Sendmail 8.18 incorporates a fix for CVE-2023-51765 which has stricter rules for blank lines:

    8.18.1/8.18.1 2024/01/31
        sendmail is now stricter in following the RFCs and rejects
        some invalid input with respect to line endings
        and pipelining:
        - Prevent transaction stuffing by ensuring SMTP clients
          wait for the HELO/EHLO and DATA response before sending
          further SMTP commands. This can be disabled using
          the new srv_features option 'F'. Issue reported by
          Yepeng Pan and Christian Rossow from CISPA Helmholtz
          Center for Information Security.
        - Accept only CRLF . CRLF as end of an SMTP message
          as required by the RFCs, which can be disabled by the
          new srv_features option 'O'.
        - Do not accept a CR or LF except in the combination
          CRLF (as required by the RFCs). These checks can
          be disabled by the new srv_features options
          'U' and 'G', respectively. In this case it is
          suggested to use 'u2' and 'g2' instead so the server
          replaces offending bare CR or bare LF with a space.
          It is recommended to only turn these protections off
          for trusted networks due to the potential for abuse.

We have an application that broke after the update. It tries to mail reports but the error reported in syslog is:
May 14 14:03:04.062 hostname sendmail[15938]: [ID 801593 mail.notice] 44EJ34vO015938: collect: relay=localhost, from=<email@company.com>, info=Bare linefeed (LF) not allowed, where=body, status=tempfail
Looking for some guidance on how to implement feature srv_features in Solaris 11.4.
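
The line-ending rule quoted from the release notes, as an added example that is not part of the original post and not sendmail's own code: a Python check that locates bare CR and bare LF bytes in a message before an application submits it, with the two repairs side by side (space replacement, as the notes describe for 'u2' and 'g2', and client-side normalization to CRLF). The function names and the sample message are constructed for illustration.

```python
import re

# A CR not followed by LF, or an LF not preceded by CR, is "bare".
BARE = re.compile(rb"\r(?!\n)|(?<!\r)\n")

# Constructed sample: headers use CRLF, the body mixes in one bare LF
# and one bare CR, the kind of input that triggers "Bare linefeed (LF)
# not allowed, where=body".
SAMPLE = b"Subject: report\r\n\r\nline one\nline two\r\nline three\rend\r\n"


def find_bare(data: bytes):
    """Return (offset, 'CR' or 'LF') for every CR/LF outside a CRLF pair."""
    return [
        (m.start(), "CR" if m.group() == b"\r" else "LF")
        for m in BARE.finditer(data)
    ]


def replace_with_space(data: bytes) -> bytes:
    """Server-side repair as the release notes describe for 'u2'/'g2':
    each offending bare CR or bare LF becomes a space."""
    return BARE.sub(b" ", data)


def to_crlf(data: bytes) -> bytes:
    """Client-side repair: every line ending (CRLF, bare CR, bare LF)
    becomes CRLF, so line structure is kept instead of flattened."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", data)


if __name__ == "__main__":
    for offset, kind in find_bare(SAMPLE):
        print(f"bare {kind} at byte {offset}")
    print(replace_with_space(SAMPLE))
    print(to_crlf(SAMPLE))
```

Running `find_bare` over what the reporting application actually writes to the SMTP socket or pipes to the mailer shows whether the fix belongs in the application, which is preferable to relaxing the server checks.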