-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Proofpoint, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.17.1. It offers experimental support for SMTPUTF8 (EAI,
see RFC 6530-6533) and SMTP MTA Strict Transport Security (MTA-STS,
see RFC 8461). It also offers stricter handling of unknown commands
and those which might come from an HTTP client. This version also
has several other fixes and enhancements as listed below.

Please send bug reports and general feedback to one of the addresses
listed at: http://www.sendmail.org/email-addresses.html

The version can be found at
https://ftp.sendmail.org/sendmail.8.17.1.tar.gz
https://ftp.sendmail.org/sendmail.8.17.1.tar.gz.sig
https://ftp.sendmail.org/sendmail.8.17.1.tar.Z
https://ftp.sendmail.org/sendmail.8.17.1.tar.Z.sig

(or via ftp://ftp.sendmail.org/pub/sendmail/)

SHA-256 checksums
SHA256 (sendmail.8.17.1.tar.Z) = 6b82e7db7dd150689008406d1b8a6d1672697031c832e02e8db5ebbef9ff2ed1
SHA256 (sendmail.8.17.1.tar.Z.sig) = ea4af96b269bf5894dd107519e0d111bde15bba904a3134c509cb21d1996c96b
SHA256 (sendmail.8.17.1.tar.gz) = 04bc76b6c886e6d111be7fd8daa32b8ce00128a288b6b52e067bc29f3854a6e6
SHA256 (sendmail.8.17.1.tar.gz.sig) = 86b612ad355402b0ac96cd9561f0662b22c271827527a44fe2b28d480452b628

You either need the first two files or the third and fourth,
i.e., the gzip'ed version or the compressed version and the
corresponding sig file. The PGP signature was created using
the Sendmail Signing Key/2021, available on the web site
(http://www.sendmail.com/sm/open_source/download/) or on
the public key servers (keyid 0x4BEE1BEE).

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

SENDMAIL RELEASE NOTES

This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.17.1/8.17.1 2021/08/17
Deprecation notice: due to compatibility problems with some
third party code, we plan to finally switch from K&R
to ANSI C. If you are using sendmail on a system
which does not have a compiler for ANSI C contact us
with details as soon as possible so we can determine
how to proceed.
Experimental support for SMTPUTF8 (EAI, see RFC 6530-6533)
is available when using the compile time option USE_EAI
(see also devtools/Site/site.config.m4.sample for other
required settings) and the cf option SMTPUTF8.
If a mail submission via the command line requires
the use of SMTPUTF8, e.g., because a header uses UTF-8
encoding, but the addresses on the command line are all
ASCII, then the new option -U must be used, and
the cf option SMTPUTF8 must be set in submit.cf.
Please test and provide feedback.
Experimental support for SMTP MTA Strict Transport Security
(MTA-STS, see RFC 8461) is available when using
- the compile time option _FFR_MTA_STS (which requires
STARTTLS, MAP_REGEX, SOCKETMAP, and _FFR_TLS_ALTNAMES),
- FEATURE(sts), which implicitly sets the cf option
StrictTransportSecurity,
- postfix-mta-sts-resolver, see
https://github.com/Snawoot/postfix-mta-sts-resolver.git
New ruleset check_other which is called for all unknown SMTP
commands in the server and for commands which do not
have specific rulesets, e.g., NOOP and VERB.
New ruleset clt_features which can be used to select features
in the SMTP client per server. Currently only two
flags are available: D/M to disable DANE/MTA-STS,
respectively.
Avoid leaking session macros for an envelope between
delivery attempts to different servers. This problem
could have affected check_compat.
Avoid leaking actual SMTP replies between delivery attempts
to different servers which could cause bogus logging
of reply= entries.
Change default SMTP reply code for STARTTLS related problems
from 403 to 454 to better match the RFCs.
Fix a theoretical buffer overflow when encountering an
unknown/unsupported socket address family on an
operating system where sa_data is larger than 30
(the standard is 14). Based on patch by Toomas Soome.
Several potential memory leaks and other similar problems
(mostly in error handling code) have been fixed.
Problems reported by Tomas Korbar of RedHat.
Previously the commands GET, POST, CONNECT, or USER terminate
a connection immediately only if sent as first command.
Now this is also done if any of these is sent directly
after STARTTLS or if the 'h' option is set via
srv_features.
CDB map locking has been changed so a sendmail process which
does have a CDB map open does not block an in-place
update of the map by makemap. The simple workaround
for that problem in earlier versions is to create
the map under a different name and then move it
into place.
On some systems the rejection of a RCPT by a milter could
silently fail.
CONFIG: New FEATURE(`check_other') to provide a default
check_other ruleset.
CONFIG: FEATURE(`tls_failures') is deprecated and will be
removed in future versions because it has a fundamental
problem: it is message oriented but STARTTLS is
session oriented. For example, having multiple
RCPTs in one envelope for different destinations,
with different temporary errors, does not work
properly, as the persistent macro applies to all
RCPTs and hence implicitly to all destinations (servers).
The option TLSFallbacktoClear should be used if needed.
MAIL.LOCAL: Enhance some error messages to simplify
troubleshooting.
Portability:
Add support for Darwin 19 & 20.
NOTE: File locking using fcntl() does not interoperate
with Berkeley DB 5.x (and probably later). Use
CDB, flock() (-DHASFLOCK), or an earlier Berkeley
DB version. Problem noted by Harald Hannelius.
New Files:
cf/feature/check_other.m4
cf/feature/sts.m4
devtools/OS/Darwin.19.x
devtools/OS/Darwin.20.x
include/sm/ixlen.h
libsm/ilenx.c
libsm/lowercase.c
libsm/strcaseeq.c
libsm/t-ixlen.c
libsm/t-ixlen.sh
libsm/t-streq.c
libsm/t-streq.sh
libsm/utf8_valid.c
libsm/uxtext_unquote.c
libsm/xleni.c
libsmutil/t-lockfile.c
libsmutil/t-lockfile-0.sh
libsmutil/t-maplock-0.sh

-----BEGIN PGP SIGNATURE-----

iQIbBAEBAgAGBQJhGkQoAAoJEExm6o1L7hvuCVMP+MP1f6Ov+Df7TLbZFAKn/X4h
2YbxDE9TbxmuSH0KNo8tL393CCM+JiNT22nwHVICUSEHcl9JZtpAVVox5fSZnhVX
a7np97qlBEkMSHvUE/9cFvU6tO4f9W/kQMnW0Ok3pTzZX9djNs1gCozVUmEiuYaf
i0l6g233++6kVWxalYlvWEye7LhA6qLOAz5esRjX7tG0Sz88nvA+JdcKrf63tKBA
9CzJoRSzM47cJuawzZBEy2tHxtNFD21nxqDd3eIbW+Tgy56V4s0gZ/r+aZlAxc8+
2MbP9wXTIFDjkHbT6oWOSX5ZSKpPyxgnjA7jTIpwX7Qh5vY7NwTzNIQBYnmVeQZO
Se+J1MCIax4E9NFLol5ujj3TkYP4//n6twZPMkUf/3IyBa4KvAAVElOQ/TSIlx+K
uJLDIpH2o7ouvvPOamzZ20eOErS34gvi9p77WwXfJ3VYXkzvY1lLIbyIM03roaTE
pJqjUXqfp+9fN0VNFCPUzslYp2zevZJe3eDAnlL9Cv3M87KpEZ9A2ifWxpboWIdX
PCkiLdQFOh1Pr1NbqmyvgdYpk86evnZXecSYluZg3+xv72It4KdlSF09mm+NyCXP
mzse3twUT2Gx/hGj3vMm9QwrjjLutmzV0m57qIzM+btIkpHzBWf4D/AfIn28znwY
4Q+Epb6tTY6b0PkgCr4=
=T+jo
-----END PGP SIGNATURE-----