                DK-MILTER RELEASE NOTES
        $Id: RELEASE_NOTES,v 1.155 2007/05/31 20:24:40 msk Exp $

This listing shows the versions of the dk-milter package, the date of
release, and a summary of the changes in that release.

Bug and feature request (RFE) numbers that start with "SF" were logged via
Sourceforge (http://www.sourceforge.net) trackers.  Those not so labelled
were logged internally at Sendmail, Inc.

0.6.0           2007/05/31
        Fix bug #SF1728696: Repair message corruption occurring when a
          message body spans multiple milter writes.  Reported by
          Eric Singer.
        Patch #SF1705006: Fix X-header malformation.
        LIBAR: Fix bug #SF1537457: Add proper support for IPv6
          nameservers.  Reported by Mark Martinec.
        BUILD: Copy the consolidated build system from the dkim-milter
          package.
        Activate the following FFRs:
          _FFR_LOG_SSL_ERRORS
          _FFR_QUARANTINE
          _FFR_REPORTINFO

0.5.0           2007/04/10
        Copy several enhancements from the latest dkim-milter update:
          o Support for 8.14 (milter v2) and the leading space patch
            from dkim-milter.
          o Fixes/enhancements under POPAUTH.
          o Pass the correct length variable to RSA_sign() so that the
            value returned is sane on 64-bit platforms.
          o _FFR_ANTICIPATE_SENDMAIL_MUNGE
          o Feature request #SF1497801: _FFR_QUARANTINE
        Fix bug #SF1541450: Correct header selection in dk_hdrsigned().
          Reported by Mark Martinec.
        LIBDK: Fix bug #SF1537918: Add dk_geterror() to retrieve
          additional diagnostic data from the API when a function call
          returns DK_STAT_INTERNAL or something else whose cause isn't
          readily apparent.  Copied from libdkim.
        LIBAR: Block signals that should be caught and handled elsewhere,
          such as in libmilter.

0.4.2           2007/03/13
        Fix bug #SF1509093, SF1611082: Set group ID as well as user ID
          when "-u" is used on the command line.  Patch from
          Vincent Rivellino.
        Fix bug #SF1514447: Re-query for the job ID in mlfi_eom() to
          accommodate postfix's milter implementation.  Copied from
          dkim-filter; requested by Jakob Schlyter.
        Fix bug #SF1541439: Fix mis-canonicalization of skipped headers
          in "nofws" mode.
          Reported by Mark Martinec.
        Fix bug #SF1541789: Stop spurious syntax errors on unsigned
          messages.  Problem reported by S. Moonesamy of Eland Systems.

0.4.1           2006/06/14
        LIBDK: Properly handle key and policy records that don't have
          whitespace after semicolons.
        LIBDK: In dk_eom(), return DK_STAT_SYNTAX if dk_skipbody is set.
          Failing to do so means a message with a signature header below
          which there is no sender header will report a bogus success
          status.  Problem noted by Lennert Buytenhek.

0.4.0           2006/05/19
        Remove spurious CRLFs injected into canonicalization when
          multiple body chunks arrive from the MTA.  Patch from
          Suzuki Takahiko of Internet Initiative Japan, Inc.
        If _FFR_REPORTINFO is enabled, don't call dkf_report() if no
          DomainKeys context was ever created for a message.
        Simplify dk_sterilize() a little, and handle failures from it.
          Problem reported by Fredrik Pettai.
        RFC2822 doesn't require any recipient headers, so remove those
          checks inside _FFR_REQUIRED_HEADERS.
        Fix bug #SF1485119: Canonicalize in the correct order when not
          using "-H" on the command line.  Problem noted by S. Moonesamy
          of Eland Systems.
        Activate _FFR_MACRO_LIST and _FFR_EXTERNAL_IGNORE_LIST.
        LIBDK: New flag DK_OPTS_HDRLIST for dk_options().

0.3.4           2006/05/02
        If _FFR_REPORTINFO is enabled, send reports on all failures, not
          just those which aren't in test mode.
        Ignore unknown tags in keys and policies, rather than returning
          an error.
        LIBDK: Return an error if the signing function returned success
          but also reported a zero-length signature.  Reported by
          S. Moonesamy of Eland Systems.
        LIBAR: Add a timeout to the I/O wait so that retransmissions
          actually get done while waiting for activity.

0.3.3           2006/03/13
        Fix test mode check at the end of mlfi_eom(), which was
          overriding any configuration settings from the command line.
          Reported by Arkadi Poliakevitch of Invidi Technologies.
        Copy the value of -C before parsing it so the output of "ps"
          doesn't get munged.
          Reported by Arkadi Poliakevitch of Invidi Technologies.
        Fix "-o", which wasn't actually working at all.  Reported by
          Ben Lentz.
        Add _FFR_LOG_SSL_ERRORS which sends to syslog errors reported by
          the OpenSSL libraries.

0.3.2           2005/12/12
        Patch a small but definite memory leak.  Reported by Ray Krebs
          of eBay.

0.3.1           2005/12/02
        Tolerate "b=" in signature headers at places other than the end
          of the signature (and, in fact, other things at the end of the
          signature).  Reported by Jason Long.  (Bug SF1234164)
        Don't reject or report about messages which fail verification
          when the sending domain advertises that it's in test mode.
          Patch from Adrian Havill.
        Fixes to POPAUTH compilation from S. Moonesamy of Eland Systems.
        Allow "-d" to specify a list from which domains should be read,
          and allow wildcarding in domain names.  Requested by Ray Krebs
          of eBay.  (Feature request SF1312453)
        Add "-o" command line option to allow certain headers to be
          omitted from signing operations.  Suggested by Ben Lentz.
          (Feature request SF1314350)
        LIBAR: Fix a build issue introduced in the last release.

0.3.0           2005/04/28
        Properly terminate pointer arrays built from command line
          arguments.  Problem noted by Dick St. Peters of NetHeaven.
        Adjust position of optional domain name comment on output from
          gentxt.csh.  Requested by Scott Grayban.  (RFE SF1051288)
        Pass mail that has no From: header or Sender: header.
          Previously only the From: header was checked.
        Correctly report which header and value was used to do
          verification.  Reported by S. Moonesamy of Eland Systems.
          (Bug SF1181850)
        Support for Sleepycat DB version 4.  Based on a patch from
          Adrian D. Havill.
        Do a better job passing error information up from libar to the
          calling functions and logging it.  To this end, add the
          DK_DEBUG "d" flag which causes libdk to log errors reported by
          libar.
        Activate _FFR_AUTH_RESULTS, to match the new DomainKeys draft.
        Activate _FFR_POPAUTH; now you compile with POPAUTH, and make
          sure the build can find the appropriate includes and
          libraries.  This also adds the "-U" command line option to
          specify the location of the POP-before-SMTP database.
        LIBAR: Make a more concerted effort to report errors up to
          callers.

0.2.7           2005/03/11
        Detect senders without domain names (e.g. "postmaster@") and
          reject them.
        LIBAR: Fix up some linked list shenanigans that could cause
          loops and other problems.

0.2.6           2005/02/11
        Ignore spaces in wrapped "h=" sections of signature headers.

0.2.5           2005/02/07
        Output long "h=" sections of signature headers in a more
          palatable way.  (RFE SF1086264)
        Add new "-b" command line switch for limiting the filter to sign
          or verify only operations.  (RFE SF1077832)

0.2.4           2004/12/08
        Add new "-T" command line switch for controlling DNS timeouts
          when using the asynchronous resolver package.
        Fix policy record parsing so that values aren't skipped when
          they end at a NULL rather than a semi-colon.
        Discard "unknown-msgid" logging or header values, since it's
          actually the absence of the job ID being logged.
          (RFE SF1071960)
        Update the Authentication-Results: header content to match the
          current specification.  (_FFR_AUTH_RESULTS)
        LIBDK: Improved handling of syntax errors and NULL-terminated
          values in zone records, and some size and NULL checks.
          Patch from shoon@dreamwiz.com.
        LIBDK: Only parse the first DomainKey-Signature: header found.
          Patch from shoon@dreamwiz.com.
        LIBDK: Return a "can't verify" error from dk_eoh() if the
          signer's domain could not be determined from the headers.
          Patch from shoon@dreamwiz.com.
        LIBDK: Add dk_options(), which is required to get
          _FFR_REPORTINFO working.
        LIBDK: Add dk_timeout() for new "-T" command line switch.
        Portability: Fixes for Solaris 10 (and earlier).  Machine access
          courtesy of J.D. Bronson of Aurora Health Care Information
          Services.
          (Bug SF1068155)
        New FFR:
          REPORTINFO -- if a site policy contains a reporting address
            ("r=" parameter), optionally send reports about verification
            failures to that address

0.2.3           2004/10/22
        Add optional command line argument to gentxt.csh to include a
          domain name comment on output.  Requested by Scott Grayban.
          (RFE SF1051288)
        More strict command line argument parsing.
        Fix a linked list problem that would cause the filter to spin on
          startup.  Reported by Scott Grayban.  (_FFR_MULTIPLE_KEYS)
        Fixes to subdomain signing from Thorvald Natvig.
          (Patch SF1050425)
        LIBDK: Call res_init() in dk_init() if not using the
          asynchronous resolver.
        LIBDK: Don't include the CRLF separating the headers and the
          body unless the body contains at least one non-blank line.
        LIBDK: Add dk_reportinfo().
        LIBAR: Add ar_setretry() and ar_setmaxretry(), and fail over to
          other available nameservers if that interval passes without an
          answer.  (Bug SF1027541)
        New FFR:
          EXTERNAL_IGNORE_LIST -- optional list of hosts/networks which
            may send mail as one of our signing domains, but we know
            about it so don't log it (RFE SF1027562)

0.2.2           2004/09/11
        Don't segfault when "-i" refers to an empty list.
        Don't run off the end of the macro list when creating/scanning
          it (_FFR_MACRO_LIST).
        Improve handling when res_query() returns -1 by checking
          h_errno.  (Bug SF1026225)
        Automatically include braces around macro queries to make life
          easier when specifying macro lists (_FFR_MACRO_LIST).
        Minor build and documentation fixes.
          (Bugs SF1021948, SF1020931)
        LIBDK: Fix processing of unsigned messages, which were
          incorrectly logging syntax errors.
        LIBDK: Skip the body processing and hashing on unsigned
          messages.
        LIBDK: Cache the From:/Sender: even if unprotected so that
          unsigned messages can have their sender policies checked in
          dk_eoh().

0.2.1           2004/09/01
        Fix a cut-and-paste error that broke the build when
          REQUIRE_HEADERS is enabled.  Reported by S. Moonesamy of
          Eland Systems.
          (Bug SF1016105)
        LIBDK: Report bad format when the selector or domain in a
          signature header is empty.
        Portability: Fixes for Solaris builds from Al Smith of
          aeschi.ch.eu.org.
        New FFRs:
          AUTH_RESULTS -- use the proposed Auth-Results: header instead
            of the original DomainKey-Status: header
          MACRO_LIST -- optional list of macros and values to be checked
            when making the sign vs. verify decision (RFE SF1015642)

0.2.0           2004/08/23
        Support granularity, "nofws" canonicalization, revoked keys, and
          other changes as per the updated ("base-01") DomainKeys draft.
        Remove "blake", "sendmail" and "headerlist" canonicalizations.
        Fix a compile time bug in the inet6 code.  From Graham Murray of
          Webywayone.
        When in autorestart mode, write the process ID of the parent,
          not the child, to the pid file.
        Don't segfault when sendmail is invoked with "-bs" mode, which
          causes mlfi_connect() to get a NULL "ip" parameter.
        Propagate termination signal to the child when in autorestart
          mode.
        Route the standard descriptors to /dev/null and call setsid()
          after the initial fork() in any mode.
        Zero out and deallocate the private key(s) before shutdown.
        Don't create temporary files any more, unless requested to do so
          for debugging.
        Add "-D" command line option to sign subdomains.
        New FFRs:
          FLUSH_HEADERS -- optionally delete existing DomainKey headers
        Activated FFRs:
          SIGN_SUBDOMAINS
          TEMP_FILES_OPTIONAL

0.1.17          2004/08/08
        Allow IPv6 addresses for the "-i" option.  Requested by
          Graham Murray of Webywayone.  (RFE SF999896)
        New FFRs:
          REQUIRE_HEADERS -- require mandatory RFC2822 headers to sign
            or verify.  Suggested by Jose Marcio Martins da Cruz of
            Ecole des Mines de Paris.  (RFE SF999291)
          TEMP_FILES_OPTIONAL -- don't create temporary files unless
            requested by debugging options; instead, hand them directly
            to the hashing algorithm.  (RFE SF991203)

0.1.16          2004/07/30
        Skip body and EOM processing if at EOH we know for sure there
          will be no signing or verifying going on.
          (RFE SF991210)
        Print out active FFRs as part of -V output.
        Under "headerlist" canonicalization, if no header list was
          provided, assume all headers were included in the signature.
        Replace calls to inet_ntoa() with calls to a thread-safe version
          of that function.
        Since there is actually no default for the "q=" part of the
          signature header, always put a string there.
        New FFRs:
          POPAUTH -- authorize clients for signing based on a
            "popb4smtp" database.  Patch provided by S. Moonesamy of
            Eland Systems.
          SELECT_CANONICALIZATION - select canonicalization via a
            special header.  Proposed by Jim Fenton.  (RFE SF996949)
        Portability: Fixes for Solaris 2.7.

0.1.15          2004/07/22
        Copy the value of "-d" before parsing it, so that all of the
          domains being signed get logged, not just the first one.
          (Bug SF989735)
        Make the usage message more explicit about the fact that the
          values of "-a" and "-i" are files, not addresses.
          (Bug SF989737)
        Use {auth_type} instead of {auth_author} to determine whether or
          not a client authenticated.  (Bug SF995333)
        Avoid a segmentation fault when "-s" is not specified.
        Consult the DK_TMPDIR environment variable for a preferred
          location for temporary files.  (RFE SF991145)
        Signature header aesthetics.  Suggested by Al Smith of
          aeschi.ch.eu.org.  (RFE SF989240)
        Add "headerlist" canonicalization.
        LIBDK: It was possible for a BIO handle to be allocated and
          never freed through some code paths in dk_eom() and
          dk_getsig().  Problem noted by Kai Zhu.  (Bug SF995376)

0.1.14          2004/07/07
        Log command line arguments at startup.
        Fixes to debug mode.
        New FFRs:
          MULTIPLE_KEYS - supply multiple keys for signing
            (RFE SF974374)
          SIGN_SUBDOMAINS - sign subdomains as well as listed domains
            (RFE SF965524)

0.1.13          2004/06/19
        When unable to determine the sender's domain, report "bad
          format" in the DomainKey-Status: header rather than
          temp-failing the message.  (Bug SF975599)
        Portability: Fixes for Solaris 2.6 build from Al Smith of
          aeschi.ch.eu.org.

0.1.12          2004/06/16
        Support for CNAME recursion.
          This required a change to the parameter list for
          ar_addquery().  (Bug SF972813)
        Set the DNS query timeout on calls to ar_addquery(), not on
          calls to ar_waitreply().
        Take two -- Don't log "external host attempted to send as" for
          other than our signing domains.
        LIBAR: When reacting to timeouts in ar_waitreply(), be more
          correct about whether returning AR_STAT_NOREPLY or
          AR_STAT_EXPIRED.

0.1.11          2004/06/11
        The package no longer needs to be unpacked in the middle of the
          sendmail Open Source distribution in order to be built.
          However, OpenSSL and libmilter are required and must be
          available.
        Don't log "external host attempted to send as" for other than
          our signing domains.
        Add "blake" canonicalization.
        LIBAR: Avoid memory allocation loops when res_mkquery() returns
          -1 for reasons other than the buffer being too small.
          Instead, if a 32K buffer isn't big enough, give up.

0.1.10          2004/06/04
        Require a domain name match even if the message arrived on an
          approved submission port.  Reported by S. Moonesamy of
          Eland Systems.  (Bug SF966671)

0.1.9           2004/06/03
        Add "-m" option to specify daemon submission ports whose mail
          should always be signed.  Suggested by S. Moonesamy of
          Eland Systems.  (RFE SF965525)
        LIBDK: Add a much better public RFC2822 header parsing function.
          (Bug SF965122)

0.1.8           2004/06/02
        Rename "-c" (configure) option to "-C".
        Add new "-c" option to select the canonicalization method to use
          when signing messages.  The DomainKey-Signature: header
          selects the method to use when verifying.
        LIBDK: Return DK_STAT_INTERNAL if API functions are used
          out-of-order in the calling application.
        LIBDK: Detail added to documentation of DK_STAT.
        LIBDK: Tweaks to "sendmail" canonicalization.

0.1.7           2004/06/01
        Only sign mail from "internal" hosts, i.e. the loopback address
          or any connection that authenticated; also add "-i" command
          line option, allowing definition of additional hosts or
          netblocks as "internal".  Reported by S. Moonesamy of
          Eland Systems.

0.1.6           2004/05/31
        Add "gentxt.csh" to automate generation of keys and DNS records.
        Portability: Fixes for Solaris and HP/UX.

0.1.5           2004/05/29
        LIBAR: TCP mode error handling fixes.
        LIBDK: Handle error returns from ar_addquery().

0.1.4           2004/05/28
        Initial public open source release.