Last Update 1998-05-20
	     @(#)RELEASE_NOTES	8.9 (Berkeley) 5/19/98

This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.9.0/8.9.0	98/05/19
	SECURITY: To prevent users from reading files not normally
		readable, sendmail will no longer open forward, :include:,
		class, ErrorHeader, or HelpFile files located in unsafe
		(i.e. group or world writable) directory paths.  Sites
		which need the ability to override security can use the
		DontBlameSendmail option.  See the README file for more
	SECURITY: Problems can occur on poorly managed systems, specifically,
		if maps or alias files are in world writable directories.
		This fixes the change added to 8.8.6 to prevent links in these
		world writable directories.
	SECURITY: Make sure ServiceSwitchFile option file is not a link if
		it is in a world writable directory.
	SECURITY: Never pass a tty to a mailer -- if a mailer can get at the
		tty it may be able to push bytes back to the sender's input.
		Unfortunately this breaks -v mode.  Problem noted by
		Wietse Venema of the Global Security Analysis Lab at
		IBM T.J. Watson Research.
	SECURITY: Empty group list if DontInitGroups is set to true to
		prevent program deliveries from picking up extra group
		privileges.  Problem reported by Wolfgang Ley of DFN-CERT.
	SECURITY: The default value for DefaultUser is now set to the uid and
		gid of the first existing user mailnull, sendmail, or daemon
		that has a non-zero uid.  If none of these exist, sendmail
		reverts back to the old behavior of using uid 1 and gid 1.
		This is a security problem for Linux which has chosen that
		uid and gid for user bin instead of daemon.  If DefaultUser
		is set in the configuration file, that value overrides this
	SECURITY: Since 8.8.7, the check for non-setuid binaries
		interfered with setting an alternate group id for the
		RunAsUser option.  Problem noted by Randall Winchester of
		the University of Maryland.
	Add support for Berkeley DB 2.X.  Based on patch from John Kennedy
		of Cal State University, Chico.
	Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB).  Users
		who previously defined OLD_NEWDB=1 must now upgrade to the
		current version of Berkeley DB.
	Added support for regular expressions using the new map class regex.
		From Jan Krueger of Unix-AG of University of Hannover.
	Support for BIND 8.1.1's hesiod for hesiod maps and hesiod
		UserDatabases from Randall Winchester of the University
		of Maryland.
	Allow any shell for user shell on program deliveries on V1
		configurations for backwards compatibility on machines which
		do not have getusershell().  Fix from John Beck of Sun
	On operating systems which change the process title by reusing the
		argument vector memory, sendmail could corrupt memory if the
		last argument was either "-q" or "-d".  Problem noted by
		Frank Langbein of the University of Stuttgart.
	Support Local Mail Transfer Protocol (LMTP) between sendmail and
		mail.local on the F=z flag.
	Macro-expand the contents of the ErrMsgFile.  Previously this was
		only done if you had magic characters (0x81) to indicate
		macro expansion.  Now $x will be expanded.  This means that
		real dollar signs have to be backslash escaped.
	TCP Wrappers expects "unknown" in the hostname argument if the 
		reverse DNS lookup for the incoming connection fails.
		Problem noted by Randy Grimshaw of Syracuse University and
		Wietse Venema of the Global Security Analysis Lab at
		IBM T.J. Watson Research.
	DSN success bounces generated from an invocation of sendmail -t
		would be sent to both the sender and MAILER-DAEMON.
		Problem noted by Claus Assmann of
		Christian-Albrechts-University of Kiel.
	Avoid "Error 0" messages on delivery mailers which exit with a
		valid exit value such as EX_NOPERM.  Fix from Andreas Luik
		of ISA Informationssysteme GmbH.
	Tokenize $&x expansions on right hand side of rules.  This eliminates
		the need to use tricks like $(dequote "" $&{client_name} $)
		to cause the ${client_name} macro to be properly tokenized.
	Add the MaxRecipientsPerMessage option: this limits the number of
		recipients that will be accepted in a single SMTP
		transaction.  After this number is reached, sendmail
		starts returning "452 Too many recipients" to all RCPT
		commands.  This can be used to limit the number of recipients
		per envelope (in particular, to discourage use of the server
		for spamming).  Note: a better approach is to restrict
		relaying entirely.
	Fixed pointer initialization for LDAP lmap struct, fixed -s option
		to ldapx map and added timeout for ldap_open call to
		avoid hanging sendmail in the event of hung LDAP servers.
		Patch from Booker Bense of Stanford University.
	Allow multiple -qI, -qR, or -qS queue run limiters.  For example,
		'-qRfoo -qRbar' would deliver mail to recipients with foo or
		bar in their address.  Patch from Allan E Johannesen of
		Worcester Polytechnic Institute.
	The bestmx map will now return a list of the MX servers for a host if
		passed a column delimiter via the -z map flag.  This can be
		used to check if the server is an MX server for the recipient
		of a message.  This can be used to help prevent relaying.
		Patch from Mitchell Blank Jr of Exec-PC.
	Mark failures for the *file* mailer and return bounce messages to the
		sender for those failures.
	Prevent bogus syslog timestamps on errors in sendmail.cf by
		preserving the TZ environment variable until TimeZoneSpec
		has been determined.  Problem noted by Ralf Hildebrandt of
		Technical University of Braunschweig.  Patch from Per Hedeland
		of Ericsson.
	Print test input in address test mode when input is not from the tty
		when the -v flag is given (i.e. sendmail -bt -v) to make
		output easier to decipher.  Problem noted by Aidan Nichol
		of Procter & Gamble.
	The LDAP map -s flag was not properly parsed and the error message
		given included the remainder of the arguments instead of 
		solely the argument in error.  Problem noted by Aidan Nichol
		of Procter & Gamble.
	New DontBlameSendmail option.  This option allows administrators to
		bypass some of sendmail's file security checks at the expense
		of system security.  This should only be used if you are
		absolutely sure you know the consequences.  The available
		DontBlameSendmail options are:
	New DontProbeInterfaces option to turn off the inclusion of all the
		interface names in $=w on startup.  In particular, if you
		have lots of virtual interfaces, this option will speed up
		startup.  However, unless you make other arrangements, mail
		sent to those addresses will be bounced.
	Automatically create alias databases if they don't exist and
		AutoRebuildAliases is set.
	Add PrivacyOptions=noetrn flag to disable the SMTP ETRN command.
		Suggested by Christophe Wolfhugel of the Institut Pasteur.
	Add PrivacyOptions=noverb flag to disable the SMTP VERB command.
	When determining the client host name ($&{client_name} macro), do
		a forward (A) DNS lookup on the result of the PTR lookup
		and compare results.  If they differ or if the PTR lookup
		fails, $&{client_name} will contain the IP address
		surrounded by square brackets (e.g. []).
	New map flag: -Tx appends "x" to lookups that return temporary failure
		(i.e., it is like -ax for the temporary failure case, in
		contrast to the success case).
	New syntax to do limited checking of header syntax.  A config line
		of the form:
			HHeader: $>Ruleset
		causes the indicated Ruleset to be invoked on the Header
		when read.  This ruleset works like the check_* rulesets --
		that is, it can reject mail on the basis of the contents.
	Limit the size of the HELO/EHLO parameter to prevent spammers
		from hiding their connection information in Received:
	When SingleThreadDelivery is active, deliveries to locked hosts
		are skipped.  This will cause the delivering process to
		try the next MX host or queue the message if no other MX
		hosts are available.  Suggested by Alexander Litvin.
	The [FILE] mailer type now delivers to the file specified in the
		A= equate of the mailer definition instead of $u.  It also
		obeys all of the F= mailer flags such as the MIME
		7/8 bit conversion flags.  This is useful for defining
		a mailer which delivers to the same file regardless of the
		recipient (e.g. 'A=FILE /dev/null' to discard unwanted mail).
	Do not assume the identity of a remote connection is root@localhost
		if the remote connection closes the socket before the
		remote identity can be queried.
	Change semantics of the F=S mailer flag back to 8.7.5 behavior.
		Some mailers, including procmail, require that the real
		uid is left unchanged by sendmail.  Problem noted by Per
		Hedeland of Ericsson.
	No longer is the src/obj*/Makefile selected from a large list -- it
		is now generated using the information in BuildTools/OS/ --
		some of the details are determined dynamically via
	The other programs in the sendmail distribution -- mail.local,
		mailstats, makemap, praliases, rmail, and smrsh -- now use
		the new Build method which creates an operating system
		specific Makefile using the information in BuildTools.
	Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e.,
		a failure on one message won't affect future messages to the
		same host).  This is necessary if the remote host sends
		a 451 error if the domain of the sender does not resolve
		as is common in anti-spam configurations.  Problem noted
		by Mitchell Blank Jr of Exec-PC.
	New "discard" mailer for check_* rulesets and header checking
		rulesets.  If one of the above rulesets resolves to the
		$#discard mailer, the commands will be accepted but the
		message will be completely discarded after it is accepted.
		This means that even if only one of the recipients
		resolves to the $#discard mailer, none of the recipients
		will receive the mail.  Suggested by Brian Kantor.
	All but the last cloned envelope of a split envelope were queued
		instead of being delivered.  Problem noted by John Caruso
		of CNET: The Computer Network.
	Fix deadlock situation in persistent host status file locking.
	Syslog an error if a user forward file could not be read due to
		an error.  Patch from John Beck of Sun Microsystems.
	Use the first name returned on machine lookups when canonifying a
		hostname via NetInfo.  Patch from Timm Wetzel of GWDG.
	Clear the $&{client_addr}, $&{client_name}, and $&{client_port}
		macros when delivering a bounce message to prevent
		rejection by a check_compat ruleset which uses these macros.
		Problem noted by Jens Hamisch of AgiX Internetservices GmbH.
	If the check_relay ruleset resolves to the error mailer, the
		error in the $: portion of the resolved triplet is used
		in the rejection message given to the remote machine.
		Suggested by Scott Gifford of The Internet Ramp.
	Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros
		before calling the check_relay ruleset.  Suggested by Scott
		Gifford of The Internet Ramp.
	Sendmail would get a segmentation fault if a mailer exited with an
		exit code of 79.  Problem noted by Aaron Schrab of ExecPC
		Internet.  Fix from Christophe Wolfhugel of the Pasteur
	Separate snprintf/vsnprintf routines into separate file for use by
	Allow multiple map lookups on right hand side, e.g.,
		R$*	$( host $1 $) $| $( passwd $1 $).  Patch from
		Christophe Wolfhugel of the Pasteur Institute.
	Properly generate success DSN messages if requested for aliases
		which have owner- aliases.  Problem noted by Kari Hurtta
		of the Finnish Meteorological Institute.
	Properly display delayed-expansion macros ($&{macroname}) in
		address test mode (-bt).  Problem noted by Bryan Costales
		of InfoBeat, Inc.
	-qR could sometimes match names incorrectly.  Problem noted by
		Lutz Euler of Lavielle EDV Systemberatung GmbH & Co.
	Include a magic number and version in the StatusFile for the
		mailstats command.
	Record the number of rejected and discarded messages in the
		StatusFile for display by the mailstats command.  Patch
		from Randall Winchester of the University of Maryland.
	IDENT returns where the OSTYPE field equals "OTHER" now list the
		user portion as IDENT:username@site instead of
		username@site to differentiate the two.  Suggested by
		Kari Hurtta of the Finnish Meteorological Institute.
	Enforce timeout for LDAP queries.  Patch from Per Hedeland of
	Change persistent host status filename substitution so '/' is
		replaced by ':' instead of '|' to avoid clashes.  Also
		avoid clashes with hostnames with leading dots.  Fix from
		Mitchell Blank Jr. of Exec-PC.
	If the system lock table is full, only attempt to create a new
		queue entry five times before giving up.  Previously, it
		was attempted indefinitely which could cause the partition
		to run out of inodes.  Problem noted by Suzie Weigand of
		Stratus Computer, Inc.
	In verbose mode, warn if the sendmail.cf version is less than the
		currently supported version.
	Sorting for QueueSortOrder=host is now case insensitive.  Patch
		from Randall S. Winchester of the University of Maryland.
	Properly quote a full name passed via the -F command line option,
		the Full-Name: header, or the NAME environment variable if
		it contains characters which must be quoted.  Problem noted
		by Kari Hurtta of the Finnish Meteorological Institute.
	Avoid possible race condition that unlocked a mail job before
		releasing the transcript file on systems that use flock(2).
		In some cases, this might result in a "Transcript Unavailable"
		message in error bounces.
	Accept SMTP replies which contain only a reply code and no
		accompanying text.  Problem noted by Fernando Fraticelli of
		Digital Equipment Corporation.
		AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura
			of Kyoto University.
		AIX 4.2 requires <userpw.h> before <usersec.h>.  Patch from
			Randall S. Winchester of the University of
		AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS.
		CRAY T3E from Manu Mahonen of Center for Scientific Computing
			in Finland.
		Digital UNIX now uses statvfs for determining free
			disk space.  Patch from Randall S. Winchester of
			the University of Maryland.
		HP-UX 11.x from Richard Allen of Opin Kerfi HF and
			Regis McEwen of Progress Software Corporation.
		IRIX 64 bit fixes from Kari Hurtta of the Finnish
			Meteorological Institute.
		IRIX 6.2 configuration fix for mail.local from Michael Kyle
			of CIC/Advanced Computing Laboratory.
		IRIX 6.5 from Thomas H Jones II of SGI.
		IRIX 6.X load average code from Bob Mende of SGI.
		QNX from Glen McCready <glen@qnx.com>.
		SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links
			to sendmail.  Install with group bin instead of kmem
			as kmem does not exist.  From Guillermo Freige of
			Gobernacion de la Pcia de Buenos Aires and Paul
			Fischer of BTG, Inc.
		SunOS 4.X does not include memmove().  Patch from
			Per Hedeland of Ericsson.
		SunOS 5.7 includes getloadavg() function for determining
			load average.  Patch from John Beck of Sun
	CONFIG: Increment version number of config file.
	CONFIG: add DATABASE_MAP_TYPE to set the default type of database
		map for the various maps.  The default is hash.  Patch from
		Robert Harker of Harker Systems.
	CONFIG: new confEBINDIR m4 variable for defining the executable
		directory for certain programs.
	CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for
		local mail delivery.  By default, /usr/libexec/mail.local
		is used.  This is expected to be the mail.local shipped
		with 8.9 which is LMTP capable.  The path is based on the
		new confEBINDIR m4 variable.
	CONFIG: Use confEBINDIR in determining path to smrsh for
		FEATURE(smrsh).  Note that this changes the default from
		/usr/local/etc/smrsh to /usr/libexec/smrsh.  To obtain the
		old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh).
	CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to
		include $z/.forward.$w+$h and $z/.forward+$h which allow
		the user to set up different .forward files for
		user+detail addressing.
		and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage,
		DontProbeInterfaces, and DontBlameSendmail options.
	CONFIG: by default do not allow relaying (that is, accepting mail
		from outside your domain and sending it to another host
		outside your domain).
	CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from
		any site to any site.
	CONFIG: new FEATURE(relay_entire_domain) allows any host in your
		domain as defined by the 'm' class ($=m) to relay.
	CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on
		the MX records of the host portion of an incoming recipient.
	CONFIG: new FEATURE(access_db) which turns on the access database
		feature.  This database gives you the ability to allow
		or refuse to accept mail from specified domains for
		administrative reasons.  By default, names that are listed
		as "OK" in the access db are domain names, not host names.
	CONFIG: new confCR_FILE m4 variable for defining the name of the file
		used for class 'R'.  Defaults to /etc/mail/relay-domains.
	CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file)
		to add items to class 'R' ($=R) for hosts allowed to relay.
	CONFIG: new FEATURE(relay_hosts_only) to change the behavior
		of FEATURE(access_db) and class 'R' to look up individual
		host names only.
	CONFIG: new FEATURE(loose_relay_check).  Normally, if a recipient
		using % addressing is used, e.g.  user%site@othersite,
		and othersite is in class 'R', the check_rcpt ruleset
		will strip @othersite and recheck user@site for relaying.
		This feature changes that behavior.  It should not be
		needed for most installations.
	CONFIG: new FEATURE(relay_local_from) to allow relaying if the
		domain portion of the mail sender is a local host.  This
		should only be used if absolutely necessary as it opens
		a window for spammers.  Patch from Randall S. Winchester of
		the University of Maryland.
	CONFIG: new FEATURE(blacklist_recipients) turns on the ability to
		block incoming mail destined for certain recipient
		usernames, hostnames, or addresses.
	CONFIG: By default, MAIL FROM: commands in the SMTP session will be
		refused if the host part of the argument to MAIL FROM: cannot
		be located in the host name service (e.g., DNS).
	CONFIG: new FEATURE(accept_unresolvable_domains) accepts
		unresolvable hostnames in MAIL FROM: SMTP commands.
	CONFIG: new FEATURE(accept_unqualified_senders) accepts
		MAIL FROM: senders which do not include a domain.
	CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the
		Realtime Blackhole List.  You can specify the RBL name
		server to contact by specifying it as an optional argument.
		The default is rbl.maps.vix.com.  For details, see
	CONFIG: Call Local_check_relay, Local_check_mail, and
		Local_check_rcpt from check_relay, check_mail, and
		check_rcpt.  Users with local rulesets should place the
		rules using LOCAL_RULESETS.  If a Local_check_* ruleset
		returns $#OK, the message is accepted.  If the ruleset
		returns a mailer, the appropriate action is taken, else
		the return of the ruleset is ignored.
	CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by
		default to support file, :include:, and program deliveries.
	CONFIG: Remove the default for confDEF_USER_ID so the binary can
		pick the proper default value.  See the SECURITY note
		above for more information.
	CONFIG: FEATURE(nodns) now warns the user that the feature is a
		no-op.  Patch from Kari Hurtta of the Finnish
		Meteorological Institute.
	CONFIG: OSTYPE(osf1) now sets DefaultUserID (confDEF_USER_ID) to
		daemon since DEC's /bin/mail will drop the envelope
		sender if run as mailnull.  See the Digital UNIX section
		of src/README for more information.  Problem noted by
		Kari Hurtta of the Finnish Meteorological Institute.
	CONFIG: .cf files are now stored in the same directory with the
		.mc files instead of in the obj directory.
		setting SingleLineFromHeader, AllowBogusHELO, and
		MustQuoteChars respectively.
	MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout.  This
		SMTP-like protocol allows detailed reporting of delivery
		status on a per-user basis.  Code donated by John Myers of
		CMU (now of Netscape).
	MAIL.LOCAL: HP-UX support from Randall S. Winchester of the
		University of Maryland.  NOTE: mail.local is not 
		compatible with the stock HP-UX mail format.  Be sure to
		read mail.local/README.
	MAIL.LOCAL: Prevent other mail delivery agents from stealing a
		mailbox lock.  Patch from Randall S. Winchester of the
		University of Maryland.
	MAIL.LOCAL: glibc portability from John Kennedy of Cal State
		University, Chico.
	MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish
		Meteorological Institute.
	MAILSTATS: Display the number of rejected and discarded messages
		in the StatusFile.  Patch from Randall Winchester of the
		University of Maryland.
	MAKEMAP: New -s flag to ignore safety checks on database map files
		such as linked files in world writable directories.
	MAKEMAP: Add support for Berkeley DB 2.X.  Remove OLD_NEWDB support.
	PRALIASES: Add support for Berkeley DB 2.X.
	PRALIASES: Do not automatically include NDBM support.  Problem
		noted by Ralf Hildebrandt of the Technical University of
	RMAIL: Improve portability for other platforms.  Patches from
		Randall S. Winchester of the University of Maryland and
		Kari Hurtta of the Finnish Meteorological Institute.
	Changed Files:
		src/Makefiles/Makefile.* files have been modified to use
			the new build mechanism and are now BuildTools/OS/*.
		src/makesendmail changed to symbolic link to src/Build.
	New Files:
	Deleted Files:
		cf/cf/Makefile (replaced by Makefile.dist)
		src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2)
			(renamed BuildTools/OS/dcosx.1.x.NILE)
		src/Makefiles/Makefile.Utah (obsolete platform)
	Renamed Files:
		cf/cf/Makefile.dist => Makefile
		cf/cf/obj/* => cf/cf/*
		src/READ_ME => src/README

Copyright © Claus Aßmann Please send comments to: <ca@informatik.uni-kiel.de>