--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/sendmail/patches/README.patch Fri Jan 16 12:38:45 2015 -0800
@@ -0,0 +1,603 @@
+# This patch is Solaris-specific and thus has not been contributed upstream.
+
+--- sendmail-8.14.9/cf/README~ 2014-05-16 13:40:15.000000000 -0700
++++ sendmail-8.14.9/cf/README 2014-12-04 12:36:34.759814094 -0800
+@@ -4,12 +4,10 @@
+ This document describes the sendmail configuration files. It
+ explains how to create a sendmail.cf file for use with sendmail.
+ It also describes how to set options for sendmail which are explained
+-in the Sendmail Installation and Operation guide (doc/op/op.me).
+-
+-To get started, you may want to look at tcpproto.mc (for TCP-only
+-sites) and clientproto.mc (for clusters of clients using a single
+-mail host), or the generic-*.mc files as operating system-specific
+-examples.
++in the Sendmail Installation and Operation guide, which can be found
++on-line at http://www.sendmail.org/%7Eca/email/doc8.12/op.html .
++Recall this URL throughout this document when references to
++doc/op/op.* are made.
+
+ Table of Content:
+
+@@ -30,7 +28,6 @@
+ ANTI-SPAM CONFIGURATION CONTROL
+ CONNECTION CONTROL
+ STARTTLS
+-SMTP AUTHENTICATION
+ ADDING NEW MAILERS OR RULESETS
+ ADDING NEW MAIL FILTERS
+ QUEUE GROUP DEFINITIONS
+@@ -61,7 +58,7 @@
+ Alternatively, you can simply:
+
+ cd ${CFDIR}/cf
+- ./Build config.cf
++ /usr/bin/make config.cf
+
+ where ${CFDIR} is the root of the cf directory and config.mc is the
+ name of your configuration file. If you are running a version of M4
+@@ -149,14 +146,6 @@
+ a define(`PROCMAIL_MAILER_PATH', ...) should be done before
+ FEATURE(`local_procmail').
+
+-*******************************************************************
+-*** BE SURE YOU CUSTOMIZE THESE FILES! They have some ***
+-*** Berkeley-specific assumptions built in, such as the name ***
+-*** of their UUCP-relay. You'll want to create your own ***
+-*** domain description, and use that in place of ***
+-*** domain/Berkeley.EDU.m4. ***
+-*******************************************************************
+-
+
+ +----------------------------+
+ | A BRIEF INTRODUCTION TO M4 |
+@@ -197,20 +186,6 @@
+ messages; in the worst case it might be ok to change the value
+ directly in the generated .cf file, which however is not advised.
+
+-
+-Notice:
+--------
+-
+-This package requires a post-V7 version of m4; if you are running the
+-4.2bsd, SysV.2, or 7th Edition version. SunOS's /usr/5bin/m4 or
+-BSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works.
+-Unfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a
+-Net/2 or GNU version. GNU m4 is available from
+-ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version).
+-EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU
+-m4 on this platform.
+-
+-
+ +----------------+
+ | FILE LOCATIONS |
+ +----------------+
+@@ -319,8 +294,7 @@
+ corresponding queue file types as explained in
+ doc/op/op.me. See also QUEUE GROUP DEFINITIONS.
+ MSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing
+- queue files for the MSP (Mail Submission Program,
+- see sendmail/SECURITY).
++ queue files for the MSP (Mail Submission Program).
+ STATUS_FILE [/etc/mail/statistics] The file containing status
+ information.
+ LOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail.
+@@ -350,17 +324,6 @@
+ LOCAL_SHELL_DIR [$z:/] The directory search path in which the
+ shell should run.
+ LOCAL_MAILER_QGRP [undefined] The queue group for the local mailer.
+-USENET_MAILER_PATH [/usr/lib/news/inews] The name of the program
+- used to submit news.
+-USENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer.
+-USENET_MAILER_ARGS [-m -h -n] The command line arguments for the
+- usenet mailer. NOTE: Some versions of inews
+- (such as those shipped with newer versions of INN)
+- use different flags. Double check the defaults
+- against the inews man page.
+-USENET_MAILER_MAX [undefined] The maximum size of messages that will
+- be accepted by the usenet mailer.
+-USENET_MAILER_QGRP [undefined] The queue group for the usenet mailer.
+ SMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default
+ flags are `mDFMuX' for all SMTP-based mailers; the
+ "esmtp" mailer adds `a'; "smtp8" adds `8'; and
+@@ -413,17 +376,6 @@
+ the UUCP mailers and which are converted to MIME will
+ be labeled with this character set.
+ UUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers.
+-FAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to
+- submit FAX messages.
+-FAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX
+- mailer.
+-FAX_MAILER_MAX [100000] The maximum size message accepted for
+- transmission by FAX.
+-POP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer.
+-POP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq
+- are always added.
+-POP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer.
+-POP_MAILER_QGRP [undefined] The queue group for the pop mailer.
+ PROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail
+ program. This is also used by
+ FEATURE(`local_procmail').
+@@ -438,60 +390,9 @@
+ PROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that
+ will be accepted by the procmail mailer.
+ PROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer.
+-MAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer.
+-MAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer.
+-MAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11
+- mailer.
+-MAIL11_MAILER_QGRP [undefined] The queue group for the mail11 mailer.
+-PH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery
+- program.
+-PH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM
+- are always set.
+-PH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer.
+-PH_MAILER_QGRP [undefined] The queue group for the ph mailer.
+-CYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The
+- flags lsDFMnPq are always included.
+-CYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver
+- cyrus mail.
+-CYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed
+- to deliver cyrus mail.
+-CYRUS_MAILER_MAX [undefined] If set, the maximum size message that
+- will be accepted by the cyrus mailer.
+-CYRUS_MAILER_USER [cyrus:mail] The user and group to become when
+- running the cyrus mailer.
+-CYRUS_MAILER_QGRP [undefined] The queue group for the cyrus mailer.
+-CYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer.
+- The flags lsDFMnP are always included.
+-CYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed
+- to deliver cyrusbb mail.
+-CYRUSV2_MAILER_FLAGS [A@/:|m] The flags used by the cyrusv2 mailer. The
+- flags lsDFMnqXz are always included.
+-CYRUSV2_MAILER_MAXMSGS [undefined] If defined, the maximum number of
+- messages to deliver in a single connection for the
+- cyrusv2 mailer.
+-CYRUSV2_MAILER_MAXRCPTS [undefined] If defined, the maximum number of
+- recipients to deliver in a single connection for the
+- cyrusv2 mailer.
+-CYRUSV2_MAILER_ARGS [FILE /var/imap/socket/lmtp] The arguments passed
+- to the cyrusv2 mailer. This can be used to
+- change the name of the Unix domain socket, or
+- to switch to delivery via TCP (e.g., `TCP $h lmtp')
+-CYRUSV2_MAILER_QGRP [undefined] The queue group for the cyrusv2 mailer.
+-CYRUSV2_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data
+- that ARRIVE from an address that resolves to one the
+- Cyrus mailer and which are converted to MIME will
+- be labeled with this character set.
+ confEBINDIR [/usr/libexec] The directory for executables.
+ Currently used for FEATURE(`local_lmtp') and
+ FEATURE(`smrsh').
+-QPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer.
+-QPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver
+- qpage mail.
+-QPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed
+- to deliver qpage mail.
+-QPAGE_MAILER_MAX [4096] If set, the maximum size message that
+- will be accepted by the qpage mailer.
+-QPAGE_MAILER_QGRP [undefined] The queue group for the qpage mailer.
+ LOCAL_PROG_QGRP [undefined] The queue group for the prog mailer.
+
+ Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS:
+@@ -609,18 +510,6 @@
+ See the section below describing UUCP mailers in more
+ detail.
+
+-usenet Usenet (network news) delivery. If this is specified,
+- an extra rule is added to ruleset 0 that forwards all
+- local email for users named ``group.usenet'' to the
+- ``inews'' program. Note that this works for all groups,
+- and may be considered a security problem.
+-
+-fax Facsimile transmission. This is experimental and based
+- on Sam Leffler's HylaFAX software. For more information,
+- see http://www.hylafax.org/.
+-
+-pop Post Office Protocol.
+-
+ procmail An interface to procmail (does not come with sendmail).
+ This is designed to be used in mailertables. For example,
+ a common question is "how do I forward all mail for a given
+@@ -643,37 +532,6 @@
+ Of course there are other ways to solve this particular
+ problem, e.g., a catch-all entry in a virtusertable.
+
+-mail11 The DECnet mail11 mailer, useful only if you have the mail11
+- program from gatekeeper.dec.com:/pub/DEC/gwtools (and
+- DECnet, of course). This is for Phase IV DECnet support;
+- if you have Phase V at your site you may have additional
+- problems.
+-
+-phquery The phquery program. This is somewhat counterintuitively
+- referenced as the "ph" mailer internally. It can be used
+- to do CCSO name server lookups. The phquery program, which
+- this mailer uses, is distributed with the ph client.
+-
+-cyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to
+- a local cyrus user. this mailer can make use of the
+- "[email protected]" syntax (see
+- FEATURE(`preserve_local_plus_detail')); it will deliver the
+- mail to the user's "detail" mailbox if the mailbox's ACL
+- permits. The cyrusbb mailer delivers to a system-wide
+- cyrus mailbox if the mailbox's ACL permits. The cyrus
+- mailer must be defined after the local mailer.
+-
+-cyrusv2 The mailer for Cyrus v2.x. The cyrusv2 mailer delivers to
+- local cyrus users via LMTP. This mailer can make use of the
+- "[email protected]" syntax (see
+- FEATURE(`preserve_local_plus_detail')); it will deliver the
+- mail to the user's "detail" mailbox if the mailbox's ACL
+- permits. The cyrusv2 mailer must be defined after the
+- local mailer.
+-
+-qpage A mailer for QuickPage, a pager interface. See
+- http://www.qpage.org/ for further information.
+-
+ The local mailer accepts addresses of the form "user+detail", where
+ the "+detail" is not used for mailbox matching but is available
+ to certain local mail programs (in particular, see
+@@ -1379,12 +1237,6 @@
+ user@site for relaying. This feature changes that
+ behavior. It should not be needed for most installations.
+
+-authinfo Provide a separate map for client side authentication
+- information. See SMTP AUTHENTICATION for details.
+- By default, the authinfo database specification is:
+-
+- hash /etc/mail/authinfo
+-
+ preserve_luser_host
+ Preserve the name of the recipient host if LUSER_RELAY is
+ used. Without this option, the domain part of the
+@@ -1421,7 +1273,7 @@
+ FEATURE and introduce new settings via DAEMON_OPTIONS().
+
+ msp Defines config file for Message Submission Program.
+- See sendmail/SECURITY for details and cf/cf/submit.mc how
++ See cf/submit.mc for how
+ to use it. An optional argument can be used to override
+ the default of `[localhost]' to use as host to send all
+ e-mails to. Note that MX records will be used if the
+@@ -1565,78 +1417,6 @@
+ has been compiled with the options MAP_REGEX and
+ DNSMAP.
+
+-+-------+
+-| HACKS |
+-+-------+
+-
+-Some things just can't be called features. To make this clear,
+-they go in the hack subdirectory and are referenced using the HACK
+-macro. These will tend to be site-dependent. The release
+-includes the Berkeley-dependent "cssubdomain" hack (that makes
+-sendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU;
+-this is intended as a short-term aid while moving hosts into
+-subdomains.
+-
+-
+-+--------------------+
+-| SITE CONFIGURATION |
+-+--------------------+
+-
+- *****************************************************
+- * This section is really obsolete, and is preserved *
+- * only for back compatibility. You should plan on *
+- * using mailertables for new installations. In *
+- * particular, it doesn't work for the newer forms *
+- * of UUCP mailers, such as uucp-uudom. *
+- *****************************************************
+-
+-Complex sites will need more local configuration information, such as
+-lists of UUCP hosts they speak with directly. This can get a bit more
+-tricky. For an example of a "complex" site, see cf/ucbvax.mc.
+-
+-The SITECONFIG macro allows you to indirectly reference site-dependent
+-configuration information stored in the siteconfig subdirectory. For
+-example, the line
+-
+- SITECONFIG(`uucp.ucbvax', `ucbvax', `U')
+-
+-reads the file uucp.ucbvax for local connection information. The
+-second parameter is the local name (in this case just "ucbvax" since
+-it is locally connected, and hence a UUCP hostname). The third
+-parameter is the name of both a macro to store the local name (in
+-this case, {U}) and the name of the class (e.g., {U}) in which to store
+-the host information read from the file. Another SITECONFIG line reads
+-
+- SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W')
+-
+-This says that the file uucp.ucbarpa contains the list of UUCP sites
+-connected to ucbarpa.Berkeley.EDU. Class {W} will be used to
+-store this list, and $W is defined to be ucbarpa.Berkeley.EDU, that
+-is, the name of the relay to which the hosts listed in uucp.ucbarpa
+-are connected. [The machine ucbarpa is gone now, but this
+-out-of-date configuration file has been left around to demonstrate
+-how you might do this.]
+-
+-Note that the case of SITECONFIG with a third parameter of ``U'' is
+-special; the second parameter is assumed to be the UUCP name of the
+-local site, rather than the name of a remote site, and the UUCP name
+-is entered into class {w} (the list of local hostnames) as $U.UUCP.
+-
+-The siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing
+-more than a sequence of SITE macros describing connectivity. For
+-example:
+-
+- SITE(`cnmat')
+- SITE(`sgi olympus')
+-
+-The second example demonstrates that you can use two names on the
+-same line; these are usually aliases for the same host (or are at
+-least in the same company).
+-
+-The macro LOCAL_UUCP can be used to add rules into the generated
+-cf file at the place where MAILER(`uucp') inserts its rules. This
+-should only be used if really necessary.
+-
+ +--------------------+
+ | USING UUCP MAILERS |
+ +--------------------+
+@@ -2424,7 +2204,7 @@
+ map entries. This feature allows spammers to abuse your mail server
+ by specifying a return address that you enabled in your access file.
+ This may be harder to figure out for spammers, but it should not
+-be used unless necessary. Instead use SMTP AUTH or STARTTLS to
++be used unless necessary. Instead use STARTTLS to
+ allow relaying for roaming users.
+
+
+@@ -2890,8 +2670,7 @@
+ tokenization. It might be simpler to use a regex map and apply it
+ to $&{currHeader}.
+ 2. There are no default rulesets coming with this distribution of
+-sendmail. You can write your own, can search the WWW for examples,
+-or take a look at cf/cf/knecht.mc.
++sendmail. You can write your own or search the WWW for examples.
+ 3. When using a default ruleset for headers, the name of the header
+ currently being checked can be found in the $&{hdr_name} macro.
+
+@@ -3192,101 +2971,6 @@
+ (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})
+
+
+-+---------------------+
+-| SMTP AUTHENTICATION |
+-+---------------------+
+-
+-The macros ${auth_authen}, ${auth_author}, and ${auth_type} can be
+-used in anti-relay rulesets to allow relaying for those users that
+-authenticated themselves. A very simple example is:
+-
+-SLocal_check_rcpt
+-R$* $: $&{auth_type}
+-R$+ $# OK
+-
+-which checks whether a user has successfully authenticated using
+-any available mechanism. Depending on the setup of the Cyrus SASL
+-library, more sophisticated rulesets might be required, e.g.,
+-
+-SLocal_check_rcpt
+-R$* $: $&{auth_type} $| $&{auth_authen}
+-RDIGEST-MD5 $| $+@$=w $# OK
+-
+-to allow relaying for users that authenticated using DIGEST-MD5
+-and have an identity in the local domains.
+-
+-The ruleset trust_auth is used to determine whether a given AUTH=
+-parameter (that is passed to this ruleset) should be trusted. This
+-ruleset may make use of the other ${auth_*} macros. Only if the
+-ruleset resolves to the error mailer, the AUTH= parameter is not
+-trusted. A user supplied ruleset Local_trust_auth can be written
+-to modify the default behavior, which only trust the AUTH=
+-parameter if it is identical to the authenticated user.
+-
+-Per default, relaying is allowed for any user who authenticated
+-via a "trusted" mechanism, i.e., one that is defined via
+-TRUST_AUTH_MECH(`list of mechanisms')
+-For example:
+-TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5')
+-
+-If the selected mechanism provides a security layer the number of
+-bits used for the key of the symmetric cipher is stored in the
+-macro ${auth_ssf}.
+-
+-Providing SMTP AUTH Data when sendmail acts as Client
+------------------------------------------------------
+-
+-If sendmail acts as client, it needs some information how to
+-authenticate against another MTA. This information can be provided
+-by the ruleset authinfo or by the option DefaultAuthInfo. The
+-authinfo ruleset looks up {server_name} using the tag AuthInfo: in
+-the access map. If no entry is found, {server_addr} is looked up
+-in the same way and finally just the tag AuthInfo: to provide
+-default values. Note: searches for domain parts or IP nets are
+-only performed if the access map is used; if the authinfo feature
+-is used then only up to three lookups are performed (two exact
+-matches, one default).
+-
+-Note: If your daemon does client authentication when sending, and
+-if it uses either PLAIN or LOGIN authentication, then you *must*
+-prevent ordinary users from seeing verbose output. Do NOT install
+-sendmail set-user-ID. Use PrivacyOptions to turn off verbose output
+-("goaway" works for this).
+-
+-Notice: the default configuration file causes the option DefaultAuthInfo
+-to fail since the ruleset authinfo is in the .cf file. If you really
+-want to use DefaultAuthInfo (it is deprecated) then you have to
+-remove the ruleset.
+-
+-The RHS for an AuthInfo: entry in the access map should consists of a
+-list of tokens, each of which has the form: "TDstring" (including
+-the quotes). T is a tag which describes the item, D is a delimiter,
+-either ':' for simple text or '=' for a base64 encoded string.
+-Valid values for the tag are:
+-
+- U user (authorization) id
+- I authentication id
+- P password
+- R realm
+- M list of mechanisms delimited by spaces
+-
+-Example entries are:
+-
+-AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5"
+-AuthInfo:host.more.dom "U:user" "P=c2VjcmV0"
+-
+-User id or authentication id must exist as well as the password. All
+-other entries have default values. If one of user or authentication
+-id is missing, the existing value is used for the missing item.
+-If "R:" is not specified, realm defaults to $j. The list of mechanisms
+-defaults to those specified by AuthMechanisms.
+-
+-Since this map contains sensitive information, either the access
+-map must be unreadable by everyone but root (or the trusted user)
+-or FEATURE(`authinfo') must be used which provides a separate map.
+-Notice: It is not checked whether the map is actually
+-group/world-unreadable, this is left to the user.
+-
+ +--------------------------------+
+ | ADDING NEW MAILERS OR RULESETS |
+ +--------------------------------+
+@@ -3612,8 +3296,6 @@
+ This list is shown in four columns: the name you define, the default
+ value for that definition, the option or macro that is affected
+ (either Ox for an option or Dx for a macro), and a brief description.
+-Greater detail of the semantics can be found in the Installation
+-and Operations Guide.
+
+ Some options are likely to be deprecated in future versions -- that is,
+ the option is only included to provide back-compatibility. These are
+@@ -3837,8 +3519,6 @@
+ (e.g., :include: file) to be opened.
+ confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response
+ to an LMTP LHLO command.
+-confTO_AUTH Timeout.auth [10m] The timeout waiting for a
+- response in an AUTH dialogue.
+ confTO_STARTTLS Timeout.starttls
+ [1h] The timeout waiting for a
+ response to an SMTP STARTTLS command.
+@@ -4197,46 +3877,6 @@
+ memory-buffered transcript (xf)
+ file before a disk-based file is
+ used.
+-confAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5
+- CRAM-MD5] List of authentication
+- mechanisms for AUTH (separated by
+- spaces). The advertised list of
+- authentication mechanisms will be the
+- intersection of this list and the list
+- of available mechanisms as determined
+- by the Cyrus SASL library.
+-confAUTH_REALM AuthRealm [undefined] The authentication realm
+- that is passed to the Cyrus SASL
+- library. If no realm is specified,
+- $j is used.
+-confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains
+- authentication information for
+- outgoing connections. This file must
+- contain the user id, the authorization
+- id, the password (plain text), the
+- realm to use, and the list of
+- mechanisms to try, each on a separate
+- line and must be readable by root (or
+- the trusted user) only. If no realm
+- is specified, $j is used. If no
+- mechanisms are given in the file,
+- AuthMechanisms is used. Notice: this
+- option is deprecated and will be
+- removed in future versions; it doesn't
+- work for the MSP since it can't read
+- the file. Use the authinfo ruleset
+- instead. See also the section SMTP
+- AUTHENTICATION.
+-confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A'
+- then the AUTH= parameter for the
+- MAIL FROM command is only issued
+- when authentication succeeded.
+- See doc/op/op.me for more options
+- and details.
+-confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption
+- strength for the security layer in
+- SMTP AUTH (SASL). Default is
+- essentially unlimited.
+ confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client
+ verification is performed, i.e.,
+ the server doesn't ask for a
+@@ -4288,7 +3928,7 @@
+ [undefined] Defines {daemon_flags}
+ for direct submissions.
+ confUSE_MSP UseMSP [undefined] Use as mail submission
+- program, see sendmail/SECURITY.
++ program.
+ confDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By
+ SMTP Service Extension (RFC 2852).
+ confREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can
+@@ -4434,8 +4074,7 @@
+ | MESSAGE SUBMISSION PROGRAM |
+ +----------------------------+
+
+-The purpose of the message submission program (MSP) is explained
+-in sendmail/SECURITY. This section contains a list of caveats and
++This section contains a list of caveats and
+ a few hints how for those who want to tweak the default configuration
+ for it (which is installed as submit.cf).
+
+@@ -4450,13 +4089,10 @@
+ of the default background mode.
+ - FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses
+ to the LOCAL_RELAY instead of the default relay.
+-- confRAND_FILE if you use STARTTLS and sendmail is not compiled with
+- the flag HASURANDOM.
+
+-The MSP performs hostname canonicalization by default. As also
+-explained in sendmail/SECURITY, mail may end up for various DNS
+-related reasons in the MSP queue. This problem can be minimized by
+-using
++The MSP performs hostname canonicalization by default. Mail may end
++up for various DNS related reasons in the MSP queue. This problem
++can be minimized by using
+
+ FEATURE(`nocanonify', `canonify_hosts')
+ define(`confDIRECT_SUBMISSION_MODIFIERS', `C')
+@@ -4472,39 +4108,10 @@
+ can cause security problems.
+
+ Other things don't work well with the MSP and require tweaking or
+-workarounds. For example, to allow for client authentication it
+-is not just sufficient to provide a client certificate and the
+-corresponding key, but it is also necessary to make the key group
+-(smmsp) readable and tell sendmail not to complain about that, i.e.,
+-
+- define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')
+-
+-If the MSP should actually use AUTH then the necessary data
+-should be placed in a map as explained in SMTP AUTHENTICATION:
+-
+-FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo')
+-
+-/etc/mail/msp-authinfo should contain an entry like:
+-
+- AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5"
++workarounds.
+
+ The file and the map created by makemap should be owned by smmsp,
+-its group should be smmsp, and it should have mode 640. The database
+-used by the MTA for AUTH must have a corresponding entry.
+-Additionally the MTA must trust this authentication data so the AUTH=
+-part will be relayed on to the next hop. This can be achieved by
+-adding the following to your sendmail.mc file:
+-
+- LOCAL_RULESETS
+- SLocal_trust_auth
+- R$* $: $&{auth_authen}
+- Rsmmsp $# OK
+-
+-Note: the authentication data can leak to local users who invoke
+-the MSP with debug options or even with -v. For that reason either
+-an authentication mechanism that does not show the password in the
+-AUTH dialogue (e.g., DIGEST-MD5) or a different authentication
+-method like STARTTLS should be used.
++its group should be smmsp, and it should have mode 640.
+
+ feature/msp.m4 defines almost all settings for the MSP. Most of
+ those should not be changed at all. Some of the features and options