diff --git a/SOURCES/sendmail-8.14.7-add-ec-support.patch b/SOURCES/sendmail-8.14.7-add-ec-support.patch
new file mode 100644
index 0000000..6de9851
--- /dev/null
+++ b/SOURCES/sendmail-8.14.7-add-ec-support.patch
@@ -0,0 +1,32 @@
+diff --git a/sendmail/tls.c b/sendmail/tls.c
+index 60d408e..72da987 100644
+--- a/sendmail/tls.c
++++ b/sendmail/tls.c
+@@ -970,6 +970,9 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
+ /* Diffie-Hellman initialization */
+ if (bitset(TLS_I_TRY_DH, req))
+ {
++#if _FFR_TLS_EC
++ EC_KEY *ecdh;
++#endif /* _FFR_TLS_EC */
+ if (bitset(TLS_S_DHPAR_OK, status))
+ {
+ BIO *bio;
+@@ -1044,6 +1047,17 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
+ who, 8 * DH_size(dh), *dhparam);
+ DH_free(dh);
+ }
++
++#if _FFR_TLS_EC
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++ if (ecdh != NULL)
++ {
++ SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif /* _FFR_TLS_EC */
++
+ }
+ # endif /* !NO_DH */
+
diff --git a/SOURCES/sendmail-8.14.7-client-port.patch b/SOURCES/sendmail-8.14.7-client-port.patch
new file mode 100644
index 0000000..6f3f3f9
--- /dev/null
+++ b/SOURCES/sendmail-8.14.7-client-port.patch
@@ -0,0 +1,20 @@
+diff --git a/sendmail/main.c b/sendmail/main.c
+index 021262c..7769148 100644
+--- a/sendmail/main.c
++++ b/sendmail/main.c
+@@ -2620,13 +2620,13 @@ main(argc, argv, envp)
+ #if NETINET
+ case AF_INET:
+ (void) sm_snprintf(pbuf, sizeof(pbuf), "%d",
+- RealHostAddr.sin.sin_port);
++ ntohs(RealHostAddr.sin.sin_port));
+ break;
+ #endif /* NETINET */
+ #if NETINET6
+ case AF_INET6:
+ (void) sm_snprintf(pbuf, sizeof(pbuf), "%d",
+- RealHostAddr.sin6.sin6_port);
++ ntohs(RealHostAddr.sin6.sin6_port));
+ break;
+ #endif /* NETINET6 */
+ default:
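Review bot: In the second hunk of the embedded tls.c patch the result of `SSL_CTX_set_tmp_ecdh(*ctx, ecdh)` is discarded and a NULL return from `EC_KEY_new_by_curve_name()` is skipped without any message, so a server where ECDH setup fails keeps running with no sign that the EC key-exchange suites are unavailable. I would test the call, `if (SSL_CTX_set_tmp_ecdh(*ctx, ecdh) != 1)`, and report the failure through sendmail's usual syslog path, with the same message for the NULL case. The block also sits inside `if (bitset(TLS_I_TRY_DH, req))` and above `# endif /* !NO_DH */`, so ECDH appears to depend on the DH request bit and on a build without NO_DH; a one-line comment stating that this coupling is intended would help. inittls() starts and ends outside both hunks.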
diff --git a/SOURCES/sendmail-8.14.7-ipv6-mx-cname-fix.patch b/SOURCES/sendmail-8.14.7-ipv6-mx-cname-fix.patch
new file mode 100644
index 0000000..47ce904
--- /dev/null
+++ b/SOURCES/sendmail-8.14.7-ipv6-mx-cname-fix.patch
@@ -0,0 +1,88 @@
+--- sendmail-8.14.7/sendmail/conf.c.orig 2015-12-30 14:24:10.000000000 -0800
++++ sendmail-8.14.7/sendmail/conf.c 2015-12-30 14:30:32.000000000 -0800
+@@ -4234,7 +4234,18 @@
+ h = gethostbyname(name);
+ if (!resv6)
+ _res.options &= ~RES_USE_INET6;
+- *err = h_errno;
++
++ /* the function is supposed to return only the requested family */
++ if (h != NULL && h->h_addrtype != family)
++ {
++# if NETINET6
++ freehostent(h);
++# endif /* NETINET6 */
++ h = NULL;
++ *err = NO_DATA;
++ }
++ else
++ *err = h_errno;
+ return h;
+ }
+
+@@ -4363,6 +4374,17 @@
+ }
+ }
+ #endif /* (SOLARIS > 10000 && SOLARIS < 20400) || (defined(SOLARIS) && SOLARIS < 204) || (defined(sony_news) && defined(__svr4)) */
++
++ /* the function is supposed to return only the requested family */
++ if (h != NULL && h->h_addrtype != family)
++ {
++# if NETINET6
++ freehostent(h);
++# endif /* NETINET6 */
++ h = NULL;
++ SM_SET_H_ERRNO(NO_DATA);
++ }
++
+ if (tTd(61, 10))
+ {
+ if (h == NULL)
+@@ -4372,13 +4394,12 @@
+ sm_dprintf("%s\n", h->h_name);
+ if (tTd(61, 11))
+ {
++ struct in_addr ia;
++ size_t i;
+ #if NETINET6
+ struct in6_addr ia6;
+ char buf6[INET6_ADDRSTRLEN];
+-#else /* NETINET6 */
+- struct in_addr ia;
+ #endif /* NETINET6 */
+- size_t i;
+
+ if (h->h_aliases != NULL)
+ for (i = 0; h->h_aliases[i] != NULL;
+@@ -4389,16 +4410,23 @@
+ {
+ char *addr;
+
++ addr = NULL;
+ #if NETINET6
+- memmove(&ia6, h->h_addr_list[i],
+- IN6ADDRSZ);
+- addr = anynet_ntop(&ia6,
+- buf6, sizeof(buf6));
+-#else /* NETINET6 */
+- memmove(&ia, h->h_addr_list[i],
+- INADDRSZ);
+- addr = (char *) inet_ntoa(ia);
++ if (h->h_addrtype == AF_INET6)
++ {
++ memmove(&ia6, h->h_addr_list[i],
++ IN6ADDRSZ);
++ addr = anynet_ntop(&ia6,
++ buf6, sizeof(buf6));
++ }
++ else
+ #endif /* NETINET6 */
++ /* "else" in #if code above */
++ {
++ memmove(&ia, h->h_addr_list[i],
++ INADDRSZ);
++ addr = (char *) inet_ntoa(ia);
++ }
+ if (addr != NULL)
+ sm_dprintf("\taddr: %s\n", addr);
+ }
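Review bot: In the first conf.c hunk `freehostent(h)` is applied to a pointer obtained from `gethostbyname(name)` at the top of the same hunk, and gethostbyname() normally hands back library-owned static storage rather than an allocation. That is safe only if `freehostent` in this code path is a local no-op and not the libc routine; the hunk does not show which, so it should be confirmed, and a comment such as `/* h comes from gethostbyname(); freehostent() must be the stub here */` would record the assumption. The second hunk repeats the family check after a lookup that lies outside the hunk, so the same question applies to whichever call produced h there. Both enclosing functions start outside the hunks.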
diff --git a/SOURCES/sendmail-8.14.7-tls11-12-config-options.patch b/SOURCES/sendmail-8.14.7-tls11-12-config-options.patch new file mode 100644 index 0000000..6cdbc2f --- /dev/null +++ b/SOURCES/sendmail-8.14.7-tls11-12-config-options.patch @@ -0,0 +1,17 @@ +diff --git a/sendmail/readcf.c b/sendmail/readcf.c +index b749e1f..140f4b0 100644 +--- a/sendmail/readcf.c ++++ b/sendmail/readcf.c +@@ -2374,6 +2374,12 @@ static struct ssl_options + #ifdef SSL_OP_NO_TLSv1 + { "SSL_OP_NO_TLSv1", SSL_OP_NO_TLSv1 }, + #endif ++#ifdef SSL_OP_NO_TLSv1_1 ++ { "SSL_OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1 }, ++#endif /* SSL_OP_NO_TLSv1_1 */ ++#ifdef SSL_OP_NO_TLSv1_2 ++ { "SSL_OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2 }, ++#endif /* SSL_OP_NO_TLSv1_2 */ + #ifdef SSL_OP_PKCS1_CHECK_1 + { "SSL_OP_PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 }, + #endif diff --git a/SOURCES/sendmail.nm-dispatcher b/SOURCES/sendmail.nm-dispatcher index 3922a4f..b3122e5 100644 --- a/SOURCES/sendmail.nm-dispatcher +++ b/SOURCES/sendmail.nm-dispatcher @@ -2,6 +2,6 @@ case "$2" in up|down|vpn-up|vpn-down) - /bin/systemctl try-restart sendmail.service || : + /bin/systemctl --no-block try-restart sendmail.service || : ;; esac diff --git a/SOURCES/sendmail.service b/SOURCES/sendmail.service index 1926882..4181a32 100644 --- a/SOURCES/sendmail.service +++ b/SOURCES/sendmail.service @@ -6,6 +6,7 @@ Wants=sm-client.service [Service] Type=forking +StartLimitInterval=0 PIDFile=/run/sendmail.pid Environment=SENDMAIL_OPTS=-q1h EnvironmentFile=-/etc/sysconfig/sendmail diff --git a/SOURCES/sm-client.service b/SOURCES/sm-client.service index df66425..c2f7bf7 100644 --- a/SOURCES/sm-client.service +++ b/SOURCES/sm-client.service @@ -6,6 +6,7 @@ BindTo=sendmail.service [Service] Type=forking +StartLimitInterval=0 PIDFile=/run/sm-client.pid Environment=SENDMAIL_OPTS=-q1h EnvironmentFile=-/etc/sysconfig/sendmail diff --git a/SPECS/sendmail.spec b/SPECS/sendmail.spec index 9b9fd05..0b2e194 100644 --- a/SPECS/sendmail.spec +++ b/SPECS/sendmail.spec 
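Review bot: The two new entries in the embedded readcf.c patch expose `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` by name, but nothing beside them says that these are negative switches, so an operator who lists `SSL_OP_NO_TLSv1_2` in the configuration turns TLS 1.2 off rather than on. A short comment above the entries, for example `/* SSL_OP_NO_* entries disable a protocol version; disabling 1.1 and 1.2 leaves only TLSv1 and older */`, and the same sentence in the operator documentation, would guard against an accidental protocol downgrade. The ssl_options table starts and ends outside the hunk.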
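Review bot: `StartLimitInterval=0` in sendmail.service, and the identical line added to sm-client.service, switches systemd's start rate limiting off completely, so a daemon that is failing for a real reason can be restarted without bound by repeated network events and never ends up in the failed state where monitoring would notice it. The dispatcher script in this same commit now calls `systemctl --no-block try-restart`, so a bounded limit may be sufficient: keep a non-zero interval and raise `StartLimitBurst=` to cover a burst of interface changes. If the limit does have to stay off, a comment in both unit files naming the dispatcher restarts as the reason would keep the setting from being copied elsewhere.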
@@ -26,7 +26,7 @@ Summary: A widely used Mail Transport Agent (MTA) Name: sendmail Version: 8.14.7 -Release: 4%{?dist} +Release: 5%{?dist} License: Sendmail Group: System Environment/Daemons URL: http://www.sendmail.org/ @@ -100,6 +100,18 @@ Patch23: sendmail-8.14.4-sasl2-in-etc.patch # add QoS support, patch from Philip Prindeville # upstream reserved option ID 0xe7 for testing of this new feature, #576643 Patch25: sendmail-8.14.7-qos.patch +# add support for EC ciphers, #1124827 +Patch26: sendmail-8.14.7-add-ec-support.patch +# properly set {client_port} value on little endian machines, +# patch by Kelsey Cumminngs +Patch27: sendmail-8.14.7-client-port.patch +# add support for config options disabling TLS 1.1/2 +# patch backported from upstream +Patch28: sendmail-8.14.7-tls11-12-config-options.patch +# fix for IPv6 enabled server to correctly send mails to servers which +# have MX record pointing to the CNAME +# patch backported from upstream +Patch29: sendmail-8.14.7-ipv6-mx-cname-fix.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: tcp_wrappers-devel BuildRequires: libdb-devel @@ -221,6 +233,10 @@ cp devtools/M4/UNIX/{,shared}library.m4 %patch22 -p1 -b .libdb5 %patch23 -p1 -b .sasl2-in-etc %patch25 -p1 -b .qos +%patch26 -p1 -b .ec-support +%patch27 -p1 -b .client-port +%patch28 -p1 -b .tls11-12-config-options +%patch29 -p1 -b .ipv6-mx-cname-fix for f in RELEASE_NOTES contrib/etrn.0; do iconv -f iso8859-1 -t utf8 -o ${f}{_,} && 
@@ -234,7 +250,7 @@ sed -i 's|/usr/local/bin/perl|%{_bindir}/perl|' contrib/*.pl cat > redhat.config.m4 << EOF define(\`confMAPDEF', \`-DNEWDB -DNIS -DHESIOD -DMAP_REGEX -DSOCKETMAP -DNAMED_BIND=1') define(\`confOPTIMIZE', \`\`\`\`${RPM_OPT_FLAGS}'''') -define(\`confENVDEF', \`-I%{_includedir}/libdb -I/usr/kerberos/include -Wall -DXDEBUG=0 -DTCPWRAPPERS -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_TLS_1 -D_FFR_LINUX_MHNL -D_FFR_QOS') +define(\`confENVDEF', \`-I%{_includedir}/libdb -I/usr/kerberos/include -Wall -DXDEBUG=0 -DTCPWRAPPERS -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_TLS_1 -D_FFR_LINUX_MHNL -D_FFR_QOS -D_FFR_TLS_EC') define(\`confLIBDIRS', \`-L/usr/kerberos/%{_lib}') define(\`confLIBS', \`-lnsl -lwrap -lhesiod -lcrypt -ldb -lresolv %{?relro:%{relro}}') define(\`confMANOWN', \`root') @@ -297,7 +313,7 @@ APPENDDEF(\`confLIBS', \`-lldap -llber -lssl -lcrypto')dnl EOF %endif -DIRS="libsmutil sendmail mailstats rmail praliases smrsh makemap" +DIRS="libsmutil sendmail mailstats rmail praliases smrsh makemap editmap" %if "%{with_milter}" == "yes" DIRS="libmilter $DIRS" @@ -359,6 +375,7 @@ Make force-install -C $OBJDIR/rmail Make install -C $OBJDIR/praliases Make install -C $OBJDIR/smrsh Make install -C $OBJDIR/makemap +Make install -C $OBJDIR/editmap # replace absolute with relative symlinks ln -sf ../sbin/makemap %{buildroot}%{_bindir}/makemap @@ -429,6 +446,8 @@ done touch %{buildroot}%{maildir}/aliasesdb-stamp +touch %{buildroot}%{spooldir}/clientmqueue/sm-client.st + install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/sendmail install -p -m 755 %{SOURCE9} %{buildroot}%{_initrddir}/sendmail install -p -m 755 %{SOURCE2} %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/10-sendmail 
@@ -443,7 +462,7 @@ install -m644 %{SOURCE1} %{buildroot}%{_unitdir} install -m644 %{SOURCE7} %{buildroot}%{_unitdir} # fix permissions to allow debuginfo extraction and stripping -chmod 755 %{buildroot}%{_sbindir}/{mailstats,makemap,praliases,sendmail,smrsh} +chmod 755 %{buildroot}%{_sbindir}/{mailstats,makemap,editmap,praliases,sendmail,smrsh} chmod 755 %{buildroot}%{_bindir}/rmail %if "%{with_sasl2}" == "yes" @@ -460,6 +479,10 @@ sed -i -e 's:%{maildir}/statistics:%{stdir}/statistics:' %{buildroot}%{_mandir}/ # rename files for alternative usage mv %{buildroot}%{_sbindir}/sendmail %{buildroot}%{_sbindir}/sendmail.sendmail touch %{buildroot}%{_sbindir}/sendmail +mv %{buildroot}%{_sbindir}/makemap %{buildroot}%{_sbindir}/makemap.sendmail +touch %{buildroot}%{_sbindir}/makemap +mv %{buildroot}%{_sbindir}/editmap %{buildroot}%{_sbindir}/editmap.sendmail +touch %{buildroot}%{_sbindir}/editmap for i in mailq newaliases rmail; do mv %{buildroot}%{_bindir}/$i %{buildroot}%{_bindir}/$i.sendmail touch %{buildroot}%{_bindir}/$i @@ -474,6 +497,10 @@ mv %{buildroot}%{_mandir}/man8/sendmail.8 %{buildroot}%{_mandir}/man8/sendmail.s touch %{buildroot}%{_mandir}/man8/sendmail.8 mv %{buildroot}%{_mandir}/man8/rmail.8 %{buildroot}%{_mandir}/man8/rmail.sendmail.8 touch %{buildroot}%{_mandir}/man8/rmail.8 +mv %{buildroot}%{_mandir}/man8/makemap.8 %{buildroot}%{_mandir}/man8/makemap.sendmail.8 +touch %{buildroot}%{_mandir}/man8/makemap.8 +mv %{buildroot}%{_mandir}/man8/editmap.8 %{buildroot}%{_mandir}/man8/editmap.sendmail.8 +touch %{buildroot}%{_mandir}/man8/editmap.8 touch %{buildroot}/usr/lib/sendmail touch %{buildroot}%{_sysconfdir}/pam.d/smtp 
@@ -497,6 +524,11 @@ getent group smmsp >/dev/null || \ getent passwd smmsp >/dev/null || \ %{_sbindir}/useradd -u 51 -g smmsp -d %{spooldir}/mqueue -r \ -s %{smshell} smmsp >/dev/null 2>&1 + +# hack to turn sbin/makemap and man8/makemap.8.gz into alternatives symlink +[ -h %{_sbindir}/makemap ] || rm -f %{_sbindir}/makemap || : +[ -h %{_mandir}/man8/makemap.8.gz ] || rm -f %{_mandir}/man8/makemap.8.gz || : + exit 0 %postun @@ -514,6 +546,8 @@ exit 0 # Set up the alternatives files for MTAs. %{_sbindir}/alternatives --install %{_sbindir}/sendmail mta %{_sbindir}/sendmail.sendmail 90 \ + --slave %{_sbindir}/makemap mta-makemap %{_sbindir}/makemap.sendmail \ + --slave %{_sbindir}/editmap mta-editmap %{_sbindir}/editmap.sendmail \ --slave %{_bindir}/mailq mta-mailq %{_bindir}/mailq.sendmail \ --slave %{_bindir}/newaliases mta-newaliases %{_bindir}/newaliases.sendmail \ --slave %{_bindir}/rmail mta-rmail %{_bindir}/rmail.sendmail \ @@ -524,6 +558,8 @@ exit 0 --slave %{_mandir}/man1/newaliases.1.gz mta-newaliasesman %{_mandir}/man1/newaliases.sendmail.1.gz \ --slave %{_mandir}/man5/aliases.5.gz mta-aliasesman %{_mandir}/man5/aliases.sendmail.5.gz \ --slave %{_mandir}/man8/rmail.8.gz mta-rmailman %{_mandir}/man8/rmail.sendmail.8.gz \ + --slave %{_mandir}/man8/makemap.8.gz mta-makemapman %{_mandir}/man8/makemap.sendmail.8.gz \ + --slave %{_mandir}/man8/editmap.8.gz mta-editmapman %{_mandir}/man8/editmap.sendmail.8.gz \ --initscript sendmail > /dev/null 2>&1 # Rebuild maps. @@ -541,6 +577,14 @@ exit 0 %{_libdir}/sasl2/Sendmail.conf ] && mv -f %{_libdir}/sasl2/Sendmail.conf \ %{_sysconfdir}/sasl2 2>/dev/null || : %endif + +# Create sm-client.st if it doesn't exist +if [ ! -f %{spooldir}/clientmqueue/sm-client.st ]; then + touch %{spooldir}/clientmqueue/sm-client.st + chown smmsp:smmsp %{spooldir}/clientmqueue/sm-client.st + chmod 0660 %{spooldir}/clientmqueue/sm-client.st +fi + exit 0 %preun 
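Review bot: The `%post` block added in the hunk at -541 runs `touch`, `chown` and `chmod` as root on a fixed name inside `%{spooldir}/clientmqueue`, and all three follow symbolic links, while the `[ ! -f ... ]` guard still lets the block run when the name already exists as a dangling link or as something other than a regular file. If that directory is writable by smmsp (its ownership is set outside this hunk), the ownership and mode change could land on a file other than the statistics file. I would tighten the guard to `if [ ! -e F ] && [ ! -L F ]; then` and use `chown -h smmsp:smmsp F`, with F standing for `%{spooldir}/clientmqueue/sm-client.st`, and add a comment that the scriptlet must not follow links in a spool directory.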
@@ -593,7 +637,8 @@ fi %{_bindir}/makemap %{_bindir}/purgestat %{_sbindir}/mailstats -%{_sbindir}/makemap +%{_sbindir}/makemap.sendmail +%{_sbindir}/editmap.sendmail %{_sbindir}/praliases %attr(2755,root,smmsp) %{_sbindir}/sendmail.sendmail %{_bindir}/rmail.sendmail @@ -605,7 +650,8 @@ fi %{_mandir}/man8/rmail.sendmail.8.gz %{_mandir}/man8/praliases.8.gz %{_mandir}/man8/mailstats.8.gz -%{_mandir}/man8/makemap.8.gz +%{_mandir}/man8/makemap.sendmail.8.gz +%{_mandir}/man8/editmap.sendmail.8.gz %{_mandir}/man8/sendmail.sendmail.8.gz %{_mandir}/man8/smrsh.8.gz %{_mandir}/man8/hoststat.8.gz @@ -616,6 +662,8 @@ fi # dummy attributes for rpmlint %ghost %attr(0755,-,-) %{_sbindir}/sendmail +%ghost %attr(0755,-,-) %{_sbindir}/makemap +%ghost %attr(0755,-,-) %{_sbindir}/editmap %ghost %attr(0755,-,-) %{_bindir}/mailq %ghost %attr(0755,-,-) %{_bindir}/newaliases %ghost %attr(0755,-,-) %{_bindir}/rmail @@ -627,6 +675,8 @@ fi %ghost %{_mandir}/man1/newaliases.1.gz %ghost %{_mandir}/man5/aliases.5.gz %ghost %{_mandir}/man8/rmail.8.gz +%ghost %{_mandir}/man8/makemap.8.gz +%ghost %{_mandir}/man8/editmap.8.gz %dir %{stdir} %dir %{_sysconfdir}/smrsh @@ -655,6 +705,8 @@ fi %ghost %{maildir}/domaintable.db %ghost %{maildir}/mailertable.db +%ghost %{spooldir}/clientmqueue/sm-client.st + %{_unitdir}/sendmail.service %{_unitdir}/sm-client.service %config(noreplace) %{_sysconfdir}/sysconfig/sendmail 
@@ -709,6 +761,32 @@ fi %{_initrddir}/sendmail %changelog +* Thu Mar 23 2017 Jaroslav Škarvada - 8.14.7-5 +- Explicitly enabled sm-client statistics + Resolves: rhbz#890585 +- Enable ECDHE support + Resolves: rhbz#1124827 +- Properly set {client_port} value on little endian machines, + patch by Kelsey Cumminngs + Resolves: rhbz#1210914 +- Added makemap and its manual page into alternatives + Resolves: rhbz#1225891 +- Modified nm-dispatcher script to asynchronously restart sendmail and + not block the connection activation + Resolves: rhbz#1237070 +- Added config options allowing disablement of TLS 1.1/2 + Resolves: rhbz#1281476 +- Fixed problem with e-mails not sending from IPv6 enabled server + to servers with MX record pointing to CNAME + Resolves: rhbz#1294870 +- Added editmap + Resolves: rhbz#1342393 +- Removed systemd limit for sendmail restarts to workaround failure due to + rapid restarts caused by NetworkManager dispatcher script + Resolves: rhbz#1395102 +- Fixed op.pdf + Resolves: rhbz#1401070 + * Fri Jan 24 2014 Daniel Mach - 8.14.7-4 - Mass rebuild 2014-01-24