- Update to version sendmail 8.18.1 2024/01/31
* sendmail is now stricter in following the RFCs and rejects
some invalid input with respect to line endings
and pipelining:
- Prevent transaction stuffing by ensuring SMTP clients
wait for the HELO/EHLO and DATA response before sending
further SMTP commands. This can be disabled using
the new srv_features option 'F'. Issue reported by
Yepeng Pan and Christian Rossow from CISPA Helmholtz
Center for Information Security.
- Accept only CRLF . CRLF as end of an SMTP message
as required by the RFCs, which can disabled by the
new srv_features option 'O'.
- Do not accept a CR or LF except in the combination
CRLF (as required by the RFCs). These checks can
be disabled by the new srv_features options
'U' and 'G', respectively. In this case it is
suggested to use 'u2' and 'g2' instead so the server
replaces offending bare CR or bare LF with a space.
It is recommended to only turn these protections off
for trusted networks due to the potential for abuse.
* Full DANE support is available if OpenSSL versions 1.1.1 or 3.x
are used, i.e., TLSA RR 2-x-y and 3-x-y are supported
as required by RFC 7672.
* OpenSSL version 3.0.x is supported. Note: OpenSSL 3 loads by
default an openssl.cnf file from a location specified
in the library which may cause unwanted behaviour
in sendmail. Hence sendmail sets the environment
variable OPENSSL_CONF to /etc/mail/sendmail.ossl
to override the default. The file name can be
OBS-URL: https://build.opensuse.org/request/show/1144171
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sendmail?expand=0&rev=122
- Correct permisson files path to /usr/share/permissions/permissions.d/ (boo#1219339)
- Fix file provides of openssl and timeout
- Avoid error messages of chkstat as this tools does not
accept slashes at the end of directory paths!
- Move sendmails permissions files to /usr/share/permissions/
- Work on certificates usage of smart and relay host
- Work on certificates for running sendmail
OBS-URL: https://build.opensuse.org/request/show/1142755
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sendmail?expand=0&rev=121
- Update to pre version sendmail 8.17.2
* Make sure DANE checks (if enabled) are performed even if
CACertPath or CACertFile are not set or unusable.
* Note: if the code to set up TLS in the client fails, then
{verify} will be set to TEMP but DANE requirements
will be ignored, i.e., by default mail will be sent
without STARTTLS. This can be changed via a
LOCAL_TLS_SERVER ruleset.
* Pass server name to clt_features ruleset instead of client
name to account for limitations in macro availability
described below in CONFIG section. This may break
custom clt_features rulesets which expect to receive
the client name as input.
* Fix a regression introduced in 8.17.1: aliases file which
contain continuation lines caused parsing errors.
* Add an FFR (for future release) compile time option _FFR_LOG_STAGE
to log the protocol stage as stage= for some errors during
delivery attempts to make troubleshooting simpler. This
new logging may be enabled in a future release.
* When EAI is enabled, milters also got the arguments of MAIL/RCPT
commands in argv[0] for xxfi_envfrom()/xxfi_envrcpt()
callbacks instead of just the mail address.
Problem reported by Dilyan Palauzo.
* When EAI is enabled, mailq prints UTF-8 addresses as such
if SMTPUTF8 was used.
* When EAI is enabled, the $h macro is now in the correct format.
Previously this could cause wrong values for relay=
in log entries and the mailer argument vector.
* When the compile time option USE_EAI is enabled, vacation could
fail to respond when it should. Problem reported by
OBS-URL: https://build.opensuse.org/request/show/1094805
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sendmail?expand=0&rev=119
- Do not start sendmail-client as user mail as this one is not
allowed to check port smtp aka 25
- Fix sm-client.pre script as ports are not only numbers but
also alias names
- Rework system service unit files
* sendmail-client now use user and group mail which requires
* /etc/mail/system/ becomes readable by all users e.g. mail
* sendmail now uses -bD to avoid a fork, this requires Type=exec
- Various bug fixes
- Require user and group mail for post and verify scriptlets
- Add a %ghost for /run/sendmail whic his created by
tmpfile systemd configuration of sendmail
- Own /var/spool/mail (boo#1179574)
- Avoid older alias.db
- Avoid that sendmail can not write its pid file
- Allow sendmail and its helper like maildrop and procmail
to write into the users mail folder
OBS-URL: https://build.opensuse.org/request/show/1008186
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sendmail?expand=0&rev=112
- Re-add 'sysvinit(network)' build dependency
- Use %set_permissions on path /var/spool/clientmqueue/ as well (boo#1187809)
- Update to pre version sendmail 8.17.1 (8.17.0.3)
* Deprecation notice: due to compatibility problems with some
third party code, we plan to finally switch from K&R
to ANSI C. If you are using sendmail on a system
which does not have a compiler for ANSI C contact us
with details as soon as possible so we can determine
how to proceed.
* Experimental support for SMTPUTF8 (EAI, see RFC 6530-6533)
is available when using the compile time option USE_EAI
(see also devtools/Site/site.config.m4.sample for other
required settings) and the cf option SMTPUTF8.
If a mail submission via the command line requires
the use of SMTPUTF8, e.g., because a header uses UTF-8
encoding, but the addresses on the command line are all
ASCII, then the new option -U must be used, and
the cf option SMTPUTF8 must be set in submit.cf.
Please test and provide feedback.
* Experimental support for SMTP MTA Strict Transport Security
(MTA-STS, see RFC 8461) is available when using
- the compile time option _FFR_MTA_STS (which requires
STARTTLS, MAP_REGEX, SOCKETMAP, and _FFR_TLS_ALTNAMES),
- FEATURE(sts), which implicitly sets the cf option
StrictTransportSecurity,
- postfix-mta-sts-resolver, see
https://github.com/Snawoot/postfix-mta-sts-resolver.git
* New ruleset check_other which is called for all unknown SMTP
OBS-URL: https://build.opensuse.org/request/show/903383
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sendmail?expand=0&rev=107
