#ident "@(#)smail:ToDo,v 1.41 1998/08/02 17:41:29 woods Exp"
Things that should be done before the next minor release (patches are,
of course, graciously accepted!):
Important Bugs:
--------------------
- when mail is sent to a domain that has only an A RR and there's no daemon
running, the mail never bounces. It just records ERR148
transport smtp: connect: Connection refused. (sometimes)
- change smtp_info to smtp_allow_expn/smtp_allow_vrfy. Add a warning
that RFC-1123 says "MUST implement VRFY" and "SHOULD implement EXPN"
both in the code and smailconf.5 and note VRFY is as safe as RCPT TO.
- fix bug where qualify_domain() isn't called for addresses specified on
the command line (i.e. it only seems to be called when '-t' is used)
- fix broken handling of multiple failure addresses, e.g.:
|------------------------- Failed addresses follow: ---------------------|
azramenon@ATTMAIL.uucp ... transport smtp: 553 <domreg@WGN.uucp> not matched: <domreg@WGN.uucp> is not a vaild domain.
domreg@WGN.uucp ... transport smtp: 553 <azramenon@ATTMAIL.uucp> not matched: <azramenon@ATTMAIL.uucp> is not a vaild domain.
I've also seen three different addresses report the exact same error
from the transport even though not all three might have failed.
- verify that it is indeed legal for an SMTP connection timeout error to
still result in forwarding what appears to be a complete message....
[it is possible the remote end is failing to issue a quit and either
hanging or disconnecting prematurely]. E.g.:
08/06/1997 02:51:40: [m0wvzwX-00076xC] Received FROM:freenrg-l-request@eskimo.com HOST:mx1.eskimo.com[204.122.16.48] PROTOCOL:esmtp PROGRAM:sendmail ORIG-ID:<"YWOb-3.0.dc2.9x1wp"@mx1> SIZE:6669 IDENT:smartlst ID-METHOD:rfc1413
08/06/1997 02:56:39: [m0wvzwX-00076xC] SMTP connection timeout while talking with mx1.eskimo.com [204.122.16.48].
08/06/1997 02:57:33: [m0wvzwX-00076xC] Delivered TO:woods ORIG-TO:<woods@weird.com> DIRECTOR:user TRANSPORT:local
08/06/1997 02:57:33: [m0wvzwX-00076xC] Completed.
Further notes from Wietse Venema suggest that if the receiver thinks
it's received the '.', and sent the reply, but the sender never sees the
reply then both mailers will become responsible for sending the message
and duplicates can result (see RFC 1047). This might explain the above
and show that it's legal to deliver the message even when the "OK" reply
is not successfully sent to the sender.
- use ftruncate() to remove partially written messages in appendfile.c
if ERR_135 [if possible].
- re-write aliasfile.c in the style of the fwdfile.c with a finish_*()
function which properly expands an owner address for each input address.
- find out why RCPT TO verification sometimes returns the wrong error
for domains that don't exist (should be "no such domain"):
08/19/1997 12:03:25: remote woods@very.weird.com[204.92.254.3]: '<no-such-user@no.such.domain>' <no-such-user@no.such.domain> recipient for sender 'woods@web.net' not matched by anything!
22:47 [340] $ host -a no.such.domain
jungle.on.ca does not exist (Authoritative answer)
Actually it seems these just drop out the bottom after all routers fail
to return a match....
- investigate extra <>'s in received for bounces:
Received: from most.weird.com (4544 bytes) by most.weird.com
via sendmail with P:bsmtp/D:user/T:local
(sender: <MAILER-DAEMON>) (ident <MAILER-DAEMON> using unix)
id <m0x2LJo-00076wC@most.weird.com>
for <<woods>>; Sat, 23 Aug 1997 14:53:52 -0400 (EDT)
(Smail-3.2.0.98-Pre 1997-Aug-19 #7 built 1997-Aug-20)
- deal with un-qualified local hostnames when there's no qualify file in
some sane way.... (the qualify.c stuff is perhaps overloaded and
shouldn't be used to qualify both local names in outgoing headers at the
same time as being used to qualify destination hostnames).
- fix "from_field" to never allow "From:" to go missing and if it's nil
do something appropriate....
- fix db lookup parser to allow '#' in left-hand side (if quoted?) [aliasfile]
- investigate the Apparently-To: being set, while input_addr not being set:
(no To/Resent-To/Cc/Bcc, etc., header in data, just envelope "MAIL FROM:")
Received: from [204.92.254.3] by most.weird.com
via sendmail with smtp (ident woods using rfc1413)
id <m0udnxb-00076qC@most.weird.com>
for <unknown>; Tue, 9 Jul 1996 21:20:59 -0400 (EDT)
(Smail-3.2 1996-Jul-4 #1 built 1996-Jul-4)
Apparently-To: foo@anet
perhaps $input_addr should be set from envelope (always?).
- investigate smail vs. MH via SMTP and BCC. Seems the BCC line can end
up in the initial Received header. I'm not even sure why the first
received line is there. This may have something to do with other
instances where multiple addresses per message give strange log entries
and bounce messages.
Received: from woffi.planix.com([204.29.161.34]) (1436 bytes) by whome.planix.com
via sendmail with P:esmtp/D:aliases/R:inet_hosts/T:smtp
(sender: <andreas@planix.com>)
id <m0x3NUM-0008NDC@whome.planix.com>
for <partners@planix.com>; Tue, 26 Aug 1997 11:25:02 -0400 (EDT)
(Smail-3.2.0.97 1997-Aug-19 #2 built 1997-Aug-25)
Received: from localhost.planix.com(localhost[127.0.0.1]) (1104 bytes) by woffi.planix.com
via sendmail with P:esmtp/R:inet_hosts/T:smtp
(sender: <andreas@planix.com>)
id <m0x3NUL-000EExC@woffi.planix.com>
for <customers_aew@planix.com>; Tue, 26 Aug 1997 11:25:01 -0400 (EDT)
(Smail-3.2.0.97 1997-Aug-19 #2 built 1997-Aug-19)
To: customers@planix.com (to /dev/null), partners@planix.com (an alias)
>> Dcc: customers_hidden@planix.com (an alias to everyone)
Note MH uses 'Dcc' instead of 'Bcc' for normal (direct) blind carbon.
- do something about the premature lower-casing of user names. Users
with upper case characters may not be able to receive mail (or at least
read the stuff they've received....) The correct solution is probably
to provide another field in struct addr in which the un-adulterated
user-id can be stored for use in the "local" transport's filename
expansion. I.e. the "user" director, with the 'ignore-case' attribute
set, will do a caseless match of the user-id against the mailbox portion
of the address, and then the actual user-id with case preserved can be
used in generating the mailbox spool filename. [PR#295 notes that
getpwbyname() in pwcache.c explicitly lowercases the user name passed to
it before a getpwnam() search is proposed and the PR actually suggests
removing this lowercasing (so that the case is preserved in the cache),
but still doing a case-insensitive search through the password file,
though it doesn't pay heed to the ignore-case attribute, nor does it
provide for storing the case-preserved user-id in struct addr.]
- fix aliasfile parser to allow case sensitive aliases (ala above?)
[keep in mind the lists director uses "lists/${lc:user}"]
- turn down the verbose logging of failed locks, if another smail
process is known to hold the lock.... e.g.:
02/28/96 12:07:36: open_spool: /local/var/spool/smail/input/0trpIB-00076nC: lock failed: Permission denied
Unfortunately this will probably require re-writing the spool locking
functions to use pid-in-a-lock-file mechanisms. [effectively fixed in
3.2.1 for systems that return EAGAIN if lock_fd() meets another lock?]
[it has been noted that there may be real race conditions in here!]
- check out what's going on with Apparently-From being added multiple
times
- check out re-writing From: if from '-f'
- Make sure "From:" and "To:" are always generated correctly for all
locally originating mail and never for anything else.
- stop smail from generating those horrible Apparently-* headers now
that the envelope is completely available in the default received
header [Apparently-From should be gone from 3.2.1].
Incomplete Features:
--------------------
- fully support $max_message_size [include hints to user about resending
in bounce if not immediately rejected by ESMTP, and perhaps add a new
option $truncate_oversize_bounce or similar with default ON].
- enable and test HAVE_DF_SPOOL for all systems where possible [or wait
for autoconf?].
- think about allowing $listen_name to be set on command line too [if
this is used for more than one domain then you'll need separate config
files anyway, so just use -C; but if you are using this to avoid having
smtp on some interfaces then this info may be easier to manage in one place
in the /etc/rc* files or whatever].
- do something to make aliasfile parsing identical across lookup protos.
(related to 'db lookup parser' bug above?)
- implement 'mailq' to follow through on '-t' option (i.e. read header)
- have 'mailq' print "Mail queue is empty" when it is (isatty()?) ala sendmail
- Put the following in default.c for SVR4's local, pipe, & file transports:
remove_header="Content-Length",
append_header="${if !header:Content-Type :Content-Type: text}",
append_header="Content-Length: $body_size",
- think about how to integrate checkerr and savelog so that security
violations can be snarfed from logfile just after it is cycled. Perhaps
a new over-all maintenance script (smailmaint?) could do the work and
there would only be one crontab entry necessary. [syslog logging will
change all of this since then security violations will get more
attention from syslog if the admin desires...]
- add an "always" attribute to the directors drivers, esp. aliasfile.
- add 'senders' and 'senders_except' attributes to directors and routers
to implement restricted aliases, transports, etc.
- add 'smtp_recipient_no_verify' (a list for match_ip()) that can be
used for dumb MUA clients that deliver by SMTP but need a real bounce
message, not a 400/500 error. [This will also fix problems for clients
that use ESMTP pipelining but then don't multiply their timeout by the
number of addresses they've submitted, such as Lotus Notes.]
- change the syntax of smtp_remote_allow patterns (i.e. match_ip()) to
allow IP address specification with CIDR notation and/or maybe netmask
notation. [steal netmask code from tcp_wrappers, or perhaps the
hostmask() routine from ip_filter?] Also allow hostnames by doing a
reverse lookup on the address and matching the PTR(s) with hostname
patterns [regex's too?].
- think about making smtp_remote_allow and other users of match_ip()
capable of specifying a file lookup mechanism:
smtp_remote_allow="${lookup:sender_host_addr:ipsearch:{
/etc/smail/remote.allow}:$value}"
where "ipsearch" iterates the [new] match_ip() function over all the
values in the file. (does this mean keeping the double compare?) (the
file should probably be cached in-core and treated as a list)
- Think about splitting lsearch and USE_LSEARCH_REGEXCMP into a plain
old lsearch and a new "research" (is this a bad name? ;-) for straight
RE linear searches. Think about not using double quotes to trigger the
RE match, but rather doing it for every key value. Think about a
combined lsearch/research that would do what lsearch+REGEXCMP does now
with the double quote trigger.
- adjust the error messages in config file parsing to include at least
the line number, and anything else helpful, not just:
05/07/1997 15:40:59: /local/etc/smail/config: parse error: unexpected end of attribute
- make some of the SMTP error messages more explanatory and think about
using continuation lines, such as this:
550-'<chris@cheddar.netmonger.net>SIZE=2088' sender address target
550-domain 'cheddar.netmonger.net' is not a valid e-mail domain
550 (there is no MX record in the DNS for it).
- think about adding eqic{, ltic{, gtic{ operators that unify the case
of their arguments before testing.
- think about changing the "var" portion of the eq{ et al operators to
be a fully expanded value, not just a variable name (which would make
the above mentioned eqic{ et al operators redundant).
- add support for Kiem-Phong Vo <kpv@research.att.com> Vmalloc library,
particularly debugging support.
- document ${eval: if it turns out to be useful.
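
A sketch of the CIDR matching asked for in the smtp_remote_allow and
"ipsearch" items above, as an added example (not smail code): the names
parse_cidr() and match_ip_cidr() are hypothetical, IPv4 only, and the
colon-separated list format is an assumption.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not smail's match_ip(): parse "a.b.c.d" or
 * "a.b.c.d/len" into host-order base and mask. Returns 0, or -1 if malformed. */
static int parse_cidr(const char *pat, size_t n, uint32_t *base, uint32_t *mask)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    long len = 32;              /* a bare address is a /32 */

    if (n == 0 || n >= sizeof(buf))
        return -1;
    memcpy(buf, pat, n);
    buf[n] = '\0';
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash++ = '\0';
        len = strtol(slash, &end, 10);
        if (end == slash || *end != '\0' || len < 0 || len > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    /* shifting a 32-bit value by 32 is undefined in C, so /0 is explicit */
    *mask = (len == 0) ? 0 : (uint32_t)(0xffffffffu << (32 - len));
    *base = ntohl(a.s_addr) & *mask;    /* ignore stray host bits in pattern */
    return 0;
}

/* Returns 1 if addr matches any entry of the colon-separated list (the list
 * separator is an assumption), 0 if none match, -1 if addr is not valid IPv4.
 * Malformed entries never match, so a typo cannot widen the allow list. */
int match_ip_cidr(const char *addr, const char *list)
{
    struct in_addr a;
    uint32_t ip, base, mask;
    if (inet_pton(AF_INET, addr, &a) != 1)
        return -1;
    ip = ntohl(a.s_addr);
    while (*list != '\0') {
        size_t n = strcspn(list, ":");
        if (parse_cidr(list, n, &base, &mask) == 0 && (ip & mask) == base)
            return 1;
        list += n + (list[n] == ':');
    }
    return 0;
}
```

An "ipsearch" lookup would call the same matcher once per cached line of
the file instead of once per list entry.
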
New Features:
--------------------
- implement optional $max_mailbox_size [optionally as a colon separated
list of "user=size" tokens with something like '*' as the default user
and "nolimit" to unset per user].
- never completely fill the spooldir if HAVE_DF_SPOOL (add optional
$min_spooldir_free?)
- be careful about never filling the logfile too (can we instantly defer
connections if we're out of resources like this?)
- Think about a config variable (maybe $log_events?) that
could control which items are logged and which are not [or wait for
syslog support?]
- make the startup log message more verbose (version, build, build date,
release date, etc.) [use $smtp_banner ???]
- write a minimal mailstats replacement (new log file format only)
[real stats, not just what logsumm does]
- implement 'mailq' option to read the "error" queue (mailq -e?)
- implement '-R'
-Rstring Go through the queue of pending mail and
attempt to deliver any message with a recipient
containing the specified string. This
is useful for clearing out mail directed to a
machine which has been down for awhile.
- implement ETRN from RFC 1985 ala the above.
- implement other standards-track SMTP extensions....
- when possible make the daemon children change their ps command line
text to show what they are currently doing.
- teach substitute() to recognize the variable names listed in
conf_attributes, etc.
- try to ensure all variables are run through expand_string().
Miscellaneous:
--------------------
- add #ifdef HAVE_UNISTD_H #include <unistd.h> where appropriate [or
wait for autoconf?].
- remove nested includes from "jump.h" [and everywhere!].
- think about getting <string.h> out of defs.h [or wait for autoconf?]
- investigate: ORIG-ID:<199604230758.AA13625@post.tandem.com\POS,$ZNET^U5>
- think about doing something to allow an alias to be used to force a
"no-such-user" bounce.
- install ".so" longname manual pages on systems with longnames [need to
fix up xrefs too?]
- should we add IsValid*() checking? from:
<ftp://ftp.cert.org/pub/cert_advisories/CA-96.04.corrupt_info_from_servers>
- read draft-ietf-drums-smtpupd-04.txt [or newer] more carefully.
- think about not stripping comments from aliases, etc., and providing
GCOS info; esp. for EXPN and VRFY, perhaps re-using smtp_info to control.
- Should the "real_user" director set ignore_alias_match?
- consider allowing multiple whitespace characters to act as one when
separating words in a string parsed by expand_string().