sendmail 8.16.1 available

Claus Aßmann

Jul 5, 2020, 3:34:03 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Proofpoint, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.16.1. This version:

o adds initial support for DANE.
o has many STARTTLS related enhancements.
o improves logging in several situations.

and has several other fixes and enhancements as listed below.

Please send bug reports and general feedback to one of the addresses
listed at: http://www.sendmail.org/email-addresses.html

The version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.16.1.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.16.1.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.16.1.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.16.1.tar.Z.sig

SHA-256 checksums

7886d5dc4b436b86175f32b5b9c7305c80787749847e2909bf99123ecc4e64ba sendmail.8.16.1.tar.gz
c605fdbca2db71839f4fd74e12b17ddc15cf32cdbb5bd3869036fd993f4c174d sendmail.8.16.1.tar.gz.sig
f8ba92541f809ac46f87fe831eb42ec974d8d72366cee9ef6b85a08df820a11c sendmail.8.16.1.tar.Z
619c65aed314345f8adbb49c7f821a467672ded6dcca5a7778200a4e54af7ea5 sendmail.8.16.1.tar.Z.sig

You either need the first two files or the third and fourth,
i.e., the gzip'ed version or the compressed version and the
corresponding sig file. The PGP signature was created using
the Sendmail Signing Key/2020, available on the web site
(http://www.sendmail.com/sm/open_source/download/) or on
the public key servers (keyid ).

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.


SENDMAIL RELEASE NOTES


This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.16.1/8.16.1 2020/07/XX
    SECURITY: If sendmail tried to reuse an SMTP session which had
        already been closed by the server, then the connection
        cache could have invalid information about the session.
        One possible consequence was that STARTTLS was not
        used even if offered. This problem has been fixed
        by clearing out all relevant status information
        when a closed session is encountered.
    OpenSSL versions before 0.9.8 are no longer supported.
    OpenSSL version 1.1.0 and 1.1.1 are supported.
    Initial support for DANE (see RFC 7672 et al.) is available if
        the compile time option DANE is set. Only TLSA RR 3-1-x
        is currently implemented.
    New options SSLEngine and SSLEnginePath to support OpenSSL engines.
        Note: this feature has so far only been tested with the
        "chil" engine; please report problems with other engines
        if you encounter any.
    New option CRLPath to specify a directory which contains
        hashes pointing to certificate revocation files.
        Based on patch from Al Smith.
    New rulesets tls_srv_features and tls_clt_features which
        can return a (semicolon separated) list of TLS related
        options, e.g., CipherList, CertFile, KeyFile,
        see doc/op/op.me for details.
    To automatically handle TLS interoperability problems for outgoing
        mail, sendmail can now immediately try a connection again
        without STARTTLS after a TLS handshake failure.
        This can be configured globally via the option
        TLSFallbacktoClear or per session via the 'C' flag
        of tls_clt_features.
        This also adds the new value "CLEAR" for the macro
        {verify}: STARTTLS has been disabled internally for
        a clear text delivery attempt.
    Apply Timeout.starttls also to the server waiting for the TLS
        handshake to begin. Based on patch from Simon Hradecky.
    New compile time option TLS_EC to enable the use of elliptic
        curve cryptography in STARTTLS (previously available as
        _FFR_TLS_EC).
    Handle MIME boundaries specified in headers which contain CRLF.
    Fix detection of loopback net (it was broken when compiled
        with NETINET6) and only set the macros {if_addr_out}
        and {if_family_out} if the interface of the outgoing
        connection does not belong to the loopback net.
    Fix logic to enable a milter to delete a recipient in
        DeliveryMode=interactive even if it might be subject
        to alias expansion.
    Log name of a milter making changes (this was missing for
        some functions).
    Log the actual reply of a server when an SMTP delivery problem
        occurs in a "reply=" field if possible.
    Log user= for failed AUTH attempts if possible. Based on
        patch from Packet Hack, Jim Hranicky, Kevin A. McGrail,
        and Joe Quinn.
    Add CDB as map type. Note: CDB is a "Constant DataBase", i.e.,
        no changes can be made after it is created, hence it
        does not work with vacation(1) nor editmap(8) (except
        for query mode).
    Fix some memory leaks (mostly in error cases) and properly handle
        copied varargs in sm_io_vfprintf(). The issues were found
        using Coverity Scan and reported (including patches) by
        Ondřej Lysoněk of Red Hat.
    Do not override ServerSSLOptions and ClientSSLOptions when they
        are specified on the command line. Based on patch from
        Hiroki Sato.
    Add RFC7505 Null MX support for domains that declare they do not
        accept mail.
    New compile time option LDAP_NETWORK_TIMEOUT which is set
        automatically when LDAPMAP is used and
        LDAP_OPT_NETWORK_TIMEOUT is available to enable the
        new -c option for LDAP maps to specify the network timeout.
    CONFIG: New FEATURE(`tls_session_features') to enable standard
        rules for tls_srv_features and tls_clt_features; for
        details see cf/README.
    CONFIG: New options confSSL_ENGINE and confSSL_ENGINE_PATH
        for SSLEngine and SSLEnginePath, respectively.
    CONFIG: New option confDANE to enable DANE support.
    CONFIG: New option confTLS_FALLBACK_TO_CLEAR for TLSFallbacktoClear.
    CONFIG: New extension CITag: for TLS restrictions, see cf/README
        for details.
    CONTRIB: cidrexpand updated to support IPv6 CIDR ranges and to
        canonicalize IPv6 addresses; if cidrexpand is used with IPv6
        addresses then UseCompressedIPv6Addresses must be disabled.
    DOC: The dns map can return multiple values in a single result
        if the -z option is used.
    DOC: Note to set MustQuoteChars=. due to DKIM signatures.
    LIBMILTER: Fix typo in a macro. Patch from Ignacio Goyret
        of Alcatel-Lucent.
    LIBMILTER: Fix reference in xxfi_negotiate documentation.
        Patch from Sven Neuhaus.
    LIBMILTER: Fix function name in smfi_addrcpt_par documentation.
        Patch from G.W. Haywood.
    LIBMILTER: Fix a potential memory leak in smfi_setsymlist().
        Patch from Martin Svec.
    MAKEMAP: New map type "implicit" refers to the first available type,
        i.e., it depends on the compile time options NEWDB, DBM,
        and CDB. This can be used in conjunction with the
        "implicit" map type in sendmail.cf.
        Note: makemap, libsmdb, and sendmail must be compiled
        with the same options (and library versions of course).
    Portability:
        Add support for Darwin 14-18 (Mac OS X 10.x).
        New option HAS_GETHOSTBYNAME2: set if your system
            supports gethostbyname2(2).
        Set SM_CONF_SEM=2 for FreeBSD 12 and later due to
            changes in sys/sem.h
        On Linux set MAXHOSTNAMELEN (the maximum length
            of a FQHN) to 256 if it is less than that value.
    Added Files:
        cf/feature/tls_failures.m4
        devtools/OS/Darwin.14.x
        devtools/OS/Darwin.15.x
        devtools/OS/Darwin.16.x
        libsmdb/smcdb.c
        sendmail/ratectrl.h

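
Added example, not part of the original post and not sendmail's code: the release notes above state that only TLSA RR 3-1-x is implemented, i.e. certificate usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and any matching type (0 = full, 1 = SHA-256, 2 = SHA-512, per RFC 6698). The Python code below classifies a published TLSA RRset against a server's public key so an operator can see which records fall inside that subset; the function names, the sample key bytes and the sample records are constructed for illustration.

```python
import hashlib

# RFC 6698 matching types: how association data is derived from the
# selected certificate content (here the SubjectPublicKeyInfo).
MATCHING = {
    0: lambda spki: spki,                           # Full: exact bytes
    1: lambda spki: hashlib.sha256(spki).digest(),  # SHA-256
    2: lambda spki: hashlib.sha512(spki).digest(),  # SHA-512
}

def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, mtype and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    # Zone files may split the hex data into whitespace-separated chunks.
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def check_rrset(rrset, spki_der):
    """Return [(rdata, verdict)]; verdict is match/mismatch/unsupported."""
    results = []
    for rdata in rrset:
        usage, selector, mtype, assoc = parse_tlsa(rdata)
        # Only DANE-EE(3) + SPKI(1) with a known matching type is usable.
        if (usage, selector) != (3, 1) or mtype not in MATCHING:
            results.append((rdata, "unsupported"))
        elif MATCHING[mtype](spki_der) == assoc:
            results.append((rdata, "match"))
        else:
            results.append((rdata, "mismatch"))
    return results

def dane_verified(rrset, spki_der):
    """True if at least one usable 3-1-x record matches the server key."""
    return any(verdict == "match" for _, verdict in check_rrset(rrset, spki_der))

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo (not a real key).
SAMPLE_SPKI = b"constructed-spki-der-bytes-for-illustration"

# Constructed RRset for a hypothetical MX host.
SAMPLE_RRSET = [
    "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest(),  # usable, matches
    "3 1 2 " + "00" * 64,                                # usable, wrong digest
    "2 0 1 " + "ab" * 32,                                # DANE-TA: not 3-1-x
    "3 0 1 " + "cd" * 32,                                # full-cert selector
]

if __name__ == "__main__":
    for rdata, verdict in check_rrset(SAMPLE_RRSET, SAMPLE_SPKI):
        print(f"{verdict:11} {rdata[:24]}...")
```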

AMM

Jul 5, 2020, 11:58:57 PM
On Sunday, July 5, 2020 at 1:04:03 PM UTC+5:30, Claus Aßmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Proofpoint, Inc., and the Sendmail Consortium announce the availability
> of sendmail 8.16.1. This version:
>
> o adds initial support for DANE.
> o has many STARTTLS related enhancements.
> o improves logging in several situations.
>

To compile DANE support, do I need to put -D DANE in confENVDEF or is it enough to put it in conf_sendmail_ENVDEF?

Also is _FFR_AUTH_FAIL_LOG_USER now built by default? (seems so from RELEASE NOTES but just wanted to make sure)

Thank you for finally releasing a new stable version!! It has been ages!! Hope that there will be quick releases now.

I am a sendmail fan since 1998 and didn't want to switch over to postfix.

Regards

Claus Aßmann

Jul 6, 2020, 12:24:18 AM
AMM wrote:

> To compile DANE support, do I need to put -D DANE in confENVDEF or is it enough to put
> it in conf_sendmail_ENVDEF?

The latter.

General hint about conf_*_: this could be checked by something like
grep -w DANE */*.[ch] inc*/*/*.h | fgrep -v sendmail/

> Also is _FFR_AUTH_FAIL_LOG_USER now built by default? (seems so from RELEASE NOTES but

Yes.
fgrep -RI _FFR_AUTH_FAIL_LOG_USER .
should show no match.


--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

AMM

Jul 6, 2020, 1:59:23 AM
On Monday, July 6, 2020 at 9:54:18 AM UTC+5:30, Claus Aßmann wrote:
> AMM wrote:
>
> > To compile DANE support, do I need to put -D DANE in confENVDEF or is it enough to put
> > it in conf_sendmail_ENVDEF?
>
> The latter.
>

Thank you for your prompt reply.

Just FYI, putting -DDANE in confENVDEF gave this error. Not sure why? I thought it would make no difference (as if not present)

In file included from debug.c:11:
../../sendmail/sendmail.h:1650:3: error: unknown type name ‘dane_tlsa_P’
1650 | dane_tlsa_P sv_tlsa; /* pointer to TLSA RRs */

But putting it in conf_sendmail_ENVDEF compiled fine.

(Arch Linux)

Here is the working site.config.m4:
define(`confSTDIO_TYPE', `portable')
define(`confGBINGRP', `25')
define(`confMSPQOWN', `150')
define(`confINCGRP', `root')
define(`confLIBGRP', `root')
define(`confMANGRP', `root')
define(`confMANOWN', `root')
define(`confMBINGRP', `root')
define(`confSBINGRP', `root')
define(`confUBINGRP', `root')
define(`confUBINOWN', `root')
define(`confEBINDIR', `/usr/bin')
define(`confMBINDIR', `/usr/bin')
define(`confSBINDIR', `/usr/bin')
define(`confMANROOT', `/usr/share/man/man')
APPENDDEF(`confENVDEF', `-DNETINET6 -DHAS_GETHOSTBYNAME2 -D_FFR_MILTER_CHECK_REJECTIONS_TOO')
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -DSASL=2 -DDANE -DTLS_EC=2 -D_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto -lresolv -lsasl2')

Claus Aßmann

Jul 6, 2020, 3:08:33 AM
AMM wrote:

> Just FYI, putting -DDANE in confENVDEF gave this error. Not sure why? I thought it

> In file included from debug.c:11:
> ../../sendmail/sendmail.h:1650:3: error: unknown type name ‘dane_tlsa_P’
> 1650 | dane_tlsa_P sv_tlsa; /* pointer to TLSA RRs */

Because DANE requires STARTTLS to be defined. That was not checked
in sendmail.h but somewhere else (conf.c) -- this will be fixed in
the next version. Thanks for the information.
