Import sendmail 8.18.1

KNOWNBUGS

@@ -25,7 +25,7 @@ This list is not guaranteed to be complete.
   For Linux the default is to use fcntl() for file locking.  However,
   this does not work with Berkeley DB 5.x and probably later.
   Switching to flock(), i.e., compile with -DHASFLOCK fixes this
-  (however, the have been problems with flock() on some Linux
+  (however, there have been problems with flock() on some Linux
   versions). Alternatively, use CDB or an earlier BDB version.
 
 * Delivery to programs that generate too much output may cause problems
@@ -105,11 +105,6 @@ Kresolve sequence dnsmx canon
   DSN does not contain the illegal address, but only the valid
   address(es).
 
-* \231 considered harmful.
-
-  Header addresses that have the \231 character (and possibly others
-  in the range \201 - \237) behave in odd and usually unexpected ways.
-
 * AuthRealm for Cyrus SASL may not work as expected. The man page
   and the actual usage for sasl_server_new() seem to differ.
   Feedback for the "correct" usage is welcome, a patch to match
@@ -178,11 +173,11 @@ Kresolve sequence dnsmx canon
 
 * Client ignores SIZE parameter.
 
-  When sendmail acts as client and the server specifies a limit
-  for the mail size, sendmail will ignore this and try to send the
-  mail anyway.  The server will usually reject the MAIL command
-  which specifies the size of the message and hence this problem
-  is not significant.
+  When sendmail acts as client and the server specifies a limit for
+  the mail size, sendmail will ignore this and try to send the mail
+  anyway (unless _FFR_CLIENT_SIZE is used).  The server will usually
+  reject the MAIL command which specifies the size of the message
+  and hence this problem is not significant.
 
 * Paths to programs being executed and the mode of program files are
   not checked.  Essentially, the RunProgramInUnsafeDirPath and

PGPKEYS

@@ -187,6 +187,625 @@ mk6wxhyuojEHuR7it6IU5BP8vaAGrL1jb1c2EeAe+pdJwpAb1Aq6MU6uWqOGup8t
 =xY3m
 -----END PGP PUBLIC KEY BLOCK-----
 
+pub   rsa4096/0xC4065A87C71F6844 2024-01-02 [SC]
+      Key fingerprint = 8AB0 63D7 A4C5 939D A9C0  1E38 C406 5A87 C71F 6844
+uid                   [ultimate] Sendmail Signing Key/2024 <sendmail@Sendmail.ORG>
+sub   rsa4096/0x8DBCFBC42AF9E161 2024-01-02 [E]
+      Key fingerprint = 2B52 755B 17D4 44EB EC39  5497 8DBC FBC4 2AF9 E161
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGWUXHABEADBppmmbLqp0im5U2X6qAhePk4nOkW52VTJV4LC67Po0R2jPMdv
+yCqQfGeqO0RYPCDOF9budPKj5wWZQztBWUlAUOhtt0c20F1wjzvRC+cnlZLFIZp6
+rXlexZxW/2mXXX/8FED+KjLZXCkSV+W7TMIZQtvFGwP8bpqlf31vLOKjMri/QF1Z
+UQwHkWirmabwWx12x2DsYtkoSsyJnMd8ZAjnOxOVpnwY0ZzmXMcRFkmnuBLaIFqz
+h6fnLj65owkxnBKY/mEsuQJp+DZvjXNpPrTgyJ/77e5XKGuKr5fx7h+9BLpOODHb
+Qts+c91eVOybLEyGM+F5mfYMvD54euG06XVy+5Yi2m9+Oxwvkz6cJCPf8/S7PFLa
+WyTorU+qB22T1z43qfBrGivuOyAm8slurpRH1QikkTAI+hk21zwCGnM9Nvvh9zN+
+Kg+uUoiZkEtJ6+J+O5qK6vXV6QuP9D6KBjF0zv9pIgbrLRrT+xE07v9lrYuU7U8e
+znl819atkpNlE9NBb/4sxRdpmrAjQDVHpy0e0GbIKYKfla3rdsvM/2rIdbVGTqST
+gPddPExgPqyq1ssyy/7CdsNmk6qfJ9UJDKtKnTjuAMisfh8P4Uoiwvhqxbx5CW2H
+FqH3Ka0J/fXJlYlt3JgJReV+SJViADUyQYqacIMo7JOQVfVrinaGbxD0kQARAQAB
+tDFTZW5kbWFpbCBTaWduaW5nIEtleS8yMDI0IDxzZW5kbWFpbEBTZW5kbWFpbC5P
+Ukc+iQJVBBMBCgA/FiEEirBj16TFk52pwB44xAZah8cfaEQFAmWUXHACGwMLCwkN
+CAoMBwsEAwIGFQoJCAsDBRYCAwEAAh4FAheAAAoJEMQGWofHH2hEPNcQALOzEpQG
+3RQ6UcvFeHzK1NCV/oyZKQgj3val/QU9VoHi4RhBgosTqVAciHcKuF2b/v47b6AA
+3F3cuNn28LFFr2xC2e0+NaCT8oZGRcnWPi4NfslIQgUhTsVvnisVO2obcRYVjKBS
+9EEoiLStMyhGXWFN34yUQZu5DVuQ3JhyR8dqu4f5wd/1TD9vY8x4b7jdtIUDQQEE
+PvhzcWn60Rpqd59CJZJ1dk54ZzjzNqTPt4fu0EU2L5oKmMS18//9hh/oADfaLgax
+0V1MC3sMzFuMCIoLvd/G2XzyIRNu06brf9XZVMOMA/N6bueY8gyf82eVxNmfvnhN
+RcTINWeOmjG29UYstb3S72BSrBB5/oJDrOJnyeh4xvSjeShVFLyKRo6Bcvy5+w5i
+MIFlkWOl5v6JKSMUMCIzZUp7kAeU5D2CzQbFhgnOY+YFrYGgHQa4I4QmX9LE2svg
+SwFwFpDHC1T7fuO5kFRO8Xa2+YLhKWjEQsljQwyyOC8n/DhhatPC1/TzNNhx2meS
+OIKLy32yeIcHODlKTWwZPGRMiZZ12Z62K/i8bu8NkifXwtLjfbqmxZbP7XSFKNBt
+yDvYhHMQW1YiXbTREy1b2l2Z7m56H4VN67RFlnhb27EzeQ5fbBO2pXvQ5e+sD4Jp
+FcfE0QZVOyVN59FlCdaGvk8MlvHrZhwVnlnoiQEzBBABCgAdFiEEsXWWRFMDXc7d
+e+kZYE378oVBCr4FAmWUXbMACgkQYE378oVBCr781wgAj8iqPRzD6kvgmqOPRh+6
+YBuSZ3+QOZKhIf8HVsutfeB90YBRJbtCKucliRIVLj8qkqIKroWpKPAv1YlqKP2t
+spxfZoz9DzxSnwbXV4hmb/JfT7VLD9TBih7kBMbBxkY3ECIuvZi1roETpK9cSP17
+tPD9eFpvcG1N5DzCZTsMNEap946xVrCrFXA+etDW0BAMXtqzMlFOZt85hw2B7Z3l
+mB0ErTAjeb18QD07TbjMLl+wI5SPYddMBvYYUXic0CBliuF7m+MSWPbNewHcvYG+
+JGotuLZVp29ChKG2Id4qK5IkdYTC1rfwzuPDm5QpPc0ghD6vnNvmX3oiw9V7rQJB
+h4kBMwQQAQoAHRYhBFhyYhipE0AN5mA2ATmkx32peISwBQJllF3JAAoJEDmkx32p
+eISwcY0H/ivF8zsxMSMWxe45atG+4V1QsNW/gasu4MaTSTf8lw1WXEoZ7SA6HduH
+p7gLmRsCspDW5F4ELgpQ5wHux7LlrCRBxGHuFBn+zAptF/Z6zxRhHjcEBRQW2tGR
+BRYkfr8WxY3KvYbiKJBnn3GgmQoexg//oaiAu/BqBkEhKkgDsgp8B12rMUr7zpqe
+9WEGbauvzwvOnbDbJ3AC9LRsQeq+/MbXZYzK096VH799IRe5JFaQndavEPpZnuE8
+naPxesr77rwnOcPeyTxgAfZPEZXl92vznKeEdKZzaWtfKkFgVvInreCOwebyeOsF
+kEaAh71TgGGXgLRUz8LB88Wh4MaMdBiJATMEEAEKAB0WIQTKeo85okGf/7CpqyeO
+Wun7zu70OwUCZZRd3AAKCRCOWun7zu70O8nXB/459fW10n9esxtuWadhwnRlxF2O
+mdFnTLDj8RY1IC8zvi7cONQpPv9vPEMqWjgZf1D2hKYNnjy0Nylww4XV8XNJ3kWa
+riDt3aQkIuXt5iuYdbPp+JQV9rW0Uu5Sw3x0Gy2dVXDYcmSdu/NRkY8R3Uf7DJPj
+4F3zIvm6cLClC9SNXiz8yATnXN8wb4qVOih9JpXas9+OPkehcah1ZhfgYx8lj497
+/CWGx5+tdl2IBIUy19aQ4aCIcIgVX5xSss0x+7WhL6THKf3IPzDKMTfy6Wa1NhvX
++eq/HbU7yWftXiZgsGc1ls4P0NmEEZwPCvmq2mtIoa22DewB9tk0O5dUy8UziQEz
+BBABCgAdFiEEuH1FaYbxlIQH5cy0PWiyXVIHytMFAmWUXeMACgkQPWiyXVIHytOO
++Qf/ZzXfRqub+/gFS3Fi9v1xIPKl9fab3mRQU3HzXmys5AlLQOdi19hzqmmjW9gY
+edvy85I2Buf7K9/hVumvLp+7ZK4rY5PXz97GWC5Mn9mVEaTK2OgPN9KzfvtjxIPs
+KjvyfB0U6YBshuj49arYkefm2QVKRSGfTWDMVDKMOSwXFalYUape2+Ckjyfg8wsB
+V2hRjhMG0PRN5dAXZiPEbYztQanQWAq3DK1ohJLgFwattMpZrh8wUF9LlEtaSSIz
+/A1jv/IqfAVOudLiPa272xQOcGcZrONGcPd3BhpJ4zQM/cd9gNQzXdUPgwuV/Toa
+KFX8lNqY1JIjIIgqARw0c2qqT4kBMwQQAQoAHRYhBEn2qL6EczlJUZFvO2HeEezi
+djpzBQJllF3qAAoJEGHeEezidjpz0p8H/iGf0G9+IBcRK8J6Mz1wA+hemdVdSsTF
+6GYCKFFfq1b40T6Mc3Ao5Ea0P/AyTIFfVBoTvsXqNB1bj1MmOZETHcEbCrjyOKLz
+yC8SSH8PRUDWpPFnbKYyOnEfViASqmxHIB8G6nZ5tfucgasCrOUbkd7/QsaAeiv1
+/VkyGDx8eUDu6+NUCd+K25so8LlEotDhysTI7H1VKLQukduyBs6ziyjfFcGg8r6l
+8BcpMhRZ01eR6ZFQtYRcX0ZEOBHtp7nlx2gLEFrQ11D0+PJHMf5p0oQi+hHGkFJI
+V3i8Uhg9KKH/Zz3VIYoIt5v/73HRExOXMib0YgazoPnF6Q1sCEUrF6mJATMEEAEK
+AB0WIQQPXJauyOaenI5ULlxtTNGUKfsD3gUCZZRd8AAKCRBtTNGUKfsD3jjHB/4+
+up91LA7tS+1nUckjWyEyRNbUFaeZtd2mp7A1D4yIKk46JYS8LI4ION8R5HRgFNN9
+ut5lwsMN6KZJIiVcrM/D/W1NS8zWScw/K1dtzDerdNOU+bwU0aBHZB93SL7MwvTN
+/D+31oxy6LoQnFjEGBbWCoFpdCQceHK3AclqCmHvlfZi3/31sM26daC6Ntgn4JZU
+6BHP27cFdoHy0jUiQt/LXDDtsfXb0cS3us0+7wwSQ9h/H7E777MKsa8CMeVmSBbQ
+lY17TwBMVkMKrKc65aJXKkoezepew+vSO3tk86EzbuMt7iK6LLXKGtLK0IRVY5dU
+jLp8B1ir4qiXiAYWgVqJiQEzBBABCgAdFiEEMLynRwX6QVRVcx17qvW13gW9zFMF
+AmWUXfYACgkQqvW13gW9zFPe5ggAwdDEpOiEtSiNqXmcBfFgarSxrL6yIDzmSqTK
+Q6pkQa1xO2zb7yi0gVZkJQzSeMBi6IJtnPoKEviUdLbdy6mC1ya7u+OY8Ubic2F6
+4V6yaNuLL3T4cCK/7smiB3Fak36IidtOG6P4S45LuSlPu6ndXVSDU19me0hQEAmY
+7BA7qSj1lbuhXPskl2iJOMaS5y239UDYtqLRnBF1OXe+p8O8IrWp7L7anZI6eYCC
+ToVvfkPCvfFDsca0nwZLRdUk69b93JgE8gManrf/qNnv0vIhJX9q4K7sAA305Y6J
+XJo/f/kH7dwZwV5HV33sLc/snvjiq9TKSrlTJ4xjL4/GPxhuK4kCMwQQAQoAHRYh
+BDyKHo5/RMreEU/tRkvJvaZr9yatBQJllF39AAoJEEvJvaZr9yatPwAQALBWFBNG
+QY+qUc2PIcV7KZ/OAdEx8QLFkOVXPiIn6hlp8FD9OzPV9/F0F+VumG2lLCIGFMLO
+T1j1MsRA95tVFj4DgEH62QwhVV4JfxhBdKcK57g7IKEro1Ssc8xGP0FhDGIo96ag
+kmnH6UFhIrXJiZj9rJs/9wIJYvO/VBCB/5Zwc1zqWjdn8PiQMYZm9m1+DZcDEx3e
+8G6xPKjZVRzJMQ6c0tBRE9dZRSzwUaewl/nYwELMMOayZQndBPYlGb3PuYKQTksB
+3g1J4vBKwUqFKxzBXgMjlSpnSa/RMCqfvl2s3PqGARh7DrkULHtPYAl+zHeyTXNh
+Fq/RZ3/0GnuxXL9LHGxZug6LtiL3un8F71YYo9S0963PlxJ2i7b6U1Ul00d+ofmH
+9StrtvqQW+semspBJ+1w+WBr8v0C+vZBcO314dUAFsibEpmwMoy7CQ3PPj6FphZi
+Dmw4JXeqYyv1waS39FAE8kYC3z4yxo20aVlSmZIp79a8l2Ty/lpm40RBjAp9ulQg
+7ANlLRLhdKUFsH8UoaZqlLmJh56oVhJp4aHH2SSijYH5rTSOkTj3b4vIFlDMw8sF
+P88C7q80KaCrV0GIITL18JaI61/BL+96lsz+f91s7KxSR5keABAHmU6u+DNodi6A
+SWuxyZc8G4zli9liAHleKaTxClzkcznp/EC5iQIzBBABCgAdFiEEpoc9JKTW1ihK
+5Cp18GBZ/V3HzD8FAmWUXhYACgkQ8GBZ/V3HzD/c2A//ZQ3ZPUNBHuRHNBTFhEqT
+TW2kZLYlRpElpNqT0CsfKwxb8q/abLfh6Nn6oEBuT4RYDszL9UiBR9UC8v+dzsYa
+2Z+13XiO7n5eonH+oBHOBFDcqvp3jpm1mexhT4I7azyhFd/u7QQsN2R2b2AZQQxT
+/PIlF2sYvaKq7tYd+j2Qgq9ISa/Jy7dZQnAhxPcWTSB2ilgcPu9LXfMobWe6kVLn
+CCTTgpWDQ510u/BLQPShroVDCYi++pkHkcJw+9AAvblCtiYjjK5NDF4dhMu+nqZ2
+Qe57/Dt9VSEnNe7WXMvo25s9ON13ATXI8JijXaN0rJhk/uwuBdC6a/sl/ry4uum8
+PBG9aDvq44v3BOy78kEUAAySvUJ18naaydpSeSLRMDSCI+uzhZZbwRTTNbqN58uH
+4DcSIQCjyJgIrga7x1nTb3MppER8gtlWiaMs5cEWKYPGizCv9bmQR6HD3QbRww/8
+o2XlHeZJg1T8Yv1SwOmz5hro/8RHHYKNwgWZukEJSNFlQgg4FaHICM4c6ODXrD5U
+n4FYZqMgPPtu65i70lFBRL1XEABi8BQn8ZdX6xpRLG7Oi/97fXcSAcb1aQSVQKG1
+NYpFaY+eTkSsVoIIzOeDWxze4krxT/vd9J3HjXxLiqQhKh7iH6BJlNcCduMwTfvL
+fQRFeBX0FAKAt8GgaD7o0kOJAjMEEAEKAB0WIQRQowMJjqLde8vuKtoJ4B+gPAxQ
+TgUCZZReHQAKCRAJ4B+gPAxQThkFD/9nqrAxd121HLtLo81Y7RDgj2EOfRKTOE99
+8CRUGe9YJ1pu22g6leREISjO/641uB3qdosHYIQrX2sgfXX0p5mJCI0BZgTVMHHB
+AMLvrPAua1/BQan/ZVFVaSkL8n552Q9gk7VkGzubfcYs1qT/NoDzFJ18bZ8k6X6t
+EDYMYaQ15oluGb96D7H2BuzSrGugqsNXdVqNFI1uGpaDMbdtFV5ZSFU1vchlmBOx
+uZQFZRA1n7H06FJ5E33bk6evqrYIbmq87OJRdyUr3nbmSTPWaHxH/Xpt9J+kViDv
+78AbzV1y1j0ZTSoJ6pQOw/2oR9kqQrBvMEHr/tYMY0fZCnsGhD/Xcs3LscQdM5Ky
+c3Agh8/VvKU45kIT814CyR1BiYKLwWSthE3Lf/VSoOAdwWyydVBRmzXyOd0bPrp/
+KEaB7AlBXmtgBTnd+44jHOyo0X+CZdscNbCevcwaYXY4aDW8I+NcmLm2+3lG9U4G
+CITW+y7q7vMzisVLzd6JcvSOx1ixdlZDAfv5of4MqCS/pjaqdOuT2F6C8n187KID
+zB07m+ix3D60IN0YlBh8EP9Ptm07y93/bpMf7HzgNPSUmsOnZcFeNiAEFUMfCM8q
+t5ESZO43GMJ8a9Q3KhK/c2BeXiloYasyS5GdJ2meE205extfIyqkZrLQSBWgjzZz
+luaoGI3QkokCMwQQAQoAHRYhBK39twn+HqaC5YVZcdWDIQ71FHGnBQJllF4jAAoJ
+ENWDIQ71FHGndC0QAICBdrTlc3cPct+E3WfcOGSBrtfySXs048YM2gxYbkt6FtE0
+kY4dKK+dQApwpkxCWuAYMjO3hJJkhA8vmuD/RLhN786EgM0yCQoWJjrfZxhf4zLZ
+xyOPX69bY3L5IKQDFhCiGuPK4O4+QOtD5KeNmKrMOtUWD9TWOOyrhgaIApFHxJ7w
+qfWP9K/cYb4ifT3gmGM/RF+sCn9b5nUTf9bdpsnNE8c077V4+eciIfMyD2jEsxR5
+0T7RphhHE6EOfEcoS9hdXWXMD/xYKtZ4S6+iCD7hTfqHRpYfwkLZcY3XZ3BqUTFy
+aIiLPXhlEnEbfYz2iUPXoJlJFFhgG+MjWi9PKq4nMzkMkezJlrhnk+vQjHaehXkM
+ysCtisKFus+LBsf2gvxBXGYeIlDMc/qyPcT8uU7dEqeUZFJEx8QMCPpSvs3bz4Br
+5LsKf4b+/cXOPTv+w/M/kuVRXDQBKi65axu3TZrFRwPoGo0Ye1N5FDVOauhW+KWB
+itVekfqSQv8vXPMhWHyWUVXDyJ+L/gC24HV5BXbubZhjW38AOlc6spzYS8GTteHB
+HYJ0ArVRkonvJ7eKMvhCXPytEpqiZl88gxdApwiEJM0LuFRkZPM1ukmznGOpe+h1
+igbKFI5IWBVW7cpVR8Ga5Got8NIgxW6la+TVRPByOGSDJm8V3Hrgqoq+9/zziQIz
+BBABCgAdFiEEYyfdy15+gOSYfqO3/XncDIHZIQoFAmWUXikACgkQ/XncDIHZIQrc
+wRAAo6y31xOW1Nr8ivnXNXyoUv/vjz0m3FnhoZ6L3Ee3jFgO/LRLAOXertUHd98J
+hfeZs6UGxxMAt3PZsKi5t/DxEXsqtCY5Kh+97/zzoY3a4xOal/IF6yePfm1qs2QB
+b3Cun94eBEceAR/hM8mLZ4hJQbViyNv9HZLMW99gJa9QHqWAHb1WKloJzgZa3ye0
+oSqCf2416V4s4jadMGswGBgz6d1z4muziw+lkq4Ggac38JPtRX0wuNwPCs57ZhPz
+abo0yxFvbalznlRpMb1g1bRxCXkNQAUZ06N8lslO7i1Q6ef6lB6EsAHBD+DwH93c
+Gwuj0/UQlpU5Jc617EgbFw3LAaMwBpapOOMlaAKtGxLL/TjGt/uQqwHl+phlr2K+
+8aJJkR2VxE+ZABQ/GYNsEMxcxGl4f7+z2Apey4xXQ0+6ftcyWuQ5Cz9dDaz2UERo
+BBpzHYJZn0y7eOHt0sYDLSRjS86OIvqlZbSng+hEZRsPSJd0LVH13DfdnqVN8GmT
+N4TYSx5yqwLGrv9f1j5ktb5XruN0bAbiMDswHax+CrOiIS3fLQgaXTSaVOVLAfz1
+TCK3iPD0cW3g9VS1pD+5V1QMtD/+z0a6sCE/2tGNOZTc3EX0BSfG6d1Ib+ns52ag
+k88qQwwUPNVKP/K71VG1s/9pivIEqkybuN0wUQfDPd40/JOJAjMEEAEKAB0WIQT0
+ziJjIQJT1qn5ebBMZuqNS+4b7gUCZZReNQAKCRBMZuqNS+4b7iFnD/sH5tnd4N82
+AMShGyss5+dzuRuSOxow5rBiUxSCU8yM7hR7HS9OEdlUcWrB9JtNEClMfR1ecm3e
+VxiBkwkTS8ufKSq9LCB+31Sl6alQt/cEXZhgIpzD1UtjHEG9W9geL0uDgnYtG4Kx
+6UkbOy6rHjpM1U+bi0EtijbZ7MDCuqaB0G83JOgtJaqrSWn2Gdr95wJIOLe8X1n3
+MR/Th1csKLcDiA8sGmK3/DuuoRFtDSiT/z2RRvtx6pz8Swq6ftRoTdP/8oOncuWX
+vQXuMe2i7YdN1xOv0hPK1tt5ZwOllqtgdG4yabsYif2I+9vnr7NSAthyJLS1sREf
+IPDWRAa9roN1OFIJ4dl8e2SrGTOZUW04Lfi/bmakkzrXrNlv+I/ZJSHAHbhecPY7
++hFhl7bf4WrHMmC3mL/t9/c0k5U/IlCYv+NaE9HJvvkLJO73Em/A58FZIu0WCI8g
+MiJec8utHPSOYfXCuOx4lSfwNZT71Ct5EYwpPYwTEHyMz3gzwJ6Ews6/dcjbfllg
+PFFOKlRQ+2NLPePJJTKao0+/aDde3A/MqemIksndt4l0O88gXATH2L2xQUW8nPRT
+cVCpYYeGb7MMlRs1HrSfv+dqyN5Nru2EhK4+JYg6PDauxE7agBgmEfEFqgm/U0HZ
+993ihlmoKXQ6uf8goQlcw/bNb51oJaGfO4kCMwQQAQoAHRYhBIGGSgN18ngQZP6O
+Tc/5+WdA7ZVQBQJllF5FAAoJEM/5+WdA7ZVQRsQQAJtXGfu30oRqALvnZPOgr6LB
+aJcDKxFreTnCILpKwic/Xtd2xtuUGDJFc9xILF01lo1LC+2HRuJl8/hMUF5l+9PH
+C3sGfLFOHxzIuWxPvbf0rsMerGA2wwOsCyUzJpiMF0Hp4R18NymiIRKtcGrKc21p
+Q+/qAb35DkqKT+C/vRL4b7EgBqjWiyoPIcQpYrl10FNMLBWbLFmAJ5YpK/CKIXnT
+8vsh0V0uC2suDA3lMKqrKJ2SFQXutPoJ2LDa3xzRY8DS/qcGAhtBRSx33rUTgO9G
+M6bAabVZ8u2mbqcYtsl65PmhdlacUdZJs/YcWzLFYz65oIEF+QJEKu27dSkozp9w
+xjO83IVVzi8Z+gto0PpC1TTFqnGIR0GQ8Vxv65R8mmnOlBrylIztkEOSRszukeLD
+gf6FkOoFibWZyKcfrHu7abTjyJQUi7m3kBj6msVXSan6Bkk5/uKCM5Gb5wqilpDl
+B40RLFJ9w4/I15rqrX1b5FGuJuS27fp6EsDQ6Om1KyDOqGQyWqPa8fn++v32EFIH
+DwdxrChDV9Rx4ao6h4hcOxDAkY8azlQQE6AK2PPAFJlBrGW6jP8gVcXWhb3OX1Vg
+gfkOkXBPwNM3OaR8Bi5/OFDC7epKJf/VLDcie/sEWS1C/rYIIajOSOsUelYBw3xx
++H41dtDAUnD8abrpXRzjiQEzBBABCgAdFiEErSDhqotBNnCmQlLYvSdtLm/PqIUF
+AmWUXpcACgkQvSdtLm/PqIV/pQf/RQHfchEDIM8K1T9UUMWB6/cPvTRtevmTS1Pp
+4C3J8tJ5ZVpHws/FpbmEYjlh+qYjEf2+IDOxqQcuDBWYg5+uG3lR/in7tmlBUZL5
+r2o7kgJFlMnQ0xrNzDRtmIKss4b0ZchpFo1FVY9T9yFhf4Hda05mUvgQB9CO12U8
+s0/1Q8bb7ed+i8CBBkd4l31qi71bQRIorYiV/WDi7Rur4rmRifCAHU//LANRu4xs
+zEESREZfdDlWRe/+nV+DfLEBOcEoFyyUKOTfgq3s4982oTc7FwoiF3Y/RnzSGnPT
+81W9p3vYFtvBSKcXT8q9gdpuKVNuqckxSTQanjWoFC33VRxzM4kCMwQQAQoAHRYh
+BClslNvQKAJFv9OR13tSlkjuhXJkBQJllF6oAAoJEHtSlkjuhXJk8r0P/RaCfspm
++dlk+X0CPwS5NB/5PXuUOKX+HkdyEnvw1BKOaLCtoDn6eKYOfxec9X63THmaDRxY
+DS3NVvubJuNnj0jvc0wZC1S+JnljKH9//bBytOS5vaFG6sGlrXtsYmYDuePUV1+p
+lPM56jELbhF43izUqUjiO0l32s7cZUONrXxBnZVVDU8bX6jADAYGDUTOG0/W9Pwu
+rHmWLsjronVk73SQHy+fFnc3YWJLn3YhgQ03Wlhku/BWwIwKhbkd41LO6NKg5c6j
+5PN9wsbnjwoj4//B1mUaGQrrs0A/aLlbnHXkwYnEGDkwtDDc/7aMQptf5ibw5Cuu
+7+19orY6muxQcDoPrlNgOlZQpa4dYuaklqcroyyXtWpjsl7QjQq9Pjd0aQsamK0c
+Rxc5BJAi708xTVdz5AFRqr3Kh5IVSA+vh/feWDPDiGaiZn+VBdpjQnNpQv9XfNOv
+MGreRRWMnaEmSP4aoP+EQFAbJ6AMzMNanHwEqURL/sfyRInwQWU0Ib0slXYJ/1Pc
+8B4Qx6zRfYD7sCN0ITrQosRkgHjAakWD6O4TKrWn4MvOgilpv8L0cvFTDtqoBadz
+Wrg90EtnJNj9aVQldUEf25q3XFJQRBThgrj9nsfWAQrBnLVQYYRNEUYDXr/dUPz8
+jYEKAq/++V1QViOdRQVDVgvPLQkhOxlx4WogiQEzBBABCgAdFiEEsICXn00EPhnQ
+WjacYp747gyLgzMFAmWUXvgACgkQYp747gyLgzOfCwgAw75THwrYnkaZgreXvJ0B
+faaJqMwV9A6XTZqhQPfWOluS0uDf2qvb2xkifbYKYFS1+Zh9CoSS6PG6jeN2eiJ+
+pZGlwDnRPnWW6HmNCIVowHorN7/WikkW6VtgIkStyAWs6ZbDNDe6DCmdaUPl80nB
+lz8odz2MrSWp8g8X4RwY9Gn9ZzjPMEg9vtsfmE3fqrxAFOFXUwnFelIh/gVSzLve
+SFti8xUT1YVp1h6G+idxRtNAa3B4HJmt6J5maYxShGYazDNpECUKbWhhxLZs47dT
+p5JSMK7+YEU4R8o3g5l2z67FiwhzyeeDIxiuLp6jHSLBZgLxCDa2BFnGH6Ih3EZU
+dYkBHAQQAQoABgUCZaBFoQAKCRAQkK8gpapb5owRB/96vSa7bbmOqnw9qSI1APpS
+oSBG55BWcVSYtKK3juAxpoMqECNUcOee6ZNug2UujY8a6e9wQN6XrLZcHC0GfgTW
+EjTnOEYLa1DSOaHykeGsbsn7vSTP3yWnqRzVy82A7K48NSJ9WuEMg2L30bQlPzfD
+YdxRom6lm9fNCGY+pnXNRbNPzaGXvffEpNO1hydOAXJcLcgjHQU4wARwivwJe3mo
+yRroV8dxghzZPwv/Z/yQtv9qi/R8ePURy7TUmHQHFXdB6cGKiRzUqSqPIB4YBG0+
+doGUmM0rcaexLT3bxsATdjlp9BezBMjGfC0zya0qJzgECzQL6ZqP2ZuQcr9VnRHZ
+iHUEEBYIAB0WIQRZXh5FmqkINaZCDETxSlpMnlsyegUCZaPsvAAKCRDxSlpMnlsy
+eozSAQDvFfm/GTRBffAwz0vQz63G6OLvk8fEQRfRmCk7Oz7KVAEAy2xbAIR6be4s
+K7269dx836xUGMhnlaHNEeJm5LWoeAOJARwEEAECAAYFAmWdqGoACgkQEJCvIKWq
+W+bsIgf+MZMeWKF6trlGEMMA4AymDy1noGNh4RhCIMTIMNyNbwolafGgAqXm1SU5
+XWmy5DFX73shK8AUylHbsQgNWP1DvFrDuSJxvV65A7kAaxLZL6iUM86ROU0/JPj/
+sIAu1zXAS4dApZxfoalhtPO0khA3NwsLsRC5KoMhqnflAMqjCLJGU+hUeoRLaRl6
+Wbc+DJDK0Tku3bSe955jQwWSX4n4jvXEY8uWCz9O7Jpdbq3InopxipjaRAI2eZ1c
+x8+giU+dqf+t4PYFWG2wEUj0nYhiJPelPlTZjeoj139wYa4LaQWQNsx/DuNaN/qh
+eLAsSJjEBCLilcGeMjmwxTB1Ye12V4h1BBAWCAAdFiEEm8khXcnQ1jYW4dNowNJz
+SkuCZC4FAmWyHOQACgkQwNJzSkuCZC4/NgEA1i1SxAKy0iuFJh+SEaRPamBm9wJR
+6Fe8ag2puHcGjQgBAOse03HZ16J6dclkKiImzPOeh30OoO7f7XAlfsGCAoIPuQIN
+BGWUXHABEAChE2XRFvR487S4XYimW6Srob3N+l1kNjRG7+mJa4z9bGSjP1krRDF7
+hAoNoMB3xvFePCiBQsoI0uh6I9N0SfCq8/bNbIJ4mKmbFfRQ/Ute+qVjqCsBjVIw
+9BAzXriUzIenVcx/Vc3qGVxOIj0cFVVD2BRz4KCDk7bslcOFyXB0+4dwAP2DCLxY
+Erv5+8woxgCc8bxT+lIumv8CyosLYSzEbJ0rsEowQzYwoFs20HrtKphz7Laxekav
+e7cWySDRmnJ7Ka7QO6Cnno+Uq2MCEV+pyXCKUkhS+tdzTJtOK8wBh0dgJATkgLg8
+fv5prFr5hzZol/2/RNdupHjNbpYY0S+9TiVErbmPwcZ53P6GAVETL/RtEHSFl/D/
+ZSa6cjf3iMs1xKLc5PZOd+7F7VG5YULzJzWZjDNUV33cqdbAb6LtyHIMISkaq53p
+AcUIG0z0OJ8rDxraxCfPB6i9PKLJd30Lor8MJrhZDig4NkY/8Ai260FWiEP5JFQF
+P5gRXAVThSJh8sSmDz9rWP3Ojhr5twnUtQzoACAkMvW6+OW2gu1wZ/PiUkdOavG5
+mPmSqyiGcX2tUdawdXuWCfbdkcuW5lmeFF7SVd2QZBRh2DtvkLDf3v9BgsKhtLHD
+iYxDwFiGTRiBC6m4foBm+r/LybbZTaD7VAvn7h+2g+NXrB4u7BDlOwARAQABiQI2
+BBgBCgAgFiEEirBj16TFk52pwB44xAZah8cfaEQFAmWUXHACGwwACgkQxAZah8cf
+aESmrw/9HmEu0OVw5TSt+uG2nGixGa3RDUSvruJgRrXIkYh8u3ce0FqwCPcNrVMj
+oMVlQbHR7B1TNxIc/HxN/QoObziDM7xCICRw90KgG9KBR5QkkplrVJhUWwIYmVOH
+SI8GJ4cdKxcMqqBTsoXzgVIbY4DYRLgBTbTbw+udhfB6cRFnzwo708cgOgz6AFdW
+X77KFUnkpKSnSIjuoKR6yHoxjoS84dY8Ob/tZ3XPtWGFJdsWjQTuCUh9yfzmgm1W
+4YNsWe6B9JXtbGeV+L7TOmtEA6ZVPUXggWfcAtCpRvDDG7ZLEM8UE1WSqg/48XG6
+novP/rR3btWbg0esNpo+CN59gTjeBRVdar2zwUcefHDOejqvt71X6VPRHOmAlg1c
+2SS38X0ws4+6icv1BIOQwfJue1XaQueREQP40kzyTHfTe37UEDfW2sGJlkq70wVv
+qK/2Qf6f8FQ71agIT7NAGEA3v1fphAXNcjoNDZvDNYJjxYJePV96b3IjLZk/fxDR
+esdocQEXxSQYXOFnKpFLfWInJ2FfbDeXHMCv4agPsr7/jeGP86rTDm4RnbONCueE
+hdLxDtjGiyNBoGE0v8eYvxrvvxexnANI9Hjj8U25OY7xIw/J8b8+bFvZfnCNIZju
+0kBpsSGZOYdsp/To02UB/B9IfnNxgwe7H4CAg49/YIDOFEmm2lI=
+=2S83
+-----END PGP PUBLIC KEY BLOCK-----
+
+pub   rsa4096/0xCFF9F96740ED9550 2023-01-12 [SC]
+      Key fingerprint = 8186 4A03 75F2 7810 64FE  8E4D CFF9 F967 40ED 9550
+uid                   [  full  ] Sendmail Signing Key/2023 <sendmail@Sendmail.ORG>
+sub   rsa4096/0x592DCD45F765BAB2 2023-01-12 [E]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGPAfZIBEADhYk0WirJ5B3qPnExFOs2UXD07+64hyIUT1UahQC4T0JIUQLyo
+mVgKIcD9yWDdYEFlEIasifCGfE3QaNJCfxa7yQZK7bmXfKYEAhSxUk4RNcQ7e1lL
+v1/Ngq7r3P/7aNp5YWZMobG4qeS8+6VneC/+f6SPajNEj97q8XuGpEw2oNivnb0e
+hJcMDmwC3A2E7OT2drjdO9fTs9GnqX7HwoDO7dopZbU+ggVFPHYXUxvagBqKsnWh
+2QLbJHhiWDgGmjX13s2yIdbq+aHyfYjTvAN2Y8Ej6HERz06qe+IAwRMzC1medASB
+PZlScf3iWfVeoIuUb3nrDturpZ5tWctzrGbX86gJ5QArKMF7W2Wkgo3pDHBpojnj
+T+LTzDBC6DOAlBHxMnwbhnFMhLGkUFaB95Swpipx+Ax+dY6J5/KELSYin+DbDbLQ
+/82U4Vl5mPe6/+4W3Rxudt6kJDqgOvV14brp54fDXNFvTav23N1AeapkVv7CH7JM
+KQ8COVtHlazqi3a8NGiaRPLHcvFl0kpLJAFLePHCIfbgt9O7KKKFbVvm3Npt7z7z
+5c3xV8UnaTw5MCML6diJTVrPdiLXSIhny2WFjG4Igu+MyZ+9gJkbb4E9cl0Eg2Wr
+FFWjUO6SxBjQuoeKqOAKRutHVB2emnGjdFp7RhGZxWl+k0KCXCCL+Ii2PQARAQAB
+tDFTZW5kbWFpbCBTaWduaW5nIEtleS8yMDIzIDxzZW5kbWFpbEBTZW5kbWFpbC5P
+Ukc+iQJVBBMBCgA/FiEEgYZKA3XyeBBk/o5Nz/n5Z0DtlVAFAmPAfZICGwMLCwkN
+CAoMBwsEAwIGFQoJCAsDBRYCAwEAAh4BAheAAAoJEM/5+WdA7ZVQwu8P/2DZZGhX
+eVuWGqss2bGNJWOKjagl1LCHU13OYkWs4Cc90ojGZ2Ls8+wPNbl57EPcUOLp2VF1
+h+gozkmT3XOZaJICno8On17MSbZh9tHwKsu4XnQ6vvDvB4J3dyusU1HJ6LKpBWcP
+3ih6JGaye8X1c0jCxVvdzB0QSns+A4MZ70X0o2ymrM16aPs8qcMAsB1fZ0iUEsA9
+o7DysAK2zOW36sAiAYiOCMsQWbTwdOeFUfmLgVkuVioxFp1+Tuy8LyDvelgkcA7n
+aFupVw7ke+rSmFLNkZ7txICaxVPXqy2m3719k9GY/Ra9Q6Vt3iL5V69sWSnJodt5
+tPOEquApq6pfZiH3FDDKy6rxPk0yYMDh+ReAASXLG48idc6Db7kvhgqRio70C3NA
+rwM/l8x4YVBB5LhNYB2Oh5eR88OCeHjjgtb2pO2SgXhXOHzA46SP+pxX7E6XSmnE
+DBOeBtx/Xr3viw06lBFEXw8AigARMXs0CvVAxdTHr5NkymlZMn9IIvPTS6P7pikI
+KHRK/s53UCOiazNmIJUqpwPkZKwrMtG79ewAYsKkDZ2vZ1nQlhzIahbv39OkJGzY
+x63GIOrc5QfFV0ZVip66BoKulA05HcFfOBS21bQq4bgwH1fAMUkd40XhBCHE3PrN
+ZjSETS+YJk7zFIUoAzIQIrnp/ieQXChV/hsNiQEzBBABCgAdFiEEsICXn00EPhnQ
+WjacYp747gyLgzMFAmPAfpkACgkQYp747gyLgzOsEwf/YZs7y4fYA1K/qN6GaUtX
+SqrktwJSafO1zfzCcXDDr1vkRjGr958Ckd9e+pDvPebBHRCnztFVr0bq7zfVZI6W
+kkp2BNt+6LsJY7Eh1uin/VDLx9SPHjfO3gubyoW6RD9HSXRXuwBJ5eMXclymNQLW
+AR8oeAWl6RMZRe+iwdEXUwS4iVPlJwVd3OOluaRrQ2Lgc1/pbFIPSmgf1dpDGkW9
+8wtlWCQ0rPgKFN+IL7A5s25YQf/rdv2xhYxVpTtzfTto/6Pkznf40O2zB7pbHNqx
+Dtz9AFAWHxy2q/Dd1xELiVAKO63OcHyLJ3jXa/MIYmgD6L1A5w15Xkrb5zQXnfZy
+64kBMwQQAQoAHRYhBLF1lkRTA13O3XvpGWBN+/KFQQq+BQJjwH8kAAoJEGBN+/KF
+QQq+5F0H/18B1V7RcXLbdUUoFxXdAjAi8q3xrt4Q9K8qU7CnwjBiEEVJOs9BLilr
+lYGWglPzoidXFH4xhkU5NIZml4TNTAz43dC7JHshrTiYT/47RlK6ZOiL3TMlGlfB
+k/WxziZmiq0s9LzpKbtzHNYUwPlvajF5XhhB56CgLaHMcJvV/0h7aupxXpSaPRJx
+sL7TpxRbHwUMMHZU8yTg/hqoUPiaOxGrCtDEGPv68I7JDFnJ3mCDJ5HofFp+umo1
++BeDxwA+Ww3M6qOU9tZEcGbeDwbaq4K3DlOT0zSYBWsTebABvUt+ZI7YM4Dw30FL
+hfoh1DqL+84XmGwVh+uehTAQciLc5XCJATMEEAEKAB0WIQRYcmIYqRNADeZgNgE5
+pMd9qXiEsAUCY8B/NQAKCRA5pMd9qXiEsFiaB/9YtG5NUXPb24BR5+kJRHorRzsS
+FxXtqggrCZvKux5Pxp/PB+B6mFBu+Lzs1lH7p3FRWjFe6lCtjuHZ02IzVY+S8VDi
+tfn+RY04Ie3gmLPj7m7oIxwtpf0xAhNWw9WsrC/dqRk+Z71m9ZAWgLSUQOEdVjFe
+S9GrVsMzZAGR1khN9tTuSuBWIvf959A92AcppVKt0BeZGiX1hXuD2jNlastn7FDx
+Th7tNs1jEwcvB8N3/HleziUtRdNLTpHhyL0Kj3MAoFWl3vYScfQjUsyzmvp/xqX2
+IFJ+Wl+R+GX5lRvim/L8mUhFqtdoi9gHKi4zQeSX8euthSKqQIeE9YJ6vbg3iQEz
+BBABCgAdFiEEynqPOaJBn/+wqasnjlrp+87u9DsFAmPAfzkACgkQjlrp+87u9DsW
+vAgAk7MBqFo7zWs/50346LqeP/D6DBRJ0JQ9k0b+WE9C9hnm69B/k/y1lwye5nJu
+3O7P97WQ7Id90tdAPfiFGpiIVf5bTog8Awps77M1A2m8cuTtkyevm3C7IA+UeETV
+5K6v0Mq0xF4AM5aQkpmlRWUfkDJrmePOO0onlKtx/qgGI7wRUlpcBXa9c80U92ug
+3zuoGLkCNFK26NFyWKW4TcJ3JazqqY0qYKZvem84zypx83+9RzLbAO+MbOFZmt5V
+ltQvNe3+Jr8eM4/QAMI0JamRWnYiaPrqXd0LKNm8tjgT7g6OougGE6uz2X2ZnowX
+GjnQCSayuqKbaIsjzwyi1o4JKYkBMwQQAQoAHRYhBLh9RWmG8ZSEB+XMtD1osl1S
+B8rTBQJjwH89AAoJED1osl1SB8rTneQH/0F1YGWsDVYZmJuwk9YdCY92PDznDWqB
+jRNRhLvvCwFlDfuOsdRMxE7JF+n9J5jtxS56+Qgg9GZBeH4t0K0QuxFr5UTO1pg2
+HacEAkjCajqWsj9eiNqM+FkSvqZlhJ5bsQrojbz0HbvjSBqz0VJZPPFvFfW5PnRf
+Ks+pYgsYYYJJr+1pr2gAd632MXXeVVoq59bHfvSSsSBj5pHIOk3avRSUlexKQAKK
+Zguue9Iz/FbHlwtS6JU3zF3GXlVEx1dKi916Pj+qZc5NWqeVj2BFSIkFMzHRnbnC
+5r1J0wnmnrEAbNjXLRyUUAiqygYYNjoMD5ICSdAQlHaIlTelTNZrGjKJATMEEAEK
+AB0WIQRJ9qi+hHM5SVGRbzth3hHs4nY6cwUCY8B/QAAKCRBh3hHs4nY6c24iB/0X
+vLosenZl+cY1v4ziEb6kmpw5UIiq4dk/qiu2E7LSHdQsiRcgMc9OJSiE1Txk2w2d
+RndDoGHmUc5fWHM1L87a1UwQkGDtUcZyvktIRY8C37Jlqa+o39Rfmoc8m23ko4R9
+xg1YfHswPjIw0KeDC86mFkjQ9l4lCVj3FNy8SZ7+XGLPGLonnAp7y+bMqjIPPSgx
+a4ze2V8J8PiQisUQ1qoBGLupUShdyXCo3fasIVcaHBniVamsJIdWU8bcLxLeT6rc
+10JjiYsY86xiMNeDuSQeamBV9wRD9SK/65sa67ZcJKEQxlDbnj6COhHWtNiPWn4j
+7kQoZ8rzJmbG+rSj2g63iQEzBBABCgAdFiEEMLynRwX6QVRVcx17qvW13gW9zFMF
+AmPAf0MACgkQqvW13gW9zFMVNQf/Spe1/kroQ96SexHLif2N489Uk5yQkyHePY0T
+IgyIy+zA39vGcSKeAP6GY0jNaB5tSqtPOhsMzbcmF1r3R9/6BXPRYiXFAYmodqY2
+Azi7DN0HGZXvZ06Vax1fktPQM9SkM1aIo1tPR29QIWB6n3PmoQbfm8azPP7sLkhY
+h3SrEY45836PyYhNv144AhcVNt9DH+X9ghPzOd3+pxxODfcZONFI0zxI/sHVUmzw
+n+vvoG9QWYkubHf46hWKUdPZS53Nr8lJdGJ6Q14MaQROc0WXSD3xDDxpTb3/LhVB
+L8ChtjbFW3DO2LZaAGzxlhajceTHkZhsTl4zFXpRtgqq392u64kBMwQQAQoAHRYh
+BA9clq7I5p6cjlQuXG1M0ZQp+wPeBQJjwH9GAAoJEG1M0ZQp+wPe4ckH/i+wcoKc
+By10pwp+PEa19icMw1yHw8nf/z6y8CNBx8w+dv6c8DAwj4V66A0jqzR1M1JhXHGj
+kawT7tz6xCfb1fFDz4142sujfALzUoBhnUVZdsuhLuUbP8yfqvy8ZzC0eJyL3x2u
+DyNJyhf6QGT3n0sNzMgoKPrfHJ95RiBBK2bZB7Din9hs2Dn+Rwmh78yRzxrF84pp
+KRSlIm/tK/oyriggFjUluw3QJUoXQ+Dr/W46vGq2Yd/Q6z0dmkZaXrhckSsNOZgk
+2PZq9Me5sZqqUJusFKqp7uqrG0Ck4SqYaDPlVRW3MJqpy64PGiFpSbz0ZcgDMEkx
+DTK/3s8EuZPM66uJAjMEEAEKAB0WIQQ8ih6Of0TK3hFP7UZLyb2ma/cmrQUCY8B/
+SQAKCRBLyb2ma/cmrSihEACgDA/XzgwagANu3Ckz7lHKcoMn4FEiIpiWoV8y4wF5
+k5Ku20QYsODBaJlVxn/d+4l7sRrlVd2VqlTNuR4J8Gqv0504iic9vxhIhDZ1AmLy
+Whn6L4eildS6fxIplSLPtippMbTiDuWATuHNy/nC/kym2eZwfPhA/D5XJGvBYadK
+6oRGEW8FkQXINe0EPID4kk47w/tY3BwVNc6IwBL+ayvdH6OgK1ojctYkJDGH7JGU
+C4/EJb+gQH5x/B6vzh2hCqxUMjI60v1Y4bKGLhMDmHEzJnRAEC04m9d8D1VIGBwM
+dhE1wFlwha7BbMoBxeyx502Lqi2T5UYYbC3lVvN70Du5NKTRvgNAb305nKLO/u1r
+l5UrRocediaZA+aKxzgrOH0DVuPumlkM55LmyQh4+SG+/Wx8wQIKrI4mvF6AAQms
+V+YUnhMZDbttTN65wDgIVuWbx/rbooV4UC0UTTGXQgA32XMKBrjF4V6v/xVEvD21
++Pv8hsERngyPg/DmpVhdH1nfzwBIILOeVKEwUfxqat2M28Nh+Rtud/tloqcTBRD/
+CeweYnfE7bHOWa6wrdHgs4ePE0qRKp68aJkZwB1AEU1f3zLHjYTEPA7jsDXpQ7Kk
+UszUWjXvaOTo69TATJOKE+JqcSgPgHAocdfnq3jusyOVsxv70sADbhHHXAMWbr/r
+1IkCMwQQAQoAHRYhBKaHPSSk1tYoSuQqdfBgWf1dx8w/BQJjwH9MAAoJEPBgWf1d
+x8w/e0kP/iCb3A4w3WEjyff2/Rg/+l+MLj/2sQTUn4ESPJXoSzv0k8Ug0HYIp7oQ
+qVM03KFJDkzgrKOv18LQmFmkxbhgPblDr+rmfuUhuEGI8EfJalyn0OWUo5K3Mlb1
+1Uu7JsDfaY/YgLGuCavRU/QmPVkiut8PZe2CcQTCsI+YaSGK2p8bzZKxYDR6/Wft
+p+Wi/UD/K53goa5fr2zH3aGlXT6jwewgbocnq/hrlREhyKuiaYj/99mpi/LXX0/a
+829ObaLO0hysSrSvf6xgDvAdbbkBF3RGAXPTshfDfzaWppCLdGdBSut8t4fw4wEu
+UA9SHwcW6zo3gs++lGUOSWv53KKMI9oSyIJFn1SQAIeRC6qPSPSmu+LkejydaKlO
+/B3nmDdNwTNZA7U3W/amRrFzmhg+vwBWQraLnsAoBO/MdVDrVR9OOypvj/PEK86J
+kF1H1Y6YbbGz9Xv/XxksAeEKafHx1057QR8aZpec47WJRaZqqh3g1D86uMowjYrm
+LKD7mKGq54RkN5FP0/HiYPev81yc8vAOhHsnTx37DGj9sGiloiOSZI+V/D0MoZXb
+g/LoxJEKL616hVdFhloJP4BaRwUVtC0e3kKayCe/ND6IzCLGsG3ZVUihIghz/bLL
+7nN4jdkiIQvOqGnwGQoho9hzI728ZcJDQXonTX/pbWGCvZBs7exciQIzBBABCgAd
+FiEEUKMDCY6i3XvL7iraCeAfoDwMUE4FAmPAf1AACgkQCeAfoDwMUE49mhAAxgOA
+zA8tKzto0jM8GXYHhopYA/xFmFOjfXAgnUIN2CruDqUdEoRcmh55B4VpfA/yH6XW
+EnY7Ll/bT+v5SgR0cZ37bmfqsWLWJZ2qFRF2xLBMQdBWhtI8ZckrfPV286bHAoEX
+iDERHjaGYfGI4KV+gVfo99/SMCMc9J7cirIBXdAhZl/oZmLPZXDdYwso8p9Ypls4
+IEU3u/DSr/91XVk0QxjdusXi+sE0aoAPYZXzgU33S/Ze2VmYK2IW/3FQqxEi8fp6
+JdhCiSuOuPSzDzOHHZ69PkkJrAMR9q4pfHGRFeqHDtR1IIsHgp6x2Nllsn3wXybH
+ViBPW4iiCgnGO1cUyeej+okud5zM+T57D7wlC5YSuTtAhFp2T46ZfY8uMzcAtREj
+17M7yZfJq5CIl3//jRp6es5PrxNIADWlQcJugx+Bqb920uoF/wq+4P3boVL5KQB8
+VPRC7TpJk1Kr2jUQ8AsIue3sNPAeRyLeOSdywL1Nc4LJ/PVLOG3CVMd0/GvpDV7r
+bbNiQ99epowSMhe2tX5BfThA8gvXpXCnryH9ZP9gMYL9aReBgB+fWEQubR2C9/fL
+ChHQEXUFjVbzD9AAqrP+IsI+k3BEx/xC0mqdH+K9r/snmsIvJZpHnEDI5FDlFcK8
+OFsnAJeUHgxnn5YpzftpCiSEt3/4LGKUJsAX5jqJAjMEEAEKAB0WIQSt/bcJ/h6m
+guWFWXHVgyEO9RRxpwUCY8B/UwAKCRDVgyEO9RRxp3QUEACSDSNLfjchj8I7cWIP
+X3H/I6pWBgLfNSaG8HOUJLWtVy1sBa/CjahoARqqAfVrRyxmmlWZaqkL7/MSdHCj
+Vub7QdXoTrygw32CKcEgDhuRfB51DxWzqD6uZg7a5cdpMzWcbyxFXa498CLG6YZS
+0DUYkhxCC7lolyhS+TX5JhLfv2mEYUn0Ut5WFPASEX9ImYDypSo8xMeBNoMaU8GR
+NCDVfrFHXFvMVbJIohy4tLWprSZ0tCiSQqGeqj1kwfu2CaXu0nT+mppv+YN+0kJf
+YG1SGGcjZvMBYuN7TAEk6k5dhUK5oV4NkN6K3av74GnOenjo+9RU+ovS2TSGP5vf
+IAq1mOYL972sB3tSryrVakhNrsXF1Pp8TOXcU0nu0yX1hdZVaZyglmJyZWWydhGP
+h+M5RFPEqzwan3SEUm+VL2IR7DYf2JE7nQ5eNOZzUFHpFqMGGhMsLG96vzct3KiZ
+8EGp4ohGrkP+uomyAiBKTqyPuyhFkV0edWCQfblmXsENi8w3VJN5z+fvcMZ9UDzg
+mU5Pz6XSfh8bQf9gdRB5803TcIbj5bpYsA23UPeJYwa+MlLLVYLl3n+Wt/HwwSLk
+me8dZW6BzjRWiDQ0hPjM++TxIPUzeI5p0VJlaBWcNarKe+z3XwJlfQ/hGLjiuDzn
+v2gH1bJvp6OuiVeWl/45quB1xIkCMwQQAQoAHRYhBPTOImMhAlPWqfl5sExm6o1L
+7hvuBQJjwH9WAAoJEExm6o1L7hvuohMQAKCChgHK1Y/JaLMGkoFBThyaVKCaw0FT
+z5zvjfqunNgFWnip1wQhi6inxvGcjoFFtp4GwQO4yMDkN7dkn5NIcmgePhJMm3xU
+cgLvVuhimNmvYyH2TduMvFOlfrJEPURjxRGc6LUUXincvwo+C+ydYFJCkWIoEgKW
+RzSY3qsISDZmXRY3JLVRjXqO3nnvsR2aB2bgOP/EKS5oK4fjpi8nMBJXX6w6cXFH
+4V/evwpi0IlvELLzILrq4hPoK1jpp7UIUOEC7FJkoFmrNoDvR9WFEC16xoKPpcc7
+ophote6HyhxZc9NKEinTHmy6ICAuCbGL2ADdD6UJKQfclnutw6cjEzA1Huc93MSe
+1LOECsRq27wZ0Gb65qQNiS50oIpMaLSRwxMywLiNbyzdBOoS9P3mtOQLPihwW/Zl
+BdLW29LqTf2NPD/YGWHn4tA45BaTA7Q3nvWIXuoupWfboW8yOxplGSxaDSGfmWhf
+1nWPWHQm12fSHWHTBOX2DL9LVmzERzbjxKJVK20acvwFWbkbJnTcNZCYUqh5DBHA
+FKOFjJ5LykxqIAkLaibqwxsHtaXgWVM8us6UY8fQikt68qMZnd3CUAeHF6xUVWfh
+nJLXjqGcGl7QMbp7c7AuchnXSVNw+ziluzgOV8/ADHAy2vBwISirb+9RylhpRwxK
+oOcSf2vSNE9tiQIzBBABCgAdFiEEYyfdy15+gOSYfqO3/XncDIHZIQoFAmPAf1oA
+CgkQ/XncDIHZIQqAUw/8DKw5e/TRjFx9a87GaE+sPKn1oOMPmqq5lUmTEoFDtKxa
+KCMw15eoGokmy1Lb73bxHHdpShHuo0ZwwtJpGOQC9aXzoVOLw9PJ6QamU61yoSGM
+oAI7rhbYuVVTf8i2Oa/UV4sK+Yc6kzFgM7kZManj0/MF3y89JTnUYkhZ0pvw8ndE
+eRqqElV7derO6ANWwNv8PntkxUB4uP5NanoyvScYqiruIWN3OgPEfqvf7loC6yMe
+g6I0/UdJeUAGERkiGpVh9HnMxZpIxVIVFmA8hFdvR1rDkxTaFVxx6rlwObNy2ewM
+yeqdF/eJm7P3g+z5tX/f/LscoFXDEHPJUf8BUbQCsHyQcvCcHh3dLa++tTMEpHdy
++zjSH/u1CNTfKL8EaHMsffQbUEKqD9Eo756mULzNcsdScEQoCwOyX0+nh5uoZ7UI
+JMhVXDfIXQ1fhtGv3vSy+LdAUeo6yA6F4V4KTp3FrcpBRtcUdmmD377wr7Oz0n8X
+k0Yhty3O3rlRAh+ZWF01sKe3ghYN5J5nktszDOh22rc2KmJn8VbTaNyzBzxB/RQl
+RqyQYxNaBk9jRLRiafdjGjBHvt1eVo5/WyqknD+j/SrpcY508OLM524o27Npl2MM
+xoOwvBX93cVmZpDYJFwNJloyT9AcFLs3qeKfsntevolwbPoE9pLCB+6Mn1DU77uJ
+ATMEEAEKAB0WIQStIOGqi0E2cKZCUti9J20ub8+ohQUCY8B/XQAKCRC9J20ub8+o
+hSOrB/427yQ7WhIsmadnyGOL8HUcE1YGgAz6fWiNnIZiFntHbBKZfxxugGXLj56G
+TqZeoTy3cte9icOaZxbOKNyQrWwYGhPueShbAEGqU837OA0vWOF3Whbw27EPgAsa
+9gBbQUc4QPM2KlNOglZ7e3m3wMEFEdOVTxw22Dthq5xr6U5gj86sug7qOFax/MEs
+1RMCFdy3DLMpS+lbgwoSYeYb6flTN9fqdtsQ1iTzt/XYyP2PPE5LImpDY0oh0RqG
+EndfTbCi5hvnOgb99Ws33ynLzNVBlNOalc0QOa6zexbFzrsAqipFBlarRkHzW7GN
+B6p/o9CP/rdaMsfJFPbPCgotkIk3iQIzBBABCgAdFiEEKWyU29AoAkW/05HXe1KW
+SO6FcmQFAmPAf2gACgkQe1KWSO6FcmQkzQ//ULifrn1CA9hOcFv/wWikZ2ZmdTdN
+tBp5JeyfCspKMTk+s3ojMvbD9iXcOTn6bTAzCiVVFoK1vPrwOd6pW7yBxyR1HTjZ
+5lu1/mW/lF93ASxEDGOgk2I1v+I6+h73E0S6KYMTwLt/D/RBBkgeRA8/zbY/ig7L
+D+mfUrxILwJurPam5Jdfg120zidY/k6pQdHdAtNk6Lb3z0px51SrdSZSKDiPMu8+
+idoCEckl1EUoWXwrLSc1794S6Aa6PmfpJjvkjtV20Kz+4IaFtZWbtFrCid4jBI2g
+HUTQY6ZaUFL5ac/k5alefjRo5PmSqCJgTMPjC0ZeVjbFmhructO+/4dBjaUe3Kxn
+iwsfEVy3QAte6VTA4nORD89UyX4A+vtiosEccKTSIXIS08VW7hJ7OfAzI8HWiTxe
+FBHuROCgIeEqQ9EHNJ9zDqC4nEF/uqWdekdRaKMygkdFI+XY/YC/f5iMSEZgyaQR
++AMRhA6WCXZ8zwbKlbXShsB7nR0n58YyNxiHa39faLTsKXgPGFI4NI6nigwSuo0V
+5E1k0LaqLnbUpAJHhY3F28XO5Tw9hn9EHYesHFjFrtk2V7aP2ZTLKEqUAd6UDJ5I
+AKYQDV1asbFE/DIOmVGLx3Rn/DWqs/EAnRF0kvKPAShL1YFV3Woq4wx6x51EAQUl
+wwwoTWZoVVVTj1WJARwEEAECAAYFAmPBLE0ACgkQEJCvIKWqW+Z2gAgAkiljOYsP
+2M7b1odb/W9MqC9a02pXPYs72QIV4EYG68XwogrifZEzwH3Nyatt8OW/MxyFGbM1
+MyV4N8ESQYQuzrbbESsZj4/pd8gYMugewuOkBqpiAsYQMN7mPk4AQlE7+EVrUv1e
+0ILz/X6Mvtf3v/Oendz3GoLSC8G59wN8CMmiYfKVBBvBOHkMcAR54DcG5qUm9qrH
+9Bj2xsdT85vkjBP57A6QJA8CIPL2whTIj4uh6ITdNJ5Ux8naELn79+nWN6I3XzyY
+mpxIp2k9l4O5kPKnq3O8RQyA0bkKEHo1vEglEntT8+Jp6rerF5T3j610Uzjqorpo
+acXp4TPhzqBT0rkCDQRjwH2SARAAqg0B0q+BxY903PLJ+J1Hl7paYPeSpyFj+SbB
+gck9M7sCBzVFlclkLMsaHyc1GHVzJNPcf0gRmknmb9hAmJFEwEle5aGbSxuTbG8j
+Rww8vzP6KHwlBW7ifenUvqjrBuBxGQW/jnvZTtSaMEaLYQVS8e9PxzToAKbUylc9
+Qqj4hWU2hMQN/YQq5jOAv2RMvNTMX/fXR+hlhsnAy3NeXQRltzOcwHBbY95kQ1sG
+3UpcDc3soEaZCYNCZdwQuaZ+YZ+ixEGTxfQv59HR3eszGrZoe2lfkW0VaO/wXsau
+Gs1xruD3oqnNIDTuzSgz7FKXgTv4QhF4UEf2EtUd2Wt+4IjcBpUPSt5+fDyCHtpI
+bP0FbOmFhGjubi75iFa8H997a0EQR461Wde7/MP4+dgOTaR3wdUqGM6nBKhSgbvW
+C4pXWOHrrh3BzBR9nArVwRTovu40NpoWKAbdIkz67KHVfBLNq84zUFMU6WACrpGw
+0zhE33EQJzb2h/TZH7OsFxOSwiFWYPy9MTDOgdqJftKKWYhWeZVVeHnD+3tbvrag
+OuRCHwmfIaV03vMi5cCJQVKMSOExG4VGWSeMrRWcRzSkLj4gSA3R6mb4zzfo3kDH
+mUW2UfLpx7Ru4Lswm3AAhsClqZn9/bI0oNVyuErQdm8hFSStUQCJwPrMzdtw7Fum
+le/unx0AEQEAAYkCNgQYAQoAIBYhBIGGSgN18ngQZP6OTc/5+WdA7ZVQBQJjwH2S
+AhsMAAoJEM/5+WdA7ZVQf2QP/13LppaOwx2NAvf7wZWf6d67M6EOmpBLPSqtGkdi
+umr6Po1A940R9lAWAk4w8DZRC1MaHyXNb2G4GDcnynL5xb92DLq27VAMZy+fnCTH
+g8Qk0k9WaBuyBAragSinHp4R0ts0uDxBjAwMm+3wjopgJVP0eCm6P1gbXgc1dE74
+xvsK1ak0SEjNJXAyxXw0z6pNOQAoDMYFJglYP7nr/ygh0YsB/EisVxoxCB8jczu6
+6vblp29TzcEapCgWQ5JgG9XZFo8xS0COMb2BTf4kCjJQvkUQ3J7ieDlbbKjO39YB
+Md8WcbZ/lBn7YN1E8XTQoz1NvJ6F7vdyPJvsVfu/Mii/eMKbmKyCHoT9p7vrXCGF
+L9LAHkWA1yDe1uE5h2vLSo7iAoGkAWlZ+BUPV/PEzsusllOUcWl/0GSzJPvMjCoP
+oiRKHqC/wrMw3d2KCEO2y3k7/b1ka7n3ZrUkL9NegX/igRaDosowABmHjoH+/YJ3
+9zzQVGb0q8VqkIyI/r0QHfreaSzU9BYxVe/U4kis04jT4tgVDqeO8cWbIykAQade
+uiF3SDtJ0F5IKEwrpgYBg2jV0cj64hVZMOZ8lcb00LEiA9/7pO5SVPsDKZL7cRmD
+led0tZf4baoNVgr7rosixRvmbkYotj1qxw1rhhVDy/cg5Wskuw0Z5Fwq4sd6vclA
+kYi0
+=c0eH
+-----END PGP PUBLIC KEY BLOCK-----
+
+pub   4096R/81D9210A 2022-01-22
+      Key fingerprint = 6327 DDCB 5E7E 80E4 987E  A3B7 FD79 DC0C 81D9 210A
+uid                  Sendmail Signing Key/2022 <sendmail@Sendmail.ORG>
+sub   4096R/03142938 2022-01-22
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGHsknQBEACuy5ofFGpq84xVTF77J5aYl7lmQ0dzvUfUmnnFBPU4A81LFxjt
+zjFy3t8Gg6RQUoznK38iSsHpNYaipgzKdk02XRWNLK1vNhPhWePDYqDMewysBnqc
+bJC0vX4z0XFP6T+apyjb58G149Qlc/y67T+b8Jy65rNJUr99rQ1EX5lwuz5Sj9C6
+ABmG4u4fZcLsbBZCP3QFC+Vnn+deTr5zzj7qqDv/w0bQad/jzEal7RE3tgJ9E0sa
+I1SoOMUgt7bo/osJxZjAzWCrf9yT3Dps8ZhEAATP4rRKLRbZXiGJiSLXT8y88JP6
+LBtpwU+KU6uApVSKDw1OFUC0bE3/hKUKvKe1BUXOEieP0kBdjclGSvX2iDO9Bn89
+o2KxAZ2kCC7GCHBHiSn0vkWxuQd6Wi2N/sYPdqLd2JHpZ58ltBtUE/2jYWNXQZju
+iRDHWHf3zZCbB93VS61xpcJm974f1caMtc636GROWTqeF+Nd2Hrx1hKEbJerjqZf
++QbE65waP0Rrcfxt1kECEIjG+v86SucfcyEPfTqBqK6+49dhIgmA/6b+2UgVkvpf
+BqM4PZBqRXbwzyfp2fkM6jfTKWhbeJb5JQxHfnzsigJzZhcDfQllhUF4/ec8dEpC
+3Y64Er4qL8IcRiMf+Dyaie3u7ZqtRqSQHMDZ0fYKDtjKmTkUrHfwqHWR/QARAQAB
+tDFTZW5kbWFpbCBTaWduaW5nIEtleS8yMDIyIDxzZW5kbWFpbEBTZW5kbWFpbC5P
+Ukc+iQJVBBMBCgA/FiEEYyfdy15+gOSYfqO3/XncDIHZIQoFAmHsknQCGwMLCwkN
+CAoMBwsEAwIGFQoJCAsDBRYCAwEAAh4BAheAAAoJEP153AyB2SEKoHEQAKouC0qg
+f0OBcyw5EWd0ja2bPakBlNkdE2FGvtOF81WvZ7f0M0kLNRzGRIsRRBxDVw7Vyin5
+wLxxRHxoSrRMTS+3LbKCrtXqUyMO7Ce/SY77yXKbXfnVCmo5pq0QhNVGE1GSuvxF
+R/dGKb9wV2LNbuXHo8xj85yFztFfGRLhkZs5aAaFmq9mRYu8IObf42xCFYALTAnB
+95T91EQbixJuT1AjohgMXHhQQ6nNo5EfND21c5a72Ntzfj5gPfUUITSshxSPmE2F
+/H/WfaVhkALKdMD681bSoXtC5yByTGkM4UBqNOnppplKFW8YFGiJ3Xzm5vN+5Lyo
++a+8lSLIRkBMJrVK2L80r3qQk4xh0lZiG5sFHvkGYzeWqKb0z9ADIz7TEUCUgpag
+vYuSLexegNlYzRG0aL2PbeqVb6Yhy9ghj+42HNmiRGCorixKFJHA70q1uKvcDZ9I
+Q4j18hlxM9B6Aj27MSXqwISNEDCiNIYbSI8UfmJ8NnWnhqNbQ3a9lmOVC0JB5TdF
+enjTuMb3VovjNWo4LTvQdhAgsQn0MzWgdMLgGzLWmR0fBiyTKS7kMOU3SQqaJd7s
+eUTOv3SxdkVGcsqpFlbJGrXwFkpzcay84qeS0afxEpc9yhewzMU9Y7Xa1+vFpqfW
+b7eIeBIB38PwGhp76kQ4P3/mDdlRWIHxK5eNiQEzBBABCgAdFiEEsICXn00EPhnQ
+WjacYp747gyLgzMFAmHsk2oACgkQYp747gyLgzPEswgAwOi7pq+JoQtQiXYlE83w
+QoTUsaBYA/38IuYo7Yf7LdNlpwIQamGNVJtNQAYT4AhMdZELyJUtV5Wa4S/D48Vu
+EvoVLVZmdsbcaRWpWvfptjFsdcC9Tc2W8Ww0Vd+lmphMR049vMuqbR+kYlUxelIS
+CNhKwyg4GFUL86C48TDvRedvLWRX8moahLntVN1QtDYQ3/bn+JsWzHiXOKQ66Wsu
+gg97G7cectwEJnJd8HIRTo7a84LN/gTwt9Uo1cB56pULEA2Xde+oySg+T7pW1eTQ
+Vjq8L6gaHl2tyy7il9tQAhs8Ibzlcahh2BfYENss3pPUpMcASrSXlGBuYKofGt3t
+9okBMwQQAQoAHRYhBLF1lkRTA13O3XvpGWBN+/KFQQq+BQJh7JOEAAoJEGBN+/KF
+QQq+hmQH/AubZHpKbUVstoAa/CJMGtLpox6Enwl3J/FPYsjJXx+xpRZrE9w514tw
+SGD8B9DcAM/JC8ZLeo58OuIDGaxovP7Y96El+9a73bGw2HtVzqlIB6rtg3xMNHCR
+RvYUziIKi1Axdwgn/LLu9aUOduOUtrG4zgNEp46ZjEci87asouUrw5yqyeSDGSRd
+ryYbt9Hgm3WD2cksZUmqYvXfCun9teh5pBn8gn28HPMYzpw2/iTjs894xIW450D9
+BiVIxU/WNub3CA9GjGjB/GRdbVkAEseBmxGBeRx3qjAyYNs+9YUsG5x9bx9zpGd1
+ktNEJ0b9mIgLMhPVC/6z7ye8MWhVzuCJATMEEAEKAB0WIQRYcmIYqRNADeZgNgE5
+pMd9qXiEsAUCYeyTjQAKCRA5pMd9qXiEsL+rCACOFWzHtgEEtJheKj38MVWzgimL
+Fsr7V4M+ewmDc0FSAboBzazZiDtjryJ9u8r9nIklfSL9DxjVPSV6s0mS+oUpG/x4
+FI8eb4VSMue98W5kMIC6k9MfGQAccn41iPd25nCp2VcnkOhXIv9s/XXoo74ZJIKb
+uIRu7fkFwzhn4kxGiphqy7DFsTwLlsbFEGG7USJXT0QtIj42Wvz086622vjAFmVA
+70icww1/0I7gBIVgGmv64AdctCXCJUEa63DGj7Ylqy/t+vG263BBIbz+rM11tCPi
+ah0Qc5L5sX3t4ZkJ8eTSbUzqwpD9BYiXVWc6XTLMc5OVjJ3l/OZpDko4Vnl8iQEz
+BBABCgAdFiEEynqPOaJBn/+wqasnjlrp+87u9DsFAmHsk5EACgkQjlrp+87u9DuM
+VQf+JcdL8c/F3s6IZ+seglYPfLOkfUUaCWKcQ7hYaf31DJULMpTPx6QMB1x4DVns
+b+GnSlY7OEmvClv4iDT5s5pRpAxOjJ3Tyud1XqwQ7en45ZvRNbMOsYV1Wzp+JnBW
+WU5aI1Fg3K6PFMLDP2p5zgzD3m5MD9+5QJ8mx8l12TbtC/h5yWu9f+PV6DsB7m/Y
+zqjiRGf8R3S9+gE9Ve9opnWx6gnEVhqQCNSz2fpmcdxEyTG3Nz8/hJaplVzhdC+E
+neuvD7xOJpcVHG14l2A1uf1gv11Wh5HFnA1ESGxyuQuRHaiHN4tbOpH93eVL73Na
+OS2rlm8YyDMm1sS43YuB2iNaoIkBMwQQAQoAHRYhBLh9RWmG8ZSEB+XMtD1osl1S
+B8rTBQJh7JOVAAoJED1osl1SB8rTuP4H/A2Mqkefj4zFy2HwfrFJ4BOSJDXtZpI4
+SrTmf4+N2WsjsRys21NE+uchZ7+YpkPlj0t+OeXaEMvxe83xOJnJ5w2xpqTy8XMO
+73pqvbQLssl5gjcd9e4V+VQKzXMaywGJnU7DJ1+yMrvZqgmdVUm2SVwixViMxDf1
+c4i8mnTU02J0rNUoSn0pZURu7wwimiRisPa0EfS7O8T74C4Qx+g8Z7uTBbTdtEJt
+rtPectAGS85MxISqaqZshMzc70NhYzanliPvq3XaJ7UXxCSWjrI/8pvZVND8i2JH
+QdqUruYOj8CdtAliz9+XOJFdYE949a7Zb/fXu3cHQqDeOpAxJaSzuLKJATMEEAEK
+AB0WIQRJ9qi+hHM5SVGRbzth3hHs4nY6cwUCYeyTmAAKCRBh3hHs4nY6c9kOB/9l
+OYFFG5vg9ODyQ9TgGH4onZRrTNBZjYtKtgGekSg9u9bIMk/S1MYDaVyV/07ZV+4+
+DKqrk+PQijg3ujpNxguap6eFhuGPkwj73MN/xSNSiplpNDxLP0EKrVbxG3gQhZey
+gyr6gqlYtWCsIuXWV+MOEhd20SrIXzPsX7IDw3JdgGxNkjS01cVvsoiKL17Nr0BX
+Aevyuj+8IdHjsreucBgyz5OG2tRfpK/VQSmzhpQlYJKRsEg2pCANOJiEEBeGBgm3
+Dj5MouGL8ajkl49s38zoMFpxr3KoFj2rF3kfNHTHV5aybjwqLhE9Kquw3Pp59Q6Q
+Njewgf4+S/czLfPLxl22iQEzBBABCgAdFiEEMLynRwX6QVRVcx17qvW13gW9zFMF
+AmHsk5sACgkQqvW13gW9zFMqbAf9H08Gdf/qAdYe4CigvOu147hr89RH0LWtqvXD
+R13cJgwkUQLPQZ3/xt/to/3QNDyETjcQkJcfqobTGPZs83ebXlICTfAkC5uNvyoJ
+Dtgw/e8zf13XhWTP+Dn4+YnhBdCLkH85XvI+QLen73PzlKmgUc+Rf3UoXcDgdSVu
+A/ouNC1A1ZKO1f8zQDM9MTppuRUJis11EO0nkqxu7o9ZnjR/GIr0eAYb5t5YoNLz
+lc0IGskX3IHfCFcrQjBnUkWbUn3CBZTTLLgBX/sGTLqkrzi9W0dSCBsX/gF4nGAS
+hyrpV9yP7bw71LDDdKaI3Ze/gviwyml/9b1UyCLhS6Y0UGRPSYkBMwQQAQoAHRYh
+BA9clq7I5p6cjlQuXG1M0ZQp+wPeBQJh7JOeAAoJEG1M0ZQp+wPeQ4YH/jLO4HtX
+zb7N6+fvH1IoebtpzkIxvyIqunCLd9wmMOd5/E2GWcHwzsi5ImnlfrpX9jdzuPGa
+lFLFMSnK5WQA+G8j7tm9Zs+pmN1E5IcKi08BIDj6UY9NRwVVAxDQFQwNfNupCV2v
+4wEi115eD5inb3uPfETZwgTh1IbMMYQu96vWCjUCwavAiTP/PWiAEdmGTFCgFrsm
+chLHuXiRTLgfnrVdtblvZ+2GIWsi1IbJcOpT2Nt+I9HPksJKGpZWX5bzyHt8t3hv
+tfHWFdX9BZv2jMBJFc8C4mNXX06fnA/OK39GbTDr3qJ5efjP7FxvCTatpuVxpUeo
+bQoiz6yqLtHk11KJAjMEEAEKAB0WIQQ8ih6Of0TK3hFP7UZLyb2ma/cmrQUCYeyT
+oQAKCRBLyb2ma/cmrao/EAC0QcShgqI/EEhInt1ELOXXqWzwyW4GxKZaATBKznYN
+KUgCImW10QxQRG8TK+/x4mtAriPk6ANHHdt3ehzstrmcFlo1TmFqd2SoXHwLWz+D
+ffX0WE1Slmnd4mGvz25LhftrGuGAzOZQ1v9QnlBmE9egZrF7x4sIGrHrRfKDAzec
+rcgNf8zv8nZW0YqbHNMmxh1xFQ7yVTzs48UipyWxfTsje6LxEvsGYAuvSp8AUWhV
+ILJ99c8kJRGdyiVum2SOk4MtP+Nl0w5686kO4Aj4gbiDMdCDGhwxFHDt69HmbHVB
+kDyErjcjlEy9Qsg56YFe70861c5nJXoMslnjRN9F2EyDOFKGorI4jdinNiR7E069
+KXEwnouW0ZuN/RIIUSgIWzalGCkOPCPFEShZKKPWJ3mblEuXyfe4ayL4DVQo+5ha
+/1kqRP7kPgjBkDyRxR7M/UuZVyPuHo0HkETQUlTMDwLAQH/ADSlW0zhqJgKFzOzS
+kJyAciEzW/s1v3pwQR9/7+6LNJEoXE6ANNOnlnEz0hPWgm55XnyTmrLBqpW9XP1V
+jTOm66j4vbS1MNRxtIbvkCKyw/Fv9hWmPauzEi7TepwgY2w4m+EV/0mNV3LTg0OB
+4XH9bJ06LUvp1urY1jVoYD5ID5cyNeblmhXLI9bXQpzEjuw/fkqVaOCLMyiyXYFA
+BokCMwQQAQoAHRYhBKaHPSSk1tYoSuQqdfBgWf1dx8w/BQJh7JOkAAoJEPBgWf1d
+x8w/lJoQAI+SrlWdn+KcotHe/DZiY+HrmYdIAmdvr9xupsqpK5FrcHAZt/lX4iNz
+Cb0/W3bQpgAr1SntGPo69SvZMZiuXLaVZvAjAtFfPAaE6qBOQOfMQM8I9CQ75Olk
+ZTuX9syqqLRx90W+0buI2EnB1m8xdw3Zp03/+JYqXP+8qI8yEEn0+tGPTYOCYDQ8
+C9NnUwc62GVln/b5Cvvr5khURn/OzUAmSv7ah8hHhc4cfxnFjSgErnZ7MPRMm1O/
+aVaqV4Lu9OzT91bhLaJ/aOSPqI5kuKZjgEcOpJhjh2gxLKualF544sTei4GNXgTZ
+ddpZZmRpGCLcOS+nsqeGeKobV5Ixz1ddCJMAX8BKDV/mimiDK4yCckNirK0AnTiF
+bHnqkpPcmmZdp/GFtOWPoSu8qGJpl7T35sFpEFn3Stbd/sfImWhIhue8x3I6Qimw
+DW/23SQlf6r5u0ZbO6ZWMdC3RR+6TfztHv7UDkBWEGRLGkQ/cw36uW3OiqEUS8wS
+2uk96vnJJQTcXP59BYQgH/Oqv5QXfl5l5/h9MnTJDAHiM4CBsZIETl192nBT81Mh
+D0swDdaU95NwMFtSmW+aqd9k+FFaJT019BndzSYZXcpjkBwpXF/HmzrdTLHZfFN0
+28snq/TTG3K3KoTOeW+6HeXlDrsl7HHmpvUo+gF21f8+2X/OuyvtiQIzBBABCgAd
+FiEEUKMDCY6i3XvL7iraCeAfoDwMUE4FAmHsk6cACgkQCeAfoDwMUE4VGg/+JHaT
+yujXRVrsH1dOmhjXc5nyDINZakUBT6fdYxXGsu37AmgYoZrBnTyAmNQd4zSAZ8Mm
+uXGxN8LE23nO6c4/436kt7gH1ySPxlhdsiti0m7pl550i9aL1YAFmdXNzIBQUF5K
+4XFqhdqy2tfdVbF/h1o8dZqrX42vvVba4p4PybtHtRMaiTPFLb5UNYMkf/+u4VfM
+CbCqW/aZyhdoS+tsb2l3lOF6uRx1fv19KVhqnqIt1/+bUiTYVcgPQFKUJK3P0ilj
+tDexFF2niftdgUJLrqbR+bDCPZ5ykfXuZXeCLmpzIqFPvj7dMPpM7WylAInyaheb
+9m1JXJXtIHwlJDdVOYLfOo8U9TfLO/rvDKeeDXm5WCGgQdqEYrTbYNv3wg2x+/io
+BF4dalE9lVrMt9acznZRemFzhihVSc5lHhb+FX6fJRCQh/vFjrMY7mj7SV4yc1X1
+OtdGJMvL3+p+N6AlHpYB+4C+dOmNpUq1W7ZCpwi4LRi73/WdOD4nPlQigvpHPy3g
+L6uYH3Of2CwTonPY6ToTtKFaXjKQfthAIkN3cu2cf2v2F1QpL3PMN92LreQNAazL
+oPpYF4adfPdlK8tkBrzuxN8qJsC6asJ17ztR5h8i5xBS25hTdf6L2dNIene3jwYx
+8lizZ0GwtAVb4pNpg1tmlAKcsjOVZbr5DP0b9MmJAjMEEAEKAB0WIQSt/bcJ/h6m
+guWFWXHVgyEO9RRxpwUCYeyTqwAKCRDVgyEO9RRxp7MoD/9p3eQq941AzizApnOe
+/Hqjp8fkESw6UN1kmZBes7oYUiJGCRMRIKWGATVQDcPzRwkQdqhgc3MHI3rbyy0Q
+NxZHTsZDPZ0EyxiHAJxkVnEyV44DpUCb7b/Hswx1jIhQT4OsC8dxKYQ6MPXODX4l
+NzYvpwcSv4a0hjKDk+MZbtX6g4zK0hIKg4V7WHm6wHsIzgaDIZrY8s53KV7K8jy/
+n1vrrzstiFPpBtZh/RvS+HGocbHpdSYtdL6Qqh4eY7ng6CHqd4lGAXx1isHEJsc+
+G8Lx9JDgpo/kyFJu0mVQmTHpYt8qYwE6/hwwWZ6XDnifZcd7uJiymv8UPYWwSM/G
+vFIqDkMJSQzykK6uzhZsPttcc6DdZ3bx+97qFfIWvQLpFp6iG38T6F0IT+iQDlDM
+Z4KaswIntaDuldE1VJ3D9F0ndDlCJvCXJn9I+jwUKXj2Uqy/1OecLgIz9KULoim6
+A4RmLLRDtoYwXbwsPA1BEVskq6kkfd95VtjqXU2V/sh8YnZP2O1f5udIP8g+KUhA
+zUp4Cppl8jALBlEJ2mBI5GfkWJgnARFu36nY0bpeiOn+1+CumFAC5p0QHZFDCD7I
+7XB9VThWCnAW1mNhxie/o43CByfAM5hXieQeml4dDEGxazW3JCuCV4jpTnogArCC
+5xSoNkIFXsMbSRexC2SFm1pDv4kCMwQQAQoAHRYhBPTOImMhAlPWqfl5sExm6o1L
+7hvuBQJh7JOuAAoJEExm6o1L7hvuYbEP/1Hizeq3tkm8FZey5VewtvDCJNXTfkvg
+3/+Cu1GxjeT8bfWGQKNEalaHQ1xU/pHpqD7QBvdt4pK3TaYp+kqfM87i1+JkCoy2
+Qv6YsP2Sf+VL7rLHGFF5JWKOj4mmL4Sy2ON+NhrZUN5qGtYSKu3P4y6NP5u5YxzF
+kpCL1rYugc801SSGI4dagLyTEan0vwToXPDGYrS3Px6HGgKw7JL60dl9DqNsvEiU
+iU/VNYoSklU9SHYIbDA2siGGkaEwKX9fGaeWsgErFg57G+az8lzvvm97da0HIQP8
+jQBQt9Q8gqUaISsVlrAL0fV3Eh/pGo+LabpufMXqcO1CoHIv4hD3HS0CTouAvpUe
+32igiJyrE5esk7yIOPMuTaNFWUQvjioXO3mLh5qBsKtRyY05g9zAuhOzEefOrBue
+0mx/uROL4dJht4v1b/UGdf2CT8JKtj6NZgQpJqMu9410EEYYhaFqIjAC5tDBe+K1
+ngHqr89u85nrwbuZEs+KGWYnD5jlHsz2bbwPSsMZkP0Y4oeZ5uqUDjPHBB7npnCg
+Kp3McmB5dw32rDqolEkKXxRCupYeRb8KlyoN6DNriU0yjSQgqeQTCtHTnWAjigLn
+Z7zJHOmDfE1t8p+e9kXAm94N2jAI72gWGD2bI1HM7kUgUbOqIgj/tafIA6wpMI6u
+U+m/D7JBScmjiQEzBBABCgAdFiEErSDhqotBNnCmQlLYvSdtLm/PqIUFAmHsk7MA
+CgkQvSdtLm/PqIXJ9ggAs6cAy7yKyO7sneFbSUJXDAAxH6tfN+/qPKYasakSkiYw
+xQc0fU9+mcbrSXl6uNrQFdVBQUEUb1OWSOZN64Cy26KAa07RrgcJijEGVrQ/qg1i
+IpaJxu7wheE1fE8wqfU8VGBsjw9pEn7LmsY4L5IbptCHMfN4l3Q6nKj25hosy6R2
+wiTdNHs77HP3IaAekHfy3QwnrcOdQjSQykcHb+DkC38Qd14SDxRBTkwq09LNigF/
+MNqpvA47i/Jc9bqn/SBJ5mki5v9Li5Nj6eu0dr7BDgzr5ZqGiKAXDe0rJxJ/n93l
+qjBA3vEDs6m2L0vuujQj4y2Cp4Qrp5/yy+a1eHmSpokCMwQQAQoAHRYhBClslNvQ
+KAJFv9OR13tSlkjuhXJkBQJh7JPHAAoJEHtSlkjuhXJkFGoP/j1E0YIUZLAtnJl6
+yTIn2RRebYHXKyZpwFQlbckgvkliezJHDO6EmN7UZcK9CLUTMulr2kq2o3BLTnV3
+7Qm+ROSSIQuGwZEzWliRlJVouZ6gMkfuhoxyYaxOCceIBWBgzZ6cbXnneRvtap7E
+aKr57W0sO8QiFd0uq4gk5a4LYv1YiDgJMtHSsSrA//TGmInptvFQ6WQtPJ59HH4y
+BQwCeEc1o6MRUL/fqIDGbkZTwjncczNbC4ZUIBlfeC57jzPUYih4C1feTk2YuArd
+QhPEQQAlQHggFzLAc2iHgxRkk8gtZfeZ6Kk4vcdyXufn9Br2Nu7QT5v7wM3lmRks
+EAcQucWOH6Mh1H6WmTOOyDUevzZxtx0Cb5G/l1TF1Bj94FNggsRdni7NUCc00OpO
+ptsPFdIOYqm4jxe9ykoi4IDVkx1OgV7C/ND9V8VXZOi7hbAR+8Rc1pWzIXC7qMtL
+T6PAbtE3H76nKsdi802KltAitFGSZTc/WkVm2Y7dcJyShasSSN7p2Y0NoCCM81AL
+Lq+BYBO18yu6kQyXaJgN69n45Miui102cDpZKDWBOU2tP0YXVJr2M9fg9gmH64w+
+BzLGl8HcrjZkhgcM9hxQqDSzxYVodny/NMfEezyAsiK9bf4YPlhZx6YEy3uq6pS6
+ZLvOOWMbDn0W0EjHZfv3xIrtu9uDuQINBGHsknQBEADC/9jm2xZwcF8NgNc74t/u
+ZPD6k7qqwb3Sz0DL+Dla/x9wbp5tcZsSPQIP4Nk8UQfxZoid0g0nT6tImrWBTxtZ
+u5MYoaioDQ2FjE2qIrqjOypOckmFHVsWzYM4j7EJNn1JUZ72Ye2sdy0cGKDFhr0r
+JwBrBQENM7QiuCu6fHMbwCvC1NE8IBx2SpLzFKDqemtMQ2Beao+5R2ix2xSoNYso
+GQJwO+RIv2fKYY3cl+JLeGlNQU0eeBbBDtXVcnqs00KUxrDh6LLfjuzYRtWK0bBF
+iw7Upq4TehzNlzGp8yE1IL2N2o1+/Ism3/BexUWamduY3HAu6l3MnPssS7AKUKIe
+2tQSCZ7LsuqyNaH8diZykRiSFF/H7NduwzUc6QBVbXE5pFvzuraJu3jL3q6+DMtD
+EVzjyeK/trF79jGlQ9dioNRuZj2DYqvXZ5/7JvGYOKFd7XcLEkSm9n4Q3Zt6GpWH
+wWIimNgsjFo4ZYdv6JawXAjsZN4X0+nnAuWG3Mbj86gYNjJMDxgy6wovYLwwf1tg
+WHCy8jUcOejFH7XKyjuQR8vTm2o/jHKoXT0FG+qtyA1P7cEf5VaJ80n0Vg24xXnE
+I6tRrDUqH79gogOp9z6WnbC4+jKFgUCkyiQJuB6Y1rtLBFV+x90aL9KsJYMiyycP
+bE3WLqL9TGhRXuYhJ3lZ4wARAQABiQI2BBgBCgAgFiEEYyfdy15+gOSYfqO3/Xnc
+DIHZIQoFAmHsknQCGwwACgkQ/XncDIHZIQp+9Q//bdbiu1QTFRHRHSi7d5bTxqt5
+jCXtkFWSvyTf40/ul0t6sjdq8MkI94ZNb8/omOuMen8BgGtNBgC0SJxeXfYhBk7e
+gBCGz3Ryu1Zz65nmca+WXaGNleMJRwnuK56XZZuTg1/dWYoC7FiRbUwt0FvImIZT
+nWr0kAfdIkCdIbPHwrH5l9BTdOIVi03kfSG8ci54DEJ73PmmZrvH6PtFleUJvo7g
+U9iWNhOFGffi0v/UAMK8UZAoEsGIY/JD8JFHerfJZbmEJPPgbgdi+ZEaopVYibdb
+w56sTb79J7WiTrjxL9ngIn55zza3eOSDPeIulurpCebjb6DM/r/e+srQbhe/3slF
+IA6F/BB8dX/qdUG4NWQHP6Tcruu3rUwN9cC6iPW5aYt6w+dOqZYXN3qbDu745CYJ
+gfCyXeSTcHp7xsKXmTYBGZthB+LcHNt7t4wG/k2X5D+5VCR63V4NUq3P6uvHvH9j
+hl1R4YsB4Vi/fqPUSK/MAj7VxE7Tf/4W/rBzHQEP9i9hkmgunOkQ0wbjaP44EqO1
+JHPB24py0dIBY9JWq2DqVHRAmvEZ7unbihLzJ+uzepsM84ujvipoT6Rlb5224unm
+yB3NrRwSOHn1BpPIqBwNbt/lZX6AByTaTNyPoC2pitK2mJoMLU3kIwktpFEfVOmh
+0Kb4rGd12E5b+czXoxg=
+=LSBA
+-----END PGP PUBLIC KEY BLOCK-----
 
 pub   4096R/4BEE1BEE 2021-01-24
       Key fingerprint = F4CE 2263 2102 53D6 A9F9  79B0 4C66 EA8D 4BEE 1BEE
@@ -363,7 +982,6 @@ ra/bqVWSpZTlHZ0xT9seCUSs1urxGw9Z
 =3HCo
 -----END PGP PUBLIC KEY BLOCK-----
 
-
 pub   rsa4096/0xD583210EF51471A7 2020-04-08 [SC]
       Key fingerprint = ADFD B709 FE1E A682 E585  5971 D583 210E F514 71A7
 uid                   [  full  ] Sendmail Signing Key/2020 <sendmail@Sendmail.ORG>
@@ -557,7 +1175,6 @@ gmOJ78JKVfONBpmdVsw/emTMU5I/C/8m9l0nO0P4Q6diao23krgWk73x7dBoBqDn
 =jgHV
 -----END PGP PUBLIC KEY BLOCK-----
 
-
 pub   rsa4096/0x09E01FA03C0C504E 2019-01-09 [SC]
       Key fingerprint = 50A3 0309 8EA2 DD7B CBEE  2ADA 09E0 1FA0 3C0C 504E
 uid                             Sendmail Signing Key/2019 <sendmail@Sendmail.ORG>
@@ -739,7 +1356,6 @@ HcRQfq7rqZkS3NE+iD9D/lUyXVYfH9A=
 =jN/3
 -----END PGP PUBLIC KEY BLOCK-----
 
-
 pub   4096R/0xF06059FD5DC7CC3F 2018-04-24 [SC]
       Key fingerprint = A687 3D24 A4D6 D628 4AE4  2A75 F060 59FD 5DC7 CC3F
 uid                   Sendmail Signing Key/2018 <sendmail@Sendmail.ORG>
@@ -883,7 +1499,6 @@ fvZ+LS/6hJ9C77uOaBqoDPmtpn0WDqc3oDeT81Ans73BZhwhFAjzpHp+XnJQ
 =K0Kz
 -----END PGP PUBLIC KEY BLOCK-----
 
-
 pub   4096R/6BF726AD 2016-12-31
       Key fingerprint = 3C8A 1E8E 7F44 CADE 114F  ED46 4BC9 BDA6 6BF7 26AD
 uid                  Sendmail Signing Key/2017 <sendmail@Sendmail.ORG>
@@ -1069,7 +1684,6 @@ FtJxkIHVIx/VvvBqS3HEm8QCRvr+o10/Ue7NljolDV13B7fljxgvLFyJ8T91jWsz
 =Lt+h
 -----END PGP PUBLIC KEY BLOCK-----
 
-
 pub   2048R/29FB03DE 2016-01-04
 fingerprint: 0F5C 96AE C8E6 9E9C 8E54  2E5C 6D4C D194 29FB 03DE
 uid  Sendmail Signing Key/2016 <sendmail@Sendmail.ORG>
@@ -1269,7 +1883,6 @@ j68I
 =MdUt
 -----END PGP PUBLIC KEY BLOCK-----
 
-
 pub   2048R/0xAAF5B5DE05BDCC53 2015-01-02
 fingerprint: 30BC A747 05FA 4154 5573  1D7B AAF5 B5DE 05BD CC53
 uid  Sendmail Signing Key/2015 <sendmail@Sendmail.ORG>

README

@@ -4,11 +4,12 @@
 This directory has the latest sendmail(TM) software from Proofpoint, Inc.
 
 Report any bugs to sendmail-bugs-YYYY@support.sendmail.org
-where YYYY is the current year, e.g., 2005.
+where YYYY is the current year, e.g., 2023.
 
-There is a web site at http://www.sendmail.org/ -- see that site for
+There is a web site at https://www.sendmail.org/ -- see that site for
 the latest updates.
 
+
 +--------------+
 | INTRODUCTION |
 +--------------+
@@ -40,6 +41,7 @@ the latest updates.
 Sendmail is a trademark of Proofpoint, Inc.
 US Patent Numbers 6865671, 6986037.
 
+
 +-----------------------+
 | DIRECTORY PERMISSIONS |
 +-----------------------+
@@ -197,14 +199,6 @@ There are other files you should read.  Rooted in this directory are:
 
 	This sets a word in a smaller pointsize.
 
-	- with new groff versions (1.18 seems affected)
-
-	GROFF_NO_SGR=1
-
-	needs to be set, e.g., in doc/op/Makefile:
-
-	ROFF_CMD=	GROFF_NO_SGR=1 groff
-
 
 +--------------+
 | RELATED RFCS |
@@ -248,6 +242,13 @@ Important RFCs for electronic mail are:
 	RFC2822 Internet Message Format
 	RFC2852 Deliver By SMTP Service Extension
 	RFC2920 SMTP Service Extension for Command Pipelining
+	RFC5321 Simple Mail Transfer Protocol
+	RFC5322 Internet Message Format
+	RFC6530 Overview and Framework for Internationalized Email
+	RFC6531 SMTP Extension for Internationalized Email
+	RFC6532 Internationalized Email Headers
+	RFC6533 Internationalized Delivery Status and Disposition Notifications
+	RFC8461 SMTP MTA Strict Transport Security (MTA-STS)
 
 Other standards that may be of interest (but which are less directly
 relevant to sendmail) are:
@@ -325,6 +326,10 @@ DB 2.X and 3.X.  If you are upgrading from one of those versions, you must
 recreate your database file(s).  Do this by rebuilding all maps with
 makemap and rebuilding the alias file with newaliases.
 
+File locking using fcntl() does not interoperate with Berkeley DB
+5.x (and probably later).  Use CDB, flock() (-DHASFLOCK), or an
+earlier Berkeley DB version.
+
 
 +--------------------+
 | HOST NAME SERVICES |
@@ -391,6 +396,7 @@ CommuniGate Pro
 	in .mc file if you have compiled sendmail with Cyrus SASL
 	and you communicate with CommuniGate Pro servers.
 
+
 +---------------------+
 | DIRECTORY STRUCTURE |
 +---------------------+

RELEASE_NOTES

@@ -5,6 +5,187 @@ This listing shows the version of the sendmail binary, the version
 of the sendmail configuration files, the date of release, and a
 summary of the changes in that release.
 
+
+8.18.1/8.18.1	2024/01/31
+	sendmail is now stricter in following the RFCs and rejects
+		some invalid input with respect to line endings
+		and pipelining:
+		- Prevent transaction stuffing by ensuring SMTP clients
+		wait for the HELO/EHLO and DATA response before sending
+		further SMTP commands.  This can be disabled using
+		the new srv_features option 'F'.  Issue reported by
+		Yepeng Pan and Christian Rossow from CISPA Helmholtz
+		Center for Information Security.
+		- Accept only CRLF . CRLF as end of an SMTP message
+		as required by the RFCs, which can disabled by the
+		new srv_features option 'O'.
+		- Do not accept a CR or LF except in the combination
+		CRLF (as required by the RFCs).  These checks can
+		be disabled by the new srv_features options
+		'U' and 'G', respectively.  In this case it is
+		suggested to use 'u2' and 'g2' instead so the server
+		replaces offending bare CR or bare LF with a space.
+		It is recommended to only turn these protections off
+		for trusted networks due to the potential for abuse.
+	Full DANE support is available if OpenSSL versions 1.1.1 or 3.x
+		are used, i.e., TLSA RR 2-x-y and 3-x-y are supported
+		as required by RFC 7672.
+	OpenSSL version 3.0.x is supported.  Note: OpenSSL 3 loads by
+		default an openssl.cnf file from a location specified
+		in the library which may cause unwanted behaviour
+		in sendmail.  Hence sendmail sets the environment
+		variable OPENSSL_CONF to /etc/mail/sendmail.ossl
+		to override the default.  The file name can be
+		changed by defining confOPENSSL_CNF in the mc file;
+		using an empty value prevents setting OPENSSL_CONF.
+		Note: referring to a file which does not exist does
+		not cause an an error.
+	Two new values have been added for {verify}:
+		"DANE_TEMP": DANE verification failed temporarily.
+		"DANE_NOTLS": DANE was required but STARTTLS was not
+		offered by the server.
+		The default rules return a temporary error for these
+		cases, so delivery is not attempted.
+	If the TLS setup code in the client fails and DANE requirements
+		exist then {verify} will be set to "DANE_TEMP" thus
+		preventing delivery by default.
+	DANE related logging has been slightly changed for clarification:
+		"DANE configured in DNS but no STARTTLS available"
+		changed to
+		"DANE configured in DNS but STARTTLS not offered"
+	When the compile time option USE_EAI is enabled, vacation could
+		fail to respond when it should (the code change in
+		8.17.2 was incomplete).  Problem reported by Alex
+		Hautequest.
+	If SMTPUTF8 BODY=7BIT are used as parameters for the MAIL command
+		the parsing of UTF8 addresses could fail (USE_EAI).
+	If a reply to a previous RCPT was received while sending
+		another RCPT in pipelining mode then parts of the
+		reply could have been assigned to the wrong RCPT.
+	New DontBlameSendmail option CertOwner to relax requirement
+		for certificate public and private key ownership.
+		Based on suggestion from Marius Strobl of the
+		FreeBSD project.
+	clt_features was not checked for connections via Unix domain
+		sockets.
+	CONFIG: FEATURE(`enhdnsbl') did not handle multiple replies
+		from DNS lookups thus potentially causing random
+		"false negatives".
+		Note: the fix creates an incompatibility:
+		the arguments must not have a trailing dot anymore
+		because the -a. option has been removed (as it only
+		applies to the entire result, not individual values).
+	CONFIG: New FEATURE(`fips3') for basic FIPS support in OpenSSL 3.
+	VACATION: Add support for Return-Path header to set sender
+		to match OpenBSD and NetBSD functionality.
+	VACATION: Honor RFC3834 and avoid an auto-reply if
+		'Auto-Submitted: no' is found in the headers to
+		match OpenBSD and NetBSD functionality.
+	VACATION: Avoid an auto-reply if a 'List-Id:' is found in
+		the headers to match OpenBSD functionality.
+	VACATION: Add support for $SUBJECT in .vacation.msg which
+		is replaced with the first line of the subject of the
+		original message to match OpenBSD and NetBSD
+		functionality.
+	Portability:
+		Add support for Darwin 23.
+	New Files:
+		cf/feature/fips3.m4
+		devtools/OS/Darwin.23.x
+
+8.17.2/8.17.2	2023/06/03
+	Make sure DANE checks (if enabled) are performed even if
+		CACertPath or CACertFile are not set or unusable.
+	Note: if the code to set up TLS in the client fails, then
+		{verify} will be set to TEMP but DANE requirements
+		will be ignored, i.e., by default mail will be sent
+		without STARTTLS.  This can be changed via a
+		LOCAL_TLS_SERVER ruleset.
+	Pass server name to clt_features ruleset instead of client
+		name to account for limitations in macro availability
+		described below in CONFIG section.  This may break
+		custom clt_features rulesets which expect to receive
+		the client name as input.
+	Fix a regression introduced in 8.17.1: aliases file which
+		contain continuation lines caused parsing errors.
+	Add an FFR (for future release) compile time option _FFR_LOG_STAGE
+		to log the protocol stage as stage= for some errors during
+		delivery attempts to make troubleshooting simpler.  This
+		new logging may be enabled in a future release.
+	When EAI is enabled, milters also got the arguments of MAIL/RCPT
+		commands in argv[0] for xxfi_envfrom()/xxfi_envrcpt()
+		callbacks instead of just the mail address.
+		Problem reported by Dilyan Palauzo.
+	When EAI is enabled, mailq prints UTF-8 addresses as such
+		if SMTPUTF8 was used.
+	When EAI is enabled, the $h macro is now in the correct format.
+		Previously this could cause wrong values for relay=
+		in log entries and the mailer argument vector.
+	When the compile time option USE_EAI is enabled, vacation could
+		fail to respond when it should.  Problem reported by
+		Alex Hautequest.
+	When EAI was enabled, header truncation might not have been
+		logged even when it happened. Problem reported by
+		Werner Wiethege.
+	Handle a possible change in an upcoming release of Cyrus-SASL
+		(2.1.28) by changing the definition of an internal flag.
+		Patch from Dilyan Palauzo.
+	Avoid an assertion failure when an smtps connection is made
+		to the server and a milter is unavailable.
+		Problem reported by Dilyan Palauzo.
+	Fixed some spelling errors in documentation and comments,
+		based on a codespell report by Jens Schleusener
+		of fossies.org.
+	The result of try_tls is now logged using status= instead
+		of reject=.
+	If tls_rcpt rejected the delivery of a recipient then a bogus
+		dsn= entry might have been logged under some circumstances.
+	If a server replied with 421 to a RCPT command then a bogus reply=
+		might have been logged.
+	When quoting the value for ${currHeader} avoid causing a syntax
+		error (Unbalanced '"') when truncating a header value
+		which is too long.  Problem reported by Werner Wiethege.
+	Reduce the performance impact of a change introduced in
+		8.12.9: the default for MaxMimeHeaderLength was
+		set to 2048/1024.  Problem reported by Tabata
+		Shintaro of Internet Initiative Japan Inc.
+	CONFIG: The default clt_features ruleset tried to access
+		${server_name} and ${server_addr} which are not set
+		when the ruleset is invoked.  Only the server name
+		is available which is passed as an argument.
+	CONFIG: Properly quote host variable to prevent cf build
+		breakage when a hostname contains 'dnl'.  Problem
+		reported by Maxim Shalomikhin of Kaspersky.
+	DEVTOOLS: Add configure.sh support for BSD's mandoc as an
+		alternative man page formatting tool.
+	DOC: Document that USAGE is a possible value for {verify}.
+	LIBMILTER: The macros for the EOH and EOM callbacks are
+		sent in reverse order which means accessing macros
+		in the EOM callback got the macro for the EOH
+		callback. Store those macros in the expected order
+		in libmilter. Note: this does not affect sendmail
+		because the macros for both callbacks are the same
+		because the message is sent to libmilter after it
+		is completely read by sendmail.  Fix and problem
+		report from David Buergin.
+	Portability:
+		Make use of IN_LOOPBACK, if defined, to determine if
+		using a loopback address.  Patch from Mike Karels of
+		FreeBSD.
+		On Linux use gethostbyname2(3) if glibc 2.19 or newer
+		is used to avoid potential problems with IPv6 lookups.
+		Patch from Werner Wiethege.
+		Add support for Darwin 21 and Darwin 22.
+		Solaris 12 has been renamed to Solaris 11.4, hence
+		adapt a condition for sigwait(2) taking one argument.
+		Patch from John Beck.
+	New Files:
+		devtools/M4/UNIX/sharedlib.m4
+		devtools/OS/Darwin.21.x
+		devtools/OS/Darwin.22.x
+		sendmail/sched.c
+		libsm/notify.h
+
 8.17.1/8.17.1	2021/08/17
 	Deprecation notice: due to compatibility problems with some
 		third party code, we plan to finally switch from K&R
@@ -37,6 +218,9 @@ summary of the changes in that release.
 		in the SMTP client per server.  Currently only two
 		flags are available: D/M to disable DANE/MTA-STS,
 		respectively.
+	New compile time option NO_EOH_FIELDS to disable the special
+		meaning of the headers Message: and Text: to denote the
+		end of the message header.
 	Avoid leaking session macros for an envelope between
 		delivery attempts to different servers.  This problem
 		could have affected check_compat.
@@ -76,10 +260,17 @@ summary of the changes in that release.
 		properly, as the persistent macro applies to all
 		RCPTs and hence implicitly to all destinations (servers).
 		The option TLSFallbacktoClear should be used if needed.
+	CONTRIB: AuthRealm.p0 has been modified for 8.16.1 by Anne Bennett.
+	CONTRIB: Added cidrexpand -O option for suppressing duplicates from
+		a CIDR expansion that overlaps a later entry and -S option
+		for skipping comments exactly like makemap does.
 	MAIL.LOCAL: Enhance some error messages to simplify
 		troubleshooting.
 	Portability:
 		Add support for Darwin 19 & 20.
+		Use proper FreeBSD version define to allow for cross
+			compiling.  Fix from Brooks Davis of the FreeBSD
+			project.
 		NOTE: File locking using fcntl() does not interoperate
 		  with Berkeley DB 5.x (and probably later).  Use
 		  CDB, flock() (-DHASFLOCK), or an earlier Berkeley
@@ -104,22 +295,6 @@ summary of the changes in that release.
 		libsmutil/t-lockfile-0.sh
 		libsmutil/t-maplock-0.sh
 
-8.16.2/8.16.2	202X/XX/XX
-	New compile time option NO_EOH_FIELDS to disable the special
-		meaning of the headers Message: and Text: to denote the
-		end of the message header.
-	CONTRIB: AuthRealm.p0 has been modified for 8.16.1 by Anne Bennett.
-	CONTRIB: Added cidrexpand -O option for suppressing duplicates from
-		a CIDR expansion that overlaps a later entry and -S option
-		for skipping comments exactly like makemap does.
-	Portability:
-		Add support for Darwin 19 (Mac OS X 10.15).
-		Use proper FreeBSD version define to allow for cross
-			compiling.  Fix from Brooks Davis of the FreeBSD
-			project.
-	New Files:
-		devtools/OS/Darwin.19.x
-
 8.16.1/8.16.1	2020/07/05
 	SECURITY: If sendmail tried to reuse an SMTP session which had
 		already been closed by the server, then the connection
@@ -5392,7 +5567,7 @@ summary of the changes in that release.
 		characters (in LMTP mode), mail.local split the incoming
 		line up into 2046-character output lines (excluding the
 		newline).  If an input line was 2047 characters long
-		(excluding CR-LF) and the last character was a '.',
+		(excluding CRLF) and the last character was a '.',
 		mail.local saw it as the end of input, transferred it to the
 		user mailbox and tried to write an `ok' back to sendmail.
 		If the message was much longer, both sendmail and
@@ -7675,7 +7850,7 @@ summary of the changes in that release.
 		files that are group writable are considered "unsafe" -- that
 		is, programs and files referenced from such files are not
 		valid recipients.
-	Delete bogosity test for FallBackMX host; this prevented it to be a
+	Delete bogosity test for FallBackMXhost; this prevented it to be a
 		name that was not in DNS or was a domain-literal.  Problem
 		noted by Tom May.
 	Change the introduction to error messages to more clearly delineate
@@ -8414,7 +8589,7 @@ summary of the changes in that release.
 		should show the pathname rather than hex bytes.
 	Restore ``-ba'' mode -- this reads a file from stdin and parses
 		the header for envelope sender information and uses
-		CR-LF as message terminators.  It was thought to be
+		CRLF as message terminators.  It was thought to be
 		obsolete (used only for Arpanet NCP protocols), but it
 		turns out that the UK ``Grey Book'' protocols require
 		that functionality.
@@ -10742,7 +10917,7 @@ summary of the changes in that release.
 		as well as the effective.  The program test/t_setreuid.c
 		will test to see if your implementation of setreuid(2)
 		is appropriately functional.
-	The FallBackMX (option V) handling failed to properly identify
+	The FallBackMXhost (option V) handling failed to properly identify
 		fallback to yourself -- most of the code was there,
 		but it wasn't being enabled.  Problem noted by Murray
 		Kucherawy of the University of Waterloo.

cf/README

@@ -1301,6 +1301,8 @@ dnsbl		Turns on rejection, discarding, or quarantining of hosts
 		definition from `host'.  Set the DNSBL_MAP_OPT mc option
 		to add additional options to the map specification used.
 
+		Note: currently only IPv4 addresses are checked.
+
 		Some DNS based rejection lists cause failures if asked
 		for AAAA records. If your sendmail version is compiled
 		with IPv6 support (NETINET6) and you experience this
@@ -1326,10 +1328,10 @@ enhdnsbl	Enhanced version of dnsbl (see above).  Further arguments
 		compared with the supplied argument(s), and only if a match
 		occurs an error is generated.  For example,
 
-		FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.')
+		FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2')
 
 		will reject the e-mail if the lookup returns the value
-		``127.0.0.2.'', or generate a 451 response if the lookup
+		``127.0.0.2'', or generate a 451 response if the lookup
 		temporarily failed.  The arguments can contain metasymbols
 		as they are allowed in the LHS of rules.  As the example
 		shows, the default values are also used if an empty argument,
@@ -1616,6 +1618,12 @@ sts		Experimental support for Strict Transport Security
 		for the default value).
 		For more information see doc/op/op.me.
 
+fips3		Basic support for FIPS in OpenSSL 3 by setting
+		the environment variables OPENSSL_CONF and
+		OPENSSL_MODULES to the first and second argument,
+		respectively.  For details, see the file and
+		the OpenSSL documentation.
+
 +-------+
 | HACKS |
 +-------+
@@ -1688,6 +1696,7 @@ The macro LOCAL_UUCP can be used to add rules into the generated
 cf file at the place where MAILER(`uucp') inserts its rules.  This
 should only be used if really necessary.
 
+
 +--------------------+
 | USING UUCP MAILERS |
 +--------------------+
@@ -3183,8 +3192,8 @@ VERIFY:bits	verification must have succeeded and ${cipher_bits} must
 ENCR:bits	${cipher_bits} must be greater than or equal bits.
 
 The RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary
-or permanent error.  The default is a temporary error code (403 4.7.0)
-unless the macro TLS_PERM_ERR is set during generation of the .cf file.
+or permanent error.  The default is a temporary error code unless
+the macro TLS_PERM_ERR is set during generation of the .cf file.
 
 If a certain level of encryption is required, then it might also be
 possible that this level is provided by the security layer from a SASL
@@ -3256,9 +3265,10 @@ default TLS options are not modified.
 About 2): the rulesets try_tls, srv_features, and clt_features can
 be used together with the access map.  Entries for the access map
 must be tagged with Try_TLS, Srv_Features, Clt_Features and refer
-to the hostname or IP address of the connecting system.  A default
-case can be specified by using just the tag.  For example, the
-following entries in the access map:
+to the hostname or IP address of the connecting system (the latter
+is not available for clt_features).  A default case can be specified
+by using just the tag.  For example, the following entries in the
+access map:
 
 	Try_TLS:broken.server	NO
 	Srv_Features:my.domain	v
@@ -3376,6 +3386,7 @@ or FEATURE(`authinfo') must be used which provides a separate map.
 Notice: It is not checked whether the map is actually
 group/world-unreadable, this is left to the user.
 
+
 +--------------------------------+
 | ADDING NEW MAILERS OR RULESETS |
 +--------------------------------+
@@ -3461,6 +3472,7 @@ groups can be defined using the command:
 
 For details about queue groups, please see doc/op/op.{me,ps,txt}.
 
+
 +-------------------------------+
 | NON-SMTP BASED CONFIGURATIONS |
 +-------------------------------+
@@ -4406,6 +4418,9 @@ confCERT_FINGERPRINT_ALGORITHM	CertFingerprintAlgorithm
 confSSL_ENGINE		SSLEngine	[undefined] Name of SSLEngine.
 confSSL_ENGINE_PATH	SSLEnginePath	[undefined] Path to dynamic library
 					for SSLEngine.
+confOPENSSL_CNF				[/etc/mail/sendmail.ossl] Set the
+					environment variable OPENSSL_CONF.
+					An empty value disables setting it.
 confNICE_QUEUE_RUN	NiceQueueRun	[undefined]  If set, the priority of
 					queue runners is set the given value
 					(nice(3)).

cf/cf/generic-bsd4.4.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -120,10 +120,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1256,6 +1258,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1264,7 +1267,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1296,7 +1302,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/generic-hpux10.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -121,10 +121,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1257,6 +1259,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1265,7 +1268,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1297,7 +1303,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/generic-hpux9.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -121,10 +121,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1257,6 +1259,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1265,7 +1268,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1297,7 +1303,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/generic-linux.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -125,10 +125,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1261,6 +1263,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1269,7 +1272,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1301,7 +1307,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/generic-mpeix.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -121,10 +121,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1257,6 +1259,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1265,7 +1268,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1297,7 +1303,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/generic-nextstep3.3.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -120,10 +120,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1256,6 +1258,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1264,7 +1267,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1296,7 +1302,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/generic-osf1.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:04:59 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -121,10 +121,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1257,6 +1259,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1265,7 +1268,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1297,7 +1303,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/generic-solaris.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:05:00 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -120,10 +120,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1256,6 +1258,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1264,7 +1267,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1296,7 +1302,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/generic-sunos4.1.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:05:00 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -121,10 +121,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1257,6 +1259,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1265,7 +1268,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1297,7 +1303,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/generic-ultrix4.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:05:00 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -121,10 +121,12 @@ C{E}root
 DnMAILER-DAEMON
 
 
+
 CPREDIRECT
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1
+DZ8.18.1
 
 
 ###############
@@ -1257,6 +1259,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1265,7 +1268,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1297,7 +1303,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/cf/submit.cf

@@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Sun Aug 15 23:05:00 PDT 2021
-##### in /var/tmp/ca/sm8.head/sendmail/OpenSource/sendmail-8.17.1/cf/cf
+##### built by xbuild@xenon14.us.proofpoint.com on Tue Jan 30 22:39:25 PST 2024
+##### in /export/jenkins/jenkins3/workspace/pps-sendmail/OpenSource/sendmail-8.18.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@@ -111,11 +111,13 @@ Kdequote dequote
 DnMAILER-DAEMON
 
 
+
 D{MTAHost}[127.0.0.1]
 
+EOPENSSL_CONF=/etc/mail/sendmail.ossl
 
 # Configuration version number
-DZ8.17.1/Submit
+DZ8.18.1/Submit
 
 
 ###############
@@ -1248,6 +1250,7 @@ Stry_tls
 
 
 
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -1256,7 +1259,10 @@ Stry_tls
 ###		$1: recipient
 ######################################################################
 Stls_rcpt
-
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ 4.7.0 $: "454 DANE: missing STARTTLS."
+R$* $| DANE_TEMP	$#error $@ 4.7.0 $: "454 DANE check failed temporarily."
+R$* $| DANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -1288,7 +1294,6 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "454 TLS handshake failed."
-RDANE_FAIL	$#error $@ 4.7.0 $: "454 DANE check failed."
 RPROTOCOL	$#error $@ 4.7.0 $: "454 STARTTLS failed."
 RCONFIG		$#error $@ 4.7.0 $: "454 STARTTLS temporarily not possible."
 

cf/feature/check_cert_altnames.m4

@@ -13,5 +13,5 @@ divert(0)dnl
 VERSIONID(`$Id: check_cert_altnames.m4 1.0 2019-01-01 01:01:01 ca Exp $')
 divert(-1)
 define(`_FFR_TLS_ALTNAMES', `1')
-divert(6)dnl
+LOCAL_CONFIG
 O SetCertAltnames=true

cf/feature/enhdnsbl.m4

@@ -17,7 +17,7 @@ VERSIONID(`$Id: enhdnsbl.m4,v 1.13 2013-11-22 20:51:11 ca Exp $')
 LOCAL_CONFIG
 define(`_EDNSBL_R_',`')dnl
 # map for enhanced DNS based blocklist lookups
-Kednsbl dns -R A -a. -T<TMP> -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5')
+Kednsbl dns -R A -T<TMP> -z  -Z32 -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5')
 ')
 divert(-1)
 define(`_EDNSBL_SRV_', `_ARG_')dnl
@@ -39,15 +39,15 @@ R<?>OK			$: OKSOFAR
 ifelse(len(X`'_ARG3_),`1',
 `R<?>$+<TMP>		$: TMPOK',
 `R<?>$+<TMP>		$#error $@ 4.4.3 $: _EDNSBL_MSG_TMP_')
-R<?>_EDNSBL_MATCH_	_EDNSBL_ACTION_ $: _EDNSBL_MSG_
+R<?>$* patsubst(_EDNSBL_MATCH_, `\.$', `') $*	_EDNSBL_ACTION_ $: _EDNSBL_MSG_
 ifelse(len(X`'_ARG5_),`1',`dnl',
-`R<?>_ARG5_		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
+`R<?>$* patsubst(_ARG5_, `\.$', `') $*		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
 ifelse(len(X`'_ARG6_),`1',`dnl',
-`R<?>_ARG6_		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
+`R<?>$* patsubst(_ARG6_, `\.$', `') $*		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
 ifelse(len(X`'_ARG7_),`1',`dnl',
-`R<?>_ARG7_		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
+`R<?>$* patsubst(_ARG7_, `\.$', `') $*		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
 ifelse(len(X`'_ARG8_),`1',`dnl',
-`R<?>_ARG8_		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
+`R<?>$* patsubst(_ARG8_, `\.$', `') $*		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
 ifelse(len(X`'_ARG9_),`1',`dnl',
-`R<?>_ARG9_		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
+`R<?>$* patsubst(_ARG9_, `\.$', `') $*		_EDNSBL_ACTION_ $: _EDNSBL_MSG_')
 divert(-1)

cf/feature/fips3.m4

@@ -0,0 +1,16 @@
+divert(-1)
+#
+# Copyright (c) 2023 Proofpoint, Inc. and its suppliers.
+#	All rights reserved.
+#
+# By using this file, you agree to the terms and conditions set
+# forth in the LICENSE file which can be found at the top level of
+# the sendmail distribution.
+#
+#
+
+divert(0)
+define(`confOPENSSL_CNF', dnl
+ifelse(defn(`_ARG_'), `', `/etc/mail/fips.ossl', `_ARG_'))dnl
+ifelse(len(X`'_ARG2_),`1',`',`LOCAL_CONFIG
+EOPENSSL_MODULES=_ARG2_')

cf/feature/ldap_routing.m4

@@ -18,7 +18,7 @@ ifelse(len(X`'_ARG1_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')
 ifelse(len(X`'_ARG2_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')
 ifelse(len(X`'_ARG5_), `1', `', `define(`_LDAP_ROUTE_NODOMAIN_', `yes')')
 
-# Check for third argument to indicate how to deal with non-existant
+# Check for third argument to indicate how to deal with non-existent
 # LDAP records
 ifelse(len(X`'_ARG3_), `1', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',
        _ARG3_, `passthru', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',

cf/hack/xconnect.m4

@@ -20,6 +20,8 @@ LOCAL_RULESETS
 #
 # x_connect ruleset for looking up XConnect: tag in access DB to enable
 # XCONNECT support in MTA
+# if the RHS of the map entry is haproxy1,
+# then HAproxy protocol version 1 is used
 #
 Sx_connect
 dnl workspace: {client_name} $| {client_addr}
@@ -32,6 +34,6 @@ R<?> <$+>		$: $>A < $1 > <?> <! XConnect> <>	no: another lookup
 dnl workspace: <result-of-lookup> (<>|<{client_addr}>)
 R<?> <$*>		$# no					found nothing
 dnl workspace: <result-of-lookup> (<>|<{client_addr}>) | OK
-R<$+> <$*>		$@ yes					found in access DB',
+R<$+> <$*>		$@ $1					found in access DB',
 	`errprint(`*** ERROR: HACK(xconnect) requires FEATURE(access_db)
 ')')

cf/m4/proto.m4

@@ -247,7 +247,9 @@ DM`'MASQUERADE_NAME')
 # my name for error messages
 ifdef(`confMAILER_NAME', `Dn`'confMAILER_NAME', `#DnMAILER-DAEMON')
 
+ifdef(`confOPENSSL_CNF',, `define(`confOPENSSL_CNF', `/etc/mail/sendmail.ossl')')
 undivert(6)dnl LOCAL_CONFIG
+ifelse(defn(`confOPENSSL_CNF'), `', `', `EOPENSSL_CONF=confOPENSSL_CNF')
 include(_CF_DIR_`m4/version.m4')
 
 ###############
@@ -938,7 +940,7 @@ ifdef(`_CANONIFY_HOSTS_', `dnl
 dnl this should only apply to unqualified hostnames
 dnl but if a valid character inside an unqualified hostname is an OperatorChar
 dnl then $- does not work.
-# lookup unqualified hostnames
+# look up unqualified hostnames
 R$* $| $* < @ $* > $*		$: $2 < @ $[ $3 $] > $4', `dnl')', `dnl
 dnl _NO_CANONIFY_ is not set: canonify unless:
 dnl {daemon_flags} contains CC (do not canonify)
@@ -1234,7 +1236,7 @@ R$+ . USENET		$#usenet $@ usenet $: $1',
 
 ifdef(`_LOCAL_RULES_',
 `# figure out what should stay in our local mail system
-undivert(1)', `dnl')
+undivert(1)dnl LOCAL_NET_CONFIG', `dnl')
 
 # pass names that still have a host to a smarthost (if defined)
 R$* < @ $* > $*		$: $>MailerToTriple < $S > $1 < @ $2 > $3	glue on smarthost name
@@ -1436,11 +1438,12 @@ dnl if generics should be applied add a @ as mark
 R$+ < @ *LOCAL* >	$: < $1@$j > $1 < @ *LOCAL* > @	mark
 dnl workspace: either user<@domain> or <user@domain> user <@domain> @
 dnl ignore the first case for now
-dnl if it has the mark lookup full address
+dnl if it has the mark look up full address
 dnl broken: %1 is full address not just detail
 R< $+ > $+ < $* > @	$: < $(generics $1 $: @ $1 $) > $2 < $3 >
 dnl workspace: ... or <match|@user@domain> user <@domain>
-dnl no match, try user+detail@domain
+dnl no match, try user+detail@domain:
+dnl look up user+*@domain and user@domain
 R<@$+ + $* @ $+> $+ < @ $+ >
 		$: < $(generics $1+*@$3 $@ $2 $:@$1 + $2@$3 $) >  $4 < @ $5 >
 R<@$+ + $* @ $+> $+ < @ $+ >
@@ -1527,7 +1530,7 @@ R$={SMTPOpModes} $| TMPF <e r> $| $+	$#error $@ 4.3.0 $: _TMPFMSG_(`OPM')')
 # ... return original address for MTA to queue up
 R$* $| TMPF <$*> $| $+			$@ $3
 
-# if mailRoutingAddress and local or non-existant mailHost,
+# if mailRoutingAddress and local or non-existent mailHost,
 # return the new mailRoutingAddress
 ifelse(_LDAP_ROUTE_DETAIL_, `_PRESERVE_', `dnl
 R<$+@$+> <$=w> <$+> <$+> <$*>	$@ $>Parse0 $>canonify $1 $6 @ $2
@@ -1610,14 +1613,14 @@ dnl			<result> <passthru>
 
 SD
 dnl workspace <key> <default> <passthru> <mark>
-dnl lookup with tag (in front, no delimiter here)
+dnl look up with tag (in front, no delimiter here)
 dnl    2    3  4    5
 R<$*> <$+> <$- $-> <$*>		$: < $(access $4`'_TAG_DELIM_`'$1 $: ? $) > <$1> <$2> <$3 $4> <$5>
 dnl workspace <result-of-lookup|?> <key> <default> <passthru> <mark>
-dnl lookup without tag?
+dnl look up without tag?
 dnl   1    2      3    4
 R<?> <$+> <$+> <+ $-> <$*>	$: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4>
-ifdef(`_LOOKUPDOTDOMAIN_', `dnl omit first component: lookup .rest
+ifdef(`_LOOKUPDOTDOMAIN_', `dnl omit first component: look up .rest
 dnl XXX apply this also to IP addresses?
 dnl currently it works the wrong way round for [1.2.3.4]
 dnl   1  2    3    4  5    6
@@ -1640,7 +1643,7 @@ R<?> <[$+:$-]> <$+> <$- $-> <$*>	$: $>D <[$1]> <$3> <$4 $5> <$6>')
 dnl not found, but subdomain: try again
 dnl   1  2    3    4  5    6
 R<?> <$+.$+> <$+> <$- $-> <$*>	$@ $>D <$2> <$3> <$4 $5> <$6>
-ifdef(`_FFR_LOOKUPTAG_', `dnl lookup Tag:
+ifdef(`_FFR_LOOKUPTAG_', `dnl look up Tag:
 dnl   1    2      3    4
 R<?> <$+> <$+> <! $-> <$*>	$: < $(access $3`'_TAG_DELIM_ $: ? $) > <$1> <$2> <! $3> <$4>', `dnl')
 dnl not found, no subdomain: return <default> and <passthru>
@@ -1669,10 +1672,10 @@ dnl			<result> <passthru>
 ######################################################################
 
 SA
-dnl lookup with tag
+dnl look up with tag
 dnl    2    3  4    5
 R<$+> <$+> <$- $-> <$*>		$: < $(access $4`'_TAG_DELIM_`'$1 $: ? $) > <$1> <$2> <$3 $4> <$5>
-dnl lookup without tag
+dnl look up without tag
 dnl   1    2      3    4
 R<?> <$+> <$+> <+ $-> <$*>	$: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4>
 dnl workspace <result-of-lookup|?> <key> <default> <mark> <passthru>
@@ -2402,7 +2405,7 @@ dnl otherwise call tls_client; see above
 R$+ $| $#$*		$@ $>"Delay_TLS_Clt" $2
 R$+ $| $*		$: <?> $>FullAddr $>CanonAddr $1
 ifdef(`_SPAM_FH_',
-`dnl lookup user@ and user@address
+`dnl look up user@ and user@address
 ifdef(`_ACCESS_TABLE_', `',
 `errprint(`*** ERROR: FEATURE(`delay_checks', `argument') requires FEATURE(`access_db')
 ')')dnl
@@ -2412,7 +2415,7 @@ dnl and simplified by omitting some < >.
 R<?> $+ < @ $=w >	$: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 > <U: $1@>
 R<?> $+ < @ $* >	$: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 >
 dnl R<?>		$@ something_is_very_wrong_here
-# lookup the addresses only with Spam tag
+# look up the addresses only with Spam tag
 R<> $* $| <$+>		$: <@> $1 $| $>SearchList <! Spam> $| <$2> <>
 R<@> $* $| $*		$: $2 $1		reverse result
 dnl', `dnl')
@@ -2608,16 +2611,16 @@ R<$+> <$*> <$- $-> <$*>		$@ <$1> <$5>
 ###	Parameters:
 ###		<exact tag> $| <mark:address> <mark:address> ... <>
 dnl	maybe we should have a @ (again) in front of the mark to
-dnl	avoid errorneous matches (with error messages?)
+dnl	avoid erroneous matches (with error messages?)
 dnl	if we can make sure that tag is always a single token
 dnl	then we can omit the delimiter $|, otherwise we need it
-dnl	to avoid errorneous matchs (first rule: D: if there
+dnl	to avoid erroneous matches (first rule: D: if there
 dnl	is that mark somewhere in the list, it will be taken).
 dnl	moreover, we can do some tricks to enforce lookup with
 dnl	the tag only, e.g.:
 ###	where "exact" is either "+" or "!":
-###	<+ TAG>	lookup with and w/o tag
-###	<! TAG>	lookup with tag
+###	<+ TAG>	look up with and w/o tag
+###	<! TAG>	look up with tag
 dnl	Warning: + and ! should be in OperatorChars (otherwise there must be
 dnl		a blank between them and the tag.
 ###	possible values for "mark" are:
@@ -2706,8 +2709,9 @@ R$*			$: $1 $| $>"Local_clt_features" $1
 R$* $| $#$*		$#$2
 R$* $| $*		$: $1', `dnl')
 ifdef(`_ACCESS_TABLE_', `dnl
-R$*		$: $>D <$&{client_name}> <?> <! CLT_FEAT_TAG> <>
-R<?>$*		$: $>A <$&{client_addr}> <?> <! CLT_FEAT_TAG> <>
+dnl the servername can have a trailing dot from canonification
+R$* .		$1
+R$+		$: $>D <$1> <?> <! CLT_FEAT_TAG> <>
 R<?>$*		$: <$(access CLT_FEAT_TAG`'_TAG_DELIM_ $: ? $)>
 R<?>$*		$@ OK
 ifdef(`_ATMPF_', `dnl tempfail?
@@ -2802,6 +2806,18 @@ R:$* $| $-.$+	$: $(macro {TLS_Name} $@ .$3 $) $>TLS_NameInList :$1
 R$* ok		$@ $>STS_SAN
 R:$*:		$#error $@ 4.7.0 $: 450 $&{server_name} not found in " "$1', `dnl')
 
+ifdef(`TLS_PERM_ERR', `dnl
+define(`TLS_DSNCODE', `5.7.0')dnl
+define(`TLS_ERRCODE', `554')',`dnl
+define(`TLS_DSNCODE', `4.7.0')dnl
+define(`TLS_ERRCODE', `454')')dnl
+define(`SW_MSG', `TLS handshake failed.')dnl
+define(`DANE_MSG', `DANE check failed.')dnl
+define(`DANE_TEMP_MSG', `DANE check failed temporarily.')dnl
+define(`DANE_NOTLS_MSG', `DANE: missing STARTTLS.')dnl
+define(`PROT_MSG', `STARTTLS failed.')dnl
+define(`CNF_MSG', `STARTTLS temporarily not possible.')dnl
+
 ######################################################################
 ###  tls_rcpt: is connection with server "good" enough?
 ###	(done in client, per recipient)
@@ -2833,12 +2849,22 @@ R<?> $+			$: $1 $| <U:$1@> <E:>
 dnl look it up
 dnl also look up a default value via E:
 R$* $| $+	$: $1 $| $>SearchList <! TLS_RCPT_TAG> $| $2 <>
+dnl no applicable requirements; trigger an error on DANE_FAIL
+dnl note: this allows to disable DANE per RCPT.
+R$* $| <?>	$: $1 $| $&{verify} $| <?>
+R$* $| DANE_FAIL $| <?>	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_MSG"
+R$* $| DANE_NOTLS $| <?>	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_NOTLS_MSG"
+R$* $| DANE_TEMP $| <?>	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_TEMP_MSG"
 dnl found nothing: stop here
 R$* $| <?>	$@ OK
 ifdef(`_ATMPF_', `dnl tempfail?
 R$* $| <$* _ATMPF_>	$#error $@ 4.3.0 $: _TMPFMSG_(`TR')', `dnl')
 dnl use the generic routine (for now)
-R$* $| <$+>	$@ $>"TLS_connection" $&{verify} $| <$2>')
+R$* $| <$+>		$@ $>"TLS_connection" $&{verify} $| <$2>', `dnl
+R$*			$: $1 $| $&{verify}
+R$* $| DANE_NOTLS	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_NOTLS_MSG"
+R$* $| DANE_TEMP	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_TEMP_MSG"
+R$* $| DANE_FAIL	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_MSG"')
 
 ######################################################################
 ###  tls_client: is connection with client "good" enough?
@@ -2915,22 +2941,14 @@ dnl	[(PERM|TEMP)+] (VERIFY[:bits]|ENCR:bits) [+extensions]
 dnl	extensions: could be a list of further requirements
 dnl		for now: CN:string	{cn_subject} == string
 ######################################################################
-ifdef(`TLS_PERM_ERR', `dnl
-define(`TLS_DSNCODE', `5.7.0')dnl
-define(`TLS_ERRCODE', `554')',`dnl
-define(`TLS_DSNCODE', `4.7.0')dnl
-define(`TLS_ERRCODE', `454')')dnl
-define(`SW_MSG', `TLS handshake failed.')dnl
-define(`DANE_MSG', `DANE check failed.')dnl
-define(`PROT_MSG', `STARTTLS failed.')dnl
-define(`CNF_MSG', `STARTTLS temporarily not possible.')dnl
 STLS_connection
 ifdef(`_FULL_TLS_CONNECTION_CHECK_', `dnl', `dnl use default error
 dnl deal with TLS handshake failures: abort
 RSOFTWARE	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE SW_MSG"
-RDANE_FAIL	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_MSG"
+dnl RDANE_FAIL	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE DANE_MSG"
 RPROTOCOL	$#error $@ TLS_DSNCODE $: "TLS_ERRCODE PROT_MSG"
 RCONFIG		$#error $@ TLS_DSNCODE $: "TLS_ERRCODE CNF_MSG"
+dnl RDANE_TEMP	$#error $@ 4.7.0 $: "454 DANE_TEMP_MSG"
 divert(-1)')
 dnl common ruleset for tls_{client|server}
 dnl input: ${verify} $| <ResultOfLookup> [<>]
@@ -2953,10 +2971,12 @@ R`'$1 $| $`'*		$`'#error $`'@ TLS_DSNCODE $: "TLS_ERRCODE $2"')dnl
 TLS_ERRORS(SOFTWARE,SW_MSG)
 # deal with TLS protocol errors: abort
 TLS_ERRORS(PROTOCOL,PROT_MSG)
-# deal with DANE errors: abort
-TLS_ERRORS(DANE_FAIL,DANE_MSG)
+dnl # deal with DANE errors: abort
+dnl TLS_ERRORS(DANE_FAIL,DANE_MSG)
 # deal with CONFIG (tls_clt_features) errors: abort
 TLS_ERRORS(CONFIG,CNF_MSG)
+dnl # deal with DANE tempfail: abort
+dnl TLS_ERRORS(DANE_TEMP,DANE_TEMP_MSG)
 R$* $| <$*> <VERIFY>		$: <$2> <VERIFY> <> $1
 dnl separate optional requirements
 R$* $| <$*> <VERIFY + $+>	$: <$2> <VERIFY> <$3> $1

cf/m4/version.m4

@@ -15,4 +15,4 @@ VERSIONID(`$Id: version.m4,v 8.237 2014-01-27 12:55:17 ca Exp $')
 #
 divert(0)
 # Configuration version number
-DZ8.17.1`'ifdef(`confCF_VERSION', `/confCF_VERSION')
+DZ8.18.1`'ifdef(`confCF_VERSION', `/confCF_VERSION')

cf/sh/makeinfo.sh

@@ -55,4 +55,4 @@ fi
 echo '#####' built by $user@$host on `date`
 echo '#####' in `pwd` | sed 's/\/tmp_mnt//'
 echo '#####' using $1 as configuration include directory | sed 's/\/tmp_mnt//'
-echo "define(\`__HOST__', $host)dnl"
+echo "define(\`__HOST__', \`$host')dnl"

contrib/buildvirtuser

@@ -170,7 +170,7 @@ LINE:	while (<DOMAIN>)
 			warn "Bogus line $line in $virts/$domain\n";
 		}
 
-		# Variable subsitution
+		# Variable substitution
 		$key =~ s/\$DOMAIN/$domain/g;
 		$value =~ s/\$DOMAIN/$domain/g;
 		$value =~ s/\$LHS/$lhs/g;

devtools/M4/UNIX/all.m4

@@ -30,7 +30,7 @@ check_PROGRAMS=bldCHECK_PROGRAMS')
 ifdef(`bldCHECK_TARGETS',`dnl
 TESTS=bldCHECK_TARGETS')
 
-VPATH=${srcdir}
+VPATH=${srcdir}:${srcdir}/tests
 changequote([[, ]])
 check-TESTS: $(TESTS)
 	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
@@ -39,6 +39,7 @@ check-TESTS: $(TESTS)
 	if test -n "$$list"; then \
 	  for tst in $$list; do \
 	    if test -f ./$$tst; then dir=./; \
+	    elif test -f "$(srcdir)/tests/$$tst"; then dir="$(srcdir)/tests/"; \
 	    elif test -f $$tst; then dir=; \
 	    else dir="$(srcdir)/"; fi; \
 	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \

devtools/M4/UNIX/sharedlib.m4

@@ -0,0 +1,64 @@
+divert(-1)
+#
+# Copyright (c) 2000-2001, 2006, 2008 Proofpoint, Inc. and its suppliers.
+#	All rights reserved.
+#
+# By using this file, you agree to the terms and conditions set
+# forth in the LICENSE file which can be found at the top level of
+# the sendmail distribution.
+#
+#
+#  Definitions for Makefile construction for sendmail
+#
+#	$Id: sharedlib.m4,v 8.19 2013-11-22 20:51:23 ca Exp $
+#
+divert(0)dnl
+
+define(`confLIBEXT', `a')dnl
+
+SHAREDLIB_SUFFIX= ifdef(`confSHAREDLIB_SUFFIX', `confSHAREDLIB_SUFFIX', `')
+SHAREDLIB_EXT= ifdef(`confSHAREDLIB_EXT', `confSHAREDLIB_EXT', `.so')
+SHAREDLIB= bldCURRENT_PRODUCT${SHAREDLIB_EXT}${SHAREDLIB_SUFFIX}
+SHAREDLIB_LINK= bldCURRENT_PRODUCT${SHAREDLIB_EXT}
+SHAREDLIBDIR= ifdef(`confSHAREDLIBDIR',`confSHAREDLIBDIR',`/usr/lib/')
+DEPLIBS= ifdef(`confDEPLIBS', `confDEPLIBS', `') ${bldCURRENT_PRODUCT`SMDEPLIBS'}
+
+CONFIG_SONAME= ifdef(`confSONAME', `confSONAME ${SHAREDLIB}', `')
+
+include(confBUILDTOOLSDIR`/M4/'bldM4_TYPE_DIR`/links.m4')dnl
+bldLIST_PUSH_ITEM(`bldC_PRODUCTS', bldCURRENT_PRODUCT)dnl
+bldPUSH_TARGET(${SHAREDLIB})dnl
+bldPUSH_TARGET(bldCURRENT_PRODUCT`.a')dnl
+bldPUSH_INSTALL_TARGET(`install-'bldCURRENT_PRODUCT)dnl
+bldPUSH_CLEAN_TARGET(bldCURRENT_PRODUCT`-clean')dnl
+
+ifdef(`bld_ALREADY_SO',,
+	`ifdef(`confCCOPTS_SO',
+		`PREPENDDEF(`confCCOPTS', `defn(`confCCOPTS_SO')')')')
+define(`bld_ALREADY_SO')
+include(confBUILDTOOLSDIR`/M4/'bldM4_TYPE_DIR`/defines.m4')
+divert(bldTARGETS_SECTION)
+
+${SHAREDLIB}: ${BEFORE} ${bldCURRENT_PRODUCT`OBJS'} ifelse(bldOS, `AIX', `bldCURRENT_PRODUCT.a')
+	${LD} ${LDOPTS_SO} ${CONFIG_SONAME} -o ${SHAREDLIB} ${bldCURRENT_PRODUCT`OBJS'} ${LIBDIRS} ${DEPLIBS}
+	ifelse(bldOS, `AIX', `${CP} ${SHAREDLIB} shr.o
+	${AR} ${AROPTS} bldCURRENT_PRODUCT.a shr.o
+	${CP} bldCURRENT_PRODUCT.a ${SHAREDLIB}',`rm -f bldCURRENT_PRODUCT${SHAREDLIB_EXT}
+	${LN} ${SHAREDLIB} bldCURRENT_PRODUCT${SHAREDLIB_EXT}')
+
+bldCURRENT_PRODUCT.a: ${BEFORE} ${bldCURRENT_PRODUCT`OBJS'}
+	${AR} ${AROPTS} bldCURRENT_PRODUCT.a ${bldCURRENT_PRODUCT`OBJS'}
+	${RANLIB} ${RANLIBOPTS} bldCURRENT_PRODUCT.a
+
+ifdef(`bldLINK_SOURCES', `bldMAKE_SOURCE_LINKS(bldLINK_SOURCES)')
+
+install-`'bldCURRENT_PRODUCT: ${SHAREDLIB}
+	ifdef(`confMKDIR', `if [ ! -d ${DESTDIR}${SHAREDLIBDIR} ]; then confMKDIR -p ${DESTDIR}${SHAREDLIBDIR}; else :; fi ')
+	${INSTALL} -c -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} ${SHAREDLIB} ${DESTDIR}${SHAREDLIBDIR}
+	ifelse(bldOS, `AIX', `${AR} ${AROPTS} ${DESTDIR}${SHAREDLIBDIR}bldCURRENT_PRODUCT.a ${SHAREDLIB}', `rm -f ${DESTDIR}${SHAREDLIBDIR}${SHAREDLIB_LINK}
+	${LN} ${LNOPTS} ${DESTDIR}${SHAREDLIBDIR}${SHAREDLIB} ${DESTDIR}${SHAREDLIBDIR}${SHAREDLIB_LINK}')
+
+bldCURRENT_PRODUCT-clean:
+	rm -f ${OBJS} ${SHAREDLIB} bldCURRENT_PRODUCT.a ${MANPAGES} ifelse(bldOS, `AIX', `shr.o', `bldCURRENT_PRODUCT${SHAREDLIB_EXT}')
+
+divert(0)

devtools/OS/Darwin.21.x

@@ -0,0 +1,24 @@
+dnl	DO NOT EDIT THIS FILE.
+dnl	Place personal settings in devtools/Site/site.config.m4
+
+#
+define(`confCC', `cc -pipe ${Extra_CC_Flags}')
+define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX')
+define(`confENVDEF', `-DDARWIN=210000 -DBIND_8_COMPAT -DNETINET6')
+define(`confLDOPTS', `${Extra_LD_Flags}')
+define(`confMTLDOPTS', `-lpthread')
+define(`confMILTER_STATIC', `')
+define(`confDEPEND_TYPE', `CC-M')
+define(`confOPTIMIZE', `-O3')
+define(`confRANLIBOPTS', `-c')
+define(`confHFDIR', `/usr/share/sendmail')
+define(`confINSTALL_RAWMAN')
+define(`confMANOWN', `root')
+define(`confMANGRP', `wheel')
+define(`confUBINOWN', `root')
+define(`confUBINGRP', `wheel')
+define(`confSBINOWN', `root')
+define(`confSBINGRP', `wheel')
+define(`confLDOPTS_SO', `-dynamiclib -flat_namespace -undefined suppress -single_module')
+define(`confSHAREDLIB_EXT', `.dylib')
+APPENDDEF(`conf_sendmail_LIBS', `-lresolv')

devtools/OS/Darwin.22.x

@@ -0,0 +1,24 @@
+dnl	DO NOT EDIT THIS FILE.
+dnl	Place personal settings in devtools/Site/site.config.m4
+
+#
+define(`confCC', `cc -pipe ${Extra_CC_Flags}')
+define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX')
+define(`confENVDEF', `-DDARWIN=220000 -DBIND_8_COMPAT -DNETINET6')
+define(`confLDOPTS', `${Extra_LD_Flags}')
+define(`confMTLDOPTS', `-lpthread')
+define(`confMILTER_STATIC', `')
+define(`confDEPEND_TYPE', `CC-M')
+define(`confOPTIMIZE', `-O3')
+define(`confRANLIBOPTS', `-c')
+define(`confHFDIR', `/usr/share/sendmail')
+define(`confINSTALL_RAWMAN')
+define(`confMANOWN', `root')
+define(`confMANGRP', `wheel')
+define(`confUBINOWN', `root')
+define(`confUBINGRP', `wheel')
+define(`confSBINOWN', `root')
+define(`confSBINGRP', `wheel')
+define(`confLDOPTS_SO', `-dynamiclib -flat_namespace -undefined suppress -single_module')
+define(`confSHAREDLIB_EXT', `.dylib')
+APPENDDEF(`conf_sendmail_LIBS', `-lresolv')

devtools/OS/Darwin.23.x

@@ -0,0 +1,24 @@
+dnl	DO NOT EDIT THIS FILE.
+dnl	Place personal settings in devtools/Site/site.config.m4
+
+#
+define(`confCC', `cc -pipe ${Extra_CC_Flags}')
+define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX')
+define(`confENVDEF', `-DDARWIN=230000 -DBIND_8_COMPAT -DNETINET6')
+define(`confLDOPTS', `${Extra_LD_Flags}')
+define(`confMTLDOPTS', `-lpthread')
+define(`confMILTER_STATIC', `')
+define(`confDEPEND_TYPE', `CC-M')
+define(`confOPTIMIZE', `-O3')
+define(`confRANLIBOPTS', `-c')
+define(`confHFDIR', `/usr/share/sendmail')
+define(`confINSTALL_RAWMAN')
+define(`confMANOWN', `root')
+define(`confMANGRP', `wheel')
+define(`confUBINOWN', `root')
+define(`confUBINGRP', `wheel')
+define(`confSBINOWN', `root')
+define(`confSBINGRP', `wheel')
+define(`confLDOPTS_SO', `-dynamiclib -flat_namespace -undefined suppress -single_module')
+define(`confSHAREDLIB_EXT', `.dylib')
+APPENDDEF(`conf_sendmail_LIBS', `-lresolv')

devtools/OS/HP-UX.11.x

@@ -3,7 +3,7 @@
 dnl	DO NOT EDIT THIS FILE.
 dnl	Place personal settings in devtools/Site/site.config.m4
 
-# +z is to generate position independant code
+# +z is to generate position independent code
 define(`confCClibsmi', `cc -Ae +Z')
 define(`confCC', `cc -Ae')
 define(`confMAPDEF', `-DNDBM -DNIS -DMAP_REGEX')

devtools/README

@@ -49,8 +49,7 @@ configuration step by specifying the -S flag with the Build command.
 The OS subtree contains definitions for variations on a standard
 model for system installation.  The M4 variables that can be defined
 and their defaults before referencing the appropriate OS definitions
-are listed below.  Note that variables preceded by an asterisk (*)
-are currently not used in the open source distribution.
+are listed below.
 
 confBEFORE	    [empty]		Files to create before sendmail is
 					compiled.  The methods must be defined
@@ -86,7 +85,7 @@ confBUILDBIN	    ../../devtools/bin	The location of the build support
 					directory.
 confCC		    cc			The C compiler to use.
 confCCOPTS	    [empty]		Additional options to pass to confCC.
-*confCCOPTS_SO	    [empty]		Additional options for compiling
+confCCOPTS_SO	    [empty]		Additional options for compiling
 					shared object libraries.
 confCCLINK	    confCC		Linker to use (for executables).
 confCOPY	    cp			A program that copies files.
@@ -127,9 +126,9 @@ confINSTALL	    install		The BSD-compatible install program.
 					Use ${BUILDBIN}/install.sh if none
 					is available on your system.
 confINSTALL_RAWMAN  [undefined]		Install the unformatted manual pages.
-*confLD		    confCC		Linker to use (for libraries).
+confLD		    confCC		Linker to use (for libraries).
 confLDOPTS	    [empty]		Linker options.
-*confLDOPTS_SO	    [empty]		Additional linker options for
+confLDOPTS_SO	    [empty]		Additional linker options for
 					linking shared object libraries.
 confLIBDIR	    /usr/lib		Where to install library files.
 confLIBDIRS	    [empty]		-L flags passed to ld.
@@ -214,9 +213,9 @@ confSBINOWN	    root		The owner for set-user-ID binaries.
 confSETUSERID_INSTALL	[undefined]	Needs to be defined to enable the
 					install-set-user-id target for
 					sendmail.  See sendmail/SECURITY.
-confSHAREDLIB_EXT   .so              	Shared library file extenion name.
+confSHAREDLIB_EXT   .so              	Shared library file extension name.
 confSHAREDLIB_SUFFIX [empty]		Shared object version suffix.
-confSHAREDLIBDIR    /usr/lib/		Directory for installing shared
+confSHAREDLIBDIR   /usr/lib/		Directory for installing shared
 					library.  Note: if the value is
 					not empty, it must end with a
 					slash ('/') otherwise it will not

devtools/Site/site.config.m4.sample

@@ -21,7 +21,7 @@ APPENDDEF(`confENVDEF', `-UNIS')
 dnl #####################################################################
 dnl ###                                                               ###
 dnl ### The next group of statements illustrates how to add support   ###
-dnl ### for a particular map class.
+dnl ### for a particular map class.                                   ###
 dnl ###                                                               ###
 dnl ### Note that the map define goes in confMAPDEF, and that any     ###
 dnl ### special library must be defined.  Note, also that include     ###

devtools/bin/configure.sh

@@ -167,7 +167,7 @@ then
 	echo "define(\`confRANLIB', \`ranlib')dnl"
 fi
 
-roff_progs="groff nroff"
+roff_progs="groff nroff mandoc"
 for roff_prog in $roff_progs
 do
 	if [ ! -z "`$SHELL $find_prog $roff_prog`" ]
@@ -179,7 +179,7 @@ done
 
 case $found_roff
 in
-	groff)
+	groff|mandoc)
 		echo "ifdef(\`confNROFF',,\`define(\`confNROFF', \`$found_roff -Tascii')')dnl"
 		;;
 	nroff)

doc/op/Makefile

@@ -13,9 +13,12 @@ PIC=		${PIC_CMD} -C
 EQNASCII=	${EQN_CMD} -C -Tascii
 EQNPS=		${EQN_CMD} -C -Tps
 ROFFASCII=	${ROFF_CMD} -Tascii ${MACROS}
+ROFFNOSGR=	GROFF_NO_SGR=1 ${ROFFASCII}
 ROFFPS=		${ROFF_CMD} -Tps -mps ${MACROS}
 ULASCII=	${UL_CMD} -t dumb
 PS2PDF=		${PS2PDF_CMD}
+OPTXT_CMD=	${PIC} ${SRCS} | ${EQNASCII} | ${ROFFASCII} | ${ULASCII} 2>/dev/null
+OPTXTNS_CMD=	${PIC} ${SRCS} | ${EQNASCII} | ${ROFFNOSGR} | ${ULASCII}
 
 all: ${OBJS}
 
@@ -26,8 +29,7 @@ op.ps: ${SRCS}
 
 op.txt: ${SRCS}
 	rm -f $@
-	@echo "Note: see README file in case of errors."
-	${PIC} ${SRCS} | ${EQNASCII} | ${ROFFASCII} | ${ULASCII} > $@
+	${OPTXT_CMD} > $@ || ${OPTXTNS_CMD} > $@
 
 op.pdf: op.ps
 	rm -f $@

doc/op/op.me

@@ -92,7 +92,7 @@ Version \\$2
 ..
 .rm Ve
 .sp
-For Sendmail Version 8.17
+For Sendmail Version 8.18
 .)l
 .(f
 Sendmail is a trademark of Proofpoint, Inc.
@@ -1690,22 +1690,17 @@ Blank lines and lines beginning with a sharp sign
 .q # )
 are comments.
 .pp
-The second form is processed by the
+The second form is processed by one of the available map types,
+e.g.,
 .i ndbm \|(3)\**
 .(f
 \**The
 .i gdbm
 package does not work.
 .)f
-or the Berkeley DB library.
-This form is in the file
-.i /etc/mail/aliases.db
-(if using NEWDB)
+the Berkeley DB library,
 or
-.i /etc/mail/aliases.dir
-and
-.i /etc/mail/aliases.pag
-(if using NDBM).
+.i cdb .
 This is the form that
 .i sendmail
 actually uses to resolve aliases.
@@ -3246,6 +3241,9 @@ often cannot assume that a given file was created by the owner,
 particularly when it is in a writable directory.
 You can set this flag if you know that file giveaway is restricted
 on your system.
+.ip CertOwner
+Accept certificate public and private key files
+which are not owned by RunAsUser for STARTTLS.
 .ip ClassFileInUnsafeDirPath
 When reading class files (using the
 .b F
@@ -4415,17 +4413,18 @@ It can accept or reject the command.
 The
 .i clt_features
 ruleset is called with the server's host name
-when sendmail connects to it.
+before sendmail connects to it
+(only if sendmail is compiled with STARTTLS or SASL).
 This ruleset should return
 .b $#
 followed by a list of options
-(single characters delimited by white space).
+(in general, single characters delimited by white space).
 If the return value starts with anything else it is silently ignored.
 Generally upper case characters turn off a feature
 while lower case characters turn it on.
 Options `D'/`M' cause the client to not use DANE/MTA-STS,
 respectively,
-which is useful to interact with MTAs/MUs that have broken
+which is useful to interact with MTAs that have broken
 DANE/MTA-STS setups by simply not using it.
 Note:
 The
@@ -4454,15 +4453,18 @@ not passed on to the next relay.
 .pp
 The
 .i tls_client
-ruleset is called when sendmail acts as server, after a STARTTLS command
-has been issued, and from
+ruleset is called when sendmail acts as server:
+after a STARTTLS command has been issued and the TLS handshake
+was performed,
+and from
 .i check_mail.
 The parameter is the value of
 .b ${verify}
 and STARTTLS or MAIL, respectively.
 If the ruleset does resolve to the
 .q error
-mailer, the appropriate error code is returned to the client.
+mailer, the appropriate error code is returned to the client,
+for STARTTLS this happens for (most) subsequent commands.
 .sh 4 "tls_server"
 .pp
 The
@@ -4506,8 +4508,8 @@ ruleset is called with the connecting client's host name
 when a client connects to sendmail.
 This ruleset should return
 .b $#
-followed by a list of options (single characters
-delimited by white space).
+followed by a list of options
+(in general, single characters delimited by white space).
 If the return value starts with anything else it is silently ignored.
 Generally upper case characters turn off a feature
 while lower case characters turn it on.
@@ -4526,6 +4528,40 @@ If a client sends one of the (HTTP) commands GET, POST, CONNECT, or USER
 the connection is immediately terminated in the following cases:
 if sent as first command, if sent as first command after STARTTLS,
 or if the 'h' option is set.
+Option 'F' disables SMTP transaction stuffing protection which is
+enabled by default.
+The protection checks for clients which try to send commands
+without waiting for the server HELO/EHLO and DATA response.
+Option 'o' causes the server to accept only
+CRLF . CRLF
+as end of an SMTP message as required by the RFCs
+which is also a defense against SMTP smuggling (CVE-2023-51765).
+Option 'O' allows the server to accept a single dot on a line by itself
+as end of an SMTP message.
+Option 'g' instructs the server to fail SMTP messages
+which have a LF without a CR directly before it ("bare LF")
+by dropping the session with a 421 error.
+Option 'G' accepts SMTP messages which have a "bare LF".
+Option 'u' instructs the server to fail SMTP messages
+which have a CR without a LF directly after it ("bare CR")
+by dropping the session with a 421 error.
+Option 'U' accepts SMTP messages which have a "bare CR".
+There is a variant for the options 'u' and 'g':
+a '2' can be appended to the single character,
+in which case the server will replace the offending bare CR
+or bare LF with a space.
+This allows to accept mail from broken systems,
+but the message is modified to avoid SMTP smuggling.
+If needed, systems with broken SMTP implementations
+can be allowed some violations, e.g., a combination of
+.(b
+G U g2 u2 O
+.)b
+A command like
+.(b
+egrep 'Bare.*(CR|LF).*not allowed' $MAILLOG
+.)b
+can be used to find hosts which send bare CR or LF.
 .(b
 .ta 9n
 A	Do not offer AUTH
@@ -4539,13 +4575,24 @@ D	Do not offer DSN
 d	Offer DSN (default)
 E	Do not offer ETRN
 e	Offer ETRN (default)
+F	Disable transaction stuffing protection
+f	Enforce transaction stuffing protection (default)
+G	Accept "bare LF"s in a message
+g	Do not accept "bare LF"s in a message (default)
+g2	Replace "bare LF" in a message with space
 h	Terminate session after HTTP commands
 L	Do not require AUTH (default)
 l	Require AUTH
+O	Accept a single dot on a line by itself
+	as end of an SMTP message
+o	Require CRLF . CRLF as end of an SMTP message (default)
 P	Do not offer PIPELINING
 p	Offer PIPELINING (default)
 S	Do not offer STARTTLS
 s	Offer STARTTLS (default)
+U	Accept "bare CR"s in a message
+u	Do not accept "bare CR"s in a message (default)
+u2	Replace "bare CR" in a message with space
 V	Do not request a client certificate
 v	Request a client certificate (default)
 X	Do not offer EXPN
@@ -4566,6 +4613,7 @@ accept email.
 The
 .i try_tls
 ruleset is called when sendmail connects to another MTA.
+The argument for the ruleset is the name of the server.
 If the ruleset does resolve to the
 .q error
 mailer, sendmail does not try STARTTLS even if it is offered.
@@ -4667,6 +4715,10 @@ specifying only one is an error.
 The
 .i authinfo
 ruleset is called when sendmail tries to authenticate to another MTA.
+The arguments for the ruleset are the host name and IP address
+of the server separated by
+.b $|
+(which is a metacharacter).
 It should return
 .b $#
 followed by a list of tokens that are used for SMTP AUTH.
@@ -4713,6 +4765,10 @@ The
 .i greet_pause
 ruleset is used to specify the amount of time to pause before sending the
 initial SMTP 220 greeting.
+The arguments for the ruleset are the host name and IP address
+of the client separated by
+.b $|
+(which is a metacharacter).
 If any traffic is received during that pause, an SMTP 554 rejection
 response is given instead of the 220 greeting and all SMTP commands are
 rejected during that connection.
@@ -4967,26 +5023,6 @@ a richer set of operators is
 which adds support for UUCP, the %-hack, and X.400 addresses.
 .ip $p
 Sendmail's process id.
-.ip $q\(dg
-Default format of sender address.
-The
-.b $q
-macro specifies how an address should appear in a message
-when it is defaulted.
-Defaults to
-.q "<$g>" .
-It is commonly redefined to be
-.q "$?x$x <$g>$|$g$."
-or
-.q "$g$?x ($x)$." ,
-corresponding to the following two formats:
-.(b
-Eric Allman <eric@CS.Berkeley.EDU>
-eric@CS.Berkeley.EDU (Eric Allman)
-.)b
-.i Sendmail
-properly quotes names that have special characters
-if the first form is used.
 .ip $r
 Protocol used to receive the message.
 Set from the
@@ -5356,16 +5392,21 @@ Possible values are:
 .(b
 .ta 13n
 TRUSTED	verification via DANE succeeded.
+DANE_FAIL	verification via DANE failed.
+DANE_TEMP	verification via DANE failed temporarily.
+DANE_NOTLS	DANE required but STARTTLS was not available.
 OK	verification succeeded.
 NO	no cert presented.
 NOT	no cert requested.
 FAIL	cert presented but could not be verified,
 	e.g., the signing CA is missing.
 NONE	STARTTLS has not been performed.
-CLEAR	STARTTLS has been disabled internally for a clear text delivery attempt.
+CLEAR	STARTTLS has been disabled internally
+	for a clear text delivery attempt.
 TEMP	temporary error occurred.
 PROTOCOL	some protocol error occurred
 	at the ESMTP level (not TLS).
+CONFIG	tls_*_features failed due to a syntax error.
 SOFTWARE	STARTTLS handshake failed,
 	which is a fatal error for this session,
 	the e-mail will be queued.
@@ -5670,7 +5711,7 @@ will fill the class
 .b $={VirtHosts}
 from an LDAP map lookup and
 .b $={MyClass}
-from a hash database map lookup of the
+from a hash database map lookup of the key
 .b foo .
 There is also a built-in schema that can be accessed by only specifying:
 .(b
@@ -5703,7 +5744,7 @@ Some classes have internal meaning to
 .nr ii 0.5i
 .\".ip $=b
 .\"A set of Content-Types that will not have the newline character
-.\"translated to CR-LF before encoding into base64 MIME.
+.\"translated to CRLF before encoding into base64 MIME.
 .\"The class can have major times
 .\"(e.g.,
 .\".q image )
@@ -5793,6 +5834,24 @@ file into a class, use
 FL/etc/passwd %[^:]
 .)b
 which reads every line up to the first colon.
+.sh 2 "E \*- Set or Propagate Environment Variables"
+.pp
+.b E
+configuration lines set or propagate environment variables into children.
+.(b F
+.b E \c
+.i name
+.)b
+will propagate the named variable from the environment when
+.i sendmail
+was invoked into any children it calls;
+.(b F
+.b E \c
+.i name =\c
+.i value
+.)b
+sets the named variable to the indicated value.
+Any variables not explicitly named will not be in the child environment.
 .sh 2 "M \*- Define Mailer"
 .pp
 Programs and interfaces to mailers
@@ -5819,7 +5878,7 @@ Path	The pathname of the mailer
 Flags	Special flags for this mailer
 Sender	Rewriting set(s) for sender addresses
 Recipient	Rewriting set(s) for recipient addresses
-recipients	Maximum number of recipients per connection
+recipients	Maximum number of recipients per envelope
 Argv	An argument vector to pass to this mailer
 Eol	The end-of-line string for this mailer
 Maxsize	The maximum message length to this mailer
@@ -6146,7 +6205,7 @@ Do not apply
 .b FallbackMXhost
 either.
 .ip 1
-Don't send null characters ('\\0') to this mailer.
+Strip null characters ('\\0') when sending to this mailer.
 .ip 2
 Don't use ESMTP even if offered; this is useful for broken
 systems that offer ESMTP but fail on EHLO (without recovering
@@ -6187,7 +6246,7 @@ do
 7\(->8 bit MIME conversions.
 These conversions are limited to text/plain data.
 .ip :
-Check addresses to see if they begin
+Check addresses to see if they begin with
 .q :include: ;
 if they do, convert them to the
 .q *include*
@@ -6679,13 +6738,11 @@ If it does not appear in the
 .i timeout
 interval issue a warning.
 .ip AllowBogusHELO
-[no short name]
 If set, allow HELO SMTP commands that don't include a host name.
 Setting this violates RFC 1123 section 5.2.5,
 but is necessary to interoperate with several SMTP clients.
 If there is a value, it is still checked for legitimacy.
 .ip AuthMaxBits=\fIN\fP
-[no short name]
 Limit the maximum encryption strength for the security layer in
 SMTP AUTH (SASL). Default is essentially unlimited.
 This allows to turn off additional encryption in SASL if
@@ -6698,7 +6755,6 @@ Hence setting
 .b AuthMaxBits
 to 168 will disable any encryption in SASL.
 .ip AuthMechanisms
-[no short name]
 List of authentication mechanisms for AUTH (separated by spaces).
 The advertised list of authentication mechanisms will be the
 intersection of this list and the list of available mechanisms as
@@ -6706,7 +6762,6 @@ determined by the Cyrus SASL library.
 If STARTTLS is active, EXTERNAL will be added to this list.
 In that case, the value of {cert_subject} is used as authentication id.
 .ip AuthOptions
-[no short name]
 List of options for SMTP AUTH consisting of single characters
 with intervening white space or commas.
 .(b
@@ -6743,14 +6798,12 @@ The options 'a', 'c', 'd', 'f', 'p', and 'y' refer to properties of the
 selected SASL mechanisms.
 Explanations of these properties can be found in the Cyrus SASL documentation.
 .ip AuthRealm
-[no short name]
 The authentication realm that is passed to the Cyrus SASL library.
 If no realm is specified,
 .b $j
 is used.
 See also KNOWNBUGS.
 .ip BadRcptThrottle=\fIN\fP
-[no short name]
 If set and the specified number of recipients in a single SMTP
 transaction have been rejected, sleep for one second after each subsequent
 RCPT command in that transaction.
@@ -6761,12 +6814,10 @@ Set the blank substitution character to
 Unquoted spaces in addresses are replaced by this character.
 Defaults to space (i.e., no change is made).
 .ip CACertPath
-[no short name]
 Path to directory with certificates of CAs.
 This directory directory must contain the hashes of each CA certificate
 as filenames (or as links to them).
 .ip CACertFile
-[no short name]
 File containing one or more CA certificates;
 see section about STARTTLS for more information.
 .ip CertFingerprintAlgorithm
@@ -6811,19 +6862,16 @@ and subtracted from the priority.
 Thus, messages with a higher Priority: will be favored.
 Defaults to 1800.
 .ip ClientCertFile
-[no short name]
 File containing the certificate of the client, i.e., this certificate
 is used when
 .i sendmail
 acts as client (for STARTTLS).
 .ip ClientKeyFile
-[no short name]
 File containing the private key belonging to the client certificate
 (for STARTTLS if
 .i sendmail
 runs as client).
 .ip ClientPortOptions=\fIoptions\fP
-[no short name]
 Set client SMTP options.
 The options are
 .i key=value
@@ -6886,7 +6934,6 @@ Options can be cleared by preceding them with a minus sign.
 It is also possible to specify numerical values, e.g.,
 .b -0x0010 .
 .ip ColonOkInAddr
-[no short name]
 If set, colons are acceptable in e-mail addresses
 (e.g.,
 .q host:user ).
@@ -6935,11 +6982,9 @@ and avoid using up excessive resources
 on the other end.
 The default is five minutes.
 .ip ConnectOnlyTo=\fIaddress\fP
-[no short name]
 This can be used to
 override the connection address (for testing purposes).
 .ip ConnectionRateThrottle=\fIN\fP
-[no short name]
 If set to a positive value,
 allow no more than
 .i N
@@ -6948,12 +6993,10 @@ This is intended to flatten out peaks
 and allow the load average checking to cut in.
 Defaults to zero (no limits).
 .ip ConnectionRateWindowSize=\fIN\fP
-[no short name]
 Define the length of the interval for which
 the number of incoming connections is maintained.
 The default is 60 seconds.
 .ip ControlSocketName=\fIname\fP
-[no short name]
 Name of the control socket for daemon management.
 A running
 .i sendmail
@@ -6974,13 +7017,11 @@ and the load average of the machine expressed as an integer.
 If not set, no control socket will be available.
 Solaris and pre-4.4BSD kernel users should see the note in sendmail/README .
 .ip CRLFile=\fIname\fP
-[no short name]
 Name of file that contains certificate
 revocation status, useful for X.509v3 authentication.
 Note: if a CRLFile is specified but the file is unusable,
 STARTTLS is disabled.
 .ip CRLPath=\fIname\fP
-[no short name]
 Name of directory that contains hashes pointing to
 certificate revocation status files.
 Symbolic links can be generated with the following
@@ -7142,7 +7183,6 @@ The modifier ``O'' causes sendmail to ignore a socket
 if it can't be opened.
 This applies to failures from the socket(2) and bind(2) calls.
 .ip DefaultAuthInfo
-[no short name]
 Filename that contains default authentication information for outgoing
 connections. This file must contain the user id, the authorization id,
 the password (plain text), the realm and the list of mechanisms to use
@@ -7162,7 +7202,6 @@ will complain).
 Use the authinfo ruleset instead which provides more control over
 the usage of the data anyway.
 .ip DefaultCharSet=\fIcharset\fP
-[no short name]
 When a message that has 8-bit characters but is not in MIME format
 is converted to MIME
 (see the EightBitMode option)
@@ -7174,7 +7213,6 @@ If this option is not set, the value
 .q unknown-8bit
 is used.
 .ip DataFileBufferSize=\fIthreshold\fP
-[no short name]
 Set the
 .i threshold ,
 in bytes,
@@ -7183,7 +7221,6 @@ queue data file
 becomes disk-based.
 The default is 4096 bytes.
 .ip DeadLetterDrop=\fIfile\fP
-[no short name]
 Defines the location of the system-wide dead.letter file,
 formerly hardcoded to /usr/tmp/dead.letter.
 If this option is not set (the default),
@@ -7224,14 +7261,12 @@ option has been combined into the
 option.
 .)f
 .ip DelayLA=\fILA\fP
-[no short name]
 When the system load average exceeds
 .i LA ,
 .i sendmail
 will sleep for one second on most SMTP commands and
 before accepting connections.
 .ip DeliverByMin=\fItime\fP
-[no short name]
 Set minimum time for Deliver By SMTP Service Extension (RFC 2852).
 If 0, no time is listed, if less than 0, the extension is not offered,
 if greater than 0, it is listed as minimum time
@@ -7260,7 +7295,6 @@ Note: for internal reasons,
 if a milter is enabled which can reject or delete recipients.
 In that case the mode will be changed to ``b''.
 .ip DialDelay=\fIsleeptime\fP
-[no short name]
 Dial-on-demand network connections can see timeouts
 if a connection is opened before the call is set up.
 If this is set to an interval and a connection times out
@@ -7287,7 +7321,6 @@ is either "CC f" if the option
 is used or "c u" otherwise.
 Note that only the "CC", "c", "f", and "u" flags are checked.
 .ip DontBlameSendmail=\fIoption,option,...\fP
-[no short name]
 In order to avoid possible cracking attempts
 caused by world- and group-writable files and directories,
 .i sendmail
@@ -7304,7 +7337,6 @@ The details of these flags are described above.
 .\"XXX should have more here!!!  XXX
 .b "Use of this option is not recommended."
 .ip DontExpandCnames
-[no short name]
 The standards say that all host addresses used in a mail message
 must be fully canonical.
 For example, if your host is named
@@ -7322,7 +7354,6 @@ so the behavior may become acceptable.
 Please note that hosts downstream may still rewrite the address
 to be the true canonical name however.
 .ip DontInitGroups
-[no short name]
 If set,
 .i sendmail
 will avoid using the initgroups(3) call.
@@ -7334,7 +7365,6 @@ will be their primary group (the one in the password file),
 which will make file access permissions somewhat more restrictive.
 Has no effect on systems that don't have group lists.
 .ip DontProbeInterfaces
-[no short name]
 .i Sendmail
 normally finds the names of all interfaces active on your machine
 when it starts up
@@ -7375,7 +7405,6 @@ and the mail will be sent to the first address in the route,
 even if later addresses are known.
 This may be useful if you are caught behind a firewall.
 .ip DoubleBounceAddress=\fIerror-address\fP
-[no short name]
 If an error occurs when sending an error message,
 send the error report
 (termed a
@@ -7483,7 +7512,7 @@ background delivery.
 If specified, the
 .i fallbackhost
 acts like a very low priority MX
-on every host.
+on a host.
 MX records will be looked up for this host,
 unless the name is surrounded by square brackets.
 This is intended to be used by sites with poor network connectivity.
@@ -7493,12 +7522,11 @@ also go to the FallbackMXhost.
 .ip FallBackSmartHost=\fIhostname\fP
 If specified, the
 .i FallBackSmartHost
-will be used in a last-ditch effort for each host.
+will be used in a last-ditch effort for a host.
 This is intended to be used by sites with "fake internal DNS",
 e.g., a company whose DNS accurately reflects the world
 inside that company's domain but not outside.
 .ip FastSplit
-[no short name]
 If set to a value greater than zero (the default is one),
 it suppresses the MX lookups on addresses
 when they are initially sorted, i.e., for the first delivery attempt.
@@ -7538,7 +7566,6 @@ and then in
 .i ~username /.forward
 (but only if the first file does not exist).
 .ip HeloName=\fIname\fP
-[no short name]
 Set the name to be used for HELO/EHLO (instead of $j).
 .ip HelpFile=\fIfile\fP
 [H]
@@ -7555,7 +7582,6 @@ To avoid providing this information to a client specify an empty file.
 If an outgoing mailer is marked as being expensive,
 don't connect immediately.
 .ip HostsFile=\fIpath\fP
-[no short name]
 The path to the hosts database,
 normally
 .q /etc/hosts .
@@ -7573,7 +7599,6 @@ that is under the control of the system
 .i gethostbyname (3)
 routine.
 .ip HostStatusDirectory=\fIpath\fP
-[no short name]
 The location of the long term host status information.
 When set,
 information about the status of hosts
@@ -7592,16 +7617,15 @@ A suggested value for sites desiring persistent host status is
 (i.e., a subdirectory of the queue directory).
 .ip IgnoreDots
 [i]
-Ignore dots in incoming messages.
-This is always disabled (that is, dots are always accepted)
-when reading SMTP mail.
+Do not treat leading dots in incoming messages in a special way,
+e.g., as end of a message if it is the only character in a line.
+This is always disabled when reading SMTP mail.
 .ip InputMailFilters=\fIname,name,...\fP
 A comma separated list of filters which determines which filters
 (see the "X \*- Mail Filter (Milter) Definitions" section)
 and the invocation sequence are contacted for incoming SMTP messages.
 If none are set, no filters will be contacted.
 .ip LDAPDefaultSpec=\fIspec\fP
-[no short name]
 Sets a default map specification for LDAP maps.
 The value should only contain LDAP specific settings
 such as
@@ -7625,14 +7649,12 @@ The
 .b \-M
 flag is preferred.
 .ip MailboxDatabase
-[no short name]
 Type of lookup to find information about local mailboxes,
 defaults to ``pw'' which uses
 .i getpwnam .
 Other types can be introduced by adding them to the source code,
 see libsm/mbdb.c for details.
 .ip UseMSP
-[no short name]
 Use as mail submission program, i.e.,
 allow group writable queue files
 if the group is the same as that of a set-group-ID sendmail binary.
@@ -7653,10 +7675,8 @@ This also requires that MATCHGECOS
 be turned on during compilation.
 This option is not recommended.
 .ip MaxAliasRecursion=\fIN\fP
-[no short name]
 The maximum depth of alias recursion (default: 10).
 .ip MaxDaemonChildren=\fIN\fP
-[no short name]
 If set,
 .i sendmail
 will refuse connections when it has more than
@@ -7676,7 +7696,6 @@ other than background must be used.
 If not set, there is no limit to the number of children --
 that is, the system load average controls this.
 .ip MaxHeadersLength=\fIN\fP
-[no short name]
 If set to a value greater than zero it specifies
 the maximum length of the sum of all headers.
 This can be used to prevent a denial of service attack.
@@ -7689,7 +7708,6 @@ Messages that have been processed more than
 times are assumed to be in a loop and are rejected.
 Defaults to 25.
 .ip MaxMessageSize=\fIN\fP
-[no short name]
 Specify the maximum message size
 to be advertised in the ESMTP EHLO response.
 Messages larger than this will be rejected.
@@ -7698,7 +7716,6 @@ that value will be listed in the SIZE response,
 otherwise SIZE is advertised in the ESMTP EHLO response
 without a parameter.
 .ip MaxMimeHeaderLength=\fIN[/M]\fP
-[no short name]
 Sets the maximum length of certain MIME header field values to
 .i N
 characters.
@@ -7724,7 +7741,6 @@ for the number of
 commands, see Section
 "Measures against Denial of Service Attacks".
 .ip MaxQueueChildren=\fIN\fP
-[no short name]
 When set, this limits the number of concurrent queue runner processes to
 .i N.
 This helps to control the amount of system resources used when processing
@@ -7748,7 +7764,6 @@ imposed by
 This discrepancy can be large if some queue runners have to wait
 for a slow server and if short intervals are used.
 .ip MaxQueueRunSize=\fIN\fP
-[no short name]
 The maximum number of jobs that will be processed
 in a single queue run.
 If not set, there is no limit on the size.
@@ -7773,14 +7788,12 @@ then only
 .b N
 entries are printed per queue group.
 .ip MaxRecipientsPerMessage=\fIN\fP
-[no short name]
 The maximum number of recipients that will be accepted per message
 in an SMTP transaction.
 Note: setting this too low can interfere with sending mail from
 MUAs that use SMTP for initial submission.
 If not set, there is no limit on the number of recipients per envelope.
 .ip MaxRunnersPerQueue=\fIN\fP
-[no short name]
 This sets the default maximum number of queue runners for queue groups.
 Up to
 .i N
@@ -7799,7 +7812,6 @@ even if I am in an alias expansion.
 This option is deprecated
 and will be removed from a future version.
 .ip Milter
-[no short name]
 This option has several sub(sub)options.
 The names of the suboptions are separated by dots.
 At the first level the following options are available:
@@ -7840,14 +7852,12 @@ gives a 452 response
 to the MAIL command.
 This invites the sender to try again later.
 .ip MaxQueueAge=\fIage\fP
-[no short name]
 If this is set to a value greater than zero,
 entries in the queue will be retried during a queue run
 only if the individual retry time has been reached
 which is doubled for each attempt.
 The maximum retry time is limited by the specified value.
 .ip MinQueueAge=\fIage\fP
-[no short name]
 Don't process any queued jobs
 that have been in the queue less than the indicated time interval.
 This is intended to allow you to get responsiveness
@@ -7859,7 +7869,6 @@ This option is ignored for queue runs that select a subset
 of the queue, i.e.,
 .q \-q[!][I|R|S|Q][string]
 .ip MustQuoteChars=\fIs\fP
-[no short name]
 Sets the list of characters that must be quoted if used in a full name
 that is in the phrase part of a ``phrase <address>'' syntax.
 The default is ``\'.''.
@@ -7871,11 +7880,9 @@ O MustQuoteChars=.
 .)b
 Moreover, relaxed header signing should be used for DKIM signatures.
 .ip NiceQueueRun
-[no short name]
 The priority of queue runners (nice(3)).
 This value must be greater or equal zero.
 .ip NoRecipientAction
-[no short name]
 The action to take when you receive a message that has no valid
 recipient headers (To:, Cc:, Bcc:, or Apparently-To: \(em
 the last included for back compatibility with old
@@ -7933,7 +7940,6 @@ are always operators.
 Note that OperatorChars must be set in the
 configuration file before any rulesets.
 .ip PidFile=\fIfilename\fP
-[no short name]
 Filename of the pid file.
 (default is _PATH_SENDMAILPID).
 The
@@ -8029,7 +8035,6 @@ Authentication Warnings add warnings about various conditions
 that may indicate attempts to spoof the mail system,
 such as using a non-standard queue directory.
 .ip ProcessTitlePrefix=\fIstring\fP
-[no short name]
 Prefix the process title shown on 'ps' listings with
 .i string .
 The
@@ -8092,12 +8097,10 @@ Defaults to 8 multiplied by
 the number of processors online on the system
 (if that can be determined).
 .ip QueueFileMode=\fImode\fP
-[no short name]
 Default permissions for queue files (octal).
 If not set, sendmail uses 0600 unless its real
 and effective uid are different in which case it uses 0644.
 .ip QueueSortOrder=\fIalgorithm\fP
-[no short name]
 Sets the
 .i algorithm
 used for sorting the queue.
@@ -8142,7 +8145,6 @@ Use that form instead of the
 .q QueueTimeout
 form.
 .ip RandFile
-[no short name]
 Name of file containing random data or the name of the UNIX socket
 if EGD is used.
 A (required) prefix "egd:" or "file:" specifies the type.
@@ -8191,7 +8193,6 @@ Notice: it might be necessary to apply the same (or similar) options to
 .i submit.cf
 too.
 .ip RequiresDirfsync
-[no short name]
 This option can be used to override the compile time flag
 .b REQUIRES_DIR_FSYNC
 at runtime by setting it to
@@ -8205,14 +8206,12 @@ it is enabled by default for Linux.
 According to some information this flag is not needed
 anymore for kernel 2.4.16 and newer.
 .ip RrtImpliesDsn
-[no short name]
 If this option is set, a
 .q Return-Receipt-To:
 header causes the request of a DSN, which is sent to
 the envelope sender as required by RFC 1891,
 not to the address given in the header.
 .ip RunAsUser=\fIuser\fP
-[no short name]
 The
 .i user
 parameter may be a user name
@@ -8276,7 +8275,6 @@ Defaults to 12 multiplied by
 the number of processors online on the system
 (if that can be determined).
 .ip RejectLogInterval=\fItimeout\fP
-[no short name]
 Log interval when refusing connections for this long
 (default: 3h).
 .ip RetryFactor=\fIfact\fP
@@ -8292,7 +8290,6 @@ In most environments this should be positive,
 since hosts that are down are all too often down for a long time.
 Defaults to 90000.
 .ip SafeFileEnvironment=\fIdir\fP
-[no short name]
 If this option is set,
 .i sendmail
 will do a
@@ -8332,12 +8329,10 @@ will not return the DSN keyword in response to an EHLO
 and will not do Delivery Status Notification processing as described in
 RFC 1891.
 .ip ServerCertFile
-[no short name]
 File containing the certificate of the server, i.e., this certificate
 is used when sendmail acts as server
 (used for STARTTLS).
 .ip ServerKeyFile
-[no short name]
 File containing the private key belonging to the server certificate
 (used for STARTTLS).
 .ip ServerSSLOptions
@@ -8357,7 +8352,6 @@ Options can be cleared by preceding them with a minus sign.
 It is also possible to specify numerical values, e.g.,
 .b -0x0010 .
 .ip ServiceSwitchFile=\fIfilename\fP
-[no short name]
 If your host operating system has a service switch abstraction
 (e.g., /etc/nsswitch.conf on Solaris
 or /etc/svc.conf on Ultrix and DEC OSF/1)
@@ -8397,7 +8391,6 @@ The default file is
 Strip input to seven bits for compatibility with old systems.
 This shouldn't be necessary.
 .ip SharedMemoryKey
-[no short name]
 Key to use for shared memory segment;
 if not set (or 0), shared memory will not be used.
 If set to
@@ -8417,7 +8410,6 @@ This allows for more efficient program execution, since only
 one process needs to update the data instead of each individual
 process gathering the data each time it is required.
 .ip SharedMemoryKeyFile
-[no short name]
 If
 .b SharedMemoryKey
 is set to
@@ -8425,13 +8417,11 @@ is set to
 then the automatically selected shared memory key will be stored
 in the specified file.
 .ip SingleLineFromHeader
-[no short name]
 If set, From: lines that have embedded newlines are unwrapped
 onto one line.
 This is to get around a botch in Lotus Notes
 that apparently cannot understand legally wrapped RFC 822 headers.
 .ip SingleThreadDelivery
-[no short name]
 If set, a client machine will never try to open two SMTP connections
 to a single server machine at the same time,
 even in different processes.
@@ -8532,7 +8522,6 @@ PostMilter is useful only when
 is running as an SMTP server; in all other situations it
 acts the same as True.
 .ip TLSFallbacktoClear
-[no short name]
 If set,
 .i sendmail
 immediately tries an outbound connection again without STARTTLS
@@ -8548,7 +8537,6 @@ Hence such requirements will cause an error on a retry without STARTTLS.
 Therefore they should only trigger a temporary failure so the connection
 is later on tried again.
 .ip TLSSrvOptions
-[no short name]
 List of options for SMTP STARTTLS for the server
 consisting of single characters
 with intervening white space or commas.
@@ -8587,7 +8575,6 @@ the TZ environment variable is cleared (so the system default is used);
 if set but null, the user's TZ variable is used,
 and if set and non-null the TZ variable is set to this value.
 .ip TrustedUser=\fIuser\fP
-[no short name]
 The
 .i user
 parameter may be a user name
@@ -8633,7 +8620,6 @@ Defaults to
 Don't change this unless your system uses a different UNIX mailbox format
 (very unlikely).
 .ip UnsafeGroupWrites
-[no short name]
 If set (default),
 :include: and .forward files that are group writable are considered
 .q unsafe ,
@@ -8645,7 +8631,6 @@ Note: use
 .b DontBlameSendmail
 instead; this option is deprecated.
 .ip UseCompressedIPv6Addresses
-[no short name]
 If set, the compressed format of IPv6 addresses,
 such as IPV6:::1, will be used,
 instead of the uncompressed format,
@@ -8699,7 +8684,6 @@ SMTP command with a suitable
 .b PrivacyOptions
 setting.
 .ip XscriptFileBufferSize=\fIthreshold\fP
-[no short name]
 Set the
 .i threshold ,
 in bytes,
@@ -9004,7 +8988,7 @@ For example, the rule
 .ta 1.5i
 R$\- ! $+	$: $(uucp $1 $@ $2 $: $2 @ $1 . UUCP $)
 .)b
-Looks up the UUCP name in a (user defined) UUCP map;
+looks up the UUCP name in a (user defined) UUCP map;
 if not found it turns it into
 .q \&.UUCP
 form.
@@ -10226,7 +10210,7 @@ the new version of the DBM library
 that allows multiple databases will be used.
 If neither CDB, NDBM, nor NEWDB are set,
 a much less efficient method of alias lookup is used.
-.ip CWDB
+.ip CDB
 If set, use the cdb (tinycdb) package.
 .ip NEWDB
 If set, use the new database package from Berkeley (from 4.4BSD).
@@ -11251,12 +11235,30 @@ as well as
 {auth_authen} and {auth_author}.
 .sh 2 "DANE"
 .pp
-Initial support for DANE (see RFC 7672 et.al.)
+Support for DANE (see RFC 7672 et.al.)
 is available if
 .i sendmail
 is compiled with the option
 .b DANE .
-Only TLSA RR 3-1-x (DANE-EE) is currently implemented.
+If OpenSSL 1.1.1 or at least 3.0.0 are used,
+then full DANE support for DANE-EE and DANE-TA
+(as required by RFC 7672)
+is available via the functions
+provided by those OpenSSL versions
+(run
+.(b
+sendmail -bt -d0.3 < /dev/null
+.)b
+and check that HAVE_SSL_CTX_dane_enable is in the output),
+otherwise support for TLSA RR 3-1-x
+is implemented directly in 
+.i sendmail .
+Note: if OpenSSL functions related to DANE cause a failure,
+then the macro
+.b ${verify}
+is set to
+.b DANE_TEMP .
+This also applies if TLS cannot be initialized at all.
 The option
 .(b
 O DANE=true
@@ -11270,8 +11272,10 @@ to
 .(b
 O ResolverOptions
 .)b
-This requires a (preferrably local)
-validating DNS resolver which supports those options.
+This requires a DNSSEC-validating recursive resolver
+which supports those options.
+The resolver must be reachable via a trusted connection,
+hence it is best to run it locally.
 
 If the client finds a usable TLSA RR and the check
 succeeds the macro
@@ -11281,9 +11285,8 @@ is set to
 All non-DNS maps are considered
 .i secure
 just like DNS lookups with DNSSEC.
-Be aware that the implementation might not handle all
-error conditions as required by the RFCs.
-Moreover, TLSA RRs are not looked up for some features,
+Be aware that
+TLSA RRs are not looked up for some features,
 e.g.,
 .i FallBackSmartHost .
 .sh 2 "EAI"
@@ -11943,6 +11946,8 @@ and
 .ip Z
 The original envelope id (from the ESMTP transaction).
 For Deliver Status Notifications only.
+.ip !
+Information for Deliver-By SMTP extension.
 .pp
 As an example,
 the following is a queue file sent to

editmap/editmap.0

@@ -1,4 +1,4 @@
-EDITMAP(8)                  System Manager's Manual                 EDITMAP(8)
+EDITMAP(8)                                                          EDITMAP(8)
 
 
 
@@ -19,38 +19,38 @@ DDEESSCCRRIIPPTTIIOONN
 
        dbm    DBM format maps.  This requires the ndbm(3) library.
 
-       btree  B-Tree format maps.  This requires the new Berkeley DB library.
+       btree  B-Tree  format maps.  This requires the new Berkeley DB library.
 
        hash   Hash format maps.  This also requires the Berkeley DB library.
 
-       cdb    CDB  (Constant DataBase) format maps.  This requires the tinycdb
+       cdb    CDB (Constant DataBase) format maps.  This requires the  tinycdb
               library.
 
        If the _T_r_u_s_t_e_d_U_s_e_r option is set in the sendmail configuration file and
-       eeddiittmmaapp  is  invoked  as root, the generated files will be owned by the
+       eeddiittmmaapp is invoked as root, the generated files will be  owned  by  the
        specified _T_r_u_s_t_e_d_U_s_e_r_.
 
    FFllaaggss
        --CC     Use the specified sseennddmmaaiill configuration file for looking up the
               TrustedUser option.
 
-       --NN     Include  the  null  byte that terminates strings in the map (for
+       --NN     Include the null byte that terminates strings in  the  map  (for
               alias maps).
 
-       --ff     Normally all upper case letters in the key are folded  to  lower
-              case.   This  flag disables that behaviour.  This is intended to
-              mesh with the -f flag in the KK line in sendmail.cf.   The  value
+       --ff     Normally  all  upper case letters in the key are folded to lower
+              case.  This flag disables that behaviour.  This is  intended  to
+              mesh  with  the -f flag in the KK line in sendmail.cf.  The value
               is never case folded.
 
-       --qq     Query  the  map for the specified key.  If found, print value to
-              standard output and exit with 0.  If not found then print an er-
-              ror message to stdout and exit with EX_UNAVAILABLE.
+       --qq     Query the map for the specified key.  If found, print  value  to
+              standard  output  and  exit  with 0.  If not found then print an
+              error message to stdout and exit with EX_UNAVAILABLE.
 
-       --uu     Update  the record for _k_e_y with _v_a_l_u_e or inserts a new record if
+       --uu     Update the record for _k_e_y with _v_a_l_u_e or inserts a new record  if
               one doesn't exist.  Exits with 0 on success or EX_IOERR on fail-
               ure.
 
-       --xx     Deletes  the specific key from the map.  Exits with 0 on success
+       --xx     Deletes the specific key from the map.  Exits with 0 on  success
               or EX_IOERR on failure.
 
 

include/libsmdb/smdb.h

@@ -117,7 +117,7 @@ typedef int (*db_get_func) __P((SMDB_DATABASE *db,
 **		key -- The key to use.
 **		data -- The data to store.
 **		flags -- put options:
-**			SMDBF_NO_OVERWRITE - Return an error if key alread
+**			SMDBF_NO_OVERWRITE - Return an error if key already
 **					     exists.
 **
 **	Returns:

include/sendmail/sendmail.h

@@ -118,6 +118,7 @@ extern bool	filechanged __P((char *, int, struct stat *));
 #define DBS_WORLDWRITABLEINCLUDEFILE			40
 #define DBS_GROUPREADABLEKEYFILE			41
 #define DBS_GROUPREADABLEAUTHINFOFILE			42
+#define DBS_CERTOWNER					43
 
 /* struct defining such things */
 struct dbsval

include/sm/conf.h

@@ -473,8 +473,8 @@ typedef int		pid_t;
 #   ifndef HASGETUSERSHELL
 #    define HASGETUSERSHELL 0	/* getusershell(3) causes core dumps pre-2.7 */
 #   endif
-#   if SOLARIS < 21200
-#    define SIGWAIT_TAKES_1_ARG	1	/* S12 moves to UNIX V7 semantic */
+#   if SOLARIS < 21140
+#    define SIGWAIT_TAKES_1_ARG	1	/* S11.4 moves to UNIX V7 semantic */
 #   endif
 
 #  else /* SOLARIS */
@@ -1575,9 +1575,11 @@ extern void		*malloc();
 #  if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,0,36)) && !defined(HASFCHMOD)
 #    define HASFCHMOD	1	/* fchmod(2) */
 #  endif
+#  if (__GLIBC__ >= 2 && __GLIBC_MINOR__ >= 19) && !defined(HAS_GETHOSTBYNAME2)
+#   define HAS_GETHOSTBYNAME2 1
+#  endif
 # endif /* __linux__ */
 
-
 /*
 **  DELL SVR4 Issue 2.2, and others
 **	From Kimmo Suominen <kim@grendel.lut.fi>

include/sm/fdset.h

@@ -17,6 +17,7 @@
 **	before.
 */
 
+#define SM_FD_CLR(fd, pfdset)	FD_CLR(fd, pfdset)
 #define SM_FD_SET(fd, pfdset)	FD_SET(fd, pfdset)
 #define SM_FD_ISSET(fd, pfdset)	FD_ISSET(fd, pfdset)
 #define SM_FD_SETSIZE		FD_SETSIZE

include/sm/gen.h

@@ -89,4 +89,8 @@ typedef unsigned int SM_ATOMIC_UINT_T;
 # define _FFR_8BITENVADDR 1
 #endif
 
+#if _FFR_HAPROXY && !defined(_FFR_XCNCT)
+# define _FFR_XCNCT 1
+#endif
+
 #endif /* SM_GEN_H */

include/sm/ixlen.h

@@ -27,6 +27,7 @@ extern int xleni __P((const char *));
 
 # if USE_EAI
 extern bool	asciistr __P((const char *));
+extern bool	asciinstr __P((const char *, size_t));
 extern int	uxtext_unquote __P((const char *, char *, int));
 extern char	*sm_lowercase  __P((const char *));
 extern bool	utf8_valid  __P((const char *, size_t));

include/sm/notify.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 2021 Proofpoint, Inc. and its suppliers.
  *      All rights reserved.
  *
  * By using this file, you agree to the terms and conditions set
@@ -10,13 +10,10 @@
 #ifndef SM_NOTIFY_H
 #define SM_NOTIFY_H
 
-/* microseconds */
-#define SM_MICROS 1000000L
-
 int sm_notify_init __P((int));
 int sm_notify_start __P((bool, int));
 int sm_notify_stop __P((bool, int));
 int sm_notify_rcv __P((char *, size_t, long));
 int sm_notify_snd __P((char *, size_t));
 
-#endif /* ! SM_MSG_H */
+#endif /* ! SM_NOTIFY_H */

include/sm/os/sm_os_openbsd.h

@@ -18,20 +18,6 @@
 
 #define SM_OS_NAME	"openbsd"
 
-/* 
-**  Temporary HACK for newer icu4c versions which include stdbool.h:
-**  pretend that it is already included
-**  otherwise compilation will break because bool is then
-**  redefined between the prototype declaration and
-**  the function definition, e.g.,
-**	lowercase.c: error: conflicting types for 'asciistr'
-**	../../include/sm/ixlen.h:29:13: note: previous declaration is here
-*/
-
-#if USE_EAI && !SM_CONF_STDBOOL_H
-# define _STDBOOL_H_	1
-#endif
-
 #define SM_CONF_SYS_CDEFS_H	1
 #ifndef SM_CONF_SHM
 # define SM_CONF_SHM	1

include/sm/rpool.h

@@ -163,6 +163,8 @@ extern void *
 sm_rpool_malloc __P((
 	SM_RPOOL_T *_rpool,
 	size_t _size));
+#  define sm_rpool_malloc_tagged(rpool, size, file, line, group)	sm_rpool_malloc(rpool, size)
+#  define sm_rpool_malloc_tagged_x(rpool, size, file, line, group)	sm_rpool_malloc_x(rpool, size)
 # endif /* SM_HEAP_CHECK */
 
 #if DO_NOT_USE_STRCPY

libmilter/README

@@ -15,6 +15,7 @@ the milter API.
 Note: if you want to write a milter in Java, then see
 http://sendmail-jilter.sourceforge.net/
 
+
 +----------------+
 | SECURITY HINTS |
 +----------------+
@@ -26,6 +27,7 @@ if really necessary.  A milter should probably check first whether
 it runs as root and refuse to start in that case.  libmilter will
 not unlink a socket when running as root.
 
+
 +----------------------+
 | CONFIGURATION MACROS |
 +----------------------+
@@ -36,6 +38,7 @@ features of the C compiler and standard C libraries.
 SM_CONF_POLL
 	Set to 1 if poll(2) should be used instead of select(2).
 
+
 +-------------------+
 | BUILDING A FILTER |
 +-------------------+

libmilter/docs/overview.html

@@ -60,7 +60,7 @@ returns to <CODE>MESSAGE</CODE>.
 For each of N connections
 {
 	For each filter
-		egotiate MTA/milter capabilities/requirements (<A HREF="xxfi_negotiate.html">xxfi_negotiate</A>)
+		negotiate MTA/milter capabilities/requirements (<A HREF="xxfi_negotiate.html">xxfi_negotiate</A>)
 	For each filter
 		process connection (<A HREF="xxfi_connect.html">xxfi_connect</A>)
 	For each filter

libmilter/docs/smfi_getsymval.html

@@ -76,13 +76,18 @@ By default, the following macros are valid in the given contexts:
 <TR><TD>xxfi_eom</TD>    <TD>msg_id</TD></TR>
 </TABLE>
 <P>
-All macros stay in effect from the point they are received
-until the end of the connection for the first two sets,
-the end of the message for the third (xxfi_envfrom) and last (xxfi_eom),
-and just for each recipient for xxfi_envrcpt.
+All macros stay in effect from the point they are received until
+<UL>
+<LI>the end of the connection for the first two sets,
+<LI>just for each recipient for xxfi_envrcpt.
+<LI>and the end of the message for the rest.
+</UL>
 <P>
-The macro list can be changed using the confMILTER_MACROS_* options in
-sendmail.mc.
+The macro list can be changed using
+the confMILTER_MACROS_* options in sendmail.mc
+or via the
+<A HREF="smfi_setsymlist.html">smfi_setsymlist</A>
+function.
 The scopes of such macros will be determined by when they are set by sendmail.
 For descriptions of macros' values,
 please see the

libmilter/docs/smfi_replacebody.html

@@ -45,7 +45,7 @@ body.
 	<TD>Opaque context structure.
 	</TD></TR>
     <TR valign="top"><TD>bodyp</TD>
-	<TD>A pointer to the start of the new body data, which does not have to be null-terminated.  If bodyp is NULL, it is treated as having length == 0.  Body data should be in CR/LF form.
+	<TD>A pointer to the start of the new body data, which does not have to be null-terminated.  If bodyp is NULL, it is treated as having length == 0.  Body data should be in CRLF form.
 	</TD></TR>
     <TR valign="top"><TD>bodylen</TD>
 	<TD>The number of data bytes pointed to by bodyp.

libmilter/docs/xxfi_body.html

@@ -64,7 +64,7 @@ Hence even if a trailing '\0' is added, C string functions may still fail
 to work as expected.
 <LI>Since message bodies can be very large, defining xxfi_body can
 significantly impact filter performance.
-<LI>End-of-lines are represented as received from SMTP (normally CR/LF).
+<LI>End-of-lines are represented as received from SMTP (normally CRLF).
 <LI>Later filters will see body changes made by earlier ones.
 <LI>Message bodies may be sent in multiple chunks, with one call to
     xxfi_body per chunk.

libmilter/docs/xxfi_header.html

@@ -48,8 +48,8 @@ Handle a message header.
 	<TD>Header field value.
 	The content of the header may include folded white space,
 	i.e., multiple lines with following white space
-	where lines are separated by LF (not CR/LF).
-	The trailing line terminator (CR/LF) is removed.
+	where lines are separated by LF (not CRLF).
+	The trailing line terminator (CRLF) is removed.
 	</TD></TR>
     </TABLE>
 </TD></TR>

libmilter/engine.c

@@ -60,32 +60,32 @@ typedef struct cmdfct_t cmdfct;
 #define	CI_MAIL		2
 #define CI_RCPT		3
 #define CI_DATA		4
-#define CI_EOM		5
-#define CI_EOH		6
-#define CI_LAST		CI_EOH
+#define CI_EOH		5
+#define CI_EOM		6
+#define CI_LAST		CI_EOM
 #if CI_LAST < CI_DATA
-# ERROR "do not compile with CI_LAST < CI_DATA"
+# error "do not compile with CI_LAST < CI_DATA"
 #endif
 #if CI_LAST < CI_EOM
-# ERROR "do not compile with CI_LAST < CI_EOM"
+# error "do not compile with CI_LAST < CI_EOM"
 #endif
 #if CI_LAST < CI_EOH
-# ERROR "do not compile with CI_LAST < CI_EOH"
+# error "do not compile with CI_LAST < CI_EOH"
 #endif
 #if CI_LAST < CI_RCPT
-# ERROR "do not compile with CI_LAST < CI_RCPT"
+# error "do not compile with CI_LAST < CI_RCPT"
 #endif
 #if CI_LAST < CI_MAIL
-# ERROR "do not compile with CI_LAST < CI_MAIL"
+# error "do not compile with CI_LAST < CI_MAIL"
 #endif
 #if CI_LAST < CI_HELO
-# ERROR "do not compile with CI_LAST < CI_HELO"
+# error "do not compile with CI_LAST < CI_HELO"
 #endif
 #if CI_LAST < CI_CONN
-# ERROR "do not compile with CI_LAST < CI_CONN"
+# error "do not compile with CI_LAST < CI_CONN"
 #endif
 #if CI_LAST >= MAX_MACROS_ENTRIES
-# ERROR "do not compile with CI_LAST >= MAX_MACROS_ENTRIES"
+# error "do not compile with CI_LAST >= MAX_MACROS_ENTRIES"
 #endif
 
 /* function prototypes */
@@ -111,7 +111,7 @@ static int	dec_arg2 __P((char *, size_t, char **, char **));
 static void	mi_clr_symlist __P((SMFICTX_PTR));
 
 #if _FFR_WORKERS_POOL
-static bool     mi_rd_socket_ready __P((int));
+static bool	mi_rd_socket_ready __P((int));
 #endif
 
 /* states */

libsm/Makefile.m4

@@ -45,7 +45,6 @@ dnl ? smcheck(`t-isprint', `compile-run')
 smcheck(`t-ixlen', `compile')
 smcheck(`t-ixlen.sh', `run')
 smcheck(`t-streq', `compile')
-smcheck(`t-utf8_valid', `compile')
 smcheck(`t-streq.sh', `run')
 divert(bldTARGETS_SECTION)
 divert(0)

libsm/README

@@ -34,6 +34,7 @@ The programs are:
 
 b-strcmp.c	tests strcasecmp().
 
+
 +----------------------+
 | CONFIGURATION MACROS |
 +----------------------+
@@ -106,9 +107,6 @@ SM_CONF_SEM
 SM_CONF_BROKEN_STRTOD
 	Set to 1 if your strtod() does not work properly.
 
-SM_CONF_GETOPT
-	Set to 1 if your operating system does not include getopt(3).
-
 SM_CONF_LDAP_INITIALIZE
 	Set to 1 if your LDAP client libraries include ldap_initialize(3).
 

libsm/b-strl.c

@@ -101,7 +101,7 @@ main(argc, argv)
 	**  the copy.
 	*/
 	(void) strlcpy(source,
-		" This is the longer string that will be used for catenation and copying for the the performace testing. The longer the string being catenated or copied the greater the difference in measureable performance\n",
+		" This is the longer string that will be used for catenation and copying for the the performance testing. The longer the string being catenated or copied the greater the difference in measureable performance\n",
 		SRC_SIZE - 1);
 
 	/* Run-time comments to the user */

libsm/exc.html

@@ -350,7 +350,7 @@ of type SM_EXC_TYPE_T, which has the following members:
 	<dt><tt>"E"</tt>
 	<dd>The function could not complete its task because an error occurred.
 	    (It might be useful to define subclasses of this category,
-	    in which case our taxonony becomes a tree, and 'F' becomes
+	    in which case our taxonomy becomes a tree, and 'F' becomes
 	    a subclass of 'E'.)
 
 	<dt><tt>"J"</tt>

libsm/heap.c

@@ -242,7 +242,7 @@ size_t SmHeapMaxTotal = 0;
 */
 
 SM_DEBUG_T SmHeapLimit = SM_DEBUG_INITIALIZER("sm_heap_limit",
-    "@(#)$Debug: sm_heap_limit - max # of bytes permitted in heap $");
+	"@(#)$Debug: sm_heap_limit - max # of bytes permitted in heap $");
 
 /*
 **  This is the data structure that keeps track of all currently

libsm/io.html

@@ -481,7 +481,7 @@ close file descriptors 0, 1 and 2).
 Thus <tt>sm_io_open()</tt> should
 never be called: the named file pointers should be used directly.
 Calls to <b>stdio</b> are safe to make when using these three<b>sm_io</b>
-file pointers though no code is shared between the two libaries.
+file pointers though no code is shared between the two libraries.
 However, the input and output between <i>sm_io</i> and <i>stdio</i> is
 coordinated for these three file pointers: <i>smiostdin</i>,
 <i>smiostdout</i> and <i>smiostderr</i> are layered on-top-of
@@ -574,10 +574,12 @@ SM_FILE_T. The file pointer content (internal structure members) of an active
 file should only be set and observed with the "info" functions.
 The two exceptions to the above statement are the structure members
 <i>cookie</i> and <i>ival</i>. <i>Cookie</i> is of type <tt>void *</tt>
-while <i>ival</i> is of type <tt>int</tt>. These two structure members exist
-specificly for your created file type to use. The <i>sm_io</i> functions
-will not change or set these two structure members; only specific file type
-will change or set these variables.
+while <i>ival</i> is of type <tt>int</tt>.
+These two structure members exist specifically
+for your created file type to use.
+The <i>sm_io</i> functions
+will not change or set these two structure members;
+only specific file type will change or set these variables.
 </p>
 <p>
 For maintaining information privately about status for a file type the
@@ -598,7 +600,7 @@ For the <i>cookie</i> to be passed to all members of a function type
 cleanly the location of the cookie must assigned during
 the call to open. The file type functions should not attempt to
 maintain the <i>cookie</i> internally since the file type may have
-serveral instances (file pointers).
+several instances (file pointers).
 </p>
 <p>
 The SM_FILE_T's member <i>ival</i> may be used in a manner similar to

libsm/ldap.c

@@ -36,6 +36,8 @@ SM_DEBUG_T SmLDAPTrace = SM_DEBUG_INITIALIZER("sm_trace_ldap",
 static bool	sm_ldap_has_objectclass __P((SM_LDAP_STRUCT *, LDAPMessage *, char *));
 static SM_LDAP_RECURSE_ENTRY *sm_ldap_add_recurse __P((SM_LDAP_RECURSE_LIST **, char *, int, SM_RPOOL_T *));
 
+static char *sm_ldap_geterror __P((LDAP *));
+
 /*
 **  SM_LDAP_CLEAR -- set default values for SM_LDAP_STRUCT
 **
@@ -49,10 +51,10 @@ static SM_LDAP_RECURSE_ENTRY *sm_ldap_add_recurse __P((SM_LDAP_RECURSE_LIST **,
 
 # if _FFR_LDAP_VERSION
 #  if defined(LDAP_VERSION_MAX) && _FFR_LDAP_VERSION > LDAP_VERSION_MAX
-#   ERROR "_FFR_LDAP_VERSION > LDAP_VERSION_MAX"
+#   error "_FFR_LDAP_VERSION > LDAP_VERSION_MAX"
 #  endif
 #  if defined(LDAP_VERSION_MIN) && _FFR_LDAP_VERSION < LDAP_VERSION_MIN
-#   ERROR "_FFR_LDAP_VERSION < LDAP_VERSION_MAX"
+#   error "_FFR_LDAP_VERSION < LDAP_VERSION_MAX"
 #  endif
 #  define SM_LDAP_VERSION_DEFAULT	_FFR_LDAP_VERSION
 # else /* _FFR_LDAP_VERSION */
@@ -79,6 +81,9 @@ sm_ldap_clear(lmap)
 	lmap->ldap_options = 0;
 # endif
 	lmap->ldap_attrsep = '\0';
+# if LDAP_NETWORK_TIMEOUT
+	lmap->ldap_networktmo = 0;
+# endif
 	lmap->ldap_binddn = NULL;
 	lmap->ldap_secret = NULL;
 	lmap->ldap_method = LDAP_AUTH_SIMPLE;
@@ -229,6 +234,23 @@ sm_ldap_setopts(ld, lmap)
 #  ifdef LDAP_OPT_RESTART
 	ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
 #  endif
+#  if _FFR_TESTS
+	if (sm_debug_active(&SmLDAPTrace, 101))
+	{
+		char *cert;
+		char buf[PATH_MAX];
+
+		cert = getcwd(buf, sizeof(buf));
+		if (NULL != cert)
+		{
+			int r;
+
+			(void) sm_strlcat(buf, "/ldaps.pem", sizeof(buf));
+			r = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, cert);
+			sm_dprintf("LDAP_OPT_X_TLS_CACERTFILE(%s)=%d\n", cert, r);
+		}
+	}
+#  endif /* _FFR_TESTS */
 
 # else /* USE_LDAP_SET_OPTION */
 	/* From here on in we can use ldap internal timelimits */
@@ -305,6 +327,7 @@ sm_ldap_start(name, lmap)
 {
 	int save_errno = 0;
 	char *id;
+	char *errmsg;
 # if !USE_LDAP_INIT || !LDAP_NETWORK_TIMEOUT
 	SM_EVENT *ev = NULL;
 # endif
@@ -312,6 +335,7 @@ sm_ldap_start(name, lmap)
 	struct timeval tmo;
 	int msgid, err, r;
 
+	errmsg = NULL;
 	if (sm_debug_active(&SmLDAPTrace, 2))
 		sm_dprintf("ldapmap_start(%s)\n", name == NULL ? "" : name);
 
@@ -439,37 +463,66 @@ sm_ldap_start(name, lmap)
 			lmap->ldap_method);
 	save_errno = errno;
 	if (sm_debug_active(&SmLDAPTrace, 9))
-		sm_dprintf("ldap_bind(%s)=%d, errno=%d, tmo=%ld\n",
+	{
+		errmsg = sm_ldap_geterror(ld);
+		sm_dprintf("ldap_bind(%s)=%d, errno=%d, ldaperr=%d, ld_error=%s, tmo=%lld\n",
 			lmap->ldap_uri, msgid, save_errno,
-			(long) tmo.tv_sec);
+			sm_ldap_geterrno(ld), errmsg, (long long) tmo.tv_sec);
+		if (NULL != errmsg)
+		{
+			ldap_memfree(errmsg);
+			errmsg = NULL;
+		}
+	}
 	if (-1 == msgid)
 	{
 		r = -1;
+		err = sm_ldap_geterrno(ld);
+		if (LDAP_SUCCESS != err)
+			save_errno = err + E_LDAPBASE;
 		goto fail;
 	}
 
 	errno = 0;
 	r = ldap_result(ld, msgid, LDAP_MSG_ALL,
 			tmo.tv_sec == 0 ? NULL : &(tmo), &(lmap->ldap_res));
+	save_errno = errno;
 	if (sm_debug_active(&SmLDAPTrace, 9))
-		sm_dprintf("ldap_result(%s)=%d, errno=%d\n", lmap->ldap_uri, r, errno);
+	{
+		errmsg = sm_ldap_geterror(ld);
+		sm_dprintf("ldap_result(%s)=%d, errno=%d, ldaperr=%d, ld_error=%s\n",
+			lmap->ldap_uri, r, errno,
+			sm_ldap_geterrno(ld), errmsg);
+		if (NULL != errmsg)
+		{
+			ldap_memfree(errmsg);
+			errmsg = NULL;
+		}
+	}
 	if (-1 == r)
+	{
+		err = sm_ldap_geterrno(ld);
+		if (LDAP_SUCCESS != err)
+			save_errno = err + E_LDAPBASE;
 		goto fail;
+	}
 	if (0 == r)
 	{
 		save_errno = ETIMEDOUT;
 		r = -1;
 		goto fail;
 	}
-	r = ldap_parse_result(ld, lmap->ldap_res, &err, NULL, NULL, NULL, NULL,
-				1);
+	r = ldap_parse_result(ld, lmap->ldap_res, &err, NULL, &errmsg, NULL,
+				NULL, 1);
+	save_errno = errno;
 	if (sm_debug_active(&SmLDAPTrace, 9))
-		sm_dprintf("ldap_parse_result(%s)=%d, err=%d\n", lmap->ldap_uri, r, err);
+		sm_dprintf("ldap_parse_result(%s)=%d, err=%d, errmsg=%s\n",
+				lmap->ldap_uri, r, err, errmsg);
 	if (r != LDAP_SUCCESS)
 		goto fail;
 	if (err != LDAP_SUCCESS)
 	{
-		r = -1;
+		r = err;
 		goto fail;
 	}
 
@@ -487,12 +540,22 @@ sm_ldap_start(name, lmap)
 			errno = save_errno;
 		else
 			errno = r + E_LDAPBASE;
+		if (NULL != errmsg)
+		{
+			ldap_memfree(errmsg);
+			errmsg = NULL;
+		}
 		return false;
 	}
 
 	/* Save PID to make sure only this PID closes the LDAP connection */
 	lmap->ldap_pid = getpid();
 	lmap->ldap_ld = ld;
+	if (NULL != errmsg)
+	{
+		ldap_memfree(errmsg);
+		errmsg = NULL;
+	}
 	return true;
 }
 
@@ -536,7 +599,7 @@ sm_ldap_search_m(lmap, argv)
 		if (lmap->ldap_multi_args)
 		{
 # if SM_LDAP_ARGS < 10
-#  ERROR _SM_LDAP_ARGS must be 10
+#  error _SM_LDAP_ARGS must be 10
 # endif
 			if (q[1] == 's')
 				key = argv[0];
@@ -1559,7 +1622,6 @@ sm_ldap_results(lmap, msgid, flags, delim, rpool, result,
 **
 **	Returns:
 **		None.
-**
 */
 
 void
@@ -1574,6 +1636,7 @@ sm_ldap_close(lmap)
 	lmap->ldap_ld = NULL;
 	lmap->ldap_pid = 0;
 }
+
 /*
 **  SM_LDAP_GETERRNO -- get ldap errno value
 **
@@ -1582,7 +1645,6 @@ sm_ldap_close(lmap)
 **
 **	Returns:
 **		LDAP errno.
-**
 */
 
 int
@@ -1614,4 +1676,28 @@ sm_ldap_geterrno(ld)
 # endif /* defined(LDAP_VERSION_MAX) && LDAP_VERSION_MAX >= 3 */
 	return err;
 }
+
+/*
+**  SM_LDAP_GETERROR -- get ldap error value
+**
+**	Parameters:
+**		ld -- LDAP session handle
+**
+**	Returns:
+**		LDAP error
+*/
+
+static char *
+sm_ldap_geterror(ld)
+	LDAP *ld;
+{
+	char *error = NULL;
+
+# if defined(LDAP_OPT_DIAGNOSTIC_MESSAGE)
+	(void) ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &error);
+# endif
+	return error;
+}
+
+
 #endif /* LDAPMAP */

libsm/lowercase.c

@@ -15,10 +15,11 @@
 #include <sm/string.h>
 #include <sm/heap.h>
 #if USE_EAI
-# include <sm/ixlen.h>
+# include <sm/limits.h>
 # include <unicode/ucasemap.h>
 # include <unicode/ustring.h>
 # include <unicode/uchar.h>
+# include <sm/ixlen.h>
 
 /*
 **  ASCIISTR -- check whether a string is printable ASCII
@@ -42,6 +43,38 @@ asciistr(str)
 		str++;
 	return ch == '\0';
 }
+
+/*
+**  ASCIINSTR -- check whether a string is printable ASCII up to len
+**
+**	Parameters:
+**		str -- string
+**		len -- length to check
+**
+**	Returns:
+**		TRUE iff printable ASCII
+*/
+
+bool
+asciinstr(str, len)
+	const char *str;
+	size_t len;
+{
+	unsigned char ch;
+	int n;
+
+	if (str == NULL)
+		return true;
+	SM_REQUIRE(len < INT_MAX);
+	n = 0;
+	while (n < len && (ch = (unsigned char)*str) != '\0'
+	       && ch >= 32 && ch < 127)
+	{
+		n++;
+		str++;
+	}
+	return n == len || ch == '\0';
+}
 #endif /* USE_EAI */
 
 /*

libsm/mpeix.c

@@ -314,7 +314,7 @@ sendmail_mpe_getpwnam(name)
 /*
 **  SENDMAIL_MPE_GETPWUID -- shadow function for getpwuid()
 **
-**	Initializes the uninitalized fields in the passwd struct.
+**	Initializes the uninitialized fields in the passwd struct.
 **
 **	Parameters:
 **		uid -- uid to obtain passwd data for

libsm/notify.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 2020 Proofpoint, Inc. and its suppliers.
  *	All rights reserved.
  *
  * By using this file, you agree to the terms and conditions set
@@ -10,11 +10,12 @@
 
 #include <sm/gen.h>
 
-#if _FFR_DMTRIGGER
+#if _FFR_DMTRIGGER && _FFR_NOTIFY < 2
 #include <sm/conf.h>	/* FDSET_CAST */
 #include <sm/fdset.h>
 #include <sm/assert.h>
 #include <sm/notify.h>
+#include "notify.h"
 #include <sm/time.h>
 #include <sm/string.h>
 
@@ -28,12 +29,6 @@
 #include <fcntl.h>
 #include <string.h>	/* for memset() */
 
-#if SM_NOTIFY_DEBUG
-#define SM_DBG(p)	fprintf p
-#else
-#define SM_DBG(p)	
-#endif
-
 static int	Notifypipe[2];
 #define NotifyRDpipe Notifypipe[0]
 #define NotifyWRpipe Notifypipe[1]
@@ -129,9 +124,6 @@ sm_notify_stop(owner, flags)
 **		<0: -errno
 */
 
-#define MAX_NETSTR 1024
-#define NETSTRPRE 5
-
 int
 sm_notify_snd(buf, buflen)
 	char *buf;
@@ -152,7 +144,7 @@ sm_notify_snd(buf, buflen)
 	len = sm_snprintf(netstr, sizeof(netstr), "%04d:%s,", (int)buflen, buf);
 	r = write(NotifyWRpipe, netstr, len);
 	save_errno = errno;
-	SM_DBG((stderr, "write=%d, fd=%d, e=%d\n", r, NotifyWRpipe, save_errno));
+	SM_DBG((stderr, "pid=%ld, write=%d, fd=%d, e=%d\n", (long)getpid(), r, NotifyWRpipe, save_errno));
 	return r >= 0 ? 0 : -save_errno;
 }
 
@@ -165,7 +157,8 @@ sm_notify_snd(buf, buflen)
 **		tmo -- timeout (micro seconds)
 **
 **	Returns:
-**		0: success
+**		0: EOF (XXX need to provide info about client)
+**		>0: length of received data
 **		<0: -errno
 */
 
@@ -186,55 +179,14 @@ sm_notify_rcv(buf, buflen, tmo)
 		return -EINVAL;
 	FD_ZERO(&readfds);
 	SM_FD_SET(NotifyRDpipe, &readfds);
-	if (tmo < 0)
-		tval = NULL;
-	else
-	{
-		timeout.tv_sec = (long) (tmo / SM_MICROS);
-		timeout.tv_usec = tmo % SM_MICROS;
-		tval = &timeout;
-	}
+	SM_MICROS2TVAL(tmo, tval, timeout);
 
 	do {
 		r = select(NotifyRDpipe + 1, FDSET_CAST &readfds, NULL, NULL, tval);
 		save_errno = errno;
-		SM_DBG((stderr, "select=%d, fd=%d, e=%d\n", r, NotifyRDpipe, save_errno));
+		SM_DBG((stderr, "pid=%ld, select=%d, fd=%d, e=%d\n", (long)getpid(), r, NotifyRDpipe, save_errno));
 	} while (r < 0 && save_errno == EINTR);
 
-	if (r <= 0)
-	{
-		SM_DBG((stderr, "select=%d, e=%d\n", r, save_errno));
-		return -ETIMEDOUT;
-	}
-
-	/* bogus... need to check again? */
-	if (!FD_ISSET(NotifyRDpipe, &readfds))
-		return -ETIMEDOUT;
-
-	r = read(NotifyRDpipe, buf, NETSTRPRE);
-	if (NETSTRPRE != r)
-		return -1;	/* ??? */
-
-	if (sm_io_sscanf(buf, "%4u:", &len) != 1)
-		return -EINVAL;	/* ??? */
-	if (len >= MAX_NETSTR)
-		return -E2BIG;	/* ??? */
-	if (len >= buflen - 1)
-		return -E2BIG;	/* ??? */
-	if (len <= 0)
-		return -EINVAL;	/* ??? */
-	r = read(NotifyRDpipe, buf, len + 1);
-	save_errno = errno;
-	SM_DBG((stderr, "read=%d, e=%d\n", r, save_errno));
-	if (r == 0)
-		return -1;	/* ??? */
-	if (r < 0)
-		return -save_errno;
-	if (len + 1 != r)
-		return -1;	/* ??? */
-	if (buf[len] != ',')
-		return -EINVAL;	/* ??? */
-	buf[len] = '\0';
-	return r;
+	RDNETSTR(r, NotifyRDpipe, (void)0);
 }
-#endif /* _FFR_DMTRIGGER */
+#endif /* _FFR_DMTRIGGER && _FFR_NOTIFY < 2 */

libsm/notify.h

@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 2021 Proofpoint, Inc. and its suppliers.
+ *      All rights reserved.
+ *
+ * By using this file, you agree to the terms and conditions set
+ * forth in the LICENSE file which can be found at the top level of
+ * the sendmail distribution.
+ */
+
+#ifndef LIBSM_NOTIFY_H
+#define LIBSM_NOTIFY_H
+
+#if SM_NOTIFY_DEBUG
+#define SM_DBG(p)	fprintf p
+#else
+#define SM_DBG(p)	
+#endif
+
+/* microseconds */
+#define SM_MICROS 1000000L
+
+#define SM_MICROS2TVAL(tmo, tval, timeout) \
+	do	\
+	{	\
+		if (tmo < 0)	\
+			tval = NULL;	\
+		else	\
+		{	\
+			timeout.tv_sec = (long) (tmo / SM_MICROS);	\
+			timeout.tv_usec = tmo % SM_MICROS;	\
+			tval = &timeout;	\
+		}	\
+	} while (0)
+
+#define MAX_NETSTR 1024
+#define NETSTRPRE 5
+
+/* flow through code, be careful how to use! */
+#define RDNETSTR(rc, fd, SM_NOTIFY_EOF)	\
+	if ((rc) <= 0)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, select=%d, e=%d\n", (long)getpid(), (rc), save_errno)); \
+		return -ETIMEDOUT;	\
+	}	\
+	\
+	/* bogus... need to check again? */	\
+	if (!FD_ISSET(fd, &readfds))	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, fd=%d, isset=false\n", (long)getpid(), fd)); \
+		return -ETIMEDOUT;	\
+	}	\
+	r = read(fd, buf, NETSTRPRE);	\
+	if (0 == r)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, fd=%d, read1=EOF, e=%d\n", (long)getpid(), fd, errno));	\
+		SM_NOTIFY_EOF;	\
+		return r;	\
+	}	\
+	if (NETSTRPRE != r)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, fd=%d, read1=%d, e=%d\n", (long)getpid(), fd, r, errno));	\
+		return -1;	/* ??? */	\
+	}	\
+	\
+	if (sm_io_sscanf(buf, "%4u:", &len) != 1)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, scanf, e=%d\n", (long)getpid(), errno));	\
+		return -EINVAL;	/* ??? */	\
+	}	\
+	if (len >= MAX_NETSTR)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, 1: len=%d\n", (long)getpid(), len));	\
+		return -E2BIG;	/* ??? */	\
+	}	\
+	if (len >= buflen - 1)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, 2: len=%d\n", (long)getpid(), len));	\
+		return -E2BIG;	/* ??? */	\
+	}	\
+	if (len <= 0)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, 3: len=%d\n", (long)getpid(), len));	\
+		return -EINVAL;	/* ??? */	\
+	}	\
+	r = read(fd, buf, len + 1);	\
+	save_errno = errno;	\
+	SM_DBG((stderr, "pid=%ld, fd=%d, read=%d, len=%d, e=%d\n", (long)getpid(), fd, r, len+1, save_errno));	\
+	if (r == 0)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, fd=%d, read2=%d, e=%d\n", (long)getpid(), fd, r, save_errno));	\
+		return -1;	/* ??? */	\
+	}	\
+	if (r < 0)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, fd=%d, read3=%d, e=%d\n", (long)getpid(), fd, r, save_errno));	\
+		return -save_errno;	\
+	}	\
+	if (len + 1 != r)	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, fd=%d, read4=%d, len=%d\n", (long)getpid(), fd, r, len));	\
+		return -1;	/* ??? */	\
+	}	\
+	if (buf[len] != ',')	\
+	{	\
+		SM_DBG((stderr, "pid=%ld, fd=%d, read5=%d, f=%d\n", (long)getpid(), fd, r, buf[len]));	\
+		return -EINVAL;	/* ??? */	\
+	}	\
+	buf[len] = '\0';	\
+	return r
+
+#endif /* ! LIBSM_MSG_H */

libsm/rewind.c

@@ -25,7 +25,7 @@ SM_RCSID("@(#)$Id: rewind.c,v 1.19 2013-11-22 20:51:43 ca Exp $")
 **	Seeks the file to the beginning and clears any outstanding errors.
 **
 **	Parameters:
-**		fp -- the flie pointer for rewind
+**		fp -- the file pointer for rewind
 **		timeout -- time to complete the rewind
 **
 **	Returns:

libsm/setvbuf.c

@@ -17,6 +17,7 @@ SM_RCSID("@(#)$Id: setvbuf.c,v 1.33 2013-11-22 20:51:43 ca Exp $")
 #include <stdlib.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <sm/limits.h>
 #include <sm/io.h>
 #include <sm/heap.h>
 #include <sm/assert.h>
@@ -67,7 +68,7 @@ sm_io_setvbuf(fp, timeout, buf, mode, size)
 
 	if (mode != SM_IO_NBF)
 		if ((mode != SM_IO_FBF && mode != SM_IO_LBF &&
-		    mode != SM_IO_NOW) || (int) size < 0)
+		    mode != SM_IO_NOW) || size > INT_MAX)
 			return SM_IO_EOF;
 
 	/*

libsm/stdio.c

@@ -162,7 +162,7 @@ sm_stdwrite(fp, buf, n)
 /*
 **  SM_STDSEEK -- set the file offset position
 **
-**	Parmeters:
+**	Parameters:
 **		fp -- file pointer to position
 **		offset -- how far to position from "base" (set by 'whence')
 **		whence -- indicates where the "base" of the 'offset' to start

libsm/strcaseeq.c

@@ -17,7 +17,7 @@
 #include <sm/ixlen.h>
 
 /*
-**  SM_STRCASEEQ -- are two strings equal (case-insenstive)?
+**  SM_STRCASEEQ -- are two strings equal (case-insensitive)?
 **
 **	Parameters:
 **		s1 -- string
@@ -63,7 +63,7 @@ sm_strcaseeq(s1, s2)
 }
 
 /*
-**  SM_STRNCASEEQ -- are two strings (up to a length) equal (case-insenstive)?
+**  SM_STRNCASEEQ -- are two strings (up to a length) equal (case-insensitive)?
 **
 **	Parameters:
 **		s1 -- string
@@ -86,13 +86,13 @@ sm_strncaseeq(s1, s2, n)
 
 	if (0 == n)
 		return true;
-	if (asciistr(s1))
+	if (asciinstr(s1, n))
 	{
-		if (!asciistr(s2))
+		if (!asciinstr(s2, n))
 			return false;
 		return (sm_strncasecmp(s1, s2, n) == 0);
 	}
-	if (asciistr(s2))
+	if (asciinstr(s2, n))
 		return false;
 	l1 = sm_lowercase(s1);
 	if (l1 != s1)
@@ -104,7 +104,7 @@ sm_strncaseeq(s1, s2, n)
 		f1 = NULL;
 	l2 = sm_lowercase(s2);
 
-	while (*l1 == *l2 && '\0' != *l1 && n-- > 0)
+	while (*l1 == *l2 && '\0' != *l1 && --n > 0)
 		l1++, l2++;
 	same = *l1 == *l2;
 

libsm/t-ixlen.c

@@ -19,6 +19,7 @@ SM_IDSTR(id, "@(#)$Id: t-qic.c,v 1.10 2013-11-22 20:51:43 ca Exp $")
 
 #if _FFR_8BITENVADDR
 extern bool SmTestVerbose;
+static int Verbose = 0;
 
 static void
 chkilenx(str, len)
@@ -30,10 +31,41 @@ chkilenx(str, len)
 	xlen = ilenx(str);
 	SM_TEST(len == xlen);
 	if (len != xlen)
-		fprintf(stderr, "str=\"%s\", len=%d, excpected=%d\n",
+		fprintf(stderr, "str=\"%s\", len=%d, expected=%d\n",
 			str, xlen, len);
 }
 
+static void
+chkilen(str)
+	char *str;
+{
+	char *obp;
+	int outlen, leni, lenx, ilen;
+	char line_in[1024];
+	XLENDECL
+
+	lenx = strlen(str);
+	sm_strlcpy(line_in, str, sizeof(line_in));
+	obp = quote_internal_chars(str, NULL, &outlen, NULL);
+	leni = strlen(obp);
+
+	for (ilen = 0; *obp != '\0'; obp++, ilen++)
+	{
+		XLEN(*obp);
+	}
+	if (Verbose)
+		fprintf(stderr, "str=\"%s\", ilen=%d, xlen=%d\n",
+			str, ilen, xlen);
+	SM_TEST(ilen == leni);
+	if (ilen != leni)
+		fprintf(stderr, "str=\"%s\", ilen=%d, leni=%d\n",
+			str, ilen, leni);
+	SM_TEST(xlen == lenx);
+	if (xlen != lenx)
+		fprintf(stderr, "str=\"%s\", xlen=%d, lenx=%d\n",
+			str, xlen, lenx);
+}
+
 static void
 chkxleni(str, len)
 	const char *str;
@@ -44,7 +76,7 @@ chkxleni(str, len)
 	ilen = xleni(str);
 	SM_TEST(len == ilen);
 	if (len != ilen)
-		fprintf(stderr, "str=\"%s\", len=%d, excpected=%d\n",
+		fprintf(stderr, "str=\"%s\", len=%d, expected=%d\n",
 			str, ilen, len);
 }
 
@@ -64,18 +96,26 @@ main(argc, argv)
 	char *argv[];
 {
 	int o, len;
-	bool x;
+	bool x, both;
 	char line[1024];
 
-	x = false;
-	while ((o = getopt(argc, argv, "x")) != -1)
+	x = both = false;
+	while ((o = getopt(argc, argv, "bxV")) != -1)
 	{
 		switch ((char) o)
 		{
+		  case 'b':
+			both = true;
+			break;
+
 		  case 'x':
 			x = true;
 			break;
 
+		  case 'V':
+			Verbose++;
+			break;
+
 		  default:
 			usage(argv[0]);
 			exit(1);
@@ -84,6 +124,12 @@ main(argc, argv)
 
 	sm_test_begin(argc, argv, "test ilenx");
 
+	if (both)
+	{
+		while (fscanf(stdin, "%s\n", line) == 1)
+			chkilen(line);
+		return sm_test_end();
+	}
 	while (fscanf(stdin, "%d:%s\n", &len, line) == 2)
 	{
 		if (x)

libsm/t-notify.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 2020 Proofpoint, Inc. and its suppliers.
  *      All rights reserved.
  *
  * By using this file, you agree to the terms and conditions set
@@ -8,7 +8,6 @@
  */
 
 #include <sm/gen.h>
-
 #include <stdio.h>
 
 #if _FFR_DMTRIGGER || _FFR_NOTIFY
@@ -20,23 +19,32 @@
 # include <sm/test.h>
 # include <sm/notify.h>
 # include <sm/conf.h>
+# include "notify.h"
+
+static int Verbose = 0;
+#define MAX_CHILDREN	256
+#define MAX_MSGS	1024
+static pid_t pids[MAX_CHILDREN];
+static char msgs[MAX_CHILDREN][MAX_MSGS];
 
 /*
-**  NOTIFY_WR -- test of notify feature
+**  NOTIFY_WR -- test of notify write feature
 **
 **	Parameters:
 **		pid -- pid of process
+**		nmsgs -- number of messages to write
 **
 **	Returns:
-**		0 on success
+**		>=0 on success
 **		< 0 on failure
 */
 
 static int
-notify_wr(pid)
+notify_wr(pid, nmsgs)
 	pid_t pid;
+	int nmsgs;
 {
-	int r;
+	int r, i;
 	size_t len;
 	char buf[64];
 #define TSTSTR "qf0001"
@@ -48,16 +56,38 @@ notify_wr(pid)
 		return -1;
 	}
 
-	len = sm_snprintf(buf, sizeof(buf), "%s-%ld", TSTSTR, (long) pid);
-	r = sm_notify_snd(buf, len);
-	SM_TEST(r >= 0);
+	for (i = 0; i < nmsgs; i++)
+	{
+		len = sm_snprintf(buf, sizeof(buf), "%s-%ld_%d", TSTSTR,
+				(long) pid, i);
+		r = sm_notify_snd(buf, len);
+		SM_TEST(r >= 0);
+	}
 	return r;
 }
 
+static int
+validpid(nproc, cpid)
+	int nproc;
+	pid_t cpid;
+{
+	int i;
+
+	for (i = 0; i < nproc; i++)
+		if (cpid == pids[i])
+			return i;
+	if (Verbose > 0)
+		fprintf(stderr, "pid=%ld not found, nproc=%d\n",
+			(long) cpid, nproc);
+	return -1;
+}
+
 /*
-**  NOTIFY_RD -- test of notify feature
+**  NOTIFY_RD -- test of notify read feature
 **
 **	Parameters:
+**		nproc -- number of processes started
+**		nmsgs -- number of messages to read for each process
 **
 **	Returns:
 **		0 on success
@@ -65,11 +95,13 @@ notify_wr(pid)
 */
 
 static int
-notify_rd(nproc)
+notify_rd(nproc, nmsgs)
 	int nproc;
+	int nmsgs;
 {
-	int r, i;
-	char buf[64];
+	int r, i, pidx;
+	long cpid;
+	char buf[64], *p;
 #define TSTSTR "qf0001"
 
 	r = sm_notify_start(true, 0);
@@ -79,21 +111,52 @@ notify_rd(nproc)
 		return -1;
 	}
 
-	for (i = 0; i < nproc; i++)
+	for (i = 0; i < nmsgs * nproc; i++)
 	{
-		r = sm_notify_rcv(buf, sizeof(buf), 5 * SM_MICROS);
-		SM_TEST(r >= 0);
+		do
+		{
+			r = sm_notify_rcv(buf, sizeof(buf), 5 * SM_MICROS);
+			SM_TEST(r >= 0);
+		} while (0 == r);
 		if (r < 0)
 		{
-			fprintf(stderr, "rcv=%d\n", r);
+			fprintf(stderr, "pid=%ld, rcv=%d, i=%d\n",
+				(long)getpid(), r, i);
 			return r;
 		}
 		if (r > 0 && r < sizeof(buf))
 			buf[r] = '\0';
 		buf[sizeof(buf) - 1] = '\0';
+
+		if (Verbose > 0)
+			fprintf(stderr, "pid=%ld, buf=\"%s\", i=%d\n",
+				(long)getpid(), buf, i);
+
 		SM_TEST(strncmp(buf, TSTSTR, sizeof(TSTSTR) - 1) == 0);
 		SM_TEST(r > sizeof(TSTSTR));
-		fprintf(stderr, "buf=\"%s\"\n", buf);
+
+		r = sscanf(buf + sizeof(TSTSTR), "%ld", &cpid);
+		SM_TEST(1 == r);
+		pidx = validpid(nproc, (pid_t)cpid);
+		SM_TEST(pidx >= 0);
+		SM_TEST(pidx < nproc);
+
+		p = strchr(buf, '_');
+		SM_TEST(NULL != p);
+		if (NULL != p && pidx < nproc && pidx >= 0)
+		{
+			int n;
+
+			r = sscanf(p + 1, "%d", &n);
+			SM_TEST(1 == r);
+			SM_TEST(n >= 0);
+			SM_TEST(n < nmsgs);
+			if (1 == r && n < nmsgs && n >= 0)
+			{
+				SM_TEST('\0' == msgs[pidx][n]);
+				msgs[pidx][n] = 'f';
+			}
+		}
 	}
 	return 0;
 }
@@ -106,27 +169,53 @@ main(argc, argv)
 	int i;
 	int r = 0;
 	int nproc = 1;
+	int nmsgs = 1;
 	pid_t pid;
 
-# define OPTIONS	"p:"
+# define OPTIONS	"n:p:V"
 	while ((i = getopt(argc, argv, OPTIONS)) != -1)
 	{
 		switch ((char) i)
 		{
+		  case 'n':
+			nmsgs = atoi(optarg);
+			if (nmsgs < 1)
+			{
+				errno = EINVAL;
+				fprintf(stderr, "-%c: must be >0\n", (char) i);
+				return 1;
+			}
+			if (nmsgs >= MAX_MSGS)
+			{
+				errno = EINVAL;
+				fprintf(stderr, "-%c: must be <%d\n", (char) i, MAX_MSGS);
+				return 1;
+			}
+			break;
 		  case 'p':
 			nproc = atoi(optarg);
 			if (nproc < 1)
 			{
 				errno = EINVAL;
-				perror("-p: must be >0\n");
-				return r;
+				fprintf(stderr, "-%c: must be >0\n", (char) i);
+				return 1;
 			}
+			if (nproc >= MAX_CHILDREN)
+			{
+				errno = EINVAL;
+				fprintf(stderr, "-%c: must be <%d\n", (char) i, MAX_CHILDREN);
+				return 1;
+			}
+			break;
+		  case 'V':
+			++Verbose;
 			break;
 		  default:
 			break;
 		}
 	}
 
+	memset(msgs, '\0', sizeof(msgs));
 	sm_test_begin(argc, argv, "test notify");
 	r = sm_notify_init(0);
 	SM_TEST(r >= 0);
@@ -149,12 +238,14 @@ main(argc, argv)
 		{
 			/* give the parent the chance to set up data */
 			sleep(1);
-			r = notify_wr(getpid());
+			r = notify_wr(getpid(), nmsgs);
 			break;
 		}
+		if (pid > 0)
+			pids[i] = pid;
 	}
 	if (pid > 0)
-		r = notify_rd(nproc);
+		r = notify_rd(nproc, nmsgs);
 	SM_TEST(r >= 0);
 	return sm_test_end();
 }
@@ -164,7 +255,7 @@ main(argc, argv)
 	int argc;
 	char *argv[];
 {
-	printf("SKIPPED: no _FFR_DMTRIGGER\n");
+	printf("SKIPPED: no _FFR_DMTRIGGER || _FFR_NOTIFY\n");
 	return 0;
 }
-#endif /* _FFR_DMTRIGGER */
+#endif /* _FFR_DMTRIGGER || _FFR_NOTIFY */

libsm/t-qic.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 2006, 2023 Proofpoint, Inc. and its suppliers.
  *	All rights reserved.
  *
  * By using this file, you agree to the terms and conditions set
@@ -19,7 +19,6 @@ SM_IDSTR(id, "@(#)$Id: t-qic.c,v 1.10 2013-11-22 20:51:43 ca Exp $")
 
 extern bool SmTestVerbose;
 
-
 void
 show_diff(s1, s2)
 	const char *s1;
@@ -107,6 +106,8 @@ main(argc, argv)
 	int i, los, cmp, mode;
 	sm_qic_T inout[] = {
 		  { "", "",	0 }
+		, { "\t", "\t",	0 }
+		, { "\tuser", "\tuser",	0 }
 		, { "abcdef", "abcdef",	0 }
 		, { "01234567890123456789", "01234567890123456789",	0 }
 		, { "\\", "\\",	0 }
@@ -242,5 +243,16 @@ main(argc, argv)
 		}
 	}
 
+	los = -1;
+	obp = quote_internal_chars(NULL, NULL, &los, NULL);
+	SM_TEST(NULL == obp);
+	SM_TEST(-1 == los);
+
+	sm_strlcpy(line_in, "nothing", sizeof(line_in));
+	los = -123;
+	obp = quote_internal_chars(line_in, NULL, &los, NULL);
+	SM_TEST(NULL != obp);
+	SM_TEST(los > 0);
+
 	return sm_test_end();
 }

libsm/t-streq.c

@@ -17,7 +17,6 @@ SM_IDSTR(id, "@(#)$Id: t-qic.c,v 1.10 2013-11-22 20:51:43 ca Exp $")
 #include <sm/ixlen.h>
 #include <sm/test.h>
 
-#if _FFR_8BITENVADDR
 extern bool SmTestVerbose;
 
 static int
@@ -37,6 +36,32 @@ usage(prg)
 	fprintf(stderr, "options:\n");
 }
 
+static void
+hack(str)
+	char *str;
+{
+	char c;
+
+	/* replace just one \x char */
+	while ((c = *str++) != '\0')
+	{
+		if (c != '\\')
+			continue;
+		c = *str;
+		switch (c)
+		{
+		  case 'n': c ='\n'; break;
+		  case 't': c ='\t'; break;
+		  case 'r': c ='\r'; break;
+		  /* case 'X': c ='\X'; break; */
+		  default: c ='\0'; break;
+		}
+		*(str - 1) = c;
+		*str = '\0';
+		break;
+	}
+}
+
 int
 main(argc, argv)
 	int argc;
@@ -61,17 +86,14 @@ main(argc, argv)
 	while (fscanf(stdin, "%d:%s\n", &len, s1) == 2 &&
 		fscanf(stdin, "%d:%s\n", &o,s2) == 2)
 	{
+		int r;
+
+		hack(s1);
+		hack(s2);
 		SM_TEST(tstrncaseeq(s1, s2, len) == o);
+		if ((r = tstrncaseeq(s1, s2, len)) != o)
+			fprintf(stderr, "\"%s\"\n\"%s\"\n%d!=%d\n", s1, s2, o, r);
 	}
 
 	return sm_test_end();
 }
-#else /* _FFR_8BITENVADDR */
-int
-main(argc, argv)
-	int argc;
-	char *argv[];
-{
-	return 0;
-}
-#endif /* _FFR_8BITENVADDR */

libsm/t-streq.sh

@@ -12,6 +12,13 @@
 
 PRG=./t-streq
 R=0
+# format:
+# two lines:
+# len:string1
+# result:string2
+# result:
+# 1: equal
+# 0: not equal
 ${PRG} <<EOF
 0:a
 1:X
@@ -23,6 +30,18 @@ ${PRG} <<EOF
 1:AC
 2:aB
 0:AC
+2:aB\n
+1:AB
+20:xabcez@uabcey.por.az\n
+1:xabcez@uabcey.por.az
+7:ünchen\n
+1:ünchen
+7:ünchen\n
+0:üncheX
+22:iseadmin@somest.sld.br>\n
+1:iseadmin@somest.sld.br
+22:iseadmin@somest.sld.br
+1:iseadmin@somest.sld.br>\n
 EOF
 R=$?
 

libsm/test.c

@@ -96,7 +96,7 @@ sm_test_begin(argc, argv, testname)
 **  SM_TEST -- single test.
 **
 **	Parameters:
-**		success -- did test succeeed?
+**		success -- did test succeed?
 **		expr -- expression that has been evaluated.
 **		filename -- guess...
 **		lineno -- line number.

libsm/util.c

@@ -132,10 +132,11 @@ str2prt(s)
 **		ibp -- a pointer to the string to translate [x]
 **		obp -- a pointer to an output buffer [i][m:A]
 **		bsp -- pointer to the length of the output buffer
+**		rpool -- rpool for allocations
 **
 **	Returns:
-**		A possibly new bp (if the buffer needed to grow); if
-**		it is different, *bsp will updated to the size of
+**		A possibly new obp (if the buffer needed to grow);
+**		if it is different, *bsp will updated to the size of
 **		the new buffer and the caller is responsible for
 **		freeing the memory.
 */
@@ -171,7 +172,12 @@ quote_internal_chars
 	int bufused, olen;
 	bool buffer_same, needs_quoting;
 
+	if (NULL == ibp)
+		return NULL;
 	buffer_same = ibp == obp;
+	SM_REQUIRE(NULL != bsp);
+	if (NULL == obp)
+		*bsp = 0;
 	needs_quoting = false;
 
 	/* determine length of output string (starts at 1 for trailing '\0') */

libsm/vfprintf.c

@@ -74,7 +74,7 @@ sm_print(fp, timeout, uio)
 }
 
 /*
-**  SM_BPRINTF -- allow formating to an unbuffered file.
+**  SM_BPRINTF -- allow formatting to an unbuffered file.
 **
 **  Helper function for `fprintf to unbuffered unix file': creates a
 **  temporary buffer (via a "fake" file pointer).
@@ -84,11 +84,11 @@ sm_print(fp, timeout, uio)
 **	Parameters:
 **		fp -- the file to send the o/p to
 **		fmt -- format instructions for the o/p
-**		ap -- vectors of data units used for formating
+**		ap -- vectors of data units used for formatting
 **
 **	Results:
 **		Failure: SM_IO_EOF and errno set
-**		Success: number of data units used in the formating
+**		Success: number of data units used in the formatting
 **
 **	Side effects:
 **		formatted o/p can be SM_IO_BUFSIZ length maximum
@@ -156,13 +156,13 @@ sm_bprintf(fp, fmt, ap)
 #define FPT		0x100		/* Floating point number */
 
 /*
-**  SM_IO_VFPRINTF -- performs actual formating for o/p
+**  SM_IO_VFPRINTF -- performs actual formatting for o/p
 **
 **	Parameters:
 **		fp -- file pointer for o/p
 **		timeout -- time to complete the print
-**		fmt0 -- formating directives
-**		ap -- vectors with data units for formating
+**		fmt0 -- formatting directives
+**		ap -- vectors with data units for formatting
 **
 **	Results:
 **		Success: number of data units used for formatting
@@ -816,8 +816,8 @@ number:			if ((dprec = prec) >= 0)
 **  It will be replaced with a malloc-ed one if it overflows.
 **
 **	Parameters:
-**		fmt0 -- formating directives
-**		ap -- vector list of data unit for formating consumption
+**		fmt0 -- formatting directives
+**		ap -- vector list of data unit for formatting consumption
 **		argtable -- an indexable table (returned) of 'ap'
 **
 **	Results:

libsm/vfscanf.c

@@ -655,7 +655,7 @@ again:		c = *fmt++;
 				c = *fp->f_p;
 
 				/*
-				**  This code mimicks the integer conversion
+				**  This code mimics the integer conversion
 				**  code, but is much simpler.
 				*/
 

libsmdb/smcdb.c

@@ -409,7 +409,7 @@ smcdb_cursor(database, cursor, flags)
 **	Parameters:
 **		database -- An unallocated database pointer to a pointer.
 **		db_name -- The name of the database without extension.
-**		mode -- File permisions for a created database.
+**		mode -- File permissions for a created database.
 **		mode_mask -- Mode bits that must match on an opened database.
 **		sff -- Flags for safefile.
 **		type -- The type of database to open

libsmdb/smdb.c

@@ -333,10 +333,9 @@ smdb_lock_file(lock_fd, db_name, mode, sff, extension)
 
 	return SMDBE_OK;
 }
+
 /*
-**  SMDB_UNLOCK_FILE -- Unlocks a file
-**
-**	Unlocks a file.
+**  SMDB_UNLOCK_FILE -- Unlocks a file - via close()
 **
 **	Parameters:
 **		lock_fd -- The descriptor for the locked file.
@@ -488,7 +487,7 @@ smdb_filechanged(db_name, extension, db_fd, stat_info)
 **  SMDB_PRINT_AVAILABLE_TYPES -- Prints the names of the available types.
 **
 **	Parameters:
-**		None
+**		ext - also show extension?
 **
 **	Returns:
 **		None

libsmdb/smdb1.c

@@ -423,7 +423,7 @@ smdb1_cursor(database, cursor, flags)
 **	Parameters:
 **		database -- An unallocated database pointer to a pointer.
 **		db_name -- The name of the database without extension.
-**		mode -- File permisions on the database if created.
+**		mode -- File permissions on the database if created.
 **		mode_mask -- Mode bits that must match on an existing database.
 **		sff -- Flags for safefile.
 **		type -- The type of database to open

libsmdb/smdb2.c

@@ -549,7 +549,7 @@ smdb_db_open_internal(db_name, db_type, db_flags, db_params, db)
 **	Parameters:
 **		database -- An unallocated database pointer to a pointer.
 **		db_name -- The name of the database without extension.
-**		mode -- File permisions for a created database.
+**		mode -- File permissions for a created database.
 **		mode_mask -- Mode bits that must match on an opened database.
 **		sff -- Flags for safefile.
 **		type -- The type of database to open

libsmdb/smndbm.c

@@ -17,7 +17,7 @@ SM_RCSID("@(#)$Id: smndbm.c,v 8.55 2013-11-22 20:51:49 ca Exp $")
 #include <sendmail/sendmail.h>
 #include <libsmdb/smdb.h>
 
-#ifdef NDBM
+#if NDBM
 
 # define SMNDB_PAG_FILE_EXTENSION "pag"
 
@@ -465,7 +465,7 @@ smdbm_cursor(database, cursor, flags)
 **	Parameters:
 **		database -- An unallocated database pointer to a pointer.
 **		db_name -- The name of the database without extension.
-**		mode -- File permisions on a created database.
+**		mode -- File permissions on a created database.
 **		mode_mask -- Mode bits that much match on an opened database.
 **		sff -- Flags to safefile.
 **		type -- The type of database to open.

libsmutil/t-lockfile.c

@@ -21,7 +21,20 @@ char iobuf[IOBUFSZ];
 static int noio, chk;
 static pid_t pid;
 
-int
+/*
+**  OPENFILE -- open a file
+**
+**	Parameters:
+**		owner -- create file?
+**		filename -- name of file.
+**		flags -- flags for open(2)
+**
+**	Returns:
+**		>=0 fd
+**		<0 on failure.
+*/
+
+static int
 openfile(owner, filename, flags)
 	int owner;
 	char *filename;
@@ -36,10 +49,21 @@ openfile(owner, filename, flags)
 		return fd;
 	fprintf(stderr, "%d: %ld: owner=%d, open(%s) failed\n",
 		(int) pid, (long) time(NULL), owner, filename);
-	return 1;
+	return -1;
 }
 
-int
+/*
+**  WRBUF -- write iobuf to fd
+**
+**	Parameters:
+**		fd -- file descriptor.
+**
+**	Returns:
+**		==0 write was ok
+**		!=0 on failure.
+*/
+
+static int
 wrbuf(fd)
 	int fd;
 {
@@ -55,7 +79,19 @@ wrbuf(fd)
 	return 1;
 }
 
-int
+/*
+**  RDBUF -- read from fd
+**
+**	Parameters:
+**		fd -- file descriptor.
+**		xbuf -- expected content.
+**
+**	Returns:
+**		==0 read was ok and content matches
+**		!=0 otherwise
+*/
+
+static int
 rdbuf(fd, xbuf)
 	int fd;
 	const char *xbuf;
@@ -81,7 +117,7 @@ rdbuf(fd, xbuf)
 }
 
 /*
-**  LOCKTEST -- test of file locking
+**  LOCKTESTWR -- test WR/EX file locking
 **
 **	Parameters:
 **		owner -- create file?
@@ -102,7 +138,7 @@ rdbuf(fd, xbuf)
 		fprintf(stderr, str, filename, shared ? "RD" : "EX");	\
 	} while (0)
 
-int
+static int
 locktestwr(filename, flags, delay)
 	char *filename;
 	int flags;
@@ -128,7 +164,8 @@ locktestwr(filename, flags, delay)
 	sm_strlcpy(iobuf, FIRSTLINE, sizeof(iobuf));
 	if (wrbuf(fd))
 		return 1;
-	sleep(delay);
+	if (delay > 0)
+		sleep(delay);
 	sm_strlcpy(iobuf, LASTLINE, sizeof(iobuf));
 	if (wrbuf(fd))
 		return 1;
@@ -149,7 +186,22 @@ locktestwr(filename, flags, delay)
 	return 0;
 }
 
-long
+/*
+**  CHKLCK -- check whether fd is locked (only for fcntl())
+**
+**	Parameters:
+**		owner -- create file?
+**		filename -- name of file.
+**		flags -- flags for open(2)
+**		delay -- how long to keep file locked?
+**
+**	Returns:
+**		0 if not locked
+**		>0 pid of process which holds a WR lock
+**		<0 error
+*/
+
+static long
 chklck(fd)
 	int fd;
 {
@@ -168,13 +220,27 @@ chklck(fd)
 		return (long)lfd.l_pid;
 	return 0L;
 #else /* !HASFLOCK */
-	fprintf(stderr, "%d: %ld: flock: no lock test\n",
+	fprintf(stderr, "%d: %ld: flock(): no lock test\n",
 		(int) pid, (long) time(NULL));
 	return -1L;
 #endif /* !HASFLOCK */
 }
 
-int
+/*
+**  LOCKTESTRD -- test file locking for reading
+**
+**	Parameters:
+**		filename -- name of file.
+**		flags -- flags for open(2)
+**		delay -- how long is file locked by owner?
+**		shared -- LOCK_{EX/SH}
+**
+**	Returns:
+**		0 on success
+**		!= 0 on failure.
+*/
+
+static int
 locktestrd(filename, flags, delay, shared)
 	char *filename;
 	int flags;
@@ -252,6 +318,16 @@ locktestrd(filename, flags, delay, shared)
 	return 0;
 }
 
+/*
+**  USAGE -- show usage
+**
+**	Parameters:
+**		prg -- name of program
+**
+**	Returns:
+**		nothing.
+*/
+
 static void
 usage(prg)
 	const char *prg;
@@ -264,6 +340,12 @@ usage(prg)
 		"-r		use shared locking for reader\n"
 		"-s delay	sleep delay seconds before unlocking\n"
 		"-W		only start writer process\n"
+#if !HASFLOCK
+		"uses fcntl()\n"
+#else
+		"uses flock()\n"
+#endif
+
 		, prg);
 }
 
@@ -335,7 +417,7 @@ main(argc, argv)
 	r = 0;
 	if (reader || fpid == 0)
 	{
-		/* give the parent the chance to setup data */
+		/* give the parent the chance to set up data */
 		pid = getpid();
 		sleep(1);
 		r = locktestrd(filename, flags, nb ? delay : 0, shared);

mail.local/mail.local.0

@@ -1,4 +1,4 @@
-MAIL.LOCAL(8)               System Manager's Manual              MAIL.LOCAL(8)
+MAIL.LOCAL(8)                                                    MAIL.LOCAL(8)
 
 
 
@@ -63,8 +63,8 @@ DDEESSCCRRIIPPTTIIOONN
        line (that is, a line beginning with the five characters ``From '' fol-
        lowing a blank line).
 
-       The mail files are exclusively locked with flock(2) while mail  is  ap-
-       pended,  and  a  uusseerr..lloocckk  file  also  is created while the mailbox is
+       The mail files are exclusively  locked  with  flock(2)  while  mail  is
+       appended,  and  a  uusseerr..lloocckk  file also is created while the mailbox is
        locked for compatibility with older MUAs.
 
        If the ``biff'' service  is  returned  by  getservbyname(3),  the  biff
@@ -89,8 +89,8 @@ WWAARRNNIINNGG
        the local mailer in the sendmail.cf file.
 
 HHIISSTTOORRYY
-       A  superset of mmaaiill..llooccaall (handling mailbox reading as well as mail de-
-       livery) appeared in Version 7 AT&T UNIX as the program mmaaiill.
+       A  superset  of  mmaaiill..llooccaall  (handling  mailbox reading as well as mail
+       delivery) appeared in Version 7 AT&T UNIX as the program mmaaiill.
 
 
 

mail.local/mail.local.c

@@ -1686,7 +1686,7 @@ hashname(name)
 	MD5_CTX ctx;
 	unsigned char md5[18];
 #  if MAXPATHLEN <= 24
-#    ERROR "MAXPATHLEN <= 24"
+#    error "MAXPATHLEN <= 24"
 #  endif
 	char b64[24];
 	MD5_LONG bits;

mailstats/mailstats.0

@@ -1,4 +1,4 @@
-MAILSTATS(8)                System Manager's Manual               MAILSTATS(8)
+MAILSTATS(8)                                                      MAILSTATS(8)
 
 
 
@@ -27,25 +27,25 @@ DDEESSCCRRIIPPTTIIOONN
               MMaaiilleerr      The name of the mailer.
 
        After this display, a line totaling the values for all of  the  mailers
-       is  displayed  (preceded with a ``T''), separated from the previous in-
-       formation by a line containing only equals (``='') characters.  Another
-       line preceded with a ``C'' lists the number of TCP connections.
+       is  displayed  (preceded  with  a  ``T''),  separated from the previous
+       information by  a  line  containing  only  equals  (``='')  characters.
+       Another line preceded with a ``C'' lists the number of TCP connections.
 
        The options are as follows:
 
        --CC     Read the specified file instead of the default sseennddmmaaiill configu-
               ration file.
 
-       --cc     Try to use submit.cf instead of the default sseennddmmaaiill  configura-
+       --cc     Try  to use submit.cf instead of the default sseennddmmaaiill configura-
               tion file.
 
-       --ff     Read  the  specified  statistics  file instead of the statistics
+       --ff     Read the specified statistics file  instead  of  the  statistics
               file specified in the sseennddmmaaiill configuration file.
 
-       --PP     Output information in  program-readable  mode  without  clearing
+       --PP     Output  information  in  program-readable  mode without clearing
               statistics.
 
-       --pp     Output  information  in  program-readable mode and clear statis-
+       --pp     Output information in program-readable mode  and  clear  statis-
               tics.
 
        --oo     Don't display the name of the mailer in the output.

makemap/makemap.0

@@ -1,4 +1,4 @@
-MAKEMAP(8)                  System Manager's Manual                 MAKEMAP(8)
+MAKEMAP(8)                                                          MAKEMAP(8)
 
 
 
@@ -7,7 +7,7 @@ NNAAMMEE
 
 SSYYNNOOPPSSIISS
        mmaakkeemmaapp  [--CC  _f_i_l_e] [--NN] [--cc _c_a_c_h_e_s_i_z_e] [--dd] [--DD _c_o_m_m_e_n_t_c_h_a_r] [--ee] [--ff]
-       [--ll] [--oo] [--rr] [--ss] [--tt _d_e_l_i_m] [--uu] [--vv] _m_a_p_t_y_p_e _m_a_p_n_a_m
+       [--ii _t_y_p_e] [--ll] [--oo] [--rr] [--ss] [--tt _d_e_l_i_m] [--uu] [--vv] _m_a_p_t_y_p_e _m_a_p_n_a_m
 
 DDEESSCCRRIIPPTTIIOONN
        MMaakkeemmaapp creates the database maps used by  the  keyed  map  lookups  in
@@ -19,36 +19,36 @@ DDEESSCCRRIIPPTTIIOONN
 
        dbm    DBM format maps.  This requires the ndbm(3) library.
 
-       btree  B-Tree format maps.  This requires the new Berkeley DB library.
+       btree  B-Tree  format maps.  This requires the new Berkeley DB library.
 
        hash   Hash format maps.  This also requires the Berkeley DB library.
 
-       cdb    CDB  (Constant DataBase) format maps.  This requires the tinycdb
+       cdb    CDB (Constant DataBase) format maps.  This requires the  tinycdb
               library.
 
        implicit
-              The first available format in the following  order:  hash,  dbm,
+              The  first  available  format in the following order: hash, dbm,
               and cdb.
 
        In all cases, mmaakkeemmaapp reads lines from the standard input consisting of
        two words separated by white space.  The first is the database key, the
-       second  is the value.  The value may contain ``%_n'' strings to indicate
-       parameter substitution.  Literal percents should be  doubled  (``%%'').
+       second is the value.  The value may contain ``%_n'' strings to  indicate
+       parameter  substitution.   Literal percents should be doubled (``%%'').
        Blank lines and lines beginning with ``#'' are ignored.
 
-       Notice:  do  nnoott  use  mmaakkeemmaapp  to  create  the  aliases data base, but
-       nneewwaalliiaasseess which puts a special token into the data base  that  is  re-
-       quired by sseennddmmaaiill..
+       Notice: do nnoott use  mmaakkeemmaapp  to  create  the  aliases  data  base,  but
+       nneewwaalliiaasseess  which  puts  a  special  token  into  the data base that is
+       required by sseennddmmaaiill..
 
        If the _T_r_u_s_t_e_d_U_s_e_r option is set in the sendmail configuration file and
-       mmaakkeemmaapp is invoked as root, the generated files will be  owned  by  the
+       mmaakkeemmaapp  is  invoked  as root, the generated files will be owned by the
        specified _T_r_u_s_t_e_d_U_s_e_r_.
 
    FFllaaggss
        --CC     Use the specified sseennddmmaaiill configuration file for looking up the
               TrustedUser option.
 
-       --NN     Include the null byte that terminates strings in the map.   This
+       --NN     Include  the null byte that terminates strings in the map.  This
               must match the -N flag in the sendmail.cf ``K'' line.
 
        --cc     Use the specified hash and B-Tree cache size.
@@ -57,16 +57,19 @@ DDEESSCCRRIIPPTTIIOONN
               is ignored) instead of the default of '#'.
 
        --dd     Allow duplicate keys in the map.  This is only allowed on B-Tree
-              format  maps.  If two identical keys are read, they will both be
+              format maps.  If two identical keys are read, they will both  be
               inserted into the map.
 
        --ee     Allow empty value (right hand side).
 
-       --ff     Normally all upper case letters in the key are folded  to  lower
-              case.   This  flag disables that behaviour.  This is intended to
-              mesh with the -f flag in the KK line in sendmail.cf.   The  value
+       --ff     Normally  all  upper case letters in the key are folded to lower
+              case.  This flag disables that behaviour.  This is  intended  to
+              mesh  with  the -f flag in the KK line in sendmail.cf.  The value
               is never case folded.
 
+       --ii     Use the specified type as fallback if the given _m_a_p_t_y_p_e  is  not
+              available.
+
        --ll     List supported map types.
 
        --oo     Append  to  an old file.  This allows you to augment an existing
@@ -87,6 +90,7 @@ DDEESSCCRRIIPPTTIIOONN
 
        --vv     Verbosely print what it is doing.
 
+
 EExxaammppllee
        makemap hash /etc/mail/access < /etc/mail/access
 

makemap/makemap.8

@@ -26,6 +26,8 @@ makemap
 .IR commentchar ]
 .RB [ \-e ]
 .RB [ \-f ]
+.RB [ \-i
+.IR type ]
 .RB [ \-l ]
 .RB [ \-o ]
 .RB [ \-r ]
@@ -144,6 +146,12 @@ This is intended to mesh with the
 line in sendmail.cf.  
 The value is never case folded.
 .TP
+.B \-i
+Use the specified type as fallback
+if the given
+.I maptype
+is not available.
+.TP
 .B \-l
 List supported map types.
 .TP

makemap/makemap.c

@@ -53,12 +53,17 @@ bool	DontInitGroups = false;
 uid_t	TrustedUid = 0;
 BITMAP256 DontBlameSendmail;
 
+static bool verbose = false;
+static int exitstat;
+
 #define BUFSIZE		1024
 #define ISASCII(c)	isascii((unsigned char)(c))
+#define ISSPACE(c)	(ISASCII(c) && isspace(c))
 #define ISSEP(c) (sep == '\0' ? ISASCII(c) && isspace(c) : (c) == sep)
 
 static void usage __P((const char *));
 static char *readcf __P((const char *, char *, bool));
+static void db_put __P((SMDB_DATABASE *, SMDB_DBENT, SMDB_DBENT, int, const char *, int, const char *));
 
 static void
 usage(progname)
@@ -68,7 +73,7 @@ usage(progname)
 		      "Usage: %s [-C cffile] [-N] [-c cachesize] [-D commentchar]\n",
 		      progname);
 	sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
-		      "       %*s [-d] [-e] [-f] [-l] [-o] [-r] [-s] [-t delimiter]\n",
+		      "       %*s [-d] [-e] [-f] [-i type] [-l] [-o] [-r] [-s] [-t delimiter]\n",
 		      (int) strlen(progname), "");
 #if _FFR_TESTS
 	sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
@@ -81,6 +86,69 @@ usage(progname)
 	exit(EX_USAGE);
 }
 
+/*
+**  DB_PUT -- do the DB insert
+**
+**	Parameters:
+**		database -- DB to use
+**		db_key -- key
+**		db_val -- value
+**		putflags -- flags for smdb_put()
+**		mapname -- name of map (for error reporting)
+**		lineno -- line number (for error reporting)
+**		progname -- name of program (for error reporting)
+**
+**	Returns:
+**		none.
+**
+**	Side effects:
+**		Sets exitstat so makemap exits with error if put fails
+*/
+
+static void
+db_put(database, db_key, db_val, putflags, mapname, lineno, progname)
+	SMDB_DATABASE *database;
+	SMDB_DBENT db_key, db_val;
+	int putflags;
+	const char *mapname;
+	int lineno;
+	const char *progname;
+{
+	int errcode;
+
+	if (verbose)
+	{
+		(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
+				     "key=`%s', val=`%s'\n",
+				     (char *) db_key.data,
+				     (char *) db_val.data);
+	}
+
+	errcode = database->smdb_put(database, &db_key, &db_val, putflags);
+	if (0 == errcode)
+		return;
+
+	(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT, "%s: %s: ",
+			     progname, mapname);
+	if (lineno >= 0)
+		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT, "line %u: ",
+				     lineno);
+	(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT, "key %s: ",
+			     (char *) db_key.data);
+	if (SMDBE_KEY_EXIST == errcode)
+	{
+		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
+				     "duplicate key\n");
+		exitstat = EX_DATAERR;
+	}
+	else
+	{
+		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
+				     "put error: %s\n", sm_errstring(errcode));
+		exitstat = EX_IOERR;
+	}
+}
+
 /*
 **  READCF -- read some settings from configuration file.
 **
@@ -106,7 +174,7 @@ readcf(cfile, mapfile, fullpath)
 	SM_FILE_T *cfp;
 	char buf[MAXLINE];
 	static char classbuf[MAXLINE];
-	char *classname;
+	char *classname, *mapname;
 	char *p;
 
 	if ((cfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, cfile,
@@ -120,13 +188,21 @@ readcf(cfile, mapfile, fullpath)
 	classname = NULL;
 	classbuf[0] = '\0';
 
+	mapname = mapfile;
 	if (!fullpath && mapfile != NULL)
 	{
 		p = strrchr(mapfile, '/');
 		if (p != NULL)
 			mapfile = ++p;
-		p = strrchr(mapfile, '.');
-		if (p != NULL)
+		mapname = strdup(mapfile);
+		if (NULL == mapname)
+		{
+			sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
+			      "makemap: strdup(%s) failed: %s\n",
+			      mapfile, sm_errstring(errno));
+			exit(EX_OSERR);
+		}
+		if ((p = strchr(mapname, '.')) != NULL)
 			*p = '\0';
 	}
 
@@ -184,18 +260,19 @@ readcf(cfile, mapfile, fullpath)
 		  case 'K':		/* Keyfile (map) */
 			if (classname != NULL)	/* found it already */
 				continue;
-			if (mapfile == NULL || *mapfile == '\0')
+			if (mapname == NULL || *mapname == '\0')
 				continue;
 
 			/* cut off trailing spaces */
-			for (p = buf + strlen(buf) - 1; ISASCII(*p) && isspace(*p) && p > buf; p--)
+			for (p = buf + strlen(buf) - 1;
+			     ISASCII(*p) && isspace(*p) && p > buf; p--)
 				*p = '\0';
 
 			/* find the last argument */
 			p = strrchr(buf, ' ');
 			if (p == NULL)
 				continue;
-			b = strstr(p, mapfile);
+			b = strstr(p, mapname);
 			if (b == NULL)
 				continue;
 			if (b <= buf)
@@ -208,7 +285,7 @@ readcf(cfile, mapfile, fullpath)
 			}
 
 			/* allow trailing white space? */
-			if (strcmp(mapfile, b) != 0)
+			if (strcmp(mapname, b) != 0)
 				continue;
 			/* SM_ASSERT(b > buf); */
 			--b;
@@ -253,6 +330,12 @@ readcf(cfile, mapfile, fullpath)
 	}
 	(void) sm_io_close(cfp, SM_TIME_DEFAULT);
 
+	/* not really needed because it is just a "one time leak" */
+	if (mapname != mapfile && mapname != NULL)
+	{
+		free(mapname);
+		mapname = NULL;
+	}
 	return classbuf;
 }
 
@@ -267,19 +350,24 @@ main(argc, argv)
 	bool notrunc = false;
 	bool allowreplace = false;
 	bool allowempty = false;
-	bool verbose = false;
 	bool foldcase = true;
 	bool unmake = false;
+#if _FFR_MM_ALIASES
+	/*
+	**  NOTE: this does not work properly:
+	**  sendmail does address rewriting which is not done here.
+	*/
+
+	bool aliases = false;
+#endif
 	bool didreadcf = false;
 	char sep = '\0';
 	char comment = '#';
-	int exitstat;
 	int opt;
 	char *typename = NULL;
 	char *fallback = NULL;
 	char *mapname = NULL;
 	unsigned int lineno;
-	int st;
 	int mode;
 	int smode;
 	int putflags = 0;
@@ -327,12 +415,17 @@ main(argc, argv)
 		       SMDB_MAX_USER_NAME_LEN);
 
 #define OPTIONS		"C:D:Nc:defi:Llorst:uvx"
+#if _FFR_MM_ALIASES
+# define A_OPTIONS		"a"
+#else
+# define A_OPTIONS
+#endif
 #if _FFR_TESTS
 # define X_OPTIONS		"S:"
 #else
 # define X_OPTIONS
 #endif
-	while ((opt = getopt(argc, argv, OPTIONS X_OPTIONS)) != -1)
+	while ((opt = getopt(argc, argv, A_OPTIONS OPTIONS X_OPTIONS)) != -1)
 	{
 		switch (opt)
 		{
@@ -344,6 +437,14 @@ main(argc, argv)
 			inclnull = true;
 			break;
 
+#if _FFR_MM_ALIASES
+		  case 'a':
+			/* Note: this doesn't verify e-mail addresses */
+			sep = ':';
+			aliases = true;
+			break;
+#endif
+
 		  case 'c':
 			params.smdbp_cache_size = atol(optarg);
 			break;
@@ -669,6 +770,10 @@ main(argc, argv)
 				*p++ = '\0';
 			while (*p != '\0' && ISSEP(*p))
 				p++;
+#if _FFR_MM_ALIASES
+			while (aliases && *p != '\0' && ISSPACE(*p))
+				p++;
+#endif
 			if (!allowempty && *p == '\0')
 			{
 				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
@@ -688,50 +793,22 @@ main(argc, argv)
 			**  Do the database insert.
 			*/
 
-			if (verbose)
-			{
-				(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
-						     "key=`%s', val=`%s'\n",
-						     (char *) db_key.data,
-						     (char *) db_val.data);
-			}
-
-			errno = database->smdb_put(database, &db_key, &db_val,
-						   putflags);
-			switch (errno)
-			{
-			  case SMDBE_KEY_EXIST:
-				st = 1;
-				break;
-
-			  case 0:
-				st = 0;
-				break;
-
-			  default:
-				st = -1;
-				break;
-			}
-
-			if (st < 0)
-			{
-				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
-						     "%s: %s: line %u: key %s: put error: %s\n",
-						     progname, mapname, lineno,
-						     (char *) db_key.data,
-						     sm_errstring(errno));
-				exitstat = EX_IOERR;
-			}
-			else if (st > 0)
-			{
-				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
-						     "%s: %s: line %u: key %s: duplicate key\n",
-						     progname, mapname,
-						     lineno,
-						     (char *) db_key.data);
-				exitstat = EX_DATAERR;
-			}
+			db_put(database, db_key, db_val, putflags, mapname,
+				lineno, progname);
 		}
+#if _FFR_MM_ALIASES
+		if (aliases)
+		{
+			char magic[2] = "@";
+
+			db_key.data = magic;
+			db_val.data = magic;
+			db_key.size = 1;
+			db_val.size = 1;
+			db_put(database, db_key, db_val, putflags, mapname, -1,
+				progname);
+		}
+#endif /* _FFR_MM_ALIASES */
 	}
 
 #if _FFR_TESTS

praliases/praliases.0

@@ -1,4 +1,4 @@
-PRALIASES(8)                System Manager's Manual               PRALIASES(8)
+PRALIASES(8)                                                      PRALIASES(8)
 
 
 

rmail/rmail.0

@@ -1,4 +1,4 @@
-RMAIL(8)                    System Manager's Manual                   RMAIL(8)
+RMAIL(8)                                                              RMAIL(8)
 
 
 

smrsh/README

@@ -51,7 +51,7 @@ the bin directory used by smrsh.
 							path.
 -DSMRSH_CMDDIR=\"dir\"	\"/usr/adm/sm.bin\"		The default smrsh
 							program directory
- 
+
 These can be added to the devtools/Site/site.config.m4 file using the
 global M4 macro confENVDEF or the smrsh specific M4 macro
 conf_smrsh_ENVDEF.

smrsh/smrsh.0

@@ -1,4 +1,4 @@
-SMRSH(8)                    System Manager's Manual                   SMRSH(8)
+SMRSH(8)                                                              SMRSH(8)
 
 
 
@@ -22,24 +22,24 @@ DDEESSCCRRIIPPTTIIOONN
        acceptable  commands,  and  to  the  shell  builtin  commands ``exec'',
        ``exit'', and ``echo''.  It also rejects any commands with the  charac-
        ters ``', `<', `>', `;', `$', `(', `)', `\r' (carriage return), or `\n'
-       (newline) on the command line to prevent ``end run'' attacks.   It  al-
-       lows  ``||''  and  ``&&''  to  enable  commands like: ``"|exec /usr/lo-
-       cal/bin/filter || exit 75"''
+       (newline) on the command line  to  prevent  ``end  run''  attacks.   It
+       allows   ``||''   and   ``&&''   to   enable  commands  like:  ``"|exec
+       /usr/local/bin/filter || exit 75"''
 
        Initial  pathnames  on  programs  are  stripped,   so   forwarding   to
-       ``/usr/ucb/vacation'',     ``/usr/bin/vacation'',    ``/home/server/my-
-       dir/bin/vacation'',  and   ``vacation''   all   actually   forward   to
-       ``/usr/adm/sm.bin/vacation''.
+       ``/usr/ucb/vacation'',                           ``/usr/bin/vacation'',
+       ``/home/server/mydir/bin/vacation'', and ``vacation'' all actually for-
+       ward to ``/usr/adm/sm.bin/vacation''.
 
        System  administrators  should  be  conservative  about  populating the
        sm.bin directory.  For example, a reasonable additions is  _v_a_c_a_t_i_o_n(1),
        and  the like.  No matter how brow-beaten you may be, never include any
        shell or shell-like program (such as _p_e_r_l(1)) in the sm.bin  directory.
        Note  that  this  does not restrict the use of shell or perl scripts in
-       the sm.bin directory (using the ``#!'' syntax); it simply disallows ex-
-       ecution of arbitrary programs.  Also, including mail filtering programs
-       such as _p_r_o_c_m_a_i_l(1) is a very bad idea.  _p_r_o_c_m_a_i_l(1)  allows  users  to
-       run arbitrary programs in their _p_r_o_c_m_a_i_l_r_c(5).
+       the sm.bin directory (using the ``#!''  syntax);  it  simply  disallows
+       execution  of  arbitrary programs.  Also, including mail filtering pro-
+       grams such as _p_r_o_c_m_a_i_l(1) is a very bad idea.  _p_r_o_c_m_a_i_l(1) allows users
+       to run arbitrary programs in their _p_r_o_c_m_a_i_l_r_c(5).
 
 CCOOMMPPIILLAATTIIOONN
        Compilation  should  be  trivial  on most systems.  You may need to use
@@ -50,10 +50,10 @@ CCOOMMPPIILLAATTIIOONN
 FFIILLEESS
        /usr/adm/sm.bin - default directory for restricted programs on most OSs
 
-       /var/adm/sm.bin - directory for restricted programs on HP  UX  and  So-
-       laris
+       /var/adm/sm.bin  -  directory  for  restricted  programs  on  HP UX and
+       Solaris
 
-       /usr/libexec/sm.bin  - directory for restricted programs on FreeBSD (>=
+       /usr/libexec/sm.bin - directory for restricted programs on FreeBSD  (>=
        3.3) and DragonFly BSD
 
 

src/Makefile.m4

@@ -6,7 +6,7 @@ define(`confREQUIRE_SM_OS_H', `true')
 bldPRODUCT_START(`executable', `sendmail')
 define(`bldBIN_TYPE', `G')
 define(`bldINSTALL_DIR', `')
-define(`bldSOURCES', `main.c alias.c arpadate.c bf.c collect.c conf.c control.c convtime.c daemon.c deliver.c domain.c envelope.c err.c headers.c macro.c map.c mci.c milter.c mime.c parseaddr.c queue.c ratectrl.c readcf.c recipient.c sasl.c savemail.c sfsasl.c shmticklib.c sm_resolve.c srvrsmtp.c stab.c stats.c sysexits.c timers.c tlsh.c tls.c trace.c udb.c usersmtp.c util.c version.c ')
+define(`bldSOURCES', `main.c alias.c arpadate.c bf.c collect.c conf.c control.c convtime.c daemon.c deliver.c domain.c envelope.c err.c headers.c macro.c map.c mci.c milter.c mime.c parseaddr.c queue.c ratectrl.c readcf.c recipient.c sasl.c savemail.c sched.c sfsasl.c shmticklib.c sm_resolve.c srvrsmtp.c stab.c stats.c sysexits.c timers.c tlsh.c tls.c trace.c udb.c usersmtp.c util.c version.c ')
 PREPENDDEF(`confENVDEF', `confMAPDEF')
 bldPUSH_SMLIB(`sm')
 bldPUSH_SMLIB(`smutil')

src/README

@@ -232,8 +232,8 @@ HASFLOCK	Set this if you prefer to use the flock(2) system call
 		rather than using fcntl-based locking.  Fcntl locking
 		has some semantic gotchas, but many vendor systems
 		also interface it to lockd(8) to do NFS-style locking.
-		Unfortunately, may vendors implementations of fcntl locking
-		is just plain broken (e.g., locks are never released,
+		Unfortunately, many vendor implementations of fcntl locking
+		are just plain broken (e.g., locks are never released,
 		causing your sendmail to deadlock; when the kernel runs
 		out of locks your system crashes).  For this reason, I
 		recommend always defining this unless you are absolutely
@@ -309,9 +309,9 @@ HASSTRERROR	Define this if you have the libc strerror(3) function (which
 HASCLOSEFROM	Define this if your system has closefrom(3).
 HASFDWALK	Define this if your system has fdwalk(3).
 SM_CONF_GETOPT	Define this as 0 if you need a reimplementation of getopt(3).
-		On some systems, getopt does very odd things if called
+		On some systems, getopt() does very odd things if called
 		to scan the arguments twice.  This flag will ask sendmail
-		to compile in a local version of getopt that works
+		to compile in a local version of getopt() that works
 		properly.  You may also need this if you build with
 		another library that introduces a non-standard getopt(3).
 NEEDSTRTOL	Define this if your standard C library does not define
@@ -625,7 +625,7 @@ SHARE_V1	Support for the fair share scheduler, version 1.  Setting to
 		resource limitations.  So far as I know, this is only
 		supported on ConvexOS.
 SASL		Enables SMTP AUTH (RFC 2554).  This requires the Cyrus SASL
-		library (ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/).  Please
+		library (https://github.com/cyrusimap/cyrus-sasl).  Please
 		install at least version 1.5.13.  See below for further
 		information: SASL COMPILATION AND CONFIGURATION.  If your
 		SASL library is older than 1.5.10, you have to set this
@@ -640,7 +640,9 @@ EGD		Define this if your system has EGD installed, see
 		http://egd.sourceforge.net/ .  It should be used to
 		seed the PRNG for STARTTLS if HASURANDOMDEV is not defined.
 STARTTLS	Enables SMTP STARTTLS (RFC 2487).  This requires OpenSSL
-		(http://www.OpenSSL.org/); use OpenSSL 0.9.8zc or later.
+		(http://www.OpenSSL.org/); use an OpenSSL version
+		which is supported by sendmail and preferably your
+		OS distribution or OpenSSL.
 		See STARTTLS COMPILATION AND CONFIGURATION for further
 		information.
 TLS_EC		Enable use of elliptic curve cryptography in STARTTLS.
@@ -765,6 +767,10 @@ From: Garrett Wollman <wollman@lcs.mit.edu>
     certificate authentication -- even some of those which already support
     SSL/TLS for confidentiality.
 
+OpenSSL 3 deprecated a lot of functionality which sendmail uses by
+default. However, the code can be disabled via compile time options
+if needed:
+-DNO_DH: related to DH and DSA.
 
 +------------------------------------+
 | SASL COMPILATION AND CONFIGURATION |
@@ -1804,6 +1810,7 @@ conf.h		Configuration that must be known everywhere.
 control.c	Routines to implement control socket.
 convtime.c	A routine to sanely process times.
 daemon.c	Routines to implement daemon mode.
+daemon.h	Header file for daemon.c.
 deliver.c	Routines to deliver mail.
 domain.c	Routines that interface with DNS (the Domain Name
 		System).
@@ -1818,17 +1825,21 @@ main.c		The main routine to sendmail.  This file also
 		contains some miscellaneous routines.
 makesendmail	A convenience for calling ./Build.
 map.c		Support for database maps.
+map.h		Header file for map.c.
 mci.c		Routines that handle mail connection information caching.
 milter.c	MTA portions of the mail filter API.
 mime.c		MIME conversion routines.
 newaliases.1	Man page for the newaliases command.
 parseaddr.c	The routines which do address parsing.
 queue.c		Routines to implement message queueing.
+ratectrl.c	Routines for rate/connnection control.
+ratectrl.h	Header file for rate/connnection control.
 readcf.c	The routine that reads the configuration file and
 		translates it to internal form.
 recipient.c	Routines that manipulate the recipient list.
 sasl.c		Routines to interact with Cyrys-SASL.
 savemail.c	Routines which save the letter on processing errors.
+sched.c		Routines for scheduling queue management.
 sendmail.8	Man page for the sendmail command.
 sendmail.h	Main header file for sendmail.
 sfsasl.c	I/O interface between SASL/TLS and the MTA.
@@ -1846,6 +1857,8 @@ sysexits.h	List of error codes for systems that lack their own.
 timers.c	Routines to provide microtimers.
 timers.h	Data structure and function declarations for timers.h.
 tls.c		Routines for TLS.
+tls.h		Header file for tls*.c
+tlsh.c		Helper routines for TLS, mostly DANE.
 trace.c		The trace package.  These routines allow setting and
 		testing of trace flags with a high granularity.
 udb.c		The user database interface module.

src/SECURITY

@@ -14,12 +14,12 @@ people who are very security conscious (you should be...).
 Even though sendmail goes through great lengths to assure that it
 can't be compromised even if the system it is running on is
 incorrectly or insecurely configured, it can't work around everything.
-This has been demonstrated by recent OS problems which have
-subsequently been used to compromise the root account using sendmail
-as a vector.  One way to minimize the possibility of such problems
-is to install sendmail without set-user-ID root, which avoids local
-exploits.  This configuration, which is the default starting with
-8.12, is described in the first section of this security guide.
+This has been demonstrated by OS problems which have subsequently
+been used to compromise the root account using sendmail as a vector.
+One way to minimize the possibility of such problems is to install
+sendmail without set-user-ID root, which avoids local exploits.
+This configuration, which is the default starting with 8.12, is
+described in the first section of this security guide.
 
 
 *****************************************************
@@ -112,6 +112,7 @@ information.)  You can start this program as root, it will change
 its user id to RunAsUser (smmsp by default, recommended uid: 25).
 This way smmsp does not need a valid shell.
 
+
 Summary
 -------
 
@@ -186,6 +187,7 @@ You can use
 to install a sendmail program to act as daemon etc under the name
 sm-mta.
 
+
 Set-User-Id
 -----------
 

src/TRACEFLAGS

@@ -71,15 +71,14 @@
 57	util.c		snprintf
 58	bf.c		bf* routines
 59	parseaddr.c	cataddr
-60	map.c
+60	parseaddr.c	map_lookup
 61	conf.c		sm_gethostbyname
 62	multiple	file descriptor checking
 63	queue.c		runqueue process watching
 64	multiple	Milter
 65	main.c		permission checks
 #if DANE
-66	domain.c	force port=25 for TLSA RR lookups
-67	domain.c	TLSA RR lookups
+66,>99	domain.c	force port=25 for TLSA RR lookups
 #endif
 68	unused
 #if _FFR_QUEUE_SCHED_DBG
@@ -105,19 +104,26 @@
 83	collect.c	timeout
 84	deliver.c	timeout
 85	map.c		dprintf map
+#if _FFR_TESTS
+86,>99	milter.c	macro tests
+#endif
 #if _FFR_PROXY
 87	srvrsmtp.c	proxy mode
 #endif
 88,>99	tls.c		disable the effect of _FFR_VRFY_TRUSTED_FIRST
 89	conf.c		>=8 use sm_dprintf() instead of syslog()
-90	unused
+#if _FFR_TESTS
+90,>99	tls.c deliver.c	Simulate error for OpenSSL functions related to DANE
+#endif
 91	mci.c		syslogging of MCI cache information
 92	EF_LOGSENDER
 93,>99	*		Prevent daemon connection fork for profiling/debugging
 94,>99	srvrsmtp.c	cause commands to fail (for protocol testing)
 95	srvrsmtp.c	AUTH
 95	usersmtp.c	AUTH
-96	tls.c		DHparam info, Activate SSL_CTX_set_info_callback()
+96	tls.c		DHparam info, activate SSL_CTX_set_info_callback(), etc
 97	srvrsmtp.c	Trace automode settings for I/O
+#if _FFR_TIMERS
 98	*		timers
+#endif
 99	main.c		avoid backgrounding (no printed output)

src/alias.c

@@ -381,10 +381,11 @@ setalias(spec)
 		}
 	}
 }
+
 /*
 **  ALIASWAIT -- wait for distinguished @:@ token to appear.
 **
-**	This can decide to reopen or rebuild the alias file
+**	This can decide to reopen the alias file
 **
 **	Parameters:
 **		map -- a pointer to the map descriptor for this alias file.
@@ -402,7 +403,7 @@ setalias(spec)
 bool
 aliaswait(map, ext, isopen)
 	MAP *map;
-	char *ext;
+	const char *ext;
 	bool isopen;
 {
 	bool attimeout = false;
@@ -411,13 +412,14 @@ aliaswait(map, ext, isopen)
 	char buf[MAXPATHLEN];
 
 	if (tTd(27, 3))
-		sm_dprintf("aliaswait(%s:%s)\n",
-			   map->map_class->map_cname, map->map_file);
+		sm_dprintf("aliaswait(%s:%s), open=%d, wait=%d\n",
+			   map->map_class->map_cname, map->map_file,
+			   isopen, bitset(MF_ALIASWAIT, map->map_mflags));
 	if (bitset(MF_ALIASWAIT, map->map_mflags))
 		return isopen;
 	map->map_mflags |= MF_ALIASWAIT;
 
-	if (SafeAlias > 0)
+	if (isopen && SafeAlias > 0)
 	{
 		auto int st;
 		unsigned int sleeptime = 2;
@@ -448,7 +450,7 @@ aliaswait(map, ext, isopen)
 
 			map->map_mflags |= MF_CLOSING;
 			map->map_class->map_close(map);
-			map->map_mflags &= ~(MF_OPEN|MF_WRITABLE|MF_CLOSING);
+			map->map_mflags &= ~(MF_OPEN|MF_WRITABLE|MF_CLOSING|MF_CHKED_CHGD);
 			(void) sleep(sleeptime);
 			sleeptime *= 2;
 			if (sleeptime > 60)
@@ -456,6 +458,7 @@ aliaswait(map, ext, isopen)
 			isopen = map->map_class->map_open(map, O_RDONLY);
 		}
 	}
+	map->map_mflags &= ~MF_CHKED_CHGD;
 
 	/* see if we need to go into auto-rebuild mode */
 	if (!bitset(MCF_REBUILDABLE, map->map_class->map_cflags))
@@ -499,20 +502,17 @@ aliaswait(map, ext, isopen)
 **
 **	Parameters:
 **		map -- the database to rebuild.
-**		automatic -- set if this was automatically generated.
 **
 **	Returns:
 **		true if successful; false otherwise.
 **
 **	Side Effects:
-**		Reads the text version of the database, builds the
-**		DBM or DB version.
+**		Reads the text version of the database, builds the map.
 */
 
 bool
-rebuildaliases(map, automatic)
+rebuildaliases(map)
 	register MAP *map;
-	bool automatic;
 {
 	SM_FILE_T *af;
 	bool nolock = false;
@@ -538,7 +538,7 @@ rebuildaliases(map, automatic)
 	{
 		struct stat stb;
 
-		if ((errno != EACCES && errno != EROFS) || automatic ||
+		if ((errno != EACCES && errno != EROFS) ||
 		    (af = safefopen(map->map_file, O_RDONLY, 0, sff)) == NULL)
 		{
 			int saveerr = errno;
@@ -546,7 +546,7 @@ rebuildaliases(map, automatic)
 			if (tTd(27, 1))
 				sm_dprintf("Can't open %s: %s\n",
 					map->map_file, sm_errstring(saveerr));
-			if (!automatic && !bitset(MF_OPTIONAL, map->map_mflags))
+			if (!bitset(MF_OPTIONAL, map->map_mflags))
 				message("newaliases: cannot open %s: %s",
 					map->map_file, sm_errstring(saveerr));
 			errno = 0;
@@ -590,13 +590,12 @@ rebuildaliases(map, automatic)
 		if (LogLevel > 7)
 		{
 			sm_syslog(LOG_NOTICE, NOQID,
-				"alias database %s %srebuilt by %s",
-				map->map_file, automatic ? "auto" : "",
-				username());
+				"alias database %s rebuilt by %s",
+				map->map_file, username());
 		}
 		map->map_mflags |= MF_OPEN|MF_WRITABLE;
 		map->map_pid = CurrentPid;
-		readaliases(map, af, !automatic, true);
+		readaliases(map, af, true, true);
 		success = true;
 	}
 	else
@@ -604,9 +603,8 @@ rebuildaliases(map, automatic)
 		if (tTd(27, 1))
 			sm_dprintf("Can't create database for %s: %s\n",
 				map->map_file, sm_errstring(errno));
-		if (!automatic)
-			syserr("Cannot create database for alias file %s",
-				map->map_file);
+		syserr("Cannot create database for alias file %s",
+			map->map_file);
 	}
 
 	/* close the file, thus releasing locks */
@@ -621,8 +619,10 @@ rebuildaliases(map, automatic)
 			int sl;
 
 			sl = tTdlevel(78) - 100;
-			sm_dprintf("rebuildaliases: sleep=%d\n", sl);
+			sm_dprintf("rebuildaliases: sleep=%d, file=%s\n",
+				sl, map->map_file);
 			sleep(sl);
+			sm_dprintf("rebuildaliases: done\n");
 		}
 #endif
 		map->map_mflags |= MF_CLOSING;
@@ -638,6 +638,54 @@ rebuildaliases(map, automatic)
 #endif
 	return success;
 }
+
+/*
+**  CONTLINE -- handle potential continuation line
+**
+**	Parameters:
+**		fp -- file to read
+**		line -- current line
+**
+**	Returns:
+**		pointer to end of current line if there is a continuation line
+**		NULL otherwise
+**
+**	Side Effects:
+**		Modifies line if it is a continuation line
+*/
+
+static char *contline __P((SM_FILE_T *, char *));
+static char *
+contline(fp, line)
+	SM_FILE_T *fp;
+	char *line;
+{
+	char *p;
+	int c;
+
+	if ((p = strchr(line, '\n')) != NULL && p > line && p[-1] == '\\')
+	{
+		*p = '\0';
+		*--p = '\0';
+		return p;
+	}
+
+	c = sm_io_getc(fp, SM_TIME_DEFAULT);
+	if (!sm_io_eof(fp))
+		(void) sm_io_ungetc(fp, SM_TIME_DEFAULT, c);
+	if (c == ' ' || c == '\t')
+	{
+		char *nlp;
+
+		p = line;
+		nlp = &p[strlen(p)];
+		if (nlp > p && nlp[-1] == '\n')
+			*--nlp = '\0';
+		return nlp;
+	}
+	return NULL;
+}
+
 /*
 **  READALIASES -- read and process the alias file.
 **
@@ -688,48 +736,74 @@ readaliases(map, af, announcestats, logstats)
 	naliases = bytes = longest = 0;
 	skipping = false;
 	line = NULL;
+
 	while (sm_io_fgets(af, SM_TIME_DEFAULT, lbuf, sizeof(lbuf)) >= 0)
 	{
 		int lhssize, rhssize;
 		int c;
+		char *newp;
 
 		LineNumber++;
-#if _FFR_8BITENVADDR
-		if (line != lbuf)
-			SM_FREE(line);
-		len = 0;
-		line = quote_internal_chars(lbuf, NULL, &len, NULL);
-#else
-		line = lbuf;
-#endif
-		p = strchr(line, '\n');
 
 		/* XXX what if line="a\\" ? */
-		while (p != NULL && p > line && p[-1] == '\\')
+		line = lbuf;
+		p = line;
+		while ((newp = contline(af, line)) != NULL)
 		{
-			p--;
-			if (sm_io_fgets(af, SM_TIME_DEFAULT, p,
-					SPACELEFT(line, p)) < 0)
+			p = newp;
+			if ((c = sm_io_fgets(af, SM_TIME_DEFAULT, p,
+					SPACELEFT(lbuf, p))) < 0)
+			{
 				break;
+			}
 			LineNumber++;
-			p = strchr(p, '\n');
 		}
+#if _FFR_8BITENVADDR
+		if (SMTP_UTF8 || EightBitAddrOK)
+		{
+			if (line != lbuf)
+				SM_FREE(line);
+			line = quote_internal_chars(lbuf, NULL, &len, NULL);
+		}
+		else
+#endif
+		/* "else" in #if code above */
+		line = lbuf;
+
+		p = strchr(line, '\n');
 		if (p != NULL)
 			*p = '\0';
 		else if (!sm_io_eof(af))
 		{
+			int prev;
+			bool cl;
+
 			errno = 0;
 			syserr("554 5.3.0 alias line too long");
 
-			/* flush to end of line */
-			while ((c = sm_io_getc(af, SM_TIME_DEFAULT)) !=
-				SM_IO_EOF && c != '\n')
-				continue;
+			prev = '\0';
+			cl = false;
+
+			do {
+				/* flush to end of "virtual" line */
+				while ((c = sm_io_getc(af, SM_TIME_DEFAULT)) !=
+					SM_IO_EOF && c != '\n')
+				{
+					prev = c;
+				}
+				cl = ('\\' == prev && '\n' == c);
+				if (!cl)
+				{
+					c = sm_io_getc(af, SM_TIME_DEFAULT);
+					if (!sm_io_eof(af))
+						(void) sm_io_ungetc(af, SM_TIME_DEFAULT, c);
+					cl = (c == ' ' || c == '\t');
+				}
+			} while (cl);
 
-			/* skip any continuation lines */
-			skipping = true;
 			continue;
 		}
+
 		switch (line[0])
 		{
 		  case '#':
@@ -779,7 +853,6 @@ readaliases(map, af, announcestats, logstats)
 		while (SM_ISSPACE(*p))
 			p++;
 		rhs = p;
-		for (;;)
 		{
 			register char *nlp;
 
@@ -810,31 +883,7 @@ readaliases(map, af, announcestats, logstats)
 			{
 				p = nlp;
 			}
-
-			/* see if there should be a continuation line */
-			c = sm_io_getc(af, SM_TIME_DEFAULT);
-			if (!sm_io_eof(af))
-				(void) sm_io_ungetc(af, SM_TIME_DEFAULT, c);
-			if (c != ' ' && c != '\t')
-				break;
-
-			/* read continuation line */
-			if (sm_io_fgets(af, SM_TIME_DEFAULT, p,
-					sizeof(line) - (p-line)) < 0)
-				break;
-			LineNumber++;
-
-			/* check for line overflow */
-			if (strchr(p, '\n') == NULL && !sm_io_eof(af))
-			{
-				usrerr("554 5.3.5 alias too long");
-				while ((c = sm_io_getc(af, SM_TIME_DEFAULT))
-				       != SM_IO_EOF && c != '\n')
-					continue;
-				skipping = true;
-				break;
-			}
-		}
+		} while (0);
 
 		if (skipping)
 			continue;
@@ -868,17 +917,20 @@ readaliases(map, af, announcestats, logstats)
 		{
 			syserr("554 5.3.5 %.40s... missing value for alias",
 			       line);
-
 		}
 		else
 		{
 #if _FFR_8BITENVADDR
-			dequote_internal_chars(al.q_user, lhsbuf, sizeof(lhsbuf));
-			dequote_internal_chars(rhs, rhsbuf, sizeof(rhsbuf));
-			map->map_class->map_store(map, lhsbuf, rhsbuf);
-#else
-			map->map_class->map_store(map, al.q_user, rhs);
+			if (SMTP_UTF8 || EightBitAddrOK)
+			{
+				dequote_internal_chars(al.q_user, lhsbuf, sizeof(lhsbuf));
+				dequote_internal_chars(rhs, rhsbuf, sizeof(rhsbuf));
+				map->map_class->map_store(map, lhsbuf, rhsbuf);
+			}
+			else
 #endif
+			/* "else" in #if code above */
+			map->map_class->map_store(map, al.q_user, rhs);
 
 			/* statistics */
 			naliases++;
@@ -947,7 +999,16 @@ forward(user, sendq, aliaslevel, e)
 	/* good address -- look for .forward file in home */
 	macdefine(&e->e_macro, A_PERM, 'z', user->q_home);
 	macdefine(&e->e_macro, A_PERM, 'u', user->q_user);
-	macdefine(&e->e_macro, A_PERM, 'h', user->q_host);
+	pp = user->q_host;
+#if _FFR_8BITENVADDR
+	if (NULL != pp)
+	{
+		int len;
+
+		pp = quote_internal_chars(pp, NULL, &len, NULL);
+	}
+#endif
+	macdefine(&e->e_macro, A_PERM, 'h', pp);
 	if (ForwardPath == NULL)
 		ForwardPath = newstr("\201z/.forward");
 

src/aliases.0

@@ -1,4 +1,4 @@
-ALIASES(5)                    File Formats Manual                   ALIASES(5)
+ALIASES(5)                                                          ALIASES(5)