
sendmail snapshot 8.18.0.2


Claus Aßmann

Dec 19, 2023, 12:56:24 PM
sendmail snapshot 8.18.0.2 is available for testing. It offers the
new srv_features option 'o' to require CR LF . CR LF as end of an
SMTP message and fixes parsing of UTF8 addresses when
SMTPUTF8 BODY=7BIT are used as parameters for the MAIL command.

SHA256 (sendmail.8.18.0.2.tar.gz) = b8f64c67f94dc6ff0f65498636f8f90b794e58ded15a05650a98115167b60773
SHA256 (sendmail.8.18.0.2.tar.gz.sig) = 95c3f2845f0d099d6e2d4662f73a0e1afe83f028b69e3c62a9fdf12bbdaccdec

Available at:
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz.sig

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
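
What requiring CR LF . CR LF as the end of a message means in practice, as an added example (not sendmail's code): a scanner that finds the first strict terminator in a received DATA stream and counts earlier lone-dot lines delimited by a bare CR or LF. `scan_eod`, `struct eod_scan` and the sample message are constructed for illustration, and the whole stream is assumed to be in one buffer.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample of the bytes after DATA: one dot-line ended with bare
 * LF, then the real CR LF . CR LF terminator. Not taken from the thread. */
static const char SAMPLE[] =
    "Subject: test\r\n\r\nline one\n.\nline two\r\n.\r\n";

struct eod_scan {
    long strict_end;  /* offset just past first CR LF . CR LF, or -1 */
    int lenient_hits; /* earlier lone-dot lines delimited by bare CR/LF */
};

/* Scan a complete DATA stream (assumption: the whole message is in buf). */
struct eod_scan scan_eod(const unsigned char *buf, size_t n)
{
    struct eod_scan r = { -1, 0 };

    for (size_t i = 0; i < n; i++) {
        int pre_strict, post_strict;
        if (buf[i] != '.')
            continue;
        /* The dot must start a line: start of data, CR LF, or bare CR/LF. */
        if (i == 0 || (i >= 2 && buf[i - 2] == '\r' && buf[i - 1] == '\n'))
            pre_strict = 1;
        else if (buf[i - 1] == '\n' || buf[i - 1] == '\r')
            pre_strict = 0;
        else
            continue;
        /* The dot must also be the only character on that line. */
        if (i + 2 < n && buf[i + 1] == '\r' && buf[i + 2] == '\n')
            post_strict = 1;
        else if (i + 1 < n && (buf[i + 1] == '\n' || buf[i + 1] == '\r'))
            post_strict = 0;
        else
            continue;
        if (pre_strict && post_strict) {
            r.strict_end = (long)(i + 3);
            return r;
        }
        r.lenient_hits++; /* only a lenient receiver ends the message here */
    }
    return r;
}

int main(void)
{
    struct eod_scan r = scan_eod((const unsigned char *)SAMPLE, sizeof SAMPLE - 1);
    printf("strict end: %ld, lenient dot-lines: %d\n", r.strict_end, r.lenient_hits);
    return 0;
}
```

A non-zero `lenient_hits` marks a message on which a strict and a lenient receiver would disagree about where it ends.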

Alex H

Dec 19, 2023, 1:25:21 PM
FYI - not sure you want to add a check against OpenSSL 3.2.0 and disable DANE, or let us remove DANE for the time being until this is fixed. Plus, a few deprecations here and there.

cc -M -I. -I../../include -DNEWDB -DNETINET6 -DIPV6_FULL -DNEWDB -DSTARTTLS -DDANE -DSASL=2 -DTCPWRAPPERS -DNIS -DMAP_REGEX -DSOCKETMAP -DTLS_EC -DUSE_EAI -DDNSSEC_TEST -D_FFR_TLS_ALTNAMES -D_FFR_MTA_STS -DMILTER main.c alias.c arpadate.c bf.c collect.c conf.c control.c convtime.c daemon.c deliver.c domain.c envelope.c err.c headers.c macro.c map.c mci.c milter.c mime.c parseaddr.c queue.c ratectrl.c readcf.c recipient.c sasl.c savemail.c sched.c sfsasl.c shmticklib.c sm_resolve.c srvrsmtp.c stab.c stats.c sysexits.c timers.c tlsh.c tls.c trace.c udb.c usersmtp.c util.c version.c >> Makefile
tls.c:33:4: error: #error OpenSSL 3.2.0 has a bug related to DANE
33 | # error OpenSSL 3.2.0 has a bug related to DANE
| ^~~~~
tls.c:34:4: error: #error see https:
34 | # error see https://github.com/openssl/openssl/pull/22821
| ^~~~~
make[1]: *** [Makefile:403: depend] Error 1

cc -O2 -fPIC -DDANE -I. -I../../include -DNEWDB -DNETINET6 -DIPV6_FULL -DNEWDB -DSTARTTLS -DDANE -DSASL=2 -DTCPWRAPPERS -DNIS -DMAP_REGEX -DSOCKETMAP -DTLS_EC -DUSE_EAI -DDNSSEC_TEST -D_FFR_TLS_ALTNAMES -D_FFR_MTA_STS -DMILTER -c -o readcf.o readcf.c
readcf.c:2821:24: warning: RES_AAONLY is deprecated
2821 | { "aaonly", RES_AAONLY },
| ^~~~~~~~~~~~~~~~~~~~~~~
readcf.c:2823:20: warning: RES_PRIMARY is deprecated
2823 | { "primary", RES_PRIMARY },
| ^~~~~~~~~~~~~~~~~~~~~~~

cc -O2 -fPIC -DDANE -I. -I../../include -DNEWDB -DNETINET6 -DIPV6_FULL -DNEWDB -DSTARTTLS -DDANE -DSASL=2 -DTCPWRAPPERS -DNIS -DMAP_REGEX -DSOCKETMAP -DTLS_EC -DUSE_EAI -DDNSSEC_TEST -D_FFR_TLS_ALTNAMES -D_FFR_MTA_STS -DMILTER -c -o tls.o tls.c
tls.c:33:4: error: #error OpenSSL 3.2.0 has a bug related to DANE
33 | # error OpenSSL 3.2.0 has a bug related to DANE
| ^~~~~
tls.c:34:4: error: #error see https:
34 | # error see https://github.com/openssl/openssl/pull/22821
| ^~~~~
tls.c: In function ‘get_dh512’:
tls.c:114:9: warning: ‘DH_new’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
114 | if ((dh = DH_new()) == NULL)
| ^~
In file included from /usr/include/openssl/dsa.h:31,
from /usr/include/openssl/x509.h:37,
from /usr/include/openssl/ssl.h:32,
from ./sendmail.h:43,
from tls.c:11:
/usr/include/openssl/dh.h:206:27: note: declared here
206 | OSSL_DEPRECATEDIN_3_0 DH *DH_new(void);
| ^~~~~~
tls.c:119:9: warning: ‘DH_set0_pqg’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
119 | if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
| ^~
/usr/include/openssl/dh.h:262:27: note: declared here
262 | OSSL_DEPRECATEDIN_3_0 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
| ^~~~~~~~~~~
tls.c:120:17: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
120 | DH_free(dh);
| ^~~~~~~
/usr/include/openssl/dh.h:207:28: note: declared here
207 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
| ^~~~~~~
tls.c: In function ‘get_dh2048’:
tls.c:184:9: warning: ‘DH_new’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
184 | if ((dh=DH_new()) == NULL)
| ^~
/usr/include/openssl/dh.h:206:27: note: declared here
206 | OSSL_DEPRECATEDIN_3_0 DH *DH_new(void);
| ^~~~~~
tls.c:189:9: warning: ‘DH_set0_pqg’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
189 | if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
| ^~
/usr/include/openssl/dh.h:262:27: note: declared here
262 | OSSL_DEPRECATEDIN_3_0 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
| ^~~~~~~~~~~
tls.c:190:17: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
190 | DH_free(dh);
| ^~~~~~~
/usr/include/openssl/dh.h:207:28: note: declared here
207 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
| ^~~~~~~
tls.c: In function ‘inittls’:
tls.c:1400:33: warning: ‘PEM_read_bio_DHparams’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1400 | dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
| ^~
In file included from /usr/include/openssl/ssl.h:37:
/usr/include/openssl/pem.h:473:1: note: declared here
473 | DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DHparams, DH)
| ^~~~~~~~~~~~~~~~~~~
tls.c:1441:25: warning: ‘DSA_new’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1441 | dsa = DSA_new();
| ^~~
/usr/include/openssl/dsa.h:130:28: note: declared here
130 | OSSL_DEPRECATEDIN_3_0 DSA *DSA_new(void);
| ^~~~~~~
tls.c:1444:33: warning: ‘DSA_generate_parameters_ex’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1444 | r = DSA_generate_parameters_ex(dsa, bits, NULL,
| ^
/usr/include/openssl/dsa.h:172:27: note: declared here
172 | OSSL_DEPRECATEDIN_3_0 int DSA_generate_parameters_ex(DSA *dsa, int bits,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
tls.c:1447:41: warning: ‘DSA_dup_DH’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1447 | dh = DSA_dup_DH(dsa);
| ^~
/usr/include/openssl/dsa.h:203:27: note: declared here
203 | OSSL_DEPRECATEDIN_3_0 DH *DSA_dup_DH(const DSA *r);
| ^~~~~~~~~~
tls.c:1455:25: warning: ‘DSA_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1455 | DSA_free(dsa);
| ^~~~~~~~
/usr/include/openssl/dsa.h:132:28: note: declared here
132 | OSSL_DEPRECATEDIN_3_0 void DSA_free(DSA *r);
| ^~~~~~~~
tls.c:1493:43: warning: ‘DH_size’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1493 | who, 8 * DH_size(dh), *dhparam);
| ^~~
/usr/include/openssl/dh.h:210:27: note: declared here
210 | OSSL_DEPRECATEDIN_3_0 int DH_size(const DH *dh);
| ^~~~~~~
tls.c:1494:25: warning: ‘DH_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1494 | DH_free(dh);
| ^~~~~~~
/usr/include/openssl/dh.h:207:28: note: declared here
207 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
| ^~~~~~~
tls.c:1501:17: warning: ‘EC_KEY_new_by_curve_name’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1501 | ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
| ^~~~
In file included from /usr/include/openssl/x509.h:33:
/usr/include/openssl/ec.h:1017:31: note: declared here
1017 | OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
| ^~~~~~~~~~~~~~~~~~~~~~~~
tls.c:1506:25: warning: ‘EC_KEY_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1506 | EC_KEY_free(ecdh);
| ^~~~~~~~~~~
/usr/include/openssl/ec.h:1022:28: note: declared here
1022 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
| ^~~~~~~~~~~
tls.c: In function ‘tlslogerr’:
tls.c:2917:9: warning: ‘ERR_get_error_line_data’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
2917 | while ((l = MTA_SSL_ERR_get((const char **) &file, &line,
| ^~~~~
In file included from tls.c:16:
/usr/include/openssl/err.h:425:15: note: declared here
425 | unsigned long ERR_get_error_line_data(const char **file, int *line,
| ^~~~~~~~~~~~~~~~~~~~~~~
tls.c: In function ‘TLS_set_engine’:
tls.c:3010:9: warning: ‘ENGINE_load_builtin_engines’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3010 | ENGINE_load_builtin_engines();
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from tls.c:22:
/usr/include/openssl/engine.h:358:28: note: declared here
358 | OSSL_DEPRECATEDIN_3_0 void ENGINE_load_builtin_engines(void);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
tls.c:3014:17: warning: ‘ENGINE_by_id’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3014 | if ((e = ENGINE_by_id("dynamic")) == NULL)
| ^~
/usr/include/openssl/engine.h:336:31: note: declared here
336 | OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
| ^~~~~~~~~~~~
tls.c:3024:17: warning: ‘ENGINE_ctrl_cmd_string’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3024 | if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", enginepath, 0))
| ^~
/usr/include/openssl/engine.h:479:5: note: declared here
479 | int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
| ^~~~~~~~~~~~~~~~~~~~~~
tls.c:3033:17: warning: ‘ENGINE_ctrl_cmd_string’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3033 | if (!ENGINE_ctrl_cmd_string(e, "ID", id, 0))
| ^~
/usr/include/openssl/engine.h:479:5: note: declared here
479 | int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
| ^~~~~~~~~~~~~~~~~~~~~~
tls.c:3041:17: warning: ‘ENGINE_ctrl_cmd_string’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3041 | if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
| ^~
/usr/include/openssl/engine.h:479:5: note: declared here
479 | int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
| ^~~~~~~~~~~~~~~~~~~~~~
tls.c:3049:9: warning: ‘ENGINE_by_id’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3049 | else if ((e = ENGINE_by_id(id)) == NULL)
| ^~~~
/usr/include/openssl/engine.h:336:31: note: declared here
336 | OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
| ^~~~~~~~~~~~
tls.c:3057:9: warning: ‘ENGINE_init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3057 | if (!ENGINE_init(e))
| ^~
/usr/include/openssl/engine.h:620:27: note: declared here
620 | OSSL_DEPRECATEDIN_3_0 int ENGINE_init(ENGINE *e);
| ^~~~~~~~~~~
tls.c:3063:9: warning: ‘ENGINE_set_default’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3063 | if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
| ^~
/usr/include/openssl/engine.h:708:27: note: declared here
708 | OSSL_DEPRECATEDIN_3_0 int ENGINE_set_default(ENGINE *e, unsigned int flags);
| ^~~~~~~~~~~~~~~~~~
tls.c:3072:17: warning: ‘ENGINE_ctrl’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3072 | ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
| ^~~~~~~~~~~
/usr/include/openssl/engine.h:429:27: note: declared here
429 | OSSL_DEPRECATEDIN_3_0 int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p,
| ^~~~~~~~~~~
tls.c:3076:9: warning: ‘ENGINE_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3076 | ENGINE_free(e);
| ^~~~~~~~~~~
/usr/include/openssl/engine.h:493:27: note: declared here
493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
| ^~~~~~~~~~~
tls.c:3085:17: warning: ‘ENGINE_free’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
3085 | ENGINE_free(e);
| ^~~~~~~~~~~
/usr/include/openssl/engine.h:493:27: note: declared here
493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
| ^~~~~~~~~~~
make[1]: *** [<builtin>: tls.o] Error 1
make[1]: Leaving directory '/tmp/sendmail-8.18.0.2/obj.Linux.6.1.66.x86_64/sendmail'

cc -O2 -I. -I../../sendmail -I../../include -DNETINET6 -DIPV6_FULL -DNEWDB -DSTARTTLS -DDANE -DSASL=2 -DTCPWRAPPERS -DNIS -DMAP_REGEX -DSOCKETMAP -DTLS_EC -DUSE_EAI -DDNSSEC_TEST -D_FFR_TLS_ALTNAMES -D_FFR_MTA_STS -DNOT_SENDMAIL -Dsm_snprintf=snprintf -DMILTER -D_REENTRANT -DXP_MT -c -o listener.o listener.c
listener.c: In function ‘mi_thread_handle_wrapper’:
listener.c:579:16: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
579 | return (void *) mi_handle_session(arg);
| ^

Alex H

Dec 19, 2023, 1:40:59 PM
... or maybe add this to the Known bugs and/or to the Release notes files. While I see you reported this DANE bug to the OpenSSL team, there is no mention about this version limitation on sendmail supporting files. Since it looks like they put the fix into the master tree, guess I'll be downloading the current OpenSSL tree and praying nothing else gets broken - assuming I can compile sendmail with the -master version and it passes your version check.

Claus Aßmann

Dec 20, 2023, 11:16:35 AM
Alex H wrote:
> FYI - not sure you want to add a check against OpenSSL 3.2.0 and disable
> DANE, or let us remove DANE for the time being until this is fixed.

Just use OpenSSL 3.0.x instead for DANE support until OpenSSL fixes
their stuff (1 committer + 3 reviewers - and still such a common error).

> DH_new is deprecated: Since OpenSSL 3.0

-DNO_DH

> 2917 | while ((l = MTA_SSL_ERR_get((const char **) &file, &line,

Try
-DHAVE_ERR_get_error_all
?

> 3010 | ENGINE_load_builtin_engines();

-DUSE_OPENSSL_ENGINE=0
or
-DOPENSSL_NO_ENGINE

Claus Aßmann

Dec 20, 2023, 12:36:03 PM
Alex H wrote:
> ... or maybe add this to the Known bugs and/or to the Release notes

8.18.1/8.18.1 202X/XX/XX
OpenSSL version 3.0.x is supported. Note: OpenSSL 3 loads by
...

Neither OpenSSL 3.1 nor 3.2 are mentioned as supported (yet),
which means they may or may not work...

> is no mention about this version limitation on sendmail supporting

Nobody reads the documentation... but a compilation error
is hard to ignore :-)

HQuest

Dec 21, 2023, 8:46:58 AM
Well, I'm the exception then since I usually read it (had my hand slapped by you once), and while I see where you are coming from official vs unofficial support, the Release notes are slightly confusing:

8.18.1/8.18.1 202X/XX/XX
Full DANE support is available if OpenSSL versions 1.1.1 or 3.x
are used
OpenSSL version 3.0.x is supported.

If DANE support is provided via OpenSSL 3.x (!= 3.0.x), I would think 3.2 would too be supported - even though the line below says version 3.0.x is supported and with the fact previous versions up to 8.18.0.Alpha3 did compile against OpenSSL 3.2 with no errors (just the usual DH deprecation warnings). I suppose this error via the DANE bug you reported was added just in time for this snapshot. Anyhow, thanks to the magic of containers, I managed to get OpenSSL v3.3.0-dev deployed, compiled 8.18.0.2 against it, and during the first 24h, things look absolutely fine so far. However, I'm just a small fish so surely large-scale tests are necessary. Appreciate all you do, and happy holiday season.

Claus Aßmann

Dec 21, 2023, 9:11:34 AM
Alex H wrote:
> Plus, a few deprecations here and there.

Which configuration options do you use for OpenSSL 3.2?
I'm trying to reproduce this locally.

HQuest

Dec 21, 2023, 9:35:45 AM
OpenSSL 3.2 settings are the default ones from Slackware -current. Pat builds it as of below. I reused it with the git clone of yesterday's 3.3.0-dev tree.

/config
--prefix=/usr
--openssldir=/etc/ssl
zlib
enable-camellia
enable-seed
enable-rfc3779
enable-cms
enable-md2
enable-rc5
enable-ssl3
enable-ssl3-method
no-weak-ssl-ciphers
no-mdc2
no-ec2m
no-sm2
no-sm4
no-sse2
shared

On the sendmail side, my site.config.m4 looks like

APPENDDEF(`confMAPDEF', `-DNEWDB')
APPENDDEF(`confLIBS', `-lnsl -lssl -lcrypto -lsasl2 -lwrap -lm -ldb -lresolv -licuuc -licui18n -licudata')
APPENDDEF(`conf_libmilter_ENVDEF', `-DMILTER')
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`confENVDEF', `-DNETINET6 -DIPV6_FULL -DNEWDB -DSTARTTLS -DDANE -DSASL=2 -DTCPWRAPPERS -DNIS -DMAP_REGEX -DSOCKETMAP -DTLS_EC -DUSE_EAI -DDNSSEC_TEST -D_FFR_TLS_ALTNAMES -D_FFR_MTA_STS')dnl

Jan Sørensen

Jan 5, 2024, 5:16:48 AM

> > DH_new is deprecated: Since OpenSSL 3.0
> -DNO_DH

It gives me

conf.c:6040:4: error: #error "NO_DH disables TLS_EC"
6040 | # error "NO_DH disables TLS_EC"

Claus Aßmann

Jan 5, 2024, 11:54:06 AM
You use -DTLS_EC, right?
Currently the code for TLS_EC is not independent of the DH code,
so you have to use DH + EC or neither -- until someone writes
a patch to "separate" those two features...