Date: Tue, 6 Feb 2024 23:54:34 -0800
From: Gregory Shapiro <gshapiro@freebsd.org>
To: freebsd-stable@freebsd.org
Subject: sendmail 8.18.1 MFC'ed to stable/13 and stable/14
Message-ID: <kuweloin2as6rvj46zff4kfm5lhyess73hdloiw2ggkpmzukhp@mzrzjmdli4yc>

As noted in UPDATING:

20240207:
    sendmail 8.18.1 has been imported and merged. This version enforces
    stricter RFC compliance by default, especially with respect to line
    endings. This may cause issues with receiving messages from
    non-compliant MTAs; please see the first 8.18.1 release note in
    contrib/sendmail/RELEASE_NOTES for mitigations.

Here is that release note entry:

8.18.1/8.18.1   2024/01/31
    sendmail is now stricter in following the RFCs and rejects
    some invalid input with respect to line endings
    and pipelining:
    - Prevent transaction stuffing by ensuring SMTP clients
      wait for the HELO/EHLO and DATA response before sending
      further SMTP commands. This can be disabled using
      the new srv_features option 'F'. Issue reported by
      Yepeng Pan and Christian Rossow from CISPA Helmholtz
      Center for Information Security.
    - Accept only CRLF . CRLF as end of an SMTP message
      as required by the RFCs, which can be disabled by the
      new srv_features option 'O'.
    - Do not accept a CR or LF except in the combination
      CRLF (as required by the RFCs). These checks can
      be disabled by the new srv_features options
      'U' and 'G', respectively. In this case it is
      suggested to use 'u2' and 'g2' instead so the server
      replaces offending bare CR or bare LF with a space.
      It is recommended to only turn these protections off
      for trusted networks due to the potential for abuse.
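
The line-ending rules from the release note, modelled as an added Python example (not sendmail's code and not part of the original message). It flags bare CR and bare LF in a captured DATA payload, applies the space replacement described for 'u2' and 'g2', and recognises only CRLF . CRLF as end of message; the function names and the sample bytes are constructed for illustration.

```python
import re

# A bare CR is a CR not followed by LF; a bare LF is an LF not preceded by CR.
BARE = re.compile(rb"\r(?!\n)|(?<!\r)\n")
END_OF_DATA = b"\r\n.\r\n"  # CRLF . CRLF, the only terminator the RFCs allow


def find_violations(data: bytes):
    """Return (offset, kind) for every bare CR or bare LF, in stream order."""
    return [
        (m.start(), "bare CR" if m.group() == b"\r" else "bare LF")
        for m in BARE.finditer(data)
    ]


def replace_bare(data: bytes) -> bytes:
    """Model of the 'u2'/'g2' behaviour from the release note: each offending
    bare CR or bare LF becomes a space, valid CRLF pairs are left untouched."""
    return BARE.sub(b" ", data)


def end_of_data(stream: bytes) -> int:
    """Offset just past the strict terminator, or -1 if it never appears.
    Lookalikes such as LF . LF or LF . CRLF are deliberately not recognised."""
    if stream.startswith(b".\r\n"):  # empty message: dot line comes first
        return 3
    i = stream.find(END_OF_DATA)
    return -1 if i < 0 else i + len(END_OF_DATA)


# Constructed sample: a bare LF after the Subject header and a bare CR in the body.
SAMPLE = b"From: a@example.org\r\nSubject: test\n\r\nbody\rmore\r\n.\r\n"

if __name__ == "__main__":
    for offset, kind in find_violations(SAMPLE):
        print(f"offset {offset}: {kind}")
    print("cleaned:", replace_bare(SAMPLE))
    print("message ends at byte", end_of_data(SAMPLE))
```

Running a check like this over traffic captured from a peer MTA shows whether that peer would be rejected by the new defaults before any srv_features exception is considered.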