~olbohlen/oi-userland.git

			@@ -1,7 +1,5 @@
			# This patch is Solaris-specific and thus has not been contributed upstream.

			--- sendmail-8.17.1/cf/README 2021-06-09 10:27:53.000000000 +0000
			+++ sendmail-8.17.1/cf/README.new 2022-02-01 10:41:18.120722024 +0000
			--- sendmail-8.18.1/cf/README 2024-01-31 07:38:32.000000000 +0100
			+++ sendmail-8.18.1/cf/README.new 2024-03-06 18:47:12.042203400 +0100
			@@ -4,12 +4,10 @@
			This document describes the sendmail configuration files. It
			explains how to create a sendmail.cf file for use with sendmail.
			@@ -19,7 +17,16 @@

			Table of Content:

			@@ -30,7 +28,6 @@
			@@ -20,8 +18,6 @@
			DOMAINS
			MAILERS
			FEATURES
			-HACKS
			-SITE CONFIGURATION
			USING UUCP MAILERS
			TWEAKING RULESETS
			MASQUERADING AND RELAYING
			@@ -30,7 +26,6 @@
			ANTI-SPAM CONFIGURATION CONTROL
			CONNECTION CONTROL
			STARTTLS
			@@ -27,7 +34,7 @@
			ADDING NEW MAILERS OR RULESETS
			ADDING NEW MAIL FILTERS
			QUEUE GROUP DEFINITIONS
			@@ -61,7 +58,7 @@
			@@ -61,7 +56,7 @@
			Alternatively, you can simply:

			cd ${CFDIR}/cf
			@@ -36,7 +43,7 @@

			where ${CFDIR} is the root of the cf directory and config.mc is the
			name of your configuration file. If you are running a version of M4
			@@ -149,14 +146,6 @@
			@@ -149,14 +144,6 @@
			a define(`PROCMAIL_MAILER_PATH', ...) should be done before
			FEATURE(`local_procmail').

			@@ -51,7 +58,7 @@

			Note:
			Some rulesets, features, and options are only useful if the sendmail
			@@ -218,19 +207,6 @@
			@@ -218,19 +205,6 @@
			directly in the generated .cf file, which however is not advised.


			@@ -71,7 +78,7 @@
			+----------------+
			\| FILE LOCATIONS \|
			+----------------+
			@@ -339,8 +315,7 @@
			@@ -339,8 +313,7 @@
			corresponding queue file types as explained in
			doc/op/op.me. See also QUEUE GROUP DEFINITIONS.
			MSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing
			@@ -81,7 +88,7 @@
			STATUS_FILE [/etc/mail/statistics] The file containing status
			information.
			LOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail.
			@@ -370,17 +345,6 @@
			@@ -370,17 +343,6 @@
			LOCAL_SHELL_DIR [$z:/] The directory search path in which the
			shell should run.
			LOCAL_MAILER_QGRP [undefined] The queue group for the local mailer.
			@@ -99,7 +106,7 @@
			SMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default
			flags are `mDFMuX' for all SMTP-based mailers; the
			"esmtp" mailer adds `a'; "smtp8" adds `8'; and
			@@ -437,17 +401,6 @@
			@@ -437,17 +399,6 @@
			the UUCP mailers and which are converted to MIME will
			be labeled with this character set.
			UUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers.
			@@ -117,7 +124,7 @@
			PROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail
			program. This is also used by
			FEATURE(`local_procmail').
			@@ -462,60 +415,9 @@
			@@ -462,60 +413,9 @@
			PROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that
			will be accepted by the procmail mailer.
			PROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer.
			@@ -178,7 +185,7 @@
			LOCAL_PROG_QGRP [undefined] The queue group for the prog mailer.

			Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS:
			@@ -633,18 +535,6 @@
			@@ -633,18 +533,6 @@
			See the section below describing UUCP mailers in more
			detail.

			@@ -197,7 +204,7 @@
			procmail An interface to procmail (does not come with sendmail).
			This is designed to be used in mailertables. For example,
			a common question is "how do I forward all mail for a given
			@@ -667,37 +557,6 @@
			@@ -667,37 +555,6 @@
			Of course there are other ways to solve this particular
			problem, e.g., a catch-all entry in a virtusertable.

			@@ -235,7 +242,7 @@
			The local mailer accepts addresses of the form "user+detail", where
			the "+detail" is not used for mailbox matching but is available
			to certain local mail programs (in particular, see
			@@ -1418,12 +1277,6 @@
			@@ -1420,12 +1277,6 @@
			user@site for relaying. This feature changes that
			behavior. It should not be needed for most installations.

			@@ -248,7 +255,7 @@
			preserve_luser_host
			Preserve the name of the recipient host if LUSER_RELAY is
			used. Without this option, the domain part of the
			@@ -1460,7 +1313,7 @@
			@@ -1462,7 +1313,7 @@
			FEATURE and introduce new settings via DAEMON_OPTIONS().

			msp Defines config file for Message Submission Program.
			@@ -257,173 +264,9 @@
			to use it. An optional argument can be used to override
			the default of `[localhost]' to use as host to send all
			e-mails to. Note that MX records will be used if the
			@@ -2475,7 +2256,7 @@
			map entries. This feature allows spammers to abuse your mail server
			by specifying a return address that you enabled in your access file.
			This may be harder to figure out for spammers, but it should not
			-be used unless necessary. Instead use SMTP AUTH or STARTTLS to
			+be used unless necessary. Instead use STARTTLS to
			allow relaying for roaming users.


			@@ -2943,8 +2724,7 @@
			tokenization. It might be simpler to use a regex map and apply it
			to $&{currHeader}.
			2. There are no default rulesets coming with this distribution of
			-sendmail. You can write your own, can search the WWW for examples,
			-or take a look at cf/cf/knecht.mc.
			+sendmail. You can write your own or search the WWW for examples.
			3. When using a default ruleset for headers, the name of the header
			currently being checked can be found in the $&{hdr_name} macro.

			@@ -3701,8 +3386,6 @@
			This list is shown in four columns: the name you define, the default
			value for that definition, the option or macro that is affected
			(either Ox for an option or Dx for a macro), and a brief description.
			-Greater detail of the semantics can be found in the Installation
			-and Operations Guide.

			Some options are likely to be deprecated in future versions -- that is,
			the option is only included to provide back-compatibility. These are
			@@ -3932,8 +3615,6 @@
			(e.g., :include: file) to be opened.
			confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response
			to an LMTP LHLO command.
			-confTO_AUTH Timeout.auth [10m] The timeout waiting for a
			- response in an AUTH dialogue.
			confTO_STARTTLS Timeout.starttls
			[1h] The timeout waiting for a
			response to an SMTP STARTTLS command.
			@@ -4303,46 +3984,6 @@
			memory-buffered transcript (xf)
			file before a disk-based file is
			used.
			-confAUTH_MECHANISMS AuthMechanisms [EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5
			- CRAM-MD5] List of authentication
			- mechanisms for AUTH (separated by
			- spaces). The advertised list of
			- authentication mechanisms will be the
			- intersection of this list and the list
			- of available mechanisms as determined
			- by the Cyrus SASL library.
			-confAUTH_REALM AuthRealm [undefined] The authentication realm
			- that is passed to the Cyrus SASL
			- library. If no realm is specified,
			- $j is used. See KNOWNBUGS.
			-confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains
			- authentication information for
			- outgoing connections. This file must
			- contain the user id, the authorization
			- id, the password (plain text), the
			- realm to use, and the list of
			- mechanisms to try, each on a separate
			- line and must be readable by root (or
			- the trusted user) only. If no realm
			- is specified, $j is used. If no
			- mechanisms are given in the file,
			- AuthMechanisms is used. Notice: this
			- option is deprecated and will be
			- removed in future versions; it doesn't
			- work for the MSP since it can't read
			- the file. Use the authinfo ruleset
			- instead. See also the section SMTP
			- AUTHENTICATION.
			-confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A'
			- then the AUTH= parameter for the
			- MAIL FROM command is only issued
			- when authentication succeeded.
			- See doc/op/op.me for more options
			- and details.
			-confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption
			- strength for the security layer in
			- SMTP AUTH (SASL). Default is
			- essentially unlimited.
			confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client
			verification is performed, i.e.,
			the server doesn't ask for a
			@@ -4413,7 +4054,7 @@
			[undefined] Defines {daemon_flags}
			for direct submissions.
			confUSE_MSP UseMSP [undefined] Use as mail submission
			- program, see sendmail/SECURITY.
			+ program.
			confDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By
			SMTP Service Extension (RFC 2852).
			confREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can
			@@ -4559,8 +4200,7 @@
			\| MESSAGE SUBMISSION PROGRAM \|
			+----------------------------+

			-The purpose of the message submission program (MSP) is explained
			-in sendmail/SECURITY. This section contains a list of caveats and
			+This section contains a list of caveats and
			a few hints how for those who want to tweak the default configuration
			for it (which is installed as submit.cf).

			@@ -4575,13 +4215,10 @@
			of the default background mode.
			- FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses
			to the LOCAL_RELAY instead of the default relay.
			-- confRAND_FILE if you use STARTTLS and sendmail is not compiled with
			- the flag HASURANDOM.

			-The MSP performs hostname canonicalization by default. As also
			-explained in sendmail/SECURITY, mail may end up for various DNS
			-related reasons in the MSP queue. This problem can be minimized by
			-using
			+The MSP performs hostname canonicalization by default. Mail may end
			+up for various DNS related reasons in the MSP queue. This problem
			+can be minimized by using

			FEATURE(`nocanonify', `canonify_hosts')
			define(`confDIRECT_SUBMISSION_MODIFIERS', `C')
			@@ -4597,39 +4234,10 @@
			can cause security problems.

			Other things don't work well with the MSP and require tweaking or
			-workarounds. For example, to allow for client authentication it
			-is not just sufficient to provide a client certificate and the
			-corresponding key, but it is also necessary to make the key group
			-(smmsp) readable and tell sendmail not to complain about that, i.e.,
			-
			- define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')
			-
			-If the MSP should actually use AUTH then the necessary data
			-should be placed in a map as explained in SMTP AUTHENTICATION:
			-
			-FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo')
			-
			-/etc/mail/msp-authinfo should contain an entry like:
			-
			- AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5"
			+workarounds.

			The file and the map created by makemap should be owned by smmsp,
			-its group should be smmsp, and it should have mode 640. The database
			-used by the MTA for AUTH must have a corresponding entry.
			-Additionally the MTA must trust this authentication data so the AUTH=
			-part will be relayed on to the next hop. This can be achieved by
			-adding the following to your sendmail.mc file:
			-
			- LOCAL_RULESETS
			- SLocal_trust_auth
			- R$* $: $&{auth_authen}
			- Rsmmsp $# OK
			-
			-Note: the authentication data can leak to local users who invoke
			-the MSP with debug options or even with -v. For that reason either
			-an authentication mechanism that does not show the password in the
			-AUTH dialogue (e.g., DIGEST-MD5) or a different authentication
			-method like STARTTLS should be used.
			+its group should be smmsp, and it should have mode 640.

			feature/msp.m4 defines almost all settings for the MSP. Most of
			those should not be changed at all. Some of the features and options
			--- sendmail-8.17.2/cf/README 2023-05-31 21:55:42.000000000 +0200
			+++ sendmail-8.17.2/cf/README.new 2023-10-13 18:04:44.902861539 +0200
			@@ -1617,79 +1617,6 @@
			For more information see doc/op/op.me.

			@@ -1624,79 +1475,6 @@
			respectively. For details, see the file and
			the OpenSSL documentation.

			-+-------+
			-\| HACKS \|
			@@ -501,7 +344,26 @@
			+--------------------+
			\| USING UUCP MAILERS \|
			+--------------------+
			@@ -3284,102 +3211,6 @@
			@@ -2484,7 +2262,7 @@
			map entries. This feature allows spammers to abuse your mail server
			by specifying a return address that you enabled in your access file.
			This may be harder to figure out for spammers, but it should not
			-be used unless necessary. Instead use SMTP AUTH or STARTTLS to
			+be used unless necessary. Instead use STARTTLS to
			allow relaying for roaming users.


			@@ -2952,8 +2730,7 @@
			tokenization. It might be simpler to use a regex map and apply it
			to $&{currHeader}.
			2. There are no default rulesets coming with this distribution of
			-sendmail. You can write your own, can search the WWW for examples,
			-or take a look at cf/cf/knecht.mc.
			+sendmail. You can write your own or search the WWW for examples.
			3. When using a default ruleset for headers, the name of the header
			currently being checked can be found in the $&{hdr_name} macro.

			@@ -3291,102 +3068,6 @@
			(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})


			@@ -604,3 +466,137 @@
			+--------------------------------+
			\| ADDING NEW MAILERS OR RULESETS \|
			+--------------------------------+
			@@ -3713,8 +3394,6 @@
			This list is shown in four columns: the name you define, the default
			value for that definition, the option or macro that is affected
			(either Ox for an option or Dx for a macro), and a brief description.
			-Greater detail of the semantics can be found in the Installation
			-and Operations Guide.

			Some options are likely to be deprecated in future versions -- that is,
			the option is only included to provide back-compatibility. These are
			@@ -3944,8 +3623,6 @@
			(e.g., :include: file) to be opened.
			confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response
			to an LMTP LHLO command.
			-confTO_AUTH Timeout.auth [10m] The timeout waiting for a
			- response in an AUTH dialogue.
			confTO_STARTTLS Timeout.starttls
			[1h] The timeout waiting for a
			response to an SMTP STARTTLS command.
			@@ -4315,46 +3992,6 @@
			memory-buffered transcript (xf)
			file before a disk-based file is
			used.
			-confAUTH_MECHANISMS AuthMechanisms [EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5
			- CRAM-MD5] List of authentication
			- mechanisms for AUTH (separated by
			- spaces). The advertised list of
			- authentication mechanisms will be the
			- intersection of this list and the list
			- of available mechanisms as determined
			- by the Cyrus SASL library.
			-confAUTH_REALM AuthRealm [undefined] The authentication realm
			- that is passed to the Cyrus SASL
			- library. If no realm is specified,
			- $j is used. See KNOWNBUGS.
			-confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains
			- authentication information for
			- outgoing connections. This file must
			- contain the user id, the authorization
			- id, the password (plain text), the
			- realm to use, and the list of
			- mechanisms to try, each on a separate
			- line and must be readable by root (or
			- the trusted user) only. If no realm
			- is specified, $j is used. If no
			- mechanisms are given in the file,
			- AuthMechanisms is used. Notice: this
			- option is deprecated and will be
			- removed in future versions; it doesn't
			- work for the MSP since it can't read
			- the file. Use the authinfo ruleset
			- instead. See also the section SMTP
			- AUTHENTICATION.
			-confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A'
			- then the AUTH= parameter for the
			- MAIL FROM command is only issued
			- when authentication succeeded.
			- See doc/op/op.me for more options
			- and details.
			-confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption
			- strength for the security layer in
			- SMTP AUTH (SASL). Default is
			- essentially unlimited.
			confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client
			verification is performed, i.e.,
			the server doesn't ask for a
			@@ -4574,8 +4211,7 @@
			\| MESSAGE SUBMISSION PROGRAM \|
			+----------------------------+

			-The purpose of the message submission program (MSP) is explained
			-in sendmail/SECURITY. This section contains a list of caveats and
			+This section contains a list of caveats and
			a few hints how for those who want to tweak the default configuration
			for it (which is installed as submit.cf).

			@@ -4590,13 +4226,10 @@
			of the default background mode.
			- FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses
			to the LOCAL_RELAY instead of the default relay.
			-- confRAND_FILE if you use STARTTLS and sendmail is not compiled with
			- the flag HASURANDOM.

			-The MSP performs hostname canonicalization by default. As also
			-explained in sendmail/SECURITY, mail may end up for various DNS
			-related reasons in the MSP queue. This problem can be minimized by
			-using
			+The MSP performs hostname canonicalization by default. Mail may end
			+up for various DNS related reasons in the MSP queue. This problem
			+can be minimized by using

			FEATURE(`nocanonify', `canonify_hosts')
			define(`confDIRECT_SUBMISSION_MODIFIERS', `C')
			@@ -4612,39 +4245,10 @@
			can cause security problems.

			Other things don't work well with the MSP and require tweaking or
			-workarounds. For example, to allow for client authentication it
			-is not just sufficient to provide a client certificate and the
			-corresponding key, but it is also necessary to make the key group
			-(smmsp) readable and tell sendmail not to complain about that, i.e.,
			-
			- define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')
			-
			-If the MSP should actually use AUTH then the necessary data
			-should be placed in a map as explained in SMTP AUTHENTICATION:
			-
			-FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo')
			-
			-/etc/mail/msp-authinfo should contain an entry like:
			-
			- AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5"
			+workarounds.

			The file and the map created by makemap should be owned by smmsp,
			-its group should be smmsp, and it should have mode 640. The database
			-used by the MTA for AUTH must have a corresponding entry.
			-Additionally the MTA must trust this authentication data so the AUTH=
			-part will be relayed on to the next hop. This can be achieved by
			-adding the following to your sendmail.mc file:
			-
			- LOCAL_RULESETS
			- SLocal_trust_auth
			- R$* $: $&{auth_authen}
			- Rsmmsp $# OK
			-
			-Note: the authentication data can leak to local users who invoke
			-the MSP with debug options or even with -v. For that reason either
			-an authentication mechanism that does not show the password in the
			-AUTH dialogue (e.g., DIGEST-MD5) or a different authentication
			-method like STARTTLS should be used.
			+its group should be smmsp, and it should have mode 640.

			feature/msp.m4 defines almost all settings for the MSP. Most of
			those should not be changed at all. Some of the features and options