Date:      Tue, 6 Feb 2024 23:54:34 -0800
From:      Gregory Shapiro <gshapiro@freebsd.org>
To:        freebsd-stable@freebsd.org
Subject:   sendmail 8.18.1 MFC'ed to stable/13 and stable/14
Message-ID:  <kuweloin2as6rvj46zff4kfm5lhyess73hdloiw2ggkpmzukhp@mzrzjmdli4yc>

As noted in UPDATING:

20240207:
	sendmail 8.18.1 has been imported and merged.  This version enforces
	stricter RFC compliance by default, especially with respect to line
	endings.  This may cause issues with receiving messages from
	non-compliant MTAs; please see the first 8.18.1 release note in
	contrib/sendmail/RELEASE_NOTES for mitigations.

Here is that release note entry:

8.18.1/8.18.1	2024/01/31
	sendmail is now stricter in following the RFCs and rejects
		some invalid input with respect to line endings
		and pipelining:
		- Prevent transaction stuffing by ensuring SMTP clients
		wait for the HELO/EHLO and DATA response before sending
		further SMTP commands.  This can be disabled using
		the new srv_features option 'F'.  Issue reported by
		Yepeng Pan and Christian Rossow from CISPA Helmholtz
		Center for Information Security.
		- Accept only CRLF . CRLF as end of an SMTP message
		as required by the RFCs, which can be disabled by the
		new srv_features option 'O'.
		- Do not accept a CR or LF except in the combination
		CRLF (as required by the RFCs).  These checks can
		be disabled by the new srv_features options
		'U' and 'G', respectively.  In this case it is
		suggested to use 'u2' and 'g2' instead so the server
		replaces offending bare CR or bare LF with a space.
		It is recommended to only turn these protections off
		for trusted networks due to the potential for abuse.
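
The line-ending rules in the release note above, modelled as a small checker for raw SMTP DATA bytes. This is an added example, not code from sendmail or from the original message; the function names are hypothetical, the samples are constructed, and replace_bare() only models the 'u2'/'g2' behaviour as the note describes it.

```python
import re

# Bare CR: CR not followed by LF. Bare LF: LF not preceded by CR.
BARE_CR = re.compile(rb"\r(?!\n)")
BARE_LF = re.compile(rb"(?<!\r)\n")
# A line holding only "." with any kind of line break on either side.
DOT_LINE = re.compile(rb"(\r\n|\r|\n)\.(?=(\r\n|\r|\n))")

def audit(data: bytes) -> dict:
    """Return byte offsets of the line-ending problems named in the release note."""
    return {
        "bare_cr": [m.start() for m in BARE_CR.finditer(data)],
        "bare_lf": [m.start() for m in BARE_LF.finditer(data)],
        # Dot lines that are not exactly CRLF . CRLF
        "nonstandard_eom": [m.start() for m in DOT_LINE.finditer(data)
                            if (m.group(1), m.group(2)) != (b"\r\n", b"\r\n")],
    }

def strict_ok(data: bytes) -> bool:
    """True if the data has no bare CR/LF and ends with CRLF . CRLF."""
    found = audit(data)
    return (not found["bare_cr"] and not found["bare_lf"]
            and data.endswith(b"\r\n.\r\n"))

def replace_bare(data: bytes) -> bytes:
    """Model of the described 'u2'/'g2' behaviour: bare CR or LF becomes a space."""
    return BARE_LF.sub(b" ", BARE_CR.sub(b" ", data))

# Constructed samples (not captured traffic).
SAMPLE_OK = b"Subject: ok\r\n\r\nbody line\r\n.\r\n"
SAMPLE_BAD = b"Subject: test\r\n\r\nline one\nline two\rline three\r\n.\r\n"
SAMPLE_EOM = b"Subject: t\r\n\r\nbody\n.\nmore\r\n.\r\n"

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("eom", SAMPLE_EOM)]:
        print(name, strict_ok(sample), audit(sample))
        print("  after replacement:", replace_bare(sample))
```

Running a check like this over stored messages or captured submissions from internal senders shows which ones would start failing under the new defaults before any srv_features option is relaxed.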


