author Todd C. Miller <millert@cvs.openbsd.org> 2007-02-04 13:17:36 +0000
committer Todd C. Miller <millert@cvs.openbsd.org> 2007-02-04 13:17:36 +0000
commit 711499ec7ced45d0f01061c4c8685e094afc9f5a (patch)
tree 286d962cad334d6cb582057a4cbe535db6fe978f /gnu/usr.sbin/sendmail/cf
parent ec78776b871ba7b25c66902e80c5c4718d91b2cf (diff)
Update to sendmail-8.14.0. OK mbalmer@
Diffstat (limited to 'gnu/usr.sbin/sendmail/cf')
-rw-r--r-- gnu/usr.sbin/sendmail/cf/README 132
-rw-r--r-- gnu/usr.sbin/sendmail/cf/cf/knecht.mc 12
-rw-r--r-- gnu/usr.sbin/sendmail/cf/feature/access_db.m4 9
-rw-r--r-- gnu/usr.sbin/sendmail/cf/feature/badmx.m4 22
-rw-r--r-- gnu/usr.sbin/sendmail/cf/feature/block_bad_helo.m4 18
-rw-r--r-- gnu/usr.sbin/sendmail/cf/feature/dnsbl.m4 10
-rw-r--r-- gnu/usr.sbin/sendmail/cf/feature/enhdnsbl.m4 25
-rw-r--r-- gnu/usr.sbin/sendmail/cf/feature/require_rdns.m4 16
-rw-r--r-- gnu/usr.sbin/sendmail/cf/m4/proto.m4 77
-rw-r--r-- gnu/usr.sbin/sendmail/cf/m4/version.m4 6
-rw-r--r-- gnu/usr.sbin/sendmail/cf/mailer/smtp.m4 16
11 files changed, 288 insertions, 55 deletions
diff --git a/gnu/usr.sbin/sendmail/cf/README b/gnu/usr.sbin/sendmail/cf/README
index bb30698d9da..930be34162f 100644
--- a/gnu/usr.sbin/sendmail/cf/README
+++ b/gnu/usr.sbin/sendmail/cf/README
@@ -397,6 +397,9 @@ SMTP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data
that ARRIVE from an address that resolves to one of
the SMTP mailers and which are converted to MIME will
be labeled with this character set.
+SMTP_MAILER_LL [990] The maximum line length for SMTP mailers
+ (except the relay mailer).
+RELAY_MAILER_LL [2040] The maximum line length for the relay mailer.
UUCP_MAILER_PATH [/usr/bin/uux] The program used to send UUCP mail.
UUCP_MAILER_FLAGS [undefined] Flags added to UUCP mailer. Default
flags are `DFMhuU' (and `m' for uucp-new mailer,
@@ -1031,12 +1034,6 @@ ldap_routing Implement LDAP-based e-mail recipient routing according to
See the LDAP ROUTING section below for more information.
-nodns If you aren't running DNS at your site (for example,
- you are UUCP-only connected). It's hard to consider
- this a "feature", but hey, it had to go somewhere.
- Actually, as of 8.7 this is a no-op -- remove "dns" from
- the hosts service switch entry instead.
-
nullclient This is a special case -- it creates a configuration file
containing nothing but support for forwarding all mail to a
central hub via a local SMTP-based network. The argument
@@ -1241,12 +1238,15 @@ use_client_ptr If this feature is enabled then check_relay will override
versions when delay_checks was not in use. See doc/op/op.*
about check_relay, {client_name}, and {client_ptr}.
-dnsbl Turns on rejection of hosts found in an DNS based rejection
- list. The first is used as the domain in which blocked
- hosts are listed. A second argument can be used to change
- the default error message. Without that second argument,
- the error message will be
+dnsbl Turns on rejection, discarding, or quarantining of hosts
+ found in a DNS based list. The first argument is used as
+ the domain in which blocked hosts are listed. A second
+ argument can be used to change the default error message,
+ or select one of the operations `discard' and 'quarantine'.
+ Without that second argument, the error message will be
+
Rejected: IP-ADDRESS listed at SERVER
+
where IP-ADDRESS and SERVER are replaced by the appropriate
information. By default, temporary lookup failures are
ignored. This behavior can be changed by specifying a
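Review bot: the new dnsbl paragraph quotes the second operation as 'quarantine' with a straight opening quote, while `discard' beside it and the other literals in this README use the backtick form; make it `quarantine'. The text also does not say what is recorded as the quarantine reason, which the dnsbl.m4 change in this commit sets to _DNSBL_SRV_ rather than the custom message; one sentence on that would save readers from checking the m4 source.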
@@ -1485,6 +1485,70 @@ greet_pause Adds the greet_pause ruleset which enables open proxy
R$* $: $&{daemon_flags}
R$* a $* $# 0
+block_bad_helo Reject messages from SMTP clients which provide a HELO/EHLO
+ argument which is either unqualified, or is one of our own
+ names (i.e., the server name instead of the client name).
+
+require_rdns Reject mail from connecting SMTP clients without proper
+ rDNS (reverse DNS), functional gethostbyaddr() resolution.
+
+ The basic policy is to reject message with a 5xx error if
+ the IP address fails to resolve. However, if this is a
+ temporary failure, a 4xx temporary failure is returned.
+ If the look-up succeeds, but returns an apparently forged
+ value, this is treated as a temporary failure with a 4xx
+ error code.
+
+ EXCEPTIONS:
+
+ Exceptions based on access entries are discussed below.
+ Any IP address matched using $=R (the "relay-domains" file)
+ is excepted from the rules. Since we have explicitly
+ allowed relaying for this host, based on IP address, we
+ ignore the rDNS failure.
+
+ The philosophical assumption here is that most users do
+ not control their rDNS. They should be able to send mail
+ through their ISP, whether or not they have valid rDNS.
+ The class $=R, roughly speaking, contains those IP addresses
+ and address ranges for which we are the ISP, or are acting
+ as if the ISP.
+
+ If `delay_checks' is in effect (recommended), then any
+ sender who has authenticated is also excepted from the
+ restrictions. This happens because the rules produced by
+ this FEATURE() will not be applied to authenticated senders
+ (assuming `delay_checks').
+
+ ACCESS MAP ENTRIES:
+
+ Entries such as
+ Connect:1.2.3.4 OK
+ Connect:1.2 RELAY
+ will whitelist IP address 1.2.3.4, so that the rDNS
+ blocking does apply to that IP address
+
+ Entries such as
+ Connect:1.2.3.4 REJECT
+ will have the effect of forcing a temporary failure for
+ that address to be treated as a permanent failure.
+
+badmx Reject envelope sender addresses (MAIL) whose domain part
+ resolves to a "bad" MX record. By default these are
+ MX records which resolve to A records that match the
+ regular expression:
+
+ ^(127\.|10\.|0\.0\.0\.0)
+
+ This default regular expression can be overridden by
+ specifying an argument, e.g.,
+
+ FEATURE(`badmx', `^127\.0\.0\.1')
+
+ Note: this feature requires that the sendmail binary
+ has been compiled with the options MAP_REGEX and
+ DNSMAP.
+
+-------+
| HACKS |
+-------+
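Review bot: under ACCESS MAP ENTRIES for require_rdns, "so that the rDNS blocking does apply to that IP address" reads as the opposite of what a whitelist entry does; it should be "does not apply". The example also lists `Connect:1.2 RELAY' but the sentence only describes 1.2.3.4, so the effect of the prefix entry is left unexplained. Separately, the badmx entry says it rejects envelope sender addresses (MAIL), while the error strings added to proto.m4 in this commit say "recipient host"; the two should agree.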
@@ -2426,10 +2490,15 @@ definition for the database; for example
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map')
Notice: If a second argument is specified it must contain the option
-`-T<TMPF>' as shown above. The optional third and fourth parameters
-may be `skip' or `lookupdotdomain'. The former enables SKIP as
-value part (see below), the latter is another way to enable the
-feature of the same name (see above).
+`-T<TMPF>' as shown above. The optional parameters may be
+
+ `skip' enables SKIP as value part (see below).
+ `lookupdotdomain' another way to enable the feature of the
+ same name (see above).
+ `relaytofulladdress' enable entries of the form
+ To:user@example.com RELAY
+ to allow relaying to just a specific
+ e-mail address instead of an entire domain.
Remember, since /etc/mail/access is a database, after creating the text
file as described below, you must use makemap to create the database
@@ -2497,7 +2566,8 @@ The value part of the map can contain:
name is unresolvable. "Accept" does not mean
"relay", but at most acceptance for local
recipients. That is, OK allows less than RELAY.
- RELAY Accept mail addressed to the indicated domain or
+ RELAY Accept mail addressed to the indicated domain
+ (or address if `relaytofulladdress' is set) or
received from the indicated domain for relaying
through your SMTP server. RELAY also serves as
an implicit OK for the other checks.
@@ -2628,7 +2698,7 @@ maintained in DNS. To use such a database, specify
FEATURE(`dnsbl', `dnsbl.example.com')
This will cause sendmail to reject mail from any site listed in the
-DNS based blacklist. You must select an DNSB based blacklist domain
+DNS based blacklist. You must select a DNS based blacklist domain
to check by specifying an argument to the FEATURE. The default
error message is
@@ -2636,10 +2706,18 @@ error message is
where IP-ADDRESS and SERVER are replaced by the appropriate
information. A second argument can be used to specify a different
-text. By default, temporary lookup failures are ignored and hence
-cause the connection not to be rejected by the DNS based rejection
-list. This behavior can be changed by specifying a third argument,
-which must be either `t' or a full error message. For example:
+text or action. For example,
+
+ FEATURE(`dnsbl', `dnsbl.example.com', `quarantine')
+
+would quarantine the message if the client IP address is listed
+at `dnsbl.example.com'.
+
+By default, temporary lookup failures are ignored
+and hence cause the connection not to be rejected by the DNS based
+rejection list. This behavior can be changed by specifying a third
+argument, which must be either `t' or a full error message. For
+example:
FEATURE(`dnsbl', `dnsbl.example.com', `',
`"451 Temporary lookup failure for " $&{client_addr} " in dnsbl.example.com"')
@@ -4197,6 +4275,11 @@ confREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can
flag REQUIRES_DIR_FSYNC at runtime.
See sendmail/README for details.
confSHARED_MEMORY_KEY SharedMemoryKey [0] Key for shared memory.
+confSHARED_MEMORY_KEY_FILE
+ SharedMemoryKeyFile
+ [undefined] File where the
+ automatically selected key for
+ shared memory is stored.
confFAST_SPLIT FastSplit [1] If set to a value greater than
zero, the initial MX lookups on
addresses is suppressed when they
@@ -4210,6 +4293,11 @@ confMAILBOX_DATABASE MailboxDatabase [pw] Type of lookup to find
information about local mailboxes.
confDEQUOTE_OPTS - [empty] Additional options for the
dequote map.
+confMAX_NOOP_COMMANDS MaxNOOPCommands [20] Maximum number of "useless"
+ commands before the SMTP server
+ will slow down responding.
+confHELO_NAME HeloName If defined, use as name for EHLO/HELO
+ command (instead of $j).
confINPUT_MAIL_FILTERS InputMailFilters
A comma separated list of filters
which determines which filters and
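Review bot: the confHELO_NAME entry has no bracketed default, unlike confMAX_NOOP_COMMANDS just above it ([20]) and confSHARED_MEMORY_KEY_FILE earlier in this patch ([undefined]). Add "[undefined]" or "[$j]" in the same column so the table stays consistent and the fallback is visible without reading the description.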
@@ -4588,4 +4676,4 @@ M4 DIVERSIONS
8 DNS based blacklists
9 special local rulesets (1 and 2)
-$Revision: 1.25 $, Last updated $Date: 2006/08/13 13:01:48 $
+$Revision: 1.26 $, Last updated $Date: 2007/02/04 13:17:34 $
diff --git a/gnu/usr.sbin/sendmail/cf/cf/knecht.mc b/gnu/usr.sbin/sendmail/cf/cf/knecht.mc
index 9968c9827cf..7b663ba90ab 100644
--- a/gnu/usr.sbin/sendmail/cf/cf/knecht.mc
+++ b/gnu/usr.sbin/sendmail/cf/cf/knecht.mc
@@ -19,7 +19,7 @@ divert(-1)
#
divert(0)
-VERSIONID(`$Sendmail: knecht.mc,v 8.61 2005/10/06 05:56:03 ca Exp $')
+VERSIONID(`$Sendmail: knecht.mc,v 8.62 2006/09/27 19:48:59 eric Exp $')
OSTYPE(bsd4.4)
DOMAIN(generic)
@@ -30,6 +30,7 @@ define(`confHOST_STATUS_DIRECTORY', `.hoststat')
define(`confTO_ICONNECT', `10s')
define(`confTO_QUEUEWARN', `8h')
define(`confMIN_QUEUE_AGE', `27m')
+define(`confTRUSTED_USER', `smtrust')
define(`confTRUSTED_USERS', ``www listmgr'')
define(`confPRIVACY_FLAGS', ``authwarnings,noexpn,novrfy'')
@@ -42,6 +43,7 @@ define(`confCLIENT_CERT', `CERT_DIR/MYcert.pem')
define(`confCLIENT_KEY', `CERT_DIR/MYkey.pem')
define(`CYRUS_MAILER_PATH', `/usr/local/cyrus/bin/deliver')
+define(`CYRUS_MAILER_FLAGS', `fAh5@/:|')
FEATURE(`access_db')
FEATURE(`blacklist_recipients')
@@ -64,10 +66,16 @@ define(`confFAST_SPLIT', `10')
dnl # 10 runners, split into at most 15 recipients per envelope
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue, R=5, r=15, F=f')
-
dnl # enable spam assassin
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
+dnl # enable DomainKeys and DKIM
+INPUT_MAIL_FILTER(`dkim-filter', `S=unix:/var/run/smtrust/dkim.sock, F=T, T=R:2m')
+dnl INPUT_MAIL_FILTER(`dk-filter', `S=unix:/var/run/smtrust/dk.sock, F=T, T=R:2m')
+
+define(`confMILTER_MACROS_CONNECT', `j, {daemon_name}')
+define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}')
+
dnl # enable some DNSBLs
dnl FEATURE(`dnsbl', `dnsbl.sorbs.net', `"550 Mail from " $`'&{client_addr} " refused - see http://www.dnsbl.sorbs.net/"')
FEATURE(`dnsbl', `sbl-xbl.spamhaus.org', `"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/sbl/"')
diff --git a/gnu/usr.sbin/sendmail/cf/feature/access_db.m4 b/gnu/usr.sbin/sendmail/cf/feature/access_db.m4
index 886202c9b3a..8078abe9fc6 100644
--- a/gnu/usr.sbin/sendmail/cf/feature/access_db.m4
+++ b/gnu/usr.sbin/sendmail/cf/feature/access_db.m4
@@ -1,6 +1,6 @@
divert(-1)
#
-# Copyright (c) 1998-2002, 2004 Sendmail, Inc. and its suppliers.
+# Copyright (c) 1998-2002, 2004, 2006 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
@@ -10,15 +10,20 @@ divert(-1)
#
divert(0)
-VERSIONID(`$Sendmail: access_db.m4,v 8.26 2004/06/24 18:10:02 ca Exp $')
+VERSIONID(`$Sendmail: access_db.m4,v 8.27 2006/07/06 21:10:10 ca Exp $')
divert(-1)
define(`_ACCESS_TABLE_', `')
define(`_TAG_DELIM_', `:')dnl should be in OperatorChars
ifelse(lower(_ARG2_),`skip',`define(`_ACCESS_SKIP_', `1')')
ifelse(lower(_ARG2_),`lookupdotdomain',`define(`_LOOKUPDOTDOMAIN_', `1')')
+ifelse(lower(_ARG2_),`relaytofulladdress',`define(`_RELAY_FULL_ADDR_', `1')')
ifelse(lower(_ARG3_),`skip',`define(`_ACCESS_SKIP_', `1')')
ifelse(lower(_ARG3_),`lookupdotdomain',`define(`_LOOKUPDOTDOMAIN_', `1')')
+ifelse(lower(_ARG3_),`relaytofulladdress',`define(`_RELAY_FULL_ADDR_', `1')')
+ifelse(lower(_ARG4_),`skip',`define(`_ACCESS_SKIP_', `1')')
+ifelse(lower(_ARG4_),`lookupdotdomain',`define(`_LOOKUPDOTDOMAIN_', `1')')
+ifelse(lower(_ARG4_),`relaytofulladdress',`define(`_RELAY_FULL_ADDR_', `1')')
define(`_ATMPF_', `<TMPF>')dnl
dnl check whether arg contains -T`'_ATMPF_
dnl unless it is a sequence map
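Review bot: each of _ARG2_, _ARG3_ and _ARG4_ is compared against the three known option names with no else branch, so a misspelt option such as a typo in `relaytofulladdress' is silently ignored and the To:user@example.com RELAY entries simply never take effect. Consider an errprint for a non-empty argument that matches none of the three, in the style of the "*** ERROR: missing argument" check in dnsbl.m4. The nine near-identical ifelse lines would also be easier to maintain as one helper macro applied to each argument.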
diff --git a/gnu/usr.sbin/sendmail/cf/feature/badmx.m4 b/gnu/usr.sbin/sendmail/cf/feature/badmx.m4
new file mode 100644
index 00000000000..2d26331afb0
--- /dev/null
+++ b/gnu/usr.sbin/sendmail/cf/feature/badmx.m4
@@ -0,0 +1,22 @@
+divert(-1)
+#
+# Copyright (c) 2006 Sendmail, Inc. and its suppliers.
+# All rights reserved.
+#
+# By using this file, you agree to the terms and conditions set
+# forth in the LICENSE file which can be found at the top level of
+# the sendmail distribution.
+#
+#
+
+divert(0)
+VERSIONID(`$Sendmail: badmx.m4,v 1.1 2006/12/16 00:56:32 ca Exp $')
+divert(-1)
+
+define(`_BADMX_CHK_', 1)
+
+LOCAL_CONFIG
+Kmxlist bestmx -z: -T<TEMP>
+Kbadmx regex -a<BADMX> ^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$
+KdnsA dns -R A -a. -T<TEMP>
+KBadMXIP regex -a<BADMXIP> ifelse(defn(`_ARG_'), `', `^(127\.|10\.|0\.0\.0\.0)', `_ARG_')
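Review bot: in the Kbadmx regex, `^(([0-9]{1,3}\.){3}[0-9]){0,1}\.$', the last octet is a bare [0-9] and so matches exactly one digit; an MX target written as a dotted quad whose final octet has two or three digits would not be tagged <BADMX>. If the intent is to catch any IP-literal MX target as well as the lone ".", the final group should be [0-9]{1,3}. A comment above each K line stating what the map is meant to match would also help, since the file currently has none.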
diff --git a/gnu/usr.sbin/sendmail/cf/feature/block_bad_helo.m4 b/gnu/usr.sbin/sendmail/cf/feature/block_bad_helo.m4
new file mode 100644
index 00000000000..db804079ac2
--- /dev/null
+++ b/gnu/usr.sbin/sendmail/cf/feature/block_bad_helo.m4
@@ -0,0 +1,18 @@
+divert(-1)
+#
+# Copyright (c) 2006 Sendmail, Inc. and its suppliers.
+# All rights reserved.
+#
+# By using this file, you agree to the terms and conditions set
+# forth in the LICENSE file which can be found at the top level of
+# the sendmail distribution.
+#
+#
+
+divert(0)dnl
+VERSIONID(`$Sendmail: block_bad_helo.m4,v 1.1 2006/06/15 22:49:30 ca Exp $')
+divert(-1)
+
+define(`_BLOCK_BAD_HELO_', `')dnl
+RELAY_DOMAIN(`127.0.0.1')dnl
+LOCAL_DOMAIN(`[127.0.0.1]')dnl
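Review bot: enabling this feature also runs RELAY_DOMAIN(`127.0.0.1') and LOCAL_DOMAIN(`[127.0.0.1]'), which widens class $=R and class $=w as a side effect of turning on a HELO check. Neither addition is mentioned in the block_bad_helo README entry in this commit; please document it there, and add a dnl comment here explaining which rule in proto.m4 depends on each entry.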
diff --git a/gnu/usr.sbin/sendmail/cf/feature/dnsbl.m4 b/gnu/usr.sbin/sendmail/cf/feature/dnsbl.m4
index d76727eae3e..d5f348de19b 100644
--- a/gnu/usr.sbin/sendmail/cf/feature/dnsbl.m4
+++ b/gnu/usr.sbin/sendmail/cf/feature/dnsbl.m4
@@ -1,6 +1,6 @@
divert(-1)
#
-# Copyright (c) 1998-2002, 2005, 2006 Sendmail, Inc. and its suppliers.
+# Copyright (c) 1998-2002, 2005-2007 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
@@ -12,7 +12,7 @@ divert(-1)
ifdef(`DNSBL_MAP', `', `define(`DNSBL_MAP', `dns -R A')')
divert(0)
ifdef(`_DNSBL_R_',`dnl',`dnl
-VERSIONID(`$Sendmail: dnsbl.m4,v 8.32 2006/03/29 22:50:16 ca Exp $')
+VERSIONID(`$Sendmail: dnsbl.m4,v 8.33 2007/01/05 18:49:29 ca Exp $')
define(`_DNSBL_R_',`')
ifelse(defn(`_ARG_'), `',
`errprint(`*** ERROR: missing argument for FEATURE(`dnsbl')')')
@@ -31,5 +31,9 @@ R<?>OK $: OKSOFAR
ifelse(len(X`'_ARG3_),`1',
`R<?>$+<TMP> $: TMPOK',
`R<?>$+<TMP> $#error $@ 4.4.3 $: _DNSBL_MSG_TMP_')
-R<?>$+ $#error $@ 5.7.1 $: _DNSBL_MSG_
+ifelse(`X'_ARG2_,`Xquarantine',
+`R<?>$+ $#error $@ quarantine $: _DNSBL_SRV_',
+`X'_ARG2_,`Xdiscard',
+`R<?>$+ $#discard $: _DNSBL_SRV_',
+`R<?>$+ $#error $@ 5.7.1 $: _DNSBL_MSG_')
divert(-1)
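Review bot: the new ifelse compares `X'_ARG2_ against `Xquarantine' and `Xdiscard' exactly, so `Quarantine' or `DISCARD' falls through to the default branch and is emitted as the 5.7.1 rejection path instead of being acted on. access_db.m4 in this same commit matches its option names through lower(); doing the same here would make the two features behave alike. The quoting form `X'_ARG2_ also differs from the X`'_ARG3_ form used three lines above and from enhdnsbl.m4; pick one.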
diff --git a/gnu/usr.sbin/sendmail/cf/feature/enhdnsbl.m4 b/gnu/usr.sbin/sendmail/cf/feature/enhdnsbl.m4
index 419a5ea669f..fe24420a19e 100644
--- a/gnu/usr.sbin/sendmail/cf/feature/enhdnsbl.m4
+++ b/gnu/usr.sbin/sendmail/cf/feature/enhdnsbl.m4
@@ -1,6 +1,6 @@
divert(-1)
#
-# Copyright (c) 2000-2002, 2005, 2006 Sendmail, Inc. and its suppliers.
+# Copyright (c) 2000-2002, 2005-2007 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
@@ -13,7 +13,7 @@ ifelse(defn(`_ARG_'), `',
`errprint(`*** ERROR: missing argument for FEATURE(`enhdnsbl')')')
divert(0)
ifdef(`_EDNSBL_R_',`dnl',`dnl
-VERSIONID(`$Sendmail: enhdnsbl.m4,v 1.11 2006/03/31 19:56:16 ca Exp $')
+VERSIONID(`$Sendmail: enhdnsbl.m4,v 1.12 2007/01/08 18:22:05 ca Exp $')
LOCAL_CONFIG
define(`_EDNSBL_R_',`')dnl
# map for enhanced DNS based blacklist lookups
@@ -21,9 +21,16 @@ Kednsbl dns -R A -a. -T<TMP> -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5')
')
divert(-1)
define(`_EDNSBL_SRV_', `_ARG_')dnl
-define(`_EDNSBL_MSG_', `ifelse(len(X`'_ARG2_),`1',`"550 Rejected: " $`'&{client_addr} " listed at '_EDNSBL_SRV_`"',`_ARG2_')')dnl
+define(`_EDNSBL_MSG_',
+ `ifelse(len(X`'_ARG2_),`1',`"550 Rejected: " $`'&{client_addr} " listed at '_EDNSBL_SRV_`"',
+ X`'_ARG2_,`Xquarantine',`_EDNSBL_SRV_',
+ `_ARG2_')')dnl
define(`_EDNSBL_MSG_TMP_', `ifelse(_ARG3_,`t',`"451 Temporary lookup failure of " $`'&{client_addr} " at '_EDNSBL_SRV_`"',`_ARG3_')')dnl
define(`_EDNSBL_MATCH_', `ifelse(len(X`'_ARG4_),`1',`$`'+',_ARG4_)')dnl
+define(`_EDNSBL_ACTION_',
+ `ifelse(X`'_ARG2_,`Xquarantine',`$`'#error $`'@ quarantine',
+ X`'_ARG2_,`Xdiscard',`$`'#discard',
+ `$`'#error $`'@ 5.7.1')')dnl
divert(8)
# DNS based IP address spam list _EDNSBL_SRV_
R$* $: $&{client_addr}
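Review bot: _EDNSBL_MSG_ gets a special case for `quarantine' but not for `discard', so with FEATURE(`enhdnsbl', ..., `discard') it falls through to `_ARG2_' and the generated rule ends in "$#discard $: discard". dnsbl.m4 in this commit emits "$#discard $: _DNSBL_SRV_" for the same option. Add an X`'_ARG2_,`Xdiscard',`_EDNSBL_SRV_' branch to _EDNSBL_MSG_ so both features produce the same output, and note the new second-argument values in the enhdnsbl README entry, which this commit does not touch.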
@@ -32,15 +39,15 @@ R<?>OK $: OKSOFAR
ifelse(len(X`'_ARG3_),`1',
`R<?>$+<TMP> $: TMPOK',
`R<?>$+<TMP> $#error $@ 4.4.3 $: _EDNSBL_MSG_TMP_')
-R<?>_EDNSBL_MATCH_ $#error $@ 5.7.1 $: _EDNSBL_MSG_
+R<?>_EDNSBL_MATCH_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_
ifelse(len(X`'_ARG5_),`1',`dnl',
-`R<?>_ARG5_ $#error $@ 5.7.1 $: _EDNSBL_MSG_')
+`R<?>_ARG5_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_')
ifelse(len(X`'_ARG6_),`1',`dnl',
-`R<?>_ARG6_ $#error $@ 5.7.1 $: _EDNSBL_MSG_')
+`R<?>_ARG6_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_')
ifelse(len(X`'_ARG7_),`1',`dnl',
-`R<?>_ARG7_ $#error $@ 5.7.1 $: _EDNSBL_MSG_')
+`R<?>_ARG7_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_')
ifelse(len(X`'_ARG8_),`1',`dnl',
-`R<?>_ARG8_ $#error $@ 5.7.1 $: _EDNSBL_MSG_')
+`R<?>_ARG8_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_')
ifelse(len(X`'_ARG9_),`1',`dnl',
-`R<?>_ARG9_ $#error $@ 5.7.1 $: _EDNSBL_MSG_')
+`R<?>_ARG9_ _EDNSBL_ACTION_ $: _EDNSBL_MSG_')
divert(-1)
diff --git a/gnu/usr.sbin/sendmail/cf/feature/require_rdns.m4 b/gnu/usr.sbin/sendmail/cf/feature/require_rdns.m4
new file mode 100644
index 00000000000..62aee8a0095
--- /dev/null
+++ b/gnu/usr.sbin/sendmail/cf/feature/require_rdns.m4
@@ -0,0 +1,16 @@
+divert(-1)
+#
+# Copyright (c) 2006 Sendmail, Inc. and its suppliers.
+# All rights reserved.
+#
+# By using this file, you agree to the terms and conditions set
+# forth in the LICENSE file which can be found at the top level of
+# the sendmail distribution.
+#
+#
+
+divert(0)dnl
+VERSIONID(`$Sendmail: require_rdns.m4,v 1.1 2006/06/15 22:49:30 ca Exp $')
+divert(-1)
+
+define(`_REQUIRE_RDNS_', `')
diff --git a/gnu/usr.sbin/sendmail/cf/m4/proto.m4 b/gnu/usr.sbin/sendmail/cf/m4/proto.m4
index 5aa0753d51e..1a8d652d712 100644
--- a/gnu/usr.sbin/sendmail/cf/m4/proto.m4
+++ b/gnu/usr.sbin/sendmail/cf/m4/proto.m4
@@ -13,7 +13,7 @@ divert(-1)
#
divert(0)
-VERSIONID(`$Sendmail: proto.m4,v 8.719 2006/03/30 20:50:13 ca Exp $')
+VERSIONID(`$Sendmail: proto.m4,v 8.726 2007/01/04 18:27:46 ca Exp $')
# level CF_LEVEL config file format
V`'CF_LEVEL/ifdef(`VENDOR_NAME', `VENDOR_NAME', `Berkeley')
@@ -396,12 +396,11 @@ _OPTION(FastSplit, `confFAST_SPLIT', `1')
# queue directory
O QueueDirectory=ifdef(`QUEUE_DIR', QUEUE_DIR, `/var/spool/mqueue')
-# key for shared memory; 0 to turn off
+# key for shared memory; 0 to turn off, -1 to auto-select
_OPTION(SharedMemoryKey, `confSHARED_MEMORY_KEY', `0')
-ifdef(`confSHARED_MEMORY_KEY_FILE', `dnl
-# file to store key for shared memory (if SharedMemoryKey = -1)
-O SharedMemoryKeyFile=confSHARED_MEMORY_KEY_FILE')
+# file to store auto-selected key for shared memory (SharedMemoryKey = -1)
+_OPTION(SharedMemoryKeyFile, `confSHARED_MEMORY_KEY_FILE', `')
# timeouts (many of these)
_OPTION(Timeout.initial, `confTO_INITIAL', `5m')
@@ -452,7 +451,7 @@ _OPTION(DontPruneRoutes, `confDONT_PRUNE_ROUTES', `False')
_OPTION(SuperSafe, `confSAFE_QUEUE', `True')
# status file
-O StatusFile=ifdef(`STATUS_FILE', `STATUS_FILE', `MAIL_SETTINGS_DIR`'statistics')
+_OPTION(StatusFile, `STATUS_FILE')
# time zone handling:
# if undefined, use system default
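Review bot: the removed StatusFile line fell back to MAIL_SETTINGS_DIR`'statistics when STATUS_FILE was undefined, while the replacement _OPTION(StatusFile, `STATUS_FILE') passes no default at all. Unless STATUS_FILE is now given a default somewhere outside this diff, configurations that relied on the implicit path stop getting a StatusFile setting in the generated cf. Please confirm where the default now comes from and keep the fallback as the third argument if there is none.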
@@ -669,6 +668,12 @@ _OPTION(DHParameters, `confDH_PARAMETERS', `')
# Random data source (required for systems without /dev/urandom under OpenSSL)
_OPTION(RandFile, `confRAND_FILE', `')
+# Maximum number of "useless" commands before slowing down
+_OPTION(MaxNOOPCommands, `confMAX_NOOP_COMMANDS', `20')
+
+# Name to use for EHLO (defaults to $j)
+_OPTION(HeloName, `confHELO_NAME')
+
############################
`# QUEUE GROUP DEFINITIONS #'
############################
@@ -1782,6 +1787,14 @@ ifdef(`_CONN_CONTROL_IMMEDIATE_',`',`dnl
dnl workspace: ignored...
R$* $: $>"ConnControl" dummy')', `dnl')
undivert(8)
+ifdef(`_REQUIRE_RDNS_', `dnl
+R$* $: $&{client_addr} $| $&{client_resolve}
+R$=R $* $@ RELAY We relay for these
+R$* $| OK $@ OK Resolves.
+R$* $| FAIL $#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
+R$* $| TEMP $#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
+R$* $| FORGED $#error $@ 4.1.8 $: 451 Possibly forged hostname for $1
+', `dnl')
######################################################################
### check_mail -- check SMTP ``MAIL FROM:'' command argument
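Review bot: the three $#error texts in the _REQUIRE_RDNS_ block ("550 Fix reverse DNS for $1" and the two 451 lines) are unquoted, whereas the check_mail and block_bad_helo rules in this same file quote their message strings; quote them for consistency. The block also has no dnl comment describing the workspace or where it runs relative to the access map lookup, although the README describes Connect: OK, RELAY and REJECT entries changing its behaviour. A two-line comment stating that would make the exemptions reviewable from the rules themselves.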
@@ -1907,7 +1920,7 @@ R<? $+> $* $#error $@ 5.5.4 $: "_CODE553 Domain name required for sender addres
...remote is not')
# check results
R<?> $* $: @ $1 mark address: nothing known about it
-R<$={ResOk}> $* $@ <_RES_OK_> domain ok: stop
+R<$={ResOk}> $* $: @ $2 domain ok
R<TEMP> $* $#error $@ 4.1.8 $: "451 Domain of sender address " $&f " does not resolve"
R<PERM> $* $#error $@ 5.1.8 $: "_CODE553 Domain of sender address " $&f " does not exist"
ifdef(`_ACCESS_TABLE_', `dnl
@@ -1922,6 +1935,34 @@ ifdef(`_ATMPF_', `R<_ATMPF_> $* $#error $@ 4.3.0 $: "451 Temporary system failu
dnl generic error from access map
R<$+> $* $#error $: $1 error from access db',
`dnl')
+dnl workspace: @ CanonicalAddress (i.e. address in canonical form localpart<@host>)
+
+ifdef(`_BADMX_CHK_', `dnl
+R@ $*<@$+>$* $: $1<@$2>$3 $| $>BadMX $2
+R$* $| $#$* $#$2
+
+SBadMX
+# Look up MX records and ferret away a copy of the original address.
+# input: domain part of address to check
+R$+ $:<MX><$1><:$(mxlist $1$):><:>
+# workspace: <MX><domain><: mxlist-result $><:>
+R<MX><$+><:$*<TEMP>:><$*> $#error $@ 4.1.2 $: "450 MX lookup failure for "$1
+# workspace: <MX> <original destination> <unchecked mxlist> <checked mxlist>
+# Recursively run badmx check on each mx.
+R<MX><$*><:$+:$*><:$*> <MX><$1><:$3><: $4 $(badmx $2 $):>
+# See if any of them fail.
+R<MX><$*><$*><$*<BADMX>:$*> $#error $@ 5.1.2 $:"550 Illegal MX record for recipient host "$1
+# Reverse the mxlists so we can use the same argument order again.
+R<MX><$*><$*><$*> $:<MX><$1><$3><$2>
+R<MX><$*><:$+:$*><:$*> <MX><$1><:$3><:$4 $(dnsA $2 $) :>
+
+# Reverse the lists so we can use the same argument order again.
+R<MX><$*><$*><$*> $:<MX><$1><$3><$2>
+R<MX><$*><:$+:$*><:$*> <MX><$1><:$3><:$4 $(BadMXIP $2 $) :>
+
+R<MX><$*><$*><$*<BADMXIP>:$*> $#error $@ 5.1.2 $:"550 Invalid MX record for recipient host "$1',
+`dnl')
+
######################################################################
### check_rcpt -- check SMTP ``RCPT TO:'' command argument
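Review bot: both BadMX rejection strings say "recipient host" ("550 Illegal MX record for recipient host", "550 Invalid MX record for recipient host"), but the ruleset is called from check_mail on the sender domain and the README describes it as rejecting envelope sender addresses; the wording should say sender domain. Also, only the mxlist lookup has a <TEMP> rule: the dnsA map is declared with -T<TEMP> in badmx.m4, yet no rule here handles a temporary failure from $(dnsA ...$), so that marker stays in the list and is passed on to the BadMXIP lookup. Either add a matching 4.1.2 rule or strip the marker explicitly.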
@@ -2312,6 +2353,7 @@ ifdef(`_SPAM_HATER_',
R<HATER> $+ $: $1 spam hater: continue checks
R<$*> $+ $@ $>"Delay_TLS_Clt2" NOSPAMHATER everyone else: stop
dnl',`dnl')
+
dnl run further checks: check_mail
dnl should we "clean up" $&f?
ifdef(`_FFR_MAIL_MACRO',
@@ -2325,6 +2367,27 @@ R$* $| $#$* $#$2
R$* $| $* $: $1
', `dnl')
+ifdef(`_BLOCK_BAD_HELO_', `dnl
+R$* $: $1 $| <$&{auth_authen}> Get auth info
+dnl Bypass the test for users who have authenticated.
+R$* $| <$+> $: $1 skip if auth
+R$* $| <$*> $: $1 $| <$&{client_addr}> [$&s] Get connection info
+dnl Bypass for local clients -- IP address starts with $=R
+R$* $| <$=R $*> [$*] $: $1 skip if local client
+dnl Bypass a "sendmail -bs" session, which use 0 for client ip address
+R$* $| <0> [$*] $: $1 skip if sendmail -bs
+dnl Reject our IP - assumes "[ip]" is in class $=w
+R$* $| <$*> $=w $#error $@ 5.7.1 $:"550 bogus HELO name used: " $&s
+dnl Reject our hostname
+R$* $| <$*> [$=w] $#error $@ 5.7.1 $:"550 bogus HELO name used: " $&s
+dnl Pass anything else with a "." in the domain parameter
+R$* $| <$*> [$+.$+] $: $1 qualified domain ok
+dnl Reject if there was no "." or only an initial or final "."
+R$* $| <$*> [$*] $#error $@ 5.7.1 $:"550 bogus HELO name used: " $&s
+dnl Clean up the workspace
+R$* $| $* $: $1
+', `dnl')
+
ifdef(`_ACCESS_TABLE_', `dnl', `divert(-1)')
######################################################################
### F: LookUpFull -- search for an entry in access database
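Review bot: the final reject rule in the _BLOCK_BAD_HELO_ block matches `[$*]', which also covers an empty $&s, so a session that reaches this ruleset without having sent HELO or EHLO gets "550 bogus HELO name used: " followed by nothing. The README entry only mentions unqualified names and our own names. Either document that a missing HELO is rejected too, or add a rule for `[]' with its own message. The comment "Bypass a sendmail -bs session, which use 0" should read "which uses 0".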
diff --git a/gnu/usr.sbin/sendmail/cf/m4/version.m4 b/gnu/usr.sbin/sendmail/cf/m4/version.m4
index 16ba024d2e0..58424b65fa1 100644
--- a/gnu/usr.sbin/sendmail/cf/m4/version.m4
+++ b/gnu/usr.sbin/sendmail/cf/m4/version.m4
@@ -1,6 +1,6 @@
divert(-1)
#
-# Copyright (c) 1998-2006 Sendmail, Inc. and its suppliers.
+# Copyright (c) 1998-2007 Sendmail, Inc. and its suppliers.
# All rights reserved.
# Copyright (c) 1983 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
@@ -11,8 +11,8 @@ divert(-1)
# the sendmail distribution.
#
#
-VERSIONID(`$Sendmail: version.m4,v 8.150.2.8 2006/07/26 17:24:02 ca Exp $')
+VERSIONID(`$Sendmail: version.m4,v 8.169 2007/01/31 19:00:43 ca Exp $')
#
divert(0)
# Configuration version number
-DZ8.13.8`'ifdef(`confCF_VERSION', `/confCF_VERSION')
+DZ8.14.0`'ifdef(`confCF_VERSION', `/confCF_VERSION')
diff --git a/gnu/usr.sbin/sendmail/cf/mailer/smtp.m4 b/gnu/usr.sbin/sendmail/cf/mailer/smtp.m4
index 0259481541e..69c914189dc 100644
--- a/gnu/usr.sbin/sendmail/cf/mailer/smtp.m4
+++ b/gnu/usr.sbin/sendmail/cf/mailer/smtp.m4
@@ -1,6 +1,6 @@
PUSHDIVERT(-1)
#
-# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers.
+# Copyright (c) 1998-2001, 2006 Sendmail, Inc. and its suppliers.
# All rights reserved.
# Copyright (c) 1983 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
@@ -13,6 +13,8 @@ PUSHDIVERT(-1)
#
_DEFIFNOT(`_DEF_SMTP_MAILER_FLAGS', `mDFMuX')
_DEFIFNOT(`SMTP_MAILER_FLAGS',`')
+_DEFIFNOT(`SMTP_MAILER_LL',`990')
+_DEFIFNOT(`RELAY_MAILER_LL',`2040')
_DEFIFNOT(`RELAY_MAILER_FLAGS', `SMTP_MAILER_FLAGS')
ifdef(`SMTP_MAILER_ARGS',, `define(`SMTP_MAILER_ARGS', `TCP $h')')
ifdef(`ESMTP_MAILER_ARGS',, `define(`ESMTP_MAILER_ARGS', `TCP $h')')
@@ -29,7 +31,7 @@ POPDIVERT
### SMTP Mailer specification ###
#####################################
-VERSIONID(`$Sendmail: smtp.m4,v 8.64 2001/04/03 01:52:54 gshapiro Exp $')
+VERSIONID(`$Sendmail: smtp.m4,v 8.65 2006/07/12 21:08:10 ca Exp $')
#
# common sender and masquerading recipient rewriting
@@ -105,18 +107,18 @@ SMasqRelay
R$+ $: $>MasqSMTP $1
R$+ $: $>MasqHdr $1
-Msmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, SMTP_MAILER_FLAGS), `SMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990,
+Msmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, SMTP_MAILER_FLAGS), `SMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=SMTP_MAILER_LL,
_OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP,_SMTP_QGRP
A=SMTP_MAILER_ARGS
-Mesmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a', SMTP_MAILER_FLAGS), `ESMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990,
+Mesmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a', SMTP_MAILER_FLAGS), `ESMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=SMTP_MAILER_LL,
_OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP,_ESMTP_QGRP
A=ESMTP_MAILER_ARGS
-Msmtp8, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `8', SMTP_MAILER_FLAGS), `SMTP8'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990,
+Msmtp8, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `8', SMTP_MAILER_FLAGS), `SMTP8'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=SMTP_MAILER_LL,
_OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP,_SMTP8_QGRP
A=SMTP8_MAILER_ARGS
-Mdsmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a%', SMTP_MAILER_FLAGS), `DSMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990,
+Mdsmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a%', SMTP_MAILER_FLAGS), `DSMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=SMTP_MAILER_LL,
_OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP,_DSMTP_QGRP
A=DSMTP_MAILER_ARGS
-Mrelay, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a8', RELAY_MAILER_FLAGS), `RELAY'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `MasqSMTP/MasqRelay', `MasqSMTP'), E=\r\n, L=2040,
+Mrelay, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a8', RELAY_MAILER_FLAGS), `RELAY'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `MasqSMTP/MasqRelay', `MasqSMTP'), E=\r\n, L=RELAY_MAILER_LL,
_OPTINS(`RELAY_MAILER_CHARSET', `C=', `, ')_OPTINS(`RELAY_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')T=DNS/RFC822/SMTP,_RELAY_QGRP
A=RELAY_MAILER_ARGS