1. Patch SG0000332 Release Note

This release note describes patch SG0000332.

1.1 Supported Hardware Platforms

This patch contains bug fixes for all hardware platforms.

1.2 Supported Software Platforms

This patch contains bug fixes for all versions of IRIX 5.2, IRIX 5.3,
IRIX 6.0 and IRIX 6.0.1. The software cannot be installed on other
configurations.

1.3 Bugs Fixed by Patch SG0000332

This patch contains fixes for the following sendmail bugs. Bug numbers
from the Silicon Graphics bug tracking system are included for
reference.

   o Brings IRIX sendmail to the sendmail version 8.6.10 level of
     security. Fixes a problem with all previous versions of sendmail
     that allowed any user logged onto the system to use sendmail to
     read and/or delete any file on the system regardless of that
     file's permissions. This fix is new to all versions of IRIX
     sendmail.

   o This patch is a response to CERT advisory CA-94:12, a problem
     where sendmail can be subverted to allow root access to the
     system by any user. (bug #235405) Note that this fix was already
     in the default IRIX 5.3 sendmail binary.

1.4 Compatibility Notes/Changes

This patch contains all of the bug fixes contained in patchSG0000175
and therefore supersedes that patch. However, patchSG0000175 installed
more files than were actually necessary. If patchSG0000175 is currently
installed on your system, you must remove it (versions remove
patchSG0000175) before installing this patch.

1.5 Sendmail Changes

Please note that this patch installs a new /etc/sendmail.cf. It may be
installed as /etc/sendmail.cf.N if any modifications have been made to
the original file. As with all software, it is recommended that the
versions changed command be run after installing this patch.

Due to the nature of the original problem and the complexity of the
fix, this version of sendmail is vastly different from the default
IRIX 5.2, IRIX 6.0, or IRIX 6.0.1 version of sendmail. This is a
slight change over the IRIX 5.3 version of sendmail.
This version of sendmail is based upon sendmail version 8.6.10 from
Berkeley and incorporates many of the changes, new features, and
security enhancements available in the Berkeley release. This section
presents a summary of the changes between earlier IRIX sendmail and
this version of sendmail. For more complete sendmail documentation,
please see the book ``sendmail'' by Bryan Costales with Eric Allman
and Neil Rickert from O'Reilly & Associates, Inc., ISBN 1-56592-056-2.

   o Performance Enhancements

     - Instead of closing SMTP connections immediately, sendmail
       caches open connections for possible future use. There is a
       limit to the number of simultaneous open connections and the
       idle time of any individual connection. See the new `K' and
       `k' options below. This is of most help during queue
       processing (when there is the potential of many different
       messages going to one site), although it can also help when
       processing MX records which aren't handled by MX Piggybacking.

     - If two hosts with different names in a single message happen
       to have the same set of MX hosts, they will be sent in the same
       transaction. For example, if two sites ``foo.com'' and
       ``bar.com'' are both served by UUNET, they will have the same
       set of MX hosts and will be sent in one transaction. UUNET will
       then split the message and send it to the two individual hosts.

   o RFC 1123 Changes

     A number of changes have been made to make sendmail
     ``conditionally compliant'' (that is, it satisfies all of the
     MUST clauses and most but not all of the SHOULD clauses in RFC
     1123). The major areas of change are (numbers are RFC 1123
     section numbers):

     5.2.7   Response to RCPT command is fast. Previously, sendmail
             expanded all aliases as far as it could. This could take
             a very long time, particularly if there were name server
             delays. This version of sendmail only checks for the
             existence of an alias and does the expansion later.
             It does still do a DNS lookup if there is an explicit
             host name in the RCPT command, but this time is bounded.

     5.2.8   Numeric IP addresses are logged in Received: lines. This
             helps tracing spoofed messages.

     5.2.17  Self domain literal is properly handled. Previously, if
             someone sent to user@[1.2.3.4], where 1.2.3.4 is your IP
             address, the mail would probably be rejected with a
             ``configuration error''. This version of sendmail can
             handle these addresses.

     5.3.2   Better control over individual timeouts. RFC 821
             specified no timeouts. Older versions of IRIX sendmail
             had a single timeout, typically set to two hours. This
             version of sendmail allows the configuration file to set
             timeouts for various SMTP commands individually.

     5.3.3   Error messages are sent as From:<>. This was urged by
             RFC 821 and reiterated by RFC 1123, but older versions of
             IRIX sendmail never really did it properly. This version
             of sendmail does. However, some systems cannot handle
             this perfectly legal address; if necessary, you can
             create a special mailer that uses the `g' flag to disable
             this.

     5.3.3   Error messages are never sent to <>. Previously, sendmail
             was happy to send responses-to-responses which sometimes
             resulted in responses-to-responses-to-responses which
             resulted in .... you get the idea.

     5.3.3   Route-addrs (the cumbersome ``<@hosta,@hostb:user@hostc>''
             syntax) are pruned. RFC 821 urged the use of this syntax.
             RFC 1123 has seen the light and officially deprecates
             them, further urging that you eliminate all but
             ``user@hostc'' should you receive one of these things.
             This version of sendmail is slightly more generous than
             the standards suggest; instead of stripping off all the
             route addresses, it strips only the hosts ahead of the
             last one known to DNS, thus allowing you to have
             pseudo-hosts such as foo.BITNET. The `R' option (see
             below) will turn this off.

     The areas in which sendmail is not ``unconditionally compliant''
     are:

     5.2.6   Sendmail does do header munging.
     5.2.10  Sendmail doesn't always use the exact SMTP message text
             from RFC 821. This is a rather silly requirement.

     5.3.1.1 Sendmail doesn't guarantee only one connect for each
             host on queue runs. Connection caching gives you most of
             this, but it does not provide a guarantee.

     5.3.1.1 Sendmail doesn't always provide an adequate limit on
             concurrency. That is, there can be several independent
             sendmails running at once.

   o Extended SMTP Support

     This version of sendmail includes both sending and receiving
     support for Extended SMTP as defined by RFC 1425 (basic) and RFC
     1427 (SIZE), and limited support for RFC 1426 (BODY). The body
     support is minimal because the ``8BITMIME'' body type is not
     currently advertised. Although such a body type will be
     accepted, it will not be correctly converted to 7 bits if
     speaking to a non-8-bit-MIME aware SMTP server.

     Sendmail tries to speak ESMTP if you have the `a' flag set in
     the flags for the mailer descriptor, or if the other end
     advertises the fact that it speaks ESMTP. This is a non-standard
     advertisement: sendmail announces ``ESMTP spoken here'' during
     the initial connection message, and client sendmails search for
     this message. This may create problems for some PC-based
     mailers, which do not understand two-line greeting messages as
     required by RFC 821.

   o Eight-Bit Clean

     Previous versions of IRIX sendmail used the `8' option to set
     ``eight-bit clean'' mode. This version of sendmail runs in
     ``eight-bit clean'' mode by default and the `8' option is no
     longer available. However, you can set the `7' option to get
     seven bit stripping for compatibility with RFC 821, which is a
     7-bit protocol. This option says ``strip to 7 bits on input''.
     Individual mailers can still produce seven bit output using the
     `7' mailer flag. This flag says ``strip to 7 bits on output''.

   o Keyed Files

     Generalized keyed files are an idea taken directly from IDA
     sendmail (albeit with a completely different implementation).
     They can be useful for large sites. Note that previous versions
     of IRIX sendmail supported the IDA lookup syntax. Since the IDA
     lookup syntax is incompatible with the generalized keyed file
     lookup syntax, the support for IDA syntax has been dropped in
     favor of the more powerful alternative.

     This version of sendmail includes the following built-in map
     classes:

     dbm      Support for the ndbm(3) library.

     nis      Support for NIS (a.k.a. YP) maps. NIS+ is not supported
              in this version.

     host     Support for DNS lookups.

     dequote  A ``pseudo-map'' (that is, one that does not have any
              external data) that allows a configuration file to
              break apart a quoted string in the address. This is
              primarily useful for DECnet addresses, which often have
              quoted addresses that need to be unwrapped on gateways.

   o Separate Envelope/Header Processing

     Since the From: line is passed in separately from the envelope
     sender, these have both been made visible; the $g macro is set to
     the envelope sender during processing of mailer argument vectors
     and the header sender during processing of headers. It is also
     possible to specify separate per-mailer envelope and header
     processing. The SenderRWSet and RecipientRWset arguments for
     mailers can be specified as ``envelope/header'' to give different
     rewritings for envelope versus header addresses.

   o Owner-List Propagates to Envelope

     When an alias has an associated "owner-" alias, the "owner-"
     alias is used to change the envelope sender (SMTP MAIL FROM:)
     address as required by RFC 1123, section 5.3.6. This will cause
     downstream errors to be returned to the alias owner rather than
     to the message originator. Some people find this confusing
     because the envelope sender is what appears in the first
     ``From_'' line in UNIX messages (that is, the line beginning
     ``From'' instead of ``From:''; the latter is the header from,
     which does indicate the sender of the message).
     In previous versions, sendmail has tried to avoid changing the
     envelope sender for backward compatibility with UNIX convention;
     at this point that backward compatibility is creating too many
     problems, and it is necessary to move forward into the 1980s. It
     is understood that some users will desire continued backward
     compatibility and that some mail reader programs erroneously use
     the address in the ``From_'' line for replies. Users who desire
     continued backward compatibility can set the new `G' mailer flag
     (see below), although use of this flag is discouraged.

   o Command Line Flags

     - The -B flag has been added to pass in body type information.

     - The -p flag has been added to pass in protocol information that
       was previously passed in by defining the $r and $s macros.

     - The -X flag has been added to allow logging of all protocol in
       and out of sendmail for debugging. You can set ``-X filename''
       and a complete transcript will be logged in that file. This
       gets big fast: the option is only for debugging.

     - The -q flag can limit a queue run to specific recipients,
       senders, or queue ids using -qRsubstring, -qSsubstring, or
       -qIsubstring respectively.

   o New Configuration Line Types

     - The `T' (Trusted users) configuration line has been deleted. It
       will still be accepted but will be ignored.

     - The `K' line has been added to declare database maps.

     - The `V' line has been added to declare the configuration
       version level.

     - The `M' (mailer) line takes a D= field to specify execution
       directory.

   o New and Modified Options

     Several new options have been added, many to support new
     features, others to allow tuning that was previously available
     only by recompiling. Some old options have been extended or
     modified. Briefly:

     A   The alias file specification can now be a list of alias
         files. Also, the configuration can specify a class of file
         (see ``Keyed Files'' above).
         For example, to search the NIS aliases, use

             OAnis:mail.aliases

         Note that for backward compatibility, this version of
         sendmail also supports the special ``+:+'' alias in the
         local aliases file (/etc/aliases). This special alias directs
         sendmail to search the NIS aliases database if a match cannot
         be found in the local aliases file.

     b   Insist on a minimum number of disk blocks.

     C   Delivery checkpoint interval. Checkpoint the queue (to avoid
         duplicate deliveries) every C addresses.

     E   Default error message. This message (or the contents of the
         indicated file) is prepended to error messages.

     G   Enable GECOS matching. If you can't find a local user name
         and this option is enabled, do a sequential scan of the
         passwd file to match against full names. Previously a
         compile option.

     h   Maximum hop count. Previously this was compiled in.

     I   This option has been extended to allow setting of resolver
         parameters.

     j   Send errors in MIME-encapsulated format.

     J   Forward file path. Where to search for .forward files
         (defaults to $HOME/.forward).

     k   Connection cache size. The total number of connections that
         will be kept open at any time.

     K   Connection cache lifetime. The amount of time any connection
         will be permitted to sit idle. Note that in previous versions
         of IRIX sendmail, the `K' option was used to define an IDA
         database. The IDA syntax is no longer supported. See ``Keyed
         Files'' above.

     l   Enable Errors-To: header. These headers violate RFC 1123;
         this option is included to provide back compatibility with
         old versions of sendmail.

     L   Sendmail log level. The type of information logged by each of
         the various log levels has changed somewhat from previous
         releases. For example, message collection information
         (sender, received-from, etc.) used to be logged by level 2.
         That same information now requires a log level of at least
         5. Briefly, the kind of information now logged at the various
         levels is as follows:

         0   No logging.
         1   Serious system failures and potential security problems.
         2   Network problems and protocol failures.
         3   Forwarding and received message errors.
         4   Minor errors.
         5   Received messages/message collection stats.
         6   Creation of error messages, VRFY and EXPN commands.
         7   Message delivery failures.
         8   Successful deliveries.
         9   Messages being deferred (due to a host being down, etc.).
         10  Alias/forward expansion.
         12  Connecting hosts.
         20  Attempts to run locked queue files.

     O   Incoming daemon options (for example, use alternate SMTP
         port).

     p   Privacy options. These can be used to make your SMTP server
         less friendly.

     r   This option has been extended to allow finer grained control
         over timeouts. For example, you can set the timeout for SMTP
         commands individually.

     R   Don't prune route-addrs. Normally, if version 8 sees an
         address like ``<@hostA,@hostB:user@hostC>'', sendmail will
         try to strip off as much as it can (up to user@hostC) as
         suggested by RFC 1123. This option disables that behavior.

     T   The ``Return To Sender'' timeout has been extended to allow
         specification of a warning message interval, typically
         something on the order of four hours. If a message cannot be
         delivered in that interval, a warning message is sent back to
         the sender but the message continues to be tried.

     U   User database spec. This is still experimental.

     V   Fallback ``MX'' host. This can be thought of as an MX host
         that applies to all addresses and has a very high preference
         value (that is, use it only if everything else fails).

     w   If set, assume that if you are the best MX host for a host,
         you should send directly to that host. This is intended for
         compatibility with UIUC sendmail, and may have some use on
         firewalls. In this version of sendmail, this option is set by
         default.

     7   Do not run eight bit clean. Technically, you have to assert
         this option to be RFC 821 compatible.

   o New Mailer Definitions

     L=   Set the allowable line length. In V5, the L mailer flag
          implied a line length limit of 990 characters; this is now
          settable to an arbitrary value.
     F=a  Try to use ESMTP. It will fall back to SMTP if the initial
          EHLO packet is rejected.

     F=b  Ensure a blank line at the end of messages. Useful on the
          *file* mailer.

     F=c  Strip all comments from addresses; this should only be used
          as a last resort when dealing with cranky mailers.

     F=g  Never use the null sender as the envelope sender, even when
          running SMTP. This violates RFC 1123.

     F=G  Force the $g macro to equal the header from (From:) address
          when expanding the $l macro (UNIX From_ line format). This
          provides backward compatibility for mail programs that
          expect to use the From_ line address for replies. This
          behavior violates RFC 1123 and use of this flag is therefore
          discouraged.

     F=7  Strip all output to this mailer to 7 bits.

     F=L  Used to set the line limit to 990 bytes for SMTP
          compatibility. It now does that only if the L= keyletter is
          not specified. This flag is obsolete and should not be used.

   o New or Changed Pre-Defined Macros

     $k   UUCP node name from uname(2).

     $m   Domain part of our full hostname.

     $_   RFC 1413-provided sender address.

     $w   Previously was sometimes the full domain name, sometimes
          just the first word. Now guaranteed to be the first word of
          the domain name (i.e., the host name).

     $j   Previously had to be defined; it is now predefined to be the
          full domain name, if that can be determined. That is, it is
          equivalent to $w.$m.

   o New and Changed Classes

     $=k  Initialized to contain $k.

     $=w  Now includes ``[1.2.3.4]'' (where 1.2.3.4 is your IP
          address) to allow the configuration file to recognize your
          own IP address.

   o New Rewriting Tokens

     The $& construct has been adopted from IDA to defer macro
     evaluation. Normally, macros in rulesets are bound when the rule
     is first parsed during startup. Some macros change during
     processing and are uninteresting during startup. Such a macro
     can be referenced using ``$&x'' to defer the evaluation of $x
     until the rule is processed.

     The tokens $( and $) are used for generalized keyed file map
     lookups.
     Note that in previous releases of IRIX sendmail, these tokens
     were used for IDA-style lookups, but the IDA syntax and
     implementation have been abandoned in favor of the more powerful
     generalized keyed file implementation. See ``Keyed Files'' above.

     This version of sendmail allows $@ on the Left Hand Side of an
     `R' line to match zero tokens. This is intended to be used to
     match the null input.

   o Bigger Defaults

     - The total number of MX records that can be used has been
       raised to 20.

     - The number of queued messages that can be handled at one time
       has been raised from 600 to 1000.

   o Different Default Tuning Parameters

     This version of sendmail has changed the default parameters for
     tuning queue costs to make the number of recipients more
     important than the size of the message (for small messages). This
     is reasonable if you are connected with reasonably fast links.

   o Auto-Quoting in Addresses

     Previously, the ``Full Name <address>'' syntax would generate
     incorrect protocol output if ``Full Name'' had special characters
     such as dot. This version puts quotes around such names.

   o Symbolic Names On Error Mailer

     Several names have been built in to the $@ portion of the
     $#error mailer. For example:

         $#error $@NOHOST $: Host unknown

     prints the indicated message and sets the exit status of sendmail
     to EX_NOHOST.

   o New Built-In Mailers

     Two new mailers, *file* and *include*, are included to define
     options when mailing to a file or a :include: file respectively.
     Previously these were overloaded on the local mailer.

   o SMTP VRFY Doesn't Expand

     Previous versions of sendmail treated VRFY and EXPN the same. In
     this version, VRFY doesn't expand aliases or follow .forward
     files. As an optimization, if you run with your default delivery
     mode being queue-only, the RCPT command will also not chase
     aliases and .forward files. It will chase them when it processes
     the queue. This speeds up RCPT processing.
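The following Python program is an added example, not sendmail's own
code, illustrating two of the address behaviours described in these
notes: the RFC 1123 section 5.3.3 route-addr pruning (including the
relaxation that keeps the last route host known to DNS, and the `R'
option that turns pruning off) and the auto-quoting of ``Full Name''
display names that contain special characters. The DNS lookup is
replaced by a caller-supplied set of known host names, and every host
name and address in it is constructed for the example.

```python
"""Added example, not sendmail's own code: route-addr pruning per RFC 1123
section 5.3.3 (keeping pseudo-hosts whose last relay is known to DNS) and
auto-quoting of display names. DNS is replaced by a caller-supplied set of
known host names; all names below are constructed for the example."""

import re

# RFC 822 "specials": a display name containing any of these must be quoted
# or a receiving parser will read it as address structure instead of text.
SPECIALS = set('()<>@,;:\\".[]')


def quote_display_name(name: str) -> str:
    """Quote a display name only when it contains a special character;
    backslashes and double quotes inside it are escaped."""
    if not any(c in SPECIALS for c in name):
        return name
    escaped = name.replace('\\', '\\\\').replace('"', '\\"')
    return f'"{escaped}"'


def format_mailbox(name: str, address: str) -> str:
    """Render ``Full Name <address>'' with the name quoted as needed."""
    return f'{quote_display_name(name)} <{address}>'


# <@hostA,@hostB:user@hostC>: group 1 is the route, group 2 the final address.
ROUTE_ADDR = re.compile(r'^<(@[^:>]+):([^<>]+)>$')


def prune_route_addr(addr: str, known_hosts, prune: bool = True) -> str:
    """Prune a route-addr the way the notes describe.

    Working back from the final destination through the route, the first
    host present in known_hosts (our stand-in for a DNS lookup) becomes the
    start of the kept route and every hop before it is dropped. If the
    destination itself is known the whole route goes and plain user@hostC
    remains; an unknown destination such as foo.BITNET keeps its last known
    relay. prune=False models the `R' option. Anything that is not a
    route-addr is returned unchanged."""
    m = ROUTE_ADDR.match(addr)
    if m is None or not prune:
        return addr
    hops = [h.lstrip('@') for h in m.group(1).split(',')]
    final = m.group(2)
    _, _, dest = final.rpartition('@')
    if dest in known_hosts:
        return final
    for i in range(len(hops) - 1, -1, -1):
        if hops[i] in known_hosts:
            kept = ','.join('@' + h for h in hops[i:])
            return f'<{kept}:{final}>'
    return addr


if __name__ == '__main__':
    dns = {'relay1.example', 'relay2.example', 'host.example'}
    print(prune_route_addr('<@relay1.example,@relay2.example:user@host.example>', dns))
    print(prune_route_addr('<@relay1.example,@relay2.example:user@foo.BITNET>', dns))
    print(format_mailbox('John Q. Public', 'jqp@host.example'))
```

With a real resolver the known_hosts set would be replaced by the MX or
address lookup sendmail performs for each hop; the decision logic stays
the same.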
   o [IPC] Mailers Allow Multiple Hosts

     When an address resolves to a mailer that has ``[IPC]'' as its
     ``Path'', the $@ part (host name) can be a colon-separated list
     of hosts instead of a single hostname. This asks sendmail to
     search the list for the first entry that is available exactly as
     though it were an MX record. The intent is to route internal
     traffic through internal networks without publishing an MX record
     to the net. MX expansion is still done on the individual items.

   o Aliases Extended

     The implementation has been merged with maps. Among other things,
     this supports multiple alias files and NIS-based aliases. For
     example:

         OA/etc/aliases,nis:mail.aliases

     will search first the local database ``/etc/aliases'' followed by
     the NIS map ``mail.aliases''.

   o Portability and Security Enhancements

     A number of internal changes have been made to enhance
     portability. Several fixes have been made to increase the
     paranoia factor. In particular, the permissions required for
     .forward and :include: files have been tightened up
     considerably. V5 would pretty much read any file it could get to
     as root, which exposed some security holes. V8 insists that all
     directories leading up to the .forward or :include: file be
     searchable (``x'' permission) by the ``controlling user''
     (defined below), that the file itself be readable by the
     controlling user, and that .forward files be owned by the user
     who is being forwarded to or root.

     The ``controlling user'' is the user on whose behalf the mail is
     being delivered. For example, if you mail to ``user1'' then user1
     is the controlling user for ~user1/.forward and any mailers
     invoked by that .forward file, including :include: files.

     Previously, anyone who had a home directory could create a
     .forward that forwarded to a program. Now, sendmail checks to
     make sure that they have an ``approved shell,'' that is, a shell
     listed in the /etc/shells file.
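The following Python program is an added example, not sendmail's own
code, that applies the V8 rules just described for .forward and
:include: files: every directory leading to the file must be searchable
by the controlling user, the file must be readable by that user, a
.forward must be owned by the forwarded-to user or root, and a .forward
that delivers to a program is honoured only if the user's login shell
appears in /etc/shells. It works on an in-memory model of the file
system so it runs without root; all paths, users, uids and shells in it
are constructed, and the /home/<name> home directory layout is an
assumption of the example.

```python
"""Added example, not sendmail's own code: the V8 .forward and :include:
safety rules applied to an in-memory model of the file system. Every path,
user, uid and shell here is constructed; /home/<name> as the home directory
is an assumption of the example."""

from dataclasses import dataclass

ROOT_UID = 0


@dataclass
class Entry:
    """One file or directory: permission bits (e.g. 0o755), owner, group."""
    mode: int
    uid: int
    gid: int
    is_dir: bool = False
    content: str = ""      # file body; ignored for directories


@dataclass
class User:
    name: str
    uid: int
    gids: frozenset
    shell: str


def permits(entry: Entry, user: User, want: str) -> bool:
    """Unix permission check for want in {'r', 'x'}: root can read any file
    and search any directory; everyone else gets owner/group/other bits."""
    if user.uid == ROOT_UID:
        return True
    if entry.uid == user.uid:
        shift = 6
    elif entry.gid in user.gids:
        shift = 3
    else:
        shift = 0
    bit = 4 if want == 'r' else 1
    return bool((entry.mode >> shift) & bit)


def parents(path: str):
    """Every directory leading to path, root first: '/', '/home', ..."""
    yield '/'
    cur = ''
    for part in path.split('/')[1:-1]:
        cur += '/' + part
        yield cur


def check_file(fs, path, controlling: User, owner_must_be: User = None):
    """Return (ok, reason) for reading path on behalf of the controlling
    user: each leading directory must be searchable and the file readable
    by that user. For a .forward pass owner_must_be (the file must belong
    to that user or to root); for a :include: file pass None."""
    for d in parents(path):
        if d not in fs or not fs[d].is_dir:
            return False, f"{d}: not a directory"
        if not permits(fs[d], controlling, 'x'):
            return False, f"{d}: not searchable by {controlling.name}"
    entry = fs.get(path)
    if entry is None or entry.is_dir:
        return False, f"{path}: no such file"
    if not permits(entry, controlling, 'r'):
        return False, f"{path}: not readable by {controlling.name}"
    if owner_must_be is not None and entry.uid not in (owner_must_be.uid, ROOT_UID):
        return False, f"{path}: owned by uid {entry.uid}, not {owner_must_be.name} or root"
    return True, "ok"


def check_forward(fs, user: User, shells):
    """Apply the .forward rules for user, who is also the controlling user.
    A program delivery line ('|cmd', possibly quoted) is honoured only when
    the user's login shell is listed in /etc/shells (the shells set)."""
    path = f"/home/{user.name}/.forward"
    ok, reason = check_file(fs, path, user, owner_must_be=user)
    if not ok:
        return ok, reason
    for line in fs[path].content.splitlines():
        line = line.strip().strip('"')
        if line.startswith('|') and user.shell not in shells:
            return False, f"{path}: program delivery, but {user.shell} is not in /etc/shells"
    return True, "ok"


# Constructed fixture: an /etc/shells list, users, and a small tree.
SHELLS = {"/bin/sh", "/bin/csh"}
ROOT = User("root", 0, frozenset({0}), "/bin/sh")
ALICE = User("alice", 1001, frozenset({100}), "/bin/sh")
BOB = User("bob", 1002, frozenset({100}), "/bin/false")      # shell not approved
CAROL = User("carol", 1003, frozenset({100}), "/bin/csh")


def sample_fs():
    return {
        "/": Entry(0o755, 0, 0, is_dir=True),
        "/home": Entry(0o755, 0, 0, is_dir=True),
        "/home/alice": Entry(0o700, 1001, 100, is_dir=True),
        "/home/alice/.forward": Entry(0o644, 1001, 100, content='"|/usr/bin/vacation alice"\n'),
        "/home/bob": Entry(0o755, 1002, 100, is_dir=True),
        "/home/bob/.forward": Entry(0o644, 1002, 100, content="|/usr/local/bin/filter\n"),
        "/home/carol": Entry(0o755, 1003, 100, is_dir=True),
        # carol's .forward is owned by bob (uid 1002): rejected by the ownership rule
        "/home/carol/.forward": Entry(0o644, 1002, 100, content="carol@host.example\n"),
        "/var": Entry(0o755, 0, 0, is_dir=True),
        "/var/lists": Entry(0o700, 0, 0, is_dir=True),   # not searchable by ordinary users
        "/var/lists/staff": Entry(0o644, 0, 0, content="alice\nbob\n"),
    }
```

The same logic applied to a live system would take its Entry values from
stat(2) on each path component; the point of the model is that the
decision depends only on the mode, owner and group of every component,
never on what root alone could read.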
   o Miscellaneous Fixes and Enhancements

     A number of small bugs having to do with things like
     backslash-escaped quotes inside of comments have been fixed.

     The fixed size limit on header lines (such as ``To:'' and
     ``Cc:'') has been eliminated; those buffers are dynamically
     allocated now.

     Sendmail writes a /etc/sendmail.pid file with the current process
     ID and the current invocation flags.

     Two people using the same program (for example, submit) are
     considered ``different'' so that duplicate elimination doesn't
     delete one of them. For example, two people forwarding their
     email to |submit will be treated as two recipients.

     Many minor bugs have been fixed, such as handling of backslashes
     inside of quotes.

     A hook has been added to allow rewriting of local addresses after
     aliasing.

1.6 Subsystems Included in Patch SG0000332

This patch release includes these subsystems:

   o patchSG0000332.eoe1_man
   o patchSG0000332.eoe1_sw

1.7 Installation Instructions

Because you want to install patches for only the problems you have
encountered, patch software is not installed by default. After reading
the descriptions of the bugs fixed in this patch, determine the
patches that meet your specific needs.

Patch software is installed like any other Silicon Graphics software
product. It must be installed from the miniroot. Follow the
instructions in your IRIS Software Installation Guide to bring up the
miniroot form of the software installation tools.

Follow these steps to select a patch for installation:

   1. At the Inst> prompt, type

          install patchSGxxxxxxx

      where xxxxxxx is the patch number.

   2. Select the desired patches for installation.

   3. Initiate the installation sequence. Type

          Inst> go

   4. You may find that two patches have been marked as incompatible.
      If this occurs, you must deselect one of the patches.

          Inst> keep patchSGxxxxxxx

      where xxxxxxx is the patch number.

   5. After completing the installation process, exit the inst
      program by typing

          Inst> quit

To remove a patch, use the versions remove command as you would for
any other software subsystem. The removal process reinstates the
original version of software unless you have specifically removed the
patch history from your system.

      versions remove patchSGxxxxxxx

where xxxxxxx is the patch number.

To keep a patch but increase your disk space, use the versions
removehist command to remove the patch history.

      versions removehist patchSGxxxxxxx

where xxxxxxx is the patch number.