
From: jericho@dimensional.com
Date: Thu, 26 Mar 1998 21:38:14 -0700 (MST)
To: InfoSec News <isn@sekurity.org>
Subject: [ISN] sendmail 8.9.0.Beta3 available for testing 



[Moderator: I am including the full text of the release for a few reasons.
 Eric Allman has done a lot of work on this release to make Sendmail more
 spam resistant, or give the admin the ability to make it that way. He
 has added a better default setup, and (finally :) taken care of some
 legacy file read problems. If you currently have problems with spam, or
 security concerns with sendmail, I encourage you to read through the
 following announcement.]

-----BEGIN PGP SIGNED MESSAGE-----

I am pleased to announce the availability of sendmail 8.9.0.Beta3
for testing.  Access information follows:

  FTP://ftp.sendmail.org/pub/sendmail/sendmail.8.9.0.Beta3.tar.gz
  MD5 = b2abb360dc6ea591b8522eaec1c81722 (sendmail.8.9.0.Beta3.tar.gz)
  MD5 = e427bcf84570837bc119916015981a8c (sendmail.8.9.0.Beta3.tar)

The focus of this release is on spam control.  Major changes include:

  * SMTP relaying is turned off by default.
  * SMTP Messages are rejected by default if the sender domain cannot
    be resolved.
  * Messages can be rejected on the basis of the contents of headers.
  * A new Build script that works in all directories for compiling.
  * More security checks on files being opened.

People who have included anti-spam rulesets in their configurations
will probably have to remove or modify their old rules.  In particular,
the check_* rulesets are defined by default.  Also, people who use
SMTP relaying (e.g., for PC mailers) will have to configure sendmail
to allow relaying as needed in their domain.  I realize this will be
painful for many, but it seems necessary to avoid spam.  This is just
another example of how spammers hurt us all.  Lastly, the checks on
file modes have been tightened up considerably -- for example, by
default sendmail will refuse to read .forward files that are group
writable or are in group writable directories.  This behaviour can be
turned down using the DontBlameSendmail option.  Refer to the README
file in the distribution for more information.

The complete release notes are attached.

Please note that there is a new sendmail signing key for 1998.  It
is available on the public key servers, and should be signed by the
1997 key as well as many individuals.

As usual, please send bug reports and comments to sendmail@Sendmail.ORG.

eric

- ----------------------------------------------------------------------

	SECURITY: To prevent users from reading files not normally
		readable, sendmail will no longer open forward, :include:,
		sendmail.cf, class, ErrorHeader, or HelpFile files located
		in unsafe (i.e. group or world writable) directory paths.
		Sites which need the ability to override security can use
		the DontBlameSendmail option.  See the README file for
		more information.
	SECURITY: Problems can occur on poorly managed systems, specifically,
		if maps or alias files are in world writable directories.
		This fixes the change added to 8.8.6 to prevent links in these
		world writable directories.
	SECURITY: Make sure ServiceSwitchFile option file is not a link if
		it is in a world writable directory.
	SECURITY: Never pass a tty to a mailer -- if a mailer can get at the
		tty it may be able to push bytes back to the senders input.
		Unfortunately this breaks -v mode.  Problem noted by
		Wietse Venema of the Global Security Analysis Lab at
		IBM T.J. Watson Research.
	SECURITY: Empty group list if DontInitGroups is set to true to
		prevent program deliveries from picking up extra group
		privileges.  Problem reported by Wolfgang Ley of DFN-CERT.
	SECURITY: The default value for DefaultUser is now set to the
		uid and gid of the first existing user mailnull, nobody,
		or daemon.  If none of these three exist, sendmail reverts
		back to the old behavior of using uid 1 and gid 1.  This
		is a security problem for Linux which has chosen that uid
		and gid for user bin instead of daemon.  If DefaultUser is
		set in the configuration file, that value overrides this
		default.
	Add support for Berkeley DB 2.X.  Based on patch from John Kennedy
		of Cal State University, Chico.
	Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB).  Users
		who previously defined OLD_NEWDB=1 must now upgrade to the
		current version of Berkeley DB.
	Added support for regular expressions using the new map class regex.
		From Jan Krueger of Unix-AG of University of Hannover.
	Support for BIND 8.1.1's hesiod for hesiod maps and hesiod
		UserDatabases from Randall Winchester of the University
		of Maryland.
	Allow any shell for user shell on program deliveries on V1
		configurations for backwards compatibility on machines which
		do not have getusershell().  Fix from John Beck of Sun
		Microsystems.
	On operating systems which change the process title by reusing the
		argument vector memory, sendmail could corrupt memory if the
		last argument was either "-q" or "-d".  Problem noted by
		Frank Langbein of the University of Stuttgart.
	Support Local Mail Transfer Protocol (LMTP) between sendmail and
		mail.local on the F=z flag.
	Macro-expand the contents of the ErrMsgFile.  Previously this was
		only done if you had magic characters (0x81) to indicate
		macro expansion.  Now $x will be expanded.  This means that
		real dollar signs have to be backslash escaped.
	TCP Wrappers expects "unknown" in the hostname argument if the
		reverse DNS lookup for the incoming connection fails.
		Problem noted by Randy Grimshaw of Syracuse University and
		Wietse Venema of the Global Security Analysis Lab at
		IBM T.J. Watson Research.
	DSN success bounces generated from an invocation of sendmail -t
		would be sent to both the sender and MAILER-DAEMON.
		Problem noted by Claus Assmann of
		Christian-Albrechts-University of Kiel.
	Avoid "Error 0" messages on delivery mailers which exit with a
		valid exit value such as EX_NOPERM.  Fix from Andreas Luik
		of ISA Informationssysteme GmbH.
	Tokenize $&x expansions on right hand side of rules.  This eliminates
		the need to use tricks like $(dequote "" $&{client_name} $)
		to cause the ${client_name} macro to be properly tokenized.
	Add the MaxRecipientsPerMessage option: this limits the number of
		recipients that will be accepted in a single SMTP
		transaction.  After this number is reached, sendmail
		starts returning "452 Too many recipients" to all RCPT
		commands.  This can be used to limit the number of recipients
		per envelope (in particular, to discourage use of the server
		for spamming).  Note: a better approach is to restrict
		relaying entirely.
	Fixed pointer initialization for LDAP lmap struct, fixed -s option
		to ldapx map and added timeout for ldap_open call to
		avoid hanging sendmail in the event of hung LDAP servers.
		Patch from Booker Bense of Stanford University.
	Allow multiple -qI, -qR, or -qS queue run limiters.  For example,
		'-qRfoo -qRbar' would deliver mail to recipients with foo or
		bar in their address.  Patch from Allan E Johannesen of
		Worcester Polytechnic Institute.
	The bestmx map will now return a list of the MX servers for a host if
		passed a column delimiter via the -z map flag.  This can be
		used to check if the server is an MX server for the recipient
		of a message.  This can be used to help prevent relaying.
		Patch from Mitchell Blank Jr of Exec-PC.
	Mark failures for the *file* mailer and return bounce messages to the
		sender for those failures.
	Prevent bogus syslog timestamps on errors in sendmail.cf by
		preserving the TZ environment variable until TimeZoneSpec
		has been determined.  Problem noted by Ralf Hildebrandt of
		Technical University of Braunschweig.  Patch from Per Hedeland
		of Ericsson.
	Print test input in address test mode when input is not from the tty
		when the -v flag is given (i.e. sendmail -bt -v) to make
		output easier to decipher.  Problem noted by Aidan Nichol
		of Procter & Gamble.
	The LDAP map -s flag was not properly parsed and the error message
		given included the remainder of the arguments instead of
		solely the argument in error.  Problem noted by Aidan Nichol
		of Procter & Gamble.
	New DontBlameSendmail option.  This option allows administrators to
		bypass some of sendmail's file security checks at the expense
		of system security.  This should only be used if you are
		absolutely sure you know the consequences.  The available
		DontBlameSendmail options are:
			safe
			assumesafechown
			classfileinunsafedirpath
			errorheaderinunsafedirpath
			groupwritabledirpathsafe
			groupwritableforwardfilesafe
			groupwritableincludefilesafe
			groupwritablealiasfile
			helpfileinunsafedirpath
			worldwritablealiasfile
			forwardfileingroupwritabledirpath
			includefileingroupwritabledirpath
			forwardfileinunsafedirpath
			includefileinunsafedirpath
			forwardfileinunsafedirpathsafe
			includefileinunsafedirpathsafe
			mapinunsafedirpath
			linkedaliasfileinwritabledir
			linkedclassfileinwritabledir
			linkedforwardfileinwritabledir
			linkedincludefileinwritabledir
			linkedmapinwritabledir
			linkedserviceswitchfileinwritabledir
			filedeliverytohardlink
			filedeliverytosymlink
			writemaptohardlink
			writemaptosymlink
			writestatstohardlink
			writestatstosymlink
	New DontProbeInterfaces option to turn off the inclusion of all the
		interface names in $=w on startup.  In particular, if you
		have lots of virtual interfaces, this option will speed up
		startup.  However, unless you make other arrangements, mail
		sent to those addresses will be bounced.
	Automatically create alias databases if they don't exist and
		AutoRebuildAliases is set.
	Add PrivacyOptions=noetrn flag to disable the ETRN command.
		Suggested by Christophe Wolfhugel of the Institut Pasteur.
	When determining the client host name ($&{client_name} macro), do
		a forward (A) DNS lookup on the result of the PTR lookup
		and compare results.  If they differ or if the PTR lookup
		fails, $&{client_name} will contain the IP address
		surrounded by square brackets (e.g. [127.0.0.1]).
	New map flag: -Tx appends "x" to lookups that return temporary failure
		(i.e, it is like -ax for the temporary failure case, in
		contrast to the success case).
	New syntax to do limited checking of header syntax.  A config line
		of the form:
			HHeader: $>Ruleset
		causes the indicated Ruleset to be invoked on the Header
		when read.  This ruleset works like the check_* rulesets --
		that is, it can reject mail on the basis of the contents.
	Limit the size of the HELO/EHLO parameter to prevent spammers
		from hiding their connection information in Received:
		headers.
	When SingleThreadDelivery is active, deliveries to locked hosts
		are skipped.  This will cause the delivering process to
		try the next MX host or queue the message if no other MX
		hosts are available.  Suggested by Alexander Litvin.
	The [FILE] mailer type now delivers to the file specified in the
		A= equate of the mailer definition instead of $u.  It also
		obeys all of the F= mailer flags such as the MIME
		7/8 bit conversion flags.  This is useful for defining
		a mailer which delivers to the same file regardless of the
		recipient (e.g. 'A=FILE /dev/null' to discard unwanted mail).
	Do not assume the identity of a remote connection is root@localhost
		if the remote connection closes the socket before the
		remote identity can be queried.
	Change semantics of the F=S mailer flag back to 8.7.5 behavior.
		Some mailers, including procmail, require that the real
		uid is left unchanged by sendmail.  Problem noted by Per
		Hedeland of Ericsson.
	No longer is the src/obj*/Makefile selected from a large list -- it
		is now generated using the information in BuildTools/OS/ --
		some of the details are determined dynamically via
		BuildTools/bin/configure.sh.
	The other programs in the sendmail distribution -- mail.local,
		mailstats, makemap, praliases, rmail, and smrsh -- now use
		the new Build method which creates an operating system
		specific Makefile using the information in BuildTools.
	Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e.,
		a failure on one message won't affect future messages to the
		same host).  This is necessary if the remote host sends
		a 451 error if the domain of the sender does not resolve
		as is common in anti-spam configurations.  Problem noted
		by Mitchell Blank Jr of Exec-PC.
	New "discard" mailer for check_* rulesets and header checking
		rulesets.  If one of the above rulesets resolves to the
		$#discard mailer, the commands will be accepted but the
		message will be completely discarded after it is accepted.
		This means that even if only one of the recipients
		resolves to the $#discard mailer, none of the recipients
		will receive the mail.  Suggested by Brian Kantor.
	All but the last cloned envelope of a split envelope were queued
		instead of being delivered.  Problem noted by John Caruso
		of CNET: The Computer Network.
	Syslog an error if a user forward file could not be read due to
		an error.  Patch from John Beck of Sun Microsystems.
	Use the first name returned on machine lookups when canonifying a
		hostname via NetInfo.  Patch from Timm Wetzel of GWDG.
	Clear the $&{client_addr}, $&{client_name}, and $&{client_port}
		macros when delivering a bounce message to prevent
		rejection by a check_compat ruleset which uses these macros.
		Problem noted by Jens Hamisch of AgiX Internetservices GmbH.
	If the check_relay ruleset resolves to the error mailer, the
		error in the $: portion of the resolved triplet is used
		in the rejection message given to the remote machine.
		Suggested by Scott Gifford of The Internet Ramp.
	Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros
		before calling the check_relay ruleset.  Suggested by Scott
		Gifford of The Internet Ramp.
	Sendmail would get a segmentation fault if a mailer exited with an
		exit code of 79.  Problem noted by Aaron Schrab of ExecPC
		Internet.  Fix from Christophe Wolfhugel of the Pasteur
		Institute.
	Separate snprintf/vsnprintf routines into separate file for use by
		mail.local.
	Allow multiple map lookups on right hand side, e.g.,
		R$*	$( host $1 $) $| $( passwd $1 $).  Patch from
		Christophe Wolfhugel of the Pasteur Institute.
	Properly generate success DSN messages if requested for aliases
		which have owner- aliases.  Problem noted by Kari Hurtta
		of the Finnish Meteorological Institute.
	Properly display delayed-expansion macros ($&{macroname}) in
		address test mode (-bt).  Problem noted by Bryan Costales
		of InfoBeat, Inc.
	-qR could sometimes match names incorrectly.  Problem noted by
		Lutz Euler of Lavielle EDV Systemberatung GmbH & Co.
	Include a magic number and version in the StatusFile for the
		mailstats command.
	Record the number of rejected messages in the StatusFile for
		display by the mailstats command.  Patch from Randall
		Winchester of the University of Maryland.
	Portability:
		AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura
			of Kyoto University.
		AIX 4.2 requires <userpw.h> before <usersec.h>.  Patch from
			Randall S. Winchester of the University of
			Maryland.
		AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS.
		Digital UNIX now uses statvfs for determining free
			disk space.  Patch from Randall S. Winchester of
			the University of Maryland.
		HP-UX 11.x from Richard Allen of Opin Kerfi HF.
		IRIX 64 bit fixes from Kari Hurtta of the Finnish
			Meteorological Institute.
		IRIX 6.2 configuration fix for mail.local from Michael Kyle
			of CIC/Advanced Computing Laboratory.
		QNX from Glen McCready <glen@qnx.com>.
		SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links
			to sendmail.  Install with group bin instead of kmem
			as kmem does not exist.  From Guillermo Freige of
			Gobernacion de la Pcia de Buenos Aires and Paul
			Fischer of BTG, Inc.
		SunOS 4.X does not include bcopy().  Patch from
			Per Hedeland of Ericsson.
		SunOS 5.7 includes getloadavg() function for determining
			load average.  Patch from John Beck of Sun
			Microsystems.
	CONFIG: add DATABASE_MAP_TYPE to set the default type of database
		map for the various maps.  The default is hash.  Patch from
		Robert Harker of Harker Systems.
	CONFIG: new confEBINDIR m4 variable for defining the executable
		directory for certain programs.
	CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for
		local mail delivery.  By default, /usr/libexec/mail.local
		is used.  This is expected to be the mail.local shipped
		with 8.9 which is LMTP capable.  The path is based on the
		new confEBINDIR m4 variable.
	CONFIG: Use confEBINDIR in determining path to smrsh for
		FEATURE(smrsh).  Note that this changes the default from
		/usr/local/etc/smrsh to /usr/libexec/smrsh.  To obtain the
		old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh).
	CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to
		include $z/.forward.$w+$h and $z/.forward+$h which allow
		the user to setup different .forward files for
		user+detail addressing.
	CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES,
		and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage,
		DontProbeInterfaces, and DontBlameSendmail options.
	CONFIG: by default do not allow relaying (that is, accepting mail
		from outside your domain and sending it to another host
		outside your domain).
	CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from
		any site to any site.
	CONFIG: new FEATURE(relay_entire_domain) allows any host in your
		domain as defined by the 'm' class ($=m) to relay.
	CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on
		the MX records of the host portion of an incoming recipient.
	CONFIG: new FEATURE(access_db) which turns on the access database
		feature.  This database gives you the ability to allow
		or refuse to accept mail from specified domains for
		administrative reasons.  By default, names that are listed
		as "OK" in the access db are domain names, not host names.
	CONFIG: new confCR_FILE m4 variable for defining the name of the file
		used for class 'R'.  Defaults to /etc/mail/relay-domains.
	CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file)
		to add items to class 'R' ($=R) for hosts allowed to relay.
	CONFIG: new FEATURE(relay_hosts_only) to change the behavior
		of FEATURE(access_db) and class 'R' to lookup individual
		host names only.
	CONFIG: new FEATURE(blacklist_recipients) turns on the ability to
		block incoming mail destined for certain recipient
		usernames, hostnames, or addresses.
	CONFIG: By default, MAIL FROM: commands in the SMTP session will be
		refused if the host part of the argument to MAIL FROM: cannot
		be located in the host name service (e.g., DNS).
	CONFIG: new FEATURE(accept_unresolvable_domains) accepts
		unresolvable hostnames in MAIL FROM: SMTP commands.
	CONFIG: new FEATURE(accept_unqualified_senders) accepts
		MAIL FROM: senders which do not include a domain.
	CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the
		Realtime Blackhole List.  You can specify the RBL name
		server to contact by specifying it as an optional argument.
		The default is rbl.maps.vix.com.  For details, see
		http://maps.vix.com/rbl/.
	CONFIG: Call Local_check_relay, Local_check_mail, and
		Local_check_rcpt from check_relay, check_mail, and
		check_rcpt.  Users with local rulesets should place the
		rules using LOCAL_RULESETS.  If a Local_check_* ruleset
		returns OK, the message is accepted.  If the ruleset
		returns a mailer, the appropriate action is taken, else
		the return of the ruleset is ignored.
	CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by
		default to support file, :include:, and program deliveries.
	CONFIG: Remove the default for confDEF_USER_ID so the binary can
		pick the proper default value.  See the SECURITY note
		above for more information.
	MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout.  This
		SMTP-like protocol allows detailed reporting of delivery
		status on a per-user basis.  Code donated by John Myers of
		CMU (now of Netscape).
	MAIL.LOCAL: HP-UX support from Randall S. Winchester of the
		University of Maryland.  NOTE: mail.local is not
		compatible with the stock HP-UX mail format.  Be sure to
		read mail.local/README.
	MAIL.LOCAL: Prevent other mail delivery agents from stealing a
		mailbox lock.  Patch from Randall S. Winchester of the
		University of Maryland.
	MAIL.LOCAL: glibc portability from John Kennedy of Cal State
		University, Chico.
	MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish
		Meteorological Institute.
	MAILSTATS: Display the number of rejected messages in the
		StatusFile.  Patch from Randall Winchester of the
		University of Maryland.
	MAKEMAP: New -s flag to ignore safety checks on database map files
		such as linked files in world writable directories.
	MAKEMAP: Add support for Berkeley DB 2.X.  Remove OLD_NEWDB support.
	PRALIASES: Add support for Berkeley DB 2.X.
	RMAIL: Improve portability for other platforms.  Patches from
		Randall S. Winchester of the University of Maryland and
		Kari Hurtta of the Finnish Meteorological Institute.
	Changed Files:
		src/Makefiles/Makefile.* files have been modified to use
			the new build mechanism and are now BuildTools/OS/*.
		src/makesendmail changed to symbolic link to src/Build.
	New Files:
		BuildTools/M4/header.m4
		BuildTools/M4/depend/BSD.m4
		BuildTools/M4/depend/CC-M.m4
		BuildTools/M4/depend/NCR.m4
		BuildTools/M4/depend/Solaris.m4
		BuildTools/M4/depend/generic.m4
		BuildTools/OS/AIX.4.2
		BuildTools/OS/AIX.4.x
		BuildTools/OS/HP-UX.11.x
		BuildTools/OS/NeXT.4.x
		BuildTools/OS/NetBSD.8.3
		BuildTools/OS/QNX
		BuildTools/OS/SunOS.5.7
		BuildTools/README
		BuildTools/bin/Build
		BuildTools/bin/configure.sh
		BuildTools/bin/find_m4.sh
		BuildTools/bin/install.sh
		Makefile
		cf/cf/Build
		cf/cf/obj/generic-hpux10.cf
		cf/feature/accept_unqualified_senders.m4
		cf/feature/accept_unresolvable_domains.m4
		cf/feature/access_db.m4
		cf/feature/blacklist_recipients.m4
		cf/feature/local_lmtp.m4
		cf/feature/promiscuous_relay.m4
		cf/feature/rbl.m4
		cf/feature/relay_based_on_MX.m4
		cf/feature/relay_entire_domain.m4
		cf/feature/relay_hosts_only.m4
		cf/ostype/qnx.m4
		contrib/doublebounce.pl
		mail.local/Build
		mail.local/Makefile.m4
		mail.local/README
		mailstats/Build
		mailstats/Makefile.m4
		makemap/Build
		makemap/Makefile.m4
		praliases/Build
		praliases/Makefile.m4
		rmail/Build
		rmail/Makefile.m4
		rmail/rmail.0
		smrsh/Build
		smrsh/Makefile.m4
		src/Build
		src/Makefile.m4
		src/snprintf.c
	Deleted Files:
		mail.local/Makefile
		mail.local/Makefile.dist
		mailstats/Makefile
		mailstats/Makefile.dist
		makemap/Makefile
		makemap/Makefile.dist
		praliases/Makefile
		praliases/Makefile.dist
		rmail/Makefile
		smrsh/Makefile
		smrsh/Makefile.dist
		src/Makefile
		src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2)
		src/Makefiles/Makefile.Utah (obsolete platform)
	Renamed Files:
		READ_ME => README
		cf/cf/Makefile => Makefile.BSD
		cf/cf/Makefile.dist => Makefile
		src/READ_ME => src/README

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNQ6LbCPkYtS/e6QhAQF04AP/edkcGAqYuLM0EkSWxP+5bsS497/GxuMn
xG8rHbOzgEyd3F0cMXI+SfVm4+RMCoiapAAOJ3Y9L9zt+k3cjcwwKZH02J9CFzdD
edhJOxfLYgNX6VztGjZCIOFimgWFLERLYwn1ldYIypiNRKcUIv0YGdXQNbrX9aDo
jAK817ejo8M=
=0etY
-----END PGP SIGNATURE-----

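The default SMTP policy that the announcement and the CONFIG notes describe (relaying off, unresolvable sender domains refused, MaxRecipientsPerMessage, and a forward-confirmed ${client_name}) can be modelled in a few lines so the interaction between the pieces is visible. The following is an added example written for this page, not code from sendmail or from the release above; the DNS records, domain classes, addresses and most reply texts are constructed for the example (only the 451 and 452 replies are taken from the notes), and the logic is a simplification of the real check_mail / check_rcpt rulesets, not a reimplementation of them.

```python
"""Simplified model of the default SMTP policy sendmail 8.9 introduces.
Added example for this page, not sendmail code: all DNS data, domains,
addresses and reply texts are constructed; the reply codes are illustrative
except for the 451 and 452 replies quoted in the release notes."""

# Constructed DNS view.  PTR maps a client address to a name; A maps a name
# to an address.  198.51.100.7 claims a partner name whose A record points
# elsewhere, i.e. a forged reverse mapping.
PTR = {
    "192.0.2.10": "mx.partner.example",
    "192.0.2.20": "ws1.example.com",
    "198.51.100.7": "mail.partner.example",
}
A = {
    "mx.partner.example": "192.0.2.10",
    "ws1.example.com": "192.0.2.20",
    "mail.partner.example": "203.0.113.9",
    "example.com": "192.0.2.1",
    "partner.example": "192.0.2.10",
}

LOCAL_DOMAINS = {"example.com"}      # class m: domains this host delivers for
RELAY_DOMAINS = {"partner.example"}  # class R: /etc/mail/relay-domains
MAX_RCPTS = 3                        # MaxRecipientsPerMessage


def client_name(addr):
    """${client_name} as 8.9 computes it: PTR lookup, then an A lookup on the
    result; on mismatch or a missing PTR the bracketed literal is used."""
    name = PTR.get(addr)
    if name is None or A.get(name) != addr:
        return "[%s]" % addr
    return name


def _in_domain(name, domains):
    """Domain match (not host-only, as without FEATURE(relay_hosts_only)).
    A bracketed literal never matches a domain."""
    if name.startswith("["):
        return False
    return any(name == d or name.endswith("." + d) for d in domains)


def check_mail(sender):
    """MAIL FROM policy: <> is always accepted; otherwise the sender domain
    must be present and resolvable (neither accept_unqualified_senders nor
    accept_unresolvable_domains is enabled)."""
    if sender == "":
        return "250 ok"
    if "@" not in sender:
        return "553 sender domain required"
    domain = sender.rsplit("@", 1)[1].lower()
    if domain not in A:
        return "451 domain of sender address does not resolve"
    return "250 ok"


def check_rcpt(client_addr, rcpt, accepted_so_far):
    """RCPT TO policy: once the cap is reached every RCPT gets 452; local
    recipients are accepted; anything else is a relay and needs a client
    whose confirmed name lies in class m or class R."""
    if accepted_so_far >= MAX_RCPTS:
        return "452 Too many recipients"
    if "@" not in rcpt:
        return "553 recipient domain required"
    rcpt_domain = rcpt.rsplit("@", 1)[1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return "250 ok"
    name = client_name(client_addr)
    if _in_domain(name, LOCAL_DOMAINS | RELAY_DOMAINS):
        return "250 ok"
    return "550 relaying denied"


def smtp_session(client_addr, sender, rcpts):
    """Run one envelope through the policy; return the reply to MAIL FROM
    followed by the reply to each RCPT TO."""
    replies = [check_mail(sender)]
    if not replies[0].startswith("250"):
        return replies
    accepted = 0
    for r in rcpts:
        reply = check_rcpt(client_addr, r, accepted)
        replies.append(reply)
        if reply.startswith("250"):
            accepted += 1
    return replies


if __name__ == "__main__":
    # An unknown host, a host with a forged PTR, and a genuine partner host,
    # each trying to relay to a third party through us.
    for addr in ("203.0.113.50", "198.51.100.7", "192.0.2.10"):
        print(addr, client_name(addr),
              smtp_session(addr, "ann@partner.example", ["x@elsewhere.example"]))
```

The forged PTR case is the reason the forward lookup in the notes matters: without the A-record confirmation, 198.51.100.7 would present as mail.partner.example and be allowed to relay under relay_entire_domain or a class R entry for partner.example.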
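The tightened file checks (refusing .forward, :include:, class and similar files that are group or world writable, that sit in a group or world writable directory path, or that are links in a writable directory) are the change most likely to surprise an upgrading site. The checker below is an added example written for this page, not sendmail's own safefile/safedirpath code: it walks every component of a path and reports what would trip the 8.9 defaults, and it only reports, so an admin can see which DontBlameSendmail flag they would be reaching for before deciding whether to weaken anything. The demo tree and modes are constructed.

```python
"""Report path components that sendmail 8.9's file-safety rules would refuse.
Added example for this page, not sendmail's own code; the rule set is the
one summarised in the release notes (no group/world writable components,
no links in writable directories), not a line-for-line port of safefile()."""
import os
import stat


def unsafe_components(path):
    """Return (component, reason) pairs for each element of `path` that the
    8.9 defaults would reject; an empty list means the path is safe."""
    problems = []
    path = os.path.abspath(path)
    current = os.sep
    # Walk from the root down so the first offending directory is listed first.
    for part in path.split(os.sep)[1:]:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            problems.append((current, "missing"))
            break
        if stat.S_ISLNK(st.st_mode):
            parent = os.lstat(os.path.dirname(current))
            if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append((current, "link in writable directory"))
            try:
                st = os.stat(current)      # check the target's mode, not lrwxrwxrwx
            except FileNotFoundError:
                problems.append((current, "dangling link"))
                break
        if st.st_mode & stat.S_IWOTH:
            problems.append((current, "world writable"))
        elif st.st_mode & stat.S_IWGRP:
            problems.append((current, "group writable"))
    return problems


def demo():
    """Build a throw-away home directory with a .forward, check it with a
    group-writable home (the case the announcement calls out), fix the mode
    and check again.  Findings are restricted to the constructed tree so the
    mode of the system temp directory does not affect the result."""
    import shutil
    import tempfile
    root = tempfile.mkdtemp()
    try:
        home = os.path.join(root, "home", "alice")
        os.makedirs(home)
        fwd = os.path.join(home, ".forward")
        with open(fwd, "w") as f:
            f.write('"|/usr/bin/procmail"\n')   # constructed .forward contents
        os.chmod(os.path.join(root, "home"), 0o755)
        os.chmod(home, 0o775)                   # group writable: unsafe in 8.9
        os.chmod(fwd, 0o644)
        before = [p for p in unsafe_components(fwd) if p[0].startswith(root)]
        os.chmod(home, 0o755)                   # the fix
        after = [p for p in unsafe_components(fwd) if p[0].startswith(root)]
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

In the demo the only finding is the group-writable home directory, which is exactly the situation the announcement says 8.9 will refuse by default; the flag list above names forwardfileingroupwritabledirpath as the DontBlameSendmail override for it, and fixing the directory mode is the better answer.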

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated