From c5a42e3bfaae2bc9d3a69e04f3d588f15761126c Mon Sep 17 00:00:00 2001 From: fritzkink <96341974+fritzkink@users.noreply.github.com> Date: Wed, 06 Mar 2024 22:00:55 +0100 Subject: [PATCH] sendmail - update to version 8.18.1 --- components/mail/sendmail/patches/README.patch | 364 +++++++++++++++++++++++++-------------------------- 1 files changed, 180 insertions(+), 184 deletions(-) diff --git a/components/mail/sendmail/patches/README.patch b/components/mail/sendmail/patches/README.patch index bbe8ac6..623cb3f 100644 --- a/components/mail/sendmail/patches/README.patch +++ b/components/mail/sendmail/patches/README.patch @@ -1,7 +1,5 @@ -# This patch is Solaris-specific and thus has not been contributed upstream. - ---- sendmail-8.17.1/cf/README 2021-06-09 10:27:53.000000000 +0000 -+++ sendmail-8.17.1/cf/README.new 2022-02-01 10:41:18.120722024 +0000 +--- sendmail-8.18.1/cf/README 2024-01-31 07:38:32.000000000 +0100 ++++ sendmail-8.18.1/cf/README.new 2024-03-06 18:47:12.042203400 +0100 @@ -4,12 +4,10 @@ This document describes the sendmail configuration files. It explains how to create a sendmail.cf file for use with sendmail. @@ -19,7 +17,16 @@ Table of Content: -@@ -30,7 +28,6 @@ +@@ -20,8 +18,6 @@ + DOMAINS + MAILERS + FEATURES +-HACKS +-SITE CONFIGURATION + USING UUCP MAILERS + TWEAKING RULESETS + MASQUERADING AND RELAYING +@@ -30,7 +26,6 @@ ANTI-SPAM CONFIGURATION CONTROL CONNECTION CONTROL STARTTLS @@ -27,7 +34,7 @@ ADDING NEW MAILERS OR RULESETS ADDING NEW MAIL FILTERS QUEUE GROUP DEFINITIONS -@@ -61,7 +58,7 @@ +@@ -61,7 +56,7 @@ Alternatively, you can simply: cd ${CFDIR}/cf @@ -36,7 +43,7 @@ where ${CFDIR} is the root of the cf directory and config.mc is the name of your configuration file. If you are running a version of M4 -@@ -149,14 +146,6 @@ +@@ -149,14 +144,6 @@ a define(`PROCMAIL_MAILER_PATH', ...) should be done before FEATURE(`local_procmail'). 
@@ -51,7 +58,7 @@ Note: Some rulesets, features, and options are only useful if the sendmail -@@ -218,19 +207,6 @@ +@@ -218,19 +205,6 @@ directly in the generated .cf file, which however is not advised. @@ -71,7 +78,7 @@ +----------------+ | FILE LOCATIONS | +----------------+ -@@ -339,8 +315,7 @@ +@@ -339,8 +313,7 @@ corresponding queue file types as explained in doc/op/op.me. See also QUEUE GROUP DEFINITIONS. MSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing @@ -81,7 +88,7 @@ STATUS_FILE [/etc/mail/statistics] The file containing status information. LOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. -@@ -370,17 +345,6 @@ +@@ -370,17 +343,6 @@ LOCAL_SHELL_DIR [$z:/] The directory search path in which the shell should run. LOCAL_MAILER_QGRP [undefined] The queue group for the local mailer. @@ -99,7 +106,7 @@ SMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default flags are `mDFMuX' for all SMTP-based mailers; the "esmtp" mailer adds `a'; "smtp8" adds `8'; and -@@ -437,17 +401,6 @@ +@@ -437,17 +399,6 @@ the UUCP mailers and which are converted to MIME will be labeled with this character set. UUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers. @@ -117,7 +124,7 @@ PROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail program. This is also used by FEATURE(`local_procmail'). -@@ -462,60 +415,9 @@ +@@ -462,60 +413,9 @@ PROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that will be accepted by the procmail mailer. PROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer. @@ -178,7 +185,7 @@ LOCAL_PROG_QGRP [undefined] The queue group for the prog mailer. Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: -@@ -633,18 +535,6 @@ +@@ -633,18 +533,6 @@ See the section below describing UUCP mailers in more detail. 
@@ -197,7 +204,7 @@ procmail An interface to procmail (does not come with sendmail). This is designed to be used in mailertables. For example, a common question is "how do I forward all mail for a given -@@ -667,37 +557,6 @@ +@@ -667,37 +555,6 @@ Of course there are other ways to solve this particular problem, e.g., a catch-all entry in a virtusertable. @@ -235,7 +242,7 @@ The local mailer accepts addresses of the form "user+detail", where the "+detail" is not used for mailbox matching but is available to certain local mail programs (in particular, see -@@ -1418,12 +1277,6 @@ +@@ -1420,12 +1277,6 @@ user@site for relaying. This feature changes that behavior. It should not be needed for most installations. @@ -248,7 +255,7 @@ preserve_luser_host Preserve the name of the recipient host if LUSER_RELAY is used. Without this option, the domain part of the -@@ -1460,7 +1313,7 @@ +@@ -1462,7 +1313,7 @@ FEATURE and introduce new settings via DAEMON_OPTIONS(). msp Defines config file for Message Submission Program. 
@@ -257,173 +264,9 @@ to use it. An optional argument can be used to override the default of `[localhost]' to use as host to send all e-mails to. Note that MX records will be used if the -@@ -2475,7 +2256,7 @@ - map entries. This feature allows spammers to abuse your mail server - by specifying a return address that you enabled in your access file. - This may be harder to figure out for spammers, but it should not --be used unless necessary. Instead use SMTP AUTH or STARTTLS to -+be used unless necessary. Instead use STARTTLS to - allow relaying for roaming users. - - -@@ -2943,8 +2724,7 @@ - tokenization. It might be simpler to use a regex map and apply it - to $&{currHeader}. - 2. There are no default rulesets coming with this distribution of --sendmail. You can write your own, can search the WWW for examples, --or take a look at cf/cf/knecht.mc. -+sendmail. You can write your own or search the WWW for examples. - 3. When using a default ruleset for headers, the name of the header - currently being checked can be found in the $&{hdr_name} macro. - -@@ -3701,8 +3386,6 @@ - This list is shown in four columns: the name you define, the default - value for that definition, the option or macro that is affected - (either Ox for an option or Dx for a macro), and a brief description. --Greater detail of the semantics can be found in the Installation --and Operations Guide. - - Some options are likely to be deprecated in future versions -- that is, - the option is only included to provide back-compatibility. These are -@@ -3932,8 +3615,6 @@ - (e.g., :include: file) to be opened. - confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response - to an LMTP LHLO command. --confTO_AUTH Timeout.auth [10m] The timeout waiting for a -- response in an AUTH dialogue. - confTO_STARTTLS Timeout.starttls - [1h] The timeout waiting for a - response to an SMTP STARTTLS command. -@@ -4303,46 +3984,6 @@ - memory-buffered transcript (xf) - file before a disk-based file is - used. 
--confAUTH_MECHANISMS AuthMechanisms [EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 -- CRAM-MD5] List of authentication -- mechanisms for AUTH (separated by -- spaces). The advertised list of -- authentication mechanisms will be the -- intersection of this list and the list -- of available mechanisms as determined -- by the Cyrus SASL library. --confAUTH_REALM AuthRealm [undefined] The authentication realm -- that is passed to the Cyrus SASL -- library. If no realm is specified, -- $j is used. See KNOWNBUGS. --confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains -- authentication information for -- outgoing connections. This file must -- contain the user id, the authorization -- id, the password (plain text), the -- realm to use, and the list of -- mechanisms to try, each on a separate -- line and must be readable by root (or -- the trusted user) only. If no realm -- is specified, $j is used. If no -- mechanisms are given in the file, -- AuthMechanisms is used. Notice: this -- option is deprecated and will be -- removed in future versions; it doesn't -- work for the MSP since it can't read -- the file. Use the authinfo ruleset -- instead. See also the section SMTP -- AUTHENTICATION. --confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' -- then the AUTH= parameter for the -- MAIL FROM command is only issued -- when authentication succeeded. -- See doc/op/op.me for more options -- and details. --confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption -- strength for the security layer in -- SMTP AUTH (SASL). Default is -- essentially unlimited. - confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client - verification is performed, i.e., - the server doesn't ask for a -@@ -4413,7 +4054,7 @@ - [undefined] Defines {daemon_flags} - for direct submissions. - confUSE_MSP UseMSP [undefined] Use as mail submission -- program, see sendmail/SECURITY. -+ program. 
- confDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By - SMTP Service Extension (RFC 2852). - confREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can -@@ -4559,8 +4200,7 @@ - | MESSAGE SUBMISSION PROGRAM | - +----------------------------+ - --The purpose of the message submission program (MSP) is explained --in sendmail/SECURITY. This section contains a list of caveats and -+This section contains a list of caveats and - a few hints how for those who want to tweak the default configuration - for it (which is installed as submit.cf). - -@@ -4575,13 +4215,10 @@ - of the default background mode. - - FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses - to the LOCAL_RELAY instead of the default relay. --- confRAND_FILE if you use STARTTLS and sendmail is not compiled with -- the flag HASURANDOM. - --The MSP performs hostname canonicalization by default. As also --explained in sendmail/SECURITY, mail may end up for various DNS --related reasons in the MSP queue. This problem can be minimized by --using -+The MSP performs hostname canonicalization by default. Mail may end -+up for various DNS related reasons in the MSP queue. This problem -+can be minimized by using - - FEATURE(`nocanonify', `canonify_hosts') - define(`confDIRECT_SUBMISSION_MODIFIERS', `C') -@@ -4597,39 +4234,10 @@ - can cause security problems. - - Other things don't work well with the MSP and require tweaking or --workarounds. 
For example, to allow for client authentication it --is not just sufficient to provide a client certificate and the --corresponding key, but it is also necessary to make the key group --(smmsp) readable and tell sendmail not to complain about that, i.e., -- -- define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') -- --If the MSP should actually use AUTH then the necessary data --should be placed in a map as explained in SMTP AUTHENTICATION: -- --FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') -- --/etc/mail/msp-authinfo should contain an entry like: -- -- AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" -+workarounds. - - The file and the map created by makemap should be owned by smmsp, --its group should be smmsp, and it should have mode 640. The database --used by the MTA for AUTH must have a corresponding entry. --Additionally the MTA must trust this authentication data so the AUTH= --part will be relayed on to the next hop. This can be achieved by --adding the following to your sendmail.mc file: -- -- LOCAL_RULESETS -- SLocal_trust_auth -- R$* $: $&{auth_authen} -- Rsmmsp $# OK -- --Note: the authentication data can leak to local users who invoke --the MSP with debug options or even with -v. For that reason either --an authentication mechanism that does not show the password in the --AUTH dialogue (e.g., DIGEST-MD5) or a different authentication --method like STARTTLS should be used. -+its group should be smmsp, and it should have mode 640. - - feature/msp.m4 defines almost all settings for the MSP. Most of - those should not be changed at all. Some of the features and options ---- sendmail-8.17.2/cf/README 2023-05-31 21:55:42.000000000 +0200 -+++ sendmail-8.17.2/cf/README.new 2023-10-13 18:04:44.902861539 +0200 -@@ -1617,79 +1617,6 @@ - For more information see doc/op/op.me. - +@@ -1624,79 +1475,6 @@ + respectively. For details, see the file and + the OpenSSL documentation. -+-------+ -| HACKS | 
@@ -501,7 +344,26 @@ +--------------------+ | USING UUCP MAILERS | +--------------------+ -@@ -3284,102 +3211,6 @@ +@@ -2484,7 +2262,7 @@ + map entries. This feature allows spammers to abuse your mail server + by specifying a return address that you enabled in your access file. + This may be harder to figure out for spammers, but it should not +-be used unless necessary. Instead use SMTP AUTH or STARTTLS to ++be used unless necessary. Instead use STARTTLS to + allow relaying for roaming users. + + +@@ -2952,8 +2730,7 @@ + tokenization. It might be simpler to use a regex map and apply it + to $&{currHeader}. + 2. There are no default rulesets coming with this distribution of +-sendmail. You can write your own, can search the WWW for examples, +-or take a look at cf/cf/knecht.mc. ++sendmail. You can write your own or search the WWW for examples. + 3. When using a default ruleset for headers, the name of the header + currently being checked can be found in the $&{hdr_name} macro. + +@@ -3291,102 +3068,6 @@ (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}) 
@@ -604,3 +466,137 @@ +--------------------------------+ | ADDING NEW MAILERS OR RULESETS | +--------------------------------+ +@@ -3713,8 +3394,6 @@ + This list is shown in four columns: the name you define, the default + value for that definition, the option or macro that is affected + (either Ox for an option or Dx for a macro), and a brief description. +-Greater detail of the semantics can be found in the Installation +-and Operations Guide. + + Some options are likely to be deprecated in future versions -- that is, + the option is only included to provide back-compatibility. These are +@@ -3944,8 +3623,6 @@ + (e.g., :include: file) to be opened. + confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response + to an LMTP LHLO command. +-confTO_AUTH Timeout.auth [10m] The timeout waiting for a +- response in an AUTH dialogue. + confTO_STARTTLS Timeout.starttls + [1h] The timeout waiting for a + response to an SMTP STARTTLS command. +@@ -4315,46 +3992,6 @@ + memory-buffered transcript (xf) + file before a disk-based file is + used. +-confAUTH_MECHANISMS AuthMechanisms [EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 +- CRAM-MD5] List of authentication +- mechanisms for AUTH (separated by +- spaces). The advertised list of +- authentication mechanisms will be the +- intersection of this list and the list +- of available mechanisms as determined +- by the Cyrus SASL library. +-confAUTH_REALM AuthRealm [undefined] The authentication realm +- that is passed to the Cyrus SASL +- library. If no realm is specified, +- $j is used. See KNOWNBUGS. +-confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains +- authentication information for +- outgoing connections. This file must +- contain the user id, the authorization +- id, the password (plain text), the +- realm to use, and the list of +- mechanisms to try, each on a separate +- line and must be readable by root (or +- the trusted user) only. If no realm +- is specified, $j is used. 
If no +- mechanisms are given in the file, +- AuthMechanisms is used. Notice: this +- option is deprecated and will be +- removed in future versions; it doesn't +- work for the MSP since it can't read +- the file. Use the authinfo ruleset +- instead. See also the section SMTP +- AUTHENTICATION. +-confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' +- then the AUTH= parameter for the +- MAIL FROM command is only issued +- when authentication succeeded. +- See doc/op/op.me for more options +- and details. +-confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption +- strength for the security layer in +- SMTP AUTH (SASL). Default is +- essentially unlimited. + confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client + verification is performed, i.e., + the server doesn't ask for a +@@ -4574,8 +4211,7 @@ + | MESSAGE SUBMISSION PROGRAM | + +----------------------------+ + +-The purpose of the message submission program (MSP) is explained +-in sendmail/SECURITY. This section contains a list of caveats and ++This section contains a list of caveats and + a few hints how for those who want to tweak the default configuration + for it (which is installed as submit.cf). + +@@ -4590,13 +4226,10 @@ + of the default background mode. + - FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses + to the LOCAL_RELAY instead of the default relay. +-- confRAND_FILE if you use STARTTLS and sendmail is not compiled with +- the flag HASURANDOM. + +-The MSP performs hostname canonicalization by default. As also +-explained in sendmail/SECURITY, mail may end up for various DNS +-related reasons in the MSP queue. This problem can be minimized by +-using ++The MSP performs hostname canonicalization by default. Mail may end ++up for various DNS related reasons in the MSP queue. 
This problem ++can be minimized by using + + FEATURE(`nocanonify', `canonify_hosts') + define(`confDIRECT_SUBMISSION_MODIFIERS', `C') +@@ -4612,39 +4245,10 @@ + can cause security problems. + + Other things don't work well with the MSP and require tweaking or +-workarounds. For example, to allow for client authentication it +-is not just sufficient to provide a client certificate and the +-corresponding key, but it is also necessary to make the key group +-(smmsp) readable and tell sendmail not to complain about that, i.e., +- +- define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') +- +-If the MSP should actually use AUTH then the necessary data +-should be placed in a map as explained in SMTP AUTHENTICATION: +- +-FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') +- +-/etc/mail/msp-authinfo should contain an entry like: +- +- AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" ++workarounds. + + The file and the map created by makemap should be owned by smmsp, +-its group should be smmsp, and it should have mode 640. The database +-used by the MTA for AUTH must have a corresponding entry. +-Additionally the MTA must trust this authentication data so the AUTH= +-part will be relayed on to the next hop. This can be achieved by +-adding the following to your sendmail.mc file: +- +- LOCAL_RULESETS +- SLocal_trust_auth +- R$* $: $&{auth_authen} +- Rsmmsp $# OK +- +-Note: the authentication data can leak to local users who invoke +-the MSP with debug options or even with -v. For that reason either +-an authentication mechanism that does not show the password in the +-AUTH dialogue (e.g., DIGEST-MD5) or a different authentication +-method like STARTTLS should be used. ++its group should be smmsp, and it should have mode 640. + + feature/msp.m4 defines almost all settings for the MSP. Most of + those should not be changed at all. Some of the features and options -- Gitblit v1.9.3
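Review bot: The first hunk (@@ -1,7 +1,5 @@) deletes the line "# This patch is Solaris-specific and thus has not been contributed upstream." along with the old 8.17.1 file headers, so README.patch no longer records why the change is carried locally instead of upstream. Only the "---"/"+++" version and timestamp lines needed updating; keep that comment above the new "--- sendmail-8.18.1/cf/README" header, or replace it with one line saying what the upstream status is now.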
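Review bot: The new table-of-contents hunk (@@ -20,8 +18,6 @@) removes both "HACKS" and "SITE CONFIGURATION", but the only body hunk that visibly removes a section (@@ -1624,79 +1475,6 @@) starts at the "| HACKS |" banner, and its 73 deleted lines are not shown on this page, so it cannot be confirmed here that the SITE CONFIGURATION section body is removed as well. Please check that this hunk covers both sections; otherwise the Table of Content and the body of cf/README disagree. The leading context of that hunk also changed from "For more information see doc/op/op.me." to "respectively. For details, see the file and the OpenSSL documentation.", which indicates it was re-based against the 8.18.1 README rather than only renumbered; the same should hold for the remaining hunks.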
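Review bot: The old README.patch was two concatenated diffs (one against sendmail-8.17.1/cf/README, a second against sendmail-8.17.2/cf/README whose "---"/"+++" headers are deleted here), and the hunks at -2475 through -4597 are moved after the HACKS and cipher hunks so that the single 8.18.1 diff is in ascending line order. The hunk bodies themselves are unchanged apart from offsets, so please confirm in the build log that the patch applies to 8.18.1 with zero fuzz. Note that these hunks still strip every mention of SMTP AUTH from the documentation ("Instead use SMTP AUTH or STARTTLS" becomes "Instead use STARTTLS", and the confTO_AUTH, confAUTH_*, authinfo and msp-authinfo text is removed); that is only accurate if this build of sendmail has no SASL support, so if that changed with the 8.18.1 update the AUTH hunks should be dropped rather than carried forward.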
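Review bot: In the last hunk (@@ -4612,39 +4245,10 @@) the kept context line "The file and the map created by makemap should be owned by smmsp," followed by "+its group should be smmsp, and it should have mode 640." now refers to nothing, because the FEATURE(`authinfo', ...) and /etc/mail/msp-authinfo paragraph that introduced that file is deleted just above it. This is inherited from the previous version of the patch, but since the hunk is being reworked anyway, either delete that sentence too or keep the msp-authinfo paragraph it describes.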