PMDF V6.4 Release Notes

July 2008

This document contains a list of new features and bug fixes that have been made since PMDF V6.3. Note that some minor enhancements and bug fixes were included in the OpenVMS/I64 release of V6.3-1 and the Linux release of V6.3-2 that were not included in the V6.3 release for the other platforms. Release notes items for those are also included here.

Software Version: PMDF V6.4

Operating System and Version:
  Solaris SPARC or Intel V2.6, V8 or later (SunOS V5.6, V5.8 or later);
  Tru64 UNIX V4.0D or later;
  Red Hat Enterprise Linux 4 update 4 or later on x86 (or other compatible Linux distribution);
  OpenVMS Alpha or VAX V6.1 or later;
  OpenVMS I64 V8.2 or later;
  Windows 2000;
  Windows 2003

Copyright ©2008 Process Software, LLC. Unpublished - all rights reserved under the copyright laws of the United States.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, chemical, or otherwise without the prior written permission of:

  Process Software, LLC
  959 Concord Street
  Framingham, MA 01701-4682
  USA
  Voice: +1 508 879 6994; FAX: +1 508 879 0042
  info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

Use of PMDF, PMDF-DIRSYNC, PMDF-FAX, PMDF-LAN, PMDF-MR, PMDF-MSGSTORE, PMDF-MTA, PMDF-TLS, PMDF-X400, PMDF-X500, PMDF-XGP, and/or PMDF-XGS software and associated documentation is authorized only by a Software License Agreement.
Such license agreements specify the number of systems on which the software is authorized for use, and, among other things, specifically prohibit use or duplication of software or documentation, in whole or in part, except as authorized by the Software License Agreement.

Restricted Rights Legend

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or as set forth in the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19.

The PMDF mark and all PMDF-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries and are used under license.

AlphaMate is a registered trademark of Motorola, Inc.

ALL-IN-1, Alpha AXP, AXP, Bookreader, DEC, DECnet, HP, I64, IA64, Integrity, MAILbus, MailWorks, Message Router, MicroVAX, OpenVMS, Pathworks, PSI, RMS, TeamLinks, TOPS-20, Tru64, TruCluster, ULTRIX, VAX, VAX Notes, VMScluster, VMS, and WPS-PLUS are registered trademarks of Hewlett-Packard Company.

cc:Mail is a trademark of cc:Mail, Inc., a wholly-owned subsidiary of Lotus Development Corporation.

Lotus Notes is a registered trademark of Lotus Development Corporation.

AS/400, CICS, IBM, Office Vision, OS/2, PROFS, and VTAM are registered trademarks of International Business Machines Corporation.

RC2 and RC4 are registered trademarks of RSA Data Security, Inc.

CMS, DISOSS, OfficeVision/VM, OfficeVision/400, OV/VM, and TSO are trademarks of International Business Machines Corporation.

dexNET is a registered trademark of Fujitsu Imaging Systems of America, Inc.

Ethernet is a registered trademark of Xerox Corporation.

FaxBox is a registered trademark of DCE Communications Group Limited.

GIF and "Graphics Interchange Format" are trademarks of CompuServe, Incorporated.
InterConnections is a trademark of InterConnections, Inc.

InterDrive is a registered trademark of FTP Software, Inc.

LANmanager and Microsoft are registered trademarks of Microsoft Corporation.

Memo is a trade mark of Verimation ApS.

MHS, Netware, and Novell are registered trademarks of Novell, Inc.

LaserJet and PCL are registered trademarks of Hewlett-Packard Company.

PGP and Pretty Good Privacy are registered trademarks of Pretty Good Privacy, Inc.

Jnet is a registered trademark of Wingra, Inc.

Attachmate is a registered trademark and PathWay is a trademark of Attachmate Corporation.

Pine and Pico are trademarks of the University of Washington, used by permission.

PostScript is a registered trademark of Adobe Systems Incorporated.

Solaris, Sun, and SunOS are trademarks of Sun Microsystems, Inc.

SPARC is a trademark of SPARC International, Inc.

TCPware and MultiNet are registered trademarks of Process Software.

UNIX is a registered trademark of UNIX System Laboratories, Inc.

TIFF is a trademark of Aldus Corporation.

Gold-Mail is a trademark of Data Processing Design, Inc.

Copyright (c) 1990-2000 Sleepycat Software. All rights reserved.

Copyright (c) 1990, 1993, 1994, 1995 The Regents of the University of California. All rights reserved.

Copyright (c) 1995, 1996 The President and Fellows of Harvard University. All rights reserved.
Contents

CHAPTER 1 INSTALLATION OF PMDF V6.4
  1.1 LICENSE DATE
  1.2 GETTING HELP
  1.3 RELEASE NOTES LOCATION
  1.4 OBTAINING NEW FILES

CHAPTER 2 INSTALLATION GOTCHAS
  2.1 BERKELEY DB ENVIRONMENT FILES
  2.2 COMPILED CONFIGURATIONS MUST BE RECOMPILED
  2.3 KNOWN ISSUES

CHAPTER 3 NEW FEATURES
  3.1 LINUX SUPPORT
  3.2 DISCLAIMER CHANNEL
    3.2.1 Configuring the Disclaimer Channel
      3.2.1.1 Disclaimer Channel Definition and Rewrite Rules
      3.2.1.2 DISCLAIMER Mapping Table
      3.2.1.3 Disclaimer Channel Option File
      3.2.1.4 Files Containing Disclaimer Text
  3.3 LDAP OVER TLS
    3.3.1 Configuring PMDF To Use LDAP Over TLS
      3.3.1.1 CA Certificate File
      3.3.1.2 LDAP Aliases
      3.3.1.3 Directory Channel
      3.3.1.4 Password Authentication Via LDAP
  3.4 SASL AUTHENTICATION FOR THE PMDF SMTP CLIENT
    3.4.1 Configuring SASL for PMDF SMTP Client
      3.4.1.1 Specifying Username And Password
      3.4.1.2 Configuring The Channel
  3.5 SPF (SENDER POLICY FRAMEWORK) AND SRS (SENDER REWRITING SCHEME)
    3.5.1 Configuring SPF
    3.5.2 Configuring SRS
      3.5.2.1 Option File Changes
      3.5.2.2 Configuration File Changes
      3.5.2.3 Mapping File Changes
        3.5.2.3.1 REVERSE Mapping Table
        3.5.2.3.2 FORWARD Mapping Table
      3.5.2.4 The Secret Word

CHAPTER 4 CONTRIBUTED SOFTWARE
  4.1 VFASTSCAN LITE
    4.1.1 Obtaining and Installing the vFastScan Lite Kit

CHAPTER 5 RELEASE NOTES
  5.1 UPGRADES
  5.2 ALIASES AND MAILING LISTS
  5.3 DISPATCHER AND SERVERS
  5.4 LOGGING
  5.5 JOB CONTROLLER (UNIX AND WINDOWS ONLY)
  5.6 MAILBOX FILTERS
  5.7 MAILSERV
  5.8 MISCELLANEOUS
  5.9 POPSTORE / MESSAGESTORE
  5.10 TLS
  5.11 UTILITIES
  5.12 WEB INTERFACE

1 Installation of PMDF V6.4

This document contains installation gotchas and release notes for upgrading to PMDF V6.4 from V6.3, V6.3-1, or V6.3-2. If you are upgrading from an earlier version of PMDF, please read the installation gotchas and release notes for all of the versions between your version and V6.4. Those release notes are available on the Process Software web site.

1.1 License Date

The release date for the PMDF V6.4 kit is: 25-JUL-2008

Check your PMDF licenses to make sure they are valid for this release. The release date contained in each license must be later than the release date of the kit. See the PMDF Installation Guide for your platform for more information about how PMDF licenses work.

1.2 Getting Help

Contact your PMDF distributor or Process Software if you need assistance or have questions concerning the installation or configuration of PMDF. Process Software provides technical support if you have a current Maintenance Service Agreement [support@process.com; 800-394-8700 or 508-628-5074].

If you obtained PMDF from an authorized distributor or partner, you receive your technical support directly from them. Timely notices, pointers to new PMDF images, and other PMDF news of interest may also be found at the Process Software web site, www.process.com.
1.3 Release Notes Location

The text version of these release notes is installed on VMS in the SYS$HELP directory, and on UNIX and Windows in the PMDF documentation directory. The PostScript and PDF versions on all platforms are installed into the PMDF documentation directory (PMDF_ROOT:[DOC] on VMS, /pmdf/doc on UNIX, and C:\pmdf\doc on Windows).

1.4 Obtaining new files

New files may be obtained from the anonymous FTP account on ftp.pmdf.process.com; use FTP to connect to the host ftp.pmdf.process.com and log in as the user anonymous. Use your e-mail address as the login password. Move to the pmdf_64_patches subdirectory:

  ftp> cd pmdf_64_patches

Patches will be located in platform-specific subtrees, as follows:

  Platform        Subdirectory
  --------------  --------------
  Linux           linux
  OpenVMS         vms
  Solaris/SPARC   solaris-sparc
  Solaris/x86     solaris-x86
  Tru64           osf
  Windows         windows

2 Installation Gotchas

Make sure you read the PMDF Installation Guide for your platform before starting the installation. Make sure you complete the Post-Installation Tasks for Upgrades or Post-Installation Tasks for New Sites in the installation guide after the installation.

2.1 Berkeley DB Environment Files

The format of the Berkeley DB (formerly known as SleepyCat) environment files on UNIX and Windows platforms has changed since PMDF V6.3 and V6.3-2. The old files must be removed.
Execute the following commands:

For UNIX:

  # rm /pmdf/table/__db.0*
  # rm /pmdf/table/queue_cache/__db.0*
  # rm /var/tmp/__db.0*
  # rm /pmdf/tmp/__db.0*

For Windows:

  del c:\pmdf\table\__db.*
  del c:\pmdf\tmp\__db.*

2.2 Compiled Configurations Must Be Recompiled

For all platforms, the format of the compiled configuration has changed as of PMDF V6.4. After installation, in order to use a compiled configuration you must recompile your configuration. Configurations that were compiled by versions of PMDF prior to version 6.4 will no longer be recognized by PMDF.

2.3 Known Issues

1. There are no known issues at this time.

3 New Features

3.1 Linux Support

As of PMDF V6.3-2, PMDF is available on the Linux platform (on Intel x86 only). The same functionality is provided on Linux as on the other Unix platforms (Tru64 and Solaris), with the following exceptions:

o Support for PMDF-X400 is not provided.
o Support for PMDF-XGS (SNADS) is not provided.
o The utility pmdftune is not provided.

The Linux kit is supplied as an RPM kit, and is built on Red Hat Enterprise Linux version 4 update 4 on an Intel 32-bit processor. It should work on any distribution of Linux that supports RPM installations. It should work on 64-bit versions of Linux as long as the system supports 32-bit images. The Linux kernel version supported is 2.6.9-42 or later.

3.2 Disclaimer Channel

PMDF now provides a disclaimer channel. (D/E 8442) The disclaimer channel can be used to modify messages to add text (usually containing a disclaimer).
There are five different places where the disclaimer channel can add text to a message:

o in the header using X-Disclaim headers
o to the top of plain text messages
o to the bottom of plain text messages
o to the top of HTML text messages
o to the bottom of HTML text messages

The default is for the disclaimer channel to add text to the bottom of both plain text and HTML messages, using text from the file pmdf_table:disclaimer.txt. Using an option file, you can specify a different file containing different text for one or more of the above locations. For example, this lets you specify a plain text disclaimer to be added to plain text messages, and text with HTML code to be added to HTML messages.

Similar to the conversion and script channels, you can define multiple disclaimer channels, and invoke different ones based on the DISCLAIMER mapping table. Each disclaimer channel has a different option file, in which you can specify different text. For example, you might want your sales department to have a different disclaimer than the engineering department.

3.2.1 Configuring the Disclaimer Channel

The disclaimer channel is set up similarly to the conversion and script channels.

3.2.1.1 Disclaimer Channel Definition and Rewrite Rules

The first step is to add the disclaimer channel to the PMDF configuration file, pmdf_table:pmdf.cnf. You need to add both a channel definition and rewrite rules for it.

Example rewrite rules:

  disclaimer               $U%disclaimer.example.com@DISCLAIMER-DAEMON
  disclaimer.example.com   $U%disclaimer.example.com@DISCLAIMER-DAEMON

Channel definition:

  disclaimer
  DISCLAIMER-DAEMON

Additional disclaimer channels may be defined, in the format disclaimer_xxx, for example disclaimer_2.
3.2.1.2 DISCLAIMER Mapping Table

The disclaimer channel is invoked using a mapping table called DISCLAIMER, which is similar to the CONVERSION and SCRIPT mapping tables. You decide when to invoke the disclaimer channel for a given message based on the incoming channel and the outgoing channel.

Typically people want to add disclaimer notices to messages headed outside their company. In order to accomplish this, you would set up the DISCLAIMER mapping table to invoke the disclaimer channel if the incoming channel for a message is l or tcp_internal, and the outgoing channel is tcp_local.

Use yes or no as the right-hand-side value of the mapping table entry to indicate whether to invoke the disclaimer channel or not. Use the channel keyword to specify an alternate disclaimer channel to use, if desired.

Example DISCLAIMER mapping table:

  DISCLAIMER

    IN-CHAN=l;OUT-CHAN=tcp_local;DISCLAIMER             yes
    IN-CHAN=tcp_internal;OUT-CHAN=tcp_local;DISCLAIMER  yes
    IN-CHAN=tcp_special;OUT-CHAN=tcp_local;DISCLAIMER   yes,channel=disclaimer_2
    IN-CHAN=*;OUT-CHAN=*;DISCLAIMER                     no

If you want to have only a subset of your users use the disclaimer channel, or if you want some users to use a different disclaimer channel than other users, you can redirect people to a different incoming channel using the switchchannel channel keyword and IP-address based rewrite rules. The DISCLAIMER mapping table can then be set up to recognize those channels as the incoming channel and turn on or off the disclaimer channel, or use an alternate disclaimer channel, as desired.

3.2.1.3 Disclaimer Channel Option File

In order to control the actions of the disclaimer channel, it has an option file. As with all channels, the file should be put into the PMDF table directory and named xxx_option, where xxx is the name of the channel that the option file is for. So usually the file is pmdf_table:disclaimer_option.
The option file is not required. If no option file exists, the default operation of the disclaimer channel is to append the text that is in the file pmdf_table:disclaimer.txt to the bottom of both plain text and HTML text messages. If you want to specify a different default file name or location, use the DEFAULT_FILE option.

Any or all of the HEADER, PLAIN_TOP, HTML_TOP, PLAIN_BOTTOM, or HTML_BOTTOM options can be specified in the option file to instruct the disclaimer channel to add text to the header of the message, to the top of plain text messages, to the top of HTML text messages, to the bottom of plain text messages, and/or to the bottom of HTML messages, respectively. Each of these options takes a file name as a value. They can also take as a value the keyword DEFAULT_FILE, which indicates that the default file should be used.

An additional option, MULTIPLE_HEADERS, may be specified to control how the HEADER disclaimer text is added to the headers of the message. We recommend that header disclaimer text be short and on a single line. However, if the text spans several lines, the MULTIPLE_HEADERS option tells the disclaimer channel whether to put those multiple lines of text into one or multiple X-Disclaim headers. The default value of 0 causes a single X-Disclaim header to be added, with continuation lines if necessary. A value of 1 causes multiple X-Disclaim headers to be added, one per line of disclaimer text.

Example disclaimer channel option file:

  DEFAULT_FILE=/myfiles/disclaimer/default.txt
  HEADER=/myfiles/disclaimer/header.txt
  MULTIPLE_HEADERS=0
  PLAIN_TOP=DEFAULT_FILE
  HTML_TOP=DEFAULT_FILE
  PLAIN_BOTTOM=/myfiles/disclaimer/plain/bottom.txt
  HTML_BOTTOM=/myfiles/disclaimer/html/bottom.htm

3.2.1.4 Files Containing Disclaimer Text

You have to create the files containing your disclaimer text yourself. By default, this would be the file pmdf_table:disclaimer.txt.
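As an added example (not part of these release notes and not PMDF code), the following Python check reads a disclaimer channel option file and applies the rules above before the channel goes into service: it flags unknown options, an out-of-range MULTIPLE_HEADERS value, location files that do not exist (after resolving the DEFAULT_FILE keyword), and HEADER text longer than the 1024-character limit. The UNIX default path /pmdf/table/disclaimer.txt and the assumption that an option file with no location options keeps the default bottom-of-message behaviour are this example's, not the page's.

```python
import os

# Options the disclaimer channel option file understands, per the release notes.
LOCATION_OPTIONS = ("HEADER", "PLAIN_TOP", "HTML_TOP", "PLAIN_BOTTOM", "HTML_BOTTOM")
KNOWN_OPTIONS = LOCATION_OPTIONS + ("DEFAULT_FILE", "MULTIPLE_HEADERS")
HEADER_MAX_CHARS = 1024                               # stated limit for HEADER text
DEFAULT_DISCLAIMER = "/pmdf/table/disclaimer.txt"     # pmdf_table:disclaimer.txt on UNIX (assumed path)

# Constructed sample: the option file shown in the release notes.
SAMPLE_OPTION_FILE = """\
DEFAULT_FILE=/myfiles/disclaimer/default.txt
HEADER=/myfiles/disclaimer/header.txt
MULTIPLE_HEADERS=0
PLAIN_TOP=DEFAULT_FILE
HTML_TOP=DEFAULT_FILE
PLAIN_BOTTOM=/myfiles/disclaimer/plain/bottom.txt
HTML_BOTTOM=/myfiles/disclaimer/html/bottom.htm
"""


def parse_option_file(text):
    """Parse NAME=value lines; lines starting with '!' are comments (PMDF convention)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed option line: {raw!r}")
        opts[name.strip().upper()] = value.strip()
    return opts


def resolve_locations(opts):
    """Map each enabled location to the file it will read.

    The DEFAULT_FILE keyword resolves to the DEFAULT_FILE option (or the built-in
    default). With no location option at all, this example assumes the documented
    default: the default file is appended to the bottom of plain and HTML messages.
    """
    default_file = opts.get("DEFAULT_FILE", DEFAULT_DISCLAIMER)
    locations = {}
    for name in LOCATION_OPTIONS:
        if name in opts:
            value = opts[name]
            locations[name] = default_file if value.upper() == "DEFAULT_FILE" else value
    if not locations:
        locations = {"PLAIN_BOTTOM": default_file, "HTML_BOTTOM": default_file}
    return locations


def check_disclaimer_options(opts, exists=os.path.isfile, read_text=None):
    """Return a list of problems; an empty list means the option file is consistent.

    `exists` and `read_text` are injectable so the check can run against a test
    file set instead of the real filesystem.
    """
    problems = [f"unknown option {name}" for name in opts if name not in KNOWN_OPTIONS]
    if opts.get("MULTIPLE_HEADERS", "0") not in ("0", "1"):
        problems.append(f"MULTIPLE_HEADERS must be 0 or 1, got {opts['MULTIPLE_HEADERS']!r}")
    for name, path in sorted(resolve_locations(opts).items()):
        if not exists(path):
            problems.append(f"{name}: file {path} does not exist")
        elif name == "HEADER" and read_text is not None:
            length = len(read_text(path))
            if length > HEADER_MAX_CHARS:
                problems.append(f"HEADER: {path} is {length} characters, limit is {HEADER_MAX_CHARS}")
    return problems
```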
You also have to create the files pointed to by the options you specified in the option file.

Note that the text to be added to the headers (specified by the HEADER option) has a maximum of 1024 characters. It can have multiple lines. Each line is added as a separate X-Disclaim header.

The files for the plain and HTML top and bottom text can be any length and contain any text you'd like. For example, the ones intended to be added to HTML messages can contain HTML code such as links or images.

3.3 LDAP over TLS

PMDF now has the ability to access LDAP servers using SSL/TLS authentication. This is available when doing address lookups through the aliases file, address lookups from the directory channel, and also when doing username and password authentication via LDAP. (D/E 7848)

NOTE: Make sure that your LDAP server is set up to do TLS. It is beyond the scope of this document to provide information on how to configure an LDAP server for TLS usage. Please consult your LDAP server manuals for instructions on how to use TLS on your particular LDAP server.

3.3.1 Configuring PMDF To Use LDAP Over TLS

3.3.1.1 CA Certificate File

You may need to have the Certificate Authority (CA) certificate to be used by LDAP on your PMDF system. If so, by default the CA certificate should be placed in the file pmdf_table:ldap-cacert.pem. An alternate file name can be specified for the directory channel, or when doing username and password authentication (see sections below).

3.3.1.2 LDAP Aliases

If you have aliases in the aliases file or database which go to LDAP, you can tell PMDF to use TLS when looking these up in LDAP, by specifying the LDAP_TLS_MODE option in the pmdf_table:option.dat file.
A value of 1 tells PMDF to try to use TLS to look up the alias in LDAP, but continue without it if TLS is not available. A value of 2 tells PMDF to require TLS.

For alias lookups, PMDF always looks for the CA certificate in the default file pmdf_table:ldap-cacert.pem, if it exists.

3.3.1.3 Directory Channel

Configure the directory channel to do lookups via LDAP using the standard LDAP options in the directory channel option file (e.g. LDAP_SERVERS, LDAP_BASE). Set it up to use TLS by specifying the TLS_MODE option. A value of 1 tells the directory channel to try to use TLS, but continue without it if TLS is not available. A value of 2 tells the directory channel to require TLS.

By default, the directory channel will use the CA certificate in the default file pmdf_table:ldap-cacert.pem, if it exists. You can specify an alternate CA certificate file name, for example if you need to use different CA certificates for different domains, by using the CACERTFILE option.

Example directory channel option file:

  example.org=2
  example.org_ldap_servers=ldap.example.org
  example.org_ldap_base=dc=ldap.example,dc=com
  example.org_tls_mode=2
  example.org_cacertfile=/pmdf/table/example-cacert.pem

3.3.1.4 Password Authentication Via LDAP

Configure pmdf_table:security.cnf to use LDAP to do username and password authentication, using the standard [AUTH_SOURCE=LDAP] options, such as BASEDN and SERVER. Set it up to use TLS by specifying the LDAP_TLS_MODE option. A value of 1 tells PMDF to try to use TLS, but continue without it if TLS is not available. A value of 2 tells PMDF to require TLS.

By default, PMDF will use the CA certificate in the default file pmdf_table:ldap-cacert.pem, if it exists. You can specify an alternate CA certificate file name by using the LDAP_CACERTFILE option.

Example sections of the security.cnf file:

  [RULESET=default]
  ENABLE=LDAP/*
  !
  [AUTH_SOURCE=LDAP]
  BASEDN=DC=EC,DC=Example,DC=com
  SERVER=ldapauth.example.com
  LDAP_TLS_MODE=1
  LDAP_CACERTFILE=/pmdf/table/ldapauth-cacert.pem

3.4 SASL Authentication for the PMDF SMTP Client

PMDF now has the ability to configure the PMDF SMTP client to use SASL via the SMTP AUTH command when sending mail out from the PMDF MTA to a remote MTA. This is primarily needed by home users who are running PMDF on their home systems and have an ISP that requires a username and password to be able to send out mail through the ISP's MTA. (D/E 10383)

3.4.1 Configuring SASL for PMDF SMTP Client

3.4.1.1 Specifying Username And Password

The username and password to use are configured in a new section in the pmdf_table:security.cnf file. The name of this new section is CLIENT_AUTH. The format is the same as the RULESET or AUTH_SOURCE sections. As with RULESET, there is a default section, or you can create named sections.

Within the CLIENT_AUTH section, you specify the username to use for authentication on the remote system with the USER option. You specify the password for that username on the remote system with the PASSWORD option.

Optionally, you can specify which SASL mechanisms you want to use with the MECHANISMS option. The following mechanisms are supported: PLAIN, LOGIN, CRAM-MD5, and DIGEST-MD5.

Example CLIENT_AUTH sections:

  ! default settings
  [CLIENT_AUTH=default]
  USER=johnson
  PASSWORD=mypassword
  !
  ! for system "alpha"
  [CLIENT_AUTH=alpha]
  USER=smith
  PASSWORD=happyday
  MECHANISMS=cram-md5

3.4.1.2 Configuring The Channel

You need to enable client-side SASL authentication on the appropriate channel. This could be a channel that you have configured to go to a specific remote system.
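Before the channel keywords, an added Python example (not PMDF code, and not from these release notes) that reads the CLIENT_AUTH sections above and works through the SMTP AUTH exchange the listed mechanisms imply: PLAIN sends the password itself (base64 is an encoding, not encryption, so it only belongs on a channel that also has maytls or musttls), while CRAM-MD5 sends only an HMAC of a server challenge, which is what the mechanism choice in the "alpha" section buys. The preference order used when MECHANISMS is absent, the comma-separated MECHANISMS syntax and the server challenge value are assumptions of the example, not documented PMDF behaviour.

```python
import base64
import hashlib
import hmac

# Constructed sample: the CLIENT_AUTH sections from the release notes.
SAMPLE_SECURITY_CNF = """\
! default settings
[CLIENT_AUTH=default]
USER=johnson
PASSWORD=mypassword
!
! for system "alpha"
[CLIENT_AUTH=alpha]
USER=smith
PASSWORD=happyday
MECHANISMS=cram-md5
"""

# Constructed server challenge (the payload of the 334 reply a CRAM-MD5 server sends).
CHALLENGE = base64.b64encode(b"<1234.1215000000@alpha.example.edu>").decode()

# Order tried when a section lists no MECHANISMS. This is the example's own policy
# (challenge-response before cleartext), not PMDF's documented order.
PREFERRED = ["DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]
CLEARTEXT = {"PLAIN", "LOGIN"}   # these transmit the password itself; require TLS on the channel


def parse_client_auth(text):
    """Parse [CLIENT_AUTH=name] sections of a security.cnf fragment; '!' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("[CLIENT_AUTH=") and line.endswith("]"):
            current = line[len("[CLIENT_AUTH="):-1]
            sections[current] = {}
            continue
        name, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"unexpected line: {raw!r}")
        sections[current][name.strip().upper()] = value.strip()
    return sections


def choose_mechanism(section, server_offered, tls_active):
    """Pick the first wanted mechanism the server's EHLO AUTH line offers.

    Cleartext mechanisms are refused unless TLS is already up. MECHANISMS is
    assumed to be comma-separated (the release notes show a single value).
    """
    wanted = [m.strip().upper() for m in section.get("MECHANISMS", ",".join(PREFERRED)).split(",")]
    offered = {m.upper() for m in server_offered.split()}
    for mech in wanted:
        if mech in offered and (tls_active or mech not in CLEARTEXT):
            return mech
    return None


def auth_plain_response(user, password):
    """AUTH PLAIN initial response: base64 of NUL user NUL password (RFC 4616)."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def cram_md5_response(user, password, challenge_b64):
    """AUTH CRAM-MD5 reply: base64('user ' + hex(HMAC-MD5(password, challenge))) (RFC 2195)."""
    digest = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(response_b64, challenge_b64, lookup_password):
    """Server side: recompute the digest for the named user and compare in constant time."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def smtp_auth_dialogue(mech, user, password, challenge_b64, lookup_password):
    """Simulate the SMTP AUTH exchange for PLAIN or CRAM-MD5 as a list of (side, line) pairs."""
    lines = []
    if mech == "PLAIN":
        lines.append(("C", f"AUTH PLAIN {auth_plain_response(user, password)}"))
        ok = lookup_password(user) == password
    elif mech == "CRAM-MD5":
        lines.append(("C", "AUTH CRAM-MD5"))
        lines.append(("S", f"334 {challenge_b64}"))
        response = cram_md5_response(user, password, challenge_b64)
        lines.append(("C", response))
        ok = cram_md5_verify(response, challenge_b64, lookup_password)
    else:
        raise ValueError(f"mechanism {mech} is not simulated here")
    lines.append(("S", "235 2.7.0 Authentication successful" if ok
                  else "535 5.7.8 Authentication credentials invalid"))
    return lines
```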
If all of your mail goes out through a single system (e.g. for your ISP), this could instead be the tcp_local channel.

To enable client-side SASL, add one of the following channel keywords to the channel definition in pmdf.cnf:

o maysaslclient - attempts SASL but continues if it fails
o mustsaslclient - performs SASL authentication and does not continue if it fails
o maysasl - enables both client-side and server-side SASL authentication
o mustsasl - requires both client-side and server-side SASL authentication

Optionally, the channel may have the following keywords added as needed:

o port - if you need to use an alternate port other than the standard SMTP port 25
o daemon router - used for channels that are configured for a single remote system
o maytls or musttls - if you wish to use TLS as well on the channel

By default, the [CLIENT_AUTH=default] section in the security.cnf file is used to get the username and password. If you want to use a different CLIENT_AUTH section, you can specify its name using the client_auth channel keyword.

Example channel definition:

  ! goes to system 'alpha' on the smtp submit port
  tcp_alpha smtp mx port 587 daemon router maysaslclient allowswitchchannel \
    maytls client_auth alpha
  alpha.example.edu
  TCP-ALPHA

3.5 SPF (Sender Policy Framework) and SRS (Sender Rewriting Scheme)

PMDF now provides a way to do SPF (Sender Policy Framework) checks for messages. PMDF also now supports SRS (Sender Rewriting Scheme) for forwarded messages. (D/E 9633, 10751) For more information about SPF and SRS, see http://www.openspf.org/.

Note: SPF and SRS are not available for PMDF on Windows or Tru64.

IMPORTANT: For OpenVMS sites running MultiNet, the ECO UCX_LIBRARY_EMULATION-090_A052 or later is required for SPF/SRS to function. For sites running TCPware, you need the patch DRIVERS_V582P020.
For sites running TCP/IP Services, you need version 5.3 or later.

3.5.1 Configuring SPF

The configuration for SPF is similar to that for DNS_VERIFY (see the PMDF System Manager's Guide, section 16.1.8, for DNS_VERIFY). As with DNS_VERIFY, SPF is invoked via an ACCESS mapping table callout to a sharable image on OpenVMS (PMDF_EXE:LIBSPFSHR.EXE) or a sharable object library on Unix platforms (/pmdf/lib/libspf.so). See the PMDF System Manager's Guide, section 2.2.6.7, for information on mapping table callouts. SPF could be invoked from any of the following mapping tables: FROM_ACCESS, ORIG_MAIL_ACCESS, or MAIL_ACCESS. However, we recommend using the FROM_ACCESS mapping table for greatest efficiency, since it is called only once, after the MAIL FROM: SMTP command, instead of after every RCPT TO: SMTP command.

Note that internal or trusted systems (such as mail gateways) should be excluded from SPF checks by adding mapping table entries before the SPF entries in the mapping table.

On Unix platforms, the symbol PMDF_SPF_LIBRARY is defined in /etc/pmdf_tailor to point to /pmdf/lib/libspf.so. On OpenVMS, the logical name PMDF_SPF_LIBRARY is defined in pmdf_startup.com to point to PMDF_EXE:LIBSPFSHR.EXE. We also recommend that you install the LIBSPFSHR.EXE sharable image for efficiency.
The following command to do this may be put in your pmdf_com:pmdf_site_startup.com file:

  $ INSTALL ADD PMDF_SPF_LIBRARY/OPEN/HEAD/SHARE

The SPF library has three routines that can be called:

o spf_lookup - does the SPF lookup and adds a Received-SPF: header upon successful completion, or a header of your choosing upon error (such as if there are no SPF records)
o spf_lookup_reject_fail - does the SPF lookup and rejects the message if it gets a fail result
o spf_lookup_reject_softfail - does the SPF lookup and rejects the message if it gets a fail or softfail result

These routines all accept four arguments:

1. the sending IP address
2. the MAIL FROM: address
3. the domain name to display in Received-SPF: headers
4. for the spf_lookup routine, the type of header to add upon error; for the other routines, the rejection text to use

The following examples show the various ways the routines can be used.

To add a Received-SPF: header, or in the case where there is no SPF record, an X-PMDF-SPF: header:

  FROM_ACCESS

    TCP|*|25|*|*|SMTP|*|tcp_*|*|*   $C$[PMDF_SPF_LIBRARY,spf_lookup,\
                                      $1,$5,example.com,X-PMDF-SPF]$E

To reject mail that fails the SPF lookup:

  FROM_ACCESS

    TCP|*|25|*|*|SMTP|*|tcp_*|*|*   $C$[PMDF_SPF_LIBRARY,spf_lookup_reject_softfail,\
                                      $1,$5,example.com,Rejected$ by$ SPF$ lookup]$E

3.5.2 Configuring SRS

The configuration of SRS is similar to that of SPF. As with SPF, SRS is invoked via mapping table callouts to a sharable image on OpenVMS (PMDF_EXE:LIBSRS2SHR.EXE) or a sharable object library on Unix platforms (/pmdf/lib/libsrs2.so). On Unix platforms, the symbol PMDF_SRS_LIBRARY is defined in /etc/pmdf_tailor to point to /pmdf/lib/libsrs2.so. On OpenVMS, the logical name PMDF_SRS_LIBRARY is defined in pmdf_startup.com to point to PMDF_EXE:LIBSRS2SHR.EXE.
We also recommend that you install the LIBSRS2SHR.EXE sharable image for efficiency. The following command to do this may be put in your pmdf_com:pmdf_site_startup.com file:

  $ INSTALL ADD PMDF_SRS_LIBRARY/OPEN/HEAD/SHARE

SRS is used both to encode the envelope from address when messages are being forwarded, and to decode envelope to addresses that are SRS-encoded (as for example for error messages sent in reply to forwarded messages). The REVERSE mapping table is used to call SRS to encode the envelope from addresses, and the FORWARD mapping table is used to call SRS to decode addresses.

To configure PMDF to use SRS, changes are required to the PMDF option file pmdf_table:option.dat, configuration file pmdf_table:pmdf.cnf, and mapping file pmdf_table:mappings.

3.5.2.1 Option File Changes

Two options need to be added to the PMDF option file: REVERSE_ENVELOPE and USE_REVERSE_DATABASE. The REVERSE_ENVELOPE option needs to be set to 1 to tell PMDF to apply the REVERSE mapping table to envelope from addresses (by default the REVERSE mapping table is only applied to header addresses). The USE_REVERSE_DATABASE option should be set to a value of 266. This value turns on address reversal processing (the REVERSE mapping table in this case), as well as specifying that the destination channel be prepended to the address when probing the REVERSE mapping table.

  REVERSE_ENVELOPE=1
  USE_REVERSE_DATABASE=266

3.5.2.2 Configuration File Changes

By default, the REVERSE mapping table is checked for every destination channel. For SRS, normally you'd only want to encode the envelope from address for messages that are being forwarded to the internet, for example, being sent out the tcp_local channel. To avoid unnecessary processing, the checking of the REVERSE mapping table can be restricted to when tcp_local is the destination channel.
This is done by using the noreverse and reverse channel keywords in the pmdf.cnf file.

Place the noreverse channel keyword on the defaults line in pmdf.cnf to turn off checking of the REVERSE mapping table by default. To turn the checking on for the tcp_local channel, add the reverse channel keyword to the tcp_local channel definition. If there are any other channels you use that you wish to use SRS on, put the reverse channel keyword on those channel definitions as well.

3.5.2.3 Mapping File Changes

The SRS library has two routines that can be called:

o pmdf_srs_forward - takes an address, encodes it as defined by the SRS rules, and returns the SRS-encoded address
o pmdf_srs_reverse - takes an SRS-encoded address and decodes it into the original address

These routines both accept three arguments:

1. The address to encode or decode.
2. A secret word used by the encoding and decoding process.
3. The local domain to use.

The pmdf_srs_forward routine is called from the REVERSE mapping table to encode the envelope from address. The pmdf_srs_reverse routine is called from the FORWARD mapping table to decode any SRS-encoded envelope to addresses.

Note: The name of each routine is the opposite of the name of the mapping table it is used in.

3.5.2.3.1 REVERSE Mapping Table

The option.dat option REVERSE_ENVELOPE above causes PMDF to apply the REVERSE mapping table to the envelope from address as well as to header addresses. Since SRS should be applied only to the envelope address and not to header addresses, you must specify the $:E flag on your REVERSE mapping table entry to make it apply only to envelope addresses.

For best efficiency, SRS should only be applied via the REVERSE mapping table to messages going out via the tcp_local channel (or other external channel).
The option.dat option USE_REVERSE_DATABASE described above, with a value of 266, causes PMDF to prepend the destination channel to the address when the REVERSE mapping table is probed. To apply a mapping table entry only to tcp_local, specify "tcp_local|" at the front of your REVERSE mapping table entries.

Note: If you are already using the REVERSE mapping table for something else, this setting of USE_REVERSE_DATABASE causes the destination channel to be prepended for all REVERSE mapping table probes, so your existing entries will need to account for the prefix.

Also, SRS should only be applied to messages that are being forwarded, not to locally generated messages. To do this, add entries to the REVERSE mapping table that exempt messages with a local envelope From address.

As explained above, to invoke SRS from the REVERSE mapping table, make a call out to the PMDF_SRS_LIBRARY shareable image, to the routine pmdf_srs_forward. For example:

   REVERSE

   tcp_local|*@*example.com   $N
   tcp_local|*@*  \
     $:E$[PMDF_SRS_LIBRARY,pmdf_srs_forward,$0@$1,secret,example.com]$E

The first entry exempts local senders ($N returns a no-match result, so the address is left unchanged). The second entry passes every other envelope From address going out tcp_local to pmdf_srs_forward; $:E restricts it to envelope addresses, and $E ends mapping processing with the routine's result.

_____________________
3.5.2.3.2 FORWARD Mapping Table

You also need a FORWARD mapping table to decode any SRS-encoded envelope To addresses (for example, responses to mail that you sent with an SRS-encoded envelope From address), so that the mail can be forwarded on to the real original sender.

To invoke the SRS decode routine, make a call out to the PMDF_SRS_LIBRARY shareable image, to the routine pmdf_srs_reverse (as described above). You also need to use the $D flag to tell PMDF to send the resulting address back through the rewrite process.

Since SRS decoding should only be applied to SRS-encoded addresses, you can select for this by checking for addresses that have at least two equal signs in the username part (an SRS0 address has four).
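As an added illustration, not PMDF's own libsrs2 code, the following Python model shows what the pmdf_srs_forward and pmdf_srs_reverse callouts do with their three arguments (address, secret word, local domain), how the "at least two equal signs" test selects decode candidates, and how the previous-secret list that srs_secret.dat supplies (see 3.5.2.4 below) lets bounces still decode after a secret change. The SRS0 address layout, the HMAC-SHA1 tag, the two-character base32 day counter, the 21-day validity window and the sample addresses are assumptions made for this example; these notes do not state how PMDF's library implements them.

```python
"""Illustrative SRS0 encode/decode model written for these release notes.
It is not PMDF's libsrs2 implementation, and the layout below is an
assumption borrowed from common SRS practice:

    SRS0=HHHH=TT=orig.domain=orig.local@local.domain

HHHH = first 4 base64 chars of HMAC-SHA1(secret, lower(TT+domain+local))
TT   = two base32 chars holding the low 10 bits of a day counter
"""
import base64
import hashlib
import hmac
import time

HASH_LEN = 4
MAX_AGE_DAYS = 21          # assumed validity window for a forwarded address
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _timestamp(days):
    """Two base32 characters encoding the low 10 bits of a day counter."""
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]


def _timestamp_ok(ts, now_days):
    """True if ts is at most MAX_AGE_DAYS old (modulo the 1024-day wrap).
    Case-insensitive, since some MTAs lower-case addresses in transit."""
    try:
        hi, lo = (BASE32.index(c) for c in ts.upper())
    except ValueError:          # wrong length or character
        return False
    age = (now_days - ((hi << 5) | lo)) & 1023
    return age <= MAX_AGE_DAYS


def _hash(secret, ts, domain, local):
    """Short HMAC tag binding the timestamp and the original address."""
    msg = (ts + domain + local).lower().encode()
    digest = hmac.new(secret.encode(), msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:HASH_LEN]


def srs_forward(address, secret, local_domain, days=None):
    """Model of pmdf_srs_forward: rewrite a remote envelope From address into
    an SRS0 address at local_domain. A local address is returned unchanged
    (the job the $N exemption entry does in the REVERSE table)."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not a mailbox address: %r" % address)
    if domain.lower() == local_domain.lower():
        return address
    if days is None:
        days = int(time.time() // 86400)
    ts = _timestamp(days)
    return "SRS0=%s=%s=%s=%s@%s" % (
        _hash(secret, ts, domain, local), ts, domain, local, local_domain)


def matches_forward_pattern(address, local_domain):
    """The FORWARD table's selection test from the page: an address at our
    domain whose username part contains at least two '=' signs."""
    local, at, domain = address.rpartition("@")
    return bool(at) and domain.lower() == local_domain.lower() \
        and local.count("=") >= 2


def srs_reverse(address, secret_list, local_domain, now_days=None):
    """Model of pmdf_srs_reverse. secret_list holds the current secret
    first, then previous ones (what srs_secret.dat supplies). Returns the
    original address, or None when the address is not a verifiable,
    unexpired SRS0 address (the callout fails; the address is left alone)."""
    local, at, domain = address.rpartition("@")
    if not at or domain.lower() != local_domain.lower():
        return None
    parts = local.split("=", 4)     # keep any '=' inside the original local part
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        return None
    _, tag, ts, orig_domain, orig_local = parts
    if now_days is None:
        now_days = int(time.time() // 86400)
    # Verify the tag before trusting anything else in the address; try each
    # known secret so mail forwarded under an old secret still bounces home.
    for secret in secret_list:
        expected = _hash(secret, ts, orig_domain, orig_local)
        if hmac.compare_digest(expected.lower(), tag.lower()):
            break
    else:
        return None                 # forged, or encoded with an unknown secret
    if not _timestamp_ok(ts, now_days):
        return None                 # a valid tag, but too old to honour
    return "%s@%s" % (orig_local, orig_domain)


def load_secrets(current, srs_secret_dat):
    """Secret list for srs_reverse: the current secret, then one previous
    secret per non-empty line of srs_secret.dat (passed here as text)."""
    previous = [line.strip() for line in srs_secret_dat.splitlines()]
    return [current] + [p for p in previous if p]
```

The decoder checks the tag before it looks at the timestamp or the embedded original address, which is the property the secret word exists to provide: a bounce sent to a fabricated SRS0 local part at your domain is not forwarded anywhere. Rotating the secret then only requires appending the old word to the previous-secret list, as 3.5.2.4 describes.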
For example, the following FORWARD entry applies the decode routine to such addresses:

   FORWARD

   *=*=*@example.com  \
     $[PMDF_SRS_LIBRARY,pmdf_srs_reverse,$0=$1=$2@example.com,secret,example.com]$D

_____________________
3.5.2.4 The Secret Word

The secret word specified in the mapping table callouts is used by the SRS encoding and decoding to make sure that the SRS-encoded address is not forged. Because it appears in clear text in the mappings file, protect that file as you would any other credential. You do not have to change your secret word at all, but if you do, the decoding routine needs to know all of the secret words that have been used, so that it can properly decode addresses that were encoded with a previous secret word (for example, bounces for mail forwarded before the change).

The SRS decoding routine checks the file pmdf_table:srs_secret.dat for a list of previous secret words. Whenever you change your secret word, add the old secret word to this file (one word per line).

_______________________________________________________
4 Contributed Software

__________________________________________________________________
4.1 vFastScan Lite

PMDF 6.4 includes vFastScan Lite, provided by EuroKom Ltd (www.eurokom.ie) for OpenVMS. vFastScan offers a faster interface on OpenVMS systems between PMDF and Sophos VSWEEP using the Sophos API. This results in significant performance gains over using the VSWEEP command (up to 15-fold increases have been seen).

vFastScan Lite is easily integrated into your PMDF conversion script by replacing the VSWEEP command with vFastScan's SCAN command, allowing for faster virus scanning. Further performance improvements are possible by upgrading vFastScan Lite to the full product.

Please note that vFastScan Lite is owned and provided by EuroKom Ltd. It is provided "as is" with no warranty from Process Software. It does not require the purchase of a license from either Process Software or EuroKom Ltd.

Informal support for vFastScan Lite is available via the info-pmdf mail list. Problems may be reported and questions asked via the list.
If you do not currently subscribe to info-pmdf and would like to, send an email to:

   Info-PMDF-Request@process.com

with the following single line as the body of the message:

   SUBSCRIBE

For more information, refer to the vFastScan Lite kit.

___________________________
4.1.1 Obtaining and Installing the vFastScan Lite Kit

vFastScan Lite is provided as a standalone kit that must be installed separately from PMDF. The kit is available on the PMDF V6.4 CD for OpenVMS, and on the anonymous PMDF ftp site ftp.pmdf.process.com, in the contrib directory. vFastScan Lite is provided as a VMSINSTAL kit on the CD, along with the documentation. On the ftp site, the kit and documentation are provided as a ZIP file.

_______________________________________________________
5 Release Notes

The following sections document the enhancements and bug fixes that have been made since PMDF V6.3.

__________________________________________________________________
5.1 Upgrades

1. Berkeley DB (formerly known as Sleepycat) has been upgraded to version 4.6.21.

2. The LDAP library that PMDF uses has been upgraded to OpenLDAP 2.3.32.

3. Pine for Unix platforms has been upgraded to version 4.64. (D/E 9207)

__________________________________________________________________
5.2 Aliases and Mailing Lists

1. Fixed a problem with symbol substitution in LDAP URLs in the aliases file. It now works, and symbols such as $U are correctly replaced with their values. (D/E 10304)

2. Changed the TAG mailing list named parameter to use a vertical bar (|) instead of a space to separate tags. This allows for multi-word tags. (D/E 10374)

3. Fixed a problem with mailing lists stored in LDAP when there are nested lists and some of them are empty. (D/E 10468)

4. Added a new value to the USE_ALIAS_DATABASE option. When this option is set to 2, if the alias database is unavailable, all mail is rejected with a temporary error.
(D/E 10045)

__________________________________________________________________
5.3 Dispatcher and Servers

1. Modified the legacy IMAP server to respond to a UID SEARCH command with at least one UID, to conform to RFC 3501 and to match the behavior of the msgstore IMAP server. (D/E 8984)

2. Modified how process names are generated for server processes so that the server type name doesn't get cut off unnecessarily when the number part expands from two to three digits. (D/E 10028) [OpenVMS only]

3. Fixed a problem that could cause various processes such as the SMTP server to crash with a segfault when trying to get some information from the system. (D/E 10504) [Unix only]

4. Fixed a problem accessing NFS-mounted native Unix (BSD) mailboxes via the legacy IMAP server, where you would sometimes get a "permission denied" error. (D/E 10535) [Linux only]

__________________________________________________________________
5.4 Logging

1. Entries have been added to debug log files to show the username and password that the SMTP server receives in response to its AUTH command prompts. (D/E 9841) Because such debug log files therefore contain credentials in clear text, protect them accordingly.

2. The "rfc822" prefix in entries in mail.log_* files is now always written in lower case. (D/E 10486)

3. Fixed a problem on Linux with glibc causing the SMTP client to crash when the LOG_HEADER option is used. (D/E 10693) [Linux only]

4. On Unix and Windows, restored the adding of a 'D' entry to mail.log_current when a message is deleted by QM. (The 'D' entry is added on OpenVMS, and used to be added on Unix/Windows with the old job controller; this feature was inadvertently removed with the new job controller.) Also, on all platforms, a 'D' entry is now added when messages are deleted by the pmdf qclean command or the QM clean command. (D/E 10644)

__________________________________________________________________
5.5 Job Controller (Unix and Windows only)

1.
Fixed the job controller to honor a queue channel keyword specified in a channel definition in pmdf.cnf, and to use the queue specified there if there is no queue specified in the job_controller.cnf or job_controller.cnf_site file for that channel. (D/E 10364)

2. Fixed a memory corruption problem when trying to talk to the job controller, which caused various PMDF processes to exit with an error. Note that this only occurs if job controller API debug logging is turned on. (D/E 10390)

3. Fixed a memory corruption problem which caused the job controller to crash. (D/E 10432)

4. Fixed several coding problems that caused internal queue corruption, which resulted in the job controller working incorrectly or eventually crashing or hanging. (D/E 10540)

5. Fixed several problems with the job controller options MAX_CONNS and MAX_AGE. These options now work correctly. Note that MAX_CONNS only applies to TCP channels. Also note that the default value for MAX_AGE is 30 minutes, not the 5 minutes incorrectly stated in the System Manager's Guide. (D/E 10559)

6. Fixed some problems with how the SMTP client and the job controller worked together to process messages in tcp_xxx channels, which could cause an SMTP client to get into a state where it would only process messages going to one remote host and not process any messages going to other hosts. (D/E 10568)

7. Fixed a problem with the job controller not reporting all of the messages that it knows about, for example in response to the commands "pmdf qm -maint dir -database" or "pmdf cache -view". (D/E 10576)

8. Modified the job controller to sort messages as it reads them in from the queue directories during startup. (D/E 10587)

9. Fixed a problem in the job controller which could cause an internal data structure to be corrupted, causing hangs or crashes.
(D/E 10729)

__________________________________________________________________
5.6 Mailbox Filters

1. Modified PMDF to ignore errors in mailbox filter files when processing Non-Delivery Notifications (NDNs). (D/E 7010)

2. Fixed a problem with the mailbox filters web interface in creating the filter file when popstore is in use with USERNAME_STYLE=2. (D/E 9711) [OpenVMS only]

3. Fixed a problem with using the mailbox filter file "redirect" command, where the ORIG_SEND_ACCESS mapping table anti-relay entries could be triggered incorrectly. (D/E 9903)

__________________________________________________________________
5.7 Mailserv

1. Modified the MAILSERV server to support mixed-case mailing list file names. If the list name is in mixed case, then MAILSERV commands which contain a list-name parameter must specify exactly the same mix of upper and lower case. If the mailing list file name is all lower case, then the list-name parameter on MAILSERV commands can be specified in any mixture of upper and lower case and the mailing list file will still be found (this is the same as the previous behavior). (D/E 10263) [Unix platforms only]

2. Fixed a problem with MAILSERV where it would not use the $A reply address from the MAILSERV_LISTS mapping table for confirmation messages. (D/E 10272)

__________________________________________________________________
5.8 Miscellaneous

1. Fixed a problem with messages that go through PreciseMail Anti-Spam (PMAS) counting twice against the PMDF license counter. (D/E 9272)

2. The parts of PMDF that write to PMDF_TMP have been modified to be able to write to an alternate directory instead. If you define the logical PMDF_IMAP_TMP to point to a directory, then the legacy IMAP server will use that directory to store its temporary files instead of PMDF_TMP.
If you define the logical PMDF_SPEC_TMP, then certain channel master programs that create special temporary files will use that directory instead of PMDF_TMP. The main channels that create these special temporary files are the conversion, script, and pipe channels. (D/E 9802) [OpenVMS only]

3. Added code to handle disconnects during an SMTP session more gracefully, returning non-delivery notices for addresses that are known to be bad before PMDF retries sending the message later. (D/E 10278)

4. The following channel keywords have been added:

   interpretmessageencoding
   ignoremessageencoding
   interpretmultipartencoding
   ignoremultipartencoding

   These keywords are similar to the existing interpretencoding and ignoreencoding channel keywords, which instruct PMDF to interpret or ignore any Encoding: headers in a message when using CHARSET-CONVERSION. The new keywords tell PMDF to interpret or ignore Encoding: headers inside nested messages or multipart messages. (D/E 10308)

5. Fixed a problem with a PMDF routine conflicting with a C RTL routine of the same name, which caused problems in user-written applications linked with the PMDF API. (D/E 10313)

6. Removed the informational and misleading "SMTP routine failure from SMTPC_ENQUEUE" message. (D/E 10514)

7. Fixed a problem that could crash the SMTP client and server if the timezone was not set properly. (D/E 10531) [Linux only]

8. Fixed a problem with running PMDF on OpenVMS/Alpha V6.x and OpenVMS/VAX V6.x systems, getting the error "illegal event flag cluster". (D/E 10560) [OpenVMS/Alpha and OpenVMS/VAX V6.x only]

9. Fixed a problem where PMDF would lose one character every 1022 bytes when decoding encoded attached text files. PMDF decodes attachments, for example, when the inner keyword is specified on the destination channel, or when the thurman keyword is used. (D/E 10599)

10.
Fixed a problem with authentication through LDAP if you are using LDAP V3, where it gives a "protocol error". (D/E 10603)

11. Changed the noremotehost channel keyword so that it will undo the effects of a remotehost channel keyword after a channel switch. (D/E 10659)

12. Fixed a problem where the post count was not being updated correctly. (D/E 10406) [Windows only]

13. Changed PMDF behavior in regard to databases so that running processes will now see and open a newly created database. (D/E 10736)

__________________________________________________________________
5.9 popstore / MessageStore

1. The validatelocalmsgstore channel keyword now checks for the DISMAIL flag when checking whether a username is a valid msgstore account. It also now correctly checks for usernames that are only listed in the msgstore forward database. (D/E 8988)

2. The REJECT_OVER_QUOTA option now applies to both popstore and msgstore accounts, and is checked by validatelocalmsgstore. (D/E 10314)

3. Fixed a problem with msgstore handling certain malformed MIME messages, where it sees them as corrupt. (D/E 10249)

4. Fixed a problem with delivering messages to a given msgstore account, getting the error "request not queued". (D/E 10372) [OpenVMS only]

5. Removed the count of stored messages from being displayed on the msgstore/popstore account user web page, and in the msgstore administrator's page to show an account, since the message count is not used for msgstore accounts. (D/E 10407)

6. Made another attempt to fix problems with msgstore files (and other miscellaneous files) ending up unusable in the following situation:

   FILE.TYP;2          y/z
   FILE.TYP;1          0/0
   FILE.TYP-XXXYYY;1   y/z

   Note: It is no longer the case that the version number of such files is required to be version ;1. The version number will from now on increase until it hits version ;9999, at which time it will be rewound back to version ;1.
(D/E 10725) [OpenVMS only]

7. Fixed a problem with reconstructing a mailbox that has no control files. (D/E 10737) [OpenVMS only]

8. Modified the behavior of the channel keyword validatelocalmsgstore so that it will now accept accounts that have a forward database entry, even if the account itself is set to DISMAIL. (D/E 10738)

__________________________________________________________________
5.10 TLS

1. Added support for chained TLS certificates. (D/E 8704)

2. Fixed a problem with using Internet Explorer with TLS to a Tru64 PMDF system. (D/E 10141) [Tru64 only]

3. Fixed a problem with crashes of the SMTP server and client processes with the following error message: (D/E 10415)

   Assertion failed: md_c[1] == md_count[1], file /pmdf_common/ssl/crypto/rand/md_rand.c, line 312

__________________________________________________________________
5.11 Utilities

1. cnbuild utility:

   a. Fixed a problem with detecting when pmdf.cnf exceeds the channel table size. (D/E 10347)

2. crdb utility:

   a. Fixed a problem with this utility crashing if the last entry in the main input file is an include of an empty file. (D/E 10583) [Unix only]

3. pine utility:

   a. Fixed a problem where, while composing a message, it would display the error "Error preparing to close file: bad file number". (D/E 10447) [OpenVMS/I64 only]

4. pmdf process utility:

   a. Improved the output to no longer show certain non-PMDF processes. (D/E 10306) [OpenVMS only]

   b. Fixed a problem with this command sometimes reporting syntax errors, or causing the creation of random files. (D/E 10489) [Unix only]

   c. Modified the output on Unix to now display the channel name for master channel processes. (D/E 10743) [Unix only]

   d. Updated to support mixed-case directory and file names with ODS-5. [OpenVMS only]

5. qm -maint utility:

   a.
Fixed a problem with the clean command where it would sometimes not delete/hold any of the messages that it should have based on the criteria. (D/E 10298) [Solaris and Tru64 only]

6. VMS MAIL utility:

   a. Fixed a problem where sending a file through PMDF from VMS MAIL caused it to always be sent as foreign. (D/E 10396) [OpenVMS/I64 only]

__________________________________________________________________
5.12 Web Interface

1. The "Password Change Utility" web page on the PMDF web interface has been enhanced to allow system managers to set passwords on behalf of users. Users may still change the password themselves by specifying their own username and the old (current) password when prompted. System managers may set the password on behalf of a user by logging in as either the pmdf account or the system account (i.e., the root account on Unix, the SYSTEM account on VMS, or the Administrator account on Windows). (D/E 9921)