Sendmail race condition issue CERT has reported a race condition issue in sendmail which may lead to arbitrary remote code execution. CERT has assinged this issue the name VU#834865 this is the FL version of bug 184465
From CERT VU#834865[1]: The Problem Sendmail contains a race condition caused by the improper handling of asynchronous signals. In particular, by forcing SMTP server to have an I/O timeout at exactly the correct instant, the attacker may be able to execute arbitrary code with the privileges of the Sendmail process. More information is available in the Sendmail version 8.13.6 release page[2] and the Sendmail MTA Security Vulnerability Advisory[3]. Versions of Sendmail prior to 8.13.6 are affected. II. Impact A remote, unauthenticated attacker could execute arbitrary code with the privileges of the Sendmail process. If Sendmail is running as root, the attacker could take complete control of an affected system. III. Solution Upgrade This issue is corrected in Sendmail version 8.13.6[2]. Patches to correct this issue in Sendmail versions 8.12.11[4] and 8.13.5[5] are also available. Refer to the Sendmail MTA Security Vulnerability Advisory[6] for steps to reduce the impact of this vulnerability. References: 1. CERT VU#834865: <http://www.kb.cert.org/vuls/id/834865> 2. Sendmail 8.13.6 release page: <http://www.sendmail.org/8.13.6.html> 3. Vulnerability Advisory: <http://www.sendmail.com/company/advisory/> 4. ftp://ftp.sendmail.org/pub/sendmail/8.12.11.p0 5. ftp://ftp.sendmail.org/pub/sendmail/8.13.5.p0 6. http://www.sendmail.com/company/advisory/#mitigation Also: * CVE-2006-0058: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
Red Hat issued RHSA-2006-0264 and RHSA-2006-0265 today for these issues. <http://rhn.redhat.com/errata/RHSA-2006-0265.html> RHEL 2.1 <http://rhn.redhat.com/errata/RHSA-2006-0264.html> RHEL 3 & 4. All Legacy distros are affected. Affected packages for each distro: * RHL 7.3: sendmail-8.11.6-27.73 * RHL 9: sendmail-8.12.8-9.90 * FC1: sendmail-8.12.10-1.1.1 * FC2: sendmail-8.12.11-4.6 * FC3: sendmail-8.13.1-2 In order to fix RHL7.3, RHL9 and FC1, we will need to upgrade those versions to sendmail-8.12.11 in order to apply the patch available from upstream. Or we might just want to re-spin the RHEL 2.1 package, at least for RHL 7.3. Perhaps we can respin the RHEL 3 package for RHL9, FC1, & FC2. My suggestion for FC3 is that we just implement sendmail-8.13.6 instead of upgrading to sendmail-8.13.5 and patching. Here's the text from RHSA-2006-0265 advisory (for RHEL 2.1): "A flaw in the handling of asynchronous signals was discovered in Sendmail. A remote attacker may be able to exploit a race condition to execute arbitrary code as root. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0058 to this issue. "By default on Red Hat Enterprise Linux 2.1, Sendmail is configured to only accept connections from the local host. Therefore only users who have configured Sendmail to listen to remote hosts would be able to be remotely exploited by this vulnerability. "In order to correct this issue for Red Hat Enterprise Linux 2.1 users, it was necessary to upgrade the version of Sendmail from 8.11 as originally shipped to Sendmail 8.12 with the addition of the security patch supplied by Sendmail Inc. This erratum provides updated packages based on Sendmail 8.12 with a compatibility mode enabled. After updating to these packages, users should pay close attention to their sendmail logs to ensure that the upgrade completed sucessfully."
I take back my suggestion for FC3. RHEL 4 released sendmail-8.13.1 today, presumably patched for this problem, so we could just use those sources.
David, thanks for the research. I'll look into backporting RHEL patches, and hopefully post updated packages very soon.
Note that the sendmail patch doesn't work on rh73 if you build with ssl support, because the SSL version that comes with that doesn't provide SSL_get_[rw]fd. Does anyone know what the 'gcc296' patch in the RHEL2 sendmail package is meant to fix? changelog doesn't point to anything specific, and we've been running stock 8.12.11 on rh7.3 (compiled with gcc296) for the last year or so without issues.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Packages for sendmail problem CVE-2006-0058 Sendmail race condition issue RHL7.3 package pulled directly from RHEL2.1. 7.3's sendmail was too old for the patch, so like RHEL2.1 did, pulled in the newer version but built it into compat mode. RHL9, FC1, and FC2's package are all the same, based on FC2's sendmail with the patch applied, and FC1 and RHL9s packages provide /etc/alias and RHL9's is built w/out -fpie (not available in the compiler). FC3's package just adds the patch. All packages add BuildRequires: groff so that man pages will build. These should get extra testing due to version upgrades necessary to apply patches. http://geek.j2solutions.net/rpms/legacy/sendmail/ 9442f310b50ab21962feb69004324752a705e598 ./7.3/SRPM/sendmail-8.12.11-4.22.8.legacy.src.rpm 03e40f075a5fe6793f8e7b5dc1fad24d8aeca411 ./7.3/i386/sendmail-devel-8.12.11-4.22.8.legacy.i386.rpm ccd79b18310db610cfeeff97a3a807347888250f ./7.3/i386/sendmail-8.12.11-4.22.8.legacy.i386.rpm c904cd0037dead018d212be03f6bce2507af25e0 ./7.3/i386/sendmail-cf-8.12.11-4.22.8.legacy.i386.rpm 8d4a3bc5d33d35955d8d2c536cf8717cb69d304e ./7.3/i386/sendmail-doc-8.12.11-4.22.8.legacy.i386.rpm 921719465dd9184e161787abce8023d6ffc633ff ./fc1/SRPM/sendmail-8.12.11-4.25.legacy.src.rpm 662be990c4dc5559e35fe07222fb061618b2ec4f ./fc1/i386/sendmail-devel-8.12.11-4.25.legacy.i386.rpm 58a67f3403be4bfcd4e69a4ddd4d57d56d95f41f ./fc1/i386/sendmail-doc-8.12.11-4.25.legacy.i386.rpm a62936d6e7bf86d74d083ef49416264ae320d023 ./fc1/i386/sendmail-8.12.11-4.25.legacy.i386.rpm f47c4b5c4e283b6c3d2afe7dc703e4e231aeebd7 ./fc1/i386/sendmail-cf-8.12.11-4.25.legacy.i386.rpm 053dd6ee565d3e071951c205b013f3e19c17c511 ./fc3/SRPM/sendmail-8.13.1-3.legacy.src.rpm 95fa2ca8970fbdd441fe483d27262412911a38eb ./fc3/i386/sendmail-cf-8.13.1-3.legacy.i386.rpm 7642014c3a37da2c971165e383f1b3a8d0536f1a ./fc3/i386/sendmail-doc-8.13.1-3.legacy.i386.rpm 1372277299112c57827c392c1ab2a974de44c570 ./fc3/i386/sendmail-8.13.1-3.legacy.i386.rpm c539ab544982ec1163381bdea9db23291956a728 ./fc3/i386/sendmail-devel-8.13.1-3.legacy.i386.rpm 59b713db0c3ab1899f9c0c91e3fd9188d97455c7 ./fc3/x86_64/sendmail-devel-8.13.1-3.legacy.x86_64.rpm 49be60337bf663c136be4abc0909e5e9831782e9 ./fc3/x86_64/sendmail-cf-8.13.1-3.legacy.x86_64.rpm 58b2a98e7524ff5bf2675c8a3a47726dce920cee ./fc3/x86_64/sendmail-8.13.1-3.legacy.x86_64.rpm 46025d459f9724e9c77730486e0adf009692485b ./fc3/x86_64/sendmail-doc-8.13.1-3.legacy.x86_64.rpm a3166b6b0227f450498561acd80042636019aff1 ./9/SRPM/sendmail-8.12.11-4.24.legacy.src.rpm 0b61665414349d5b885e50dbf5649edfab079eca ./9/i386/sendmail-doc-8.12.11-4.24.legacy.i386.rpm 77cc98ee8bd520b8b220b99254871ac57d3e4455 ./9/i386/sendmail-cf-8.12.11-4.24.legacy.i386.rpm 69efec9b25ab3d48bdd180d71070abbdc497ed0b ./9/i386/sendmail-devel-8.12.11-4.24.legacy.i386.rpm f36924313332e8fc85b11cfe5fdc263b9db48179 ./9/i386/sendmail-8.12.11-4.24.legacy.i386.rpm 7d9135551126681633b5999947bc69cf0fcb2d4c ./fc2/SRPM/sendmail-8.12.11-4.26.legacy.src.rpm 4a7f960685eac046f2cc60c8cbd0a569ec7e64f2 ./fc2/i386/sendmail-cf-8.12.11-4.26.legacy.i386.rpm c4c0fc021fc6d912ceaa1ce4af2183dcba306252 ./fc2/i386/sendmail-doc-8.12.11-4.26.legacy.i386.rpm 3ee7c42846137c5217bc80a22d56a92c8a2b301f ./fc2/i386/sendmail-devel-8.12.11-4.26.legacy.i386.rpm fb8928621816392580ebee32b31d7518483adf65 ./fc2/i386/sendmail-8.12.11-4.26.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEIhsd4v2HLvE71NURAqbeAKC7h+1fg48iOxS1UtpdXpbokvwHRwCfagp2 Eqx59MizSOr4cCtmw4Iv9Sc= =2H4y -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 7.3 packages respun for: - - Use right name in changelog - - enable alternatives a9c43e6e124e89b5583a096b3c5b378e8552a66c 7.3/SRPM/sendmail-8.12.11-4.22.9.legacy.src.rpm 3c8b76e1180fef2eafda9479a9cce7a2350c6617 7.3/i386/sendmail-doc-8.12.11-4.22.9.legacy.i386.rpm aa639e9c26e2e24c0fd2c447c824a4f9eca310fb 7.3/i386/sendmail-8.12.11-4.22.9.legacy.i386.rpm b5e18e0536c7c5fbdd721d2a74995c98b18eaf29 7.3/i386/sendmail-devel-8.12.11-4.22.9.legacy.i386.rpm 60fe825ab8e0a1c376db3bd4567ff468c4e0fa67 7.3/i386/sendmail-cf-8.12.11-4.22.9.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEIiUr4v2HLvE71NURAmshAKCANyAYQOfSUIzRvEO1RXYsEfVHFgCgtedk g6inFg6Sy8smr1aQdcuVTLA= =WEQ5 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Er... wrong packages. Here are the right ones: a9c43e6e124e89b5583a096b3c5b378e8552a66c 7.3/SRPM/sendmail-8.12.11-4.22.9.legacy.src.rpm 48adbe1fa8ea9a5661d072322679cd4187d406b6 7.3/i386/sendmail-doc-8.12.11-4.22.9.legacy.i386.rpm da92a27da0ebf9179925c64ed6e77f283a200dfd 7.3/i386/sendmail-8.12.11-4.22.9.legacy.i386.rpm c9dbb555a482f42cccbcda4d2bde99525a4f87f8 7.3/i386/sendmail-devel-8.12.11-4.22.9.legacy.i386.rpm 52c4a6d18122c7edfaa20795edf2914fa350ffda 7.3/i386/sendmail-cf-8.12.11-4.22.9.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEIiZd4v2HLvE71NURAgFKAJ9KInXyQ8Nwb0ZI2ECVHgH+jbRgvQCgvyqY 1iwOILP6mUn1w0ZxfdWvuVY= =T2Yn -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rebuilt RHL9 for - - correct alias file - - use sasl1 - - BuildReq gdbm-devel Rebuilt FC1 for - - correct alias file 1fcea0854577e577a65307f554b779fe5e1d895e 9/SRPM/sendmail-8.12.11-4.24.1.legacy.src.rpm e7327cc244fee93808d8e4d2b0ad442fcdac9d5b 9/i386/sendmail-8.12.11-4.24.1.legacy.i386.rpm 680eda3987ea2f6eb48d067c340220d34062fdb5 9/i386/sendmail-cf-8.12.11-4.24.1.legacy.i386.rpm 99f3014e97bbfcdac59b0d5ee8def509ad5650b0 9/i386/sendmail-devel-8.12.11-4.24.1.legacy.i386.rpm de2c2dfc0fb63fd07e68a9c8c8d9f1172c9e7855 9/i386/sendmail-doc-8.12.11-4.24.1.legacy.i386.rpm 7fa8de1a72b4b3b1baab1b4d0247be25b2490383 fc1/SRPM/sendmail-8.12.11-4.25.1.legacy.src.rpm df92215793717ae80e7d867037de263acb0d0c5f fc1/i386/sendmail-8.12.11-4.25.1.legacy.i386.rpm 002073c4317f9af5fdb5bbbb5e606abd8ad58b47 fc1/i386/sendmail-devel-8.12.11-4.25.1.legacy.i386.rpm aedbbedbdea17d9bf95cac16ef5323c8068ace2e fc1/i386/sendmail-doc-8.12.11-4.25.1.legacy.i386.rpm 973223a7106ab14a693dbb379aeb49ffacca2802 fc1/i386/sendmail-cf-8.12.11-4.25.1.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEIjWf4v2HLvE71NURAvnOAJ4lduFvP/lEFEBOzPVF0RT3KMucpQCfbUMf eSdLTXAiuKMpYHATC+f7p8w= =o6Xv -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did QA on Jesse's packages: a9c43e6e124e89b5583a096b3c5b378e8552a66c 7.3/SRPM/sendmail-8.12.11-4.22.9.legacy.src.rpm 1fcea0854577e577a65307f554b779fe5e1d895e 9/SRPM/sendmail-8.12.11-4.24.1.legacy.src.rpm 7fa8de1a72b4b3b1baab1b4d0247be25b2490383 fc1/SRPM/sendmail-8.12.11-4.25.1.legacy.src.rpm 7d9135551126681633b5999947bc69cf0fcb2d4c fc2/SRPM/sendmail-8.12.11-4.26.legacy.src.rpm 053dd6ee565d3e071951c205b013f3e19c17c511 fc3/SRPM/sendmail-8.13.1-3.legacy.src.rpm - - rh73 package matches RHEL21 with appropriate changes - - fc2 package matches previous release with upstream patch added - - fc1 package matches fc2 with appropriate changes - - rh9 package matches fc2 with appropriate changes - - fc3 package matches previous release with upstream patch added +PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEIjldLMAs/0C4zNoRAncVAJ0WOFX62XYV53OlYNijcD83hXkoQQCfbIbl 7bfFApHclwXQTGvcn1Yr4Z8= =q3JN -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 e7327cc244fee93808d8e4d2b0ad442fcdac9d5b sendmail-8.12.11-4.24.1.legacy.i386.rpm680eda3987ea2f6eb48d067c340220d34062fdb5 sendmail-cf-8.12.11-4.24.1.legacy.i386.rpm 99f3014e97bbfcdac59b0d5ee8def509ad5650b0 sendmail-devel-8.12.11-4.24.1.legacy.i386.rpm de2c2dfc0fb63fd07e68a9c8c8d9f1172c9e7855 sendmail-doc-8.12.11-4.24.1.legacy.i386.rpm i note i got these packages direct from jesse's server (geek.j2solutions.net) rather than via yum. that said, they install OK. creating a new cf file via m4 works OK. mail comes and goes OK. +VERIFY RH9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEIsYZePtvKV31zw4RAl6iAJ9DVcd2ZP7VWzO9Pkmeb9tKNmgO/QCghAed QtcfB5sda4EiL9q5/RTmTl4= =uT5A -----END PGP SIGNATURE-----
i'm impressed by the speed at which this is moving forward, but it still sucks that the FL team didn't have the advance notice that all the other "vendors" have. anyone know how to get a rep from FL onto the vendor-sec list (or whatever it's called) so that we can prepare fixes to release at the same time everybody else does? had this been an easier hole to exploit, there would be a LOT of compromised RH73 and RH9 boxes out there right about now :(
I did have advance notice and I was on vendor-sec. However like you said this was a hard hole to exploit, and we were in the middle of upgrading our build system. Had this been an easier hole to exploit, we would have had test packages ready prior to the public announcement.
This bug was pushed to updates-testing at 02:50am EST 2006-03-23 (11:50pm PST 2006-03-22) by Jesse. Needs verify. The updates-testing announcement can be found here: <http://www.redhat.com/archives/fedora-legacy-list/2006-March/msg00171.html> Thanks, Jesse!!
Ah, Tom! Thanks for your verify in comment #11! :-) (I rpm-build-compared the files you tested with the files pushed to updates- testing, and they contain exactly the same binaries and files.)
The first paragraph of the announcement refers to 'An updated tar package'; that should presumably be 'Updated sendmail packages'
Indeed heh (;
Maybe something in the message about checking the .cf file, too? the rh7 8.11 .cf file used with 8.12 ends up having annoying features like ident enabled by default.
The rh7.3 package includes a sendmail.mc that says to use make to rebuild sendmail.cf. However, the included Makefile is missing the %.cf target. Workaround is to remember the old way: m4 /etc/mail/sendmail.mc >/etc/sendmail.cf
Comment #18 and comment #19 both seem like good things to include in the release announcement. Thanks for the feedback.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for 7.3 packages: 80f02c886b020e6d6ef17389c22c8b530fb05a48 sendmail-8.12.11-4.22.9.legacy.i386.rpm 285816881a55fe4b8a74fee48205c8ceedaee5e5 sendmail-cf-8.12.11-4.22.9.legacy.i386.rpm b4154a342e7747d980b7acaf352649ddc1dcc40d sendmail-devel-8.12.11-4.22.9.legacy.i386.rpm 81a36048a12cc5c08a8e93490dde6817c402ae54 sendmail-doc-8.12.11-4.22.9.legacy.i386.rpm Packages install cleanly Sendmail restarted ok Sent multiple messages through sendmail without any problems RH73 VERIFY++ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (Darwin) iD8DBQFEIykVKe7MLJjUbNMRAqFeAJsHW0SS/53dio1jyBS4DuFzJjtJ4QCgiC6W rK6VZU3kcucTgYxcnAb+uFw= =4feC -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for FC1 packages: df880ab03eaeb2f82be81bee96c28392984a4b86 sendmail-8.12.11-4.25.1.legacy.i386.rpm 729bcaeb1269b65728f014bbbedb5c1a54a5158e sendmail-cf-8.12.11-4.25.1.legacy.i386.rpm 256ff91b67ecc7680a5f2fb97b3b32142bb80d18 sendmail-devel-8.12.11-4.25.1.legacy.i386.rpm 65725c811c4c7eede9f88c006a13c15e458d353f sendmail-doc-8.12.11-4.25.1.legacy.i386.rpm Packages install cleanly Sendmail restarted ok Sent multiple messages through sendmail without any problems FC1 VERIFY++ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (Darwin) iD8DBQFEIyrtKe7MLJjUbNMRApwKAKC4IeXxEldtoz7RiNoICrwlChVE9ACcC3L6 yh4o+qlC68LInzy9k9R+mQo= =bl0b -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA on FC1 packages: df880ab03eaeb2f82be81bee96c28392984a4b86__sendmail-8.12.11-4.25.1.legacy.i386.rpm 729bcaeb1269b65728f014bbbedb5c1a54a5158e__sendmail-cf-8.12.11-4.25.1.legacy.i386.rpm 256ff91b67ecc7680a5f2fb97b3b32142bb80d18__sendmail-devel-8.12.11-4.25.1.legacy.i386.rpm 65725c811c4c7eede9f88c006a13c15e458d353f__sendmail-doc-8.12.11-4.25.1.legacy.i386.rpm * Packages install just fine * Did rpm-build-compare on main sendmail package. Differences are reasonable. sendmail 8.12.11 requires openldap and openssl, which 8.12.10 did not; but I don't see that as a problem. * Starts up fine. * Was able to send and receive several emails just fine. No burps. * Was able to use the sendmail-cf files to do "make sendmail.cf" in the /etc/mail directory. Worked just fine. * I concur that it is a good idea to emphasize that folks check their .cf files. VERIFY++ FC1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFEIz1Lxou1V/j9XZwRAs5yAKCRcJgU5NaSu54IYVtfygXz6QigdgCg7pU/ UqTHbwM7tpTu5gu2zPw0Vtc= =KPCT -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I installed the FC3 package: 95fa2ca8970fbdd441fe483d27262412911a38eb fc3/i386/sendmail-cf-8.13.1-3.legacy.i386.rpm 7642014c3a37da2c971165e383f1b3a8d0536f1a fc3/i386/sendmail-doc-8.13.1-3.legacy.i386.rpm 1372277299112c57827c392c1ab2a974de44c570 fc3/i386/sendmail-8.13.1-3.legacy.i386.rpm c539ab544982ec1163381bdea9db23291956a728 fc3/i386/sendmail-devel-8.13.1-3.legacy.i386.rpm - - Installed OK - - Restarted OK - - Received and delivered mail +VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEI0AYLMAs/0C4zNoRAqKXAJ9uAveY49KhkdhqVhz6hJaMDTKBQQCgvwcs kFQ6ZUCkFlCSBOIl3QRuPbE= =fy8K -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for FC2 packages: 7e44b02696338832e2dfc0057aeb58c98511d0d2 sendmail-8.12.11-4.26.legacy.i386.rpm d159f0c92bd530799b75341d18b5b2cbe5aa5a0a sendmail-cf-8.12.11-4.26.legacy.i386.rpm 8421bfb2eb2f2b3fddb35e905fdcfecd0fb8088c sendmail-devel-8.12.11-4.26.legacy.i386.rpm b659d2733afa3d6f4df840a395c6eae3a5c07d50 sendmail-doc-8.12.11-4.26.legacy.i386.rpm Packages install cleanly Sendmail restarted ok Sent multiple messages through sendmail without any problems FC2 VERIFY++ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (Darwin) iD8DBQFEI0FqKe7MLJjUbNMRAnlrAKC1z81NN1o/+lelrGJt9GdTgsTJPACgnfGK dfj7tQovOZR9r9ea9inyTd4= =jY03 -----END PGP SIGNATURE-----
Is there any other testing we need to release?
Comments #18 and #20 seem troubling to me. It seems inappropriate if the software upgrade just simply overwrites the config file, and requires manual intervention to fix the configuration. Would this be easily fixable without serious caveats?
I don't believe that the software upgrade simply overwrites the config. file. It didn't on my install on FC1. The RHL7.3 sendmail.spec file has these lines: %config(noreplace) /etc/sendmail.cf %attr(0644,root,root) %config(noreplace) /etc/mail/sendmail.mc %config(noreplace) /etc/mail/local-host-names ... and many more like it in the %files section. I think the concern in comment #18 was that upgrading using the new 8.12.11 sendmail software in combination with the *old* 8.11.6 config file has some perhaps unanticipated side effects...
Right - it doesn't replace it. It seems to work anyway, though.
On RH9, since upgrading from 8.2.8 (the previous FL update) this morning, the users on my local network are unable to send mail. In /var/log/maillog I see messages like: Mar 24 09:36:47 biscotti sendmail[21526]: k2O9acSr021526: clares.zolv.com [192.168.0.141] (may be forged): possible SMTP attack: command=AUTH, count=4 Mar 24 10:03:53 biscotti sendmail[22105]: k2OA3kCj022105: clares.zolv.com [192.168.0.141] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA I can send mail from the local machine OK. [root@biscotti mail]# rpm -qa | grep sendmail sendmail-8.12.11-4.24.1.legacy sendmail-cf-8.12.11-4.24.1.legacy sendmail-devel-8.12.11-4.24.1.legacy [root@biscotti mail]# uname -a Linux biscotti.zolv.com 2.4.20-43.9.legacy #1 Sat Apr 30 19:18:42 EDT 2005 i686 i686 i386 GNU/Linux I'm not sure if this is something in my local config (I can post config files if necessary) or a problem with the release. Anyone have any ideas? I'm going to roll back to 8.12.8 for now.
Regarding comment #30 I think it must be something in your config. I just installed the packages on a RH9 machine and I'm able to telnet to port 25 (from a remote machine) and send messages that way. Did you change your configs when you upgraded, or are you still using the same config files?
Same (customised) config files as before the update (I made sure the .cf files were definitely rebuilt after the update, but no joy). In /etc/mail/access this line enables relaying from our network: 192.168.0 RELAY Here's a few excerpts from /etc/mail/sendmail.mc that may be relevant (let me know if I can post anything else that might help): define(`confAUTH_OPTIONS', `A')dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl For users, the symptom of the problem is that users (mostly using Thunderbird) get a box asking them for their password when sending mail, but their password is not accepted. Since people use laptops from home and the office, SMTP authentication is enabled in the clients. Interestingly, I started getting error e-mails like the following from Webmin's service monitor (running on same machine) as soon as I'd upgraded, which could be related: From: root.com (Cron Daemon) To: root.com Subject: Cron <root@biscotti> /etc/webmin/status/monitor.pl X-Cron-Env: <SHELL=/bin/sh> X-Cron-Env: <HOME=/root> X-Cron-Env: <PATH=/usr/bin:/bin> X-Cron-Env: <LOGNAME=root> Error ----- No mail program was found on your system! ----- I have rolled back to 8.12.8 from http://download.fedoralegacy.org/redhat/9/updates/i386/ and all is once again working (with the same config).
I am having an issue similar to comment #30. Using the updated packages for FC1 (8.12.11-4.25.1.legacy) I am unable to send mail using TLS. I get errors like: robotics saslauthd[27723]: do_auth : auth failure: [user=klk] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error] robotics sendmail[28132]: Password verification failed in /var/log/messages. I am using the exact same config files as before the update. I downgraded to 8.12.10-1.1.1 and everything works as expected. I can attach my config file or other logs if that would help.
seems that sasl might not be working right. I'm not entirely sure how to further investigate, are you absolutely certian that there was no config change between the two versions?
Created attachment 126665 [details] my sendmail config file.
I am absolutely certain that the config file is the same. I just checked again to make sure: - started with 8.12.10-1.1.1 (FC1) - backed up sendmail.mc just in case... - mail is sent with no problems. - upgraded to 8.12.11-4.25.1.legacy. Only sendmail, -doc, and -cf were upgraded. No other packages changed. - copied backed-up sendmail.mc to /etc/mail, ran "make", restarted sendmail. - mail can't be sent, mail client (kmail) says: The server responded: "5.7.0 authentication failed" - downgrade back to 8.12.10-1.1.1 - mail sends just fine. So the only thing changing is sendmail. I have made an attachment with my config file. I'll also make one with snippets of /var/log/maillog and /var/log/messages when things fail/work.
Just a WAG... If you had hacked up or removed the old /etc/pam.d/smtp, the upgrade would have installed the new one which is now named /etc/pam.d/smtp.sendmail. Also, /etc/mail/certs/is not valid on some of the older distros. You need to go back to /usr/share/ssl/certs/ or wherever...
Created attachment 126666 [details] Logfile snippets Snippets from /var/log/messages and /var/log/maillog. It may indicate that the problem is on the client side, but nothing on the client is changing between tests.
Kristo, check your /etc/sysconfig/saslauthd. It seems to use MECH=pam, which is ok. Then check to have /etc/pam.d/smtp, which should be a symlink target from origin /etc/pam.d/smtp.sendmail. The content has to be #%PAM-1.0 auth required pam_stack.so service=system-auth account required pam_stack.so service=system-auth Make sure saslauthd is running.
RHL 7.3 update Why is the Sendmail binary linked against SASLv2? RHL 7.3 came with SASL 1.5 only. $ ldd sendmail.sendmail | grep sasl libsasl.so.7 => /usr/lib/libsasl.so.7 (0x006ea000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0076d000) Did someone test the update for 7.3 to be working with SMTP AUTH?
Which sendmail package for 7.3 did you install? Can you give me a sha1sum of it? The specfile used explicitly enables saslv1 not v2.
In reference to Comment #39, everything is as you specified.
Jesse http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-8.12.11-4.22.9.legacy.i386.rpm $ sha1sum sendmail-8.12.11-4.22.9.legacy.i386.rpm 80f02c886b020e6d6ef17389c22c8b530fb05a48 sendmail-8.12.11-4.22.9.legacy.i386.rpm I do not run RHL 7.3 myself but on comp.mail.sendmail was a report by someone complaing the update requiring saslauthd. So I investigated the package by defalting it using rpm2pio. `ldd /var/tmp/usr/sbin/sendmail.sendmail' shows what I pasted in #40.
I can't reproduce the sasl issue on a 7.3 box: $ rpm -q sendmail sendmail-8.12.11-4.22.9.legacy $ ldd /usr/sbin/sendmail.sendmail | grep sasl libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40106000)
As an FYI aside, the postuninstall script uses readlink but the rpm does not reflect the dependency on tetex. I just update another old rh73 system with minimalist packages and saw the error: /var/tmp/rpm-tmp.77878: readlink: command not found
Yeah, the packages seem to be broken on so many levels, though some of it caused by RHEL... The packages will need to be re-rolled, IMHO. Due to the alternatives bug, sendmail doesn't even restart anymore (as /usr/sbin/sendmail no longer exists, the init script just exists), and hence the daemon is still vulnerable. d9c001d8a34f11f528ff6be2a9f8dd15818caf40 sendmail-8.12.11-4.22.9.legacy.src.rpm With rpm-build-compare.sh, I note the following problems in RHL73 just by looking at the spec file for 10 minutes: - as mentioned, readlink doesn't exist, so scripts fail in two places - alternatives is "no" though earlier specfile enabled it (through 'errata >= 73') - hesiod-devel buildprereq went missing Some other broken stuff but doesn't affect RHL73: if old_setup is "no" (RHL73 is yes), aliases file is sourced from **/etc/*** +%if "%{old_setup}" == "yes" Source3: aliases +%else +Source3: /etc/aliases +%endif
Wow...something happened there somewhere. The rh73 packages were specifically rebuilt to include alternatives, but somehow ended up in updates-testing with alternatives turned off.
Ok, here's the problem. The binary packages and the source package in RH73 updates don't match, although they have the same release number. The binary packages have alternatives in with a relevant "- Enable alternatives" entry in the changelog. The source rpm is from a previous build that omits the alternatives modification. Somehow, the wrong source rpm got pushed to updates-testing.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The FC2 and FC3 seem fine. Here are fixed packages for rh73, rh9 and fc1 to QA. They should take care of the issues people are having with the previous upgrades. 7.3 changelog: * Sat Mar 25 2006 Marc Deslauriers <marcdeslauriers> 8.12.11-4.22.10.legacy - - Added hesiod-devel to BuildRequires - - Reverted to previous alternatives files - - Removed new triggers - - Modified instructions in sendmail.mc 9 changelog: * Sat Mar 25 2006 Marc Deslauriers <marcdeslauriers> - 8.12.11-4.24.2.legacy - - Reverted statistics file to /etc/mail - - Reverted to previous alternatives files fc1 changelog: * Sat Mar 25 2006 Marc Deslauriers <marcdeslauriers> - 8.12.11-4.25.2.legacy - - Reverted statistics file to /etc/mail - - Reverted to previous alternatives files - - Added gdbm-devel to BuildRequires 7.3: c57140069224f247c71bbdb87a9b4320d0b65a8d sendmail-8.12.11-4.22.10.legacy.i386.rpm c834e9b1089a1a6b7796209f0ce0e2fa87ca60b7 sendmail-cf-8.12.11-4.22.10.legacy.i386.rpm eac9d007dffbbcf7efb3e025e680407a737008f6 sendmail-devel-8.12.11-4.22.10.legacy.i386.rpm 24a25b9e22ffb6bf32895d2af99f28c83062883e sendmail-doc-8.12.11-4.22.10.legacy.i386.rpm http://turbosphere.fedoralegacy.org/logs/redhat-7.3-core/65-sendmail-8.12.11-4.22.10.legacy/i386/ 9: f2fe962096c186bbd45ae5494951aae3042b9d68 sendmail-8.12.11-4.24.2.legacy.i386.rpm d576a57e9e5e5d023c162a37590ecf55c24bbba2 sendmail-cf-8.12.11-4.24.2.legacy.i386.rpm d0805a6b17baf313756480b0ca8db614959b286f sendmail-devel-8.12.11-4.24.2.legacy.i386.rpm 46cd5e43f83f456bcdef06df638ee55ce70d7afc sendmail-doc-8.12.11-4.24.2.legacy.i386.rpm http://turbosphere.fedoralegacy.org/logs/redhat-9-core/66-sendmail-8.12.11-4.24.2.legacy/i386/ 1: 0fd91369abb6a9202046bfef39e60dbb50d453fa sendmail-8.12.11-4.25.2.legacy.i386.rpm 4b4571061a33a151bfd9b4541a7895b286028112 sendmail-cf-8.12.11-4.25.2.legacy.i386.rpm 225ab50da0fb3153293f9a51de70cbe06c202bcc sendmail-devel-8.12.11-4.25.2.legacy.i386.rpm 90d0e9b1c2438ee7fb1e0d06f69cdb858a695273 sendmail-doc-8.12.11-4.25.2.legacy.i386.rpm http://turbosphere.fedoralegacy.org/logs/fedora-1-core/67-sendmail-8.12.11-4.25.2.legacy/i386/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEJgXqLMAs/0C4zNoRAmP0AKDCzbWF098q5GyLch9aSqxeDOKaFQCgjTNa c6EIqAka2wvV3Tf/5utHpEo= =7BEG -----END PGP SIGNATURE-----
Hmm.. I didn't quite understand the reason why you reverted to the old alternatives stuff: you seem to be partially simulating the case where alternatives is "no", even though it was already enabled in RHL73 so many years ago? If old_setup is set to "no", the packages still depend on the contents of /etc/aliases on the build machine (when it runs $RPM_BUILD_ROOT/usr/bin/makemap) on RHL9. That's not cool. (There's a lot of other nastiness in RHL73/RHL9 wrt old_setup -- old_setup=no is not correct on RHL73 while old_setup=yes is not correct on RHL9..) Perhaps on RHL73, removal of the readlink could be replaced with: ls -l /etc/alternatives/mta | sed s":.* /:/:" | sed s":.* -> ::" .. where the first sed strips out everything except the filename and path, and the second sed reads the symlink if it exists. + daemon /usr/sbin/sendmail $([ "x$DAEMON" = xyes ] && echo -bd) \ + $([ -n "$QUEUE" ] && echo -q$QUEUE) doesn't pass at the end $SENDMAIL_OPTARG, so if you do reload(), do you lose arguments if you defined any? On RHL9, the defined CERT dirs don't exist under /etc/mail/. /usr/share/ssl/certs do though, but weren't enabled. I guess it's bad practice to point to cert dirs that don't exist, maybe dnl these from .mc? RHL9 supports sasl2, but it wasn't enabled in the previous RHL9 sendmail update in 2003; it's not clear to me as I don't use SASL whether we should keep the old practice or upgrade sendmail to use sasl2. In RHL9, smmsp is no longer confTRUSTED_USER. Apparently RH removed this in Sep 2003, so I guess it's OK.
The reason everyone is having problems is because the sendmail update we released contains three more files that were assigned to alternatives. When the package gets upgraded, sendmail is already configured in the systems alternatives system, so the three new symlinks don't get created. There are three possible ways around this problem, 1- remove sendmail from alternatives during the upgrade before adding it back in to force alternatives to re-create the symlinks, 2- try and get alternatives to recreate the symlinks with a funky postun trigger, 3- revert the three files to their previous behaviour with the previous sendmail release. After much thought, it appeared the simplest way was to revert to the way the previous sendmail package worked. Starting with FC2, sendmail doesn't provide the /etc/aliases anymore. The old_setup flag indicates in the spec file if we want an aliases file or not. It should be turned on for rh73, rh9 and fc1. I'm not sure why you say it's turned off in rh73, or why you say it shouldn't be turned on in rh9. Please explain. The readlink section of the spec file was to upgrade sendmail in RHEL21. This is unnecessary with our rh73 upgrade. The initscript doesn't pass the $SENDMAIL_OPTARG in the reload function as it doesn't actually start sendmail, it just sends it a -HUP. No need to pass arguments there. The defined CERT dirs under /etc/mail don't exist on any release. The included makecert.sh command creates them for you, as documented in the .mc file. For rhl9, the previous sendmail didn't use sasl2. There may have been a reason for that. It would be better to use sasl1, as the previous release did.
OK, I guess the second option would have been easier if readlink had been available on RHL73.. But the functional difference is probably not significant enough to change to 2) and use an alternative to readlink.. Sorry for confusion, yes, old_setup is enabled for both rhl73 and rhl9. What I meant to say is that the non-default option (in this case "no") is broken on both src.rpm's. It's arguable whether this is more than a cosmetic problem or a way to shoot yourself in the foot..
sendmail-8.12.11-4.24.2.legacy (RH9): sendmail.mc -dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl +define(`STATUS_FILE', `/var/log/mail/statistics')dnl - 8.12.8-9.90 sendmail.mc says /etc/mail/statistics - 12.11-4.24.2.legacy sendmail.mc says /var/log/statistics - and activates it! - rpm-qlp of 12.11-4.24.2.legacy CONTAINS /etc/mail/statistics - recommend revert back to old location -dnl define(`confCACERT_PATH',`/usr/share/ssl/certs') -dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt') -dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem') -dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem') +define(`CERT_DIR',`/etc/mail/certs') +define(`confCACERT_PATH',`CERT_DIR') +define(`confCACERT',`CERT_DIR/cacert.pem') +define(`confSERVER_CERT',`CERT_DIR/cert.pem') +define(`confSERVER_KEY',`CERT_DIR/key.pem') +define(`confCLIENT_CERT',`CERT_DIR/cert.pem') +define(`confCLIENT_KEY',`CERT_DIR/key.pem') - changes locations - changes CACert filename - changes server/client key filename - activates bogus config - recommend keep or DNL the new lines, but revert the locations back to the older supplied locations. Activating the config with new locations is introducing either a bug or a feature, and either may not be recommended. This package DOES appear to fix bug 186579, but ships with immediate concerns of its own.
sendmail-8.12.11-4.25.1.legacy (FC1) contains the same random change to the sendmail.mc. I don't have an FC2 system,but I notice the FC3 packages *don't* include any new features/changes, and I'm definitely for the idea of keeping the MCs very similar to their normal formats -- not only because they'll be the same as originally released for all RH-derived distros released in almost a decade, and not only because it's an added feature of the type I've been told we don't like to add into updates, but also because I've learned the headache of supporting even a change as innocuous in appearance as this one. sendmail-8.12.11-4.25.1.legacy also do the Alternatives work in %post when upgrading from the next most recent version: [root@fishy /]# ls -l /etc/pam.d/smtp* /usr/lib/sendmail* -rw-r--r-- 1 root root 116 Mar 23 00:22 /etc/pam.d/smtp.sendmail lrwxrwxrwx 1 root root 16 Mar 26 17:41 /usr/lib/sendmail.sendmail -> ../sbin/sendmail I'd suggest 8.12.11-4.25.1 fails QA based on the random feature with the location change, and the alternatives concern.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In response to comment 53, here are updated packages for RH9 and FC1: - - Reverted statistics file path in mc file - - Reverted CERT paths in mc file - - Don't enable statistics by default rh9: 6ee6122a976ff1aa32d784cb817caf9aa53daa97 sendmail-8.12.11-4.24.3.legacy.i386.rpm 0b690b7dfd72d962c6a44897fb826ddc3c73e699 sendmail-cf-8.12.11-4.24.3.legacy.i386.rpm 7648da4c91b79a035ea7cad78e58eeff73c04b2e sendmail-devel-8.12.11-4.24.3.legacy.i386.rpm aa9cd92fa507433ed612f1b6889277f4fd46bdcd sendmail-doc-8.12.11-4.24.3.legacy.i386.rpm fab24bdbf1d46fb7d488de2fab60ed0da5dabaeb sendmail-8.12.11-4.24.3.legacy.src.rpm http://turbosphere.fedoralegacy.org/logs/redhat-9-core/68-sendmail-8.12.11-4.24.3.legacy/ fc1: a5e3f8c6aa59aa48ce78fb96cc03601173ba9f98 sendmail-8.12.11-4.25.3.legacy.i386.rpm 2a2299397fd86ca7c06ebfe2c4ca047385ee2988 sendmail-cf-8.12.11-4.25.3.legacy.i386.rpm ed85bed5db216b77949ddf4ac6e0721ae7688a52 sendmail-devel-8.12.11-4.25.3.legacy.i386.rpm 544a83a270864e118be0f98064eebaff1c783b10 sendmail-doc-8.12.11-4.25.3.legacy.i386.rpm e39214f5c41d727fe776ea36c37673ebb31ec7fa sendmail-8.12.11-4.25.3.legacy.src.rpm http://turbosphere.fedoralegacy.org/logs/fedora-1-core/69-sendmail-8.12.11-4.25.3.legacy/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEJ2GkLMAs/0C4zNoRArnrAJ4g5amzMQknJhQ3TmJwdg5L1ybX1QCgkEkw qXgPGk3DCXc464i4tNdtx7M= =JDxT -----END PGP SIGNATURE-----
*** Bug 186927 has been marked as a duplicate of this bug. ***
One of my complaints is it is overwriting my /etc/init.d/sendmail file (RHL 9). Seems like we should patch the spec file: 555c555 < %config %{initdir}/sendmail --- > %config(noreplace) %{initdir}/sendmail This would create a /etc/init.d/sendmail.rpmnew if there is a custom script, which is what I expect personally. I don't think there are any changes to the init script which are needed for the update; rather they just make it more robust and add a reload() and so on. I think leaving the custom script in place will work fine, though I've not exhaustively researched the scripts. Anyone else agree or disagree?
We might want to mention in the release note that the new /etc/init.d/sendmail script as well as the new /etc/mail/Makefile now rebuild the sendmail.cf file from the sendmail.mc file... This means if someone has been editing/customizing their sendmail.cf file without modifying/customizing the sendmail.mc file, then installing our package and rebooting, or installing our package and doing a "make all" in /etc/mail, will remove all their customizations and perhaps shutdown their mail services (and I don't think there is any way to recover without backups). This is kind of a critical point as some people do hand-edit sendmail.cf without ever touching sendmail.mc, perhaps even deleting sendmail.mc which our script might then replace with a stock one, and this could really bite them...
In response to comment #58: I'm not sure why you think the behaviour has changed. The previous rh9 sendmail release does it also. Am I missing something?
Because I was confusing versions? 7.3 doesn't do this, 9 does; and your updates seem to keep that the same way. Sorry for the noise, although it still wouldn't hurt to mention it even though it is "expected" behaviour... In any case, I stand corrected; the rpms are doing exactly what the RH rpms did for both 7.3 and 9.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for updated 7.3 package (comment #49): b719f1d31d54a3326aa718faced760f1f854807f sendmail-8.12.11-4.22.10.legacy.src.rpm sendmail Source matches previous package Only other source change is to sendmail-redhat.mc where the comments are changed to reflect how to build the cf file Spec file changes look good and should correct problems people are experiencing with alternatives QA for updated RH9 package (comment #55): fab24bdbf1d46fb7d488de2fab60ed0da5dabaeb sendmail-8.12.11-4.24.3.legacy.src.rpm sendmail source matches previous package Other source changes are: removing makecert.sh included .mc uses /etc/mail/statistics instead of /var/log/mail/statistics included .mc uses /usr/share/ssl/certs instead of /etc/mail/certs Those all seem like valid changes to me as it reverts to previous expected behavior. Spec file changes all look good (reverting to behavior of previous rh9 package) RH73 PUBLISH++ RH9 PUBLISH++ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (Darwin) iD8DBQFEKIckKe7MLJjUbNMRAnsGAJ0XmGXjPVNsyKXrUfw7I3RzH2PkdQCffGk2 vJOrVSrXb/RkflMAUXxJ4vg= =qwoJ -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity good - spec file changes minimal from the already-updated version, large from the original FC1 version but should be OK.. - no patch changes from the previous release, should be OK from the original FC1 version. +PUBLISH FC1 e39214f5c41d727fe776ea36c37673ebb31ec7fa sendmail-8.12.11-4.25.3.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFEKMl7GHbTkzxSL7QRAiifAJ41HBH2xvSlAGh7WlKNbSwWqNz6tQCgpZKA iKspNi2OdTpM8818oBAgH+k= =Cw/J -----END PGP SIGNATURE-----
Updated packages for rh73, rh9 and fc1 were pushed to updates-testing
If some of the people who were having problems with the previous packages could test out the new packages in updates-testing, that would be very helpful!
I can report that the FC1 package in updates-testing (8.12.11-4.25.3.legacy) seems to work fine for me. I do not have the problem first noted in comment #33.
Seconded. On RH9 with legacy updates I got the secure SMTP auth problem after the published update. Updating from updates-testing solved it. No other changes were made manually either before or after the update between it and the one in updates-testing. I've just done some quick checks, mainly that auth now works and that my virtusertable is functioning. Hopefully there are no "hidden" problems.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 9f1caeadce45e2922f6bc29ea0f4e7bce4e26d02 sendmail-8.12.11-4.24.3.legacy.i386.rpm6b7b437bb58ac9f805185ae992da9a157a0d755d sendmail-cf-8.12.11-4.24.3.legacy.i386.rpm ae48cf1d3a5d8f5bfc789a408de392fe27e84b73 sendmail-devel-8.12.11-4.24.3.legacy.i386.rpm 4571b20f603bf6f90558aa09107f5b2ae17e8111 sendmail-doc-8.12.11-4.24.3.legacy.i386.rpm installs OK. mail come and goes OK, although as in comment #11 i reiterate that i generate my own sendmail.cf by hand, which i again did before verifying the functionality. +VERIFY RH9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEK9yxePtvKV31zw4RAv48AKCFQKc6WOrOBkqiGqssTgdvuPvdwwCgtIve j2ET8esmXC0crpE/1eKoIFA= =IpwP -----END PGP SIGNATURE-----
I'd say the FC1 comment is good enough to decrease the timeout to one week unless issues come up.. :-)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++VERIFY for RHL 9 Downloaded packages: 9f1caeadce45e2922f6bc29ea0f4e7bce4e26d02 sendmail-8.12.11-4.24.3.legacy.i386.rpm 6b7b437bb58ac9f805185ae992da9a157a0d755d sendmail-cf-8.12.11-4.24.3.legacy.i386.rpm Package installed fine on a single machine. All previous problems I saw on that machine are now fixed. Vote for release for RHL 9. ++VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFELDFD4jZRbknHoPIRAtgKAJ4mNOUFHnA6wx4T1jTD42ey6bZ5FgCfeGlz 1uqibmD5mAuN2JSWLhGb+1s= =gUWv -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Test of FC1 sendmail-8.12.11-4.25.3.legacy.i386. 3f6edb4bdcd42cca1f01fce9482d3ac10b56f530__sendmail-8.12.11-4.25.3.legacy.i386.rpm 7aaa9743d312b7ebc95baa83e186acaa267f6915__sendmail-cf-8.12.11-4.25.3.legacy.i386.rpm dfabadaa764d471b2c5963547643ca4bbe5ca0e7__sendmail-devel-8.12.11-4.25.3.legacy.i386.rpm 121433ec0c71a163993cf2a94f33fa67df786b11__sendmail-doc-8.12.11-4.25.3.legacy.i386.rpm * sha1sums and gpg signatures ok * upgrading from original FC1 sendmail (8.12.10), seems to install well: - Pre-install scriptlet worked fine. - Package file Installation -- Config files: . left /etc/aliases alone (I'd modified it), built new /etc/aliases.db; . replaced /etc/mail/access (I'd not changed it); . replaced /etc/mail/Makefile (I'd not changed it); . skipped /etc/mail/local-host-names (I'd modified it); . left my /etc/mail/sendmail.cf alone, but created the packaged file as sendmail.cf.rpmnew; . same for /etc/mail/sendmail.mc; . replaced /etc/mail/submit.cf (I'd not changed it); . replaced /etc/mail/submit.mc (I'd not changed it); . replaced /etc/mail/trusted-users (I'd not changed it); . replaced /etc/pam.d/smtp (I'd not changed it); . replaced /etc/rc.d/init.d/sendmail (which it would do whether or not I changed it); . replaced /etc/sysconfig/sendmail (I'd not changed it); . kept (or replaced) the symlink /usr/lib/sendmail -> ../sbin/sendmail - Post-install scriptlet appeared to work fine. No surprises. - Alternatives system appears to be set up correctly, reverted to the alternatives used in sendmail-8.12.10; no missing alternative files. - Pre-uninstall scriptlet does nothing ([ 1 = 0 ]), which is correct, as this is a sendmail update/upgrade. - Erase of sendmail-8.12.10 packaged files skipped all files, since they all were replaced by the 8.12.11-4.25.3 package. Good. - Post-uninstall scriptlet restarted sendmail 'condrestart' (which only stops and starts sendmail if it is already running). Good. * Looks like previous issues have been taken care of: - /etc/pam.d/smtp not missing (auth should work) - /usr/lib/sendmail not missing - /usr/share/man/man8/sendmail.8.gz not missing - in new sendmail.mc file, status file left at /etc/mail/statistics and left undefined ('dnl'); and certificate directory reverted to /usr/share/ssl/certs and also left undefined. * It works. Was able to send message from FC1 box to a hotmail account and receive mail from hotmail to the FC1 box's sendmail. VERIFY++ FC1 sendmail -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFEMbNvxou1V/j9XZwRAg+jAJsHDFqU/vXc0KuyJ3Pg2L4zlT7zWwCdH3Zv Os/+BIGY6IOz6ZvbvQzc8PI= =+AUH -----END PGP SIGNATURE-----
FWIW, sendmail works fine on RHL73 as well, but as I recompiled it, I didn't want to write it as a verify vote.. The timeout is due today in any case, so this is going to be released in any case..
Packages were released to updates.
A bit late I realise, but I just tested on RH9 and all is working correctly (none of the problems in comment 30 and comment 32). Thanks to all concerned!