head 1.4; access; symbols pkgsrc-2026Q1:1.4.0.2 pkgsrc-2026Q1-base:1.4 pkgsrc-2025Q4:1.3.0.36 pkgsrc-2025Q4-base:1.3 pkgsrc-2025Q3:1.3.0.34 pkgsrc-2025Q3-base:1.3 pkgsrc-2025Q2:1.3.0.32 pkgsrc-2025Q2-base:1.3 pkgsrc-2025Q1:1.3.0.30 pkgsrc-2025Q1-base:1.3 pkgsrc-2024Q4:1.3.0.28 pkgsrc-2024Q4-base:1.3 pkgsrc-2024Q3:1.3.0.26 pkgsrc-2024Q3-base:1.3 pkgsrc-2024Q2:1.3.0.24 pkgsrc-2024Q2-base:1.3 pkgsrc-2024Q1:1.3.0.22 pkgsrc-2024Q1-base:1.3 pkgsrc-2023Q4:1.3.0.20 pkgsrc-2023Q4-base:1.3 pkgsrc-2023Q3:1.3.0.18 pkgsrc-2023Q3-base:1.3 pkgsrc-2023Q2:1.3.0.16 pkgsrc-2023Q2-base:1.3 pkgsrc-2023Q1:1.3.0.14 pkgsrc-2023Q1-base:1.3 pkgsrc-2022Q4:1.3.0.12 pkgsrc-2022Q4-base:1.3 pkgsrc-2022Q3:1.3.0.10 pkgsrc-2022Q3-base:1.3 pkgsrc-2022Q2:1.3.0.8 pkgsrc-2022Q2-base:1.3 pkgsrc-2022Q1:1.3.0.6 pkgsrc-2022Q1-base:1.3 pkgsrc-2021Q4:1.3.0.4 pkgsrc-2021Q4-base:1.3 pkgsrc-2021Q3:1.3.0.2 pkgsrc-2021Q3-base:1.3 pkgsrc-2021Q2:1.2.0.16 pkgsrc-2021Q2-base:1.2 pkgsrc-2021Q1:1.2.0.14 pkgsrc-2021Q1-base:1.2 pkgsrc-2020Q4:1.2.0.12 pkgsrc-2020Q4-base:1.2 pkgsrc-2020Q3:1.2.0.10 pkgsrc-2020Q3-base:1.2 pkgsrc-2020Q2:1.2.0.8 pkgsrc-2020Q2-base:1.2 pkgsrc-2020Q1:1.2.0.4 pkgsrc-2020Q1-base:1.2 pkgsrc-2019Q4:1.2.0.6 pkgsrc-2019Q4-base:1.2 pkgsrc-2019Q3:1.2.0.2 pkgsrc-2019Q3-base:1.2 pkgsrc-2019Q2:1.1.0.44 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.42 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.40 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.38 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.36 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.34 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.32 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.30 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.26 pkgsrc-2017Q2-base:1.1 pkgsrc-2017Q1:1.1.0.24 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.22 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.20 pkgsrc-2016Q3-base:1.1 pkgsrc-2016Q2:1.1.0.18 pkgsrc-2016Q2-base:1.1 pkgsrc-2016Q1:1.1.0.16 pkgsrc-2016Q1-base:1.1 pkgsrc-2015Q4:1.1.0.14 pkgsrc-2015Q4-base:1.1 pkgsrc-2015Q3:1.1.0.12 pkgsrc-2015Q3-base:1.1 
pkgsrc-2015Q2:1.1.0.10 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.8 pkgsrc-2015Q1-base:1.1 pkgsrc-2014Q4:1.1.0.6 pkgsrc-2014Q4-base:1.1 pkgsrc-2014Q3:1.1.0.4 pkgsrc-2014Q3-base:1.1 pkgsrc-2014Q2:1.1.0.2 pkgsrc-2014Q2-base:1.1; locks; strict; comment @# @; 1.4 date 2026.03.02.07.39.29; author jnemeth; state Exp; branches; next 1.3; commitid hRaoxTwMYU3L7nwG; 1.3 date 2021.07.04.07.57.13; author jnemeth; state Exp; branches; next 1.2; commitid L27iNpThA37ZWDZC; 1.2 date 2019.07.15.04.32.49; author jnemeth; state Exp; branches; next 1.1; commitid jIGa2kaE2N2eT5vB; 1.1 date 2014.06.15.20.48.50; author jnemeth; state Exp; branches; next ; commitid y0gYCG4vNLA71FEx; desc @@ 1.4 log @Update to sendmail 8.18.2 pkgsrc changes: - fix one thing related to resn - convert from NetBSD's old blocklistd to blacklistd NOTE: UseBlocklist is now UseBlacklist SENDMAIL RELEASE NOTES This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release. 8.18.2/8.18.2 2025/12/27 Avoid adding a second To: header to DSNs, instead any additional addresses are appended to an existing To: header (this also applies to Cc: and Bcc:). Fix matching of wildcard SANs in the experimental support for SMTP MTA Strict Transport Security (MTA-STS). Problem reported by Dilyan Palauzo. The experimental support for SMTP MTA Strict Transport Security has been significantly rewritten to handle the problems caused by it being tied to the domain of a RCPT address (instead to an SMTP server for all the domains it handles - compare DANE). The most visible change is that an SMTP transaction where the first RCPT has an STS policy will have only RCPTs with the same domain instead of all RCPTs going to the same servers (MX). Accordingly, MTA-STS can be disabled per RCPT domain by adding access map entries of the form STS:domain NO Successful deliveries to RCPTs which have an STS policy show STS=OK in the to=... 
stat=Sent log entry. If an STS policy for a RCPT could not be fulfilled then the RCPT is not being sent and an error containing the string "STS" is logged. MaxQueueAge is now observed for all types of QueueSortOrder even those which internally skip some code (including the MaxQueueAge check). On some systems the rejection of a RCPT by a milter could silently be ignored. Increase size for an internal buffer which can contain AUTH data because XOAUTH2 could use very long tokens. Patch from Frank Schmirler. Portability: Add support for Darwin 24 and 25. LIBSM: Fix compilation of vfscanf.c with gcc-15. Problem reported by Jaroslav Škarvada of RedHat. MAILSTATS: Fix compilation with gcc-15. Problem reported by Jaroslav Škarvada of RedHat. New Files: cf/feature/same_domain_only.m4 devtools/OS/Darwin.24.x devtools/OS/Darwin.25.x @ text @$NetBSD: patch-ar,v 1.3 2021/07/04 07:57:13 jnemeth Exp $ --- sendmail/daemon.c.orig 2020-06-02 09:41:43.000000000 +0000 +++ sendmail/daemon.c @@@@ -75,6 +75,10 @@@@ SM_RCSID("@@(#)$Id: daemon.c,v 8.698 2013 # endif /* HAS_IN_H */ #endif /* IP_SRCROUTE && NETINET */ +#if NAMED_BIND +extern struct __res_state sm_res; +#endif + #include #include @@@@ -774,6 +778,8 @@@@ getrequests(e) anynet_ntoa(&RealHostAddr)); } + BLOCKLIST_INIT(); + if (pipefd[0] != -1) { auto char c; @@@@ -2335,16 +2341,16 @@@@ makeconnection(host, port, mci, e, enoug if (hp == NULL && p[-1] == '.') { #if NAMED_BIND - int oldopts = _res.options; + int oldopts = sm_res.options; - _res.options &= ~(RES_DEFNAMES|RES_DNSRCH); + sm_res.options &= ~(RES_DEFNAMES|RES_DNSRCH); #endif /* NAMED_BIND */ p[-1] = '\0'; hp = sm_gethostbyname(&host[1], family); p[-1] = '.'; #if NAMED_BIND - _res.options = oldopts; + sm_res.options = oldopts; #endif } *p = ']'; @@@@ -2420,15 +2426,15 @@@@ makeconnection(host, port, mci, e, enoug if (hp == NULL && *p == '.') { #if NAMED_BIND - int oldopts = _res.options; + int oldopts = sm_res.options; - _res.options &= ~(RES_DEFNAMES|RES_DNSRCH); + 
sm_res.options &= ~(RES_DEFNAMES|RES_DNSRCH); #endif *p = '\0'; hp = sm_gethostbyname(host, family); *p = '.'; #if NAMED_BIND - _res.options = oldopts; + sm_res.options = oldopts; #endif } } @@@@ -4136,13 +4142,13 @@@@ host_map_lookup(map, name, av, statp) #if NAMED_BIND if (map->map_timeout > 0) { - retrans = _res.retrans; - _res.retrans = map->map_timeout; + retrans = sm_res.retrans; + sm_res.retrans = map->map_timeout; } if (map->map_retry > 0) { - retry = _res.retry; - _res.retry = map->map_retry; + retry = sm_res.retry; + sm_res.retry = map->map_retry; } #endif /* NAMED_BIND */ @@@@ -4220,9 +4226,9 @@@@ host_map_lookup(map, name, av, statp) } #if NAMED_BIND if (map->map_timeout > 0) - _res.retrans = retrans; + sm_res.retrans = retrans; if (map->map_retry > 0) - _res.retry = retry; + sm_res.retry = retry; #endif /* NAMED_BIND */ s->s_namecanon.nc_flags |= NCF_VALID; /* will be soon */ @@@@ -4551,11 +4557,11 @@@@ hostnamebyanyaddr(sap) # if NAMED_BIND /* shorten name server timeout to avoid higher level timeouts */ - saveretry = _res.retry; - if (_res.retry * _res.retrans > 20) - _res.retry = 20 / _res.retrans; - if (_res.retry == 0) - _res.retry = 1; + saveretry = sm_res.retry; + if (sm_res.retry * sm_res.retrans > 20) + sm_res.retry = 20 / sm_res.retrans; + if (sm_res.retry == 0) + sm_res.retry = 1; # endif /* NAMED_BIND */ switch (sap->sa.sa_family) @@@@ -4594,7 +4600,7 @@@@ hostnamebyanyaddr(sap) } # if NAMED_BIND - _res.retry = saveretry; + sm_res.retry = saveretry; # endif # if NETINET || NETINET6 @ 1.3 log @comms/sendmail: update to 8.16.1 8.16.1/8.16.1 2020/07/05 SECURITY: If sendmail tried to reuse an SMTP session which had already been closed by the server, then the connection cache could have invalid information about the session. One possible consequence was that STARTTLS was not used even if offered. This problem has been fixed by clearing out all relevant status information when a closed session is encountered. 
OpenSSL versions before 0.9.8 are no longer supported. OpenSSL version 1.1.0 and 1.1.1 are supported. Initial support for DANE (see RFC 7672 et.al.) is available if the compile time option DANE is set. Only TLSA RR 3-1-x is currently implemented. New options SSLEngine and SSLEnginePath to support OpenSSL engines. Note: this feature has so far only been tested with the "chil" engine; please report problems with other engines if you encounter any. New option CRLPath to specify a directory which contains hashes pointing to certificate revocations files. Based on patch from Al Smith. New rulesets tls_srv_features and tls_clt_features which can return a (semicolon separated) list of TLS related options, e.g., CipherList, CertFile, KeyFile, see doc/op/op.me for details. To automatically handle TLS interoperability problems for outgoing mail, sendmail can now immediately try a connection again without STARTTLS after a TLS handshake failure. This can be configured globally via the option TLSFallbacktoClear or per session via the 'C' flag of tls_clt_features. This also adds the new value "CLEAR" for the macro {verify}: STARTTLS has been disabled internally for a clear text delivery attempt. Apply Timeout.starttls also to the server waiting for the TLS handshake to begin. Based on patch from Simon Hradecky. New compile time option TLS_EC to enable the use of elliptic curve cryptography in STARTTLS (previously available as _FFR_TLS_EC). Handle MIME boundaries specified in headers which contain CRLF. Fix detection of loopback net (it was broken when compiled with NETINET6) and only set the macros {if_addr_out} and {if_family_out} if the interface of the outgoing connection does not belong to the loopback net. Fix logic to enable a milter to delete a recipient in DeliveryMode=interactive even if it might be subject to alias expansion. Log name of a milter making changes (this was missing for some functions). 
Log the actual reply of a server when an SMTP delivery problem occurs in a "reply=" field if possible. Log user= for failed AUTH attempts if possible. Based on patch from Packet Hack, Jim Hranicky, Kevin A. McGrail, and Joe Quinn. Add CDB as map type. Note: CDB is a "Constant DataBase", i.e., no changes can be made after it is created, hence it does not work with vacation(1) nor editmap(8) (except for query mode). Fix some memory leaks (mostly in error cases) and properly handle copied varargs in sm_io_vfprintf(). The issues were found using Coverity Scan and reported (including patches) by Ondřej Lysoněk of Red Hat. Do not override ServerSSLOptions and ClientSSLOptions when they are specified on the command line. Based on patch from Hiroki Sato. Add RFC7505 Null MX support for domains that declare they do not accept mail. New compile time option LDAP_NETWORK_TIMEOUT which is set automatically when LDAPMAP is used and LDAP_OPT_NETWORK_TIMEOUT is available to enable the new -c option for LDAP maps to specify the network timeout. CONFIG: New FEATURE(`tls_session_features') to enable standard rules for tls_srv_features and tls_clt_features; for details see cf/README. CONFIG: New options confSSL_ENGINE and confSSL_ENGINE_PATH for SSLEngine and SSLEnginePath, respectively. CONFIG: New options confDANE to enable DANE support. CONFIG: New option confTLS_FALLBACK_TO_CLEAR for TLSFallbacktoClear. CONFIG: New extension CITag: for TLS restrictions, see cf/README for details. CONFIG: FEATURE(`blacklist_recipients') renamed to FEATURE(`blocklist_recipients'). CONTRIB: cidrexpand updated to support IPv6 CIDR ranges and to canonicalize IPv6 addresses; if cidrexpand is used with IPv6 addresses then UseCompressedIPv6Addresses must be disabled. DOC: The dns map can return multiple values in a single result if the -z option is used. DOC: Note to set MustQuoteChars=. due to DKIM signatures. LIBMILTER: Fix typo in a macro. Patch from Ignacio Goyret of Alcatel-Lucent. 
LIBMILTER: Fix reference in xxfi_negotiate documentation. Patch from Sven Neuhaus. LIBMILTER: Fix function name in smfi_addrcpt_par documentation. Patch from G.W. Haywood. LIBMILTER: Fix a potential memory leak in smfi_setsymlist(). Patch from Martin Svec. MAKEMAP: New map type "implicit" refers to the first available type, i.e., it depends on the compile time options NEWDB, DBM, and CDB. This can be used in conjunction with the "implicit" map type in sendmail.cf. Note: makemap, libsmdb, and sendmail must be compiled with the same options (and library versions of course). Portability: Add support for Darwin 14-18 (Mac OS X 10.x). New option HAS_GETHOSTBYNAME2: set if your system supports gethostbyname2(2). Set SM_CONF_SEM=2 for FreeBSD 12 and later due to changes in sys/sem.h On Linux set MAXHOSTNAMELEN (the maximum length of a FQHN) to 256 if it is less than that value. Added Files: cf/feature/blocklist_recipients.m4 cf/feature/tls_failures.m4 devtools/OS/Darwin.14.x devtools/OS/Darwin.15.x devtools/OS/Darwin.16.x libsmdb/smcdb.c sendmail/ratectrl.h @ text @d1 1 a1 1 $NetBSD$ d20 1 a20 1 + BLACKLIST_INIT(); @ 1.2 log @Add support for working with blacklistd. These patches were originally created for FreeBSD and were ported to pkgsrc by Hauke Fath with some cleanup by myself. These patches add a new "UseBlacklist" option to sendmail to have it send authentication failure notices to blacklistd. 
@ text @d3 1 a3 1 --- sendmail/daemon.c.orig 2015-02-28 00:50:03.000000000 +0000 d5 1 a5 1 @@@@ -57,6 +57,10 @@@@ SM_RCSID("@@(#)$Id: daemon.c,v 8.698 2013 d15 2 a16 2 #define DAEMON_C 1 @@@@ -754,6 +758,8 @@@@ getrequests(e) d25 1 a25 1 @@@@ -2298,16 +2304,16 @@@@ makeconnection(host, port, mci, e, enoug d42 1 a42 1 #endif /* NAMED_BIND */ d45 1 a45 1 @@@@ -2336,15 +2342,15 @@@@ makeconnection(host, port, mci, e, enoug d54 1 a54 1 #endif /* NAMED_BIND */ d61 1 a61 1 #endif /* NAMED_BIND */ d64 1 a64 1 @@@@ -4007,13 +4013,13 @@@@ host_map_lookup(map, name, av, statp) d82 1 a82 1 @@@@ -4076,9 +4082,9 @@@@ host_map_lookup(map, name, av, statp) d94 1 a94 1 @@@@ -4407,11 +4413,11 @@@@ hostnamebyanyaddr(sap) d111 1 a111 1 @@@@ -4450,7 +4456,7 @@@@ hostnamebyanyaddr(sap) d117 1 a117 1 # endif /* NAMED_BIND */ @ 1.1 log @Update to sendmail 8.14.9: this fixes a minor potential security issue pkgsrc changes: - consolidate several patches into site.config.m4 - pkgsrc LDFLAGS should always be used - don't bother specifying file owner/group anywhere except in Makefile - create include/sm/os/sm_os_netbsd.h to fix warnings and OS specific stuff - install mail.local and rmail - convert to use res_n* functions - allows for linking against threaded libraries - add a TODO file - PR/35249 - Loren M. Lang - can't find libraries on Linux, this should be fixed by using pkgsrc LDFLAGS - PR/46694 - Makoto Fujiwara - bring back netbsd-proto.mc from when sendmail was part of the base system - PR/47207 - Richard Palo - let pkgsrc infrastructure handle file ownership and group - PR/48566 - Emmanuel Dreyfus - always set _FFR_USE_GETPWNAM_ERRNO on NetBSD - roll ffr_tls_1 and the suggested ffr_tls_ec into one new ffr_tls option - not enabled by default because it changes behaviour 8.14.9/8.14.9 2014/05/21 SECURITY: Properly set the close-on-exec flag for file descriptors (except stdin, stdout, and stderr) before executing mailers. 
Fix a misformed comment in conf.c: "/*" within comment which may cause a compilation error on some systems. Problem reported by John Beck of Oracle. DEVTOOLS: Fix regression in auto-detection of libraries when only shared libraries are available. Problem reported by Bryan Costales. @ text @d3 1 a3 1 --- sendmail/daemon.c.orig 2014-05-16 20:40:15.000000000 +0000 d16 10 a25 1 @@@@ -2295,16 +2299,16 @@@@ makeconnection(host, port, mci, e, enoug d45 1 a45 1 @@@@ -2333,15 +2337,15 @@@@ makeconnection(host, port, mci, e, enoug d64 1 a64 1 @@@@ -4005,13 +4009,13 @@@@ host_map_lookup(map, name, av, statp) d82 1 a82 1 @@@@ -4074,9 +4078,9 @@@@ host_map_lookup(map, name, av, statp) d94 1 a94 1 @@@@ -4407,11 +4411,11 @@@@ hostnamebyanyaddr(sap) d111 1 a111 1 @@@@ -4450,7 +4454,7 @@@@ hostnamebyanyaddr(sap) @
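Review bot: In the two makeconnection() hunks of the 1.4 text, the options that are saved, masked and restored now belong to sm_res instead of _res, but the lookup between them is still sm_gethostbyname(&host[1], family) and sm_gethostbyname(host, family). Clearing RES_DEFNAMES|RES_DNSRCH on sm_res only changes the query if sm_gethostbyname() resolves through the res_n* interface using that same structure; if it ends up in gethostbyname(), the libc resolver state is untouched and the trailing-dot retry still applies the search list. The same question applies to the retrans and retry overrides in host_map_lookup() and hostnamebyanyaddr(). Please confirm the lookup path, or state in the patch comment that these hunks depend on the res_n* conversion.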
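Review bot: The first daemon.c hunk of the 1.4 text puts extern struct __res_state sm_res; directly in the .c file, ahead of the #include lines that follow it. A per-file extern can drift from the definition of sm_res, and the member accesses further down (sm_res.options, sm_res.retry, sm_res.retrans) need the complete structure type from the resolver header, which this hunk does not show being included. Suggest declaring sm_res once in a shared header next to its definition, and giving the new #endif the /* NAMED_BIND */ trailer to match the neighbouring #endif /* IP_SRCROUTE && NETINET */.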
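Review bot: The getrequests() hunk of the 1.4 text calls BLOCKLIST_INIT(); where revision 1.3 of this patch had BLACKLIST_INIT();, while the 1.4 log message describes a conversion from blocklistd to blacklistd and says UseBlocklist is now UseBlacklist. The macro rename and the log message point in opposite directions, so one of them needs correcting before users are told which option name to set. The call is also unconditional and the macro is not defined anywhere in this patch, so it has to expand to nothing in builds without that support; worth confirming where it is defined.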