From release notes for 8.16.1: "8.16.1/8.16.1 2020/07/XX SECURITY: If sendmail tried to reuse an SMTP session which had already been closed by the server, then the connection cache could have invalid information about the session. One possible consequence was that STARTTLS was not used even if offered. This problem has been fixed by clearing out all relevant status information when a closed session is encountered."
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c97bd0e2aa41d659ac1a5f39c241c2093c7f4241

commit c97bd0e2aa41d659ac1a5f39c241c2093c7f4241
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-08-17 02:52:02 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-08-17 03:06:40 +0000

    mail-mta/sendmail: bump to 8.16.1

    * Bump due to security issue
    * Add -D_FFR_TLS_EC to compile options which supports ECDHE and PFS
    * Stop building libmilter separately and introduce dep on mail-filter/libmilter
    * By depending on mail-filter/libmilter sendmail no longer installs static-libs.
    * Add -DMAXDAEMONS=64 to fix IPV6 environments
    * Fix various QA issues with lack of dies. More to be fixed.

    Bug: https://bugs.gentoo.org/730890
    Bug: https://bugs.gentoo.org/681232
    Closes: https://bugs.gentoo.org/542370
    Closes: https://bugs.gentoo.org/681224
    Closes: https://bugs.gentoo.org/724548
    Closes: https://bugs.gentoo.org/606490
    Acked-by: Sam James <sam@gentoo.org>
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 mail-mta/sendmail/Manifest | 1 +
 .../files/sendmail-8.14.6-build-system.patch | 73 +-------
 mail-mta/sendmail/sendmail-8.16.1.ebuild | 208 +++++++++++++++++++++
 3 files changed, 219 insertions(+), 63 deletions(-)

We will give this a little bit of time because of the large number of changes in the ebuild(s) to both sendmail and libmilter.
Sanity check failed:

> mail-mta/sendmail-8.16.1
> depend amd64 stable profile default/linux/amd64/17.0 (70 total)
> sys-libs/db:6.0
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
> sys-libs/db:6.0
> rdepend amd64 stable profile default/linux/amd64/17.0 (70 total)
> sys-libs/db:6.0
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
> sys-libs/db:6.0

The new ebuild - sendmail-8.16.1.ebuild does not work for me and the update also broke the old build - sendmail-8.15.2-r2.ebuild.

This is because instead of introducing a new sendmail-8.16.1-build-system.patch, the commit updated sendmail-8.14.6-build-system.patch, which no longer works with the previous version of the ebuild.

Related question: it seems the update removes some sections of the patch regarding Makefile.m4, why?
https://gitweb.gentoo.org/repo/gentoo.git/commit/mail-mta/sendmail/files/sendmail-8.14.6-build-system.patch?id=c97bd0e2aa41d659ac1a5f39c241c2093c7f4241

mail-mta/sendmail-8.15.2-r2::gentoo failure:

    >>> Emerging (1 of 1) mail-mta/sendmail-8.15.2-r2::gentoo
     * sendmail.8.15.2.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
    >>> Unpacking source...
    >>> Unpacking sendmail.8.15.2.tar.gz to /var/tmp/portage/mail-mta/sendmail-8.15.2-r2/work
    >>> Source unpacked in /var/tmp/portage/mail-mta/sendmail-8.15.2-r2/work
    >>> Preparing source in /var/tmp/portage/mail-mta/sendmail-8.15.2-r2/work/sendmail-8.15.2 ...
     * Applying sendmail-8.14.6-build-system.patch ...
    patching file cf/cf/Makefile
    patching file devtools/M4/UNIX/defines.m4
    patching file devtools/M4/UNIX/executable.m4
    patching file devtools/M4/UNIX/library.m4
    patching file devtools/M4/UNIX/manpage.m4
    patching file libmilter/Makefile.m4
    patching file mail.local/Makefile.m4
    patching file rmail/Makefile.m4
    patching file sendmail/Makefile.m4
    Hunk #1 FAILED at 43.
    1 out of 1 hunk FAILED -- saving rejects to file sendmail/Makefile.m4.rej [ !! ]
     * ERROR: mail-mta/sendmail-8.15.2-r2::gentoo failed (prepare phase):
     * patch -p1 failed with /var/tmp/portage/mail-mta/sendmail-8.15.2-r2/files/sendmail-8.14.6-build-system.patch

mail-mta/sendmail-8.16.1::gentoo failure:

    install -c -o root -g root -m 644 mail.local.8 "/var/tmp/portage/mail-mta/sendmail-8.16.1/image/usr/share/man/man8/mail.local.8"
    make: Leaving directory '/var/tmp/portage/mail-mta/sendmail-8.16.1/work/sendmail-8.16.1/obj.Linux.4.14.188-o1.x86_64/mail.local'
    m4:/var/tmp/portage/mail-mta/sendmail-8.16.1/image/etc/mail/sendmail.mc:3: cannot open `/usr/share/sendmail-cf/m4/cf.m4': No such file or directory
     * ERROR: mail-mta/sendmail-8.16.1::gentoo failed (install phase):
     * cf.m4 failed
     *
     * Call stack:
     * ebuild.sh, line 125: Called src_install
     * environment, line 1182: Called die
     * The specific snippet of code:
     * m4 "${D}"/usr/share/sendmail-cf/m4/cf.m4 "${D}"/etc/mail/sendmail.mc > "${D}"/etc/mail/sendmail.cf || die "cf.m4 failed";
     *
     * If you need support, post the output of `emerge --info '=mail-mta/sendmail-8.16.1::gentoo'`,
     * the complete build log and the output of `emerge -pqv '=mail-mta/sendmail-8.16.1::gentoo'`.
     * The complete build log is located at '/var/tmp/portage/mail-mta/sendmail-8.16.1/temp/build.log'.
     * The ebuild environment file is located at '/var/tmp/portage/mail-mta/sendmail-8.16.1/temp/environment'.
     * Working directory: '/var/tmp/portage/mail-mta/sendmail-8.16.1/work/sendmail-8.16.1'
     * S: '/var/tmp/portage/mail-mta/sendmail-8.16.1/work/sendmail-8.16.1'

I wonder if mail-mta/sendmail-8.16.1 expects sendmail to be installed to provide /usr/share/sendmail-cf/m4/cf.m4? I removed the previous version due to collision with now required libmilter.

BTW: what is the reason for requiring sys-libs/db:6.0? The previous ebuild has >=sys-libs/db-3.2 and RELEASE_NOTES does not state anything about 6.0 being now required.

(In reply to Krzysztof Olędzki from comment #4)
> The new ebuild - sendmail-8.16.1.ebuild does not work for me and the update
> also broke the old build - sendmail-8.15.2-r2.ebuild.
>
> This is because instead of introducing a new
> sendmail-8.16.1-build-system.patch, the commit updated
> sendmail-8.14.6-build-system.patch, which no longer works with the previous
> version of the ebuild.
>

Fixed in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=654d9d598347aafcbfd15b9b64e26fb67b7bd506.

> Related question: it seems the update removes some sections of the patch
> regarding Makefile.m4, why?
> https://gitweb.gentoo.org/repo/gentoo.git/commit/mail-mta/sendmail/files/sendmail-8.14.6-build-system.patch?id=c97bd0e2aa41d659ac1a5f39c241c2093c7f4241

IIRC they were now upstreamed. But those shouldn't have been changed in-place.

>
> mail-mta/sendmail-8.16.1::gentoo failure:
> install -c -o root -g root -m 644 mail.local.8
> "/var/tmp/portage/mail-mta/sendmail-8.16.1/image/usr/share/man/man8/mail.
> local.8"
> make: Leaving directory
> '/var/tmp/portage/mail-mta/sendmail-8.16.1/work/sendmail-8.16.1/obj.Linux.4.
> 14.188-o1.x86_64/mail.local'
> m4:/var/tmp/portage/mail-mta/sendmail-8.16.1/image/etc/mail/sendmail.mc:3:
> cannot open `/usr/share/sendmail-cf/m4/cf.m4': No such file or directory
> * ERROR: mail-mta/sendmail-8.16.1::gentoo failed (install phase):
[...]
> I wonder if mail-mta/sendmail-8.16.1 expects sendmail to be installed to
> provide /usr/share/sendmail-cf/m4/cf.m4? I removed the previous version due
> to collision with now required libmilter.
>

I'll need to play to see if I can reproduce this.

> BTW: what is the reason for requiring sys-libs/db:6.0? The previous ebuild
> has >=sys-libs/db-3.2 and RELEASE_NOTES does not state anything about 6.0
> being now required.

I changed this back in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8db49070c8c0468e76baadb59f014e5cc69f0a4. I don't think :6.0 is needed.

I think the problem is with this change:

m4 "${D}"/usr/share/sendmail-cf/m4/cf.m4 "${D}"/etc/mail/sendmail.mc \ - > "${D}"/etc/mail/sendmail.cf + > "${D}"/etc/mail/sendmail.cf || die "cf.m4 failed"

Inside etc/mail/sendmail.mc we have:

    include(`/usr/share/sendmail-cf/m4/cf.m4')dnl

and this file does not exist so an error gets generated. Because the m4 call includes "${D}"/usr/share/sendmail-cf/m4/cf.m4" the output file can be generated correctly. However, with "|| die" condition, the build fails.

I completely understand why you added it, so maybe something like this can work:

    m4 "${D}"/usr/share/sendmail-cf/m4/cf.m4 \
        <(grep -v /usr/share/sendmail-cf/m4/cf.m4 "${D}"/etc/mail/sendmail.mc) \
        > "${D}"/etc/mail/sendmail.cf || die "cf.m4 failed"

One more thing: sendmail-8.16.1 now also supports gethostbyname2 with HAS_GETHOSTBYNAME2, would it be possible to add it?

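Review bot: On the "+" line, the added || die "cf.m4 failed" ties the install phase to m4's exit status while m4 is still fed "${D}"/etc/mail/sendmail.mc, whose include() names the absolute path /usr/share/sendmail-cf/m4/cf.m4 instead of the copy under "${D}". On a host without that file the build dies, and on a host that has it m4 reads a file outside the image directory, so sendmail.cf can pick up whatever sendmail-cf is installed rather than the version being built. Keep the die, but filter out or rewrite that include to point under "${D}" before m4 runs, as suggested in this comment and the next one.
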
Or maybe something like this:

    m4 <(sed "s#\(include(\`\)\(.*m4\)#\1${D}\2#" < "${D}"/etc/mail/sendmail.mc) \
        > "${D}"/etc/mail/sendmail.cf || die "cf.m4 failed"

Unless there is a better way to "sandbox" reads.

(In reply to Krzysztof Olędzki from comment #6)
> I completely understand why you added it, so maybe something like this can
> work:
>
> m4 "${D}"/usr/share/sendmail-cf/m4/cf.m4 \
> <(grep -v /usr/share/sendmail-cf/m4/cf.m4 "${D}"/etc/mail/sendmail.mc) \
> > "${D}"/etc/mail/sendmail.cf || die "cf.m4 failed"
>

I've added this to 8.16.1, could you see if it works now?

> One more thing: sendmail-8.16.1 now also supports gethostbyname2 with
> HAS_GETHOSTBYNAME2, would it be possible to add it?

Sure. Please try them and let me know.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bee70abcfad720bacea9273a4814bd42868ab6a

commit 7bee70abcfad720bacea9273a4814bd42868ab6a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-22 21:40:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-22 21:42:16 +0000

    mail-filter/libmilter: add -DHAS_GETHOSTBYNAME2=1

    Bug: https://bugs.gentoo.org/730890
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 mail-filter/libmilter/libmilter-1.0.2_p1-r1.ebuild | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Thank you so much Sam!

The ebuild works for me, just had to add entries to package.accept_keywords for mail-mta/sendmail and mail-filter/libmilter but I assume this is WAI.

That said, there are two small issues we may want to try to handle.

First, I had to uninstall the old version first. Due to the sendmail -> sendmail+libmilter split, libmilter is now a dependency for sendmail and is installed first. Because of this the install fails with:

     * Detected file collision(s):
     *
     * /usr/include/libmilter/mfapi.h
     * /usr/include/libmilter/mfdef.h
     * /usr/lib/libmilter.so
     *
     * Searching all installed packages for file collisions...
     *
     * Press Ctrl-C to Stop
     *
     * mail-mta/sendmail-8.15.2-r2:0::gentoo
     * /usr/include/libmilter/mfapi.h
     * /usr/include/libmilter/mfdef.h
     * /usr/lib/libmilter.so

Second issue, is that after I installed the new version, sending e-mails locally did not work:

    WARNING: RunAsUser for MSP ignored, check group ids (egid=209, want=12)
    can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=209): Permission denied
    Can't send mail: sendmail process failed with error code 71

From log message:

    sendmail[8103]: NOQUEUE: SYSERR(nagios): can not write to queue directory /var/spool/clientmqueue/ (RunAsGid=0, required=209): Permission denied

The issue is that the new version of Sendmail is more picky, and I had the following entry in /etc/passwd:

    smmsp:x:209:12:user for sendmail daemon:/dev/null:/sbin/nologin

    # grep :12: /etc/group
    mail::12:mail

Changing it into:

    smmsp:x:209:209:user for sendmail daemon:/dev/null:/sbin/nologin

... fixed the problem. I also checked that emerging acct-group/mail acct-user/mail creates the proper entry with 209:209. However, this was an old system and these entries were added long time ago, by now an ancient version of the sendmail ebuild.

I wonder if this is something we can and want to check during install and fail with an error message, so users have a chance to fix the issue, instead of ending up with a broken system which may not detect for some time. In my case, the only reason I was able to notice immediately is that I have nagios monitoring that also checks sendmail e-mails locally.

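The install-time check asked about in the comment above can be expressed as a comparison between the user's primary GID and the expected group's GID. This is an added example, not code from the ebuild or from any commenter: check_primary_group is a hypothetical helper name and the smmsp group line is constructed, while the passwd lines and the mail group line are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example (not from the ebuild): compare a user's primary GID in a
# passwd-format file with the GID of the group it is expected to use.
# check_primary_group is a hypothetical helper name.
# Usage: check_primary_group PASSWD_FILE GROUP_FILE USER GROUP
# Returns 0 on match, 1 on mismatch, 2 if the user or group entry is missing.
check_primary_group() {
    cpg_passwd=$1 cpg_group=$2 cpg_user=$3 cpg_want=$4

    # passwd field 4 is the primary GID; group field 3 is the group's GID.
    cpg_ugid=$(awk -F: -v u="$cpg_user" '$1 == u { print $4; exit }' "$cpg_passwd")
    cpg_ggid=$(awk -F: -v g="$cpg_want" '$1 == g { print $3; exit }' "$cpg_group")

    if [ -z "$cpg_ugid" ] || [ -z "$cpg_ggid" ]; then
        echo "no passwd entry for '$cpg_user' or no group entry for '$cpg_want'" >&2
        return 2
    fi
    if [ "$cpg_ugid" != "$cpg_ggid" ]; then
        # Name the group the user is actually in, so the needed fix is obvious.
        cpg_actual=$(awk -F: -v id="$cpg_ugid" '$3 == id { print $1; exit }' "$cpg_group")
        echo "$cpg_user: primary gid $cpg_ugid (${cpg_actual:-unknown})," \
             "expected $cpg_ggid ($cpg_want)" >&2
        return 1
    fi
    return 0
}

# Demo on constructed files: the old and corrected passwd entries from the
# comment, plus a constructed smmsp group line (gid 209, per "required=209").
demo_dir=$(mktemp -d)
printf '%s\n' 'smmsp:x:209:12:user for sendmail daemon:/dev/null:/sbin/nologin' \
    > "$demo_dir/passwd.old"
printf '%s\n' 'smmsp:x:209:209:user for sendmail daemon:/dev/null:/sbin/nologin' \
    > "$demo_dir/passwd.new"
printf '%s\n' 'mail::12:mail' 'smmsp:x:209:' > "$demo_dir/group"

for f in passwd.old passwd.new; do
    if check_primary_group "$demo_dir/$f" "$demo_dir/group" smmsp smmsp; then
        echo "$f: smmsp primary group is correct"
    else
        echo "$f: smmsp cannot write /var/spool/clientmqueue with this entry"
    fi
done
rm -rf "$demo_dir"
```
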
(In reply to Krzysztof Olędzki from comment #10)
> The ebuild works for me, just had to add entries to package.accept_keywords
> for mail-mta/sendmail and mail-filter/libmilter but I assume this is WAI.
>
> That said, there are two small issues we may want to try handle.

Sorry for the long wait. If available, could you give a try to the bug's linked PullRequest? Would also be good to know if any new issues you ran into since then.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca7a38d8b58e0c136bff28e536f483096f092e49

commit ca7a38d8b58e0c136bff28e536f483096f092e49
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-06-01 09:35:00 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-06-01 09:43:55 +0000

    mail-mta/sendmail: add libnsl dep for USE=nis and update other deps

    Without libnsl: rpcsvc/ypclnt.h: No such file or directory

    Require >=acct-user/smmsp-0-r2 for bug #730890

    !net-mail/vacation moved to RDEPEND, and removed pointless
    >=mailbase-0.00 already defined in both.

    Bug: https://bugs.gentoo.org/730890
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 .../{sendmail-8.16.1.ebuild => sendmail-8.16.1-r1.ebuild} | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f982cfde859486143f64b42f4864121870fef703

commit f982cfde859486143f64b42f4864121870fef703
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-06-01 09:34:59 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-06-01 09:43:54 +0000

    mail-filter/libmilter: add soft-blocker for <sendmail-8.16.1

    Needed to prevent collisions with old sendmail-provided libmilter.

    Bug: https://bugs.gentoo.org/730890
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 .../{libmilter-1.0.2_p1-r1.ebuild => libmilter-1.0.2_p1-r2.ebuild} | 2 ++
 1 file changed, 2 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8f9f5745aef6a921b7d27f0a3c92b9c67a412f7

commit a8f9f5745aef6a921b7d27f0a3c92b9c67a412f7
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-06-01 09:34:58 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-06-01 09:43:53 +0000

    acct-user/smmsp: revbump to use smmsp group

    This reverts to sendmail-8.15.2-r2 user.eclass behavior
    that never used mail group.

    Allows access to /var/spool/clientmqueue

    Bug: https://bugs.gentoo.org/730890
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 acct-user/smmsp/{smmsp-0-r1.ebuild => smmsp-0-r2.ebuild} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Unable to check for sanity: > no match for package: mail-mta/sendmail-8.16.1
I changed back smmsp to 209:12, it got corrected during reinstall:

    >>> Installing (2 of 3) acct-user/smmsp-0-r2::gentoo
     * checking 1 files for package collisions
    >>> Merging acct-user/smmsp-0-r2 to /
    --- /usr/
    --- /usr/lib/
    --- /usr/lib/sysusers.d/
    >>> /usr/lib/sysusers.d/acct-user-smmsp.conf
    >>> Safely unmerging already-installed instance...
    No package files given... Grabbing a set.
    >>> Regenerating /etc/ld.so.cache...
    >>> Original instance of package unmerged safely.
     * Updating home for user 'smmsp' ...
     * - Home: /dev/null
     * Updating groups for user 'smmsp' ...
     * - Groups: smmsp
     * Updating comment for user 'smmsp' ...
     * - Comment: user for sendmail daemon
    >>> acct-user/smmsp-0-r2 merged.

    # grep smmsp /etc/passwd
    smmsp:x:209:209:user for sendmail daemon:/dev/null:/sbin/nologin

I also tested 8.15.2-r2::gentoo -> mail-mta/sendmail-8.16.1-r1::gentoo upgrade and it worked - no collision, no need to uninstall the old version, etc.

Finally, no issues with generating default sendmail.cf.

That was my test system, I'll now upgrade the prod.

Prod, with mail-mta/sendmail-8.16.1::gentoo -> mail-mta/sendmail-8.16.1-r1::gentoo and mail-filter/libmilter/libmilter-1.0.2_p1-r1 -> mail-filter/libmilter/libmilter-1.0.2_p1-r2 also worked well. Once again, I only had to update /etc/portage/package.accept_keywords, which I believe is WAI at this point. Thank you!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=507be3b000a17265f75c2381d4badd7532f51829

commit 507be3b000a17265f75c2381d4badd7532f51829
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-07-18 01:16:51 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-07-18 01:27:28 +0000

    mail-mta/sendmail: restore keywords for 8.16.1-r1

    Minus dropped ~mips ~s390 due to libmilter

    Bug: https://bugs.gentoo.org/730890
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 mail-mta/sendmail/sendmail-8.16.1-r1.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8a2eb6b5a519f9241f60043220e5eec8831537f

commit b8a2eb6b5a519f9241f60043220e5eec8831537f
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-07-18 01:19:11 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-07-18 01:19:35 +0000

    mail-filter/libmilter: restore keywords for 1.0.2_p1-r2

    Bug: https://bugs.gentoo.org/730890
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 mail-filter/libmilter/libmilter-1.0.2_p1-r2.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Sanity check failed:

> mail-mta/sendmail-8.16.1-r1
> rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
> >=mail-filter/libmilter-1.0.2_p1-r1

All sanity-check issues have been resolved
Unable to check for sanity: > invalid use of ^ keyword on first line
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67de9fec4394930a661d450549b3ed1760fecd3b

commit 67de9fec4394930a661d450549b3ed1760fecd3b
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-08-27 21:33:47 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-08-27 21:34:37 +0000

    mail-filter/libmilter: drop old version

    Bug: https://bugs.gentoo.org/730890
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 mail-filter/libmilter/Manifest | 2 -
 .../libmilter/files/libmilter-build-system.patch | 89 ---------
 .../libmilter/files/libmilter-glibc-2.30.patch | 25 ---
 .../files/sendmail-8.14.6-build-system.patch | 211 ---------------------
 mail-filter/libmilter/libmilter-1.0.2.ebuild | 66 ------
 mail-filter/libmilter/libmilter-1.0.2_p1.ebuild | 79 --------
 6 files changed, 472 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2542b5fa54ad7471c5094910818f8c35cb284f9

commit e2542b5fa54ad7471c5094910818f8c35cb284f9
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-08-27 21:29:34 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-08-27 21:34:36 +0000

    mail-mta/sendmail: drop old version

    Bug: https://bugs.gentoo.org/730890
    Closes: https://bugs.gentoo.org/699414
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 mail-mta/sendmail/Manifest | 1 -
 mail-mta/sendmail/files/libmilter-sharedlib.patch | 55 ------
 .../files/sendmail-8.14.6-build-system.patch | 211 ---------------------
 .../files/sendmail-8.15.2-glibc-2.30.patch | 52 -----
 .../files/sendmail-8.15.2-openssl-1.1.0-fix.patch | 182 ------------------
 .../files/sendmail-starttls-multi-crl.patch | 20 --
 mail-mta/sendmail/sendmail-8.15.2-r2.ebuild | 208 --------------------
 7 files changed, 729 deletions(-)