CVE-2023-51765: sendmail through at least 8.14.7 allows SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports <LF>.<CR><LF> but some other popular e-mail servers do not.

https://www.openwall.com/lists/oss-security/2023/12/26/5 mentions:

"""
3. Mention that 8.18 fixes the problem:

Accept only CR LF . CR LF as end of an SMTP message as required by the RFCs when the new srv_features option 'o' is used.

sendmail 8.18.0.2 is available at
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz.sig
"""
https://ftp.sendmail.org/sendmail.8.18.1.tar.gz is now available:

8.18.1/8.18.1 2024/01/31

sendmail is now stricter in following the RFCs and rejects some invalid input with respect to line endings and pipelining:
- Prevent transaction stuffing by ensuring SMTP clients wait for the HELO/EHLO and DATA response before sending further SMTP commands. This can be disabled using the new srv_features option 'F'. Issue reported by Yepeng Pan and Christian Rossow from CISPA Helmholtz Center for Information Security.
- Accept only CRLF . CRLF as end of an SMTP message as required by the RFCs, which can be disabled by the new srv_features option 'O'.
- Do not accept a CR or LF except in the combination CRLF (as required by the RFCs). These checks can be disabled by the new srv_features options 'U' and 'G', respectively. In this case it is suggested to use 'u2' and 'g2' instead so the server replaces offending bare CR or bare LF with a space.
It is recommended to only turn these protections off for trusted networks due to the potential for abuse.

Full DANE support is available if OpenSSL versions 1.1.1 or 3.x are used, i.e., TLSA RR 2-x-y and 3-x-y are supported as required by RFC 7672.

OpenSSL version 3.0.x is supported. Note: OpenSSL 3 loads by default an openssl.cnf file from a location specified in the library which may cause unwanted behaviour in sendmail. Hence sendmail sets the environment variable OPENSSL_CONF to /etc/mail/sendmail.ossl to override the default. The file name can be changed by defining confOPENSSL_CNF in the mc file; using an empty value prevents setting OPENSSL_CONF. Note: referring to a file which does not exist does not cause an error.

Two new values have been added for {verify}:
"DANE_TEMP": DANE verification failed temporarily.
"DANE_NOTLS": DANE was required but STARTTLS was not offered by the server.
The default rules return a temporary error for these cases, so delivery is not attempted.

If the TLS setup code in the client fails and DANE requirements exist then {verify} will be set to "DANE_TEMP" thus preventing delivery by default.

DANE related logging has been slightly changed for clarification: "DANE configured in DNS but no STARTTLS available" changed to "DANE configured in DNS but STARTTLS not offered"

When the compile time option USE_EAI is enabled, vacation could fail to respond when it should (the code change in 8.17.2 was incomplete). Problem reported by Alex Hautequest.

If SMTPUTF8 BODY=7BIT are used as parameters for the MAIL command the parsing of UTF8 addresses could fail (USE_EAI).

If a reply to a previous RCPT was received while sending another RCPT in pipelining mode then parts of the reply could have been assigned to the wrong RCPT.

New DontBlameSendmail option CertOwner to relax requirement for certificate public and private key ownership. Based on suggestion from Marius Strobl of the FreeBSD project.

clt_features was not checked for connections via Unix domain sockets.

CONFIG: FEATURE(`enhdnsbl') did not handle multiple replies from DNS lookups thus potentially causing random "false negatives". Note: the fix creates an incompatibility: the arguments must not have a trailing dot anymore because the -a. option has been removed (as it only applies to the entire result, not individual values).

CONFIG: New FEATURE(`fips3') for basic FIPS support in OpenSSL 3.

VACATION: Add support for Return-Path header to set sender to match OpenBSD and NetBSD functionality.

VACATION: Honor RFC3834 and avoid an auto-reply if 'Auto-Submitted: no' is found in the headers to match OpenBSD and NetBSD functionality.

VACATION: Avoid an auto-reply if a 'List-Id:' is found in the headers to match OpenBSD functionality.

VACATION: Add support for $SUBJECT in .vacation.msg which is replaced with the first line of the subject of the original message to match OpenBSD and NetBSD functionality.

Portability: Add support for Darwin 23.
New Files:
cf/feature/fips3.m4
devtools/OS/Darwin.23.x
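As an added example (not sendmail's code and not part of this bug), the line-ending rules from the CVE text and the 8.18.1 notes above, in Python: a DATA scanner that accepts only CRLF . CRLF as the end of a message, counts bare CR and bare LF as the 'U'/'G' checks would, and applies the 'u2'/'g2' replace-with-space behaviour. The function names and the sample input are constructed for this illustration.

```python
# Added example, not sendmail's own code: a strict SMTP DATA scanner modelled on the
# 8.18.1 rules above: only CRLF "." CRLF ends a message; bare CR / bare LF are counted
# (to reject, as 'U'/'G' do) or replaced by a space (the 'u2'/'g2' behaviour).
import re
from dataclasses import dataclass, field

STRICT_END = b"\r\n.\r\n"
# Zero-width match before a '.' preceded by any single CR or LF and followed by any line ending.
_DOT_LINE = re.compile(rb"(?=[\r\n]\.(\r\n|\r|\n))")
_BARE_CR, _BARE_LF = re.compile(rb"\r(?!\n)"), re.compile(rb"(?<!\r)\n")

@dataclass
class DataScan:
    terminator: int                              # offset of the '.' of the RFC end-of-data, -1 if none
    bare_cr: int = 0                             # CR not followed by LF
    bare_lf: int = 0                             # LF not preceded by CR
    lenient: list = field(default_factory=list)  # offsets of '.' lines a lax server might take as the end

def scan_data(stream: bytes) -> DataScan:
    """Inspect raw bytes received after DATA. The CRLF that ended the DATA command
    is the line boundary before offset 0, so a message may begin with '.'."""
    padded = b"\r\n" + stream
    scan = DataScan(terminator=padded.find(STRICT_END))  # padded index == stream offset of '.'
    scan.bare_cr = len(_BARE_CR.findall(stream))
    scan.bare_lf = len(_BARE_LF.findall(stream))
    for m in _DOT_LINE.finditer(padded):
        strict = padded[m.start() - 1:m.start() + 1] == b"\r\n" and m.group(1) == b"\r\n"
        if not strict:
            scan.lenient.append(m.start() - 1)           # stream offset of the '.'
    return scan

def sanitize_bare_line_endings(stream: bytes) -> bytes:
    """'u2'/'g2' behaviour: each bare CR or LF becomes a space, so a '.' that only
    looked line-initial because of a bare LF can no longer act as a terminator."""
    return _BARE_LF.sub(b" ", _BARE_CR.sub(b" ", stream))

def split_at_strict_terminator(stream: bytes):
    """Return (message, bytes after the terminator) using only CRLF "." CRLF, else None."""
    idx = (b"\r\n" + stream).find(STRICT_END)
    return None if idx < 0 else (stream[:idx], stream[idx + 3:])

# Constructed sample: a bare LF before '.' (the <LF>.<CR><LF> case from the CVE text),
# then the real CRLF "." CRLF terminator followed by the client's next command.
SAMPLE = b"Subject: constructed test\r\n\r\nfirst line\n.\r\nsecond line\r\n.\r\nQUIT\r\n"

if __name__ == "__main__":
    s = scan_data(SAMPLE)
    print(f"terminator at {s.terminator}, bare LF: {s.bare_lf}, lax '.' lines at {s.lenient}")
    print(split_at_strict_terminator(SAMPLE))
```

With the strict rule the whole sample up to offset 56 stays one message and the `\n.\r\n` at offset 40 is only reported, while after sanitizing it is no longer a line-initial dot at all.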
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2988c7148a532f78524820d0e40d96738940ea02

commit 2988c7148a532f78524820d0e40d96738940ea02
Author: Cristian Othón Martínez Vera <cfuga@cfuga.mx>
AuthorDate: 2025-04-03 16:07:35 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2025-04-10 09:32:54 +0000

mail-mta/sendmail: bump to version 8.18.1, add myself as maintainer

* Convert ```sys-libs/db``` to an optional dependency, controlled by the ```berkdb``` USE flag.
* Add ```eai``` USE flag to support optional Email Address Internationalization, like ```mail-mta/postfix```.
* Add ```tinycdb``` USE flag to compile with ```dev-db/tinycdb``` and prevent automagic linking with ```dev-db/cdb```.
* Add ```_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE```, to fix STARTTLS chain validation when the server's certificate requires intermediate certs.
* Add ```mail-filter/maildrop``` as alternative to use maildir-style mailboxes.
* Keep ```sys-libs/db``` and ```mail-filter/procmail``` as default dependencies, to allow seamless upgrades from previous versions.
* Fix compilation with gcc-15/-std=c23
* Clean up blockers.
* Fix some ebuild typos.
* Fix building with musl, using patches borrowed from ```mail-filter/libmilter```. It just compiles; needs more tweaking/debugging to make it work.

Closes: https://bugs.gentoo.org/830525
Closes: https://bugs.gentoo.org/831999
Closes: https://bugs.gentoo.org/914272
Closes: https://bugs.gentoo.org/921521
Closes: https://bugs.gentoo.org/944822
Closes: https://bugs.gentoo.org/945726
Signed-off-by: Cristian Othón Martínez Vera <cfuga@cfuga.mx>
Signed-off-by: Sam James <sam@gentoo.org>

 mail-mta/sendmail/Manifest                         |   1 +
 .../sendmail/files/sendmail-8.18.1-ctime.patch     |  13 +
 mail-mta/sendmail/files/sendmail-maildir.mc        |  13 +
 .../files/sendmail-musl-disable-cdefs.patch        |  11 +
 .../sendmail/files/sendmail-musl-stack-size.patch  |  42 ++++
 mail-mta/sendmail/metadata.xml                     |  14 +-
 mail-mta/sendmail/sendmail-8.18.1.ebuild           | 280 +++++++++++++++++++++
 7 files changed, 373 insertions(+), 1 deletion(-)