README revision 111823
138032Speter 264562Sgshapiro SENDMAIL CONFIGURATION FILES 338032Speter 490792SgshapiroThis document describes the sendmail configuration files. It 590792Sgshapiroexplains how to create a sendmail.cf file for use with sendmail. 690792SgshapiroIt also describes how to set options for sendmail which are explained 790792Sgshapiroin the Sendmail Installation and Operation guide (doc/op/op.me). 838032Speter 990792SgshapiroTo get started, you may want to look at tcpproto.mc (for TCP-only 1090792Sgshapirosites) and clientproto.mc (for clusters of clients using a single 1190792Sgshapiromail host), or the generic-*.mc files as operating system-specific 1290792Sgshapiroexamples. 1338032Speter 1490792SgshapiroTable of Content: 1538032Speter 1690792SgshapiroINTRODUCTION AND EXAMPLE 1790792SgshapiroA BRIEF INTRODUCTION TO M4 1890792SgshapiroFILE LOCATIONS 1990792SgshapiroOSTYPE 2090792SgshapiroDOMAINS 2190792SgshapiroMAILERS 2290792SgshapiroFEATURES 2390792SgshapiroHACKS 2490792SgshapiroSITE CONFIGURATION 2590792SgshapiroUSING UUCP MAILERS 2690792SgshapiroTWEAKING RULESETS 2790792SgshapiroMASQUERADING AND RELAYING 2890792SgshapiroUSING LDAP FOR ALIASES, MAPS, AND CLASSES 2990792SgshapiroLDAP ROUTING 3090792SgshapiroANTI-SPAM CONFIGURATION CONTROL 3190792SgshapiroSTARTTLS 3290792SgshapiroSMTP AUTHENTICATION 3390792SgshapiroADDING NEW MAILERS OR RULESETS 3490792SgshapiroADDING NEW MAIL FILTERS 3590792SgshapiroQUEUE GROUP DEFINITIONS 3690792SgshapiroNON-SMTP BASED CONFIGURATIONS 3790792SgshapiroWHO AM I? 3890792SgshapiroACCEPTING MAIL FOR MULTIPLE NAMES 3990792SgshapiroUSING MAILERTABLES 4090792SgshapiroUSING USERDB TO MAP FULL NAMES 4190792SgshapiroMISCELLANEOUS SPECIAL FEATURES 4290792SgshapiroSECURITY NOTES 4390792SgshapiroTWEAKING CONFIGURATION OPTIONS 4490792SgshapiroMESSAGE SUBMISSION PROGRAM 4590792SgshapiroFORMAT OF FILES AND MAPS 4690792SgshapiroDIRECTORY LAYOUT 4790792SgshapiroADMINISTRATIVE DETAILS 4838032Speter 4990792Sgshapiro 5038032Speter+--------------------------+ 5138032Speter| INTRODUCTION AND EXAMPLE | 5238032Speter+--------------------------+ 5338032Speter 5438032SpeterConfiguration files are contained in the subdirectory "cf", with a 5538032Spetersuffix ".mc". They must be run through "m4" to produce a ".cf" file. 5638032SpeterYou must pre-load "cf.m4": 5738032Speter 5838032Speter m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf 5938032Speter 6064562SgshapiroAlternatively, you can simply: 6164562Sgshapiro 6264562Sgshapiro cd ${CFDIR}/cf 6364562Sgshapiro ./Build config.cf 6464562Sgshapiro 6538032Speterwhere ${CFDIR} is the root of the cf directory and config.mc is the 6638032Spetername of your configuration file. If you are running a version of M4 6738032Speterthat understands the __file__ builtin (versions of GNU m4 >= 0.75 do 6838032Speterthis, but the versions distributed with 4.4BSD and derivatives do not) 6938032Speteror the -I flag (ditto), then ${CFDIR} can be in an arbitrary directory. 7038032SpeterFor "traditional" versions, ${CFDIR} ***MUST*** be "..", or you MUST 7138032Speteruse -D_CF_DIR_=/path/to/cf/dir/ -- note the trailing slash! For example: 7238032Speter 7338032Speter m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 config.mc > config.cf 7438032Speter 7538032SpeterLet's examine a typical .mc file: 7638032Speter 7738032Speter divert(-1) 7838032Speter # 7990792Sgshapiro # Copyright (c) 1998-2002 Sendmail, Inc. and its suppliers. 8064562Sgshapiro # All rights reserved. 8138032Speter # Copyright (c) 1983 Eric P. Allman. All rights reserved. 8238032Speter # Copyright (c) 1988, 1993 8338032Speter # The Regents of the University of California. All rights reserved. 8438032Speter # 8538032Speter # By using this file, you agree to the terms and conditions set 8638032Speter # forth in the LICENSE file which can be found at the top level of 8738032Speter # the sendmail distribution. 8838032Speter # 8938032Speter 9038032Speter # 9138032Speter # This is a Berkeley-specific configuration file for HP-UX 9.x. 9238032Speter # It applies only to the Computer Science Division at Berkeley, 9338032Speter # and should not be used elsewhere. It is provided on the sendmail 9438032Speter # distribution as a sample only. To create your own configuration 9538032Speter # file, create an appropriate domain file in ../domain, change the 9638032Speter # `DOMAIN' macro below to reference that file, and copy the result 9738032Speter # to a name of your own choosing. 9838032Speter # 9938032Speter divert(0) 10038032Speter 10138032SpeterThe divert(-1) will delete the crud in the resulting output file. 10238032SpeterThe copyright notice can be replaced by whatever your lawyers require; 10364562Sgshapiroour lawyers require the one that is included in these files. A copyleft 10438032Speteris a copyright by another name. The divert(0) restores regular output. 10538032Speter 10638032Speter VERSIONID(`<SCCS or RCS version id>') 10738032Speter 10838032SpeterVERSIONID is a macro that stuffs the version information into the 10964562Sgshapiroresulting file. You could use SCCS, RCS, CVS, something else, or 11038032Speteromit it completely. This is not the same as the version id included 11138032Speterin SMTP greeting messages -- this is defined in m4/version.m4. 11238032Speter 11364562Sgshapiro OSTYPE(`hpux9')dnl 11438032Speter 11538032SpeterYou must specify an OSTYPE to properly configure things such as the 11638032Speterpathname of the help and status files, the flags needed for the local 11738032Spetermailer, and other important things. If you omit it, you will get an 11838032Spetererror when you try to build the configuration. Look at the ostype 11938032Speterdirectory for the list of known operating system types. 12038032Speter 12164562Sgshapiro DOMAIN(`CS.Berkeley.EDU')dnl 12238032Speter 12338032SpeterThis example is specific to the Computer Science Division at Berkeley. 12464562SgshapiroYou can use "DOMAIN(`generic')" to get a sufficiently bland definition 12538032Speterthat may well work for you, or you can create a customized domain 12638032Speterdefinition appropriate for your environment. 12738032Speter 12864562Sgshapiro MAILER(`local') 12964562Sgshapiro MAILER(`smtp') 13038032Speter 13190792SgshapiroThese describe the mailers used at the default CS site. The local 13290792Sgshapiromailer is always included automatically. Beware: MAILER declarations 13390792Sgshapiroshould always be at the end of the configuration file. The general 13490792Sgshapirorules are that the order should be: 13538032Speter 13638032Speter VERSIONID 13738032Speter OSTYPE 13838032Speter DOMAIN 13938032Speter FEATURE 14038032Speter local macro definitions 14138032Speter MAILER 14290792Sgshapiro LOCAL_CONFIG 14364562Sgshapiro LOCAL_RULE_* 14464562Sgshapiro LOCAL_RULESETS 14538032Speter 14664562SgshapiroThere are a few exceptions to this rule. Local macro definitions which 14764562Sgshapiroinfluence a FEATURE() should be done before that feature. For example, 14864562Sgshapiroa define(`PROCMAIL_MAILER_PATH', ...) should be done before 14964562SgshapiroFEATURE(`local_procmail'). 15038032Speter 15190792Sgshapiro******************************************************************* 15290792Sgshapiro*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** 15390792Sgshapiro*** Berkeley-specific assumptions built in, such as the name *** 15490792Sgshapiro*** of their UUCP-relay. You'll want to create your own *** 15590792Sgshapiro*** domain description, and use that in place of *** 15690792Sgshapiro*** domain/Berkeley.EDU.m4. *** 15790792Sgshapiro******************************************************************* 15864562Sgshapiro 15990792Sgshapiro 16038032Speter+----------------------------+ 16138032Speter| A BRIEF INTRODUCTION TO M4 | 16238032Speter+----------------------------+ 16338032Speter 16438032SpeterSendmail uses the M4 macro processor to ``compile'' the configuration 16538032Speterfiles. The most important thing to know is that M4 is stream-based, 16638032Speterthat is, it doesn't understand about lines. For this reason, in some 16738032Speterplaces you may see the word ``dnl'', which stands for ``delete 16838032Speterthrough newline''; essentially, it deletes all characters starting 16938032Speterat the ``dnl'' up to and including the next newline character. In 17038032Spetermost cases sendmail uses this only to avoid lots of unnecessary 17138032Speterblank lines in the output. 17238032Speter 17338032SpeterOther important directives are define(A, B) which defines the macro 17438032Speter``A'' to have value ``B''. Macros are expanded as they are read, so 17538032Speterone normally quotes both values to prevent expansion. For example, 17638032Speter 17738032Speter define(`SMART_HOST', `smart.foo.com') 17838032Speter 17938032SpeterOne word of warning: M4 macros are expanded even in lines that appear 18038032Speterto be comments. For example, if you have 18138032Speter 18264562Sgshapiro # See FEATURE(`foo') above 18338032Speter 18464562Sgshapiroit will not do what you expect, because the FEATURE(`foo') will be 18538032Speterexpanded. This also applies to 18638032Speter 18738032Speter # And then define the $X macro to be the return address 18838032Speter 18938032Speterbecause ``define'' is an M4 keyword. If you want to use them, surround 19038032Speterthem with directed quotes, `like this'. 19138032Speter 192110560SgshapiroSince m4 uses single quotes (opening "`" and closing "'") to quote 193110560Sgshapiroarguments, those quotes can't be used in arguments. For example, 194110560Sgshapiroit is not possible to define a rejection message containing a single 195110560Sgshapiroquote. Usually there are simple workarounds by changing those 196110560Sgshapiromessages; in the worst case it might be ok to change the value 197110560Sgshapirodirectly in the generated .cf file, which however is not advised. 19890792Sgshapiro 199110560Sgshapiro 20090792SgshapiroNotice: 20190792Sgshapiro------- 20290792Sgshapiro 20390792SgshapiroThis package requires a post-V7 version of m4; if you are running the 20490792Sgshapiro4.2bsd, SysV.2, or 7th Edition version. SunOS's /usr/5bin/m4 or 20590792SgshapiroBSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works. 20690792SgshapiroUnfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a 20790792SgshapiroNet/2 or GNU version. GNU m4 is available from 20890792Sgshapiroftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version). 20990792SgshapiroEXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU 21090792Sgshapirom4 on this platform. 21190792Sgshapiro 21290792Sgshapiro 21338032Speter+----------------+ 21438032Speter| FILE LOCATIONS | 21538032Speter+----------------+ 21638032Speter 21738032Spetersendmail 8.9 has introduced a new configuration directory for sendmail 21838032Speterrelated files, /etc/mail. The new files available for sendmail 8.9 -- 21964562Sgshapirothe class {R} /etc/mail/relay-domains and the access database 22064562Sgshapiro/etc/mail/access -- take advantage of this new directory. Beginning with 22164562Sgshapiro8.10, all files will use this directory by default (some options may be 22264562Sgshapiroset by OSTYPE() files). This new directory should help to restore 22364562Sgshapirouniformity to sendmail's file locations. 22438032Speter 22564562SgshapiroBelow is a table of some of the common changes: 22664562Sgshapiro 22764562SgshapiroOld filename New filename 22864562Sgshapiro------------ ------------ 22964562Sgshapiro/etc/bitdomain /etc/mail/bitdomain 23064562Sgshapiro/etc/domaintable /etc/mail/domaintable 23164562Sgshapiro/etc/genericstable /etc/mail/genericstable 23264562Sgshapiro/etc/uudomain /etc/mail/uudomain 23364562Sgshapiro/etc/virtusertable /etc/mail/virtusertable 23464562Sgshapiro/etc/userdb /etc/mail/userdb 23564562Sgshapiro 23664562Sgshapiro/etc/aliases /etc/mail/aliases 23764562Sgshapiro/etc/sendmail/aliases /etc/mail/aliases 23864562Sgshapiro/etc/ucbmail/aliases /etc/mail/aliases 23964562Sgshapiro/usr/adm/sendmail/aliases /etc/mail/aliases 24064562Sgshapiro/usr/lib/aliases /etc/mail/aliases 24164562Sgshapiro/usr/lib/mail/aliases /etc/mail/aliases 24264562Sgshapiro/usr/ucblib/aliases /etc/mail/aliases 24364562Sgshapiro 24464562Sgshapiro/etc/sendmail.cw /etc/mail/local-host-names 24564562Sgshapiro/etc/mail/sendmail.cw /etc/mail/local-host-names 24664562Sgshapiro/etc/sendmail/sendmail.cw /etc/mail/local-host-names 24764562Sgshapiro 24864562Sgshapiro/etc/sendmail.ct /etc/mail/trusted-users 24964562Sgshapiro 25064562Sgshapiro/etc/sendmail.oE /etc/mail/error-header 25164562Sgshapiro 25264562Sgshapiro/etc/sendmail.hf /etc/mail/helpfile 25364562Sgshapiro/etc/mail/sendmail.hf /etc/mail/helpfile 25464562Sgshapiro/usr/ucblib/sendmail.hf /etc/mail/helpfile 25564562Sgshapiro/etc/ucbmail/sendmail.hf /etc/mail/helpfile 25664562Sgshapiro/usr/lib/sendmail.hf /etc/mail/helpfile 25764562Sgshapiro/usr/share/lib/sendmail.hf /etc/mail/helpfile 25864562Sgshapiro/usr/share/misc/sendmail.hf /etc/mail/helpfile 25964562Sgshapiro/share/misc/sendmail.hf /etc/mail/helpfile 26064562Sgshapiro 26164562Sgshapiro/etc/service.switch /etc/mail/service.switch 26264562Sgshapiro 26364562Sgshapiro/etc/sendmail.st /etc/mail/statistics 26464562Sgshapiro/etc/mail/sendmail.st /etc/mail/statistics 26564562Sgshapiro/etc/mailer/sendmail.st /etc/mail/statistics 26664562Sgshapiro/etc/sendmail/sendmail.st /etc/mail/statistics 26764562Sgshapiro/usr/lib/sendmail.st /etc/mail/statistics 26864562Sgshapiro/usr/ucblib/sendmail.st /etc/mail/statistics 26964562Sgshapiro 27064562SgshapiroNote that all of these paths actually use a new m4 macro MAIL_SETTINGS_DIR 27164562Sgshapiroto create the pathnames. The default value of this variable is 27264562Sgshapiro`/etc/mail/'. If you set this macro to a different value, you MUST include 27364562Sgshapiroa trailing slash. 27464562Sgshapiro 27580785SgshapiroNotice: all filenames used in a .mc (or .cf) file should be absolute 27680785Sgshapiro(starting at the root, i.e., with '/'). Relative filenames most 27780785Sgshapirolikely cause surprises during operations (unless otherwise noted). 27880785Sgshapiro 27980785Sgshapiro 28038032Speter+--------+ 28138032Speter| OSTYPE | 28238032Speter+--------+ 28338032Speter 28438032SpeterYou MUST define an operating system environment, or the configuration 28538032Speterfile build will puke. There are several environments available; look 28638032Speterat the "ostype" directory for the current list. This macro changes 28738032Speterthings like the location of the alias file and queue directory. Some 28838032Speterof these files are identical to one another. 28938032Speter 29038032SpeterIt is IMPERATIVE that the OSTYPE occur before any MAILER definitions. 29138032SpeterIn general, the OSTYPE macro should go immediately after any version 29238032Speterinformation, and MAILER definitions should always go last. 29338032Speter 29438032SpeterOperating system definitions are usually easy to write. They may define 29538032Speterthe following variables (everything defaults, so an ostype file may be 29638032Speterempty). Unfortunately, the list of configuration-supported systems is 29738032Speternot as broad as the list of source-supported systems, since many of 29838032Speterthe source contributors do not include corresponding ostype files. 29938032Speter 30064562SgshapiroALIAS_FILE [/etc/mail/aliases] The location of the text version 30138032Speter of the alias file(s). It can be a comma-separated 30238032Speter list of names (but be sure you quote values with 30338032Speter commas in them -- for example, use 30438032Speter define(`ALIAS_FILE', `a,b') 30538032Speter to get "a" and "b" both listed as alias files; 30638032Speter otherwise the define() primitive only sees "a"). 30764562SgshapiroHELP_FILE [/etc/mail/helpfile] The name of the file 30838032Speter containing information printed in response to 30938032Speter the SMTP HELP command. 31038032SpeterQUEUE_DIR [/var/spool/mqueue] The directory containing 31164562Sgshapiro queue files. To use multiple queues, supply 31264562Sgshapiro a value ending with an asterisk. For 31373188Sgshapiro example, /var/spool/mqueue/qd* will use all of the 31464562Sgshapiro directories or symbolic links to directories 31573188Sgshapiro beginning with 'qd' in /var/spool/mqueue as queue 31664562Sgshapiro directories. The names 'qf', 'df', and 'xf' are 31773188Sgshapiro reserved as specific subdirectories for the 31873188Sgshapiro corresponding queue file types as explained in 31990792Sgshapiro doc/op/op.me. See also QUEUE GROUP DEFINITIONS. 32090792SgshapiroMSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing 32190792Sgshapiro queue files for the MSP (Mail Submission Program, 32290792Sgshapiro see sendmail/SECURITY). 32364562SgshapiroSTATUS_FILE [/etc/mail/statistics] The file containing status 32438032Speter information. 32538032SpeterLOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. 32664562SgshapiroLOCAL_MAILER_FLAGS [Prmn9] The flags used by the local mailer. The 32764562Sgshapiro flags lsDFMAw5:/|@q are always included. 32838032SpeterLOCAL_MAILER_ARGS [mail -d $u] The arguments passed to deliver local 32938032Speter mail. 33038032SpeterLOCAL_MAILER_MAX [undefined] If defined, the maximum size of local 33138032Speter mail that you are willing to accept. 33264562SgshapiroLOCAL_MAILER_MAXMSGS [undefined] If defined, the maximum number of 33364562Sgshapiro messages to deliver in a single connection. Only 33464562Sgshapiro useful for LMTP local mailers. 33538032SpeterLOCAL_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 33638032Speter that ARRIVE from an address that resolves to the 33738032Speter local mailer and which are converted to MIME will be 33838032Speter labeled with this character set. 33964562SgshapiroLOCAL_MAILER_EOL [undefined] If defined, the string to use as the 34064562Sgshapiro end of line for the local mailer. 34164562SgshapiroLOCAL_MAILER_DSN_DIAGNOSTIC_CODE 34264562Sgshapiro [X-Unix] The DSN Diagnostic-Code value for the 34364562Sgshapiro local mailer. This should be changed with care. 34438032SpeterLOCAL_SHELL_PATH [/bin/sh] The shell used to deliver piped email. 34538032SpeterLOCAL_SHELL_FLAGS [eu9] The flags used by the shell mailer. The 34638032Speter flags lsDFM are always included. 34738032SpeterLOCAL_SHELL_ARGS [sh -c $u] The arguments passed to deliver "prog" 34838032Speter mail. 34938032SpeterLOCAL_SHELL_DIR [$z:/] The directory search path in which the 35038032Speter shell should run. 35190792SgshapiroLOCAL_MAILER_QGRP [undefined] The queue group for the local mailer. 35238032SpeterUSENET_MAILER_PATH [/usr/lib/news/inews] The name of the program 35338032Speter used to submit news. 35464562SgshapiroUSENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer. 35538032SpeterUSENET_MAILER_ARGS [-m -h -n] The command line arguments for the 35690792Sgshapiro usenet mailer. NOTE: Some versions of inews 35790792Sgshapiro (such as those shipped with newer versions of INN) 35890792Sgshapiro use different flags. Double check the defaults 35990792Sgshapiro against the inews man page. 360102528SgshapiroUSENET_MAILER_MAX [undefined] The maximum size of messages that will 36138032Speter be accepted by the usenet mailer. 36290792SgshapiroUSENET_MAILER_QGRP [undefined] The queue group for the usenet mailer. 36338032SpeterSMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default 36464562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 36564562Sgshapiro "esmtp" mailer adds `a'; "smtp8" adds `8'; and 36664562Sgshapiro "dsmtp" adds `%'. 36764562SgshapiroRELAY_MAILER_FLAGS [undefined] Flags added to the relay mailer. Default 36864562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 36964562Sgshapiro relay mailer adds `a8'. If this is not defined, 37064562Sgshapiro then SMTP_MAILER_FLAGS is used. 37138032SpeterSMTP_MAILER_MAX [undefined] The maximum size of messages that will 37264562Sgshapiro be transported using the smtp, smtp8, esmtp, or dsmtp 37338032Speter mailers. 37464562SgshapiroSMTP_MAILER_MAXMSGS [undefined] If defined, the maximum number of 37564562Sgshapiro messages to deliver in a single connection for the 37664562Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 37794334SgshapiroSMTP_MAILER_MAXRCPTS [undefined] If defined, the maximum number of 37894334Sgshapiro recipients to deliver in a single connection for the 37994334Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 38066494SgshapiroSMTP_MAILER_ARGS [TCP $h] The arguments passed to the smtp mailer. 38138032Speter About the only reason you would want to change this 38238032Speter would be to change the default port. 38366494SgshapiroESMTP_MAILER_ARGS [TCP $h] The arguments passed to the esmtp mailer. 38466494SgshapiroSMTP8_MAILER_ARGS [TCP $h] The arguments passed to the smtp8 mailer. 38566494SgshapiroDSMTP_MAILER_ARGS [TCP $h] The arguments passed to the dsmtp mailer. 38666494SgshapiroRELAY_MAILER_ARGS [TCP $h] The arguments passed to the relay mailer. 38790792SgshapiroSMTP_MAILER_QGRP [undefined] The queue group for the smtp mailer. 38890792SgshapiroESMTP_MAILER_QGRP [undefined] The queue group for the esmtp mailer. 38990792SgshapiroSMTP8_MAILER_QGRP [undefined] The queue group for the smtp8 mailer. 39090792SgshapiroDSMTP_MAILER_QGRP [undefined] The queue group for the dsmtp mailer. 39190792SgshapiroRELAY_MAILER_QGRP [undefined] The queue group for the relay mailer. 39264562SgshapiroRELAY_MAILER_MAXMSGS [undefined] If defined, the maximum number of 39364562Sgshapiro messages to deliver in a single connection for the 39464562Sgshapiro relay mailer. 39538032SpeterSMTP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 39638032Speter that ARRIVE from an address that resolves to one of 39738032Speter the SMTP mailers and which are converted to MIME will 39838032Speter be labeled with this character set. 39938032SpeterUUCP_MAILER_PATH [/usr/bin/uux] The program used to send UUCP mail. 40038032SpeterUUCP_MAILER_FLAGS [undefined] Flags added to UUCP mailer. Default 40138032Speter flags are `DFMhuU' (and `m' for uucp-new mailer, 40238032Speter minus `U' for uucp-dom mailer). 40338032SpeterUUCP_MAILER_ARGS [uux - -r -z -a$g -gC $h!rmail ($u)] The arguments 40438032Speter passed to the UUCP mailer. 40538032SpeterUUCP_MAILER_MAX [100000] The maximum size message accepted for 40638032Speter transmission by the UUCP mailers. 40738032SpeterUUCP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 40838032Speter that ARRIVE from an address that resolves to one of 40938032Speter the UUCP mailers and which are converted to MIME will 41038032Speter be labeled with this character set. 41190792SgshapiroUUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers. 41238032SpeterFAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to 41338032Speter submit FAX messages. 41438032SpeterFAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX 41538032Speter mailer. 41638032SpeterFAX_MAILER_MAX [100000] The maximum size message accepted for 41738032Speter transmission by FAX. 41838032SpeterPOP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer. 41964562SgshapiroPOP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq 42038032Speter are always added. 42138032SpeterPOP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer. 42290792SgshapiroPOP_MAILER_QGRP [undefined] The queue group for the pop mailer. 42338032SpeterPROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail 42443730Speter program. This is also used by 42543730Speter FEATURE(`local_procmail'). 42638032SpeterPROCMAIL_MAILER_FLAGS [SPhnu9] Flags added to Procmail mailer. Flags 42764562Sgshapiro DFM are always set. This is NOT used by 42843730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_FLAGS 42938032Speter instead. 43038032SpeterPROCMAIL_MAILER_ARGS [procmail -Y -m $h $f $u] The arguments passed to 43138032Speter the Procmail mailer. This is NOT used by 43243730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_ARGS 43338032Speter instead. 43438032SpeterPROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that 43538032Speter will be accepted by the procmail mailer. 43690792SgshapiroPROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer. 43738032SpeterMAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer. 43838032SpeterMAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer. 43938032SpeterMAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11 44038032Speter mailer. 44190792SgshapiroMAIL11_MAILER_QGRP [undefined] The queue group for the mail11 mailer. 44238032SpeterPH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery 44338032Speter program. 44464562SgshapiroPH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM 44564562Sgshapiro are always set. 44638032SpeterPH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer. 44790792SgshapiroPH_MAILER_QGRP [undefined] The queue group for the ph mailer. 44864562SgshapiroCYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The 44938032Speter flags lsDFMnPq are always included. 45038032SpeterCYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver 45138032Speter cyrus mail. 45238032SpeterCYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed 45338032Speter to deliver cyrus mail. 45438032SpeterCYRUS_MAILER_MAX [undefined] If set, the maximum size message that 45538032Speter will be accepted by the cyrus mailer. 45638032SpeterCYRUS_MAILER_USER [cyrus:mail] The user and group to become when 45738032Speter running the cyrus mailer. 45890792SgshapiroCYRUS_MAILER_QGRP [undefined] The queue group for the cyrus mailer. 45964562SgshapiroCYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer. 46064562Sgshapiro The flags lsDFMnP are always included. 46138032SpeterCYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed 46238032Speter to deliver cyrusbb mail. 46398121SgshapiroCYRUSV2_MAILER_FLAGS [A@/:|m] The flags used by the cyrusv2 mailer. The 46498121Sgshapiro flags lsDFMnqXz are always included. 46598121SgshapiroCYRUSV2_MAILER_MAXMSGS [undefined] If defined, the maximum number of 46698121Sgshapiro messages to deliver in a single connection for the 46798121Sgshapiro cyrusv2 mailer. 46898121SgshapiroCYRUSV2_MAILER_MAXRCPTS [undefined] If defined, the maximum number of 46998121Sgshapiro recipients to deliver in a single connection for the 47098121Sgshapiro cyrusv2 mailer. 47198121SgshapiroCYRUSV2_MAILER_ARGS [FILE /var/imap/socket/lmtp] The arguments passed 47298121Sgshapiro to the cyrusv2 mailer. This can be used to 47398121Sgshapiro change the name of the Unix domain socket, or 47498121Sgshapiro to switch to delivery via TCP (e.g., `TCP $h lmtp') 47598121SgshapiroCYRUSV2_MAILER_QGRP [undefined] The queue group for the cyrusv2 mailer. 476110560SgshapiroCYRUSV2_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 477110560Sgshapiro that ARRIVE from an address that resolves to one the 478110560Sgshapiro Cyrus mailer and which are converted to MIME will 479110560Sgshapiro be labeled with this character set. 48038032SpeterconfEBINDIR [/usr/libexec] The directory for executables. 48143730Speter Currently used for FEATURE(`local_lmtp') and 48243730Speter FEATURE(`smrsh'). 48364562SgshapiroQPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer. 48464562SgshapiroQPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver 48564562Sgshapiro qpage mail. 48664562SgshapiroQPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed 48764562Sgshapiro to deliver qpage mail. 48864562SgshapiroQPAGE_MAILER_MAX [4096] If set, the maximum size message that 48964562Sgshapiro will be accepted by the qpage mailer. 49090792SgshapiroQPAGE_MAILER_QGRP [undefined] The queue group for the qpage mailer. 49190792SgshapiroLOCAL_PROG_QGRP [undefined] The queue group for the prog mailer. 49238032Speter 49364562SgshapiroNote: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: 49464562SgshapiroMODIFY_MAILER_FLAGS(`Name', `change') where Name is the first part of 49564562Sgshapirothe macro Name_MAILER_FLAGS and change can be: flags that should 49664562Sgshapirobe used directly (thus overriding the default value), or if it 49764562Sgshapirostarts with `+' (`-') then those flags are added to (removed from) 49864562Sgshapirothe default value. Example: 49938032Speter 50064562Sgshapiro MODIFY_MAILER_FLAGS(`LOCAL', `+e') 50138032Speter 50290792Sgshapirowill add the flag `e' to LOCAL_MAILER_FLAGS. Notice: there are 50390792Sgshapiroseveral smtp mailers all of which are manipulated individually. 50490792SgshapiroSee the section MAILERS for the available mailer names. 50564562SgshapiroWARNING: The FEATUREs local_lmtp and local_procmail set LOCAL_MAILER_FLAGS 50664562Sgshapirounconditionally, i.e., without respecting any definitions in an 50764562SgshapiroOSTYPE setting. 50864562Sgshapiro 50964562Sgshapiro 51038032Speter+---------+ 51138032Speter| DOMAINS | 51238032Speter+---------+ 51338032Speter 51438032SpeterYou will probably want to collect domain-dependent defines into one 51564562Sgshapirofile, referenced by the DOMAIN macro. For example, the Berkeley 51638032Speterdomain file includes definitions for several internal distinguished 51738032Speterhosts: 51838032Speter 51938032SpeterUUCP_RELAY The host that will accept UUCP-addressed email. 52038032Speter If not defined, all UUCP sites must be directly 52138032Speter connected. 52238032SpeterBITNET_RELAY The host that will accept BITNET-addressed email. 52338032Speter If not defined, the .BITNET pseudo-domain won't work. 52438032SpeterDECNET_RELAY The host that will accept DECNET-addressed email. 52538032Speter If not defined, the .DECNET pseudo-domain and addresses 52638032Speter of the form node::user will not work. 52738032SpeterFAX_RELAY The host that will accept mail to the .FAX pseudo-domain. 52838032Speter The "fax" mailer overrides this value. 52971345SgshapiroLOCAL_RELAY The site that will handle unqualified names -- that 53082017Sgshapiro is, names without an @domain extension. 53171345Sgshapiro Normally MAIL_HUB is preferred for this function. 53271345Sgshapiro LOCAL_RELAY is mostly useful in conjunction with 53390792Sgshapiro FEATURE(`stickyhost') -- see the discussion of 53471345Sgshapiro stickyhost below. If not set, they are assumed to 53571345Sgshapiro belong on this machine. This allows you to have a 53671345Sgshapiro central site to store a company- or department-wide 53771345Sgshapiro alias database. This only works at small sites, 53871345Sgshapiro and only with some user agents. 53938032SpeterLUSER_RELAY The site that will handle lusers -- that is, apparently 54064562Sgshapiro local names that aren't local accounts or aliases. To 54164562Sgshapiro specify a local user instead of a site, set this to 54264562Sgshapiro ``local:username''. 54338032Speter 54438032SpeterAny of these can be either ``mailer:hostname'' (in which case the 54538032Spetermailer is the internal mailer name, such as ``uucp-new'' and the hostname 54638032Speteris the name of the host as appropriate for that mailer) or just a 54738032Speter``hostname'', in which case a default mailer type (usually ``relay'', 54838032Spetera variant on SMTP) is used. WARNING: if you have a wildcard MX 54938032Speterrecord matching your domain, you probably want to define these to 55038032Speterhave a trailing dot so that you won't get the mail diverted back 55138032Speterto yourself. 55238032Speter 55338032SpeterThe domain file can also be used to define a domain name, if needed 55438032Speter(using "DD<domain>") and set certain site-wide features. If all hosts 55538032Speterat your site masquerade behind one email name, you could also use 55638032SpeterMASQUERADE_AS here. 55738032Speter 55838032SpeterYou do not have to define a domain -- in particular, if you are a 55938032Spetersingle machine sitting off somewhere, it is probably more work than 56038032Speterit's worth. This is just a mechanism for combining "domain dependent 56138032Speterknowledge" into one place. 56238032Speter 56390792Sgshapiro 56438032Speter+---------+ 56538032Speter| MAILERS | 56638032Speter+---------+ 56738032Speter 56838032SpeterThere are fewer mailers supported in this version than the previous 56938032Speterversion, owing mostly to a simpler world. As a general rule, put the 57090792SgshapiroMAILER definitions last in your .mc file. 57138032Speter 57238032Speterlocal The local and prog mailers. You will almost always 57338032Speter need these; the only exception is if you relay ALL 57438032Speter your mail to another site. This mailer is included 57538032Speter automatically. 57638032Speter 57738032Spetersmtp The Simple Mail Transport Protocol mailer. This does 57838032Speter not hide hosts behind a gateway or another other 57938032Speter such hack; it assumes a world where everyone is 58038032Speter running the name server. This file actually defines 58164562Sgshapiro five mailers: "smtp" for regular (old-style) SMTP to 58238032Speter other servers, "esmtp" for extended SMTP to other 58338032Speter servers, "smtp8" to do SMTP to other servers without 58438032Speter converting 8-bit data to MIME (essentially, this is 58538032Speter your statement that you know the other end is 8-bit 58664562Sgshapiro clean even if it doesn't say so), "dsmtp" to do on 58764562Sgshapiro demand delivery, and "relay" for transmission to the 58864562Sgshapiro RELAY_HOST, LUSER_RELAY, or MAIL_HUB. 58938032Speter 59066494Sgshapirouucp The UNIX-to-UNIX Copy Program mailer. Actually, this 59138032Speter defines two mailers, "uucp-old" (a.k.a. "uucp") and 59238032Speter "uucp-new" (a.k.a. "suucp"). The latter is for when you 59338032Speter know that the UUCP mailer at the other end can handle 59438032Speter multiple recipients in one transfer. If the smtp mailer 59590792Sgshapiro is included in your configuration, two other mailers 59690792Sgshapiro ("uucp-dom" and "uucp-uudom") are also defined [warning: you 59790792Sgshapiro MUST specify MAILER(`smtp') before MAILER(`uucp')]. When you 59838032Speter include the uucp mailer, sendmail looks for all names in 59964562Sgshapiro class {U} and sends them to the uucp-old mailer; all 60064562Sgshapiro names in class {Y} are sent to uucp-new; and all 60164562Sgshapiro names in class {Z} are sent to uucp-uudom. Note that 60238032Speter this is a function of what version of rmail runs on 60338032Speter the receiving end, and hence may be out of your control. 60438032Speter See the section below describing UUCP mailers in more 60538032Speter detail. 60638032Speter 60738032Speterusenet Usenet (network news) delivery. If this is specified, 60838032Speter an extra rule is added to ruleset 0 that forwards all 60938032Speter local email for users named ``group.usenet'' to the 61038032Speter ``inews'' program. Note that this works for all groups, 61138032Speter and may be considered a security problem. 61238032Speter 61338032Speterfax Facsimile transmission. This is experimental and based 61438032Speter on Sam Leffler's HylaFAX software. For more information, 61571345Sgshapiro see http://www.hylafax.org/. 61638032Speter 61738032Speterpop Post Office Protocol. 61838032Speter 61938032Speterprocmail An interface to procmail (does not come with sendmail). 62038032Speter This is designed to be used in mailertables. For example, 62138032Speter a common question is "how do I forward all mail for a given 62238032Speter domain to a single person?". If you have this mailer 62338032Speter defined, you could set up a mailertable reading: 62438032Speter 62538032Speter host.com procmail:/etc/procmailrcs/host.com 62638032Speter 62738032Speter with the file /etc/procmailrcs/host.com reading: 62838032Speter 62938032Speter :0 # forward mail for host.com 63038032Speter ! -oi -f $1 person@other.host 63138032Speter 63238032Speter This would arrange for (anything)@host.com to be sent 633111823Sgshapiro to person@other.host. In a procmail script, $1 is the 634111823Sgshapiro name of the sender and $2 is the name of the recipient. 63543730Speter If you use this with FEATURE(`local_procmail'), the FEATURE 63638032Speter should be listed first. 63738032Speter 63890792Sgshapiro Of course there are other ways to solve this particular 63990792Sgshapiro problem, e.g., a catch-all entry in a virtusertable. 64090792Sgshapiro 64138032Spetermail11 The DECnet mail11 mailer, useful only if you have the mail11 64238032Speter program from gatekeeper.dec.com:/pub/DEC/gwtools (and 64338032Speter DECnet, of course). This is for Phase IV DECnet support; 64438032Speter if you have Phase V at your site you may have additional 64538032Speter problems. 64638032Speter 64738032Speterphquery The phquery program. This is somewhat counterintuitively 64838032Speter referenced as the "ph" mailer internally. It can be used 64938032Speter to do CCSO name server lookups. The phquery program, which 65038032Speter this mailer uses, is distributed with the ph client. 65138032Speter 65238032Spetercyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to 65338032Speter a local cyrus user. this mailer can make use of the 65490792Sgshapiro "user+detail@local.host" syntax (see 65590792Sgshapiro FEATURE(`preserve_local_plus_detail')); it will deliver the 65690792Sgshapiro mail to the user's "detail" mailbox if the mailbox's ACL 65790792Sgshapiro permits. The cyrusbb mailer delivers to a system-wide 65890792Sgshapiro cyrus mailbox if the mailbox's ACL permits. The cyrus 65990792Sgshapiro mailer must be defined after the local mailer. 66038032Speter 66198121Sgshapirocyrusv2 The mailer for Cyrus v2.x. The cyrusv2 mailer delivers to 66298121Sgshapiro local cyrus users via LMTP. This mailer can make use of the 66398121Sgshapiro "user+detail@local.host" syntax (see 66498121Sgshapiro FEATURE(`preserve_local_plus_detail')); it will deliver the 66598121Sgshapiro mail to the user's "detail" mailbox if the mailbox's ACL 66698121Sgshapiro permits. The cyrusv2 mailer must be defined after the 66798121Sgshapiro local mailer. 66898121Sgshapiro 66964562Sgshapiroqpage A mailer for QuickPage, a pager interface. See 67064562Sgshapiro http://www.qpage.org/ for further information. 67138032Speter 67238032SpeterThe local mailer accepts addresses of the form "user+detail", where 67338032Speterthe "+detail" is not used for mailbox matching but is available 67443730Speterto certain local mail programs (in particular, see 67543730SpeterFEATURE(`local_procmail')). For example, "eric", "eric+sendmail", and 67643730Speter"eric+sww" all indicate the same user, but additional arguments <null>, 67743730Speter"sendmail", and "sww" may be provided for use in sorting mail. 67838032Speter 67938032Speter 68038032Speter+----------+ 68138032Speter| FEATURES | 68238032Speter+----------+ 68338032Speter 68438032SpeterSpecial features can be requested using the "FEATURE" macro. For 68538032Speterexample, the .mc line: 68638032Speter 68743730Speter FEATURE(`use_cw_file') 68838032Speter 68964562Sgshapirotells sendmail that you want to have it read an /etc/mail/local-host-names 69090792Sgshapirofile to get values for class {w}. A FEATURE may contain up to 9 69164562Sgshapirooptional parameters -- for example: 69238032Speter 69343730Speter FEATURE(`mailertable', `dbm /usr/lib/mailertable') 69438032Speter 69538032SpeterThe default database map type for the table features can be set with 69664562Sgshapiro 69738032Speter define(`DATABASE_MAP_TYPE', `dbm') 69838032Speter 69938032Speterwhich would set it to use ndbm databases. The default is the Berkeley DB 70038032Speterhash database format. Note that you must still declare a database map type 70138032Speterif you specify an argument to a FEATURE. DATABASE_MAP_TYPE is only used 70264562Sgshapiroif no argument is given for the FEATURE. It must be specified before any 70364562Sgshapirofeature that uses a map. 70438032Speter 70590792SgshapiroAlso, features which can take a map definition as an argument can also take 70690792Sgshapirothe special keyword `LDAP'. If that keyword is used, the map will use the 70790792SgshapiroLDAP definition described in the ``USING LDAP FOR ALIASES, MAPS, AND 70890792SgshapiroCLASSES'' section below. 70990792Sgshapiro 71038032SpeterAvailable features are: 71138032Speter 71264562Sgshapirouse_cw_file Read the file /etc/mail/local-host-names file to get 71364562Sgshapiro alternate names for this host. This might be used if you 71464562Sgshapiro were on a host that MXed for a dynamic set of other hosts. 71564562Sgshapiro If the set is static, just including the line "Cw<name1> 71664562Sgshapiro <name2> ..." (where the names are fully qualified domain 71764562Sgshapiro names) is probably superior. The actual filename can be 71864562Sgshapiro overridden by redefining confCW_FILE. 71938032Speter 72064562Sgshapirouse_ct_file Read the file /etc/mail/trusted-users file to get the 72164562Sgshapiro names of users that will be ``trusted'', that is, able to 72264562Sgshapiro set their envelope from address using -f without generating 72364562Sgshapiro a warning message. The actual filename can be overridden 72464562Sgshapiro by redefining confCT_FILE. 72538032Speter 72638032Speterredirect Reject all mail addressed to "address.REDIRECT" with 72764562Sgshapiro a ``551 User has moved; please try <address>'' message. 72838032Speter If this is set, you can alias people who have left 72938032Speter to their new address with ".REDIRECT" appended. 73038032Speter 73164562Sgshapironouucp Don't route UUCP addresses. This feature takes one 73264562Sgshapiro parameter: 73364562Sgshapiro `reject': reject addresses which have "!" in the local 73464562Sgshapiro part unless it originates from a system 73564562Sgshapiro that is allowed to relay. 73664562Sgshapiro `nospecial': don't do anything special with "!". 73790792Sgshapiro Warnings: 1. See the notice in the anti-spam section. 73864562Sgshapiro 2. don't remove "!" from OperatorChars if `reject' is 73964562Sgshapiro given as parameter. 74038032Speter 74164562Sgshapironocanonify Don't pass addresses to $[ ... $] for canonification 74271345Sgshapiro by default, i.e., host/domain names are considered canonical, 74371345Sgshapiro except for unqualified names, which must not be used in this 74471345Sgshapiro mode (violation of the standard). It can be changed by 74571345Sgshapiro setting the DaemonPortOptions modifiers (M=). That is, 74664562Sgshapiro FEATURE(`nocanonify') will be overridden by setting the 74764562Sgshapiro 'c' flag. Conversely, if FEATURE(`nocanonify') is not used, 74864562Sgshapiro it can be emulated by setting the 'C' flag 74964562Sgshapiro (DaemonPortOptions=Modifiers=C). This would generally only 75064562Sgshapiro be used by sites that only act as mail gateways or which have 75164562Sgshapiro user agents that do full canonification themselves. You may 75264562Sgshapiro also want to use 75364562Sgshapiro "define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')" to turn off 75464562Sgshapiro the usual resolver options that do a similar thing. 75538032Speter 75664562Sgshapiro An exception list for FEATURE(`nocanonify') can be 75764562Sgshapiro specified with CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, 75864562Sgshapiro i.e., a list of domains which are nevertheless passed to 75964562Sgshapiro $[ ... $] for canonification. This is useful to turn on 76064562Sgshapiro canonification for local domains, e.g., use 76164562Sgshapiro CANONIFY_DOMAIN(`my.domain my') to canonify addresses 76264562Sgshapiro which end in "my.domain" or "my". 76364562Sgshapiro Another way to require canonification in the local 76464562Sgshapiro domain is CANONIFY_DOMAIN(`$=m'). 76564562Sgshapiro 76664562Sgshapiro A trailing dot is added to addresses with more than 76764562Sgshapiro one component in it such that other features which 76864562Sgshapiro expect a trailing dot (e.g., virtusertable) will 76964562Sgshapiro still work. 77064562Sgshapiro 77164562Sgshapiro If `canonify_hosts' is specified as parameter, i.e., 77264562Sgshapiro FEATURE(`nocanonify', `canonify_hosts'), then 77364562Sgshapiro addresses which have only a hostname, e.g., 77464562Sgshapiro <user@host>, will be canonified (and hopefully fully 77564562Sgshapiro qualified), too. 77664562Sgshapiro 77771345Sgshapirostickyhost This feature is sometimes used with LOCAL_RELAY, 77871345Sgshapiro although it can be used for a different effect with 77971345Sgshapiro MAIL_HUB. 78038032Speter 78173188Sgshapiro When used without MAIL_HUB, email sent to 78271345Sgshapiro "user@local.host" are marked as "sticky" -- that 78371345Sgshapiro is, the local addresses aren't matched against UDB, 78471345Sgshapiro don't go through ruleset 5, and are not forwarded to 78571345Sgshapiro the LOCAL_RELAY (if defined). 78671345Sgshapiro 78771345Sgshapiro With MAIL_HUB, mail addressed to "user@local.host" 78871345Sgshapiro is forwarded to the mail hub, with the envelope 78971345Sgshapiro address still remaining "user@local.host". 79071345Sgshapiro Without stickyhost, the envelope would be changed 79171345Sgshapiro to "user@mail_hub", in order to protect against 79271345Sgshapiro mailing loops. 79371345Sgshapiro 79438032Spetermailertable Include a "mailer table" which can be used to override 79564562Sgshapiro routing for particular domains (which are not in class {w}, 79664562Sgshapiro i.e. local host names). The argument of the FEATURE may be 79764562Sgshapiro the key definition. If none is specified, the definition 79864562Sgshapiro used is: 79943730Speter 80064562Sgshapiro hash /etc/mail/mailertable 80143730Speter 80238032Speter Keys in this database are fully qualified domain names 80338032Speter or partial domains preceded by a dot -- for example, 80464562Sgshapiro "vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". As a 80564562Sgshapiro special case of the latter, "." matches any domain not 80664562Sgshapiro covered by other keys. Values must be of the form: 80738032Speter mailer:domain 80838032Speter where "mailer" is the internal mailer name, and "domain" 80938032Speter is where to send the message. These maps are not 81038032Speter reflected into the message header. As a special case, 81138032Speter the forms: 81238032Speter local:user 81338032Speter will forward to the indicated user using the local mailer, 81438032Speter local: 81538032Speter will forward to the original user in the e-mail address 81638032Speter using the local mailer, and 81738032Speter error:code message 81864562Sgshapiro error:D.S.N:code message 81964562Sgshapiro will give an error message with the indicated SMTP reply 82064562Sgshapiro code and message, where D.S.N is an RFC 1893 compliant 82164562Sgshapiro error code. 82238032Speter 82338032Speterdomaintable Include a "domain table" which can be used to provide 82438032Speter domain name mapping. Use of this should really be 82538032Speter limited to your own domains. It may be useful if you 82638032Speter change names (e.g., your company changes names from 82738032Speter oldname.com to newname.com). The argument of the 82838032Speter FEATURE may be the key definition. If none is specified, 82938032Speter the definition used is: 83043730Speter 83164562Sgshapiro hash /etc/mail/domaintable 83243730Speter 83338032Speter The key in this table is the domain name; the value is 83438032Speter the new (fully qualified) domain. Anything in the 83538032Speter domaintable is reflected into headers; that is, this 83638032Speter is done in ruleset 3. 83738032Speter 83838032Speterbitdomain Look up bitnet hosts in a table to try to turn them into 83938032Speter internet addresses. The table can be built using the 84038032Speter bitdomain program contributed by John Gardiner Myers. 84138032Speter The argument of the FEATURE may be the key definition; if 84238032Speter none is specified, the definition used is: 84343730Speter 84464562Sgshapiro hash /etc/mail/bitdomain 84543730Speter 84638032Speter Keys are the bitnet hostname; values are the corresponding 84738032Speter internet hostname. 84838032Speter 84938032Speteruucpdomain Similar feature for UUCP hosts. The default map definition 85038032Speter is: 85143730Speter 85264562Sgshapiro hash /etc/mail/uudomain 85343730Speter 85438032Speter At the moment there is no automagic tool to build this 85538032Speter database. 85638032Speter 85738032Speteralways_add_domain 85838032Speter Include the local host domain even on locally delivered 85938032Speter mail. Normally it is not added on unqualified names. 86038032Speter However, if you use a shared message store but do not use 86138032Speter the same user name space everywhere, you may need the host 86290792Sgshapiro name on local names. An optional argument specifies 86390792Sgshapiro another domain to be added than the local. 86438032Speter 86538032Speterallmasquerade If masquerading is enabled (using MASQUERADE_AS), this 86638032Speter feature will cause recipient addresses to also masquerade 86738032Speter as being from the masquerade host. Normally they get 86838032Speter the local hostname. Although this may be right for 86938032Speter ordinary users, it can break local aliases. For example, 87038032Speter if you send to "localalias", the originating sendmail will 87138032Speter find that alias and send to all members, but send the 87238032Speter message with "To: localalias@masqueradehost". Since that 87338032Speter alias likely does not exist, replies will fail. Use this 87438032Speter feature ONLY if you can guarantee that the ENTIRE 87538032Speter namespace on your masquerade host supersets all the 87638032Speter local entries. 87738032Speter 87838032Speterlimited_masquerade 87964562Sgshapiro Normally, any hosts listed in class {w} are masqueraded. If 88064562Sgshapiro this feature is given, only the hosts listed in class {M} (see 88164562Sgshapiro below: MASQUERADE_DOMAIN) are masqueraded. This is useful 88264562Sgshapiro if you have several domains with disjoint namespaces hosted 88364562Sgshapiro on the same machine. 88438032Speter 88538032Spetermasquerade_entire_domain 88664562Sgshapiro If masquerading is enabled (using MASQUERADE_AS) and 88738032Speter MASQUERADE_DOMAIN (see below) is set, this feature will 88838032Speter cause addresses to be rewritten such that the masquerading 88938032Speter domains are actually entire domains to be hidden. All 89038032Speter hosts within the masquerading domains will be rewritten 89138032Speter to the masquerade name (used in MASQUERADE_AS). For example, 89238032Speter if you have: 89338032Speter 89464562Sgshapiro MASQUERADE_AS(`masq.com') 89564562Sgshapiro MASQUERADE_DOMAIN(`foo.org') 89664562Sgshapiro MASQUERADE_DOMAIN(`bar.com') 89738032Speter 89838032Speter then *foo.org and *bar.com are converted to masq.com. Without 89938032Speter this feature, only foo.org and bar.com are masqueraded. 90038032Speter 90138032Speter NOTE: only domains within your jurisdiction and 90238032Speter current hierarchy should be masqueraded using this. 90338032Speter 90490792Sgshapirolocal_no_masquerade 90590792Sgshapiro This feature prevents the local mailer from masquerading even 90690792Sgshapiro if MASQUERADE_AS is used. MASQUERADE_AS will only have effect 90790792Sgshapiro on addresses of mail going outside the local domain. 90890792Sgshapiro 909110560Sgshapiromasquerade_envelope 910110560Sgshapiro If masquerading is enabled (using MASQUERADE_AS) or the 911110560Sgshapiro genericstable is in use, this feature will cause envelope 912110560Sgshapiro addresses to also masquerade as being from the masquerade 913110560Sgshapiro host. Normally only the header addresses are masqueraded. 914110560Sgshapiro 91564562Sgshapirogenericstable This feature will cause unqualified addresses (i.e., without 91664562Sgshapiro a domain) and addresses with a domain listed in class {G} 91764562Sgshapiro to be looked up in a map and turned into another ("generic") 91864562Sgshapiro form, which can change both the domain name and the user name. 91990792Sgshapiro Notice: if you use an MSP (as it is default starting with 92090792Sgshapiro 8.12), the MTA will only receive qualified addresses from the 92190792Sgshapiro MSP (as required by the RFCs). Hence you need to add your 92290792Sgshapiro domain to class {G}. This feature is similar to the userdb 92390792Sgshapiro functionality. The same types of addresses as for 92490792Sgshapiro masquerading are looked up, i.e., only header sender 92590792Sgshapiro addresses unless the allmasquerade and/or masquerade_envelope 92690792Sgshapiro features are given. Qualified addresses must have the domain 92790792Sgshapiro part in class {G}; entries can be added to this class by the 92890792Sgshapiro macros GENERICS_DOMAIN or GENERICS_DOMAIN_FILE (analogously 92990792Sgshapiro to MASQUERADE_DOMAIN and MASQUERADE_DOMAIN_FILE, see below). 93038032Speter 93143730Speter The argument of FEATURE(`genericstable') may be the map 93238032Speter definition; the default map definition is: 93338032Speter 93464562Sgshapiro hash /etc/mail/genericstable 93538032Speter 93664562Sgshapiro The key for this table is either the full address, the domain 93764562Sgshapiro (with a leading @; the localpart is passed as first argument) 93864562Sgshapiro or the unqualified username (tried in the order mentioned); 93964562Sgshapiro the value is the new user address. If the new user address 94064562Sgshapiro does not include a domain, it will be qualified in the standard 94164562Sgshapiro manner, i.e., using $j or the masquerade name. Note that the 94238032Speter address being looked up must be fully qualified. For local 94343730Speter mail, it is necessary to use FEATURE(`always_add_domain') 94443730Speter for the addresses to be qualified. 94564562Sgshapiro The "+detail" of an address is passed as %1, so entries like 94638032Speter 94764562Sgshapiro old+*@foo.org new+%1@example.com 94864562Sgshapiro gen+*@foo.org %1@example.com 94964562Sgshapiro 95064562Sgshapiro and other forms are possible. 95164562Sgshapiro 95264562Sgshapirogenerics_entire_domain 95364562Sgshapiro If the genericstable is enabled and GENERICS_DOMAIN or 95464562Sgshapiro GENERICS_DOMAIN_FILE is used, this feature will cause 95564562Sgshapiro addresses to be searched in the map if their domain 95664562Sgshapiro parts are subdomains of elements in class {G}. 95764562Sgshapiro 95838032Spetervirtusertable A domain-specific form of aliasing, allowing multiple 95938032Speter virtual domains to be hosted on one machine. For example, 96038032Speter if the virtuser table contained: 96138032Speter 96238032Speter info@foo.com foo-info 96338032Speter info@bar.com bar-info 96490792Sgshapiro joe@bar.com error:nouser 550 No such user here 96590792Sgshapiro jax@bar.com error:5.7.0:550 Address invalid 96664562Sgshapiro @baz.org jane@example.net 96738032Speter 96838032Speter then mail addressed to info@foo.com will be sent to the 96938032Speter address foo-info, mail addressed to info@bar.com will be 97064562Sgshapiro delivered to bar-info, and mail addressed to anyone at baz.org 97164562Sgshapiro will be sent to jane@example.net, mail to joe@bar.com will 97264562Sgshapiro be rejected with the specified error message, and mail to 97364562Sgshapiro jax@bar.com will also have a RFC 1893 compliant error code 97490792Sgshapiro 5.7.0. 97538032Speter 97664562Sgshapiro The username from the original address is passed 97764562Sgshapiro as %1 allowing: 97838032Speter 97964562Sgshapiro @foo.org %1@example.com 98038032Speter 98164562Sgshapiro meaning someone@foo.org will be sent to someone@example.com. 98264562Sgshapiro Additionally, if the local part consists of "user+detail" 98390792Sgshapiro then "detail" is passed as %2 and "+detail" is passed as %3 98490792Sgshapiro when a match against user+* is attempted, so entries like 98564562Sgshapiro 98664562Sgshapiro old+*@foo.org new+%2@example.com 98764562Sgshapiro gen+*@foo.org %2@example.com 98890792Sgshapiro +*@foo.org %1%3@example.com 98990792Sgshapiro X++@foo.org Z%3@example.com 99090792Sgshapiro @bar.org %1%3 99164562Sgshapiro 99264562Sgshapiro and other forms are possible. Note: to preserve "+detail" 99390792Sgshapiro for a default case (@domain) %1%3 must be used as RHS. 99490792Sgshapiro There are two wildcards after "+": "+" matches only a non-empty 99590792Sgshapiro detail, "*" matches also empty details, e.g., user+@foo.org 99690792Sgshapiro matches +*@foo.org but not ++@foo.org. This can be used 99790792Sgshapiro to ensure that the parameters %2 and %3 are not empty. 99864562Sgshapiro 99938032Speter All the host names on the left hand side (foo.com, bar.com, 100090792Sgshapiro and baz.org) must be in class {w} or class {VirtHost}. The 100164562Sgshapiro latter can be defined by the macros VIRTUSER_DOMAIN or 100264562Sgshapiro VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 100364562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or 100464562Sgshapiro VIRTUSER_DOMAIN_FILE is used, then the entries of class 100564562Sgshapiro {VirtHost} are added to class {R}, i.e., relaying is allowed 100664562Sgshapiro to (and from) those domains. The default map definition is: 100738032Speter 100864562Sgshapiro hash /etc/mail/virtusertable 100938032Speter 101038032Speter A new definition can be specified as the second argument of 101138032Speter the FEATURE macro, such as 101238032Speter 101364562Sgshapiro FEATURE(`virtusertable', `dbm /etc/mail/virtusers') 101438032Speter 101564562Sgshapirovirtuser_entire_domain 101664562Sgshapiro If the virtusertable is enabled and VIRTUSER_DOMAIN or 101764562Sgshapiro VIRTUSER_DOMAIN_FILE is used, this feature will cause 101864562Sgshapiro addresses to be searched in the map if their domain 101964562Sgshapiro parts are subdomains of elements in class {VirtHost}. 102064562Sgshapiro 102164562Sgshapiroldap_routing Implement LDAP-based e-mail recipient routing according to 102264562Sgshapiro the Internet Draft draft-lachman-laser-ldap-mail-routing-01. 102364562Sgshapiro This provides a method to re-route addresses with a 102464562Sgshapiro domain portion in class {LDAPRoute} to either a 102564562Sgshapiro different mail host or a different address. Hosts can 102664562Sgshapiro be added to this class using LDAPROUTE_DOMAIN and 102764562Sgshapiro LDAPROUTE_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 102864562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 102964562Sgshapiro 103064562Sgshapiro See the LDAP ROUTING section below for more information. 103164562Sgshapiro 103264562Sgshapironodns If you aren't running DNS at your site (for example, 103364562Sgshapiro you are UUCP-only connected). It's hard to consider 103438032Speter this a "feature", but hey, it had to go somewhere. 103538032Speter Actually, as of 8.7 this is a no-op -- remove "dns" from 103638032Speter the hosts service switch entry instead. 103738032Speter 103864562Sgshapironullclient This is a special case -- it creates a configuration file 103964562Sgshapiro containing nothing but support for forwarding all mail to a 104064562Sgshapiro central hub via a local SMTP-based network. The argument 104164562Sgshapiro is the name of that hub. 104264562Sgshapiro 104338032Speter The only other feature that should be used in conjunction 104464562Sgshapiro with this one is FEATURE(`nocanonify'). No mailers 104538032Speter should be defined. No aliasing or forwarding is done. 104638032Speter 104738032Speterlocal_lmtp Use an LMTP capable local mailer. The argument to this 104838032Speter feature is the pathname of an LMTP capable mailer. By 104938032Speter default, mail.local is used. This is expected to be the 105038032Speter mail.local which came with the 8.9 distribution which is 105138032Speter LMTP capable. The path to mail.local is set by the 105238032Speter confEBINDIR m4 variable -- making the default 105338032Speter LOCAL_MAILER_PATH /usr/libexec/mail.local. 105464562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 105564562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 105638032Speter 105764562Sgshapirolocal_procmail Use procmail or another delivery agent as the local mailer. 105864562Sgshapiro The argument to this feature is the pathname of the 105964562Sgshapiro delivery agent, which defaults to PROCMAIL_MAILER_PATH. 106064562Sgshapiro Note that this does NOT use PROCMAIL_MAILER_FLAGS or 106164562Sgshapiro PROCMAIL_MAILER_ARGS for the local mailer; tweak 106264562Sgshapiro LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS instead, or 106364562Sgshapiro specify the appropriate parameters. When procmail is used, 106464562Sgshapiro the local mailer can make use of the 106564562Sgshapiro "user+indicator@local.host" syntax; normally the +indicator 106664562Sgshapiro is just tossed, but by default it is passed as the -a 106764562Sgshapiro argument to procmail. 106838032Speter 106964562Sgshapiro This feature can take up to three arguments: 107064562Sgshapiro 107164562Sgshapiro 1. Path to the mailer program 107264562Sgshapiro [default: /usr/local/bin/procmail] 107364562Sgshapiro 2. Argument vector including name of the program 107464562Sgshapiro [default: procmail -Y -a $h -d $u] 107564562Sgshapiro 3. Flags for the mailer [default: SPfhn9] 107664562Sgshapiro 107764562Sgshapiro Empty arguments cause the defaults to be taken. 1078110560Sgshapiro Note that if you are on a system with a broken 1079110560Sgshapiro setreuid() call, you may need to add -f $f to the procmail 1080110560Sgshapiro argument vector to pass the proper sender to procmail. 108164562Sgshapiro 108264562Sgshapiro For example, this allows it to use the maildrop 108364562Sgshapiro (http://www.flounder.net/~mrsam/maildrop/) mailer instead 108464562Sgshapiro by specifying: 108564562Sgshapiro 108664562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/maildrop', 108764562Sgshapiro `maildrop -d $u') 108864562Sgshapiro 108964562Sgshapiro or scanmails using: 109064562Sgshapiro 109164562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/scanmails') 109264562Sgshapiro 109364562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 109464562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 109564562Sgshapiro 109638032Speterbestmx_is_local Accept mail as though locally addressed for any host that 109738032Speter lists us as the best possible MX record. This generates 109838032Speter additional DNS traffic, but should be OK for low to 109938032Speter medium traffic hosts. The argument may be a set of 110038032Speter domains, which will limit the feature to only apply to 110138032Speter these domains -- this will reduce unnecessary DNS 110238032Speter traffic. THIS FEATURE IS FUNDAMENTALLY INCOMPATIBLE WITH 110338032Speter WILDCARD MX RECORDS!!! If you have a wildcard MX record 110438032Speter that matches your domain, you cannot use this feature. 110538032Speter 110638032Spetersmrsh Use the SendMail Restricted SHell (smrsh) provided 110738032Speter with the distribution instead of /bin/sh for mailing 110838032Speter to programs. This improves the ability of the local 110938032Speter system administrator to control what gets run via 111038032Speter e-mail. If an argument is provided it is used as the 111138032Speter pathname to smrsh; otherwise, the path defined by 111238032Speter confEBINDIR is used for the smrsh binary -- by default, 111338032Speter /usr/libexec/smrsh is assumed. 111438032Speter 111538032Speterpromiscuous_relay 111638032Speter By default, the sendmail configuration files do not permit 111738032Speter mail relaying (that is, accepting mail from outside your 111864562Sgshapiro local host (class {w}) and sending it to another host than 111964562Sgshapiro your local host). This option sets your site to allow 112064562Sgshapiro mail relaying from any site to any site. In almost all 112164562Sgshapiro cases, it is better to control relaying more carefully 112264562Sgshapiro with the access map, class {R}, or authentication. Domains 112364562Sgshapiro can be added to class {R} by the macros RELAY_DOMAIN or 112464562Sgshapiro RELAY_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 112564562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 112638032Speter 112738032Speterrelay_entire_domain 112898121Sgshapiro This option allows any host in your domain as defined by 112998121Sgshapiro class {m} to use your server for relaying. Notice: make 113098121Sgshapiro sure that your domain is not just a top level domain, 113198121Sgshapiro e.g., com. This can happen if you give your host a name 113298121Sgshapiro like example.com instead of host.example.com. 113338032Speter 113438032Speterrelay_hosts_only 113538032Speter By default, names that are listed as RELAY in the access 113698121Sgshapiro db and class {R} are treated as domain names, not host names. 113738032Speter For example, if you specify ``foo.com'', then mail to or 113838032Speter from foo.com, abc.foo.com, or a.very.deep.domain.foo.com 113938032Speter will all be accepted for relaying. This feature changes 114038032Speter the behaviour to lookup individual host names only. 114138032Speter 114238032Speterrelay_based_on_MX 114338032Speter Turns on the ability to allow relaying based on the MX 114442575Speter records of the host portion of an incoming recipient; that 114542575Speter is, if an MX record for host foo.com points to your site, 114642575Speter you will accept and relay mail addressed to foo.com. See 114738032Speter description below for more information before using this 114842575Speter feature. Also, see the KNOWNBUGS entry regarding bestmx 114942575Speter map lookups. 115038032Speter 115143730Speter FEATURE(`relay_based_on_MX') does not necessarily allow 115242575Speter routing of these messages which you expect to be allowed, 115342575Speter if route address syntax (or %-hack syntax) is used. If 115442575Speter this is a problem, add entries to the access-table or use 115543730Speter FEATURE(`loose_relay_check'). 115642575Speter 115764562Sgshapirorelay_mail_from 115864562Sgshapiro Allows relaying if the mail sender is listed as RELAY in 1159110560Sgshapiro the access map. If an optional argument `domain' (this 1160110560Sgshapiro is the literal word `domain', not a placeholder) is given, 116190792Sgshapiro relaying can be allowed just based on the domain portion 116290792Sgshapiro of the sender address. This feature should only be used if 116390792Sgshapiro absolutely necessary as the sender address can be easily 116498121Sgshapiro forged. Use of this feature requires the "From:" tag to 116598121Sgshapiro be used for the key in the access map; see the discussion 116690792Sgshapiro of tags and FEATURE(`relay_mail_from') in the section on 116790792Sgshapiro anti-spam configuration control. 116864562Sgshapiro 116938032Speterrelay_local_from 117038032Speter Allows relaying if the domain portion of the mail sender 117138032Speter is a local host. This should only be used if absolutely 117242575Speter necessary as it opens a window for spammers. Specifically, 117342575Speter they can send mail to your mail server that claims to be 117442575Speter from your domain (either directly or via a routed address), 117542575Speter and you will go ahead and relay it out to arbitrary hosts 117642575Speter on the Internet. 117764562Sgshapiro 117838032Speteraccept_unqualified_senders 117938032Speter Normally, MAIL FROM: commands in the SMTP session will be 118038032Speter refused if the connection is a network connection and the 118138032Speter sender address does not include a domain name. If your 118264562Sgshapiro setup sends local mail unqualified (i.e., MAIL FROM: <joe>), 118338032Speter you will need to use this feature to accept unqualified 118464562Sgshapiro sender addresses. Setting the DaemonPortOptions modifier 118564562Sgshapiro 'u' overrides the default behavior, i.e., unqualified 118664562Sgshapiro addresses are accepted even without this FEATURE. 118764562Sgshapiro If this FEATURE is not used, the DaemonPortOptions modifier 118864562Sgshapiro 'f' can be used to enforce fully qualified addresses. 118964562Sgshapiro 119038032Speteraccept_unresolvable_domains 119138032Speter Normally, MAIL FROM: commands in the SMTP session will be 119264562Sgshapiro refused if the host part of the argument to MAIL FROM: 119364562Sgshapiro cannot be located in the host name service (e.g., an A or 119464562Sgshapiro MX record in DNS). If you are inside a firewall that has 119564562Sgshapiro only a limited view of the Internet host name space, this 119664562Sgshapiro could cause problems. In this case you probably want to 119764562Sgshapiro use this feature to accept all domains on input, even if 119864562Sgshapiro they are unresolvable. 119938032Speter 120038032Speteraccess_db Turns on the access database feature. The access db gives 120138032Speter you the ability to allow or refuse to accept mail from 120290792Sgshapiro specified domains for administrative reasons. Moreover, 120390792Sgshapiro it can control the behavior of sendmail in various situations. 120490792Sgshapiro By default, the access database specification is: 120538032Speter 120690792Sgshapiro hash -T<TMPF> /etc/mail/access 120743730Speter 120890792Sgshapiro See the anti-spam configuration control section for further 120990792Sgshapiro important information about this feature. Notice: 121090792Sgshapiro "-T<TMPF>" is meant literal, do not replace it by anything. 121143730Speter 121238032Speterblacklist_recipients 121338032Speter Turns on the ability to block incoming mail for certain 121438032Speter recipient usernames, hostnames, or addresses. For 121538032Speter example, you can block incoming mail to user nobody, 121638032Speter host foo.mydomain.com, or guest@bar.mydomain.com. 121738032Speter These specifications are put in the access db as 121864562Sgshapiro described in the anti-spam configuration control section 121964562Sgshapiro later in this document. 122038032Speter 122171345Sgshapirodelay_checks The rulesets check_mail and check_relay will not be called 122271345Sgshapiro when a client connects or issues a MAIL command, respectively. 122371345Sgshapiro Instead, those rulesets will be called by the check_rcpt 122471345Sgshapiro ruleset; they will be skipped under certain circumstances. 122590792Sgshapiro See "Delay all checks" in the anti-spam configuration control 122690792Sgshapiro section. Note: this feature is incompatible to the versions 122790792Sgshapiro in 8.10 and 8.11. 122871345Sgshapiro 122964562Sgshapirodnsbl Turns on rejection of hosts found in an DNS based rejection 123064562Sgshapiro list. If an argument is provided it is used as the domain 123164562Sgshapiro in which blocked hosts are listed; otherwise it defaults to 123271345Sgshapiro blackholes.mail-abuse.org. An explanation for an DNS based 123390792Sgshapiro rejection list can be found at http://mail-abuse.org/rbl/. 123490792Sgshapiro A second argument can be used to change the default error 123590792Sgshapiro message. Without that second argument, the error message 123690792Sgshapiro will be 123798841Sgshapiro Rejected: IP-ADDRESS listed at SERVER 123890792Sgshapiro where IP-ADDRESS and SERVER are replaced by the appropriate 123990792Sgshapiro information. By default, temporary lookup failures are 124090792Sgshapiro ignored. This behavior can be changed by specifying a 124190792Sgshapiro third argument, which must be either `t' or a full error 124290792Sgshapiro message. See the anti-spam configuration control section for 124390792Sgshapiro an example. The dnsbl feature can be included several times 124490792Sgshapiro to query different DNS based rejection lists. See also 124590792Sgshapiro enhdnsbl for an enhanced version. 124664562Sgshapiro 1247110560Sgshapiro Set the DNSBL_MAP mc option to change the default map 1248110560Sgshapiro definition from `host'. Set the DNSBL_MAP_OPT mc option 1249110560Sgshapiro to add additional options to the map specification used. 1250110560Sgshapiro 125198121Sgshapiro Some DNS based rejection lists cause failures if asked 125298121Sgshapiro for AAAA records. If your sendmail version is compiled 125398121Sgshapiro with IPv6 support (NETINET6) and you experience this 125498121Sgshapiro problem, add 125598121Sgshapiro 125698121Sgshapiro define(`DNSBL_MAP', `dns -R A') 125798121Sgshapiro 125898121Sgshapiro before the first use of this feature. Alternatively you 1259111823Sgshapiro can use enhdnsbl instead (see below). Moreover, this 1260111823Sgshapiro statement can be used to reduce the number of DNS retries, 1261111823Sgshapiro e.g., 126298121Sgshapiro 1263111823Sgshapiro define(`DNSBL_MAP', `dns -R A -r2') 1264111823Sgshapiro 1265111823Sgshapiro See below (EDNSBL_TO) for an explanation. 1266111823Sgshapiro 126780785Sgshapiro NOTE: The default DNS blacklist, blackholes.mail-abuse.org, 126880785Sgshapiro is a service offered by the Mail Abuse Prevention System 126980785Sgshapiro (MAPS). As of July 31, 2001, MAPS is a subscription 127080785Sgshapiro service, so using that network address won't work if you 127180785Sgshapiro haven't subscribed. Contact MAPS to subscribe 127280785Sgshapiro (http://mail-abuse.org/). 127380785Sgshapiro 127490792Sgshapiroenhdnsbl Enhanced version of dnsbl (see above). Further arguments 127590792Sgshapiro (up to 5) can be used to specify specific return values 127690792Sgshapiro from lookups. Temporary lookup failures are ignored unless 127790792Sgshapiro a third argument is given, which must be either `t' or a full 127890792Sgshapiro error message. By default, any successful lookup will 127990792Sgshapiro generate an error. Otherwise the result of the lookup is 128090792Sgshapiro compared with the supplied argument(s), and only if a match 128190792Sgshapiro occurs an error is generated. For example, 128290792Sgshapiro 128390792Sgshapiro FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.') 128490792Sgshapiro 128590792Sgshapiro will reject the e-mail if the lookup returns the value 128690792Sgshapiro ``127.0.0.2.'', or generate a 451 response if the lookup 128790792Sgshapiro temporarily failed. The arguments can contain metasymbols 128890792Sgshapiro as they are allowed in the LHS of rules. As the example 128990792Sgshapiro shows, the default values are also used if an empty argument, 129090792Sgshapiro i.e., `', is specified. This feature requires that sendmail 129190792Sgshapiro has been compiled with the flag DNSMAP (see sendmail/README). 129290792Sgshapiro 1293110560Sgshapiro Set the EDNSBL_TO mc option to change the DNS retry count 1294111823Sgshapiro from the default value of 5, this can be very useful when 1295111823Sgshapiro a DNS server is not responding, which in turn may cause 1296111823Sgshapiro clients to time out (an entry stating 1297110560Sgshapiro 1298111823Sgshapiro did not issue MAIL/EXPN/VRFY/ETRN 1299111823Sgshapiro 1300111823Sgshapiro will be logged). 1301111823Sgshapiro 130290792Sgshapirolookupdotdomain Look up also .domain in the access map. This allows to 130390792Sgshapiro match only subdomains. It does not work well with 130490792Sgshapiro FEATURE(`relay_hosts_only'), because most lookups for 130590792Sgshapiro subdomains are suppressed by the latter feature. 130690792Sgshapiro 130738032Speterloose_relay_check 130864562Sgshapiro Normally, if % addressing is used for a recipient, e.g. 130964562Sgshapiro user%site@othersite, and othersite is in class {R}, the 131038032Speter check_rcpt ruleset will strip @othersite and recheck 131138032Speter user@site for relaying. This feature changes that 131238032Speter behavior. It should not be needed for most installations. 131338032Speter 131490792Sgshapiroauthinfo Provide a separate map for client side authentication 131590792Sgshapiro information. See SMTP AUTHENTICATION for details. 131690792Sgshapiro By default, the authinfo database specification is: 131790792Sgshapiro 131890792Sgshapiro hash /etc/mail/authinfo 131990792Sgshapiro 132090792Sgshapiropreserve_luser_host 132190792Sgshapiro Preserve the name of the recipient host if LUSER_RELAY is 132290792Sgshapiro used. Without this option, the domain part of the 132390792Sgshapiro recipient address will be replaced by the host specified as 132490792Sgshapiro LUSER_RELAY. This feature only works if the hostname is 132590792Sgshapiro passed to the mailer (see mailer triple in op.me). Note 132690792Sgshapiro that in the default configuration the local mailer does not 132790792Sgshapiro receive the hostname, i.e., the mailer triple has an empty 132890792Sgshapiro hostname. 132990792Sgshapiro 133090792Sgshapiropreserve_local_plus_detail 133190792Sgshapiro Preserve the +detail portion of the address when passing 133290792Sgshapiro address to local delivery agent. Disables alias and 133390792Sgshapiro .forward +detail stripping (e.g., given user+detail, only 133490792Sgshapiro that address will be looked up in the alias file; user+* and 133590792Sgshapiro user will not be looked up). Only use if the local 133690792Sgshapiro delivery agent in use supports +detail addressing. 133790792Sgshapiro 133890792Sgshapirocompat_check Enable ruleset check_compat to look up pairs of addresses 133990792Sgshapiro with the Compat: tag -- Compat:sender<@>recipient -- in the 134090792Sgshapiro access map. Valid values for the RHS include 134190792Sgshapiro DISCARD silently discard recipient 134290792Sgshapiro TEMP: return a temporary error 134390792Sgshapiro ERROR: return a permanent error 134490792Sgshapiro In the last two cases, a 4xy/5xy SMTP reply code should 134590792Sgshapiro follow the colon. 134690792Sgshapiro 134764562Sgshapirono_default_msa Don't generate the default MSA daemon, i.e., 134864562Sgshapiro DAEMON_OPTIONS(`Port=587,Name=MSA,M=E') 134964562Sgshapiro To define a MSA daemon with other parameters, use this 135064562Sgshapiro FEATURE and introduce new settings via DAEMON_OPTIONS(). 135138032Speter 135290792Sgshapiromsp Defines config file for Message Submission Program. 135394334Sgshapiro See sendmail/SECURITY for details and cf/cf/submit.mc how 135494334Sgshapiro to use it. An optional argument can be used to override 135594334Sgshapiro the default of `[localhost]' to use as host to send all 135694334Sgshapiro e-mails to. Note that MX records will be used if the 135794334Sgshapiro specified hostname is not in square brackets (e.g., 135894334Sgshapiro [hostname]). If `MSA' is specified as second argument then 135994334Sgshapiro port 587 is used to contact the server. Example: 136090792Sgshapiro 136190792Sgshapiro FEATURE(`msp', `', `MSA') 136290792Sgshapiro 136390792Sgshapiro Some more hints about possible changes can be found below 136490792Sgshapiro in the section MESSAGE SUBMISSION PROGRAM. 136590792Sgshapiro 1366110560Sgshapiro Note: Due to many problems, submit.mc uses 136798121Sgshapiro 136898121Sgshapiro FEATURE(`msp', `[127.0.0.1]') 136998121Sgshapiro 1370110560Sgshapiro by default. If you have a machine with IPv6 only, 1371110560Sgshapiro change it to 1372110560Sgshapiro 1373110560Sgshapiro FEATURE(`msp', `[IPv6:::1]') 1374110560Sgshapiro 1375110560Sgshapiro If you want to continue using '[localhost]', (the behavior 1376110560Sgshapiro up to 8.12.6), use 1377110560Sgshapiro 1378110560Sgshapiro FEATURE(`msp') 1379110560Sgshapiro 138090792Sgshapiroqueuegroup A simple example how to select a queue group based 138190792Sgshapiro on the full e-mail address or the domain of the 138290792Sgshapiro recipient. Selection is done via entries in the 138390792Sgshapiro access map using the tag QGRP:, for example: 138490792Sgshapiro 138590792Sgshapiro QGRP:example.com main 138690792Sgshapiro QGRP:friend@some.org others 138790792Sgshapiro QGRP:my.domain local 138890792Sgshapiro 138990792Sgshapiro where "main", "others", and "local" are names of 139090792Sgshapiro queue groups. If an argument is specified, it is used 139190792Sgshapiro as default queue group. 139290792Sgshapiro 139394334Sgshapiro Note: please read the warning in doc/op/op.me about 139494334Sgshapiro queue groups and possible queue manipulations. 139594334Sgshapiro 139638032Speter+-------+ 139738032Speter| HACKS | 139838032Speter+-------+ 139938032Speter 140038032SpeterSome things just can't be called features. To make this clear, 140138032Speterthey go in the hack subdirectory and are referenced using the HACK 140238032Spetermacro. These will tend to be site-dependent. The release 140338032Speterincludes the Berkeley-dependent "cssubdomain" hack (that makes 140438032Spetersendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU; 140564562Sgshapirothis is intended as a short-term aid while moving hosts into 140638032Spetersubdomains. 140738032Speter 140838032Speter 140938032Speter+--------------------+ 141038032Speter| SITE CONFIGURATION | 141138032Speter+--------------------+ 141238032Speter 141338032Speter ***************************************************** 141438032Speter * This section is really obsolete, and is preserved * 141538032Speter * only for back compatibility. You should plan on * 141690792Sgshapiro * using mailertables for new installations. In * 141738032Speter * particular, it doesn't work for the newer forms * 141838032Speter * of UUCP mailers, such as uucp-uudom. * 141938032Speter ***************************************************** 142038032Speter 142138032SpeterComplex sites will need more local configuration information, such as 142238032Speterlists of UUCP hosts they speak with directly. This can get a bit more 142338032Spetertricky. For an example of a "complex" site, see cf/ucbvax.mc. 142438032Speter 142538032SpeterThe SITECONFIG macro allows you to indirectly reference site-dependent 142638032Speterconfiguration information stored in the siteconfig subdirectory. For 142738032Speterexample, the line 142838032Speter 142964562Sgshapiro SITECONFIG(`uucp.ucbvax', `ucbvax', `U') 143038032Speter 143138032Speterreads the file uucp.ucbvax for local connection information. The 143238032Spetersecond parameter is the local name (in this case just "ucbvax" since 143338032Speterit is locally connected, and hence a UUCP hostname). The third 143438032Speterparameter is the name of both a macro to store the local name (in 143564562Sgshapirothis case, {U}) and the name of the class (e.g., {U}) in which to store 143638032Speterthe host information read from the file. Another SITECONFIG line reads 143738032Speter 143864562Sgshapiro SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W') 143938032Speter 144038032SpeterThis says that the file uucp.ucbarpa contains the list of UUCP sites 144164562Sgshapiroconnected to ucbarpa.Berkeley.EDU. Class {W} will be used to 144238032Speterstore this list, and $W is defined to be ucbarpa.Berkeley.EDU, that 144338032Speteris, the name of the relay to which the hosts listed in uucp.ucbarpa 144464562Sgshapiroare connected. [The machine ucbarpa is gone now, but this 144564562Sgshapiroout-of-date configuration file has been left around to demonstrate 144664562Sgshapirohow you might do this.] 144738032Speter 144838032SpeterNote that the case of SITECONFIG with a third parameter of ``U'' is 144938032Speterspecial; the second parameter is assumed to be the UUCP name of the 145038032Speterlocal site, rather than the name of a remote site, and the UUCP name 145164562Sgshapirois entered into class {w} (the list of local hostnames) as $U.UUCP. 145238032Speter 145338032SpeterThe siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing 145438032Spetermore than a sequence of SITE macros describing connectivity. For 145538032Speterexample: 145638032Speter 145764562Sgshapiro SITE(`cnmat') 145864562Sgshapiro SITE(`sgi olympus') 145938032Speter 146038032SpeterThe second example demonstrates that you can use two names on the 146138032Spetersame line; these are usually aliases for the same host (or are at 146238032Speterleast in the same company). 146338032Speter 146438032Speter 146538032Speter+--------------------+ 146638032Speter| USING UUCP MAILERS | 146738032Speter+--------------------+ 146838032Speter 146938032SpeterIt's hard to get UUCP mailers right because of the extremely ad hoc 147038032Speternature of UUCP addressing. These config files are really designed 147138032Speterfor domain-based addressing, even for UUCP sites. 147238032Speter 147338032SpeterThere are four UUCP mailers available. The choice of which one to 147438032Speteruse is partly a matter of local preferences and what is running at 147538032Speterthe other end of your UUCP connection. Unlike good protocols that 147638032Speterdefine what will go over the wire, UUCP uses the policy that you 147738032Spetershould do what is right for the other end; if they change, you have 147838032Speterto change. This makes it hard to do the right thing, and discourages 147938032Speterpeople from updating their software. In general, if you can avoid 148038032SpeterUUCP, please do. 148138032Speter 148238032SpeterThe major choice is whether to go for a domainized scheme or a 148338032Speternon-domainized scheme. This depends entirely on what the other 148438032Speterend will recognize. If at all possible, you should encourage the 148538032Speterother end to go to a domain-based system -- non-domainized addresses 148638032Speterdon't work entirely properly. 148738032Speter 148838032SpeterThe four mailers are: 148938032Speter 149038032Speter uucp-old (obsolete name: "uucp") 149138032Speter This is the oldest, the worst (but the closest to UUCP) way of 149238032Speter sending messages accros UUCP connections. It does bangify 149338032Speter everything and prepends $U (your UUCP name) to the sender's 149438032Speter address (which can already be a bang path itself). It can 149538032Speter only send to one address at a time, so it spends a lot of 149638032Speter time copying duplicates of messages. Avoid this if at all 149738032Speter possible. 149838032Speter 149938032Speter uucp-new (obsolete name: "suucp") 150038032Speter The same as above, except that it assumes that in one rmail 150138032Speter command you can specify several recipients. It still has a 150238032Speter lot of other problems. 150338032Speter 150438032Speter uucp-dom 150538032Speter This UUCP mailer keeps everything as domain addresses. 150638032Speter Basically, it uses the SMTP mailer rewriting rules. This mailer 150790792Sgshapiro is only included if MAILER(`smtp') is specified before 150890792Sgshapiro MAILER(`uucp'). 150938032Speter 151038032Speter Unfortunately, a lot of UUCP mailer transport agents require 151138032Speter bangified addresses in the envelope, although you can use 151238032Speter domain-based addresses in the message header. (The envelope 151338032Speter shows up as the From_ line on UNIX mail.) So.... 151438032Speter 151538032Speter uucp-uudom 151638032Speter This is a cross between uucp-new (for the envelope addresses) 151738032Speter and uucp-dom (for the header addresses). It bangifies the 151838032Speter envelope sender (From_ line in messages) without adding the 151938032Speter local hostname, unless there is no host name on the address 152038032Speter at all (e.g., "wolf") or the host component is a UUCP host name 152138032Speter instead of a domain name ("somehost!wolf" instead of 152264562Sgshapiro "some.dom.ain!wolf"). This is also included only if MAILER(`smtp') 152390792Sgshapiro is also specified earlier. 152438032Speter 152538032SpeterExamples: 152638032Speter 152764562SgshapiroOn host grasp.insa-lyon.fr (UUCP host name "grasp"), the following 152864562Sgshapirosummarizes the sender rewriting for various mailers. 152938032Speter 153066494SgshapiroMailer sender rewriting in the envelope 153138032Speter------ ------ ------------------------- 153238032Speteruucp-{old,new} wolf grasp!wolf 153338032Speteruucp-dom wolf wolf@grasp.insa-lyon.fr 153438032Speteruucp-uudom wolf grasp.insa-lyon.fr!wolf 153538032Speter 153638032Speteruucp-{old,new} wolf@fr.net grasp!fr.net!wolf 153738032Speteruucp-dom wolf@fr.net wolf@fr.net 153838032Speteruucp-uudom wolf@fr.net fr.net!wolf 153938032Speter 154038032Speteruucp-{old,new} somehost!wolf grasp!somehost!wolf 154138032Speteruucp-dom somehost!wolf somehost!wolf@grasp.insa-lyon.fr 154238032Speteruucp-uudom somehost!wolf grasp.insa-lyon.fr!somehost!wolf 154338032Speter 154438032SpeterIf you are using one of the domainized UUCP mailers, you really want 154538032Speterto convert all UUCP addresses to domain format -- otherwise, it will 154638032Speterdo it for you (and probably not the way you expected). For example, 154738032Speterif you have the address foo!bar!baz (and you are not sending to foo), 154838032Speterthe heuristics will add the @uucp.relay.name or @local.host.name to 154938032Speterthis address. However, if you map foo to foo.host.name first, it 155038032Speterwill not add the local hostname. You can do this using the uucpdomain 155138032Speterfeature. 155238032Speter 155338032Speter 155438032Speter+-------------------+ 155538032Speter| TWEAKING RULESETS | 155638032Speter+-------------------+ 155738032Speter 155838032SpeterFor more complex configurations, you can define special rules. 155938032SpeterThe macro LOCAL_RULE_3 introduces rules that are used in canonicalizing 156038032Speterthe names. Any modifications made here are reflected in the header. 156138032Speter 156238032SpeterA common use is to convert old UUCP addresses to SMTP addresses using 156338032Speterthe UUCPSMTP macro. For example: 156438032Speter 156538032Speter LOCAL_RULE_3 156664562Sgshapiro UUCPSMTP(`decvax', `decvax.dec.com') 156764562Sgshapiro UUCPSMTP(`research', `research.att.com') 156838032Speter 156938032Speterwill cause addresses of the form "decvax!user" and "research!user" 157038032Speterto be converted to "user@decvax.dec.com" and "user@research.att.com" 157138032Speterrespectively. 157238032Speter 157338032SpeterThis could also be used to look up hosts in a database map: 157438032Speter 157538032Speter LOCAL_RULE_3 157638032Speter R$* < @ $+ > $* $: $1 < @ $(hostmap $2 $) > $3 157738032Speter 157838032SpeterThis map would be defined in the LOCAL_CONFIG portion, as shown below. 157938032Speter 158038032SpeterSimilarly, LOCAL_RULE_0 can be used to introduce new parsing rules. 158138032SpeterFor example, new rules are needed to parse hostnames that you accept 158238032Spetervia MX records. For example, you might have: 158338032Speter 158438032Speter LOCAL_RULE_0 158538032Speter R$+ <@ host.dom.ain.> $#uucp $@ cnmat $: $1 < @ host.dom.ain.> 158638032Speter 158738032SpeterYou would use this if you had installed an MX record for cnmat.Berkeley.EDU 158838032Speterpointing at this host; this rule catches the message and forwards it on 158938032Speterusing UUCP. 159038032Speter 159138032SpeterYou can also tweak rulesets 1 and 2 using LOCAL_RULE_1 and LOCAL_RULE_2. 159238032SpeterThese rulesets are normally empty. 159338032Speter 159438032SpeterA similar macro is LOCAL_CONFIG. This introduces lines added after the 159564562Sgshapiroboilerplate option setting but before rulesets. Do not declare rulesets in 159664562Sgshapirothe LOCAL_CONFIG section. It can be used to declare local database maps or 159764562Sgshapirowhatever. For example: 159838032Speter 159938032Speter LOCAL_CONFIG 160064562Sgshapiro Khostmap hash /etc/mail/hostmap 160138032Speter Kyplocal nis -m hosts.byname 160238032Speter 160338032Speter 160438032Speter+---------------------------+ 160538032Speter| MASQUERADING AND RELAYING | 160638032Speter+---------------------------+ 160738032Speter 160838032SpeterYou can have your host masquerade as another using 160938032Speter 161064562Sgshapiro MASQUERADE_AS(`host.domain') 161138032Speter 161238032SpeterThis causes mail being sent to be labeled as coming from the 161338032Speterindicated host.domain, rather than $j. One normally masquerades as 161464562Sgshapiroone of one's own subdomains (for example, it's unlikely that 161564562SgshapiroBerkeley would choose to masquerade as an MIT site). This 161664562Sgshapirobehaviour is modified by a plethora of FEATUREs; in particular, see 161764562Sgshapiromasquerade_envelope, allmasquerade, limited_masquerade, and 161864562Sgshapiromasquerade_entire_domain. 161938032Speter 162038032SpeterThe masquerade name is not normally canonified, so it is important 162138032Speterthat it be your One True Name, that is, fully qualified and not a 162238032SpeterCNAME. However, if you use a CNAME, the receiving side may canonify 162338032Speterit for you, so don't think you can cheat CNAME mapping this way. 162438032Speter 162538032SpeterNormally the only addresses that are masqueraded are those that come 162664562Sgshapirofrom this host (that is, are either unqualified or in class {w}, the list 162764562Sgshapiroof local domain names). You can augment this list, which is realized 162864562Sgshapiroby class {M} using 162938032Speter 163064562Sgshapiro MASQUERADE_DOMAIN(`otherhost.domain') 163138032Speter 163238032SpeterThe effect of this is that although mail to user@otherhost.domain 163338032Speterwill not be delivered locally, any mail including any user@otherhost.domain 163438032Speterwill, when relayed, be rewritten to have the MASQUERADE_AS address. 163538032SpeterThis can be a space-separated list of names. 163638032Speter 163738032SpeterIf these names are in a file, you can use 163838032Speter 163964562Sgshapiro MASQUERADE_DOMAIN_FILE(`filename') 164038032Speter 164164562Sgshapiroto read the list of names from the indicated file (i.e., to add 164264562Sgshapiroelements to class {M}). 164338032Speter 164464562SgshapiroTo exempt hosts or subdomains from being masqueraded, you can use 164564562Sgshapiro 164664562Sgshapiro MASQUERADE_EXCEPTION(`host.domain') 164764562Sgshapiro 164864562SgshapiroThis can come handy if you want to masquerade a whole domain 164990792Sgshapiroexcept for one (or a few) host(s). If these names are in a file, 165090792Sgshapiroyou can use 165164562Sgshapiro 165290792Sgshapiro MASQUERADE_EXCEPTION_FILE(`filename') 165390792Sgshapiro 165438032SpeterNormally only header addresses are masqueraded. If you want to 165538032Spetermasquerade the envelope as well, use 165638032Speter 165743730Speter FEATURE(`masquerade_envelope') 165838032Speter 165938032SpeterThere are always users that need to be "exposed" -- that is, their 166038032Speterinternal site name should be displayed instead of the masquerade name. 166164562SgshapiroRoot is an example (which has been "exposed" by default prior to 8.10). 166264562SgshapiroYou can add users to this list using 166338032Speter 166464562Sgshapiro EXPOSED_USER(`usernames') 166538032Speter 166690792SgshapiroThis adds users to class {E}; you could also use 166738032Speter 166890792Sgshapiro EXPOSED_USER_FILE(`filename') 166938032Speter 167038032SpeterYou can also arrange to relay all unqualified names (that is, names 167138032Speterwithout @host) to a relay host. For example, if you have a central 167238032Speteremail server, you might relay to that host so that users don't have 167338032Speterto have .forward files or aliases. You can do this using 167438032Speter 167543730Speter define(`LOCAL_RELAY', `mailer:hostname') 167638032Speter 167738032SpeterThe ``mailer:'' can be omitted, in which case the mailer defaults to 167838032Speter"relay". There are some user names that you don't want relayed, perhaps 167938032Speterbecause of local aliases. A common example is root, which may be 168038032Speterlocally aliased. You can add entries to this list using 168138032Speter 168264562Sgshapiro LOCAL_USER(`usernames') 168338032Speter 168490792SgshapiroThis adds users to class {L}; you could also use 168538032Speter 168690792Sgshapiro LOCAL_USER_FILE(`filename') 168738032Speter 168838032SpeterIf you want all incoming mail sent to a centralized hub, as for a 168938032Spetershared /var/spool/mail scheme, use 169038032Speter 169143730Speter define(`MAIL_HUB', `mailer:hostname') 169238032Speter 169338032SpeterAgain, ``mailer:'' defaults to "relay". If you define both LOCAL_RELAY 169443730Speterand MAIL_HUB _AND_ you have FEATURE(`stickyhost'), unqualified names will 169538032Speterbe sent to the LOCAL_RELAY and other local names will be sent to MAIL_HUB. 169664562SgshapiroNote: there is a (long standing) bug which keeps this combination from 169764562Sgshapiroworking for addresses of the form user+detail. 169864562SgshapiroNames in class {L} will be delivered locally, so you MUST have aliases or 169938032Speter.forward files for them. 170038032Speter 170138032SpeterFor example, if you are on machine mastodon.CS.Berkeley.EDU and you have 170243730SpeterFEATURE(`stickyhost'), the following combinations of settings will have the 170338032Speterindicated effects: 170438032Speter 170538032Speteremail sent to.... eric eric@mastodon.CS.Berkeley.EDU 170638032Speter 170738032SpeterLOCAL_RELAY set to mail.CS.Berkeley.EDU (delivered locally) 170838032Spetermail.CS.Berkeley.EDU (no local aliasing) (aliasing done) 170938032Speter 171038032SpeterMAIL_HUB set to mammoth.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 171138032Spetermammoth.CS.Berkeley.EDU (aliasing done) (aliasing done) 171238032Speter 171338032SpeterBoth LOCAL_RELAY and mail.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 171438032SpeterMAIL_HUB set as above (no local aliasing) (aliasing done) 171538032Speter 171643730SpeterIf you do not have FEATURE(`stickyhost') set, then LOCAL_RELAY and 171738032SpeterMAIL_HUB act identically, with MAIL_HUB taking precedence. 171838032Speter 171938032SpeterIf you want all outgoing mail to go to a central relay site, define 172038032SpeterSMART_HOST as well. Briefly: 172138032Speter 172238032Speter LOCAL_RELAY applies to unqualified names (e.g., "eric"). 172338032Speter MAIL_HUB applies to names qualified with the name of the 172438032Speter local host (e.g., "eric@mastodon.CS.Berkeley.EDU"). 172564562Sgshapiro SMART_HOST applies to names qualified with other hosts or 172664562Sgshapiro bracketed addresses (e.g., "eric@mastodon.CS.Berkeley.EDU" 172764562Sgshapiro or "eric@[127.0.0.1]"). 172838032Speter 172938032SpeterHowever, beware that other relays (e.g., UUCP_RELAY, BITNET_RELAY, 173038032SpeterDECNET_RELAY, and FAX_RELAY) take precedence over SMART_HOST, so if you 173138032Speterreally want absolutely everything to go to a single central site you will 173238032Speterneed to unset all the other relays -- or better yet, find or build a 173338032Speterminimal config file that does this. 173438032Speter 173538032SpeterFor duplicate suppression to work properly, the host name is best 173638032Speterspecified with a terminal dot: 173738032Speter 173838032Speter define(`MAIL_HUB', `host.domain.') 173938032Speter note the trailing dot ---^ 174038032Speter 174138032Speter 174290792Sgshapiro+-------------------------------------------+ 174390792Sgshapiro| USING LDAP FOR ALIASES, MAPS, AND CLASSES | 174490792Sgshapiro+-------------------------------------------+ 174590792Sgshapiro 174690792SgshapiroLDAP can be used for aliases, maps, and classes by either specifying your 174790792Sgshapiroown LDAP map specification or using the built-in default LDAP map 174890792Sgshapirospecification. The built-in default specifications all provide lookups 174990792Sgshapirowhich match against either the machine's fully qualified hostname (${j}) or 175090792Sgshapiroa "cluster". The cluster allows you to share LDAP entries among a large 175190792Sgshapironumber of machines without having to enter each of the machine names into 175290792Sgshapiroeach LDAP entry. To set the LDAP cluster name to use for a particular 175390792Sgshapiromachine or set of machines, set the confLDAP_CLUSTER m4 variable to a 175490792Sgshapirounique name. For example: 175590792Sgshapiro 175690792Sgshapiro define(`confLDAP_CLUSTER', `Servers') 175790792Sgshapiro 175890792SgshapiroHere, the word `Servers' will be the cluster name. As an example, assume 175990792Sgshapirothat smtp.sendmail.org, etrn.sendmail.org, and mx.sendmail.org all belong 176090792Sgshapiroto the Servers cluster. 176190792Sgshapiro 176290792SgshapiroSome of the LDAP LDIF examples below show use of the Servers cluster. 176390792SgshapiroEvery entry must have either a sendmailMTAHost or sendmailMTACluster 176490792Sgshapiroattribute or it will be ignored. Be careful as mixing clusters and 176590792Sgshapiroindividual host records can have surprising results (see the CAUTION 176690792Sgshapirosections below). 176790792Sgshapiro 176890792SgshapiroSee the file cf/sendmail.schema for the actual LDAP schemas. Note that 176990792Sgshapirothis schema (and therefore the lookups and examples below) is experimental 177090792Sgshapiroat this point as it has had little public review. Therefore, it may change 177190792Sgshapiroin future versions. Feedback via sendmail@sendmail.org is encouraged. 177290792Sgshapiro 177390792Sgshapiro------- 177490792SgshapiroAliases 177590792Sgshapiro------- 177690792Sgshapiro 177790792SgshapiroThe ALIAS_FILE (O AliasFile) option can be set to use LDAP for alias 177890792Sgshapirolookups. To use the default schema, simply use: 177990792Sgshapiro 178090792Sgshapiro define(`ALIAS_FILE', `ldap:') 178190792Sgshapiro 178290792SgshapiroBy doing so, you will use the default schema which expands to a map 178390792Sgshapirodeclared as follows: 178490792Sgshapiro 178590792Sgshapiro ldap -k (&(objectClass=sendmailMTAAliasObject) 178690792Sgshapiro (sendmailMTAAliasGrouping=aliases) 178790792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 178890792Sgshapiro (sendmailMTAHost=$j)) 178990792Sgshapiro (sendmailMTAKey=%0)) 179090792Sgshapiro -v sendmailMTAAliasValue 179190792Sgshapiro 179290792SgshapiroNOTE: The macros shown above ${sendmailMTACluster} and $j are not actually 179390792Sgshapiroused when the binary expands the `ldap:' token as the AliasFile option is 179490792Sgshapironot actually macro-expanded when read from the sendmail.cf file. 179590792Sgshapiro 179690792SgshapiroExample LDAP LDIF entries might be: 179790792Sgshapiro 179890792Sgshapiro dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org 179990792Sgshapiro objectClass: sendmailMTA 180090792Sgshapiro objectClass: sendmailMTAAlias 180190792Sgshapiro objectClass: sendmailMTAAliasObject 180290792Sgshapiro sendmailMTAAliasGrouping: aliases 180390792Sgshapiro sendmailMTAHost: etrn.sendmail.org 180490792Sgshapiro sendmailMTAKey: sendmail-list 180590792Sgshapiro sendmailMTAAliasValue: ca@example.org 180690792Sgshapiro sendmailMTAAliasValue: eric 180790792Sgshapiro sendmailMTAAliasValue: gshapiro@example.com 180890792Sgshapiro 180990792Sgshapiro dn: sendmailMTAKey=owner-sendmail-list, dc=sendmail, dc=org 181090792Sgshapiro objectClass: sendmailMTA 181190792Sgshapiro objectClass: sendmailMTAAlias 181290792Sgshapiro objectClass: sendmailMTAAliasObject 181390792Sgshapiro sendmailMTAAliasGrouping: aliases 181490792Sgshapiro sendmailMTAHost: etrn.sendmail.org 181590792Sgshapiro sendmailMTAKey: owner-sendmail-list 181690792Sgshapiro sendmailMTAAliasValue: eric 181790792Sgshapiro 181890792Sgshapiro dn: sendmailMTAKey=postmaster, dc=sendmail, dc=org 181990792Sgshapiro objectClass: sendmailMTA 182090792Sgshapiro objectClass: sendmailMTAAlias 182190792Sgshapiro objectClass: sendmailMTAAliasObject 182290792Sgshapiro sendmailMTAAliasGrouping: aliases 182390792Sgshapiro sendmailMTACluster: Servers 182490792Sgshapiro sendmailMTAKey: postmaster 182590792Sgshapiro sendmailMTAAliasValue: eric 182690792Sgshapiro 182790792SgshapiroHere, the aliases sendmail-list and owner-sendmail-list will be available 182890792Sgshapiroonly on etrn.sendmail.org but the postmaster alias will be available on 182990792Sgshapiroevery machine in the Servers cluster (including etrn.sendmail.org). 183090792Sgshapiro 183190792SgshapiroCAUTION: aliases are additive so that entries like these: 183290792Sgshapiro 183390792Sgshapiro dn: sendmailMTAKey=bob, dc=sendmail, dc=org 183490792Sgshapiro objectClass: sendmailMTA 183590792Sgshapiro objectClass: sendmailMTAAlias 183690792Sgshapiro objectClass: sendmailMTAAliasObject 183790792Sgshapiro sendmailMTAAliasGrouping: aliases 183890792Sgshapiro sendmailMTACluster: Servers 183990792Sgshapiro sendmailMTAKey: bob 184090792Sgshapiro sendmailMTAAliasValue: eric 184190792Sgshapiro 184294334Sgshapiro dn: sendmailMTAKey=bobetrn, dc=sendmail, dc=org 184390792Sgshapiro objectClass: sendmailMTA 184490792Sgshapiro objectClass: sendmailMTAAlias 184590792Sgshapiro objectClass: sendmailMTAAliasObject 184690792Sgshapiro sendmailMTAAliasGrouping: aliases 184790792Sgshapiro sendmailMTAHost: etrn.sendmail.org 184890792Sgshapiro sendmailMTAKey: bob 184990792Sgshapiro sendmailMTAAliasValue: gshapiro 185090792Sgshapiro 185190792Sgshapirowould mean that on all of the hosts in the cluster, mail to bob would go to 185290792Sgshapiroeric EXCEPT on etrn.sendmail.org in which case it would go to BOTH eric and 185390792Sgshapirogshapiro. 185490792Sgshapiro 185590792SgshapiroIf you prefer not to use the default LDAP schema for your aliases, you can 185690792Sgshapirospecify the map parameters when setting ALIAS_FILE. For example: 185790792Sgshapiro 185890792Sgshapiro define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember') 185990792Sgshapiro 186090792Sgshapiro---- 186190792SgshapiroMaps 186290792Sgshapiro---- 186390792Sgshapiro 186490792SgshapiroFEATURE()'s which take an optional map definition argument (e.g., access, 186590792Sgshapiromailertable, virtusertable, etc.) can instead take the special keyword 186690792Sgshapiro`LDAP', e.g.: 186790792Sgshapiro 186890792Sgshapiro FEATURE(`access_db', `LDAP') 186990792Sgshapiro FEATURE(`virtusertable', `LDAP') 187090792Sgshapiro 187190792SgshapiroWhen this keyword is given, that map will use LDAP lookups consisting of 187290792Sgshapirothe objectClass sendmailMTAClassObject, the attribute sendmailMTAMapName 187390792Sgshapirowith the map name, a search attribute of sendmailMTAKey, and the value 187490792Sgshapiroattribute sendmailMTAMapValue. 187590792Sgshapiro 187690792SgshapiroThe values for sendmailMTAMapName are: 187790792Sgshapiro 187890792Sgshapiro FEATURE() sendmailMTAMapName 187990792Sgshapiro --------- ------------------ 188090792Sgshapiro access_db access 188190792Sgshapiro authinfo authinfo 188290792Sgshapiro bitdomain bitdomain 188390792Sgshapiro domaintable domain 188490792Sgshapiro genericstable generics 188590792Sgshapiro mailertable mailer 188690792Sgshapiro uucpdomain uucpdomain 188790792Sgshapiro virtusertable virtuser 188890792Sgshapiro 188990792SgshapiroFor example, FEATURE(`mailertable', `LDAP') would use the map definition: 189090792Sgshapiro 189190792Sgshapiro Kmailertable ldap -k (&(objectClass=sendmailMTAMapObject) 189290792Sgshapiro (sendmailMTAMapName=mailer) 189390792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 189490792Sgshapiro (sendmailMTAHost=$j)) 189590792Sgshapiro (sendmailMTAKey=%0)) 189690792Sgshapiro -1 -v sendmailMTAMapValue 189790792Sgshapiro 189890792SgshapiroAn example LDAP LDIF entry using this map might be: 189990792Sgshapiro 190090792Sgshapiro dn: sendmailMTAMapName=mailer, dc=sendmail, dc=org 190190792Sgshapiro objectClass: sendmailMTA 190290792Sgshapiro objectClass: sendmailMTAMap 190390792Sgshapiro sendmailMTACluster: Servers 190490792Sgshapiro sendmailMTAMapName: mailer 190590792Sgshapiro 190690792Sgshapiro dn: sendmailMTAKey=example.com, sendmailMTAMapName=mailer, dc=sendmail, dc=org 190790792Sgshapiro objectClass: sendmailMTA 190890792Sgshapiro objectClass: sendmailMTAMap 190990792Sgshapiro objectClass: sendmailMTAMapObject 191090792Sgshapiro sendmailMTAMapName: mailer 191190792Sgshapiro sendmailMTACluster: Servers 191290792Sgshapiro sendmailMTAKey: example.com 191390792Sgshapiro sendmailMTAMapValue: relay:[smtp.example.com] 191490792Sgshapiro 191590792SgshapiroCAUTION: If your LDAP database contains the record above and *ALSO* a host 191690792Sgshapirospecific record such as: 191790792Sgshapiro 191890792Sgshapiro dn: sendmailMTAKey=example.com@etrn, sendmailMTAMapName=mailer, dc=sendmail, dc=org 191990792Sgshapiro objectClass: sendmailMTA 192090792Sgshapiro objectClass: sendmailMTAMap 192190792Sgshapiro objectClass: sendmailMTAMapObject 192290792Sgshapiro sendmailMTAMapName: mailer 192390792Sgshapiro sendmailMTAHost: etrn.sendmail.org 192490792Sgshapiro sendmailMTAKey: example.com 192590792Sgshapiro sendmailMTAMapValue: relay:[mx.example.com] 192690792Sgshapiro 192790792Sgshapirothen these entries will give unexpected results. When the lookup is done 192890792Sgshapiroon etrn.sendmail.org, the effect is that there is *NO* match at all as maps 192990792Sgshapirorequire a single match. Since the host etrn.sendmail.org is also in the 193090792SgshapiroServers cluster, LDAP would return two answers for the example.com map key 193190792Sgshapiroin which case sendmail would treat this as no match at all. 193290792Sgshapiro 193390792SgshapiroIf you prefer not to use the default LDAP schema for your maps, you can 193490792Sgshapirospecify the map parameters when using the FEATURE(). For example: 193590792Sgshapiro 193690792Sgshapiro FEATURE(`access_db', `ldap:-1 -k (&(objectClass=mapDatabase)(key=%0)) -v value') 193790792Sgshapiro 193890792Sgshapiro------- 193990792SgshapiroClasses 194090792Sgshapiro------- 194190792Sgshapiro 194290792SgshapiroNormally, classes can be filled via files or programs. As of 8.12, they 194390792Sgshapirocan also be filled via map lookups using a new syntax: 194490792Sgshapiro 194590792Sgshapiro F{ClassName}mapkey@mapclass:mapspec 194690792Sgshapiro 194790792Sgshapiromapkey is optional and if not provided the map key will be empty. This can 194890792Sgshapirobe used with LDAP to read classes from LDAP. Note that the lookup is only 194990792Sgshapirodone when sendmail is initially started. Use the special value `@LDAP' to 195090792Sgshapirouse the default LDAP schema. For example: 195190792Sgshapiro 195290792Sgshapiro RELAY_DOMAIN_FILE(`@LDAP') 195390792Sgshapiro 195490792Sgshapirowould put all of the attribute sendmailMTAClassValue values of LDAP records 195590792Sgshapirowith objectClass sendmailMTAClass and an attribute sendmailMTAClassName of 195690792Sgshapiro'R' into class $={R}. In other words, it is equivalent to the LDAP map 195790792Sgshapirospecification: 195890792Sgshapiro 195990792Sgshapiro F{R}@ldap:-k (&(objectClass=sendmailMTAClass) 196090792Sgshapiro (sendmailMTAClassName=R) 196190792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 196290792Sgshapiro (sendmailMTAHost=$j))) 196390792Sgshapiro -v sendmailMTAClassValue 196490792Sgshapiro 196590792SgshapiroNOTE: The macros shown above ${sendmailMTACluster} and $j are not actually 196690792Sgshapiroused when the binary expands the `@LDAP' token as class declarations are 196790792Sgshapironot actually macro-expanded when read from the sendmail.cf file. 196890792Sgshapiro 196990792SgshapiroThis can be used with class related commands such as RELAY_DOMAIN_FILE(), 197090792SgshapiroMASQUERADE_DOMAIN_FILE(), etc: 197190792Sgshapiro 197290792Sgshapiro Command sendmailMTAClassName 197390792Sgshapiro ------- -------------------- 197490792Sgshapiro CANONIFY_DOMAIN_FILE() Canonify 197590792Sgshapiro EXPOSED_USER_FILE() E 197690792Sgshapiro GENERICS_DOMAIN_FILE() G 197790792Sgshapiro LDAPROUTE_DOMAIN_FILE() LDAPRoute 197890792Sgshapiro LDAPROUTE_EQUIVALENT_FILE() LDAPRouteEquiv 197990792Sgshapiro LOCAL_USER_FILE() L 198090792Sgshapiro MASQUERADE_DOMAIN_FILE() M 198190792Sgshapiro MASQUERADE_EXCEPTION_FILE() N 198290792Sgshapiro RELAY_DOMAIN_FILE() R 198390792Sgshapiro VIRTUSER_DOMAIN_FILE() VirtHost 198490792Sgshapiro 198590792SgshapiroYou can also add your own as any 'F'ile class of the form: 198690792Sgshapiro 198790792Sgshapiro F{ClassName}@LDAP 198890792Sgshapiro ^^^^^^^^^ 198990792Sgshapirowill use "ClassName" for the sendmailMTAClassName. 199090792Sgshapiro 199190792SgshapiroAn example LDAP LDIF entry would look like: 199290792Sgshapiro 199390792Sgshapiro dn: sendmailMTAClassName=R, dc=sendmail, dc=org 199490792Sgshapiro objectClass: sendmailMTA 199590792Sgshapiro objectClass: sendmailMTAClass 199690792Sgshapiro sendmailMTACluster: Servers 199790792Sgshapiro sendmailMTAClassName: R 199890792Sgshapiro sendmailMTAClassValue: sendmail.org 199990792Sgshapiro sendmailMTAClassValue: example.com 200090792Sgshapiro sendmailMTAClassValue: 10.56.23 200190792Sgshapiro 200290792SgshapiroCAUTION: If your LDAP database contains the record above and *ALSO* a host 200390792Sgshapirospecific record such as: 200490792Sgshapiro 200590792Sgshapiro dn: sendmailMTAClassName=R@etrn.sendmail.org, dc=sendmail, dc=org 200690792Sgshapiro objectClass: sendmailMTA 200790792Sgshapiro objectClass: sendmailMTAClass 200890792Sgshapiro sendmailMTAHost: etrn.sendmail.org 200990792Sgshapiro sendmailMTAClassName: R 201090792Sgshapiro sendmailMTAClassValue: example.com 201190792Sgshapiro 201290792Sgshapirothe result will be similar to the aliases caution above. When the lookup 201390792Sgshapirois done on etrn.sendmail.org, $={R} would contain all of the entries (from 201490792Sgshapiroboth the cluster match and the host match). In other words, the effective 201590792Sgshapirois additive. 201690792Sgshapiro 201790792SgshapiroIf you prefer not to use the default LDAP schema for your classes, you can 201890792Sgshapirospecify the map parameters when using the class command. For example: 201990792Sgshapiro 202090792Sgshapiro VIRTUSER_DOMAIN_FILE(`@ldap:-k (&(objectClass=virtHosts)(host=*)) -v host') 202190792Sgshapiro 202290792SgshapiroRemember, macros can not be used in a class declaration as the binary does 202390792Sgshapironot expand them. 202490792Sgshapiro 202590792Sgshapiro 202664562Sgshapiro+--------------+ 202764562Sgshapiro| LDAP ROUTING | 202864562Sgshapiro+--------------+ 202964562Sgshapiro 203064562SgshapiroFEATURE(`ldap_routing') can be used to implement the IETF Internet Draft 203164562SgshapiroLDAP Schema for Intranet Mail Routing 203264562Sgshapiro(draft-lachman-laser-ldap-mail-routing-01). This feature enables 203364562SgshapiroLDAP-based rerouting of a particular address to either a different host 203464562Sgshapiroor a different address. The LDAP lookup is first attempted on the full 203564562Sgshapiroaddress (e.g., user@example.com) and then on the domain portion 203664562Sgshapiro(e.g., @example.com). Be sure to setup your domain for LDAP routing using 203764562SgshapiroLDAPROUTE_DOMAIN(), e.g.: 203864562Sgshapiro 203964562Sgshapiro LDAPROUTE_DOMAIN(`example.com') 204064562Sgshapiro 204190792SgshapiroAdditionally, you can specify equivalent domains for LDAP routing using 204290792SgshapiroLDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE(). 'Equivalent' 204390792Sgshapirohostnames are mapped to $M (the masqueraded hostname for the server) before 204490792Sgshapirothe LDAP query. For example, if the mail is addressed to 204590792Sgshapirouser@host1.example.com, normally the LDAP lookup would only be done for 204690792Sgshapiro'user@host1.example.com' and '@host1.example.com'. However, if 204790792SgshapiroLDAPROUTE_EQUIVALENT(`host1.example.com') is used, the lookups would also be 204890792Sgshapirodone on 'user@example.com' and '@example.com' after attempting the 204990792Sgshapirohost1.example.com lookups. 205090792Sgshapiro 205164562SgshapiroBy default, the feature will use the schemas as specified in the draft 205264562Sgshapiroand will not reject addresses not found by the LDAP lookup. However, 205364562Sgshapirothis behavior can be changed by giving additional arguments to the FEATURE() 205464562Sgshapirocommand: 205564562Sgshapiro 205690792Sgshapiro FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>, <detail>) 205764562Sgshapiro 205864562Sgshapirowhere <mailHost> is a map definition describing how to lookup an alternative 205964562Sgshapiromail host for a particular address; <mailRoutingAddress> is a map definition 206090792Sgshapirodescribing how to lookup an alternative address for a particular address; 206164562Sgshapirothe <bounce> argument, if present and not the word "passthru", dictates 206264562Sgshapirothat mail should be bounced if neither a mailHost nor mailRoutingAddress 206390792Sgshapirois found; and <detail> indicates what actions to take if the address 206490792Sgshapirocontains +detail information -- `strip' tries the lookup with the +detail 206590792Sgshapiroand if no matches are found, strips the +detail and tries the lookup again; 206690792Sgshapiro`preserve', does the same as `strip' but if a mailRoutingAddress match is 206790792Sgshapirofound, the +detail information is copied to the new address. 206864562Sgshapiro 206964562SgshapiroThe default <mailHost> map definition is: 207064562Sgshapiro 207194334Sgshapiro ldap -1 -T<TMPF> -v mailHost -k (&(objectClass=inetLocalMailRecipient) 207264562Sgshapiro (mailLocalAddress=%0)) 207364562Sgshapiro 207464562SgshapiroThe default <mailRoutingAddress> map definition is: 207564562Sgshapiro 207694334Sgshapiro ldap -1 -T<TMPF> -v mailRoutingAddress 207794334Sgshapiro -k (&(objectClass=inetLocalMailRecipient) 207894334Sgshapiro (mailLocalAddress=%0)) 207964562Sgshapiro 208064562SgshapiroNote that neither includes the LDAP server hostname (-h server) or base DN 208164562Sgshapiro(-b o=org,c=COUNTRY), both necessary for LDAP queries. It is presumed that 208264562Sgshapiroyour .mc file contains a setting for the confLDAP_DEFAULT_SPEC option with 208364562Sgshapirothese settings. If this is not the case, the map definitions should be 208494334Sgshapirochanged as described above. The "-T<TMPF>" is required in any user 208594334Sgshapirospecified map definition to catch temporary errors. 208664562Sgshapiro 208764562SgshapiroThe following possibilities exist as a result of an LDAP lookup on an 208864562Sgshapiroaddress: 208964562Sgshapiro 209064562Sgshapiro mailHost is mailRoutingAddress is Results in 209164562Sgshapiro ----------- --------------------- ---------- 209264562Sgshapiro set to a set mail delivered to 209364562Sgshapiro "local" host mailRoutingAddress 209464562Sgshapiro 209564562Sgshapiro set to a not set delivered to 209664562Sgshapiro "local" host original address 209764562Sgshapiro 209864562Sgshapiro set to a set mailRoutingAddress 209964562Sgshapiro remote host relayed to mailHost 210064562Sgshapiro 210164562Sgshapiro set to a not set original address 210264562Sgshapiro remote host relayed to mailHost 210364562Sgshapiro 210464562Sgshapiro not set set mail delivered to 210564562Sgshapiro mailRoutingAddress 210664562Sgshapiro 210764562Sgshapiro not set not set delivered to 210864562Sgshapiro original address *OR* 210964562Sgshapiro bounced as unknown user 211064562Sgshapiro 211190792SgshapiroThe term "local" host above means the host specified is in class {w}. If 211290792Sgshapirothe result would mean sending the mail to a different host, that host is 211390792Sgshapirolooked up in the mailertable before delivery. 211490792Sgshapiro 211564562SgshapiroNote that the last case depends on whether the third argument is given 211664562Sgshapiroto the FEATURE() command. The default is to deliver the message to the 211764562Sgshapirooriginal address. 211864562Sgshapiro 211964562SgshapiroThe LDAP entries should be set up with an objectClass of 212064562SgshapiroinetLocalMailRecipient and the address be listed in a mailLocalAddress 212164562Sgshapiroattribute. If present, there must be only one mailHost attribute and it 212264562Sgshapiromust contain a fully qualified host name as its value. Similarly, if 212364562Sgshapiropresent, there must be only one mailRoutingAddress attribute and it must 212490792Sgshapirocontain an RFC 822 compliant address. Some example LDAP records (in LDIF 212564562Sgshapiroformat): 212664562Sgshapiro 212764562Sgshapiro dn: uid=tom, o=example.com, c=US 212864562Sgshapiro objectClass: inetLocalMailRecipient 212964562Sgshapiro mailLocalAddress: tom@example.com 213064562Sgshapiro mailRoutingAddress: thomas@mailhost.example.com 213164562Sgshapiro 213264562SgshapiroThis would deliver mail for tom@example.com to thomas@mailhost.example.com. 213364562Sgshapiro 213464562Sgshapiro dn: uid=dick, o=example.com, c=US 213564562Sgshapiro objectClass: inetLocalMailRecipient 213664562Sgshapiro mailLocalAddress: dick@example.com 213764562Sgshapiro mailHost: eng.example.com 213864562Sgshapiro 213964562SgshapiroThis would relay mail for dick@example.com to the same address but redirect 214090792Sgshapirothe mail to MX records listed for the host eng.example.com (unless the 214190792Sgshapiromailertable overrides). 214264562Sgshapiro 214364562Sgshapiro dn: uid=harry, o=example.com, c=US 214464562Sgshapiro objectClass: inetLocalMailRecipient 214564562Sgshapiro mailLocalAddress: harry@example.com 214664562Sgshapiro mailHost: mktmail.example.com 214764562Sgshapiro mailRoutingAddress: harry@mkt.example.com 214864562Sgshapiro 214964562SgshapiroThis would relay mail for harry@example.com to the MX records listed for 215064562Sgshapirothe host mktmail.example.com using the new address harry@mkt.example.com 215164562Sgshapirowhen talking to that host. 215264562Sgshapiro 215364562Sgshapiro dn: uid=virtual.example.com, o=example.com, c=US 215464562Sgshapiro objectClass: inetLocalMailRecipient 215564562Sgshapiro mailLocalAddress: @virtual.example.com 215664562Sgshapiro mailHost: server.example.com 215764562Sgshapiro mailRoutingAddress: virtual@example.com 215864562Sgshapiro 215964562SgshapiroThis would send all mail destined for any username @virtual.example.com to 216064562Sgshapirothe machine server.example.com's MX servers and deliver to the address 216164562Sgshapirovirtual@example.com on that relay machine. 216264562Sgshapiro 216364562Sgshapiro 216438032Speter+---------------------------------+ 216538032Speter| ANTI-SPAM CONFIGURATION CONTROL | 216638032Speter+---------------------------------+ 216738032Speter 216838032SpeterThe primary anti-spam features available in sendmail are: 216938032Speter 217038032Speter* Relaying is denied by default. 217138032Speter* Better checking on sender information. 217238032Speter* Access database. 217338032Speter* Header checks. 217438032Speter 217564562SgshapiroRelaying (transmission of messages from a site outside your host (class 217664562Sgshapiro{w}) to another site except yours) is denied by default. Note that this 217764562Sgshapirochanged in sendmail 8.9; previous versions allowed relaying by default. 217864562SgshapiroIf you really want to revert to the old behaviour, you will need to use 217964562SgshapiroFEATURE(`promiscuous_relay'). You can allow certain domains to relay 218064562Sgshapirothrough your server by adding their domain name or IP address to class 218164562Sgshapiro{R} using RELAY_DOMAIN() and RELAY_DOMAIN_FILE() or via the access database 218290792Sgshapiro(described below). Note that IPv6 addresses must be prefaced with "IPv6:". 218390792SgshapiroThe file consists (like any other file based class) of entries listed on 218490792Sgshapiroseparate lines, e.g., 218538032Speter 218664562Sgshapiro sendmail.org 218764562Sgshapiro 128.32 218890792Sgshapiro IPv6:2002:c0a8:02c7 218990792Sgshapiro IPv6:2002:c0a8:51d2::23f4 219064562Sgshapiro host.mydomain.com 219190792Sgshapiro [UNIX:localhost] 219264562Sgshapiro 219390792SgshapiroNotice: the last entry allows relaying for connections via a UNIX 219490792Sgshapirosocket to the MTA/MSP. This might be necessary if your configuration 219590792Sgshapirodoesn't allow relaying by other means in that case, e.g., by having 219690792Sgshapirolocalhost.$m in class {R} (make sure $m is not just a top level 219790792Sgshapirodomain). 219890792Sgshapiro 219938032SpeterIf you use 220038032Speter 220143730Speter FEATURE(`relay_entire_domain') 220238032Speter 220364562Sgshapirothen any host in any of your local domains (that is, class {m}) 220442575Speterwill be relayed (that is, you will accept mail either to or from any 220542575Speterhost in your domain). 220638032Speter 220738032SpeterYou can also allow relaying based on the MX records of the host 220838032Speterportion of an incoming recipient address by using 220938032Speter 221043730Speter FEATURE(`relay_based_on_MX') 221138032Speter 221238032SpeterFor example, if your server receives a recipient of user@domain.com 221338032Speterand domain.com lists your server in its MX records, the mail will be 221490792Sgshapiroaccepted for relay to domain.com. This feature may cause problems 221590792Sgshapiroif MX lookups for the recipient domain are slow or time out. In that 221690792Sgshapirocase, mail will be temporarily rejected. It is usually better to 221790792Sgshapiromaintain a list of hosts/domains for which the server acts as relay. 221890792SgshapiroNote also that this feature will stop spammers from using your host 221990792Sgshapiroto relay spam but it will not stop outsiders from using your server 222090792Sgshapiroas a relay for their site (that is, they set up an MX record pointing 222190792Sgshapiroto your mail server, and you will relay mail addressed to them 222290792Sgshapirowithout any prior arrangement). Along the same lines, 222338032Speter 222443730Speter FEATURE(`relay_local_from') 222538032Speter 222638032Speterwill allow relaying if the sender specifies a return path (i.e. 222790792SgshapiroMAIL FROM: <user@domain>) domain which is a local domain. This is a 222838032Speterdangerous feature as it will allow spammers to spam using your mail 222938032Speterserver by simply specifying a return address of user@your.domain.com. 223038032SpeterIt should not be used unless absolutely necessary. 223164562SgshapiroA slightly better solution is 223238032Speter 223364562Sgshapiro FEATURE(`relay_mail_from') 223464562Sgshapiro 223564562Sgshapirowhich allows relaying if the mail sender is listed as RELAY in the 2236110560Sgshapiroaccess map. If an optional argument `domain' (this is the literal 2237110560Sgshapiroword `domain', not a placeholder) is given, the domain portion of 2238110560Sgshapirothe mail sender is also checked to allowing relaying. This option 2239110560Sgshapiroonly works together with the tag From: for the LHS of the access 2240110560Sgshapiromap entries (see below: Finer control...). This feature allows 2241110560Sgshapirospammers to abuse your mail server by specifying a return address 2242110560Sgshapirothat you enabled in your access file. This may be harder to figure 2243110560Sgshapiroout for spammers, but it should not be used unless necessary. 2244110560SgshapiroInstead use SMTP AUTH or STARTTLS to allow relaying for roaming 2245110560Sgshapirousers. 224664562Sgshapiro 224764562Sgshapiro 224890792SgshapiroIf source routing is used in the recipient address (e.g., 224938032SpeterRCPT TO: <user%site.com@othersite.com>), sendmail will check 225038032Speteruser@site.com for relaying if othersite.com is an allowed relay host 225164562Sgshapiroin either class {R}, class {m} if FEATURE(`relay_entire_domain') is used, 225243730Speteror the access database if FEATURE(`access_db') is used. To prevent 225338032Speterthe address from being stripped down, use: 225438032Speter 225543730Speter FEATURE(`loose_relay_check') 225638032Speter 225738032SpeterIf you think you need to use this feature, you probably do not. This 225838032Spetershould only be used for sites which have no control over the addresses 225938032Speterthat they provide a gateway for. Use this FEATURE with caution as it 226038032Spetercan allow spammers to relay through your server if not setup properly. 226138032Speter 226264562SgshapiroNOTICE: It is possible to relay mail through a system which the anti-relay 226364562Sgshapirorules do not prevent: the case of a system that does use FEATURE(`nouucp', 226464562Sgshapiro`nospecial') (system A) and relays local messages to a mail hub (e.g., via 226564562SgshapiroLOCAL_RELAY or LUSER_RELAY) (system B). If system B doesn't use 226664562SgshapiroFEATURE(`nouucp') at all, addresses of the form 226764562Sgshapiro<example.net!user@local.host> would be relayed to <user@example.net>. 226864562SgshapiroSystem A doesn't recognize `!' as an address separator and therefore 226964562Sgshapiroforwards it to the mail hub which in turns relays it because it came from 227064562Sgshapiroa trusted local host. So if a mailserver allows UUCP (bang-format) 227164562Sgshapiroaddresses, all systems from which it allows relaying should do the same 227264562Sgshapiroor reject those addresses. 227364562Sgshapiro 227438032SpeterAs of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has 227538032Speteran unresolvable domain (i.e., one that DNS, your local name service, 227690792Sgshapiroor special case rules in ruleset 3 cannot locate). This also applies 227790792Sgshapiroto addresses that use domain literals, e.g., <user@[1.2.3.4]>, if the 227890792SgshapiroIP address can't be mapped to a host name. If you want to continue 227990792Sgshapiroto accept such domains, e.g., because you are inside a firewall that 228090792Sgshapirohas only a limited view of the Internet host name space (note that you 228190792Sgshapirowill not be able to return mail to them unless you have some "smart 228290792Sgshapirohost" forwarder), use 228338032Speter 228443730Speter FEATURE(`accept_unresolvable_domains') 228538032Speter 228690792SgshapiroAlternatively, you can allow specific addresses by adding them to 228790792Sgshapirothe access map, e.g., 228890792Sgshapiro 228990792Sgshapiro From:unresolvable.domain OK 229090792Sgshapiro From:[1.2.3.4] OK 229190792Sgshapiro From:[1.2.4] OK 229290792Sgshapiro 229390792SgshapiroNotice: domains which are temporarily unresolvable are (temporarily) 229490792Sgshapirorejected with a 451 reply code. If those domains should be accepted 229590792Sgshapiro(which is discouraged) then you can use 229690792Sgshapiro 229790792Sgshapiro LOCAL_CONFIG 229890792Sgshapiro C{ResOk}TEMP 229990792Sgshapiro 230038032Spetersendmail will also refuse mail if the MAIL FROM: parameter is not 230138032Speterfully qualified (i.e., contains a domain as well as a user). If you 230238032Speterwant to continue to accept such senders, use 230338032Speter 230443730Speter FEATURE(`accept_unqualified_senders') 230538032Speter 230664562SgshapiroSetting the DaemonPortOptions modifier 'u' overrides the default behavior, 230764562Sgshapiroi.e., unqualified addresses are accepted even without this FEATURE. If 230864562Sgshapirothis FEATURE is not used, the DaemonPortOptions modifier 'f' can be used 230990792Sgshapiroto enforce fully qualified domain names. 231064562Sgshapiro 231138032SpeterAn ``access'' database can be created to accept or reject mail from 231238032Speterselected domains. For example, you may choose to reject all mail 231338032Speteroriginating from known spammers. To enable such a database, use 231438032Speter 231543730Speter FEATURE(`access_db') 231638032Speter 231790792SgshapiroNotice: the access database is applied to the envelope addresses 231890792Sgshapiroand the connection information, not to the header. 231990792Sgshapiro 232090792SgshapiroThe FEATURE macro can accept as second parameter the key file 232138032Speterdefinition for the database; for example 232238032Speter 232390792Sgshapiro FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map') 232438032Speter 232590792SgshapiroNotice: If a second argument is specified it must contain the option 232690792Sgshapiro`-T<TMPF>' as shown above. The optional third and fourth parameters 232790792Sgshapiromay be `skip' or `lookupdotdomain'. The former enables SKIP as 232890792Sgshapirovalue part (see below), the latter is another way to enable the 232990792Sgshapirofeature of the same name (see above). 233090792Sgshapiro 233142575SpeterRemember, since /etc/mail/access is a database, after creating the text 233242575Speterfile as described below, you must use makemap to create the database 233342575Spetermap. For example: 233442575Speter 233543730Speter makemap hash /etc/mail/access < /etc/mail/access 233642575Speter 233738032SpeterThe table itself uses e-mail addresses, domain names, and network 233890792Sgshapironumbers as keys. Note that IPv6 addresses must be prefaced with "IPv6:". 233990792SgshapiroFor example, 234038032Speter 234190792Sgshapiro spammer@aol.com REJECT 234290792Sgshapiro cyberspammer.com REJECT 234394334Sgshapiro TLD REJECT 234490792Sgshapiro 192.168.212 REJECT 234590792Sgshapiro IPv6:2002:c0a8:02c7 RELAY 234690792Sgshapiro IPv6:2002:c0a8:51d2::23f4 REJECT 234738032Speter 234838032Speterwould refuse mail from spammer@aol.com, any user from cyberspammer.com 234994334Sgshapiro(or any host within the cyberspammer.com domain), any host in the entire 235094334Sgshapirotop level domain TLD, 192.168.212.* network, and the IPv6 address 235194334Sgshapiro2002:c0a8:51d2::23f4. It would allow relay for the IPv6 network 235294334Sgshapiro2002:c0a8:02c7::/48. 235338032Speter 235438032SpeterThe value part of the map can contain: 235538032Speter 235690792Sgshapiro OK Accept mail even if other rules in the running 235790792Sgshapiro ruleset would reject it, for example, if the domain 235890792Sgshapiro name is unresolvable. "Accept" does not mean 235990792Sgshapiro "relay", but at most acceptance for local 236090792Sgshapiro recipients. That is, OK allows less than RELAY. 236142575Speter RELAY Accept mail addressed to the indicated domain or 236242575Speter received from the indicated domain for relaying 236342575Speter through your SMTP server. RELAY also serves as 236442575Speter an implicit OK for the other checks. 236542575Speter REJECT Reject the sender or recipient with a general 236638032Speter purpose message. 236742575Speter DISCARD Discard the message completely using the 236871345Sgshapiro $#discard mailer. If it is used in check_compat, 236971345Sgshapiro it affects only the designated recipient, not 237071345Sgshapiro the whole message as it does in all other cases. 237171345Sgshapiro This should only be used if really necessary. 237290792Sgshapiro SKIP This can only be used for host/domain names 237390792Sgshapiro and IP addresses/nets. It will abort the current 237490792Sgshapiro search for this entry without accepting or rejecting 237590792Sgshapiro it but causing the default action. 237666494Sgshapiro ### any text where ### is an RFC 821 compliant error code and 237766494Sgshapiro "any text" is a message to return for the command. 237866494Sgshapiro The string should be quoted to avoid surprises, 237966494Sgshapiro e.g., sendmail may remove spaces otherwise. 238090792Sgshapiro This type is deprecated, use one the two 238190792Sgshapiro ERROR: entries below instead. 238264562Sgshapiro ERROR:### any text 238364562Sgshapiro as above, but useful to mark error messages as such. 238464562Sgshapiro ERROR:D.S.N:### any text 238564562Sgshapiro where D.S.N is an RFC 1893 compliant error code 238664562Sgshapiro and the rest as above. 238738032Speter 238838032SpeterFor example: 238938032Speter 2390110560Sgshapiro cyberspammer.com ERROR:"550 We don't accept mail from spammers" 239138032Speter okay.cyberspammer.com OK 239264562Sgshapiro sendmail.org RELAY 239338032Speter 128.32 RELAY 239490792Sgshapiro IPv6:1:2:3:4:5:6:7 RELAY 239564562Sgshapiro [127.0.0.3] OK 239690792Sgshapiro [IPv6:1:2:3:4:5:6:7:8] OK 239738032Speter 239864562Sgshapirowould accept mail from okay.cyberspammer.com, but would reject mail from 239964562Sgshapiroall other hosts at cyberspammer.com with the indicated message. It would 240064562Sgshapiroallow relaying mail from and to any hosts in the sendmail.org domain, and 240164562Sgshapiroallow relaying from the 128.32.*.* network and the IPv6 1:2:3:4:5:6:7:* 240264562Sgshapironetwork. The latter two entries are for checks against ${client_name} if 240364562Sgshapirothe IP address doesn't resolve to a hostname (or is considered as "may be 240490792Sgshapiroforged"). That is, using square brackets means these are host names, 240590792Sgshapironot network numbers. 240638032Speter 240764562SgshapiroWarning: if you change the RFC 821 compliant error code from the default 240864562Sgshapirovalue of 550, then you should probably also change the RFC 1893 compliant 240964562Sgshapiroerror code to match it. For example, if you use 241064562Sgshapiro 241190792Sgshapiro user@example.com ERROR:450 mailbox full 241264562Sgshapiro 241390792Sgshapirothe error returned would be "450 5.0.0 mailbox full" which is wrong. 241490792SgshapiroUse "ERROR:4.2.2:450 mailbox full" instead. 241564562Sgshapiro 241664562SgshapiroNote, UUCP users may need to add hostname.UUCP to the access database 241790792Sgshapiroor class {R}. 241864562Sgshapiro 241990792SgshapiroIf you also use: 242090792Sgshapiro 242143730Speter FEATURE(`relay_hosts_only') 242238032Speter 242338032Speterthen the above example will allow relaying for sendmail.org, but not 242438032Speterhosts within the sendmail.org domain. Note that this will also require 242564562Sgshapirohosts listed in class {R} to be fully qualified host names. 242638032Speter 242738032SpeterYou can also use the access database to block sender addresses based on 242838032Speterthe username portion of the address. For example: 242938032Speter 243066494Sgshapiro FREE.STEALTH.MAILER@ ERROR:550 Spam not accepted 243138032Speter 243238032SpeterNote that you must include the @ after the username to signify that 243338032Speterthis database entry is for checking only the username portion of the 243438032Spetersender address. 243538032Speter 243638032SpeterIf you use: 243738032Speter 243843730Speter FEATURE(`blacklist_recipients') 243938032Speter 244038032Speterthen you can add entries to the map for local users, hosts in your 244138032Speterdomains, or addresses in your domain which should not receive mail: 244238032Speter 244366494Sgshapiro badlocaluser@ ERROR:550 Mailbox disabled for this username 244466494Sgshapiro host.mydomain.com ERROR:550 That host does not accept mail 244566494Sgshapiro user@otherhost.mydomain.com ERROR:550 Mailbox disabled for this recipient 244638032Speter 244738032SpeterThis would prevent a recipient of badlocaluser@mydomain.com, any 244838032Speteruser at host.mydomain.com, and the single address 244964562Sgshapirouser@otherhost.mydomain.com from receiving mail. Please note: a 245064562Sgshapirolocal username must be now tagged with an @ (this is consistent 245164562Sgshapirowith the check of the sender address, and hence it is possible to 245264562Sgshapirodistinguish between hostnames and usernames). Enabling this feature 245364562Sgshapirowill keep you from sending mails to all addresses that have an 245464562Sgshapiroerror message or REJECT as value part in the access map. Taking 245564562Sgshapirothe example from above: 245638032Speter 245742575Speter spammer@aol.com REJECT 245842575Speter cyberspammer.com REJECT 245942575Speter 246042575SpeterMail can't be sent to spammer@aol.com or anyone at cyberspammer.com. 246142575Speter 246290792SgshapiroThere are several DNS based blacklists, the first of which was 246390792Sgshapirothe RBL (``Realtime Blackhole List'') run by the MAPS project, 246490792Sgshapirosee http://mail-abuse.org/. These are databases of spammers 246590792Sgshapiromaintained in DNS. To use such a database, specify 246638032Speter 246764562Sgshapiro FEATURE(`dnsbl') 246838032Speter 246990792SgshapiroThis will cause sendmail to reject mail from any site in the original 247080785SgshapiroRealtime Blackhole List database. This default DNS blacklist, 247180785Sgshapiroblackholes.mail-abuse.org, is a service offered by the Mail Abuse 247280785SgshapiroPrevention System (MAPS). As of July 31, 2001, MAPS is a subscription 247380785Sgshapiroservice, so using that network address won't work if you haven't 247480785Sgshapirosubscribed. Contact MAPS to subscribe (http://mail-abuse.org/). 247538032Speter 247680785SgshapiroYou can specify an alternative RBL server to check by specifying an 247780785Sgshapiroargument to the FEATURE. The default error message is 247880785Sgshapiro 247998841Sgshapiro Rejected: IP-ADDRESS listed at SERVER 248080785Sgshapiro 248190792Sgshapirowhere IP-ADDRESS and SERVER are replaced by the appropriate 248290792Sgshapiroinformation. A second argument can be used to specify a different 248390792Sgshapirotext. By default, temporary lookup failures are ignored and hence 248490792Sgshapirocause the connection not to be rejected by the DNS based rejection 248590792Sgshapirolist. This behavior can be changed by specifying a third argument, 248690792Sgshapirowhich must be either `t' or a full error message. For example: 248771345Sgshapiro 248890792Sgshapiro FEATURE(`dnsbl', `dnsbl.example.com', `', 248990792Sgshapiro `"451 Temporary lookup failure for " $&{client_addr} " in dnsbl.example.com"') 249071345Sgshapiro 249190792SgshapiroIf `t' is used, the error message is: 249290792Sgshapiro 249390792Sgshapiro 451 Temporary lookup failure of IP-ADDRESS at SERVER 249490792Sgshapiro 249590792Sgshapirowhere IP-ADDRESS and SERVER are replaced by the appropriate 249690792Sgshapiroinformation. 249790792Sgshapiro 249890792SgshapiroThis FEATURE can be included several times to query different 249990792SgshapiroDNS based rejection lists, e.g., the dial-up user list (see 250090792Sgshapirohttp://mail-abuse.org/dul/). 250190792Sgshapiro 250290792SgshapiroNotice: to avoid checking your own local domains against those 250390792Sgshapiroblacklists, use the access_db feature and add: 250490792Sgshapiro 250590792Sgshapiro Connect:10.1 OK 250690792Sgshapiro Connect:127.0.0.1 RELAY 250790792Sgshapiro 250890792Sgshapiroto the access map, where 10.1 is your local network. You may 250990792Sgshapirowant to use "RELAY" instead of "OK" to allow also relaying 251090792Sgshapiroinstead of just disabling the DNS lookups in the backlists. 251190792Sgshapiro 251290792Sgshapiro 251338032SpeterThe features described above make use of the check_relay, check_mail, 2514110560Sgshapiroand check_rcpt rulesets. Note that check_relay checks the SMTP 2515110560Sgshapiroclient hostname and IP address when the connection is made to your 2516110560Sgshapiroserver. It does not check if a mail message is being relayed to 2517110560Sgshapiroanother server. That check is done in check_rcpt. If you wish to 2518110560Sgshapiroinclude your own checks, you can put your checks in the rulesets 2519110560SgshapiroLocal_check_relay, Local_check_mail, and Local_check_rcpt. For 2520110560Sgshapiroexample if you wanted to block senders with all numeric usernames 2521110560Sgshapiro(i.e. 2312343@bigisp.com), you would use Local_check_mail and the 2522110560Sgshapiroregex map: 252338032Speter 252464562Sgshapiro LOCAL_CONFIG 252564562Sgshapiro Kallnumbers regex -a@MATCH ^[0-9]+$ 252664562Sgshapiro 252764562Sgshapiro LOCAL_RULESETS 252864562Sgshapiro SLocal_check_mail 252964562Sgshapiro # check address against various regex checks 253038032Speter R$* $: $>Parse0 $>3 $1 253164562Sgshapiro R$+ < @ bigisp.com. > $* $: $(allnumbers $1 $) 253264562Sgshapiro R@MATCH $#error $: 553 Header Error 253338032Speter 253438032SpeterThese rules are called with the original arguments of the corresponding 253538032Spetercheck_* ruleset. If the local ruleset returns $#OK, no further checking 253638032Speteris done by the features described above and the mail is accepted. If the 253738032Speterlocal ruleset resolves to a mailer (such as $#error or $#discard), the 253838032Speterappropriate action is taken. Otherwise, the results of the local 253938032Speterrewriting are ignored. 254038032Speter 254164562SgshapiroFiner control by using tags for the LHS of the access map 254290792Sgshapiro--------------------------------------------------------- 254338032Speter 254464562SgshapiroRead this section only if the options listed so far are not sufficient 254564562Sgshapirofor your purposes. There is now the option to tag entries in the 254664562Sgshapiroaccess map according to their type. Three tags are available: 254764562Sgshapiro 254864562Sgshapiro Connect: connection information (${client_addr}, ${client_name}) 254973188Sgshapiro From: envelope sender 255073188Sgshapiro To: envelope recipient 255164562Sgshapiro 255264562SgshapiroIf the required item is looked up in a map, it will be tried first 255364562Sgshapirowith the corresponding tag in front, then (as fallback to enable 255490792Sgshapirobackward compatibility) without any tag, unless the specific feature 255590792Sgshapirorequires a tag. For example, 255664562Sgshapiro 255764562Sgshapiro From:spammer@some.dom REJECT 255864562Sgshapiro To:friend.domain RELAY 255964562Sgshapiro Connect:friend.domain OK 256064562Sgshapiro Connect:from.domain RELAY 256164562Sgshapiro From:good@another.dom OK 256264562Sgshapiro From:another.dom REJECT 256364562Sgshapiro 256464562SgshapiroThis would deny mails from spammer@some.dom but you could still 256564562Sgshapirosend mail to that address even if FEATURE(`blacklist_recipients') 256664562Sgshapirois enabled. Your system will allow relaying to friend.domain, but 256764562Sgshapironot from it (unless enabled by other means). Connections from that 256864562Sgshapirodomain will be allowed even if it ends up in one of the DNS based 256964562Sgshapirorejection lists. Relaying is enabled from from.domain but not to 257064562Sgshapiroit (since relaying is based on the connection information for 257164562Sgshapirooutgoing relaying, the tag Connect: must be used; for incoming 257264562Sgshapirorelaying, which is based on the recipient address, To: must be 257364562Sgshapiroused). The last two entries allow mails from good@another.dom but 257464562Sgshapiroreject mail from all other addresses with another.dom as domain 257564562Sgshapiropart. 257664562Sgshapiro 257764562SgshapiroDelay all checks 257890792Sgshapiro---------------- 257964562Sgshapiro 258064562SgshapiroBy using FEATURE(`delay_checks') the rulesets check_mail and check_relay 258164562Sgshapirowill not be called when a client connects or issues a MAIL command, 258264562Sgshapirorespectively. Instead, those rulesets will be called by the check_rcpt 258364562Sgshapiroruleset; they will be skipped if a sender has been authenticated using 258464562Sgshapiroa "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(). 258564562SgshapiroIf check_mail returns an error then the RCPT TO command will be rejected 258664562Sgshapirowith that error. If it returns some other result starting with $# then 258764562Sgshapirocheck_relay will be skipped. If the sender address (or a part of it) is 258864562Sgshapirolisted in the access map and it has a RHS of OK or RELAY, then check_relay 258964562Sgshapirowill be skipped. This has an interesting side effect: if your domain is 259064562Sgshapiromy.domain and you have 259164562Sgshapiro 259264562Sgshapiro my.domain RELAY 259364562Sgshapiro 259464562Sgshapiroin the access map, then all e-mail with a sender address of 259564562Sgshapiro<user@my.domain> gets through, even if check_relay would reject it 259664562Sgshapiro(e.g., based on the hostname or IP address). This allows spammers 259764562Sgshapiroto get around DNS based blacklist by faking the sender address. To 259864562Sgshapiroavoid this problem you have to use tagged entries: 259964562Sgshapiro 260064562Sgshapiro To:my.domain RELAY 260164562Sgshapiro Connect:my.domain RELAY 260264562Sgshapiro 260364562Sgshapiroif you need those entries at all (class {R} may take care of them). 260473188Sgshapiro 260564562SgshapiroFEATURE(`delay_checks') can take an optional argument: 260664562Sgshapiro 260764562Sgshapiro FEATURE(`delay_checks', `friend') 260864562Sgshapiro enables spamfriend test 260964562Sgshapiro FEATURE(`delay_checks', `hater') 261064562Sgshapiro enables spamhater test 261164562Sgshapiro 261294334SgshapiroIf such an argument is given, the recipient will be looked up in the 261394334Sgshapiroaccess map (using the tag Spam:). If the argument is `friend', then 261494334Sgshapirothe default behavior is to apply the other rulesets and make a SPAM 261594334Sgshapirofriend the exception. The rulesets check_mail and check_relay will be 261694334Sgshapiroskipped only if the recipient address is found and has RHS FRIEND. If 261794334Sgshapirothe argument is `hater', then the default behavior is to skip the rulesets 261894334Sgshapirocheck_mail and check_relay and make a SPAM hater the exception. The 261994334Sgshapiroother two rulesets will be applied only if the recipient address is 262094334Sgshapirofound and has RHS HATER. 262164562Sgshapiro 262264562SgshapiroThis allows for simple exceptions from the tests, e.g., by activating 262390792Sgshapirothe friend option and having 262464562Sgshapiro 262590792Sgshapiro Spam:abuse@ FRIEND 262664562Sgshapiro 2627110560Sgshapiroin the access map, mail to abuse@localdomain will get through (where 2628110560Sgshapiro"localdomain" is any domain in class {w}). It is also possible to 2629110560Sgshapirospecify a full address or an address with +detail: 263064562Sgshapiro 263190792Sgshapiro Spam:abuse@my.domain FRIEND 263290792Sgshapiro Spam:me+abuse@ FRIEND 263390792Sgshapiro Spam:spam.domain FRIEND 263464562Sgshapiro 263590792SgshapiroNote: The required tag has been changed in 8.12 from To: to Spam:. 263690792SgshapiroThis change is incompatible to previous versions. However, you can 263790792Sgshapiro(for now) simply add the new entries to the access map, the old 263890792Sgshapiroones will be ignored. As soon as you removed the old entries from 263990792Sgshapirothe access map, specify a third parameter (`n') to this feature and 264090792Sgshapirothe backward compatibility rules will not be in the generated .cf 264190792Sgshapirofile. 264264562Sgshapiro 264364562SgshapiroHeader Checks 264490792Sgshapiro------------- 264564562Sgshapiro 264638032SpeterYou can also reject mail on the basis of the contents of headers. 264738032SpeterThis is done by adding a ruleset call to the 'H' header definition command 264838032Speterin sendmail.cf. For example, this can be used to check the validity of 264938032Spetera Message-ID: header: 265038032Speter 2651110560Sgshapiro LOCAL_CONFIG 265238032Speter HMessage-Id: $>CheckMessageId 265338032Speter 2654110560Sgshapiro LOCAL_RULESETS 265538032Speter SCheckMessageId 265638032Speter R< $+ @ $+ > $@ OK 265738032Speter R$* $#error $: 553 Header Error 265838032Speter 265964562SgshapiroThe alternative format: 266038032Speter 266164562Sgshapiro HSubject: $>+CheckSubject 266242575Speter 266364562Sgshapirothat is, $>+ instead of $>, gives the full Subject: header including 266464562Sgshapirocomments to the ruleset (comments in parentheses () are stripped 266564562Sgshapiroby default). 266642575Speter 266764562SgshapiroA default ruleset for headers which don't have a specific ruleset 266864562Sgshapirodefined for them can be given by: 266942575Speter 267064562Sgshapiro H*: $>CheckHdr 267143730Speter 267290792SgshapiroNotice: 267390792Sgshapiro1. All rules act on tokens as explained in doc/op/op.{me,ps,txt}. 267473188SgshapiroThat may cause problems with simple header checks due to the 267590792Sgshapirotokenization. It might be simpler to use a regex map and apply it 267673188Sgshapiroto $&{currHeader}. 267790792Sgshapiro2. There are no default rulesets coming with this distribution of 267890792Sgshapirosendmail. You can either write your own or you can search the 267990792SgshapiroWWW for examples, e.g., http://www.digitalanswers.org/check_local/ 268073188Sgshapiro 268164562SgshapiroAfter all of the headers are read, the check_eoh ruleset will be called for 268264562Sgshapiroany final header-related checks. The ruleset is called with the number of 268364562Sgshapiroheaders and the size of all of the headers in bytes separated by $|. One 268464562Sgshapiroexample usage is to reject messages which do not have a Message-Id: 268564562Sgshapiroheader. However, the Message-Id: header is *NOT* a required header and is 268664562Sgshapironot a guaranteed spam indicator. This ruleset is an example and should 268764562Sgshapiroprobably not be used in production. 268864562Sgshapiro 268964562Sgshapiro LOCAL_CONFIG 269064562Sgshapiro Kstorage macro 2691110560Sgshapiro HMessage-Id: $>CheckMessageId 269264562Sgshapiro 269364562Sgshapiro LOCAL_RULESETS 269464562Sgshapiro SCheckMessageId 269564562Sgshapiro # Record the presence of the header 269664562Sgshapiro R$* $: $(storage {MessageIdCheck} $@ OK $) $1 269764562Sgshapiro R< $+ @ $+ > $@ OK 269864562Sgshapiro R$* $#error $: 553 Header Error 269964562Sgshapiro 270064562Sgshapiro Scheck_eoh 270164562Sgshapiro # Check the macro 270264562Sgshapiro R$* $: < $&{MessageIdCheck} > 270364562Sgshapiro # Clear the macro for the next message 270464562Sgshapiro R$* $: $(storage {MessageIdCheck} $) $1 270564562Sgshapiro # Has a Message-Id: header 270664562Sgshapiro R< $+ > $@ OK 270764562Sgshapiro # Allow missing Message-Id: from local mail 270864562Sgshapiro R$* $: < $&{client_name} > 270964562Sgshapiro R< > $@ OK 271064562Sgshapiro R< $=w > $@ OK 271164562Sgshapiro # Otherwise, reject the mail 271264562Sgshapiro R$* $#error $: 553 Header Error 271364562Sgshapiro 271466494Sgshapiro+----------+ 271566494Sgshapiro| STARTTLS | 271666494Sgshapiro+----------+ 271764562Sgshapiro 271864562SgshapiroIn this text, cert will be used as an abreviation for X.509 certificate, 271990792SgshapiroDN (CN) is the distinguished (common) name of a cert, and CA is a 272090792Sgshapirocertification authority, which signs (issues) certs. 272164562Sgshapiro 272280785SgshapiroFor STARTTLS to be offered by sendmail you need to set at least 272380785Sgshapirothis variables (the file names and paths are just examples): 272480785Sgshapiro 272580785Sgshapiro define(`confCACERT_PATH', `/etc/mail/certs/') 272680785Sgshapiro define(`confCACERT', `/etc/mail/certs/CA.cert.pem') 272780785Sgshapiro define(`confSERVER_CERT', `/etc/mail/certs/my.cert.pem') 272880785Sgshapiro define(`confSERVER_KEY', `/etc/mail/certs/my.key.pem') 272980785Sgshapiro 273080785SgshapiroOn systems which do not have the compile flag HASURANDOM set (see 273180785Sgshapirosendmail/README) you also must set confRAND_FILE. 273280785Sgshapiro 273390792SgshapiroSee doc/op/op.{me,ps,txt} for more information about these options, 273490792Sgshapiroespecially the sections ``Certificates for STARTTLS'' and ``PRNG for 273580785SgshapiroSTARTTLS''. 273680785Sgshapiro 273764562SgshapiroMacros related to STARTTLS are: 273864562Sgshapiro 273964562Sgshapiro${cert_issuer} holds the DN of the CA (the cert issuer). 274064562Sgshapiro${cert_subject} holds the DN of the cert (called the cert subject). 274190792Sgshapiro${cn_issuer} holds the CN of the CA (the cert issuer). 274290792Sgshapiro${cn_subject} holds the CN of the cert (called the cert subject). 274364562Sgshapiro${tls_version} the TLS/SSL version used for the connection, e.g., TLSv1, 274490792Sgshapiro TLSv1/SSLv3, SSLv3, SSLv2. 274564562Sgshapiro${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA, 274664562Sgshapiro EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA. 274764562Sgshapiro${cipher_bits} the keylength (in bits) of the symmetric encryption algorithm 274864562Sgshapiro used for the connection. 274990792Sgshapiro${verify} holds the result of the verification of the presented cert. 275090792Sgshapiro Possible values are: 275190792Sgshapiro OK verification succeeded. 275290792Sgshapiro NO no cert presented. 275390792Sgshapiro NOT no cert requested. 275490792Sgshapiro FAIL cert presented but could not be verified, 275590792Sgshapiro e.g., the cert of the signing CA is missing. 275690792Sgshapiro NONE STARTTLS has not been performed. 275790792Sgshapiro TEMP temporary error occurred. 275890792Sgshapiro PROTOCOL protocol error occurred (SMTP level). 275964562Sgshapiro SOFTWARE STARTTLS handshake failed. 276090792Sgshapiro${server_name} the name of the server of the current outgoing SMTP 276164562Sgshapiro connection. 276290792Sgshapiro${server_addr} the address of the server of the current outgoing SMTP 276364562Sgshapiro connection. 276464562Sgshapiro 276564562SgshapiroRelaying 276690792Sgshapiro-------- 276764562Sgshapiro 276864562Sgshapiro 2769110560SgshapiroSMTP STARTTLS can allow relaying for remote SMTP clients which have 2770110560Sgshapirosuccessfully authenticated themselves. This is done in the ruleset 2771110560SgshapiroRelayAuth. If the verification of the cert failed (${verify} != OK), 2772110560Sgshapirorelaying is subject to the usual rules. Otherwise the DN of the issuer is 2773110560Sgshapirolooked up in the access map using the tag CERTISSUER. If the resulting 2774110560Sgshapirovalue is RELAY, relaying is allowed. If it is SUBJECT, the DN of the cert 2775110560Sgshapirosubject is looked up next in the access map using the tag CERTSUBJECT. If 2776110560Sgshapirothe value is RELAY, relaying is allowed. 2777110560Sgshapiro 277864562Sgshapiro${cert_issuer} and ${cert_subject} can be optionally modified by regular 277964562Sgshapiroexpressions defined in the m4 variables _CERT_REGEX_ISSUER_ and 278090792Sgshapiro_CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in 278164562Sgshapirorulesets and map lookups, they are modified as follows: each non-printable 2782110560Sgshapirocharacter and the characters '<', '>', '(', ')', '"', '+', ' ' are replaced 2783110560Sgshapiroby their HEX value with a leading '+'. For example: 278464562Sgshapiro 278564562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email= 278664562Sgshapirodarth+cert@endmail.org 278764562Sgshapiro 278864562Sgshapirois encoded as: 278964562Sgshapiro 279064562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 279164562SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 279264562Sgshapiro 279364562Sgshapiro(line breaks have been inserted for readability). 279464562Sgshapiro 2795110560SgshapiroThe macros which are subject to this encoding are ${cert_subject}, 2796110560Sgshapiro${cert_issuer}, ${cn_subject}, and ${cn_issuer}. 2797110560Sgshapiro 279890792SgshapiroExamples: 279990792Sgshapiro 280090792SgshapiroTo allow relaying for everyone who can present a cert signed by 280190792Sgshapiro 280290792Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 280390792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 280490792Sgshapiro 280590792Sgshapirosimply use: 280690792Sgshapiro 2807110560SgshapiroCertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= 280890792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org RELAY 280990792Sgshapiro 281090792SgshapiroTo allow relaying only for a subset of machines that have a cert signed by 281190792Sgshapiro 281290792Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 281390792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 281490792Sgshapiro 281590792Sgshapirouse: 281690792Sgshapiro 2817110560SgshapiroCertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= 281890792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org SUBJECT 2819110560SgshapiroCertSubject:/C=US/ST=California/O=endmail.org/OU=private/CN= 282090792SgshapiroDeathStar/Email=deathstar@endmail.org RELAY 282190792Sgshapiro 282290792SgshapiroNote: line breaks have been inserted after "CN=" for readability, 282390792Sgshapiroeach tagged entry must be one (long) line in the access map. 282490792Sgshapiro 282590792SgshapiroOf course it is also possible to write a simple ruleset that allows 282664562Sgshapirorelaying for everyone who can present a cert that can be verified, e.g., 282764562Sgshapiro 282864562SgshapiroLOCAL_RULESETS 282964562SgshapiroSLocal_check_rcpt 283064562SgshapiroR$* $: $&{verify} 283164562SgshapiroROK $# OK 283264562Sgshapiro 283364562SgshapiroAllowing Connections 283490792Sgshapiro-------------------- 283564562Sgshapiro 283690792SgshapiroThe rulesets tls_server, tls_client, and tls_rcpt are used to decide whether 283790792Sgshapiroan SMTP connection is accepted (or should continue). 283864562Sgshapiro 283964562Sgshapirotls_server is called when sendmail acts as client after a STARTTLS command 284090792Sgshapiro(should) have been issued. The parameter is the value of ${verify}. 284164562Sgshapiro 284264562Sgshapirotls_client is called when sendmail acts as server, after a STARTTLS command 284390792Sgshapirohas been issued, and from check_mail. The parameter is the value of 284464562Sgshapiro${verify} and STARTTLS or MAIL, respectively. 284564562Sgshapiro 284690792SgshapiroBoth rulesets behave the same. If no access map is in use, the connection 284764562Sgshapirowill be accepted unless ${verify} is SOFTWARE, in which case the connection 284890792Sgshapirois always aborted. For tls_server/tls_client, ${client_name}/${server_name} 284990792Sgshapirois looked up in the access map using the tag TLS_Srv/TLS_Clt, which is done 285090792Sgshapirowith the ruleset LookUpDomain. If no entry is found, ${client_addr} 285164562Sgshapiro(${server_addr}) is looked up in the access map (same tag, ruleset 285290792SgshapiroLookUpAddr). If this doesn't result in an entry either, just the tag is 285390792Sgshapirolooked up in the access map (included the trailing colon). Notice: 285490792Sgshapirorequiring that e-mail is sent to a server only encrypted, e.g., via 285564562Sgshapiro 285690792SgshapiroTLS_Srv:secure.domain ENCR:112 285790792Sgshapiro 285890792Sgshapirodoesn't necessarily mean that e-mail sent to that domain is encrypted. 285990792SgshapiroIf the domain has multiple MX servers, e.g., 286090792Sgshapiro 286190792Sgshapirosecure.domain. IN MX 10 mail.secure.domain. 286290792Sgshapirosecure.domain. IN MX 50 mail.other.domain. 286390792Sgshapiro 286490792Sgshapirothen mail to user@secure.domain may go unencrypted to mail.other.domain. 286590792Sgshapirotls_rcpt can be used to address this problem. 286690792Sgshapiro 286790792Sgshapirotls_rcpt is called before a RCPT TO: command is sent. The parameter is the 286890792Sgshapirocurrent recipient. This ruleset is only defined if FEATURE(`access_db') 286990792Sgshapirois selected. A recipient address user@domain is looked up in the access 287090792Sgshapiromap in four formats: TLS_Rcpt:user@domain, TLS_Rcpt:user@, TLS_Rcpt:domain, 287190792Sgshapiroand TLS_Rcpt:; the first match is taken. 287290792Sgshapiro 287390792SgshapiroThe result of the lookups is then used to call the ruleset TLS_connection, 287490792Sgshapirowhich checks the requirement specified by the RHS in the access map against 287590792Sgshapirothe actual parameters of the current TLS connection, esp. ${verify} and 287690792Sgshapiro${cipher_bits}. Legal RHSs in the access map are: 287790792Sgshapiro 287864562SgshapiroVERIFY verification must have succeeded 287964562SgshapiroVERIFY:bits verification must have succeeded and ${cipher_bits} must 288064562Sgshapiro be greater than or equal bits. 288164562SgshapiroENCR:bits ${cipher_bits} must be greater than or equal bits. 288264562Sgshapiro 288364562SgshapiroThe RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary 288490792Sgshapiroor permanent error. The default is a temporary error code (403 4.7.0) 288564562Sgshapirounless the macro TLS_PERM_ERR is set during generation of the .cf file. 288664562Sgshapiro 288764562SgshapiroIf a certain level of encryption is required, then it might also be 288864562Sgshapiropossible that this level is provided by the security layer from a SASL 288964562Sgshapiroalgorithm, e.g., DIGEST-MD5. 289064562Sgshapiro 289190792SgshapiroFurthermore, there can be a list of extensions added. Such a list 289290792Sgshapirostarts with '+' and the items are separated by '++'. Allowed 289390792Sgshapiroextensions are: 289490792Sgshapiro 289590792SgshapiroCN:name name must match ${cn_subject} 289690792SgshapiroCN ${server_name} must match ${cn_subject} 289790792SgshapiroCS:name name must match ${cert_subject} 289890792SgshapiroCI:name name must match ${cert_issuer} 289990792Sgshapiro 290082017SgshapiroExample: e-mail sent to secure.example.com should only use an encrypted 290190792Sgshapiroconnection. E-mail received from hosts within the laptop.example.com domain 290290792Sgshapiroshould only be accepted if they have been authenticated. The host which 290390792Sgshapiroreceives e-mail for darth@endmail.org must present a cert that uses the 290490792SgshapiroCN smtp.endmail.org. 290590792Sgshapiro 290664562SgshapiroTLS_Srv:secure.example.com ENCR:112 290764562SgshapiroTLS_Clt:laptop.example.com PERM+VERIFY:112 290890792SgshapiroTLS_Rcpt:darth@endmail.org ENCR:112+CN:smtp.endmail.org 290964562Sgshapiro 291073188Sgshapiro 291190792SgshapiroDisabling STARTTLS And Setting SMTP Server Features 291290792Sgshapiro--------------------------------------------------- 291373188Sgshapiro 291490792SgshapiroBy default STARTTLS is used whenever possible. However, there are 291590792Sgshapirosome broken MTAs that don't properly implement STARTTLS. To be able 291690792Sgshapiroto send to (or receive from) those MTAs, the ruleset try_tls 291790792Sgshapiro(srv_features) can be used that work together with the access map. 291890792SgshapiroEntries for the access map must be tagged with Try_TLS (Srv_Features) 291990792Sgshapiroand refer to the hostname or IP address of the connecting system. 292090792SgshapiroA default case can be specified by using just the tag. For example, 292190792Sgshapirothe following entries in the access map: 292273188Sgshapiro 292390792Sgshapiro Try_TLS:broken.server NO 292490792Sgshapiro Srv_Features:my.domain v 292590792Sgshapiro Srv_Features: V 292673188Sgshapiro 292790792Sgshapirowill turn off STARTTLS when sending to broken.server (or any host 292890792Sgshapiroin that domain), and request a client certificate during the TLS 292990792Sgshapirohandshake only for hosts in my.domain. The valid entries on the RHS 293090792Sgshapirofor Srv_Features are listed in the Sendmail Installation and 293190792SgshapiroOperations Guide. 293273188Sgshapiro 293373188Sgshapiro 293464562SgshapiroReceived: Header 293590792Sgshapiro---------------- 293664562Sgshapiro 293790792SgshapiroThe Received: header reveals whether STARTTLS has been used. It contains an 293864562Sgshapiroextra line: 293964562Sgshapiro 294090792Sgshapiro(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}) 294164562Sgshapiro 294290792Sgshapiro 294366494Sgshapiro+---------------------+ 294466494Sgshapiro| SMTP AUTHENTICATION | 294566494Sgshapiro+---------------------+ 294664562Sgshapiro 294764562SgshapiroThe macros ${auth_authen}, ${auth_author}, and ${auth_type} can be 294864562Sgshapiroused in anti-relay rulesets to allow relaying for those users that 294964562Sgshapiroauthenticated themselves. A very simple example is: 295064562Sgshapiro 295164562SgshapiroSLocal_check_rcpt 295264562SgshapiroR$* $: $&{auth_type} 295364562SgshapiroR$+ $# OK 295464562Sgshapiro 295564562Sgshapirowhich checks whether a user has successfully authenticated using 295664562Sgshapiroany available mechanism. Depending on the setup of the CYRUS SASL 295764562Sgshapirolibrary, more sophisticated rulesets might be required, e.g., 295864562Sgshapiro 295964562SgshapiroSLocal_check_rcpt 296064562SgshapiroR$* $: $&{auth_type} $| $&{auth_authen} 296164562SgshapiroRDIGEST-MD5 $| $+@$=w $# OK 296264562Sgshapiro 296364562Sgshapiroto allow relaying for users that authenticated using DIGEST-MD5 296464562Sgshapiroand have an identity in the local domains. 296564562Sgshapiro 296690792SgshapiroThe ruleset trust_auth is used to determine whether a given AUTH= 296764562Sgshapiroparameter (that is passed to this ruleset) should be trusted. This 296864562Sgshapiroruleset may make use of the other ${auth_*} macros. Only if the 296964562Sgshapiroruleset resolves to the error mailer, the AUTH= parameter is not 297064562Sgshapirotrusted. A user supplied ruleset Local_trust_auth can be written 297164562Sgshapiroto modify the default behavior, which only trust the AUTH= 297264562Sgshapiroparameter if it is identical to the authenticated user. 297364562Sgshapiro 297464562SgshapiroPer default, relaying is allowed for any user who authenticated 297564562Sgshapirovia a "trusted" mechanism, i.e., one that is defined via 297664562SgshapiroTRUST_AUTH_MECH(`list of mechanisms') 297771345SgshapiroFor example: 297871345SgshapiroTRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5') 297964562Sgshapiro 298064562SgshapiroIf the selected mechanism provides a security layer the number of 298164562Sgshapirobits used for the key of the symmetric cipher is stored in the 298264562Sgshapiromacro ${auth_ssf}. 298364562Sgshapiro 298490792SgshapiroIf sendmail acts as client, it needs some information how to 298590792Sgshapiroauthenticate against another MTA. This information can be provided 298690792Sgshapiroby the ruleset authinfo or by the option DefaultAuthInfo. The 298790792Sgshapiroauthinfo ruleset looks up {server_name} using the tag AuthInfo: in 298890792Sgshapirothe access map. If no entry is found, {server_addr} is looked up 298990792Sgshapiroin the same way and finally just the tag AuthInfo: to provide 2990111823Sgshapirodefault values. Note: searches for domain parts or IP nets are 2991111823Sgshapiroonly performed if the access map is used; if the authinfo feature 2992111823Sgshapirois used then only up to three lookups are performed (two exact 2993111823Sgshapiromatches, one default). 299490792Sgshapiro 299590792SgshapiroNotice: the default configuration file causes the option DefaultAuthInfo 299690792Sgshapiroto fail since the ruleset authinfo is in the .cf file. If you really 299790792Sgshapirowant to use DefaultAuthInfo (it is deprecated) then you have to 299890792Sgshapiroremove the ruleset. 299990792Sgshapiro 300090792SgshapiroThe RHS for an AuthInfo: entry in the access map should consists of a 300190792Sgshapirolist of tokens, each of which has the form: "TDstring" (including 300290792Sgshapirothe quotes). T is a tag which describes the item, D is a delimiter, 300390792Sgshapiroeither ':' for simple text or '=' for a base64 encoded string. 300490792SgshapiroValid values for the tag are: 300590792Sgshapiro 300690792Sgshapiro U user (authorization) id 300790792Sgshapiro I authentication id 300890792Sgshapiro P password 300990792Sgshapiro R realm 301090792Sgshapiro M list of mechanisms delimited by spaces 301190792Sgshapiro 301290792SgshapiroExample entries are: 301390792Sgshapiro 301490792SgshapiroAuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5" 3015111823SgshapiroAuthInfo:host.more.dom "U:user" "P=c2VjcmV0" 301690792Sgshapiro 3017111823SgshapiroUser id or authentication id must exist as well as the password. All 301890792Sgshapiroother entries have default values. If one of user or authentication 301990792Sgshapiroid is missing, the existing value is used for the missing item. 302090792SgshapiroIf "R:" is not specified, realm defaults to $j. The list of mechanisms 302190792Sgshapirodefaults to those specified by AuthMechanisms. 302290792Sgshapiro 302390792SgshapiroSince this map contains sensitive information, either the access 302490792Sgshapiromap must be unreadable by everyone but root (or the trusted user) 302590792Sgshapiroor FEATURE(`authinfo') must be used which provides a separate map. 302690792SgshapiroNotice: It is not checked whether the map is actually 302790792Sgshapirogroup/world-unreadable, this is left to the user. 302890792Sgshapiro 302964562Sgshapiro+--------------------------------+ 303038032Speter| ADDING NEW MAILERS OR RULESETS | 303138032Speter+--------------------------------+ 303238032Speter 303338032SpeterSometimes you may need to add entirely new mailers or rulesets. They 303438032Spetershould be introduced with the constructs MAILER_DEFINITIONS and 303538032SpeterLOCAL_RULESETS respectively. For example: 303638032Speter 303738032Speter MAILER_DEFINITIONS 303838032Speter Mmymailer, ... 303938032Speter ... 304038032Speter 304138032Speter LOCAL_RULESETS 304238032Speter Smyruleset 304338032Speter ... 304438032Speter 304590792SgshapiroLocal additions for the rulesets srv_features, try_tls, tls_rcpt, 304690792Sgshapirotls_client, and tls_server can be made using LOCAL_SRV_FEATURES, 304790792SgshapiroLOCAL_TRY_TLS, LOCAL_TLS_RCPT, LOCAL_TLS_CLIENT, and LOCAL_TLS_SERVER, 304890792Sgshapirorespectively. For example, to add a local ruleset that decides 304990792Sgshapirowhether to try STARTTLS in a sendmail client, use: 305038032Speter 305190792Sgshapiro LOCAL_TRY_TLS 305290792Sgshapiro R... 305390792Sgshapiro 305490792SgshapiroNote: you don't need to add a name for the ruleset, it is implicitly 305590792Sgshapirodefined by using the appropriate macro. 305690792Sgshapiro 305790792Sgshapiro 305871345Sgshapiro+-------------------------+ 305971345Sgshapiro| ADDING NEW MAIL FILTERS | 306071345Sgshapiro+-------------------------+ 306164562Sgshapiro 306264562SgshapiroSendmail supports mail filters to filter incoming SMTP messages according 306364562Sgshapiroto the "Sendmail Mail Filter API" documentation. These filters can be 306464562Sgshapiroconfigured in your mc file using the two commands: 306564562Sgshapiro 306664562Sgshapiro MAIL_FILTER(`name', `equates') 306764562Sgshapiro INPUT_MAIL_FILTER(`name', `equates') 306864562Sgshapiro 306964562SgshapiroThe first command, MAIL_FILTER(), simply defines a filter with the given 307064562Sgshapironame and equates. For example: 307164562Sgshapiro 307264562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 307364562Sgshapiro 307464562SgshapiroThis creates the equivalent sendmail.cf entry: 307564562Sgshapiro 307664562Sgshapiro Xarchive, S=local:/var/run/archivesock, F=R 307764562Sgshapiro 307864562SgshapiroThe INPUT_MAIL_FILTER() command performs the same actions as MAIL_FILTER 307964562Sgshapirobut also populates the m4 variable `confINPUT_MAIL_FILTERS' with the name 308064562Sgshapiroof the filter such that the filter will actually be called by sendmail. 308164562Sgshapiro 308264562SgshapiroFor example, the two commands: 308364562Sgshapiro 308464562Sgshapiro INPUT_MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 308564562Sgshapiro INPUT_MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 308664562Sgshapiro 308764562Sgshapiroare equivalent to the three commands: 308864562Sgshapiro 308964562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 309064562Sgshapiro MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 309164562Sgshapiro define(`confINPUT_MAIL_FILTERS', `archive, spamcheck') 309264562Sgshapiro 309364562SgshapiroIn general, INPUT_MAIL_FILTER() should be used unless you need to define 309464562Sgshapiromore filters than you want to use for `confINPUT_MAIL_FILTERS'. 309564562Sgshapiro 309664562SgshapiroNote that setting `confINPUT_MAIL_FILTERS' after any INPUT_MAIL_FILTER() 309764562Sgshapirocommands will clear the list created by the prior INPUT_MAIL_FILTER() 309864562Sgshapirocommands. 309964562Sgshapiro 310064562Sgshapiro 310190792Sgshapiro+-------------------------+ 310290792Sgshapiro| QUEUE GROUP DEFINITIONS | 310390792Sgshapiro+-------------------------+ 310490792Sgshapiro 310590792SgshapiroIn addition to the queue directory (which is the default queue group 310690792Sgshapirocalled "mqueue"), sendmail can deal with multiple queue groups, which 310790792Sgshapiroare collections of queue directories with the same behaviour. Queue 310890792Sgshapirogroups can be defined using the command: 310990792Sgshapiro 311090792Sgshapiro QUEUE_GROUP(`name', `equates') 311190792Sgshapiro 311290792SgshapiroFor details about queue groups, please see doc/op/op.{me,ps,txt}. 311390792Sgshapiro 311438032Speter+-------------------------------+ 311538032Speter| NON-SMTP BASED CONFIGURATIONS | 311638032Speter+-------------------------------+ 311738032Speter 311864562SgshapiroThese configuration files are designed primarily for use by 311964562SgshapiroSMTP-based sites. They may not be well tuned for UUCP-only or 312038032SpeterUUCP-primarily nodes (the latter is defined as a small local net 312164562Sgshapiroconnected to the rest of the world via UUCP). However, there is 312264562Sgshapiroone hook to handle some special cases. 312338032Speter 312438032SpeterYou can define a ``smart host'' that understands a richer address syntax 312538032Speterusing: 312638032Speter 312743730Speter define(`SMART_HOST', `mailer:hostname') 312838032Speter 312938032SpeterIn this case, the ``mailer:'' defaults to "relay". Any messages that 313038032Spetercan't be handled using the usual UUCP rules are passed to this host. 313138032Speter 313238032SpeterIf you are on a local SMTP-based net that connects to the outside 313338032Speterworld via UUCP, you can use LOCAL_NET_CONFIG to add appropriate rules. 313438032SpeterFor example: 313538032Speter 313664562Sgshapiro define(`SMART_HOST', `uucp-new:uunet') 313738032Speter LOCAL_NET_CONFIG 313838032Speter R$* < @ $* .$m. > $* $#smtp $@ $2.$m. $: $1 < @ $2.$m. > $3 313938032Speter 314094334SgshapiroThis will cause all names that end in your domain name ($m) to be sent 314194334Sgshapirovia SMTP; anything else will be sent via uucp-new (smart UUCP) to uunet. 314243730SpeterIf you have FEATURE(`nocanonify'), you may need to omit the dots after 314338032Speterthe $m. If you are running a local DNS inside your domain which is 314438032Speternot otherwise connected to the outside world, you probably want to 314538032Speteruse: 314638032Speter 314743730Speter define(`SMART_HOST', `smtp:fire.wall.com') 314838032Speter LOCAL_NET_CONFIG 314938032Speter R$* < @ $* . > $* $#smtp $@ $2. $: $1 < @ $2. > $3 315038032Speter 315138032SpeterThat is, send directly only to things you found in your DNS lookup; 315238032Speteranything else goes through SMART_HOST. 315338032Speter 315438032SpeterYou may need to turn off the anti-spam rules in order to accept 315543730SpeterUUCP mail with FEATURE(`promiscuous_relay') and 315643730SpeterFEATURE(`accept_unresolvable_domains'). 315738032Speter 315838032Speter 315938032Speter+-----------+ 316038032Speter| WHO AM I? | 316138032Speter+-----------+ 316238032Speter 316338032SpeterNormally, the $j macro is automatically defined to be your fully 316438032Speterqualified domain name (FQDN). Sendmail does this by getting your 316538032Speterhost name using gethostname and then calling gethostbyname on the 316638032Speterresult. For example, in some environments gethostname returns 316738032Speteronly the root of the host name (such as "foo"); gethostbyname is 316838032Spetersupposed to return the FQDN ("foo.bar.com"). In some (fairly rare) 316938032Spetercases, gethostbyname may fail to return the FQDN. In this case 317038032Speteryou MUST define confDOMAIN_NAME to be your fully qualified domain 317138032Spetername. This is usually done using: 317238032Speter 317338032Speter Dmbar.com 317438032Speter define(`confDOMAIN_NAME', `$w.$m')dnl 317538032Speter 317638032Speter 317764562Sgshapiro+-----------------------------------+ 317864562Sgshapiro| ACCEPTING MAIL FOR MULTIPLE NAMES | 317964562Sgshapiro+-----------------------------------+ 318064562Sgshapiro 318164562SgshapiroIf your host is known by several different names, you need to augment 318264562Sgshapiroclass {w}. This is a list of names by which your host is known, and 318364562Sgshapiroanything sent to an address using a host name in this list will be 318464562Sgshapirotreated as local mail. You can do this in two ways: either create the 318564562Sgshapirofile /etc/mail/local-host-names containing a list of your aliases (one per 318664562Sgshapiroline), and use ``FEATURE(`use_cw_file')'' in the .mc file, or add 318764562Sgshapiro``LOCAL_DOMAIN(`alias.host.name')''. Be sure you use the fully-qualified 318864562Sgshapironame of the host, rather than a short name. 318964562Sgshapiro 319064562SgshapiroIf you want to have different address in different domains, take 319164562Sgshapiroa look at the virtusertable feature, which is also explained at 319264562Sgshapirohttp://www.sendmail.org/virtual-hosting.html 319364562Sgshapiro 319464562Sgshapiro 319538032Speter+--------------------+ 319638032Speter| USING MAILERTABLES | 319738032Speter+--------------------+ 319838032Speter 319943730SpeterTo use FEATURE(`mailertable'), you will have to create an external 320038032Speterdatabase containing the routing information for various domains. 320138032SpeterFor example, a mailertable file in text format might be: 320238032Speter 320338032Speter .my.domain xnet:%1.my.domain 320464562Sgshapiro uuhost1.my.domain uucp-new:uuhost1 320538032Speter .bitnet smtp:relay.bit.net 320638032Speter 320764562SgshapiroThis should normally be stored in /etc/mail/mailertable. The actual 320838032Speterdatabase version of the mailertable is built using: 320938032Speter 321064562Sgshapiro makemap hash /etc/mail/mailertable < /etc/mail/mailertable 321138032Speter 321238032SpeterThe semantics are simple. Any LHS entry that does not begin with 321338032Spetera dot matches the full host name indicated. LHS entries beginning 321466494Sgshapirowith a dot match anything ending with that domain name (including 321566494Sgshapirothe leading dot) -- that is, they can be thought of as having a 321666494Sgshapiroleading ".+" regular expression pattern for a non-empty sequence of 321766494Sgshapirocharacters. Matching is done in order of most-to-least qualified 321866494Sgshapiro-- for example, even though ".my.domain" is listed first in the 321966494Sgshapiroabove example, an entry of "uuhost1.my.domain" will match the second 322066494Sgshapiroentry since it is more explicit. Note: e-mail to "user@my.domain" 322166494Sgshapirodoes not match any entry in the above table. You need to have 322266494Sgshapirosomething like: 322338032Speter 322464562Sgshapiro my.domain esmtp:host.my.domain 322564562Sgshapiro 322638032SpeterThe RHS should always be a "mailer:host" pair. The mailer is the 322790792Sgshapiroconfiguration name of a mailer (that is, an M line in the 322838032Spetersendmail.cf file). The "host" will be the hostname passed to 322938032Speterthat mailer. In domain-based matches (that is, those with leading 323038032Speterdots) the "%1" may be used to interpolate the wildcarded part of 323138032Speterthe host name. For example, the first line above sends everything 323238032Speteraddressed to "anything.my.domain" to that same host name, but using 323338032Speterthe (presumably experimental) xnet mailer. 323438032Speter 323538032SpeterIn some cases you may want to temporarily turn off MX records, 323638032Speterparticularly on gateways. For example, you may want to MX 323738032Spetereverything in a domain to one machine that then forwards it 323838032Speterdirectly. To do this, you might use the DNS configuration: 323938032Speter 324038032Speter *.domain. IN MX 0 relay.machine 324138032Speter 324238032Speterand on relay.machine use the mailertable: 324338032Speter 324438032Speter .domain smtp:[gateway.domain] 324538032Speter 324638032SpeterThe [square brackets] turn off MX records for this host only. 324738032SpeterIf you didn't do this, the mailertable would use the MX record 324838032Speteragain, which would give you an MX loop. 324938032Speter 325038032Speter 325138032Speter+--------------------------------+ 325238032Speter| USING USERDB TO MAP FULL NAMES | 325338032Speter+--------------------------------+ 325438032Speter 325538032SpeterThe user database was not originally intended for mapping full names 325638032Speterto login names (e.g., Eric.Allman => eric), but some people are using 325764562Sgshapiroit that way. (it is recommended that you set up aliases for this 325838032Speterpurpose instead -- since you can specify multiple alias files, this 325938032Speteris fairly easy.) The intent was to locate the default maildrop at 326038032Spetera site, but allow you to override this by sending to a specific host. 326138032Speter 326238032SpeterIf you decide to set up the user database in this fashion, it is 326343730Speterimperative that you not use FEATURE(`stickyhost') -- otherwise, 326438032Spetere-mail sent to Full.Name@local.host.name will be rejected. 326538032Speter 326638032SpeterTo build the internal form of the user database, use: 326738032Speter 326864562Sgshapiro makemap btree /etc/mail/userdb < /etc/mail/userdb.txt 326938032Speter 327064562SgshapiroAs a general rule, it is an extremely bad idea to using full names 327164562Sgshapiroas e-mail addresses, since they are not in any sense unique. For 327266494Sgshapiroexample, the UNIX software-development community has at least two 327364562Sgshapirowell-known Peter Deutsches, and at one time Bell Labs had two 327464562SgshapiroStephen R. Bournes with offices along the same hallway. Which one 327564562Sgshapirowill be forced to suffer the indignity of being Stephen_R_Bourne_2? 327664562SgshapiroThe less famous of the two, or the one that was hired later? 327738032Speter 327838032SpeterFinger should handle full names (and be fuzzy). Mail should use 327964562Sgshapirohandles, and not be fuzzy. 328038032Speter 328138032Speter 328238032Speter+--------------------------------+ 328338032Speter| MISCELLANEOUS SPECIAL FEATURES | 328438032Speter+--------------------------------+ 328538032Speter 328638032SpeterPlussed users 328738032Speter Sometimes it is convenient to merge configuration on a 328838032Speter centralized mail machine, for example, to forward all 328938032Speter root mail to a mail server. In this case it might be 329038032Speter useful to be able to treat the root addresses as a class 329138032Speter of addresses with subtle differences. You can do this 329238032Speter using plussed users. For example, a client might include 329338032Speter the alias: 329438032Speter 329538032Speter root: root+client1@server 329638032Speter 329738032Speter On the server, this will match an alias for "root+client1". 329838032Speter If that is not found, the alias "root+*" will be tried, 329938032Speter then "root". 330038032Speter 330138032Speter 330238032Speter+----------------+ 330338032Speter| SECURITY NOTES | 330438032Speter+----------------+ 330538032Speter 330638032SpeterA lot of sendmail security comes down to you. Sendmail 8 is much 330738032Spetermore careful about checking for security problems than previous 330838032Speterversions, but there are some things that you still need to watch 330938032Speterfor. In particular: 331038032Speter 331198121Sgshapiro* Make sure the aliases file is not writable except by trusted 331238032Speter system personnel. This includes both the text and database 331338032Speter version. 331438032Speter 331538032Speter* Make sure that other files that sendmail reads, such as the 331638032Speter mailertable, are only writable by trusted system personnel. 331738032Speter 331838032Speter* The queue directory should not be world writable PARTICULARLY 331938032Speter if your system allows "file giveaways" (that is, if a non-root 332038032Speter user can chown any file they own to any other user). 332138032Speter 332238032Speter* If your system allows file giveaways, DO NOT create a publically 332338032Speter writable directory for forward files. This will allow anyone 332438032Speter to steal anyone else's e-mail. Instead, create a script that 332538032Speter copies the .forward file from users' home directories once a 332638032Speter night (if you want the non-NFS-mounted forward directory). 332738032Speter 332838032Speter* If your system allows file giveaways, you'll find that 332938032Speter sendmail is much less trusting of :include: files -- in 333038032Speter particular, you'll have to have /SENDMAIL/ANY/SHELL/ in 333138032Speter /etc/shells before they will be trusted (that is, before 333238032Speter files and programs listed in them will be honored). 333338032Speter 333438032SpeterIn general, file giveaways are a mistake -- if you can turn them 333564562Sgshapirooff, do so. 333638032Speter 333738032Speter 333838032Speter+--------------------------------+ 333938032Speter| TWEAKING CONFIGURATION OPTIONS | 334038032Speter+--------------------------------+ 334138032Speter 334238032SpeterThere are a large number of configuration options that don't normally 334338032Speterneed to be changed. However, if you feel you need to tweak them, you 334438032Spetercan define the following M4 variables. This list is shown in four 334538032Spetercolumns: the name you define, the default value for that definition, 334638032Speterthe option or macro that is affected (either Ox for an option or Dx 334738032Speterfor a macro), and a brief description. Greater detail of the semantics 334838032Spetercan be found in the Installation and Operations Guide. 334938032Speter 335038032SpeterSome options are likely to be deprecated in future versions -- that is, 335138032Speterthe option is only included to provide back-compatibility. These are 335238032Spetermarked with "*". 335338032Speter 335438032SpeterRemember that these options are M4 variables, and hence may need to 335538032Speterbe quoted. In particular, arguments with commas will usually have to 335638032Speterbe ``double quoted, like this phrase'' to avoid having the comma 335738032Speterconfuse things. This is common for alias file definitions and for 335838032Speterthe read timeout. 335938032Speter 336038032SpeterM4 Variable Name Configuration Description & [Default] 336138032Speter================ ============= ======================= 336238032SpeterconfMAILER_NAME $n macro [MAILER-DAEMON] The sender name used 336338032Speter for internally generated outgoing 336438032Speter messages. 336538032SpeterconfDOMAIN_NAME $j macro If defined, sets $j. This should 336638032Speter only be done if your system cannot 336738032Speter determine your local domain name, 336838032Speter and then it should be set to 336938032Speter $w.Foo.COM, where Foo.COM is your 337038032Speter domain name. 337138032SpeterconfCF_VERSION $Z macro If defined, this is appended to the 337238032Speter configuration version name. 337390792SgshapiroconfLDAP_CLUSTER ${sendmailMTACluster} macro 337490792Sgshapiro If defined, this is the LDAP 337590792Sgshapiro cluster to use for LDAP searches 337690792Sgshapiro as described above in ``USING LDAP 337790792Sgshapiro FOR ALIASES, MAPS, AND CLASSES''. 337864562SgshapiroconfFROM_HEADER From: [$?x$x <$g>$|$g$.] The format of an 337938032Speter internally generated From: address. 338038032SpeterconfRECEIVED_HEADER Received: 338138032Speter [$?sfrom $s $.$?_($?s$|from $.$_) 338264562Sgshapiro $.$?{auth_type}(authenticated) 338338032Speter $.by $j ($v/$Z)$?r with $r$. id $i$?u 338438032Speter for $u; $|; 338538032Speter $.$b] 338638032Speter The format of the Received: header 338738032Speter in messages passed through this host. 338838032Speter It is unwise to try to change this. 338964562SgshapiroconfCW_FILE Fw class [/etc/mail/local-host-names] Name 339064562Sgshapiro of file used to get the local 339164562Sgshapiro additions to class {w} (local host 339264562Sgshapiro names). 339364562SgshapiroconfCT_FILE Ft class [/etc/mail/trusted-users] Name of 339464562Sgshapiro file used to get the local additions 339564562Sgshapiro to class {t} (trusted users). 339638032SpeterconfCR_FILE FR class [/etc/mail/relay-domains] Name of 339738032Speter file used to get the local additions 339864562Sgshapiro to class {R} (hosts allowed to relay). 339938032SpeterconfTRUSTED_USERS Ct class [no default] Names of users to add to 340038032Speter the list of trusted users. This list 340138032Speter always includes root, uucp, and daemon. 340243730Speter See also FEATURE(`use_ct_file'). 340364562SgshapiroconfTRUSTED_USER TrustedUser [no default] Trusted user for file 340464562Sgshapiro ownership and starting the daemon. 340564562Sgshapiro Not to be confused with 340664562Sgshapiro confTRUSTED_USERS (see above). 340738032SpeterconfSMTP_MAILER - [esmtp] The mailer name used when 340838032Speter SMTP connectivity is required. 340964562Sgshapiro One of "smtp", "smtp8", 341064562Sgshapiro "esmtp", or "dsmtp". 341138032SpeterconfUUCP_MAILER - [uucp-old] The mailer to be used by 341238032Speter default for bang-format recipient 341338032Speter addresses. See also discussion of 341464562Sgshapiro class {U}, class {Y}, and class {Z} 341564562Sgshapiro in the MAILER(`uucp') section. 341638032SpeterconfLOCAL_MAILER - [local] The mailer name used when 341738032Speter local connectivity is required. 341838032Speter Almost always "local". 341938032SpeterconfRELAY_MAILER - [relay] The default mailer name used 342038032Speter for relaying any mail (e.g., to a 342138032Speter BITNET_RELAY, a SMART_HOST, or 342238032Speter whatever). This can reasonably be 342338032Speter "uucp-new" if you are on a 342438032Speter UUCP-connected site. 342538032SpeterconfSEVEN_BIT_INPUT SevenBitInput [False] Force input to seven bits? 342638032SpeterconfEIGHT_BIT_HANDLING EightBitMode [pass8] 8-bit data handling 342738032SpeterconfALIAS_WAIT AliasWait [10m] Time to wait for alias file 342838032Speter rebuild until you get bored and 342938032Speter decide that the apparently pending 343038032Speter rebuild failed. 343138032SpeterconfMIN_FREE_BLOCKS MinFreeBlocks [100] Minimum number of free blocks on 343238032Speter queue filesystem to accept SMTP mail. 343338032Speter (Prior to 8.7 this was minfree/maxsize, 343438032Speter where minfree was the number of free 343538032Speter blocks and maxsize was the maximum 343638032Speter message size. Use confMAX_MESSAGE_SIZE 343738032Speter for the second value now.) 343838032SpeterconfMAX_MESSAGE_SIZE MaxMessageSize [infinite] The maximum size of messages 343938032Speter that will be accepted (in bytes). 344038032SpeterconfBLANK_SUB BlankSub [.] Blank (space) substitution 344138032Speter character. 344238032SpeterconfCON_EXPENSIVE HoldExpensive [False] Avoid connecting immediately 344364562Sgshapiro to mailers marked expensive. 344438032SpeterconfCHECKPOINT_INTERVAL CheckpointInterval 344538032Speter [10] Checkpoint queue files every N 344638032Speter recipients. 344738032SpeterconfDELIVERY_MODE DeliveryMode [background] Default delivery mode. 344838032SpeterconfERROR_MODE ErrorMode [print] Error message mode. 344938032SpeterconfERROR_MESSAGE ErrorHeader [undefined] Error message header/file. 345042575SpeterconfSAVE_FROM_LINES SaveFromLine Save extra leading From_ lines. 345138032SpeterconfTEMP_FILE_MODE TempFileMode [0600] Temporary file mode. 345238032SpeterconfMATCH_GECOS MatchGECOS [False] Match GECOS field. 345338032SpeterconfMAX_HOP MaxHopCount [25] Maximum hop count. 345464562SgshapiroconfIGNORE_DOTS* IgnoreDots [False; always False in -bs or -bd 345564562Sgshapiro mode] Ignore dot as terminator for 345664562Sgshapiro incoming messages? 345738032SpeterconfBIND_OPTS ResolverOptions [undefined] Default options for DNS 345838032Speter resolver. 345938032SpeterconfMIME_FORMAT_ERRORS* SendMimeErrors [True] Send error messages as MIME- 346038032Speter encapsulated messages per RFC 1344. 346138032SpeterconfFORWARD_PATH ForwardPath [$z/.forward.$w:$z/.forward] 346238032Speter The colon-separated list of places to 346338032Speter search for .forward files. N.B.: see 346438032Speter the Security Notes section. 346538032SpeterconfMCI_CACHE_SIZE ConnectionCacheSize 346638032Speter [2] Size of open connection cache. 346738032SpeterconfMCI_CACHE_TIMEOUT ConnectionCacheTimeout 346838032Speter [5m] Open connection cache timeout. 346938032SpeterconfHOST_STATUS_DIRECTORY HostStatusDirectory 347038032Speter [undefined] If set, host status is kept 347138032Speter on disk between sendmail runs in the 347238032Speter named directory tree. This need not be 347338032Speter a full pathname, in which case it is 347438032Speter interpreted relative to the queue 347538032Speter directory. 347638032SpeterconfSINGLE_THREAD_DELIVERY SingleThreadDelivery 347738032Speter [False] If this option and the 347838032Speter HostStatusDirectory option are both 347938032Speter set, single thread deliveries to other 348038032Speter hosts. That is, don't allow any two 348138032Speter sendmails on this host to connect 348238032Speter simultaneously to any other single 348338032Speter host. This can slow down delivery in 348438032Speter some cases, in particular since a 348538032Speter cached but otherwise idle connection 348638032Speter to a host will prevent other sendmails 348738032Speter from connecting to the other host. 348864562SgshapiroconfUSE_ERRORS_TO* UseErrorsTo [False] Use the Errors-To: header to 348938032Speter deliver error messages. This should 349038032Speter not be necessary because of general 349138032Speter acceptance of the envelope/header 349238032Speter distinction. 349338032SpeterconfLOG_LEVEL LogLevel [9] Log level. 349464562SgshapiroconfME_TOO MeToo [True] Include sender in group 349564562Sgshapiro expansions. This option is 349664562Sgshapiro deprecated and will be removed from 349764562Sgshapiro a future version. 349838032SpeterconfCHECK_ALIASES CheckAliases [False] Check RHS of aliases when 349938032Speter running newaliases. Since this does 350038032Speter DNS lookups on every address, it can 350138032Speter slow down the alias rebuild process 350238032Speter considerably on large alias files. 350338032SpeterconfOLD_STYLE_HEADERS* OldStyleHeaders [True] Assume that headers without 350438032Speter special chars are old style. 350538032SpeterconfPRIVACY_FLAGS PrivacyOptions [authwarnings] Privacy flags. 350638032SpeterconfCOPY_ERRORS_TO PostmasterCopy [undefined] Address for additional 350738032Speter copies of all error messages. 350838032SpeterconfQUEUE_FACTOR QueueFactor [600000] Slope of queue-only function. 350990792SgshapiroconfQUEUE_FILE_MODE QueueFileMode [undefined] Default permissions for 351090792Sgshapiro queue files (octal). If not set, 351190792Sgshapiro sendmail uses 0600 unless its real 351290792Sgshapiro and effective uid are different in 351390792Sgshapiro which case it uses 0644. 351438032SpeterconfDONT_PRUNE_ROUTES DontPruneRoutes [False] Don't prune down route-addr 351538032Speter syntax addresses to the minimum 351638032Speter possible. 351738032SpeterconfSAFE_QUEUE* SuperSafe [True] Commit all messages to disk 351838032Speter before forking. 351938032SpeterconfTO_INITIAL Timeout.initial [5m] The timeout waiting for a response 352038032Speter on the initial connect. 352138032SpeterconfTO_CONNECT Timeout.connect [0] The timeout waiting for an initial 352238032Speter connect() to complete. This can only 352338032Speter shorten connection timeouts; the kernel 352438032Speter silently enforces an absolute maximum 352538032Speter (which varies depending on the system). 352638032SpeterconfTO_ICONNECT Timeout.iconnect 352738032Speter [undefined] Like Timeout.connect, but 352838032Speter applies only to the very first attempt 352938032Speter to connect to a host in a message. 353038032Speter This allows a single very fast pass 353138032Speter followed by more careful delivery 353238032Speter attempts in the future. 353390792SgshapiroconfTO_ACONNECT Timeout.aconnect 353490792Sgshapiro [0] The overall timeout waiting for 353590792Sgshapiro all connection for a single delivery 353690792Sgshapiro attempt to succeed. If 0, no overall 353790792Sgshapiro limit is applied. 353838032SpeterconfTO_HELO Timeout.helo [5m] The timeout waiting for a response 353938032Speter to a HELO or EHLO command. 354038032SpeterconfTO_MAIL Timeout.mail [10m] The timeout waiting for a 354138032Speter response to the MAIL command. 354238032SpeterconfTO_RCPT Timeout.rcpt [1h] The timeout waiting for a response 354338032Speter to the RCPT command. 354438032SpeterconfTO_DATAINIT Timeout.datainit 354538032Speter [5m] The timeout waiting for a 354 354638032Speter response from the DATA command. 354738032SpeterconfTO_DATABLOCK Timeout.datablock 354838032Speter [1h] The timeout waiting for a block 354938032Speter during DATA phase. 355038032SpeterconfTO_DATAFINAL Timeout.datafinal 355138032Speter [1h] The timeout waiting for a response 355238032Speter to the final "." that terminates a 355338032Speter message. 355438032SpeterconfTO_RSET Timeout.rset [5m] The timeout waiting for a response 355538032Speter to the RSET command. 355638032SpeterconfTO_QUIT Timeout.quit [2m] The timeout waiting for a response 355738032Speter to the QUIT command. 355838032SpeterconfTO_MISC Timeout.misc [2m] The timeout waiting for a response 355938032Speter to other SMTP commands. 356064562SgshapiroconfTO_COMMAND Timeout.command [1h] In server SMTP, the timeout 356164562Sgshapiro waiting for a command to be issued. 356264562SgshapiroconfTO_IDENT Timeout.ident [5s] The timeout waiting for a 356364562Sgshapiro response to an IDENT query. 356438032SpeterconfTO_FILEOPEN Timeout.fileopen 356538032Speter [60s] The timeout waiting for a file 356638032Speter (e.g., :include: file) to be opened. 356790792SgshapiroconfTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response 356890792Sgshapiro to an LMTP LHLO command. 356990792SgshapiroconfTO_AUTH Timeout.auth [10m] The timeout waiting for a 357090792Sgshapiro response in an AUTH dialogue. 357190792SgshapiroconfTO_STARTTLS Timeout.starttls 357290792Sgshapiro [1h] The timeout waiting for a 357390792Sgshapiro response to an SMTP STARTTLS command. 357464562SgshapiroconfTO_CONTROL Timeout.control 357564562Sgshapiro [2m] The timeout for a complete 357664562Sgshapiro control socket transaction to complete. 357738032SpeterconfTO_QUEUERETURN Timeout.queuereturn 357838032Speter [5d] The timeout before a message is 357938032Speter returned as undeliverable. 358038032SpeterconfTO_QUEUERETURN_NORMAL 358138032Speter Timeout.queuereturn.normal 358238032Speter [undefined] As above, for normal 358338032Speter priority messages. 358438032SpeterconfTO_QUEUERETURN_URGENT 358538032Speter Timeout.queuereturn.urgent 358638032Speter [undefined] As above, for urgent 358738032Speter priority messages. 358838032SpeterconfTO_QUEUERETURN_NONURGENT 358938032Speter Timeout.queuereturn.non-urgent 359038032Speter [undefined] As above, for non-urgent 359138032Speter (low) priority messages. 359238032SpeterconfTO_QUEUEWARN Timeout.queuewarn 359338032Speter [4h] The timeout before a warning 359438032Speter message is sent to the sender telling 359564562Sgshapiro them that the message has been 359664562Sgshapiro deferred. 359738032SpeterconfTO_QUEUEWARN_NORMAL Timeout.queuewarn.normal 359838032Speter [undefined] As above, for normal 359938032Speter priority messages. 360038032SpeterconfTO_QUEUEWARN_URGENT Timeout.queuewarn.urgent 360138032Speter [undefined] As above, for urgent 360238032Speter priority messages. 360338032SpeterconfTO_QUEUEWARN_NONURGENT 360438032Speter Timeout.queuewarn.non-urgent 360538032Speter [undefined] As above, for non-urgent 360638032Speter (low) priority messages. 360738032SpeterconfTO_HOSTSTATUS Timeout.hoststatus 360838032Speter [30m] How long information about host 360938032Speter statuses will be maintained before it 361038032Speter is considered stale and the host should 361138032Speter be retried. This applies both within 361238032Speter a single queue run and to persistent 361338032Speter information (see below). 361464562SgshapiroconfTO_RESOLVER_RETRANS Timeout.resolver.retrans 361564562Sgshapiro [varies] Sets the resolver's 361698121Sgshapiro retransmission time interval (in 361764562Sgshapiro seconds). Sets both 361864562Sgshapiro Timeout.resolver.retrans.first and 361964562Sgshapiro Timeout.resolver.retrans.normal. 362064562SgshapiroconfTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first 362164562Sgshapiro [varies] Sets the resolver's 362298121Sgshapiro retransmission time interval (in 362364562Sgshapiro seconds) for the first attempt to 362464562Sgshapiro deliver a message. 362564562SgshapiroconfTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal 362664562Sgshapiro [varies] Sets the resolver's 362798121Sgshapiro retransmission time interval (in 362864562Sgshapiro seconds) for all resolver lookups 362964562Sgshapiro except the first delivery attempt. 363064562SgshapiroconfTO_RESOLVER_RETRY Timeout.resolver.retry 363164562Sgshapiro [varies] Sets the number of times 363264562Sgshapiro to retransmit a resolver query. 363364562Sgshapiro Sets both 363464562Sgshapiro Timeout.resolver.retry.first and 363564562Sgshapiro Timeout.resolver.retry.normal. 363664562SgshapiroconfTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first 363764562Sgshapiro [varies] Sets the number of times 363864562Sgshapiro to retransmit a resolver query for 363964562Sgshapiro the first attempt to deliver a 364064562Sgshapiro message. 364164562SgshapiroconfTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal 364264562Sgshapiro [varies] Sets the number of times 364364562Sgshapiro to retransmit a resolver query for 364464562Sgshapiro all resolver lookups except the 364564562Sgshapiro first delivery attempt. 364638032SpeterconfTIME_ZONE TimeZoneSpec [USE_SYSTEM] Time zone info -- can be 364738032Speter USE_SYSTEM to use the system's idea, 364838032Speter USE_TZ to use the user's TZ envariable, 364938032Speter or something else to force that value. 365038032SpeterconfDEF_USER_ID DefaultUser [1:1] Default user id. 365138032SpeterconfUSERDB_SPEC UserDatabaseSpec 365264562Sgshapiro [undefined] User database 365364562Sgshapiro specification. 365438032SpeterconfFALLBACK_MX FallbackMXhost [undefined] Fallback MX host. 365564562SgshapiroconfTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX 365664562Sgshapiro for a host and other arrangements 365764562Sgshapiro haven't been made, try connecting 365864562Sgshapiro to the host directly; normally this 365964562Sgshapiro would be a config error. 366064562SgshapiroconfQUEUE_LA QueueLA [varies] Load average at which 366164562Sgshapiro queue-only function kicks in. 366264562Sgshapiro Default values is (8 * numproc) 366364562Sgshapiro where numproc is the number of 366464562Sgshapiro processors online (if that can be 366564562Sgshapiro determined). 366664562SgshapiroconfREFUSE_LA RefuseLA [varies] Load average at which 366764562Sgshapiro incoming SMTP connections are 366864562Sgshapiro refused. Default values is (12 * 366964562Sgshapiro numproc) where numproc is the 367064562Sgshapiro number of processors online (if 367164562Sgshapiro that can be determined). 367290792SgshapiroconfDELAY_LA DelayLA [0] Load average at which sendmail 367390792Sgshapiro will sleep for one second on most 367490792Sgshapiro SMTP commands and before accepting 367590792Sgshapiro connections. 0 means no limit. 367664562SgshapiroconfMAX_ALIAS_RECURSION MaxAliasRecursion 367764562Sgshapiro [10] Maximum depth of alias recursion. 367838032SpeterconfMAX_DAEMON_CHILDREN MaxDaemonChildren 367938032Speter [undefined] The maximum number of 368038032Speter children the daemon will permit. After 368138032Speter this number, connections will be 368238032Speter rejected. If not set or <= 0, there is 368338032Speter no limit. 368464562SgshapiroconfMAX_HEADERS_LENGTH MaxHeadersLength 368571345Sgshapiro [32768] Maximum length of the sum 368664562Sgshapiro of all headers. 368764562SgshapiroconfMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength 368864562Sgshapiro [undefined] Maximum length of 368964562Sgshapiro certain MIME header field values. 369038032SpeterconfCONNECTION_RATE_THROTTLE ConnectionRateThrottle 369138032Speter [undefined] The maximum number of 369290792Sgshapiro connections permitted per second per 369390792Sgshapiro daemon. After this many connections 369490792Sgshapiro are accepted, further connections 369590792Sgshapiro will be delayed. If not set or <= 0, 369690792Sgshapiro there is no limit. 369738032SpeterconfWORK_RECIPIENT_FACTOR 369838032Speter RecipientFactor [30000] Cost of each recipient. 369964562SgshapiroconfSEPARATE_PROC ForkEachJob [False] Run all deliveries in a 370064562Sgshapiro separate process. 370138032SpeterconfWORK_CLASS_FACTOR ClassFactor [1800] Priority multiplier for class. 370238032SpeterconfWORK_TIME_FACTOR RetryFactor [90000] Cost of each delivery attempt. 370338032SpeterconfQUEUE_SORT_ORDER QueueSortOrder [Priority] Queue sort algorithm: 370490792Sgshapiro Priority, Host, Filename, Random, 370590792Sgshapiro Modification, or Time. 370638032SpeterconfMIN_QUEUE_AGE MinQueueAge [0] The minimum amount of time a job 370738032Speter must sit in the queue between queue 370838032Speter runs. This allows you to set the 370938032Speter queue run interval low for better 371038032Speter responsiveness without trying all 371138032Speter jobs in each run. 371238032SpeterconfDEF_CHAR_SET DefaultCharSet [unknown-8bit] When converting 371338032Speter unlabeled 8 bit input to MIME, the 371438032Speter character set to use by default. 371538032SpeterconfSERVICE_SWITCH_FILE ServiceSwitchFile 371664562Sgshapiro [/etc/mail/service.switch] The file 371764562Sgshapiro to use for the service switch on 371864562Sgshapiro systems that do not have a 371964562Sgshapiro system-defined switch. 372038032SpeterconfHOSTS_FILE HostsFile [/etc/hosts] The file to use when doing 372138032Speter "file" type access of hosts names. 372238032SpeterconfDIAL_DELAY DialDelay [0s] If a connection fails, wait this 372338032Speter long and try again. Zero means "don't 372438032Speter retry". This is to allow "dial on 372538032Speter demand" connections to have enough time 372638032Speter to complete a connection. 372738032SpeterconfNO_RCPT_ACTION NoRecipientAction 372838032Speter [none] What to do if there are no legal 372938032Speter recipient fields (To:, Cc: or Bcc:) 373038032Speter in the message. Legal values can 373138032Speter be "none" to just leave the 373238032Speter nonconforming message as is, "add-to" 373338032Speter to add a To: header with all the 373438032Speter known recipients (which may expose 373538032Speter blind recipients), "add-apparently-to" 373638032Speter to do the same but use Apparently-To: 373790792Sgshapiro instead of To: (strongly discouraged 373890792Sgshapiro in accordance with IETF standards), 373990792Sgshapiro "add-bcc" to add an empty Bcc: 374090792Sgshapiro header, or "add-to-undisclosed" to 374190792Sgshapiro add the header 374238032Speter ``To: undisclosed-recipients:;''. 374338032SpeterconfSAFE_FILE_ENV SafeFileEnvironment 374438032Speter [undefined] If set, sendmail will do a 374538032Speter chroot() into this directory before 374638032Speter writing files. 374738032SpeterconfCOLON_OK_IN_ADDR ColonOkInAddr [True unless Configuration Level > 6] 374838032Speter If set, colons are treated as a regular 374938032Speter character in addresses. If not set, 375038032Speter they are treated as the introducer to 375138032Speter the RFC 822 "group" syntax. Colons are 375238032Speter handled properly in route-addrs. This 375338032Speter option defaults on for V5 and lower 375438032Speter configuration files. 375538032SpeterconfMAX_QUEUE_RUN_SIZE MaxQueueRunSize [0] If set, limit the maximum size of 375638032Speter any given queue run to this number of 375738032Speter entries. Essentially, this will stop 375864562Sgshapiro reading each queue directory after this 375938032Speter number of entries are reached; it does 376038032Speter _not_ pick the highest priority jobs, 376138032Speter so this should be as large as your 376238032Speter system can tolerate. If not set, there 376338032Speter is no limit. 376490792SgshapiroconfMAX_QUEUE_CHILDREN MaxQueueChildren 376590792Sgshapiro [undefined] Limits the maximum number 376690792Sgshapiro of concurrent queue runners active. 376790792Sgshapiro This is to keep system resources used 376890792Sgshapiro within a reasonable limit. Relates to 376990792Sgshapiro Queue Groups and ForkAllJobs. 377090792SgshapiroconfMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue 377190792Sgshapiro [1] Only active when MaxQueueChildren 377290792Sgshapiro defined. Controls the maximum number 377390792Sgshapiro of queue runners (aka queue children) 377490792Sgshapiro active at the same time in a work 377590792Sgshapiro group. See also MaxQueueChildren. 377638032SpeterconfDONT_EXPAND_CNAMES DontExpandCnames 377738032Speter [False] If set, $[ ... $] lookups that 377838032Speter do DNS based lookups do not expand 377938032Speter CNAME records. This currently violates 378038032Speter the published standards, but the IETF 378138032Speter seems to be moving toward legalizing 378238032Speter this. For example, if "FTP.Foo.ORG" 378338032Speter is a CNAME for "Cruft.Foo.ORG", then 378438032Speter with this option set a lookup of 378538032Speter "FTP" will return "FTP.Foo.ORG"; if 378638032Speter clear it returns "Cruft.FOO.ORG". N.B. 378738032Speter you may not see any effect until your 378838032Speter downstream neighbors stop doing CNAME 378938032Speter lookups as well. 379064562SgshapiroconfFROM_LINE UnixFromLine [From $g $d] The From_ line used 379138032Speter when sending to files or programs. 379238032SpeterconfSINGLE_LINE_FROM_HEADER SingleLineFromHeader 379338032Speter [False] From: lines that have 379438032Speter embedded newlines are unwrapped 379538032Speter onto one line. 379638032SpeterconfALLOW_BOGUS_HELO AllowBogusHELO [False] Allow HELO SMTP command that 379738032Speter does not include a host name. 379838032SpeterconfMUST_QUOTE_CHARS MustQuoteChars [.'] Characters to be quoted in a full 379938032Speter name phrase (@,;:\()[] are automatic). 380038032SpeterconfOPERATORS OperatorChars [.:%@!^/[]+] Address operator 380138032Speter characters. 380238032SpeterconfSMTP_LOGIN_MSG SmtpGreetingMessage 380338032Speter [$j Sendmail $v/$Z; $b] 380438032Speter The initial (spontaneous) SMTP 380538032Speter greeting message. The word "ESMTP" 380638032Speter will be inserted between the first and 380738032Speter second words to convince other 380838032Speter sendmails to try to speak ESMTP. 380938032SpeterconfDONT_INIT_GROUPS DontInitGroups [False] If set, the initgroups(3) 381038032Speter routine will never be invoked. You 381138032Speter might want to do this if you are 381238032Speter running NIS and you have a large group 381338032Speter map, since this call does a sequential 381438032Speter scan of the map; in a large site this 381538032Speter can cause your ypserv to run 381638032Speter essentially full time. If you set 381738032Speter this, agents run on behalf of users 381838032Speter will only have their primary 381938032Speter (/etc/passwd) group permissions. 382038032SpeterconfUNSAFE_GROUP_WRITES UnsafeGroupWrites 382138032Speter [False] If set, group-writable 382238032Speter :include: and .forward files are 382338032Speter considered "unsafe", that is, programs 382438032Speter and files cannot be directly referenced 382538032Speter from such files. World-writable files 382638032Speter are always considered unsafe. 382764562SgshapiroconfCONNECT_ONLY_TO ConnectOnlyTo [undefined] override connection 382864562Sgshapiro address (for testing). 382964562SgshapiroconfCONTROL_SOCKET_NAME ControlSocketName 383064562Sgshapiro [undefined] Control socket for daemon 383164562Sgshapiro management. 383238032SpeterconfDOUBLE_BOUNCE_ADDRESS DoubleBounceAddress 383338032Speter [postmaster] If an error occurs when 383438032Speter sending an error message, send that 383538032Speter "double bounce" error message to this 383690792Sgshapiro address. If it expands to an empty 383790792Sgshapiro string, double bounces are dropped. 383864562SgshapiroconfDEAD_LETTER_DROP DeadLetterDrop [undefined] Filename to save bounce 383964562Sgshapiro messages which could not be returned 384064562Sgshapiro to the user or sent to postmaster. 384164562Sgshapiro If not set, the queue file will 384264562Sgshapiro be renamed. 384364562SgshapiroconfRRT_IMPLIES_DSN RrtImpliesDsn [False] Return-Receipt-To: header 384464562Sgshapiro implies DSN request. 384538032SpeterconfRUN_AS_USER RunAsUser [undefined] If set, become this user 384638032Speter when reading and delivering mail. 384738032Speter Causes all file reads (e.g., .forward 384838032Speter and :include: files) to be done as 384938032Speter this user. Also, all programs will 385038032Speter be run as this user, and all output 385138032Speter files will be written as this user. 385238032Speter Intended for use only on firewalls 385338032Speter where users do not have accounts. 385438032SpeterconfMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage 385538032Speter [infinite] If set, allow no more than 385638032Speter the specified number of recipients in 385738032Speter an SMTP envelope. Further recipients 385838032Speter receive a 452 error code (i.e., they 385938032Speter are deferred for the next delivery 386038032Speter attempt). 386190792SgshapiroconfBAD_RCPT_THROTTLE BadRcptThrottle [infinite] If set and more than the 386290792Sgshapiro specified number of recipients in an 386390792Sgshapiro envelope are rejected, sleep for one 386490792Sgshapiro second after each rejected RCPT 386590792Sgshapiro command. 386638032SpeterconfDONT_PROBE_INTERFACES DontProbeInterfaces 386738032Speter [False] If set, sendmail will _not_ 386838032Speter insert the names and addresses of any 386964562Sgshapiro local interfaces into class {w} 387038032Speter (list of known "equivalent" addresses). 387138032Speter If you set this, you must also include 387238032Speter some support for these addresses (e.g., 387338032Speter in a mailertable entry) -- otherwise, 387438032Speter mail to addresses in this list will 387538032Speter bounce with a configuration error. 387690792Sgshapiro If set to "loopback" (without 387790792Sgshapiro quotes), sendmail will skip 387890792Sgshapiro loopback interfaces (e.g., "lo0"). 387964562SgshapiroconfPID_FILE PidFile [system dependent] Location of pid 388064562Sgshapiro file. 388164562SgshapiroconfPROCESS_TITLE_PREFIX ProcessTitlePrefix 388264562Sgshapiro [undefined] Prefix string for the 388364562Sgshapiro process title shown on 'ps' listings. 388438032SpeterconfDONT_BLAME_SENDMAIL DontBlameSendmail 388538032Speter [safe] Override sendmail's file 388638032Speter safety checks. This will definitely 388738032Speter compromise system security and should 388838032Speter not be used unless absolutely 388938032Speter necessary. 389038032SpeterconfREJECT_MSG - [550 Access denied] The message 389138032Speter given if the access database contains 389238032Speter REJECT in the value portion. 389390792SgshapiroconfRELAY_MSG - [550 Relaying denied] The message 389490792Sgshapiro given if an unauthorized relaying 389590792Sgshapiro attempt is rejected. 389664562SgshapiroconfDF_BUFFER_SIZE DataFileBufferSize 389764562Sgshapiro [4096] The maximum size of a 389864562Sgshapiro memory-buffered data (df) file 389964562Sgshapiro before a disk-based file is used. 390064562SgshapiroconfXF_BUFFER_SIZE XScriptFileBufferSize 390164562Sgshapiro [4096] The maximum size of a 390264562Sgshapiro memory-buffered transcript (xf) 390364562Sgshapiro file before a disk-based file is 390464562Sgshapiro used. 390564562SgshapiroconfAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5 390664562Sgshapiro CRAM-MD5] List of authentication 390764562Sgshapiro mechanisms for AUTH (separated by 390864562Sgshapiro spaces). The advertised list of 390964562Sgshapiro authentication mechanisms will be the 391064562Sgshapiro intersection of this list and the list 391164562Sgshapiro of available mechanisms as determined 391264562Sgshapiro by the CYRUS SASL library. 391373188SgshapiroconfDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains 391464562Sgshapiro authentication information for 391590792Sgshapiro outgoing connections. This file must 391690792Sgshapiro contain the user id, the authorization 391790792Sgshapiro id, the password (plain text), the 391890792Sgshapiro realm to use, and the list of 391990792Sgshapiro mechanisms to try, each on a separate 392090792Sgshapiro line and must be readable by root (or 392190792Sgshapiro the trusted user) only. If no realm 392290792Sgshapiro is specified, $j is used. If no 392390792Sgshapiro mechanisms are given in the file, 392490792Sgshapiro AuthMechanisms is used. Notice: this 392590792Sgshapiro option is deprecated and will be 392690792Sgshapiro removed in future versions; it doesn't 392790792Sgshapiro work for the MSP since it can't read 392890792Sgshapiro the file. Use the authinfo ruleset 392990792Sgshapiro instead. See also the section SMTP 393090792Sgshapiro AUTHENTICATION. 393190792SgshapiroconfAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' 393264562Sgshapiro then the AUTH= parameter for the 393364562Sgshapiro MAIL FROM command is only issued 393464562Sgshapiro when authentication succeeded. 393590792Sgshapiro Other values (which should be listed 393690792Sgshapiro one after the other without any 393790792Sgshapiro intervening characters except for 393890792Sgshapiro space or comma) are a, c, d, f, p, 393990792Sgshapiro and y. See doc/op/op.me for 394090792Sgshapiro details. 394190792SgshapiroconfAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption 394290792Sgshapiro strength for the security layer in 394390792Sgshapiro SMTP AUTH (SASL). Default is 394490792Sgshapiro essentially unlimited. 394590792SgshapiroconfTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client 394690792Sgshapiro verification is performed, i.e., 394790792Sgshapiro the server doesn't ask for a 394890792Sgshapiro certificate. 394964562SgshapiroconfLDAP_DEFAULT_SPEC LDAPDefaultSpec [undefined] Default map 395064562Sgshapiro specification for LDAP maps. The 395164562Sgshapiro value should only contain LDAP 395264562Sgshapiro specific settings such as "-h host 395364562Sgshapiro -p port -d bindDN", etc. The 395464562Sgshapiro settings will be used for all LDAP 395564562Sgshapiro maps unless they are specified in 395664562Sgshapiro the individual map specification 395764562Sgshapiro ('K' command). 3958110560SgshapiroconfCACERT_PATH CACertPath [undefined] Path to directory 395964562Sgshapiro with certs of CAs. 3960110560SgshapiroconfCACERT CACertFile [undefined] File containing one CA 396164562Sgshapiro cert. 396264562SgshapiroconfSERVER_CERT ServerCertFile [undefined] File containing the 396364562Sgshapiro cert of the server, i.e., this cert 396464562Sgshapiro is used when sendmail acts as 396564562Sgshapiro server. 396664562SgshapiroconfSERVER_KEY ServerKeyFile [undefined] File containing the 396764562Sgshapiro private key belonging to the server 396864562Sgshapiro cert. 396964562SgshapiroconfCLIENT_CERT ClientCertFile [undefined] File containing the 397064562Sgshapiro cert of the client, i.e., this cert 397164562Sgshapiro is used when sendmail acts as 397264562Sgshapiro client. 397364562SgshapiroconfCLIENT_KEY ClientKeyFile [undefined] File containing the 397464562Sgshapiro private key belonging to the client 397564562Sgshapiro cert. 397664562SgshapiroconfDH_PARAMETERS DHParameters [undefined] File containing the 397764562Sgshapiro DH parameters. 397864562SgshapiroconfRAND_FILE RandFile [undefined] File containing random 397966494Sgshapiro data (use prefix file:) or the 398066494Sgshapiro name of the UNIX socket if EGD is 398166494Sgshapiro used (use prefix egd:). STARTTLS 398266494Sgshapiro requires this option if the compile 398366494Sgshapiro flag HASURANDOM is not set (see 398464562Sgshapiro sendmail/README). 398590792SgshapiroconfNICE_QUEUE_RUN NiceQueueRun [undefined] If set, the priority of 398690792Sgshapiro queue runners is set the given value 398790792Sgshapiro (nice(3)). 398890792SgshapiroconfDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers 398990792Sgshapiro [undefined] Defines {daemon_flags} 399090792Sgshapiro for direct submissions. 399190792SgshapiroconfUSE_MSP UseMSP [false] Use as mail submission 399290792Sgshapiro program, see sendmail/SECURITY. 399390792SgshapiroconfDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By 399490792Sgshapiro SMTP Service Extension (RFC 2852). 399590792SgshapiroconfSHARED_MEMORY_KEY SharedMemoryKey [0] Key for shared memory. 399690792SgshapiroconfFAST_SPLIT FastSplit [1] If set to a value greater than 399790792Sgshapiro zero, the initial MX lookups on 399890792Sgshapiro addresses is suppressed when they 399990792Sgshapiro are sorted which may result in 400090792Sgshapiro faster envelope splitting. If the 400190792Sgshapiro mail is submitted directly from the 400290792Sgshapiro command line, then the value also 400390792Sgshapiro limits the number of processes to 400490792Sgshapiro deliver the envelopes. 400590792SgshapiroconfMAILBOX_DATABASE MailboxDatabase [pw] Type of lookup to find 400690792Sgshapiro information about local mailboxes. 400790792SgshapiroconfDEQUOTE_OPTS - [empty] Additional options for the 400890792Sgshapiro dequote map. 400990792SgshapiroconfINPUT_MAIL_FILTERS InputMailFilters 401090792Sgshapiro A comma separated list of filters 401190792Sgshapiro which determines which filters and 401290792Sgshapiro the invocation sequence are 401390792Sgshapiro contacted for incoming SMTP 401490792Sgshapiro messages. If none are set, no 401590792Sgshapiro filters will be contacted. 401690792SgshapiroconfMILTER_LOG_LEVEL Milter.LogLevel [9] Log level for input mail filter 401790792Sgshapiro actions, defaults to LogLevel. 401890792SgshapiroconfMILTER_MACROS_CONNECT Milter.macros.connect 4019110560Sgshapiro [j, _, {daemon_name}, {if_name}, 4020110560Sgshapiro {if_addr}] Macros to transmit to 4021110560Sgshapiro milters when a session connection 4022110560Sgshapiro starts. 402390792SgshapiroconfMILTER_MACROS_HELO Milter.macros.helo 4024110560Sgshapiro [{tls_version}, {cipher}, 4025110560Sgshapiro {cipher_bits}, {cert_subject}, 4026110560Sgshapiro {cert_issuer}] Macros to transmit to 4027110560Sgshapiro milters after HELO/EHLO command. 402890792SgshapiroconfMILTER_MACROS_ENVFROM Milter.macros.envfrom 4029110560Sgshapiro [i, {auth_type}, {auth_authen}, 4030110560Sgshapiro {auth_ssf}, {auth_author}, 4031110560Sgshapiro {mail_mailer}, {mail_host}, 4032110560Sgshapiro {mail_addr}] Macros to transmit to 4033110560Sgshapiro milters after MAIL FROM command. 403490792SgshapiroconfMILTER_MACROS_ENVRCPT Milter.macros.envrcpt 4035110560Sgshapiro [{rcpt_mailer}, {rcpt_host}, 4036110560Sgshapiro {rcpt_addr}] Macros to transmit to 4037110560Sgshapiro milters after RCPT TO command. 403864562Sgshapiro 403990792Sgshapiro 404038032SpeterSee also the description of OSTYPE for some parameters that can be 404138032Spetertweaked (generally pathnames to mailers). 404238032Speter 404390792SgshapiroClientPortOptions and DaemonPortOptions are special cases since multiple 404490792Sgshapiroclients/daemons can be defined. This can be done via 404538032Speter 404690792Sgshapiro CLIENT_OPTIONS(`field1=value1,field2=value2,...') 404764562Sgshapiro DAEMON_OPTIONS(`field1=value1,field2=value2,...') 404864562Sgshapiro 404990792SgshapiroNote that multiple CLIENT_OPTIONS() commands (and therefore multiple 405090792SgshapiroClientPortOptions settings) are allowed in order to give settings for each 405190792Sgshapiroprotocol family (e.g., one for Family=inet and one for Family=inet6). A 405290792Sgshapirorestriction placed on one family only affects outgoing connections on that 405390792Sgshapiroparticular family. 405490792Sgshapiro 405564562SgshapiroIf DAEMON_OPTIONS is not used, then the default is 405664562Sgshapiro 405764562Sgshapiro DAEMON_OPTIONS(`Port=smtp, Name=MTA') 405864562Sgshapiro DAEMON_OPTIONS(`Port=587, Name=MSA, M=E') 405964562Sgshapiro 406064562SgshapiroIf you use one DAEMON_OPTIONS macro, it will alter the parameters 406164562Sgshapiroof the first of these. The second will still be defaulted; it 406264562Sgshapirorepresents a "Message Submission Agent" (MSA) as defined by RFC 406364562Sgshapiro2476 (see below). To turn off the default definition for the MSA, 406464562Sgshapirouse FEATURE(`no_default_msa') (see also FEATURES). If you use 406564562Sgshapiroadditional DAEMON_OPTIONS macros, they will add additional daemons. 406664562Sgshapiro 406764562SgshapiroExample 1: To change the port for the SMTP listener, while 406864562Sgshapirostill using the MSA default, use 406964562Sgshapiro DAEMON_OPTIONS(`Port=925, Name=MTA') 407064562Sgshapiro 407164562SgshapiroExample 2: To change the port for the MSA daemon, while still 407264562Sgshapirousing the default SMTP port, use 407364562Sgshapiro FEATURE(`no_default_msa') 407464562Sgshapiro DAEMON_OPTIONS(`Name=MTA') 407564562Sgshapiro DAEMON_OPTIONS(`Port=987, Name=MSA, M=E') 407664562Sgshapiro 407764562SgshapiroNote that if the first of those DAEMON_OPTIONS lines were omitted, then 407864562Sgshapirothere would be no listener on the standard SMTP port. 407964562Sgshapiro 408064562SgshapiroExample 3: To listen on both IPv4 and IPv6 interfaces, use 408164562Sgshapiro 408264562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v4, Family=inet') 408364562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6') 408464562Sgshapiro 408564562SgshapiroA "Message Submission Agent" still uses all of the same rulesets for 408664562Sgshapiroprocessing the message (and therefore still allows message rejection via 408764562Sgshapirothe check_* rulesets). In accordance with the RFC, the MSA will ensure 4088110560Sgshapirothat all domains in envelope addresses are fully qualified if the message 4089110560Sgshapirois relayed to another MTA. It will also enforce the normal address syntax 4090110560Sgshapirorules and log error messages. Additionally, by using the M=a modifier you 4091110560Sgshapirocan require authentication before messages are accepted by the MSA. 4092110560SgshapiroNotice: Do NOT use the 'a' modifier on a public accessible MTA! Finally, 4093110560Sgshapirothe M=E modifier shown above disables ETRN as required by RFC 2476. 409464562Sgshapiro 409590792SgshapiroMail filters can be defined using the INPUT_MAIL_FILTER() and MAIL_FILTER() 409690792Sgshapirocommands: 409764562Sgshapiro 409890792Sgshapiro INPUT_MAIL_FILTER(`sample', `S=local:/var/run/f1.sock') 409990792Sgshapiro MAIL_FILTER(`myfilter', `S=inet:3333@localhost') 410038032Speter 410190792SgshapiroThe INPUT_MAIL_FILTER() command causes the filter(s) to be called in the 410290792Sgshapirosame order they were specified by also setting confINPUT_MAIL_FILTERS. A 410390792Sgshapirofilter can be defined without adding it to the input filter list by using 410490792SgshapiroMAIL_FILTER() instead of INPUT_MAIL_FILTER() in your .mc file. 410590792SgshapiroAlternatively, you can reset the list of filters and their order by setting 410690792SgshapiroconfINPUT_MAIL_FILTERS option after all INPUT_MAIL_FILTER() commands in 410790792Sgshapiroyour .mc file. 410890792Sgshapiro 410990792Sgshapiro 411090792Sgshapiro+----------------------------+ 411190792Sgshapiro| MESSAGE SUBMISSION PROGRAM | 411290792Sgshapiro+----------------------------+ 411390792Sgshapiro 411490792SgshapiroThe purpose of the message submission program (MSP) is explained 411590792Sgshapiroin sendmail/SECURITY. This section contains a list of caveats and 411690792Sgshapiroa few hints how for those who want to tweak the default configuration 411790792Sgshapirofor it (which is installed as submit.cf). 411890792Sgshapiro 411990792SgshapiroNotice: do not add options/features to submit.mc unless you are 412090792Sgshapiroabsolutely sure you need them. Options you may want to change 412190792Sgshapiroinclude: 412290792Sgshapiro 412394334Sgshapiro- confTRUSTED_USERS, FEATURE(`use_ct_file'), and confCT_FILE for 412498121Sgshapiro avoiding X-Authentication warnings. 412594334Sgshapiro- confTIME_ZONE to change it from the default `USE_TZ'. 412690792Sgshapiro- confDELIVERY_MODE is set to interactive in msp.m4 instead 412790792Sgshapiro of the default background mode. 412898121Sgshapiro- FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses 412998121Sgshapiro to the LOCAL_RELAY instead of the default relay. 413098121Sgshapiro- confRAND_FILE if you use STARTTLS and sendmail is not compiled with 413198121Sgshapiro the flag HASURANDOM. 413290792Sgshapiro 413398121SgshapiroThe MSP performs hostname canonicalization by default. As also 413498121Sgshapiroexplained in sendmail/SECURITY, mail may end up for various DNS 413598121Sgshapirorelated reasons in the MSP queue. This problem can be minimized by 413698121Sgshapirousing 413798121Sgshapiro 413898121Sgshapiro FEATURE(`nocanonify', `canonify_hosts') 413998121Sgshapiro define(`confDIRECT_SUBMISSION_MODIFIERS', `C') 414098121Sgshapiro 414198121SgshapiroSee the discussion about nocanonify for possible side effects. 414298121Sgshapiro 414390792SgshapiroSome things are not intended to work with the MSP. These include 414490792Sgshapirofeatures that influence the delivery process (e.g., mailertable, 414590792Sgshapiroaliases), or those that are only important for a SMTP server (e.g., 414690792Sgshapirovirtusertable, DaemonPortOptions, multiple queues). Moreover, 414790792Sgshapirorelaxing certain restrictions (RestrictQueueRun, permissions on 414890792Sgshapiroqueue directory) or adding features (e.g., enabling prog/file mailer) 414990792Sgshapirocan cause security problems. 415090792Sgshapiro 415190792SgshapiroOther things don't work well with the MSP and require tweaking or 415290792Sgshapiroworkarounds. For example, to allow for client authentication it 415390792Sgshapirois not just sufficient to provide a client certificate and the 415490792Sgshapirocorresponding key, but it is also necessary to make the key group 415590792Sgshapiro(smmsp) readable and tell sendmail not to complain about that, i.e., 415690792Sgshapiro 415790792Sgshapiro define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') 415890792Sgshapiro 415990792SgshapiroIf the MSP should actually use AUTH then the necessary data 416090792Sgshapiroshould be placed in a map as explained in SMTP AUTHENTICATION: 416190792Sgshapiro 416290792SgshapiroFEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') 416390792Sgshapiro 416490792Sgshapiro/etc/mail/msp-authinfo should contain an entry like: 416590792Sgshapiro 416690792Sgshapiro AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" 416790792Sgshapiro 416890792SgshapiroThe file and the map created by makemap should be owned by smmsp, 416990792Sgshapiroits group should be smmsp, and it should have mode 640. The database 417090792Sgshapiroused by the MTA for AUTH must have a corresponding entry. 417190792SgshapiroAdditionally the MTA must trust this authentication data so the AUTH= 417290792Sgshapiropart will be relayed on to the next hop. This can be achieved by 417390792Sgshapiroadding the following to your sendmail.mc file: 417490792Sgshapiro 417590792Sgshapiro LOCAL_RULESETS 417690792Sgshapiro SLocal_trust_auth 417790792Sgshapiro R$* $: $&{auth_authen} 417890792Sgshapiro Rsmmsp $# OK 417990792Sgshapiro 418090792Sgshapirofeature/msp.m4 defines almost all settings for the MSP. Most of 418190792Sgshapirothose should not be changed at all. Some of the features and options 418290792Sgshapirocan be overridden if really necessary. It is a bit tricky to do 418390792Sgshapirothis, because it depends on the actual way the option is defined 418490792Sgshapiroin feature/msp.m4. If it is directly defined (i.e., define()) then 418590792Sgshapirothe modified value must be defined after 418690792Sgshapiro 418790792Sgshapiro FEATURE(`msp') 418890792Sgshapiro 418990792SgshapiroIf it is conditionally defined (i.e., ifdef()) then the desired 419090792Sgshapirovalue must be defined before the FEATURE line in the .mc file. 419190792SgshapiroTo see how the options are defined read feature/msp.m4. 419290792Sgshapiro 419390792Sgshapiro 419490792Sgshapiro+--------------------------+ 419590792Sgshapiro| FORMAT OF FILES AND MAPS | 419690792Sgshapiro+--------------------------+ 419790792Sgshapiro 419890792SgshapiroFiles that define classes, i.e., F{classname}, consist of lines 419990792Sgshapiroeach of which contains a single element of the class. For example, 420090792Sgshapiro/etc/mail/local-host-names may have the following content: 420190792Sgshapiro 420290792Sgshapiromy.domain 420390792Sgshapiroanother.domain 420490792Sgshapiro 420590792SgshapiroMaps must be created using makemap(8) , e.g., 420690792Sgshapiro 420790792Sgshapiro makemap hash MAP < MAP 420890792Sgshapiro 420990792SgshapiroIn general, a text file from which a map is created contains lines 421090792Sgshapiroof the form 421190792Sgshapiro 421290792Sgshapirokey value 421390792Sgshapiro 421490792Sgshapirowhere 'key' and 'value' are also called LHS and RHS, respectively. 421590792SgshapiroBy default, the delimiter between LHS and RHS is a non-empty sequence 421690792Sgshapiroof white space characters. 421790792Sgshapiro 421890792Sgshapiro 421990792Sgshapiro+------------------+ 422090792Sgshapiro| DIRECTORY LAYOUT | 422190792Sgshapiro+------------------+ 422290792Sgshapiro 422338032SpeterWithin this directory are several subdirectories, to wit: 422438032Speter 422538032Speterm4 General support routines. These are typically 422638032Speter very important and should not be changed without 422738032Speter very careful consideration. 422838032Speter 422938032Spetercf The configuration files themselves. They have 423038032Speter ".mc" suffixes, and must be run through m4 to 423138032Speter become complete. The resulting output should 423238032Speter have a ".cf" suffix. 423338032Speter 423438032Speterostype Definitions describing a particular operating 423538032Speter system type. These should always be referenced 423638032Speter using the OSTYPE macro in the .mc file. Examples 423738032Speter include "bsd4.3", "bsd4.4", "sunos3.5", and 423838032Speter "sunos4.1". 423938032Speter 424038032Speterdomain Definitions describing a particular domain, referenced 424138032Speter using the DOMAIN macro in the .mc file. These are 424238032Speter site dependent; for example, "CS.Berkeley.EDU.m4" 424338032Speter describes hosts in the CS.Berkeley.EDU subdomain. 424438032Speter 424566494Sgshapiromailer Descriptions of mailers. These are referenced using 424638032Speter the MAILER macro in the .mc file. 424738032Speter 424838032Spetersh Shell files used when building the .cf file from the 424938032Speter .mc file in the cf subdirectory. 425038032Speter 425138032Speterfeature These hold special orthogonal features that you might 425238032Speter want to include. They should be referenced using 425338032Speter the FEATURE macro. 425438032Speter 425538032Speterhack Local hacks. These can be referenced using the HACK 425638032Speter macro. They shouldn't be of more than voyeuristic 425738032Speter interest outside the .Berkeley.EDU domain, but who knows? 425838032Speter 425938032Spetersiteconfig Site configuration -- e.g., tables of locally connected 426038032Speter UUCP sites. 426138032Speter 426238032Speter 426338032Speter+------------------------+ 426438032Speter| ADMINISTRATIVE DETAILS | 426538032Speter+------------------------+ 426638032Speter 426738032SpeterThe following sections detail usage of certain internal parts of the 426838032Spetersendmail.cf file. Read them carefully if you are trying to modify 426938032Speterthe current model. If you find the above descriptions adequate, these 427038032Spetershould be {boring, confusing, tedious, ridiculous} (pick one or more). 427138032Speter 427238032SpeterRULESETS (* means built in to sendmail) 427338032Speter 427438032Speter 0 * Parsing 427538032Speter 1 * Sender rewriting 427638032Speter 2 * Recipient rewriting 427738032Speter 3 * Canonicalization 427838032Speter 4 * Post cleanup 427938032Speter 5 * Local address rewrite (after aliasing) 428038032Speter 1x mailer rules (sender qualification) 428138032Speter 2x mailer rules (recipient qualification) 428238032Speter 3x mailer rules (sender header qualification) 428338032Speter 4x mailer rules (recipient header qualification) 428438032Speter 5x mailer subroutines (general) 428538032Speter 6x mailer subroutines (general) 428638032Speter 7x mailer subroutines (general) 428738032Speter 8x reserved 428838032Speter 90 Mailertable host stripping 428938032Speter 96 Bottom half of Ruleset 3 (ruleset 6 in old sendmail) 429038032Speter 97 Hook for recursive ruleset 0 call (ruleset 7 in old sendmail) 429138032Speter 98 Local part of ruleset 0 (ruleset 8 in old sendmail) 429238032Speter 429338032Speter 429438032SpeterMAILERS 429538032Speter 429638032Speter 0 local, prog local and program mailers 429738032Speter 1 [e]smtp, relay SMTP channel 429838032Speter 2 uucp-* UNIX-to-UNIX Copy Program 429938032Speter 3 netnews Network News delivery 430038032Speter 4 fax Sam Leffler's HylaFAX software 430138032Speter 5 mail11 DECnet mailer 430238032Speter 430338032Speter 430438032SpeterMACROS 430538032Speter 430638032Speter A 430738032Speter B Bitnet Relay 430838032Speter C DECnet Relay 430938032Speter D The local domain -- usually not needed 431038032Speter E reserved for X.400 Relay 431138032Speter F FAX Relay 431238032Speter G 431338032Speter H mail Hub (for mail clusters) 431438032Speter I 431538032Speter J 431638032Speter K 431738032Speter L Luser Relay 431864562Sgshapiro M Masquerade (who you claim to be) 431938032Speter N 432038032Speter O 432138032Speter P 432238032Speter Q 432338032Speter R Relay (for unqualified names) 432438032Speter S Smart Host 432538032Speter T 432664562Sgshapiro U my UUCP name (if you have a UUCP connection) 432764562Sgshapiro V UUCP Relay (class {V} hosts) 432864562Sgshapiro W UUCP Relay (class {W} hosts) 432964562Sgshapiro X UUCP Relay (class {X} hosts) 433038032Speter Y UUCP Relay (all other hosts) 433138032Speter Z Version number 433238032Speter 433338032Speter 433438032SpeterCLASSES 433538032Speter 433638032Speter A 433738032Speter B domains that are candidates for bestmx lookup 433838032Speter C 433938032Speter D 434038032Speter E addresses that should not seem to come from $M 434164562Sgshapiro F hosts this system forward for 434238032Speter G domains that should be looked up in genericstable 434338032Speter H 434438032Speter I 434538032Speter J 434638032Speter K 434738032Speter L addresses that should not be forwarded to $R 434838032Speter M domains that should be mapped to $M 434964562Sgshapiro N host/domains that should not be mapped to $M 435038032Speter O operators that indicate network operations (cannot be in local names) 435138032Speter P top level pseudo-domains: BITNET, DECNET, FAX, UUCP, etc. 435238032Speter Q 435364562Sgshapiro R domains this system is willing to relay (pass anti-spam filters) 435438032Speter S 435538032Speter T 435638032Speter U locally connected UUCP hosts 435738032Speter V UUCP hosts connected to relay $V 435838032Speter W UUCP hosts connected to relay $W 435938032Speter X UUCP hosts connected to relay $X 436038032Speter Y locally connected smart UUCP hosts 436138032Speter Z locally connected domain-ized UUCP hosts 436238032Speter . the class containing only a dot 436338032Speter [ the class containing only a left bracket 436438032Speter 436538032Speter 436638032SpeterM4 DIVERSIONS 436738032Speter 436838032Speter 1 Local host detection and resolution 436938032Speter 2 Local Ruleset 3 additions 437038032Speter 3 Local Ruleset 0 additions 437138032Speter 4 UUCP Ruleset 0 additions 437238032Speter 5 locally interpreted names (overrides $R) 437338032Speter 6 local configuration (at top of file) 437438032Speter 7 mailer definitions 437564562Sgshapiro 8 DNS based blacklists 437638032Speter 9 special local rulesets (1 and 2) 437764562Sgshapiro 4378111823Sgshapiro$Revision: 8.623.2.21 $, Last updated $Date: 2003/01/17 00:36:57 $ 4379