| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: sendmail-starttls | Distribution: openSUSE Tumbleweed |
| Version: 8.18.2 | Vendor: openSUSE |
| Release: 2.1 | Build date: Tue Mar 3 14:52:03 2026 |
| Group: Productivity/Networking/Security | Build host: reproducible |
| Size: 688 | Source RPM: sendmail-8.18.2-2.1.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: http://www.sendmail.org/ | |
| Summary: BSD Sendmail Starttls helper scripts | |
This package includes the directory layout as well as some useful helper scripts for better SSL/TLS support. "sendmail" is a trademark of Sendmail, Inc.
Sendmail
* Tue Mar 03 2026 Dr. Werner Fink <werner@suse.de>
- Avoid permission checks below /var
* Wed Feb 11 2026 Dirk Müller <dmueller@suse.com>
- update to 8.12.2:
* Avoid adding a second To: header to DSNs, instead any
additional addresses are appended to an existing
To: header (this also applies to Cc: and Bcc:).
* Fix matching of wildcard SANs in the experimental support
for SMTP MTA Strict Transport Security (MTA-STS).
Problem reported by Dilyan Palauzo.
* The experimental support for SMTP MTA Strict Transport
Security has been significantly rewritten to handle
the problems caused by it being tied to the domain
of a RCPT address (instead to an SMTP server for
all the domains it handles - compare DANE).
The most visible change is that an SMTP transaction
where the first RCPT has an STS policy will have
only RCPTs with the same domain instead of all
RCPTs going to the same servers (MX).
Accordingly, MTA-STS can be disabled per RCPT domain
by adding access map entries of the form
STS:domain NO
Successful deliveries to RCPTs which have an STS
policy show STS=OK in the to=... stat=Sent log entry.
If an STS policy for a RCPT could not be fulfilled
then the RCPT is not being sent and an error containing
the string "STS" is logged.
* MaxQueueAge is now observed for all types of QueueSortOrder
even those which internally skip some code (including
the MaxQueueAge check).
* On some systems the rejection of a RCPT by a milter could
silently be ignored.
* Increase size for an internal buffer which can contain AUTH
data because XOAUTH2 could use very long tokens.
* Wed Jan 07 2026 Dr. Werner Fink <werner@suse.de>
- Correct group permission of /var/spool/clientmqueue to make
sendmail work again (boo#1255437)
* Wed Dec 17 2025 Dr. Werner Fink <werner@suse.de>
- Support Immutable Mode (jsc#PED-14688)
* Note that still sendmail is not part of SLES-16 and above
* Mon Jul 07 2025 Marcus Meissner <meissner@suse.com>
- ran /usr/lib/obs/service/source_validators/helpers/fix_changelog
to fixup changes to current standard.
* Tue Apr 08 2025 Friedrich Haubensak <hsk17@mail.de>
- add -std=gnu11 to compiler flags, to fix gcc15 compile time
error, and to still allow build on Leap 15.6
* Mon Mar 17 2025 Dr. Werner Fink <werner@suse.de>
- Update keyring
* Wed Feb 12 2025 Dr. Werner Fink <werner@suse.de>
- Skip /var/spool/mail/ from permissons files of sendmail (boo#1236847)
- Handle Leap 16.0 similar to TW
* Thu Feb 06 2025 Dr. Werner Fink <werner@suse.de>
- Avoid rpmlint warning
* Thu Feb 06 2025 Dr. Werner Fink <werner@suse.de>
- Skip sysvinit
* Tue Jan 28 2025 Dr. Werner Fink <werner@suse.de>
- Allow libmilter to be installed without local MTA as it can be
used with a remote MTA as well
* Tue Jan 28 2025 Marcus Meissner <meissner@suse.com>
- reduce requires smtp_daemon to recommends, to allow e.g. smaller
clamav footprints.
* Tue Dec 17 2024 Bernhard Wiedemann <bwiedemann@suse.com>
- Add sendmail.8.18.1-reproducibleuname.patch to not embed
the build machine's kernel version in debuginfo (boo#1234629)
* Mon Feb 26 2024 Dominique Leuenberger <dimstar@opensuse.org>
- Use %patch -P N instead of deprecated %patchN.
* Mon Feb 05 2024 Dr. Werner Fink <werner@suse.de>
- Update to version sendmail 8.18.1 2024/01/31
* sendmail is now stricter in following the RFCs and rejects
some invalid input with respect to line endings
and pipelining:
- Prevent transaction stuffing by ensuring SMTP clients
wait for the HELO/EHLO and DATA response before sending
further SMTP commands. This can be disabled using
the new srv_features option 'F'. Issue reported by
Yepeng Pan and Christian Rossow from CISPA Helmholtz
Center for Information Security.
- Accept only CRLF . CRLF as end of an SMTP message
as required by the RFCs, which can disabled by the
new srv_features option 'O'.
- Do not accept a CR or LF except in the combination
CRLF (as required by the RFCs). These checks can
be disabled by the new srv_features options
'U' and 'G', respectively. In this case it is
suggested to use 'u2' and 'g2' instead so the server
replaces offending bare CR or bare LF with a space.
It is recommended to only turn these protections off
for trusted networks due to the potential for abuse.
* Full DANE support is available if OpenSSL versions 1.1.1 or 3.x
are used, i.e., TLSA RR 2-x-y and 3-x-y are supported
as required by RFC 7672.
* OpenSSL version 3.0.x is supported. Note: OpenSSL 3 loads by
default an openssl.cnf file from a location specified
in the library which may cause unwanted behaviour
in sendmail. Hence sendmail sets the environment
variable OPENSSL_CONF to /etc/mail/sendmail.ossl
to override the default. The file name can be
changed by defining confOPENSSL_CNF in the mc file;
using an empty value prevents setting OPENSSL_CONF.
Note: referring to a file which does not exist does
not cause an an error.
* Two new values have been added for {verify}:
"DANE_TEMP": DANE verification failed temporarily.
"DANE_NOTLS": DANE was required but STARTTLS was not
offered by the server.
The default rules return a temporary error for these
cases, so delivery is not attempted.
* If the TLS setup code in the client fails and DANE requirements
exist then {verify} will be set to "DANE_TEMP" thus
preventing delivery by default.
* DANE related logging has been slightly changed for clarification:
"DANE configured in DNS but no STARTTLS available"
changed to
"DANE configured in DNS but STARTTLS not offered"
* When the compile time option USE_EAI is enabled, vacation could
fail to respond when it should (the code change in
8.17.2 was incomplete). Problem reported by Alex
Hautequest.
* If SMTPUTF8 BODY=7BIT are used as parameters for the MAIL command
the parsing of UTF8 addresses could fail (USE_EAI).
* If a reply to a previous RCPT was received while sending
another RCPT in pipelining mode then parts of the
reply could have been assigned to the wrong RCPT.
* New DontBlameSendmail option CertOwner to relax requirement
for certificate public and private key ownership.
Based on suggestion from Marius Strobl of the
FreeBSD project.
* clt_features was not checked for connections via Unix domain
sockets.
* CONFIG: FEATURE(`enhdnsbl') did not handle multiple replies
from DNS lookups thus potentially causing random
"false negatives".
Note: the fix creates an incompatibility:
the arguments must not have a trailing dot anymore
because the -a. option has been removed (as it only
applies to the entire result, not individual values).
* CONFIG: New FEATURE(`fips3') for basic FIPS support in OpenSSL 3.
* VACATION: Add support for Return-Path header to set sender
to match OpenBSD and NetBSD functionality.
* VACATION: Honor RFC3834 and avoid an auto-reply if
'Auto-Submitted: no' is found in the headers to
match OpenBSD and NetBSD functionality.
* VACATION: Avoid an auto-reply if a 'List-Id:' is found in
the headers to match OpenBSD functionality.
* VACATION: Add support for $SUBJECT in .vacation.msg which
is replaced with the first line of the subject of the
original message to match OpenBSD and NetBSD
functionality.
* New Files:
cf/feature/fips3.m4
devtools/OS/Darwin.23.x
- This release fixes CVE-2023-51765 (bsc#1218351)
- Port and rename patch sendmail-8.17.2.dif which is now sendmail-8.18.1.dif
* Tue Jan 30 2024 Dr. Werner Fink <werner@suse.de>
- Correct permisson files path to /usr/share/permissions/permissions.d/ (boo#1219339)
* Tue Jan 30 2024 Dr. Werner Fink <werner@suse.de>
- Fix file provides of openssl and timeout
* Thu Jan 25 2024 Dr. Werner Fink <werner@suse.de>
- Avoid error messages of chkstat as this tools does not
accept slashes at the end of directory paths!
- Move sendmails permissions files to /usr/share/permissions/
* Wed Jan 17 2024 Dr. Werner Fink <werner@suse.de>
- Work on certificates usage of smart and relay host
- Work on certificates for running sendmail
* Mon Dec 18 2023 Dr. Werner Fink <werner@suse.de>
- There is no such beast called var-run.mount anymore
* Fri Jun 23 2023 Dr. Werner Fink <werner@suse.de>
- Update to pre version sendmail 8.17.2
* Make sure DANE checks (if enabled) are performed even if
CACertPath or CACertFile are not set or unusable.
* Note: if the code to set up TLS in the client fails, then
{verify} will be set to TEMP but DANE requirements
will be ignored, i.e., by default mail will be sent
without STARTTLS. This can be changed via a
LOCAL_TLS_SERVER ruleset.
* Pass server name to clt_features ruleset instead of client
name to account for limitations in macro availability
described below in CONFIG section. This may break
custom clt_features rulesets which expect to receive
the client name as input.
* Fix a regression introduced in 8.17.1: aliases file which
contain continuation lines caused parsing errors.
* Add an FFR (for future release) compile time option _FFR_LOG_STAGE
to log the protocol stage as stage= for some errors during
delivery attempts to make troubleshooting simpler. This
new logging may be enabled in a future release.
* When EAI is enabled, milters also got the arguments of MAIL/RCPT
commands in argv[0] for xxfi_envfrom()/xxfi_envrcpt()
callbacks instead of just the mail address.
Problem reported by Dilyan Palauzo.
* When EAI is enabled, mailq prints UTF-8 addresses as such
if SMTPUTF8 was used.
* When EAI is enabled, the $h macro is now in the correct format.
Previously this could cause wrong values for relay=
in log entries and the mailer argument vector.
* When the compile time option USE_EAI is enabled, vacation could
fail to respond when it should. Problem reported by
Alex Hautequest.
* When EAI was enabled, header truncation might not have been
logged even when it happened. Problem reported by
Werner Wiethege.
* Handle a possible change in an upcoming release of Cyrus-SASL
(2.1.28) by changing the definition of an internal flag.
Patch from Dilyan Palauzo.
* Avoid an assertion failure when an smtps connection is made
to the server and a milter is unavailable.
Problem reported by Dilyan Palauzo.
* Fixed some spelling errors in documentation and comments,
based on a codespell report by Jens Schleusener
of fossies.org.
* The result of try_tls is now logged using status= instead
of reject=.
* If tls_rcpt rejected the delivery of a recipient then a bogus
dsn= entry might have been logged under some circumstances.
* If a server replied with 421 to a RCPT command then a bogus reply=
might have been logged.
* When quoting the value for ${currHeader} avoid causing a syntax
error (Unbalanced '"') when truncating a header value
which is too long. Problem reported by Werner Wiethege.
* Reduce the performance impact of a change introduced in
8.12.9: the default for MaxMimeHeaderLength was
set to 2048/1024. Problem reported by Tabata
Shintaro of Internet Initiative Japan Inc.
* CONFIG: The default clt_features ruleset tried to access
${server_name} and ${server_addr} which are not set
when the ruleset is invoked. Only the server name
is available which is passed as an argument.
* CONFIG: Properly quote host variable to prevent cf build
breakage when a hostname contains 'dnl'. Problem
reported by Maxim Shalomikhin of Kaspersky.
* DEVTOOLS: Add configure.sh support for BSD's mandoc as an
alternative man page formatting tool.
* DOC: Document that USAGE is a possible value for {verify}.
* LIBMILTER: The macros for the EOH and EOM callbacks are
sent in reverse order which means accessing macros
in the EOM callback got the macro for the EOH
callback. Store those macros in the expected order
in libmilter. Note: this does not affect sendmail
because the macros for both callbacks are the same
because the message is sent to libmilter after it
is completely read by sendmail. Fix and problem
report from David Buergin.
* Portability:
Make use of IN_LOOPBACK, if defined, to determine if
using a loopback address. Patch from Mike Karels of
FreeBSD.
On Linux use gethostbyname2(3) if glibc 2.19 or newer
is used to avoid potential problems with IPv6 lookups.
Patch from Werner Wiethege.
Add support for Darwin 21 and Darwin 22.
Solaris 12 has been renamed to Solaris 11.4, hence
adapt a condition for sigwait(2) taking one argument.
Patch from John Beck.
- Port and rename patch sendmail-8.17.1.dif which is now sendmail-8.17.2.dif
* Thu Jun 01 2023 Werner Fink <werner@suse.de>
- Use the bash intrinsic virtual file /dev/tcp/localhost/<port>
to check for MTA port
* Wed May 31 2023 Dr. Werner Fink <werner@suse.de>
- Avoid fuser for detecting if sendmail is listen on MTA port
* Tue Feb 14 2023 Dr. Werner Fink <werner@suse.de>
- Drop NIS/NISPLUS support for Tumbleweed (boo#1208221)
* Tue Jan 24 2023 Dominique Leuenberger <dimstar@opensuse.org>
- Fix source URLs: ftp.sendmail.com was restructured and the
pub/sendmail directory is now the root directory.
* Tue Jan 24 2023 Dr. Werner Fink <werner@suse.de>
- Switch over to https URLs
* Fri Jan 20 2023 Thorsten Kukuk <kukuk@suse.com>
- Fix wrong "without sysvinit", don't require sysvinit in that case
/etc/mail/certs/certs /etc/mail/certs/crl /etc/mail/certs/newcerts /etc/mail/certs/private /etc/mail/certs/scripts /etc/mail/certs/scripts/certificates.sh
Generated by rpm2html 1.8.1
Fabrice Bellet, Mon Apr 20 22:27:34 2026