sendmail 8.12

Last Update 2002-09-16

Introduction

sendmail 8.12 aims at higher performance and better security.

sendmail 8.12.6 is available (2002-08-26).

Problems and Patches

In some cases the MSP might complain during a queue run about "MX list for ... points back to ...". This can be fixed by a patch for recipient.c.
If you use Cyrus-SASLv2 and DIGEST-MD5 then transferring larger messages will fail unless you apply this patch.
If you use FallbackMXhost and FEATURE(`relay_based_on_MX') together then your system may become an open relay. If you have an older version than 8.12.6 and you use those features then please apply this patch.
If you run 8.12.x (x >= 4) and you use sendmail as client to authenticate against a server using LOGIN, then you need also this patch.
8.12.3 may cause a bus error on some OSs if the environment variable NAME is set. Either upgrade to the latest version or apply this patch.
On HP-UX you may need to add
```
APPENDDEF(`conf_smrsh_ENVDEF', `-DNOT_SENDMAIL')
APPENDDEF(`conf_mail_local_ENVDEF', `-DNOT_SENDMAIL')
```
to devtools/Site/site.config.m4 if you want to compile/use smrsh or mail.local.
On HP-UX 11.11 you may need to reduce the optimization level from +O3 to +O2. Otherwise additional bogus characters may end up in a qf file.
On HP-UX 10.x you may get a compilation error in bf.c. Either upgrade to the latest version or try this patch.

libmilter

If multiple milters replace the body of an e-mail, then the body may become corrupted. Apply this patch (for 8.12.0 - 8.12.3).

New Features

sendmail 8.12 has several new features which are listed in the RELEASE_NOTES. In the following some of them are explained.

Most important of all: sendmail is not set-user-ID root anymore. See sendmail/SECURITY for details.

To deal with broken MTAs it is possible to turn off STARTTLS (and other features) on a per host basis using the tagged entries in the access map. For the server, you can use:

Srv_Features:some.domain flags

where flags can be a (comma or space separated) list of the following characters:

A	Do not offer AUTH
P	Do not offer PIPELINING
S	Do not offer STARTTLS
V	Do not request a client certificate in STARTTLS

Generally upper case characters turn off a feature while lower case characters turn it on.

STARTTLS related

sendmail 8.12 allows more control over the use of STARTTLS. In addition to the features of 8.11, a new tag TLS_Rcpt has been introduced that controls STARTTLS on a per-recipient basis instead of per-host. Furthermore, there can be a list of extensions. Such a list starts with + and the items are separated by ++. Allowed extensions are:

CN:name	name must match ${cn_subject}
CN	${server_name} must match ${cn_subject}
CS:name	name must match ${cert_subject}
CI:name	name must match ${cert_issuer}

Example: e-mail send to secure.example.com should only use an encrypted connection. e-mail received from hosts within the laptop.example.com domain should only be accepted if they have been authenticated. The host which receives e-mail for darth@endmail.org must present a cert that uses the CN smtp.endmail.org.

TLS_Srv:secure.example.com	ENCR:112
TLS_Clt:laptop.example.com	PERM+VERIFY:112
TLS_Rcpt:darth@endmail.org	ENCR:112+CN:smtp.endmail.org

The STARTTLS related part of the Received: header has been changed:

(version=${tls_version} cipher=${cipher} bit=${cipher_bits}  verify=${verify})

AUTH related

If sendmail acts as client, it needs some information how to authenticate against another MTA. This information can be provided by the ruleset authinfo. The authinfo ruleset looks up {server_name} using the tag AuthInfo: in the access map. If no entry is found, {server_addr} is looked up in the same way and finally just the tag AuthInfo: to provide default values.

The RHS for an Auth: entry in the access map should consists of a list of tokens, each of which has the form: "TDstring" (including the quotes). T is a tag which describes the item, D is a delimiter, either ':' for simple text or '=' for a base64 encoded string. Valid values for the tag are:

U user (authorization) id

I authentication id

P password

R realm

M list of mechanisms delimited by spaces

Example entries are:

AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5"
AuthInfo:more.dom "U:user" "P=c2VjcmV0"

User or authentication id must exist as well as the password. All other entries have default values. If one of user or authentication id is missing, the existing value is used for the missing item. Realm defaults to $j and the list of mechanisms to those specified by AuthMechanisms.

Since this map contains sensitive information, either the access map must be unreadable by everyone but root (or the trusted user) or FEATURE(`authinfo') must be used which provides a separate map. Notice: It is not checked whether the map is actually group/world-unreadable, this is left to the user.

Notice: the default configuration file causes the option DefaultAuthInfo to fail since the ruleset authinfo is in the .cf file. If you really want to use DefaultAuthInfo (it is deprecated) then you have to remove the ruleset.

Misc

A first version of a TUNING guide is available. Please send feedback to me.

[(links)] [Hints] [Avoiding UBE] [cf/README] [New]

Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.

U	user (authorization) id
I	authentication id
P	password
R	realm
M	list of mechanisms delimited by spaces