From root@gits.dyndns.org  Sat Jun 23 02:13:28 2001
Return-Path: <root@gits.dyndns.org>
Message-Id: <200106230913.f5N9DPd04939@gits.dyndns.org>
Date: Sat, 23 Jun 2001 11:13:25 +0200 (CEST)
From: Cyrille Lefevre <clefevre@redirect.to>
Reply-To: Cyrille Lefevre <clefevre@redirect.to>
To: FreeBSD-gnats-submit@freebsd.org
Subject: sendmail.cf is missing some STARTTLS support
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         28361
>Category:       conf
>Synopsis:       sendmail.cf is missing some STARTTLS support
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    gshapiro
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 23 02:20:01 PDT 2001
>Closed-Date:    Mon Sep 10 11:03:43 PDT 2001
>Last-Modified:  Mon Sep 10 11:05:41 PDT 2001
>Originator:     Cyrille Lefevre
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
ACME
>Environment:

System: FreeBSD gits 4.3-STABLE FreeBSD 4.3-STABLE #26: Wed May 23 12:46:38 CEST 2001 root@gits:/disk2/4.x-stable/src/sys/compile/CUSTOM i386

>Description:
	since sendmail is compiled w/ some _FFR_* options,
	sendmail.cf files have to be generated with some
	of them also (currently _FFR_TLS_O_T). see
	http://www.sendmail.org/~ca/email/tricks.html
	for details. the following patch conditionally
	adds the required options to M4.

>How-To-Repeat:
	# cd /etc/mail
	# echo Try_TLS:noos.fr NO > access
	# make all install
/usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/ /usr/share/sendmail/cf/m4/cf.m4  /etc/mail/gits.mc > /etc/mail/gits.cf
/usr/sbin/makemap hash access.db < access
install -C -c -m 444 /etc/mail/gits.cf /etc/mail/sendmail.cf
	# grep -E '(offer|try)_tls' sendmail.cf
	(nop)
	# sendmail -v -q
Running /var/spool/mqueue/f5MNskW76121 (sequence 1 of 4)
lefevrec@yahoo.com... Connecting to mail.noos.fr via relay...
220 mail.noos.fr ESMTP
>Fix:

Index: Makefile
===================================================================
RCS file: /home/ncvs/src/etc/mail/Makefile,v
retrieving revision 1.9.2.9
diff -u -r1.9.2.9 Makefile
--- Makefile	2001/05/24 20:51:06	1.9.2.9
+++ Makefile	2001/06/23 03:39:39
@@ -55,12 +55,21 @@
 # This is the directory where the sendmail configuration files are
 # located.
 #
+STARTTLS_SUPPORT=	false
 .if exists(/usr/share/sendmail/cf)
 SENDMAIL_CF_DIR?=	/usr/share/sendmail/cf
+.if exists(/usr/lib/libssl.so)
+STARTTLS_SUPPORT=	true
+.endif
 .elif exists(/usr/src/contrib/sendmail/cf)
 SENDMAIL_CF_DIR?=	/usr/src/contrib/sendmail/cf
+.if exists(../../secure)
+STARTTLS_SUPPORT=	true
+.endif
 .endif
 
+M4FLAGS=	-D_CF_DIR_=${SENDMAIL_CF_DIR}/
+
 #
 # The pid is used to stop and restart the running daemon.
 #
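Review bot: The two exists() probes in this hunk test the build host rather than the sendmail binary that will read the generated .cf: /usr/lib/libssl.so can be present while sendmail was built without STARTTLS, and ../../secure is a relative path whose result depends on the directory make is run from. Consider letting the administrator set STARTTLS_SUPPORT explicitly (give the default with ?= instead of =) and keep the probes only as a fallback. M4FLAGS is also assigned with =, unlike the neighbouring SENDMAIL_CF_DIR?=, so a value supplied earlier is discarded.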
@@ -74,6 +83,13 @@
 M4?=			/usr/bin/m4
 KILL?=			/bin/kill
 
+# STARTTLS support
+.if (${STARTTLS_SUPPORT} == "true") && \
+	!defined(NOCRYPT) && !defined(NOSECURE) && \
+	!defined(NO_OPENSSL) && !defined(RELEASE_CRUNCH)
+M4FLAGS+=	-D_FFR_TLS_O_T
+.endif
+
 # Set a reasonable default
 .MAIN:	all
 
@@ -124,7 +140,7 @@
 .SUFFIXES:	.cf .mc
 
 .mc.cf:		${M4FILES}
-	${M4} -D_CF_DIR_=${SENDMAIL_CF_DIR}/ ${SENDMAIL_CF_DIR}/m4/cf.m4 \
+	${M4} ${M4FLAGS} ${SENDMAIL_CF_DIR}/m4/cf.m4 \
 		${@:R}.mc > ${.TARGET}
 
 #
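Review bot: In the .mc.cf rule the prerequisites are still only the .mc file and ${M4FILES}, so a change in M4FLAGS does not make an existing .cf out of date; once the flag appears or disappears, make all keeps the old file until the .mc is touched. Either add the Makefile (or a stamp file) as a prerequisite or note that a rebuild has to be forced after changing the flags.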
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gshapiro 
Responsible-Changed-By: dd 
Responsible-Changed-When: Sun Jun 24 11:00:25 PDT 2001 
Responsible-Changed-Why:  
Over to in-tree sendmail maintainer. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28361 

From: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org, clefevre@redirect.to
Cc:  
Subject: Re: conf/28361: sendmail.cf is missing some STARTTLS support
Date: Tue, 26 Jun 2001 18:46:48 -0700

 I prefer to take more generic approaches to issues like this.  Would you be
 satisfied with this solution?
 
 Index: etc/defaults/make.conf
 ===================================================================
 RCS file: /src/FreeBSD/cvsrepo/src/etc/defaults/make.conf,v
 retrieving revision 1.97.2.51
 diff -u -r1.97.2.51 make.conf
 --- etc/defaults/make.conf	2001/06/11 16:28:18	1.97.2.51
 +++ etc/defaults/make.conf	2001/06/27 01:35:31
 @@ -350,6 +350,12 @@
  #
  #SENDMAIL_ADDITIONAL_MC=/etc/mail/foo.mc /etc/mail/bar.mc
  #
 +# Setting the following variable modifies the flags passed to m4 when
 +# building a .cf file from a .mc file.  It can be used to enable
 +# features disabled by default.
 +#
 +#SENDMAIL_M4_FLAGS=-D_FFR_TLS_O_T
 +#
  # Setting the following variables modifes the build environment for
  # sendmail and its related utilities. For example, SASL support can be
  # added with settings such as:
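Review bot: The new make.conf comment says only that the variable "can be used to enable features disabled by default"; it should state what the example value does (-D_FFR_TLS_O_T makes cf.m4 generate the try_tls and offer_tls rulesets) and that it is meant for a sendmail binary built with STARTTLS. It would also help to show how several flags are given, since the value is expanded unquoted on the m4 command line.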
 Index: etc/mail/Makefile
 ===================================================================
 RCS file: /src/FreeBSD/cvsrepo/src/etc/mail/Makefile,v
 retrieving revision 1.9.2.9
 diff -u -r1.9.2.9 Makefile
 --- etc/mail/Makefile	2001/05/24 20:51:06	1.9.2.9
 +++ etc/mail/Makefile	2001/06/27 01:36:03
 @@ -124,8 +124,8 @@
  .SUFFIXES:	.cf .mc
  
  .mc.cf:		${M4FILES}
 -	${M4} -D_CF_DIR_=${SENDMAIL_CF_DIR}/ ${SENDMAIL_CF_DIR}/m4/cf.m4 \
 -		${@:R}.mc > ${.TARGET}
 +	${M4} -D_CF_DIR_=${SENDMAIL_CF_DIR}/ ${SENDMAIL_M4_FLAGS} \
 +		${SENDMAIL_CF_DIR}/m4/cf.m4 ${@:R}.mc > ${.TARGET}
  
  #
  # Aliases are handled separately since they normally reside in /etc
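Review bot: ${SENDMAIL_M4_FLAGS} is used in the .mc.cf rule without a default or a comment anywhere in this Makefile, so someone reading /etc/mail/Makefile cannot tell the knob exists. Add a SENDMAIL_M4_FLAGS?= line next to M4?= and KILL?= with a one-line description pointing at make.conf.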
 Index: etc/sendmail/Makefile
 ===================================================================
 RCS file: /src/FreeBSD/cvsrepo/src/etc/sendmail/Makefile,v
 retrieving revision 1.3.2.5
 diff -u -r1.3.2.5 Makefile
 --- etc/sendmail/Makefile	2001/03/06 01:56:44	1.3.2.5
 +++ etc/sendmail/Makefile	2001/06/27 01:37:14
 @@ -18,7 +18,8 @@
  .mc.cf:		${M4FILES}
  	${RM} ${.TARGET}
  	(cd ${.CURDIR} && \
 -	    ${M4} -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ${@:R}.mc) > ${.TARGET}
 +	    ${M4} -D_CF_DIR_=${CFDIR}/ ${SENDMAIL_M4_FLAGS} \
 +		${CFDIR}/m4/cf.m4 ${@:R}.mc) > ${.TARGET}
  	${CHMOD} ${ROMODE} ${.TARGET}
  
  ALL=	freebsd.cf
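Review bot: This rule builds freebsd.cf (ALL= freebsd.cf), so whatever the build host has in SENDMAIL_M4_FLAGS ends up in that generated file as well as in the administrator's own /etc/mail .cf. If only the latter is intended, leave this rule unchanged; otherwise the make.conf comment should say that the variable affects both builds.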

From: Cyrille Lefevre <clefevre@redirect.to>
To: freebsd-gnats-submit@FreeBSD.org
Cc: gshapiro@FreeBSD.org
Subject: Re: conf/28361: sendmail.cf is missing some STARTTLS support
Date: Fri, 29 Jun 2001 02:29:51 +0200 (CEST)

 Gregory Neil Shapiro wrote:
 > I responded to your PR a few days ago but mail isn't getting out to you:
 >
 > f5R1koaj096116     2160 Tue Jun 26 18:46 <gshapiro@horsey.gshapiro.net>
 >                  (Deferred: Connection refused by lala.v3.com.)
 >                                          <clefevre@redirect.to>
 
 sorry, but this is just a relay (aka forwarder) and I don't have
 any control over it. thanks anyway.
 
 > I'll leave it in the queue in case the machine starts accepting connections
 > again.
 >
 > Here is my response again in case this address reaches you instead:
 
 thanks, I got it :)
 
 > I prefer to take more generic approaches to issues like this.  Would you be
 > satisfied with this solution?
 
 I'm not sure this is the right way to go since this is relevant to
 the sendmail maintainer to set or not such flags depending on flags
 set to compile the sendmail binary. do you understand what I mean?
 but the idea of SENDMAIL_M4_FLAGS for other purposes could stay.
 
 [snip]
 
 Cyrille.
 --
 home: mailto:clefevre@redirect.to   UNIX is user-friendly; it's just particular
 work: mailto:Cyrille.Lefevre@edf.fr   about who it chooses to be friends with.

From: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
To: clefevre@redirect.to
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: conf/28361: sendmail.cf is missing some STARTTLS support
Date: Thu, 28 Jun 2001 18:38:15 -0700

 clefevre> I'm not sure this is the right way to go since this is relevant to
 clefevre> the sendmail maintainer to set or not such flags depending on flags
 clefevre> set to compile the sendmail binary. do you understand what I mean?
 clefevre> but the idea of SENDMAIL_M4_FLAGS for other purposes could stay.
 
 I think I understand what you mean.  You don't want the user to have to
 know to add the -D_FFR_TLS_O_T.  How about using my patch exactly as shown
 except changing the make.conf addition from:
 
 +# Setting the following variable modifies the flags passed to m4 when
 +# building a .cf file from a .mc file.  It can be used to enable
 +# features disabled by default.
 +#
 +#SENDMAIL_M4_FLAGS=-D_FFR_TLS_O_T
 
 to:
 
 +# Setting the following variable modifies the flags passed to m4 when
 +# building a .cf file from a .mc file.  It can be used to enable
 +# features disabled by default.
 +#
 +SENDMAIL_M4_FLAGS=-D_FFR_TLS_O_T
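Review bot: Uncommenting SENDMAIL_M4_FLAGS=-D_FFR_TLS_O_T turns the define on for every .cf built on the system, so the case to check is not only a sendmail binary without STARTTLS but also .mc files that lack FEATURE(`access_db'); the closing entry of this PR records that the default was reverted because it broke those configurations. Keeping the line commented out, or enabling it only when access_db is in use, avoids that.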
 
 That way, the default already includes the -D_FFR_TLS_O_T.  Note that I
 didn't bother going through all of the checking your original patch does as
 there is no harm done if the FFR is defined on a non-STARTTLS sendmail
 binary.  The extra ruleset it adds will be ignored.
State-Changed-From-To: open->analyzed 
State-Changed-By: gshapiro 
State-Changed-When: Thu Jun 28 19:15:09 PDT 2001 
State-Changed-Why:  
Working out issues with the submitter 

State-Changed-From-To: analyzed->feedback 
State-Changed-By: gshapiro 
State-Changed-When: Sun Jul 22 18:34:21 PDT 2001 
State-Changed-Why:  
The fix has been committed to the HEAD.  I will close this PR when 
it is MFC'ed to RELENG_4. 

State-Changed-From-To: feedback->closed 
State-Changed-By: gshapiro 
State-Changed-When: Mon Sep 10 11:03:43 PDT 2001 
State-Changed-Why:  
I had to revert the commit adding the FFR as it broke configurations which 
did not include FEATURE(`access_db').  However, the make.conf variable is in 
place which lets users add it if they need it.  Additionally, 8.12, now 
released, no longer requires the FFR.  This issue will go away when 8.12 
is imported. 

>Unformatted:
 >>> EHLO gits.dyndns.org
 250-mail.noos.fr
 250-PIPELINING
 250-STARTTLS
 250-SIZE 10485760
 250 8BITMIME
 >>> STARTTLS
 220 ready for tls
 lefevrec@yahoo.com... Deferred: 403 4.7.0 lefevrec@yahoo.com... TLS handshake failed.
 
 	(w/ this patch)
 
 	# cd /etc/mail; make all install
 /usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/ -D_FFR_TLS_O_T /usr/share/sendmail/cf/m4/cf.m4  /etc/mail/gits.mc > /etc/mail/gits.cf
 install -C -c -m 444 /etc/mail/gits.cf /etc/mail/sendmail.cf
 	# grep -E '(offer|try)_tls' sendmail.cf
 Soffer_tls
 Stry_tls
 	# sendmail -v -q
 lefevrec@yahoo.com... Connecting to mail.noos.fr via relay...
 220 mail.noos.fr ESMTP
 >>> EHLO gits.dyndns.org
 250-mail.noos.fr
 250-PIPELINING
 250-STARTTLS
 250-SIZE 10485760
 250 8BITMIME
 >>> MAIL From:<root@gits.dyndns.org> SIZE=48
 ...
 lefevrec@yahoo.com... Sent (ok 993273557 qp 6747083)
 Closing connection to mail.noos.fr
 >>> QUIT
 221 mail.noos.fr
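
The failure shown in this PR (a Try_TLS entry in the access map that has no effect because the generated sendmail.cf lacks the try_tls ruleset) can be checked for mechanically. The script below is an added example, not part of the PR or of FreeBSD; the function names and the sample access/.cf contents are constructed for illustration, and it assumes rulesets appear in the .cf as S<name> lines, as in the grep output above.

```shell
#!/bin/sh
# Added example: list Try_TLS access entries that a generated sendmail.cf
# would silently ignore because it defines no try_tls ruleset.

# has_ruleset CF NAME -> exit 0 if CF defines ruleset NAME (an "SNAME" line)
has_ruleset() {
    grep -Eq "^S$2([[:space:]=]|\$)" "$1"
}

# try_tls_hosts ACCESS -> print the host/domain part of every Try_TLS: key.
# The tag is matched case-insensitively; comment lines never match because
# the pattern is anchored at the start of the first field.
try_tls_hosts() {
    awk 'tolower($1) ~ /^try_tls:/ { sub(/^[^:]*:/, "", $1); print $1 }' "$1"
}

# ignored_try_tls ACCESS CF -> print hosts whose Try_TLS entry has no effect.
# Exit status is 1 when at least one entry is ignored, 0 otherwise.
ignored_try_tls() {
    hosts=$(try_tls_hosts "$1")
    if [ -z "$hosts" ]; then return 0; fi
    if has_ruleset "$2" try_tls; then return 0; fi
    printf '%s\n' "$hosts"
    return 1
}

# Constructed sample inputs (not taken from a real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Try_TLS:noos.fr\tNO\n# Try_TLS:example.org NO\n' > "$tmp/access"
printf 'Scheck_mail\nSlocal_check_rcpt\n' > "$tmp/old.cf"           # built without the define
printf 'Scheck_mail\nSoffer_tls\nStry_tls\n' > "$tmp/new.cf"        # built with -D_FFR_TLS_O_T

for cf in old.cf new.cf; do
    if out=$(ignored_try_tls "$tmp/access" "$tmp/$cf"); then
        echo "$cf: Try_TLS entries are backed by a try_tls ruleset"
    else
        echo "$cf: no try_tls ruleset, ignored entries: $out"
    fi
done
```

Run against the real /etc/mail/access and /etc/mail/sendmail.cf after make all install, a non-zero exit status means the .cf was generated without the define.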
 
