
|
||||
dnl some other value for ${verify}
|
||||
R<$-:$+><VERIFY $*> <$*> $+ $#error $@ $2 $: $1 " authentication failure " $4
|
||||
dnl some level of encryption required: get the maximum level (case 2.)
|
||||
diff --git a/doc/op/op.me b/doc/op/op.me
|
||||
index 57e25cd..97d3b9c 100644
|
||||
--- a/doc/op/op.me
|
||||
+++ b/doc/op/op.me
|
||||
@@ -8340,6 +8340,22 @@ PostMilter is useful only when
|
||||
.i sendmail
|
||||
is running as an SMTP server; in all other situations it
|
||||
acts the same as True.
|
||||
+.ip TLSFallbacktoClear
|
||||
+[no short name]
|
||||
+If set,
|
||||
+.i sendmail
|
||||
+immediately tries an outbound connection again without STARTTLS
|
||||
+after a TLS handshake failure.
|
||||
+Note:
|
||||
+this applies to all connections even if TLS specific requirements are set
|
||||
+(see rulesets
|
||||
+.i tls_rcpt
|
||||
+and
|
||||
+.i tls_client
|
||||
+).
|
||||
+Hence such requirements will cause an error on a retry without STARTTLS.
|
||||
+Therefore they should only trigger a temporary failure so the connection
|
||||
+is later on tried again.
|
||||
.ip TLSSrvOptions
|
||||
[no short name]
|
||||
List of options for SMTP STARTTLS for the server
|
||||
diff --git a/sendmail/deliver.c b/sendmail/deliver.c
|
||||
index 8027a50..af42e8f 100644
|
||||
--- a/sendmail/deliver.c
|
||||
+++ b/sendmail/deliver.c
|
||||
@@ -1334,6 +1334,10 @@ deliver(e, firstto)
|
||||
char *pv[MAXPV + 1];
|
||||
char buf[MAXNAME + 1];
|
||||
char cbuf[MAXPATHLEN];
|
||||
+#if STARTTLS
|
||||
+ /* 0: try TLS, 1: try without TLS again, >1: don't try again */
|
||||
+ int tlsstate;
|
||||
+#endif
|
||||
|
||||
errno = 0;
|
||||
SM_REQUIRE(firstto != NULL); /* same as to */
|
||||
@@ -1349,7 +1353,9 @@ deliver(e, firstto)
|
||||
e->e_statmsg = NULL;
|
||||
SmtpError[0] = '\0';
|
||||
xstart = curtime();
|
||||
-
|
||||
+#if STARTTLS
|
||||
+ tlsstate = 0;
|
||||
+#endif
|
||||
if (tTd(10, 1))
|
||||
sm_dprintf("\n--deliver, id=%s, mailer=%s, host=`%s', first user=`%s'\n",
|
||||
e->e_id, m->m_name, host, to->q_user);
|
||||
@@ -2073,6 +2079,9 @@ tryhost:
|
||||
hostnum++;
|
||||
if (endp != NULL)
|
||||
*endp = sep;
|
||||
+#if STARTTLS
|
||||
+ tlsstate = 0;
|
||||
+#endif
|
||||
|
||||
one_last_try:
|
||||
/* see if we already know that this host is fried */
|
||||
@@ -2960,6 +2969,8 @@ reconnect: /* after switching to an encrypted connection */
|
||||
usetls = bitset(MCIF_TLS, mci->mci_flags);
|
||||
if (usetls)
|
||||
usetls = !iscltflgset(e, D_NOTLS);
|
||||
+ if (usetls)
|
||||
+ usetls = tlsstate == 0;
|
||||
|
||||
host = macvalue(macid("{server_name}"), e);
|
||||
if (usetls)
|
||||
@@ -3025,8 +3036,11 @@ reconnect: /* after switching to an encrypted connection */
|
||||
}
|
||||
}
|
||||
else
|
||||
+ {
|
||||
+ p = tlsstate == 0 ? "NONE": "CLEAR";
|
||||
macdefine(&e->e_macro, A_PERM,
|
||||
- macid("{verify}"), "NONE");
|
||||
+ macid("{verify}"), p);
|
||||
+ }
|
||||
olderrors = Errors;
|
||||
QuickAbort = false;
|
||||
SuprErrs = true;
|
||||
@@ -3077,6 +3091,10 @@ reconnect: /* after switching to an encrypted connection */
|
||||
}
|
||||
mci->mci_flags &= ~MCIF_TLSACT;
|
||||
(void) endmailer(mci, e, pv);
|
||||
+ if (TLSFallbacktoClear)
|
||||
+ {
|
||||
+ ++tlsstate;
|
||||
+ }
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -3119,6 +3137,27 @@ reconnect: /* after switching to an encrypted connection */
|
||||
mci_clr_extensions(mci);
|
||||
goto reconnect;
|
||||
}
|
||||
+ if (tlsstate == 1)
|
||||
+ {
|
||||
+ if (tTd(11, 1))
|
||||
+ {
|
||||
+ sm_syslog(LOG_DEBUG, NOQID,
|
||||
+ "STARTTLS=client, relay=%.100s, tlsstate=%d, status=trying_again",
|
||||
+ mci->mci_host, tlsstate);
|
||||
+ mci_dump(NULL, mci, true);
|
||||
+ }
|
||||
+ ++tlsstate;
|
||||
+ /*
|
||||
+ ** Fake the status so a new connection is
|
||||
+ ** tried, otherwise the TLS error will
|
||||
+ ** "persist" during this delivery attempt.
|
||||
+ */
|
||||
+
|
||||
+ mci->mci_errno = 0;
|
||||
+ rcode = EX_OK;
|
||||
+ mci_setstat(mci, rcode, NULL, NULL);
|
||||
+ goto one_last_try;
|
||||
+ }
|
||||
}
|
||||
# endif /* STARTTLS */
|
||||
# if SASL
|
||||
diff --git a/sendmail/readcf.c b/sendmail/readcf.c
|
||||
index 86892f5..82660f4 100644
|
||||
--- a/sendmail/readcf.c
|
||||
+++ b/sendmail/readcf.c
|
||||
@@ -2911,7 +2911,10 @@ static struct optioninfo
|
||||
#endif
|
||||
#define O_USECOMPRESSEDIPV6ADDRESSES 0xec
|
||||
{ "UseCompressedIPv6Addresses", O_USECOMPRESSEDIPV6ADDRESSES, OI_NONE },
|
||||
-
|
||||
+#if STARTTLS
|
||||
+# define O_TLSFB2CLEAR 0xef
|
||||
+ { "TLSFallbacktoClear", O_TLSFB2CLEAR, OI_NONE },
|
||||
+#endif
|
||||
{ NULL, '\0', OI_NONE }
|
||||
};
|
||||
|
||||
@@ -4305,6 +4308,9 @@ setoption(opt, val, safe, sticky, e)
|
||||
#endif /* SASL */
|
||||
|
||||
#if STARTTLS
|
||||
+ case O_TLSFB2CLEAR:
|
||||
+ TLSFallbacktoClear = atobool(val);
|
||||
+ break;
|
||||
case O_SRVCERTFILE:
|
||||
SET_STRING_EXP(SrvCertFile);
|
||||
case O_SRVKEYFILE:
|
||||
diff --git a/sendmail/sendmail.h b/sendmail/sendmail.h
|
||||
index 441399c..9be1e76 100644
|
||||
--- a/sendmail/sendmail.h
|
||||
+++ b/sendmail/sendmail.h
|
||||
@@ -2032,6 +2032,7 @@ EXTERN char *CRLPath; /* path to CRLs (dir. with hashes) */
|
||||
#endif /* _FFR_CRLPATH */
|
||||
EXTERN unsigned long TLS_Srv_Opts; /* TLS server options */
|
||||
EXTERN unsigned long Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
|
||||
+EXTERN bool TLSFallbacktoClear;
|
||||
#endif /* STARTTLS */
|
||||
|
||||
/*
|
@ -1,149 +0,0 @@
|
||||
diff --git a/include/sm/varargs.h b/include/sm/varargs.h
|
||||
index 612858d..2609630 100644
|
||||
--- a/include/sm/varargs.h
|
||||
+++ b/include/sm/varargs.h
|
||||
@@ -32,6 +32,11 @@
|
||||
# define SM_VA_COPY(dst, src) __va_copy((dst), (src))
|
||||
# else
|
||||
# define SM_VA_COPY(dst, src) memcpy(&(dst), &(src), sizeof((dst)))
|
||||
+# define SM_VA_END_COPY(ap) do { } while (0)
|
||||
+# endif
|
||||
+
|
||||
+# ifndef SM_VA_END_COPY
|
||||
+# define SM_VA_END_COPY(ap) va_end(ap)
|
||||
# endif
|
||||
|
||||
/*
|
||||
diff --git a/libsm/vfprintf.c b/libsm/vfprintf.c
|
||||
index 87c353c..c99d4e5 100644
|
||||
--- a/libsm/vfprintf.c
|
||||
+++ b/libsm/vfprintf.c
|
||||
@@ -782,6 +782,7 @@ number: if ((dprec = prec) >= 0)
|
||||
done:
|
||||
FLUSH();
|
||||
error:
|
||||
+ SM_VA_END_COPY(orgap);
|
||||
if ((argtable != NULL) && (argtable != statargtable))
|
||||
sm_free(argtable);
|
||||
return sm_error(fp) ? SM_IO_EOF : ret;
|
||||
diff --git a/sendmail/milter.c b/sendmail/milter.c
|
||||
index 462efd2..af6dc66 100644
|
||||
--- a/sendmail/milter.c
|
||||
+++ b/sendmail/milter.c
|
||||
@@ -2437,8 +2437,7 @@ milter_negotiate(m, e, milters)
|
||||
sm_syslog(LOG_ERR, e->e_id,
|
||||
"Milter (%s): negotiate: returned %c instead of %c",
|
||||
m->mf_name, rcmd, SMFIC_OPTNEG);
|
||||
- if (response != NULL)
|
||||
- sm_free(response); /* XXX */
|
||||
+ SM_FREE(response);
|
||||
milter_error(m, e);
|
||||
return -1;
|
||||
}
|
||||
@@ -2453,8 +2452,7 @@ milter_negotiate(m, e, milters)
|
||||
sm_syslog(LOG_ERR, e->e_id,
|
||||
"Milter (%s): negotiate: did not return valid info",
|
||||
m->mf_name);
|
||||
- if (response != NULL)
|
||||
- sm_free(response); /* XXX */
|
||||
+ SM_FREE(response);
|
||||
milter_error(m, e);
|
||||
return -1;
|
||||
}
|
||||
@@ -2472,8 +2470,7 @@ milter_negotiate(m, e, milters)
|
||||
sm_syslog(LOG_ERR, e->e_id,
|
||||
"Milter (%s): negotiate: did not return enough info",
|
||||
m->mf_name);
|
||||
- if (response != NULL)
|
||||
- sm_free(response); /* XXX */
|
||||
+ SM_FREE(response);
|
||||
milter_error(m, e);
|
||||
return -1;
|
||||
}
|
||||
@@ -2589,11 +2586,11 @@ milter_negotiate(m, e, milters)
|
||||
if (tTd(64, 5))
|
||||
sm_dprintf("milter_negotiate(%s): received: version %u, fflags 0x%x, pflags 0x%x\n",
|
||||
m->mf_name, m->mf_fvers, m->mf_fflags, m->mf_pflags);
|
||||
+ SM_FREE(response);
|
||||
return 0;
|
||||
|
||||
error:
|
||||
- if (response != NULL)
|
||||
- sm_free(response); /* XXX */
|
||||
+ SM_FREE(response);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -3230,6 +3227,7 @@ milter_changeheader(m, response, rlen, e)
|
||||
addheader(newstr(field), mh_value, H_USER, e,
|
||||
!bitset(SMFIP_HDR_LEADSPC, m->mf_pflags));
|
||||
}
|
||||
+ SM_FREE(mh_value);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -3438,6 +3436,8 @@ milter_chgfrom(response, rlen, e)
|
||||
{
|
||||
if (tTd(64, 10))
|
||||
sm_dprintf("didn't follow protocol argc=%d\n", argc);
|
||||
+ if (argv != NULL)
|
||||
+ free(argv);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -3456,6 +3456,7 @@ milter_chgfrom(response, rlen, e)
|
||||
mail_esmtp_args);
|
||||
}
|
||||
Errors = olderrors;
|
||||
+ free(argv);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -3503,6 +3504,8 @@ milter_addrcpt_par(response, rlen, e)
|
||||
{
|
||||
if (tTd(64, 10))
|
||||
sm_dprintf("didn't follow protocol argc=%d\n", argc);
|
||||
+ if (argv != NULL)
|
||||
+ free(argv);
|
||||
return;
|
||||
}
|
||||
olderrors = Errors;
|
||||
@@ -3527,6 +3530,7 @@ milter_addrcpt_par(response, rlen, e)
|
||||
}
|
||||
|
||||
Errors = olderrors;
|
||||
+ free(argv);
|
||||
return;
|
||||
}
|
||||
|
||||
diff --git a/sendmail/queue.c b/sendmail/queue.c
|
||||
index 503f296..c9153c8 100644
|
||||
--- a/sendmail/queue.c
|
||||
+++ b/sendmail/queue.c
|
||||
@@ -8590,6 +8590,7 @@ split_by_recipient(e)
|
||||
if (split_within_queue(ee) == SM_SPLIT_FAIL)
|
||||
{
|
||||
e->e_sibling = firstsibling;
|
||||
+ SM_FREE(lsplits);
|
||||
return false;
|
||||
}
|
||||
ee->e_flags |= EF_SPLIT;
|
||||
@@ -8604,8 +8605,7 @@ split_by_recipient(e)
|
||||
if (p == NULL)
|
||||
{
|
||||
/* let's try to get this done */
|
||||
- sm_free(lsplits);
|
||||
- lsplits = NULL;
|
||||
+ SM_FREE(lsplits);
|
||||
}
|
||||
else
|
||||
lsplits = p;
|
||||
@@ -8627,7 +8627,7 @@ split_by_recipient(e)
|
||||
{
|
||||
sm_syslog(LOG_NOTICE, e->e_id, "split: count=%d, id%s=%s",
|
||||
n - 1, n > 2 ? "s" : "", lsplits);
|
||||
- sm_free(lsplits);
|
||||
+ SM_FREE(lsplits);
|
||||
}
|
||||
split = split_within_queue(e) != SM_SPLIT_FAIL;
|
||||
if (split)
|
@ -19,7 +19,7 @@
|
||||
Summary: A widely used Mail Transport Agent (MTA)
|
||||
Name: sendmail
|
||||
Version: 8.15.2
|
||||
Release: 34%{?dist}
|
||||
Release: 31%{?dist}
|
||||
License: Sendmail
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.sendmail.org/
|
||||
@ -92,12 +92,6 @@ Patch28: sendmail-8.15.2-openssl-1.1.0-fix.patch
|
||||
Patch29: sendmail-8.15.2-format-security.patch
|
||||
# rhbz#1473971
|
||||
Patch30: sendmail-8.15.2-openssl-1.1.0-ecdhe-fix.patch
|
||||
# Upstream patch:
|
||||
Patch31: sendmail-8.16.0.29-fix-covscan-issues.patch
|
||||
# Enable sendmail to stop using STARTTLS after a certain amount of previous failures
|
||||
# rhbz#1868041
|
||||
Patch32: sendmail-8.15.2-tlsfallback.patch
|
||||
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: libdb-devel
|
||||
BuildRequires: libnsl2-devel
|
||||
@ -210,8 +204,6 @@ cp devtools/M4/UNIX/{,shared}library.m4
|
||||
%patch28 -p1 -b .openssl-1.1.0-fix
|
||||
%patch29 -p1 -b .format-security
|
||||
%patch30 -p1 -b .openssl-1.1.0-ecdhe-fix
|
||||
%patch31 -p1 -b .fix-covscan-issues
|
||||
%patch32 -p1
|
||||
|
||||
for f in RELEASE_NOTES contrib/etrn.0; do
|
||||
iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
|
||||
@ -664,12 +656,12 @@ exit 0
|
||||
%config(noreplace) %{maildir}/virtusertable
|
||||
|
||||
%ghost %{maildir}/aliasesdb-stamp
|
||||
%ghost %attr(0640, root,root) %verify(not md5 size mtime) %{maildir}/virtusertable.db
|
||||
%ghost %attr(0640, root,root) %verify(not md5 size mtime) %{maildir}/access.db
|
||||
%ghost %attr(0640, root,root) %verify(not md5 size mtime) %{maildir}/domaintable.db
|
||||
%ghost %attr(0640, root,root) %verify(not md5 size mtime) %{maildir}/mailertable.db
|
||||
%ghost %{maildir}/virtusertable.db
|
||||
%ghost %{maildir}/access.db
|
||||
%ghost %{maildir}/domaintable.db
|
||||
%ghost %{maildir}/mailertable.db
|
||||
|
||||
%ghost %attr(0660, smmsp, smmsp) %verify(not md5 size mtime) %{spooldir}/clientmqueue/sm-client.st
|
||||
%ghost %{spooldir}/clientmqueue/sm-client.st
|
||||
|
||||
%{_unitdir}/sendmail.service
|
||||
%{_unitdir}/sm-client.service
|
||||
@ -718,18 +710,6 @@ exit 0
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Dec 01 2020 Tomas Korbar <tkorbar@redhat.com> - 8.15.2-34
|
||||
- Fix verification of ghost files
|
||||
- Resolves: rhbz#1730804
|
||||
|
||||
* Tue Sep 08 2020 Tomas Korbar <tkorbar@redhat.com> - 8.15.2-33
|
||||
- Backport confTLS_FALLBACK_TO_CLEAR option
|
||||
- Resolves: rhbz#1868041
|
||||
|
||||
* Fri May 03 2019 Ondřej Lysoněk <olysonek@redhat.com> - 8.15.2-32
|
||||
- Fix issues discovered by Coverity scan
|
||||
- Resolves: rhbz#1602689
|
||||
|
||||
* Mon Nov 19 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 8.15.2-31
|
||||
- Used _prefix macro for /usr
|
||||
Resolves: rhbz#1650256
|
||||
|
Loading…
Reference in New Issue
Block a user