Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
In addition to the names listed below, the following people provided
useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd.
Apologies for any names omitted.
19980105
The compiled-in default value for resolve_smtp_sender was
wrong (from the days that it was a boolean), causing smtpd
to dump core when the variable was not set in main.cf.
The INSTALL instructions now have separate sections for
the three basic ways of running vmailer.
The INSTALL instructions now have discusses how to deal
with chrooted processes.
Ported to RedHat 5.0. My, these people have re-organized
their include files quite a bit, haven't they.
19980106
On RedHat Linux 4.2/5.0, when a FIFO listener opens the
FIFO with mode O_RDONLY, the FIFO remains forever readable
after the writer has closed it. Workaround: open the FIFO
mode O_RDWR.
Test program: util/fifo_rdonly_bug.c
Unfortunately, the above fix triggers a bug on BSD/OS 3.1
where opening the FIFO mode O_RDWR causes select() to claim
that the FIFO is readable even before any data is written
to it, causing read() to block or to fail.
Test program: util/fifo_rdwr_bug.c
printfck (check arguments of printf-like function calls)
found a missing argument in local/command.c
Miscellaneous Makefile cleanups that I didn't finish before
the first alpha release.
19980107
Sometimes the DNS will claim that a domain does not exist,
when in fact it does. Thus, it is a bad idea to reject mail
from apparently non-existent domains. I have changed the
smtpd so that it produces a soft error responses when a
resolve_smtp_sender test fails with HOST_NOT_FOUND. Note:
by default, this test is still disabled.
The DB and DBM read routines will now automagically figure
out if (key, value) pairs were written including a terminating
null byte or not. The DB and DBM write routines will use
this result to determine how to write, and will fall back
to per-system defaults otherwise.
Renamed the README to MUSINGS, and wrote up a README that
reflects the current status of the software.
Added -d (don't disconnect) and -c (show running counter)
option to te smtp-source test program. These tools are
great torture tests for the mail software, and for the
system that it runs on.
Turned down the process_limit parameter (# of parallel smtp
clients or servers) to avoid unpleasant surprises. You can
crank up the process_limit parameter in main.cf.
19980111
Feature: when run by the superuser, mailq now shows the
mail queue even when the mail system is down. To this end,
mailq (sendmail -bp) runs the showq program directly instead
of connecting to the UNIX-domain service socket, and drops
privileges etc. as usual.
19980119
Bugfix: Edwin Kremer spotted an oversight in the negated
host matching code (for name or address patterns prefixed
by !).
Bugfix: upon receipt of a SIGHUP signal, the master now
disconnects from its child processes, so that the current
generation of child processes commits suicide, and so that
the next generation of child processes will use the new
configuration settings.
Bugfix: the smtp server now skips the sender DNS domain
lookup test for foo@[address]
Bugfix: don't append the local domain to foo@[address]
19980120
Bugfix: old low-priority bug in some list walk code that
caused the master to drop core when a service was turned
off in master.cf.
Robustness: the mail system should be able to start up and
to accept local postings even while the naming service is
down. For this reason, the mail system no longer uses
gethostbyname() to look up its own machine name. Sites
that use short hostnames will have to specify their FQDN
in main.cf (this will eventually be done by the system
installation/configuration procedure). Should the config
language support backticks so one can say `domainname`? What
about $name stuff between the backtics?
Security: the master now creates FIFOs and UNIX-domain
sockets as the mail owner instead of as root, for better
protection against subverted mail systems. chmod() is
susceptible to race conditions. fchmod(), although safer,
often does not work on sockets.
Portability: anticipate that all major UNIXes will create
UNIX-domain sockets with permissions modified by the process
umask (required by POSIX). For this reason, we always
chmod() UNIX-domain sockets, unless the system allows us
to use the safer fchmod() instead.
Portability: the semi-resident servers now properly handle
EWOULDBLOCK returns from accept() in addition to EGAIN
(on some systems, EAGAIN and EWOULDBLOCK have different
values).
Bugfix: the semi-resident servers now properly handle EINTR
returns From accept().
Bugfix: Edwin Kremer found that mynetworks() would compute
(32 - mask) instead of mask.
19980121
Feature: /etc/vmailer/relocated is used by the local delivery
program and specifies what mail should be bounced with a
"user has moved to XXX" message. The main.cf configuration
parameter is "relocated_maps". Just like the "virtual_maps"
config parameter, this feature is off by default, and the
parameter can have values such as "files" or "files, nis"
(on hosts equipped with NIS).
19980123
Cleanup: virtual domain support moved from the queue manager
to the resolve service, where it belongs.
Feature: /etc/vmailer/canonical is used by the rewrite
service for all addresses, and maps a canonical address
(user@domain) to another address. Typical use is to generate
Firstname.Lastname@domain addresses, or to clean up dirty
addresses from non-RFC 822 mail systems. The main.cf
configuration parameter is "canonical_maps". Just like
the "virtual_maps" config parameter, this feature is off
by default, and the parameter can have values such as
"files" or "files, nis" (on hosts equipped with NIS).
19980124
HPUX10 port and many little fixes from Pieter Schoenmakers.
Bugfix: isolated an old mysterious bug that could make the
master deaf for new connections while no child process was
running. A typical result was that no pickup daemon would
be started after the previous one had terminated voluntarily.
Bugfix: the NIS lookup code did not mystrdup() the NIS map
name and would access free()d memory.
19980125
Bugfix: the vstream routines would sometimes ignore flushing
errors. The error would still be reported by vstream_fclose()
and vstream_ferror().
Feature: time limit on delivery to shell commands. Config
parameter: command_time_limit. Default value: 100 sec. The
idea is to prevent one bad .forward file or alias file
entry from slowly using up all local delivery process slots.
19980126
Code cleanup: in preparation for SMTP extensions such as
SIZE, allow an extended SMTP command to have a variable
number of options.
19980127
Bugfix: moved canonical map lookups away from the rewriting
module to the cleanup service, so that canonical map lookups
do not interfere with address rewriting on behalf of other
programs. Back to an older trivial-rewrite program version.
Bugfix: moved virtual map lookups away from the resolver
back to the queue manager, so that virtual domain lookup
does not interfere with address resolution on behalf of
other programs. Back to an older qmgr program version.
19980131
Feature: integrated and adapted Guido van Rooij's SIZE
option (RFC 1870), carefully avoiding potential problems
due to overflow (by multiplying large numbers) or unsigned
underflow (by subtracting numbers).
Code cleanup: cleaned up the code that parses the server
response to the HELO/EHLO command, so that we can more
reliably recognize what options a server supports.
19980201
Portability: integrated the IRIX 6 port by Oved Ben-Aroya.
Portability: the software now figures out by itself if a
server should open its FIFO read-write or read-only, to
avoid getting stuck with a FIFO that stays readable forever.
Bugfix: the cleanup service would terminate with a fatal
vstream_fseek() error when the queue file was too large.
Bugfix: the cleanup service could be killed by a signal
when the queue file became too large.
19980203
Portability: some systems have statfs(), some have statvfs(),
and the relevant include files are in a different place on
almost every system.
Portability: the makedefs script now nukes the -O compiler
flag when building on AIX with IBM's own compiler...
19980204
Portability: HP-UX 9.x support by Pieter Schoenmakers.
Portability: added SYSV-style ulimit() file size limit
support for HP-UX 9.x.
Portability: added some #includes that appeared to be
missing according to the Digital UNIX cc compiler.
Bugfix: sys_defs.h now correctly specifies NIS support for
LINUX2, HPUX9 and HPUX10.
Security: fixed a file descriptor leak in the local delivery
agent that could give shell commands access to the VMailer
IPC streams. This should not cause a vulnerability, given
the design and implementation of the mailer, but it would
be like asking for trouble.
Bugfix: the sendmail -B (body type) option did not take a
value.
19980205
Bugfix (SUNOS5): should not have deleted the SVID_GETTOD
definition from util/sys_defs.h.
Bugfix (HPUX9): forgot to specify whether to use statfs()
or statvfs().
Bugfix (HPUX9): don't try to raise the file size ulimit.
Bugfix (HPUX9): must specify file size limit in 512-blocks.
19980207
Robustness: the master process now raises the file size
limit when it is started with a limit that is less than
VMailer's file size limit. File: util/file_limit.c.
Security: the dns lookup routines now screen all result
names with valid_hostname(). Bad names are treated as
transient errors.
Feature: qmail compatibility: when the home_mailbox parameter
is set, mail is delivered to ~/$home_mailbox instead of to
/var[/spool]/mail/username. This hopefully makes it easier
to lure people away from qmail :-)
Robustness: several testers by accident configured relayhost
the same as myhostname. The programs now explicitly check
for this mistake.
Bugfix: deliver_request_read() would free unallocated memory
when it received an incomplete delivery request from the
queue manager.
Robustness: local_destination_concurrency=1 prevents parallel
delivery to the same user (with possibly disastrous effects
when that user has an expensive pipeline in the .forward
or procmail config file). Each transport can have its own
XXX_destination_concurrency parameter, to limit the number
of simultaneous deliveries to the same destination.
19980208
Robustness: added "slow open" mode, to gradually increase
the number of simultaneous connections to the same site as
long as delivery succeeds, and to gradually decrease the
number of connections while delivery fails. Brad Knowles
provided the inspiration to do this.
This also solves the "thundering herd" problem (making a
bunch of connections to a dead host when it was time to
retry that host). Let's see when other mailers fix this.
Feature: Added $smtpd_banner and $mail_version, for those
who want to show the world what software version they are
running.
Bugfix: vmailer-script now properly labels each syslog
entry.
19980210
Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers
Bugfix: the local delivery program now checks that a
destination is a regular file before locking it.
19980211
Robustness: the local delivery agent sets HOME, LOGNAME,
and SHELL when delivering to a user shell command. PATH is
always set, and TZ is passed through if it is set.
19980212
Feature: mailq (sendmail -bp) now also lists the maildrop
queue (with mail that hasn't been picked up yet).
19980213
Feature: the smtpd now says: 502 HELP not implemented. This
should impress the heck out of the competition :-)
19980214
Feature: local delivery to configurable system-wide command
(e.g. procmail) avoids the need for per-user ~/.forward
shell commands. Config parameter: mailbox_command.
19980215
Performance: avoid running a shell when a command contains
no shell magic characters or built-in shell commands. This
speeds up delivery to all commands. File: util/exec_command.c.
Bugfix: the local delivery agent, after reading EOF from
a child process, now sends SIGKILL only when the child does
not terminate within a limited amount of time. This avoids
some problems with procmail. File: util/timed_wait.c.
19980217
Portability: folded in NetInfo support from Pieter
Schoenmakers.
19980218
Feature: new vmlock command to run a command while keeping
an exclusive lock on a mailbox.
Feature: with "recipient_delimiter = +", mail for local
address "user+foo" is delivered to "foo", with a "Delivered-To:
user+foo@domain" message header. Files: qmgr/qmgr_message.c,
local/recipient.c. This must be the cheapest feature.
19980219
Code cleanup: moved error handling into functions that
should always succeed (non_blocking(), close_on_exec()).
19980223
Bugfix: null pointer bug in the cleanup program after
processing a From: header with no mail address (or with
only a comment).
19980226
Robustness: now detects when getpwnam() returns a name that
differs from the requested name.
Feature: Added %p support to the vbuf_print formatting
module.
Code cleanup: revamped the alias/include/.forward loop
detection and duplicate suppression code in the local
delivery agent. This must be the fourth iteration, and
again the code has been simplified.
19980228
Robustness: don't treat anything starting with whitespace
as a header record. Instead, explicitly test for leading
whitespace where we permit it. Files: global/is_header.c,
bounce/bounce_flush_service.c, local/delivered.c.
19980301
Compatibility: the sendmail program now accepts the -N
command-line option (delivery status notification) but
ignores it entirely, just like many other sendmail options.
Bugfix: dns_lookup.c was too conservative with buffer sizes
and would incorrectly report "malformed name server reply".
19980302
Bugfix: the local delivery agent was not null-byte clean.
19980307
Feature: integrated Pieter Schoenmaker's code for transport
lookup tables that list (transport, nexthop) by destination.
19980309
Bugfix: delivery agents no longer rename corrupt queue
files, because programs might fall over each other doing
so. Instead, when a delivery agent detects queue file
corruption, it chmods the queue file, simulates a soft
error, and lets the queue manager take care of the problem.
Bugfix: the SMTP server implemented VRFY incorrectly.
Feature: first shot at a pipe mailer, which can be used to
extend VMailer with external mail transports such as UUCP
(provided that the remote site understands domain addressing,
because VMailer version 1 does not rewrite addresses).
Cleanup: extended the master/child interface so that the
service name (from master.cf) is passed on to the child.
The pipe mailer needs the service name so it can look up
service-specific configuration parameters (privilege level,
recipient limit, time limit, and so on).
19980310-12
Cleanup: factored out the pipe_command() code, so it can
be shared between pipe mailer and local delivery agent.
19980314
Compatibility: the sendmail program now parses each
command-line recipient as if it were an RFC 822 message
header; some MUAs specify comma-separated recipients in a
command-line argument; and some MUAs even specify "word
word <address>" forms as command-line arguments.
19980315
Bugfix: VMailer's queue processing randomization wasn't
adequate for unloaded systems with small backlogs.
Bugfix: smtpd now uses double-buffered stream I/O to prevent
loss of input sent ahead of responses.
19980316
Bugfix: the smtpd anti-relay code didn't treat all hosts
listed in $mydestinations as local, so it would accept mail
only for hosts listed in $relay_domains (default: my own
domain).
Bugfix: smtpd now replies with 502 when given an unknown
command.
19980318
Cleanup: resolve/rewrite clients now automatically disconnect
after a configurable amount of idle time (ipc_idle).
19980322
Tolerance: VRFY now permits user@domain, even though the
RFC requires that special characters such as @ be escaped.
19980325
Bugfix: a recipient delimiter of "-" could interfere with
special addresses such as owner-xxx or double-bounce.
Tolerance: the SMTP client now permits blank lines in SMTP
server responses.
Tolerance: the SMTP client now falls back to SMTP when it
apparently mistook an SMTP server as ESMTP capable.
Bugfix: eliminated strtok() calls in favor of mystrtok().
Symptom: master.cf parsing would break if $inet_interfaces
was more than one word.
19980328
Bugfix: user->addr patterns in canonical and virtual tables
matched only $myorigin, not hosts listed in $mydestination
or addresses listed in $inet_interfaces. The man pages
were wrong too. File: global/addr_match.c.
19980401
Robustness: FIFO file permissions now default to 0622. On
some systems, opening a FIFO read-only could deafen the
pickup daemon. Only the listener end (which is opened as
root) needs read access anyway, so there should not be a
loss of functionality by making FIFOs non-readable for
non-mail processes.
19980402
Compatibility: sendmail -I and -c options added.
19980403
Feature: virtual lookups are now recursive. File:
qmgr/qmgr_message.c
19980405
Implemented sendmail -bs (stand-alone) mode. This mode runs
as the user and therefore deposits into the maildrop queue.
19980406
The pickup service now removes malformed maildrop files.
19980407
The pickup service now guards against maildrop files with
time stamps dated into the future.
19980408
Bugfix: in the canonical and virtual maps, foo->address
would match foo@$myorigin only. This has been fixed to also
match hosts listed in main.cf:$mydestination and the
addresses listed in main.cf:$inet_interfaces.
Bugfix: added double buffering support to the VMailer SMTP
server. This makes the SMTP server robust against SMTP
clients that talk ahead of time, and should have been in
there from day one.
19980409
Bugfix: the VMailer SMTP client now recognizes its own
hostname in the SMTP greeting banner only when that name
appears as the first word on the first line.
19980410
Feature: smtpd now logs the local queue ID along with the
client name/address, and pickup now logs the local queue
ID along with the message owner.
Bugfix: still didn't do virtual/canonical lookups right
(code used the non-case-folded key instead of the case
folded one).
19980418
Bugfix: the SMTP server did not flush the "250 OK queued
as XXXX" message from the SMTP conversation history.
19980419
Bugfix: qmgr would not notice that a malformed message has
multiple senders, and would leak memory (Tom Ptacek).
19980421
Portability: in the mantools scripts, the expr pattern no
longer has ^ at the beginning, and the scripts now use the
expand program instead of my own detab utility.
19980425
NetBSD 1.x patch by Soren S. Jorvang.
19980511
Feature: the SMTP server now logs the protocol (SMTP or
ESMTP) as part of the Received: header.
Feature: smtpd now logs the last command when a session is
aborted due to timeout, unexpected EOF, or too many client
errors.
19980514
Bugfix: the queue manager did not update the counter for
in-core message structures, so the in-core message limit
had no effect. This can be bad when you have a large backlog
with many messages eligible for delivery.
Robustness: the queue manager now also limits the total
number of in-core recipient structures, so that it won't
use excessive amounts of memory on sites that have large
mailing lists.
19980518
Bugfix: the SMTP client did not notice that the DNS client
received a truncated response. As a result, a backup MX
host could incorrectly claim that it was the best MX host
and declare a mailer loop.
Added start_msg/stop_msg entries to the vmailer startup
script, for easy installation.
Cleanup: VMailer databases are now explicitly specified as
type:name, for example, hash:/etc/aliases or nis:mail.aliases,
instead of implicitly as "files", "nis" and so on. Test
program: util/dict_open. This change allowed me to
eliminate a lot of redundant code from mkmap_xxx.c, and
from everything that does map lookups.
19980525
Bugfix: local/dotforward.c compared the result of opening
a user's ~/.forward against the wrong error value.
19980526
Bugfix: the smtpd VRFY command could look at free()d memory.
Robustness: the smtpd program had a fixed limit on the
number of token structures. The code now dynamically
allocates token structures.
Bugfix: the queue manager still used the deprecated parameter
name xxx_deliver_concurrency for concurrency control, but
the documentation talks about the preferred parameter name
xxx_destination_concurrency. Fix: try xxx_destination_concurrency
first, then fall back to xxx_deliver_concurrency.
19980621-19980702
Cleanup: the string read routines now report the last
character read or VSTREAM_EOF. This change is necessary
for the implementation of the long SMTP line bugfix.
Bugfix: the smtp server exited the DATA command prematurely
when the client sent long lines. Reason: the smtp server
did not remember that it broke long lines, so that '.'
could appear to be the first character on a line when in
fact it wasn't.
Bugfix: the queue manager made lots of stupid errors while
reading $qmgr_message_recipient_limit chunks of recipients
from a queue file. This code has been restructured.
19980706
Performance: the cleanup program now always adds return-receipt
and errors-to records to a queue file, so that the queue
manager does not have to plow through huge lists of
recipients.
Robustness: the initial destination concurrency now defaults
to 2, so that one bad message or one bad connection does
not stop all mail to a site. The configuration parameter
is called initial_destination_concurrency.
Performance: the per-message recipient limit is now enforced
by the queue manager instead of by the transport. Thus, a
large list of recipients for the same site is now mapped
onto several delivery requests which can be handled in
parallel, instead of being mapped onto one delivery request
that is sent to limited numbers of recipients, one group
after the other.
19980707
Cleanup: the queue manager now does an additional recipient
sort after the recipients have been resolved, so that the
code can do better aggregation of recipients by next hop
destination.
Feature: lines in the master.cf file can now be continued
in the same manner as lines in the main.cf file, i.e. by
starting the next line with whitespace.
Feature: the smtp client now warns that a message may be
delivered multiple times when the response to "." is not
received (the problem described in RFC 1047).
Cleanup: when the queue manager changes its little mind
after contacting a delivery agent (for example, it decides
to skip the host because a transport or host goes bad),
the delivery agent no longer complains about premature EOF.
File: global/deliver_request.c
19980709
Bugfix: when breaking long lines, the SMTP client did not
escape leading dots in secondary etc. line fragments. Fix:
don't break lines. This change makes VMailer line-length
transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c.
19980712
Cleanup: the queue manager to deliver agent protocol now
distinguishes between domain-specific soft errors and
recipient-specific soft errors. Result: many soft errors
with SMTP delivery no longer affect other mail the same
domain.
19980713
Feature: the file modification time stamp of deferred queue
files is set to the nearest wakeup time of their recipient
hosts, or if delivery was deferred due to a non-host problem,
the time stamp is set into the future by the configurable
minimal backoff time.
Bugfix: the SMTP client and the MAILQ command would report
as message size the total queue file size. That would
grossly overestimate the size of a message with many
recipients.
Bugfix: the 19980709 fix screwed up locally-posted mail
that didn't end in newline.
19980714
Robustness: the makedefs script now defaults to no optimization
when compiling for purify.
19980715
Robustness: the makedefs script now defaults to no optimization
when compiling with gcc 2.8, until this compiler is known
to be OK.
Workaround: when sending multiple messages over the same
SMTP connection, some SMTP servers need an RSET command
before the second etc. MAIL FROM command. The VMailer SMTP
client now sends a redundant RSET command just in case.
The queue manager now logs explicitly when delivery is
deferred because of a "dead" message transport.
19980716
Feature: mailq and mail bounces now finally report why mail
was deferred (the reason was logged to the syslog file
only). Changes were made to the bounce service (generalized
to be usable for defer logs), showq service (to show reasons)
and the queue manager.
As a result the defer directory (with one log per deferred
message) may contain many files; also, this directory is
accessed each time a message is let into the active queue,
in order to delete its old defer log. This means that hashed
directories are now a must.
19980718-20
Feature: configurable timeout for establishing smtp
connections. Parameter: smtp_connect_timeout (default 0,
which means use the timeout as wired into the kernel).
Inspired by code from Lamont Jones. For a clean but far
from trivial implementation, see util/timed_connect.c
Cleaned up the interfaces that implement read/write deadlines.
Instead of returning -2, the routines now set errno to
ETIMEDOUT; the readable/writable tests are now separate.
19980722
Feature: the default indexed file type (hash, btree, dbm)
is now configurable with the "database_type" parameter.
The default value for this parameter is system specific.
Feature: selectively turn on verbose logging for hosts that
match the patterns specified via the "debug_peer_list"
config parameter. Syntax is like the "bad_smtp_clients"
parameter (see global/peer_list.c). The verbose logging
level is specified with "debug_peer_level" (default 2).
Security: the local delivery agent no longer delivers to
files that have execute permission enabled.
19980723
Workarounds for Solaris 2.x UNIX-domain sockets: they lose
data when you close them immediately after writing to them.
This could screw up the delivery agent to queue manager
protocol.
19980724
Cleanup: spent most of the day cleaning up queue manager
code that defers mail when a site or transport dies, and
fixed a few obscure problems in the process.
19980726
Feature: the admin can now configure what classes of problems
result in mail to the postmaster. Configuration parameter:
"notify_classes". Default is backwards compatible: bounce,
policy, protocol, resource, and software.
19980726-28
Feature: the admin can now configure what smtp server access
control restrictions must be applied, and in what order.
Configuration parameters: smtpd_client_restrictions,
smtpd_helo_restrictions, smtpd_mail_restrictions and
smtpd_rcpt_restrictions. Defaults are intended to be
backwards compatible. The bad_senders and bad_clients lists
are gone and have become db (dbm, nis, etc) maps. Files:
smtpd/smtpd_check.c, config/main.cf.
19980729-31
Feature: hashed queues. Rewrote parts of the mail queue
API. Configuration parameters: "hash_queue_names" specifies
what queue directories will be hashed (default: the defer
log directory), "hash_queue_depth" specifies the number of
subdirectories used for hashing (default 2).
19980802
Bugfix: the pipe mailer should expand command-line arguments
with $recipient once for every recipient (producing one
command-line argument per recipient), instead of replacing
$recipient by of all recipients (i.e. producing only one
command-line argument). This is required for compatibility
with programs that expect to be run from sendmail, such as
uux. Thanks to Ollivier Robert for helping me to get this
right.
Code cleanup: for the above, cleaned up the macro expansion
code in dict.c and factored out the parsing into a separate
module, mac_parse.c.
19980803
"|command" and /file/name destinations in alias databases
are now executed with the privileges of the database owner
(unless root or vmailer). Thus, with: "alias_maps =
hash:/etc/aliases, hash:/home/majordomo/aliases", and with
/home/majordomo/aliases* owned by the majordomo account,
you no longer need the majordomo set-uid wrapper program,
and you no longer need root privileges in order to install
a new mailing list.
19980804
Added support for the real-time blackhole list. Example:
"client_restrictions = permit_mynetworks, reject_maps_rbl"
All SMTP server "reject" status codes are now configurable:
unknown_client_reject_code, mynetworks_reject_code,
invalid_hostname_reject_code, unknown_hostname_reject_code,
unknown_address_reject_code, relay_domains_reject_code,
access_map_reject_code, maps_rbl_reject_code. Default values
are documented in the smtpd/smtpd_check.c man page.
19980806-8
Code cleanup: after eye balling line-by line diffs, started
deleting code that duplicated functionality because it was
at the wrong abstraction level (smtp_trouble.c), moved
functionality that was in the wrong place (dictionary
reference counts in maps.c instead of dict.c), simplified
code that was too complex (password-file structure cache)
and fixed some code that was just wrong.
19980808
Robustness: the number of queue manager in-core structures
for dead hosts is limited; the limit scales with the limit
on the number of in-core recipient structures. The idea is
to not run out of memory under conditions of stress.
19980809
Feature: mail to files and commands can now be restricted
by class: alias, forward file or include file. The default
restrictions are: "allow_mail_to_files = alias, forward"
and allow_mail_to_commands = alias, forward". The idea is
to protect against buggy mailing list managers that allow
intruders to subscribe /file/name or "|command".
19980810-12
Cleanup: deleted a couple hundred lines of code from the
local delivery agent. It will never be a great program;
sendmail compatibility is asking a severe toll.
19980814
Cleanup: made the program shut up about some benign error
conditions that were reported by Daniel Eisenbud.
19980814-7
Documentation: made a start of HTML docs that describe all
configuration parameters.
Feature: while documenting things, added smtpd_helo_required.
19980817
Bugfix: at startup the queue manager now updates the time
stamps of active queue files some time into the future.
This eliminates duplicate deliveries after "vmailer reload".
Bugfix: the local delivery agent now applies the recipient
delimiter after looking in the alias database, instead of
before.
Documentation bugfixes by Matt Shibla, Tom Limoncelli,
Eilon Gishri.
19980819
GLIBC fixes from Myrdraal.
Bugfix: applied showq buffer reallocation workaround in
the wrong place.
Bugfix: can't use shorts in varargs lists. SunOS 4 has
short uid_t and gid_t. pipe_command() would complain.
Bugfix: can't use signed char in ctype macros. All ctype
arguments are now casted to unsigned char. Thanks, Casper
Dik.
19980820
Bugfix: save the alias lookup result before looking up the
owner. The previous alpha release did this right.
Cleanup: mail_trigger() no longer complains when the trigger
FIFO or socket is unavailable. This change is necessary to
shut up the sendmail mail posting program, so that it can
be used on mail clients that mount their maildrop via NFS.
Experiment: pickup and pipe now run as vmailer most of the
time, and switch to user privileges only temporarily.
Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c
pickup/pickup.c. Is this more secure/ What about someone
manipulating such a process while not root? It still has
ruid == 0.
19980822
Portability: with GNU make, commands such as "(false;true)"
and "while :; do false; done" don't fail. Workaround: use
"set -e" all over the place. Problem found by Jeff Wolfe.
Feature: "check_XXX_access maptype:mapname" (XXX = client,
helo, sender, recipient). Now you can make recipient and
other SPAM restrictions dependent on client or sender access
tables lookup results.
19980823
Bugfix: smtpd access table lookup keys were case sensitive.
Added "permit" and "reject" operators. These are useful at
the end of SPAM restriction lists (smtpd_XXX_restrictions).
Added a first implementation of the permit_mx_backup SPAM
restriction. This permits mail relaying to any domain that
lists this mail system as an MX host (including mail for
the local machine). Thanks to Ollivier Robert for useful
discussions.
19980824
Bugfix: transport table lookup keys were case sensitive.
19980825
Portability: sa_len is some ugly #define on some SGI systems,
so we must rename identifiers (file util/connect.c).
Bugfix: uucp delivery errors are now sent to the sender.
Thanks, Mark Delany.
Bugfix: the pipe delivery agent now replaces empty sender
by the mailer daemon address. Mark Delany, again.
Portability: GNU getopt looks at all command-line arguments.
Fix: insert -- into the pipe/uucp definition in master.cf.
Bugfix: the smtp server command tokenizer silently discarded
the [] around [text], so that HELO [x.x.x.x] was read as
if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand.
Bugfix: the HELO unknown hostname/bad hostname restrictions