Diffstat (limited to 'cf')
-rw-r--r-- | cf/README | 29 | ||||
-rw-r--r-- | cf/cf/generic-bsd4.4.cf | 15 | ||||
-rw-r--r-- | cf/cf/generic-hpux10.cf | 15 | ||||
-rw-r--r-- | cf/cf/generic-hpux9.cf | 15 | ||||
-rw-r--r-- | cf/cf/generic-linux.cf | 15 | ||||
-rw-r--r-- | cf/cf/generic-mpeix.cf | 15 | ||||
-rw-r--r-- | cf/cf/generic-nextstep3.3.cf | 15 | ||||
-rw-r--r-- | cf/cf/generic-osf1.cf | 15 | ||||
-rw-r--r-- | cf/cf/generic-solaris.cf | 15 | ||||
-rw-r--r-- | cf/cf/generic-sunos4.1.cf | 15 | ||||
-rw-r--r-- | cf/cf/generic-ultrix4.cf | 15 | ||||
-rw-r--r-- | cf/cf/submit.cf | 15 | ||||
-rw-r--r-- | cf/feature/check_cert_altnames.m4 | 2 | ||||
-rw-r--r-- | cf/feature/enhdnsbl.m4 | 14 | ||||
-rw-r--r-- | cf/feature/fips3.m4 | 16 | ||||
-rw-r--r-- | cf/feature/ldap_routing.m4 | 2 | ||||
-rw-r--r-- | cf/hack/xconnect.m4 | 4 | ||||
-rw-r--r-- | cf/m4/proto.m4 | 84 | ||||
-rw-r--r-- | cf/m4/version.m4 | 2 | ||||
-rw-r--r-- | cf/sh/makeinfo.sh | 2 |
20 files changed, 214 insertions, 106 deletions
diff --git a/cf/README b/cf/README index cfabe5eefe45..6191337ea625 100644 --- a/cf/README +++ b/cf/README @@ -1301,6 +1301,8 @@ dnsbl Turns on rejection, discarding, or quarantining of hosts definition from `host'. Set the DNSBL_MAP_OPT mc option to add additional options to the map specification used. + Note: currently only IPv4 addresses are checked. + Some DNS based rejection lists cause failures if asked for AAAA records. If your sendmail version is compiled with IPv6 support (NETINET6) and you experience this @@ -1326,10 +1328,10 @@ enhdnsbl Enhanced version of dnsbl (see above). Further arguments compared with the supplied argument(s), and only if a match occurs an error is generated. For example, - FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.') + FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2') will reject the e-mail if the lookup returns the value - ``127.0.0.2.'', or generate a 451 response if the lookup + ``127.0.0.2'', or generate a 451 response if the lookup temporarily failed. The arguments can contain metasymbols as they are allowed in the LHS of rules. As the example shows, the default values are also used if an empty argument, @@ -1616,6 +1618,12 @@ sts Experimental support for Strict Transport Security for the default value). For more information see doc/op/op.me. +fips3 Basic support for FIPS in OpenSSL 3 by setting + the environment variables OPENSSL_CONF and + OPENSSL_MODULES to the first and second argument, + respectively. For details, see the file and + the OpenSSL documentation. + +-------+ | HACKS | +-------+ @@ -1688,6 +1696,7 @@ The macro LOCAL_UUCP can be used to add rules into the generated cf file at the place where MAILER(`uucp') inserts its rules. This should only be used if really necessary. + +--------------------+ | USING UUCP MAILERS | +--------------------+ 
@@ -3183,8 +3192,8 @@ VERIFY:bits verification must have succeeded and ${cipher_bits} must ENCR:bits ${cipher_bits} must be greater than or equal bits. The RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary -or permanent error. The default is a temporary error code (403 4.7.0) -unless the macro TLS_PERM_ERR is set during generation of the .cf file. +or permanent error. The default is a temporary error code unless +the macro TLS_PERM_ERR is set during generation of the .cf file. If a certain level of encryption is required, then it might also be possible that this level is provided by the security layer from a SASL @@ -3256,9 +3265,10 @@ default TLS options are not modified. About 2): the rulesets try_tls, srv_features, and clt_features can be used together with the access map. Entries for the access map must be tagged with Try_TLS, Srv_Features, Clt_Features and refer -to the hostname or IP address of the connecting system. A default -case can be specified by using just the tag. For example, the -following entries in the access map: +to the hostname or IP address of the connecting system (the latter +is not available for clt_features). A default case can be specified +by using just the tag. For example, the following entries in the +access map: Try_TLS:broken.server NO Srv_Features:my.domain v @@ -3376,6 +3386,7 @@ or FEATURE(`authinfo') must be used which provides a separate map. Notice: It is not checked whether the map is actually group/world-unreadable, this is left to the user. + +--------------------------------+ | ADDING NEW MAILERS OR RULESETS | +--------------------------------+ @@ -3461,6 +3472,7 @@ groups can be defined using the command: For details about queue groups, please see doc/op/op.{me,ps,txt}. + +-------------------------------+ | NON-SMTP BASED CONFIGURATIONS | +-------------------------------+ 
@@ -4406,6 +4418,9 @@ confCERT_FINGERPRINT_ALGORITHM CertFingerprintAlgorithm confSSL_ENGINE SSLEngine [undefined] Name of SSLEngine. confSSL_ENGINE_PATH SSLEnginePath [undefined] Path to dynamic library for SSLEngine. +confOPENSSL_CNF [/etc/mail/sendmail.ossl] Set the + environment variable OPENSSL_CONF. + An empty value disables setting it. confNICE_QUEUE_RUN NiceQueueRun [undefined] If set, the priority of queue runners is set the given value (nice(3)). diff --git a/cf/cf/generic-bsd4.4.cf b/cf/cf/generic-bsd4.4.cf index b60ce6d913bb..1f492542757d 100644 --- a/cf/cf/generic-bsd4.4.cf +++ b/cf/cf/generic-bsd4.4.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -120,10 +120,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1256,6 +1258,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1264,7 +1267,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1296,7 +1302,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/generic-hpux10.cf b/cf/cf/generic-hpux10.cf index c475525bd701..31ef07d83cde 100644 --- a/cf/cf/generic-hpux10.cf +++ b/cf/cf/generic-hpux10.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -121,10 +121,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1257,6 +1259,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1265,7 +1268,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1297,7 +1303,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/generic-hpux9.cf b/cf/cf/generic-hpux9.cf index a067a19c3b63..e05da839a518 100644 --- a/cf/cf/generic-hpux9.cf +++ b/cf/cf/generic-hpux9.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -121,10 +121,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1257,6 +1259,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1265,7 +1268,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1297,7 +1303,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/generic-linux.cf b/cf/cf/generic-linux.cf index 5d1f08151226..e1c2701db584 100644 --- a/cf/cf/generic-linux.cf +++ b/cf/cf/generic-linux.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -125,10 +125,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1261,6 +1263,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1269,7 +1272,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1301,7 +1307,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/generic-mpeix.cf b/cf/cf/generic-mpeix.cf index 5f5d8b5714be..333b9968d106 100644 --- a/cf/cf/generic-mpeix.cf +++ b/cf/cf/generic-mpeix.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -121,10 +121,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1257,6 +1259,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1265,7 +1268,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1297,7 +1303,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/generic-nextstep3.3.cf b/cf/cf/generic-nextstep3.3.cf index 705210e51dd7..02f82eadc10c 100644 --- a/cf/cf/generic-nextstep3.3.cf +++ b/cf/cf/generic-nextstep3.3.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -120,10 +120,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1256,6 +1258,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1264,7 +1267,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1296,7 +1302,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/generic-osf1.cf b/cf/cf/generic-osf1.cf index 2100bc3f9a09..7ba4704da8da 100644 --- a/cf/cf/generic-osf1.cf +++ b/cf/cf/generic-osf1.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -121,10 +121,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1257,6 +1259,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1265,7 +1268,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1297,7 +1303,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/generic-solaris.cf b/cf/cf/generic-solaris.cf index a1553a26e06a..c139f1c530a1 100644 --- a/cf/cf/generic-solaris.cf +++ b/cf/cf/generic-solaris.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:05:00 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -120,10 +120,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1256,6 +1258,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1264,7 +1267,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1296,7 +1302,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/generic-sunos4.1.cf b/cf/cf/generic-sunos4.1.cf index b323360678da..df6b2b2885bf 100644 --- a/cf/cf/generic-sunos4.1.cf +++ b/cf/cf/generic-sunos4.1.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:05:00 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -121,10 +121,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1257,6 +1259,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1265,7 +1268,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1297,7 +1303,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/generic-ultrix4.cf b/cf/cf/generic-ultrix4.cf index 5adb1ef6b32e..2960c9d07de8 100644 --- a/cf/cf/generic-ultrix4.cf +++ b/cf/cf/generic-ultrix4.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:05:00 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -121,10 +121,12 @@ C{E}root DnMAILER-DAEMON + CPREDIRECT +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1 +DZ8.18.1 ############### @@ -1257,6 +1259,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1265,7 +1268,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1297,7 +1303,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/cf/submit.cf b/cf/cf/submit.cf index 1faab23e9e39..92e8cb497c22 100644 --- a/cf/cf/submit.cf +++ b/cf/cf/submit.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:05:00 PDT 2021 -##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf +##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024 +##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -111,11 +111,13 @@ Kdequote dequote DnMAILER-DAEMON + D{MTAHost}[127.0.0.1] +EOPENSSL_CONF=/etc/mail/sendmail.ossl # Configuration version number -DZ8.17.1/Submit +DZ8.18.1/Submit ############### @@ -1248,6 +1250,7 @@ Stry_tls + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) @@ -1256,7 +1259,10 @@ Stry_tls ### $1: recipient ###################################################################### Stls_rcpt - +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ 4.7.0 $: "454 DANE: missing STARTTLS." +R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE check failed temporarily." +R$* $| DANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." ###################################################################### ### tls_client: is connection with client "good" enough? 
@@ -1288,7 +1294,6 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "454 TLS handshake failed." -RDANE_FAIL $#error $@ 4.7.0 $: "454 DANE check failed." RPROTOCOL $#error $@ 4.7.0 $: "454 STARTTLS failed." RCONFIG $#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible." diff --git a/cf/feature/check_cert_altnames.m4 b/cf/feature/check_cert_altnames.m4 index baa10697fd95..428ef28c8587 100644 --- a/cf/feature/check_cert_altnames.m4 +++ b/cf/feature/check_cert_altnames.m4 @@ -13,5 +13,5 @@ divert(0)dnl VERSIONID(`$Id: check_cert_altnames.m4 1.0 2019-01-01 01:01:01 ca Exp $') divert(-1) define(`_FFR_TLS_ALTNAMES', `1') -divert(6)dnl +LOCAL_CONFIG O SetCertAltnames=true diff --git a/cf/feature/enhdnsbl.m4 b/cf/feature/enhdnsbl.m4 index a1f5f62a004b..72ef7c98bd56 100644 --- a/cf/feature/enhdnsbl.m4 +++ b/cf/feature/enhdnsbl.m4 @@ -17,7 +17,7 @@ VERSIONID(`$Id: enhdnsbl.m4,v 1.13 2013-11-22 20:51:11 ca Exp $') LOCAL_CONFIG define(`_EDNSBL_R_',`')dnl # map for enhanced DNS based blocklist lookups -Kednsbl dns -R A -a. -T<TMP> -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5') +Kednsbl dns -R A -T<TMP> -z -Z32 -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5') ') divert(-1) define(`_EDNSBL_SRV_', `_ARG_')dnl 
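Review bot: The new flags on the `Kednsbl` map line in cf/feature/enhdnsbl.m4 are not explained, and the blank after `-z` looks significant, so the line is easy to break in a later edit. As far as this hunk shows, `-z` followed by a space makes the dns map join several A records with a blank and `-Z32` caps how many are joined, replacing the old `-a.` suffix; this should be confirmed against the map documentation. I would extend the comment above the map, e.g. `# -z' ' joins multiple A records with a blank; -Z32 limits the result to 32 records`. If the cap truncates the list, a blocklist that returns more records than that could hide the value a rule is waiting for, so the limit deserves a mention in cf/README as well.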
@@ -39,15 +39,15 @@ R<?>OK $: OKSOFAR ifelse(len(X`'_ARG3_),`1', `R<?>$+<TMP> $: TMPOK', `R<?>$+<TMP> $#error $@ 4.4.3 $: _EDNSBL_MSG_TMP_') -R<?>_EDNSBL_MATCH_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_ +R<?>$* patsubst(_EDNSBL_MATCH_, `\.$', `') $* _EDNSBL_ACTION_ $: _EDNSBL_MSG_ ifelse(len(X`'_ARG5_),`1',`dnl', -`R<?>_ARG5_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_') +`R<?>$* patsubst(_ARG5_, `\.$', `') $* _EDNSBL_ACTION_ $: _EDNSBL_MSG_') ifelse(len(X`'_ARG6_),`1',`dnl', -`R<?>_ARG6_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_') +`R<?>$* patsubst(_ARG6_, `\.$', `') $* _EDNSBL_ACTION_ $: _EDNSBL_MSG_') ifelse(len(X`'_ARG7_),`1',`dnl', -`R<?>_ARG7_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_') +`R<?>$* patsubst(_ARG7_, `\.$', `') $* _EDNSBL_ACTION_ $: _EDNSBL_MSG_') ifelse(len(X`'_ARG8_),`1',`dnl', -`R<?>_ARG8_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_') +`R<?>$* patsubst(_ARG8_, `\.$', `') $* _EDNSBL_ACTION_ $: _EDNSBL_MSG_') ifelse(len(X`'_ARG9_),`1',`dnl', -`R<?>_ARG9_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_') +`R<?>$* patsubst(_ARG9_, `\.$', `') $* _EDNSBL_ACTION_ $: _EDNSBL_MSG_') divert(-1) diff --git a/cf/feature/fips3.m4 b/cf/feature/fips3.m4 new file mode 100644 index 000000000000..0d17642a111b --- /dev/null +++ b/cf/feature/fips3.m4 @@ -0,0 +1,16 @@ +divert(-1) +# +# Copyright (c) 2023 Proofpoint, Inc. and its suppliers. +# All rights reserved. +# +# By using this file, you agree to the terms and conditions set +# forth in the LICENSE file which can be found at the top level of +# the sendmail distribution. +# +# + +divert(0) +define(`confOPENSSL_CNF', dnl +ifelse(defn(`_ARG_'), `', `/etc/mail/fips.ossl', `_ARG_'))dnl +ifelse(len(X`'_ARG2_),`1',`',`LOCAL_CONFIG +EOPENSSL_MODULES=_ARG2_') diff --git a/cf/feature/ldap_routing.m4 b/cf/feature/ldap_routing.m4 index 0d8ccb9730c2..f8717877ad58 100644 --- a/cf/feature/ldap_routing.m4 +++ b/cf/feature/ldap_routing.m4 
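Review bot: The rewritten match rules in cf/feature/enhdnsbl.m4 depend on `patsubst`, which is a GNU m4 extension rather than POSIX m4, and the hunk adds no guard for m4 implementations that lack it. With such an m4 the text `patsubst(...)` would presumably be copied into the rule's LHS, so the rule never matches and the blocklist silently stops rejecting; a build-time check or a note about the m4 requirement would make that failure visible. The first argument is also passed unquoted (`patsubst(_EDNSBL_MATCH_, ...)`), so a match value containing a comma would be split into separate arguments. A comment above the first rule would explain both changes, e.g. `dnl strip a trailing dot so that older arguments such as 127.0.0.2. still match; $* on both sides matches any one of several returned records`.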
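Review bot: cf/README sends readers to cf/feature/fips3.m4 "for details", but the new file holds only the licence header and the macro body, so its arguments and defaults are undocumented where the README points. I would add a usage comment under the header, e.g. `# FEATURE(`fips3', `openssl-config-file', `openssl-modules-directory')`, noting that the first argument defaults to `/etc/mail/fips.ossl` and that `OPENSSL_MODULES` is set only when a second argument is given. Both paths decide which OpenSSL configuration and provider modules are loaded into the MTA, so the comment should also say that they must be writable only by root; nothing in this hunk checks that. The file also has no `VERSIONID` line, unlike the other feature files touched by this commit.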
@@ -18,7 +18,7 @@ ifelse(len(X`'_ARG1_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')') ifelse(len(X`'_ARG2_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')') ifelse(len(X`'_ARG5_), `1', `', `define(`_LDAP_ROUTE_NODOMAIN_', `yes')') -# Check for third argument to indicate how to deal with non-existant +# Check for third argument to indicate how to deal with non-existent # LDAP records ifelse(len(X`'_ARG3_), `1', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')', _ARG3_, `passthru', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')', diff --git a/cf/hack/xconnect.m4 b/cf/hack/xconnect.m4 index 72fba31d7bdb..b6b46baa7af1 100644 --- a/cf/hack/xconnect.m4 +++ b/cf/hack/xconnect.m4 @@ -20,6 +20,8 @@ LOCAL_RULESETS # # x_connect ruleset for looking up XConnect: tag in access DB to enable # XCONNECT support in MTA +# if the RHS of the map entry is haproxy1, +# then HAproxy protocol version 1 is used # Sx_connect dnl workspace: {client_name} $| {client_addr} @@ -32,6 +34,6 @@ R<?> <$+> $: $>A < $1 > <?> <! XConnect> <> no: another lookup dnl workspace: <result-of-lookup> (<>|<{client_addr}>) R<?> <$*> $# no found nothing dnl workspace: <result-of-lookup> (<>|<{client_addr}>) | OK -R<$+> <$*> $@ yes found in access DB', +R<$+> <$*> $@ $1 found in access DB', `errprint(`*** ERROR: HACK(xconnect) requires FEATURE(access_db) ')') diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4 index cfd71b3f9cad..ff7eb0bedc2a 100644 --- a/cf/m4/proto.m4 +++ b/cf/m4/proto.m4 @@ -247,7 +247,9 @@ DM`'MASQUERADE_NAME') # my name for error messages ifdef(`confMAILER_NAME', `Dn`'confMAILER_NAME', `#DnMAILER-DAEMON') +ifdef(`confOPENSSL_CNF',, `define(`confOPENSSL_CNF', `/etc/mail/sendmail.ossl')') undivert(6)dnl LOCAL_CONFIG +ifelse(defn(`confOPENSSL_CNF'), `', `', `EOPENSSL_CONF=confOPENSSL_CNF') include(_CF_DIR_`m4/version.m4') ############### 
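Review bot: The last rule of `x_connect` in cf/hack/xconnect.m4 now returns the access-map RHS verbatim (`$@ $1`) instead of the fixed `yes`, and nothing in the ruleset restricts it to values the MTA understands. The added comment names only `haproxy1`. Existing entries with any other RHS (for example `OK`) used to yield `yes` and now yield that string, and this hunk does not show whether the MTA still enables XCONNECT for them. Since this ruleset decides which peers may supply a client address on behalf of another host, I would list the accepted values in the header comment, e.g. `# accepted RHS values: yes (XCONNECT), haproxy1 (HAproxy protocol version 1); anything else: <behaviour to be confirmed>`, and consider mapping unknown values to `no`.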
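Review bot: In the first cf/m4/proto.m4 hunk the `EOPENSSL_CONF=` line is emitted after `undivert(6)`, so it follows anything a site put in LOCAL_CONFIG. With the new default, every generated .cf also sets `OPENSSL_CONF` to `/etc/mail/sendmail.ossl` whether or not the site asked for it. If a later `E` line replaces an earlier one for the same variable (to be confirmed against the E-line handling), a hand-written `EOPENSSL_CONF=...` in LOCAL_CONFIG is silently overridden and `confOPENSSL_CNF` is the only working knob. A comment in the generated output would make that visible, e.g. `# OpenSSL configuration file for the MTA (confOPENSSL_CNF; an empty value disables this line)`. OpenSSL reads the named file inside the MTA, so the install notes should say it must not be writable by anyone but root.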
@@ -938,7 +940,7 @@ ifdef(`_CANONIFY_HOSTS_', `dnl dnl this should only apply to unqualified hostnames dnl but if a valid character inside an unqualified hostname is an OperatorChar dnl then $- does not work. -# lookup unqualified hostnames +# look up unqualified hostnames R$* $| $* < @ $* > $* $: $2 < @ $[ $3 $] > $4', `dnl')', `dnl dnl _NO_CANONIFY_ is not set: canonify unless: dnl {daemon_flags} contains CC (do not canonify) @@ -1234,7 +1236,7 @@ R$+ . USENET $#usenet $@ usenet $: $1', ifdef(`_LOCAL_RULES_', `# figure out what should stay in our local mail system -undivert(1)', `dnl') +undivert(1)dnl LOCAL_NET_CONFIG', `dnl') # pass names that still have a host to a smarthost (if defined) R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name @@ -1436,11 +1438,12 @@ dnl if generics should be applied add a @ as mark R$+ < @ *LOCAL* > $: < $1@$j > $1 < @ *LOCAL* > @ mark dnl workspace: either user<@domain> or <user@domain> user <@domain> @ dnl ignore the first case for now -dnl if it has the mark lookup full address +dnl if it has the mark look up full address dnl broken: %1 is full address not just detail R< $+ > $+ < $* > @ $: < $(generics $1 $: @ $1 $) > $2 < $3 > dnl workspace: ... or <match|@user@domain> user <@domain> -dnl no match, try user+detail@domain +dnl no match, try user+detail@domain: +dnl look up user+*@domain and user@domain R<@$+ + $* @ $+> $+ < @ $+ > $: < $(generics $1+*@$3 $@ $2 $:@$1 + $2@$3 $) > $4 < @ $5 > R<@$+ + $* @ $+> $+ < @ $+ > @@ -1527,7 +1530,7 @@ R$={SMTPOpModes} $| TMPF <e r> $| $+ $#error $@ 4.3.0 $: _TMPFMSG_(`OPM')') # ... return original address for MTA to queue up R$* $| TMPF <$*> $| $+ $@ $3 -# if mailRoutingAddress and local or non-existant mailHost, +# if mailRoutingAddress and local or non-existent mailHost, # return the new mailRoutingAddress ifelse(_LDAP_ROUTE_DETAIL_, `_PRESERVE_', `dnl R<$+@$+> <$=w> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1 $6 @ $2 
@@ -1610,14 +1613,14 @@ dnl <result> <passthru> SD dnl workspace <key> <default> <passthru> <mark> -dnl lookup with tag (in front, no delimiter here) +dnl look up with tag (in front, no delimiter here) dnl 2 3 4 5 R<$*> <$+> <$- $-> <$*> $: < $(access $4`'_TAG_DELIM_`'$1 $: ? $) > <$1> <$2> <$3 $4> <$5> dnl workspace <result-of-lookup|?> <key> <default> <passthru> <mark> -dnl lookup without tag? +dnl look up without tag? dnl 1 2 3 4 R<?> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4> -ifdef(`_LOOKUPDOTDOMAIN_', `dnl omit first component: lookup .rest +ifdef(`_LOOKUPDOTDOMAIN_', `dnl omit first component: look up .rest dnl XXX apply this also to IP addresses? dnl currently it works the wrong way round for [1.2.3.4] dnl 1 2 3 4 5 6 @@ -1640,7 +1643,7 @@ R<?> <[$+:$-]> <$+> <$- $-> <$*> $: $>D <[$1]> <$3> <$4 $5> <$6>') dnl not found, but subdomain: try again dnl 1 2 3 4 5 6 R<?> <$+.$+> <$+> <$- $-> <$*> $@ $>D <$2> <$3> <$4 $5> <$6> -ifdef(`_FFR_LOOKUPTAG_', `dnl lookup Tag: +ifdef(`_FFR_LOOKUPTAG_', `dnl look up Tag: dnl 1 2 3 4 R<?> <$+> <$+> <! $-> <$*> $: < $(access $3`'_TAG_DELIM_ $: ? $) > <$1> <$2> <! $3> <$4>', `dnl') dnl not found, no subdomain: return <default> and <passthru> @@ -1669,10 +1672,10 @@ dnl <result> <passthru> ###################################################################### SA -dnl lookup with tag +dnl look up with tag dnl 2 3 4 5 R<$+> <$+> <$- $-> <$*> $: < $(access $4`'_TAG_DELIM_`'$1 $: ? $) > <$1> <$2> <$3 $4> <$5> -dnl lookup without tag +dnl look up without tag dnl 1 2 3 4 R<?> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4> dnl workspace <result-of-lookup|?> <key> <default> <mark> <passthru> 
@@ -2402,7 +2405,7 @@ dnl otherwise call tls_client; see above R$+ $| $#$* $@ $>"Delay_TLS_Clt" $2 R$+ $| $* $: <?> $>FullAddr $>CanonAddr $1 ifdef(`_SPAM_FH_', -`dnl lookup user@ and user@address +`dnl look up user@ and user@address ifdef(`_ACCESS_TABLE_', `', `errprint(`*** ERROR: FEATURE(`delay_checks', `argument') requires FEATURE(`access_db') ')')dnl @@ -2412,7 +2415,7 @@ dnl and simplified by omitting some < >. R<?> $+ < @ $=w > $: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 > <U: $1@> R<?> $+ < @ $* > $: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 > dnl R<?> $@ something_is_very_wrong_here -# lookup the addresses only with Spam tag +# look up the addresses only with Spam tag R<> $* $| <$+> $: <@> $1 $| $>SearchList <! Spam> $| <$2> <> R<@> $* $| $* $: $2 $1 reverse result dnl', `dnl') @@ -2608,16 +2611,16 @@ R<$+> <$*> <$- $-> <$*> $@ <$1> <$5> ### Parameters: ### <exact tag> $| <mark:address> <mark:address> ... <> dnl maybe we should have a @ (again) in front of the mark to -dnl avoid errorneous matches (with error messages?) +dnl avoid erroneous matches (with error messages?) dnl if we can make sure that tag is always a single token dnl then we can omit the delimiter $|, otherwise we need it -dnl to avoid errorneous matchs (first rule: D: if there +dnl to avoid erroneous matches (first rule: D: if there dnl is that mark somewhere in the list, it will be taken). dnl moreover, we can do some tricks to enforce lookup with dnl the tag only, e.g.: ### where "exact" is either "+" or "!": -### <+ TAG> lookup with and w/o tag -### <! TAG> lookup with tag +### <+ TAG> look up with and w/o tag +### <! TAG> look up with tag dnl Warning: + and ! should be in OperatorChars (otherwise there must be dnl a blank between them and the tag. ### possible values for "mark" are: 
@@ -2706,8 +2709,9 @@ R$* $: $1 $| $>"Local_clt_features" $1 R$* $| $#$* $#$2 R$* $| $* $: $1', `dnl') ifdef(`_ACCESS_TABLE_', `dnl -R$* $: $>D <$&{client_name}> <?> <! CLT_FEAT_TAG> <> -R<?>$* $: $>A <$&{client_addr}> <?> <! CLT_FEAT_TAG> <> +dnl the servername can have a trailing dot from canonification +R$* . $1 +R$+ $: $>D <$1> <?> <! CLT_FEAT_TAG> <> R<?>$* $: <$(access CLT_FEAT_TAG`'_TAG_DELIM_ $: ? $)> R<?>$* $@ OK ifdef(`_ATMPF_', `dnl tempfail? @@ -2802,6 +2806,18 @@ R:$* $| $-.$+ $: $(macro {TLS_Name} $@ .$3 $) $>TLS_NameInList :$1 R$* ok $@ $>STS_SAN R:$*: $#error $@ 4.7.0 $: 450 $&{server_name} not found in " "$1', `dnl') +ifdef(`TLS_PERM_ERR', `dnl +define(`TLS_DSNCODE', `5.7.0')dnl +define(`TLS_ERRCODE', `554')',`dnl +define(`TLS_DSNCODE', `4.7.0')dnl +define(`TLS_ERRCODE', `454')')dnl +define(`SW_MSG', `TLS handshake failed.')dnl +define(`DANE_MSG', `DANE check failed.')dnl +define(`DANE_TEMP_MSG', `DANE check failed temporarily.')dnl +define(`DANE_NOTLS_MSG', `DANE: missing STARTTLS.')dnl +define(`PROT_MSG', `STARTTLS failed.')dnl +define(`CNF_MSG', `STARTTLS temporarily not possible.')dnl + ###################################################################### ### tls_rcpt: is connection with server "good" enough? ### (done in client, per recipient) 
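Review bot: The fallback lookup by address (`$>A <$&{client_addr}> <?> <! CLT_FEAT_TAG> <>`) is removed without a replacement, so access entries under this tag that are keyed by IP address appear to be skipped unless the ruleset argument can itself be an address literal. The new `R$+` rule also no longer matches an empty workspace, and in that case the `R<?>$*` default lookup and the `$@ OK` rule after it do not fire either; what the rest of the ruleset does then lies outside the hunk. If both effects are intended, a comment should say so, e.g. `dnl lookup is by the server name passed as argument only; address-keyed entries are not consulted`. If the empty case can occur, keeping `R$*` on the `$>D` rule restores the old fall-through to the default entry.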
@@ -2833,12 +2849,22 @@ R<?> $+ $: $1 $| <U:$1@> <E:> dnl look it up dnl also look up a default value via E: R$* $| $+ $: $1 $| $>SearchList <! TLS_RCPT_TAG> $| $2 <> +dnl no applicable requirements; trigger an error on DANE_FAIL +dnl note: this allows to disable DANE per RCPT. +R$* $| <?> $: $1 $| $&{verify} $| <?> +R$* $| DANE_FAIL $| <?> $#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_MSG" +R$* $| DANE_NOTLS $| <?> $#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_NOTLS_MSG" +R$* $| DANE_TEMP $| <?> $#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_TEMP_MSG" dnl found nothing: stop here R$* $| <?> $@ OK ifdef(`_ATMPF_', `dnl tempfail? R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: _TMPFMSG_(`TR')', `dnl') dnl use the generic routine (for now) -R$* $| <$+> $@ $>"TLS_connection" $&{verify} $| <$2>') +R$* $| <$+> $@ $>"TLS_connection" $&{verify} $| <$2>', `dnl +R$* $: $1 $| $&{verify} +R$* $| DANE_NOTLS $#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_NOTLS_MSG" +R$* $| DANE_TEMP $#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_TEMP_MSG" +R$* $| DANE_FAIL $#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_MSG"') ###################################################################### ### tls_client: is connection with client "good" enough? 
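Review bot: The two added `DANE_TEMP` rules report a temporary failure with `TLS_DSNCODE`/`TLS_ERRCODE`, which the defines moved above this ruleset set to `5.7.0`/`554` when `TLS_PERM_ERR` is defined, so the text "DANE check failed temporarily." would go out with a permanent code. The disabled `RDANE_TEMP` line in the TLS_connection hunk hard-codes the transient codes, which looks like the intended behaviour. I would use the same here: `R$* $| DANE_TEMP $| <?> $#error $@ 4.7.0 $: "454 DANE_TEMP_MSG"` in the access-table branch and `R$* $| DANE_TEMP $#error $@ 4.7.0 $: "454 DANE_TEMP_MSG"` in the else branch. Whether `DANE_NOTLS` should follow `TLS_PERM_ERR` is a policy choice that deserves a one-line comment.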
@@ -2915,22 +2941,14 @@ dnl [(PERM|TEMP)+] (VERIFY[:bits]|ENCR:bits) [+extensions] dnl extensions: could be a list of further requirements dnl for now: CN:string {cn_subject} == string ###################################################################### -ifdef(`TLS_PERM_ERR', `dnl -define(`TLS_DSNCODE', `5.7.0')dnl -define(`TLS_ERRCODE', `554')',`dnl -define(`TLS_DSNCODE', `4.7.0')dnl -define(`TLS_ERRCODE', `454')')dnl -define(`SW_MSG', `TLS handshake failed.')dnl -define(`DANE_MSG', `DANE check failed.')dnl -define(`PROT_MSG', `STARTTLS failed.')dnl -define(`CNF_MSG', `STARTTLS temporarily not possible.')dnl STLS_connection ifdef(`_FULL_TLS_CONNECTION_CHECK_', `dnl', `dnl use default error dnl deal with TLS handshake failures: abort RSOFTWARE $#error $@ TLS_DSNCODE $: "TLS_ERRCODE SW_MSG" -RDANE_FAIL $#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_MSG" +dnl RDANE_FAIL $#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_MSG" RPROTOCOL $#error $@ TLS_DSNCODE $: "TLS_ERRCODE PROT_MSG" RCONFIG $#error $@ TLS_DSNCODE $: "TLS_ERRCODE CNF_MSG" +dnl RDANE_TEMP $#error $@ 4.7.0 $: "454 DANE_TEMP_MSG" divert(-1)') dnl common ruleset for tls_{client|server} dnl input: ${verify} $| <ResultOfLookup> [<>] @@ -2953,10 +2971,12 @@ R`'$1 $| $`'* $`'#error $`'@ TLS_DSNCODE $: "TLS_ERRCODE $2"')dnl TLS_ERRORS(SOFTWARE,SW_MSG) # deal with TLS protocol errors: abort TLS_ERRORS(PROTOCOL,PROT_MSG) -# deal with DANE errors: abort -TLS_ERRORS(DANE_FAIL,DANE_MSG) +dnl # deal with DANE errors: abort +dnl TLS_ERRORS(DANE_FAIL,DANE_MSG) # deal with CONFIG (tls_clt_features) errors: abort TLS_ERRORS(CONFIG,CNF_MSG) +dnl # deal with DANE tempfail: abort +dnl TLS_ERRORS(DANE_TEMP,DANE_TEMP_MSG) R$* $| <$*> <VERIFY> $: <$2> <VERIFY> <> $1 dnl separate optional requirements R$* $| <$*> <VERIFY + $+> $: <$2> <VERIFY> <$3> $1 diff --git a/cf/m4/version.m4 b/cf/m4/version.m4 index 3942ca1a0691..bcdd76333d20 100644 --- a/cf/m4/version.m4 +++ b/cf/m4/version.m4 
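Review bot: The `DANE_FAIL` abort in `TLS_connection` is disabled with a `dnl` prefix rather than removed, here and again at `TLS_ERRORS(DANE_FAIL,DANE_MSG)` in the next hunk, and no comment says where the check went. As far as the tls_rcpt hunk shows, a DANE failure is now rejected only when the `TLS_RCPT_TAG` lookup returns `<?>`. Once any entry matches, presumably including the `E:` default, `$&{verify}` is handed to `TLS_connection`, which no longer has a rule for it. The other callers of this common ruleset are outside the hunk, so whether they still reject `DANE_FAIL` should be confirmed. I would drop the dead lines and leave `dnl DANE_FAIL/DANE_TEMP are handled in tls_rcpt; a matching entry there replaces the DANE requirement` in their place, with the same caveat in the README.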
@@ -15,4 +15,4 @@ VERSIONID(`$Id: version.m4,v 8.237 2014-01-27 12:55:17 ca Exp $') # divert(0) # Configuration version number -DZ8.17.1`'ifdef(`confCF_VERSION', `/confCF_VERSION') +DZ8.18.1`'ifdef(`confCF_VERSION', `/confCF_VERSION') diff --git a/cf/sh/makeinfo.sh b/cf/sh/makeinfo.sh index bd5da9c76ef1..29d6ac4a8fd6 100644 --- a/cf/sh/makeinfo.sh +++ b/cf/sh/makeinfo.sh @@ -55,4 +55,4 @@ fi echo '#####' built by $user@$host on `date` echo '#####' in `pwd` | sed 's/\/tmp_mnt//' echo '#####' using $1 as configuration include directory | sed 's/\/tmp_mnt//' -echo "define(\`__HOST__', $host)dnl" +echo "define(\`__HOST__', \`$host')dnl" |
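Review bot: In the makeinfo.sh hunk, `$host` is still written into m4 input without validation. The added quotes stop a host name that equals an m4 macro name from being expanded, but a quote character inside the value would end the quoted string early. How `$host` is obtained is outside the hunk, so this may be unreachable with real host names. A cheap guard is to filter it before the `echo`, e.g. `host=$(printf '%s' "$host" | tr -cd 'A-Za-z0-9._-')`, or at least to add a comment that the value is assumed to be a plain host name.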