Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#13776 closed enhancement (fixed)


Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:


New minor version.

Change History (6)

comment:1 by Douglas R. Reno, 2 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 2 years ago

Priority: normalhigh
8.16.1/8.16.1  2020/07/05
   SECURITY: If sendmail tried to reuse an SMTP session which had
      already been closed by the server, then the connection
      cache could have invalid information about the session.
      One possible consequence was that STARTTLS was not
      used even if offered.  This problem has been fixed
      by clearing out all relevant status information
      when a closed session is encountered.
   OpenSSL versions before 0.9.8 are no longer supported.
   OpenSSL version 1.1.0 and 1.1.1 are supported.
   Initial support for DANE (see RFC 7672 is available if
      the compile time option DANE is set.  Only TLSA RR 3-1-x
      is currently implemented.
   New options SSLEngine and SSLEnginePath to support OpenSSL engines.
      Note: this feature has so far only been tested with the
      "chil" engine; please report problems with other engines
      if you encounter any.
   New option CRLPath to specify a directory which contains
      hashes pointing to certificate revocations files.
      Based on patch from Al Smith.
   New rulesets tls_srv_features and tls_clt_features which
      can return a (semicolon separated) list of TLS related
      options, e.g., CipherList, CertFile, KeyFile,
      see doc/op/ for details.
   To automatically handle TLS interoperability problems for outgoing
      mail, sendmail can now immediately try a connection again
      without STARTTLS after a TLS handshake failure.
      This can be configured globally via the option
      TLSFallbacktoClear or per session via the 'C' flag
      of tls_clt_features.
      This also adds the new value "CLEAR" for the macro
      {verify}: STARTTLS has been disabled internally for
      a clear text delivery attempt.
   Apply Timeout.starttls also to the server waiting for the TLS
      handshake to begin.  Based on patch from Simon Hradecky.
   New compile time option TLS_EC to enable the use of elliptic
      curve cryptography in STARTTLS (previously available as
   Handle MIME boundaries specified in headers which contain CRLF.
   Fix detection of loopback net (it was broken when compiled
      with NETINET6) and only set the macros {if_addr_out}
      and {if_family_out} if the interface of the outgoing
      connection does not belong to the loopback net.
   Fix logic to enable a milter to delete a recipient in
      DeliveryMode=interactive even if it might be subject
      to alias expansion.
   Log name of a milter making changes (this was missing for
      some functions).
   Log the actual reply of a server when an SMTP delivery problem
      occurs in a "reply=" field if possible.
   Log user= for failed AUTH attempts if possible.  Based on
      patch from Packet Hack, Jim Hranicky, Kevin A. McGrail,
      and Joe Quinn.
   Add CDB as map type. Note: CDB is a "Constant DataBase", i.e.,
      no changes can be made after it is created, hence it
      does not work with vacation(1) nor editmap(8) (except
      for query mode).
   Fix some memory leaks (mostly in error cases) and properly handle
      copied varargs in sm_io_vfprintf(). The issues were found
      using Coverity Scan and reported (including patches) by
      OndÅ<99>ej LysonÄ<9b>k of Red Hat.
   Do not override ServerSSLOptions and ClientSSLOptions when they
      are specified on the command line.  Based on patch from
      Hiroki Sato.
   Add RFC7505 Null MX support for domains that declare they do not
      accept mail.
   New compile time option LDAP_NETWORK_TIMEOUT which is set
      automatically when LDAPMAP is used and
      LDAP_OPT_NETWORK_TIMEOUT is available to enable the
      new -c option for LDAP maps to specify the network timeout.
   CONFIG: New FEATURE(`tls_session_features') to enable standard
      rules for tls_srv_features and tls_clt_features; for
      details see cf/README.
   CONFIG: New options confSSL_ENGINE and confSSL_ENGINE_PATH
      for SSLEngine and SSLEnginePath, respectively.
   CONFIG: New options confDANE to enable DANE support.
   CONFIG: New option confTLS_FALLBACK_TO_CLEAR for TLSFallbacktoClear.
   CONFIG: New extension CITag: for TLS restrictions, see cf/README
      for details.
   CONFIG: FEATURE(`blacklist_recipients') renamed to
   CONTRIB: cidrexpand updated to support IPv6 CIDR ranges and to
      canonicalize IPv6 addresses; if cidrexpand is used with IPv6
      addresses then UseCompressedIPv6Addresses must be disabled.
   DOC: The dns map can return multiple values in a single result
      if the -z option is used.
   DOC: Note to set MustQuoteChars=. due to DKIM signatures.
   LIBMILTER: Fix typo in a macro. Patch from Ignacio Goyret
      of Alcatel-Lucent.
   LIBMILTER: Fix reference in xxfi_negotiate documentation.
      Patch from Sven Neuhaus.
   LIBMILTER: Fix function name in smfi_addrcpt_par documentation.
      Patch from G.W. Haywood.
   LIBMILTER: Fix a potential memory leak in smfi_setsymlist().
      Patch from Martin Svec.
   MAKEMAP: New map type "implicit" refers to the first available type,
      i.e., it depends on the compile time options NEWDB, DBM,
      and CDB. This can be used in conjunction with the
      "implicit" map type in
      Note: makemap, libsmdb, and sendmail must be compiled
      with the same options (and library versions of course).
      Add support for Darwin 14-18 (Mac OS X 10.x).
      New option HAS_GETHOSTBYNAME2: set if your system
      supports gethostbyname2(2).
      Set SM_CONF_SEM=2 for FreeBSD 12 and later due to
      changes in sys/sem.h
      On Linux set MAXHOSTNAMELEN (the maximum length
      of a FQHN) to 256 if it is less than that value.
   Added Files:

comment:3 by Douglas R. Reno, 2 years ago

If you're doing a DESTDIR install, e.g. to check for new installed files, you'll need to create $DEST/usr/{bin,sbin,share/man/man{1,5,8}} before installation

The OpenSSL patch is no longer required and can be removed.

comment:4 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r23369

comment:5 by Bruce Dubbs, 2 years ago

Milestone: 9.210,0

Milestone renamed

comment:6 by Bruce Dubbs, 2 years ago

Milestone: 10,010.0

Milestone renamed

Note: See TracTickets for help on using tickets.