Revisions of sendmail
Ana Guerrero (anag+factory)
accepted
request 1151694
from
Dr. Werner Fink (WernerFink)
(revision 123)
Prepare for RPM 4.20 (forwarded request 1151482 from dimstar)
Ana Guerrero (anag+factory)
accepted
request 1144171
from
Dr. Werner Fink (WernerFink)
(revision 122)
- Update to version sendmail 8.18.1 2024/01/31
  * sendmail is now stricter in following the RFCs and rejects some invalid input with respect to line endings and pipelining:
    - Prevent transaction stuffing by ensuring SMTP clients wait for the HELO/EHLO and DATA response before sending further SMTP commands. This can be disabled using the new srv_features option 'F'. Issue reported by Yepeng Pan and Christian Rossow from CISPA Helmholtz Center for Information Security.
    - Accept only CRLF . CRLF as end of an SMTP message as required by the RFCs, which can be disabled by the new srv_features option 'O'.
    - Do not accept a CR or LF except in the combination CRLF (as required by the RFCs). These checks can be disabled by the new srv_features options 'U' and 'G', respectively. In this case it is suggested to use 'u2' and 'g2' instead so the server replaces offending bare CR or bare LF with a space. It is recommended to only turn these protections off for trusted networks due to the potential for abuse.
  * Full DANE support is available if OpenSSL versions 1.1.1 or 3.x are used, i.e., TLSA RR 2-x-y and 3-x-y are supported as required by RFC 7672.
  * OpenSSL version 3.0.x is supported. Note: OpenSSL 3 loads by default an openssl.cnf file from a location specified in the library which may cause unwanted behaviour in sendmail. Hence sendmail sets the environment variable OPENSSL_CONF to /etc/mail/sendmail.ossl to override the default. The file name can be
Ana Guerrero (anag+factory)
accepted
request 1142755
from
Dr. Werner Fink (WernerFink)
(revision 121)
- Correct permission files path to /usr/share/permissions/permissions.d/ (boo#1219339)
- Fix file provides of openssl and timeout
- Avoid error messages of chkstat as this tool does not accept slashes at the end of directory paths!
- Move sendmail's permissions files to /usr/share/permissions/
- Work on certificates usage of smart and relay host
- Work on certificates for running sendmail
Ana Guerrero (anag+factory)
accepted
request 1135112
from
Factory Maintainer (factory-maintainer)
(revision 120)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1094805
from
Dr. Werner Fink (WernerFink)
(revision 119)
- Update to pre version sendmail 8.17.2
  * Make sure DANE checks (if enabled) are performed even if CACertPath or CACertFile are not set or unusable.
  * Note: if the code to set up TLS in the client fails, then {verify} will be set to TEMP but DANE requirements will be ignored, i.e., by default mail will be sent without STARTTLS. This can be changed via a LOCAL_TLS_SERVER ruleset.
  * Pass server name to clt_features ruleset instead of client name to account for limitations in macro availability described below in CONFIG section. This may break custom clt_features rulesets which expect to receive the client name as input.
  * Fix a regression introduced in 8.17.1: aliases file which contain continuation lines caused parsing errors.
  * Add an FFR (for future release) compile time option _FFR_LOG_STAGE to log the protocol stage as stage= for some errors during delivery attempts to make troubleshooting simpler. This new logging may be enabled in a future release.
  * When EAI is enabled, milters also got the arguments of MAIL/RCPT commands in argv[0] for xxfi_envfrom()/xxfi_envrcpt() callbacks instead of just the mail address. Problem reported by Dilyan Palauzo.
  * When EAI is enabled, mailq prints UTF-8 addresses as such if SMTPUTF8 was used.
  * When EAI is enabled, the $h macro is now in the correct format. Previously this could cause wrong values for relay= in log entries and the mailer argument vector.
  * When the compile time option USE_EAI is enabled, vacation could fail to respond when it should. Problem reported by
Dominique Leuenberger (dimstar_suse)
accepted
request 1090230
from
Dr. Werner Fink (WernerFink)
(revision 118)
- Use the bash intrinsic virtual file /dev/tcp/localhost/<port> to check for MTA port
- Avoid fuser for detecting if sendmail is listening on MTA port
Dominique Leuenberger (dimstar_suse)
accepted
request 1065705
from
Dr. Werner Fink (WernerFink)
(revision 117)
- Drop NIS/NISPLUS support for Tumbleweed (boo#1208221)
Dominique Leuenberger (dimstar_suse)
accepted
request 1060641
from
Dr. Werner Fink (WernerFink)
(revision 116)
- Fix source URLs: ftp.sendmail.com was restructured and the pub/sendmail directory is now the root directory.
- Switch over to https URLs (forwarded request 1060633 from dimstar)
Dominique Leuenberger (dimstar_suse)
accepted
request 1057036
from
Dr. Werner Fink (WernerFink)
(revision 115)
- Migration of PAM settings to /usr/lib/pam.d. (forwarded request 1045669 from schubi2)
Dominique Leuenberger (dimstar_suse)
accepted
request 1031106
from
Dr. Werner Fink (WernerFink)
(revision 114)
- Remove maybe perilous shell script code from sm-client.pre (boo#1202937)
Dominique Leuenberger (dimstar_suse)
accepted
request 1010237
from
Factory Maintainer (factory-maintainer)
(revision 113)
Automatic submission by obs-autosubmit
Fabian Vogt (favogt_factory)
accepted
request 1008186
from
Dr. Werner Fink (WernerFink)
(revision 112)
- Do not start sendmail-client as user mail as this one is not allowed to check port smtp aka 25
- Fix sm-client.pre script as ports are not only numbers but also alias names
- Rework system service unit files
  * sendmail-client now uses user and group mail which requires
  * /etc/mail/system/ becomes readable by all users e.g. mail
  * sendmail now uses -bD to avoid a fork, this requires Type=exec
- Various bug fixes
- Require user and group mail for post and verify scriptlets
- Add a %ghost for /run/sendmail which is created by tmpfile systemd configuration of sendmail
- Own /var/spool/mail (boo#1179574)
- Avoid older alias.db
- Avoid that sendmail can not write its pid file
- Allow sendmail and its helper like maildrop and procmail to write into the users mail folder
Dominique Leuenberger (dimstar_suse)
accepted
request 950458
from
Dr. Werner Fink (WernerFink)
(revision 111)
- Allow mail delivery below /home again, that is disable "ProtectHome=read-only" for now
Dominique Leuenberger (dimstar_suse)
accepted
request 948986
from
Dr. Werner Fink (WernerFink)
(revision 110)
- No snapshots
- Update to final version sendmail 8.17.1
  * Several potential memory leaks and other similar problems (mostly in error handling code) have been fixed. Problems reported by Tomas Korbar of RedHat.
- Port patches to new version
  * sendmail-8.14.7-select.dif
  * sendmail-8.17.1.dif
Dominique Leuenberger (dimstar_suse)
accepted
request 932215
from
Dr. Werner Fink (WernerFink)
(revision 109)
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort (forwarded request 932207 from jsegitz)
Dominique Leuenberger (dimstar_suse)
accepted
request 906268
from
Factory Maintainer (factory-maintainer)
(revision 108)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 903383
from
Dr. Werner Fink (WernerFink)
(revision 107)
- Re-add 'sysvinit(network)' build dependency
- Use %set_permissions on path /var/spool/clientmqueue/ as well (boo#1187809)
- Update to pre version sendmail 8.17.1 (8.17.0.3)
  * Deprecation notice: due to compatibility problems with some third party code, we plan to finally switch from K&R to ANSI C. If you are using sendmail on a system which does not have a compiler for ANSI C contact us with details as soon as possible so we can determine how to proceed.
  * Experimental support for SMTPUTF8 (EAI, see RFC 6530-6533) is available when using the compile time option USE_EAI (see also devtools/Site/site.config.m4.sample for other required settings) and the cf option SMTPUTF8. If a mail submission via the command line requires the use of SMTPUTF8, e.g., because a header uses UTF-8 encoding, but the addresses on the command line are all ASCII, then the new option -U must be used, and the cf option SMTPUTF8 must be set in submit.cf. Please test and provide feedback.
  * Experimental support for SMTP MTA Strict Transport Security (MTA-STS, see RFC 8461) is available when using
    - the compile time option _FFR_MTA_STS (which requires STARTTLS, MAP_REGEX, SOCKETMAP, and _FFR_TLS_ALTNAMES),
    - FEATURE(sts), which implicitly sets the cf option StrictTransportSecurity,
    - postfix-mta-sts-resolver, see https://github.com/Snawoot/postfix-mta-sts-resolver.git
  * New ruleset check_other which is called for all unknown SMTP
Dominique Leuenberger (dimstar_suse)
accepted
request 897975
from
Dr. Werner Fink (WernerFink)
(revision 106)
- sendmail-suse.tar.bz2: don't set /var/spool/mail perms, it is part of filesystem (forwarded request 897434 from gmbr3)
Dominique Leuenberger (dimstar_suse)
accepted
request 896007
from
Dr. Werner Fink (WernerFink)
(revision 105)
- sendmail-suse.tar.bz2: add file tmpfile which will be installed in tmpfiles.d as sendmail.conf. With this /run/sendmail will be created at boot.
- Fix locations in permissions files to fit _libexecdir change (boo#1186592)
- sendmail-suse.tar.bz2: add trailing slash to permissions entries for /var/spool/mail, because it is a directory and `chkstat` expects trailing slashes for directories.
Dominique Leuenberger (dimstar_suse)
accepted
request 893554
from
Dr. Werner Fink (WernerFink)
(revision 104)
- Remove /var/mail to /var/spool/mail patch (forwarded request 893473 from gmbr3)
Displaying revisions 1 - 20 of 123